
    A Vision of Collaborative Verification-Driven Engineering of Hybrid Systems

    Abstract. Hybrid systems with both discrete and continuous dynamics are an important model for real-world physical systems. The key challenge is how to ensure their correct functioning w.r.t. safety requirements. Promising techniques to ensure safety seem to be model-driven engineering to develop hybrid systems in a well-defined and traceable manner, and formal verification to prove their correctness. Their combination forms the vision of verification-driven engineering. Despite the remarkable progress in automating formal verification of hybrid systems, the construction of proofs of complex systems often requires significant human guidance, since hybrid systems verification tools solve undecidable problems. It is thus not uncommon for verification teams to consist of many players with diverse expertise. This paper introduces a verification-driven engineering toolset that extends our previous work on hybrid and arithmetic verification with tools for (i) modeling hybrid systems, (ii) exchanging and comparing models and proofs, and (iii) managing verification tasks. This toolset makes it easier to tackle large-scale verification tasks.

    Collaborative Verification-Driven Engineering of Hybrid Systems

    Hybrid systems with both discrete and continuous dynamics are an important model for real-world cyber-physical systems. The key challenge is to ensure their correct functioning w.r.t. safety requirements. Promising techniques to ensure safety seem to be model-driven engineering to develop hybrid systems in a well-defined and traceable manner, and formal verification to prove their correctness. Their combination forms the vision of verification-driven engineering. Often, hybrid systems are rather complex in that they require expertise from many domains (e.g., robotics, control systems, computer science, software engineering, and mechanical engineering). Moreover, despite the remarkable progress in automating formal verification of hybrid systems, the construction of proofs of complex systems often requires nontrivial human guidance, since hybrid systems verification tools solve undecidable problems. It is, thus, not uncommon for development and verification teams to consist of many players with diverse expertise. This paper introduces a verification-driven engineering toolset that extends our previous work on hybrid and arithmetic verification with tools for (i) graphical (UML) and textual modeling of hybrid systems, (ii) exchanging and comparing models and proofs, and (iii) managing verification tasks. This toolset makes it easier to tackle large-scale verification tasks.

    Uniform Substitution for Dynamic Logic with Communicating Hybrid Programs

    This paper introduces a uniform substitution calculus for $\mathsf{dL}_\text{CHP}$, the dynamic logic of communicating hybrid programs. Uniform substitution enables parsimonious prover kernels by using axioms instead of axiom schemata. Instantiations can be recovered from a single proof rule responsible for soundness-critical instantiation checks rather than being spread across axiom schemata in side conditions. Even though communication and parallelism reasoning are notorious for necessitating subtle soundness-critical side conditions, uniform substitution when generalized to $\mathsf{dL}_\text{CHP}$ manages to limit and isolate their conceptual overhead. Since uniform substitution has proven to simplify the implementation of hybrid systems provers substantially, uniform substitution for $\mathsf{dL}_\text{CHP}$ paves the way for a parsimonious implementation of theorem provers for hybrid systems with communication and parallelism. Comment: CADE 202
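    The mechanism the abstract relies on, a concrete axiom over predicate symbols plus one instantiation rule that performs the soundness-critical check, can be seen on a very small scale. The following is an added illustration written for this page; it is not code from the paper, from $\mathsf{dL}_\text{CHP}$, or from any prover, and its formula syntax, the finite domain, and every function name are assumptions of the example. It models neither communication nor parallelism, only the core idea: the axiom `p -> forall x p` is sound because a nullary `p` cannot mention `x`, and the single `usubst` rule keeps it sound by refusing any substitution whose free variables a binder would capture.

```python
from itertools import product

# Formulas of an assumed toy language, encoded as nested tuples
# (this syntax is an illustration, not the dL_CHP or KeYmaera X syntax):
#   ("pred", "p")          nullary predicate symbol p, the only substitutable thing
#   ("gt", "x", 0)         atomic comparison  x > 0
#   ("not", F)             negation
#   ("imp", F, G)          implication  F -> G
#   ("forall", "x", F)     universal quantifier binding x in F

DOMAIN = (-1, 0, 1)  # finite toy domain so validity can be decided by enumeration


class SubstitutionClash(Exception):
    """Replacement formula has a free variable that a binder above would capture."""


def free_vars(f):
    """Free variables of a (possibly uninstantiated) formula."""
    kind = f[0]
    if kind == "pred":
        return frozenset()  # a nullary symbol mentions no variable until instantiated
    if kind == "gt":
        return frozenset({f[1]})
    if kind == "not":
        return free_vars(f[1])
    if kind == "imp":
        return free_vars(f[1]) | free_vars(f[2])
    if kind == "forall":
        return free_vars(f[2]) - {f[1]}
    raise ValueError(f"unknown formula: {f!r}")


def usubst(f, sigma, check=True, bound=frozenset()):
    """Apply the uniform substitution sigma (predicate symbol -> formula) to f.

    With check=True this is the one soundness-critical rule: an occurrence of p
    under binders of the variables in `bound` may only be replaced by a formula
    none of whose free variables is in `bound`.  check=False is the naive,
    unsound textual replacement, kept here only to show what the check prevents.
    """
    kind = f[0]
    if kind == "pred":
        rep = sigma.get(f[1])
        if rep is None:
            return f
        captured = free_vars(rep) & bound
        if check and captured:
            raise SubstitutionClash(
                f"{f[1]} -> {rep!r}: free {sorted(captured)} would be captured")
        return rep
    if kind == "gt":
        return f
    if kind == "not":
        return ("not", usubst(f[1], sigma, check, bound))
    if kind == "imp":
        return ("imp", usubst(f[1], sigma, check, bound), usubst(f[2], sigma, check, bound))
    if kind == "forall":
        return ("forall", f[1], usubst(f[2], sigma, check, bound | {f[1]}))
    raise ValueError(f"unknown formula: {f!r}")


def holds(f, env):
    """Truth value of a fully instantiated formula under the assignment env."""
    kind = f[0]
    if kind == "gt":
        return env[f[1]] > f[2]
    if kind == "not":
        return not holds(f[1], env)
    if kind == "imp":
        return (not holds(f[1], env)) or holds(f[2], env)
    if kind == "forall":
        return all(holds(f[2], {**env, f[1]: v}) for v in DOMAIN)
    raise ValueError(f"uninstantiated or unknown formula: {f!r}")


def valid(f, variables):
    """True iff f holds under every assignment of `variables` over DOMAIN."""
    return all(holds(f, dict(zip(variables, vals)))
               for vals in product(DOMAIN, repeat=len(variables)))


# A concrete axiom (not a schema): p -> forall x p.  It is sound because the
# nullary symbol p cannot depend on x; admissibility keeps it that way.
VACUOUS_AXIOM = ("imp", ("pred", "p"), ("forall", "x", ("pred", "p")))


def demo():
    """Instantiate the axiom once admissibly and once with a clash."""
    good = usubst(VACUOUS_AXIOM, {"p": ("gt", "y", 0)})  # y > 0 -> forall x (y > 0)
    try:
        usubst(VACUOUS_AXIOM, {"p": ("gt", "x", 0)})     # x > 0 under forall x: rejected
        clash_rejected = False
    except SubstitutionClash:
        clash_rejected = True
    # What naive replacement would have produced, and why it must be rejected:
    bad = usubst(VACUOUS_AXIOM, {"p": ("gt", "x", 0)}, check=False)  # x > 0 -> forall x (x > 0)
    return {
        "good_instance_valid": valid(good, ("x", "y")),  # True
        "clash_rejected": clash_rejected,                # True
        "naive_instance_valid": valid(bad, ("x",)),      # False, e.g. at x = 1
    }


if __name__ == "__main__":
    print(demo())
```

    The point to take from `usubst` is that admissibility is checked in exactly one place, at the moment a symbol is replaced, with the binders above it known; the axiom itself carries no side condition. Without that check (`check=False`) the same axiom yields `x > 0 -> forall x (x > 0)`, which already fails at `x = 1` over the toy domain.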

    Formally Verified Next-Generation Airborne Collision Avoidance Games in ACAS X

    The design of aircraft collision avoidance algorithms is a subtle but important challenge that merits the need for provable safety guarantees. Obtaining such guarantees is nontrivial given the unpredictability of the interplay of the intruder aircraft decisions, the ownship pilot reactions, and the subtlety of the continuous motion dynamics of aircraft. Existing collision avoidance systems, such as TCAS and the Next-Generation Airborne Collision Avoidance System ACAS X, have been analyzed assuming severe restrictions on the intruder's flight maneuvers, limiting their safety guarantees in real-world scenarios where the intruder may change its course. This work takes a conceptually significant and practically relevant departure from existing ACAS X models by generalizing them to hybrid games with first-class representations of the ownship and intruder decisions coming from two independent players, enabling significantly advanced predictive power. By proving the existence of winning strategies for the resulting Adversarial ACAS X in differential game logic, collision-freedom is established for the rich encounters of ownship and intruder aircraft with independent decisions along differential equations for flight paths with evolving vertical/horizontal velocities. We present three classes of models of increasing complexity: single-advisory infinite-time models, bounded-time models, and infinite-time, multi-advisory models. Within each class of models, we identify symbolic conditions and prove that there then always is a possible ownship maneuver that will prevent a collision between the two aircraft.

    European Works Councils: Genesis, Forms and Dynamics of their Development; a Typology (original title: Europäische Betriebsräte: Genese, Formen und Dynamiken ihrer Entwicklung; eine Typologie)

    "The article attempts, on the basis of qualitative case studies, to penetrate and classify the real diversity and the varied, non-uniform practice of European works councils (EWCs) by means of a typology. Fundamental to the construction of the types is a constitution-analytical perspective that understands the overall process of establishing and developing European works councils as a dynamic interaction between 'external' influencing factors and 'internal' conditions of constitution. Within this overarching perspective, the typology rests on an interest- and actor-analytical approach. It starts from the institutional preconditions and the practice of European works councils and at the same time takes into account the actions of the interaction partners (management, national employee representation, trade union) insofar as those actions open up, widen or limit the space of possibilities for future EWC practice. The corresponding premises and operational criteria are developed in detail, and from them the four types - symbolic EWC, service-providing EWC, project-oriented EWC, participation-oriented EWC - are derived and 'brought to life' with empirical material." (author's abstract, translated from German)
    "This study develops a typology in order to classify the diverse organisation and practice of European works councils. Qualitative case studies form the basis of the analysis. The typology is based on the notion that the establishment and development of European works councils must be understood as a dynamic interaction between external and internal influences on the constitution of European Works Councils. This framework is used to analyse the interests and behaviour of the key actors. It focuses on the institutional setting and the actual practice of European works councils and considers the role of individuals and institutions that interact with them (management, national employees' organisations, and trade unions) and how their actions expand or restrict the future role of European works councils. The study identifies four types of European works councils - symbolic, service-oriented, project-oriented, and participation-oriented - and presents empirical material on each type." (author's abstract)
