Marvin Brieger,Stefan Mitsch,André Platzer

2024-08-09

Abstract:This article presents a relatively complete proof calculus for the dynamic logic of communicating hybrid programs dLCHP. Beyond traditional hybrid systems mixing discrete and continuous dynamics, communicating hybrid programs feature parallel interactions of hybrid systems. This not only compounds the subtleties of hybrid and parallel systems but adds the truly simultaneous synchronized evolution of parallel hybrid dynamics as a new challenge. To enable compositional reasoning about communicating hybrid programs nevertheless, dLCHP combines differential dynamic logic dL and assumption-commitment reasoning. To maintain the logical essence of dynamic logic axiomatizations, dLCHP's proof calculus presents a new modal logic view onto ac-reasoning. This modal view drives a decomposition of classical monolithic proof rules for parallel systems reasoning into new modular axioms, which yields better flexibility and simplifies soundness arguments. Adequacy of the proof calculus is shown by two completeness results: First, dLCHP is complete relative to the logic of communication traces and differential equation properties. This result proves the new modular modal view sufficient for reasoning about parallel hybrid systems, and captures modular strategies for reasoning about concrete parallel hybrid systems. The second result proof-theoretically aligns dLCHP and dL by proving that reasoning about parallel hybrid systems is exactly as hard as reasoning about hybrid systems, continuous systems, or discrete systems. This completeness result reveals the possibility of representational succinctness in parallel hybrid systems proofs.

Logic in Computer Science

Stefan Mitsch,Grant Olney Passmore,Andre Platzer

DOI: https://doi.org/10.1007/s11786-014-0176-y

2014-10-04

Abstract:Hybrid systems with both discrete and continuous dynamics are an important model for real-world cyber-physical systems. The key challenge is to ensure their correct functioning w.r.t. safety requirements. Promising techniques to ensure safety seem to be model-driven engineering to develop hybrid systems in a well-defined and traceable manner, and formal verification to prove their correctness. Their combination forms the vision of verification-driven engineering. Often, hybrid systems are rather complex in that they require expertise from many domains (e.g., robotics, control systems, computer science, software engineering, and mechanical engineering). Moreover, despite the remarkable progress in automating formal verification of hybrid systems, the construction of proofs of complex systems often requires nontrivial human guidance, since hybrid systems verification tools solve undecidable problems. It is, thus, not uncommon for development and verification teams to consist of many players with diverse expertise. This paper introduces a verification-driven engineering toolset that extends our previous work on hybrid and arithmetic verification with tools for (i) graphical (UML) and textual modeling of hybrid systems, (ii) exchanging and comparing models and proofs, and (iii) managing verification tasks. This toolset makes it easier to tackle large-scale verification tasks.

Logic in Computer Science,Software Engineering

zhang yu,dong yunwei,feng wenlong,huang mengxing

DOI: https://doi.org/10.13328/j.cnki.jos.005214

2017-01-01

Abstract:Cyber-Physical System(CPS) tightly integrates control software and embedded components, incorporating software with control domains. CPSs are pervasive and often mission-critical, therefore, they must have high level of security. With the extensive use of information technology, embedded control software plays a greater role in such systems. The close interactions between control software and embedded components demand co-verification. In this paper, an automata-theoretic approach is presented to co-verification. Co-verification, which verifies control software and embedded components together, is essential to establish the correctness of a complete system. The foundation of this approach is a unified model for co-verification and reachability analysis of the model. The LTL formula is converted into a Büchi automata, which is interleaved with the execution of the unified model under analysis. An online-capture offline-replay approach is proposed to improve the usefulness for formal verification. Case studies on a suite of realistic examples show that the presented approach has major potential in verifying system level properties, therefore improving the high-assurance of system.

张学军,谢剑英,张苗苗

DOI: https://doi.org/10.3321/j.issn:1001-0920.2001.02.017

2001-01-01

Abstract:Aiming at reliability of programmable logic controller forcontinuous plants, an approach is presented to make the hybrid systems′ formal verification. The model is given out by using hybrid rectangular automata and the analysis of its quotient transition system′s reachability is presented. The principles of verification are given. The method is illustrated by an example of chemical process control.

Yuanrui Zhang,Hengyang Wu,Yixiang Chen,Frédéric Mallet

DOI: https://doi.org/10.1007/978-3-030-12988-0_7

2018-01-01

Abstract:The Clock Constraint Specification Language (CCSL) is a clock-based specification language for capturing causal and chronometric constraints between events in Real-Time Embedded Systems (RTESs). Due to the limitations of the existing verification approaches, CCSL lacks a full verification support for u0027unsafe CCSL specificationsu0027 and a unified proof framework. In this paper, we propose a novel verification approach based on theorem proving and SMT-checking. We firstly build a logic called CCSL Dynamic Logic (CDL), which extends the traditional dynamic logic with u0027signalsu0027 and u0027clock relationsu0027 as primitives, and with synchronous execution mechanism for modelling RTESs. Then we propose a sound and relatively complete proof system for CDL to provide the verification support. We show how CDL can be used to capture RTES and verify CCSL specifications by analyzing a simple case study.

Rafael C. Cardoso,Louise A. Dennis,Marie Farrell,Michael Fisher,Matt Luckcuck

DOI: https://doi.org/10.4204/EPTCS.329.2

2020-12-03

Abstract:Software engineering of modular robotic systems is a challenging task, however, verifying that the developed components all behave as they should individually and as a whole presents its own unique set of challenges. In particular, distinct components in a modular robotic system often require different verification techniques to ensure that they behave as expected. Ensuring whole system consistency when individual components are verified using a variety of techniques and formalisms is difficult. This paper discusses how to use compositional verification to integrate the various verification techniques that are applied to modular robotic software, using a First-Order Logic (FOL) contract that captures each component's assumptions and guarantees. These contracts can then be used to guide the verification of the individual components, be it by testing or the use of a formal method. We provide an illustrative example of an autonomous robot used in remote inspection. We also discuss a way of defining confidence for the verification associated with each component.

Software Engineering,Logic in Computer Science,Robotics

Miel Sharf,Bart Besselink,Karl Henrik Johansson

DOI: https://doi.org/10.48550/arXiv.2211.01298

2022-11-03

Abstract:Designing large-scale control systems to satisfy complex specifications is hard in practice, as most formal methods are limited to systems of modest size. Contract theory has been proposed as a modular alternative to formal methods in control, in which specifications are defined by assumptions on the input to a component and guarantees on its output. However, current contract-based methods for control systems either prescribe guarantees on the state of the system, going against the spirit of contract theory, or can only support rudimentary compositions. In this paper, we present a contract-based modular framework for discrete-time dynamical control systems. We extend the definition of contracts by allowing the assumption on the input at a time $k$ to depend on outputs up to time $k-1$, which is essential when considering the feedback connection of an unregulated dynamical system and a controller. We also define contract composition for arbitrary interconnection topologies, under the pretence of well-posedness, and prove that this notion supports modular design, analysis and verification. This is done using graph theory methods, and specifically using the notions of topological ordering and backward-reachable nodes. Lastly, we use $k$-induction to present an algorithm for verifying vertical contracts, which are claims of the form "the conjugation of given component-level contracts is a stronger specification than a given contract on the integrated system". These algorithms are based on linear programming, and scale linearly with the number of components in the interconnected network. A numerical example is provided to demonstrate the scalability of the presented approach, as well as the modularity achieved by using it.

Systems and Control,Dynamical Systems,Optimization and Control

Jeremiah Griffin,Mohsen Lesani,Narges Shadab,Xizhe Yin

DOI: https://doi.org/10.48550/arXiv.2004.01360

2020-04-03

Programming Languages

Abstract:Distributed systems are critical to reliable and scalable computing; however, they are complicated in nature and prone to bugs. To modularly manage this complexity, network middleware has been traditionally built in layered stacks of components. We present a novel approach to compositional verification of distributed stacks to verify each component based on only the specification of lower components. We present TLC (Temporal Logic of Components), a novel temporal program logic that offers intuitive inference rules for verification of both safety and liveness properties of functional implementations of distributed components. To support compositional reasoning, we define a novel transformation on the assertion language that lowers the specification of a component to be used as a subcomponent. We prove the soundness of TLC and the lowering transformation with respect to the operational semantics for stacks of distributed components. We successfully apply TLC to compose and verify a stack of fundamental distributed components.

Yuanrui Zhang,Hengyang Wu,Yixiang Chen,Frederic Mallet

DOI: https://doi.org/10.1016/j.scico.2020.102591

IF: 1.039

2021-01-01

Science of Computer Programming

Abstract:The Clock Constraint Specification Language (CCSL) is a clock-based specification language for real-time embedded systems. With logical clocks defined as first-class citizens, CCSL provides a natural way for describing clock constraints in synchronous systems — a classical model of concurrency for real-time embedded systems. In this paper, we propose a clock-based dynamic logic called CCSL Dynamic Logic (CDL) for the verification of CCSL specifications in synchronous systems. It extends the first-order dynamic logic with a synchronous execution mechanism in its program model and with CCSL primitives as terms in its logical formulae. We build a sound and relatively complete proof system for CDL to support the verification. Compared with previous approaches for verifying CCSL specifications, which are based on model checking and SMT checking techniques, our approach, which is based on theorem-proving, offers a unified verification framework in which both bounded and unbounded CCSL specifications can be verified. Technically, with the proof system of CDL, a complex CDL formula can be semi-automatically transformed into a set of quantifier-free, arithmetical first-order logic (QF-AFOL) formulae which can be checked by an SMT solver in an efficient way. As a case study, we analyze a simple synchronous system throughout the paper to illustrate how CDL works. We analyze and prove the soundness and completeness of the proof system for CDL. Currently, CDL is partially mechanized in Coq.

Xiong Xu,Shuling Wang,Bohua Zhan,Xiangyu Jin,Naijun Zhan,Jean-Pierre Talpin

DOI: https://doi.org/10.1145/3631483.3631487

2023-10-30

ACM SIGAda Ada Letters

Abstract:The design of safety-critical cyber-physical systems (CPSs) involve several dimensions, including physics, hardware rchitecture and software functionality. It is desirable to design CPSs by taking these issues into account uniformly and yet, few existing design workflows support this aim. For instance, AADL is an architecturecentric modelling formalism for CPSs, which focuses on modelling architecture and prototyping real-time hardware platforms, but it delegates physical and software behavioral models to so-called annexes. By contrast, Simulink/Stateflow (S/S) focuses on modelling interacting physical and software behaviors, but does not render the non-functional characteristics of their hardware platforms. To address this issue, in [1], we proposed the combination of AADL and S/S, called AADL S/S, to comodel CPSs and presented a method to uniformly analyse and verify them. AADL S/S provides a unified graphical co-modelling environment for CPS design and supports simulation through C code generation. Also, [1] presented a formal semantics of AADL S/S by translation to Hybrid Communicating Sequential Processes (HCSP), yielding a deductive verification framework of the combined models using Hybrid Hoare Logic (HHL). Additionally, [1] proved the correctness of the translation of AADL S/S to HCSP.

Tianhua Xu,Tao Tang,Chunhai Gao,Baigen Cai

DOI: https://doi.org/10.1109/IVS.2009.5164402

2009-01-01

Abstract:We formally verify hybrid safety properties of Automatic Collision Avoidance System (ACAS) in the European Train Control System (ETCS). We present a formal requirements, design decision, discrete design and the real-time program for ACAS and verify correctness using compositional verification rules based Weakly monotonic time extension of DC* (WDC*). The advantage of compositional proof rule is that it decomposes a large system into more manageable pieces and to prove the correctness of the whole system from that of its immediate constituents. WDC* provides an essential simplification in reasoning about the design of real-time properties in ACAS by means of true synchrony hypothesis and the super-dense computation.

Roland Groz,Keqin Li,Alexandre Petrenko,Muzammil Shahbaz

DOI: https://doi.org/10.1007/978-3-540-68524-1_16

2008-01-01

Abstract:Verification of a modular system composed of communicating components is a difficult problem, especially when the models of the components are not available. Conventional testing techniques are not efficient in detecting erroneous interactions of components because such interactions often occur as interleavings of events that are difficult to reproduce in a modular system. The problem of detecting intermittent errors in the absence of models of components is addressed in this paper. A method to infer a controllable approximation of components through testing is elaborated. Pie inferred finite state models of components are used to detect intermittent errors and other compositional problems in the system through reachability analysis. The models are refined at each analysis step thus making the approach iterative.

Samuel Teuber,Stefan Mitsch,André Platzer

2024-10-24

Abstract:While neural networks (NNs) have potential as autonomous controllers for Cyber-Physical Systems, verifying the safety of NN based control systems (NNCSs) poses significant challenges for the practical use of NNs, especially when safety is needed for unbounded time horizons. One reason is the intractability of analyzing NNs, ODEs and hybrid systems. To this end, we introduce VerSAILLE (Verifiably Safe AI via Logically Linked Envelopes): The first general approach that allows reusing control theory results for NNCS verification. By joining forces, we exploit the efficiency of NN verification tools while retaining the rigor of differential dynamic logic (dL). Based on provably safe control envelopes in dL, we derive specifications for the NN which is proven via NN verification. We show that a proof of the NN adhering to the specification is mirrored by a dL proof on the infinite-time safety of the NNCS. The NN verification properties resulting from hybrid systems typically contain nonlinear arithmetic and arbitrary logical structures while efficient NN verification merely supports linear constraints. To overcome this divide, we present Mosaic: An efficient, sound and complete verification approach for polynomial real arithmetic properties on piece-wise linear NNs. Mosaic partitions complex verification queries into simple queries and lifts off-the-shelf linear constraint tools to the nonlinear setting in a completeness-preserving manner by combining approximation with exact reasoning for counterexample regions. Our evaluation demonstrates the versatility of VerSAILLE and Mosaic: We prove infinite-time safety on the classical Vertical Airborne Collision Avoidance NNCS verification benchmark for two scenarios while (exhaustively) enumerating counterexample regions in unsafe scenarios. We also show that our approach significantly outperforms State-of-the-Art tools in closed-loop NNV.

Systems and Control,Artificial Intelligence,Machine Learning,Logic in Computer Science

François Laroussinie,Kim G. Larsen

DOI: https://doi.org/10.7146/brics.v2i19.19921

1995-01-01

BRICS Report Series

Abstract:A major problem in applying model checking to finite-state systems is the potential combinatorial explosion of the state space arising from parallel composition. Solutions of this problem have been attempted for practical applications using a variety of techniques. Recent work by Andersen [And95] proposes a very promising compositional model checking technique, which has experimentally been shown to improve results obtained using Binary Decision Diagrams. In this paper we make Andersen's technique applicable to systems described by networks of timed automata. We present a quotient construction, which allows timed automata components to be gradually moved from the network expression into the specification. The intermediate specifications are kept small using minimization heuristics suggested by Andersen. The potential of the combined technique is demonstrated using a prototype implemented in CAML.

Jeremiah Griffin,Mohsen Lesani,Narges Shadab,Xizhe Yin

DOI: https://doi.org/10.1145/3409005

2020-08-02

Proceedings of the ACM on Programming Languages

Abstract:Distributed systems are critical to reliable and scalable computing; however, they are complicated in nature and prone to bugs. To manage this complexity, network middleware has been traditionally built in layered stacks of components.We present a novel approach to compositional verification of distributed stacks to verify each component based on only the specification of lower components. We present TLC (Temporal Logic of Components), a novel temporal program logic that offers intuitive inference rules for verification of both safety and liveness properties of functional implementations of distributed components. To support compositional reasoning, we define a novel transformation on the assertion language that lowers the specification of a component to be used as a subcomponent. We prove the soundness of TLC and the lowering transformation with respect to a novel operational semantics for stacks of composed components in partially synchronous networks. We successfully apply TLC to compose and verify a stack of fundamental distributed components.

English Else

Huixing Fang,Jifeng He,Qiwen Xu,Huibiao Zhu,Longfei Zhu

2015-01-01

Abstract:Hybrid systems arise in real-time and embedded control systems with the interactions emerged between continuous physical environment and discrete digital controllers. In this paper, we propose an approach for the verification of hybrid systems which are constructed by a hybrid parallel modelling language, where the interaction between the controller and the environment is synchronized by signals. The proof rules with respect to the modelling language are illustrated in the style of Hoare triples. For an application of our approach, a water tank model is produced as a sequential hybrid model, then we verify the model with the satisfiability according to a design requirement. Moreover, for parallel hybrid model, a case of subway control system involving overlapping metro lines is presented and verified with respect to the collision avoidance requirement.

Jie LIU,Xiao-hua YANG,Hua LIU,Qu-jin WU,Xing CHEN

DOI: https://doi.org/10.11731/j.issn.1673-193x.2015.05.006

2015-01-01

Abstract:Digital reactor control system is a typical real-time hybrid system involving the physical dynamic evolu-tion process of reactor against time and the discrete control process of computer .Differential dynamic logic is a new theory for hybrid system verification .A new method to construct safety verification model of digital reactor control system based on differential dynamic logic was put forward , so as to verify whether the interaction between discrete logic control in reactor control system and the physical continuous change process of reactor continuity can guarantee the safety requirement of reactor .It improves the safety properties of design on digital reactor control system .

Xiaoxiang Zhai,Qiaoqiao Chen,Shunhui Ji,Bixin Li

DOI: https://doi.org/10.1109/qsic.2012.11

2012-01-01

Abstract:In CPS (cyber-physical systems), computation is integrated with physical processes, computer system is used to monitor and interact with the physical world to realize maximization of benefit and usage. The model and verification for cyber physical systems are two important and challenge problems because CPS has not only heterogeneous nature but also very complicated structure and relationships among its components. In this paper, a unified framework is proposed to model and verify CPS, where CPS is modeled in forms of HybridUML models, then these HybridUML models are transformed to different operating models of Differential Dynamic Logic (DL), and finally some CPS properties are specified using DDL equations and verified using DDL reasoning rules.

Jianmin Hou,Xuandong Li,Xiaocong Fan,Guoliang Zheng

DOI: https://doi.org/10.1145/272263.272359

1998-01-01

Abstract:A major problem in applying model checking to finite–state systems is the potential combinatorial explosion of the state space arising from parallel composition. Solutions of this problem have been attempted for practical applications using a variety of techniques. Recent work by Andersen [And95] proposes a very promising compositional model checking technique, which has experimentally been shown to improve results obtained using Binary Decision Diagrams. In this paper we make Andersen’s technique applicable to systems described by networks of timed automata. We present a quotient construction, which allows timed automata components to be gradually moved from the network expression into the specification. The intermediate specifications are kept small using minimization heuristics suggested by Andersen. The potential of the combined technique is demonstrated using a prototype implemented in CAML. ∗This work has been supported by the European Communities under CONCUR2, BRA 7166 †Basic Research in Computer Science, Centre of the Danish National Research Foundation. ‡Dept. of Computer Science, Aalborg University, Fredrik Bajers Vej 7-E, DK-9220 Aalborg, Denmark, (email: {fl,kgl}@iesd.auc.dk) fax: (45) 98.15.81.29