

Observability of Hybrid Automata by Abstraction ⋆

A. D’Innocenzo, M.D. Di Benedetto, and S. Di Gennaro

Department of Electrical Engineering and Computer Science, University of L'Aquila. adinnoce,dibenede,[email protected]

Abstract. In this paper, we deal with the observability problem of a class of Hybrid Systems whose output is a timed string on a finite alphabet. We determine under which conditions it is always possible to immediately detect, using the observed output, when the system enters a given discrete state. We illustrate how to construct a Timed Automaton that is an abstraction of the given Hybrid System, and that preserves its observability properties. Moreover, we propose a verification algorithm with polynomial complexity for checking the observability of the Timed Automaton, and a constructive procedure for an observer of the discrete state.

1 Introduction

The issue of observability is an interesting open problem in the context of Hybrid Systems, whose significance is widely recognized in safety critical applications (e.g. Air Traffic Management) or failure detection applications (e.g. software monitoring and telecommunications). Observability of Hybrid Systems was extensively studied in the literature (see e.g. [3], [8], [14] and [17]), while observer design was considered e.g. in [4]. In this work, we provide a definition of observability of a hybrid system with respect to a discrete state (or set of discrete states): given a hybrid model, we mark as "critical" some discrete states that correspond to an unsafe behavior or to a failure. For each of such critical locations, the system is required to be observable.

In [9] and [10], Hybrid Systems with no Guards and Resets were considered and the discrete outputs of the system were used to characterize observability of a discrete location. The continuous inputs and outputs were used to enrich the measurable information with new discrete outputs (signatures) characteristic of a specific continuous dynamics. However, the generation of a signature requires a finite and non-zero time, so that the detection of an unsafe operation or a failure is given with delay. In this paper, we analyze observability of Hybrid Systems where the observable output is a timed string on a finite alphabet, the discrete transitions are triggered by guards and resets, and no continuous and discrete disturbances are present. The discrete transitions are possibly non deterministic if the guard sets intersect, and we

⋆ This work has been partially supported by the European Commission under NoE HYCON (contract n. 511368)

suppose that a transition may not occur even if the continuous state enters a guard set. Also, no delay is accepted for the detection of a critical location. Building upon the results achieved in [5], [11] and [18] on reachability in a given time interval of Continuous and Hybrid Systems, the basic idea is to abstract a Hybrid Automaton $H$ by a Timed Automaton $T$, so that the timed output language generated by the former is contained in or equal to the timed output language generated by the latter. In other words, we propose a procedure to construct a Timed Automaton that is an abstraction of the given Hybrid Automaton and preserves observability of a given discrete state. Necessary and sufficient observability conditions for a class of Timed Automata are given, and we prove that observability of the given Hybrid Automaton is implied by observability of the constructed Timed Automaton.

In Section 2, we define the class of Hybrid Systems of interest, the languages given by all timed executions and the associated timed observations. Then, we define observability of a given discrete state. In Section 3, we define a class of Timed Automata, provide necessary and sufficient observability conditions, and propose an algorithm with polynomial complexity to verify observability of a given discrete state. We also relate this work to the results obtained in [16] on Diagnosability of Timed Automata. Moreover, we construct an observer of a given discrete state. In Section 4, we provide a procedure to construct a Timed Automaton from a given Hybrid Automaton, and prove that observability of the former implies observability of the latter. Some concluding remarks are offered in the last section.

2 Basic definitions

2.1 Hybrid Automata

We consider a class of Hybrid Systems, where the continuous state evolves following linear autonomous dynamics, and the discrete state evolution depends only on the continuous state according to guard maps, possibly with non deterministic transitions. We suppose that the only measurable output is the discrete one (the continuous output is not measurable), so that the observed output is a timed string on a finite alphabet. Formally,

Definition 1. A Hybrid Automaton is a tuple $H = (\Xi, \Xi_0, S, E, \Sigma, \eta, G, Inv, R)$ (see [13]) where:

– $\Xi = Q \times X$ is the hybrid state space, where $Q$ is a finite set of discrete states $q_1, q_2, \dots, q_N$, and $X \subseteq \mathbb{R}^n$ is the continuous state space.

– $\Xi_0 = Q_0 \times X_0 \subseteq Q \times X$ is the set of initial discrete and continuous conditions.

– $S$ associates to each discrete state $q \in Q$ autonomous continuous-time linear dynamics $\dot{x} = A(q)x$, where $A(q) \in \mathbb{R}^{n \times n}$.

– $\Sigma$ is the finite alphabet of discrete output symbols $\{\varepsilon, \sigma_1, \sigma_2, \dots, \sigma_r\}$, where $\varepsilon$ is the null symbol that corresponds to an unobservable output.

– $E \subseteq Q \times Q$ is a collection of edges.

– $\eta : E \to \Sigma$ is the output function.

– $G : E \to 2^X$ associates a guard set to each edge.

– $Inv : Q \to 2^X$ is the invariant mapping.

– $R : X \times E \to 2^X$ is the reset mapping.

Note that the discrete output symbols are associated with discrete transitions, and not with discrete states. We assume that $Inv(q) = X$, $\forall q \in Q$, and that guard conditions are enabling conditions: even if the continuous state enters a guard set, the corresponding transition may not take place. This assumption guarantees that the system is non-blocking. Moreover, we assume that there is no cycle of edges associated with unobservable output. Let $E_{q\to} = \{(q, \bar q) \in E : \bar q \in Q\}$ be the set of all edges starting from $q$, and $E_{\to q} = \{(\bar q, q) \in E : \bar q \in Q\}$ the set of all edges ending in $q$. Furthermore, let $E^{\varepsilon}_{q\to} = \{e \in E_{q\to} : \eta(e) = \varepsilon\}$ be the set of all edges starting from $q$ and whose output is the empty string, and $E^{\varepsilon}_{\to q} = \{e \in E_{\to q} : \eta(e) = \varepsilon\}$ the set of all edges ending in $q$ and whose output is the empty string.

We introduce a hybrid time basis $\tau = \{I_i\}_{i \ge 0}$ of $H$ as a finite or infinite sequence of intervals $I_i = [t_i, t'_i]$ such that [13]

1. $I_i$ is closed if $\tau$ is infinite; $I_i$ might be right-open if it is the last interval of a finite sequence $\tau$;

2. $t_i \le t'_i$ for all $i$ and $t'_{i-1} \le t_i$ for $i > 0$.

An execution of $H$ is a collection $\chi = (\tau, x, q)$, with $x, q$ satisfying the continuous and discrete dynamics of $H$ and their interactions (Invariant, Guard and Reset functions). To each execution $\chi$ we associate a unique timed string $\rho$ as a finite or infinite sequence $q(I_0), \Delta_0, q(I_1), \Delta_1, \dots$ where $q(I_i) \in Q$ and $\Delta_i = (t_{i+1} - t_i) \in \mathbb{R}^+ \cup \{0, \infty\}$. Namely, $\rho$ is a timed execution of the discrete state of $H$, where $q(I_i)$ is the discrete state in the time interval $I_i = [t_i, t_{i+1})$ and $\Delta_i$ the dwell time in that state. We define $L(H)$ the language of all finite prefixes of all timed executions $\rho$ associated to all executions $\chi$ of $H$. Given a discrete state $q_c \in Q$, we define $L_{q_c}(H)$ the language of timed strings $\rho$ in $L(H)$ such that the last discrete state visited is $q_c$. More formally

$$L_{q_c}(H) = \{\rho = q(I_0), \Delta_0, \dots, q(I_s), \Delta_s \in L(H) : q(I_s) = q_c,\ \Delta_s \in \mathbb{R}^+\}$$

Clearly,

$$L_{q_i}(H) \cap L_{q_j}(H) = \emptyset$$

for each $q_i \neq q_j$ with $i, j = 1, \dots, N$ and $i \neq j$. Furthermore,

$$\bigcup_{q \in Q} L_q(H) = L(H)$$

Thus, $L_{q_i}(H)$ for $i = 1, \dots, N$ partitions $L(H)$. Let $\bar Q \subseteq Q$. Then,

$$L_{\bar Q}(H) = \bigcup_{q \in \bar Q} L_q(H)$$

Given a finite discrete execution $\rho = q(I_0), \Delta_0, \dots, q(I_s), \Delta_s$ we define the associated observed timed string as follows. Consider the projection $P(\rho)$, obtained from $\rho$ first by replacing $q(I_0)$ with $\varepsilon$ and $q(I_i)$ with $\sigma_i = \eta(q(I_{i-1}), q(I_i))$ for $i = 1, \dots, s$, then by erasing all $\varepsilon$ (unobservable) symbols and adding the delays between successive symbols. The resulting string is a finite sequence $P(\rho) = \Delta_0, \sigma_1, \Delta_1, \dots, \sigma_{s'}, \Delta_{s'}$ with $s' \le s$ and $\Delta_{s'} \ge \Delta_s$. We call $P(\rho)$ the observed output timed string of $\rho$, and $\mathcal{P}(H) = \{P(\rho) : \rho \in L(H)\}$ the language given by the projections of all strings in $L(H)$. $\mathcal{P}(H)$ is the language that contains all finite length observed output timed strings of $H$.

2.2 Observability of Hybrid Automata

Given a Hybrid Automaton $H$ and a discrete state $q_c \in Q$, our objective is to detect immediately whether the current state is $q_c$. This property of $q_c$ is called observability and is formally defined as follows:

Definition 2. Given a Hybrid Automaton $H$, a discrete state $q_c \in Q$ is observable if

$$\rho \in L_{q_c}(H),\ \rho' \in L(H) \setminus L_{q_c}(H) \Rightarrow P(\rho) \neq P(\rho') \tag{1}$$

Definition 2 states that a state $q_c$ is observable if, for each execution that drives the system to $q_c$, there exists no other execution with the same observed output such that the system may be in a different discrete state at the same time. In other words, a state $q_c$ is observable if, for each execution of $H$, the timed output of the system allows to detect at each time instant whether the current state is $q_c$. Conversely, if the condition of Definition 2 does not hold, there exist two executions $\rho'$ and $\rho''$ of the same time length $t$ and the same observed output such that, at time $t$, the current state is respectively $q' = q_c$ for the execution $\rho'$, and $q'' \neq q_c$ for the execution $\rho''$. It is then clearly impossible to decide whether the system is currently in $q_c$ at time $t$.

If we are interested in detecting immediately whether the current state belongs to a set $Q_c$, then a similar definition can be given:

Definition 3. Given a Hybrid Automaton $H$, the set $Q_c \subset Q$ is observable if

$$\rho \in L_{Q_c}(H),\ \rho' \in L(H) \setminus L_{Q_c}(H) \Rightarrow P(\rho) \neq P(\rho')$$

Our results are given with respect to Definition 2 but can be trivially extended to Definition 3 (see Section 4).

Given a Hybrid Automaton $H$, an observer of the discrete state $q_c$ is a decision block whose input is the timed observed output of $H$ and whose output is 1 (or true) if the current state of $H$ is $q_c$ and 0 (or false) if the current state of $H$ is not $q_c$.

Definition 4. Given a Hybrid Automaton $H$, an observer of the discrete state $q_c \in Q$ is a function $O : \mathcal{P}(H) \to \{0, 1\}$ such that

$$O(P(\rho)) = \begin{cases} 1 & \text{if } \rho \in L_{q_c}(H) \\ 0 & \text{if } \rho \notin L_{q_c}(H) \end{cases}$$

The following proposition formalizes the equivalence between observability and the existence of an observer.

Proposition 1. Given a Hybrid Automaton $H$, a state $q_c$ is observable if and only if an observer of $q_c$ exists.

3 Observability of Timed Automata

The flow chart diagram in Figure 1 shows the whole verification procedure of observability of a discrete state $q_c$ of a given Hybrid Automaton $H$. The first step is the construction of an abstraction $T$ of $H$: Algorithm 4 will be defined in Section 4, and we will see that $T$ belongs to a special class of Timed Automata. In this section, we first define this class. Then, starting from $T$, we show in Algorithm 1 how to construct a system $\tilde T$ that does not contain unobservable outputs and preserves the observability property of $T$. Algorithm 3 applied to the system $T$ or $\tilde T$ verifies whether a given discrete state $q_c$ is observable for $T$. Once we have solved the observability problem on the special class of timed automata of interest, we will state in Section 4 the main result of this work: observability of $T$ implies observability of $H$.

Fig. 1. Verification procedure of observability for the Hybrid Automaton H

A Timed Automaton is a class of Hybrid Automata where the dynamics of the continuous variables have constant slope 1 for each discrete location (e.g. clocks), the initial continuous state is a singleton set for each discrete location, the guards are rectangular sets, and the reset map is a function (deterministic reset):

Definition 5. A Timed Automaton $T$ is a Hybrid Automaton $H$ such that [1]:

– the continuous state space $X = (\mathbb{R}^+)^n$.

– for all $q_0 \in Q_0$, if $(X_0, q_0) \subset \Xi_0$ then $X_0$ is a singleton set.

– $S = S_I$ is such that $A(q) = I_{n \times n}$ $\forall q \in Q$.

– for any edge $e$ the set $G(e)$ is a rectangular set.

– for any discrete state $q$ the set $Inv(q)$ is a rectangular set.

– for any edge $e$ and any $x \in G(e)$ the set $R(x, e)$ is a singleton set.

As such, definitions of executions and languages $L(T)$ and $\mathcal{P}(T)$, and of observability and observer can be given as in the previous section.

Remark 1. In [16] a procedure is proposed to verify if a Timed Automaton is diagnosable, and it is proved that the diagnosability verification problem is in PSPACE. By Definitions 2 and 4, and by definition of 0-Diagnosability ([16]), it is possible to prove that, given a Timed Automaton $T$, a discrete state $q_c \in Q$ is observable if and only if all edges $e \in E_{\to q} \cup E_{q\to}$ are 0-Diagnosable.

As a consequence of Remark 1, the observability verification problem of Timed Automata is in PSPACE. However, the Timed Automaton $T$ that will be constructed in Section 4 as an abstraction of a given Hybrid Automaton $H$ has the following properties: $X = \mathbb{R}^+$, $Inv(q) = X$ $\forall q \in Q$, and $R(x, e) = 0$ $\forall e \in E, x \in G(e)$. We will prove in Proposition 5 that the observability verification problem for this subclass of Timed Automata is in PTIME. To this purpose, we first introduce a procedure (Algorithm 1) that constructs, given $T$, a Timed Automaton $\tilde T$ without unobservable outputs, such that $q_c$ is observable for $T$ if and only if $q_c$ is observable for $\tilde T$. This procedure is necessary since Algorithm 3, proposed later for checking observability of a state of $T$, can only be applied if the system does not contain edges associated to unobservable outputs. Removing unobservable edges from a Discrete Event System in order to preserve the output language is a classical problem [15]. We define here a procedure to preserve the output timed language of a Timed Automaton. Under the assumption that the guard sets are rectangular time intervals on $\mathbb{R}^+$ of the type $G(e) = \bigcup_{k=1}^{K} \langle a_k, b_k \rangle$, we define a sum operation:

$$G(e') + G(e'') = \bigcup_{k'=1}^{K'} \bigcup_{k''=1}^{K''} \langle a'_{k'} + a''_{k''},\ b'_{k'} + b''_{k''} \rangle$$

where $\langle \cdot, \cdot \rangle$ can be open or closed intervals. It is easy to prove that $G(e') + G(e'')$ is still a rectangular interval, and that the commutative, associative and transitive properties hold. Given a sequence of edges $e_1, \dots, e_n$, we define

$$\delta(e_1, \dots, e_n) = \sum_{i=1}^{n} G(e_i)$$

Remark 2. $\delta(e_1, \dots, e_n)$ is a rectangular interval, and

$$t \in \delta(e_1, \dots, e_n) \Leftrightarrow \exists t_1 \in G(e_1), \dots, \exists t_n \in G(e_n) : t = \sum_{i=1}^{n} t_i$$

Algorithm 1. Given a Timed Automaton $T$, define $\tilde T := (\tilde\Xi, \tilde\Xi_0, S, \tilde E, \Sigma, \tilde\eta, \tilde G, \widetilde{Inv}, \tilde R) = T$, then proceed as follows:

1 For all $q \in Q$ such that $E^{\varepsilon}_{q\to} \neq \emptyset$ and $E_{\to q} \setminus E^{\varepsilon}_{\to q} \neq \emptyset$, do:

1.1 For all $e_1 = (q, q_1), \dots, e_n = (q_{n-1}, q_n), e_{n+1} = (q_n, \bar q)$ such that $\eta(e_1) = \dots = \eta(e_n) = \varepsilon$ and $\eta(e_{n+1}) = \sigma \neq \varepsilon$, do:

1.1.1 If there exists no $\tilde e = (q, \bar q)$ in $\tilde E$ such that $\tilde\eta(\tilde e) = \sigma$, then add $\tilde e$ to $\tilde E$, and let $\tilde\eta(\tilde e) = \sigma$ and $\tilde G(\tilde e) = \delta(e_1, \dots, e_{n+1})$.

1.1.2 Else, if $\tilde e = (q, \bar q)$ such that $\tilde\eta(\tilde e) = \sigma$ is in $\tilde E$, then $\tilde G(\tilde e) = \tilde G(\tilde e) \cup \delta(e_1, \dots, e_{n+1})$.

2 Erase all states $q \in \tilde Q$ such that $\tilde E_{\to q} \setminus \tilde E^{\varepsilon}_{\to q} = \emptyset$;

3 Erase all hanging and unobservable edges.

By construction, $\tilde T$ does not contain any edge associated with an unobservable output.

Remark 3. By construction of $\tilde T$, it is possible that some edge $e = (q', q'')$ is associated to many output symbols $\sigma_1, \dots, \sigma_m$ and guards $G(e, \sigma_1), \dots, G(e, \sigma_m)$. In order to associate only a single output symbol and a guard to each edge, we can split $q'$ (or $q''$) in the set of states $q'_1, \dots, q'_m$ such that $\eta(q'_i, q'') = \sigma_i$ and $G(q'_i, q'') = G(e, \sigma_i)$. Since we can equivalently split $q'$ or $q''$, we assume without loss of generality that a critical state $q_c$ is never split in $\tilde T$.

Remark 4. Let $T_\varepsilon$ be the restriction of the graph $(Q, E)$ of $T$ induced by the edges associated with an unobservable output. We define $N_\varepsilon$ the maximum cardinality of the connected components of $T_\varepsilon$: with the assumption that there are no cycles of edges associated to unobservable output, the complexity of Algorithm 1 is polynomial with $N_\varepsilon$.

Remark 5. $E^{\varepsilon}_{\to q_c} = E^{\varepsilon}_{q_c\to} = \emptyset$ is clearly a necessary condition for $q_c$ to be observable. Thus, it is reasonable to apply Algorithm 1 only if $E^{\varepsilon}_{\to q_c} = E^{\varepsilon}_{q_c\to} = \emptyset$, so that $q_c$ is never erased from $\tilde T$.

Proposition 2. Given a Timed Automaton $T$, let $\tilde T$ be obtained by Algorithm 1 and $q_c \in Q$ such that $E^{\varepsilon}_{\to q_c} = E^{\varepsilon}_{q_c\to} = \emptyset$. Then, for each execution $\rho \in L(T)$, there exists an execution $\tilde\rho \in L(\tilde T)$ such that:

1. $P(\rho) = P(\tilde\rho)$;

2. $\rho \in L_{q_c}(T) \Rightarrow \tilde\rho \in L_{q_c}(\tilde T)$ and $\rho \notin L_{q_c}(T) \Rightarrow \tilde\rho \notin L_{q_c}(\tilde T)$.

Vice versa, for each execution $\tilde\rho \in L(\tilde T)$ there exists an execution $\rho \in L(T)$ such that:

1. $P(\rho) = P(\tilde\rho)$;

2. $\tilde\rho \in L_{q_c}(\tilde T) \Rightarrow \rho \in L_{q_c}(T)$ and $\tilde\rho \notin L_{q_c}(\tilde T) \Rightarrow \rho \notin L_{q_c}(T)$.

Proof. Let $\rho \in L(T)$: if there is no edge $e : \eta(e) = \varepsilon$ in $\rho$, then $\tilde\rho = \rho \in L(\tilde T)$, because Algorithm 1 does not modify edges with observable outputs. Otherwise, let $\rho = \dots q_{i-1}, \Delta_{i-1}, q_i, \Delta_i, \dots q_{i+n}, \Delta_{i+n}, q_{i+n+1} \dots$ where $e_k = (q_{k-1}, q_k)$. If $\eta(e_i) = \sigma_i \neq \varepsilon$, $\eta(e_{i+1}) = \dots = \eta(e_{i+n}) = \varepsilon$ and $\eta(e_{i+n+1}) = \sigma_{i+n+1} \neq \varepsilon$, then

$$P(\rho) = \dots \sigma_i, \sum_{k=i}^{i+n} \Delta_k, \sigma_{i+n+1} \dots$$

By construction of $\tilde T$, and for each $\Delta \in \delta(e_{i+1}, \dots, e_{i+n+1})$, there exists a path $\tilde\rho = \dots q_i, \Delta, q_{i+n+1} \dots$ such that $P(\tilde\rho) = \dots, \sigma_i, \Delta, \sigma_{i+n+1}, \dots$. The first part of this proof shows that $\exists \tilde\rho : P(\rho)$ and $P(\tilde\rho)$ are equal for all symbols except $\Delta$. However, Remark 2 shows that $\sum_{k=i}^{i+n} \Delta_k \in \delta(e_{i+1}, \dots, e_{i+n+1})$, thus $\exists \tilde\rho : \Delta = \sum_{k=i}^{i+n} \Delta_k$. Consider now $\rho$ and the constructed string $\tilde\rho$: if $\rho \in L_{q_c}(T)$ then $\tilde\rho \in L_{q_c}(\tilde T)$ because $q_c$ is not erased by Algorithm 1; otherwise, if $\rho \in L_q(T)$ where $q \neq q_c$, then $\tilde\rho \in L_{\tilde q}(\tilde T)$ where $\tilde q = q$ or $q$ is erased by Algorithm 1, and thus $\tilde q \neq q_c$. The inverse can be proved similarly.

Some consequences of Proposition 2 are stated below. In particular, it is possible to study the observability of a given Timed Automaton on a new Timed Automaton without unobservable outputs.

Corollary 1. Given $T$, and $\tilde T$ constructed by Algorithm 1, the following hold:

1. $\mathcal{P}(T) = \mathcal{P}(\tilde T)$.

2. Given a discrete state $q_c \in Q$, then $q_c$ is observable for $T$ if and only if $q_c$ is observable for $\tilde T$.

Proof. (1) By Proposition 2. (2) Let $q_c$ be observable for $T$ but not for $\tilde T$. Then there exist $\tilde\rho', \tilde\rho'' \in L(\tilde T)$ such that $\tilde\rho' \in L_{q_c}(\tilde T)$, $\tilde\rho'' \in L(\tilde T) \setminus L_{q_c}(\tilde T)$ and $P(\tilde\rho') = P(\tilde\rho'')$. By Proposition 2, there exist $\rho'$ and $\rho'' \in L(T)$ such that $\rho' \in L_{q_c}(T)$, $\rho'' \in L(T) \setminus L_{q_c}(T)$ and $P(\rho') = P(\rho'')$, that is a contradiction. The same holds assuming $q_c$ observable for $\tilde T$ but not for $T$.

In what follows, we assume without loss of generality that the Timed Automaton $T$ does not contain any unobservable output symbol. We give now a method for verifying observability of a discrete state $q_c$ of $T$; the idea of the proposed procedure is intuitively described as follows: given $q_c \in Q$ and a pair of initial states $q'_0, q''_0 \in Q_0$, we construct the Timed Automata $T_{q'_0}$ and $T_{q''_0}$, that are equal to $T$ except for the set of initial states: more precisely, $Q'_0 = \{q'_0\}$ and $Q''_0 = \{q''_0\}$. From $T_{q'_0}$ and $T_{q''_0}$, we construct a system $T_{q'_0, q''_0}$, whose discrete state space is $Q \times Q$, and such that $L_{(q_c, q)}(T_{q'_0, q''_0})$ is the language of all executions $\rho' \in L_{q_c}(T_{q'_0})$ and $\rho'' \in L_q(T_{q''_0})$ with $P(\rho') = P(\rho'')$. We will prove that checking emptiness of $L_{(q_c, q)}(T_{q'_0, q''_0})$ for each $q \in Q \setminus \{q_c\}$ and for each $(q'_0, q''_0) \in Q_0 \times Q_0$ verifies observability of $q_c$.

Given two Timed Automata $T_{q'_0}$ and $T_{q''_0}$ as defined above, we propose a procedure to construct a Timed Automaton $T_{q'_0, q''_0}$:

Algorithm 2. Given $T_{q'_0} = (Q \times \mathbb{R}^+, (q'_0, 0), S_I, E, \Sigma, \eta, G, Inv, R)$ and $T_{q''_0} = (Q \times \mathbb{R}^+, (q''_0, 0), S_I, E, \Sigma, \eta, G, Inv, R)$, proceed as follows:

1 Initialize $T_{q'_0, q''_0} := (\hat Q \times \mathbb{R}^+, \hat Q_0 \times \{0\}, S_I, \hat E, \Sigma, \hat\eta, \hat G, \widetilde{Inv}, \hat R)$, where $\hat Q \subseteq Q \times Q$;

2 Initialize $\hat Q = \hat Q_0 := \{(q'_0, q''_0)\}$, $\hat E := \emptyset$;

3 For each unvisited state $\hat q = (q', q'') \in \hat Q$ do:

3.1 For each $e', e'' \in E$ : $e' = (q', \bar q')$, $e'' = (q'', \bar q'')$ $\wedge$ $\eta(e') = \eta(e'') = \sigma$ do:

3.1.1 $\hat Q := \hat Q \cup \{(\bar q', \bar q'')\}$ and $\widetilde{Inv}((\bar q', \bar q'')) = Inv(\bar q') \cap Inv(\bar q'')$;

3.1.2 $\hat E := \hat E \cup \{\hat e\}$, with $\hat e := ((q', q''), (\bar q', \bar q''))$;

3.1.3 $\hat\eta(\hat e) := \sigma$, $\hat G(\hat e) := G(e') \cap G(e'')$ and $\hat R(x, \hat e) = 0$;

3.2 Mark $\hat q$ as visited;

Lemma 1. Given a Timed Automaton $T$ without unobservable outputs and two strings $\rho' = q'_0, \Delta'_0, \dots, q'_s, \Delta'_s$, $\rho'' = q''_0, \Delta''_0, \dots, q''_s, \Delta''_s$ of the language $L(T)$ such that $P(\rho') = P(\rho'')$, then $\Delta'_i = \Delta''_i$ $\forall i = 1, \dots, s$.

Proof. Trivial, because no symbols are erased from $P(\rho')$ and $P(\rho'')$.

Proposition 3. Let $T_{q'_0}$, $T_{q''_0}$ be given and $T_{q'_0, q''_0}$ computed with Algorithm 2, then $\hat\rho \in L_{(q', q'')}(T_{q'_0, q''_0})$ if and only if there exist two executions $\rho' \in L_{q'}(T_{q'_0})$, $\rho'' \in L_{q''}(T_{q''_0})$ such that $P(\rho') = P(\rho'') = P(\hat\rho)$.

Proof. ($\Leftarrow$) Consider the strings $\rho' = q'_0, \Delta_0, q'_1, \Delta_1, \dots, q', \Delta \in L_{q'}(T_{q'_0})$ and $\rho'' = q''_0, \Delta_0, q''_1, \Delta_1, \dots, q'', \Delta \in L_{q''}(T_{q''_0})$ such that $P(\rho') = P(\rho'')$. By construction of $T_{q'_0, q''_0}$, $\hat q_0 = (q'_0, q''_0) \in \hat Q_0$, $\hat q_1 = (q'_1, q''_1) \in \hat Q$ and $\hat e = ((q'_0, q''_0), (q'_1, q''_1)) \in \hat E$. Clearly, $\Delta_0 \in G((q'_0, q'_1)) \cap G((q''_0, q''_1)) = \hat G(\hat e)$, thus the string $\hat\rho = \hat q_0, \Delta_0, \hat q_1, 0 \in L_{(q'_1, q''_1)}(T_{q'_0, q''_0})$. Furthermore, by construction, $\hat\eta(\hat e) = \eta((q'_0, q'_1)) = \eta((q''_0, q''_1))$. Iterating, we construct a string $\hat\rho = \hat q_0, \Delta_0, \dots, \hat q, \Delta \in L_{(q', q'')}(T_{q'_0, q''_0})$ such that $P(\hat\rho) = P(\rho') = P(\rho'')$ and $\hat q = (q', q'')$.

($\Rightarrow$) As above, given $\hat\rho \in L_{(q', q'')}(T_{q'_0, q''_0})$ we can construct $\rho' \in L_{q'}(T_{q'_0})$ and $\rho'' \in L_{q''}(T_{q''_0})$ such that $P(\rho') = P(\rho'') = P(\hat\rho)$.

The following proposition provides necessary and sufficient conditions of observability of $q_c \in Q$:

Proposition 4. Given a Timed Automaton $T$, a discrete state $q_c$ is observable if and only if

$$\forall q \in Q \setminus \{q_c\},\ \forall (q'_0, q''_0) \in Q_0 \times Q_0,\quad L_{(q_c, q)}(T_{q'_0, q''_0}) = \emptyset$$

Proof. (Necessity) Suppose $q_c$ is observable, and suppose there exist $(q'_0, q''_0)$ and $q \neq q_c$ such that $L_{(q_c, q)}(T_{q'_0, q''_0}) \neq \emptyset$: it implies that there exist two executions $\rho'$ starting from $q'_0$ and ending in $q_c$ and $\rho''$ starting from $q''_0$ and ending in $q$ such that $P(\rho') = P(\rho'')$, that is a contradiction.

(Sufficiency) Suppose $q_c$ is not observable. Then there exist two executions $\rho'$ starting from $q'_0$ and ending in $q_c$ and $\rho''$ starting from $q''_0$ and ending in $q$ such that $P(\rho') = P(\rho'')$, thus $L_{(q_c, q)}(T_{q'_0, q''_0}) \neq \emptyset$, that is a contradiction.

Intuitively, we compute, for each pair of initial states $q'_0, q''_0$ and for each $q \neq q_c$, the language $L_{(q_c, q)}(T_{q'_0, q''_0})$, that is the intersection between the language of executions starting from $q'_0$ and ending in $q_c$, and the language of executions starting from $q''_0$ and ending in $q \neq q_c$, such that the observation string is equal. If such language is not empty, there exist two executions with the same observation, such that the first drives the system in $q_c$, but not the second. Checking emptiness of $L_{(q_c, q)}(T_{q'_0, q''_0})$ for each pair $(q'_0, q''_0) \in Q_0 \times Q_0$ and for each $q \in Q \setminus \{q_c\}$ verifies observability of $q_c$. We define now an algorithm that checks if a discrete state $q_c$ is observable for a given Timed Automaton $T$:

Algorithm 3. Let a Timed Automaton $T = (\Xi, \Xi_0, S_I, E, \Sigma, \eta, G, Inv, R)$ be given:

1 For each pair $(q'_0, q''_0) \in Q_0 \times Q_0$ do:

1.1 Compute $T_{q'_0, q''_0}$ by Algorithm 2;

1.2 For each $q \neq q_c$ do:

1.2.1 If $L_{(q_c, q)}(T_{q'_0, q''_0}) \neq \emptyset$, then return False;

2 return True;

Remark 6. Consider a graph $\mathcal{G}$ obtained removing from the graph $(\hat Q, \hat E)$ of $T_{q'_0, q''_0}$ all edges whose guard set is the empty set: it is clear, because of the assumption that the clocks are always reset to zero, that checking emptiness of $L_{(q_c, q)}(T_{q'_0, q''_0})$ can be reduced to a reachability problem on $\mathcal{G}$.

We now show that the complexity of Algorithm 3 is polynomial with the number of discrete states of $T$:

Proposition 5. The observability verification problem for the studied class of Timed Automata is in PTIME.

Proof. The first loop on $Q_0 \times Q_0$ requires $N_0^2$ iterations, where $N_0 = |Q_0| \le |Q| = N$. Algorithm 2 has complexity $o(N^4)$. Remark 6 implies that checking emptiness of $L_{(q_c, q)}(T_{q'_0, q''_0})$ has quadratic complexity with the number of discrete states of $T_{q'_0, q''_0}$, that is $(N^2)^2$. Iterating for each $q \neq q_c$ requires $N - 1$ steps. Therefore, the overall complexity of Algorithm 3 is $o(N_0^2 \cdot N^4 \cdot N^4 \cdot N) \le o(N^{11})$.

We conclude this section proposing an observer of a discrete state of $T$. Given an output string $p = \Delta_0, \sigma_1, \Delta_1, \dots, \sigma_s, \Delta_s$, we define a function $\mathbf{q} : \mathcal{P}(T) \to 2^Q$. For, let $\mathbf{q}_0(p) = Q_0$ and

$$\mathbf{q}_{k+1}(p) = \{\bar q \in Q \mid \exists e \in E,\ q \in \mathbf{q}_k(p) : e = (q, \bar q) \wedge \Delta_k \in G(e) \wedge \eta(e) = \sigma_{k+1}\}$$

for $k = 0, 1, \dots, s$. We define $\mathbf{q}(p) := \mathbf{q}_s(p)$. Clearly, $\mathbf{q}(p) = \{q \in Q \mid \exists \rho \in L_q(T) : P(\rho) = p\}$. That is, $\mathbf{q}(p)$ is the set of discrete states where $T$ can be driven by an execution starting from some $q_0 \in Q_0$ and whose output is $p$. Let us define a function $O_{q_c} : \mathcal{P}(T) \to \{0, 1\}$ as follows:

$$O_{q_c}(P(\rho)) = \begin{cases} 1 & \text{if } \mathbf{q}(P(\rho)) = \{q_c\} \\ 0 & \text{if } \mathbf{q}(P(\rho)) \neq \{q_c\} \end{cases} \tag{2}$$

for each execution $\rho \in L(T)$. The following holds:

Proposition 6. Let $q_c$ be observable for $T$, then $O_{q_c}$ defined by (2) is an observer of the discrete state $q_c$ for $T$.

Proof. It is clear that for each $P(\rho) \in \mathcal{P}(T)$, then $\rho \in L_{\mathbf{q}(P(\rho))}(T)$. Furthermore, let $q_c$ be observable for $T$: Definition 2 clearly implies that if $q_c \in \mathbf{q}(P(\rho))$, then $\mathbf{q}(P(\rho)) = \{q_c\}$. From these considerations it follows that if $\mathbf{q}(P(\rho)) = \{q_c\}$ then $\rho \in L_{q_c}(T)$, and if $\mathbf{q}(P(\rho)) \neq \{q_c\}$ then $\rho \notin L_{q_c}(T)$, thus Definition 4 is fulfilled.
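As an added illustration of Algorithms 2 and 3 (with the reachability reduction of Remark 6) and of the observer of equation (2), not code from the paper: the Python below builds the reachable part of the product graph of $T_{q'_0, q''_0}$ for the one-clock, reset-to-zero subclass of Section 3, decides observability of a state by looking for a reachable pair $(q_c, q)$ with $q \neq q_c$ (returning that pair as a witness, which goes slightly beyond the True/False of Algorithm 3), and evaluates $\mathbf{q}(p)$ and $O_{q_c}$ on an observed timed string. The interval encoding of guards, the two sample automata, their state names and alarm symbols are all constructed for this example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Set, Tuple

# Assumed encoding (not from the paper): one clock reset to 0 on every edge,
# Inv(q) = R+, and each guard a closed interval [a, b] of admissible dwell
# times: the subclass of Timed Automata that Section 3 checks in PTIME.
Interval = Tuple[float, float]
Edge = Tuple[str, str, str, Interval]  # (source, target, output symbol, guard)
Pair = Tuple[str, str]


@dataclass(frozen=True)
class TimedAutomaton:
    initial: Tuple[str, ...]  # Q_0
    edges: Tuple[Edge, ...]   # E, with eta and G folded into each edge


def intersect(g1: Interval, g2: Interval) -> Optional[Interval]:
    """G(e') ∩ G(e'') for closed intervals; None when the intersection is empty."""
    lo, hi = max(g1[0], g2[0]), min(g1[1], g2[1])
    return (lo, hi) if lo <= hi else None


def product_pairs(ta: TimedAutomaton, q0a: str, q0b: str) -> Dict[Pair, Set[Pair]]:
    """Algorithm 2 reduced to the graph Remark 6 needs: the states of
    T_{q0',q0''} reachable from (q0a, q0b), dropping every product edge whose
    guard intersection is empty. Since the clock is reset on each edge, a pair
    (q', q'') is a key of the result iff one observed timed string can drive T
    from q0a to q' and from q0b to q''."""
    adj: Dict[Pair, Set[Pair]] = {}
    queue = deque([(q0a, q0b)])
    while queue:
        pair = queue.popleft()
        if pair in adj:  # already visited
            continue
        adj[pair] = set()
        qa, qb = pair
        for (src_a, dst_a, sym_a, g_a) in ta.edges:
            if src_a != qa:
                continue
            for (src_b, dst_b, sym_b, g_b) in ta.edges:
                if src_b != qb or sym_a != sym_b or intersect(g_a, g_b) is None:
                    continue
                adj[pair].add((dst_a, dst_b))
                queue.append((dst_a, dst_b))
    return adj


def observability_witness(ta: TimedAutomaton, qc: str) -> Optional[Tuple[Pair, Pair]]:
    """Algorithm 3 / Proposition 4. None when qc is observable; otherwise
    ((q0', q0''), (qc, q)) with q != qc, i.e. two executions with the same
    observed output, one currently in qc and the other in q."""
    for q0a in ta.initial:
        for q0b in ta.initial:
            for (qa, qb) in product_pairs(ta, q0a, q0b):
                if qa == qc and qb != qc:
                    return ((q0a, q0b), (qa, qb))
    return None


def is_observable(ta: TimedAutomaton, qc: str) -> bool:
    return observability_witness(ta, qc) is None


def state_estimate(ta: TimedAutomaton, observed: Sequence) -> Set[str]:
    """q(p) of Section 3 for p = Δ0, σ1, Δ1, ..., σs, Δs, passed as a list that
    alternates dwell times and symbols: q_0 = Q_0, and q_{k+1} collects the
    targets of edges leaving q_k with output σ_{k+1} whose guard admits Δ_k."""
    delays, symbols = observed[0::2], observed[1::2]
    current: Set[str] = set(ta.initial)
    for delta, sigma in zip(delays, symbols):
        current = {dst for (src, dst, sym, (a, b)) in ta.edges
                   if src in current and sym == sigma and a <= delta <= b}
    return current


def observer(ta: TimedAutomaton, qc: str, observed: Sequence) -> int:
    """O_qc of equation (2): 1 iff the estimate is exactly {qc}. By
    Proposition 6 this is a correct observer only when qc is observable."""
    return 1 if state_estimate(ta, observed) == {qc} else 0


# Constructed sample: a monitored component raises alarm "a" when it leaves
# "normal" and "b" when it recovers. In AMBIGUOUS the guards of the two "a"
# edges overlap on [2, 3], so dwell 2.5 followed by "a" fits both targets.
AMBIGUOUS = TimedAutomaton(
    initial=("normal",),
    edges=(("normal", "degraded", "a", (1.0, 3.0)),
           ("normal", "failed", "a", (2.0, 5.0)),
           ("degraded", "normal", "b", (0.0, 1.0))))
# DISJOINT: same structure, but the guards [1, 2] and [3, 5] do not intersect.
DISJOINT = TimedAutomaton(
    initial=("normal",),
    edges=(("normal", "degraded", "a", (1.0, 2.0)),
           ("normal", "failed", "a", (3.0, 5.0)),
           ("degraded", "normal", "b", (0.0, 1.0))))

if __name__ == "__main__":
    for name, ta in (("AMBIGUOUS", AMBIGUOUS), ("DISJOINT", DISJOINT)):
        print(name, "witness for failed:", observability_witness(ta, "failed"))
    # The observation 2.5, a, 0.3 leaves AMBIGUOUS undecided, so O_failed
    # returns 0 there even though the component may well have failed.
    print(state_estimate(AMBIGUOUS, [2.5, "a", 0.3]), observer(AMBIGUOUS, "failed", [2.5, "a", 0.3]))
    print(state_estimate(DISJOINT, [3.5, "a", 0.3]), observer(DISJOINT, "failed", [3.5, "a", 0.3]))
```

In AMBIGUOUS only "normal" is observable (its entry is always signalled by "b"), while in DISJOINT every state is, so only there does the observer of equation (2) report "failed" correctly.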

4 Abstraction of Hybrid Automata

In this section, for a given Hybrid Automaton $H$, we propose a procedure to construct a Timed Automaton $T$ that is an abstraction of $H$, and prove that observability of $T$ implies observability of $H$.

Let a discrete state $q \in Q$ and the associated continuous dynamics $\dot{x} = A(q)x$ be given. We define $R_{e_i}(q) = \Re(R(\cdot, e_i))$ as the range of the reset associated to an edge $e_i \in E_{\to q}$ and $G_{e_j}(q) = G(e_j)$ as the domain of the reset associated to an edge $e_j \in E_{q\to}$. Furthermore, we define $R_{e_0}(q_0) = X_0$ for $(X_0, q_0) \in \Xi_0$ as the set of initial continuous states for each initial discrete state.

From [18], given a set of initial states $X_0$, we can define the reach set of the linear system $\dot{x} = Ax$ on the interval $[t_1, t_2]$ as

$$Reach_{[t_1, t_2]}(A, X_0) = \{x_f \in X \mid \exists t \in [t_1, t_2], \exists x_0 \in X_0 : x_f = e^{At} x_0\}.$$

Given a set of final states $X_f \subseteq X$, we define $[t_{min}, t_{max}]$ as the time interval such that

$$\begin{aligned} Reach_{[0, t_{min}]}(A, X_0) \cap X_f &= \emptyset \\ Reach_{[t_{min}, t_{max}]}(A, X_0) \cap X_f &\neq \emptyset \\ Reach_{[t_{max}, \infty)}(A, X_0) \cap X_f &= \emptyset \end{aligned}$$

With the assumption that $X_0, X_f$ are polytopes, and following [18], it is possible to compute an interval $[t^*_{min}, t^*_{max}] \supseteq [t_{min}, t_{max}]$, such that if $e^{At} x_0 \in X_f$ and $x_0 \in X_0$, then $t \in [t^*_{min}, t^*_{max}]$. On the basis of this result, and assuming that $G_{e_j}(q)$ and $R_{e_i}(q)$ are polytopes, it is possible to compute a rectangular time interval $\Delta_{e_i, e_j}(q)$ such that

$$\forall x_0 \in R_{e_i}(q), \forall t \in \mathbb{R}^+ : e^{A(q)t} x_0 \in G_{e_j}(q) \Rightarrow t \in \Delta_{e_i, e_j}(q) \tag{3}$$

The algorithm proposed in [18] is very fast, even for high dimensional continuous state spaces, but there is no analysis on the size of the over-approximation error. Then, in order to calculate $\Delta_{e_i, e_j}(q)$, we can use the result in [5], which provides a procedure to compute a sequence of polytopes (a flow pipe) that are over-approximations of the reach sets

$$Reach_{[0, \Delta t]}(A, X_0),\ Reach_{[\Delta t, 2\Delta t]}(A, X_0),\ \dots$$

for arbitrarily small $\Delta t$. By computing, for each of these sets, the intersection with $X_f$, it is possible to determine each $\Delta_{e_i, e_j}(q)$ with an arbitrarily small error, but with an explosion of the computation time. An interesting point of this method is that it can be applied to non-linear continuous dynamics. Another similar procedure is presented in [11]: with the assumption that $G_{e_j}(q)$ and $R_{e_i}(q)$ are zonotopes (that is a subclass of polytopes), the computation time considerably decreases. In what follows, we assume the knowledge of $\Delta_{e_i, e_j}(q)$ $\forall q \in Q, e_i \in E_{\to q}, e_j \in E_{q\to}$, and of $\Delta_{e_0, e_j}(q_0)$ $\forall q_0 \in Q_0, e_j \in E_{q_0\to}$.

Given a Hybrid Automaton $H$, we now propose an algorithm to construct a Timed Automaton $T$. Then, we will prove that observability of $T$ implies observability of $H$. In this algorithm, we will define a function $\mathcal{T} : \tilde Q \to Q$, that is a surjection from the discrete state space of $T$ to the discrete state space of $H$.

Algorithm 4. Let $H = (Q \times X, Q_0 \times X_0, S, E, \Sigma, \eta, G, Inv, R)$ be a given Hybrid Automaton:

1 Initialize $T := (\tilde Q \times \mathbb{R}^+, \tilde Q_0 \times \{0\}, S_I, \tilde E, \Sigma, \tilde\eta, \tilde G, \widetilde{Inv}, \tilde R)$, where $\tilde Q = \tilde Q_0 = \tilde E = \emptyset$;

2 For each $q_k \in Q$ do:

2.1 Let $E_{\to q_k} = \{e_1, \dots, e_r\}$: assign $\tilde Q := \tilde Q \cup \{q_{k, e_1}, \dots, q_{k, e_r}\}$;

2.2 $\mathcal{T}(q_{k, e_i}) := q_k$ $\forall e_i \in E_{\to q_k}$;

2.3 If $q_k \in Q_0$ then $\tilde Q := \tilde Q \cup \{q_{k, e_0}\}$, $\tilde Q_0 := \tilde Q_0 \cup \{q_{k, e_0}\}$ and $\mathcal{T}(q_{k, e_0}) := q_k$;

3 If $e_j = (q_k, q_{k'}) \in E$ then $(q_{k, e_i}, q_{k', e_j}) \in \tilde E$;

4 $\tilde\eta(q_{k, e_i}, q_{k', e_j}) = \eta((q_k, q_{k'}))$;

5 $\tilde G(q_{k, e_i}, q_{k', e_j}) = \Delta_{e_i, e_j}(q_k)$;

6 $\widetilde{Inv}(q) = \mathbb{R}^+$ $\forall q \in \tilde Q$;

7 $\tilde R(x, e) = 0$ $\forall e \in \tilde E$;

Proposition 7. Given a Hybrid Automaton $H$, let $T$ be obtained by Algorithm 4 and $q_c \in Q$. Then, for each execution $\rho \in L(H)$, there exists an execution $\tilde\rho \in L(T)$ such that

1. $P(\rho) = P(\tilde\rho)$

2. $\rho \in L_{q_c}(H) \Rightarrow \tilde\rho \in L_{\mathcal{T}^{-1}(q_c)}(T)$ and $\rho \notin L_{q_c}(H) \Rightarrow \tilde\rho \notin L_{\mathcal{T}^{-1}(q_c)}(T)$

Proof. Consider the string $\rho = q_{k_0}, \Delta_0, q_{k_1}, \Delta_1, \dots, q_{k_s}, \Delta_s \in L_{q_{k_s}}(H)$ and let $e_1 = (q_{k_0}, q_{k_1}) \in E$. By construction of $T$, $q_{k_0, e_0} \in \tilde Q_0$, $\exists \tilde e_1 \in \tilde E$ and $q_{k_1, e_1} \in \mathcal{T}^{-1}(q_{k_1})$ such that $\tilde e_1 = (q_{k_0, e_0}, q_{k_1, e_1})$. (3) implies that $\Delta_0 \in \Delta_{e_0, e_1}(q_{k_0}) = \tilde G(\tilde e_1)$. Thus, for each $q_{k_1} \in Q$ the string $\tilde\rho = q_{k_0, e_0}, \Delta_0, q_{k_1, e_1}, 0 \in L_{\mathcal{T}^{-1}(q_{k_1})}(T)$. Furthermore, by construction, $\tilde\eta(\tilde e_1) = \eta((q_{k_0}, q_{k_1}))$. Iterating, we construct from $\rho$ a string $\tilde\rho = q_{k_0, e_0}, \Delta_0, \dots, q_{k_s, e_s}, \Delta_s \in L_{\mathcal{T}^{-1}(q_{k_s})}(T)$ such that $P(\rho) = P(\tilde\rho)$.

Given a Hybrid Automaton $H$, we assume the Timed Automaton $T$ to be given by Algorithm 4.

Corollary 2. $\mathcal{P}(H) \subseteq \mathcal{P}(T)$.

Proof. The statement of Proposition 7 is clearly an inclusion of the languages of observations.

The following proposition is a generalization of Proposition 4 according to Definition 3:

Proposition 8. Given a Timed Automaton $T$, a set of discrete states $Q_c \subset Q$ is observable if and only if

$$\forall q_c \in Q_c,\ \forall q \in Q \setminus Q_c,\ \forall (q'_0, q''_0) \in Q_0 \times Q_0:\quad L_{(q_c,q)}(T_{q'_0,q''_0}) = \emptyset \qquad (4)$$

Proof. Similar to Proposition 4.

It is easy to see that checking condition (4) can be done with a slight modification of Algorithm 3, namely by replacing line 1.2 with the following:

1.1 Compute $T_{q'_0,q''_0}$ by Algorithm 2;
1.2 For each $q_c \in Q_c$ and for each $q \in Q \setminus Q_c$ do:

We can now state the main result:

Theorem 1. Given $H$ and $T$, $q_c$ is observable for $H$ if $\mathcal{T}^{-1}(q_c)$ is observable for $T$.

Proof. Let $\mathcal{T}^{-1}(q_c)$ be observable for $T$ but $q_c$ not observable for $H$. Then there exist $\rho', \rho'' \in L(H)$ such that $\rho' \in L_{q_c}(H)$, $\rho'' \in L(H) \setminus L_{q_c}(H)$ and $P(\rho') = P(\rho'')$. By Proposition 7, there exist $\tilde{\rho}', \tilde{\rho}'' \in L(T)$ such that $\tilde{\rho}' \in L_{\mathcal{T}^{-1}(q_c)}(T)$, $\tilde{\rho}'' \in L(T) \setminus L_{\mathcal{T}^{-1}(q_c)}(T)$ and $P(\tilde{\rho}') = P(\tilde{\rho}'')$, which contradicts the observability of $\mathcal{T}^{-1}(q_c)$ for $T$.
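As an added worked example (our code, not the paper's; the paper gives no implementation), the following Python builds $T$ from the discrete part of a constructed hybrid automaton by Algorithm 4 and then decides condition (4) for $\mathcal{T}^{-1}(q_c)$ by a reachability search over pairs of states of $T$, which by Theorem 1 certifies observability of $q_c$ for $H$. The pair search is ours and stands in for the paper's Algorithms 2 and 3, which are not reproduced in this section; it is a valid decision procedure for $T$ because Algorithm 4 resets the single clock to 0 on every edge and sets every invariant to $\mathbb{R}^+$, so two executions of $T$ have the same observation exactly when their label sequences agree and each dwell time lies in the intersection of the two guards taken at that step. Assumed here: the intervals $\Delta_{e_i,e_j}(q)$ are supplied as data (the page assumes they are known), every label $\eta(e)$ is observable, and the automaton `make_H`, its labels and its intervals are constructed for illustration.

```python
"""Algorithm 4 (hybrid automaton -> timed automaton) and a direct check of
condition (4) on the result.  Added example; not code from the paper.
Assumptions (ours): only the discrete part of H is needed, with the intervals
Delta_{ei,ej}(q) = [lo, hi] given as data (the paper assumes them known);
every label eta(e) is observable; and, since every edge of T resets the single
clock to 0 and every invariant is R+, two executions of T have the same
observation iff their label sequences agree and each dwell time lies in the
intersection of the corresponding guards.  The pair search below relies on
that and stands in for the paper's Algorithms 2 and 3."""
from collections import deque

E0 = "e0"  # pseudo-edge marking an initial location (step 2.3 of Algorithm 4)

class HybridAutomaton:
    def __init__(self, Q, Q0, edges, eta, delta):
        self.Q, self.Q0 = list(Q), set(Q0)
        self.edges = dict(edges)  # edge name -> (source, target)
        self.eta = dict(eta)      # edge name -> output symbol
        self.delta = dict(delta)  # (q, e_in, e_out) -> (lo, hi); absent = empty

class TimedAutomaton:
    def __init__(self):
        self.Q, self.Q0 = [], set()  # states are pairs (q_k, e_i)
        self.E = []                  # (source, target, label, guard interval)
        self.T = {}                  # the surjection T: Q_tilde -> Q of H

def algorithm4(H):
    """Build T from H following Algorithm 4 of the paper."""
    T = TimedAutomaton()
    incoming = {q: [] for q in H.Q}
    for name, (_, dst) in H.edges.items():
        incoming[dst].append(name)
    # step 2: one copy q_{k,e_i} of q_k per incoming edge, plus q_{k,e0} if initial
    for qk in H.Q:
        for ei in incoming[qk] + ([E0] if qk in H.Q0 else []):
            T.Q.append((qk, ei))
            T.T[(qk, ei)] = qk
            if ei == E0:
                T.Q0.add((qk, ei))
    # remaining steps: edges (q_{k,e_i}, q_{k',e_j}) with label eta(e_j) and
    # guard Delta_{e_i,e_j}(q_k); invariant R+ and reset to 0 are implicit
    for (qk, ei) in T.Q:
        for ej, (src, dst) in H.edges.items():
            if src != qk:
                continue
            guard = H.delta.get((qk, ei, ej))
            if guard is None or guard[0] > guard[1]:
                continue  # empty Delta: this edge of T can never be taken
            T.E.append(((qk, ei), (dst, ej), H.eta[ej], guard))
    return T

def critical_set(T, qc):
    """T^{-1}(q_c): all copies of q_c in the timed automaton."""
    return {s for s in T.Q if T.T[s] == qc}

def intersects(a, b):
    return max(a[0], b[0]) <= min(a[1], b[1])

def condition4_witness(T, Qc):
    """Return (s_c, s) with s_c in Qc and s not in Qc that are reached by two
    observation-equivalent executions of T, or None if condition (4) holds.
    Every initial pair (q0', q0'') in Q0 x Q0 is explored, as (4) requires."""
    out = {}
    for src, dst, lab, g in T.E:
        out.setdefault(src, []).append((dst, lab, g))
    start = [(a, b) for a in T.Q0 for b in T.Q0]
    seen, todo = set(start), deque(start)
    while todo:
        p, r = todo.popleft()
        if (p in Qc) != (r in Qc):
            return (p, r) if p in Qc else (r, p)
        for p2, lab1, g1 in out.get(p, []):
            for r2, lab2, g2 in out.get(r, []):
                # same symbol and a common dwell time => same observation
                if lab1 == lab2 and intersects(g1, g2) and (p2, r2) not in seen:
                    seen.add((p2, r2))
                    todo.append((p2, r2))
    return None

def make_H(ambiguous=True):
    """Constructed H: q1 initial, q3 critical.  From q1 the symbol 'a' leads to
    q2 or q3.  On the first visit the dwell times are separated ([1,2] vs
    [3,4]); after a return via e4 they overlap at t = 2 when ambiguous=True."""
    return HybridAutomaton(
        Q=["q1", "q2", "q3"], Q0=["q1"],
        edges={"e1": ("q1", "q2"), "e2": ("q1", "q3"),
               "e3": ("q2", "q3"), "e4": ("q3", "q1")},
        eta={"e1": "a", "e2": "a", "e3": "b", "e4": "c"},
        delta={("q1", E0, "e1"): (1, 2), ("q1", E0, "e2"): (3, 4),
               ("q1", "e4", "e1"): (1, 2),
               ("q1", "e4", "e2"): (2, 3) if ambiguous else (3, 4),
               ("q2", "e1", "e3"): (0, 5),
               ("q3", "e2", "e4"): (1, 1), ("q3", "e3", "e4"): (0, 2)})

def observability_witness(H, qc):
    """None iff T^{-1}(q_c) is observable for T, hence q_c for H (Theorem 1)."""
    T = algorithm4(H)
    return condition4_witness(T, critical_set(T, qc))

if __name__ == "__main__":
    print(observability_witness(make_H(True), "q3"))   # (('q3', 'e2'), ('q2', 'e1'))
    print(observability_witness(make_H(False), "q3"))  # None
```

In the ambiguous variant the witness is the pair $(q_{3,e_2}, q_{2,e_1})$: after the output string $a$ (at some time in $[3,4]$), $c$, the symbol $a$ observed exactly 2 time units later is consistent with both $e_1$ and $e_2$, so entering $q_3$ cannot be detected immediately. Separating $\Delta_{e_4,e_2}(q_1)$ from $\Delta_{e_4,e_1}(q_1)$ removes the overlap and the check returns `None`. Note that the guards are closed intervals, so a single shared boundary point is enough to break observability; a check that used open intervals would wrongly declare $q_3$ observable.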

If we assume that

(i) the time intervals $\Delta_{e_i,e_j}(q)$ can be computed exactly, which is the case when the linear system has a certain structure [2],[12];

(ii) for the system $H$ the following holds:

$$R(x, e) = \Re(R(\cdot, e)) \quad \forall e \in E,\ \forall x \in G(e)$$

that is, given an edge $e$ and its guard set $G(e)$, each continuous state $x \in G(e)$ is non-deterministically reset by $R(x, e)$ to the same set $\Re(R(\cdot, e))$ (the image of $G(e)$ under $R(\cdot, e)$), independently of $x$;

then we can state the following:

Proposition 9. Given $H$, $T$ and $q_c \in Q$, assume that (i) and (ii) hold. Then, for each execution $\tilde{\rho} \in L(T)$, there exists an execution $\rho \in L(H)$ such that

1. $P(\rho) = P(\tilde{\rho})$;
2. $\tilde{\rho} \in L_{\mathcal{T}^{-1}(q_c)}(T) \Rightarrow \rho \in L_{q_c}(H)$ and $\tilde{\rho} \notin L_{\mathcal{T}^{-1}(q_c)}(T) \Rightarrow \rho \notin L_{q_c}(H)$.

Proof. Consider the string $\tilde{\rho} = q_{k_0,e_0}, \Delta_0, q_{k_1,e_1}, \Delta_1, \cdots, q_{k_s,e_s}, \Delta_s \in L_{\mathcal{T}^{-1}(q_{k_s})}(T)$ and let $\tilde{e}_1 = (q_{k_0,e_0}, q_{k_1,e_1}) \in \tilde{E}$. By construction of $T$, $q_{k_0} = \mathcal{T}(q_{k_0,e_0}) \in Q_0$, $q_{k_1} = \mathcal{T}(q_{k_1,e_1}) \in Q$ and $e_1 = (q_{k_0}, q_{k_1}) \in E$. By assumption (i), it follows that if $\Delta_0 \in \tilde{G}(\tilde{e}_1) = \Delta_{e_0,e_1}(q_{k_0})$, then there exists $x_0 \in R_{e_0}(q_{k_0})$ such that $e^{A(q_{k_0})\Delta_0} x_0 \in G_{e_1}(q_{k_0})$. Since $R_{e_0}(q_{k_0})$ is the set of initial continuous states of $H$ for the initial discrete state $q_{k_0}$, for each $q_{k_1,e_1} \in \tilde{Q}$ the string $\rho = q_{k_0}, \Delta_0, q_{k_1}, 0 \in L_{q_{k_1}}(H)$. Furthermore, by construction, $\eta(q_{k_0}, q_{k_1}) = \tilde{\eta}(q_{k_0,e_0}, q_{k_1,e_1})$. These considerations can be iterated along the rest of the string $\tilde{\rho}$ since, under assumption (ii), each $x \in G(e_i)$ is non-deterministically reset by $R(x, e_i)$ to the same set $\Re(R(\cdot, e_i))$ when the transition $e_i = (q_{k_{i-1}}, q_{k_i})$ occurs, so the set of continuous states available after the transition does not depend on which $x$ was reached in the guard. Therefore, we can construct from $\tilde{\rho}$, by iteration, a string $\rho = q_{k_0}, \Delta_0, \cdots, q_{k_s}, \Delta_s \in L_{q_{k_s}}(H)$ such that $P(\rho) = P(\tilde{\rho})$.

Proposition 9 has the following consequences:

Corollary 3. $\mathcal{P}(H) = \mathcal{P}(T)$.

Theorem 2. Given $H$ and $T$, let assumptions (i) and (ii) hold. Then $q_c$ is observable for $H$ if and only if $\mathcal{T}^{-1}(q_c)$ is observable for $T$.

Proof. The "if" direction is Theorem 1; the "only if" direction follows from Proposition 9 in the same way that Theorem 1 follows from Proposition 7.

5 Conclusions

In this work, we tackled the problem of immediate detection of a critical state, corresponding to a dangerous situation, by providing a definition of observability of the discrete state for a class of Hybrid Systems whose output is a timed string on a finite alphabet. We proposed a procedure to construct a Timed Automaton that is an abstraction of the given system, and for which observability is easier to determine. We provided algorithms to check observability of the abstraction and to construct an observer of a given discrete state. Finally, we proved that observability of the abstraction implies observability of the given hybrid system, and provided conditions under which this implication can be reversed. In future work, the authors plan to extend these results to Hybrid Systems with continuous output, and to simple classes of Stochastic Hybrid Systems.

6 Acknowledgement

The first author wishes to thank George Pappas and Antoine Girard for the interesting discussions on bisimulation and observability of Hybrid Systems that originated this work, during a visiting period at the Department of Electrical and Systems Engineering at the University of Pennsylvania.

References

1. R. Alur, T. Henzinger, G. Lafferriere, and G. Pappas. Discrete abstractions of hybrid systems. Proceedings of the IEEE, 88(2), July 2000, pp. 971-984.

2. H. Anai and V. Weispfenning. Reach set computations using real quantifier elimination. Hybrid Systems: Computation and Control 2001, Lecture Notes in Computer Science, M. D. Di Benedetto and A. L. Sangiovanni-Vincentelli, Eds., vol. 2034, Springer-Verlag, 2001, pp. 63-76.

3. M. Babaali and G. J. Pappas. Observability of switched linear systems in continuous time. Hybrid Systems: Computation and Control 2005, Lecture Notes in Computer Science, M. Morari and L. Thiele, Eds., vol. 3414, Springer-Verlag, 2005, pp. 103-117.

4. A. Balluchi, L. Benvenuti, M. D. Di Benedetto, and A. L. Sangiovanni-Vincentelli. Design of observers for hybrid systems. Hybrid Systems: Computation and Control 2002, Lecture Notes in Computer Science, C. J. Tomlin and M. R. Greenstreet, Eds., vol. 2289, Springer-Verlag, 2002, pp. 76-89.

5. A. Chutinan and B. Krogh. Computing polyhedral approximations to flow pipes for dynamic systems. In Proceedings of the 37th IEEE Conference on Decision and Control, Tampa, FL, Dec. 1998, pp. 2089-2094.

6. A. Chutinan and B. H. Krogh. Computing approximating automata for a class of linear hybrid systems. In Hybrid Systems V, Lecture Notes in Computer Science, Springer-Verlag, 1998, pp. 16-37.

7. E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. The MIT Press, Cambridge, Massachusetts, 2002.

8. E. De Santis, M. D. Di Benedetto, and G. Pola. On observability and detectability of continuous-time switching linear systems. In Proceedings of the 42nd IEEE Conference on Decision and Control, CDC 03, Maui, Hawaii, USA, Dec. 2003, pp. 5777-5782.

9. M. D. Di Benedetto, S. Di Gennaro, and A. D'Innocenzo. Critical observability and hybrid observers for error detection in Air Traffic Management. 13th Mediterranean Conference on Control and Automation, Limassol, Cyprus, June 27-29, 2005.

10. M. D. Di Benedetto, S. Di Gennaro, and A. D'Innocenzo. Error detection within a specific time horizon and application to Air Traffic Management. In Proceedings of the Joint 44th IEEE Conference on Decision and Control and European Control Conference (CDC-ECC'05), Seville, Spain, Dec. 2005, pp. 7472-7477.

11. A. Girard. Reachability of uncertain linear systems using zonotopes. Hybrid Systems: Computation and Control 2005, Lecture Notes in Computer Science, M. Morari and L. Thiele, Eds., vol. 3414, Springer-Verlag, 2005, pp. 291-305.

12. G. Lafferriere, G. J. Pappas, and S. Yovine. Symbolic reachability computations for families of linear vector fields. Journal of Symbolic Computation, vol. 32, no. 3, September 2001, pp. 231-253.

13. J. Lygeros, C. Tomlin, and S. Sastry. Controllers for reachability specifications for hybrid systems. Automatica, Special Issue on Hybrid Systems, vol. 35, 1999.

14. M. Oishi, I. Hwang, and C. Tomlin. Immediate observability of discrete event systems with application to user-interface design. In Proceedings of the 42nd IEEE Conference on Decision and Control, Maui, Hawaii, USA, Dec. 2003, pp. 2665-2672.

15. C. M. Ozveren and A. S. Willsky. Observability of discrete event dynamic systems. IEEE Transactions on Automatic Control, vol. 35, 1990, pp. 797-806.

16. S. Tripakis. Fault diagnosis for timed automata. Lecture Notes in Computer Science, vol. 2469, W. Damm and E.-R. Olderog, Eds., Springer-Verlag, 2002, pp. 205-221.

17. R. Vidal, A. Chiuso, S. Soatto, and S. Sastry. Observability of linear hybrid systems. Hybrid Systems: Computation and Control, Lecture Notes in Computer Science, A. Pnueli and O. Maler, Eds., vol. 2623, Springer-Verlag, 2003, pp. 526-539.

18. H. Yazarel and G. J. Pappas. Geometric programming relaxations for linear system reachability. In Proceedings of the 2004 American Control Conference, Boston, MA, June 2004.

19. T. Yoo and S. Lafortune. On the computational complexity of some problems arising in partially-observed discrete-event systems. In Proceedings of the 2001 American Control Conference, Arlington, Virginia, June 25-27, 2001.