Results 1-10 of 55
The Theory of Hybrid Automata
1996
Cited by 685 (12 self)
Abstract
A hybrid automaton is a formal model for a mixed discrete-continuous system. We classify hybrid automata according to what questions about their behavior can be answered algorithmically. The classification reveals structure on mixed discrete-continuous state spaces that was previously studied on purely discrete state spaces only. In particular, various classes of hybrid automata induce finitary trace equivalence (or similarity, or bisimilarity) relations on an uncountable state space, thus permitting the application of various model-checking techniques that were originally developed for finite-state systems.
Formal Methods: State of the Art and Future Directions
ACM Computing Surveys, 1996
Cited by 425 (6 self)
Abstract (only the paper's front matter and the opening of the introduction were captured)
E.M. Clarke and J.M. Wing. Categories and Subject Descriptors (truncated): ...about Programs: Mechanical verification, Specification techniques; F.4.1 [Mathematical Logic and Formal Languages]: Mathematical Logic: Mechanical theorem proving. General Terms: Software engineering, formal methods, hardware verification. Additional Key Words and Phrases: Software specification, model checking, theorem proving.
1. Introduction. Hardware and software systems will inevitably grow in scale and functionality. Because of this increase in complexity, the likelihood of subtle errors is much greater. Moreover, some of these errors may cause catastrophic loss of money, time, or even huma...
What's Decidable about Hybrid Automata?
Journal of Computer and System Sciences, 1995
Cited by 377 (16 self)
Abstract
Hybrid automata model systems with both digital and analog components, such as embedded control programs. Many verification tasks for such programs can be expressed as reachability problems for hybrid automata. By improving on previous decidability and undecidability results, we identify a boundary between decidability and undecidability for the reachability problem of hybrid automata. On the positive side, we give an (optimal) PSPACE reachability algorithm for the case of initialized rectangular automata, where all analog variables follow independent trajectories within piecewise-linear envelopes and are reinitialized whenever the envelope changes. Our algorithm is based on the construction of a timed automaton that contains all reachability information about a given initialized rectangular automaton. The translation has practical significance for verification, because it guarantees the termination of symbolic procedures for the reachability analysis of initialized rectangular autom...
HYTECH: The next generation
In Proceedings of the 16th IEEE Real-Time Systems Symposium, 1995
Cited by 119 (9 self)
Abstract
We describe a new implementation of HyTech, a symbolic model checker for hybrid systems. Given a parametric description of an embedded system as a collection of communicating automata, HyTech automatically computes the conditions on the parameters under which the system satisfies its safety and timing requirements. While the original HyTech prototype was based on the symbolic algebra tool Mathematica, the new implementation is written in C++ and builds on geometric algorithms instead of formula manipulation. The new HyTech offers a cleaner and more expressive input language, greater portability, superior performance (typically two to three orders of magnitude), and new features such as diagnostic error-trace generation. We illustrate the effectiveness of the new implementation by applying HyTech to the automatic parametric analysis of the generic railroad crossing benchmark problem [HJL93] and to an active structure control algorithm [ECB94].
Liveness in Timed and Untimed Systems
1994
Cited by 87 (17 self)
Abstract
When proving the correctness of algorithms in distributed systems, one generally considers safety conditions and liveness conditions. The Input/Output (I/O) automaton model and its timed version have been used successfully, but have focused on safety conditions and on a restricted form of liveness called fairness. In this paper we develop a new I/O automaton model, and a new timed I/O automaton model, that permit the verification of general liveness properties on the basis of existing verification techniques. Our models include a notion of environment-freedom which generalizes the idea of receptiveness of other existing formalisms, and enables the use of compositional verification techniques.
Forward and Backward Simulations - Part II: Timing-Based Systems
Information and Computation, 1995
Cited by 83 (23 self)
Abstract
A general automaton model for timing-based systems is presented and is used as the context for developing a variety of simulation proof techniques for such systems. These techniques include (1) refinements, (2) forward and backward simulations, (3) hybrid forward-backward and backward-forward simulations, and (4) history and prophecy relations. Relationships between the different types of simulations, as well as soundness and completeness results, are stated and proved. These results are (with one exception) analogous to the results for untimed systems in Part I of this paper. In fact, many of the results for the timed case are obtained as consequences of the analogous results for the untimed case.
Efficient Timed Reachability Analysis using Clock Difference Diagrams
In Proceedings of the 12th Int. Conf. on Computer Aided Veri, 1998
Cited by 74 (12 self)
Abstract
One of the major problems in applying automatic verification tools to industrial-size systems is the excessive amount of memory required during the state-space exploration of a model. In the setting of real-time, this problem of state explosion requires extra attention as information must be kept not only on the discrete control structure but also on the values of continuous clock variables. In this
Two examples of verification of multirate timed automata with Kronos
In Proc. 1995 IEEE Real-Time Systems Symposium, RTSS'95, 1995
Cited by 68 (12 self)
Abstract
Multirate timed automata [2] are an extension of timed automata [3] where each clock has its own speed varying between a lower and an upper bound that may change from one control location to another. This formalism is well-suited for specifying hybrid systems where the dynamics of the continuous variables are defined or can be approximated by giving the minimal and maximal rate of change. To avoid the difficulties inherent in the verification of multirate timed automata, we follow the approach suggested in [8]. This approach consists of first transforming the multirate timed automata into timed automata and then applying the symbolic techniques implemented in Kronos. We show the practical interest of this approach by analyzing two examples recently proposed in the literature and considered to be realistic case studies: the manufacturing plant of [10] and the Philips audio control protocol [4, 7].
Efficient Verification of Real-Time Systems: Compact Data Structure and State-Space Reduction
In Proc. of the 18th IEEE Real-Time Systems Symposium, 1997
Cited by 64 (10 self)
Abstract
During the past few years, a number of verification tools have been developed for real-time systems in the framework of timed automata (e.g. Kronos and Uppaal). One of the major problems in applying these tools to industrial-size systems is the huge memory usage for the exploration of the state space of a network (or product) of timed automata, as the model checkers must keep information on not only the control structure of the automata but also the clock values specified by clock constraints. In this paper, we present a compact data structure for representing clock constraints. The data structure is based on an O(n^3) algorithm which, given a constraint system over real-valued variables consisting of bounds on differences, constructs an equivalent system with a minimal number of constraints. In addition, we have developed an on-the-fly reduction technique to minimize the space usage. Based on static analysis of the control structure of a network of timed automata, we are able to comp...
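The abstract above describes reducing a system of difference bounds to an equivalent one with a minimal number of constraints. The following is an added illustration, not code from the paper or from Uppaal: it represents the constraint system as a difference bound matrix (DBM), brings it into canonical form with Floyd-Warshall (the O(n^3) step), groups clocks that the constraints force to be equal (zero cycles), and then drops every bound between representatives that is the sum of two other bounds. Bounds are assumed non-strict (strictness flags are omitted), and the sample zone is constructed here for the demonstration.

```python
"""Minimal constraint systems for clock zones (difference bound matrices).

dbm[i][j] = c encodes x_i - x_j <= c. Clock index 0 is the reference clock
that is always 0, so dbm[i][0] is an upper bound on x_i and dbm[0][i] the
negated lower bound. Assumption: all bounds are non-strict.
"""
INF = float("inf")


def closure(dbm):
    """Canonical (tightest) form via Floyd-Warshall all-pairs shortest paths."""
    n = len(dbm)
    d = [row[:] for row in dbm]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if d[i][k] + d[k][j] < d[i][j]:
                    d[i][j] = d[i][k] + d[k][j]
    return d


def is_empty(d):
    """A negative diagonal after closure is a negative cycle: no valuation fits."""
    return any(d[i][i] < 0 for i in range(len(d)))


def minimal_constraints(dbm):
    """Return (i, j, c) triples, meaning x_i - x_j <= c, that describe the
    same zone as dbm with no redundant bound."""
    d = closure(dbm)
    n = len(d)
    if is_empty(d):
        raise ValueError("inconsistent constraint system (empty zone)")
    # 1. Group clocks forced equal: d[i][j] + d[j][i] == 0 is a zero cycle.
    #    The smallest index in each class is its representative.
    rep = list(range(n))
    for j in range(n):
        for i in range(j):
            if rep[i] == i and d[i][j] + d[j][i] == 0:
                rep[j] = i
                break
    result = []
    # 2. Inside a class one cycle of equality edges reproduces every bound.
    for r in range(n):
        members = [j for j in range(n) if rep[j] == r]
        if len(members) > 1:
            for a, b in zip(members, members[1:] + members[:1]):
                result.append((a, b, d[a][b]))
    # 3. Between representatives there are no zero cycles, so a bound is
    #    redundant exactly when some third clock gives an equal path.
    reps = [r for r in range(n) if rep[r] == r]
    for i in reps:
        for j in reps:
            if i == j or d[i][j] == INF:
                continue
            redundant = any(d[i][k] + d[k][j] == d[i][j]
                            for k in reps if k not in (i, j))
            if not redundant:
                result.append((i, j, d[i][j]))
    return result


def from_constraints(constraints, n):
    """Rebuild a DBM from (i, j, c) triples; unconstrained entries are INF."""
    d = [[0 if i == j else INF for j in range(n)] for i in range(n)]
    for i, j, c in constraints:
        d[i][j] = min(d[i][j], c)
    return d


def same_zone(dbm_a, dbm_b):
    """Two constraint systems describe the same zone iff closures agree."""
    return closure(dbm_a) == closure(dbm_b)


# Constructed sample: reference clock 0, clocks x=1, y=2, z=3 with
#   x >= 2, x <= 10, y <= 10, y >= 0, y - x <= 0, x - y <= 2, z = y.
# y <= 10 and y >= 0 follow from the others; z = y makes {y, z} a zero cycle.
SAMPLE = [
    [0,   -2,  0,   0],
    [10,   0,  2, INF],
    [10,   0,  0,   0],
    [INF, INF, 0,   0],
]

if __name__ == "__main__":
    full = closure(SAMPLE)
    bounds = sum(1 for i in range(4) for j in range(4) if i != j and full[i][j] != INF)
    m = minimal_constraints(SAMPLE)
    print(f"{len(m)} constraints instead of {bounds}: {sorted(m)}")
    print("same zone:", same_zone(SAMPLE, from_constraints(m, 4)))
```

The check at the end is the one worth keeping in a real implementation: the reduced system must have the same closure as the original, otherwise a bug in the reduction silently changes the zone being explored.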
Proof-Checking a Data Link Protocol
Proceedings International Workshop TYPES'93, 1993
Cited by 62 (8 self)
Abstract
A data link protocol developed and used by Philips Electronics is modeled and verified using I/O automata theory. Correctness is computer-checked with the Coq proof development system. Key words: Communication Protocols, I/O Automata, Proof-Checking, Protocol Verification, Type Theory.
1 Introduction
The data-link layer of a telecommunication protocol is verified and proof-checked. The protocol has been designed to communicate messages of arbitrary length over unreliable channels. The messages are transmitted in small packets or frames. The protocol does not rely on fairness of data transmission channels, i.e., repeated transmission of a frame does not guarantee its eventual arrival. For this reason, the number of retransmission attempts is limited and the protocol is called Bounded Retransmission Protocol. Reliable communication protocols are vital to the telecommunication industry. They are also of increasing importance to the electronics business because more and more prod...
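The introduction above states the property that makes the Bounded Retransmission Protocol interesting to verify: channels are not fair, so a bounded number of retransmissions cannot guarantee delivery, and the sender must report failure. The following is an added, simplified executable model, not the I/O-automaton model from the paper: an alternating-bit sender and receiver exchanging frames over channel K and acknowledgements over channel L, with losses scripted by constructed index sets so that runs are deterministic. Frame layout, the retry bound and the OK / NOT_OK / DONT_KNOW outcomes are assumptions of this model.

```python
"""Simplified Bounded Retransmission Protocol (BRP) run with scripted losses.

Assumptions of this added model: each frame carries an alternating bit and a
last-frame flag; the sender retransmits on timeout at most max_retries times;
when retries run out it reports NOT_OK, or DONT_KNOW if the last frame was the
one affected (the frame or only its ack may have been lost). The receiver
reports OK once it holds the whole message and NOT_OK if a transfer that had
started stops early.
"""
OK, NOT_OK, DONT_KNOW = "OK", "NOT_OK", "DONT_KNOW"


def run_brp(chunks, max_retries, drop_k=frozenset(), drop_l=frozenset()):
    """Run one transfer of `chunks`. drop_k / drop_l hold the 0-based indices
    of the transmissions on K (frames) / L (acks) that the channel loses."""
    k_sent = l_sent = 0
    bit = 0                   # sender's alternating bit
    expected_bit = 0          # receiver's alternating bit
    received = []             # chunks handed to the receiver's client
    for idx, chunk in enumerate(chunks):
        last = idx == len(chunks) - 1
        acked = False
        for _attempt in range(max_retries + 1):
            frame_lost = k_sent in drop_k
            k_sent += 1
            if frame_lost:
                continue                    # sender timer expires: resend
            if bit == expected_bit:         # fresh frame: deliver exactly once
                received.append(chunk)
                expected_bit ^= 1
            # a duplicate (bit != expected_bit) is discarded but still acked
            ack_lost = l_sent in drop_l
            l_sent += 1
            if ack_lost:
                continue                    # sender cannot tell this apart from frame loss
            acked = True
            break
        if not acked:
            sender = DONT_KNOW if last else NOT_OK
            if len(received) == len(chunks):
                receiver = OK               # it did get everything; only acks were lost
            elif received:
                receiver = NOT_OK           # started, then the sender gave up
            else:
                receiver = None             # never saw a frame, nothing to report
            return {"sender": sender, "receiver": receiver,
                    "received": received, "frames_sent": k_sent}
        bit ^= 1
    return {"sender": OK, "receiver": OK,
            "received": received, "frames_sent": k_sent}


if __name__ == "__main__":
    # Constructed loss scripts for a three-frame message.
    print(run_brp(["a", "b", "c"], max_retries=2))
    print(run_brp(["a", "b", "c"], max_retries=2, drop_k={0, 1}))
    print(run_brp(["a", "b", "c"], max_retries=2, drop_k={0, 1, 2}))
    # Last frame delivered but every ack lost: receiver OK, sender DONT_KNOW.
    print(run_brp(["a", "b"], max_retries=1, drop_l={1, 2}))
```

The last run is the case a proof has to cover: the two sides legitimately end in different states (receiver has the whole message, sender does not know), and a correctness statement for BRP must allow exactly that combination and no other mismatch.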