We present a general framework for the formal specification and algorithmic analysis of hybrid systems. A hybrid system consists of a discrete program with an analog environment. We model hybrid systems as nite automata equipped with variables that evolve continuously with time according to dynamical laws. For verification purposes, we restrict ourselves to linear hybrid systems, where all variables follow piecewise-linear trajectories. We provide decidability and undecidability results for classes of linear hybrid systems, and we show that standard program-analysis techniques can be adapted to linear hybrid systems. In particular, we consider symbolic model-checking and minimization procedures that are based on the reachability analysis of an infinite state space. The procedures iteratively compute state sets that are definable as unions of convex polyhedra in multidimensional real space. We also present approximation techniques for dealing with systems for which the iterative procedures do not converge.

A hybrid automaton is a formal model for a mixed discrete-continuous system. We classify hybrid automata acoording to what questions about their behavior can be answered algorithmically. The classification reveals structure on mixed discrete-continuous state spaces that was previously studied on purely discrete state spaces only. In particular, various classes of hybrid automata induce finitary trace equivalence (or similarity, or bisimilarity) relations on an uncountable state space, thus permitting the application of various model-checking techniques that were originally developed for finite-state systems.

We introduce the framework of hybrid automata as a model and specification language for hybrid systems. Hybrid automata can be viewed as a generalization of timed automata, in which the behavior of variables is governed in each state by a set of differential equations. We show that many of the examples considered in the workshop can be defined by hybrid automata. While the reachability problem is undecidable even for very restricted classes of hybrid automata, we present two semidecision procedures for verifying safety properties of piecewise-linear hybrid automata, in which all variables change at constant rates. The two procedures are based, respectively, on minimizing and computing fixpoints on generally infinite state spaces. We show that if the procedures terminate, then they give correct answers. We then demonstrate that for many of the typical workshop examples, the procedures do terminate and thus provide an automatic way for verifying their properties. 1 Introduction More and...

In this paper we consider a class of hybrid systems, namely dynamical systems with piecewise-constant derivatives (PCD systems). Such systems consist of a partition of the Euclidean space into a finite set of polyhedral sets (regions). Within each region the dynamics is defined by a constant vector field, hence discrete transitions occur only on the boundaries between regions where the trajectories change their direction. With respect to such systems we investigate the reachability question: Given an effective description of the systems and of two polyhedral subsets P and Q of the state-space, is there a trajectory starting at some x 2 P and reaching some point in Q? Our main results are a decision procedure for two-dimensional systems, and an undecidability result for three or more dimensions. 1 Introduction 1.1 Motivation Hybrid systems (HS) are systems that combine intercommunicating discrete and continuous components. Most embedded systems belong to this class since they operate...

Linear Relation Analysis [CH78] is an abstract interpretation devoted to the automatic discovery of invariant linear inequalities among numerical variables of a program. In this paper, we apply such an analysis to the verification of quantitative time properties of two kinds of systems: synchronous programs and linear hybrid systems.

When proving the correctness of algorithms in distributed systems, one generally considers safety conditions and liveness conditions. The Input/Output (I/O) automaton model and its timed version have been used successfully, but have focused on safety conditions and on a restricted form of liveness called fairness. In this paper we develop a new I/O automaton model, and a new timed I/O automaton model, that permit the verification of general liveness properties on the basis of existing verification techniques. Our models include a notion of environment-freedom which generalizes the idea of receptiveness of other existing formalisms, and enables the use of compositional verification techniques.

We present a new application of the abstract interpretation by means of convex polyhedra, to a class of hybrid systems, i.e., systems involving both discrete and continuous variables. The result is an efficient automatic tool for approximate, but conservative, verification of reachability properties of these systems. 1 Introduction Timed automata [AD90] have been recently introduced to model real-time systems. A timed automaton is a finite automaton associated with a finite set of clocks, each clock counting the continuous elapsing of time. Each transition of the automaton can be guarded by a simple linear condition on the clock values, and can result in resetting some clocks to zero. A nice feature of this model is that it can be abstracted into a finite state system, and that all the standard verification problems (reachability, TCTL model-checking [ACD90, HNSY92]) are decidable. However, many interesting extensions of this model have been shown to lose this decidability propert...

Introduction The paper presents a model for hybrid systems, that is, systems that combine discrete and continuous components. Such systems are usually reactive real-time systems used to control an environment evolving over time. A main assumption is that a run of a hybrid system is a sequence of two-phase steps. The first phase of a step corresponds to a continuous state transformation usually described in terms of some parameter representing the time elapsed during this phase. In the second phase the state is submitted to a discrete change taking zero time. To illustrate this assumption, consider a temperature regulator commanding a heater so as to maintain the temperature ` of a room between two given bounds ` min and ` max . A run of such a system is a sequence of steps determined by the alternating state changes of the heater from ON to OFF<F26.

. Hybrid systems are modeled as phase transition systems with sampling semantics. By identifying a set of important events it is ensured that all significant state changes are observed, thus correcting previous drawbacks of the sampling computations semantics. A proof rule for verifying properties of hybrid systems is presented and illustrated on several examples. Keywords: Temporal logic, real-time, specification, verification, hybrid systems, statecharts, proof rules, phase transition system, sampling semantics, important events. 1 Introduction Hybrid systems are reactive systems that intermix discrete and continuous components. Typical examples are digital controllers that interact with continuously changing physical environments. A formal model for hybrid systems was proposed in [MMP92], based on the notion of phase transition systems (PTS). Two types of semantics were considered in [MMP92]. The first semantics, to which we refer here as the super dense semantics, is based on hyb...

In this work we suggest a novel methodology for synthesizing switching controllers for continuous and hybrid systems whose dynamics are defined by linear differential equations. We formulate the synthesis problem as finding the conditions upon which a controller should switch the behavior of the system from one "mode" to another in order to avoid a set of bad states, and propose an abstract algorithm which solves the problem by an iterative computation of reachable states. We have implemented a concrete version of the algorithm, which uses a new approximation scheme for reachability analysis of linear systems.