Modeling, Verification and Testing using Timed and Hybrid Automata

ion. The main idea of this approach is to start with a rough (conservative and often discrete) approximation of a hybrid system and then iteratively refine it. This refinement is often local, in the sense that it uses the previous analysis results to determine where the approximation error is too large to prove the property (see for example [96, 8, 28]). A popular abstraction approach is predicate abstraction, where a conservative abstraction is constructed by mapping the infinite set of states of the hybrid system to a finite set of abstract states using a set of predicates. The property is then verified in the abstract system. If it holds in the abstract system, it also holds in the concrete hybrid system. Otherwise, a counter-example can be generated. If the abstract counter-example corresponds to a concrete trajectory, then the hybrid system does not satisfy the property; otherwise, the abstract counter-example is spurious because the abstraction is too conservative, and the abstraction can then be refined to achieve better precision. In the following, we illustrate this approach by explaining the method using polynomials proposed in [96]. The continuous state space R is partitioned using the signs of a set of polynomials. As an example, an abstract state s defined by the sign of g1(x) corresponds to a (possibly infinite) set c(s) of concrete states. The abstract transition relation over-approximates the concrete one: there is a transition from s to s′ if there exists a trajectory from a concrete state in c(s) to another concrete state in c(s′). More precisely, in this method the set of polynomials is first saturated by adding all the higher-order derivatives of the initial polynomials. Then, by looking at the signs of the polynomials, it is possible to decide whether a trajectory can go from one abstract state to another. For example, consider the case where there are only two polynomials g1 and g2 such that g2 = ġ1.
Suppose that the abstract state s satisfies g1 = 0 and g2 > 0; then g1 becomes positive, and from s we add a transition to the state s′ satisfying g1 > 0. The abstraction can be refined by adding more polynomials. Another abstraction method, in [8], uses linear predicates to partition the continuous state space, so that each concretization c(s) is a convex polyhedron. The abstract transition from s to s′ is determined by computing the reachable set from c(s) and checking whether it reaches c(s′). This is less expensive than the reachability computation on the hybrid system, which requires handling accumulated reachable sets whose geometric complexity grows after successive continuous and discrete evolutions. Box decompositions are also commonly used to define abstract systems, such as in [90, 59]. The abstract system can then be built by exploiting the properties of the system's vector field over such decompositions. The method proposed in [59] makes use of the following special property of multi-affine systems (see footnote 8): the value of a multi-affine function f(x) with x inside some box can be expressed as a linear combination of the values of f at the vertices of the box. Using this, one can determine whether the derivative vector on the boundary of a box points outwards or inwards, in order to over-approximate the reachability between adjacent boxes. While discrete abstractions allow benefiting from the well-developed verification algorithms for discrete systems, they might be too coarse to preserve interesting properties. Timed abstractions can be built by adding bounds on the time the system takes to move from one abstract state to another.

Footnote 8: Multi-affine systems are a particular class of polynomial systems such that, if all the variables xi with i not equal to j are held constant, the derivatives are linear in xj.
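The two-polynomial example above can be turned into a small abstract model checker. The following Python code is an added illustration, not code from the survey or from [96]: it encodes the sign-based transition rules for a saturated set of polynomials in the simplified form described above (a polynomial at zero leaves in the direction of its derivative; a non-zero polynomial can only keep its sign or reach zero, and only when moving towards zero), computes the abstract reachable set by breadth-first search, and returns an abstract counter-example path when a bad abstract state is reached. The representation of derivatives as (index, factor) pairs and the two constructed systems (a harmonic oscillator and an exponential decay) are assumptions made for this example.

```python
"""Sign-based predicate abstraction of a continuous system (added illustration)."""
from collections import deque
from itertools import product

# An abstract state is a tuple of signs (-1, 0, +1), one per polynomial in the
# saturated set g_0, ..., g_{k-1}.  derivs[i] describes the time derivative of g_i:
#   (j, factor)  means  d/dt g_i = factor * g_j  (g_j is in the set: saturation)
#   None         means the derivative is not in the set, so its sign is unknown.
SIGNS = (-1, 0, 1)


def deriv_sign(state, derivs, i):
    """Sign of d/dt g_i in the abstract state, or None if it is unknown."""
    if derivs[i] is None:
        return None
    j, factor = derivs[i]
    return factor * state[j]


def possible_next_signs(cur, dsign):
    """Signs g_i may take in a successor state, given its current sign and the sign
    of its derivative (which is fixed while the trajectory stays in this abstract state)."""
    if cur == 0:
        # On the surface g_i = 0 the derivative decides where the trajectory leaves to.
        return set(SIGNS) if dsign is None else {dsign}
    # cur != 0: by continuity g_i can only keep its sign or hit 0, and it can hit 0
    # only if it is moving towards 0 (or its direction is unknown).
    if dsign is None or dsign * cur < 0:
        return {cur, 0}
    return {cur}


def abstract_successors(state, derivs):
    """Over-approximate set of abstract states reachable from `state` in one step."""
    choices = [possible_next_signs(state[i], deriv_sign(state, derivs, i))
               for i in range(len(state))]
    return {s for s in product(*choices) if s != state}


def abstract_reach(init, derivs, is_bad):
    """Breadth-first search of the abstract transition system.

    Returns (explored_states, counterexample).  The counterexample is the abstract
    path from an initial state to the first bad state found, or None when no bad
    abstract state is reachable; in that case the explored set is the full abstract
    reachable set and the property also holds for the concrete system (soundness).
    A returned path is only a candidate: it must be checked against the concrete
    dynamics, and if it is spurious the polynomial set is refined."""
    parent = {s: None for s in init}
    queue = deque(init)
    while queue:
        s = queue.popleft()
        if is_bad(s):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return set(parent), path[::-1]
        for t in abstract_successors(s, derivs):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return set(parent), None


# Constructed system 1: harmonic oscillator x' = y, y' = -x with g_0 = x, g_1 = y.
# The set is saturated: d/dt g_0 = g_1 and d/dt g_1 = -g_0.
OSCILLATOR = [(1, +1), (0, -1)]

# Constructed system 2: x' = -x with g_0 = x; d/dt g_0 = -g_0.
DECAY = [(0, -1)]


def oscillator_never_at_origin():
    """From x > 0, y = 0 the abstract system never reaches x = y = 0 (property proved)."""
    return abstract_reach({(1, 0)}, OSCILLATOR, lambda s: s == (0, 0))


def oscillator_reaches_negative_x():
    """The abstraction also finds a (genuine) path to the state x < 0, y = 0."""
    return abstract_reach({(1, 0)}, OSCILLATOR, lambda s: s == (-1, 0))


def decay_stays_nonnegative():
    """x' = -x started at x > 0 never becomes negative (property proved)."""
    return abstract_reach({(1,)}, DECAY, lambda s: s[0] < 0)


if __name__ == "__main__":
    reach, cex = oscillator_never_at_origin()
    print("oscillator: reachable", sorted(reach), "counterexample", cex)
    print("oscillator: path to x<0,y=0:", oscillator_reaches_negative_x()[1])
    print("decay: reachable, counterexample:", decay_stays_nonnegative())
```

For the oscillator the saturated pair {x, y} is already exact: the abstract system is the 8-state cycle of sign quadrants and axes, so the unsafe state (0, 0) is shown unreachable without any refinement, while the path to x < 0, y = 0 it reports is a real trajectory, not a spurious one.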
A generalization of this idea is called hybridization [12]; it involves approximating a complex system with a simpler system for which more efficient analysis tools are available. To this end, using a partition of the state space, one approximates the system's dynamics locally, in each region, by simpler dynamics. Globally, the dynamics changes when moving from one region to another, so the resulting approximate system behaves like a hybrid system; this approximation process is therefore called hybridization. The resulting system is then used to yield approximate analysis results for the original system. The usefulness of this approach (in terms of accuracy and computational tractability) depends on the choice of the approximate system. For example, the hybridization methods using piecewise affine approximate systems proposed in [12] allow approximating a nonlinear system with a good convergence rate while, additionally, preserving the attractors of the original system. In addition, the resulting approximate systems can be handled by the existing tools for piecewise affine systems (presented earlier in this section).

1.4 Partial verification

Exhaustive verification is desirable since, if it succeeds, it guarantees that a model satisfies a property. But exhaustive verification has its limitations, as we have seen: state explosion or even undecidability. In fact, state explosion is a phenomenon that is also prevalent in the exhaustive verification of much simpler, finite-state models. This phenomenon has so far hindered a wider adoption of exhaustive verification in industrial applications, because the size of the problems tackled there is far too big to treat exhaustively. Instead, practitioners use simulation as their main verification tool (the term "verification" usually denotes simulation-based verification in industrial jargon, whereas "formal verification" is used to denote exhaustive verification). Even though simulation cannot prove that a
property is satisfied, it can certainly reveal cases where it is not satisfied, that is, potential bugs in the real system, its model, or its specification. An advantage of simulation is that it has some time-scalability properties: running 200 simulations is better (i.e., likely to discover more bugs) than running 100 simulations, and running longer simulations is also better. Moreover, if 100 simulations can be run in one day, say, then in two days we can most likely run 200 simulations. In contrast, most exhaustive verification tools suffer from a "hitting the wall" type of problem. Once they exhaust the main memory of the computer they run on, they start using disk space, which involves a lot of swapping on the OS side. Disk swapping takes virtually all the processing time, bringing verification to a halt. This means that the number of new states explored per unit of time drops to practically zero, as illustrated in Figure 1.14. Usually this wall is hit after relatively little time, on the order of minutes. Then, running the tool for many hours will not improve the number of states explored compared to running it for ten minutes. This is not time-scalable.
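Returning to the hybridization approach described at the end of Section 1.3: the following Python code is an added illustration, not code from the survey or from [12]. It partitions the state space of a constructed one-dimensional nonlinear system x' = x - x^3 into cells, replaces the dynamics in each cell by the affine interpolant through the cell endpoints, and attaches a guaranteed error bound (the standard linear-interpolation bound h^2/8 times a bound on |f''|) so that the original vector field is contained in the resulting piecewise affine differential inclusion. The function f, its second-derivative bound, the domain [-2, 2] and the cell counts are assumptions made for this example.

```python
"""Hybridization of a 1-D nonlinear system by piecewise affine dynamics (added illustration)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


def f(x: float) -> float:
    # Constructed nonlinear dynamics x' = x - x^3 (stable equilibria at x = -1 and x = 1).
    return x - x ** 3


def f_second_derivative_bound(lo: float, hi: float) -> float:
    # |f''(x)| = |6x| <= 6 * max(|lo|, |hi|) for every x in the cell [lo, hi].
    return 6.0 * max(abs(lo), abs(hi))


@dataclass
class AffineCell:
    """One region of the partition with its affine approximation a*x + b and an error
    bound eps such that |f(x) - (a*x + b)| <= eps for every x in [lo, hi]."""
    lo: float
    hi: float
    a: float
    b: float
    eps: float

    def rhs_interval(self, x: float) -> Tuple[float, float]:
        """Derivatives allowed at x by the approximate system: the affine value
        enlarged by the error bound, i.e. the inclusion x' in [c - eps, c + eps]."""
        c = self.a * x + self.b
        return (c - self.eps, c + self.eps)


def hybridize(lo: float, hi: float, n_cells: int,
              field: Callable[[float], float],
              d2_bound: Callable[[float, float], float]) -> List[AffineCell]:
    """Split [lo, hi] into n_cells equal cells; in each, interpolate `field` linearly at
    the cell endpoints and bound the interpolation error by h^2/8 * max|f''|.  The
    bound shrinks quadratically with the cell width h."""
    h = (hi - lo) / n_cells
    cells = []
    for k in range(n_cells):
        a0, a1 = lo + k * h, lo + (k + 1) * h
        slope = (field(a1) - field(a0)) / h
        intercept = field(a0) - slope * a0
        eps = h * h / 8.0 * d2_bound(a0, a1)
        cells.append(AffineCell(a0, a1, slope, intercept, eps))
    return cells


def cell_for(cells: List[AffineCell], x: float) -> AffineCell:
    for c in cells:
        if c.lo <= x <= c.hi:
            return c
    raise ValueError(f"{x} lies outside the hybridized domain")


def inclusion_contains_f(cells: List[AffineCell], field: Callable[[float], float],
                         samples: int = 4001) -> bool:
    """Soundness check by sampling: the true derivative lies in the interval allowed by
    the approximate system, so every trajectory of the original system is also a
    trajectory of the piecewise affine inclusion."""
    lo, hi = cells[0].lo, cells[-1].hi
    for i in range(samples):
        x = lo + (hi - lo) * i / (samples - 1)
        low, high = cell_for(cells, x).rhs_interval(x)
        if not (low - 1e-12 <= field(x) <= high + 1e-12):
            return False
    return True


def max_error_bound(cells: List[AffineCell]) -> float:
    """Worst-case approximation error over the whole partition."""
    return max(c.eps for c in cells)


if __name__ == "__main__":
    coarse = hybridize(-2.0, 2.0, 8, f, f_second_derivative_bound)
    fine = hybridize(-2.0, 2.0, 16, f, f_second_derivative_bound)
    print("8 cells:  max eps", max_error_bound(coarse), "sound", inclusion_contains_f(coarse, f))
    print("16 cells: max eps", max_error_bound(fine), "sound", inclusion_contains_f(fine, f))
```

Halving the cell width divides the error bound by four, which is the quadratic convergence rate of the affine interpolant; the interpolation is exact at the cell endpoints, so with the chosen grid the equilibria at x = -1 and x = 1 are equilibria of the approximate system as well.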

[1] Wang Yi et al. Uppaal in a nutshell, 1997, International Journal on Software Tools for Technology Transfer.

[2] Vijay Kumar et al. Sampling-based Algorithm for Testing and Validating Robot Controllers, 2006, Int. J. Robotics Res.

[3] Pravin Varaiya et al. Ellipsoidal Techniques for Reachability Analysis, 2000, HSCC.

[4] Patricia Bouyer et al. Forward Analysis of Updatable Timed Automata, 2004, Formal Methods Syst. Des.

[5] Olaf Stursberg et al. On Systematic Simulation of Open Continuous Systems, 2003, HSCC.

[6] P. Varaiya et al. Ellipsoidal Toolbox (ET), 2006, Proceedings of the 45th IEEE Conference on Decision and Control.

[7] Sriram Sankaranarayanan et al. Symbolic Model Checking of Hybrid Systems Using Template Polyhedra, 2008, TACAS.

[8] Radu Grosu et al. Deep Random Search for Efficient Model Checking of Timed Automata, 2006, Monterey Workshop.

[9] Gerard J. Holzmann et al. An Analysis of Bitstate Hashing, 1995, Formal Methods Syst. Des.

[10] Jean-Marc Vincent et al. Resource-Aware Verification Using Randomized Exploration of Large State Spaces, 2008, SPIN.

[11] Steven M. LaValle et al. Planning algorithms, 2006.

[12] Adnan Aziz et al. Constraint-based verification, 2006.

[13] Alan J. Hu. Distance-Guided Hybrid Verification with GUIDO, 2006, 2006 IEEE International High Level Design Validation and Test Workshop.

[14] Eugene Asarin et al. The d/dt Tool for Verification of Hybrid Systems, 2002, CAV.

[15] Jan Tretmans et al. Testing Concurrent Systems: A Formal Approach, 1999, CONCUR.

[16] Andreas Kuehlmann et al. Stimulus generation for constrained random simulation, 2007, 2007 IEEE/ACM International Conference on Computer-Aided Design.

[17] Michael S. Branicky et al. Sampling-Based Reachability Algorithms for Control and Verification of Complex Systems, 2005.

[18] Alexandre M. Bayen et al. Computational techniques for the verification of hybrid systems, 2003, Proc. IEEE.

[19] Karlis Cerans et al. Deciding Reachability for Planar Multi-polynomial Systems, 1996, Hybrid Systems.

[20] Rajeev Alur et al. Counterexample-guided predicate abstraction of hybrid systems, 2006, Theor. Comput. Sci.

[21] Stavros Tripakis et al. Model Checking of Real-Time Reachability Properties Using Abstractions, 1998, TACAS.

[22] Rajeev Alur et al. Counterexample-guided predicate abstraction of hybrid systems, 2003, Theor. Comput. Sci.

[23] Pravin Varaiya et al. Decidability of Hybrid Systems with Rectangular Differential Inclusion, 1994, CAV.

[24] Joseph Sifakis et al. Compositional Specification of Timed Systems (Extended Abstract), 1996, STACS.

[25] Patricia Bouyer et al. Are Timed Automata Updatable?, 2000, CAV.

[26] Thomas A. Henzinger et al. The Algorithmic Analysis of Hybrid Systems, 1995, Theor. Comput. Sci.

[27] A. Tiwari. Formal Semantics and Analysis Methods for Simulink Stateflow Models, 2001.

[28] Vijay Kumar et al. Adaptive RRTs for Validating Hybrid Robotic Control Systems, 2004, WAFR.

[29] Dragan Bošnački et al. Digitization of Timed Automata, 1999.

[30] Sasan Iman et al. The e Hardware Verification Language, 2004, Springer US.

[31] Calin Belta et al. Reachability analysis of multi-affine systems, 2006, HSCC.

[32] Thao Dang. Model-Based Testing of Hybrid Systems, 2011, Model-Based Testing for Embedded Systems.

[33] Ali Jadbabaie et al. Safety Verification of Hybrid Systems Using Barrier Certificates, 2004, HSCC.

[34] Christos H. Papadimitriou et al. On the Random Walk Method for Protocol Testing, 1994, CAV.

[35] David L. Dill et al. Timing Assumptions and Verification of Finite-State Concurrent Systems, 1989, Automatic Verification Methods for Finite State Systems.

[36] Lydia E. Kavraki et al. Hybrid Systems: From Verification to Falsification, 2007, CAV.

[37] Koushik Sen et al. DART: directed automated random testing, 2005, PLDI '05.

[38] Thierry Jéron et al. Using On-The-Fly Verification Techniques for the Generation of Test Suites, 1996, CAV.

[39] Antoine Girard et al. Efficient Computation of Reachable Sets of Linear Time-Invariant Systems with Inputs, 2006, HSCC.

[40] Stavros Tripakis et al. Extending Promela and Spin for Real Time, 1996, TACAS.

[41] Insup Lee et al. Robust Test Generation and Coverage for Hybrid Systems, 2007, HSCC.

[42] Bruce H. Krogh et al. Verification of Polyhedral-Invariant Hybrid Automata Using Polygonal Flow Pipe Approximations, 1999, HSCC.

[43] Amir Pnueli et al. Reachability Analysis of Planar Multi-linear Systems, 1993, CAV.

[44] Amir Pnueli et al. Orthogonal Polyhedra: Representation and Computation, 1999, HSCC.

[45] David Lee et al. Principles and methods of testing finite state machines: a survey, 1996, Proc. IEEE.

[46] Peter J. Seiler et al. SOSTOOLS: Sum of squares optimization toolbox for MATLAB, 2002.

[47] Joseph Sifakis et al. Modeling Urgency in Timed Systems, 1997, COMPOS.

[48] S. Sastry et al. On the existence of executions of hybrid automata, 1999, Proceedings of the 38th IEEE Conference on Decision and Control (Cat. No.99CH36304).

[49] Steven M. LaValle et al. RRT-connect: An efficient approach to single-query path planning, 2000, Proceedings 2000 ICRA. Millennium Conference. IEEE International Conference on Robotics and Automation. Symposia Proceedings (Cat. No.00CH37065).

[50] Antoine Girard et al. Verification Using Simulation, 2006, HSCC.

[51] Thomas A. Henzinger et al. What Good Are Digital Clocks?, 1992, ICALP.

[52] Thierry Jéron et al. Bounded-memory Algorithms for Verification On-the-fly, 1991, CAV.

[53] Olaf Stursberg et al. Efficient Representation and Computation of Reachable Sets for Hybrid Systems, 2003, HSCC.

[54] William W. L. Chen. On irregularities of distribution, 1980.

[55] Tarik Nahhal et al. Test Coverage for Continuous and Hybrid Systems, 2007, CAV.

[56] Ian M. Mitchell et al. Reachability Analysis Using Polygonal Projections, 1999, HSCC.

[57] Stavros Tripakis et al. State Identification Problems for Timed Automata, 2005, TestCom.

[58] Johannes Schumacher et al. An Introduction to Hybrid Dynamical Systems, Springer Lecture Notes in Control and Information Sciences 251, 1999.

[59] Antoine Girard et al. Hybridization methods for the analysis of nonlinear systems, 2007, Acta Informatica.

[60] Vijay Kumar et al. Hierarchical modeling and analysis of embedded systems, 2003, Proc. IEEE.

[61] Alberto Bemporad et al. HYSDEL: a tool for generating computational hybrid models for analysis and synthesis problems, 2004, IEEE Transactions on Control Systems Technology.

[62] Stavros Tripakis et al. The Tool KRONOS, 1996, Hybrid Systems.

[63] Gerard J. Holzmann et al. The SPIN Model Checker, 2003.

[64] Anuj Puri. Dynamical Properties of Timed Automata, 2000, Discret. Event Dyn. Syst.

[65] Mato Baotic et al. Multi-Parametric Toolbox (MPT), 2004, HSCC.

[66] Rajeev Alur et al. A Theory of Timed Automata, 1994, Theor. Comput. Sci.

[67] Hong Zhu et al. Software unit test coverage and adequacy, 1997, ACM Comput. Surv.

[68] Thao Dang. A Reachability-Based Technique for Idle Speed Control Synthesis, 2005, Int. J. Softw. Eng. Knowl. Eng.

[69] Ashish Tiwari et al. Nonlinear Systems: Approximating Reach Sets, 2004, HSCC.

[70] Rajeev Alur et al. Minimization of Timed Transition Systems, 1992, CONCUR.

[71] Stavros Tripakis et al. Conformance testing for real-time systems, 2009, Formal Methods Syst. Des.

[72] Jean-François Raskin et al. Almost ASAP semantics: from timed models to timed implementations, 2005, Formal Aspects of Computing.

[73] Steven M. LaValle et al. Rapidly-Exploring Random Trees: Progress and Prospects, 2000.

[74] Insup Lee et al. Model-based testing and monitoring for hybrid embedded systems, 2004, Proceedings of the 2004 IEEE International Conference on Information Reuse and Integration, IRI 2004.

[75] Robert K. Brayton et al. Probabilistic state space search, 1999, 1999 IEEE/ACM International Conference on Computer-Aided Design. Digest of Technical Papers (Cat. No.99CH37051).

[76] Gerardo Lafferriere et al. A New Class of Decidable Hybrid Systems, 1999, HSCC.

[77] Stavros Tripakis et al. Checking timed Büchi automata emptiness on simulation graphs, 2009, TOCL.

[78] Stavros Tripakis et al. Folk Theorems on the Determinization and Minimization of Timed Automata, 2003, FORMATS.

[79] Joël Ouaknine et al. Abstraction and Counterexample-Guided Refinement in Model Checking of Hybrid Systems, 2003, Int. J. Found. Comput. Sci.

[80] Pravin Varaiya et al. What's decidable about hybrid automata?, 1995, STOC '95.

[81] Thomas A. Henzinger et al. Hybrid Automata: An Algorithmic Approach to the Specification and Verification of Hybrid Systems, 1992, Hybrid Systems.

[82] Stavros Tripakis et al. Analysis of Timed Systems Using Time-Abstracting Bisimulations, 2001, Formal Methods Syst. Des.

[83] Rob A. Rutenbar et al. Time Domain Verification of Oscillator Circuit Properties, 2006, Electron. Notes Theor. Comput. Sci.

[84] Stavros Tripakis et al. Real-Time Testing with Timed Automata Testers and Coverage Criteria, 2004, FORMATS/FTRTFT.

[85] Stavros Tripakis et al. Conformance testing for real-time systems, 2004, SPIN.

[86] Stavros Tripakis et al. Fault Diagnosis for Timed Automata, 2002, FTRTFT.

[87] Oded Maler et al. Systematic Simulation Using Sensitivity Analysis, 2007, HSCC.

[88] S. Tripakis. What is Resource-Aware Verification?, 2008.

[89] Stavros Tripakis et al. Verification of Hybrid Systems with Linear Differential Inclusions Using Ellipsoidal Approximations, 2000, HSCC.

[90] Oded Maler et al. Reachability Analysis via Face Lifting, 1998, HSCC.

[91] Antoine Girard et al. Zonotope/Hyperplane Intersection for Hybrid Systems Reachability Analysis, 2008, HSCC.

[92] Tarik Nahhal et al. Using Disparity to Enhance Test Generation for Hybrid Systems, 2008, TestCom/FATES.

[93] Stavros Tripakis et al. Implementation of Timed Automata: An Issue of Semantics or Modeling?, 2005, FORMATS.

[94] Hirokazu Anai et al. Reach Set Computations Using Real Quantifier Elimination, 2001, HSCC.

[95] Rajeev Alur et al. Timed Automata, 1999, CAV.

[96] Antoine Girard et al. Reachability of Uncertain Linear Systems Using Zonotopes, 2005, HSCC.

[97] Eugene Asarin et al. Widening the Boundary between Decidable and Undecidable Hybrid Systems, 2002, CONCUR.

[98] Emilio Frazzoli et al. Incremental Search Methods for Reachability Analysis of Continuous and Hybrid Systems, 2004, HSCC.

[99] Olivier Bournez et al. Approximate Reachability Analysis of Piecewise-Linear Dynamical Systems, 2000, HSCC.

[100] Joël Ouaknine et al. Revisiting digitization, robustness, and decidability for timed automata, 2003, 18th Annual IEEE Symposium on Logic in Computer Science, Proceedings.

[101] Robert E. Tarjan et al. Three Partition Refinement Algorithms, 1987, SIAM J. Comput.

[102] Stefan Ratschan et al. Safety verification of hybrid systems by constraint propagation-based abstraction refinement, 2007, TECS.

[103] Ian M. Mitchell et al. A Toolbox of Hamilton-Jacobi Solvers for Analysis of Nondeterministic Continuous and Hybrid Systems, 2005, HSCC.

[104] Joseph Sifakis et al. An Approach to the Description and Analysis of Hybrid Systems, 1992, Hybrid Systems.

[105] David Lee et al. An Efficient Algorithm for Minimizing Real-Time Transition Systems, 1997, Formal Methods Syst. Des.

[106] Thomas A. Henzinger et al. HYTECH: a model checker for hybrid systems, 1997, International Journal on Software Tools for Technology Transfer.

[107] Conclusions, 1989.

[108] Satoshi Yamane et al. The symbolic model-checking for real-time systems, 1996, Proceedings of the Eighth Euromicro Workshop on Real-Time Systems.

[109] Bernard Berthomieu et al. An Enumerative Approach for Analyzing Time Petri Nets, 1983, IFIP Congress.

[110] Stavros Tripakis et al. Efficient Verification of Timed Automata Using Dense and Discrete Time Semantics, 1999, CHARME.

[111] Ivana Černá et al. Enhancing random walk state space exploration, 2005, FMICS '05.