VeriSiMPL: Verification via biSimulations of MPL Models

VeriSiMPL (“very simple”) is a software tool to obtain finite abstractions of Max-Plus-Linear (MPL) models. MPL models (Sec. 2), specified in MATLAB, are abstracted to Labeled Transition Systems (LTS). The LTS abstraction is formally put in relationship with the concrete MPL model via a (bi)simulation relation. The abstraction procedure (Sec. 3) runs in MATLAB and leverages sparse representations, fast manipulations based on vector calculus, and optimized data structures such as Difference-Bound Matrices. LTS abstractions can be exported to structures defined in the PROMELA language. This enables the verification of MPL models against temporal specifications within the SPIN model checker (Sec. 4). The toolbox is available at http://sourceforge.net/projects/verisimpl/ 1 Motivations and Goals Max-Plus-Linear (MPL) models are discrete-event systems [1],[5] with continuous variables that express the timing of the underlying sequential events. MPL models are employed to describe the timing synchronization between interleaved processes, and as such are widely employed in the analysis and scheduling of infrastructure networks, such as communication and railway systems [2] and production and manufacturing lines [1],[6]. They are related to a subclass of Timed Petri Nets, namely Timed-Event Graphs [1]. MPL models are classically analyzed by algebraic [7] or geometric techniques [8] over the max-plus algebra, which allows investigating properties such as transient and periodic regimes [1], or ultimate dynamical behavior [9]. They can be simulated via the max-plus toolbox Scilab [3]. The recent work in [4] has explored a novel, alternative approach to analysis, which is based on finite-state abstractions of MPL models. The objective of this new approach is to allow a multitude of available tools that has been developed for finite-state models to be employed over MPL systems. We are in particular interested downstream in the Linear Temporal Logic (LTL) model checking of MPL models via LTS abstractions. This article presents VeriSiMPL, a software toolbox that implements and tests the abstraction technique in [4]. 2 Nuts and bolts of Max-Plus-Linear models Define IRε and ε respectively as IR ∪ {ε} and −∞. For a pair x, y ∈ IRε, we define x ⊕ y = max{x, y} and x ⊗ y = x + y. Max-plus algebraic operations are extended to matrices as follows: if A,B ∈ IR ε and C ∈ IR n×p ε , then [A ⊕ B](i, j) = A(i, j) ⊕ B(i, j) and [A ⊗ C](i, j) = ⊕n k=1 A(i, k) ⊗ C(k, j), for all i, j. An MPL model [1, Corollary 2.82] is defined as: x(k) = A⊗ x(k − 1)⊕B ⊗ u(k), ⋆ The authors are with the Delft Center for Systems & Control, TU Delft. ⋆⋆ A. Abate is also with the Department of Computer Science, University of Oxford. where A ∈ IR ε , B ∈ IR n×m ε , x(k) ∈ IR n ε , u(k) ∈ IR m ε , for k ∈ IN. In this work, the state and input spaces are taken to be IR and IR, respectively: the independent variable k denotes an increasing discrete-event counter, whereas the n-dimensional state variable x defines the (continuous) timing of the discrete events and the m-dimensional input u characterizes external schedules. If the input matrix B contains at least a finite (not equal to ε) element, the MPL model is called nonautonomous, otherwise it is called autonomous since it evolves under no external schedule. Nonautonomous models embed nondeterminism in the form of a controller input. Implementation: VeriSiMPL accepts MPLmodels written in MATLAB [10]. For practical reasons, the state matrix A is assumed to be row-finite, namely characterized in each row with at least one element different from ε. Example: Consider the following two-dimensional autonomous MPL model from [1, p. 4], representing the scheduling of train departures from two connected stations i = 1, 2 (event k denotes the k-th departure at time xi(k) for station i):