The algorithmic analysis of hybrid systems

2001

In a biological cell, cellular functions and the genetic regula- tory apparatus are implemented and controlled by a network of chemical reactions in which regulatory proteins can control genes that produce other regulators, which in turn control other genes. Further, the feed- back pathways appear to incorporate switches that result in changes in the dynamic behavior of the cell. This paper describes a hybrid systems approach to modeling the intra-cellular network using continuous differ- ential equations to model the feedback mechanisms and mode-switching to describe the changes in the underlying dynamics. We use two case studies to illustrate a modular approach to modeling such networks and describe the architectural and behavioral hierarchy in the underlying models. We describe these models using Charon [2], a language that allows formal description of hybrid systems. We provide preliminary sim- ulation results that demonstrate how our approach can help biologists in their analysis of noisy genetic circuits. Finally we describe our agenda for future work that includes the development of models and simulation for stochastic hybrid systems.1

1997

This paper addresses the analysis of slope-parametric hybrid automata: finding conditions on the slopes of the automaton variables, for some safety property to be verified. The problem is shown decidable in some practical situations (e.g. finding the running speeds of tasks in a real time application, for all tasks to respect their deadlines). The resolution technique generalizes polyhedral-based symbolic analysis and it involves reasoning about polyhedra with parametric shapes.

2004

In this paper we demonstrate a potential extension of formal verification methodology in order to deal with time-domain properties of analog and mixed-signal circuits whose dynamic behavior is described by differential algebraic equations. To model and analyze such circuits under all possible input signals and all values of parameters, we build upon two techniques developed in the context of hybrid (discrete-continuous) control systems. First, we extend our algorithm for approximating sets of reachable sets for dense-time continuous systems to deal with differential algebraic equations (DAEs) and apply it to a biquad low-pass filter. To analyze more complex circuits, we resort to bounded horizon verification. We use optimal control techniques to check whether a Δ-Σ modulator, modeled as a discrete-time hybrid automaton, admits an input sequence of bounded length that drives it to saturation.

2001

This paper describes the modeling language Charon for modular design of interacting hybrid systems. The language allows specification of architectural as well as behavioral hierarchy, and discrete as well as continuous activities. The modular structure of the language is not merely syntactic, but is exploited by analysis tools, and is supported by a formal semantics with an accompanying compositional theory of refinement. We illustrate the benefits of Charon in design of embedded control software using examples from automated highways concerning vehicle coordination.

Proceedings of the 17th international conference on Hybrid systems: computation and control - HSCC '14, 2014

The concept of hybrid automata provides a powerful framework to model and analyze real-world systems. Due to the structural complexity of hybrid systems it is important to ensure the scalability of analysis algorithms. We approach this problem by providing an effective generalisation of the recently introduced notion of quasi-equal clocks to hybrid systems. For this purpose, we introduce the concept of quasi-dependent variables. Our contribution is two-fold: we demonstrate how such variables can be automatically detected, and we present a transformation leading to an abstraction with a smaller state space which, however, still retains the same properties as the original system. We demonstrate the practical applicability of our methods on a range of industrial benchmarks.

Lecture Notes in Computer Science, 2011

We present a scalable reachability algorithm for hybrid systems with piecewise affine, non-deterministic dynamics. It combines polyhedra and support function representations of continuous sets to compute an overapproximation of the reachable states. The algorithm improves over previous work by using variable time steps to guarantee a given local error bound. In addition, we propose an improved approximation model, which drastically improves the accuracy of the algorithm. The algorithm is implemented as part of SpaceEx, a new verification platform for hybrid systems, available at spaceex.imag.fr. Experimental results of full fixed-point computations with hybrid systems with more than 100 variables illustrate the scalability of the approach.

Model Checking Software, 2013

Hybrid systems represent an important and powerful formalism for modeling real-world applications such as embedded systems. A verification tool like SpaceEx is based on the exploration of a symbolic search space (the region space). As a verification tool, it is typically optimized towards proving the absence of errors. In some settings, e.g., when the verification tool is employed in a feedback-directed design cycle, one would like to have the option to call a version that is optimized towards finding an error path in the region space. A recent approach in this direction is based on guided search. Guided search relies on a cost function that indicates which states are promising to be explored, and preferably explores more promising states first. In this paper, an abstraction-based cost function based on pattern databases for guiding the reachability analysis is proposed. For this purpose, a suitable abstraction technique that exploits the flexible granularity of modern reachability analysis algorithms is introduced. The new cost function is an effective extension of pattern database approaches that have been successfully applied in other areas. The approach has been implemented in the SpaceEx model checker. The evaluation shows its practical potential.

Journal of Statistical Physics, 2005

We show that the bifurcation scenario in a high-dimensional system with interacting moving fronts can be related to the universal U-sequence which is known from the symbolic analysis of iterated one-dimensional maps. This connection is corroborated for a model of a semiconductor superlattice, which describes the complex dynamics of electron accumulation and depletion fronts. By a suitable Poincaré section we reduce the dynamics to a low dimensional iterated map, for which in the most elementary case the bifurcation points can be determined analytically.

Lecture Notes in Computer Science, 1997

We apply the symbolic analysis principle to pushdown systems. We represent (possibly in nite) sets of con gurations of such systems by means of nite-state automata. In order to reason in a uniform way about analysis problems involving both existential and universal path quanti cation (like model-checking for branching-time logics), we consider the more general class of alternating pushdown systems and use alternating nite-state automata as a representation structure for their sets of con gurations. We give a simple and natural procedure to compute sets of predecessors for this representation structure. We apply this procedure and the automata-theoretic approach to model-checking to de ne new model-checking algorithms for pushdown systems and both linear and branching-time properties. From these results we derive upper bounds for several model-checking problems, and we also provide matching lower bounds, using reductions based on some techniques introduced by Walukiewicz.

Lecture Notes in Computer Science, 2005

Symbolic model checking provides partially effective verification procedures that can handle systems with an infinite state space. So-called "acceleration techniques" enhance the convergence of fixpoint computations by computing the transitive closure of some transitions. In this paper we develop a new framework for symbolic model checking with accelerations. We also propose and analyze new symbolic algorithms using accelerations to compute reachability sets.

Lecture Notes in Computer Science, 2011

We propose to combine timed automata and linear hybrid automata model checkers for formal testing and monitoring of embedded systems with a hybrid behavior, i.e., where the correctness of the system depends on discrete as well as continuous dynamics. System level testing is considered, where requirements capture abstract behavior and often include non-determinism due to parallelism, internal counters and subtle state of physical materials. The goal is achieved by integrating the tools Uppaal [2] and PHAVer [3], where the discrete and hard real-time aspects are driven and checked by Uppaal TRON and strict inclusion of dynamical trajectories is verified by PHAVer. We present the framework, the underlying theory, and our techniques for integrating the tools. We demonstrate the applicability on an industrial case study.

Lecture Notes in Computer Science, 2011

Modern control systems are limited in their ability to react flexibly and autonomously to changing situations by the complexity inherent in analysing environments where many variables are present. We aim to use an agent approach to help alleviate this problem and are particularly interested in the control of satellite systems using BDI agent programming as pioneered by the PRS. Such systems need to generate discrete abstractions from continuous data and then use these abstractions in rational decision making. This paper provides an architecture and interaction semantics for an abstraction engine to interact with a hybrid BDI-based control system. Work funded by EPSRC grants EP/F037201/1 and EP/F037570/1 Abstract Continous Query Abstract Action Continuous Action Abstract Query Sense Act

AIAA Guidance, Navigation, and Control Conference and Exhibit, 2005

In this paper, we consider the problem of collision-free motion planning for multiple non- holonomic planar vehicles. Each vehicle is capable of moving at constant speed along paths with bounded curvature, and is aware of the position and heading of other vehicles within a certain sensing radius. No other information exchange is required between vehicles. We propose a spatially decentralized, cooperative hybrid control policy that ensures safety for arbitrary numbers of vehicles. Furthermore, we show that under certain conditions, the policy avoids dead- and livelock, and eventually all vehicles reach their intended targets. Simulations and experimental results are presented and discussed.

International Journal on Software Tools for Technology Transfer, 2011

Abstract For a system that can operate in multiple different modes, we define the switching logic synthesis problem as follows: given a description of the dynamics in each mode of the system, find the conditions for switching between the modes so that the resulting system ...

International Journal of Robust and Nonlinear Control, 2001

Models of complex dynamical systems are often built by connecting submodels of smaller parts. The key to this method is the operation of &interconnection' or &composition' which serves to de"ne the whole in terms of its parts. In the setting of smooth di!erential equations the composition operation has often been regarded as trivial, but a quite di!erent attitude is found in the discrete domain where several de"nitions of composition have been proposed and di!erent semantics have been developed. The non-triviality of composition carries over from discrete systems to hybrid systems. The paper discusses the compositionality issue in the context of discrete, continuous, and hybrid systems, mainly on the basis of a number of examples.

The International Journal of Robotics Research, 1998

Active vision-based robot design involves a variety of techniques and formalisms, from kinematics to control theory, signal processing and computer science. The programming of such systems therefore requires environments with many different functionalities, in a very integrated fashion in order to ensure consistency of the different parts. In significant applications, the correct specification of the global controller is not simple to achieve, as it mixes different levels of behavior, and must respect properties. In this paper we want to advocate the use of a strongly integrated environment able to deal with the design of such systems from the specification of both continuous and discrete parts down to the verification of dynamic behavior. The synchronous language Signal is used here as a candidate integrated environment for the design of active vision systems. Our experiments show that Signal, while not being an environment devoted to for robotics (but more generally dedicated to control theory and signal processing), presents functionalities and a degree of integration that are relevant to the safe design of active vision-based robotics system.

Complexus, 2004

This paper is devoted to the presentation of the main lines of an unified functional formalism for modelling complex industrial systems, that is to say systems that typically mix a big number of different software and physical devices. Our approach is based on a discrete non-standard representation of time. It captures both the hierarchical architecture and the temporal and data multi-scale structures of a complex industrial system. We show in particular in this paper how our formalism allows to recover in an totally unified way various sorts of simple systems such as Turing machines, elementary conservative physical systems and low level software/physical interfaces (sampler, modulator).

Mathematical Structures in Computer Science, 2013

ABSTRACT

Lecture Notes in Computer Science, 2004

Page 1. A Checker for Modal Formulae for Processes with Data Jan Friso Groote andTim AC Willemse ... Example 5. Consider a coffee-vending machine that produces either cappuccino or espresso on the insertion of a special coin. ...

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2009

This paper introduces Periodically Controlled Hybrid Automata (PCHA) for describing a class of hybrid control systems. In a PCHA, control actions occur roughly periodically while internal and input actions, may occur in the interim changing the discrete-state or the setpoint. Based on periodicity and subtangential conditions, a new sufficient condition for verifying invariance of PCHAs is presented. This technique is used in verifying safety of the planner-controller subsystem of an autonomous ground vehicle, and in deriving geometric properties of planner generated paths that can be followed safely by the controller under environmental uncertainties.

Lecture Notes in Computer Science, 2005

The Verification Support Environment (VSE) is a CASE-tool that supports the user in the formal development of software. It has a rather broad range of applicability as was already shown in several industrial applications, be it in the safety or in the IT-security domain. We claim that VSE is equally applicable in the domain of plan verification.

Lecture Notes in Computer Science, 2012

Lecture Notes in Computer Science, 2006

ACM Transactions on Embedded Computing Systems, 2014

Software-based control of life-critical embedded systems has become increasingly complex, and to a large extent has come to determine the safety of the human being. For example, implantable cardiac pacemakers have over 80,000 lines of code which are responsible for maintaining the heart within safe operating limits. As firmware-related recalls accounted for over 41% of the 600,000 devices recalled in the last decade, there is a need for rigorous model-driven design tools to generate verified code from verified software models. To this effect we have developed the UPP2SF model-translation tool, which facilitates automatic conversion of verified models (in UPPAAL) to models that may be simulated and tested (in Simulink/Stateflow). We describe the translation rules that ensure correct model conversion, applicable to a large class of models. We demonstrate how UPP2SF is used in the model-driven design of a pacemaker whose model is (a) designed and verified in UPPAAL (using timed automata), (b) automatically translated to Stateflow for simulationbased testing, and then (c) automatically generated into modular code for hardware-level integration testing of timing-related errors. In addition, we show how UPP2SF may be used for worst-case execution time estimation early in the design stage. Using UPP2SF, we demonstrate the value of integrated end-to-end modeling, verification, code-generation and testing process for complex software-controlled embedded systems.

Testing of Communicating Systems XIV, 2002

We present a test case generation method which conciliates theorem proving and model checking. Test purposes are expressed by timed regular expressions and then translated into a corresponding automaton using a certified function. This automaton is composed with the system specification and an execution is computed from this sub-specification by an automatic tool. The result is finally re-injected into the theorem prover to be checked.

Lecture Notes in Computer Science, 2005

Bounded model checking (BMC) is an automatic verification method that is based on finitely unfolding the system's transition relation. BMC has been successfully applied, in particular, for discovering bugs in digital system design. Its success is based on the effectiveness of satisfiability solvers that are used to check for a finite unfolding whether a violating state is reachable. In this paper we improve the BMC approach for linear hybrid systems. Our improvements are tailored to lazy satisfiability solving and follow two complementary directions. First, we optimize the formula representation of the finite unfoldings of the transition relations of linear hybrid systems, and second, we accelerate the satisfiability checks by accumulating and generalizing data that is generated during earlier satisfiability checks. Experimental results show that the presented techniques accelerate the satisfiability checks significantly.

Discrete Event Dynamic Systems, 2011

As a preliminary overview, this work provides first a broad tutorial on the fluidization of discrete event dynamic models, an efficient technique for dealing with the classical state explosion problem. Even if named as continuous or fluid, the relaxed models obtained are frequently hybrid in a technical sense. Thus, there is plenty of room for using discrete, hybrid and continuous model techniques for logical verification, performance evaluation and control studies. Moreover, the possibilities for transferring concepts and techniques from one modeling paradigm to others are very significant, so there is much space for synergy. As a central modeling paradigm for parallel and synchronized discrete event systems, Petri nets (PNs) are then considered in much more detail. In this sense, this paper is somewhat complementary to . Our presentation of fluid views or approximations of PNs has sometimes a flavor of a survey, but also introduces some new ideas or techniques. Among the aspects that distinguish the adopted approach are: the focus on the relationships between discrete and continuous PN models, both for untimed, i.e., fully non-deterministic abstractions, and timed versions; the use of structure theory of (discrete) PNs, algebraic and graph based concepts and results; and the bridge to Automatic Control Theory. After discussing observability and controllability issues, the most technical part in this work, the paper concludes with some remarks and possible directions for future research.

Lecture Notes in Computer Science, 2002

Lecture Notes in Computer Science, 2012

Many software engineering artefacts, such as source code or specifications, define a set of operations and impose restrictions to the ordering on which they have to be invoked. Enabledness Preserving Abstractions (EPAs) are concise representations of the behaviour space for such artefacts. In this paper, we exemplify how EPAs might be used for validation of software engineering artefacts by showing the use of EPAs to support some programming tasks on a simple C# class.

Lecture Notes in Computer Science, 2012

A recent technique used in falsification methods for hybrid systems relies on distance-based heuristics for guiding the search towards a goal state. The question is whether the technique can be carried over to reachability analyses that use regions as their basic data structure. In this paper, we introduce a box-based distance measure between regions. We present an algorithm that, given two regions, efficiently computes the box-based distance between them. We have implemented the algorithm in SpaceEx and use it for guiding the region-based reachability analysis of SpaceEx. We illustrate the practical potential of our approach in a case study for the navigation benchmark.

Lecture Notes in Computer Science, 1995

HvTEcrl is a tool for the automated analysis of embedded systems. This document, designed for the first-time user of HYTECH, guides the reader through the underlying system model, and through the input language for describing and analyzing systems. The guide gives several examples of usage, and some hints for gaining maximal computational efficiency from the tool.

Abstraction, Reformulation and Approximation, 2005

Verification of the incorrectness of programs and automata needs to be taken as seriously as the verification of correctness. However, there are no good general methods that always terminate and prove incorrectness. We propose one general method based on a lower bound approximation of the semantics of programs and automata. Based on the lower-bound approximation, it becomes easy to check whether certain error states are reached. This is in contrast to various abstract interpretation techniques that make an upper bound approximation of the semantics and test that the error states are not reached. The precision of our lower bound approximation is controlled by a single parameter that can be adjusted by the user of the MLPQ system in which the approximation method is implemented. As the value of the parameter decreases the implementation results in a finer program semantics approximation but requires a longer evaluation time. However, for all input parameter values the program is guaranteed to terminate. We use the lower bound approximation to verify the incorrectness of a subway train control automaton. We also use the lower bound approximation for a problem regarding computer security via trust management programs. We propose a trust management policy language extending earlier work by Li and Mitchell. Although, our trust management programming language is Turing-complete, programs in this language have semantics that lend themselves naturally to a lower-bound approximation. Namely, the lower bound approximation is such that no unwarranted authorization is given at any time, although some legitimate access may be denied.

Software & Systems Modeling, 2012

In the past, applying formal analysis, such as model checking, to industrial problems required a team of formal methods experts and a great deal of effort. Model checking has become popular, because model checkers have evolved to allow domain-experts, who lack model checking expertise, to analyze their systems. What made this shift possible and what roles did models play in this? That is the main question we consider here. We survey approaches that transform domain-specific input models into alternative forms that are invisible to the user and which are amenable to model checking using existing techniques-we refer to these as hidden models. We observe that keeping these models hidden from the user is in fact paramount to the success of the domain-specific model checker. We illustrate the value of hidden models by surveying successful examples of their use in different areas of model checking (hardware and software) and how a lack of suitable models hamper a new area (biological systems).

ACM Transactions on Embedded Computing Systems, 2013

We present a Monte-Carlo optimization technique for finding system behaviors that falsify a Metric Temporal Logic (MTL) property. Our approach performs a random walk over the space of system inputs guided by a robustness metric defined by the MTL property. Robustness is guiding the search for a falsifying behavior by exploring trajectories with smaller robustness values. The resulting testing framework can be applied to a wide class of Cyber-Physical Systems (CPS). We show through experiments on complex system models that using our framework can help automatically falsify properties with more consistency as compared to other means such as uniform sampling.

Lecture Notes in Computer Science, 2009

In this paper we present a procedure for representing the semantics of linear hybrid automata (LHAs) as constraint logic programs (CLP); flexible and accurate analysis and verification of LHAs can then be performed using generic CLP analysis and transformation tools. LHAs provide an expressive notation for specifying real-time systems. The main contributions are (i) a technique for capturing the reachable states of the continuously changing state variables of the LHA as CLP constraints; (ii) a way of representing events in the LHA as constraints in CLP, along with a product construction on the CLP representation including synchronisation on shared events; (iii) a framework in which various kinds of reasoning about an LHA can be flexibly performed by combining standard CLP transformation and analysis techniques. We give experimental results to support the usefulness of the approach and argue that we contribute to the general field of using static analysis tools for verification.

Formal Modeling and Analysis of Timed Systems, 2017

A promising technique for the formal verification of embedded and cyber-physical systems is flow-pipe construction, which creates a sequence of regions covering all reachable states over time. Flow-pipe construction methods can check whether specifications are met for all states, rather than just testing using a finite and incomplete set of simulation traces. A fundamental challenge when using flow-pipe construction on high-dimensional systems is the cost of geometric operations, such as intersection and convex hull. We address this challenge by showing that it is often possible to remove the need to perform high-dimensional geometric operations by combining two model transformations, direct time-triggered conversion and dynamics scaling. Further, we prove the overapproximation error in the conversion can be made arbitrarily small. Finally, we show that our transformation-based approach enables the analysis of a drivetrain system with up to 51 dimensions.

Proceedings of the 19th International Conference on Hybrid Systems: Computation and Control

Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

at - Automatisierungstechnik, 2001

is with the Corporate Research and Development of Robert Bosch GmbH where he is concerned with software technology for car control systems. The results presented in this paper were developed while he was a Senior Scientist in the Process Control Laboratory at the University of Dortmund. His research interests are discrete event and hybrid systems, formal methods for the design and analysis of control software, and software technology.

International Journal on Software Tools for Technology Transfer, 2013

This paper develops a novel computational method for the falsification of safety properties specified by syntactically safe linear temporal logic (LTL) formulas φ for hybrid systems with general nonlinear dynamics and input controls. The method is based on an effective combination of robot motion planning and model checking. Experiments on a hybrid robotic system benchmark with nonlinear dynamics show significant speedup over related work. The experiments also indicate significant speedup when using minimized DFA instead of non-minimized NFA, as obtained by standard tools, for representing the violating prefixes of φ.

Mathematics in Computer Science, 2014

Computing the reachable set of hybrid dynamical systems in a reliable and verified way is an important step when addressing verification or synthesis tasks. This issue is still challenging for uncertain nonlinear hybrid dynamical systems. We show in this paper how to combine a method for computing continuous transitions via interval Taylor methods and a method for computing the geometrical intersection of a flowpipe with guard sets, to build an interval method for reachability computation that can be used with truly nonlinear hybrid systems. Our method for flowpipe guard set intersection has two variants. The first one relies on interval constraint propagation for solving a constraint satisfaction problem and applies in the general case. The second one computes the intersection of a zonotope and a hyperplane and applies only when the guard sets are linear. The performance of our method is illustrated on examples involving typical hybrid systems.

International Journal of Robotic Research, 2012

We study the problem of designing dynamically feasible trajectories and controllers that drive a quadrotor to a desired state in state space. We focus on the development of a family of trajectories defined as a sequence of segments, each with a controller parameterized by a goal state or region in state space. Each controller is developed from the dynamic model

International Journal of Systems Science, 2016

HAL is a multidisciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Electronic Proceedings in Theoretical Computer Science

Robots are soon going to be deployed in non-industrial environments. Before society can take such a step, it is necessary to endow complex robotic systems with mechanisms that make them reliable enough to operate in situations where the human factor is predominant. This calls for the development of robotic frameworks that can soundly guarantee that a collection of properties are verified at all times during operation. While developing a mission plan, robots should take into account factors such as human physiology. In this paper, we present an example of how a robotic application that involves human interaction can be modeled through hybrid automata, and analyzed by using statistical modelchecking. We exploit statistical techniques to determine the probability with which some properties are verified, thus easing the state-space explosion problem. The analysis is performed using the Uppaal tool. In addition, we used Uppaal to run simulations that allowed us to show non-trivial time dynamics that describe the behavior of the real system, including human-related variables. Overall, this process allows developers to gain useful insights into their application and to make decisions about how to improve it to balance efficiency and user satisfaction.

Proceedings of the 22nd ACM International Conference on Hybrid Systems: Computation and Control, 2019

The falsification of a hybrid system aims at finding trajectories that violate a given safety property. This is a challenging problem, and the practical applicability of current falsification algorithms still suffers from their high time complexity. In contrast to falsification, verification algorithms aim at providing guarantees that no such trajectories exist. Recent symbolic reachability techniques are capable of efficiently computing linear constraints that enclose all trajectories of the system with reasonable precision. In this paper, we leverage the power of symbolic reachability algorithms to improve the scalability of falsification techniques. Recent approaches to falsification reduce the problem to a nonlinear optimization problem. We propose to reduce the search space of the optimization problem by adding linear state constraints obtained with a reachability algorithm. We showcase the efficiency of our approach on a number of standard hybrid systems benchmarks demonstrati...

International Journal of Control, 2003

The problem of systematically synthesizing supervisory control laws that satisfy eventuality and efficiency requirements for hybrid systems modelled by hybrid automata is considered. Here, the efficiency requirement is specified by weighting the discrete transitions of the system. The optimization of the efficiency requirement is considered in the min-max sense due to the existence of disturbance inputs. Adopting a game theoretic approach, the high priority eventuality requirement is considered first and the class of controls, in which the low priority efficiency requirement should be optimized, is obtained. Then, a dynamic programming algorithm, which determines the value function of the optimization problem, is derived. A synthesis problem on a simplified batch process plant is considered to illustrate a potential application of the approach.

Real-Time Systems, 2015

that the use of the proposed model permits to analyse tasks with more general parameter values than other exact algorithms in the literature. Nevertheless, even with our approach the complexity remains too high for analysing practical task sets with more than 7 tasks.

International Journal of Software Engineering and Knowledge Engineering

Cyber-physical systems (CPSs) are pervasive in our daily life from mobile phones to auto-driving cars. CPSs are inherently complex due to their sophisticated behaviors and thus difficult to build. In this paper, we propose a framework to develop CPSs based on a model-driven approach with quality assurance throughout the development process. An agent-oriented approach is used to model individual physical and computation processes using high-level Petri nets, and an aspect-oriented approach is used to integrate individual models. The Petri net models are systematically mapped to classes and threads in Java, which are enhanced and extended with domain-specific functionalities. Complementary quality assurance techniques are applied throughout system development and deployment, including simulation and model checking of design models, model checking of Java code, and runtime verification of Java executable. We demonstrate our framework using a car parking system.

Proceedings of the 22nd ACM International Conference on Hybrid Systems: Computation and Control

This paper presents Verisig, a hybrid system approach to verifying safety properties of closed-loop systems using neural networks as controllers. We focus on sigmoid-based networks and exploit the fact that the sigmoid is the solution to a quadratic differential equation, which allows us to transform the neural network into an equivalent hybrid system. By composing the network's hybrid system with the plant's, we transform the problem into a hybrid system verification problem which can be solved using state-of-theart reachability tools. We show that reachability is decidable for networks with one hidden layer and decidable for general networks if Schanuel's conjecture is true. We evaluate the applicability and scalability of Verisig in two case studies, one from reinforcement learning and one in which the neural network is used to approximate a model predictive controller. CCS CONCEPTS • Theory of computation → Timed and hybrid models; • Software and its engineering → Formal methods; • Computing methodologies → Neural networks;

Lecture Notes in Computer Science, 2016

The increase of complexity in modelling systems and the chances of success when model-checking them tend to be inversely proportional. This mere observation justifies plainly the need to investigate alternative ways for verification. In this paper we present such an alternative which uses a compositional verification rule. The basic idea is to automatically compute local properties and combine them such that together they are strong enough to prove global safety properties of systems. In we showed how such a rule works in the framework of timed systems with a fixed number of components and in [3] how the whole approach can be extended to the parameterised case. The application of the compositional verification rule can be pushed even further with respect to two directions: (1) hybrid and (2) parametric systems. This is the subject of the present paper.

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2019

Matlab/Simulink is a development and simulation language that is widely used by the Cyber-Physical System (CPS) industry to model dynamical systems. There are two mainstream approaches to verify CPS Simulink models: model testing that attempts to identify failures in models by executing them for a number of sampled test inputs, and model checking that attempts to exhaustively check the correctness of models against some given formal properties. In this paper, we present an industrial Simulink model benchmark, provide a categorization of different model types in the benchmark, describe the recurring logical patterns in the model requirements, and discuss the results of applying model checking and model testing approaches to identify requirements violations in the benchmarked models. Based on the results, we discuss the strengths and weaknesses of model testing and model checking. Our results further suggest that model checking and model testing are complementary and by combining them, we can significantly enhance the capabilities of each of these approaches individually. We conclude by providing guidelines as to how the two approaches can be best applied together.

ACM Transactions on Cyber-Physical Systems, 2018

The use of robots in operating rooms improves safety and decreases patient recovery time and surgeon fatigue, but it introduces new potential hazards that can lead to severe injury or even the loss of human life. Thus, safety has been perceived as a crucial system property since the early days by the industry, the medical community, and the regulatory agents. In this article, we discuss the application of the mathematically rigorous technique known as Formal Verification to analyze the safety properties of a laser incision case study, and we assess its safe and predictable operation. Like all formal methods approaches, our analysis has three distinct components: a method to create a model of the system, a language to specify the properties, and a strategy to prove rigorously that the behavior of the model fulfills the desired properties. The model of the system takes the form of a hybrid automaton consisting of a discrete control part that operates in a continuous environment. The s...

ACM Transactions on Embedded Computing Systems

Bounded model checking (BMC) is well-known to be undecidable even for simple hybrid systems. Existing work targeted for a wide class of non-linear hybrid systems reduces the BMC problem to the satisfiability problem of an SMT formula encoding the hybrid system dynamics. Consequently, the satisfiability of the formula is deduced with a δ -decision procedure. However, the encoded formula can be complex for large automaton and for deep exploration causing the decision procedure to be inefficient. Additionally, a generalized decision procedure can be inefficient for hybrid systems with simple dynamics. In this paper, we propose a BMC algorithm built upon the foundation of the CEGAR technique and targeted for hybrid systems with piecewise affine dynamics, modeled as a hybrid automaton. In particular, our algorithm begins by searching an abstract counterexample in the discrete state-space of the automaton. We check whether a discovered abstract counterexample is spurious or real by a two-...

ACM Transactions in Embedded Computing Systems, 2022

Proceedings Seventh IEEE International Conference on Engineering of Complex Computer Systems, 2001

Combining discrete state-machines with continuous behavior, hybrid systems are a well-established mathematical model for discrete systems acting in a continuous environment. As a priori infinite state systems, their computational properties are undecidable in the general model and the main line of research concentrates on model checking of finite abstractions of restricted subclasses of the general model. In our work, we use deductive methods, falling back upon the general-purpose theorem prover PVS. To do so we extend the classical approach for the verification of state-based programs by developing an inductive proof method to deal with the parallel composition of hybrid systems. It covers shared variable communication, labelsynchronization, and especially the common continuous activities in the parallel composition of hybrid automata. Besides hybrid systems and their parallel composition, we formalized their operational step semantics and a number of proof-rules within PVS, for one of which we give also a rigorous completeness proof. Moreover, the theory is applied to the verification of a number of examples.

Software & Systems Modeling, 2017

Model-based design methodologies are commonly used in industry for the development of complex cyber-physical systems (CPSs). There are many different languages, tools, and formalisms for model-based design, each with its strengths and weaknesses. Instead of accepting some weaknesses of a particular tool, an alternative Communicated by Prof. J. Sztipanovits, M. Broy, and H. Daembkes.

Proceedings of the 18th International Conference on Hybrid Systems: Computation and Control, 2015

This paper defines a suite of requirements for future hybrid cosimulation standards, and specifically provides guidance for development of a hybrid cosimulation version of the Functional Mockup Interface (FMI). A cosimulation standard defines interfaces that enable diverse simulation tools to interoperate. Specifically, one tool defines a component that forms part of a simulation model in another tool. We focus on components with inputs and outputs that are functions of time, and specifically on mixtures of discrete events and continuous time signals. This hybrid mixture is not well supported by existing cosimulation standards, and specifically not by FMI 2.0, for reasons that are explained in this paper. The paper defines a suite of test components, giving a mathematical model of an ideal behavior, plus a discussion of practical implementation considerations. The discussion includes acceptance criteria by which we can determine whether a standard supports definition of each component. In addition, we define a set of test compositions that define requirements for coordination between components, including consistent handling of timed events.

2018 Annual American Control Conference (ACC), 2018

In modern smart buildings modeled as hybrid systems, occupancy detection can be cast as observing the discrete states of a hybrid system using the available discrete and continuous system outputs. In this paper, we present a method to construct observers of the hybrid system to distinguish between different locations of the hybrid system by inferring metric temporal logic (MTL) formulae from the simulated trajectories. We first approximate the system behavior by simulating finitely many trajectories with time-robust tube segments around them. These time-robust tube segments account for both spatial and temporal uncertainties that exist in the hybrid system with initial state variations. The inferred MTL formulae classify different time-robust tube segments and thus can be used for classifying the hybrid system behaviors in a provably correct fashion. We implement our approach on a model of a smart building testbed to distinguish two cases of room occupancy.

Journal of Control, Automation and Electrical Systems, 2016

The problem of avoiding oversaturated phenomena between two adjacent intersections by intelligent traffic control strategy is addressed in this paper. The complex traffic behavior in this urban area is viewed as a dynamical hybrid system that can be modeled by hybrid Petri nets (HPNs). The property analysis of HPN model that gives an evaluation of the system performance is very limited. The translation of this model into hybrid automata (HA) can avoid this drawback. The interest of this translation is to profit from the both models advantages while avoiding their disadvantages that associate the modeling power of HPN with the analysis capacities of HA. The resulting model can capture an important aspect of the traffic flow dynamics where the oversaturated traffic conditions are presented by forbidden locations. A reachability analysis is performed to check this model. An optimal supervised controller synthesis algorithm is elaborated to get an optimal plan with coordinated traffic signals that satisfy the imposed constraints where the forbidden locations are suppressed. The experiment results show that the coordination traffic signal obtained by the proposed control approach outperforms those obtained using the widely used signal timing optimization software SYNCHRO under various demand scenarios from unsaturated to oversaturated.

International Journal on Software Tools for Technology Transfer, 2015

Hybrid systems represent an important and powerful formalism for modeling real-world applications such as embedded systems. A verification tool like SpaceEx is based on the exploration of a symbolic search space (the region space). As a verification tool, it is typically optimized towards proving the absence of errors. In some settings, e.g., when the verification tool is employed in a feedback-directed design cycle, one would like to have the option to call a version that B Sergiy Bogomolov

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2019

Test automation requires automated oracles to assess test outputs. For cyber physical systems (CPS), oracles, in addition to be automated, should ensure some key objectives: (i) they should check test outputs in an online manner to stop expensive test executions as soon as a failure is detected; (ii) they should handle time-and magnitude-continuous CPS behaviors; (iii) they should provide a quantitative degree of satisfaction or failure measure instead of binary pass/fail outputs; and (iv) they should be able to handle uncertainties due to CPS interactions with the environment. We propose an automated approach to translate CPS requirements specified in a logic-based language into test oracles specified in Simulink-a widely-used development and simulation language for CPS. Our approach achieves the objectives noted above through the identification of a fragment of Signal First Order logic (SFOL) to specify requirements, the definition of a quantitative semantics for this fragment and a sound translation of the fragment into Simulink. The results from applying our approach on 11 industrial case studies show that: (i) our requirements language can express all the 98 requirements of our case studies; (ii) the time and effort required by our approach are acceptable, showing potentials for the adoption of our work in practice, and (iii) for large models, our approach can dramatically reduce the test execution time compared to when test outputs are checked in an offline manner.

Lecture Notes in Computer Science, 2009

We investigate the optimum reachability problem for Multi-Priced Timed Automata (MPTA) that admit both positive and negative costs on edges and locations, thus bridging the gap between the results of Bouyer et al. (2007) and of Larsen and Rasmussen (2008). Our contributions are the following: (1) We show that even the location reachability problem is undecidable for MPTA equipped with both positive and negative costs, provided the costs are subject to a bounded budget, in the sense that paths of the underlying Multi-Priced Transition System (MPTS) that operationally exceed the budget are considered as not being viable. This undecidability result follows from an encoding of StopWatch Automata using such MPTA, and applies to MPTA with as few as two cost variables, and even when no costs are incurred upon taking edges. (2) We then restrict the MPTA such that each viable quasi-cyclic path of the underlying MPTS incurs a minimum absolute cost. Under such a condition, the location reachability problem is shown to be decidable and the optimum cost is shown to be computable for MPTA with positive and negative costs and a bounded budget. These results follow from a reduction of the optimum reachability problem to the solution of a linear constraint system representing the path conditions over a finite number of viable paths of bounded length.

Synthesis Lectures on Computer Science, 2006

This monograph presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic mathematical framework to support description and analysis of timed systems. An important feature of this model is its support for decomposing timed system descriptions. In particular, the framework includes a notion of external behavior for a timed I/O automaton, which captures its discrete interactions with its environment. The framework also defines what it means for one TIOA to implement another, based on an inclusion relationship between their external behavior sets, and defines notions of simulations, which provide sufficient conditions for demonstrating implementation relationships. The framework includes a composition operation for TIOAs, which respects external behavior, and a notion of receptiveness, which implies that a TIOA does not block the passage of time.

Proceedings of the 23rd International Conference on Hybrid Systems: Computation and Control, 2020

This paper describes a verification case study on an autonomous racing car with a neural network (NN) controller. Although several verification approaches have been recently proposed, they have only been evaluated on low-dimensional systems or systems with constrained environments. To explore the limits of existing approaches, we present a challenging benchmark in which the NN takes raw LiDAR measurements as input and outputs steering for the car. We train a dozen NNs using reinforcement learning (RL) and show that the state of the art in verification can handle systems with around 40 LiDAR rays. Furthermore, we perform real experiments to investigate the benefits and limitations of verification with respect to the sim2real gap, i.e., the difference between a system's modeled and real performance. We identify cases, similar to the modeled environment, in which verification is strongly correlated with safe behavior. Finally, we illustrate LiDAR fault patterns that can be used to ...

ACM Transactions on Embedded Computing Systems, 2021

This article addresses the problem of verifying the safety of autonomous systems with neural network (NN) controllers. We focus on NNs with sigmoid/tanh activations and use the fact that the sigmoid/tanh is the solution to a quadratic differential equation. This allows us to convert the NN into an equivalent hybrid system and cast the problem as a hybrid system verification problem, which can be solved by existing tools. Furthermore, we improve the scalability of the proposed method by approximating the sigmoid with a Taylor series with worst-case error bounds. Finally, we provide an evaluation over four benchmarks, including comparisons with alternative approaches based on mixed integer linear programming as well as on star sets.

Computer Aided Verification, 2021

This paper presents Verisig 2.0, a verification tool for closed-loop systems with neural network (NN) controllers. We focus on NNs with tanh/sigmoid activations and develop a Taylor-model-based reachability algorithm through Taylor model preconditioning and shrink wrapping. Furthermore, we provide a parallelized implementation that allows Verisig 2.0 to efficiently handle larger NNs than existing tools can. We provide an extensive evaluation over 10 benchmarks and compare Verisig 2.0 against three state-of-the-art verification tools. We show that Verisig 2.0 is both more accurate and faster, achieving speed-ups of up to 21x and 268x against different tools, respectively.

Soft Computing

To capture the dynamics of modern Cyber-Physical Systems, hybrid system models are introduced to combine their continuous dynamics with the discrete ones. Unfortunately, one important negative issue can affect hybrid system models: the so-called Zeno phenomenon, which results in an infinite number of discrete transitions in a finite amount of time occurring during the model’s simulation that leads to inconsistent results. In this context, the paper investigates the use of a recently proposed numerical algorithm, based on the Infinity Computer methodology, to handle the Zeno phenomenon and evaluate it with respect to standard numerical methods by considering the hybrid system models of two exemplary Cyber-Physical Systems: the Water tanks and the Thermostat.

ACM Transactions on Embedded Computing Systems, 2008

Average dwell time (ADT) properties characterize the rate at which a hybrid system performs mode switches. In this article, we present a set of techniques for verifying ADT properties. The stability of a hybrid system A can be verified by combining these techniques with standard methods for checking stability of the individual modes of A. We introduce a new type of simulation relation for hybrid automata— switching simulation —for establishing that a given automaton A switches more rapidly than another automaton B. We show that the question of whether a given hybrid automaton has ADT τ a can be answered either by checking an invariant or by solving an optimization problem. For classes of hybrid automata for which invariants can be checked automatically, the invariant-based method yields an automatic method for verifying ADT; for automata that are outside this class, the invariant has to be checked using inductive techniques. The optimization-based method is automatic and is applicab...

Lecture Notes in Computer Science, 2012

Recently, hybrid Petri nets with a single general one-shot transition (HPnGs) have been introduced together with an algorithm to analyze their underlying state space using a conditioning/deconditioning approach. In this paper we propose a considerably more efficient algorithm for analysing HPnGs. The proposed algorithm maps the underlying state-space onto a plane for all possible firing times of the general transition s and for all possible systems times t. The key idea of the proposed method is that instead of dealing with infinitely many points in the ts-plane, we can partition the state space into several regions, such that all points inside one region are associated with the same system state. To compute the probability to be in a specific system state at time τ , it suffices to find all regions intersecting the line t = τ and decondition the firing time over the intersections. This partitioning results in a considerable speed-up and provides more accurate results. A scalable case study illustrates the efficiency gain with respect to the previous algorithm.

ACM Transactions on Privacy and Security, 2020

We apply formal methods to lay and streamline theoretical foundations to reason about Cyber-Physical Systems (CPSs) and physics-based attacks, i.e., attacks targeting physical devices. We focus on a formal treatment of both integrity and denial of service attacks to sensors and actuators of CPSs, and on the timing aspects of these attacks. Our contributions are fourfold. (1) We define a hybrid process calculus to model both CPSs and physics-based attacks. (2) We formalise a threat model that specifies MITM attacks that can manipulate sensor readings or control commands to drive a CPS into an undesired state; we group these attacks into classes and provide the means to assess attack tolerance/vulnerability with respect to a given class of attacks, based on a proper notion of most powerful physics-based attack. (3) We formalise how to estimate the impact of a successful attack on a CPS and investigate possible quantifications of the success chances of an attack. (4) We illustrate our ...

Frontiers of Information Technology & Electronic Engineering, 2020

In this perspective article, we first recall the historic background of human-cyber-physical systems (HCPSs), and then introduce and clarify important concepts. We discuss the key challenges in establishing the scientific foundation from a system engineering point of view, including (1) complex heterogeneity, (2) lack of appropriate abstractions, (3) dynamic black-box integration of heterogeneous systems, (4) complex requirements for functionalities, performance, and quality of services, and (5) design, implementation, and maintenance of HCPS to meet requirements. Then we propose four research directions to tackle the challenges, including (1) abstractions and computational theory of HCPS, (2) theories and methods of HCPS architecture modelling, (3) specification and verification of model properties, and (4) software-defined HCPS. The article also serves as the editorial of this special section on cyber-physical systems and summarises the four articles included in this special section.

IET Cyber-Physical Systems: Theory & Applications, 2021

Ensuring that safety-critical cyber-physical systems (CPSs) continue to satisfy correctness and safety specifications even under faults or adversarial attacks is very challenging, especially in the presence of legacy components for which accurate models are unknown to the designer. Current techniques for secure-by-design systems engineering do not provide an end-to-end methodology for a designer to provide real-time assurance for safety-critical CPSs by identifying system dynamics and updating control strategies in response to newly discovered faults, attacks or other changes such as system upgrades. We propose a new methodology, along with an integrated framework implemented in MATLAB to guarantee the resilient operation of safety-critical CPSs with unknown dynamics. The proposed framework consists of three main components. The runtime monitor evaluates the system behaviour on-the-fly against its correctness specifications expressed as signal temporal logic formulas. The model synthesiser incorporates a sparse identification approach that is used to continually update the plant model and control policies to adapt to any changes in the system or the environment. The decision and control module designs a controller to ensure that the correctness specifications are satisfied at runtime. For evaluation, we apply our proposed framework to ensure the resilient operations of two CPS case studies. This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.

Springer eBooks, 2021

Parametric timed automata are a powerful formalism for reasoning on concurrent real-time systems with unknown or uncertain timing constants. In order to test the efficiency of new algorithms, a fair set of benchmarks is required. We present an extension of the IMITATOR benchmarks library, that accumulated over the years a number of case studies from academic and industrial contexts. We extend here the library with several dozens of new benchmarks; these benchmarks highlight several new features: liveness properties, extensions of (parametric) timed automata (including stopwatches or multi-rate clocks), and unsolvable toy benchmarks. These latter additions help to emphasize the limits of state-of-the-art parameter synthesis techniques, with the hope to develop new dedicated algorithms in the future.

Hybrid Systems II, 1995

Lecture Notes in Computer Science, 2011

The Cayley-Hamilton theorem (CHT) is a classic result in linear algebra over fields which states that a matrix satisfies its own characteristic polynomial. CHT has been extended from fields to commutative semirings by Rutherford in 1964. However, to the best of our knowledge, no result is known for noncommutative semirings. This is a serious limitation, as the class of regular languages, with finite automata as their recognizers, is a noncommutative idempotent semiring. In this paper we extend the CHT to noncommutative semirings. We also provide a simpler version of CHT for noncommutative idempotent semirings.

Lecture Notes in Computer Science, 2009

We show that regarding finite automata (FA) as discrete, time-invariant linear systems over semimodules, allows to: (1) express FA minimization and FA determinization as particular observability and reachability transformations of FA, respectively; (2) express FA pumping as a property of the FA's reachability matrix; (3) derive canonical forms for FAs. These results are to our knowledge new, and they may support a fresh look into hybrid automata properties, such as minimality. Moreover, they may allow to derive generalized notions of characteristic polynomials and associated eigenvalues, in the context of FA.

Formal Methods in System Design, 2015

In this paper, we present a counterexample guided abstraction refinement (CEGAR) framework for systems modelled as rectangular hybrid automata. The main difference, between our approach and previous proposals for CEGAR for hybrid automata, is that we consider the abstractions to be hybrid automata as well, as opposed to finite state systems. We show that the CEGAR scheme is semi-complete for the class of rectangular hybrid automata and complete for the subclass of initialized rectangular automata. We have implemented the CEGAR based algorithm in a tool called Hare, that makes calls to HyTech to analyze the abstract models and validate the counterexamples. The experimental evaluations demonstrate the merits of the approach.

Numerical Software Verification, 2017

A Rapidly-exploring Random Tree (RRT) is an algorithm which can search a non-convex region of space by incrementally building a space-filling tree. The tree is constructed from random points drawn from system's state space and is biased to grow towards large unexplored areas in the system. RRT can provide better coverage of a system's possible behaviors compared with random simulations, but is more lightweight than full reachability analysis. In this paper, we explore some of the design decisions encountered while implementing a hybrid extension of the RRT algorithm, which have not been elaborated on before. In particular, we focus on handling non-determinism, which arises due to discrete transitions. We introduce the notion of important points to account for this phenomena. We showcase our ideas using heater and navigation benchmarks.

Formal Aspects of Computing, 2016

As autonomous systems become more prevalent, methods for their verification will become more widely used. Model checking is a formal verification technique that can help ensure the safety of autonomous systems, but in most cases it cannot be applied by novices, or in its straight “off-the-shelf” form. In order to be more widely applicable it is crucial that more sophisticated techniques are used, and are presented in a way that is reproducible by engineers and verifiers alike. In this paper we demonstrate in detail two techniques that are used to increase the power of model checking using the model checker S pin . The first of these is the use of embedded C code within Promela specifications, in order to accurately reflect robot movement. The second is to use abstraction together with a simulation relation to allow us to verify multiple environments simultaneously. We apply these techniques to a fairly simple system in which a robot moves about a fixed circular environment and learn...