Re-verification of a Lip Synchronization Protocol using Robust Reachability

The timed automata formalism is an important model for specifying and analysing real-time systems. Robustness is the correctness of the model in the presence of small drifts on clocks or imprecision in testing guards. A symbolic algorithm for the analysis of the robustness of timed automata has been implemented. In this paper, we re-analyse an industrial case lip synchronization protocol using the new robust reachability algorithm. This lip synchronization protocol is an interesting case because timing aspects are crucial for the correctness of the protocol. Several versions of the model are considered: with an ideal video stream, with anchored jitter, and with non-anchored jitter

Re-verification of a Lip Synchronization Algorithm using robust reachability

The timed automata formalism is an important model for specifying and analysing real-time systems. Robustness is the correctness of the model in the presence of small drifts on clocks or imprecision in testing guards. A symbolic algorithm for the analysis of the robustness of timed automata has been implemented. In this paper we re-analyse an industrial case lip synchronization protocol using the new robust reachability algorithm.This lip synchronization protocol is an interesting case because timing aspect are crucial for the correctness of the protocol. Several versions of the model are considered, with an ideal video stream, with anchored jitter, and with non-anchored jitter

Robust Model-Checking of Linear-Time Properties in Timed Automata

International audienceFormal verification of timed systems is well understood, but their \emphimplementation is still challenging. Recent works by Raskin \emphet al. have brought out a model of parameterized timed automata that can be used to prove \emphimplementability of timed systems for safety properties. We define here a more general notion of robust model-checking for linear-time properties, which consists in verifying whether a property still holds even if the transitions are slightly delayed or expedited. We provide PSPACE algorithms for the robust model-checking of Büchi-like and LTL properties. We also verify bounded-response-time properties

Robust safety of timed automata

Timed automata are governed by an idealized semantics that assumes a perfectly precise behavior of the clocks. The traditional semantics is not robust because the slightest perturbation in the timing of actions may lead to completely different behaviors of the automaton. Following several recent works, we consider a relaxation of this semantics, in which guards on transitions are widened byΔ>0 and clocks can drift byε>0. The relaxed semantics encompasses the imprecisions that are inevitably present in an implementation of a timed automaton, due to the finite precision of digital clocks. We solve the safety verification problem for this robust semantics: given a timed automaton and a set of bad states, our algorithm decides if there exist positive values for the parametersΔ andε such that the timed automaton never enters the bad states under the relaxed semantic

Remedies for building reliable cyber-physical systems

Cyber-physical systems (CPS) are systems that are tight integration of computer programs as controllers or cyber parts, and physical environments. The interaction is carried out by obtaining information about the physical environment through reading sensors and responding to the current knowledge through actuators. Examples of such systems are autonomous automobile systems, avionic systems, robotic systems, and medical devices. Perhaps the most common feature of all these systems is that they are all safety critical systems and failure most likely causes catastrophic consequences. This means that while testing continues to increase confidence in cyber-physical systems, formal or mathematical proofs are needed at the very least for the safety requirements of these systems. Hybrid automata is the main modeling language for cyber-physical systems. However, verifying safety properties is undecidable for all but very restricted known classes of these automata. Our first result introduces a new subclass of hybrid automata for which bounded time safety model checking problem is decidable. We also prove that unbounded time model checking for this subclass is undecidable which suggests this is the best one can hope for the new class. Our second result in this thesis is a counter-example guided abstraction refinement algorithm for unbounded time model checking of non- linear hybrid automata. Clearly, this is an undecidable problem and that is the main reason for using abstraction refinement techniques. Our CEGAR framework for this class is sound but not complete, meaning the algorithm never incorrectly says a system is safe, but may output unsafe incorrectly. We have also implemented our algorithm and compared it with seven other tools. There are multiple inherent problems with traditional model checking approaches. First, it is well-known that most models do not depict physical environments precisely. Second, the model checking problem is undecidable for most classes of hybrid automata. And third, even when model checking is decidable, controller part in most models cannot be implemented. These problems suggest that current methods of modeling cyber-physical systems and problems might not be the right ones. Our last result focuses on robust model checking of cyber-physical systems. In this part of the thesis, we focus on the implementability issue and show how to solve four different robust model checking problem for timed automata. We also introduce an optimal algorithm for robust time bounded safety model checking of monotonic rectangular automata

Verification of a fieldbus scheduling protocol using timed automata

This paper deals with the formal verification of a fieldbus real-time scheduling mechanism, using the notion of timed-automata and the UPPAAL model checker. A new approach is proposed here that treats the set of schedulers that regulate access on a fieldbus as a separate entity, called the scheduling layer. In addition a network with a changing topology is considered, where nodes may be turned on or off. The behaviour of the scheduling layer in conjunction with the data link, the medium and the network management layer is examined and it is proved that it enjoys a number of desirable properties

Resilience of Timed Systems

This paper addresses reliability of timed systems in the setting of resilience, that considers the behaviors of a system when unspecified timing errors such as missed deadlines occur. Given a fault model that allows transitions to fire later than allowed by their guard, a system is universally resilient (or self-resilient) if after a fault, it always returns to a timed behavior of the non-faulty system. It is existentially resilient if after a fault, there exists a way to return to a timed behavior of the non-faulty system, that is, if there exists a controller which can guide the system back to a normal behavior. We show that universal resilience of timed automata is undecidable, while existential resilience is decidable, in EXPSPACE. To obtain better complexity bounds and decidability of universal resilience, we consider untimed resilience, as well as subclasses of timed automata

Relating Syntactic and Semantic Perturbations of Hybrid Automata

We investigate how the semantics of a hybrid automaton deviates with respect to syntactic perturbations on the hybrid automaton. We consider syntactic perturbations of a hybrid automaton, wherein the syntactic representations of its elements, namely, initial sets, invariants, guards, and flows, in some logic are perturbed. Our main result establishes a continuity like property that states that small perturbations in the syntax lead to small perturbations in the semantics. More precisely, we show that for every real number epsilon>0 and natural number k, there is a real number delta>0 such that H^delta, the delta syntactic perturbation of a hybrid automaton H, is epsilon-simulation equivalent to H up to k transition steps. As a byproduct, we obtain a proof that a bounded safety verification tool such as dReach will eventually prove the safety of a safe hybrid automaton design (when only non-strict inequalities are used in all constraints) if dReach iteratively reduces the syntactic parameter delta that is used in checking approximate satisfiability. This has an immediate application in counter-example validation in a CEGAR framework, namely, when a counter-example is spurious, then we have a complete procedure for deducing the same