HRELTL: A temporal logic for hybrid systems

Information and Computation 245 (2015) 54–71

Contents lists available at ScienceDirect

Information and Computation www.elsevier.com/locate/yinco

HRELTL: A temporal logic for hybrid systems Alessandro Cimatti, Marco Roveri, Stefano Tonetta ∗ Fondazione Bruno Kessler, via Sommarive 18, Trento, Italy

a r t i c l e

i n f o

Article history: Received 28 February 2014 Received in revised form 15 October 2014 Available online 23 June 2015 Keywords: Temporal logic Hybrid traces SAT SMT

a b s t r a c t Hybrid traces are useful to describe behaviors of dynamic systems where continuous and discrete evolutions are combined. The ability to represent sets of traces by means of formulas in temporal logic has recently found important applications in various fields, such as requirements analysis, compositional verification, and contract-based design. In this paper we present HRELTL, a temporal logic to characterize hybrid traces. The logic is highly expressive: it allows the description of continuous behaviors, by expressing mathematical constraints over derivatives, and discrete behaviors, by constraining values of variables across instantaneous transitions. HRELTL combines the power of temporal operators and regular expressions, and enjoys important properties such as sampling invariance. We demonstrate that the satisfiability problem for a fragment of HRELTL allows for a satisfiability-preserving reduction to RELTL(RA), a logic over discrete traces with atoms in non-linear Real Arithmetic for which automated reasoning procedures are being developed. © 2015 Elsevier Inc. All rights reserved.

1. Introduction Requirements have a fundamental role in the development of safety-critical systems. Their quality, formalization, validation, and refinement have started to emerge as pervasive problems in the design of complex systems. According to some NASA studies [50,51], many software bugs can be traced back to flaws in requirements. Also the European Railway Agency (ERA) [34] and the European Space Agency (ESA) [35], in the last years, issued different calls to tenders focused on the formalization, validation, and refinement of requirements (see, e.g., [37] and [41]). The need for design approaches that rely on formal properties is continuously increasing. In the hardware sector, property-based specification languages (e.g. PSL [33], SVA [68]) have been defined and are increasingly used in practice, in various phases of the development process [10,14,49]. This is made possible by a wealth of results in (finite-state) temporal logic, and the by availability of techniques [9–11,30,31,56,66,69] together with suitable tools [12,15,19] for temporal satisfiability and model checking, which provide a substantial technological basis. Many real-world domains (e.g. railway, space, industrial control), however, cannot be suitably modeled as finite-state. The requirements are intended to constrain the evolution over time of a combination of discrete and continuous variables. The formal modeling of requirements for such hybrid domains in the form of temporal logic poses substantial challenges: on the one side, the evolution over continuous time calls for a high degree of expressiveness; on the other side, the high expressiveness leads to highly intractable problems.

*

Corresponding author. E-mail addresses: [email protected] (A. Cimatti), [email protected] (M. Roveri), [email protected] (S. Tonetta). URLs: https://es.fbk.eu/people/cimatti (A. Cimatti), https://es.fbk.eu/people/roveri (M. Roveri), https://es.fbk.eu/people/tonetta (S. Tonetta).

http://dx.doi.org/10.1016/j.ic.2015.06.006 0890-5401/© 2015 Elsevier Inc. All rights reserved.

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

55

In this paper, we are interested in exploring formal methods for property-based design, where behaviors of hybrid systems are expressed as formulas in temporal logics. We make two key contributions. First, we define a suitable logic for the representation of requirements in hybrid domains. The logic, called Hybrid Linear Temporal Logic with Regular Expressions (HRELTL), is interpreted over hybrid traces. This allows the evaluation of constraints on continuous evolutions as well as discrete changes. The basic atoms (predicates) of the logic include continuous variables and their derivatives over time, and are interpreted over time intervals. This is known to be a nontrivial issue: see for instance [32,48,55] for a discussion on which type of intervals and hybrid traces must be considered. The semantics relies on the assumption of finite variability, such that each interval of a hybrid trace can be split if it does not have a uniform evaluation of predicates in the temporal formulas under analysis (cf. [32,55]). Particular attention has been paid to make sure that the semantics of the formulas is independent from such splitting (sample invariance) [32]. The logic encompasses regular expressions and linear-time operators. Suitable choices have been made to interpret the “next” operator and regular expressions over the time intervals. We then focus on the polynomial fragment of HRELTL, which restricts the constraints on derivatives to linear constraints on the derivatives of the same order. Although this fragment cannot express general linear differential equations, by expressing linear constraints over the derivatives of continuous variables, it is able to capture typical requirements of embedded systems. In fact, in many cases, the specific definition of the dynamics (e.g., a braking curve) is part of the system design, but not of the system requirements, which instead define just the intended purpose of the dynamics (e.g., to stop in time). Second, we define a translation method for automated verification. The translation maps the satisfiability problem for the polynomial fragment of HRELTL into an equi-satisfiable problem in RELTL(RA), a logic for discrete traces over real-valued variables (i.e., the discrete-time formula is satisfiable if and only if the original formula is satisfiable). Within the scope of the translation, if the formula is satisfiable, then there exists a piecewise-polynomial solution. In the translation, the behavior continuity over the hybrid trace is encoded into a set of additional quantifier-free constraints on the corresponding discrete traces. The result has non-negligible practical implications. Indeed, the equi-satisfiable RELTL(RA) obtained from the translation can in turn be reduced to a fair reachability problem for an infinite-state transition system by means of extended automata-theoretic techniques. This makes it possible to apply techniques for model checking of infinite-state systems, e.g. based on Satisfiability Modulo Theories [15,21]. Our work has been inspired by and applied within the EuRailCheck project, funded by the European Railway Agency in response to the ITT [38]. The aim of the project was to develop a methodology supported by a tool for the validation of requirements in railway domains. Within the project, we collaborated with domain experts in a team that tackled the formalization of substantial fragments of the European Train Control System (ETCS) specification. With regard to the hybrid aspects of ETCS requirements, the formalization and the validation were based on a subset of the language and techniques described in this paper, and were successfully applied by the domain experts [18,25]. The HRELTL logic has also been used in the European ARTEMIS project SafeCer [65] for developing a contract-based framework for compositional verification and reuse of components. The tool OCRA [20] supports such framework using LTL or HRELTL as specification language for the contracts. The tool and the HRELTL logic have been also used within the FoReVer [41] project, and validated by the industrial partners within the space domain. Note that these works have been so far limited to the linear fragment of HRELTL presented in [27]. This paper extends [27] to the polynomial fragment. Structure of the paper. In Section 2 we describe the applicative and representational challenges. In Section 3 we discuss RELTL(RA). In Section 4 we define the syntax and semantics of HRELTL. In Section 5 we present the reduction from HRELTL to RELTL(RA), and prove the equi-satisfiability property. In Section 6 we discuss the related work. In Section 7 we draw some conclusions, and outline directions for future work. 2. Motivations In this section, we motivate our work along two dimensions: the challenges for the representation of hybrid real-world domains, and the property-based design flows that apply satisfiability checking. 2.1. Properties for complex hybrid systems The representation of temporally extended behaviors of hybrid systems [45] by means of properties poses multiple challenges. First of all, we inherit all the issues of the discrete setting, as tackled for example in the setting of assertion-based hardware design with languages such as SVA (System Verilog Assertions) [68] and PSL (Property Specification Language) [33]. These languages include important features, most notably a combination of temporal operators [62] and regular expressions. In the hybrid case, the logic must be able to represent the behaviors of a physical system evolving over continuous time, and its interactions with a digital component. Example 1. We consider a paradigmatic example inspired by the ETCS specification [36] (see Fig. 1). We reason about a train connected in a closed loop with a computer-based discrete control system. The train is characterized by position, speed and acceleration. The controller fixes the acceleration. The train is subject to a speed limit, which may change depending on the position of the train. The train is allowed to go above the given speed limit. However, if it remains above it for a given amount of time, then it is required that the speed is reduced until it halts.

56

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

Fig. 1. Example of behavior related to the ETCS specification. On left, the speed limit V L is plotted against the position x of the train. On the right, the position x and the speed x˙ are plotted against time.

The first challenge is to represent the complex dynamics over continuous variables, such as speed, position, and acceleration. This requires the ability to explicitly reference derivatives at various degrees, for example to express nonlinear relations, or differential equations. Given that we are dealing with continuous variables (e.g. position and speed), which are clearly related, we may expect a number of “obvious” properties. For example, that if speed is first below the limit, and later above it, there must be a point in time when it is equal to the speed limit. It must be possible to specify whether variables are continuous. For example, position and speed are, while acceleration can have instantaneous changes (e.g. breaking starts) in response to an instantaneous mode transition. Another example of instantaneous change is, for example, the fact that the speed limit varies depending on the position of the train switching from zone to zone. It should be possible to represent time elapse, and to model timers, clocks and stopwatches. We may also need to represent the monitoring of conditions (whether the speed is above limit), to trigger instantaneous transitions, and to measure the duration of intervals where such conditions hold. Notice that the speed limit depends on the position (represented in Fig. 1, left, in the position/velocity space), and thus only indirectly on time (Fig. 1, right). The evolution of continuous and discrete dynamics are intertwined: for example, the discrete changes in acceleration are determined by mode changes in the control, e.g. by the activation of the breaking system, triggered in turn by the timer reaching a given threshold. 2.2. Temporal satisfiability for property-based design Requirements validation. Flaws in the requirements may have severe consequences in the later stages of the development [50,51]. Requirements validation (i.e. showing that the requirements capture the design intent) is widely acknowledged as a problem by industry [38]. Increasing interest is being shown towards formal methods for requirements [29,39,60,63]. In such approaches, referred to as property-based, the requirements are represented as statements in some temporal logics. This allows a correspondence between the informal requirements and the formal statement, and gives the ability to reason at the level of abstraction of the requirements engineer. Typical analysis functionalities include the ability to check whether the specification is consistent, whether it is strict enough to rule out some undesirable behaviors, and whether it is weak enough not to rule out some desirable scenarios. These analysis functionalities can in turn be obtained by reduction to temporal logics satisfiability [60]. Consider an informal specification Req1 , . . . , Reqn , formalized as φ1 , . . . , φn . The absence of contradictions is specified  as i.e. it does forbid some undesirable i φi being satisfiable. In order to check whether a specification is strict enough,  behavior ¬α , we can check whether i φi → α is valid (alternatively, whether i φi ∧ ¬α is unsatisfiable). Finally, in order to check  if the specification is sufficiently permissive, i.e. it does not forbid some desirable behavior β , we can check that the i φi ∧ β is satisfiable. This approach is implemented in the RAT tool for requirements analysis [10]. Assume-guarantee reasoning. Temporal satisfiability plays a role in the assume-guarantee approach to property verification [1,57]. The starting point is a global verification task M | φ , i.e. checking whether the system M entails a property φ . Based on decomposition of M into a composition M 1 ×. . .× M n of interconnected components, the idea of assume-guarantee reasoning is to identify a set of suitable properties φ1 , . . . , φn that, if satisfied locally on each M i , entail the overall property φ . We trade M | φ for a number of local (hopefully simpler) verification tasks M 1 | φ1 , . . . , M n | φn . In addition, it is necessary to prove that a combination of the local properties is sufficient to entail the global property. Formally, this can be sees as (φ1 , . . . , φn ) | φ , where  defines the combination of the local properties. For example, if the M i components are asynchronously composed, then the  operator must take into account the interleaving of the models. The problem can be reduced to checking a validity problem (i.e. (φ1 , . . . , φn ) → φ ), which in turn amounts to checking whether the formula (φ1 , . . . , φn ) ∧ ¬φ is unsatisfiable. Contract-based design. Contract-based design, first conceived for software specifications [58] and now also applied to embedded systems (cfr. e.g., [7,8]), structures the component properties into contracts. A contract specifies the properties assumed to be satisfied by the component environment (assumptions), and the properties guaranteed by the component in response (guarantees). Contract-based reasoning closely follows the stepwise refinement, provides a clean framework for compositional verification of the global properties of a system, and enables the principled reuse of trusted components.

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

57

In the contract framework proposed in [28], assumptions and guarantees are specified as temporal formulas. Let component C ◦ be decomposed into C 1 × . . . × C n . Each component C i is associated with contract  A i , G i , with A i , G i sets of temporal formulas. Checking the correctness of contracts refinement is supported by generating a set of sufficient and necessary conditions. These proof obligations are temporal logic formulas obtained from assumptions and guarantees, so that they are valid if and only if the contracts refinement is correct. More formally,  A ◦ , G ◦  is correctly refined by  A 1 , G 1 , . . . ,  An , G n  iff the following proof obligations hold:

( A 1 → G 1 ), . . . , ( An → G n ) | ( A ◦ → G ◦ ) A ◦ , ( A 2 → G 2 ), . . . , ( A n → G n ) | A 1

... A ◦ , ( A 1 → G 1 ), . . . , ( A i −1 → G i −1 ),

( A i +1 → G i +1 ) . . . , ( An → G n ) | A i ... A ◦ , ( A 1 → G 1 ), . . . , ( A n−1 → G n−1 ) | A n . 3. RELTL modulo real arithmetic 3.1. RELTL(RA): syntax RELTL is a logic extracted from PSL [33], formally defined for examples in [14,26]. It combines LTL [62] with regular expressions. Here, we define RELTL(RA), an extension of RELTL beyond the Boolean case. There are two key variations. The first one is that we have individual variables that are interpreted over the domain of real numbers (denoted by R), and a first-order signature composed of arithmetic constants (from R), the functional symbols + and ·, and the relational symbols = and <. Atoms are built by applying relational symbols to terms. The second extension is to allow for terms built by applying a next operator to individual variables, so that it is possible to predicate in the same atom over the value of individual variables in the current and next time point. We work in the setting of Satisfiability Modulo Theory (SMT) [6], and we call the logic RELTL(RA) (for RELTL modulo Real Arithmetic). Hereafter we consider the set of variables V as the union of V B ∪ V R . Definition 1. Let v ∈ V R be an individual real variable and b ∈ V B be a Boolean variable. Let c ∈ R be a constant. An Atomsra defined as follows:

α is

t ::= c | v | next( v ) | t + t | t · t

α ::= b | t = t | t < t | t > t | t ≤ t | t ≥ t Let us define Semi-Extended Regular Expressions (SERE), i.e., standard regular expressions extended with the conjunction operator. Definition 2. Let α ∈ Atomsra be an atom. A SERE r is defined as follows:

r ::=

α |  | r ∗ | r ; r | r | r | r && r

Definition 3. Let α ∈ Atomsra be an atom and r be a SERE. An RELTL(RA) formula β is defined as follows:

β ::= α | ¬β | β ∧ β | X β | β U β | r 3→ β The X (“next-time”) and the U (“until”) operators are the standard temporal operators from LTL. The 3→ (“suffix conjunction”) operator combines a SERE with another temporal formula. We refer to V as “current state” variables. As usual, we use the “primed” notation V for the set of variables obtained by applying the next operator to the variables in V . We write φ( V ) for an expression φ that contains current state variables only, and φ( V , V ) if it also contains next state variables. We write φ[ V / V ] to denote the expression obtained by parallel substitution of each variable v ∈ V occurring in φ with next( v ).

58

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

We also use the following standard abbreviations:

= ˙ p ∨ ¬p

⊥= ˙ ¬

ϕ1 ∨ ϕ2 = ˙ ¬(¬ϕ1 ∧ ¬ϕ2 ) Fϕ= ˙ Uϕ ˙ ¬(¬ϕ1 U ¬ϕ2 ) ϕ1 R ϕ2 =

ϕ1 → ϕ2 = ˙ ¬ϕ1 ∨ ϕ2 Gϕ= ˙ ¬ F ¬ϕ ϕ1 W ϕ2 = ˙ ϕ1 U ϕ2 ∨ G ϕ1 r |→ ϕ = ˙ ¬r 3→ ¬ϕ

r+ = ˙ r; r∗ r! = ˙ r 3→ 

Example 2. The RELTL(RA) formula G ((x = 0; x = 0; x = 0) |→ F ((a; b; c )!)) specifies that any sequence of three 0 values of x is followed eventually by sequence a; b; c. The RELTL(RA) formula G (angry → (x = 0 ∧ ((next(x) = x + 1 && x ≤ 10 && ¬speak)∗)!)) specifies that whenever angry is true x is reset and used to count to 10 before speak can be true. 3.2. RELTL(RA): semantics We interpret RELTL(RA) terms and atoms according to the standard first-order semantics J K, restricted to the structure of real arithmetic ra = ˙ R, +, ·, <. With a slight abuse of notation, we use c for Jc Kra for all c ∈ R, + for J+Kra , · for J·Kra . An assignment for V = V B ∪ V R is a function μ mapping each b ∈ V B to B, and each v ∈ V R to R. We denote by ( V ) the set of assignments to V . Given an atom α ( V ), we write μ |ra α to denote that μ satisfies α . We write μ for the assignment over V such that μ (next( v )) = μ( v ) for all v ∈ V . Given an atom α ( V , V ), we write μ ∪ μ |ra α to denote that the union of μ and μ (seen as union of functions with disjoint domains) satisfies α . RELTL(RA) is interpreted over discrete traces, suitably generalized to deal with real-valued variables. A discrete trace over V is an infinite sequence of assignments for V , i.e. σ : N → ( V ). For all i ≥ 0, we denote by σ[i ] the i + 1-th element of the sequence σ . The interpretation for RELTL(RA) is very close to the case for RELTL. The difference is the interpretation of atoms, that spans across two consecutive time points, due to next operator. We start from the definition of the semantics of SEREs. They are interpreted on a finite subsequence of trace. We denote by σ , i , j |≡ r the fact that the subsequence σ[i ] , . . . , σ[ j ] satisfies the regular expression r. Therefore, the empty regular expression  is satisfied by an empty sequence (i.e., whenever i > j). Definition 4 (SERE semantics). Let σ be a trace over V , α ( V , V ) ∈ Atomsra and i , j ∈ N.

• • • • • •

σ , i , j |≡ α ( V , V ) iff i = j and σ[i] ∪ σ[ i+1] |ra α ( V , V ); σ , i , j |≡  iff i > j; σ , i , j |≡ r1 | r2 iff σ , i , j |≡ r1 or σ , i , j |≡ r2 ; σ , i , j |≡ r1 && r2 iff σ , i , j |≡ r1 and σ , i , j |≡ r2 ; σ , i , j |≡ r1 ; r2 iff there exists i ≤ h ≤ j + 1 such that σ , i , h − 1 |≡ r1 and σ , h, j |≡ r2 ; σ , i , j |≡ r ∗ iff i > j, or there exists i ≤ h ≤ j such that σ , i , h |≡ r and σ , h + 1, j |≡ r ∗.

Definition 5 (RELTL semantics). Let σ be a trace over V and α ( V , V ) ∈ Atomsra .

• • • • • •

σ , i | α ( V , V ) iff σ[i] ∪ σ[ i+1] |ra α ( V , V ); σ , i | ¬φ iff σ | φ ; σ , i | φ ∧ ψ iff σ , i | φ and σ , i | ψ ; σ , i | X φ iff σ , i + 1 | φ ; σ , i | φ U ψ iff, for some j ≥ i, σ , j | ψ and, for all i ≤ k < j, σ , k | φ ; σ , i | r 3→ φ iff, for some j ≥ i, σ , i , j |≡ r and σ , j | φ .

3.3. RELTL(RA): satisfiability checking Definition 6. Given an RELTL(RA) formula φ , the satisfiability problem is the problem of checking if there exists a trace σ such that σ | φ . The satisfiability problem of RELTL(RA) is clearly undecidable since with the G and next operators we can encode standard abstract machines such as two-counter machines and with the F operator we can encode undecidable problems such as reachability. Nevertheless, infinite-state model checking techniques, though not complete, can be applied to tackle the satisfiability problem of RELTL(RA). These techniques are based on efficient SMT-based algorithms and are becoming more and more efficient (see for example some recent advances in [21,22]).

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

59

We reduce the satisfiability of RELTL(RA) to fair reachability in a Fair Transition System (FTS) [54], which is a symbolic representation of infinite-state systems. First-order formulas are used to represent the initial set of states I , the transition relation T , and each fairness condition ψ ∈ F . To check the satisfiability of an RELTL(RA) formula φ we build a fair transition system S φ and we check whether the language accepted by S φ is not empty with standard techniques. In the case of Boolean RELTL, there exist efficient techniques to convert a temporal formula φ into an equivalent FTS S φ (see, e.g., [26]). The check for the satisfiability of φ is typically performed verifying that the language accepted by S φ is not empty. In the general case, the compilation of an RELTL(RA) formula φ is performed as follows. First, for every predicate p in φ , we introduce a new Boolean variable a p . Second, we consider the Boolean abstraction φ A of φ where every predicate p has been substituted with the corresponding Boolean  variable a p . Therefore, φ results equi-satisfiable to φ A ∧ p ∈φ G (a p ↔ p ). If φ A is equivalent to the FTS S φ A , then φ A ∧   p ∈φ G (a p ↔ p ) is equivalent to the FTS S φ obtained by adding p ∈φ (a p ↔ p ) to the transition condition of S φ A . We can check the satisfiability of φ , by checking the non-emptiness of the language accepted by S φ [24]. 4. HRELTL: a logic for hybrid traces 4.1. Hybrid traces Let V be a given set of variables. Intuitively, these are divided into continuous and discrete variables, and the latter are divided into real and Boolean variables. Formally, let us consider the set df of smooth real functions with real values R → R (i.e., df = C ∞ (R, R)). We assume that the domain of the variables in V is df, i.e. ( v ) = df for every v ∈ V . For simplicity, we identify the domain of discrete variables as the set of constant real functions. Thus, for example, the Boolean values can be seen as the real functions that constantly maps to 0 or to 1. A state s is an assignment to the variables of V (s : V →  ) that respects the type of each variable (in particular, discrete variables are assigned to constant functions). We write  V for the set of states. We denote by ˙f the first derivative of a differentiable function f . We denote by f (n) the n-th derivative of a smooth function f . In order to have a more uniform notation, we sometimes use f (0) as synonym for f and f (1) for ˙f . Let I be an interval of R or N; we denote by le( I ) and ue( I ) the lower and upper endpoints of I , respectively. We denote with R+ the set of non-negative real numbers. Hybrid traces describe the evolution of variables in every point of time. Such evolution is allowed to have a countable number of discontinuous points. The model of time is based on intervals and is weakly monotonic: the time can remain the same on consecutive timepoints, which correspond to instantaneous changes in the discrete part of the model. These points are usually called discrete changes, while we refer to the period of time between two discrete steps as timed evolution. Hybrid traces, also used in [27,32], are an extension of timed state sequences [3], where the states are defined as above over continuous functions and the model of time is weakly monotonic and based on intervals.

˙  f 0 , I 0 ,  f 1 , I 1 ,  f 2 , I 2 , . . . such that, for all i ∈ N, Definition 7 (Hybrid trace). A hybrid trace over V is an infinite sequence σ = • the intervals are adjacent,  i.e. ue( I i ) = le( I i +1 ); • the intervals cover R+ : i ∈N I i = R+ (I 0 is left closed and le( I 0 ) = 0); • f i ∈ V . We denote by

σ[i] .i the i + 1-th interval I i of σ , with σ[i] .s the i + 1-th state of σ , and with σ[i] . v the function σ[i] .s( v ) (n)

and with σ[i ] . v (n) its n-th derivative σ[i ] .s( v ). We have a discrete change when a right-closed interval is followed by a left-closed interval. Note that the sequence of intervals must be infinite even if there are finitely many discrete changes. We remark that, with respect to [27], we are relaxing the hypothesis that functions have the same value on the end points of open intervals. This allows discontinuous points not only in discrete changes but also in a timed evolution. Example 3. Fig. 2 shows the evolution of two continuous variables (speed and limit) and a discrete variable (warning). The evolution presents two discrete steps and three timed evolutions. The figure shows two possible sequences, respectively with 10 and 14 intervals. We notice that different traces may describe the same dynamics. Intuitively, a trace is a sampling refinement of another one if it has been obtained by splitting an open interval into two parts by adding a sampling point in the middle [32]. In Fig. 2, TRACE2 refines TRACE1 by exposing two more points. Definition 8 (Partitioning function). (See [32].) A partitioning function μ is a sequence μ0 , μ1 , μ2 , . . . of non-empty, adjacent and disjoint intervals of N partitioning N. Formally, i ∈N μi = N and ue(μi ) = le(μi +1 ) − 1. Definition 9 (Trace sampling refinement). (See [32].) A hybrid trace ρ is a sampling refinement of σ by the partitioning μ (denoted by  j ∈μi ρ[ j ] .i and, for all j ∈ μi , ρ[ j ] .s = σ[i ] .s.

ρ μ σ ) iff, for all i ∈ N, σ[i] .i =

60

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

Fig. 2. Possible evolution of two continuous variables (speed and limit) and a discrete variable (warning), and two possible hybrid traces that represent it. TRACE2 is a refinement of TRACE1.

4.2. HRELTL: syntax In HRELTL, next( v ) denotes the value of v after a discrete step and while der( v , n) denotes the n-th derivative of v. We use der( v ) as abbreviation of der( v , 1). If V is the set of variables, we denote by V˙ n the set of n-th derivatives. To uniform  notation we use V˙ 0 as synonym of V . We denote by V˙ ∗ = n∈N V˙ n and with V˙ ∗ the set of next variables. Finally, we use lcont( v ) and rcont( v ) to denote respectively that v is continuous from the left and from the right. HRELTL is built over a set of basic atoms, which are real arithmetic predicates over V˙ ∗ and V˙ ∗ . Definition 10. Let w be a continuous variable, v a discrete real variable, b a Boolean variable, c a constant. An Atomsdf as follows:

α is defined

u ::= w |der(u ) t ::= c | v | u |next( v ) | next(u ) | t + t | t · t

α ::= b | t = t | t < t | t > t | t ≤ t | t ≥ t |lcont(u ) | rcont(u ) We denote by Pred the set of predicates over V˙ ∗ only (without next) and with Prednext the predicates over V˙ ∗ ∪ V˙ ∗ containing at least one variables in V˙ ∗ . Thus, the atomic formulas Atomsdf of HRELTL are given by Atomsdf = ˙ Pred ∪ Prednext ∪ {lcont( v ), rcont( v )} v ∈ V˙ ∗ . We denote by p the predicate obtained from p by replacing < with ≥, > with ≤, = with = and vice versa. We denote by p  the predicate obtained from p by substituting the top-level operator with , for ∈ {<, >, =, ≤, ≥, =}. Example 4. next(x) = 0 is an example of predicate in Prednext , while x ≤ y + z, der(x) ≤ d and der(x, 2) = 3 are in Pred. The HRELTL syntax is defined by combining Atomsdf with extended regular expressions (SEREs) and temporal operators from LTL. Thus, an HRELTL formula is defined as an RELTL formula replacing propositions with atoms in Atomsdf . Definition 11. Let α ∈ Atomsdf be an atom. An HRELTL formula β is defined as follows:

r ::=

α |  | r ∗ | r ; r | r | r | r && r

β ::= α | ¬β | β ∧ β | X β | β U β | r 3→ β Besides the abbreviations defined for RELTL(RA), we introduce step = ˙ X , which is true iff there is a discrete step, change(x) = ˙ next(x) = x, which is true if there is a discrete change of x, cont(x) = ˙ lcont(x) ∧ rcont(x), which is true when x is continuous from the left and from the right, and jump(x) = ˙ ¬cont(x) ∨ change(x). Example 5. The following formulas are in HRELTL: – G (warning = 1 → (warning = 1 U speed ≤ limit)) – (G (¬jump(x) ∧ ¬jump(der(x))) ∧ (x = 0 ∧ F (x > 0 ∧ F (x = 0)))) → F der(x) = 0 Example 6. The following formula characterizes a continuous variable with continuous derivative such as the position of a train:

G (¬jump(x) ∧ ¬jump(der(x))) The following formulas defines a timer that tracks how much time the speed of the train remains above the limit:

G (der(x) > V L → der( T ) = 1) ∧ G (der(x) ≤ V L → T = 0) ∧ G (lcont( T ) ∧ ¬change( T ) ∧ (der(x) = V L ∨ T = 0 ∨ rcont( T )))

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

61

The following formula formalizes the requirements of Example 1 that if speed remains above the limit too long the brake must be issued until the train stops:

G ( T > timeout → X (der(x, 2) < 0 U der(x) = 0)) 4.3. HRELTL: semantics Some choices underlie the definition of the semantics in order to guarantee that the satisfaction of a formula by a hybrid trace does not depend on the sampling of timed evolutions, rather it depends only on the discrete steps and on the shape of the functions that describe the timed evolutions (sampling invariance [32]). Other choices have been taken to make the formalization of requirements more natural. In particular, X and next cannot be interpreted as in the discrete case, because otherwise a sampling refinement would be able to change the truth of a formula. Consider for example a trace in which X b were true in the open interval (0, 2) and b were false in such interval. Then, splitting the interval into (0, 1] and (1, 2) would make X b false in (0, 1]. Therefore, we define the semantics so that predicates in Prednext can be true only in discrete steps. Definition 12 (Atomsdf semantics). Let σ be a hybrid trace. We interpret atoms over continuous functions as follows.

• • • •

if p ∈ Pred, σ , i |df p iff, for all t ∈ σ[i ] .i, σ[i ] .s(t ) |ra p. if p ∈ Prednext , σ , i |df p iff σ[i ] .i = [t , t ] for some t ∈ R and σ[i +1] .i is left-closed and σ[i ] .s(t ) ∪ ρ[i +1] .s(t ) |ra p. if α = lcont( v ), σ , i |df α iff if σ[i ] .i = [t , t ] for some t ∈ R and σ[i −1] .i is right-open then σ[i ] . v (t ) = σ[i −1] . v (t ). if α = rcont( v ), σ , i |df α iff if σ[i ] .i = [t , t ] for some t ∈ R and σ[i +1] .i is left-open then σ[i ] . v (t ) = σ[i +1] . v (t ). Note that, for all i ∈ N, for all v ∈ V ,

σ[i] . v is defined on all reals, and thus also on the endpoints of the interval.

Definition 13 ( A-fine). Given a set A ⊆ Atomsdf of atoms, we say that a hybrid trace sampling refinement ρ μ σ , for all i ∈ N, for all j ∈ μi , ρ , j |df α iff σ , i |df α .

σ is A-fine iff, for every α ∈ A, for every

Definition 14 (Finite variability). (See [64].) Given a formula φ , let A φ be the set of atoms in φ . We say that a formula φ has the property of finite variability iff for every trace σ , there exists a sampling refinement of σ that is A-fine. In the following, we always assume the finite variability of formulas. To ensure this, we only have to consider the predicates in Pred, since, for the other atoms, there is always such refinement, by simply considering all intervals to be either singular or open. In order to ensure the finite variability, one may consider only piecewise analytic functions as done in [27]. Example 7. Consider the hybrid traces of Fig. 2. TRACE1 is not fine for limit > 0 because the rightmost interval in the figure covers points in which limit is positive and others in which it is 0. Similarly, the trace is not fine for der(speed) = 0 because of the leftmost open interval. Finally the trace is not fine for the next-predicate next(warning) = 1: the first interval does not satisfy the predicate, but if we split it as done in TRACE 2, the predicate is true in the third singular interval. In fact, TRACE2 is fine for these three predicates. In order to ensure sample invariance, the predicates inside a SERE can be true over a sequence of more than one moment. This is different from the standard discrete approach, where they are usually true only if evaluated on just one state. Moreover, we require that if a sequence satisfies the concatenation or repetition of two SEREs, the sequence must contain a discrete step. Definition 15 (SERE semantics).

• • • • •

σ , i , j |≡  iff i > j; σ , i , j |≡ α iff for all k, i ≤ k ≤ j, σ , k |df α , and there is no discrete step between i and j (i.e. for all k, i ≤ k < j, I k ∩ I k+1 = ∅); σ , i , j |≡ r1 | r2 iff σ , i , j |≡ r1 or σ , i , j |≡ r2 ; σ , i , j |≡ r1 && r2 iff σ , i , j |≡ r1 and σ , i , j |≡ r2 ; σ , i , j |≡ r1 ; r2 iff one of the following holds: – σ , i , j |≡ r1 and σ , j + 1, j |≡ r2 (i.e., r2 accepts the empty word); – σ , i , i − 1 |≡ r1 and σ , i , j |≡ r2 (i.e., r1 accepts the empty word); – there exists a discrete step at k (I k ∩ I k+1 = ∅), i ≤ k < j, such that σ , i , k |≡ r1 and σ , k + 1, j |≡ r2 ; • σ , i , j |≡ r ∗ iff either i > j, or σ , i , j |≡ r, or there exists a discrete step at k ( I k ∩ I k+1 = ∅), i ≤ k < j, such that σ , i , k |≡ r and σ , k + 1, j |≡ r ∗.

62

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

Definition 16 (Formulas semantics).

• • • • • •

σ , i | α iff σ , i |df α ; σ , i | ¬φ iff σ , i | φ ; σ , i | φ ∧ ψ iff σ , i | φ and σ , i | ψ ; σ , i | X φ iff there is a discrete step at i (i.e. I i ∩ I i+1 = ∅), and σ , i + 1 | φ ; σ , i | φ U ψ iff, for some j ≥ i, σ , j | ψ and, for all i ≤ k < j, σ , k | φ ; σ , i | r 3→ φ iff, there exists a discrete step at j ≥ i (I j ∩ I j+1 = ∅) such that σ , i , j |≡ r and σ , j | φ .

A hybrid trace σ is a ground [32] for a formula φ iff it is fine for all predicates of φ . Given an HRELTL formula φ , and a hybrid trace σ ground for φ , we say that σ | φ iff there exists a sampling refinement ρ of σ such that ρ is ground for φ and ρ | φ . For example, the hybrid traces depicted in Fig. 2 satisfy the formula of Example 5. The following theorem guarantees that the semantics is well defined. Theorem 1 (Sample invariance). Assuming the finite variability of formulas, if traces satisfy the same formulas.

σ , 0 | φ ; we say that σ | φ iff

ρ is a sampling refinement of σ , then the two hybrid

In order to prove the theorem, we first prove the following lemmas. Lemma 1. Given two hybrid traces σ and ρ , if σ is ground for φ and ρ μ σ , then, for all i ∈ N, for all j ∈ μi , σ , i | α iff ρ , j | α . Proof. If σ[i ] .i = [t , t ] then ρ[ j ] .i = σ[i ] .i and thus σ , i | α iff ρ , j | α . Suppose σ[i ] .i = (t , t ). If α contains only variables in V˙ ∗ , σ , i | α iff, for all t ∈ σ[i ] .i, f i (t ) | α . Since σ is ground, this holds iff, for all t ∈ ρ[ j ] .i, f j (t ) | α . If α contains variables in V next then σ , i | α and ρ , j | α . If α = lcont( v ) or α = lcont( v ), then σ , i | α and ρ , j | α . 2 Lemma 2. If σ is a trace ground for φ and ρ is a sampling refinement of σ by the partitioning μ, then for all i , j ∈ N, for all i ∈ μi , j ∈ μ j , for all SERE r that occur in φ , σ , i , j | r iff ρ , i , j | r. Proof. We prove the lemma by induction on the definition of r:

• If r = α , for some atom α , and i = j, then i and j are indexes of the same continuous evolution. Since σ is ground, σ , i | α iff ρ , j | α . Thus, σ , i , j | α iff ρ , i , j | α . Suppose now r = α and i < j. By definition of sampling refine• • • •

ment, there are no discrete steps between i and j iff there are no discrete steps between i and j . Moreover, since the trace is ground for α , σ , k | α for all k, i ≤ k ≤ j, iff σ , k | α for all k , i ≤ k ≤ j . If r =  , then σ , i , j | r iff i > j. Though, i > j iff i > j . Suppose r = r1 ∗. This case is proved by induction on j − i. As for the base case, i > j iff i > j . For the inductive hypothesis on r, σ , i , j | r, iff σ , i , j | r for all i , j ∈ N, for all i ∈ μi , j ∈ μ j . Thus, if i ≤ k < j, σ , i , k | r, σ , k + 1, j | r ∗ iff σ , i , k | r, σ , k + 1, j | r ∗. Finally, note that if I k ∩ I k +1 = {t }, then k ∈ μk iff k + 1 ∈ μk +1 . The cases r = r1 ; r2 is similar to the previous one. The cases r1 |r2 and r1 &&r2 can be proved directly from the inductive hypothesis. 2

Lemma 3. If two hybrid traces σ and ρ are ground for a formula φ and they are one a sampling refinement of the other, then σ | φ iff ρ | φ . Proof. We prove by induction on φ that, for all i ∈ N, for all j ∈ μi ,

σ , i | φ iff ρ , j | φ .

• Suppose α is an atom; then the claim is true by Lemma 1. • Suppose φ is in the form ¬φ1 , φ1 ∧ φ2 , X φ1 , φ1 U φ2 . Then the claim follows directly from the inductive hypothesis. • Suppose φ is in the form r 3→ φ1 . Then for Lemma 2, σ , i , k | r, iff σ , i , k | r for all i , k ∈ N, for all i ∈ μi , k ∈ μk . Thus, if i ≤ k, σ , i , k | r, σ , k | φ1 then σ , j , k | r, σ , k | φ1 for some k ∈ μk (since μk is not empty). If σ , j , k | r, σ , k | φ1 for some k ∈ μk , then i ≤ k, σ , i , k | r, σ , k | φ1 . 2 Proof of Theorem 1. By assumption, both traces σ and ρ have a sampling refinement ground for φ , named resp. σG and ρG . Since σ μ1 ρ , σG μ2 σ , there exists a refinement μ3 such that σG μ3 ρ . Since ρG μ4 ρ , there exists a sampling refinement that merges the splitting of μ3 and μ4 , thus refining both σG and ρG . For Lemma 3, σG | φ iff | φ iff ρG | φ . 2

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

63

Remark 1. Thanks to Theorem 1, without loss of generality, we can henceforth consider only hybrid traces in which the intervals are either open or singular. In fact, any trace has a sampling refinement in such form, and since we are interested in satisfiability, given a formula φ , it is sufficient to look for a trace in this form satisfying φ . Remark 2. As noted before, differently from the logic defined in [27], the variables may have discontinuous points during a timed evolution. This allows formulas like G ((der(x) = 1) ∧ (b ↔ x ≥ 0)) to be satisfiable even if b is Boolean (thus satisfying G (b = 0 ∨ b = 1)) and x is a continuous variable without discontinuous points (thus satisfying G (¬jump(x))). Note that this was not the case with the semantics given in [27]. We can obtain the previous semantics by restricting the hybrid traces not to have such discontinuity for a discrete variable v by asserting G (cont( v )). Example 8. Consider the formula φ1 := G F b that may represent an abstract property which specifies that b is true infinitely many times. The property may be refined into a more concrete specification φ2 := x < 0 ∧ G (x < 0 → F (der(x) > 0 U x ≥ 0)) ∧ G (¬jump(x)). We can prove that φ2 entails φ1 under the condition that G (b ↔ x ≥ 0) (i.e., that (φ1 ∧ G (b ↔ x ≥ 0)) → φ2 is valid). In case we add also G (cont(b)) (as in the semantics defined in [27]), the implication would be vacuously valid in the sense that (φ1 ∧ G (b ↔ x ≥ 0)) ∧ G (cont(b)) is unsatisfiable. 4.4. Discrete variables and polynomial fragment In the  following, we assume that we are given a subset V D ⊆ V of discrete variables and we restrict the hybrid traces to satisfy v ∈ V D G (der( v ) = 0).  The polynomial fragment of HRELTL is the fragment where, for every predicate p ∈ Pred, for some d ≥ 0, p is in the form v ∈ V a v · der( v , d)  a0 , where a0 , . . . , an are arithmetic predicates over variables in V D , and ∈ {<,>,=,≤,≥, =}. Example 9. The predicate x ≤ y + z is in the polynomial fragment, while der(x, 4) ≤ d is in the fragment only if d is a discrete variable. Henceforth, we consider only the polynomial fragment. Note that, we can encode the reachability problem for linear hybrid automata into the satisfiability problem of a linear HRELTL formula. In fact, also in linear hybrid automata, the derivatives of continuous variables can be compared only with constants or other derivatives. Despite the undecidability of the satisfiability problem, we provide automatic techniques to look for satisfying hybrid traces, by constructing an equisatisfiable discrete problem. 5. From polynomial HRELTL to RELTL(RA) 5.1. Overview of the translation We now present a translation of formulas of the polynomial fragment HRELTL into equi-satisfiable formulas of RELTL(RA). Therefore, we assume that the predicates in the formulas are linear in the continuous variables or in its derivatives of a given order, as defined in Section 4.4. The translation maps a polynomial HRELTL formula φ into an equisatisfiable RELTL(RA) formula τ (φ), i.e. a formula that is satisfiable if and only if ψ is satisfiable. The translation maps continuous variables into (discrete) real variables and introduces additional variables to represent the time model and the derivatives of continuous variables. The resulting formula τ (φ) is in the form ψι ∧ ψPREDφ ∧ τ (φ), where:

• ψι constrain the variables representing the time model to encode well-defined hybrid traces, • ψPredφ constrain the variables representing the continuous variables and their derivatives to encode a trace that is fine for the predicates in φ ; • τ (φ) is the application of a recursive translation that maintains the temporal structure of the formula, while transforming the atomic predicates to take into account the discretization. The proof of equisatisfiability uses two mappings  and ϒ respectively from hybrid traces to discrete traces and backwards from discrete traces to hybrid traces. Intuitively, if σ | φ then (σ ) | τ (φ), while if ρ | τ (φ) then ϒ(ρ ) | φ . In the following, we detail this translation and the proof of the equisatisfiability of the result. In order to understand better the approach we start with the details of the mappings. 5.2. Mapping from hybrid traces to discrete traces and backwards Before defining the mappings, we define precisely the set of variables considered in the discrete traces. We introduce two real variables δt and ζ , respectively to track the time elapsed at every step and to enforce the non-Zeno property (i.e. to guarantee that time diverges). We introduce a Boolean variable ι that tracks if the current state samples a singular interval or an open interval.

64

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

For every variable v ∈ V , let n( v ) be the highest order of derivatives of v used in the input formula. For every variable v ∈ V , for every d, 1 ≤ d ≤ n( v ), we introduce a variable v d to represent the d-th derivative of v. Moreover, we introduce v ln( v ) and v nr ( v ) for every variable v ∈ V . Let V d = { v d } v ∈ V . In order to have a more uniform notation, we use v 0 and V 0 to refer to v and V . Overall, given a formula φ over the variable V , the translated formula will have the following variables:

τ ( V ) := {ι, ζ, δt } ∪





{ v d } ∪ { v ln( v ) , v nr ( v ) }

v ∈ V 0≤d≤n( v )

We now define a mapping from the hybrid traces over V to the discrete traces over τ ( V ), and vice versa. Intuitively,  samples the value of continuous variables in the middle of open intervals. Therefore, the i-th state in the original trace corresponds to the i-th state in the target state. ι is true when the corresponding interval is singular (in the TRACE2 of Fig. 2, it would be true at positions 0, 2, 5, 6, 8, 10, 11, 13, . . .). δt stores the size of the corresponding interval. ζ accumulates the sum of δt until is greater than 1 and then it is reset and restart counting. Definition 17. Given a hybrid trace σ over V , the discrete trace ρ = (σ ) over τ ( V ) is defined as follows: for all i ∈ N,

• t i = t if σ[i ] .i = [t , t ], and t i = (t + t )/2 if σ[i ] .i = (t , t ); • ρ[i ] ( v d ) = σ[i ] . v (d) (t i ) for every variable v ∈ V , for every d such that 0 ≤ d ≤ n(d); • if σ[i ] .i = (t , t ) then ρ[i ] ( v nr (d) ) = (σ[i ] . v (n(d)−1) (t ) − σ[i ] . v (n(d)−1) (t i ))/(t − t i ) and ρ[i ] ( v ln(d) ) = (σ[i ] . v (n(d)−1) (t i ) −

σ[i] . v (n(d)−1) (t ))/(t i − t ) for every variable v ∈ V ; if σ[i] .i = [t , t ] then ρ[i] ( v nr (d) ) = ρ[i] ( v ln(d) ) = σ[i] . v (n(d)) (t ) for every variable

v ∈ V; • ρ[i ] (ι) =  if σ[i ] .i = [t , t ], and ρ[i ] (ι) = ⊥ if σ[i ] .i = (t , t ); • ρ[i ] (δt ) = t i +1 − t i ; • if i = 0 or if ρ[i −1] (ζ ) ≥ 1, ρ[i ] (ζ ) = 0, else ρ[i ] (ζ ) = ρ[i −1] (ζ ) + ρ[i −1] (δt ).

We then define the mapping in the opposite direction. Intuitively, ϒ construct the continuous dynamics from the value of the derivatives. Definition 18. Given a discrete trace ρ over τ ( V ), the hybrid trace σ = ϒ(ρ ) over V is defined as follows: for all i ∈ N,

 • t i = 0≤ j t i ; 5.3. Definition of the translation We define a formula ψι that encodes the possible evolution of δt and ι:

ψι := ι ∧ ζ = 0 ∧ G ((ι ∧ δt = 0 ∧ X (ι)) ∨ (ι ∧ δt > 0 ∧ X (¬ι)) ∨ (¬ι ∧ δt > 0 ∧ X (ι))) ∧ G ((ζ − ζ = δt ) ∨ (ζ ≥ 1 ∧ ζ = 0)) ∧ G F (ζ ≥ 1 ∧ ζ = 0) In particular, we force there to be a discrete step, which is characterized by two consecutive singular intervals, if and only if δt = 0.  1 For every variable v ∈ V , for every d, 1 ≤ d < n( v ), we use the following abbreviations v dr = ˙ d≤ j ≤n( v ) ( j −d)! next( v j ) ·

(−δt ) j −d and v ld = ˙



1 j −d . d≤ j ≤n( v ) ( j −d)! prev( v j ) · (prev(δt ))

Let V dl = { v ld } v ∈ V and V dr = { v dr } v ∈ V .



d Without loss of generality, we can assume that every predicate p is in the form v a v v  a for some d. In this case, l d we say that the order of p is d. We denote by p the predicate obtained by substituting v with v ld and, similarly, with p r

the predicate obtained by substituting v d with v dr .

Example 10. Let us consider the formula G (der(x) = 3) ∧ x > c. Then n(x) = 1. If p is x > c, then p r is xr > c, i.e., −next(x1 ) · δt + next(x) > c. We denote by p˙ the derivative of a predicate over time. If p is in the form Similarly, we denote by p (d) the d-th derivative of p.

 v

a v v d  a, then p˙ is

 v

a v v d+1  0.

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

65

Let Predφ be the set of the predicates p of Pred occurring in φ . Let Pred∗φ the closure of Predφ under derivation, i.e.,

we defined Pred∗φ as { p (d) | p ∈ Predφ , and the order of p is greater than d}.

Example 11. Let us consider for example the formula der(x, 2) ≥ 3. In this case, Pred∗φ would contain der(x, 2) ≥ 3, der(x) ≥ 0, and x ≥ 0. Example 12. Consider as φ the conjunction of the formulas of Example 6. In this case, n(x) = 2 and n( T ) = 1. The set Predφ is {der( T ) = 1, der(x) > V L , der(x) ≤ V L , T = 0, T > timeout, der(x, 2) < 0, der(x) = 0}. Then Pred∗φ = {der( T ) = 1, der(x) > V L , der(x) ≤ V L , T = 0, T > timeout, der(x, 2) < 0, der(x) = 0, x > 0, x ≤ 0, der(x) < 0, x < 0, x = 0}. The following formula ψPredφ encodes the condition that a trace is Pred∗φ -fine:

ψPREDφ := G ( (δt > 0 ∧ ι)

→



( X ( p = ) → pr= ) ( X ( p < ) → ¬ pr> ) ( X ( p > ) → ¬ pr< ))  (δt > 0 ∧ ¬ι) → p ∈Pred∗ ( ( p = → X ( pl= )) p ∈Pred∗φ (

φ

∧ ∧ ∧ ∧

(1)

( p < → ¬ X ( pl> )) ∧ ( p > → ¬ X ( pl< ))))

The first and fourth lines encode that if p = holds in an open interval, then p = holds on the endpoints too. The other parts encode that if p < holds we cannot move to an immediately following state where p > holds (and vice versa) without passing through a state where p = holds. Example 13. Consider as φ the conjunction of the formulas of Example 6. After simplifying the conjunction of the same formulas, the subformula p ∈Pred∗ (( X ( p = ) → p r= ) ∧ ( X ( p < ) → ¬ p r> ) ∧ ( X ( p > ) → ¬ p r< )) in ψPredφ results in the following formula: φ

( X ( T 1 = 1) → ( T 1r ) = 1) ∧ ( X ( T 1 > 1) → ¬( T 1r < 1)) ∧ ( X ( T 1 < 1) → ¬( T 1r > 1)) ∧ ( X ( T = 0) → (next( T ) − T 1r δt = 0)) ∧ ( X ( T > 0) → ¬(next( T ) − T 1r δt < 0)) ∧ ( X ( T < 0) → ¬(next( T ) − T 1r δt > 0)) ∧ ( X ( T = timeout) → (next( T ) − T 1r δt = timeout)) ∧ ( X ( T > timeout) → ¬(next( T ) − T 1r δt < timeout)) ∧ ( X ( T < timeout) → ¬(next( T ) − T 1r δt > timeout)) ∧ ( X (x2 = 0) → (xr2 ) = 0) ∧ ( X (x2 > 0) → ¬(xr2 < 0)) ∧ ( X (x2 < 0) → ¬(xr2 > 0)) ∧ ( X (x1 = 0) → (next(x1 ) − xr2 δt = 0)) ∧ ( X (x1 > 0) → ¬(next(x1 ) − xr2 δt < 0)) ∧ ( X (x1 < 0) → ¬(next(x1 ) − xr2 δt > 0)) ∧ ( X (x1 = V L ) → (next(x1 ) − xr2 δt = V L )) ∧ ( X (x1 > V L ) → ¬(next(x1 ) − xr2 δt < V L )) ∧ ( X (x1 < V L ) → ¬(next(x1 ) − xr2 δt > V L )) ∧ ( X (x = 0) → (next(x) − next(x1 )δt + xr2 δt2 = 0)) ∧ ( X (x < 0) → ¬(next(x) − next(x1 )δt + xr2 δt2 > 0)) ∧ ( X (x > 0) → ¬(next(x) − next(x1 )δt + xr2 δt2 < 0))

66

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

Finally, we define the partial translation

• • • •

τa ( p ) = ˙ p if p ∈ Pred; τa ( p next ) = ˙ (δt = 0) ∧ p next if p next ∈ Pred; τa (lcont( v )) = ˙ ((ι ∧ Y δt > 0) → v = v l )1 ; τa (rcont( v )) = ˙ ((ι ∧ δt > 0) → v = v r ).

The translation

• • • • • •

τr of SEREs is defined as:

τr ( p ) = (δt > 0 ∧ τa ( p ))∗ ; τa ( p ); 2 τr ( ) =  ; τr (r ∗) =  | {τr (r ) && {∗ ; δt = 0}}∗ ; τr (r ); τr (r1 ; r2 ) = {{ && τr (r1 )} ; τr (r2 )} | {τr (r1 ) ; { && τr (r2 )}} | {{τr (r1 ) && {∗ ; δt = 0}} ; τr (r2 )}; τr (r1 | r2 ) = τr (r1 ) | τr (r2 ); τr (r1 && r2 ) = τr (r1 ) && τr (r2 ).

The translation

• • • • • •

τ (φ) recursively over φ . The translation τa of predicates is defined as:

τ of temporal formulas is defined as:

τ ( p ) = τa ( p ); τ (¬φ1 ) = ¬τ (φ1 ); τ (φ1 ∧ φ2 ) = τ (φ1 ) ∧ τ (φ2 ); τ ( X φ1 ) = δt = 0 ∧ X τ (φ1 ); τ (φ1 U φ2 ) = τ (φ1 ) U τ (φ2 ); τ (r 3→ φ) = {τr (r ) && {∗ ; δt = 0}} 3→ τ (φ).

Example 14. Consider as φ the conjunction of the formulas of Example 6. Therefore, φ is:

G (¬jump(x) ∧ ¬jump(der(x))) ∧ G (der(x) > V L → der( T ) = 1) ∧ G (der(x) ≤ V L → T = 0) ∧ G (lcont( T ) ∧ ¬change( T ) ∧ (der(x) = V L ∨ T = 0 ∨ rcont( T ))) ∧ G ( T > timeout → X (der(x, 2) < 0 U der(x) = 0)). In this case, τ (φ) is:

G (¬(((ι ∧ Y δt > 0) ∧ x = xl ) ∨ ((ι ∧ δt > 0) ∧ x = xr ) ∨ (δt = 0 ∧ next(x) = x)) ∧

(¬(((ι ∧ Y δt > 0) ∧ x1 = xl1 ) ∨ ((ι ∧ δt > 0) ∧ x1 = xr1 ) ∨ (δt = 0 ∧ next(x1 ) = x1 )))) ∧ G (x1 > V L → T 1 = 1) ∧ G (x1 ≤ V L → T = 0) ∧ G (((ι ∧ Y δt > 0) → T = T l ) ∧ ¬(δt = 0 ∧ next( T ) = T ) ∧

(x1 = V L ∨ T = 0 ∨ ((ι ∧ δt > 0) → T = T r ))) ∧ G ( T > timeout → X (x2 < 0 U x1 = 0)) As anticipated in the previous section, the overall translation

τ (φ) := ψι ∧ ψPREDφ ∧ τ (φ).

τ is defined as: (2)

Remark 3. If φ contains only quantifier-free predicates then also τ (φ) is quantifier-free. In general, the predicates in τ (φ) are non-linear, since it may contain polynomials over discrete variables or multiplications of a continuous variable with discrete variables. In fact, φ may contain non-linear predicates even in the case φ is in the linear fragment of HRELTL (see Example 10). Finally, note that if φ does not contain SEREs, then the translation is linear in the size of φ .

1 Y is the past operator dual to X ; without introducing past operators, we consider Y δt > 0 as an abbreviation for a fresh Boolean variable y such that ¬ y ∧ G (( X y ) ↔ (δt > 0)) holds. 2 This has the effect that τr ( pnext ) = τa ( pnext ) = (δt = 0 ∧ pnext ).

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

67

5.4. Proof of equisatisfiability Theorem 2 (Equi-satisfiability). Let us consider a formula φ in the polynomial fragment of HRELTL and let us assume finite variability of φ . If σ is Pred∗φ -fine and σ | φ , then (σ ) | τ (φ). If ρ is a discrete trace such that ρ | τ (φ), then ϒ(ρ ) | φ and ϒ(ρ ) is ground for φ . Thus φ and τ (φ) are equi-satisfiable (i.e., φ is satisfiable iff τ (φ) is satisfiable). In order to prove the theorem, we first prove the following lemmas, which state that if σ is a hybrid trace ground for φ then (σ ) | ψι ∧ ψPredφ . Vice versa, if ρ | ψι ∧ ψPredφ , then ϒ(ρ ) is a hybrid trace ground for φ . Lemma 4. If σ a hybrid trace, then (σ ) | ψι . If ρ | ψι , then the intervals of ϒ(ρ ) are adjacent and cover R+ . Proof. Suppose σ is a hybrid trace. Let ρ = (σ ). Then σ[0] .i = [0, 0] and ρ0 (ι) = . If σ[i ] .i = σ[i +1] .i = [t , t ] then ρi (ι) = ρi+1 (ι) =  and ρi (δt ) = 0. If σ[i] .i = [t , t ] and σ[i+1] .i = (t , t ) then ρi (ι) = , ρi (δt ) = (t − t )/2 > 0 and ρi+1 (ι) = ⊥. If σ[i] .i = (t , t ) and σ[i+1] .i = [t , t ] then ρi (ι) = ⊥, ρi (δt ) = (t − t )/2 > 0 and ρi+1 (ι) = . ρ0 (ζ ) = 0, thus ρ | ζ = 0. For all i ≥ 0, either ρi | ζ ≥ 1 and ρi +1 (ζ ) = 0 or ρi +1 (ζ ) − ρi (ζ ) = δt . Thus, ρ | G ((ζ − ζ = δt ) ∨ (ζ ≥ 1 ∧ ζ = 0)). Finally,  + i ∈N σ[i ] .i = R so that the sequence {t i }i ∈N must be divergent. Then, the sequence cannot be bounded, which means that for i ≥ 0, there exists j ≥ i such that t j − t i ≥ 1 and therefore ρ | G F (ζ ≥ 1 ∧ ζ = 0). Suppose ρ | ψι . Let σ = ϒ(ρ ). Then σ[0] .i = [0, 0]. Moreover, for all i ≥ 0, there exists j ≥ i such that ρ j (ζ ) = 0 and h ≥  j such that ρh (ζ ) ≥ 1. Therefore th − t i ≥ 1. Therefore the sequence {t i } diverges, and so i ∈N σ[i ] .i = R+ . If ρi (ι) = ρi +1 (ι) =  then σ[i ] .i = σ[i +1] .i = [t i , t i ]. If ρi (ι) = , and ρi +1 (ι) = ⊥ then σ[i ] .i = [t i , t i ] and σ[i +1] .i = (t i , t i +2 ). If ρi (ι) = ⊥, and ρi+1 (ι) =  then σ[i] .i = (t i−1 , t i+1 ) and σ[i+1] .i = [t i+1 , t i+1 ]. Therefore the intervals of σ are adjacent. 2 Lemma 5. Let us be given an interval [t , t ] and a function g over such interval such that g˙ ≥ 0 or g˙ ≤ 0 over the interval. Suppose g (t )  0 and g (t )  0 for ∈ {=, ≥, ≤, <, >}. Then g ( )  0 for all  ∈ (t , t ). Proved in [23]. Lemma 6. If σ is Pred∗φ -fine, (σ ) | ψPredφ . If ρ | ψPredφ , then ϒ(ρ ) is ground for φ . Proof. Suppose σ is Pred∗φ -fine. We prove by contradiction that (σ ) | ψPredφ . Let ρ = (σ ). Suppose ρ[i ] .i = [t , t ], ρ[i+1] .i = (t , t ), and ρ , i | X ( p = ) → pr= , i.e., ρ , i | X ( p = ) ∧ pr= . Since p = is an open set and σ[i+1] .s is continuous, 1 by topology f i− +1 ( p = ) must be open. Thus, there exists an interval of t where p = is satisfied and therefore there exists

t ∈ (t , t ) such that σ[i +1] .s(t

) | p = , which violates the hypothesis that σ is Pred∗φ -fine. Suppose ρ does not satisfy ( X p < → ¬ pr> ) for some p ∈ PRED, then by Bolzano’s theorem, we can pick a point in the interval such that p = holds, which violates the hypothesis that σ is Pred∗φ -fine. The other cases in ψPredφ are similar so that by contradiction we conclude that ρ | ψPredφ . Suppose ρ | ψPredφ . Let σ = ϒ(ρ ). Consider a predicate p occurring in φ over the set V d for some d, 0 ≤ d < n. Consider an open interval σ[i ] .i = (t , t ) of σ and suppose σ[i ] .s(t i ) | p = . Then, by hypothesis, σ[i ] .s(d) (t ) = ρ[i −1] ( V rd ) | p = and σ[i ] .s(d) (t ) = ρ[i +1] ( V ld ) | p = . Since p˙ = (σ[i ] .s) is uniform over [t , t i ] and [t i , t ], by Lemma 5, σ[i ] .s(t

) | p = for all t

∈ (t , t ). Suppose σ[i ] .s(t i ) | p < then, by hypothesis, σ[i ] .s(t ) | ¬ p > and σ[i ] .s(t ) | ¬ p > . Since p˙ > (σ[i ] .s) is uniform over [t , t i ] and [t i , t ], by Lemma 5, σ[i ] .s(t

) | p < for all t

∈ (t , t ). The case for p > is similar. Finally consider a predicate p (n)

over V n . Since f i

is constant the predicate is uniform in (t , t ). We conclude that

σ is ground. 2

Lemma 7. If σ is ground for a predicate p, σ , i | p iff (σ ), i | τa ( p ). Proof. Let

ρ = (σ ).

• Suppose p is a predicate over V d . If σ , i | p then, for all t ∈ σ[i ] .i, σ[i ] .s(d) (t ) | p and in particular σ[i ] .s(d) (t i ) | p, i.e., ρ[i] | p. Vice versa, if ρ[i] | p, then σ[di] (t i ) | p, and since σ is ground for p, for all t ∈ σ[i] .i, σ[i] (t ) | p. • σ , i | p next iff σ[i ] .i = σ[i +1] .i = [t , t ] and σ[i ] .s(t ), σ[i +1] .s(t ) | p next , i.e. si (t ), si +1 (t ) | p next and (σ ), i | δt = 0. • Suppose σ , i | lcont( v ) and σ[i ] .i = [t , t ]. Then, if σ[i −1] .i is right-open, σ[i ] . v (t ) = σ[i −1] . v (t ) iff ρ[i ] ( v ) = ρ[i ] ( v l ). • Suppose σ , i | rcont( v ) and σ[i ] .i = [t , t ]. Then, if σ[i +1] .i is left-open, σ[i ] . v (t ) = σ[i +1] . v (t ) iff ρ[i ] ( v ) = ρ[i ] ( v r ). 2 Lemma 8. If σ is ground for a SERE r, then σ , i , j | r iff (σ ), i , j | τr (r ).

68

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

Proof.

• σ , i , j | p iff, for all k, i ≤ k < j, there is no discrete step at k (I k = I k+1 ), and, for all k, i ≤ k ≤ j, σ , k | p; thus, σ , i , j | p, iff for all k, i ≤ k < j, (σ ), k | δt > 0, and, for all k, i ≤ k ≤ j, (σ ), k | τa ( p ) (for Lemma 7); • σ , i , j |  iff i > j iff (σ ), i , j |  ; • σ , i , j | r ∗ iff i > j, or σ , i , j | r, or there exists a discrete step at k ( I k = I k+1 ), i ≤ k < j, such that σ , i , k | r, σ , k + 1, j | r ∗; the first case holds iff (σ ), i , j |  ; the second case iff there exist n discrete steps at k1 , k2 , . . . , kn such that I ki = I ki +1 and σ , i , k1 | r, σ , k1 , k2 | r, . . . σ , kn , j | r iff (for inductive hypothesis) (σ ), i , k1 | τr (r ), (σ ), k1 + 1, k2 | τr (r ), . . . (σ ), kn + 1, j | τr (r ), and (σ ), k1 | δt = 0, (σ ), k1 + 1, k2 | δt = 0, . . . (σ ), kn + 1, j | δt = 0; • σ , i , j | r1 ; r2 iff σ , i , j | r1 , σ , j + 1, j | r2 (i.e., r2 accepts the empty word), or σ , i , i − 1 | r1 , σ , i , j | r2 (i.e., r1 accepts the empty word), or there exists a discrete step at k (I k = I k+1 ), i ≤ k < j, such that σ , i , k | r1 , σ , k + 1, j | r2 ; the first case holds, by induction, iff (σ ), i , j | r1 , (σ ), j + 1, j | r2 and thus iff (σ ), i , j | τr (r1 ) ; { && τr (r2 )}; the second case holds, by induction, iff (σ ), i , i − 1 | r1 , (σ ), i , j | r2 and thus iff (σ ), i , j | { && τr (r1 )} ; τr (r2 ); the third case holds, by induction, iff (σ ), i , i − 1 | r1 , (σ ), i , j | r2 and thus iff (σ ), i , j | { && τr (r1 )} ; τr (r2 ); • σ , i , j | r1 | r2 iff σ , i , j | r1 or σ , i , j | r2 iff (by inductive hypothesis) (σ ), i , j | τr (r1 ) or (σ ), i , j | τr (r2 ); • σ , i , j | r1 && r2 iff σ , i , j | r1 and σ , i , j | r2 iff (by inductive hypothesis) (σ ), i , j | τr (r1 ) and (σ ), i , j | τr (r2 ). 2 Lemma 9. If σ is ground for φ , then σ , i | φ iff (σ ), i | τ (φ). Proof.

• • • • •

σ , i | p iff (σ ), i | p for Lemma 7; σ , i | ¬φ iff σ , i | φ iff (σ ), i | τ (φ) (by inductive hypothesis); σ , i | φ ∧ ψ iff σ , i | φ and σ , i | ψ iff (σ ), i | τ (φ) and (σ ), i | τ (ψ); σ , i | X φ iff there is a discrete step at i (σ[i] .i = σ[i+1] .i), and σ , i + 1 | φ iff (σ ), i | δt = 0 and (σ ), i | τ ( X φ); σ , i | φ U ψ iff, for some j ≥ i, σ , j | ψ and, for all i ≤ k < j, σ , k | φ iff (σ ), j | τ (ψ) and, for all i ≤ k < j, (σ ), k | τ (φ); • σ , i | r 3→ φ iff, there exists a discrete step at j ≥ i (I j = I j +1 ) such that σ , i , j | r, and σ , j | φ iff (σ ), i , j | τr (r ), and (σ ), j | τ (φ). 2 Lemma 10. If ρ | ψι ∧ ψPREDφ , ρ , i | τ (φ) iff ϒ(ρ ), i | φ . Proof. Let

σ = ϒ(ρ ).

• ρ , i | p iff σ[i ] .s(t i ) | p, and since ϒ(ρ ) is ground, iff for all t ∈ σ[i ] .i, σ[i ] .s(t ) | p. • ρ , i | (δt = 0) ∧ p next iff σ[i ] .i = σ[i +1] .i = [t , t ] and σ[i ] .s(t ), σ[i +1] .s(t ) | p next . • ρ , i | ((ι ∧ Y δt > 0) → v = v l ) ∧ ((ι ∧ δt > 0) → v = v r ) iff, if σ[i ] .i = [t , t ] and ϒ(ρ )i −1 .i is right-open then σ[i ] . v (t ) = σ[i−1] . v (t ) and if σ[i] .i = [t , t ] and σ[i+1] .i is left-open then σ[i] . v (t ) = σ[i+1] . v (t ). • The other cases result directly from the inductive hypothesis similarly to Lemmas 8 and 9. 2 Proof of Theorem 2. Suppose σ | φ . Then for Lemmas 4 and 6, (σ ) | ψι ∧ ψPREDφ . For Lemma 9, (σ ) | τ (φ). Thus, (σ ) | τ (φ). Suppose ρ | τ (φ). Then ρ | τ (φ), and, for Lemma 10, ϒ(ρ ) | φ . Finally, for Lemma 4, ϒ(ρ ) is a hybrid trace and, for Lemma 6, it is ground for φ . 2 6. Related work To the best of our knowledge, HRELTL is the first temporal logic with predicates over the derivatives of continuous variables and over discrete changes. A preliminary version of HRELTL was first proposed in [27]. In this paper, we extended it in different directions: first, we introduced predicates to constrain also higher-order derivatives, and proved that a formula is satisfiable iff it has a piecewise polynomial solution; second, we generalized the traces to have discontinuous points even when time elapses, and introduced special operators to control the continuity in such points; third, we simplified the translation by avoiding to distinguish between left and right derivatives; finally, we revised the encoding of non-Zenoness that was wrongly too simple in [27]. More recently, HyLTL was proposed in [13], which also uses constraints over derivatives and discrete changes. HyLTL appears to be more limited than HRELTL to represent realistic requirements. In fact, the semantics is based on a strict alternation of continuous and discrete transitions. This has the following important impacts. First, a predicate over continuous variables can change truth value only after a discrete transition; therefore formulas such as F (der(speed) = 0) are not

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

69

satisfied by trajectories such as TRACE1 in Fig. 2 even if there is time point in which the derivative of speed is 0. Second, even in the presence of discrete transitions, formulas such as x ≤ 0 U x > 0 are not satisfiable unless using discontinuous changes of x: any discrete transition that does not change x cannot satisfy a transition from x ≤ 0 to x > 0. In principle, HyLTL can use richer operators in the constraints such as trascendental functions. However, the verification approach relies on a translation to fair hybrid automata, for which there is no tool support for fair reachability (the use of Phaver [42] in [13] assumes that counterexamples are in a lasso-shape form). Our work is inspired by the ones of [32,48,52,55]. [52,55] face the problem of the observability of predicates during continuous evolutions, and define phase transition systems, which are a symbolic version of hybrid automata. In [32], LTL with continuous and hybrid semantics is compared with the discrete semantics. It is proved that a positive answer to the model checking problem and to the validity problem with the discrete semantics implies a positive answer to the corresponding problem in the continuous semantics. Notably, the hybrid semantics of the logic relies on the hybrid traces accepted by a hybrid system (while our definition is independent). [48] formally defines a continuous semantics for LTL without next operator and derivatives. In all these works, there is no attempt to solve the satisfiability problem for LTL with the continuous semantics. Many logics have been introduced to describe properties of timed systems (see [4,5] for a survey), but none of them can force the continuity of functions, because the semantics is discrete, though in some cases even a dense time domain is considered. Hybrid systems [45,55] assume that some functions are continuous but the logic used to express the properties is discrete. In [43,47], a translation from dense time to discrete time is proposed for a particular class of specifications, but only discrete semantics is considered. In [67], the discretization of hybrid systems is obtained with an over-approximation, while our translation produces an equi-satisfiable discrete formula. In [44], a framework for specifying requirements of hybrid systems is proposed. However, the techniques are model based, and the requirements are formalized in a tabular notation, which can be seen as a symbolic representation of an automaton. In [61], a hybrid dynamic logic is proposed for the verification of hybrid systems and it was used to prove safety properties for ETCS. The approach is still model-based since the description of the system implementation is embedded in the logical formula. The regular expression operations are used to define hybrid programs, that represent the hybrid systems. Properties of hybrid programs are expressed with the modalities of first-order dynamic logic. As in RELTL, we use regular expressions with a linear semantics. Moreover, the constraints on the continuous evolution are part of the requirements rather than the system description. In [2,45], linear hybrid automata are defined and a symbolic procedure is proposed to check their emptiness. Besides the different property-based approach that we propose, our techniques differ in the following points. First, instead of a finite set of states, the discrete modes are represented by the infinite (uncountable) set of assignments to the discrete variables. Second, using hybrid automata, the designer has to represent a predicate with one or more discrete locations with the predicate as invariant. This however is limited by the fact that invariants hold on closed time intervals and must be convex. Instead, we associate predicates to also open time intervals and force the convexity in the encoding. Related to the encoding of invariants that hold in a continuous evolution, also [70] faces the problem of concave conditions, and splits concave time conditions into convex segments. The condition (1) of our translation has the purpose to split the trace into convex regions in an analogue way. In [53], a continuous semantics to a temporal logic which does not consider next operators and derivatives is presented. The paper addresses the problem of monitoring temporal properties of circuits with continuous signals. On a different line of research, Duration Calculus (DC) [16] specifies requirements of real-time systems with predicates over the integrals of Boolean functions over finite intervals of time. Extensions of DC such as Extended Duration Calculus [17] can specify properties over continuous and differentiable functions. DC has been used to specify properties for ETCS [40]. Similarly to DC, Hybrid Temporal Logic (HTL) [46] uses the “chop” operator to express the temporal succession and can express temporal constraints on the derivatives of dynamic functions. Both DC and HTL interpret formulas over intervals of time (rather than infinite sequences of intervals). On the contrary, HRELTL is based on RELTL, which has been consolidated as specification language at the industrial level. HRELTL has the advantage to allow the reuse of requirements analysis techniques for RELTL. 7. Conclusions and future work In this paper we have described the HRELTL logic for hybrid traces combining discrete and continuous variables. HRELTL can capture many important aspects that are required to model the behaviors of complex hybrid systems, including continuous time and derivatives, regular expressions, and temporal operators. The logic enjoys the important property of sample invariance. The second contribution is to show how the polynomial fragment of HRELTL can be reduced, preserving satisfiability, to RELTL(RA), a temporal logic over discrete traces with Boolean and real-valued variables, and atoms interpreted over non-linear arithmetic. Despite the undecidability of HRELTL and of RELTL(RA), the work opens up the possibility to analyze specification by means of automata-theoretic techniques combined with verification engines for the fair reachability of (infinite state) symbolic fair transition systems.

70

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

In the future, we will proceed along several directions. First, we will investigate the existence of decidable subclasses of HRELTL. Second, we will devise more effective and efficient techniques for the analysis of infinite-state transition systems, possibly based on the application of abstractions [59], and on automated abstraction-refinement loops. Finally, we will consider the application of HRELTL to the modeling of a practical complex system in the setting of contract-based design. In addition to stressing the representational capabilities of HRELTL, the activity will suggest other interesting functionalities oriented to the analysis of the specifications (e.g. unsatisfiable core extraction, parameter synthesis). References [1] M. Abadi, L. Lamport, Conjoining specifications, ACM Trans. Program. Lang. Syst. 17 (3) (1995) 507–534. [2] R. Alur, C. Courcoubetis, T.A. Henzinger, P.-H. Ho, Hybrid automata: an algorithmic approach to the specification and verification of hybrid systems, in: Hybrid Systems, 1992, pp. 209–229. [3] R. Alur, T. Feder, T.A. Henzinger, The benefits of relaxing punctuality, J. ACM 43 (1) (1996) 116–146. [4] R. Alur, T.A. Henzinger, Logics and models of real time: a survey, in: Rex Workshop, 1991, pp. 74–106. [5] R. Alur, T.A. Henzinger, Real-time logics: complexity and expressiveness, Inf. Comput. 104 (1) (1993) 35–77. [6] C.W. Barrett, R. Sebastiani, S.A. Seshia, C. Tinelli, Satisfiability modulo theories, in: Handbook of Satisfiability, 2009, pp. 825–885. [7] S.S. Bauer, A. David, R. Hennicker, K.G. Larsen, A. Legay, U. Nyman, A. Wasowski, Moving from specifications to contracts in component-based design, in: Fase, 2012, pp. 43–58. [8] A. Benveniste, B. Caillaud, A. Ferrari, L. Mangeruca, R. Passerone, C. Sofronis, Multiple viewpoint contract-based specification and design, in: Fmco, 2007, pp. 200–225. [9] A. Biere, K. Heljanko, T.A. Junttila, T. Latvala, V. Schuppan, Linear encodings of bounded ltl model checking, Log. Methods Comput. Sci. 2 (5) (2006). [10] R. Bloem, R. Cavada, I. Pill, M. Roveri, A. Tchaltsev, RAT: a tool for the formal analysis of requirements, in: Cav, 2007, pp. 263–267. [11] A.R. Bradley, Sat-based model checking without unrolling, in: Vmcai, 2011, pp. 70–87. [12] R.K. Brayton, G.D. Hachtel, A.L. Sangiovanni-Vincentelli, F. Somenzi, A. Aziz, S. Cheng, S.A. Edwards, S.P. Khatri, Y. Kukimoto, A. Pardo, S. Qadeer, R.K. Ranjan, S. Sarwary, T.R. Shiple, G. Swamy, T. Villa, Vis: a system for verification and synthesis, in: Cav, 1996, pp. 428–432. [13] D. Bresolin, HyLTL: a temporal logic for model checking hybrid systems, in: Has, 2013, pp. 73–84. [14] D. Bustan, A. Flaisher, O. Grumberg, O. Kupferman, M.Y. Vardi, Regular vacuity, in: Charme, 2005, pp. 191–206. [15] R. Cavada, A. Cimatti, M. Dorigatti, A. Mariotti, A. Micheli, S. Mover, A. Griggio, M. Roveri, S. Tonetta, The nuXmv symbolic model checker, Fondazione Bruno Kessler, 2014. [16] Z. Chaochen, C.A.R. Hoare, A.P. Ravn, A calculus of durations, Inf. Process. Lett. 40 (5) (1991) 269–276. [17] Z. Chaochen, A.P. Ravn, M.R. Hansen, An extended duration calculus for hybrid real-time systems, in: Hybrid Systems, 1992, pp. 36–59. [18] A. Chiappini, A. Cimatti, L. Macchi, O. Rebollo, M. Roveri, A. Susi, S. Tonetta, B. Vittorini, Formalization and validation of a subset of the European train control system, in: Icse (2), 2010, pp. 109–118. [19] A. Cimatti, E.M. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani, A. Tacchella, NuSMV 2: an OpenSource tool for symbolic model checking, in: Cav, 2002, pp. 359–364. [20] A. Cimatti, M. Dorigatti, S. Tonetta, OCRA: a tool for checking the refinement of temporal contracts, in: Ase, IEEE, 2013, pp. 702–705. [21] A. Cimatti, A. Griggio, S. Mover, S. Tonetta, IC3 modulo theories via implicit predicate abstraction, in: Tacas, 2014. [22] A. Cimatti, A. Griggio, S. Mover, S. Tonetta, Verifying LTL properties of hybrid systems with K-liveness, in: Computer Aided Verification – Proceedings of the 26th International Conference, CAV 2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 18–22, 2014, pp. 424–440. [23] A. Cimatti, S. Mover, S. Tonetta, A quantifier-free SMT encoding of non-linear hybrid automata, in: Fmcad, 2012, pp. 187–195. [24] A. Cimatti, M. Roveri, A. Susi, S. Tonetta, Object models with temporal constraints, in: Sefm 2008, IEEE Press, 2008, pp. 249–258. [25] A. Cimatti, M. Roveri, A. Susi, S. Tonetta, Validation of requirements for hybrid systems: a formal approach, ACM Trans. Softw. Eng. Methodol. 21 (4) (2012) 22. [26] A. Cimatti, M. Roveri, S. Tonetta, Symbolic compilation of PSL, IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst. 27 (10) (2008) 1737–1750. [27] A. Cimatti, M. Roveri, S. Tonetta, Requirements validation for hybrid systems, in: Cav, 2009, pp. 188–203. [28] A. Cimatti, S. Tonetta, A property-based proof system for contract-based design, in: Seaa, 2012. [29] K. Claessen, A coverage analysis for safety property lists, in: Fmcad, IEEE, 2007, pp. 139–145. [30] K. Claessen, N. Sörensson, A liveness checking algorithm that counts, in: Fmcad, 2012, pp. 52–59. [31] E.M. Clarke, O. Grumberg, K. Hamaguchi, Another look at LTL model checking, Form. Methods Syst. Des. 10 (1) (1997) 47–71. [32] L. de Alfaro, Z. Manna, Verification in continuous time by discrete reasoning, in: Amast, 1995, pp. 292–306. [33] C. Eisner, D. Fisman, A Practical Introduction to Psl (Series on Integrated Circuits and Systems), Springer-Verlag New York, Inc., 2006. [34] European railway agency, http://www.era.europa.eu. [35] European space agency, http://www.esa.int. [36] ERTMS/ETCS — baseline 3: system requirements specifications. SUBSET-026-1, i3.0.0, http://www.era.europa.eu/core/ertms/Pages/FirstETCSSRS300.aspx, 2008. [37] EuRailCheck project, https://es.fbk.eu/projects/eurailcheck/. [38] Feasibility study for the formal specification of ETCS functions, Call for tender, http://www.era.europa.eu/The-Agency/Procurement/Pages/ERA-2007ERTMS-OP-01.aspx, 2007. [39] H. Eveking, M. Braun, M. Schickel, M. Schweikert, V. Nimbler, Multi-level assertion-based design, in: Memocode, IEEE, 2007, pp. 85–86. [40] J. Faber, R. Meyer, Model checking data-dependent real-time properties of the European train control system, in: Fmcad, 2006, pp. 76–77. [41] FoReVer project, https://es.fbk.eu/projects/forever/. [42] G. Frehse, PHAVer: algorithmic verification of hybrid systems past HyTech, in: Hscc, 2005, pp. 258–273. [43] C.A. Furia, M. Pradella, M. Rossi, Automated verification of dense-time MTL specifications via discrete-time approximation, in: Fm, 2008, pp. 132–147. [44] C.L. Heitmeyer, Requirements specifications for hybrid systems, in: Hybrid Systems, 1995, pp. 304–314. [45] T.A. Henzinger, The theory of hybrid automata, in: Lics, 1996, pp. 278–292. [46] T.A. Henzinger, Z. Manna, A. Pnueli, Towards refining temporal specifications into hybrid systems, in: Hybrid Systems, 1992, pp. 60–76. [47] T.A. Henzinger, Z. Manna, A. Pnueli, What good are digital clocks?, in: Icalp, 1992, pp. 545–558. [48] A. Kapur, Interval and point-based approaches to hybrid system verification, Ph.D. thesis, Stanford University, Stanford, CA, USA, 1998. [49] O. Kupferman, M.Y. Vardi, Vacuity detection in temporal model checking, Int. J. Softw. Tools Technol. Transf. 4 (2) (2003) 224–233. [50] R.R. Lutz, I.C. Mikulski, Requirements discovery during the testing of safety-critical software, in: Icse, 2003, pp. 578–585. [51] R.R. Lutz, I.C. Mikulski, Resolving requirements discovery in testing and operations, in: Re, IEEE Computer Society, 2003, p. 33. [52] O. Maler, Z. Manna, A. Pnueli, From timed to hybrid systems, in: Rex Workshop, 1991, pp. 447–484.

A. Cimatti et al. / Information and Computation 245 (2015) 54–71

71

[53] O. Maler, D. Nickovic, A. Pnueli, Checking temporal properties of discrete, timed and continuous behaviors, in: Pillars of Computer Science, 2008, pp. 475–505. [54] Z. Manna, A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems: Specification, Springer-Verlag, 1992. [55] Z. Manna, A. Pnueli, Verifying hybrid systems, in: Hybrid Systems, 1992, pp. 4–35. [56] K.L. McMillan, Interpolation and SAT-based model checking, in: Cav, 2003, pp. 1–13. [57] K.L. McMillan, Circular compositional reasoning about liveness, in: Charme, 1999, pp. 342–345. [58] B. Meyer, Applying “Design by contract”, Computer 25 (10) (1992) 40–51. [59] S. Mover, A. Cimatti, A. Tiwari, S. Tonetta, Time-aware relational abstractions for hybrid systems, in: Emsoft, IEEE, 2013, pp. 1–10. [60] I. Pill, S. Semprini, R. Cavada, M. Roveri, R. Bloem, A. Cimatti, Formal analysis of hardware requirements, in: Dac, 2006, pp. 821–826. [61] A. Platzer, Differential dynamic logic for verifying parametric hybrid systems, in: Tableaux, 2007, pp. 216–232. [62] A. Pnueli, The temporal logic of programs, in: Proceedings of 18th IEEE Symp. on Foundation of Computer Science, 1977, pp. 46–57. [63] The PROSYD project on property-based system design, http://www.prosyd.org, 2007. [64] A.M. Rabinovich, On the decidability of continuous time specification formalisms, J. Log. Comput. 8 (5) (1998) 669–678. [65] SafeCer project, http://www.safecer.eu. [66] M. Sheeran, S. Singh, G. Stålmarck, Checking safety properties using induction and a sat-solver, in: Fmcad, 2000, pp. 108–125. [67] A. Tiwari, Abstractions for hybrid systems, Form. Methods Syst. Des. 32 (1) (2008) 57–83. [68] S. Vijayaraghavan, M. Ramanathan, A Practical Guide for SystemVerilog Assertions, Springer, 2005. [69] Y. Vizel, O. Grumberg, Interpolation-sequence based model checking, in: Fmcad, IEEE, 2009, pp. 1–8. [70] F. Wang, Time-progress evaluation for dense-time automata with concave path conditions, in: Atva, 2008, pp. 258–273.