Results 1  10
of
121
A theory of timed automata
, 1999
"... Model checking is emerging as a practical tool for automated debugging of complex reactive systems such as embedded controllers and network protocols (see [23] for a survey). Traditional techniques for model checking do not admit an explicit modeling of time, and are thus, unsuitable for analysis of ..."
Abstract

Cited by 2659 (32 self)
 Add to MetaCart
(Show Context)
Model checking is emerging as a practical tool for automated debugging of complex reactive systems such as embedded controllers and network protocols (see [23] for a survey). Traditional techniques for model checking do not admit an explicit modeling of time, and are thus, unsuitable for analysis of realtime systems whose correctness depends on relative magnitudes of different delays. Consequently, timed automata [7] were introduced as a formal notation to model the behavior of realtime systems. Its definition provides a simple way to annotate statetransition graphs with timing constraints using finitely many realvalued clock variables. Automated analysis of timed automata relies on the construction of a finite quotient of the infinite space of clock valuations. Over the years, the formalism has been extensively studied leading to many results establishing connections to circuits and logic, and much progress has been made in developing verification algorithms, heuristics, and tools. This paper provides a survey of the theory of timed automata, and their role in specification and verification of realtime systems.
The Theory of Hybrid Automata
, 1996
"... A hybrid automaton is a formal model for a mixed discretecontinuous system. We classify hybrid automata acoording to what questions about their behavior can be answered algorithmically. The classification reveals structure on mixed discretecontinuous state spaces that was previously studied on pur ..."
Abstract

Cited by 680 (13 self)
 Add to MetaCart
A hybrid automaton is a formal model for a mixed discretecontinuous system. We classify hybrid automata acoording to what questions about their behavior can be answered algorithmically. The classification reveals structure on mixed discretecontinuous state spaces that was previously studied on purely discrete state spaces only. In particular, various classes of hybrid automata induce finitary trace equivalence (or similarity, or bisimilarity) relations on an uncountable state space, thus permitting the application of various modelchecking techniques that were originally developed for finitestate systems.
PHAVer: Algorithmic verification of hybrid systems past HyTech
, 2005
"... Abstract. In 1995, HyTech broke new ground as a potentially powerful tool for verifying hybrid systems – yet it has remained severely limited in its applicability to more complex systems. We address the main problems of HyTech with PHAVer, a new tool for the exact verification of safety properties o ..."
Abstract

Cited by 209 (8 self)
 Add to MetaCart
(Show Context)
Abstract. In 1995, HyTech broke new ground as a potentially powerful tool for verifying hybrid systems – yet it has remained severely limited in its applicability to more complex systems. We address the main problems of HyTech with PHAVer, a new tool for the exact verification of safety properties of hybrid systems with piecewise constant bounds on the derivatives. Affine dynamics are handled by onthefly overapproximation and by partitioning the state space based on userdefinable constraints and the dynamics of the system. PHAVer’s exact arithmetic is robust due to the use of the Parma Polyhedra Library, which supports arbitrarily large numbers. To manage the complexity of the polyhedral computations, we propose methods to conservatively limit the number of bits and constraints of polyhedra. Experimental results for a navigation benchmark and a tunnel diode circuit show the effectiveness of the approach. 1
Boolean and Cartesian Abstraction for Model Checking C Programs
, 2001
"... The problem of model checking a specification in form of a C program with recursive procedures and many thousands of lines of code has not been addressed before. In this paper, we show how we attack this problem using an abstraction that is formalized with the Cartesian abstraction. It is implemente ..."
Abstract

Cited by 200 (15 self)
 Add to MetaCart
The problem of model checking a specification in form of a C program with recursive procedures and many thousands of lines of code has not been addressed before. In this paper, we show how we attack this problem using an abstraction that is formalized with the Cartesian abstraction. It is implemented through a sourcetosource transformation into a `Boolean' C program; we give an algorithm to compute the transformation with a cost that is exponential in its theoretical worstcase complexity but feasible in practice.
Computing Simulations on Finite and Infinite Graphs
, 1996
"... . We present algorithms for computing similarity relations of labeled graphs. Similarity relations have applications for the refinement and verification of reactive systems. For finite graphs, we present an O(mn) algorithm for computing the similarity relation of a graph with n vertices and m edges ..."
Abstract

Cited by 186 (6 self)
 Add to MetaCart
(Show Context)
. We present algorithms for computing similarity relations of labeled graphs. Similarity relations have applications for the refinement and verification of reactive systems. For finite graphs, we present an O(mn) algorithm for computing the similarity relation of a graph with n vertices and m edges (assuming m n). For effectively presented infinite graphs, we present a symbolic similaritychecking procedure that terminates if a finite similarity relation exists. We show that 2D rectangular automata, which model discrete reactive systems with continuous environments, define effectively presented infinite graphs with finite similarity relations. It follows that the refinement problem and the 8CTL modelchecking problem are decidable for 2D rectangular automata. 1 Introduction A labeled graph G = (V; E;A; hh\Deltaii) consist of a (possibly infinite) set V of vertices, a set E ` V 2 of edges, a set A of labels, and a function hh\Deltaii : V ! A that maps each vertex v to a label hh...
Algorithmic analysis of nonlinear hybrid systems
 in Proc. CAV 95: Computeraided Verification, Lecture Notes in Computer Science
, 1995
"... Abstract—Hybrid systems are digital realtime systems that are embedded in analog environments. Modelchecking tools are available for the automatic analysis of linear hybrid automata, whose environment variables are subject to piecewiseconstant polyhedral differential inclusions. In most embedded ..."
Abstract

Cited by 136 (13 self)
 Add to MetaCart
(Show Context)
Abstract—Hybrid systems are digital realtime systems that are embedded in analog environments. Modelchecking tools are available for the automatic analysis of linear hybrid automata, whose environment variables are subject to piecewiseconstant polyhedral differential inclusions. In most embedded systems, however, the environment variables have differential inclusions that vary with the values of the variables, e.g., _x = x. Such inclusions are prohibited in the linear hybrid automaton model. We present two methods for translating nonlinear hybrid systems into linear hybrid automata. Properties of the nonlinear systems can then be inferred from the automatic analysis of the translated linear hybrid automata. The first method, called clock translation, replaces constraints on nonlinear variables by constraints on clock variables. The clock translation is efficient but has limited applicability. The second method, called linear phaseportrait approximation, conservatively overapproximates the phase portrait of a hybrid automaton using piecewiseconstant polyhedral differential inclusions. Both methods are sound for safety properties; that is, if we establish a safety property of the translated linear system, we may conclude that the original nonlinear system satisfies the property. When applicable, the clock translation is also complete for safety properties; that is, the original system and the translated system satisfy the same safety properties. The phaseportrait approximation method is not complete for safety properties, but it is asymptotically complete; intuitively, for every safety property, and for every relaxed nonlinear system arbitrarily close to the original, if the relaxed system satisfies the safety property, then there is a linear phaseportrait approximation that also satisfies the property. We illustrate both methods by using HYTECH—a symbolic model checker for linear hybrid automata—to automatically check properties of a nonlinear temperature controller and of a predator–prey ecology. Index Terms — Clock translation, formal verification, hybrid systems, HYTECH, linear hybrid automata, model checking, phaseportrait approximation, predator–prey ecologies.
Model Checking of RealTime Reachability Properties Using Abstractions
, 1998
"... . Practical realtime model checking suffers from the stateexplosion problem: the size of the state space grows exponentially with many system parameters: number of clocks, size of constants, number of system components. To cope with state explosion, we propose to use abstractions reducing the sta ..."
Abstract

Cited by 88 (10 self)
 Add to MetaCart
(Show Context)
. Practical realtime model checking suffers from the stateexplosion problem: the size of the state space grows exponentially with many system parameters: number of clocks, size of constants, number of system components. To cope with state explosion, we propose to use abstractions reducing the statespace while preserving reachability properties. Four exact , plus one safe abstractions are defined. In the main abstraction (simulation) a concrete state is mapped to a symbolic abstract state (a set of concrete states). The other four abstractions are defined on top of the simulation one. They can be computed onthefly in a completely orthogonal manner and thus can be combined to yield better reductions. A prototype implementation in the tool Kronos has permitted to verify two benchmark examples with a significant scaleup in size. 1 Introduction Model checking is an approach commonly used for the automatic verification of reachability properties. Given a system and a property p, reac...
Modularity for Timed and Hybrid Systems
, 1997
"... In a tracebased world, the modular specification, verification, and control of live systems require each module to be receptive; that is, each module must be able to meet its liveness assumptions no matter how the other modules behave. In a realtime world, liveness is automatically present in ..."
Abstract

Cited by 82 (18 self)
 Add to MetaCart
(Show Context)
In a tracebased world, the modular specification, verification, and control of live systems require each module to be receptive; that is, each module must be able to meet its liveness assumptions no matter how the other modules behave. In a realtime world, liveness is automatically present in the form of diverging time. The receptiveness condition, then, translates to the requirement that a module must be able to let time diverge no matter how the environment behaves. We study the receptiveness condition for realtime systems by extending the model of reactive modules to timed and hybrid modules. We define the receptiveness of such a module as the existence of a winning strategy in a game of the module against its environment. By solving the game on region graphs, we present an (optimal) Exptime algorithm for checking the receptiveness of propositional timed modules. By giving a fixpoint characterization of the game, we present a symbolic procedure for checking the re...
A brief history of process algebra
 Theor. Comput. Sci
, 2004
"... Abstract. This note addresses the history of process algebra as an area of research in concurrency theory, the theory of parallel and distributed systems in computer science. Origins are traced back to the early seventies of the twentieth century, and developments since that time are sketched. The a ..."
Abstract

Cited by 82 (1 self)
 Add to MetaCart
(Show Context)
Abstract. This note addresses the history of process algebra as an area of research in concurrency theory, the theory of parallel and distributed systems in computer science. Origins are traced back to the early seventies of the twentieth century, and developments since that time are sketched. The author gives his personal views on these matters. He also considers the present situation, and states some challenges for the future.
Hierarchical Modeling and Analysis of Embedded Systems
, 2003
"... This paper describes the modeling language CHARON for modular design of interacting hybrid systems. The language allows specification of architectural as well as behavioral hierarchy and discrete as well as continuous activities. The modular structure of the language is not merely syntactic, but is ..."
Abstract

Cited by 79 (26 self)
 Add to MetaCart
(Show Context)
This paper describes the modeling language CHARON for modular design of interacting hybrid systems. The language allows specification of architectural as well as behavioral hierarchy and discrete as well as continuous activities. The modular structure of the language is not merely syntactic, but is exploited by analysis tools and is supported by a formal semantics with an accompanying compositional theory of refinement. We illustrate the benefits of CHARON in the design of embedded control software using examples from automated highways concerning vehicle coordination