logics for hybrid systems - mse - mywebpages€¦ · this paper offers a tutorial survey and a...

Logics for Hybrid Systems

J. M. DAVOREN, MEMBER, IEEE,AND ANIL NERODE, MEMBER, IEEE

Invited Paper

Hybrid systems are heterogenous dynamical systems charac-terized by interacting continuous and discrete dynamics. Suchmathematical models have proved fruitful in a great diversity ofengineering applications, including air-traffic control, automatedmanufacturing, and chemical process control. The high-profileand safety-critical nature of the application areas has fostered alarge and growing body of work on formal methods for hybridsystems: mathematical logics, computational models and methods,and computer-aided reasoning tools supporting the formal speci-fication and verification of performance requirements for hybridsystems, and the design and synthesis of control programs forhybrid systems that are provably correct with respect to formalspecifications. This paper offers a synthetic overview of, andoriginal contributions to, the use of logics and formal methods inthe analysis of hybrid systems.

Keywords—Automata, computer-aided analysis, com-puter-aided software engineering, design automation, formallanguages, hybrid control systems, logic, software verification,temporal logic.

I. INTRODUCTION

A basic hybrid dynamical system is one whose statemay either evolve continuously for some duration of timeaccording to one set of differential equations or be abruptlyreset to a new value from which evolution is governedby another set of differential equations, with the switchestypically triggered by the occurrence of some discrete event.The coordinate variables of the state may take their valuesin the real numbers or in a discrete (usually finite) set. Thehybrid phenomena captured by such mathematical models ismanifested in a great diversity of complex engineering ap-plications, including air-traffic control, automotive control,robotics, automated manufacturing, and chemical process

Manuscript received October 18, 1999; revised March 14, 2000. Thiswork was supported by U.S. ARO under Grant DAA H04-96-1-0341.The work of J. M. Davoren was supported by U.S. ONR under Grant N00014-98-1-0535.

J. M. Davoren is with the Computer Sciences Laboratory, ResearchSchool of Information Sciences and Engineering, Australian NationalUniversity, Canberra, Australia (e-mail: [email protected]).

A. Nerode is with the Department of Mathematics, Cornell University,Ithaca, NY 14853 USA (e-mail: [email protected]).

Publisher Item Identifier S 0018-9219(00)06456-2.

control, as illustrated in companion papers in this specialissue. The last decade has seen considerable research effortin both computer science and control theory directed at thestudy of mixed discrete and continuous systems [1]–[10].In particular, the high-confidence and safety-critical natureof the application areas has fostered a large and growingbody of work on formal methodsfor hybrid systems:mathematical logics, computational models and methods,and computer-aided reasoning tools supporting the formalspecification and verification of performance requirementsfor hybrid systems, and the design and synthesis of controlstructures for hybrid systems that are provably correct withrespect to formal specifications. Broadly stated, formalmethods are a means tomathematicize, and thence tomech-anize, or render computational, what it means for a systemdesign to “get it right”: to correctly implement or satisfyprecisely stated, unambiguous performance specifications.This paper offers a tutorial survey and a fresh perspectiveon the use of logics and formal methods in the analysis andsynthesis of hybrid control systems.

A. Overview: Logics and Formal Methods for HybridSystems

The theory and practice of formal methods in the anal-ysis of computer hardware and software is well established.The field has been active for over 30 years, and has morerecently enjoyed some industrial and commercial success;the recent survey paper [11] gives an overview. Hardwaresystems and software programs are traditionally modeled aspurely discretesystems: state variables take their values indiscrete (finite or countable) sets, and state transitions aremodeled as occurring in a discrete, step-wise fashion. Theelementary system model is that of afinite-state automaton,the mathematics of which forms the core theory of computerscience. Within the discrete realm, these sequential state ma-chines have been enriched in many and various ways to incor-porate features of reactive, concurrent, and distributed com-puter systems. In the move to real-time and hybrid systems,researchers in the computer science tradition have similarlysought to extend formal methods by enriching their system

0018–9219/00$10.00 © 2000 IEEE

PROCEEDINGS OF THE IEEE, VOL. 88, NO. 7, JULY 2000 985

models and formal logics to deal with real-valued state vari-ables and state transitions that model evolution according todifferential equations.

Formal methods for the analysis of discrete systems fallroughly into three overlapping camps, which have carriedover to hybrid discrete+continuous systems:

• logic-basedapproaches [12]–[23];• automata-theoreticapproaches [18], [20], [24]–[28];• process algebraapproaches [28], [29];

with the reference lists intended as representative samples.Our focus is on logic-based approaches, although in thecourse of this paper, we will briefly discuss and give somepointers to the other two approaches and note some inter-re-lationships between the three.

Given the tutorial nature of this paper and the breadth ofits intended audience, we adopt the pedagogical course ofmaking a first pass through the key conceptual and technicalingredients, in several introductory subsections, with a viewto equipping the reader with a big picture overview of theenterprise, before embarking on the detailed technical devel-opment in the body of this paper.

In structuring our exposition, we draw on a paradigmframework for logic-based formal methods set out in theinfluential work of Manna and Pnueli in [12]–[14] and [30]and widely used in the field; the functional parts of theframework are illustrated in the lower gray box in Fig. 1.In [13], the framework is applied first to discrete reactivesystems, then to real-time extensions of reactive systems,and finally to a class of hybrid systems. Each system inthe classes under consideration is formally representedas some form oftransition system model , which is ageneralization of a finite automaton, and behavioral specifi-cations are formally encoded by formulasof a temporallogic extending the logic linear temporal logic (LTL ). Theformal mathematical semantics of these so-calledlinear orsequence-based temporal logics are such that a formulaistrue in , written , exactly when every executionsequence or trajectory of the system represented byhasthe property encoded by. The logicLTL , along with theso-calledbranchingor state-based temporal logics such ascomputation tree logic (CTL ) or (CTL ), are discussedin this special issue [31]. The syntactic primitives and thecorresponding semantic constructs of the latter temporallogics allow one to express behavioral properties ofsomeexecution sequences, as well asall execution sequences,starting from a state, and the formal semantics are suchthat means everystatein satisfies the propertyexpressed by .

In this paper, following [23] and [32], we will look to thelarger family ofmodal logics[33]–[35], which includes allthe standard temporal logics, and in particular, to the richlyexpressive “parent logic” called thepropositional modal -calculus(L ) [33], [36], [37]. The -calculus is well knownin the hybrid system literature, notably from the work of Hen-zinger and coworkers [20], [21], [38]. In earlier work on thecontrol theory of purely discrete systems, it was essentially

Fig. 1. Paradigm framework for logic-based formal methods.

rediscovered under the namemodular feedback logicby Ra-madge and Wonham in [39] as a formalism for stating andsolving supervisory control problems fordiscrete event sys-tems(DESs) [40].

We return to an introductory discussion of the logics andcomputationalapproaches to determining whethera little later. At this stage, the essential point is that a systemand its properties areformally representedas models and for-mulas of a mathematical logic. To be able to demonstratethe degree offaithfulnessof such formal representations, wemust first develop “preformal” mathematical models of hy-brid systems, and then identify and characterize in naturalmathematical language both the trajectories of such systemsand the sorts of properties we would like to reason formallyabout. This elementary point is illustrated in the upper partof Fig. 1. Note this is a separate issue from whether a partic-ular mathematical model is an adequate representation of theconcrete physical system it is intended to model. The latterissue is addressed in several branches of control theory, in-cluding studies ofsystem identification, and studies ofro-bustness. We return to robustness issues later in this paper;the idea there is that one has anominalmodel of a system to-gether with anuncertainty classcharacterizing how thetruemodel might differ from the nominal one [25].

B. Overview: Mathematical Models

As our basic mathematical model, we take a class of sys-tems known ashybrid automata, which have gained wide ac-ceptance since their introduction in [18] and [19]. The samemodel or generalizations of it are used in several other papersin this special issue [31], [41]–[43], and theswitched sys-temsconsidered in [44] are close relatives. A (basic) hybridautomaton is a closed system with a “built-in” control struc-ture determining when and how the system switches betweenits various discretemodes, where the continuous behavior ineach discrete mode is governed by a vector differential equa-tion (or differential inclusion).

In contrast, the supervisory control perspective on hybridsystems retains a clear separation betweenplantandcontrol;the theory is developed in this special issue [45] and adaptsDES control theory to the hybrid setting. Ahybrid control

986 PROCEEDINGS OF THE IEEE, VOL. 88, NO. 7, JULY 2000

systemconsists of a finite control automaton operating in aclosed feedback loop with a continuous plant, with commu-nication via AD and DA interface maps. This quintessentiallyhybrid configuration is closely related to the switching con-troller architecture in [41] and is the focus of earlier workby the second author [46], among many others. In Section II,we show how the resulting closed-loop system gives rise to abasic hybrid automaton, and is thus amenable to logic-basedformal specification and analysis. As an illustrative example,to which we return throughout the text, we consider the hy-brid control of a simple double-integrator plant in ; theexample is well known in the DES-based hybrid systems lit-erature and appears again in [45]. In the class of control prob-lems we examine, the task is to construct a hybrid controlsystemso thatthe associated hybrid automaton satisfies a pri-oritized list of performance specifications, the first of whichis safetyproperty.

Safety or invariance properties have gained the mostattention in studies of hybrid systems. These are prop-erties of the form: “All state trajectories of a system

starting from a set of initial states remain in aprescribed set at all times;” equivalently, in terms ofreachability: “The set of states -reachable fromis contained in .” For example, in an air-traffic controlexample, the “good” set could be the set of states inwhich the distance between any pair of aircraft is greaterthan some minimum separation value [42], [43]. Giventhis relation between safety and reachability, a good dealof research effort has focused directly on techniquesfor either computing exactly, or else approximating, thereachable regionsfor various classes of hybrid systems,with diverse approaches drawn from optimal control,game theory, and computational geometry; see, forexample, [41] and [42]. Other properties investigatedand formalized include qualitative temporal notions ofliveness (non-Zenoness, and switching modes infinitelyoften), deadlock freedom, eventuality, and fairness alonginfinite trajectories; qualitative ordering of events alongtrajectories; and quantitative timing properties of hybridor real-time trajectories [12], [13], [15], [16], [20], [21].

From the perspective of control and systems theory, theclassical concerns center on notions ofstability and of ro-bustnessof systems. For example, one basic notion ofsta-bility is the property: “For every , there is a

such that every -trajectory that starts within distancefrom an -invariant set always remains within of .”While a variety of mathematical formulations of these con-cepts have been proposed for hybrid and switched dynam-ical systems (stability is surveyed in this issue in [44]), therehas been little work to date on integrating these concernswithin a framework for formal methods [25], [47]. There isperhaps good reason for this. Coming as they do from com-puter science, formal methods traditionally lie in the realmof discrete mathematics, while these notions from controltheory lie squarely in the realm ofcontinuous mathematics.Well before hybrid systems, the classic systems theory textof Kalmanet al. [48] sought commonality between the twocompeting realms. In a chapter entitled “Automata theory:

the rapprochement with control theory” (written by Arbib),we find:

“One thing an automata theorist must often envy acontrol theorist is the use of continuity” (p. 179).

For hybrid automata theorists, it should go beyond envy. De-veloping ideas in [23], [46] and [49]–[51], we argue that acommon ground is to be found by adopting the languageand viewpoint ofgeneral topology, and that natural and im-posed topological and metric structure on the state spaces ofsystem models, and concepts of continuity with respect tosuch topologies, can and should be reflected in one’s formalmodels and logics.

C. Overview: Computational Models and Methods

Work on formal methods for hybrid and real-time sys-tems has produced a large variety of formal or computationalmodels. The common core is to be found in a very simpleclass of structures calledlabeled transition systemsor LTSmodelsfor short. An LTS model is an abstract structureconsisting simply of astate space of arbitrary cardinality;a collection ofbinary relations ; and a collectionof distinguishedsets of states [33], [52].

An LTS model is best viewed as anabstract dynam-ical system, or an abstract machine, whose mathematicalstructure is uniform across the discrete-continuous divide.When is a finite set and the collections of relations (cor-responding to an input alphabet) and of distinguished sub-sets (output alphabet) are both finite, such anis just anotational variant of a nondeterministicfinite automaton.In representing a basic hybrid automaton as an LTSmodel , the system state space is an uncountable set

where is a finite set of control modesand . One of the key insights in the hybrid sys-tems literature, dating back to [12], [13], and [18] andearlier work on (real-)timed automata[53], is that bothsorts of system dynamics—continuous evolution accordingto differential equations and discrete switches or resets ofstate—can be uniformly and faithfully represented as bi-nary transition relations over a hybrid state space. The dis-tinguished state sets include initial states, target or avoid-ance regions, and structural components of the hybrid au-tomaton.

Computational or algorithmic problems in formal verifi-cation take the form:

-

Given a formal of a system design,together with a specification formulaencoding a system property,the task is to ,and if not, produce a counter-examplewitnessing how to satisfy .

For a demarcated class of formal models and class of spec-ification formulas, an algorithmic solution is a “black-box”computer program, which takes as input a pair inthe given class and returns as output either the answer,preferably with a transcript of the steps taken to arrive at this

DAVOREN AND NERODE: LOGICS FOR HYBRID SYSTEMS 987

answer, or else a concrete counter-example toextractedfrom the model .

The computational focus brings out the issue of theformaldescriptionof models, as identified in Fig. 1. In order forit to be data for a computer program, the components ofthe formal model , and the underlying system model outof which is formed, must be precisely described in thesyntax of some formalism, such as a programming language,a graphical formalism like statecharts, or a more general-pur-pose formalism like first-order logic.

Some further introductory discussion of mathematicallogics is in order.First-order logicor predicate logic[34] isjust the logic that is used informally in the language of ev-eryday mathematics. For example, the standard definition ofa function being continuous at a point withrespect to a metric on is written in “informal” first-orderlogic, with variables ranging over the real numbers, as

This is “informal” since we use as an abbre-viation for and for

, and the terms and wouldformally be expanded to expressions built from the primi-tive function and constant symbols of the first-order languagein use. For example, could be ifthe language contained thesefunction symbols, plus constants for the integers and the re-lation symbol . In the formula above, the variableis notbound by an or quantifier, so it is called afree variable.Writing for that formula, the set-theoretical expression

means the subset of all points inat whichis continuous with respect to, and is said todefine

this set.A low-level formal description of an LTS model of a basic

hybrid automaton consists of a finite list of first-order for-mulas: formulas defining the state sets

, where the variable ranges over the fi-nite set of discrete states and the variablesrange over

(technically, this ismultisortedor typedfirst-order logic),and formulas with twodiscrete variables and real-valued variables, defining therelations . The semantics of high-level hybridprogramming languages such as SHIFT [54] and[55] can be given in terms of hybrid automata, and so admita low-level formal description of this kind.

Modal and temporal logicsare best viewed as fundamen-tally second-orderlogics for reasoning aboutsets of states,andoperationson sets of states, as distinct from first-orderlogics in which one reasons about elements in the domain ofinterpretation and functions and predicates of elements.

The formal semantics of the-calculus, and its (state-based) modal and temporal sublogics, define the meaning ordenotation set of a formula in a model .Formulas are built up starting frompropositional constants

that name the state sets in a model, and compounds areformed using the standard logical connectives or Boolean op-erations (“not”), (“and”), (“or”), (“ if...then...”) and

(“ iff”), together with variousmodalor temporal operators,which reflect the effect of state transitions according to therelations of a model. Among the basic modal operators arethe (relativized)boxanddiamondoperators. For relations, aformula reads “All -successors satisfy” or “ -actionsnecessarilybring about ,” while reads “Some -suc-cessor satisfies” or “ -actions canpossiblybring about .”Intuitively, is the set of states that satisfyin , and

exactly when .The two main methods for the verification of modal or

temporal logic properties aremodel checking algorithmsanddeductive proof systems. The essential task of a modelchecking algorithm is to recursivelycomputethe denotationset , and if the complement isnonempty, these states provide the required counter-exam-ples. For hybrid systems, this necessarily falls under theheadingsymbolic model checking, since over an infinitestate space, one needs a finitary syntactic or symbolic meansof representing sets of states and operations on them; overa finite state space, one can resort to explicit enumeration.When the component state sets and relations of a modelare formally defined in first-order logic, one can seek to usethe same representation (and in particular,quantifier-freefirst-order formulas) in the course of model checking. Asexamined in [31] in this special issue, thedecidability,or possibility of an algorithmic solution guaranteed toterminate on all inputs, for model checking of temporallogic properties for various classes of hybrid automata,depends crucially on the syntactic complexity and formof the first-order formulas defining the components of thesystems.

The other approach to formal verification is deductive, andthere are usually several different types ofdeductive proofsystemsthat can be developed for a logic. The simplest iscalled aHilbert-styleor axiomaticproof system, which con-sists of a collection of formulas designated asaxioms, and acollection ofinference rulesof the form

A Hilbert-style proof system is said to besoundwith re-spect to a class of models if for each in , each of theaxioms of is true in and whenever all of the premises ofan inference rule in are true in , then the conclusion ofthat rule is also true in . Deductive verification ofstarts with a list of formulas such that is im-mediate from the formal description of , or has otherwisealready been established, and then seeks a formal proof, orsequence of inference steps in, demonstrating that isa deductive consequenceof . By soundness, one can thenconclude . Hilbert-style axiomatizations are impor-tant for clarifying and understanding a logic, and are easyenough to use manually, but they do not readily lend them-selves to automated proof search or to the construction ofcounter-examples. Other types of deductive systems such astableaux systemsor Gentzen-styleproof systems [34], [56],which produce labeled tree or graph-style proofs, are bettersuited to these tasks.


A number of the logics developed for hybrid and real-timesystems consist of multisorted first-order logiccombinedwith some temporal operators to give a single formalism forbothdescription of system components and specification ofsystem properties; for example,temporal logics of actionsTLA+ and cTLA [16], [17] andextended duration calculusEDC [15], [28]. For these, deductive verification is the onlyavailable approach.

The bulk of the work on logics and formal methods forhybrid systems, as for discrete systems, has focused on the“after-the-fact” verification of a completed system design.We are interested in ways in which thesametechnical ma-chinery of model checking and deductive proof systems canbe used for the synthesis or construction of a system from anincomplete design.

-

Given a performance specification formula,and an or -description of a formal model,the task is to "fill in the blanks"and anor else determine that no such exists.

In the example control problem we consider in Section II,the blanks to fill in are an AD map and a finite control au-tomaton; together with the given plant model and DA map,the closed-loop system forms “a” hybrid automaton. We firstdescribe the construction in general terms, then return to itin later sections to show how modal logics can be used notonly to formalize the performance requirements, but also toformalize lower level decisions and computations required inthe course of the construction; we generate a list of simplerformulas that are true by construction, and from these we candeductively derive the desired specification formulas, so es-tablishing that the construction is correct.

For comparison, [41] in this special issue considers a classof control problems in which one starts with a complete hy-brid automaton , and the synthesis task is to find the largestsubsystem such that satisfies a safety property.While [41] does not use a logic framework, we will brieflysketch in Section V-C how that type of construction can beformalized in the -calculus, and its relation to similarmax-imal invariant subsetconstructions in DES control theory[39].

The body of this paper is roughly structured aroundFig. 1. In Section II, we examine mathematical models ofhybrid systems and their elementary properties and set upour hybrid control example. Section III covers transitionsystem models, and the formal representation of hybridautomata, plus a brief discussion of automata-theoretic andprocess algebra approaches to hybrid systems. The longerSection IV introduces and develops modal and temporallogics for the specification of system properties, while Sec-tion V surveys model checking and deductive proof systems,and logic-based approaches to the design and synthesisof control structures for hybrid systems. The concludingSection VI discusses related and ongoing work.

II. M ATHEMATICAL MODELS

A. Preliminaries

For reference, we include a glossary of notation in Table I,with the right-hand column giving the subsection in whichthe notation is defined.

As identified in the introduction, the elementary mathe-matical objects of interest arerelationsor set-valued func-tions, which are the nondeterministic analog of functions.Following the useful convention in set-valued analysis [57],the notation will be used to meanis a set-valued function, with set-values for each

(possibly ), or equivalently, isa relation, sometimes called thegraphof a set-valued func-tion. For points and , the expressions ,

, , and are to be read as synony-mous; in words, is an -successorof , or is an -pre-decessorof . Thedomainof a relation is theset . In computer scienceand DES theory, a relationis said to beenabledat points

. Unlike single-valued functions, every relationhas a naturalconverse(or inverse) ,

given simply by: iff .Some elementary relations of interest include: theidentity

function ; partial functionsformed by restricting to a domain , soiff and ; andset-valued constantmaps

, which means for each .The (sequential)compositionof relations and

will be written (abbreviated ) insequential (word) order, as is usual in computer science, butthe reverse of the usual order for functional composition; see[57] and [58]. Composition is explicitly defined byiff and . Given relations

and , their relational union(sumor choice)is just the union of and considered as

subsets of . For , the -fold compositionfor is defined inductively by and

. TheKleene staroperation (reflexive-transitive closure)produces the relation by taking the infinite unionof all the for . A regular expressionof relations isone formed using the operations of sequential composition,finite union and Kleene star.

A (nondeterministic)finite automatonis a structure, where is the finite set ofstates,

is the finite input alphabet, is the finiteoutput alphabet,is thetransition relation, and is

theoutput relation. The input–outputrelation ofis given by iff and

. A finite automaton is calleddeterministicif thetransition map and the output map are both single-valuedfunctions (but possibly onlypartial functions).

We also use some elementary notions from generaltopology; [59] is a useful text, and [58] and [60] developthe general topology of relations/set-valued maps. Recallthat atopology on a set is abstractly defined as a family

of subsets of that contains and and isclosed under finite intersections and arbitrary unions. The


Table 1GLOSSARY OFNOTATION

sets in are calledopen, and their complements arecalled closed. The topological interior of a set

is the largest open set contained in, while thedual closure is the smallest closed set containing.Sets will be equipped with the standard Euclideanmetric (subspace) topology unless otherwise indicated.

B. Basic Hybrid Automata and Their Trajectories

We take the standard ingredients of the popular hybridautomaton model [18]–[20], [31], but reformulate themslightly, keeping in clear view their subsequent representa-tion in a transition system model.

A continuous dynamical system on aset given by a Lipschitz continuous vector field

has, for each initial state , a unique so-lution (or integral curve) where contains0, for all , and .Under additional assumptions—for example,is compactand is continuously differentiable—the time domain of thesolutions may be extended to all of, and the system has aglobal flow with [61].For our purposes, it suffices to know that a flowis con-tinuous in both arguments separately and satisfies theflow

laws: and for alland , i.e., it respects as an additive group.

A semiflow is just a flow defined on thenonnegative time axis.

A more general class of systems is obtained by allowingthe continuous dynamics to be governed by adifferential in-clusion , where is a set-valuedvector field. As examined in the companion paper [31], thereis particular interest in dynamics of the form ,where is a rectangleor boxin , so and are fixed lower and upper bounds on therate of change in the coordinate. The associatedset-valuedflow is then given by the formula

. While the framework developed here canbe adapted to deal with differential inclusions, we focus onthe simpler and conceptually clearer basic case.

Definition 1: A (basic) hybrid automaton(HA) is asystem

where:

• is a finite set ofdiscrete states, also calledcontrolmodesor control locations;

• is thediscrete transition relationor controlgraph;

• is thecontinuous state space, the valuationspace for a vector of real-valued variables;

• for each discrete control mode :– is aflow on , giving the contin-

uous dynamics in mode;– is the set ofinvariant states for mode,

or thedomain of permitted evolutionwithin mode;

• for each discrete transition pair :– is a reset relation, defining the

possible successors of a pointupon switching from to ;

– is theguard regionor enabling eventfor a switch from to .

Thestate spaceis . The subset ofadmissiblestatesis . A set ofinitial states

may also be given. HA are usually representedgraphically as in Fig. 2.

The system is permitted to evolve according toonlywhile the state is in . The sets can arise fromphysical modeling considerations or decisions in system de-sign. In general, the reset relations can be arbitrary set-valuedmaps, and are operationally thought of as nondeterministicassignments triggered by the event of reaching a guard set.Particular reset relations of interest include the restrictionto of the identity function (i.e., the partial function

) [41] or the restriction to of a func-tion that is the identity on some real-valued coordinates andset-valued constant on the remainder [31].

Definition 2: A trajectoryof a hybrid automaton is afinite or infinite sequence such that foreach :


Fig. 2. Graphical representation of a basic hybrid automaton.

• the duration , with only ifis finite and ;

• the discrete state ;• the curve is such that for all

, and ; i.e.,is a continuous curve along the flow that lies

entirely inside , with interval if ;• if , then and the adjacent

end-points satisfy .The cumulative duration of a trajectory is the sum

. A -trajectory will be called jump-finite (jump-infinite) if is finite (infinite); time-finite(time-infinite) if ; and finite if it is so inboth senses.

The -reachability relation is defined by

there is a finite -trajectory

such that and

and and

In the reminder of this subsection, we develop just enoughof the mathematics of this class of systems to ground oursubsequent work in stating and solving a control problem,and formalizing system behavior and properties in formalmodel and logics.

The time linealong a hybrid trajectory is a lexicographi-cally ordered subset of , and atime positionis a pair

where is the step number and ; thestateof at time position is , and thecumulativetime at position is . Note that the resetactions are assumed to occurinstantaneously, between thetime positions and , which have the samecumulative time.

For each in an -trajectory , the defini-tion entails that and

. This means that if a flow can leave withoutfirst reaching a set , any trajectory with that behavior

will hit a dead endor becomeblockedat the topologicalboundary of . Also, if for some

, then trajectories reaching can also beblocked.

A finite -trajectory maybe concatenatedwith another (arbitrary) -trajectory

, with the resulting trajectory written, provided and . The

collection of all -trajectories is partially ordered by theprefix or extensionrelation , defined by iff either

or there is a -trajectory such that .An -trajectory ismaximalwith respect to iff either it isjump-infinite, or it is jump-finite and time-infinite, with theflow from remaining invariantly in , orelse it is finite with the last state a blockedstate.

A jump-infinite livenessproperty of a HA is the conditionthat every maximal -trajectory starting from a given set

is jump-infinite. A distinct liveness property is thenon-Zenocondition: there are no -trajectories that arejump-infinite but time-finite. Such trajectories are mathe-matically possible but not physically realizable; the Zenophenomena is a manifestation ofchatteringin classical con-trol theory. A simple sufficient (but not necessary) conditionfor a trajectory to be non-Zeno is theexistence of a such that for all .

For a state , the set is the collectionof all states that arereachedby some -trajectorystarting from , and the domainis just the admissible states. For any set ,the -reachable region from is the direct image

. When isgiven, the set is often referred to as , thereachable regionof . A set is -invariant if

implies ; equivalently, every -trajectorythat starts in always remains within . In particular,postimage sets (and ) are immediately

-invariant.

C. Closed-Loop Hybrid Control and Hybrid Automata

A quintessentiallyhybrid control configuration is a finitecontrol automaton operating in a closed feedback loop witha continuous plant, depicted in Fig. 3. This is the focus of aDES approach to the control of hybrid systems, developed indetail in this issue in [45]. Our purpose here is to show howsuch hybrid closed-loop systemsgive rise to basic hybridautomata and to lay the groundwork for the formulation ofa class of synthesis problems.

Under the DES approach, the finite control automaton isusually taken to bedeterministic, and both the AD-interfacemap (“generator”) and the DA-interface map

(“actuator”) are total, single-valuedfunctions.On the DA side, a control action symbol is mappedto a single constant input vector , whichis fed into the plant equation for use untilthe next control switch. The function thus determines afinite family of flows indexed by .On the AD side, the function determines a finitepartition


Fig. 3. Closed-loop hybrid control system.

of the plant state space , with equivalence classesindexed by plant events

. The discrete plant event signal instantaneously changesfrom to , and the new sent as input to the control au-tomaton, when the plant state hits (or crosses) thecommonboundary of the disjoint plant event re-gions and . (Recall the topological boundary operatorsatisfies .)

In [45], a chief object of study is the finiteDES plant au-tomaton, formed by taking the plant together with the ADand DA interface maps, with a view to adapting and applyingthe Ramadge–Wonham DES theory to the purely discreteclosed-loop system of DES controller and plant. Their for-mulation also differs slightly in that it associates plant eventswith dimensionalhypersurfaces, which separate intodisjoint regions; any finite collection of hypersurfaces willdefine a partition of , with the common boundary of anytwo equivalence classes’ lying in one of the hypersurfaces.The definition in [45] of the closed-loop trajectories onof their hybrid control systems is also more involved in thatit allows a fixed time delaybetween the time a new plantevent symbol is sent as input to the controller and the timethe controller outputs a new control action to the plant. Weignore that complication for now but return to it briefly inSection III-B.

Proposition 3: Given a hybrid control loop as in Fig. 3,with single-valued AD and DA interface maps, there is ahybrid automaton such that the trajectories of are inone–one correspondence with the closed-loop trajectories of

.In general, there will be many such hybrid automata.

For the simplest such system, suppose all we know about thefinite control automaton is its input–output relation

(which in general is set-valued even when the automatonis deterministic). A pair can be read as a basicinstruction of the controller: in the plant region, apply con-trol action . So an obvious choice for the set of con-trol modesof the hybrid automaton is

; for each , take , and takeas the mode-invariant. Edges

in the hybrid automaton control graphencode the (zero-delay) switching behavior of closed-looptrajectories by taking andtaking the reset relation as .

The two interface maps and determinediscretizationsof the plant state space and the plant input space

, respectively. A richer class of discretizations isobtained by allowingset-valuedinterface maps, as indicatedin Fig. 3. A set-valued DA map associates witheach control action symbol a set of input vectors

; the plant is then governed by the differential in-clusion , where ,as in the generalized hybrid automata considered in [31].

Developing ideas in [46], our interest here is more in theother side. A set-valued AD map determinesa family of possibly overlappingplant event regions

indexed by . Whenis total [dom ], such a family defines afinite cover

, and conversely, any finite cover of de-termines a total AD map . In defining whatwe mean by the closed-loop trajectories of a system witha set-valued AD map, the simplest way to do so is directlyin terms of an associated hybrid automaton, so that the ex-tension of Proposition 3 to the set-valued case will becometrue by definition. Assume the cover is nondegenerate, so

for . Then as before, let be the hybridautomaton in which , but now simply take

and for . If it is pos-sible to evolve under actionfrom a plant state ininto a state in , so causing a change in the setof symbols sent by to the controller, and if ,then put an edge , and take

and . Comingfull circle, the hybrid automaton representation can be usedto produce arealizationof a finite control automaton with thegiven I/O relation by taking itself as the internalstates, defining by iff

and , and taking asprojection onto .

The focus in [46], followed up in [62], is on thefinitetopologygenerated from a finite cover by takingall (finite) unions and intersections. In particular, when eachof the cover sets is open in the standard topology on

, the resulting finite topology is asubtopologyof thestandard topology on . We briefly return to a discussion offinite topologies in Section IV-H.

For synthesis, our interest is in general recipes forbuildinghybrid automata, from the ground up,so thatthe resultingsystem is guaranteed to satisfy a list of performance specifi-cations. We consider the following class of problems.

Problem 4: Given , and a plant model, together with a finite control action alphabet

and a DA map , the task is tocomplete thecontrol loop by constructing a finite plant event alphabet

, an AD map , and a controller I/O relation, so that the associated hybrid automaton

satisfies a prioritized list of performance specifications ofthe following form.


1) Safety: Given a proscribed set , no -tra-jectory shall ever enter the set ; the constructionmust produce a set that is invariantunder -trajectories, which will be taken as a set ofinitial states.

2) Event sequence behavior: Given a finite collection ofsets , , with , and aset-valued map prescribing an orderof traversal through the regions , every maximal

-trajectory starting in shall be such that when-ever it ever enters an , it remains therecontinuallyanduntil it crosses into for some .

3) Liveness: Every maximal -trajectory starting fromshall be jump-infinite and time-infinite (hence

nonZeno).To ensure the problem is well posed, assume that each,

as well as and the whole space , are connected sub-sets of ; for each , is alsoconnected; and there is a connected set such that

covers . This initial cover will then berefinedto produce a cover that gives an AD map.

D. Example Control Problem and Solution

We illustrate a general synthesis construction by way of asimple example. The same double integrator plant also ap-pears in [45], with different control objectives. The plant dy-namics over and are given by

i.e.,

The input-parametrized flow is definedby degree 2 polynomials

For the control action alphabet, we take ,and take a single-valued DA map given by

, and , for some fixedcontrol value . The resulting three flows are illustratedin Fig. 4.

Our concrete performance specifications are that theregion is the unit disk and the prescribed event sequence be-havior is to proceed with a clockwise motion. Visually, weare steering a point around the disk using sequenceschosen from three primitive control actions.

To solve this problem, we start by fixing a marginofmetric tolerance, with , and let be the open-ball around the unit disk (using the Euclidean metric on

), so . Westrengthen the safety requirement by this tolerance margin,and will look for the invariant set within thecomple-mentof . To encode the clockwise motion requirement,for each , let be the set of points

Fig. 4. Three flows of double integrator plant.

lying in the open th quadrant of and outside the closedunit disk, together with a-overlap into the th quad-rant, where if and if .For example

The prescribed order of traversal is then given by(single-valued), and the connected sets in

form an initial cover of with -overlaps. The syn-thesis procedure then consists of three stages.

Stage 1—Refining the Initial Cover:The strategy is toidentify all the subregions of from which a safety viola-tion is possibleunder one of the controls. For eachand , let - be the set of points in thatare within distance of some point in from which -con-trolled evolution canpossiblyleadinto . And letbe the set of points in from which -controlled evolutionalwaysremainsoutside . By construction, -and overlap with metric width . The subregions

of then consist of the nonempty connected com-ponents of all possible combinations of intersections

-

for subsets .Fig. 5 illustrates such a cover. For example, is

- , which (by handcalculation) is explicitly defined by conjunctions of degree2 polynomial inequalities

Similarly, is - -, and are the two connected compo-

nents of , and is- - . along with

is too small to draw, so its location in Fig. 5 is indicatedby ; likewise for and . For each , let

be the all- -unsafe region - . Inthe example, is that part of in theopen annulus of inner and outer radii 1 and . Set

, to give acover of 25 sets.

Stage 2—Determining the Control Modes and ControllerI/O Relation: . From the cover , the


Fig. 5. Finite cover ofX = .

first subtask is to determine a control law ad-equate for thesafetyrequirement. Our solution strengthensthe safety condition a little more by using the set

, which is the open disk of radius ;we will ensure that the complement of will be in-variant. Take to be the full product minus anymodes for which - . For ex-ample, , , and are eachdiscarded. For the danger regions , this willdiscardall modes , so these need to be separatelyconsidered. In the example, we put back in tothe modes

, , , and , as-signing default control actions in these danger zones. For thecore failure region , we extend the control alphabetbyadjoining a special symbol , with the associated trivialflow for all (i.e. ), and put

.The second subtask is to further refine to a subset

which is adequate for theevent sequencerequire-ment. Control mode pairs must be discardedif -evolution on leads directly to where

(for example, discard ), or if-evolution in never leaves and

(for example, discard and ). For thepositive content of thisuntil property, must be suchthat for each , there is at least onesequence in , with for

, that defines a switching sequence (withno cycles in the sub-regions) that leads from tofor some . The absence of such a sequenceis the reason for discarding and .Before setting , we must also check for coverageof the space : for each region , we need at least onecontrol action such that . This ensuresthat as an I/O relation, is total, and that in the final hybridautomaton , for each , there is a such that

.

Stage 3—Determining the Control Graph: .We put if ,and if and where ,then -evolution can lead from into (i.e.,edgesinto regions within only require overlap). Forthe jump-infinite livenessrequirement, the graph must befurther checked to ensure that for each , ,every point in can -evolve into some overlap switchingregion , for some .

Our hybrid automaton solution is illustrated in Fig. 6,with the labels for guards and resets omitted for readability.The required -invariant set is , andwe further claim that all -trajectories starting in re-main in until they cross into , and that all max-imal -trajectories starting in are both jump-infiniteand non-Zeno. Note that regions, with their defaultcontrol actions,couldcause pathologies,if a trajectory wereever to reach them. For example, anevolution from a pointin would head straight for . From points in

, we could produce a Zeno trajectory by switchingbetween modes and after successivetime durations , for some sufficiently large

, so the trajectory would always remain in .We return to this example at various points in the rest of

this paper. In particular, we will show how to succinctly char-acterize in modal logics theoperations on setsused to con-struct the sets- and from and ,and to formalize the decisions required in the course of theconstruction, so those decisions could be resolved using asuitable model checking tool. A more detailed account of thissynthesis procedure is given in a separate paper [32], and anextension that directly addresses robustness is given in [63].

III. COMPUTATIONAL AND FORMAL LOGIC MODELS

A. Labeled Transition Systems

We now turn to a more detailed examination of abstracttransition system models, which provide both a formalcomputational modelof system behavior and aformal logicmodelfor the semantics of modal and temporal logics.

Definition 5: A labeled transition system(LTS modelorgeneralized Kripke model) of signature is a structure

where

• is the state space, of arbitrary cardinality;• for eachrelation label(transitionor action label)

, is a relation on states;• for each atomic proposition(state predicate, event

label) , is a fixed subset of states.Thesignature of an LTS model is just the pair

of alphabets, possibly infinite, indexing the relations and thestate sets of . Anticipating the logics in Section IV, where

and will occur in the formal syntax of thelogic languages, the relation and the state set arethe semanticdenotationsin of the symbols and , re-spectively.


Fig. 6. Hybrid automaton solution for double integrator problem.

An LTS model is transparently a generalization of a finiteautomaton, obtained by merely dropping any assumptions offiniteness. The system transition relation for

is the consolidation of the component transition relations:

iff , and for the output map ,define iff ; the output orobservationat astate is thus the set of all atomic propositions satisfied by.

The discrete origins of transition system models are em-phasized in the notation of [20], [21], [31], and [38], whichuse for the state space and write the global transition rela-tion as a three-place relation . We modify thenotation because we want to render transparent the generalityof LTS models as abstract dynamical systems and the way inwhich trajectories and executions sequences are formed fromthecompositionof the component transition relations.

Automata-theoretic approachesto formal methods are in-timately related to logic-based work using linear temporallogics [64], [65] and overlap significantly with DES controltheory [40], [66]. The common focus is on thebehaviorof anabstract machineas characterized by an automaton formallanguage of finite or infinitewords over an alphabet, withwords encoding the qualitative ordering ofeventsand/orac-tions.

Definition 6: An execution sequence(computation se-quence, path, run) of an LTS model is a finite or infinitesequence over such that for

all , either or else and ,where is the empty word. (This is one way to treatfinite and infinite sequences together.) Theobservationaltraceof is the sequence or word over thealphabet , where the th observation

. For each state ,the set of traces of all execution sequencesstarting from is called thelanguageover generated by. When a set of initial states is given, via , the

language generated by , written , is the union of alllanguages for .

In automata-theoretic approaches to formal verification,properties of a machine are specified by another ma-chine of the same class (and signature). The veri-fication question in a logic-based approachis replaced by a question ofbehavioral inclusionbetween

and ; the basic relation is oflanguage inclusion:. For some automata-theoretic work,

and for linear temporal logics such as LTL, the definitionof is usually restricted to infinite words (-words)

[31], and the trace alphabetmay be just the ob-servation/event alphabet , or the transition/actionalphabet .

B. LTS Models of Hybrid Systems

In representing a hybrid automaton as an LTS model,one could, as a first pass, simply take the hybrid reacha-bility relation as the sole transition relationover the state space . With this relation, properties of theform “Some (all) -trajectories starting from ” can bereexpressed in terms of relational successors, as “Some (all)

-successors of ,” since a -successor is any state lyingon any -trajectory starting from. The temporal logic con-structs “At some time ” and “At all times ” can be givena clean semantics over-trajectories just using the rela-tion.

For both computational and conceptual reasons, this willnot suffice. Computationally, the relation is intractablesince it will very rarely have an explicit first-order descrip-tion; conceptually, it is a compound that needs analyzing.Going back to the definition of a hybrid trajectory, weneed the notion of control action or flow applied within aprescribed region.

Definition 7: For any semiflow and set, define a relation of (positive)

evolution along within by

That is, is a -successor of iff is a flow suc-cessor of along and in addition, all intermediate pointsalong the flow between and lie inside . A point thushas either a continuum of successors under , namely,every point on the maximal integral curve oflying insideand starting from , or it has just itself, or it has none if

. The (positive, or future)orbit relation [58]

is the unconstrained evolution relation: .Direct from the flow laws, the relation is reflexive, tran-

sitiveandweakly connected(meaning that if and

then either or ), andshares the same properties except reflexivity is restricted tothe domain . The evolution relation can be further decom-posed via the equation exactlywhen the set is -convex, in the sense that if

and , then [51]. For example, each


of the cover sets in the synthesis problem in Sec-tion II-D is convex with respect to each of the flows ,

, and .Definition 8: An LTS model for a hybrid automatonincludes the following components:

• state space ;• for each , theevolutionrelation

• for each , theresetrelation

• a finite collection of distinguished subsets of, in-cluding for each , and

for each ,plus any other sets of states of interest for the particularsystem.

The transition alphabet for includes symbolsfor and for . It follows from thedefinition that and

.The definition here is equivalent to that in [19], [21], and

[31]. Close relatives of these LTS models include theintegra-tion graphsof [67]; thegeneralized Kripke structuresof [26];and thephase transition systemsof [12]–[14]. The latter in-clude a distinguished real-valued variablefor global time,with the coordinate dynamics within any evolution,and the identity constraint in any reset relation.

We can now simply characterize the hybrid reachabilityrelation.

Proposition 9: Given a hybrid automaton over statespace , let be the finite unions

and of the component evolutionand reset relations of . Then the -reachability relation

is such that

iff

Hence, as a regular expression, .The proof just appeals to the definition of the sequen-

tial composition (and union) of relations. For each-tra-jectory , there is a correspondingexecution sequence

in alternating form. And conversely,for each execution sequence with alternating evolutionsand resets, of the form , there isa unique -trajectory which realizes this sequence.

The constrained evolution relations are called “time-ab-stract” (or better, “time-indeterminate”), since the timeduration along the integral curve is “quantified out” [20].This indeterminacy is exactly what is needed to capture theevent drivennature of hybrid trajectories. Variations canbe obtained by modifying the time quantification:uppertime-boundedor lower time-boundedvariants ofreplace by or , respec-

tively, for some constant , and anexact-timevariantdrops and substitutes in the body. Thetrajectories of systems with time delays between switchingflows, as in [45], may be characterized using more complexregular expressions involving these time-bounded relations.

In our synthesis procedure in Section II-D, the initial dataof the problem all live in the continuous world , anddiscrete states have to be constructed. This naturally leadsto a “purely continuous” LTS model, called , with

the plant state space and atomic propositions naming theinitial cover sets and . One can then work withevolution relations and, once the finalcover is constructed, reset relations .

The example also illustrates how the very generic structureof an LTS model can be used to representstaticor structuralrelations on a space, as well as dynamic transition relations.Recall our use of ametric toleranceparameter . Definea relation by: iff .So the set image is just the -ball around , and therelation is reflexive and symmetric, but not transitive. Apoint lies in the set - iff and thereis an that is a result of applying the compositerelation to . We resume this discussion inSection IV-D.

The notion of continuity for automata developed by Arbibin [48, § 6.4], is based on an abstracttolerance spaces ,for any reflexive and transitive relation, rather than topolog-ical spaces. Our source for the notion of a tolerance relation,as was Arbib’s, was work of the topologist Zeeman from theearly 1960s.

C. Richer Formal Models of Hybrid Systems

Process algebraapproaches to formal methods focus onthe algebraic character of operations used in the formationof complex systems out of simpler ones, parallel compositionbeing one such constructor. The work on HCSP in [28] ex-tends Hoare’s formalism ofcommunicating sequential pro-cesses(CSPs) to include continuous evolution as a primi-tive process, in addition to discrete actions and asynchronouscommunication, and the process constructors include quanti-tative timing constructs. To make the connection with transi-tion systems, the HCSP process expressions could be givena semantics as relations in an LTS model over a valuationspace of continuous and discrete variables plus communi-cation channels. The work in [29] uses Dijkstra’spredicatetransformers[68] to reason about the effect of actions or pro-cesses; these are essentially the same as the basic operatorsof modal logic, as discussed in Section IV below.

In work on discrete systems, there is a huge and well-es-tablished literature on the use ofpetri nets(in their manyvariations) for modeling systems consisting of a network ofinteracting subsystems in which the state is distributed; morerecently, some of this work has been extended to timed andhybrid systems. The recent dissertation by Cook [69] is a sub-stantial resource. In that work, ahybrid netmodel is given aformal representation as an LTS model, and property speci-fication is given in the modal -calculus.


Other formal models ofopenor reactivehybrid systems,whose behavior is influenced by that of an external environ-ment, arehybrid I/O automata(HIOA), introduced in [27]and used in this issue in [43], andhybrid reactive modules[70]. The state space for both these models is essentially ofthe form , where , and are the valu-ation spaces ofinternalor privatevariables,inputor controlinterfacevariables, andoutputor externalvariables, respec-tively, andactionsof such systems can represented as transi-tion relations on the product state space.

IV. PROPERTYSPECIFICATIONLANGUAGES AND LOGICS

A. Overview of Modal and Temporal Logics

The well-known temporal logics such asLTL or CTL ,first formulated for program and hardware verification in thelate 1970s and early 1980s in landmark papers [71], [72], be-long to a larger and older family ofmodal logics. Modal logicwas originally the province of philosophers interested in an-alyzing the concepts ofnecessityandpossibility. Symbolicmodal logics first appeared in 1912 in the work of Lewis,and modern approaches derive from the work of Kripke [73]in the early 1960s, who gave a formal semantics over modelswith a single “accessibility” relation between states referredto as “possible worlds;” these structures are known asKripkemodels, and LTS models are their generalization to multiplerelations. The survey articles [33], [37], [56], and [65], andthe textbooks [30], [34], [35], and [74], are good resourcesfor modal and temporal logics.

Fig. 7 is a schematic diagram of the family of logics withsemantics over transition system models. The solid arrowsindicate relations of inclusion or subsumption betweenlogics, in the sense that everything expressible in the firstcan also be expressed in the second. Among logics withsemantics over LTS models, indicated by boxes with solidoutlines, the propositional -calculusL [33], [36], [37]is the most expressive. Among the “nontemporal” modallogics, there ispropositional dynamic logic(PDL) [75],[76], and modal logics for reasoning about theknowledgeof an agent or process in a distributed system [74]. Boxeswith broken outlines indicate logics that require someextension or adaption of LTS models. These are topologicalmodal logics [23], real-time extensions of temporal logics[20], [21], [53], [77], interval temporal logics [15], [28],[78], [79], and alternating temporal logic(ATL) overgame models [80]; the latter logic has an extension to analternating -calculus, indicated by the broken line arrow.

Since virtually all the work on logic-based specification ofhybrid systems, and discrete systems before them, has beenwithin the narrower subfamily of temporal logics, our breakwith tradition needs some further explanation.

In Pnueli’s landmark paper [71], he identified the thennew temporal logics as falling under anendogenousor “in-ternal” approach to property specification. In branching tem-poral logics such asCTL or CTL (reviewed in this issue in[31], next-stepformulas have the semantics: “Some

Fig. 7. Family of propositional modal and temporal logics.

one-step successor satisfies,” where the one-step relationis and the component relations are abstractedaway. Behavior along execution sequences is captured bytaking the Kleene star of the one-step relation, and theal-ways formula has the semantics: “Alongall execu-tion sequences,all states satisfy .” The key point is thatin temporal logics, one can reason directly about executionsequences of a single system, but there is no facility withintheir formal languages to talk about how the behavior of anyone system iscomposedfrom its internal parts, or tocomparethe behavior of two or more systems.

The endogenous approach is in contrast with theex-ogenousor “external” approach, exemplified by the poly-modal logicPDL [75], [76], in which the component tran-sition relations of LTS models are “first-class objects,” ex-plicitly named in the syntax of the logic. InPDL, onereasons directly about the primitive relations of a model,and compound relations formed from them using the reg-ular expression constructors of composition, finite unionand Kleene star, and others such as the constructor.While the exogenous approach has been highly successfulfor purely discrete systems, where the component transi-tion relations have a homogeneous character, it is worthyof reexamination in the case ofhybrid systems, where theinternal components are necessarilyheterogenousin na-ture.

We start with an exposition of the base logic,propositionalpoly-modal logic(PML ), which can be taken as the commoncore of all modal and temporal logics over LTS models, andillustrate how to use it to express finitary properties of re-lations, and in particular, various steps in our synthesis pro-cedure from Section II-D. We then turn toL , which addsto PML the power to reason about infinitary constructionsof relations such as the Kleene star (so subsumingPDL), aswell as all the operators of temporal logics, and illustrate howit can be used to cleanly and simply express a wide variety ofproperties of hybrid automata. We also survey the literatureon temporal and modal logics for hybrid and timed systems,with a focus on quantitative real-time properties beyond whatis expressible inL , and on topological extensions ofPMLandL .


B. Propositional Poly-Modal Logic

Definition 10: The set of formulas ofPML inthe signature is inductively defined by the grammar

for atomic propositions and relation labels .The other propositional connectives can be defined in a

standard way: conjunction ,

implication , and equivalence

. In addition, weintroduce (“ true”) as an abbreviation for any fixed propo-sitional tautology, such as for some , and“ false” . The modal operators are pronounced“diamond- ,” and the dual “box- ” operators are defined by

. In the syntax of the branching temporallogic CTL [31], the singlenext-stepoperator replacesall the separate modal operators for , and a single

replaces all the operators .Semantically, a formula will denote a set of

states. The Boolean operations of negation and disjunctionclearly correspond to the set-theoretic operations of comple-ment and union. For modal formulas and , we needoperators built from the relations .

Analogous to the inverse-image operator of asingle-valued function, any relation deter-mines a dual pair ofpreimage operatorsPre :

mapping sets to sets, defined by

In words, iff there issome -successor ofthat lies in , while iff all -successors of

lie in . Note that the latter still holds when ,so there areno -successors of , hence

for any set . The duality between the oper-ators is with respect to set complement, and is given by:

.The preimage operators have appeared under various

names and notations, and in diverse settings, throughoutmathematics and computer science. From Dijkstra’sfamous text [68], they are known aspredicate trans-formers. In that work, the set is referred toas , the weakest liberal preconditionof undera relation , while the weakest preconditionis taken as , where

. A related transformer is the

postimage operatorPost , also called thedirect-image . For Dijkstra, this is , thestrongestpostconditionof under . In general topology, the purelytopological notions ofcontinuity for relations/set-valuedmaps are defined using the operators and

[57], [60]; we return to point this in Section IV-H.Definition 11: For formulas , thedenotation

set in an LTS model of signature is

defined by induction on the structure of formulas. For thebase case of , the denotation sets are given ascomponents of , and for compound formulas

for

For formulas , we say: is satisfiedat statein , written , if , and is true in ,written , if .

Let be thefamily of all sets of states in denoted by PML formulas.Then forms aBoolean algebraof sets, which is gen-erated from the atomic state sets for . The “top”element of the Boolean algebra is , the “bottom”element is , and it is partially ordered by inclu-sion , which corresponds to the implication connective inthe sense that iff .

The algebraic theory of relations and their operators onsets was developed in the 1940s and 1950s in the work ofTarski and Jónsson [81], [82]. In terms of that work, thealgebra is a Boolean algebra with operators, whichis closed under [and hence also ] foreach . In more modern terms, is a modal al-gebra [33], [51], the smallest of all modal algebras of sets

for , and we refer to it as theminimal modalalgebrafor .

C. Finitary Relational Properties in PML

The axioms for a Hilbert-style proof system forPML con-sist of the axioms of (classical) propositional logicPL (see[34]) plus the following:

The corresponding axioms and are ob-tained by Boolean duality. The inference rules forPMLconsist of the classicalmodus ponens, MP: from

and , infer , and the rule ofmodal necessitation,Nec: from , infer . (Thesoundnessof the latter

rule says if then .) These axiomsand rules characterizenormal modal operators [35]. Adominant theme within general modal logic is the studyof the correspondence between elementary properties ofbinary relations and formulas of modal logic [35], [56]. Forexample, the properties ofreflexivity, transitivity, andweakconnectedness, as possessed by the orbit relation of aflow, are characterized by the formula schemes, , and(the names being historical within modal logic)


Together with the normality axioms, these three formulaschemes axiomatize the modal logicS4.3.

The preimage operators are well behaved with respect tothe regular expression constructors ofsequential composi-tion andfinite unions, justifying the definitional extension ofPML by and . Wecan also conservatively extendPML with defined modalitiesfor compound relation symbols formed from formulas

, with the semantics . In the syntax of

PML , define .The expressiveness ofPML can be properly increased

by adjoining modalities and for the converse rela-tions, interpreted by the postimage operators; the temporallogic analogs are referred to aspastoperators. The additionalaxiom schemes are

In work on deductive verification using temporal logic,such as [12]–[14], and [30], it is standard practice to supple-ment the syntax of temporal logic with additional notationto expresssafety verificationor correctness conditions. Theso-calledHoare triplenotation is transcribed intothe language ofPML by the formula , which reads:“If holds, then all -successors satisfy;” in particular,

asserts that the set of-states is (future-)invariantunder the relation .

Working in an LTS model of a hybrid au-tomaton , we have and

. The formula asserts thatmeets the sensible design condition that resets under

always lead to . Extending the signature of by ad-joining relations for the unconstrainedflow or orbit re-lations on (replacing within the definition of in Definition 8), the formula

asserts that the flow cannot stay in for-ever.

Within PML , we are limited to the expression of proper-ties of -trajectories with afinite number of jumps. Letand denote the relational unionsand , respectively, ofthe component evolution and reset relations. Then for a fixed

, the modal formula denotes the set of statesfrom which there issome -trajectory with dis-

crete jumps that reaches a-state, while denotesthe set of states from whichevery -trajectorywith discrete jumps reaches the set of-states, and remainsthere throughout its final evolution interval. In order to reasonaboutarbitrary -trajectories, and to define modalitiesand , which correspond to the preimage operators of the

-reachability relation , we have to move to the-calculus.

D. Example Control Problem Revisited

Before making the infinitary move, we return to the ex-ample synthesis problem in Section II-D. As discussed at theend of Section III-B, we can work in an LTS model with

. Define the semantics of relation symbols by

and . Then the sets- and have the modal characterizations

-

This is because denotes the set of points withinofsome -state, so the -“closure,” while the dual de-notes the -“interior,” meaning the set of points all of whose-neighbors are still -states. The “fattening” with the outer

operator in - creates the overlaps. The sub-regions are then modally defined by conjunctions of- ’s and ’s. The nominated invariant set

is characterized by

The fact that each of the cover sets are convexwith respect to each of the flows is expressed by the for-mula

where , and likewise for the initial quadrantregions . This in turn implies

The safety control law is constructed so asto ensure that for each

is true in . In refining to deal with the event sequencerequirement, the reason for discarding is because

is true in , which means is fu-ture-invariant under the flow . The modeis discarded because the set isnonempty. For the positive content of the event sequence re-quirement, we have to produce a subset such thatfor each , there is at least one switchingsequence starting from in control

and leading through and into , with no cycles inthe subregions. For example, for each ,we keep because

is true in ; this says -evolution in inevitablyleadsto . Then we can keep because

Each quadrant can be systematically searched, startingwith the subregions that overlap with .

E. Propositional Modal -Calculus

Thepropositional modal -calculusL [36] is a logic ex-tendingPML by adjoining least () and greatest () fixed-point quantifiers. Semantically, this adds the mathematically


common and highly useful construct “theleastset suchthat ” or “the greatestset such that

,” where is an inclusion-monotonefunction mapping sets to sets. This fixed-point construct isthe essence of the notion ofinductive definability, includingthe iteration construct of the Kleene-starof regular expres-sions. The -calculus occupies a paramount place in formalmethods: the expressive power of the fixed-point quantifiersare such that it subsumes virtually all modal and temporallogics over LTS models, and formal verification bymodelcheckingfor all such logics is essentially based on a transla-tion into the -calculus [37]. In DES control theory, themod-ular feedback logicin [39] consists of propositional logic,Dijkstra’s predicate transformers, and least and greatest fixedpoints.

Definition 12: Let be a set of propositionalvariables (second-orderor set-valuedvariables). The set

of formulas of L in the signature isinductively defined by the grammar

for atomic propositions , propositional variables, and relation labels , with a further syntactic

restriction that is in only if every free oc-currence of in is within the scope of an even number ofnegations. Analogous with first-order quantification, a vari-able in the scope of or is said to bebound, andfree otherwise. A formula will be called asentenceif it contains no free variables, and the set of allsentences will be denoted .

Propositional variables are our means to talkaboutany or all subsets of states , in additionto particular constant sets . The fixed-pointconstructors give a special kind ofquantification oversubsets of states. Formulas are informally read “Thesmallestset such that ,” while the dual

is read “Thelargest setsuch that .” The expression meansthe formula resulting from by substituting for all freeoccurrences of , with a side condition to avoid unintendedclashes of variable names.

Definition 13: A variable assignmentin an LTSmodel , is any function: . For formulas and variable

assignments , the denotation set in an LTSmodel of signature is defined by induction onthe structure of formulas. For the propositional connectivesand modal operators inL , the semantic clauses are as forPML , with the addition of a subscript

where is the assignment that is the same asexceptfor assigning the set to the variable . For formulas

and assignments in , we say:is satisfiedat state in , written , if

, and is true in , written , iffor all assignments in .

For sentences , their denotation is indepen-dent of any variable assignment, and so written . Modelchecking forL applies only to sentences since the denota-tion has to be computed. Note thatPML formulas areall L sentences; i.e., .

The formal semantics say the set is the leastprefixed point(the intersectionof all such prefixed points)of the operator on sets given by

. The syntactic restriction on-formulas ensures that this operator is-monotone. The

Tarski–Knaster theorem for monotone operators on completelattices [such as ] guarantees that the least pre-fixedpoint exists, and is equal to the least fixed point.

In order to try tocomputethe denotation of a fixed-pointformula, as is required for model checking, one appeals to theHitchcock–Park fixed-point theorem. This result says the set

may be characterized as aunionof an -increasingchain ofapproximations, starting with , and formed by it-erating the operator until a fixed-point set is reached.The finite stages of the approximation sequence are explic-itly described by the denotations of formulas , wherethe “unwinding” sequence is recursively defined by

and for

The approximation up to stage(theordinal numberof )is the union over , but in general, the approxima-tion sequence may proceed pastand throughtransfiniteordinals, of cardinality less than or equal to that of, be-fore convergence occurs. There is a well-developed theoryof approximations of fixed points; for our purposes, it suf-fices to know that when the semantic operator dis-tributes over unions of countable-increasing chains of sets(a property also called “-continuous” [33], [52]), the or-dinal of convergence for is at worst . In particular,for the Kleene star constructor on relations, which is defin-able in the -calculus by , one has

The notion of abisimulation relationon or between LTSmodels is of fundamental importance, and a central concernof [31] in this special issue. A bisimulation equivalence isa type ofcongruencethat respects the component relationsand distinguished subsets of an LTS model. The fundamentalproperty of truth preservation is the following.

Proposition 14 ([33]): Given an LTS model of signa-ture , if is a bisimulation equivalence on , thenfor all sentences and all states

A corollary is that if has a bisimulation equivalenceof finite index , then for each sentence , its approx-


imation sequence is guaranteed to converge at some stage, so

This is because Proposition 14 entails that the denotation setof eachL sentence must be a union of equivalence classes.The quotient LTS model is then a fully discrete finiteautomatonsimulacrumof the original , which satisfies andmakes true all the same-calculus sentences.

F. Formalizing Properties of Hybrid Automata in

The modal -calculus provides a very rich formalism inwhich to formally express properties of hybrid automata.With the use of defined modalities fromPDL, the formulascan be rendered “human readable,” circumventing a standardcritique of the inscrutability of -calculus notation.

Let be an LTS model of a hybrid automaton. Sincethe -reachability relation satisfies , the diamondand box modalities for can be defined by

and thus

1) Invariance: denotes the largest -invariant setcontained in the set of -states, provided (where

) and hence ; in general,denotes the largest -invariant set contained in the set

of -states, the latter also including all of .2) Safety: is true in iff every -tra-

jectory that starts in a -state always remains in the set of-states.3) Reachability: denotes the region -reachable

from the set of -states, where .Applying the axioms -1 and -2, the formulas

and are equivalent.4) Jump-Infinite Liveness:Every maximal -trajectory

starting in a -state makes infinitely many discrete jumps,iff the sentence

is true in . The first conjunct says that from all states-reachable from -states, it is possible to evolve into one

of the guard sets, and the second says that for each, the flow

will eventually leave , and all resets from that part ofthat is -reachable from must lead to .

5) Inevitability: says that from every state-reachable from a -state, there is a -trajectory leading

to a -state.6) Eventuality: says that for

every -trajectory from a -state, if it ever reaches a-state, then it has a further extension that eventually

reaches a -state.7) Non-Zeno Liveness:A sufficient, but not necessary,

condition for the non-Zenoness of all-trajectories startingin a -state is the existence of a such that

where is the (strict) -upper-bounded evolution rela-tion.

8) Instances of Stability:For fixed and ,defineand likewise for . Then the sentence

says that is a -invariant set, and that every-trajectorythat starts within of always remains within of .

With propositional variables ranging over all subsets of thestate space, we have the machinery tocomparerelations. Therelational inclusion holds iffiff , i.e., for all possible assignments of aset to the free variable .

Comparison of relations allows us to formalize questionsof approximate verificationin L . Suppose we wish to verifya safety sentence in a systemwith complex nonlinear dy-namics, for which model checking is not possible (discussedin Section V-A). One then seeks out a simpler systemthat is anoverapproximationof , and for which modelchecking is possible. For example, could be chosen sothat each of the component evolution relations satisfy

, and the reset relations are the same, so , and hence. Then the approximate safety sentence

entails the desired safety sentence . How-ever, if model checking returned the answer thatis not true, so , then the implication

does not allow us to conclude anything about. The metric tolerance relations can also be used

to formalize notions oftightnessof approximations.The high-level idea ofrobustnessis that for a givennom-

inal model , and anuncertainty class of modelsthat are possiblevariationsof in some well-quantified re-spects, one wants to ascertain whether each of the models

possess the same qualitative or quantitative propertiesas [25]. As one approach to formalizing robustness, con-sider a class consisting of hybrid automata that differfrom in at most their evolution relations; for some fixed


, suppose the evolution relations satisfyfor each . This says that if is an integral curve of

witnessing an evolution in a variant , thenthere is an integral curveof starting from , witnessing

in the nominal system , such that lies within a-tubearound (see [25] and [47], which consider-tubes

around time sequences). Translating this relational inclusioninto modal formulas, we have

and hence

where

So for the verification of arobust safetyproperty, it wouldsuffice to prove , since this entails forany such variant . One can also work with the finitary ver-sions of the hybrid reachability relations restricted to somebounded finite number of resets.

G. Temporal Logics for Hybrid and Timed Systems

There are numerous proposals in the literature for the ex-tension to hybrid and timed systems of temporal logics de-veloped for discrete systems. Our focus here is on exten-sions of temporal logics, which specifically address issuesthat arise from working with real time, including the expres-sion ofquantitativetemporal requirements.

1) Branching Temporal Logics:Real-time extensionsof branching temporal logics includeTimedCTL (TCTL)[53], IntegratorCTL (ICTL) , and Timed -calculus (TL )[20], [21]. These logics were developed for reasoning aboutquite restricted classes of hybrid automata:timed automata,in which all real-valued coordinates areclocks, with dy-namics , and (so-called)linear hybrid automata,with straight line flows for some slopeor rate vector ; for both classes, all reset relationsand distinguished subsets are restricted to those definableby Boolean combinations of inequalities ,for constants . However, their semantics can becleanly extended to arbitrary hybrid automata in the mannerdeveloped here.

The first issue addressed is the appropriate semantics fortheuntil operators. Intuitively, we would like a stateto satisfy iff there issome -trajectory from

along which there is an-successor state at whichis satisfied, and is continuously satisfied at all-interme-diate states betweenand . In standardCTL ,is characterized by the-calculus translation

, with iteration of the “next-step” operator . OverLTS models of hybrid automata, where is , thisfails to capture the intended meaning ofholding continu-ously. The key to the solution in [20], [21] is a means to refer

to regionsof the state space through which a trajectory maypass. We reformulate this idea in our modal framework.

Any subset of hybrid states has a uniquedecomposition . Then for each con-trol mode , define the relativized -evolutionrelation

by

and for each discrete transition , define the rela-tivized -resetrelation by

For any -calculus sentence , de-

fine relations and

. So is justand likewise is just . Then define

Hence, , as one would expect. The char-acterization of in [20] and [21] replaces within the body of the -calculus formula because they wantto retain the implication ; for the defini-tion here, we have instead , and

.The hybridall-until construct, which expresses notions of

inevitability, is a yet more complicated creature, and we donot give a detailed treatment here. Intuitively, issatisfied at a state if along every maximal -trajec-tory starting from , there isan -successor at whichis satisfied, and is satisfied at all -intermediate states be-tween and . For example, theevent sequence requirementin our example control problem in Section II-D is formalizedby the sentence

In [21], an operator for hybrid trajectories is shown tobe -calculus definable, using and time-bounded all-until operators .

Quantitative time-bounded properties can be formalizedby extending the branching-time languages withspecifica-tion clocks, which are additional real-valued variables dis-tinct from system coordinate variables. If is a hybrid au-tomata over state space , then formulas inthe enriched language containingspecification clock vari-ables are interpreted in an expanded LTS model over

. Specification clocks have the continuous dy-namics in all control modes , and remain constantunder reset relations. The additional constructs of the lan-guage are atomic clock constraints, of the form

with constants , which can be treated asextra atomic propositions, and the “freeze” or “ clock-reset”construct , which corresponds to the action of starting atimer from zero. The formula is satisfied at all extended


states such that satisfies . Forexample, theTCTL formulaasserts that along all trajectories, a-state is followed by a

-state within 17 time units.2) Linear Temporal Logics:Formulas of linear temporal

logics are interpreted with respect toexecution sequencesortracesof transition system models (Definition 6). AnLTLformula in true in if it is satisfied by all infinite executionsequences starting from the designated set of initial statesof . This semantics can be related to the state-based se-mantics by working in a derived LTS model whose statespace is a suitable set of-length execution sequences ortraces of [33].

Much of the work on timed and hybrid extensions of lineartemporal logics has concentrated on the theory oftimed

-words, extending the rich relationship between (untimed)-languages, formulas ofLTL , and Büchi automata over-words [65], [77]. Over an arbitrary LTS model , atimed

execution sequenceis a pair , whereis an infinite execution sequence of , and isan infinite sequence of positive reals , interpretedas thedelaybetween the successive statesand under

the transition . A timed trace is definedsimilarly. Logics such asmetric temporal logicMTL [13]are obtained by extendingLTL with (integer endpoint)interval-bounded versions of theuntil, always,and some-timestemporal operators, and formulas are interpreted overtimed execution sequences or timed traces. For example,

is read “ holds until does, and that hap-pens in between 3 and 17 time units.” A similar extension ofLTL with time-bounded temporal operators is developed in[83]. The survey paper [77] examines the decidability andcomplexity of model checking for several variants ofMTLwith respect to LTS models of timed automata.

3) Interval Temporal Logics: Hybrid temporal logic(HTL ) [78], [79] extended duration calculus(EDC) of [15]and [28] are both first-order temporal logics that replacestates as instantaneous valuations of variables, with statefunctionsover an interval of time. In [78] and [79], the basicsemantic objects arephases , where(or ) is a time interval, and is a vector oftype-consistent functions of time andthat are piece-wise continuous (or smooth) if variableisreal-valued, and piecewise-constant for discrete. BothHTL andEDC have a “chop” operator, from which theuntil,always, andsometimestemporal operators are definable andinclude a means to refer to the duration for which a formulahas been satisfied.

H. Expressing Topological and Continuity Properties

Work on temporal logics for hybrid systems has focussedon the metric aspects ofreal time. Here, we turn our attentionto the metric and more generaltopologicalstructure ofrealspace. We have already seen how within the framework of(plain) modal logicPML , we can reason about some metricstructure using modalities and for concrete -tolerancerelations on metric spaces , and use these to

formalize some notions of stability and robustness. In [23]and [50], we show how modal logic also provides a means torepresent atopologyon the state space of an LTS or Kripkemodel.

Formally, we extend the syntax ofPML or L to includean additional “plain” or “unlabeled” box modality , andits dual diamond , with . A topologicalLTS model is an LTSmodel in which is a topological space. From Tarskiand McKinsey [84], the axioms for the box modalityof thewell-studied modal logicS4correspond exactly to the Kura-towski axioms for the topological interior operator , anddually theS4 diamond corresponds to the topological clo-sure . The additional semantic clauses for the extendedlanguage interpreted in topological LTS models are then

Call the resulting logicsTopPML andTopL (the prefixTalready being used fortimedextensions of temporal logics).TheS4axioms for are as follows:

In the enriched language, we can simply express topolog-ical properties of sets of states. A sentencedenotes anopen(closed) set in iff ( ) is true in .The sentence denotes the topologicalboundary

.We now have the resources with which to formalize

notions of continuity. In purely topological terms, asingle-valued function is continuousif for every open set in , the inverse-imageis open in . The corresponding notions for set-valuedmaps were introduced by Kuratowski and Bouligand in the1930s and use the preimage operators instead of the inverseimage [57], [58], [60].

Definition 15: A relation is saidto be lower semicontinuous(lsc) if for every open set in

, the preimage is open in ; issaid to beupper semicontinuous(usc) if for every open set

in , the preimage is open in ,or equivalently, for every closed set in , the set

is closed in ; and is calledcontinuousif it is both usc and lsc.

For a relation in a topological LTS model, the semicontinuity properties are simply expressed by

the formulas

-

-


The - formula asserts that for every subset , the in-clusion holds,and this is equivalent to the lsc property for ; likewise forthe usc property. From these simple modal characterizations,we can give a purely formal proof within the axiomatic proofsystem that each of the semicontinuity properties is inheritedunder finite compositions and finite unions of relations. Forthe infinitary Kleene star operation, ifis lsc then is lsc,but the corresponding result for usc relations does not hold ingeneral (basically because the infinite intersection of a familyof open sets need not be open).

We briefly mention two lines of enquiry opened up by con-sideration of semi-continuity properties of relations. The firstconfirms our interest infinite topologiesas combinatorialstructures, which shed some light ondiscretizationsof con-tinuous and hybrid spaces, and notions ofstability for suchdiscretizations. From [51], an LTS model has abisim-ulation equivalenceof finite index exactly when there is afinite topology on such that each of the transition rela-tions arecontinuouswith respect , and eachof the atomic sets is clopen (both closed and open)in . The partition determined by an equivalence relationgives the extreme case where all open sets are also closed, so

is actually a Boolean algebra.Returning to the example in Section II-D, the cover

generates a finite topologyon . As it stands, this is not asubtopologyof thestandard topology on (c.f. [46]), since will beopen-intersect-closed, but with an extraoperator in themodal characterization, it could be made so. As noted in[46], violations in continuity conditions forfinite topologiescan be finitarily detected. Looking at Fig. 5, we can seethat for the set in , its -pre-image

, which cuts across , isnot in . One can iteratively construct a finer topology

with respect to which each of the relationsfor are both lsc and usc by adding morepreimage sets.

The second line of enquiry looks at the semicontinuityproperties with respect to the standard topology as primitiveforms ofmetric stability. From [57] and [58], under the hy-potheses that is a compact metric space and the set image

is a closed for each , the semicontinuity proper-ties have an a- characterization: a relation isusc iff for all and all , there is a such thatfor all

and

and

In words, if is close to then the set image is nearlycontained in , in the sense that is contained in the-ball or tubearound , as illustrated in Fig. 8 for set-

images that are curves from. Similarly,is lsc iff whenever is close to then the set-imagenearly contains , in the sense that is contained inthe -ball around .

Fig. 8. The usc property in the compact metric setting.

For a hybrid automaton , consider the bounded-jumpversions of the -reachability relationgiven by . So is the set of allstates lying on some -trajectory from that has at most

discrete jumps. Let and bethe projections of and onto . Then under thehypotheses required for the metric- characterizations, thesemicontinuity properties for and express elemen-tary notions of stability of hybrid trajectories. A preliminarystudy of the usc property for hybrid reachability relations isgiven in [23].

V. METHODS ANDTOOLS FORFORMAL VERIFICATION AND

SYNTHESIS

A. Symbolic Model Checking

Model checking for all standard propositional modal andtemporal logics proceeds by first giving a translation into the

-calculus. The task is to compute the set , andso determine whether . The high-level algorithm forcomputing for a -calculus sentence is just the induc-tive definition of the formal semantics in Definitions 11 and13, recursively breaking a sentence into its subsentences. Forfixed-point sentences , one calls a recursive subproce-dure that computes the approximation sequence andreturns the answer if the sequence con-verges at stage.

The question then becomes: For which classes of LTSmodels is it the case that the high-level algorithm formodel checkingL sentences is a)effectively implementableand b) guaranteed toterminatein a finite number of steps onall inputs ?

The question would not be asked if one were only inter-ested infiniteLTS models. Indeed, a good measure of the suc-cess of formal methods for discrete systems can be attributedto the tractability of model checking over finite LTS models.For example, forCTL and the small fragment ofL neededto captureCTL , there are model-checking algorithms of timeand space complexity ; for the full -calculus,the time complexity is - [37]. Binary decisiondiagrams(BDDs) provide an efficient means to represent fi-nite sets of states, and the Boolean and modal operations onthem, and have been successfully used for model checkingsystems with upwards of states [37].

For general classes of LTS models, a primary means ofaddressing the issue b) of finite termination is via Proposi-tion 14. It suffices to identify classes of LTS models, allof which have a finite bisimulation quotient. As surveyed in[31], finite bisimulation results have been established, on theone hand, for the restricted class oftimed automata[24] and


some extensions, and on the other, for the mathematicallyricher class ofo-minimal hybrid automata[85], whose com-ponent flows , sets and , and resets in

are all first-order definable in ano-minimal(model-theoretic) structure expandingthe reals as an ordered Abelian group, but subject to the fur-ther restriction that the reset maps areset-valued con-stant(see also [51]). O-minimality is statable as a syntacticcondition on first-order definability, but its core content is atopological finiteness property: every set first-orderdefinable in an o-minimal structure has only finitely manyconnected components [86]. The class of o-minimal struc-tures over is quite rich. It includes the structure

of as areal closed field; the quan-tifier-free first-order formulas in the language

are Boolean combinations of equalitiesand inequalities ofpolynomials , and the sets

so definable are calledsemialgebraicsets. Theclass of o-minimal structures also includes the richer struc-ture obtained by adding the exponential function;the structure obtained by adding finitely many an-alytic functions restricted to a bounded rectangle; their com-bination ; and yet further expansions [85], [86].

Proof of finite termination is only half the question. For theissue a) of an effective implementation, one needs a finitarysyntactic means of representing sets of states that is closedunder the Boolean and preimage operators, and furthermore,that representation must bedecidablein the sense that it canbe determined by finite computation whether distinct rep-resentations are semantically equal. This requires that therebe aneffectively representableanddecidablemodal algebra

for such that (see [20] and [38]).Of the o-minimal structures over, the richest known

to have the required effectiveness and decidability is .By the famous Tarski–Seidenberg results, there is an algo-rithm that transforms any first-order formula in the language

into a quantifier-free formula in thatis equivalent over , so proving that all sets first-orderdefinable in are semialgebraic, and furthermore, thesemialgebraic sets are decidable. In contrast, the richer struc-ture does not have the quantifier elimination prop-erty (although it does have the weaker but significant prop-erty calledmodel completeness), and the decidability of itsfirst-order theory is still an open question.

For LTS models of hybrid automata, it suffices to con-sider the underlying LTS model over . Let

, , andbe a list of formulas in

defining the components of . The following recursivetranslation map takes as input anL sentence ,and if it terminates, it returns

for the least such that

Note that termination is not problematic forPML sentences.Applying the best available algorithm by Basuet al. [87](which significantly improves the version of Collins’ cylin-drical algebraic decomposition currently implemented in thecomputer algebra toolREDLOG [88]), the number of arith-metical operations required to perform this QElim procedureis bounded by , when the body of the ar-gument formula is defined by a total ofpolynomials invariables, each of at most degree. Checking equivalence oremptiness (unsatisfiability) of formulas in has abound of . The translation also extends to topolog-ical LTS models and sentences of topological extensions ofPML andL , where the topology is the standard metrictopology from ; this is because is semialgebraicwhenever is semialgebraic, with a computable descriptionin [86].

In our synthesis procedure illustrated by the examplein Section II-D, each of the computations and decisionsrequired in the course of the construction can be formulatedas a model checking task for finitaryPML sentences [32].The procedure can thus be effectively implemented forinstances of Problem 4 where the input data of the flows

for and the specification sets and areall semialgebraic. Our explicit semialgebraic descriptionof the set is an example of the output of quantifierelimination. By applying [89], this sort of procedure canalso be used when the continuous dynamics are given bycertain classes of linear differential equations whose flowscontain some exponential terms but for which the flowpreimage is semialgebraic whenever issemi-algebraic. Note that the presence of the exact resetmaps as well as the metric tolerancerelations mean that the LTS model of the final hybridautomaton is unlikely to have a finite quotient that meetsthe bisimulation conditions forall of the relations of themodel, but this does not pose a problem if one is not modelchecking infinitary fixed-point sentences.

The model checking tool HYTECH [90] is designed for therestricted class of linear or polyhedral hybrid automata, all ofwhose real components are first-order definable by Booleancombinations of equalities and inequalities of linear terms

. Rather than use quantifier elim-ination, a later version of HYTECH represents state sets in

as finite unions ofconvex polyhedra, given a vertex rep-resentation, and the Boolean operations and preimage oper-ator are implemented using a library of standard polyhedraloperations [21]. The work in [41] in this special issue de-scribes an algorithm forapproximatereachability and safetyanalysis of hybrid automata with linear differential equa-tions, where the state sets are represented as special kindsof convex polyhedra, and applies this technology to a classof synthesis problems. The model checking tools KRONOS

[91], COSPAN [92], and UPPAAL [93], all for the restricted


class of timed automata, represent convex data regions inby integer-valued matrices, with operations performed usingstandard matrix operations.

B. Deductive Proof Systems

Deductive methods for verification and analysis differfrom model checking in their methodology, their scope,and their degree of automation. Whereas model checkingseeks to translate a specification formula into the lowerlevel system description logic, or some other symbolicrepresentation, deductive methods work by directly ma-nipulating formulas in the high-level temporal or modalspecification logic. Model checking can be implementedas a completely automated analysis tool, but its scope isrestricted tosentencesof the -calculus (or its sublogicsor extensions) and to LTS models whose components havea sufficiently tractable first-order description. In contrast,deductive methods have a broader scope. They are appli-cable to all formulas of the specification logic, includingsuchL andTopL formulas with free as thoseexpressing relational comparison and continuity properties.Moreover, the inferences of a proof system are valid overthe largest class of formal models for which that system issound, often the universal class ofall models. Deductivemethods can be used not just for the verification of singleproperties, considered one at a time, but also for the largerenterprise of building up adeductive theoryor knowledgebase of formulas true in a model. The flip side is thatimplementations of deductive verification methods tend toonly be semiautomated, typically combining some degree ofautomated proof search, user-interactive proof construction,and automated proof checking.

The Hilbert-style proof system forL is due to Kozen[36]. On top of the axioms and rules forPML , this proofsystem forL has the fixed-point axiom

-f.p.

and the inference rules

Subst.

-f.p

For formulas , we write if there is aformal proof of in this proof system forL and say is atheoremof L . Thesoundnessof this proof system is quitestraightforward. This says, of all formulas ,if then is universallyvalid, meaning forall LTS models , of arbitrary cardinality and character.Thevalidity problemfor L , of determining whether a for-mula is valid, is EXPTIME complete [33].More recently, thecompletenessof Kozen’s axiomatizationhas been established, namely, that ifis valid, then .A drawback of the proof of this result in [94] is that it doesnot extend in any modular fashion to axiomatic extensions,

such as that forTopL , which adds theS4 axioms for(Section IV-H).

In trying to establish that using a proof systemfor L or TopL , one seeks to show that is a deductiveconsequenceof a list of formulas such that isalready known. In selecting, one has at one’s disposal ahierarchy of formulas that form aknowledge baseabout :

• formulas that are theorems of the proof system, that aretrue in all LTS models;

• formulas that are true in all models in the intendedclass, such as the LTS models of hybrid automata; thesearise as deductive consequences of definitions inLof modal/temporal operators like and , andformula schemes such as , and (Sec-tion IV-C) for symbols for the orbit relations of flows;

• formulas that have already been directly verified as truein , either deductively, or for sentences, perhaps bya call to a separate model checking tool.

To see a proof system in action, we give a formal proofin TopL that if a relation is lsc, then so is itsKleene star

Assumptiontheorem

: Mono: Subst

:theorem

: Mono:

: -f.p: Def.

Mono is the derived rule for any modal operator(boxor diamond): from , infer , andPL ispropositional logic.

From theL characterization of together with the dualinference rule -f.p in L , one can readily derive anobviousinvariance induction rulefor proving safety proper-ties of hybrid automata

Inv-

for eachfor each

The premises of the rule assert that the set of-states isin-variant under both evolution and reset relations, and thatis intermediatebetween and . This is a cleaner -cal-culus analog of the invariance rule inLTL -based logics usedfor the verification of safety properties for hybrid automatain [12]–[14] and implemented in the verification tool[95].

In the course of our controller synthesis construction inSection II-D, we generate a list ofPML formulas that are truein a model over the state space , using


a suitable model checking tool; a partial list is given in Sec-tion IV-D. The idea is that thesynthesisis self-verifying, inthe sense that the correctness of construction can be demon-strated by formally deducing theL formulas encoding per-formance specifications (given in Sections IV-F and IV-G)from this list ofPML formulas. For ease of discussion, wecontinue to work in rather than shift the analysis up tothe hybrid model over .

For the safety property , we useInv- . We only need to check ,

since the initiality condition and theevolution invariance are alreadyestablished. For each ,the reset , so it follows that

. Wethen need to prove ,but this is a propositional tautology, so we are done.The jump-infinite livenessproperty can also be formallyverified using Inv- to prove .For the non-Zeno livenessproperty, we need to calculatea lower bound on the time duration between resets,which could be done using the semialgebraic descrip-tions of the cover sets . For the event sequencerequirement expressed using (Section IV-G),the idea is that chains of local inevitability formulassuch as and

will entail.

The example illustrates how inference rules likeInv- can be used inconjunction with model

checking tools. Similar ideas are developed in [14], usingthe tool . This verification tool combines the modelchecking capability of automatically generating first-ordertranslations of candidate invariant sentences, such as

, with proof systems for LTL-basedlogics. In related work, envisaged for discrete systems butmore generally applicable, the general-purpose verificationenvironmentprototype verification system(PVS) [96] isused to give an integration of model checking and theoremproving; this is achieved by encoding the propositional

-calculus within the (classical) simply typed higher orderlogic on which PVS is based.

C. Controller Synthesis

In our example in Section II-D, we demonstrate oneway of formulating a controller synthesis problemfor hybrid systems within our logic framework.The cover and AD map was found usingsome custom-designed predecessor operators onsets, namely, - and

, applied to .By the nature of that construction, it did not involve anyiteration, but subject to the restriction on inclusion-mono-tonicity (which holds for - , but not for ), wecan iterate any set operator of our design.

Fixed points of operators on sets are a dominant theme inwork on controller synthesis for hybrid systems, and for DES

systems before them. Translating Ramadge and Wonham’smodular feedback logic[39] into modal logic (and extendingit from single-valued partial functions to arbitrary relations),themaximal control invariant subsetof a set of statesis obtained as the greatest fixed point of the operator

where is the subalphabet ofuncontrollableevents and is the component relation for event

of the system transition relation . Inwords, is the set of statesin such that for each un-controllable event , the -successors ofare all in .Control is effected by a supervisor’s being able to overridethe system transition relation anddisablecontrollable events

at states . A statefeedback supervisoris a map such that for all , and

is disabled by at if . From any con-trol invariant set , one can construct a state feedbacksupervisor whose application rendersan invariant set; themaximalcontrol invariant subset of then gives rise to theleast restrictivesupervisor to enforce the invariance of. In[39], modularity is considered with respect to conjunction ofpredicates; working withinL , a richer level of modularityis attainable.

The construction in [39] is specifically adapted to hybridsystems in [97], where the system model is essentially a hy-brid automaton over state space and ,with reset maps indexed by events , andfor , a supervisor can override and disable a resetat states . Earlier work on controller synthesis fortimed automata in [98] is along the same general lines.

In work on controller synthesis in this special issue, [41]considers a class of control problems in which one starts witha complete hybrid automaton , and the synthesis task isto find the largestsubsystem , in the sense thatthe state space and flows are the same, butand (with the resets always

), such that the subsystem satisfies a safetyproperty. Their solution is a greatest fixed-point constructionusing a customized predecessor operator on subsets of hy-brid states. Transcribed in modal logic, this operator is of theform

where denotes the relativized evolution relation de-fined in Section IV-G, requiring the substitution of asentence to give it concrete meaning. In words,is iniff is in , and either for some , there is a -evolutionfrom that remains in for all time, or else it is possible


to -evolve from for some time, while remaining within ,and then switch and still be in.

The controller synthesis problems considered in [42] aremore complex—their hybrid automata have continuous con-trol and disturbance inputs, and the task is to construct afeedback control map (with both discrete and continuousvalues), which restricts the behavior of the system so as tosatisfy a safety property. But there again, we see a greatestfixed-point construction of a maximal controlled invariantsubset. Due to quantification over control and disturbancefunctions and on a time interval(rather thanvaluesin and ), their controllable and uncon-trollable predecessor operators, and their two-place Reachoperator, require reformulation to be expressible using modaloperators. In earlier work in hybrid systems (with differingsystem models), fixed points of operators on sets were usedin [99]–[101] to characterize theviability kernelof a set ofstates as the largest subset invariant under hybrid trajectoriesand from which all hybrid trajectories are jump-infinite.

In a separate development, generalizations of LTS modelshave been formulated for settings where the natural modelis a gamebetween two or moreagents, with logics calledalternating temporal logicandalternating -calculusdevel-oped for the specification of system properties [80]. The for-malisms are general enough to cover the supervisory con-trol framework of discrete event systems, as well modulechecking and receptiveness problems for open discrete andhybrid systems.

VI. CONCLUSION

The primary goal of this work was to seek out and renderperspicuous unifying threads in the substantial literature onlogics and formal methods for hybrid systems. The key tosuch a unification is to be found by appreciating the gener-icness of relational transition system models as abstract dy-namical systems, and the power and simplicity of the-cal-culus as the “parent logic” for reasoning about them. A largertheme is howold resources—formal models, logics, proofsystems, decision procedures—can be put tonewuses in theformal analysis and synthesis of hybrid systems.

Of the many suggested in the text, several lines of futureresearch warrant special mention.

First, given the demand for maximally powerful modelchecking tools, there is a pressing need for investigation ofefficient quantifier eliminationfor the pre- or postimages ofpolynomial flows applied to semialgebraic sets, starting witha study of [87].

Given the intrinsic limits on algorithmic model checking,further investigation is required of the theory and practice ofapproximatingsystems with complex nonlinear dynamics bysystems with tractable semialgebraic (or simpler) flows.

There is much more to be done in deductive methods forthe -calculus and its extensions; in particular,tableauxproof systemsoffer the best available automated theoremprovers [56]. Further work is also needed on clean architec-tures for combining model checking and deductive methods,building on [95], [96].

To get full value out of our modal representation of topo-logical and metric structure, more study is needed of notionsof stability and robustness for hybrid systems framed in thelanguage of the general topology of relations and their inte-gration with the concepts developed from classical controltheory.

Given the natural occurrence of distributed, multiagent hy-brid systems, there is a clear need for further investigation oflogics for these systems, applying and building on [74] and[80].

ACKNOWLEDGMENT

The authors’ view of hybrid systems and logics for rea-soning about them has benefited from fruitful conversationsand exchanges with many people; in particular, they wouldlike to thank J. Remmel, W. Kohn, A. Yakhnis, S. Artemov,D. Kozen, D. Cook, J. Miller, K. Rudie, A. Walz, S. Sastry,G. Lafferriere, G. Pappas, J. Lygeros, M. Prandini, J. Hes-panha, R. Goré, N. Bonnette, B. Anderson, T. Brinsmead, S.Dey, and T. Moor. They also thank X. Krump for excellenttutorials on computer graphics.

REFERENCES

[1] R. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, Eds.,HybridSystems: Springer-Verlag, 1993. LNCS 736.

[2] P. J. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, Eds.,HybridSystems II: Springer-Verlag, 1995. LNCS 999.

[3] A. Pnueli and J. Sifakis, Eds.,Theoret. Comput. Sci., 1995, vol. 138.(Special Issue on Hybrid Systems).

[4] R. Alur, T. A. Henzinger, and E. D. Sontag, Eds.,Hybrid SystemsIII : Springer-Verlag, 1996. LNCS 1066.

[5] O. Maler, Ed.,Hybrid and Real-Time Systems: International Work-shop HART’97: Springer-Verlag, 1997. LNCS 1201.

[6] P. J. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, Eds.,HybridSystems IV: Springer-Verlag, 1997. LNCS 1273.

[7] P. J. Antsaklis and A. Nerode, Eds.,IEEE Trans. Automat. Contr.,Apr. 1998, vol. 43. (Special Issue on Hybrid Control Systems).

[8] T. A. Henzinger and S. Sastry, Eds.,Hybrid Systems: Computationand Control (HSCC’98): Springer-Verlag, 1998. LNCS 1386.

[9] P. J. Antsaklis, W. Kohn, M. Lemmon, A. Nerode, and S. Sastry,Eds.,Hybrid Systems V: Springer-Verlag, 1999. LNCS 1567.

[10] F. W. Vaandrager and J. H. van Schuppen, Eds.,Hybrid Systems:Computation and Control (HSCC’99): Springer-Verlag, 1999.LNCS 1569.

[11] E. M. Clarke and J. M. Wing, “Formal methods: State of the artand future directions,”ACM Comput. Surveys, vol. 28, pp. 626–643,Dec. 1996. Rep. Strategic Directions in Computing Research FormalMethods Working Group, ACM Workshop, Aug. 1996.

[12] Z. Manna and A. Pnueli, “Verifying hybrid systems,” inHybrid Sys-tems, R. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, Eds:Springer-Verlag, 1993, pp. 4–35. LNCS 736.

[13] , “Models for reactivity,” Acta Informatica, vol. 30, pp.609–678, 1993.

[14] Z. Manna and H. B. Sipma, “Deductive verification of hybridsystems using STeP,” inHybrid Systems: Computation and Control(HSCC’98), T. A. Henzinger and S. Sastry, Eds: Springer-Verlag,1998, pp. 305–318. LNCS 1386.

[15] Z. Chaochen, A. P. Ravn, and M. R. Hansen, “An extended dura-tion calculus for hybrid real-time systems,” inHybrid Systems, R.Grossman, A. Nerode, A. P. Ravn, and H. Rischel, Eds: Springer-Verlag, 1993, pp. 36–59. LNCS 736.

[16] L. Lamport, “Hybrid systems in TLA+,” inHybrid Systems,R. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, Eds:Springer-Verlag, 1993, pp. 77–102. LNCS 736.

[17] P. Herrmann, G. Graw, and H. Krumm, “Compositional specificationand structured verification of hybrid systems in cTLA,” inProc. 1stIEEE Int. Symp. Object-Oriented Real-Time Distributed Computing,1998, pp. 335–340.


[18] R. Alur, C. Courcoubetis, T. A. Henzinger, and P.-H. Ho, “Hybrid au-tomata: An algorithmic approach to the specification and verificationof hybrid systems,” inHybrid Systems, R. Grossman, A. Nerode, A.P. Ravn, and H. Rischel, Eds: Springer-Verlag, 1993, pp. 209–229.LNCS 736.

[19] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P.-H. Ho,X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine, “The algorithmicanalysis of hybrid systems,”Theoret. Comput. Sci., vol. 138, pp.3–34, 1995.

[20] T. A. Henzinger, “The theory of hybrid automata,” inProc. 11thAnnu. IEEE Symp. Logic Comput. Sci. (LICS’96), 1996, pp.278–292.

[21] R. Alur, T. A. Henzinger, and P.-H. Ho, “Automatic symbolic veri-fication of embedded systems,”IEEE Trans. Software Eng., vol. 22,pp. 181–201, 1996.

[22] Y. Zhang and A. K. Mackworth, “Constraint nets: A semantic modelfor hybrid dynamic systems,”Theoret. Comput. Sci., vol. 138, pp.211–239, 1995.

[23] J. M. Davoren, “On hybrid systems and the modal�-calculus,” inHybrid Systems V, P. J. Antsaklis, W. Kohn, M. Lemmon, A. Nerode,and S. Sastry, Eds: Springer-Verlag, 1999, pp. 38–69. LNCS 1567.

[24] R. Alur and D. L. Dill, “A theory of timed automata,”Theoret.Comput. Sci., vol. 126, pp. 183–235, 1994.

[25] C. Horn and P. J. Ramadge, “Robustness issues for hybrid systems,”in Proc. 34th Int. Conf. Decision Contr., CDC’95, 1995, pp.1467–1472.

[26] Y. Zhang and A. K. Mackworth, “Specification and verification ofhybrid dynamic systems with timed8-automata,” inHybrid SystemsIII , R. Alur, T. A. Henzinger, and E. D. Sontag, Eds: Springer-Verlag,1996, pp. 587–603. LNCS 1066.

[27] N. A. Lynch, R. Segala, F. Vaandrager, and H. B. Weinberg, “HybridI/O automata,” inHybrid Systems III, R. Alur, T. A. Henzinger, andE. D. Sontag, Eds: Springer-Verlag, 1996, pp. 496–510. LNCS 1066.

[28] Z. Chaochen, W. Ji, and A. P. Ravn, “A formal description of hybridsystems,” inHybrid Systems III, R. Alur, T. A. Henzinger, and E. D.Sontag, Eds: Springer-Verlag, 1996, pp. 511–530. LNCS 1066.

[29] M. Rönkkö and A. P. Ravn, “Actions systems with continuousbehaviour,” in Hybrid Systems V, P. J. Antsaklis, W. Kohn, M.Lemmon, A. Nerode, and S. Sastry, Eds: Springer-Verlag, 1999, pp.304–323. LNCS 1567.

[30] Z. Manna and A. Pnueli,Temporal Verification of Reactive Systems:Safety. New York: Springer-Verlag, 1995.

[31] R. Alur, T. A. Henzinger, G. Lafferriere, and G. Pappas, “Discreteabstractions of hybrid systems,”Proc. IEEE, vol. 88, pp. xxx–xxx,July 2000.

[32] J. M. Davoren, “Using modal logics for the formal analysisand synthesis of hybrid control systems,” Australian NationalUniversity, Computer Sciences Laboratory, RSISE, Tech. Rep.TR-ARP-02-2000, Jan. 2000.

[33] C. Stirling, “Modal and temporal logics,” inHandbook of Logic inComputer Science, S. Abramsky, D. M. Gabbay, and T. Maibaum,Eds. Oxford, U.K.: Oxford Univ. Press, Clarendon, 1992, vol. 2,pp. 477–563.

[34] A. Nerode and R. Shore,Logic for Applications, 2nd ed. Berlin,Germany: Springer-Verlag, 1997. Graduate Texts in Computer Sci-ence.

[35] R. Goldblatt,Logics of Time and Computation, 2nd ed. Stanford,CA: CLSI Publications, 1992.

[36] D. Kozen, “Results on the propositional�-calculus,” Theoret.Comput. Sci., vol. 27, pp. 333–354, 1983.

[37] E. A. Emerson, “Model checking and the mu-calculus,” inDescrip-tive Complexity and Finite Models, N. Immerman and P. G. Kolaitis,Eds: AMS, 1997, pp. 185–208.

[38] T. A. Henzinger and R. Majumdar, “A classification of symbolictransition systems,” inProc. 17th Int. Symp. Theoret. Aspects ofComputer Science (STACS’00): Springer-Verlag, 2000. LNCS.

[39] P. J. Ramadge and W. M. Wonham, “Modular feedback logic for dis-crete event systems,”SIAM J. Contr. Optim., vol. 25, pp. 1202–1218,1987.

[40] P. J. Ramadge and W. M. Wonham, “The control of discrete eventsystems,”Proc. IEEE, vol. 77, pp. 81–98, 1989.

[41] E. Asarin, O. Bournez, T. Dang, O. Maler, and A. Pnueli, “Effectivesynthesis of switching controllers for linear systems,”Proc. IEEE,vol. 88, pp. 1011–1025, July 2000.

[42] C. J. Tomlin, J. Lygeros, and S. S. Sastry, “A game theoretic ap-proach to controller design for hybrid systems,”Proc. IEEE, vol.88, pp. 949–970, July 2000.

[43] C. Livadas, J. Lygeros, and N. A. Lynch, “High-level modelingand analysis of the air traffic alert and collision avoidance system(TCAS),” Proc. IEEE, vol. 88, pp. 926–948, July 2000.

[44] R. De Carlo, M. Branicky, S. Pettersson, and B. Lennartson, “Per-spectives and results on the stability and stabilizability of hybrid sys-tems,”Proc. IEEE, vol. 88, pp. 1069–1082, July 2000.

[45] X. D. Koutsoukos, P. J. Antsaklis, J. A. Stiver, and M. D. Lemmon,“Supervisory control of hybrid systems,”Proc. IEEE, vol. 88, pp.1026–1049, July 2000.

[46] A. Nerode and W. Kohn, “Models for hybrid systems: Automata,topologies, controllability, observability,” inHybrid Systems,R. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, Eds:Springer-Verlag, 1993, pp. 297–316. LNCS 736.

[47] V. Gupta, T. A. Henzinger, and R. Jagadeesan, “Robust timed au-tomata,” inHybrid and Real-Time Systems: International WorkshopHART’97, O. Maler, Ed: Springer-Verlag, 1997, pp. 331–345. LNCS1201.

[48] R. E. Kalman, P. L. Falb, and M. A. Arbib,Topics in MathematicalSystem Theory. New York: McGraw-Hill, 1969.

[49] S. N. Artemov, J. M. Davoren, and A. Nerode, “Logic, topologicalsemantics and hybrid systems,” inProc. 36th Int. Conf. DecisionContr., CDC’97, 1997, pp. 698–701.

[50] J. M. Davoren, “Modal Logics for Continuous Dynamics,” Ph.D.thesis, Dept. Mathematics, Cornell Univ., Jan. 1998.

[51] , “Topologies, continuity and bisimulations,”Theoret. Inform.Applicat., vol. 33, pp. 357–381, 1999.

[52] J. Sifakis, “A unified approach for studying the properties of transi-tion systems,”Theoret. Comput. Sci., vol. 18, pp. 227–258, 1982.

[53] R. Alur, C. Courcoubetis, and D. L. Dill, “Model-checking in densereal-time,”Inform. Computat., vol. 104, pp. 2–34, 1993.

[54] A. Deshpande, A. Göllü, and P. Varaiya, “SHIFT: A formalism and aprogramming language for dynamic networks of hybrid automata,”in Hybrid Systems IV, P. J. Antsaklis, W. Kohn, A. Nerode, and S.Sastry, Eds: Springer-Verlag, 1997, pp. 113–133. LNCS 1273.

[55] V. Gupta, R. Jagadeesan, and V. A. Saraswat, “Hybrid cc , hybridautomata and program verification,” inHybrid Systems III, R. Alur,T. A. Henzinger, and E. D. Sontag, Eds: Springer-Verlag, 1996, pp.52–75. LNCS 1066.

[56] R. Goré, “Tableaux methods for modal and temporal logics,”in Handbook of Tableaux Methods, M. D’Agistino et al.,Eds. Norwell, MA: Kluwer, 1999, pp. 297–396.

[57] J.-P. Aubin and H. Frankowska,Set-Valued Analysis. Boston, MA:Birkhäuser, 1990.

[58] E. Akin, The General Topology of Dynamical Sys-tems. Providence, RI: American Mathematical Society, 1993.

[59] J. R. Munkres,Topology: A First Course. Englewood Cliffs, NJ:Prentice-Hall, 1975.

[60] C. Berge,Topological Spaces, Including a Treatment of Multi-ValuedFunctions, Vector Spaces and Convexity. New York: Dover, 1997.

[61] J. Palis and W. de Melo,Geometric Theory of Dynamical Sys-tems. New York: Springer-Verlag, 1982.

[62] M. S. Branicky, “Topology of hybrid systems,” inProc. 32nd Conf.Decision Contr., 1993, pp. 2309–2314.

[63] J. M. Davoren and T. Moor, “Logic-based design and synthesis ofcontrollers for hybrid systems,” Australian National Univ., Dept.Syst. Eng., RSISE, Canberra, Australia, Tech. Rep., July 2000.

[64] M. Y. Vardi and P. Wolper, “Automata-theoretic techniques inthe modal logics of programs,”J. Comput. Syst. Sci., vol. 32, pp.182–221, 1986.

[65] E. A. Emerson, “Temporal and modal logic,” inHandbook of Theo-retical Computer Science, J. van Leeuwen, Ed. Amsterdam: Else-vier, 1990, pp. 997–1072.

[66] J. G. Thistle and W. M. Wonham, “Control of infinite behavior offinite automata,”SIAM J. Contr. Optim., vol. 32, pp. 1075–1097,1994.

[67] Y. Kesten, A. Pnueli, J. Sifakis, and S. Yovine, “Decidable inte-gration graphs,” inHybrid Systems, R. Grossman, A. Nerode, A.P. Ravn, and H. Rischel, Eds: Springer-Verlag, 1993, pp. 179–208.LNCS 736.

[68] E. W. Dijkstra,A Discipline of Programming. Englewood Cliffs,NJ: Prentice-Hall, 1976.

[69] D. D. Cook, “A study in the modeling, verification and control ofhybrid systems,” Ph.D. dissertation, Dept. Electrical and ElectronicEngineering, Univ. of Melbourne, September 1999.


[70] R. Alur and T. A. Henzinger, “Modularity for timed and hybrid sys-tems,” inCONCUR 97: Concurrency Theory, A. Mazurkiewicz andJ. Winkowski, Eds: Springer-Verlag, 1997, pp. 74–88. Lecture Notesin Computer Science.

[71] A. Pnueli, “The temporal logic of programs,” inProc. 18th Annu.IEEE Symp. Foundations of Computer Science (FOCS’77), 1977, pp.46–57.

[72] E. A. Emerson and E. M. Clarke, “Characterizing correctness prop-erties of parallel programs as fixpoints,” inProc. 7th Int. Coll. Au-tomata, Languages and Programming: Springer-Verlag, 1981, pp.169–181. LNCS 85.

[73] S. Kripke, “Semantical analysis of modal logic I: Normal proposi-tional calculi,”Zeitschrift für mathematische Logik und Grundlagender Mathematik, vol. 9, pp. 67–96, 1963.

[74] R. Fagin, J. Y. Halpern, Y. Moses, and M. Y. Vardi,Reasoning AboutKnowledge. Cambridge, MA: MIT Press, 1995.

[75] V. R. Pratt, “Semantical considerations on Floyd-Hoare logic,” inProc. 17th Annu. IEEE Symp. Foundations of Computer Science(FOCS’76), 1976, pp. 109–121.

[76] D. Kozen and J. Tiuryn, “Logics of programs,” inHandbook of The-oretical Computer Science, J. van Leeuwen, Ed. Amsterdam: El-sevier Science, 1990, pp. 789–840.

[77] T. A. Henzinger, “It’s about time: Real-time logics reviewed,” inCONCUR 97: Concurrency Theory, D. Sangiorgi and R. de Simone,Eds: Springer-Verlag, 1998, pp. 439–454. LNCS 1466.

[78] T. A. Henzinger, Z. Manna, and A. Pnueli, “Toward refiningtemporal specifications into hybrid systems,” inHybrid Systems,R. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, Eds:Springer-Verlag, 1993, pp. 60–76. LNCS 736.

[79] A. Kapur, T. A. Henzinger, Z. Manna, and A. Pnueli, “Proving safetyproperties of hybrid systems,” inFTRTFT 94: Formal Techniquesin Real-time and Fault-tolerant Systems, H. Langmaack, W.-P. deRoever, and J. Vytopil, Eds: Springer-Verlag, 1994, pp. 431–454.LNCS 863.

[80] R. Alur, T. A. Henzinger, and O. Kupferman, “Alternating-time tem-poral logic,” in Proc. 38th Annu. Symp. Foundations of ComputerScience, 1997, pp. 100–109.

[81] A. Tarski, “On the calculus of relations,”J. Symbolic Logic, vol. 6,pp. 73–89, 1941.

[82] B. Jónsson and A. Tarski, “Boolean algebras with operators, part I,”Amer. J. Math., vol. 73, pp. 891–939, 1951.

[83] Y. Zhang and A. K. Mackworth, “Synthesis of hybrid constraint-based controllers,” inHybrid Systems III, R. Alur, T. A. Henzinger,and E. D. Sontag, Eds: Springer-Verlag, 1996, pp. 552–567. LNCS1066.

[84] J. C. C. McKinsey and A. Tarski, “The algebra of topology,”Ann.Math., vol. 45, pp. 141–191, 1944.

[85] G. Lafferriere, G. J. Pappas, and S. Sastry, “O-minimal hybrid sys-tems,”Math. Contr., Signals, Syst., vol. 13, pp. 1–21, 2000.

[86] L. van den Dries, Tame Topology and O-minimal Struc-tures. Cambridge, U.K.: Cambridge Univ. Press, 1998. LondonMath. Soc. Lecture Notes 2483.

[87] S. Basu, R. Pollack, and M.-F. Roy, “On the combinatorial and al-gebraic complexity of quantifier elimination,”J. ACM, vol. 43, pp.1002–1045, 1996.

[88] A. Dolzmann, T. Sturm, and V. Weispfenning, “Real quantifier elim-ination in practice,” inAlgorithmic Algebra and Number Theory, B.Matzat, G. Greuel, and G. Hiss, Eds. Berlin, Germany: Springer-Verlag, 1998, pp. 221–248.

[89] G. Lafferriere, G. J. Pappas, and S. Yovine, “A new class of decid-able hybrid systems,” inHybrid Systems: Computation and Con-trol (HSCC’99), F. W. Vaandrager and J. H. van Schuppen, Eds:Springer-Verlag, 1999, pp. 137–151. LNCS 1569.

[90] T. A. Henzinger, P.-H. Ho, and H. Wong-Toi, “A user guide toHyTech,” inTACAS 95: Tools and Algorithms for the Constructionand Analysis of Systems, E. Brinksma, W. R. Cleaveland, K. G.Larsen, T. Margaria, and B. Steffen, Eds: Springer-Verlag, 1995,pp. 41–71. LNCS 1019.

[91] C. Daws, A. Olivero, S. Tripakis, and S. Yovine, “The tool KRONOS,”in Hybrid Systems III, R. Alur, T. A. Henzinger, and E. D. Sontag,Eds: Springer-Verlag, 1996, pp. 208–219. LNCS 1066.

[92] R. Alur and R. P. Kurshan, “Timing analysis inCOSPAN,” in Hy-brid Systems III, R. Alur, T. A. Henzinger, and E. D. Sontag, Eds:Springer-Verlag, 1996, pp. 220–231. LNCS 1066.

[93] J. Bengtsson, K. G. Larsen, F. Larsson, P. Pettersson, and W. Yi,“UPPAAL: A tool suite for automatic verification of real-time sys-tems,” inHybrid Systems III, R. Alur, T. A. Henzinger, and E. D.Sontag, Eds: Springer-Verlag, 1996, pp. 232–243. LNCS 1066.

[94] I. Walukiewicz, “A note on the completeness of Kozen’s axiomati-zation of the propositional�-calculus,”Bull. Symbolic Logic, vol. 2,pp. 349–366, 1996.

[95] Z. Manna, N. Bjorner, and A. Browneet al., “An update on STeP:Deductive-algorithmic verification of reactive systems,” inToolSupport for System Specification, Development and Verification:Springer-Verlag, 1998. LNCS.

[96] S. Owre, S. Rajan, J. M. Rushby, N. Shankar, and M. K.Srivas, “PVS: Combining specification, proof checking, andmodel checking,” in Computer-Aided Verification, CAV’96:Springer-Verlag, 1996, pp. 411–414. LNCS 1102.

[97] H. Chen and H.-M. Hanisch, “Control synthesis of hybrid systemsbased on predicate invariance,” inHybrid Systems V, P. J. Antsaklis,W. Kohn, M. Lemmon, A. Nerode, and S. Sastry, Eds: Springer-Verlag, 1999, pp. 1–15. LNCS 1567.

[98] O. Maler, A. Pnueli, and J. Sifakis, “On the synthesis of discretecontrollers for timed systems,” inProceedings of STACS’95, E. W.Mayr and C. Puech, Eds: Springer-Verlag, 1995, pp. 229–242. LNCS900.

[99] A. Nerode, J. B. Remmel, and A. Yahknis, “Controllers as fixed-points of set-valued operators,” inHybrid Systems II, P. J. Antsaklis,W. Kohn, A. Nerode, and S. Sastry, Eds: Springer-Verlag, 1995, pp.344–358. LNCS 999.

[100] W. Kohn, A. Nerode, J. B. Remmel, and A. Yahknis, “Viability inhybrid systems,”Theoret. Comput. Sci., vol. 138, pp. 141–168, 1995.

[101] A. Deshpande and P. Varaiya, “Viable control of hybrid systems,”in Hybrid Systems II, P. J. Antsaklis, W. Kohn, A. Nerode, and S.Sastry, Eds: Springer-Verlag, 1995, pp. 128–147. LNCS 999.

J. M. Davoren (Member, IEEE) receivedthe B.A. (Hons.) degree in mathematics andphilosphy from the University of Melbourne,Victoria, Australia, in 1991, and the M.S. degreein computer science and the Ph.D. degree inmathematics from Cornell University, Ithaca,NY, in 1994 and 1998, respectively.

From 1998 to 1999, she was a PostdoctoralFellow at the Center for Foundations of Intel-ligent Systems at Cornell University, with avisiting position in the Department of Electrical

Engineering and Computer Science at the University of California,Berkeley, from February to April 1999. Since September 1999, she hasbeen a Research Fellow at the Computer Sciences Laboratory in theResearch School of Information Sciences and Engineering, AustralianNational University, Canberra, Australia. Her research interests lie in thefields of mathematical logic, theoretical computer science, systems andcontrol theory, and general topology.

Anil Nerode (Member, IEEE) received the Ph.D.degree in mathematics from the University ofChicago, Chicago, IL, in 1956.

He was an NSF Postdoctoral Fellow withK. Gödel at the Institute for Advanced Studies(1957–1958) and a Visiting Assistant Professorat the University of California, Berkeley, withA. Tarski (1958–1959). In 1959, he joined theFaculty of Cornell University, Ithaca, NY, asan Assistant Professor in Mathematics, andserved as the Director of the Center for Applied

Mathematics from 1964 to 1965. He was also Chairman of the Departmentof Mathematics from 1982 to 1987 and the Director of the MathematicalSciences Institute from 1987 to 1996. He is currently the Director of theCenter for Foundations of Intelligent Systems and the Goldwin SmithProfessor of Mathematics and Computer Science. His research interestsinclude mathematical logic, computer science, and control engineering.He has published more than 150 papers and several books, and a sum-mary of his research up to 1993 appears in J. N. Crossleyet al. (Eds.),Logical Methods: A Symposium in Honor of Anil Nerode’s 60th Birthday(Birkhäuser: Boston, MA, 1993).


logics for hybrid systems - mse - mywebpages€¦ · this paper offers a tutorial survey and a...

Documents