Results 1-10 of 15
A Vision of Collaborative Verification-Driven Engineering of Hybrid Systems
Abstract

Cited by 4 (3 self)
Abstract. Hybrid systems with both discrete and continuous dynamics are an important model for real-world physical systems. The key challenge is how to ensure their correct functioning w.r.t. safety requirements. Promising techniques to ensure safety seem to be model-driven engineering to develop hybrid systems in a well-defined and traceable manner, and formal verification to prove their correctness. Their combination forms the vision of verification-driven engineering. Despite the remarkable progress in automating formal verification of hybrid systems, the construction of proofs of complex systems often requires significant human guidance, since hybrid systems verification tools solve undecidable problems. It is thus not uncommon for verification teams to consist of many players with diverse expertise. This paper introduces a verification-driven engineering toolset that extends our previous work on hybrid and arithmetic verification with tools for (i) modeling hybrid systems, (ii) exchanging and comparing models and proofs, and (iii) managing verification tasks. This toolset makes it easier to tackle large-scale verification tasks.
Characterizing Algebraic Invariants by Differential Radical Invariants
Abstract

Cited by 3 (1 self)
Abstract. We prove that any invariant algebraic set of a given polynomial vector field can be algebraically represented by one polynomial and a finite set of its successive Lie derivatives. This so-called differential radical characterization relies on a sound abstraction of the reachable set of solutions by the smallest variety that contains it. The characterization leads to a differential radical invariant proof rule that is sound and complete, which implies that invariance of algebraic equations over real-closed fields is decidable. Furthermore, the problem of generating invariant varieties is shown to be as hard as minimizing the rank of a symbolic matrix, and is therefore NP-hard. We investigate symbolic linear algebra tools based on Gaussian elimination to efficiently automate the generation. The approach can, e.g., generate non-trivial algebraic invariant equations capturing the airplane behavior during takeoff or landing in longitudinal motion.
Efficiency Analysis of Formally Verified Adaptive Cruise Controllers
Abstract

Cited by 2 (0 self)
Abstract. We consider an adaptive cruise control system in which control decisions are made based on position and velocity information received from other vehicles via V2V wireless communication. If the vehicles follow each other at a close distance, they have better wireless reception, but collisions may occur when a follower car does not receive notice about the decelerations of the leader car fast enough to react before it is too late. If the vehicles are farther apart, they would have a bigger safety margin, but the wireless communication drops out more often, so that the follower car no longer receives what the leader car is doing. In order to guarantee safety, such a system must return control to the driver if it does not receive an update from a nearby vehicle within some timeout period. The value of this timeout parameter encodes a tradeoff between the likelihood that an update is received and the maximum safe acceleration. Combining formal verification techniques for hybrid systems with a wireless communication model, we analyze how the expected efficiency of a provably-safe adaptive cruise control system is affected by the value of this timeout.
Differential game logic
CoRR, 2014
Abstract

Cited by 2 (2 self)
Differential game logic (dGL) is a logic for specifying and verifying properties of hybrid games, i.e. games that combine discrete, continuous, and adversarial dynamics. Unlike hybrid systems, hybrid games allow choices in the system dynamics to be resolved adversarially by different players with different objectives. The logic dGL can be used to study the existence of winning strategies for such hybrid games, i.e. ways of resolving the player's choices in some way so that he wins by achieving his objective for all choices of the opponent. Hybrid games are determined, i.e. from each state, one player has a winning strategy, yet computing their winning regions may take transfinitely many steps. The logic dGL, nevertheless, has a sound and complete axiomatization relative to any expressive logic. Separating axioms are identified that distinguish hybrid games from hybrid systems. Finally, dGL is proved to be strictly more expressive than the corresponding logic of hybrid systems.
Refactoring, Refinement, and Reasoning: A Logical Characterization for Hybrid Systems
Abstract

Cited by 1 (1 self)
Abstract. Refactoring of code is a common device in software engineering. As cyber-physical systems (CPS) become ever more complex, similar engineering practices become more common in CPS development. Proper safe developments of CPS designs are accompanied by a proof of correctness. Since the inherent complexities of CPS practically mandate iterative development, frequent changes of models are standard practice, but require re-verification of the resulting models after every change. To overcome this issue, we develop proof-aware refactorings for CPS. That is, we study model transformations on CPS and show how they correspond to relations on correctness proofs. As the main technical device, we show how the impact of model transformations on correctness can be characterized by different notions of refinement in differential dynamic logic. Furthermore, we demonstrate the application of refinements on a series of safety-preserving and liveness-preserving refactorings. For some of these we can give strong results by proving on a meta-level that they are correct. Where this is impossible, we construct proof obligations for showing that the refactoring respects the refinement relation.
15-424: Foundations of Cyber-Physical Systems. Lecture Notes on Choice & Control
Abstract
In the previous lecture, we have seen the beginning of cyber-physical systems, yet emphasized their continuous part in the form of differential equations x' = θ. The sole interface between continuous physical capabilities and cyber capabilities was by way of their evolution domain. The evolution domain H in a continuous program x' = θ & H
From Safety to Guilty & from Liveness to Niceness
Abstract
Abstract. Robots are solving challenging tasks that we want them to be able to perform (liveness), but we also do not want them to endanger their surroundings (safety). Formal methods provide ways of proving such correctness properties, but have the habit of only saying "yes" when the answer is "yes" (soundness). More often than not, formal methods say "no": they find out that the system is neither safe nor live, because there are "unexpected" circumstances in which the robot just cannot do what we expect it to. Inspecting those unexpected circumstances is informative, and identifies constraints on reasonable behavior of the environment. This ultimately leads from safety to the question of who is guilty depending on whose action caused the safety violation. It also leads from liveness to the question of what behavior of the environment is nice enough so that the robot can finish its task.

I. FORMAL METHODS FOR ROBOTICS

Robots often interact with a dynamically changing environment and in close proximity to humans or critical infrastructure. Thus, safety is key. But we also want a robot to complete some useful task or achieve a particular goal (liveness). Formal verification methods help to exhaustively analyze a robot and its control algorithms for correctness. This paper is based on our experience with formal verification of safety and liveness properties of autonomous robotic ground vehicles [2]. The overall challenge arises because robots not only execute discrete (control) algorithms, but they also interact with the real world through sensors and actuators. For verification purposes, thus, we need to take the discrete control algorithms and the continuous physical behavior of both our own robot and the environment into account. Hybrid systems are a suitable mathematical model to describe systems with interacting discrete and continuous behavior. We focus on theorem proving for hybrid systems as the verification method, and use differential dynamic logic [4] implemented in the KeYmaera prover [5] and the modeling tool Sphinx [3] to illustrate the challenges that arise from analyzing safety and liveness questions.
Logical Analysis of Hybrid Systems: A Complete Answer to a Complexity Challenge, 2012
Abstract
Hybrid systems have a complete axiomatization in differential dynamic logic relative to continuous systems. They also have a complete axiomatization relative to discrete systems. Moreover, there is a constructive reduction of properties of hybrid systems to corresponding properties of continuous systems or to corresponding properties of discrete systems. We briefly summarize and discuss some of the implications of these results.
Lecture Notes on Lexical Analysis. 15-411: Compiler Design
Abstract
Lexical analysis is the first phase of a compiler. Its job is to turn a raw byte or character input stream coming from the source file into a token stream by chopping the input into pieces and skipping over irrelevant details. The primary benefits of doing so include significantly simplified jobs
Lecture Notes on Dynamical Systems & Dynamic Axioms
15-424: Foundations of Cyber-Physical Systems, 2013