Modeling and Analysis of Hybrid Systems - SS 2013

Written Exam II
Wednesday, September 18, 2013

Forename and surname: Matriculation number:

n
Sign here:

tio
• Do not open the exam until we give the start signal.

• Please place your student identity card on your desk for identification purposes.

• The duration of the exam is 120 minutes.

• Use a blue or black (permanent) pen only.

• Please write your name and matriculation number on each page of this exam.

• Please write clear and legible answers.

lu
• Please use a separate sheet for each task. If you need more sheets, indicate this by a hand
signal.

• Please clearly cross out parts you do not wish to be evaluated.

• If you have problems understanding a task, indicate this by a hand signal.

• You are not allowed to use auxiliary material except for a pen. In particular, switch off
So

your electronic devices! Cheating disqualifies from the exam.

Task: 1.) 2.) 3.) 4.) 5.) 6.) Total

Maximum score: 7 11 7 8 9 8 50
Reached score:

Good luck!
So
lu
tio
n
Name: Student number:

Task 1. Hybrid System Modeling (3 + 2 + 2 points)

Figure 1 depicts a water tank, where x denotes the height

of the water in the tank. The water flows out of the tank
through an aperture at the bottom. Additionally, the tank
can be filled with water by turning a pump on. If the pump
is off (and the tank is not empty), the water height change x
rate is dx
dt = −0.5. Otherwise, if the pump is on, the water
height changes according to dx
dt = 1.
A controller tries to keep the water level in a safe range
by turning the pump on when the water height reaches 3
and turning the pump off when the water height reaches Figure 1: Water tank
7.

n
(1) Please define the missing components of the following hybrid automaton to model the water
tank system:

tio x=3
on
ẋ =
off
ẋ =
lu
(2) Please give a definition of Zeno paths.
(3) Does the above hybrid automaton has a Zeno path? Justify your answer!

Solution:
So

(1)

x=7

on off
x=3
ẋ = 1 ẋ = −0.5
x ≤ 7 x ≥ 3

x=3

(2) A Zeno path is a path which has a finite time duration but contains infinitely many discrete
jumps.
(3) No, the above hybrid automaton does not have any Zeno paths, since it always spends 4 time
units in location on and 8 time units in location off. Therefore, the smallest time duration
between two jumps is 4, such that infinitely many jumps imply infinite time duration.
So
lu
tio
n
Name: Student number:

Task 2. Timed Automata (3 + 6 + 2 points)

(1) Please describe the basic steps of TCTL model checking on timed automata.
(2) Consider the following timed automaton T :

`0 `1
x=0
ẋ = 1 ẋ = 1
x≤1 x≤1
b
{p} x = 1 x := 0 {q}

We want to check whether T satisfies the TCTL formula AGAF ≤1 p. Please give the reach-

n
able fragment of the region transition system generated during model checking.
(3) The TCTL model checking algorithm can be applied to Zeno-free timed automata only.
Why?

Solution:

tio
(1) The basic steps of TCTL model checking on timed automata are as follows. We assume the
timed automaton is denoted by A and the TCTL formula is given by ϕ.
(i) Transform the TCTL formula ϕ into a CTL formula ϕ̂ by eliminating the timing pa-
rameters.
(ii) Transform the timed automaton A into a region transition system RTS(A).
(iii) Apply the CTL model checking algorithm to check whether ϕ̂ |= RTS(A).
lu
(iv) Return the model checking result.
(2) The region transition system is as follows:

`0 `0 `0 `0 `0 `0 `0
x = 0 x ∈ (0, 1) x = 1 x = 0 x ∈ (0, 1) x = 1 x = 0
z =x z =x z =x z = 1 z > 1 z > 1 z > 1
So

a a a b a a a b a

`1 `1 `1 `1 `1 `1 `1
x = 0 x ∈ (0, 1) x = 1 x = 0 x ∈ (0, 1) x = 1 x = 0
z =x z =x z =x z = 1 z > 1 z > 1 z > 1

(3) The TCTL model checking algorithm is not correct for timed automata with Zeno-paths.
If a timed automaton is Zeno-free, all paths in its abstraction (region transition system)
correspond to at least one time-divergent path in the timed automaton. However, it is not
necessarily the case for timed automata with Zeno behavior. Assume the following timed
automaton T 0 :
α

`0
x=0
ẋ = 1
x=0
This automaton has no time-divergent paths at all, therefore T 0 6|=TCTL EF true. If we would
use TCTL model checking, it would generate the following region transition system RTS :

`0
x = 0
(z = 0)

Please note that RTS |=CTL EF true holds for this Kripke structure.

n
tio
lu
So
Name: Student number:

Task 3. Rectangular Automata (2 + 2 + 3 points)

(1) Please explain the differences between rectangular automata and stopwatch automata.

(2) Is the reachability problem on initialized rectangular automata decidable? Describe the
structure of the proof!

(3) Please transform the following initialized stopwatch automaton to a timed automaton. Here,
we allow non-zero reset values in the resulting timed automaton.

x≥1 x := 3

`0 `1
x=0
ẋ = 1 ẋ = 0
x≤2 true

n
x := 1

`2 x := 2
ẋ = 1
x≤3

Solution: tio
(1) Time derivatives and reset values can be specified by intervals in rectangular automata. In
a stopwatch automaton, the time-derivative of a variable can only be either 1 or 0, and reset
values should be point intervals.

(2) Yes, the reachability problem for initialized rectangular automata is decidable. The proof
lu
leads back the reachability problem for initialized rectangular automata to the reachability
problem for timed automata, which is known to be decidable. The proof uses the following
transformation steps:
initialized rectangular automaton
↓
initialized singular automaton
↓
So

initialized stopwatch automaton

↓
timed automaton

(3) The solution is as follows.

x≥1 x := 3

`0 `01
x=0
ẋ = 1 ẋ = 1
x≤2 true
x := 1 (x = 3)

x := 1
`2 `00
1
ẋ = 1 ẋ = 1
x := 2
x≤3 true
(x = 2)
So
lu
tio
n
Name: Student number:

Task 4. Linear Hybrid Automata (2 + 4 + 2 points)

(1) Please explain the differences between linear hybrid automata and general hybrid automata.

(2) For the state set defined by S = h`, y ≤ x∧1 ≤ xi, please compute (a) its forward time closure
Tl+ (S) under the dynamics ẋ = 2, ẏ = −1 with invariant x ≤ 2, and (b) its postcondition
+ 0
D(`,` 0 ) (S) via a jump to ` with guard x ≤ 2 and reset x := 0.

(3) Is the reachability problem on linear hybrid automata decidable? Justify your answer!

Solution:

(1) Linear hybrid automata are a subclass of general hybrid automata such that (i) the time-

n
derivatives of variables can only be constants, (ii) invariants and guards are defined by
conjunctions of finitely many linear constraints, and (iii) resets are defined by linear terms.

(2) (a)

(b)
tio
Tl+ (S) = h`, ∃x0 , y 0 , t. (y 0 ≤ x0 ∧ 1 ≤ x0 ∧ x = x0 + 2t ∧ y = y 0 − t ∧ t ≥ 0 ∧ x ≤ 2)i
= h`, y ≤ x ∧ 1 ≤ x ≤ 2i

+
D(`,` 0 0 0 0 0 0 0 0
0 ) (S) = h` , ∃x , y .(y ≤ x ∧ 1 ≤ x ∧ x ≤ 2 ∧ x = 0 ∧ y = y )i

= h`0 , y ≤ 2 ∧ x = 0i

(3) The reachability problem for linear hybrid automata is not decidable, since the reachability
problem for 2-counter machines, which are a subclass of linear hybrid automata, is undecid-
lu
able.
So
So
lu
tio
n
Name: Student number:

Task 5. Reachability Analysis (1 + 2 + 2 + 4 points)

(1) We mentioned different kinds of geometric representations for state sets. Please name at
least two.

(2) We want to implement a fixedpoint-based reachability analysis algorithm using a given state
set representation. Which operations are needed on the state set representation? Please
mention at least four.

(3) What is a flow pipe segmentation?

(4) Please explain the basic principle of minimization.

Solution:

n
(1) We introduced the following geometric representations in our lecture: boxes (hyperrectan-
gles), convex polyhedra, orthogonal polyhedra (grids). Besides, we also mentioned: ellipsoids,
zonotopes, support functions and oriented rectangular hulls.

tio
(2) The mostly used operations are intersection, union, test for emptiness, membership, linear
transformation, Minkowski sum.

(3) A flow pipe is an over-approximation of the states reachable from a given state set by
letting time elapse within a given time horizon. A flow pipe segmentation divides the time
horizon [0, T ] into smaller time segments [0, δ], [δ, 2δ], . . . , [(n − 1)δ, nδ] with nδ = T and
over-approximates for each time segment [iδ, (i + 1)δ] the states reachable within that time
separately.

(4) Given an initial condition and a safety specification, minimization tries to construct a par-
lu
titioning of the state space by

• specifying an initial partitioning into regions of good and bad states and
• refining this partitioning until the regions are stable, i.e., until for each pair of (reach-
able) regions R and R0 either all states in R have a successor in R0 or none of them.
So
So
lu
tio
n
Name: Student number:

Task 6. Convex Polytopes (2 + 2 + 2 + 2 points)

(1) Please define what it means that a set is convex.

(2) Please define the convex hull of a set. How can the convex hull be computed for a finite set
V = {v1 , v2 , . . . , vn }?

(3) How can we check whether a point x0 belongs to a V-polytope P ?

(4) How can we check whether a point x0 belongs to an H-polytope P ?

Solution:

n
(1) We call a set S convex if for any x, y ∈ S, all of the points on the line segment from x to y
also belong to S. Formally, it is given by

∀x, y ∈ S.∀λ ∈ [0, 1]. ((λx + (1 − λ)y) ∈ S)

tio
(2) The convex hull of a set S is the smallest convex set which contains S. The convex hull of
V is given by

conv(V ) = {x | ∃λ1 , . . . , λn ∈ [0, 1].(

n
X

i=1
λi = 1 ∧ x =
n
X

i=1
λi vi )}

(3) Assume that the V-polytope P is given by the vertex set V = {v1 , v2 , . . . , vn }. To check the
membership of x0 , we need to check the satisfiability of the linear real-arithmetic formula
n n n
lu
^ X X
( 0 ≤ λi ≤ 1) ∧ λ i = 1 ∧ x0 = λ i vi .
i=1 i=1 i=1

If it is satisfiable then x0 ∈ P , otherwise x0 ∈

/ P.

(4) Assume that the H-polytope P is given by the representation A · x ≤ b such that A is a
real-valued matrix and b is a real-valued column vector. To check the membership of x0 , we
only need to evaluate A · x0 , if the result is less or equal b, then x0 ∈ P , otherwise x0 ∈
/ P.
So
So
lu
tio
n