 Okay, so our work is also on time automata, so we define time automata very well, so this just let me show you Just recall you what it is. This is just finite automata with clocks and of course clocks We have clock guards on the edges and the clock resets. So this defines a very natural semantics by delay transitions where all clocks grow by some amount and by discrete transitions which are instantaneous that are taken in zero time and Yes, such as sequence is just a one just one behavior one possible behavior of the system So I will call this semantics. This is the usual natural semantics. This is the exact semantics but okay, so time automata are of course abstract models and This is why they're a bit idealistic. So for example Time automata assume that there's no minimum delay no level on the delays between actions So this means that we assume that the system is able to do two actions One after another with a very small delay between them. So this is of course not realistic in real systems And we also assume that the clocks are perfectly continuous and they're infinitely precise So of course in reality, we have digital clocks So we can only measure time with this clock ticks So this could be very small, but still it's some positive period and also we have reaction times Which means that when the system receives a signal and interrupts something like that It has to spend a little time treating the signal Okay, so the program semantics was defined by the roof Diana Vazquian To deal to take into account these aspects So I don't want to define the program semantics, but just think of it as a very concrete semantics So this is the real-world behavior of some digital system Executing the time automaton and yeah, we would consider so we actually study a variant of this program semantics Now these imprecisions in time automata can also be modeled in a different way So it is a time automaton with Take so constantly the clock constant x is less than 2 When in the real system you evaluate this constraint is when it's a values to true In reality, it only means some it can only guarantee that it's x is less than 2 plus some delta of course because of the Imprecisions this is an example for Delta equals to 0.1 and similarly Why is greater than 2 it becomes? Why is greater than 2 minus delta? So we enlarge all the guards to model these imprecisions So this is another way to model these imprecisions and there's a relation between two the two semantics We had a for any time automaton a All behaviors of a are included in the program semantics Just have to enlarge By Delta, so if you enlarge all the guards by Delta like in here and we have this inclusion So this inclusion is actually timed simulation So not just trace inclusion is timed simulation And if you enlarge even more the guards then the program semantics is included in the enlarged automaton Yeah, so this is based on this this work and also our work so this means that The program semantics so the real world behavior could have extra behavior additional behavior than the the abstract model a And it's also means that this justice enlargement Easy over approximation of the program semantics So now let me show you that in fact these semantics can have in fact extra behavior So this is an example. This is a very simple system. You have a camera what come and encoder This is probably a song card song card actually, but anyway So the camera captures images and so it captures one frame every two time units And it sends it to the encoder and the encoder has to treat these Maybe store them somewhere and if yes, we assume that the encoder treats each frame in two time units and of course this is a possible so this feasible that is We can treat as many frames as we want so This is a very simple scheduling problem We have a periodic tasks of period two time units and we're able to treat this or this is schedulable But now suppose that you implement this system and achieve our hardware and somehow you end up with additional Unexpected delay. So instead of two time units, you have the encoding is done in two plus delta time units And then of course these deltas could accumulate over time if this repeats at every time And at some point you will have to skip a frame in order to cope with arriving the arriving frames So this this system is of course a time automaton It could be modeled as a time automaton and the first system is this a time automaton without the delta And it is safe in the sense that there is no frame skips But for any delta any any positive delta. So if you model check you'll see that you have to skip a frame eventually So the qualitative behavior can change for any enlargement even if enlargement is very small Yeah, so this was observed observed So the enlarge or program semantics can add undesired behavior and different qualitative behavior But this was observed by period first for clock gifs and then for clock imprecisions So because of this problem The primary parameterized robust model checking was studied. So in this problem, so it's just like model checking you You're getting a time automaton a property I want to decide satisfaction, but you want to decide if there exists a bound on the imprecisions There's this a delta small enough so that the enlarge automaton satisfies phi So this yeah So this is decidable. So this was first studied for safety properties by many people and for linear time properties and even for a fragment of MTL Time time logic time the extension of LTL Also for time on time language equivalence between a and a delta Yeah, so in all this previous work the idea is to check whether this additional behavior Introduced because of imprecisions is harmless They are there harmless. So we want to check for example if the enlarge automaton is still safe But in this work we adopt a different approach. We want we don't want we don't want any additional behavior You want to modify the automaton to systematically exclude any additional behavior under imprecisions and therefore for small enough Delta So to do so or main tool is shrinking. So we want to shrink shrink time automata So it's a very simple idea. So if you you have this edge this card in your time automaton So this is the real world behavior of course because of the imprecisions and this is why because of this enlarge one This is why we have this extra additional behavior. If you don't want this to happen Very simple idea is to shrink the guard to replace this two by two minus delta This by one minus delta prime so that now this is the real world behavior and now if you choose this parameters correctly, of course this This will be included in the intended behavior. So it should be between one and two So ideas just to shrink more than what it will get enlarged by and this will of course Prevent any additional behavior So we will consider a separate shrinking parameter for each atomic clock constraints So this belt and delta prime can be different and actually we will be looking for parameters like like in this form So we will have one rational delta and K1 K2 K3 these will be integers So what I mean is that instead of looking for a set of rational numbers like like it here We'll be looking for some uniform delta. So rational delta times integers But this is of course the equivalent any set of rational numbers can be written Like this there is some some delta times positive integers And yeah, so given such a vector delta and K This is a shrunk automaton to this music each Each guard has been shrunk by corresponding value Okay, now here's a series of Relations for the program semantics of the shrunk automaton is included in the original automaton That's that's because the idea is that if you shrink enough then you'll get this inclusion But of course so this is already a very good thing because this is the real-world behavior and it is included in the abstract model if you model check a Using your power using the new algorithm, then the real-world behavior is included in your model, so if a is safe then the system will be safe but of course this is not always enough because This could have no behavior. So or maybe it's doing something not uninteresting. So What so we're interesting in? this semantics Lightness or so we want to find these parameters delta K Such that the program semantics is able to time-out check simulate Specification and it is non-blocking So if you have this you have if you have these conditions then it is a very good implementation Contains all all the intended behavior and it's non-blocking. It is safe and so on So just a simple observation you also have this inclusion So that's because okay. That's because here. We enlarge a little more. So Shrunk is here machine more so that we have this inclusion now what what we show this is my or main result is that We show that one can decide these parameters and compute them compute the least parameters delta times K for which we have so the eight and timers are simulated by the shrunk automaton and The shrunk automaton is non-blocking So if you just want simulation, then this is next time So if you have the simulation, then we of course we have completed this So then the program semantics is simulation equivalent to the specification If you just want non-blocking this then it is in p space and in fact in p if the number of edges per location is Bounded by a constant So I believe this is a reasonable parameter And if you want both that is the same parameters delta K such that both properties hold and it is also possible the next time And this this this implies that the program semantics is non-blocking and it is simulation equivalent This is not obvious actually, but this is not not for today Okay, so now just to show you how have a shrunk automaton looks like so if you take this automaton if you apply your algorithm It will say it will tell you that it's a shrinkable and it will give you these red red parameters Now you see that so one becomes One minus delta here and we have two delta three delta four delta So we really need to consider different parameters for each Atomic clock constraint and we have this both properties non-blocking is a simulation equivalence for actually for all delta between 0 1 1 4 So in general all our results will hold for all small enough delta Okay, also You may wonder how to interpret these Shrinking parameters. So what to do what to do with this friction parameters once you apply the algorithm Here's a attempt to interpret this if you have this edge and Supposed it is shrunk by these values So there are two cases time in the time automaton an edge can be controllable Which means maybe the system should send a signal between three and seven time units Then this is easy to interpret it should just send it between three plus two delta seven minus four delta But sometimes the edges are not controllable For example, it can be the case that up in the rival to L1. Maybe you execute a task If you have a real-time operating system and just wait for termination and then make maybe this three and seven correspond to Best case execution time worst case execution time So then you cannot control the termination. You just wait for termination and you have just a guarantee then I believe you should review your timing analysis and make sure that The test will terminate not later than seven minus four delta or do the necessary for this And perhaps is if it terminates before then maybe you should wait a little bit before continuing So that's how I would use these parameters Okay, now in the rest I'd like to show you a few techniques we used to Compute these parameters Now I'll only consider non-blocking this so a time automaton is non-blocking if Whenever you take a transition and change location You're able to take another transition eventually so every execution can be extended to an infinite execution and This this can be also for time automaton this can be Express like this so Let G sigma be the guard of this edge and G sigma prime guards so non-blocking this means that the guard of Sigma should be included in the predecessors of the next Transitions so pre-time is time predecessors on reset is the universe of reset So if the guard is included in the predecessors of the union union of this Next transitions and of course your non-blocking if this holds for all ages And this precisely means that you have non-blocking this But so let's simplify. So let's take this automaton And now this is the condition for non-blocking this G sigma is included in the predecessor of sigma prime Now so let's just consider an example Let's consider these guards. So these are zones as we saw in the previous talk This is the guard of sigma prime. This is one of sigma So the pre-time this is the time predecessors. This is easy to compute. This is just just take this Let's do the time predecessors and on reset is the set of valuations from which you can reach this set by resetting y So just trust me this is This is what you get and you have inclusion. This means that This automaton is non-blocking or This condition holds for the H sigma But of course what we want to do is to compute the parameters to get non-blocking this So we want the same inclusion to hold when the guards are shrunk by some unknown parameters So we want to determine Integers K and Delta for which this holds. So this is what we want to do You want to shrink each guard? So shrinking is really can be seen geometrically reducing This same These are so unknown parameters K1 for times Delta K2 times Delta and so K i Are integers and Delta is a rational So the pre-time is again this So this is not completely obvious, but if you can we show that This that that we have will have some additional Shrinking parameters in the diagonals and we get here one K1 plus K3 times Delta K2 plus K4 times Delta And the on reset is this That is the same previous zone gets shrunk by K1 plus K3 none of us you have inclusion if and only if K5 is greater than K1 plus K3 So you should shrink more here than and this can be written as this using max K5 should be should be the max of K5 and K1 plus K3 So what we did is this we started with some equation on zones with parameters And we have an equivalence With an equation on just integers using the maximum plus So what what is really interesting here is that Here we don't have time automata. We don't have zones. We don't have this complicated things We just have integers positive integers and Actually, we will only have maximum plus. So this is the interesting thing and Actually, these observations will always hold. So this is Stimatically we show that this happens systematically. So given any fixed point equation on zones. So just think of this equation So yeah, M is a set of guards So it's a set of it's a vector of zones and F is a function using pre-time intersections or well known operations So yeah, just like in here and let M be a solution So for any integer vector K the solution shrunk by K times delta for delta small enough Is a solution of this fixed point equation if and only if the integer vector K satisfies Phi Where Phi is a max plus expression. So it's like in here is phi is a fixed point equation on the max plus algebra So it only uses max and plus So and and yeah, we show that it's not very difficult show that This kind of equations can be solved efficiently in polynomial time so now to decide Stringability sort of for non-blocking is to compute these parameters just have to write what you want Without thinking of the parameters. We're just right down the non-blocking is right down the simulation equation and Compute the solution so this solution should be computable This is for usual methods for time automata and just compute this equation phi. So it is also computable easily and Once you have phi just solve solve it It's a fixed point equation on max plus algebra and then this gives you this will also always give you a this will also This also gives a bound on Delta. So we'll have a solution for small enough Delta. Okay, so Summarize shrinking so it's a very simple idea It's gives always gives good implementation, which is included in the specification, but it's it's not always such It may not contain good behavior. So we synthesize these parameters to get non-blocking this and I Want the specification to be included in the implementation and okay to complexity rise from NP takes time And yeah, what I didn't show you today is that these properties simulation equivalence and non-blocking this are preserved in program semantics So this is not revealed so that I showed for the shrunk automaton, but in this concrete semantics It's these properties are preserved So from a technical point of view, I think what I find interesting is this relation between Zones shrunk by parameters and max plus algebra, which was unexpected for me And so we in order to deal with These zones shrunk by parameters. We use difference band matrices With a pyramid parameterized max plus expressions. So this is a new data structure And I believe it can be used for many other problems of this type We all have results and robots controller synthesis using this data structure Okay, thank you for your attention