
EECS 598-005 Hybrid Systems: Specification, Verification and Control, Fall 2013
Lecture Notes 3, Necmiye Ozay, 9/11/2013

These notes are mostly based on chapter 3 of [1]. Another good read on safety and liveness properties is the paper by Alpern and Schneider [2].

Linear-time properties

Definition 1 A linear-time property P over atomic propositions AP is a set of infinite words over $2^{AP}$ (i.e., $P \subseteq (2^{AP})^\omega$).

Example 1 Let AP = {r, y, g}. The following are linear-time properties:

$P_1 = \{A_0 A_1 A_2 \ldots \in (2^{AP})^\omega \mid \forall j \ge 0,\ A_j \notin \{\{r, g\}, \{r, y, g\}\}\}$

$P_2 = \{A_0 A_1 A_2 \ldots \in (2^{AP})^\omega \mid \text{for infinitely many } j \ge 0,\ A_j = \{g\}\}$

$P_3 = \{A_0 A_1 A_2 \ldots \in (2^{AP})^\omega \mid \forall (j \ge 0 \text{ s.t. } A_j = \{g\}),\ A_{j+1} = \{r\}\}$

$P_4 = \{A_0 A_1 A_2 \ldots \in (2^{AP})^\omega \mid A_0 \ne \{r\}\}$

Consider the infinite word $\sigma = \{g\}\{r\}\{g\}\{r\}\{g\}\{r\} \ldots$ over AP; then $\sigma \in P_1$, $\sigma \in P_2$, $\sigma \in P_3$, and $\sigma \in P_4$. Consider the infinite word $\sigma' = A'_0 A'_1 A'_2 \ldots$ over AP, where $A'_j = \{g\}$ if $j = 0$ or $j$ is a prime number, and $A'_j = \{r\}$ otherwise; then $\sigma' \in P_1$, $\sigma' \in P_2$, $\sigma' \notin P_3$, and $\sigma' \in P_4$. When the atomic propositions in AP = {r, y, g} correspond to "red light is on", "yellow light is on" and "green light is on" respectively, $P_1$ is the set of all sequences in which the red and green lights are never simultaneously on; $P_2$ is the set of all sequences in which there are infinitely many instants where only the green light is on; $P_3$ is the set of sequences in which every instant where only the green light is on is immediately followed by an instant where only the red light is on; and $P_4$ is the set of sequences that do not start with only the red light on.
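As an added example (not from the notes), the four properties of Example 1 as membership tests on eventually periodic words prefix.loop^ω in Python; σ = ({g}{r})^ω is represented exactly this way, and the two further words are constructed for contrast.

```python
# Letters of the alphabet 2^AP are frozensets over AP = {r, y, g}; an eventually periodic
# infinite word prefix.loop^omega is represented by the pair (prefix, loop) of letter lists.
R, Y, G = frozenset("r"), frozenset("y"), frozenset("g")

def letter(j, prefix, loop):
    """The j-th letter A_j of prefix.loop^omega (loop must be non-empty)."""
    return prefix[j] if j < len(prefix) else loop[(j - len(prefix)) % len(loop)]

def in_P1(prefix, loop):
    """Never red and green on at the same time: no letter contains both r and g."""
    return all(not {"r", "g"} <= A for A in prefix + loop)

def in_P2(prefix, loop):
    """Infinitely many j with A_j = {g}: exactly when the repeated loop contains {g}."""
    return G in loop

def in_P3(prefix, loop):
    """Every {g} is immediately followed by {r}; one unrolling of the loop covers all
    positions, since the successor of the last loop letter is the first loop letter."""
    n = len(prefix) + len(loop)
    return all(letter(j + 1, prefix, loop) == R
               for j in range(n) if letter(j, prefix, loop) == G)

def in_P4(prefix, loop):
    """The word does not start with only the red light on."""
    return letter(0, prefix, loop) != R

def membership(prefix, loop):
    """Which of P1..P4 the word prefix.loop^omega belongs to."""
    checks = [("P1", in_P1), ("P2", in_P2), ("P3", in_P3), ("P4", in_P4)]
    return {name: check(prefix, loop) for name, check in checks}

# sigma = ({g}{r})^omega from Example 1, plus two constructed words for contrast
SIGMA = ([], [G, R])
ONLY_RED = ([], [R])            # red forever: violates P2 and P4
RED_THEN_G_Y = ([R], [G, Y])    # red once, then green/yellow alternating: violates P3, P4

if __name__ == "__main__":
    for name, (prefix, loop) in [("sigma", SIGMA), ("r^omega", ONLY_RED),
                                 ("r.(g y)^omega", RED_THEN_G_Y)]:
        print(name, membership(prefix, loop))
```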

Remark 1 For AP = {r, y, g}, $2^{AP} = \{\emptyset, \{r\}, \{g\}, \{y\}, \{r, g\}, \{r, y\}, \{g, y\}, \{r, y, g\}\}$. Recall the set notation for evaluation functions of propositions that we discussed in lecture 2. Each $A \in 2^{AP}$ corresponds to an evaluation (valuation or interpretation) for AP. For instance $A = \{r, g\}$ corresponds to the evaluation function that maps r to True, y to False and g to True. Therefore, with a slight abuse of notation, we will use $A = \{r, g\}$ or $A = \{r, \neg y, g\}$ interchangeably as labels (both in class and possibly in these notes). The meaning should be clear from context.

Remark 2 These properties are called linear-time because they are defined in terms of sets of sequences, and sequences are considered to be linear objects. In linear time, at each moment there is only one possible future. There are also branching-time properties (and logics for expressing such properties) where each element of the property set is an infinite tree. In branching time, at each moment, time may split into alternate courses representing different possible futures.¹ Linear-time properties can be considered a special case of branching-time properties with branching factor equal to 1.

1.1 Satisfaction of linear-time properties by transition systems

Definition 2 Given an LT property P over AP and a transition system $TS = (S, Act, \to, I, AP, L)$, the transition system TS is said to satisfy the property P (denoted by $TS \models P$) if and only if $Traces(TS) \subseteq P$.

Example 2 Consider the following transition system $TS = (S, Act, \to, I, AP, L)$ modeling a traffic light with AP = {r, y, g}:

[Figure: transition system with states q1 (label {r}), q2 (label {r, y}), and q3, q4 (labels {g} and {y}); the transitions and the initial state are not recoverable from the extracted text.]

Then, $TS \models P_1$, $TS \models P_2$, $TS \models P_3$, and $TS \models P_4$.

¹ From Emerson and Halpern, "Sometimes" and "Not Never" Revisited: On Branching versus Linear Time Temporal Logic, JACM, 1986.

Theorem 1 Let $TS_1$ and $TS_2$ be transition systems without terminal states and with the same set AP of atomic propositions. Then the following statements are equivalent:

1. $Traces(TS_1) \subseteq Traces(TS_2)$ (this condition is called trace inclusion);
2. For any LT property P over AP: $TS_2 \models P$ implies $TS_1 \models P$.

Corollary 1 Let $TS_1$ and $TS_2$ be transition systems without terminal states and with the same set AP of atomic propositions. Then the following statements are equivalent:

1. $Traces(TS_1) = Traces(TS_2)$ (this condition is called trace equivalence);
2. $TS_1$ and $TS_2$ satisfy the same LT properties.

One of the factors on which the complexity of verification algorithms for satisfaction of LT properties by transition systems depends is the size (e.g., number of states, number of transitions, etc.) of the transition system. If there is a trace inclusion or trace equivalence relation between two transition systems, and one of them is smaller than the other, the above results can be used to draw conclusions about the behaviors of the larger system by doing verification on the smaller system (sometimes leading to significant computational gains).
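An added Python example, not from the notes: Definition 2 checked on a constructed three-state system whose states, labels and transitions are assumptions of the example (it is not the traffic light of Example 2). Only reachable states contribute to Traces(TS), so $P_1$, $P_3$ and $P_4$ reduce to reachability checks, while $P_2$ needs a search for a reachable cycle that avoids {g}-states.

```python
from collections import deque

# Constructed toy transition system over AP = {r, y, g} (not the figure of Example 2).
# Actions are dropped since traces only record labels; no state is terminal, so every
# path is infinite and Traces(TS) is a set of infinite words over 2^AP.
R, Y, G = frozenset("r"), frozenset("y"), frozenset("g")
TS = {
    "I": {"s0"},                                                # initial states
    "L": {"s0": G, "s1": R, "s2": Y},                           # labelling L(s)
    "succ": {"s0": {"s1"}, "s1": {"s0", "s2"}, "s2": {"s1"}},   # transition relation
}

def reachable(ts):
    """States reachable from I (breadth-first); only these contribute to Traces(TS)."""
    seen, todo = set(ts["I"]), deque(ts["I"])
    while todo:
        for t in ts["succ"][todo.popleft()]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def sat_P1(ts):
    """TS |= P1 (never r and g together) iff no reachable label contains both."""
    return all(not {"r", "g"} <= ts["L"][s] for s in reachable(ts))

def sat_P3(ts):
    """TS |= P3 iff every reachable {g}-state has only {r}-labelled successors."""
    return all(ts["L"][t] == R
               for s in reachable(ts) if ts["L"][s] == G for t in ts["succ"][s])

def sat_P4(ts):
    """TS |= P4 (no trace starts with {r}) iff no initial state is labelled {r}."""
    return all(ts["L"][s] != R for s in ts["I"])

def sat_P2(ts):
    """TS |= P2 (infinitely often {g}) iff no reachable cycle avoids {g}-states, since
    a {g}-free reachable cycle gives a trace with only finitely many {g}. DFS colouring."""
    nodes = {s for s in reachable(ts) if ts["L"][s] != G}
    colour = {}
    def on_cycle(s):
        colour[s] = "grey"
        for t in ts["succ"][s]:
            if t in nodes and (colour.get(t) == "grey" or (t not in colour and on_cycle(t))):
                return True
        colour[s] = "black"
        return False
    return not any(s not in colour and on_cycle(s) for s in nodes)
```

For the constructed system the cycle s1, s2, s1 never shows {g}, so $TS \not\models P_2$ although the other three properties hold.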

1.2 Types of linear-time properties

Definition 3 An LT property $P_{inv}$ over AP is an invariant (or invariance property) if there is a propositional logic formula $\Phi$ over AP such that $P_{inv} = \{A_0 A_1 A_2 \ldots \in (2^{AP})^\omega \mid \forall j \ge 0,\ A_j \models \Phi\}$. The formula $\Phi$ is called an invariant condition for $P_{inv}$. Invariance properties with invariant condition $\Phi$ will be denoted as $P_\Phi$ for simplicity.

Example 3 $P_1$ in Example 1 is an invariance property with invariant condition $\Phi = \neg(r \wedge g)$.

Definition 4 An LT property $P_{safe}$ over AP is a safety property if there exists a set of finite strings $L \subseteq (2^{AP})^*$ such that

$$(2^{AP})^\omega \setminus P_{safe} = L.(2^{AP})^\omega. \quad (1)$$

Here $L.(2^{AP})^\omega = \{\sigma w \in (2^{AP})^\omega \mid \sigma \in L \text{ and } w \in (2^{AP})^\omega\}$. Any finite word $\sigma \in L$ is a bad prefix of $P_{safe}$. The set of all bad prefixes (i.e., the largest possible L) is denoted by $BadPref(P_{safe})$.

Safety properties roughly say "nothing bad ever happens". For a given safety property $P_{safe}$, all infinite words not in $P_{safe}$ (the left-hand side of (1)) have a bad prefix: a prefix that cannot be completed in any way to a word that is in $P_{safe}$.

Example 4 $P_1$ in Example 1 is a safety property. Indeed, any invariance property $P_\Phi$ is a safety property with $BadPref(P_\Phi) = \{w_0 A w_1 \in (2^{AP})^* \mid w_0, w_1 \in (2^{AP})^*,\ A \not\models \Phi\}$.

Example 5 $P_3$ in Example 1 is a safety property with $BadPref(P_3) = \{w_1 A A' w_2 \in (2^{AP})^* \mid w_1, w_2 \in (2^{AP})^*,\ A = \{g\},\ A' \ne \{r\}\}$.

Example 6 $P_4$ in Example 1 is a safety property with $BadPref(P_4) = \{A w \in (2^{AP})^* \mid w \in (2^{AP})^*,\ A = \{r\}\}$.

Example 7 $P = (2^{AP})^\omega$ is a safety property with $BadPref(P) = \emptyset$.
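An added Python example (not part of the notes) that turns the BadPref characterizations of Examples 4 to 6 into finite-prefix tests and applies them to the word σ' of Example 1; the prime-number helper and the 64-letter scanning horizon are assumptions of the example.

```python
from itertools import islice

# Letters are frozensets over AP = {r, y, g}; finite words are lists of letters.
R, G = frozenset("r"), frozenset("g")

def bad_prefix_invariant(word, phi):
    """BadPref(P_Phi) = { w0 A w1 | A does not satisfy Phi }: some letter of the finite
    word violates phi, a Python predicate on a letter standing in for the formula Phi."""
    return any(not phi(A) for A in word)

def bad_prefix_P3(word):
    """BadPref(P3) = { w1 A A' w2 | A = {g}, A' != {r} }: a {g} not followed by {r}."""
    return any(A == G and B != R for A, B in zip(word, word[1:]))

def bad_prefix_P4(word):
    """BadPref(P4) = { A w | A = {r} }: the word starts with only red on."""
    return len(word) > 0 and word[0] == R

def shortest_bad_prefix(letters, is_bad, horizon=64):
    """Shortest bad prefix of an infinite word (an iterator of letters) found within the
    first `horizon` letters, or None. Extending a bad prefix keeps it bad, so the first
    prefix reported is the minimal one; None only means none was seen within the horizon."""
    prefix = []
    for A in islice(letters, horizon):
        prefix.append(A)
        if is_bad(prefix):
            return prefix
    return None

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def prime_word():
    """The word sigma' of Example 1: A_j = {g} if j = 0 or j is prime, else A_j = {r}."""
    j = 0
    while True:
        yield G if j == 0 or is_prime(j) else R
        j += 1

def phi_1(A):
    """Invariant condition of P1 from Example 3: not (r and g)."""
    return not ({"r", "g"} <= A)

# P2 (infinitely often {g}) has no bad prefix at all: any finite word w extends to
# w.{g}^omega, which lies in P2, so no finite prefix can ever witness a violation of P2.
```

Scanning σ' finds the bad prefix {g}{r}{g}{g} for $P_3$ at positions 2 and 3 (both prime), while no prefix of σ' is bad for $P_1$ or $P_4$, matching the memberships stated in Example 1.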

References

[1] Baier, Christel, and Joost-Pieter Katoen. Principles of Model Checking. Cambridge, MA: MIT Press, 2008.

[2] Alpern, Bowen, and Fred B. Schneider. Defining liveness. Information Processing Letters 21, no. 4 (1985): 181-185.
