Computational techniques for the verification of hybrid systems
Proceedings of the IEEE, 2003
Hybrid system theory lies at the intersection of the fields of engineering control theory and computer science verification. It is defined as the modeling, analysis, and control of systems that involve the interaction of both discrete state systems, represented by finite automata, and continuous state dynamics, represented by differential equations. The embedded autopilot of a modern commercial jet is a prime example of a hybrid system: the autopilot modes correspond to the application of different control laws, and the logic of mode switching is determined by the continuous state dynamics of the aircraft, as well as through interaction with the pilot. To understand the behavior of hybrid systems, to simulate, and to control these systems, theoretical advances, analyses, and numerical tools are needed. In this paper, we first present a general model for a hybrid system along with an overview of methods for verifying continuous and hybrid systems. We describe a particular verification
Mode estimation of probabilistic hybrid systems
In Intl. Conf. on Hybrid Systems: Computation and Control, 2002
Model-based diagnosis and mode estimation capabilities excel at diagnosing systems whose symptoms are clearly distinguished from normal behavior. A strength of mode estimation, in particular, is its ability to track a system's discrete dynamics as it moves between different behavioral modes. However, often failures bury their symptoms amongst the signal noise, until their effects become catastrophic. We introduce a hybrid mode estimation system that extracts mode estimates from subtle symptoms. First, we introduce a modeling formalism, called concurrent probabilistic hybrid automata (cPHA), that merge hidden Markov models (HMM) with continuous dynamical system models. Second, we introduce hybrid estimation as a method for tracking and diagnosing cPHA, by unifying traditional continuous state observers with HMM belief update. Finally, we introduce a novel, anytime, any-space algorithm for computing approximate hybrid estimates.
Embedded Software
Advances in Computers, 2002
The science of computation has systematically abstracted away the physical world. Embedded software systems, however, engage the physical world. Time, concurrency, liveness, robustness, continuums, reactivity, and resource management must be remarried to computation. Prevailing abstractions of computational systems leave out these "nonfunctional" aspects. This chapter explains why embedded software is not just software on small computers, and why it therefore needs fundamentally new views of computation. It suggests component architectures based on a principle called "actor-oriented design," where actors interact according to a model of computation, and describes some models of computation that are suitable for embedded software. It then suggests that actors can define interfaces that declare dynamic aspects that are essential to embedded software, such as temporal properties. These interfaces can be structured in a "system-level type system" that supports the sort of design-time and run-time type checking that conventional software benefits from.
Constructing Invariants for Hybrid Systems
In Hybrid Systems: Computation and Control, LNCS 2993, 2004
An invariant of a system is a predicate that holds for every reachable state. In this paper, we present techniques to generate invariants for hybrid systems. This is achieved by reducing the invariant generation problem to a constraint solving problem using methods from the theory of ideals over polynomial rings. We extend our previous work on the generation of algebraic invariants for discrete transition systems in order to generate algebraic invariants for hybrid systems. In doing so, we present a new technique to handle consecution across continuous differential equations. The techniques we present allow a tradeoff between the complexity of the invariant generation process and the strength of the resulting invariants.
Optimal strategies in priced timed game automata
In FSTTCS 04, LNCS 3328, 2004
Priced timed (game) automata extend timed (game) automata with costs on both locations and transitions. In this paper we focus on reachability games for priced timed game automata and prove that the optimal cost for winning such a game is computable under conditions concerning the non-Zenoness of cost and we prove that it is decidable. Under stronger conditions (strictness of constraints) we prove that in case an optimal strategy exists, we can compute a state-based winning optimal strategy.
Computing differential invariants of hybrid systems as fixed-points
2008
We introduce a fixed-point algorithm for verifying safety properties of hybrid systems with differential equations whose right-hand sides are polynomials in the state variables. In order to verify non-trivial systems without solving their differential equations and without numerical errors, we use a continuous generalization of induction, for which our algorithm computes the required differential invariants. As a means for combining local differential invariants into global system invariants in a sound way, our fixed-point algorithm works with a compositional verification logic for hybrid systems. To improve the verification power, we further introduce a saturation procedure that refines the system dynamics successively with differential invariants until safety becomes provable. By complementing our symbolic verification algorithm with a robust version of numerical falsification, we obtain a fast and sound verification procedure. We verify roundabout maneuvers in air traffic management and collision avoidance in train control.
Robust timed automata
In Proceedings of HART 97, 1997
We define robust timed automata, which are timed automata that accept all trajectories "robustly": if a robust timed automaton accepts a trajectory, then it must accept neighboring trajectories also; and if a robust timed automaton rejects a trajectory, then it must reject neighboring trajectories also. We show that the emptiness problem for robust timed automata is still decidable, by modifying the region construction for timed automata. We then show that, like timed automata, robust timed automata cannot be determinized. This result is somewhat unexpected, given that in temporal logic, the removal of real-time equality constraints is known to lead to a decidable theory that is closed under all boolean operations.
KeYmaera: A hybrid theorem prover for hybrid systems
IJCAR, LNCS volume 5195, 2008
KeYmaera is a hybrid verification tool for hybrid systems that combines deductive, real algebraic, and computer algebraic prover technologies. It is an automated and interactive theorem prover for a natural specification and verification logic for hybrid systems. KeYmaera supports differential dynamic logic, which is a real-valued first-order dynamic logic for hybrid programs, a program notation for hybrid automata. For automating the verification process, KeYmaera implements a generalized free-variable sequent calculus and automatic proof strategies that decompose the hybrid system specification symbolically. To overcome the complexity of real arithmetic, we integrate real quantifier elimination following an iterative background closure strategy. Our tool is particularly suitable for verifying parametric hybrid systems and has been used successfully for verifying collision avoidance in case studies from train control and air traffic management.
Almost ASAP Semantics: From Timed Models to Timed Implementations
2003
In this paper, we introduce a parametric semantics for timed controllers called the Almost ASAP semantics. This semantics is a relaxation of the usual ASAP semantics (also called the maximal progress semantics), which is a mathematical idealization that cannot be implemented by any physical device, no matter how fast it is. On the contrary, any correct Almost ASAP controller can be implemented by a program on hardware if that hardware is fast enough. We study the properties of this semantics, show how it can be analyzed using the tool HyTech, and illustrate its practical use on examples.
A classification of symbolic transition systems
ACM Transactions on Computational Logic, 2005
We define five increasingly comprehensive classes of infinite-state systems, called STS1 to STS5, whose state spaces have finitary structure. For four of these classes, we provide examples from hybrid systems.

STS1: These are the systems with finite bisimilarity quotients. They can be analyzed symbolically by iteratively applying predecessor and Boolean operations on state sets, starting from a finite number of observable state sets. Any such iteration is guaranteed to terminate in that only a finite number of state sets can be generated. This enables model checking of the μ-calculus.

STS2: These are the systems with finite similarity quotients. They can be analyzed symbolically by iterating the predecessor and positive Boolean operations. This enables model checking of the existential and universal fragments of the μ-calculus.

STS3: These are the systems with finite trace-equivalence quotients. They can be analyzed symbolically by iterating the predecessor operation and a restricted form of positive Boolean operations (intersection is restricted to intersection with observables). This enables model checking of all ω-regular properties, including linear temporal logic.

STS4: These are the systems with finite distance-equivalence quotients (two states are equivalent if for every distance d, the same observables can be reached in d transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new state sets are generated. This enables model checking of the existential conjunction-free and universal disjunction-free fragments of the μ-calculus.

STS5: These are the systems with finite bounded-reachability quotients (two states are equivalent if for every distance d, the same observables can be reached in d or fewer transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new states are encountered (this is a weaker termination condition than above). This enables model checking of reachability properties.