Observation partielle des systèmes temporisés

Transcription

Observation partielle des systèmes
temporisés
Patricia Bouyer, Fabrice Chevalier
LSV – CNRS & ENS de Cachan
Moez Krichen, Stavros Tripakis
VERIMAG
MSR’05 – Septembre 2005
1 / 27
Partial observation
Outline
1 Partial observation
2 Control under partial observation
3 Fault diagnosis
4 Conformance testing
5 Conclusion
2 / 27
Partial observation
Why partial observation?
Naturally appears in the modelling of applications:
modelling of an environment
inherent non-determinism in applications
partial knowledge of the system
3 / 27
Partial observation
Why partial observation?
Naturally appears in the modelling of applications:
modelling of an environment
inherent non-determinism in applications
partial knowledge of the system
Example (The car periphery supervision)
Embedded system
Hostile environment
Sensors
distances
speeds
c Society of Automative Engineers Inc.
3 / 27
Partial observation
Several application domains
Control under partial observation
Fault diagnosis
Conformance testing
Runtime model-checking
Learning
···
4 / 27
Partial observation
Several application domains
Fault diagnosis
Conformance testing
Runtime model-checking
Learning
···
4 / 27
Partial observation
The finite automata framework
Non-observable actions can be modelled as “ε-transitions”.
5 / 27
Partial observation
They can be removed from finite automata.
5 / 27
Partial observation
Partial observation is often not more difficult than global
observation
5 / 27
Partial observation
Partial observation is often not more difficult than global
observation:
control under partial observation
LTL
Partial obs. 2EXP-comp.
Global obs. 2EXP-comp.
[Kupferman, Vardi 1997]
CTL∗
CTL
2EXP-comp. EXP-comp.
2EXP-comp. EXP-comp.
two-player games with incomplete information
[Reif 1984]
[Arnold, Vincent, Walukiewicz 2003]
5 / 27
Partial observation
What’s more difficult with time?
Stumbling blocks:
ε-transitions can not be removed from timed automata
x = 1, a, x := 0
[Bérard, Diekert, Gastin, Petit 1998]
x = 1, ε, x := 0
6 / 27
Partial observation
What’s more difficult with time?
Stumbling blocks:
ε-transitions can not be removed from timed automata
x = 1, a, x := 0
[Bérard, Diekert, Gastin, Petit 1998]
x = 1, ε, x := 0
timed automata can not be determinized nor complemented
a
a
a, x := 0
a
x = 1, a
[Alur, Dill 1990’s]
6 / 27
Outline
3 Fault diagnosis
5 Conclusion
7 / 27
A first example
c1 , c2 : controllable actions
u: uncontrollable action
c1
1
c2
x ≥ 2, u
Bad
2
c1
c2
This system is controllable under full observation...
8 / 27
A first example
c1 , c2 : controllable actions
u: uncontrollable and
non-observable action
c1
1
c2
x ≥ 2, u
Bad
2
c1
c2
This system is controllable under full observation...
... but not controllable under partial observation.
8 / 27
[Bouyer, D’Souza, Madhusudan, Petit 2003]
On the “negative” side
Theorem
Safety and reachability timed control under partial observation is
undecidable.
➜ by reduction of the universality problem for timed automata
9 / 27
Theorem
undecidable.
NB: this result is robust for several modelizations...
9 / 27
Theorem
undecidable.
NB: this result is robust for several modelizations...
On the “positive” side
Theorem
Fixing the resources of the controller, the control under partial
observation problem becomes decidable (but 2EXPTIME-complete).
9 / 27
Fault diagnosis
Outline
3 Fault diagnosis
5 Conclusion
10 / 27
Fault diagnosis
[Sampath, Sengupta, Lafortune,
Sinnamohideen, Teneketzis 1995]
Principle of fault diagnosis
Principle: “observe the behavior of a plant, and
tell if something wrong has happened”
f
a
b
a
c
System:
u
11 / 27
Fault diagnosis
f
a
b
a
c
System:
u
Σo = {a, b, c} Σu = {f , u}
ε
a
b
a
c
Sensors:
ε
11 / 27
Fault diagnosis
f
a
b
a
c
System:
u
Σo = {a, b, c} Σu = {f , u}
ε
a
b
a
c
Sensors:
ε
Observations:
«ab» or «ac»
11 / 27
Fault diagnosis
f
a
b
a
c
System:
u
Σo = {a, b, c} Σu = {f , u}
ε
a
b
a
c
Sensors:
ε
Observations:
«ab» or «ac»
Did a fault occur?
11 / 27
Fault diagnosis
f
a
b
a
c
System:
u
Σo = {a, b, c} Σu = {f , u}
ε
a
b
a
c
Sensors:
ε
Observations:
«ab» or «ac»
Did a fault occur?
11 / 27
Fault diagnosis
The timed framework
Plant = timed automaton
Σo observable events, and Σu unobservable events
12 / 27
Fault diagnosis
The timed framework
Pb: Given an observation (timed word over Σo ), did a fault occur?
12 / 27
Fault diagnosis
The timed framework
Aim: Answer within ∆ units of time.
12 / 27
Fault diagnosis
The timed framework
Example (Σo = {a, b} Σu = {f })
Execution of the plant: w = (a, 1)(f , 3.1)(b, 4.5)
Observation: π(w ) = (a, 1)(b, 4.5)
12 / 27
Fault diagnosis
The timed framework
Example (Σo = {a, b} Σu = {f })
Execution of the plant: w = (a, 1)(f , 3.1)(b, 4.5)
Observation: π(w ) = (a, 1)(b, 4.5)
1-diagnoser:
2-diagnoser:
has to announce fault on π(w )
can announce fault on π(w )
may announce nothing on π(w )
12 / 27
Fault diagnosis
∆-diagnosis
A ∆-diagnoser for P is a function D : TW (Σo ) → {0, 1} such that:
13 / 27
Fault diagnosis
∆-diagnosis
for every non-faulty execution ρ of P, D(πΣo (ρ)) = 0
13 / 27
Fault diagnosis
∆-diagnosis
for every ∆-faulty execution ρ of P, D(πΣo (ρ)) = 1
13 / 27
Fault diagnosis
∆-diagnosis
Example
b
x <2
b
f
a, x := 0
This system is 2-diagnosable...
13 / 27
Fault diagnosis
∆-diagnosis
Example
b
x <2
b
f
a, x := 0
This system is 2-diagnosable... but not 1-diagnosable
13 / 27
Fault diagnosis
∆-diagnosis
Example
b
x <2
b
f
a, x := 0
This system is 2-diagnosable... but not 1-diagnosable
(because (f , 0)(b, 1) and (b, 1) raise the same observation)
13 / 27
Fault diagnosis
Decidability of diagnosability
b
x <2
a, x := 0
b
f
[Tripakis 2002]
b
N
x <2
b
f
a, x := 0
14 / 27
Fault diagnosis
b
b
f
x <2
a, x := 0
[Tripakis 2002]
b
N
x <2
b
f
a, x := 0
The plant is diagnosable iff there is an infinite non-zeno run
in the above product which goes through (
,
)
14 / 27
Fault diagnosis
b
b
f
x <2
a, x := 0
[Tripakis 2002]
b
N
x <2
b
f
a, x := 0
The plant is diagnosable iff there is an infinite non-zeno run
in the above product which goes through (
,
)
➜ The diagnosability problem is PSPACE-complete
14 / 27
Fault diagnosis
In practice: state estimation
[Tripakis 2002]
•
15 / 27
Fault diagnosis
•
[Tripakis 2002]
a, 1.3
15 / 27
Fault diagnosis
•
[Tripakis 2002]
a, 1.3
zone
15 / 27
Fault diagnosis
•
[Tripakis 2002]
a, 1.3
zone
15 / 27
Fault diagnosis
•
[Tripakis 2002]
a, 1.3
zone
15 / 27
Fault diagnosis
•
b, 5.67
a, 1.3
[Tripakis 2002]
zone
15 / 27
Fault diagnosis
•
b, 5.67
a, 1.3
[Tripakis 2002]
zone
15 / 27
Fault diagnosis
•
b, 5.67
a, 1.3
[Tripakis 2002]
zone
15 / 27
Fault diagnosis
•
[Tripakis 2002]
b, 5.67
a, 1.3
zone
complete solution
possible for offline
diagnosis (log files)
very expensive to run it
online
15 / 27
Fault diagnosis
Towards easier online diagnosis
➜ Our aim: build a deterministic diagnoser O...
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
16 / 27
Fault diagnosis
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
Example
Diagnoser
Plant
b
x <2
a, x := 0
b
f
x < 2, b
•
x ≥ 2, b
a, x := 0
16 / 27
Fault diagnosis
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
Example
Diagnoser
Plant
b
x <2
b
f
x < 2, b
•
a, x := 0
x ≥ 2, b
a, x := 0
w = (b, 0.5)
16 / 27
Fault diagnosis
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
Example
Diagnoser
Plant
b
x <2
b
x < 2, b
x ≥ 2, b
f
a, x := 0
a, x := 0
w = (b, 0.5)
16 / 27
Fault diagnosis
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
Example
Diagnoser
Plant
b
x <2
b
f
x < 2, b
•
a, x := 0
x ≥ 2, b
a, x := 0
w = (b, 0.5)
16 / 27
Fault diagnosis
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
Example
Diagnoser
Plant
b
x <2
b
f
x < 2, b
•
a, x := 0
x ≥ 2, b
a, x := 0
w = (b, 0.5) (a, 1)
16 / 27
Fault diagnosis
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
Example
Diagnoser
Plant
b
x <2
b
x < 2, b
x ≥ 2, b
f
a, x := 0
a, x := 0
w = (b, 0.5) (a, 1)
16 / 27
Fault diagnosis
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
Example
Diagnoser
Plant
b
x <2
b
f
x < 2, b
•
a, x := 0
x ≥ 2, b
a, x := 0
w = (b, 0.5) (a, 1)
16 / 27
Fault diagnosis
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
Example
Diagnoser
Plant
b
x <2
a, x := 0
b
x < 2, b
f
•
x ≥ 2, b
a, x := 0
w = (b, 0.5) (a, 1) (b, 3)
16 / 27
Fault diagnosis
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
Example
Diagnoser
Plant
b
x <2
a, x := 0
b
x < 2, b
x ≥ 2, b
f
a, x := 0
w = (b, 0.5) (a, 1) (b, 3)
16 / 27
Fault diagnosis
L∆f (P) ⊆ L(O) ⊆ L¬f (P)c
Example
Diagnoser
Plant
b
x <2
a, x := 0
b
x < 2, b
x ≥ 2, b
f
•
a, x := 0
w = (b, 0.5) (a, 1) (b, 3)
16 / 27
Fault diagnosis
Diagnosis by deterministic timed automata
Less general than previous diagnosis
x =1
u
x := 0
x = 0, f
x = 0, a
0 < x < 1, a
17 / 27
Fault diagnosis
x =1
u
x := 0
x = 0, f
x = 0, a
0 < x < 1, a
The diagnosis problem with DTA is not solved yet.
17 / 27
Fault diagnosis
x =1
u
x := 0
x = 0, f
x = 0, a
0 < x < 1, a
The “precise” diagnosis problem and the “asap” diagnosis problem
with DTA are undecidable.
[Chevalier 2004]
17 / 27
Fault diagnosis
x =1
u
x := 0
x = 0, f
x = 0, a
0 < x < 1, a
[Chevalier 2004]
We restrict to bounded resources µ = (X , m, max)
17 / 27
Fault diagnosis
x =1
u
x := 0
x = 0, a
x = 0, f
0 < x < 1, a
[Chevalier 2004]
We restrict to bounded resources µ = (X , m, max)
Theorem
[Bouyer, Chevalier, D’Souza 2005]
∆-diagnosis of timed systems with DTAµ is 2EXPTIME-complete.
17 / 27
Fault diagnosis
Diagnosis as a game
We will transform the diagnosis problem into a two-player safety game:
one player is the diagnoser
the other player is the environment
18 / 27
Fault diagnosis
Diagnosis as a game
Reminder (two-player safety game)
•
: avoid red state
18 / 27
Fault diagnosis
Diagnosis as a game
•
: avoid red state
18 / 27
Fault diagnosis
Diagnosis as a game
•
: avoid red state
18 / 27
Fault diagnosis
Diagnosis as a game
The plant is ∆-DTAµ -diagnosable iff
has a winning strategy.
18 / 27
Fault diagnosis
P
1
a, x := 0
x > 1, f .b
f
x ≤ 1, u.b
u
2
Is there a diagnoser for the plant with one clock and constants 0 and 1?
19 / 27
Fault diagnosis
P
1
a, x := 0
x > 1, f .b
f
x ≤ 1, u.b
u
2
Is there a diagnoser for the plant with one clock and constants 0 and 1?
y > 1, b
O
a, y := 0
y ≤ 1, b
19 / 27
Fault diagnosis
P
a, x := 0
1
a, x := 0, y := 0
x > 1, f .b
f
x ≤ 1, u.b
u
x > 1 ∧ y > 1, f .b
f;···
2
2; x = y = 0
R
1; x = y = 0
a, x := 0
x ≤ 1 ∧ y ≤ 1, u.b
x > 1 ∧ y > 1, f .b
u; · · ·
f;···
a, x := 0
2; y > x = 0 x ≤ 1 ∧ y > 1, u.b
u; · · ·
x ≤ 1 ∧ y ≤ 1, u.b
19 / 27
Fault diagnosis
P
a, x := 0
1
a, x := 0, y := 0
x > 1, f .b
f
x ≤ 1, u.b
u
x > 1 ∧ y > 1, f .b
f;···
2
2; x = y = 0
R
1; x = y = 0
a, x := 0
x ≤ 1 ∧ y ≤ 1, u.b
x > 1 ∧ y > 1, f .b
u; · · ·
f;···
a, x := 0
2; y > x = 0 x ≤ 1 ∧ y > 1, u.b
u; · · ·
x ≤ 1 ∧ y ≤ 1, u.b
19 / 27
Fault diagnosis
P
1
a, x := 0
x > 1, f .b
f
x ≤ 1, u.b
u
y > 1, b
f;···
y ≤ 1, b
u; · · ·
2
a, y := 0
2; x = y = 0
a
π(R)
1; x = y = 0
y > 1, b
f;···
a
2; y > x = 0
y > 1, b
u; · · ·
y ≤ 1, b
19 / 27
Fault diagnosis
P
1
a, x := 0
a, y := 0
Det(π(R))
x > 1, f .b
f
x ≤ 1, u.b
u
y > 1, b
f;···
y ≤ 1, b
u; · · ·
y > 1, b
f;···
u; · · ·
y ≤ 1, b
u; · · ·
2
2; x = y = 0
1; x = y = 0
a
2; y > x = 0
2; x = y = 0
19 / 27
Fault diagnosis
P
1
a, x := 0
x > 1, f .b
f
x ≤ 1, u.b
u
2
y > 1, b
f;···
2; x = y = 0
y := 0
GP,µ
1; x = y = 0
y ≤ 1, b
a
y > 1, b
2; y > x = 0
2; x = y = 0
y ≤ 1, b
u; · · ·
f;···
u; · · ·
u; · · ·
19 / 27
Fault diagnosis
Diagnosis by DTAµ
Proposition
has a winning strategy in GP,µ iff there is a diagnoser for P in DTAµ .
➜ ∆-DTAµ -diagnosability is in 2EXPTIME.
20 / 27
Fault diagnosis
Diagnosis by DTAµ
Proposition
has a winning strategy in GP,µ iff there is a diagnoser for P in DTAµ .
➜ ∆-DTAµ -diagnosability is in 2EXPTIME.
Moreover, we can simulate an Alternating Turing Machine using
exponential space with a diagnosis problem...
➜ ∆-DTAµ -diagnosability is 2EXPTIME-hard.
20 / 27
Fault diagnosis
Diagnosis by event-recording timed automata
[Alur, Fix, Henzinger 1994]
one clock xa per event a
clock xa is reset when a occurs
21 / 27
Fault diagnosis
Property
Event-recording timed automata are determinizable
Event-recording timed automata are input-determined
[D’Souza, Tabareau 2004]
21 / 27
Fault diagnosis
Property
Event-recording timed automata are determinizable
Event-recording timed automata are input-determined
[D’Souza, Tabareau 2004]
➜ Diagnosis (with bounded resources) becomes PSPACE-complete
[Bouyer, Chevalier, D’Souza 2005]
21 / 27
Conformance testing
Outline
3 Fault diagnosis
5 Conclusion
22 / 27
Conformance testing
Black-box conformance testing
[Krichen, Tripakis 2004,2005]
Inputs
a?
Black-box
(SUT)
Outputs
b!
conforms to
Spec
23 / 27
Conformance testing
Black-box
Inputs
a?
(SUT)
Outputs
b!
conforms to
Spec
The specification is given as an I/O-timed automaton with
ε-transitions.
23 / 27
Conformance testing
Black-box
Inputs
a?
(SUT)
Outputs
b!
conforms to
Spec
The specification is given as an I/O-timed automaton with
ε-transitions.
A test is a strategy of interaction between the tester and the SUT.
The tester tries to demonstrate that the SUT does not conform to
the specification, while the SUT tries to prevent doing so.
23 / 27
Conformance testing
Example
a?
x := 0
a!
x := 0
x ≤5
ε
x ≤5
ε
3 ≤ x ≤ 5, b?
4 ≤ x ≤ 5, c?
ε
3≤x ≤5
b!
4≤x ≤5
c!
A specification
Pass
x < 3, b?
x < 4, c?
x ≤ 5, d ?
Fail
A possible test
24 / 27
Conformance testing
Techniques used for building tests
Very similar to those for fault diagnosis:
state estimation in the specification
fixing the resources, synthesis of strategies in the game between the
SUT and the tester
25 / 27
Conclusion
Outline
3 Fault diagnosis
5 Conclusion
26 / 27
Conclusion
Conclusion & further developments
Conclusion
Partial observation adds much complexity to many problems
Main reason: there is no real nice theory of regular timed languages
27 / 27
Conclusion
Conclusion & further developments
Conclusion
Partial observation adds much complexity to many problems
Main reason: there is no real nice theory of regular timed languages
Further developments
Algorithms for control under partial observation
Further notions of partial observation: time is no more completely
observable, but only through a tick action
Fault diagnosis with DTA/ERA
Get rid of some resources or the ∆ parameter
Control under partial observation for other classes of systems
(e.g. o-minimal hybrid games)
27 / 27

Observation partielle des systèmes temporisés

Transcription

Documents pareils

TRAIL BOUZIGUES 25 Mars 2012 - 24 km classement dossard Nom

[V6.04.221] SSNV221-Hydrostatic Testing with linear

Spiele in der Informatik