Results 1-10 of 13
TAME: Using PVS strategies for special-purpose theorem proving
 Annals of Mathematics and Artificial Intelligence
, 2000
Cited by 49 (14 self)
TAME (Timed Automata Modeling Environment), an interface to the theorem proving system PVS, is designed for proving properties of three classes of automata: I/O automata, Lynch-Vaandrager timed automata, and SCR automata. TAME provides templates for specifying these automata, a set of auxiliary theories, and a set of specialized PVS strategies that rely on these theories and on the structure of automata specifications using the templates. Use of the TAME strategies simplifies the process of proving automaton properties, particularly state and transition invariants. TAME provides two types of strategies: strategies for "automatic" proof and strategies designed to implement "natural" proof steps, i.e., proof steps that mimic the high-level steps in typical natural language proofs. TAME's "natural" proof steps can be used both to mechanically check hand proofs in a straightforward way and to create proof scripts that can be understood without executing them in the PVS proof checker. Several new PVS features can be used to obtain better control and efficiency in user-defined strategies such as those used in TAME. This paper describes the TAME strategies, their use, and how their implementation exploits the structure of specifications and various PVS features. It also describes several features, currently unsupported in PVS, that would either allow additional "natural" proof steps in TAME or allow existing TAME proof steps to be improved. Lessons learned from TAME relevant to the development of similar specialized interfaces to PVS or other theorem provers are discussed.
Timed I/O Automata: A Mathematical Framework for Modeling and Analyzing Real-Time Systems
 In RTSS 2003: The 24th IEEE International Real-Time Systems Symposium, Cancun, Mexico
, 2003
Cited by 39 (8 self)
We describe the Timed Input/Output Automata (TIOA) framework, a general mathematical framework for modeling and analyzing real-time systems. It is based on timed I/O automata, which engage in both discrete transitions and continuous trajectories. The framework includes a notion of external behavior, and notions of composition and abstraction. We define safety and liveness properties for timed I/O automata, and a notion of receptiveness, and prove basic results about all of these notions. The TIOA framework is defined as a special case of the new Hybrid I/O Automata (HIOA) modeling framework for hybrid systems. Specifically, a TIOA is an HIOA with no external variables; thus, TIOAs communicate via shared discrete actions only, and do not interact continuously. This restriction is consistent with previous real-time system models, and gives rise to some simplifications in the theory (compared to HIOA). The resulting model is expressive enough to describe complex timing behavior, and to express the important ideas of previous timed automata frameworks.
The IOA Language and Toolset: Support for Designing, Analyzing, and Building Distributed Systems
, 1998
Hybrid I/O Automata Revisited
 Proceedings Fourth International Workshop on Hybrid Systems: Computation and Control (HSCC'01)
, 2001
Cited by 28 (3 self)
In earlier work, we developed a mathematical hybrid I/O automaton (HIOA) modeling...
Safety Verification for Automated Platoon Maneuvers: A Case Study
 Proceedings International Workshop on Hybrid and Real-Time Systems (HART'97)
Cited by 22 (6 self)
A system consisting of two platoons of vehicles on a single track, plus controllers that operate the vehicles, plus communication channels, is modeled formally, using the hybrid input/output automaton model of Lynch, Segala, Vaandrager and Weinberg [7]. A key safety requirement of such a system is formulated, namely, that the two platoons never collide at a relative velocity greater than a given bound v_allow. Conditions on the controller of the second platoon are given, designed to ensure the safety requirement regardless of the behavior of the first platoon. The fact that these conditions suffice to ensure safety is proved. It is also proved that these conditions are "optimal", in that any controller that does not satisfy them can cause the safety requirement to be violated. The model includes handling of communication delays and uncertainty. The proofs use composition, invariants, levels of abstraction, together with methods of mathematical analysis. This case study...
Proving Safety Properties of the Steam Boiler Controller
Cited by 10 (0 self)
In this paper we model a hybrid system consisting of a continuous steam boiler and a discrete controller. Our model uses the Lynch-Vaandrager Timed Automata model to show formally that certain safety requirements can be guaranteed under the described assumptions and failure model. We prove incrementally that a simple controller model and a controller model tolerating sensor faults preserve the required safety conditions. The specification of the steam boiler and the failure model follow the specification problem for participants of the Dagstuhl Meeting "Methods for Semantics and Specification."
Verifying average dwell time of hybrid systems.
 ACM Trans. Embed. Comput. Syst.
, 2008
Cited by 6 (3 self)
Average dwell time (ADT) properties characterize the rate at which a hybrid system performs mode switches. In this article, we present a set of techniques for verifying ADT properties. The stability of a hybrid system A can be verified by combining these techniques with standard methods for checking stability of the individual modes of A. We introduce a new type of simulation relation for hybrid automata, switching simulation, for establishing that a given automaton A switches more rapidly than another automaton B. We show that the question of whether a given hybrid automaton has ADT τ_a can be answered either by checking an invariant or by solving an optimization problem. For classes of hybrid automata for which invariants can be checked automatically, the invariant-based method yields an automatic method for verifying ADT; for automata that are outside this class, the invariant has to be checked using inductive techniques. The optimization-based method is automatic and is applicable to a restricted class of initialized hybrid automata. A solution of the optimization problem either gives a counterexample execution that violates the ADT property, or it confirms that the automaton indeed satisfies the property. The optimization and the invariant-based methods can be used in combination to find the unknown ADT of a given hybrid automaton.
The Tempo Language User Guide and Reference Manual
, 2008
Cited by 1 (1 self)
Tempo is a simple formal language for modeling distributed systems with (or without) timing constraints, as collections of interacting state machines called Timed Input/Output Automata. Tempo provides natural mathematical notations for describing systems, their properties, and relationships between their descriptions at different levels of abstraction. An associated Tempo Toolkit supports several validation methods for systems described using Tempo, including static analysis, simulation, interactive proof using the PVS theorem-prover, and model-checking using the Uppaal model-checker. This three-part document consists of: (I) an informal tutorial that describes the underlying mathematical Timed Input/Output Automata framework and demonstrates how to use the Tempo language to model typical timed systems; (II) a systematic description of the Tempo language
Safety Verification for Automated Vehicle Maneuvers
, 1998
In this thesis we formally model a system consisting of two vehicles moving along a single track, plus controllers that operate the vehicles, plus communication channels. The modeling formalism used is the Hybrid Automata model developed by Lynch, Segala, Vaandrager and Weinberg. We formulate a key safety requirement of such a system, namely, that the two vehicles never collide at a relative velocity greater than a given bound, v_allow. We give necessary and sufficient conditions for the controller of the follower vehicle to guarantee that the safety requirement is satisfied regardless of the behavior of the leading vehicle. The model includes handling of communication delays and uncertainty. The proofs use composition, invariants, and levels of abstraction, together with methods of mathematical analysis. This case study is derived from the California PATH intelligent highway project.