We present a general framework for the formal specification and algorithmic analysis of hybrid systems. A hybrid system consists of a discrete program with an analog environment. We model hybrid systems as nite automata equipped with variables that evolve continuously with time according to dynamical laws. For verification purposes, we restrict ourselves to linear hybrid systems, where all variables follow piecewise-linear trajectories. We provide decidability and undecidability results for classes of linear hybrid systems, and we show that standard program-analysis techniques can be adapted to linear hybrid systems. In particular, we consider symbolic model-checking and minimization procedures that are based on the reachability analysis of an infinite state space. The procedures iteratively compute state sets that are definable as unions of convex polyhedra in multidimensional real space. We also present approximation techniques for dealing with systems for which the iterative procedures do not converge.

This paper provides a Safety Checklist for usc during the analysis of software requirements for spacecraft and other safety-critical, embedded systems, The checklist specifically targets the two most common causes of safety-related software errors: (1) inadequate interface requirements and (2) discrepancies between the documented requirements and the requirements actually needed for correct functioning of the system. Use of the checklist to enhance the software-recluirements analysis is shown to reduce the number of safety-related software errors. I.

Safety critical computers increasingly a#ect nearly every aspect of our lives. Computers control the planes we #y on, monitor our health in hospitals and do our work in hazardous environments. Computers with software de#ciencies that fail to meet stringent timing constraints have resulted in catastrophic failures. This paper surveys formal methods for specifying, designing and verifying real-time systems, so as to improve their safety and reliability. # To appear in Journal of Systems and Software,Vol. 18, Number 1, pages 33#60, April 1992. Jonathan Ostro# is with the Department of Computer Science, York University 4700 Keele Street, North York, Ontario, Canada, M3J 1P3. This work is supported by the Natural Sciences and Engineering Research Council of Canada. 1 CONTENTS 2 Contents 1 Introduction 3 2 De#ning the terms 6 2.1 Major issues that formal theories must address ::::::: 13 3 Real-Time Programming Languages 14 4 Structured Methods and#or Graphical Languages 15 4.1 Str...

The goal of the Provably Correct Systems project (ProCoS) is to develop a mathematical basis for development of embedded, real-time, computer systems. This survey paper introduces novel specification languages and verification techniques for four levels of development: 1) Requirements definition and design; 2) Program specifications and their transformation to parallel programs; 3) Compilation of programs to hardware; 4) and Compilation of real-time programs to conventional processors.

We study the reachability problem for hybrid automata. Automatic approaches, which attempt to construct the reachable region by symbolic execution, often do not terminate. In these cases, we require the user to guess the reachable region, and we use a theorem prover (Pvs) to verify the guess. We classify hybrid automata according to the theory in which their reachable region can be defined finitely. This is the theory in which the prover needs to operate in order to verify the guess. The approach is interesting, because an appropriate guess can often be deduced by extrapolating from the first few steps of symbolic execution.

This paper describes our experiences in restructuring multi-perspective requirements speci#cations in order to facilitate the identi#cation and analysis of inconsistencies and management of change. A partial, heterogeneous and reasonably large requirements speci#cation from a NASA project was analysed and decomposed into a structure of #viewpoints", where each viewpoint encapsulates partial requirements of some system components described in the speci#cation. Relationships between viewpoints were identi#ed which included not only the interactions explicitly stated in the requirements but also some implicit and potentially problematic inter-dependencies. The restructuring process and a #rst informal analysis of the resulting relationships enabled the detection of inconsistencies and the de#nition of some interesting domain-dependent consistency rules. We believe that this restructuring into viewpoints also facilitated requirements understanding through partitioning, and re...