ACTL strong negation and its application to hybrid systems verification

ACTL strong negation and its application to hybrid systems verification

ARTICLE IN PRESS Control Engineering Practice 14 (2006) 1259–1267 www.elsevier.com/locate/conengprac ACTL strong negation and its application to hyb...

343KB Sizes 2 Downloads 99 Views

ARTICLE IN PRESS

Control Engineering Practice 14 (2006) 1259–1267 www.elsevier.com/locate/conengprac

ACTL strong negation and its application to hybrid systems verification$ Zhi Hana,, Alongkrit Chutinanb, Bruce H. Krogha a

Department of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA, USA b The MathWorks, Inc., 3 Apple Hill Dr, Natick, MA 01760-2098, USA Available online 20 March 2006

Abstract Model checking procedures for verifying properties of hybrid dynamic systems are based on the construction of finite-state abstractions. If the property is not satisfied by the abstraction, the verification is inconclusive and the abstraction needs to be refined so that a less conservative model can be checked. If the hybrid system does not satisfy the property, this verify–refine procedure usually will not terminate. This paper introduces the concept of strong negation for ACTL formulas as an auxiliary condition that can be verified to obtain a conclusive negative verification result from a finite-state abstraction in certain cases. The concepts are illustrated with an example from automotive powertrain control. r 2006 Elsevier Ltd. All rights reserved. Keywords: Verification; Hybrid systems; Model checking; Abstraction

1. Introduction Recently, there has been a considerable interest in extending methods for formal verification of discrete systems, such as digital circuit designs, to control systems with hybrid dynamics. The goal of formal verification is to demonstrate that a specification for the system is satisfied for all possible system behaviors, starting from a given set of initial conditions and possibly for ranges of system parameters. Because the sets of reachable states for continuous dynamic systems can only be approximated in most cases, current methods for hybrid system verification will usually not terminate when a specification is not satisfied. Thus, current methods can provide positive verification results, but will not provide negative results. This paper presents a method for discovering when a specification will fail using existing tools by augmenting the $ A preliminary version of this paper appeared in the Preprints of the IFAC-Conference Workshop on Discrete Event Systems, Reims, France, September 2004. Corresponding author. E-mail addresses: [email protected] (Z. Han), [email protected] (A. Chutinan), [email protected] (B.H. Krogh).

0967-0661/$ - see front matter r 2006 Elsevier Ltd. All rights reserved. doi:10.1016/j.conengprac.2006.02.009

given specification with an additional term called the strong negation of the specification. The standard approach to hybrid system verification is to construct a finite-state abstraction so that methods for verifying properties of discrete state systems can be applied to hybrid dynamic systems (Alur, Henzinger, Lafferriere, & Pappas, 2000; Chutinan & Krogh, 2001). The main restriction in this approach is that only universal properties can be verified. A universal property is a property that is asserted over all possible behaviors of the system. For example, the statement that ‘‘the speed of the car remains between the lower and upper speed limits for all possible trajectories’’ is a universal property. Various topics devoted to universal properties can be found in the formal verification literature. In particular, this paper focuses on the universal properties specified by a class of computation tree logic (CTL) called ACTL (Clarke, Grumberg, & Peled, 1999). For a universal property, if the specification is true for the abstraction, it is true for the hybrid system, since all possible hybrid trajectories are accounted for in the conservative abstraction. If the model checker returns a negative result, one is assured the specification is false for the hybrid system only if the abstraction is an absolute equivalent representation, called a bisimulation, of the

ARTICLE IN PRESS 1260

Z. Han et al. / Control Engineering Practice 14 (2006) 1259–1267

original hybrid system (Alur et al., 2000). As this is rarely the case, the only recourse is to refine the abstraction; that is, to make the abstraction less conservative, and then try again with the hope that eventually an abstraction will be constructed for which the specification is true. In certain cases, checking the strong negation condition introduced in this paper will allow an abstraction-based verification tool to terminate with a conclusive negative result, even if the abstraction is not a bisimulation of the hybrid system. Methods based on abstractions which ‘‘strongly preserve’’ certain classes of properties have been proposed for various verification frameworks (Dams, Gerth, & Grumberg, 1997, 1993; Godefroid, Huth, & Jagadeesan, 2001; Godefroid & Jagadeesan, 2002). These frameworks have two types of transitions in the abstraction: must-transitions and may-transitions. A transition in the abstraction is a must-transition if there exists at least one corresponding actual transition in the underlying system, otherwise it is labeled as a may-transition, where the corresponding transition may or may not exist in the actual system. By distinguishing the two types of transitions in the algorithm, conclusive negative results can be obtained for the system. This technique is not applicable for verification of hybrid systems, however, since the finite-state abstraction of a hybrid system is based on reachability analysis for the continuous dynamics (Alur et al., 2000; Chutinan & Krogh, 2001), where all transitions are may-transitions. To construct the must-transitions for a hybrid dynamic system, the set of states reachable from each abstract state has to be computed, which is the most expensive computation in the verification procedure because it involves the computation of sets of reachable states for continuous dynamic systems. For background, the following section describes CHECKMATE, a MATLAB-based tool for hybrid system verification. Section 3 introduces the basic definitions used in formal verification. Section 4 presents strong negation for ACTL formulas and shows how it can be used to demonstrate how an ACTL expression is not satisfied based on verification of an abstraction of a hybrid system. Section 5 illustrates the application of strong negation to provide conclusive negative results. The concluding section summarizes the contributions of this paper and discusses directions for further work. 2. Hybrid system verification using CHECKMATE This section introduces CHECKMATE, a tool developed at Carnegie Mellon University to perform simulation and formal verification of hybrid dynamical systems (Chutinan & Krogh, 2003; Silva, Richeson, Krogh, & Chutinan, 2000). CHECKMATE is developed in the MATLAB-SIMULINK environment. In contrast to tools like HYTECH (Alur, Henzinger, & Ho, 1996), where only linear hybrid automata are considered, CHECKMATE verifies hybrid system models with linear or nonlinear continuous dynamics and polyhedral guard conditions. CHECKMATE

models assume urgent semantics: if one of the polyhedral thresholds is enabled, the system makes a switch immediately. Due to the complexity in polyhedra computation, CHECKMATE has been limited to hybrid dynamic systems with order less than 6. The CHECKMATE software and its document are available at http://www.ece.cmu.edu/ webk/checkmate. Hybrid systems are modeled in CHECKMATE using SIMULINK block diagrams, and formal specifications of desired properties are expressed as ACTL formulas (defined in Section 3). The basic structure of a CHECKMATE model is a closed loop consisting of a switched continuous system block (SCSB), a set of polyhedral threshold blocks (PTHBs) and a finite state machine block (FSMB). The following paragraphs describe these blocks. An SCSB models the continuous dynamics of the hybrid system. The continuous dynamics in CHECKMATE are modeled with state equations of the form x_ ¼ f d ðxÞ, where d is the discrete mode of the system. To model the switching behavior of the hybrid system, the SCSB block has a input port d which is the discrete state of the hybrid model. For different values of the discrete states, the SCSB selects different sets of ODEs. The discrete state input is generated from the FSMB (described below). PTHBs represent convex polyhedral sets described by fxjCxpdg. CHECKMATE models hybrid systems that switch when the state reaches boundaries of polyhedral sets in the state space. An FSMB models the switching scheme of the hybrid systems using a STATEFLOW chart. The inputs to the chart are the events generated by PTHBs. The outputs of the chart are the discrete states, which govern the switching of the SCSB. The verification procedure of CHECKMATE is based on approximating the infinite-state transition system using the abstraction framework called the approximate quotient transition system (QTS) (Chutinan & Krogh, 2001). Flowpipes are the sets of states reachable along trajectories starting from a given set of initial states. The boundaries of the polyhedral thresholds are partitioned into polyhedral regions that represent the set of states reached by the flowpipe. The computations of reachable states (flowpipes) continues until all reachable boundaries have been partitioned. This creates the initial QTS. The QTS is discussed in Section 3. Fig. 1a shows an overview of the CHECKMATE verification procedure. Given an ACTL formula j and a CHECKMATE model, CHECKMATE first converts the model into an equivalent hybrid automaton model (Henzinger, 1996). Then an initial partition of the hybrid automaton is computed using flow-pipe computations (Chutinan & Krogh, 2003). The QTS is then verified against the given ACTL specification j using standard model checking techniques for finite transition systems (Clarke et al., 1999). If the verification fails due to the coarseness of the partition for the QTS, the partition is refined to get a tighter approximation. The process can be repeated until the QTS

ARTICLE IN PRESS Z. Han et al. / Control Engineering Practice 14 (2006) 1259–1267

1261

Fig. 2. Example of (a) a transition system, (b) a computation tree, and (c) a quotient transition system.

Fig. 2a shows an example of a transition system with Q ¼ fu0 ; u1 ; u2 ; u3 g, Q0 ¼ fu0 g, and L ¼ 2fa;b;c;d;eg . The transitions between the states are indicated by the arrows. Each state is also labeled by a subset of the label set L. This subset of labels represents the set of properties that are true for the state. Definition 2. Given a labeled transition system T ¼ ðQ; !; Q0 ; L; LÞ, a partition P of Q is said to be consistent if and only if for all P 2 P and for all q; q0 2 P, LðqÞ ¼ Lðq0 Þ and q 2 Q0 () q0 2 Q0 .

Fig. 1. Overview of the CHECKMATE verification procedure. (a) Original CHECKMATE verification procedure without ACTL strong negation; (b) CHECKMATE verification procedure with ACTL strong negation.

satisfies the specification or the user terminates the verification procedure. 3. Transition systems and ACTL specifications Abstraction-based verification of hybrid systems is based upon a transition-system semantics for hybrid automata (Henzinger, 1996). A QTS is constructed from a partition of the state space of a given transition system. The partition must be consistent with the labeling function and the initial states. These concepts are defined formally as follows. Definition 1. A labeled transition system T is a tuple T ¼ ðQ; !; Q0 ; L; LÞ, where Q is the set of states, ! Q  Q is the set of transitions, Q0  Q is the set of initial states, L is a countable set of labels, and L : Q ! L is the labeling function.

Definition 3 (QTS, Henzinger, 1995). Given a labeled transition system T ¼ ðQ; !; Q0 ; L; LÞ and a consistent partition P of Q, the QTS of T is defined as T=P ¼ ðP; !P ; Q0 =P; L; LP Þ, where (i) for all P; P0 2 P, P!P P0 iff there exist q 2 P and q0 2 P0 such that q ! q0 ; (ii) Q0 =P ¼ fP 2 PjP  Q0 g; and (iii) for all P 2 P, LP ðPÞ ¼ LðqÞ for some q 2 P. Fig. 2c shows an example of a quotient transition system for the transition system in Fig. 2a constructed from the partition P ¼ fP0 ; P1 ; P2 g where P0 ¼ fu0 g, P1 ¼ fu1 ; u3 g, and P2 ¼ fu2 g. Note that the partition P is consistent since all states contained in each Pi have the same labels and the initial state set is partitioned separately from non-initial states. As Fig. 2c also illustrates, a partition state in the QTS can make a transition to another partition state if one of its element states can make a transition to another element state in the destination partition state. CTL is a well-established temporal logic formalism for transition systems (Clarke et al., 1999). The specification is

ARTICLE IN PRESS Z. Han et al. / Control Engineering Practice 14 (2006) 1259–1267

1262

formulated by attaching a finite set of atomic propositions (AP) to each state in the transition system. Thus, we consider a labeled transition system of the form T ¼ ðQ; !; Q0 ; 2AP ; LÞ, where L : Q ! 2AP is the labeling function that assigns to each state in Q a set of atomic propositions that are true for that state. The example in Fig. 2a is already in the form required by the CTL formalism. Under the CTL formalism, the system evolutions are characterized by the unfolding of the transition system into a computation tree. The computation tree for the transition system in Fig. 2a is shown in Fig. 2b. A CTL formula specifies the system behaviors in terms of the atomic propositions along the paths in the computation tree. There are two basic types of operators in a CTL formula, the temporal operators and the path quantifiers. A temporal operator specifies the system evolution along a single path of the computation tree. The five temporal operators are X, F, G, U, and R. The operator X (‘‘next time’’) asserts that a property holds at the next state along the path. The operator F (‘‘in the future’’) asserts that a property holds at some future state along the path (including the current state). The operator G (‘‘globally’’) asserts that a property holds globally, i.e. at every state along the path. The operator U (‘‘until’’) involves two properties: the assertion f U g requires that g holds at some state along the path (including the current state) and that f holds at every state along the path prior to the occurrence of g. The operator R (‘‘release’’) is the logical dual of the U operator: the assertion f R g requires that g holds along the path up to and including the first state where f holds. In other words, g is ‘‘released’’ when f holds. The property f is not required to hold eventually, however. The path quantifiers are used to identify the scope of the property specified by the temporal operators. The universal and existential path quantifiers, A and E, specify that the path assertion holds along all and some paths, respectively, starting from a given state in the computation tree. Well-formed CTL formulas are defined recursively in terms of subformulas by the grammar

u2 repeating forever) clearly satisfies this formula, and therefore we write u0  EF EG e. Finally, we write u0 jAF e because the property e is never true for the cyclic path u0 u1 u3 . . . (with the pattern u0 u1 u3 repeating forever). Let SAT ðT; f Þ denote fqjT; q  f g, the set of states for which the CTL formula f is true. This set can be computed using fixed-point iterations that are guaranteed to terminate for finite-state systems (Clarke et al., 1999). The labeled transition system T is said to satisfy a CTL specification f, denoted T  f , if and only if Q0  SATðT; f Þ. In this paper, we consider a class of CTL formulae called ACTL, which allows only universal assertions (Clarke et al., 1999). The syntax of an ACTL formula is given by f ! apj:apjf _ f jf ^ f jAXf jAFf jAG f jA f U f jAf R f . The following proposition is the basis for verification of ACTL specifications based on quotient transition systems. Proposition 1 (Clarke et al., 1999). Given a labeled transition system T, an ACTL formula j, and a consistent partition P, if T=P; P  j then T; q  j for all q 2 P. If model checking a QTS does not give a conclusive result, the partition can be refined to see if verification can be achieved with a less conservative QTS. Definition 4 (Refinement of partitions). Given two partitions P1 and P2 of Q, P2 is said to be a refinement of P1 if and only if for all P2 2 P2 , there exists P1 2 P1 such that P2  P1 . If P2 is a refinement of P1 , for any P1 2 P1 either there exist a P2 2 P2 where P1 ¼ P2 or thereSexist a collection of sets fP12 ; . . . ; Pk2 g  P2 such that P1 ¼ ki¼1 Pi2 . We say state P1 is refined by P2 for the second case. The refinement induces a surjective mapping a : P2 ! P1 such that aðP2 Þ ¼ P1 ) P1  P2 . When the partitions P1 ; P2 are consistent partitions, the function a defines an abstraction relation between the quotient transition systems T=P1 and T=P2 (Clarke et al., 2003).

f ! apj:f jf _ f jf ^ f jAX f jAF f jAG f jA f U f jA f R f jEX f jEF f jEG f jE f U f jE f R f , where ap denotes an atomic proposition. We let Fj denote the set of subformulas for a given CTL formula j. We write T; q  f and T; qjf to mean that the CTL formula f holds and does not hold at state q in T, respectively. T is dropped from these notations when the labeled transition system is clear from the context. A few examples follow to illustrate the use of this notation for the transition system T in Fig. 2a. We write u0  EX d because there exists a path from u0 such that d is true in the next step, namely the path from u0 to u1 . The formula EF EG e reads ‘‘there exists a path leading to another path in the future such that e is true forever’’. The path u0 u2 u2 . . . (with

4. Strong negation This section introduces the concept of ACTL strong negation and shows how it can be used to demonstrate an ACTL expression is false based on QTS model checking. The concept of strong negation is best explained with an example. Consider the ACTL formula AGap, where ap is an atomic proposition. Recall that AGap means that ap is true at every state along all trajectories. The standard negation :AGap means that there exists at least one trajectory that reaches a state at which ap is not true, which is equivalent to the CTL statement EG:ap. Note that this means :AGap is not equivalent to an ACTL formula. The strong negation of AGap, denoted !AGap, means that along all trajectories there is a state at which ap is not true.

ARTICLE IN PRESS Z. Han et al. / Control Engineering Practice 14 (2006) 1259–1267

This statement is equivalent to the ACTL expression AF:ap. The strong negation of any ACTL formula is defined as follows. Definition 5. Given an ACTL formula f, its strong negation !f is defined by the following recursive rules: (i) (ii) (iii) (iv) (v) (vi) (vii) (viii) (ix)

!ap ¼ :ap, !ð:apÞ ¼ ap, !ðf _ gÞ ¼ !f ^ !g, !ðf ^ gÞ ¼ !f _ !g, !AX f ¼ AX !f , !AF f ¼ AG !f , !AG f ¼ AF !f , !A f Ug ¼ A !f R !g, !A f R g ¼ A !f U !g.

Given an ACTL formula f, the above definition implies its strong negation !f is also an ACTL formula. This fact can be proved easily by induction on the length of the ACTL formula. This is in contrast to the regular negation :f , which is an existential formula, and is therefore not an ACTL statement. The strong negation !f is called ‘‘strong’’ in the sense that it is the negation of f that applies to all paths in the computation tree. We now develop the application of strong negation for model checking. The following proposition states that for any state q, q  !f implies q  :f . In other words, strong negation (which can be checked using ACTL model checking) implies standard negation (which cannot be checked using ACTL model checking). Proposition 2. Given a transition system T ¼ ðQ; !; Q0 ; 2AP ; LÞ and an ACTL formula f, for any state q 2 Q, if q  !f then q  :f . Proof. See the Appendix. The following proposition provides the basis for using strong negation in hybrid system model checking. In words, it states that if the strong negation of an ACTL specification is true for any initial state of a QTS, the transition system does not satisfy the specification. Proposition 3. Given a transition system T, its quotient transition system T=P constructed from a consistent partition P, and an ACTL specification f, if there exists P0 2 Q0 =P such that T=P; P0  !f , then T 0 jf . Proof. Since !f is an ACTL formula, we have by Proposition 1 that T=P; P0  !f implies T; q0  !f for some q0 2 P0 . By Proposition 2, we have that T; q0  :f , or T; q0 jf . Since q0 2 P0  Q0 by Definition 3, we have that T 0 jf . & This result is applied as follows. Given an ACTL specification f, the specification is augmented to include the strong negation of the specification, that is, the specification given to the model checker is f _ !f , which

1263

is an ACTL expression. The verification process for a hybrid system can then terminate with a conclusive negative result in the event that the strong negation of the given ACTL specification is true. The CHECKMATE verification procedure using strong negation is illustrated in Fig. 1b. In the step ‘‘verify j _ !j’’, the term !j is true iff Q0 =P \ SAT ðT=P; !jÞa;. This condition is easily verified by standard model checking since !j is an ACTL expression. 5. Example This section illustrates the application of the ACTL strong negation. The example is part of an industrial application of hybrid system formal verification to automobile powertrain design validation (Chutinan & Butts, 2002). The problem under consideration is: given a nominal powertrain model configuration, find the range of parameter values for throttle position, tps, and the constant grade, grade, that yields a positive steady-state vehicle speed. The problem is important because its solution is useful for a number of other design validation problems. The reader is referred to Chutinan and Butts (2002) for a complete discussion on the verification problem and modeling of the physical system. To reduce the computational complexity, the dynamic model of the powertrain control system is simplified to retain only the parts that are related to the problem. Since shifting of the transmission is not of interest in this problem, we assume that the transmission is locked at the first gear and discard the dynamics corresponding to the transmission system. As a result, the original multi-modal hybrid system model is reduced to a simplified affine dynamic model of the automotive powertrain. The continuous dynamics of the system is x_ ¼ Ax þ b, where 3 2 6:74 21:75 81:27 0 0 7 6 6 1:77 0 0 0 9:50 7 7 6 7 6 6 0 0 28:06 0 7 A ¼ 6 19:92 7, 7 6 6 0 0 0 0 0 7 5 4 0 0 0 0 0 2 3 3 2 T 0 s 6 7 7 6 7 6 6 0 7 v 7 7 6 6 7 7 6 6 7. 7 6 6 o b ¼ 6 4:96 7; x ¼ 6 t 7 7 7 6 6 7 6 6 0 7 tps 5 5 4 4 sin_grade 0 The state variables comprising the state vector x are: T s , the drive shaft torque; v, the vehicle speed; ot , the engine speed; tps, the throttle position; and sin_grade, the sine of the road grade. The state variables tps and sin_grade are constant parameters (derivatives set to zero) added to the state equations to allow analysis of the automobile

ARTICLE IN PRESS 1264

Z. Han et al. / Control Engineering Practice 14 (2006) 1259–1267

response over a range of possible throttle angle and road grade values. Our verification objective is to ensure that the system satisfies the specification (to be discussed below) over the following range of initial states: 0:05pT s p0:05 ð1000 NmÞ, veh_speed ¼ 0 ðm=sÞ, 0:5pot p0:7 ð100 rad=sÞ, 0ptpsp1 ð100 %Þ, sinð0Þpsin_gradepsinð0:5Þ. Starting from an initial condition, we would like to ensure that the throttle position provides the vehicle with enough power to overcome the steepness of the road grade. To capture this requirement, we build the CHECKMATE model shown in Fig. 3a. The affine continuous dynamics is implemented in the continuous system block dynamics. Two threshold blocks, positive_speed and negative_speed,

with the guard conditions shown in Fig. 3b along with the finite-state machine block monitor whose detail is shown in Fig. 3c, are used to implement the following trajectory acceptance criteria for the specification. For a trajectory starting from any initial condition satisfying the constraints given above, if the vehicle reaches the speed of 1 m=s within 1:5 s, then the trajectory is a success. If the vehicle reaches the speed of 1 m=s, then the trajectory is a failure. If 1:5 s has expired before the vehicle reaches the speed of 1 m=s, the trajectory is said to reach the time limit. In the example, a trajectory reaches the time limit is also regarded as a bad design. Note that the system is an affine dynamic system, it is modeled as a hybrid dynamic system in CHECKMATE only to encode the specification to verify this part of the model. Also note that the guard condition for the 1.5-s time limit is missing from the CHECKMATE model. Typically, a timer t with the derivative t_ ¼ 1 must be added to the system states to enable the user to make an assertion about time. Doing so will increase the computation time for verification, however, since the timer will increase the dimension of the system. Fortunately, since all computation in our model stops after the first threshold is reached, we can check to see if the 1.5-s time limit is reached by simply setting the CHECKMATE parameter max_time, which represents the time limit for the reachability computation, to 1:5 s. CHECKMATE will report if max_time is reached. The ACTL specification for our problem is then AF success ^ AG:time_limit.

Fig. 3. CHECKMATE model for the simplified powertrain system with state machine for monitoring success or failure of the initial condition.

Note that for the CHECKMATE model of this example an equivalent way to specify the property is AG:failure ^ AG:time_limit. The specification requires that the finite-state machine, called a monitor, eventually enters the state success and that the reachability analysis from any partition state is conclusive before the time limit is reached. CHECKMATE uses polyhedra to represent the partition states in the QTS. The approximation parameters are set so that the polytopes in the continuous state space are never split in the T s , v, and ot directions. Fig. 4 shows the 3-D projection of the initial partition of the 5-D initial condition set generated by CHECKMATE. This 3-D projection completely represents the 5-D partition since v ¼ 0 and 0:5pot p0:7 for all of the polytopes in the partition. Moreover, we will only show the projections of the partition onto the (tps,sin_grade) plane in the sequel to further simplify the visualization of our results since the polytopes are never split in the T s direction. The reader is encouraged to keep Fig. 4 in mind when viewing the 2-D projection results. The reachability analysis in CHECKMATE yields the QTS shown in Fig. 5. We note that the QTS in Fig. 5 is actually an approximate QTS because CHECKMATE uses reachability approximations to compute the transitions between the partition states (Chutinan & Krogh, 2001). There are two special states in the QTS corresponding to the terminal states in Fig. 3c, success and failure. There is also one other

ARTICLE IN PRESS Z. Han et al. / Control Engineering Practice 14 (2006) 1259–1267

special state, time limit, which corresponds to the case where the reachability computation in CHECKMATE is terminated by the time limit. The strong negation of the ACTL specification is AG:success _ AF time_limit. We see that initial state 2 of the quotient transition system in Fig. 5 satisfies the strong negation. Thus, we conclude by Proposition 3 that the original powertrain system does not satisfy the specification and there is no need to refine the quotient transition system. The application of ACTL strong negation in this case has helped avoid unnecessary computations since the original implementation of CHECKMATE would continue to refine the partition without ever concluding that the system fails the ACTL specification.

1265

To further demonstrate the application of ACTL strong negation, we note that even though the system does not satisfy the specification for the entire set of the initial conditions as originally stated, there may still exist subsets of initial conditions that satisfy the specification. In other words, the system may still be able to meet the specification with tighter constraints on the initial conditions. Thus, one may continue with successive abstraction refinements even though the verification has failed in an attempt to identify a ‘‘good’’ set of initial conditions for the system operation. In the context of our example, we would like to find ranges of tps and sin_grade such that the vehicle can climb up the grade successfully. After 10 iterations of refinements, CHECKMATE produces the partition for the initial condition set shown in Fig. 6. The initial condition set is gradually separated in each iteration into three regions, namely the 0.5 0.45 Iteration 10 0.4

sin(grade)

0.35

failure

0.3 0.25 0.2

time limit

0.15 0.1

success

0.05 0

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

tps Fig. 4. Complete partition in 3-D for the initial condition set in iteration 0. Fig. 6. Partition for initial condition set in iteration 10.

failure 0.5 0.45 0.4 2

sin(grade)

0.35

4

0.3 0.25

time limit

0.2 0.15 1

3

0.1 0.05 0

5

0

0.1

0.2

6

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

tps

success Fig. 5. Partition for initial condition set in iteration 0.

1

ARTICLE IN PRESS 1266

Z. Han et al. / Control Engineering Practice 14 (2006) 1259–1267

regions that go to the states failure, time limit, and success, respectively. Driven by the ACTL specification, the initial states that will be refined in the next iteration, called the tobe-refined (TBR) states, are the ones that stretch across the boundary between any two of the three regions. In Fig. 6, TBR states are depicted by the lightly shaded rectangles. We note that the initial states that lie completely above the boundary of the success region satisfy the ACTL strong negation since they can never reach the state success. Consequently, the refinement of these states would not yield a better approximation for the boundary between the ‘‘good’’ (success) and the ‘‘bad’’ (time limit and failure) initial states. We see that strong negation eliminates a great deal of unnecessary refinements by comparing Fig. 6, which was generated by CHECKMATE without using strong negation, with Fig. 5, which is the result using strong negation. 6. Discussion This paper presents the new concept of ACTL strong negation that can be applied to a conservative abstraction of a hybrid system to draw the conclusion that the underlying system fails a universal specification. As demonstrated in Section 5, ACTL strong negation can help to avoid unnecessary refinement computations for the abstraction with respect to the ACTL specification. The procedures described in this paper have been implemented in a new version of CHECKMATE, an abstraction-based model checker for hybrid systems (Chutinan & Krogh, 2003). As illustrated by the example in Section 5, strong negation can reduce significantly the number of iterations needed to verify that a specification is false. Methods for reducing iterations in hybrid system verification are critical for practical applications because the computation times for each iteration can be several minutes, even for relatively simple systems. Our current research is focusing on additional methods for reducing the complexity of hybrid system verification and the application of these methods to systems of industrial interest. Appendix. Proof of Proposition 2 The reader is referred to Clarke et al. (1999) for the CTL identities used in this proof, e.g. A f R g :E½:f U:g . Proof. We prove this by induction on the length of the ACTL formula f. Basis step: ACTL formulae of the shortest length are f ¼ ap and f ¼ :ap where ap 2 AP. In these cases, the proposition is trivially true since !f ¼ :f . Inductive step: Suppose the proposition holds for all subformulas g and h, we show that the proposition also holds for any formula f produced by any production in the ACTL grammar.

(i) f ¼ g _ h. In this case, !f ¼ !g ^ !h. Thus, q  !f implies that q  !g and q  !h. By the inductive assumption, q  :g and q  :h. Thus, q  :g ^ :h, or equivalently, q  :f . (ii) f ¼ g ^ h. This follows by a similar argument to case (i). For the rest of the productions, we consider any path q0 q1 q2 . . . in T starting with q0 ¼ q. (iii) f ¼ AX g. In this case, q  !f implies that q  AX !g. Thus, q1  !g. By the inductive assumption, q1  :g. Consequently, q  EX :g, or equivalently, q  :f . (iv) f ¼ AF g. In this case, q  !f implies that q  AG !g. Thus, qj  !g for all jX0. By the inductive assumption, qj  :g for all jX0. Consequently, q  EG :g, or equivalently, q  :f . (v) f ¼ AG g. In this case,q  !f implies that q  AF !g. Thus, qk  !g for some kX0. By the inductive assumption, qk  :g. Consequently, q  EF :g, or equivalently, q  :f . (vi) f ¼ A gU h. In this case, it is easier to show that q  !f implies q  :f by contrapositive, i.e. we show that q  f implies q  :ð!f Þ. Suppose that q  f , then qk  h for some kX0 and qj  g for all 0pjok. By the contrapositive of the inductive assumption, qk  :ð!hÞ and qj  :ð!gÞ for all 0pjok. Consequently, q  E :ð!gÞU :ð!hÞ. Since E :ð!gÞU :ð!hÞ ¼ :ðA !gR !hÞ, we have that q  :ð!f Þ. (vii) f ¼ A gR h. In this case, q  !f implies that q  A !gU !h. Thus, qk  !h for some kX0 and qj  !g for all 0pjok. By the inductive assumption, qk  :h and qj  :g for all 0pjok. Consequently, q  E :gU :h, or equivalently, q  :f . &

References Alur, R., Henzinger, T. A., & Ho, P.-H. (1996). Automatic symbolic verification of embedded systems. IEEE Transactions on Software Engineering, 22(3), 181–201. Alur, R., Henzinger, T. A., Lafferriere, G., & Pappas, G. J. (2000). Discrete abstractions of hybrid systems. In F.W. Vaandrager, & J.H.V. Schuppen (Eds.), Proceedings of the IEEE (pp. 971–984). Chutinan, A., & Butts, K. R. (2002). Dynamic analysis of hybrid system models for design validation. Technical report, University of California. Chutinan, A., & Krogh, B. H. (2001). Verification of infinite-state dynamic systems using approximate quotient transition systems. IEEE Transactions on Automatic Control, 46(9), 1401–1410. Chutinan, A., & Krogh, B. H. (2003). Computational techniques for hybrid system verification. IEEE Transactions on Automatic Control, 48(1), 64–75. Clarke, E., Fehnker, A., Han, Z., Krogh, B. H., Ouaknine, J., Stursberg, O., et al. (2003). Abstraction and counterexample-guided refinement in model checking of hybrid systems. International journal of foundations of computer science (IJFCS): Special issue on verification and analysis of infinite state systems. 14(4), 583–604. Clarke, E. M., Grumberg, O., & Peled, D. A. (1999). Model checking. Cambridge, MA: MIT Press. Dams, D. R., Gerth, R., & Grumberg, O., 1993. Generation of reduced models for checking fragments of ctl. In C. Courcoubetis (Ed.), Computer aided verification. Lecture notes in computer science (Vol. 697). Berlin: Springer.

ARTICLE IN PRESS Z. Han et al. / Control Engineering Practice 14 (2006) 1259–1267 Dams, D. R., Gerth, R., & Grumberg, O. (1997). Abstract interpretation of reactive systems. ACM Transactions on Programming Languages and Systems, 19(2), 253–291. Godefroid, P., Huth, M., & Jagadeesan, R. (2001). Abstraction-based model checking using modal transition systems. In Proceedings of CONCUR’2001 (12th international conference on concurrency theory). Lecture notes in computer science. Aalborg: Springer. Godefroid, P., & Jagadeesan, R., 2002. Automatic abstraction using generalized model checking. In Proceedings of CAV’2002 (14th conference on computer aided verification). Lecture notes in computer science. Copenhagen: Springer.

1267

Henzinger, T. A. (1995). Hybrid automata with finite bimulations. In Z. Fu¨lo¨p, & F. Ge´cseg (Eds.), ICALP 95: Automata, languages and programming (pp. 324–335). Berlin: Springer. Henzinger, T. A. (1996). The theory of hybrid automata. In Proceedings of the 11th annual symposium on logic in computer science (pp. 278–292). Silver Spring, MD: IEEE Computer Society Press invited tutorial. Silva, B. I., Richeson, K., Krogh, B. H., & Chutinan, A. (2000). Modeling and verification of hybrid dynamical system using CHECKMATE. In ADPM2000: The fourth international conference of automation of mixed processes.