- Email: [email protected]
ACTL strong negation and its application to hybrid system verification
Copyright © IFAC Discrete Event Systems. Reims. France. 2004
ELSEVIER
IFAC PUBLICATIONS www.elsevier.comfloc3lelifac
ACTL STRONG NEGATION AND ITS APPLICATION TO HYBRID SYSTEM VERIFICATION Alongkrit Chutinan' Zhi Han •• Bruce H. Krogh ••
• Fabrinet Co., Ltd., 294 Moo 8, Vibhavadi Rangsit Rd. , K ookot.. Lumlookka, Patumthanee 12130. Thailand ac4c~ece.cmu.edu
•• Dept. of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA 15213. USA {zhihlkrogh}~ece.cmu.edu
Abstract: Model checking procedures for verifying properties of hybrid dynamic systems are based on the construction of finite-state abstractions. If the property is not satisfied by the abstraction , the verification is inconclusive and the abstraction needs to be refined so that a less conservative model can be checked. If the hybrid system does not satisfy' the property, this verify-refine procedure will usually not terminate. This paper introduces the concept of strong negation for ACTL as an auxiliary condition that can be verified to obtain a conclusive negative verification result from a finite-state abstraction in certain cases. A method for identifying a sufficient set of states to be refined when the verification is inconclusive is also presented. The concepts are illustrated with an example. Copyright © 2004 IFAC Keywords: Verification, hybrid system . model checking, abstraction , refinement
1. E\TRODl"CTIO:\
case , the only recourse is to refine the abstraction and try again with the hope that eventually an abstraction \vill be constructed for which the specification is true (Chutinan and Krogh. 2003 ).
A standard approach to hybrid system verification is to construct a fini t e-state abstraction (usually a quotient of the hybrid system) and apply model checking. That is, a conservatiw discrete model is constructed so that methods for verifying properties of discrete state systems can be applied to hybrid dynamic systems. The main restriction in this approach is that only universal properties can be verified, such as properties specified by the temporal logic ACTL. If the specification is true for the abstraction , it is true for the hybrid system since all possible hybrid trajectories are accounted for in the conservative abstraction. If the model checker returns a negati\'e result. one is assured the specification is false for the hybrid system only if the abstraction is a bisimulation of the hybrid system (Alur et aI. , 2000). As this is rarely the
Although the literature reports many successful applications of this approach to hybrid systems with non-trivial continuous dynamics (at least one success per tool), it is disconcerting that the refinement process will never terminate if the hybrid system really doesn't satisfy the specification. The concept of strong negation int roduced in this paper aims to offer some relief in this situation. In certain cases , checking the st rong negation condit ion will allow an abstraction-based verification tool to terminate with a conclusive negati\'e result. even if the abstraction is not a bisimulation of the hybrid system.
321
If no conclusive result is found , the abstraction must be refined. Often counterexamples (CEs ) are useful in the refinement procedure. The counterexample-guided refinement method for software systems has been studied in (Clarke et al.. 2000: Glusman et al., 2003). For verification of hybrid systems , methods based on the same idea have been proposed in (Clarke et aI., 2003 ) and (Alur et al.. 2003). In this paper we show that the strong negation condition can help to reduce the search space in the counterexampleguided abstraction refinement procedure. :-1ethods based on abstractions which 'strongly preserve' certain class of properties have been proposed for l1-calculus (Dams et al., 1997), for fractions of CTL* (Dams et al., 1993 ) and for modal transition systems (Godefroid et al.. 2001: Godefroid and Jagadeesan , 2002 ). Those techniques define tKO types of transitions in the abstract system: must - (or constrained ) t ransitions and may- (or free ) transitions. By distinguishing the two types of transitions in the model checking algorithm. conclusive negative results can be obtained for the concrete system . This technique is not applicable for ve rification of hybrid syst ems , hOKever, since the discrete abst rac tion of a hybrid system is based on reachability analysis for the continuous dynamics (Alur et al., 2000: Chutinan and Krogh , 2001 ), \"'here , in the terminology of (Godefroid et al. , 2001 ), all the t ransitions are may- transitions. To construct the must - transitions for a hybrid dynamical system, the post condition of each abstract state would have to be computed , which involves the most expensive computation in the verification procedure .
Definition 2. Given a labelled transition system T = (Q , -> , Qo , .c, L ), a partition P of Q is said to be consistent if and only if for all PEP and for all q, q' E P , L (q) = L (q' ) and q E Qo <===? q' E Qo· D efinition 3. ( Quotient Transition System) (QTS) Given a labelled transition system T = (Q , -> , Qo , .c, L ) and a consistent partition P of Q. the quotient transition system of T is defined as T / P = (P , ->p , Qo / P , .c , Lp ), where
(i) for all PP' E P , P ->p P' iff there exist q E P and q' E p i such that q -> q': (ii) Qo / P = {P E P I P ~ Qo}; and (iii) for all PEP , Lp (P ) = L (q) for some q E P. In words , a partition state in the QTS can make a transition to another partition state if one of its element states can make a transition to another element state in the destination partition state.
2.2 Computation Tree Logic (CTL)
CTL is a well-established temporal logic formalism for transition systems (Clarke et al.. 1999). The specification is formulat ed by attaching a fini te set of atomic propositions AP to each state in the transition system. Thus . we consider a labelled transit ion system of the form T = (Q,-> , Qo , 2 AP , L ) where L : Q -> 2 AP is a labeling function that assigns to each state in Q a set of atomic propositions that are true for that state. \Ve assume that the transition relation -> is total: that is, for all states q E Q there exists a state q' E Q such that q -> q'.
The folloKing sect ion introduces notation , definitions and background material. Section 3 presents the concept of strong negat ion for ACTL formulas and how it can be used to demonstrate an ACTL expression is not satisfied based on verification of an abstraction of a hybrid system. Section 4 concerns the construc tion of subgraphs for the abstraction that identify the collection of sets that need to be refined when the verificat ion of a quotient system is inconclusive. Section.) illustrates the application of strong negation Kith an example. The concluding section summarizes the contributions of th is paper and discusses directions for further \vork.
A CTL formula consists of temporal operators and the path quantifiers. A temporal operator specifies the system evolution along a single path of the computation tree. There are five basic temporal operators , X (next time). F (i n the future), G (globally ), U (until). and R (release ). The universal and existential path quantifiers. A and E , specify that the path assertion holds along all and some paths in the computation tree. respectively. \\'ell-formed CTL formulas are defined recursi\'ely in terms of its subformulas. For a detailed treat ment of CTL formulas. the reader is referred to (Clarke et al., 1999) . In this paper. we consider a class of CTL formulae called ACTL which allows
2. PRELnn='1ARIES 2.1 Quotient Trans ition Systems Definition 1. A labeled transition system T is a tuple T = ( Q. ~ . Q o,.c , L ), u'here Q is the set of states, ---->;; Q x Q is the set of transitions. Q o ~ Q is the set of initial states. is a countable set of labels. and L : Q -> is the labelling function.
.c
Abstraction-based verification of hybrid systems is based upon a transition-system semantics for hybrid automata (Henzinger , 1996) . A quotient transition system is constructed from a partition of the transition system state space. The partition must be consistent with the labelling function and the initial states in the folloKing sense.
.c
322
only universal assertions (Clarke et al., 1999). The syntax of an ACTL formula 'P is given by
I -,ap I f V f I f 1\ f l AX f i AF f I AG f I A f U f I A f R f. We write T, q F f to mean that the CTL formula f -+ ap
f holds at state q in T , and let SAT (T , J) = {q !T , q F J} denote the set of states for which the CTL formula f is true. This set can be computed using fixed-point iterations that are guaranteed to terminate for finite-state systems (Clarke et al., 1999 ). T will be dropped from these notations when the labelled transition system is clear from the context. The labelled transition system T is said to satisfy a CTL specification f , denoted T F f , if and only if Qo C SAT(T, J).
2.3 Verification Using Quotient Transition Systems The following proposition is the basis for verification of ACTL specifications based on quotient transition systems. Proposition 1. ( Ch utinan and K rogh, 2001) Given a labeled transition system T,an ACTL formula cp , and a consistent partition P, if T / P, P F cp then T , q F 'P for all q E P .
If model checking a QTS does not give a conclusive result, the partition can be refined to see if verification can be achieved with a less conservative QTS. Definition 4. (Refinement of Partitions). Given two partitions PI and P2 of Q , P2 is said to be a refinement of PI if and only if for all P2 E P2 , there exists PI E PI such that P 2 ~ PI·
If P2 is a refinement of PI , for any PI E PI either there exist a P 2 E P2 where PI = P2 or there exist a collection of sets {Pi , ... , P2k} C P2 such that PI = Uf=1 P~. vVe say state PI is refined by P2 for the second case. The refinement induces a surjective mapping Cl' : P 2 -+ PI such that Cl' (P2 ) = PI ~ PI
mula. A counterexample of T for the specification cp is a labelled transition system C such that
(i) C F -''P (ii) T simulates C (Clarke et al., 1999), and therefore T F -'cp. Vie will consider counterexamples constructed from subgraphs of the given transition system , where the graph G of a transition system T = (Q , -+ , Qo. C, L) is G T = (Q, -+), the set of states and transition relation for T. The labelling function and initial states are not included in the definition of the graph of T. 3. ACTL STRO:\G :-JEGATIO:\ This section introduces the concept of ACTL strong n'egation and shows how it can be used to demonstrate an ACTL expression is false based on QTS model checking. The strong negation of an ACTL formula is constructed as follows. Definition 6. Given an ACTL formula f , its strong negation If is defined by the following recursive rules . (i) !ap = ~ap (ii) ! ( ~ap ) = ap (iii) !(fV g ) ='fl\ lg (iv) !(f 1\ g ) ='fv 'g
(v) (vi) (vii) (viii) (ix)
'AX f = AX If 'AF f = AG !f !AG f = AF !f 'A fUg = A If R Ig !A f R 9 = A !f U 'g
Given an ACTL formula f, its strong negation If is also an ACTL formula . This fact can be proved easily by induction on the length of the ACTL formula. This is in contrast to the regular negation -'f , which may be an existential formula. The strong negation !f is called "strong" in the sense that it is the negation of f that applies to all paths in the computation tree. For any state q, t he following proposition states that q Hf implies q F -of. (Proofs of all propositions are given in (Chutinan et aI. , 2004 ) .) Proposition 2. Given a transition system T = ( Q , ~ , Qo , 2AP , L ) and an ACTL formula f , for any state q E Q , if q F'f then q -,f·
F
2 P2
Proposition 3. Given a transition system T, its quotient transition system T / P constructed from a consistent partition P , and an A CTL specification f , if there exists Po E Qo / P such that T / P , Po F!f, then T F f ·
\Vhen the partitions PI , P2 are consistent partitions, the function Cl' defines an abstraction relation between the quotient transition systems T / P I and T / P2 (Clarke et al. , 2003) . To identify a set of states that should be refined when a QTS does not satisfy an ACTL specification, we will use the following definition of a counterexample from (Clarke et aI. , 2002) .
In words , if the strong negation of an ACTL specification is true for any initial state of a QTS, the transition system does not satisfy the specification. Therefore, by augmenting the specification used for model checking a QTS to include the
Definition 5. (Counterexample). Let T be a labelled transition system , and r.p be an ACTL for-
323
strong negation of the specification, the verification process for a hybrid system can terminate with a conclusive negative result in the event that the strong negation of the given ACTL specification is true. The verification procedure using strong negation is illustrated in Fig. 1. In the step "verify rpv 'rp". the term I;; is true iff Qo/ P n S (T / P , ';p ) "# 0. This condition is easily verified by standard model checking since 'rp is an ACTL expression. Fig. 2. \\'itness graph for EF EG~f V EF EG-,g.
all witnesses for the given ECTL formula. The witness graph procedure recursively unwind the subformulas f of 'PE and construct the graph from the states in SAT (T , f).
Fig. 1. Hybrid system verification procedure. (''P is true iff Qo n S (T ''P ) "# 0)
4. COUI\TEREXA!vIPLES A:\D REFIl\EME\,T This section presents a method for identifying the set of QTS states to be refined when model checking of the QTS is inconclusive. We sho\\' that by incorporating the strong negation condit ion the set of to-be-refined states can be reduced. Our approach is motivated by counterexampleguided refinement procedures proposed for finitestate transition systems in (Clarke et aL 2000 ) and (Glusman et a!., 2003 ), for hybrid systems in (Alur et al , 2003 ) and (Clarke et al , 2003 ). In t hese papers , the QTS states to be refined at each iteration are identified from a single given counterexample. Our goal is to identify efficiently all stat es that need to be refined to guarantee t hat a conclusive result can be obtained, if a conclusive result is feasible based on refinement of the current QTS . We achieve this by constructing a subgraph for the QTS such that refinement of any st ate not included in the subgraph will not aid in the verification ; that is , by focusing on particular subgraph (called the refinement graph ), \\'e eliminate states that can be ignored in the refinement procedure. \Ve first consider the construction of a QTS subgraph. called the wi tness graph, which is a graph that represents all possible \\'itnesses for a giyen ECTL formula 'P E· The proposed procedure to obtain the witness graph is given in (Chutinan et aL 2004 ). This procedure is a modification of the witness algorithm com monly used in model checking tools to generate counterexamples. (Clarke et aL 2002 , 1999). The difference is that t he set of trajectories for our wit ness graph contains
324
Example 1. (witness graph ). Figure 2 illustrates the definition of the witness graph. The states labelled f and 9 denote that the atomic proposition f and 9 are true for the states. The ACTL specification AGAF f 1\ AGAFg denotes "On every path in the future , f and 9 are true infinitely often." The specification is false for the transition system, the witness graph of the negation 'P E = EFEG.....,f V EFEG~g are shown as the subgraph with bold lines.
The following proposition shows that the witness graph constructed above serves as a counterexampIe (CE) of the transition system, i.e. , the specification is valid if and only if the witness graph of the negation is empty. Propositi on 4· The wit ness graph for 'PE = is empty iff T f= ;p,4-
~r.pA
A refinement procedure constructs a new partition where one or more st ates is partitioned. An intuitiye implication from Prop. 4 is that the states to be refined can be restricted to the witness graph. (This is proved in (Chutinan et aL 2004). ) In fact . the set of states to be refined can be reduced eyen further by considering the strong negation condition. Consider a subformu la fA of 'PA, we know that its strong negation ''''A is invariant under refinement. Thereby refining these states does no t change the value of the subformula. From the property of the strong negation condition. t he corresponding sub-formula f E of t he negation yE = ~:,:; A is also invariant under refinement. Thus any state for which f E is true remains inside the witness graph after refinement. We can exclude such states from the refinement procedure by incorporating strong negation. The set of states to be refined is reduced from the witness graph to the refinement graph which is defined by the procedure RGraph (T Qo r. S ' (T, j) , j), where f is an ECTL formu la ,
5 '(Tf) ,
=
{0
,if
f EAP;(l)
5. EXA\1PLE
SAT (T, f) \ SAT(T, I ( ~f)) , if f ~ AP.
and RGraph is constructed from the witGraph procedure in (Chutinan et aI., 2004) using 5 ' (T f) to replace 5AT(T f). The function 5' differs from 5AT (T , f) in that it excludes the set of states ",·here 1 ( ~fE) is true. It can be easily seen that
This section demonstrates an application of the ACTL strong negation through a simple application example. The example is implemented in an abstraction-based hybrid system verification tool called CHECKl'vIATE (Chutinan and Krogh , 2001 , 2003 ).
\\"e consider a simplified automotive powertrain model with the transmission held at the first RCraph (T. Qons' (T. n. F ) ~ witCraph(T. Q onSAT(T, n, f) gear. The continuous dynamics of the system is :i; = Ax + b E lR s . The state variables comprising since the 5' (T, f E) function is a subset of 5 AT(T f E) the state vector x are Ts, the drive shaft torque,t', function. To show that the refinement graph conthe vehicle speed , Wt, the engine speed , tps, the tains all the states that need to be refined. we have throttle position , and sin_grade , the sine of the the following proposition. road grade , respectively. The derivatives of tps and sin_grade are set to zero since these are conProposition 5. (Reduced refinement states ). Given stant parameters. Our verification objective is to a transition system T , an ACTL specification 'PA. ensure that the system satisfies the specification consistent partitions PI , P2 , ",'here P 2 refines PI (to be discussed below) over a given set of initial with refinement function a, and T / P1 ~ YA , states. A detail discussion with verification result T / P 2 F= 'P A Let P 2 be the partition containing with CHECKMATE can be found in (Chutinan and the sets p~ defined for each P2 E P2 as Butts, 2002).
(P2 ) ~ RGraph (T / P j , QO / P ln P~_', __ {a (P2 )' Sifo ' (T / Pl ·<'?E ), <'?E) P2 ,
otherwise,
where 'PE = ~'P A , then T / P 2 F= yA By taking advantage of the refinement graph , the set of states to be refined is reduced by the strong negation condition compared with (Chutinan and Krogh , 2001: Clarke et al, 2003). The reduction of states to be refined is illust rated in the following example.
Starting from an initial condition, we would like to ensure that the throttle position provides the vehicle with enough power t o overcome the steepness of t he road grade. For a trajectory starting from any initial condition, if the vehicle reaches the speed of 1 m/ s within l.5 seconds. then the trajectory is a success. If the vehicle reaches the speed of -1 m / s the trajectory is a failure. If the time limit of l.5 seconds has expired before the vehicle reaches the speed of 1 m / s , then the trajectory is a time_limit. Following the discussions above, we write the ACTL speCification for our problem as
AF success 1\ AG
Example 2. Consider again the transition system in example l. The refinement graph for the same specification is shown in Fig. 3. The witness graph in Fig. 2 contains fi\'e states to refine. whereas by incorporating the strong negation condition, the number of states of the witness graph is reduced to three.
~t imeJimit.
The reachability analysis in CHECK.\I.HE yields the quotient transition system shown in Figure 4. Vle note that the quotient transition system in Figure 4 is actually an approximate quotient transition system (A QT5) because CHECKl'vlATE uses reachability approximations to compute the transitions between the partition states (Chutinan and Krogh , 2001 ). T here are three special states in the AQTS corresponding to the terminal states , success and failu re and time limit. The QTS constructed with strong negation checking is shown in Fig. 4. Initial State 2 of the quotient transition system in satisfies the strong negation. Thus, we conclude by Proposition 3 that the original powertrain system does not satisfy the specification and there is no need to refine the quotient transition system . As a comparison CHECK:-'IATE continue to refine the partition. The partit.ion after the 10 iterations is shown in Fig.
Fig. 3. Refinement graph for (.'lGAF f /\ AG.'lFg).
325
International Conference on Tools and Algorithms for the Construction and Analysis of Systems ( TA CAS). Springer, 2003. R. Alur , T . A. Henzinger, G. Lafferriere. and G. J. Pappas . Discrete abstractions of hybrid systems. In F. W . Vaan drager and J . H. Van Schuppen. editors, Proceedings of the IEEE, pages 971 - 84. 2000. A. Chut inan and K. R. Butts . Dynamic analysis of hybrid system models for design valid ation. Technical report . University of California, 2002. A. Chutinan , Z. Han , and B. H. Krogh. Actl strong negation and its applicat ion to hybrid veri fi cation . Technical report, Department of ECE , Carnegie Mellon I,;niversity, 2004 . A. Chutinan and B. H. Krogh . Verification of infi nite-state dynamic systems using approximate quotient transition systems. IEEE Transactions on Automatic Control, 46 (9) :140 1-1410, September 2001. A. Chutinan and B. H. Krogh . Computational techn iques for hybrid system verification . IEEE Transactions on Automatic Control , 48( 1):64- 75, January 2003 . E . Clarke, A . Fehnker, Z . Han , B . H. Krogh , J. Ouaknine , O. Stursberg, and M. Theobald Abst raction and counterexample-guided refinement in model checking of hybrid systems. International Journal of Foundations of Computer Science (IJFCS): Special Issue on Verifi cation and Analysis of Infinit e State Systems, 2003. E . Clarke. O. Grumberg , S. Jha , Y. Lu . and H. Veith. Counterexample-guided abstraction refinement . In Computer-Aided Verification ( CA V), volume 1855 of LNCS, pages 154-169 Springer, 2000. E . Clarke , S. J ha. Y. Lu , and H . Veith. Tree-li ke counterexamples in model checking. In 17th Annual IEEE Symposium on Logic in Computer Science (LCS), pages 19- 29 , 2002. E . ),1. Clarke, O. Grumberg. and D. A. Peled. Model Checking. The MIT Press, Camb ridge, MA, 1999. D. R. Dams , R . Gerth , and O . Grumberg. Generation of reduced models for checking fragments of ctl. In Cost as Courcoubetis , editor, Computer Atded Verification. Berlin , 1993 . number 697 in Lect ure );otes in Computer Science, Springer-Verlag. D . R. Dams , R . Gerth , and O. Grumberg. Abstract interpretation of reacti ve systems . ACM Transactions on Programming Languages and Systems. 19(2 ):253- 91 , March 1997. M. Glusman. G. Kamh i, S )''lador-Haim. R . Fraer, and M. Vardi . ),·f ultiple-counterexample guided iterative abstraction refinement : an industrial evaluation. In 9th International Conference on Tools and A lgorithms for the Construction and Analysis of Systems ( TA CAS). Springer . 2003. P. Godefroid , ),1. Hu th , and R . J agadeesan. Abstractionbased model checking using modal transition systems. In Proceedings of CONCUR '2001 (12 th International Conference on Concurrency Theory j, Aalborg. 2001. Lecture ~otes in Computer Science. Springer-Verlag. P. Godefroid and R . Jagad eesan. Automatic abst raction using gen eralized model check ing. In Proceedings of CA 1,/ '2002 (14th Conference on Computer Aided Verifi cation), Copenhagen. 2002. Lectu re ~otes in Computer Science, Springer-Verlag. T . A. Henzinger. The theory of hybrid automata. In Proceedings of the 11th A nnual Symposium on Logtc in Computer Science , pages 278- 292. IEEE Computer Society Press , 1996. Invited tutorial.
5. The two boundaries from closed-form solution are su perimposed \\'hich partitioned the states into success. time_limit and failure sets. The refinement o f CHECK~IATE is getting close to the boundar ies. however, it will never terminate since the system does not satisfies the specification. T he application of ACTL st r ong negation in th is case has helped avoid unnecessary computations.
,i
. .. :1" '.. ". -
._ ....
~ 'I ~
------"; .. ·· ..
i
....... .
.............
··>·. ·······1··
...... .
....
'".:" ....... ',0)
I;
o.
0'
~A
C· /
00
F ig. 4. QTS constructed using strong negation
,.
,,'
F ig. 5. CHECKMATE Partition a fter iteration 10
6. DISC'L'SS IO :\i This paper introduces the concept of ACTL strong negation that can be applied to a conservative abstraction to draw the conclusion that the underlying system fails a universal specification. As demonstrated in Section 5. ACTL strong negation can help avoid unnecessary refinement computations for the abstraction with respect to the AC TL specification. ACTL strong negation can be used to complement any \'erification procedure that involves abstraction refinement methods such as the counterexample-g71ided refinement ( Clarke et al.. 2000 , 2003 ) . The procedures described in th is paper have been implemented in a ne\\' version of Check\late , an abstraction-based model checker for hybrid systems (Chutinan and Krogh. 2003 ) .
REFERE!\'CES
R. Alur. T. Dang , and F . Ivancic. Counter-example gui ded predicate abstract ion of hybrid systems. In 9th
326
ELSEVIER
IFAC PUBLICATIONS www.elsevier.comfloc3lelifac
ACTL STRONG NEGATION AND ITS APPLICATION TO HYBRID SYSTEM VERIFICATION Alongkrit Chutinan' Zhi Han •• Bruce H. Krogh ••
• Fabrinet Co., Ltd., 294 Moo 8, Vibhavadi Rangsit Rd. , K ookot.. Lumlookka, Patumthanee 12130. Thailand ac4c~ece.cmu.edu
•• Dept. of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA 15213. USA {zhihlkrogh}~ece.cmu.edu
Abstract: Model checking procedures for verifying properties of hybrid dynamic systems are based on the construction of finite-state abstractions. If the property is not satisfied by the abstraction , the verification is inconclusive and the abstraction needs to be refined so that a less conservative model can be checked. If the hybrid system does not satisfy' the property, this verify-refine procedure will usually not terminate. This paper introduces the concept of strong negation for ACTL as an auxiliary condition that can be verified to obtain a conclusive negative verification result from a finite-state abstraction in certain cases. A method for identifying a sufficient set of states to be refined when the verification is inconclusive is also presented. The concepts are illustrated with an example. Copyright © 2004 IFAC Keywords: Verification, hybrid system . model checking, abstraction , refinement
1. E\TRODl"CTIO:\
case , the only recourse is to refine the abstraction and try again with the hope that eventually an abstraction \vill be constructed for which the specification is true (Chutinan and Krogh. 2003 ).
A standard approach to hybrid system verification is to construct a fini t e-state abstraction (usually a quotient of the hybrid system) and apply model checking. That is, a conservatiw discrete model is constructed so that methods for verifying properties of discrete state systems can be applied to hybrid dynamic systems. The main restriction in this approach is that only universal properties can be verified, such as properties specified by the temporal logic ACTL. If the specification is true for the abstraction , it is true for the hybrid system since all possible hybrid trajectories are accounted for in the conservative abstraction. If the model checker returns a negati\'e result. one is assured the specification is false for the hybrid system only if the abstraction is a bisimulation of the hybrid system (Alur et aI. , 2000). As this is rarely the
Although the literature reports many successful applications of this approach to hybrid systems with non-trivial continuous dynamics (at least one success per tool), it is disconcerting that the refinement process will never terminate if the hybrid system really doesn't satisfy the specification. The concept of strong negation int roduced in this paper aims to offer some relief in this situation. In certain cases , checking the st rong negation condit ion will allow an abstraction-based verification tool to terminate with a conclusive negati\'e result. even if the abstraction is not a bisimulation of the hybrid system.
321
If no conclusive result is found , the abstraction must be refined. Often counterexamples (CEs ) are useful in the refinement procedure. The counterexample-guided refinement method for software systems has been studied in (Clarke et al.. 2000: Glusman et al., 2003). For verification of hybrid systems , methods based on the same idea have been proposed in (Clarke et aI., 2003 ) and (Alur et al.. 2003). In this paper we show that the strong negation condition can help to reduce the search space in the counterexampleguided abstraction refinement procedure. :-1ethods based on abstractions which 'strongly preserve' certain class of properties have been proposed for l1-calculus (Dams et al., 1997), for fractions of CTL* (Dams et al., 1993 ) and for modal transition systems (Godefroid et al.. 2001: Godefroid and Jagadeesan , 2002 ). Those techniques define tKO types of transitions in the abstract system: must - (or constrained ) t ransitions and may- (or free ) transitions. By distinguishing the two types of transitions in the model checking algorithm. conclusive negative results can be obtained for the concrete system . This technique is not applicable for ve rification of hybrid syst ems , hOKever, since the discrete abst rac tion of a hybrid system is based on reachability analysis for the continuous dynamics (Alur et al., 2000: Chutinan and Krogh , 2001 ), \"'here , in the terminology of (Godefroid et al. , 2001 ), all the t ransitions are may- transitions. To construct the must - transitions for a hybrid dynamical system, the post condition of each abstract state would have to be computed , which involves the most expensive computation in the verification procedure .
Definition 2. Given a labelled transition system T = (Q , -> , Qo , .c, L ), a partition P of Q is said to be consistent if and only if for all PEP and for all q, q' E P , L (q) = L (q' ) and q E Qo <===? q' E Qo· D efinition 3. ( Quotient Transition System) (QTS) Given a labelled transition system T = (Q , -> , Qo , .c, L ) and a consistent partition P of Q. the quotient transition system of T is defined as T / P = (P , ->p , Qo / P , .c , Lp ), where
(i) for all PP' E P , P ->p P' iff there exist q E P and q' E p i such that q -> q': (ii) Qo / P = {P E P I P ~ Qo}; and (iii) for all PEP , Lp (P ) = L (q) for some q E P. In words , a partition state in the QTS can make a transition to another partition state if one of its element states can make a transition to another element state in the destination partition state.
2.2 Computation Tree Logic (CTL)
CTL is a well-established temporal logic formalism for transition systems (Clarke et al.. 1999). The specification is formulat ed by attaching a fini te set of atomic propositions AP to each state in the transition system. Thus . we consider a labelled transit ion system of the form T = (Q,-> , Qo , 2 AP , L ) where L : Q -> 2 AP is a labeling function that assigns to each state in Q a set of atomic propositions that are true for that state. \Ve assume that the transition relation -> is total: that is, for all states q E Q there exists a state q' E Q such that q -> q'.
The folloKing sect ion introduces notation , definitions and background material. Section 3 presents the concept of strong negat ion for ACTL formulas and how it can be used to demonstrate an ACTL expression is not satisfied based on verification of an abstraction of a hybrid system. Section 4 concerns the construc tion of subgraphs for the abstraction that identify the collection of sets that need to be refined when the verificat ion of a quotient system is inconclusive. Section.) illustrates the application of strong negation Kith an example. The concluding section summarizes the contributions of th is paper and discusses directions for further \vork.
A CTL formula consists of temporal operators and the path quantifiers. A temporal operator specifies the system evolution along a single path of the computation tree. There are five basic temporal operators , X (next time). F (i n the future), G (globally ), U (until). and R (release ). The universal and existential path quantifiers. A and E , specify that the path assertion holds along all and some paths in the computation tree. respectively. \\'ell-formed CTL formulas are defined recursi\'ely in terms of its subformulas. For a detailed treat ment of CTL formulas. the reader is referred to (Clarke et al., 1999) . In this paper. we consider a class of CTL formulae called ACTL which allows
2. PRELnn='1ARIES 2.1 Quotient Trans ition Systems Definition 1. A labeled transition system T is a tuple T = ( Q. ~ . Q o,.c , L ), u'here Q is the set of states, ---->;; Q x Q is the set of transitions. Q o ~ Q is the set of initial states. is a countable set of labels. and L : Q -> is the labelling function.
.c
Abstraction-based verification of hybrid systems is based upon a transition-system semantics for hybrid automata (Henzinger , 1996) . A quotient transition system is constructed from a partition of the transition system state space. The partition must be consistent with the labelling function and the initial states in the folloKing sense.
.c
322
only universal assertions (Clarke et al., 1999). The syntax of an ACTL formula 'P is given by
I -,ap I f V f I f 1\ f l AX f i AF f I AG f I A f U f I A f R f. We write T, q F f to mean that the CTL formula f -+ ap
f holds at state q in T , and let SAT (T , J) = {q !T , q F J} denote the set of states for which the CTL formula f is true. This set can be computed using fixed-point iterations that are guaranteed to terminate for finite-state systems (Clarke et al., 1999 ). T will be dropped from these notations when the labelled transition system is clear from the context. The labelled transition system T is said to satisfy a CTL specification f , denoted T F f , if and only if Qo C SAT(T, J).
2.3 Verification Using Quotient Transition Systems The following proposition is the basis for verification of ACTL specifications based on quotient transition systems. Proposition 1. ( Ch utinan and K rogh, 2001) Given a labeled transition system T,an ACTL formula cp , and a consistent partition P, if T / P, P F cp then T , q F 'P for all q E P .
If model checking a QTS does not give a conclusive result, the partition can be refined to see if verification can be achieved with a less conservative QTS. Definition 4. (Refinement of Partitions). Given two partitions PI and P2 of Q , P2 is said to be a refinement of PI if and only if for all P2 E P2 , there exists PI E PI such that P 2 ~ PI·
If P2 is a refinement of PI , for any PI E PI either there exist a P 2 E P2 where PI = P2 or there exist a collection of sets {Pi , ... , P2k} C P2 such that PI = Uf=1 P~. vVe say state PI is refined by P2 for the second case. The refinement induces a surjective mapping Cl' : P 2 -+ PI such that Cl' (P2 ) = PI ~ PI
mula. A counterexample of T for the specification cp is a labelled transition system C such that
(i) C F -''P (ii) T simulates C (Clarke et al., 1999), and therefore T F -'cp. Vie will consider counterexamples constructed from subgraphs of the given transition system , where the graph G of a transition system T = (Q , -+ , Qo. C, L) is G T = (Q, -+), the set of states and transition relation for T. The labelling function and initial states are not included in the definition of the graph of T. 3. ACTL STRO:\G :-JEGATIO:\ This section introduces the concept of ACTL strong n'egation and shows how it can be used to demonstrate an ACTL expression is false based on QTS model checking. The strong negation of an ACTL formula is constructed as follows. Definition 6. Given an ACTL formula f , its strong negation If is defined by the following recursive rules . (i) !ap = ~ap (ii) ! ( ~ap ) = ap (iii) !(fV g ) ='fl\ lg (iv) !(f 1\ g ) ='fv 'g
(v) (vi) (vii) (viii) (ix)
'AX f = AX If 'AF f = AG !f !AG f = AF !f 'A fUg = A If R Ig !A f R 9 = A !f U 'g
Given an ACTL formula f, its strong negation If is also an ACTL formula . This fact can be proved easily by induction on the length of the ACTL formula. This is in contrast to the regular negation -'f , which may be an existential formula. The strong negation !f is called "strong" in the sense that it is the negation of f that applies to all paths in the computation tree. For any state q, t he following proposition states that q Hf implies q F -of. (Proofs of all propositions are given in (Chutinan et aI. , 2004 ) .) Proposition 2. Given a transition system T = ( Q , ~ , Qo , 2AP , L ) and an ACTL formula f , for any state q E Q , if q F'f then q -,f·
F
2 P2
Proposition 3. Given a transition system T, its quotient transition system T / P constructed from a consistent partition P , and an A CTL specification f , if there exists Po E Qo / P such that T / P , Po F!f, then T F f ·
\Vhen the partitions PI , P2 are consistent partitions, the function Cl' defines an abstraction relation between the quotient transition systems T / P I and T / P2 (Clarke et al. , 2003) . To identify a set of states that should be refined when a QTS does not satisfy an ACTL specification, we will use the following definition of a counterexample from (Clarke et aI. , 2002) .
In words , if the strong negation of an ACTL specification is true for any initial state of a QTS, the transition system does not satisfy the specification. Therefore, by augmenting the specification used for model checking a QTS to include the
Definition 5. (Counterexample). Let T be a labelled transition system , and r.p be an ACTL for-
323
strong negation of the specification, the verification process for a hybrid system can terminate with a conclusive negative result in the event that the strong negation of the given ACTL specification is true. The verification procedure using strong negation is illustrated in Fig. 1. In the step "verify rpv 'rp". the term I;; is true iff Qo/ P n S (T / P , ';p ) "# 0. This condition is easily verified by standard model checking since 'rp is an ACTL expression. Fig. 2. \\'itness graph for EF EG~f V EF EG-,g.
all witnesses for the given ECTL formula. The witness graph procedure recursively unwind the subformulas f of 'PE and construct the graph from the states in SAT (T , f).
Fig. 1. Hybrid system verification procedure. (''P is true iff Qo n S (T ''P ) "# 0)
4. COUI\TEREXA!vIPLES A:\D REFIl\EME\,T This section presents a method for identifying the set of QTS states to be refined when model checking of the QTS is inconclusive. We sho\\' that by incorporating the strong negation condit ion the set of to-be-refined states can be reduced. Our approach is motivated by counterexampleguided refinement procedures proposed for finitestate transition systems in (Clarke et aL 2000 ) and (Glusman et a!., 2003 ), for hybrid systems in (Alur et al , 2003 ) and (Clarke et al , 2003 ). In t hese papers , the QTS states to be refined at each iteration are identified from a single given counterexample. Our goal is to identify efficiently all stat es that need to be refined to guarantee t hat a conclusive result can be obtained, if a conclusive result is feasible based on refinement of the current QTS . We achieve this by constructing a subgraph for the QTS such that refinement of any st ate not included in the subgraph will not aid in the verification ; that is , by focusing on particular subgraph (called the refinement graph ), \\'e eliminate states that can be ignored in the refinement procedure. \Ve first consider the construction of a QTS subgraph. called the wi tness graph, which is a graph that represents all possible \\'itnesses for a giyen ECTL formula 'P E· The proposed procedure to obtain the witness graph is given in (Chutinan et aL 2004 ). This procedure is a modification of the witness algorithm com monly used in model checking tools to generate counterexamples. (Clarke et aL 2002 , 1999). The difference is that t he set of trajectories for our wit ness graph contains
324
Example 1. (witness graph ). Figure 2 illustrates the definition of the witness graph. The states labelled f and 9 denote that the atomic proposition f and 9 are true for the states. The ACTL specification AGAF f 1\ AGAFg denotes "On every path in the future , f and 9 are true infinitely often." The specification is false for the transition system, the witness graph of the negation 'P E = EFEG.....,f V EFEG~g are shown as the subgraph with bold lines.
The following proposition shows that the witness graph constructed above serves as a counterexampIe (CE) of the transition system, i.e. , the specification is valid if and only if the witness graph of the negation is empty. Propositi on 4· The wit ness graph for 'PE = is empty iff T f= ;p,4-
~r.pA
A refinement procedure constructs a new partition where one or more st ates is partitioned. An intuitiye implication from Prop. 4 is that the states to be refined can be restricted to the witness graph. (This is proved in (Chutinan et aL 2004). ) In fact . the set of states to be refined can be reduced eyen further by considering the strong negation condition. Consider a subformu la fA of 'PA, we know that its strong negation ''''A is invariant under refinement. Thereby refining these states does no t change the value of the subformula. From the property of the strong negation condition. t he corresponding sub-formula f E of t he negation yE = ~:,:; A is also invariant under refinement. Thus any state for which f E is true remains inside the witness graph after refinement. We can exclude such states from the refinement procedure by incorporating strong negation. The set of states to be refined is reduced from the witness graph to the refinement graph which is defined by the procedure RGraph (T Qo r. S ' (T, j) , j), where f is an ECTL formu la ,
5 '(Tf) ,
=
{0
,if
f EAP;(l)
5. EXA\1PLE
SAT (T, f) \ SAT(T, I ( ~f)) , if f ~ AP.
and RGraph is constructed from the witGraph procedure in (Chutinan et aI., 2004) using 5 ' (T f) to replace 5AT(T f). The function 5' differs from 5AT (T , f) in that it excludes the set of states ",·here 1 ( ~fE) is true. It can be easily seen that
This section demonstrates an application of the ACTL strong negation through a simple application example. The example is implemented in an abstraction-based hybrid system verification tool called CHECKl'vIATE (Chutinan and Krogh , 2001 , 2003 ).
\\"e consider a simplified automotive powertrain model with the transmission held at the first RCraph (T. Qons' (T. n. F ) ~ witCraph(T. Q onSAT(T, n, f) gear. The continuous dynamics of the system is :i; = Ax + b E lR s . The state variables comprising since the 5' (T, f E) function is a subset of 5 AT(T f E) the state vector x are Ts, the drive shaft torque,t', function. To show that the refinement graph conthe vehicle speed , Wt, the engine speed , tps, the tains all the states that need to be refined. we have throttle position , and sin_grade , the sine of the the following proposition. road grade , respectively. The derivatives of tps and sin_grade are set to zero since these are conProposition 5. (Reduced refinement states ). Given stant parameters. Our verification objective is to a transition system T , an ACTL specification 'PA. ensure that the system satisfies the specification consistent partitions PI , P2 , ",'here P 2 refines PI (to be discussed below) over a given set of initial with refinement function a, and T / P1 ~ YA , states. A detail discussion with verification result T / P 2 F= 'P A Let P 2 be the partition containing with CHECKMATE can be found in (Chutinan and the sets p~ defined for each P2 E P2 as Butts, 2002).
(P2 ) ~ RGraph (T / P j , QO / P ln P~_', __ {a (P2 )' Sifo ' (T / Pl ·<'?E ), <'?E) P2 ,
otherwise,
where 'PE = ~'P A , then T / P 2 F= yA By taking advantage of the refinement graph , the set of states to be refined is reduced by the strong negation condition compared with (Chutinan and Krogh , 2001: Clarke et al, 2003). The reduction of states to be refined is illust rated in the following example.
Starting from an initial condition, we would like to ensure that the throttle position provides the vehicle with enough power t o overcome the steepness of t he road grade. For a trajectory starting from any initial condition, if the vehicle reaches the speed of 1 m/ s within l.5 seconds. then the trajectory is a success. If the vehicle reaches the speed of -1 m / s the trajectory is a failure. If the time limit of l.5 seconds has expired before the vehicle reaches the speed of 1 m / s , then the trajectory is a time_limit. Following the discussions above, we write the ACTL speCification for our problem as
AF success 1\ AG
Example 2. Consider again the transition system in example l. The refinement graph for the same specification is shown in Fig. 3. The witness graph in Fig. 2 contains fi\'e states to refine. whereas by incorporating the strong negation condition, the number of states of the witness graph is reduced to three.
~t imeJimit.
The reachability analysis in CHECK.\I.HE yields the quotient transition system shown in Figure 4. Vle note that the quotient transition system in Figure 4 is actually an approximate quotient transition system (A QT5) because CHECKl'vlATE uses reachability approximations to compute the transitions between the partition states (Chutinan and Krogh , 2001 ). T here are three special states in the AQTS corresponding to the terminal states , success and failu re and time limit. The QTS constructed with strong negation checking is shown in Fig. 4. Initial State 2 of the quotient transition system in satisfies the strong negation. Thus, we conclude by Proposition 3 that the original powertrain system does not satisfy the specification and there is no need to refine the quotient transition system . As a comparison CHECK:-'IATE continue to refine the partition. The partit.ion after the 10 iterations is shown in Fig.
Fig. 3. Refinement graph for (.'lGAF f /\ AG.'lFg).
325
International Conference on Tools and Algorithms for the Construction and Analysis of Systems ( TA CAS). Springer, 2003. R. Alur , T . A. Henzinger, G. Lafferriere. and G. J. Pappas . Discrete abstractions of hybrid systems. In F. W . Vaan drager and J . H. Van Schuppen. editors, Proceedings of the IEEE, pages 971 - 84. 2000. A. Chut inan and K. R. Butts . Dynamic analysis of hybrid system models for design valid ation. Technical report . University of California, 2002. A. Chutinan , Z. Han , and B. H. Krogh. Actl strong negation and its applicat ion to hybrid veri fi cation . Technical report, Department of ECE , Carnegie Mellon I,;niversity, 2004 . A. Chutinan and B. H. Krogh . Verification of infi nite-state dynamic systems using approximate quotient transition systems. IEEE Transactions on Automatic Control, 46 (9) :140 1-1410, September 2001. A. Chutinan and B. H. Krogh . Computational techn iques for hybrid system verification . IEEE Transactions on Automatic Control , 48( 1):64- 75, January 2003 . E . Clarke, A . Fehnker, Z . Han , B . H. Krogh , J. Ouaknine , O. Stursberg, and M. Theobald Abst raction and counterexample-guided refinement in model checking of hybrid systems. International Journal of Foundations of Computer Science (IJFCS): Special Issue on Verifi cation and Analysis of Infinit e State Systems, 2003. E . Clarke. O. Grumberg , S. Jha , Y. Lu . and H. Veith. Counterexample-guided abstraction refinement . In Computer-Aided Verification ( CA V), volume 1855 of LNCS, pages 154-169 Springer, 2000. E . Clarke , S. J ha. Y. Lu , and H . Veith. Tree-li ke counterexamples in model checking. In 17th Annual IEEE Symposium on Logic in Computer Science (LCS), pages 19- 29 , 2002. E . ),1. Clarke, O. Grumberg. and D. A. Peled. Model Checking. The MIT Press, Camb ridge, MA, 1999. D. R. Dams , R . Gerth , and O . Grumberg. Generation of reduced models for checking fragments of ctl. In Cost as Courcoubetis , editor, Computer Atded Verification. Berlin , 1993 . number 697 in Lect ure );otes in Computer Science, Springer-Verlag. D . R. Dams , R . Gerth , and O. Grumberg. Abstract interpretation of reacti ve systems . ACM Transactions on Programming Languages and Systems. 19(2 ):253- 91 , March 1997. M. Glusman. G. Kamh i, S )''lador-Haim. R . Fraer, and M. Vardi . ),·f ultiple-counterexample guided iterative abstraction refinement : an industrial evaluation. In 9th International Conference on Tools and A lgorithms for the Construction and Analysis of Systems ( TA CAS). Springer . 2003. P. Godefroid , ),1. Hu th , and R . J agadeesan. Abstractionbased model checking using modal transition systems. In Proceedings of CONCUR '2001 (12 th International Conference on Concurrency Theory j, Aalborg. 2001. Lecture ~otes in Computer Science. Springer-Verlag. P. Godefroid and R . Jagad eesan. Automatic abst raction using gen eralized model check ing. In Proceedings of CA 1,/ '2002 (14th Conference on Computer Aided Verifi cation), Copenhagen. 2002. Lectu re ~otes in Computer Science, Springer-Verlag. T . A. Henzinger. The theory of hybrid automata. In Proceedings of the 11th A nnual Symposium on Logtc in Computer Science , pages 278- 292. IEEE Computer Society Press , 1996. Invited tutorial.
5. The two boundaries from closed-form solution are su perimposed \\'hich partitioned the states into success. time_limit and failure sets. The refinement o f CHECK~IATE is getting close to the boundar ies. however, it will never terminate since the system does not satisfies the specification. T he application of ACTL st r ong negation in th is case has helped avoid unnecessary computations.
,i
. .. :1" '.. ". -
._ ....
~ 'I ~
------"; .. ·· ..
i
....... .
.............
··>·. ·······1··
...... .
....
'".:" ....... ',0)
I;
o.
0'
~A
C· /
00
F ig. 4. QTS constructed using strong negation
,.
,,'
F ig. 5. CHECKMATE Partition a fter iteration 10
6. DISC'L'SS IO :\i This paper introduces the concept of ACTL strong negation that can be applied to a conservative abstraction to draw the conclusion that the underlying system fails a universal specification. As demonstrated in Section 5. ACTL strong negation can help avoid unnecessary refinement computations for the abstraction with respect to the AC TL specification. ACTL strong negation can be used to complement any \'erification procedure that involves abstraction refinement methods such as the counterexample-g71ided refinement ( Clarke et al.. 2000 , 2003 ) . The procedures described in th is paper have been implemented in a ne\\' version of Check\late , an abstraction-based model checker for hybrid systems (Chutinan and Krogh. 2003 ) .
REFERE!\'CES
R. Alur. T. Dang , and F . Ivancic. Counter-example gui ded predicate abstract ion of hybrid systems. In 9th
326