What's Decidable about Hybrid Automata?

ACM Transactions on Embedded Computing Systems, 2013

We present a Monte-Carlo optimization technique for finding system behaviors that falsify a Metric Temporal Logic (MTL) property. Our approach performs a random walk over the space of system inputs guided by a robustness metric defined by the MTL property. Robustness is guiding the search for a falsifying behavior by exploring trajectories with smaller robustness values. The resulting testing framework can be applied to a wide class of Cyber-Physical Systems (CPS). We show through experiments on complex system models that using our framework can help automatically falsify properties with more consistency as compared to other means such as uniform sampling.

SIMULATION, 2011

Advanced mechatronic systems have to integrate existing technologies from mechanical, electrical and software engineering. They must be able to adapt their structure and behavior at runtime by reconfiguration to react flexibly to changes in the environment. Therefore, a tight integration of structural and behavioral models of the different domains is required. This integration results in complex reconfigurable hybrid systems, the execution logic of which cannot be addressed directly with existing standard modeling, simulation, and code-generation techniques. We present in this paper how our component-based approach for reconfigurable mechatronic systems, MECHATRONIC UML, efficiently handles the complex interplay of discrete behavior and continuous behavior in a modular manner. In addition, its extension to even more flexible reconfiguration cases is presented.

Acta Informatica

Few fuzzy temporal logics and modeling formalisms are developed such that their model checking is both effective and efficient. State-space explosion makes model checking of fuzzy temporal logics inefficient. That is because either the modeling formalism itself is not compact, or the verification approach requires an exponentially larger yet intermediate representation of the modeling formalism. To exemplify, Fuzzy Program Graph (FzPG) is a very compact, and powerful formalism to model fuzzy systems; yet, it is required to be translated into an equal Fuzzy Kripke model with an exponential blow-up should it be formally verified. In this paper, we introduce Fuzzy Computation Tree Logic (FzCTL) and its direct symbolic model checking over FzPG that avoids the aforementioned state-space explosion. Considering compactness and readability of FzPG along with expressiveness of FzCTL, we believe the proposed method is applicable in real-world scenarios. Finally, we study formal verification of fuzzy flip-flops to demonstrate capabilities of the proposed method. The majority of this work was done before the M.

Software Quality Journal

Many Java programs encode temporal behaviors in their source code, typically mixing three features provided by the Java language: (1) pausing the execution for a limited amount of time, (2) waiting for an event that has to occur before a deadline expires, and (3) comparing timestamps. In this work, we show how to exploit modern SMT solvers together with static analysis in order to produce a network of timed automata approximating the temporal behavior of a set of Java threads. We also prove that the presented abstraction preserves the truth of MTL and ATCTL formulae, two well-known logics for expressing timed specifications. As far as we know, this is the first feasible approach enabling the user to automatically model check timed specifications of Java software directly from the source code.

Mathematics in Computer Science, 2011

This paper identifies an industrially relevant class of linear hybrid automata (LHA) called reasonable LHA for which parametric verification of convex safety properties with exhaustive entry states can be verified in polynomial time and time-bounded reachability can be decided in nondeterministic polynomial time for non-parametric verification and in exponential time for parametric verification. Properties with exhaustive entry states are restricted to runs originating in a (specified) inner envelope of some mode-invariant. Deciding whether an LHA is reasonable is shown to be decidable in polynomial time.

Lecture Notes in Computer Science

Due to the risk of discharge sparks and ignition, there are strict rules concerning the safety of high voltage electrostatic systems used in industrial painting robots. In order to assure that the system fulfils its safety requirements, formal verification is an important tool to supplement traditional testing and quality assurance procedures. The work in this paper presents formal verification of the most important safety functions of a high voltage controller. The controller has been modelled as a finite state machine, which was formally verified using two different model checking software tools; Simulink Design Verifier and RoboTool. Five safety critical properties were specified and formally verified using the two tools. Simulink was chosen as a low-threshold entry point since MathWorks products are well known to most practitioners. RoboTool serves as a software tool targeted towards model checking, thus providing more advanced options for the more experienced user. The comparat...

Applied Sciences

In this paper, a hybrid realization model is proposed for the controllers of autonomous underwater vehicles (AUVs). This model is based on the model-based systems engineering (MBSE) methodology, in combination with the model-driven architecture (MDA), the real-time unified modeling language (UML)/systems modeling language (SysML), the extended/unscented Kalman filter (EKF/UKF) algorithms, and hybrid automata, and it can be reused for designing controllers of various AUV types. The dynamic model and control structure of AUVs were combined with the specialization of MDA concepts as follows. The computation-independent model (CIM) was specified by the use-case model combined with the EKF/UKF algorithms and hybrid automata to intensively gather the control requirements. Then, the platform-independent model (PIM) was specialized using the real-time UML/SysML to design the capsule collaboration of control and its connections. The detailed PIM was subsequently converted into the platform-s...

Proceedings of the 23rd International Conference on Hybrid Systems: Computation and Control, 2020

Hybrid Systems are systems having a mixed discrete and continuous behaviour that cannot be characterized faithfully using either only discrete or only continuous models. A good framework for hybrid systems should support their compositional description and analysis, since commonly systems are specified by a composition of smaller subsystems, to cope with the complexity of their monolithic representation. Moreover, since the reachability problem for hybrid systems is undecidable, one should investigate the conditions that guarantee approximate computability of composition, when only approximations to the exact problem data are available. In this paper, we propose an automata-based formalism (HIOA) for hybrid systems that is compositional and for which the evolution can be computed approximately. The main results are that the composition of compatible HIOA yields a pre-HIOA; a dominance result on the composition of HIOA by which we can replace any component in a composition by another one that exhibits the same external behaviour without affecting the behaviour of the composition; finally, the key result that the composition of two compatible upper(lower)-semicontinuous HIOA is a computable upper(lower)semicontinuous pre-HIOA, which entails that the evolution of the composition is upper(lower)-semicomputable. A discussion on how compositionality/computability are handled in state-of-art libraries for reachability analysis closes the paper. • Theory of computation → Timed and hybrid models; Computability.

International Journal of Aerospace Engineering, 2020

The aerospace industry needs to be provided with system solutions to technologically challenging and mission-critical problems. Based on the industrial control point of view, development engineers must take costs and existing standards into account in order to effectively design, implement, and deploy control systems with reasonable costs. The customization and reusability are important factors associated with the production of new applications in order to reduce their costs, resources, and development time. In this work, the Model-Driven Architecture (MDA)/Model-Based Systems Engineering (MBSE) approach combined with the real-time Unified Modeling Language (UML)/Systems Modeling Language (SysML), Unscented Kalman Filter (UKF) algorithm, and hybrid automata is specialized to obtain a hybrid control model in order to conveniently deploy controllers of Quadrotor Unmanned Aerial Vehicles (Q-UAVs). This hybrid control model also provides a real-time capsule pattern, which allows the des...

Journal of Advanced Transportation, 2020

This paper introduces a model-driven control realization, which is based on the systems engineering concepts of the model-driven architecture (MDA)/model-based systems engineering (MBSE) approach combined with the real-time UML/SysML, extended/unscented Kalman filter (EKF/UKF) algorithms, and hybrid automata, in order to conveniently deploy controllers of autonomous underwater vehicles (AUVs). This model also creates a real-time communication pattern, which can permit the designed components to be customizable and reusable in new application developments of different AUV types. The paper brings out stepwise adapted AUV dynamics for control that are then combined with the specialization of MDA/MBSE features as follows: the computation independent model (CIM) is defined by the specification of the use-case model together with hybrid automata to gather the requirement analysis for control; the platform-independent model (PIM) is then designed by specializing the real-time UML/SysML’s f...

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2019

Matlab/Simulink is a development and simulation language that is widely used by the Cyber-Physical System (CPS) industry to model dynamical systems. There are two mainstream approaches to verify CPS Simulink models: model testing that attempts to identify failures in models by executing them for a number of sampled test inputs, and model checking that attempts to exhaustively check the correctness of models against some given formal properties. In this paper, we present an industrial Simulink model benchmark, provide a categorization of different model types in the benchmark, describe the recurring logical patterns in the model requirements, and discuss the results of applying model checking and model testing approaches to identify requirements violations in the benchmarked models. Based on the results, we discuss the strengths and weaknesses of model testing and model checking. Our results further suggest that model checking and model testing are complementary and by combining them, we can significantly enhance the capabilities of each of these approaches individually. We conclude by providing guidelines as to how the two approaches can be best applied together.

ACM Transactions on Cyber-Physical Systems, 2018

The use of robots in operating rooms improves safety and decreases patient recovery time and surgeon fatigue, but it introduces new potential hazards that can lead to severe injury or even the loss of human life. Thus, safety has been perceived as a crucial system property since the early days by the industry, the medical community, and the regulatory agents. In this article, we discuss the application of the mathematically rigorous technique known as Formal Verification to analyze the safety properties of a laser incision case study, and we assess its safe and predictable operation. Like all formal methods approaches, our analysis has three distinct components: a method to create a model of the system, a language to specify the properties, and a strategy to prove rigorously that the behavior of the model fulfills the desired properties. The model of the system takes the form of a hybrid automaton consisting of a discrete control part that operates in a continuous environment. The s...

Automata, Languages and Programming, 2005

This paper is concerned with the language inclusion problem for timed automata: given timed automata A and B, is every word accepted by B also accepted by A? Alur and Dill [5] showed that the language inclusion problem is decidable if A has no clocks and undecidable if A has two clocks (with no restriction on B). However, the status of the problem when A has one clock is not determined by [5]. In this paper we close this gap for timed automata over infinite words by showing that the one-clock language inclusion problem is undecidable. For timed automata over finite words, building on our earlier paper [19], we show that the one-clock language inclusion problem is decidable with nonprimitive recursive complexity. This reveals a surprising divergence between the theory of timed automata over finite words and over infinite words. Finally, we show that if ε-transitions or non-singular postconditions are allowed, then the one-clock language inclusion problem is undecidable over both finite and infinite words.

Journal of Control, Automation and Electrical Systems, 2016

The problem of avoiding oversaturated phenomena between two adjacent intersections by intelligent traffic control strategy is addressed in this paper. The complex traffic behavior in this urban area is viewed as a dynamical hybrid system that can be modeled by hybrid Petri nets (HPNs). The property analysis of HPN model that gives an evaluation of the system performance is very limited. The translation of this model into hybrid automata (HA) can avoid this drawback. The interest of this translation is to profit from the both models advantages while avoiding their disadvantages that associate the modeling power of HPN with the analysis capacities of HA. The resulting model can capture an important aspect of the traffic flow dynamics where the oversaturated traffic conditions are presented by forbidden locations. A reachability analysis is performed to check this model. An optimal supervised controller synthesis algorithm is elaborated to get an optimal plan with coordinated traffic signals that satisfy the imposed constraints where the forbidden locations are suppressed. The experiment results show that the coordination traffic signal obtained by the proposed control approach outperforms those obtained using the widely used signal timing optimization software SYNCHRO under various demand scenarios from unsaturated to oversaturated.

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2019

Test automation requires automated oracles to assess test outputs. For cyber physical systems (CPS), oracles, in addition to be automated, should ensure some key objectives: (i) they should check test outputs in an online manner to stop expensive test executions as soon as a failure is detected; (ii) they should handle time-and magnitude-continuous CPS behaviors; (iii) they should provide a quantitative degree of satisfaction or failure measure instead of binary pass/fail outputs; and (iv) they should be able to handle uncertainties due to CPS interactions with the environment. We propose an automated approach to translate CPS requirements specified in a logic-based language into test oracles specified in Simulink-a widely-used development and simulation language for CPS. Our approach achieves the objectives noted above through the identification of a fragment of Signal First Order logic (SFOL) to specify requirements, the definition of a quantitative semantics for this fragment and a sound translation of the fragment into Simulink. The results from applying our approach on 11 industrial case studies show that: (i) our requirements language can express all the 98 requirements of our case studies; (ii) the time and effort required by our approach are acceptable, showing potentials for the adoption of our work in practice, and (iii) for large models, our approach can dramatically reduce the test execution time compared to when test outputs are checked in an offline manner.

Lecture Notes in Computer Science, 2009

We investigate the optimum reachability problem for Multi-Priced Timed Automata (MPTA) that admit both positive and negative costs on edges and locations, thus bridging the gap between the results of Bouyer et al. (2007) and of Larsen and Rasmussen (2008). Our contributions are the following: (1) We show that even the location reachability problem is undecidable for MPTA equipped with both positive and negative costs, provided the costs are subject to a bounded budget, in the sense that paths of the underlying Multi-Priced Transition System (MPTS) that operationally exceed the budget are considered as not being viable. This undecidability result follows from an encoding of StopWatch Automata using such MPTA, and applies to MPTA with as few as two cost variables, and even when no costs are incurred upon taking edges. (2) We then restrict the MPTA such that each viable quasi-cyclic path of the underlying MPTS incurs a minimum absolute cost. Under such a condition, the location reachability problem is shown to be decidable and the optimum cost is shown to be computable for MPTA with positive and negative costs and a bounded budget. These results follow from a reduction of the optimum reachability problem to the solution of a linear constraint system representing the path conditions over a finite number of viable paths of bounded length.

Formal Techniques for Distributed Objects, Components, and Systems, 2018

Cyber-Physical Systems (CPSs) are integrations of networking and distributed computing systems with physical processes. Although the range of applications of CPSs include several critical domains, their verification and validation often relies on simulation-test systems rather then formal methodologies. In this paper, we use a recent version of the expressive MODEST TOOLSET to implement a non-trivial engineering application, and test its safety model checker prohver as a formal instrument to statically detect a variety of cyber-physical attacks, i.e., attacks targeting sensors and/or actuators, with potential physical consequences. We then compare the effectiveness of the MODEST TOOLSET and its safety model checker in verifying CPS security properties when compared to other state-of-the-art model checkers.

Information and Computation, 2020

We consider Pareto analysis of reachable states of multi-priced timed automata (MPTA): timed automata equipped with multiple observers that keep track of costs (to be minimised) and rewards (to be maximised) along a computation. Each observer has a constant non-negative derivative which may depend on the location of the MPTA. We study the Pareto Domination Problem, which asks whether it is possible to reach a target location via a run in which the accumulated costs and rewards Pareto dominate a given objective vector. We show that this problem is undecidable in general, but decidable for MPTA with at most three observers. For MPTA whose observers are all costs or all rewards, we show that the Pareto Domination Problem is PSPACE-complete. We also consider an ε-approximate Pareto Domination Problem that is decidable without restricting the number and types of observers. We develop connections between MPTA and Diophantine equations. Undecidability of the Pareto Domination Problem is shown by reduction from Hilbert's 10 th Problem, while decidability for three observers is shown by a translation to a fragment of arithmetic involving quadratic forms.

International Journal on Software Tools for Technology Transfer, 2023

Traditionally, extensive vehicle testing is applied to assure the robustness and safety of automotive systems. This approach is highly challenged by increasing system complexity. Formal verification lends a powerful framework for model-based safety assurance, but due to the mixed discrete-continuous behavior of automotive systems, traditional tools for discrete program verification are helpful but not sufficient. In academia, during the last two decades new approaches arose for the formal verification of such mixed discrete-continuous systems. However, the industry is not fully aware of this development, the tools are seldom tried and their applicability is not well examined. In a Ford-RWTH research alliance project, we aimed at evaluating the potential of knowledge and technology transfer in this area. This paper has two main objectives. Firstly, we want to report on the state-of-the-art in the above-mentioned academic development in a generally understandable form, targeted to interested potential users. Secondly, we want to share our observations after testing different available tools for their applicability and usability in the automotive sector and as a conclusion devise some recommendations.

Hybrid Systems: Computation and Control

ions (also called symbolic models) are simple descriptions of continuous and hybrid systems that can be used in analysis and control. They are usually constructed in the form of transition systems with finitely many states. Such abstractions offer a very attractive approach to deal with complexity, while at the same time allowing for rich specification languages. Recent results show that, through the abstraction process, the resulting transition systems can be nondeterministic (i.e., if an input is applied in a state, several next states are possible). However, the problem of controlling a nondeterministic transition system from a rich specification such as a temporal logic formula is not well understood. In this paper, we develop a control strategy for a nondeterministic transition system from a specification given as a Linear Temporal Logic formula with a deterministic Büchi generator. Our solution is inspired by LTL games on graphs, is complete, and scales polynomially with the size of the Büchi automaton. An example of controlling a linear system from a specification given as a temporal logic formula over the regions of its triangulated state space is included for illustration.

International Journal of Control, 2012

In the last few years there has been a growing interest in the use of symbolic models for the formal verification and control design of purely continuous or hybrid systems. Symbolic models are abstract descriptions of continuous systems where one symbol corresponds to an "aggregate" of continuous states. In this paper we face the problem of deriving symbolic models for nonlinear control systems affected by disturbances. The main contribution of this paper is in proposing symbolic models that can be effectively constructed and that approximate nonlinear control systems affected by disturbances in the sense of alternating approximate bisimulation.

Springer eBooks, 2006

We present a computationally attractive technique to study the reachability of rectangular regions by trajectories of continuous multi-affine systems. The method is iterative. At each step, finer partitions and finite quotients that over-approximate the reachability properties of the initial system are produced. We exploit some convexity properties of multi-affine functions on rectangles to show that the construction of the quotient at each step requires only the evaluation of the vector field at the set of all vertices of all rectangles in the partition and finding the roots of a finite set of scalar affine functions. This methodology can be used for formal analysis of biochemical networks, aircraft and underwater vehicles, where multi-affine models are widely used.