Assume-Guarantee Reasoning for Hierarchical Hybrid Systems

The assume-guarantee paradigm is a powerful divide-and-conquer mechanism for decomposing a verification task about a system into subtasks about the individual components of the system. The key to assume-guarantee reasoning is to consider each component not in isolation, but in conjunction with assumptions about the context of the component. Assume-guarantee principles are known for purely concurrent contexts, which constrain the input data of a component, as well as for purely sequential contexts, which constrain the entry configurations of a component. We present a model for hierarchical system design which permits the arbitrary nesting of parallel as well as serial composition, and which supports an assume-guarantee principle for mixed parallel-serial contexts. Our model also supports both discrete and continuous processes, and is therefore well-suited for the modeling and analysis of embedded software systems which interact with real-world environments. Using an example of two cooperating robots, we show refinement between a high-level model which specifies continuous timing constraints and an implementation which relies on discrete sampling.