Verification of Timed and Hybrid Systems

Uppaal [UPP,BLL98] is an integrated tool environment for modelling, simulating and verification of real-time and hybrid systems, developed jointly by BRICS at Aalborg University in Denmark and by DoCS at Uppsala University in Sweden. In this talk we will review the status of the currently distributed version of Uppaal and describe in more detail the ongoing developments which are to be incorporated in future releases of the tool. Extended Modelling Language The modelling language of Uppaal supports model-checking of safety and bounded liveness properties of systems that can be modeled as a collection of timed automata communicating through channels or shared variables. Typical application areas include real-time controllers and communication protocols in particular those where timing aspects are criticial. In the currently distributed version the modelling language is somewhat richer compared to that of its predecessors. The new language supports process templates and more complex (bounded) data structures, such as data variables, constants, arrays etc. A process template in the new language is a timed automaton extended with a list of formal parameters and a set of locally declared clocks, variables and constants. Typically, a system description will consist of a set of instances of timed automata declared from the process templates, and some global data, such as global clocks, variables, synchronisation channels etc. The above extensions do not increase the expressive power of the modelling formalism but “merely” permit descriptions to be more concise and flexible. In contrast to this, we are currently experimenting with an extension which allows clocks to be stopped in certain situations — so-called stop-watches. Though a seemingly minor upgrade from the model of timed automata, we have shown [CL00] that the introduction of stop-watches yields the full expressive power of linear hybrid automata [Hen96]. In addition, the existing efficient analysis for timed automata may be extended to an (approximate) analysis in the presence of stop-watches. Thus, linear hybrid automata may be analysed without the need for representing and manipulating general polyhedra. ⋆ ⋆ ⋆ BRICS: Center for Basic Research in Computer Science at Aarhus and Aalborg Univeristy † Email: [email protected] Beyond Model-Checking A new application area of Uppaal is that of scheduling, and a number of such problems have been encountered as case-studies in the ESPRIT project VHS [VHS] (e.g. [BS99,KLPW99]). Modelling the tasks to be scheduled as well as the constraining, shared resources involved as interacting timed automata allows the scheduling problem to be stated as a (time-bounded) reachability question. The diagnostic trace potentially provided by Uppaal offers a valid schedule to the problem. However, often one wants not just an arbitrary valid schedule but a schedule which is optimal with respect to some suitable cost measure (e.g. in terms of total elapsed time). An experimental implementation of Uppaal that allows for optimal schedules to be generated with respect to user-defined optimization criteria is currently under development and investigation in collaboration with researchers at BRICS@Aarhus and Nijmegen University. Improvement of Verifier A main focus of the Uppaal project is to develop efficient algorithms and data structures for the verification of timed systems. We have recently developed a new data structure called Clock Difference Diagrams, CDDs [LWYP99,BLP99]. The new structure is BDD-like (i.e. it allows for sharing of isomorphic sub trees) but intended for representing and efficiently manipulating the non-convex subsets of the Euclidian space encountered during verification of timed automata. In the currently distributed version of Uppaal the symbolic state-space is represented using so-called Difference Bounded Matrices, DBMs. In an experiment using eight industrial examples, we have found that use of CDDs instead of DBMs led to space savings between 46% and 99% with a moderate increase in run time. For a related data structure we refer the reader to [MLAH99]. A distributed implementation of the reachability algorithm running on a number of platforms has recently been completed [BHV00] and will soon be available. The experiments with the implementation have been succesfull not only in providing essentially linear speed-up in the number of processors available but also to point to alternative search-orders compared with the standard breadthand depth-first search orders. Despite the increasing number of succesfull applications of Uppaal the stateexplosion problem is not just a theoretical limitation of the technology but also a phenomena encountered in practice [HLS99]. Thus, to truely scale up, it is necessary to complement the tool with methods for abstraction and compositionality. In [JLS00] we have developed and applied such a methodology and demonstrated how all steps of the methods may be supported by Uppaal. 1 in the sence that model-checking a single timed automaton is either EXPTIMEor PSPACE-complet depending on the expressiveness of the logic considered