# June 22nd 2270

© Software Systems Engineering Research Group, BTU Cottbus, 2002

# Efficient BDD Representation for Reachability Analysis of Timed Automata

Dirk Beyer



Software Systems Engineering Research Group BTU Cottbus

www.software-systemtechnik.de/Rabbit

#### Modeling

- flat set of communicating automata
- structure of system is lost in model
- > confusing, hard to understand, not modular

#### Verification

- explicit enumeration of discrete states, exponential
- clock valuations are represented by matrices
- non-convex sets require more than one matrices
- CDDs are used, but without regarding variable ordering
- > inefficient, exponential effort

#### Case studies

- scalable benchmark examples with regular structure
- few models with realistic, unregular structure
- existing case studies to small

© Software Systems Engineering Research Group, BTU Cottbus, 2002

3

## **Example: Fischer's protocol**



Timed Automata for process i

# **Modularity in Cottbus Timed Automata**



© Software Systems Engineering Research Group, BTU Cottbus, 2002

5





© Software Systems Engineering Research Group, BTU Cottbus, 2002

# **Reuse of components**



© Software Systems Engineering Research Group, BTU Cottbus, 2002

7

# Refinement steps for large systems



© Software Systems Engineering Research Group, BTU Cottbus, 2002

- Modeling
  - hierarchical model, abstraction layers
  - reuse of components, substitution of modules
  - → structured, understandable, maintainable, because modular, useful for verification

#### Verification

- explicit enumeration of discrete states, exponential
- clock valuations are represented by matrices
- non-convex sets require more than one matrices
- CDDs are used, but without regarding variable ordering
- > inefficient, exponential effort

#### Case studies

- scalable benchmark examples with regular structure
- few models with realistic, unregular structure
- > existing case studies to small

© Software Systems Engineering Research Group, BTU Cottbus, 2002

Q

#### Verification of real-time systems

- Formalism for modular modeling
  - Theoretical basis: timed and hybrid automata
  - Module concept
  - Good for modeling large systems

#### Reachability analysis using BDD representation

- Integer semantics
- Estimate-based variable ordering
- Very efficient

#### Refinement checking

- Simulation relation
- Modular Proofs

## Reachability analysis

- · Verification of safety properties
  - → Performance problems with existing tools
- 1st problem: explicit discrete states
  - → BDD representation (own package)
- 2nd problem: separated clock representation
  - → discrete TA-semantics, using also BDDs
- 3rd problem: variable orderings
  - → heuristic using communication structure

© Software Systems Engineering Research Group, BTU Cottbus, 2002

11

#### **Contribution to efficiency**

- Evaluation of our method for three examples (Fischer, FDDI, CSMA/CD)
- 1. there <u>exists</u> a variable ordering for polynomial size complexity
- 2. our tool is <u>able to find</u> such variable ordering automatically
- 3. empirical evidence
- industrial case study: the approach works
- the approach is applicable for DDs in general

# **Complexity results**

| Protocol           | BDD size                                                   | CDD size<br>(location-first) | CDD size<br>(smallest) |
|--------------------|------------------------------------------------------------|------------------------------|------------------------|
| Fischer            | Q(c <sup>3</sup> n <sup>2</sup> <i>lg</i> c)               | W (2 <sup>n</sup> )          | Q(n³)                  |
| CSMA/CD            | Q(n s <sup>3</sup> lg 1)                                   | W (3 <sup>n</sup> )          | Q(n²)                  |
| Token ring<br>FDDI | $Q(n^2 \text{ ttrt}^2  lg \text{ ttrt})$ $= Q(n^4  lg  n)$ | Q(n²)                        | Q(n²)                  |

© Software Systems Engineering Research Group, BTU Cottbus, 2002

13

# Complexity analysis: Fischer's protocol



Timed Automata for process i

© Software Systems Engineering Research Group, BTU Cottbus, 2002

## **Communication graph**

- General characteristics of "good" variable orderings:
  - Communicating components have neighboring positions
  - Components which communicate with many other components at first
- Automatic ordering:
  - Estimation for the size of the BDD evaluates different variable orderings

© Software Systems Engineering Research Group, BTU Cottbus, 2002

15

#### **BDD** structure and size estimation



$$\sum_{i=1}^{n} \left( 2^{|q_i|} - 1 \right) \cdot \left( \prod_{k \in Comm_A(i)} |Q_k| \right)$$

© Software Systems Engineering Research Group, BTU Cottbus, 2002

## **Example: Fischer's mutex protocol**

#### TA for process i:

#### Communication graph:





© Software Systems Engineering Research Group, BTU Cottbus, 2002

17

## Different variable orderings

Consider 3 different variable orderings for the BDD







k at end k in front

© Software Systems Engineering Research Group, BTU Cottbus, 2002

Separated





© Software Systems Engineering Research Group, BTU Cottbus, 2002

19

# Comparison with other approaches



© Software Systems Engineering Research Group, BTU Cottbus, 2002









- Modeling
  - hierarchical model, abstraction layers
  - reuse of components, substitution of modules
  - → structured, understandable, maintainable, because modular
- Verification
  - unique symbolic representation of states AND clock valuations
  - proved integer semantics, proved upper bound for trans rel
  - method for complexity analysis, polynomial is possible
  - method for variable ordering, good orderings can be computed
  - → efficient, polynomial effort for some examples
- Case studies
  - scalable benchmark examples with regular structure
  - few models with realistic, unregular structure
  - existing case studies to small

© Software Systems Engineering Research Group, BTU Cottbus, 2002

25

## Video production cell





- Modeling
  - hierarchical model, abstraction layers
  - reuse of components, substitution of modules
  - → structured, understandable, maintainable, because modular
- Verification
  - unique symbolic representation of states AND clock valuations
  - proved integer semantics, proved upper bound for trans rel
  - method for complexity analysis, polynomial is possible
  - method for variable ordering, good orderings can be computed
  - → efficient, polynomial effort for some examples
- Case studies
  - scalable benchmark examples => polynomial effort
  - large production cell model => verifiable using modular structure
  - → approach works, is relevant for practice, executable controller can be synthesized from proven model

© Software Systems Engineering Research Group, BTU Cottbus, 2002

29

#### Results

- Modular formalism for modelling
- Efficient verification using BDD representation
  - Complexity analysis of reach sets: good ordering exists
  - Good variable orderings <u>can be found</u> by tool using modular structure of model
- Tool framework for timed and hybrid automata
  - Double Description Method for the hybrid case
  - Binary Decision Diagrams for the timed case
- Different verification strategies for modular proofs
  - Reachability analysis for safety properties
  - Refinement check via simulation relation
- Several case studies:
  - AND circuit, Fischer's protocol, CSMA/CD, FDDI,
  - Production cell, controller synthesis



