Public reporting burden lor the collection of information is estimated
Final Report: June 1995 -3May 1998

Summary of Completed Project
We developed formal methods and tools for the design, verification, and control of embedded systems. This was accomplished by extending techniques, based on automata theory and temporal logic, from the analysis of time-independent reactive systems to real-time embedded systems. As system specification language for embedded systems, we introduced hybrid automata, which equip traditional discrete automata with real-numbered clock variables and continuous environment variables. As requirements specification languages, we introduced temporal logics with clock variables for expressing timing constraints.
Since the state spaces of systems with real-numbered clock variables are infinite, all verification must proceed symbolically. Symbolic verification methods are based either on deductive reasoning, using proof rules-for symbolic logics, or on algorithmic analysis, using model checking procedures that operate on symbolic representations of state sets. We developed proof calculi for checking if a hybrid automaton satisfies linear-time clock properties, and we developed and implemented symbolic procedures for checking if a piecewise-linear hybrid automaton satisfies branching-time clock properties. The continuous variables of piecewise-linear hybrid automata follow trajectories within piecewise-linear envelopes, which can be used to approximate conservatively the behavior of more general, nonlinear systems.
Our algorithms have been implemented in the tool HYTECH, the first model checker for hybrid (mixed discrete-continuous) systems. We applied HYTECH to benchmark case studies in railway control, steam-boiler control, manufacturing-system and audio-system control. We also established the theoretical complexity of various formulations of the verification and control problems for hybrid systems, and we identified the exact boundary between decidability and undecidability of real-time reasoning. 
Deliverables PhD Dissertations Publications
Keywords
Modeling, verification, and control of real-time and hybrid systems.
Report
We made progress in the following two directions. , we extended the model of hybrid automata to permit the compositional description and design of embedded systems.
Real
Our specific accomplishments are described below.
A Models and Logics for Real-time Systems
[Al] Rajeev Alur, Thomas A. Henzinger, "Real-time system = discrete system + clock variables," Software Tools for Technology Transfer 1, 1997, pp. 86-109. (Also appeared as Technical Report UCB/ERL-M97/78, University of California at Berkeley, October 1997.)
Programs such as device drivers and embedded controllers must explicitly refer and react to time. For this purpose, a variety of language constructs-including delays, timeouts, and watchdogs-have been put forward. We advocate an alternative proposal, namely, to designate certain program variables as clock variables. The value of a clock variable changes as time advances. Timing constraints can be expressed, then, by conditions on clock values. A single new language construct-the guarded wait statement-suffices to enforce the timely progress of a program. We illustrate the use of clock variables and guarded wait statements with real-time applications such as round-robin (timeout-driven) and priority (interrupt-driven) scheduling. Clock variables generalize naturally to variables that measure environment parameters other than time. This observation leads to a language for hybrid (mixed digital-analog) applications such as embedded process control. This paper introduces, gently but rigorously, the clock approach to real-time programming. We present with mathematical precision, assuming no prerequisites other than familiarity with logical and programming notations, the concepts that are necessary for understanding, writing, and executing clock programs. In keeping with an expository style, all references are clustered in bibliographic remarks at the end of each section. The first appendix presents proof rules for verifying temporal properties of clock programs. The second appendix points to selected literature on formal methods and tools for programming with clocks. In particular, the timed automaton, which is a finite-state machine equipped with clocks, has become a standard paradigm for realtime model checking; it underlies the tools HYTECH, KRONOS, and UPPAAL, discussed elsewhere in this volume.
[A2] Thomas A. Henzinger, J. A specification formalism for reactive systems defines a class of u-languages. We call a specification formalism fully decidable if it is constructively closed under boolean operations and has a decidable satisfiability (nonemptiness) problem. There are two important, robust classes of w-languages that are definable by fully decidable formalisms. The uj-regular languages are definable by finite automata, or equivalently, by the Sequential Calculus. The counter-free co-regular languages are definable by temporal logic, or equivalently, by the first-order fragment of the Sequential Calculus. The gap between both classes can be closed by finite counting (using automata connectives), or equivalently, by projection (existential second-order quantification over letters).
A specification formalism for real-time systems defines a class of timed w-languages, whose letters have real-numbered time stamps. Two popular ways of specifying timing constraints rely on the use of clocks, and on the use of time bounds for temporal operators. However, temporal logics with clocks or time bounds have undecidable satisfiability problems, and finite automata with clocks (so-called timed automata) are not closed under complement. Therefore, two fully decidable restrictions of these formalisms have been proposed. In the first case, clocks are restricted to event clocks, which measure distances to immediately preceding or succeeding events only. In the second case, time bounds are restricted to nonsingular intervals, which cannot specify the exact punctuality of events. We show that the resulting classes of timed w-languages are robust, and we explain their relationship.
First, we show that temporal logic with event clocks defines the same class of timed w-languages as temporal logic with nonsingular time bounds, and we identify a firstorder monadic theory that also defines this class. Second, we show that if the ability of finite counting is added to these formalisms, we obtain the class of timed u?-languages that are definable by finite automata with event clocks, or equivalently, by a restricted second-order extension of the monadic theory. Third, we show that if projection is added, we obtain the class of timed w-languages that are definable by timed automata, or equivalently, by a richer second-order extension of the monadic theory. These results identify three robust classes of timed w-languages, of which the third, while popular, is not definable by a fully decidable formalism. By contrast, the first two classes are definable by fully decidable formalisms from temporal logic, from automata theory, and from monadic logic. Since the gap between these two classes can be closed by finite counting, we dub them the timed u-regular languages and the timed counter-free to-regular languages, respectively. This paper presents a complete axiomatization of fully decidable propositional realtime linear temporal logics with past: the Event Clock Logic (ECL) and the Metric Interval Temporal Logic with past (MITL). The completeness proof consists of an effective proof building procedure for ECL. From this result we obtain a complete axiomatization of MITL by providing axioms translating MITL formulae into ECL formulae, the two logics being equally expressive. Our proof is structured to yield a similar axiomatization and procedure for interesting fragments of these logics, such as the linear temporal logic of the real numbers (LTR).
[ We summarize and reorganize some of the last decade's research on real-time extensions of temporal logic. Our main focus is on tableau constructions for model checking linear temporal formulas with timing constraints. In particular, we find that a great deal of real-time verification can be performed in polynomial space, but also that considerable care must be exercised in order to keep the real-time verification problem in polynomial space, or even decidable. We present a verification algorithm for duration properties of real-time systems. While simple real-time properties constrain the total elapsed time between events, duration properties constrain the accumulated satisfaction time of state predicates. We formalize the concept of durations by introducing duration measures for timed automata. A duration measure assigns to each finite run of a timed automaton a real number -the duration of the run-which may be the accumulated satisfaction time of a state predicate along the run. Given a timed automaton with a duration measure, an initial and a final state, and an arithmetic constraint, the duration-bounded reachability problem asks if there is a run of the automaton from the initial state to the final state such that the duration of the run satisfies the constraint. Our main result is an (optimal) PSPACE decision procedure for the duration-bounded reachability problem. A hybrid system is a dynamical system whose behavior exhibits both discrete and continuous change. A hybrid automaton is a mathematical model for hybrid systems, which combines, in a single formalism, automaton transitions for capturing discrete change with differential equations for capturing continuous change. In this survey, we demonstrate symbolic algorithms for the verification and controller synthesis of linear hybrid automata, a subclass of hybrid automata that can be analyzed automatically.
B Verification and Control of Hybrid Systems
[ A hybrid system consists of a collection of digital programs that interact with each other and with an analog environment. Examples of hybrid systems include medical equipment, manufacturing controllers, automotive controllers, and robots. The formal analysis of the mixed digital-analog nature of these systems requires a model that incorporates the discrete behavior of computer programs with the continuous behavior of environment variables, such as temperature and pressure. Hybrid Automata capture both types of behavior by combining finite automata with differential inclusions (i.e. differential inequalities). HYTECH is a symbolic model checker for linear hybrid automata, an expressive, yet automatically analyzable, subclass of hybrid automata. A key feature of HYTECH is its ability to perform parametric analysis, i.e. to determine the values of design parameters for which a linear hybrid automaton satisfies a temporal requirement.
[B3] Thomas A. Henzinger, Pei-Hsin Ho, Howard Wong-Toi, "Algorithmic analysis of nonlinear hybrid systems," IEEE Transactions on Automatic Control 43, 1998, pp. 540-554.
Hybrid systems are digital real-time systems that are embedded in analog environments. Model-checking tools are available for the automatic analysis of linear hybrid automata, whose environment variables are subject to piecewise-constant polyhedral differential inclusions. In most embedded systems, however, the environment variables have differential inclusions that vary with the values of the variables, e.g., x -x. Such inclusions are prohibited in the linear hybrid automaton model. We present two methods for translating nonlinear hybrid systems into linear hybrid automata. Properties of the nonlinear systems can then be inferred from the automatic analysis of the translated linear hybrid automata.
The first method, called clock translation, replaces constraints on nonlinear variables by constraints on clock variables. The clock translation is efficient but has limited applicability. The second method, called linear phase-portrait approximation, conservatively overapproximates the phase portrait of a hybrid automaton using piecewise-constant polyhedral differential inclusions. Both methods are sound for safety properties; that is, if we establish a safety property of the translated linear system, we may conclude that the original nonlinear system satisfies the property. When applicable, the clock translation is also complete for safety properties; that is, the original system and the translated system satisfy the same safety properties. The phase-portrait approximation method is not complete for safety properties, but it is asymptotically complete; intuitively, for every safety property, and for every relaxed nonlinear system arbitrarily close to the original, if the relaxed system satisfies the safety property, then there is a linear phase-portrait approximation that also satisfies the property.
We illustrate both methods by using HYTECH-a symbolic model checker for linear hybrid automata-to automatically check properties of a nonlinear temperature controller and of a predator-prey ecology.
[B4] Thomas A. Henzinger, Vlad Rusu, "Reachability verification for hybrid automata," We study the reachability problem for hybrid automata. Automatic approaches, which attempt to construct the reachable region by symbolic execution, often do not terminate. In these cases, we require the user to guess the reachable region, and we use a theorem prover (Pvs) to verify the guess. We classify hybrid automata according to the theory in which their reachable region can be defined finitely. This is the theory in which the prover needs to operate in order to verify the guess. The approach is interesting, because an appropriate guess can often be deduced by extrapolating from the first few steps of symbolic execution. Rectangular automata are well suited for approximate modeling of continuousdiscrete systems. The exact analysis of these automata is feasible for small examples but can encounter severe numerical problems for even medium-sized systems. This paper presents an analysis algorithm that uses conservative overapproximation to avoid these numerical problems. The algorithm is demonstrated on a simple benchmark system consisting of two connected tanks. Rectangular hybrid automata model digital control programs of analog plant environments. We study rectangular hybrid automata where the plant state evolves continuously in real-numbered time, and the controller samples the plant state and changes the control state discretely, only at the integer points in time. We prove that rectangular hybrid automata have finite bisimilarity quotients when all control transitions happen at integer times, even if the constraints on the derivatives of the variables vary between control states. This is sharply in contrast with the conventional model where control transitions may happen at any real time, and already the reachability problem is undecidable. Based on the finite bisimilarity quotients, we give an exponential algorithm for the symbolic sampling-controller synthesis of rectangular automata. We show our algorithm to be optimal by proving the problem to be EXPTIME-hard. We also show that rectangular automata form a maximal class of systems for which the sampling-controller synthesis problem can be solved algorithmically.
[B7] Rajeev Alur, Thomas A. Henzinger, "Modularity for timed and hybrid systems," In a trace-based world, the modular specification, verification, and control of live systems require each module to be receptive; that is, each module must be able to meet its liveness assumptions no matter how the other modules behave. For example, physical realizability, assume-guarantee reasoning about live trace inclusion, and controller synthesis for live trace inclusion all depend on the receptiveness condition. In a real-time world, liveness is automatically present in the form of diverging time. The receptiveness condition, then, translates to the requirement that a module must be able to let time diverge no matter how the environment behaves. We study the receptiveness condition for real-time systems by extending the model of Reactive Modules to timed and hybrid modules. We define the receptiveness of such a module as the existence of a winning strategy in a game of the module against its environment. By solving the game on region graphs, we present an (optimal) EXPTIME algorithm for checking the receptiveness of propositional timed modules. By giving a fixpoint characterization of the game, we present a symbolic procedure for checking the receptiveness of linear hybrid modules. Finally, we present an assume-guarantee principle for reasoning about timed and hybrid modules, and a method for synthesizing receptive controllers of timed and hybrid modules.
