Results 1-10 of 77
The Theory of Hybrid Automata, 1996
Cited by 483 (9 self)
Abstract:
A hybrid automaton is a formal model for a mixed discrete-continuous system. We classify hybrid automata according to what questions about their behavior can be answered algorithmically. The classification reveals structure on mixed discrete-continuous state spaces that was previously studied on purely discrete state spaces only. In particular, various classes of hybrid automata induce finitary trace equivalence (or similarity, or bisimilarity) relations on an uncountable state space, thus permitting the application of various model-checking techniques that were originally developed for finite-state systems.
What's Decidable about Hybrid Automata?
Journal of Computer and System Sciences, 1995
Cited by 266 (14 self)
Abstract:
Hybrid automata model systems with both digital and analog components, such as embedded control programs. Many verification tasks for such programs can be expressed as reachability problems for hybrid automata. By improving on previous decidability and undecidability results, we identify a boundary between decidability and undecidability for the reachability problem of hybrid automata. On the positive side, we give an (optimal) PSPACE reachability algorithm for the case of initialized rectangular automata, where all analog variables follow independent trajectories within piecewise-linear envelopes and are reinitialized whenever the envelope changes. Our algorithm is based on the construction of a timed automaton that contains all reachability information about a given initialized rectangular automaton. The translation has practical significance for verification, because it guarantees the termination of symbolic procedures for the reachability analysis of initialized rectangular autom...
HYTECH: The next generation
In Proceedings of the 16th IEEE Real-Time Systems Symposium, 1995
Cited by 102 (7 self)
Abstract:
We describe a new implementation of HyTech, a symbolic model checker for hybrid systems. Given a parametric description of an embedded system as a collection of communicating automata, HyTech automatically computes the conditions on the parameters under which the system satisfies its safety and timing requirements. While the original HyTech prototype was based on the symbolic algebra tool Mathematica, the new implementation is written in C++ and builds on geometric algorithms instead of formula manipulation. The new HyTech offers a cleaner and more expressive input language, greater portability, superior performance (typically two to three orders of magnitude), and new features such as diagnostic error-trace generation. We illustrate the effectiveness of the new implementation by applying HyTech to the automatic parametric analysis of the generic railroad crossing benchmark problem [HJL93] and to an active structure control algorithm [ECB94].
Linear Parametric Model Checking of Timed Automata, 2002
Cited by 61 (3 self)
Abstract:
We present an extension of the model checker Uppaal, capable of synthesizing linear parameter constraints for the correctness of parametric timed automata. A symbolic representation of the (parametric) state space in terms of parametric difference bound matrices is shown to be correct. A second contribution of this paper is the identification of a subclass of parametric timed automata (L/U automata), for which the emptiness problem is decidable, contrary to the full class where it is known to be undecidable. Also, we present a number of results that reduce the verification effort for L/U automata in certain cases. We illustrate our approach by deriving linear parameter constraints for a number of well-known case studies from the literature (exhibiting a flaw in a published paper).
Symbolic Techniques for Parametric Reasoning about Counter and Clock Systems
Proceedings of the 12th CAV, volume 1855 of LNCS, 2000
Cited by 52 (5 self)
Abstract:
We address the problem of automatic analysis of parametric counter and clock automata. We propose a semi-algorithmic approach based on using (1) expressive symbolic representation structures called Parametric DBMs, and (2) accurate extrapolation techniques that speed up the reachability analysis and help it terminate. The techniques we propose consist in automatically guessing the effect of iterating a control loop an arbitrary number of times, and in checking that this guess is exact. Our approach can deal uniformly with systems that generate linear or non-linear sets of configurations. We have implemented our techniques and experimented with them on non-trivial examples such as a parametric timed version of the Bounded Retransmission Protocol.
A Constraint Oriented Proof Methodology Based on Modal Transition Systems
In BRICS Notes, 1995
Cited by 44 (7 self)
Abstract:
In this paper, we present a constraint-oriented, state-based proof methodology for concurrent software systems which exploits compositionality and abstraction for the reduction of the verification problem under investigation. The formal basis for this methodology is Modal Transition Systems, which allow loose state-based specifications that can be refined by successively adding constraints. Key concepts of our method are projective views, separation of proof obligations, Skolemization and abstraction. The method is even applicable to real-time systems.
1 Introduction
The use of formal methods and in particular formal verification of concurrent systems, interactive or fully automatic, is still limited to very specific problem classes. For state-based methods this is mainly due to the state explosion problem: the state graph of a concurrent system grows exponentially with the number of its parallel components, leading to an unmanageable size for most practically relevant systems. Consequentl...
Are Timed Automata Updatable?, 2000
Cited by 42 (13 self)
Abstract:
In classical timed automata, as defined by Alur and Dill [AD90, AD94] and widely studied since, the only operation allowed to modify the clocks is the reset operation. For instance, a clock can neither be set to a non-null constant value, nor be set to the value of another clock, nor, in a nondeterministic way, to some value lower or higher than a given constant. In this paper we study in detail such updates, which can be very useful for modelling purposes. We characterise precisely the frontier between decidable and undecidable. Our main contributions are the following:
- We exhibit many classes of updates for which emptiness is undecidable. A surprising result is that these classes depend on the clock constraints that are used (diagonal-free or not), whereas it is well known that these two kinds of constraints are equivalent for classical timed automata.
- We propose a generalization of the region automaton proposed by Alur and Dill to handle larger classes of updates. ...
The Observational Power of Clocks, 1994
Cited by 40 (4 self)
Abstract:
We develop a theory of equivalences for timed systems. Two systems are equivalent iff external observers cannot observe differences in their behavior. The notion of equivalence depends, therefore, on the distinguishing power of the observers. The power of an observer to measure time results in untimed, clock, and timed equivalences: an untimed observer cannot measure the time difference between events; a clock observer uses a clock to measure time differences with finite precision; a timed observer is able to measure time differences with arbitrary precision. We show that the distinguishing power of clock observers grows with the number of observers, and approaches, in the limit, the distinguishing power of a timed observer. More precisely, given any equivalence for untimed systems, two timed systems are k-clock congruent, for a non-negative integer k, iff their compositions with every environment that uses k clocks are untimed equivalent. Both k-clock bisimulation congruence and k-cloc...