discrete abstractions of hybrid systems - proceedings of the ieee

Discrete Abstractions of Hybrid Systems

RAJEEV ALUR, MEMBER, IEEE, THOMAS A. HENZINGER, MEMBER, IEEE,GERARDO LAFFERRIERE,AND GEORGE J. PAPPAS, MEMBER, IEEE

Invited Paper

A hybrid system is a dynamical system with both discrete andcontinuous state changes. For analysis purposes, it is often usefulto abstract a system in a way that preserves the properties being an-alyzed while hiding the details that are of no interest. We show thatinteresting classes of hybrid systems can be abstracted to purelydiscrete systems while preserving all properties that are definablein temporal logic. The classes that permit discrete abstractions fallinto two categories. Either the continuous dynamics must be re-stricted, as is the case for timed and rectangular hybrid systems, orthe discrete dynamics must be restricted, as is the case for o-min-imal hybrid systems. In this paper, we survey and unify results fromboth areas.

Keywords—Abstraction, decidability, hybrid systems, logic,model checking.

I. INTRODUCTION

Hybrid systems combine both digital and analog com-ponents in a way that is useful for the analysis and designof distributed, embedded control systems. Hybrid systemshave been used as mathematical models for many importantapplications, such as automated highway systems [40],[50], [79], air-traffic management systems [49], [51], [74],embedded automotive controllers [12], [59], manufacturingsystems [64], chemical processes [28], robotics [6], [71],real-time communication networks, and real-time circuits

Manuscript received October 1, 1999; revised April 14, 2000. Thiswork was supported by DARPA under Grant F33615-98-C-3614, byDARPA/NASA under Grant NAG2-1214, by DARPA under GrantF33615–00–1707, by ARO MURI under Grant DAAH-04-96-1-0341,by DARPA/ITO under the MARS program, by NSF CAREER awardsCCR-9501708 and CCR97-34115, and by a Sloan faculty fellowship.

R. Alur is with the University of Pennsylvania, Philadelphia, PA19104 USA and also with the Computing Science Research Center, BellLaboratories, Lucent Technologies, Murray Hill, NJ 07974 USA (e-mail:[email protected]).

G. J. Pappas is with the University of Pennsylvania, Philadelphia, PA19104 USA (e-mail: [email protected]).

T. A. Henzinger is with the University of California at Berkeley, Berkeley,CA 94720 USA (e-mail: [email protected]).

G. Lafferriere is with Portland State University, Portland, OR 97207 USA(e-mail: [email protected]).

Publisher Item Identifier S 0018-9219(00)06460-4.

[53]. Their wide applicability has inspired a great deal ofresearch from both control theory and theoretical computerscience [1], [2], [7], [9], [10], [29], [31], [52], [75].

Many of the above motivating applications aresafety crit-ical and require guarantees of safe operation. Consequently,much research focuses on formalanalysis and designof hybrid systems. Formal analysis of hybrid systems isconcerned with verifying whether a hybrid system satisfiesa desired specification, like avoiding an unsafe region ofthe state space. The process of formal design consists ofsynthesizing controllers for hybrid systems in order to meeta given specification. Both directions have received largeattention in the hybrid systems community, and the reader isreferred to [3], [11], [23], [25], [33], [42], [55], and [73] forexpositions to much of the research in the field.

In this paper, we are interested in the formal analysis ofhybrid systems. The formal analysis of large-scale, hybridsystems is typically a very difficult process due to the com-plexity and scale of the system. This makes the use ofcom-putationalor algorithmic approaches to the verification ofhybrid systems very desirable, whenever possible. We aretherefore interested in developing computational procedures,which, given a hybrid system and a desired property, willverify in a finite number of steps whether the system satis-fies the specification or not. Given a class of hybrid systems

and a class of desired properties, a class of verificationproblems is calleddecidableif there exists a computationalprocedure that, givenanysystem andany ,will decide in a finite number of steps whether satisfies

. Decidability is not an issue in the verification of purelydiscrete systems modeled by finite-state machines, since inthe worst case verification can be performed by exhaustivelysearching the whole state space. However, in the case of hy-brid systems, decidability is a central issue in algorithmicanalysis, because of the uncountability of the state space. Themain focus of this paper is on identifying decidable verifica-tion problems for hybrid systems.

A natural way to show that a class of analysis problemsis decidable is the process ofabstraction. Given a hybrid

0018–9219/00$10.00 © 2000 IEEE

PROCEEDINGS OF THE IEEE, VOL. 88, NO. 7, JULY 2000 971

system and some desired property, one extracts a finite, dis-crete system while preserving all properties of interest. Thisis achieved by constructing suitable,finite, andcomputablepartitions of the state space of the hybrid system. By ob-taining discrete abstractions that are finite and preserve prop-erties of interest, analysis can be equivalently performed onthe finite system, which requires only a finite number ofsteps. Checking the desired property on the abstracted systemshould beequivalent tochecking the property on the originalsystem. Only if no equivalent abstraction can be found mayone be content with asufficientabstraction, where checkingthe desired property on the abstracted system is sufficient forchecking the property on the original system [20].

In this paper, we focus onequivalent discrete abstractionsof hybrid systemsalong with the classes of properties theypreserve. We show that there are many interesting classes ofhybrid systems that can be abstracted by finite systems foranalysis purposes. Properties about the behavior of a systemover time are naturally expressible in temporal logics, suchas linear temporal logic (LTL) and computation tree logic(CTL) [26]. Preserving LTL properties leads to special par-titions of the state space given bylanguage equivalence re-lations, whereas CTL properties are abstracted bybisimula-tions. A detailed exposition to the use of various logics in hy-brid systems can be found in [23]. Similar concepts and con-structions, but from a hierarchical control perspective, can befound in [16] and [61]–[63].

There are immediate obstacles due to undecidability. Forexample, in [37], it was shown that checkingreachability(whether a certain region of the state space can be reached) isundecidable for a very simple class of hybrid systems, wherethe continuous dynamics involves only variables that proceedat two constant slopes. These results immediately imply thatmore general classes of hybrid systems cannot have finitebisimulation or language equivalence quotients. Therefore,our search for discrete abstractions of hybrid systems is lim-ited by this result. Given this limit, we show that hybrid sys-tems that can be abstracted fall into two classes. In the firstclass, the continuous behavior of the hybrid system must berestricted, as in the case of timed automata [5], multirate au-tomata [4], [58], and rectangular automata [37], [68]. In thesecond class, the discrete behavior of the hybrid system mustbe restricted, as in the case of order-minimal hybrid systems[44]–[46].

In this paper, we present in a unified way all these results,which collectively define a very tight boundary between de-cidable and undecidable questions about hybrid systems. Wedo not focus on complexity issues or the implementationof these algorithms by verification tools like KRONOS[24],COSPAN [8], UPAAL [48], and HYTECH [35]. It should benoted that, in practice, the algorithms implemented by theabove tools work directly on the original system and do notconstruct an equivalent finite abstraction first. However, thedecidability results presented in this paper for finite abstrac-tions provide correctness and termination arguments for thealgorithms implemented by the tools [37]–[39]. Therefore,the approach described in this paper should be understood astheoretical background underlying the implementations.

More specifically, in Section II, we introduce the readerto the notion of transition systems, which should be thoughtof as graphs with a possibly infinite number of nodes (repre-senting states) and edges (representing transitions). Desiredproperties of transition systems will be expressed as formulasin various temporal logics. We will review the important no-tions of language equivalencies and bisimulations of transi-tion systems, along with temporal logic properties they pre-serve, namely, LTL and CTL. In Section III, after a generaldefinition of hybrid systems, we describe the transition sys-tems generated by our hybrid system model. This allows usto apply the framework of Section II to the various classesof hybrid systems we consider in this paper. We then imme-diately present some undecidability results, which provide aclear boundary for applying the framework of Section II. Asa result, our search for decidable classes of hybrid systemsis limited by this boundary. This forces us to consider hy-brid systems with either simple continuous dynamics (Sec-tion IV), or simple discrete dynamics (Section V). The latterare based on various first-order logical theories. A brief in-troduction to first-order logic is given in Appendix A.

II. TRANSITION SYSTEMS

Transition systems are graph models, possibly with an in-finite number of states or transitions.

Definition 2.1 (Transition Systems):A transition systemconsists of

• a (possibly infinite) set of states;• a finite alphabet of propositions;• a transition relation ;• a satisfaction relation ;• a set of initial states.

A state ispredecessorof a state , and is asuccessorof , written if the transition relation containsthe pair . A state satisfiesa proposition written

if the satisfaction relation contains the pair .The transition system is finite if the cardinality of isfinite, and it is infinite otherwise. We assume that every tran-sition system isdeadlock free, that is, for every state ,there exists a state such that .

A region is a subset of the states. The sets ofpredecessor and successor states ofare

(2.1)

(2.2)

The set of states that are accessible fromin two transitionsis and is denoted by . In general,

consists of the states that are accessible fromintransitions. is defined similarly. Then

(2.3)

(2.4)

are the set of states that arebackwardandforward reachablefrom , that is, accessible in any number of transitions. In

972 PROCEEDINGS OF THE IEEE, VOL. 88, NO. 7, JULY 2000

particular, is the set ofreachable statesof thetransition system and is denoted by .

A problem that is of great interest for transition systemsis the reachability problem. Given a proposition , wewrite for the set of states that satisfy

.Problem 2.2 (Reachability Problem):Given a transition

system and a proposition , is?

If the proposition encodes an undesirable or unsafe re-gion of the state space, then solving reachability correspondsto checking if the system is safe. In this paper, we are in-terested in computational approaches to the solution of thereachability problem. The following algorithm computes thereachable space until either a state satisfyingis reached orno more reachable states can be added.

Algorithm 1 (Forward Reachability)initially ;while true do

if return “unsafe” end if ;if return “safe” end if ;

end while

A backward reachability algorithm that starts with andchecks whether can be similarly con-structed. Such iterative algorithmic approaches to checkingsystem properties are guaranteed to terminate if the statespace of the transition system is finite, since in the worstcase they can only visit a finite number of states. If the statespace is infinite, then there is, in general, no guarantee thatthe forward reachability algorithm will terminate within a fi-nite number of iterations of the loop. It could continue addingstates forever without ever reaching the target regionora fixed point such that . In this paper, ourgoal is to find classes of infinite transition systems whoseanalysis can be performed onequivalentbut finite transitionsystems. This is accomplished by constructing suitable finitequotients ordiscrete abstractionsof the original system inthe sense that they preserve the properties of interest whileomitting detail.

In addition to reachability, the desired system specifica-tion may require more detailed system properties. For ex-ample, one may wish to encode the requirement that a systemfailure is eventually followed by a return to the normal modeof operation. More abstractly, if the transition system visitsa region , encoding a failure, then eventually it will reacha region , encoding normal operation. Such properties canbe encoded as formulas in temporal logic [65]. Formulas oftemporal logic are thus used to formally specify properties ofsystems, such as reachability, invariance, or response proper-ties. In the sequel, after defining the notion of quotient tran-sition systems, two kinds of equivalence relations,languageequivalencesand bisimulations, are considered along withtwo popular temporal logics, LTL and CTL, whose proper-ties they preserve.

An equivalence relation on the state spaceis proposition preservingif for all states and allpropositions , if and , then ; thatis, the region is a union of equivalence classes. Given aproposition-preserving equivalence relation, the definitionof quotient transition system is natural. Let denotethe quotient space, that is, the set of equivalence classes. For aregion , we denote by the collection of all equivalenceclasses that intersect. The transition relation on thequotient space is defined as follows: for , wehave iff there exist two states and

such that . The satisfaction relation on thequotient space is defined as follows: for , we have

iff there exists a state such that .The quotient transition system is then ,

.1) Language Equivalences Preserve Linear Temporal

Properties: Let be a state of the transition system. Given a state , letbe the set of propositions that

are satisfied by . A trajectory generated from is aninfinite sequence such that and for all

, we have . This trajectory defines theword The set of words that are defined bytrajectories generated fromis denoted by and calledthe languageof the state . The set of wordsthat are defined by trajectories generated from initial statesis denoted by and called thelanguageof the transitionsystem .

Definition 2.3 (Language Equivalencies):Let be a tran-sition system with state space. An equivalence relationon is a language equivalence ofif for all states ,if , then .

Note that every language equivalence is propositionpreserving. Every language equivalence partitions thestate space and gives rise to the quotient transition system

, which is called alanguage equivalence quotientof .The formulas of LTL are interpreted over words, and hencethe properties expressed in LTL are preserved by languageequivalence quotients.

Definition 2.4 (Linear Temporal Logic [66], [54]):Theformulas of LTL are defined inductively as follows.

• Propositions: Every proposition is a formula.• Formulas: If and are formulas, then the fol-

lowing are also formulas:

The formulas of LTL are interpreted over infinitesequences of sets of propositions. Consider a word

, where each is a set of propositions.The satisfaction of a propositionat position of word

is denoted by (which should not be confusedwith the satisfaction relation , which tells us whether astate satisfies a proposition), and holds iff . We canthen recursively define the semantics for any LTL formulaas follows.

ALUR et al.: DISCRETE ABSTRACTIONS OF HYBRID SYSTEMS 973

• if either or.

• if .• if .• if there is a such that

and for all , we have .

A word satisfiesan LTL formula if . Fromand , which stand for negation and disjunction, respec-

tively, we can also define conjunction, implication , andequivalence . Thetemporal operators and are calledthe nextanduntil operators. The formula holds for aword iff the subformula is true for the suffix

The formula intuitively expresses the prop-erty that is true until becomes true. Using the next anduntil operators, we can also define the following temporaloperators in LTL:

• Eventually: true ;• Always: .

Therefore, indicates that becomes eventually true,whereas indicates that is true at all positions of aword. The LTL formula is true for words that satisfyinfinitely often, whereas a word satisfies if becomeseventually true and then stays true forever.

A transition system satisfiesan LTL formula if someword in the language satisfies . For example, if isa proposition encoding an unsafe region, then violation ofsafety can be expressed as . Violation of the more elabo-rate requirement that visiting region will eventually befollowed by visiting region , is expressed by the formula

.Problem 2.5 (LTL Model Checking Problem):Given a

transition system and an LTL formula , determine ifsatisfies .

Since reachability can be expressed by an LTL formula ofthe form , it is immediate that Problem 2.2 is containedin Problem 2.5. Given the definition of language equivalence,the following theorem should come as no surprise.

Theorem 2.6 (Language Equivalencies Preserve LTLProperties): Let be a transition system and let bea language equivalence of. Then satisfies the LTLformula if and only if the language equivalence quotient

satisfies .Therefore, given a transition systemand an LTL formula

, we can equivalently perform the model checking problemon . In general, language equivalence quotients are notfinite. If, however, we aregivena finite language equivalencequotient of a transition system, then using the above the-orem, LTL model checking can be decided for.

2) Bisimulations Preserve Branching Temporal Proper-ties: We now define a different way of partitioning the statespace along with a class of properties it preserves.

Definition 2.7 (Bisimulations [57]):Let ,be a transition system. A proposition-preserving

equivalence relation on is a bisimulation of if forall states , if , then for all states ,if , there exists a state such that and

.

If is a bisimulation, then the quotient transition systemis called abisimulation quotientof . The crucial

property of bisimulations is that for every equivalence class, the predecessor region is a union of

equivalence classes. Therefore, if , thenis either the empty set or all of . It is

not difficult to check that every bisimulation is a languageequivalence, but a language equivalence is not necessarilya bisimulation.

CTL is a temporal logic, which, contrary to LTL, containsexistential quantifiers that range over trajectories.

Definition 2.8 (Computation Tree Logic [19], [69]):Theformulas of CTL are defined inductively as follows.

• Propositions: Every proposition is a formula.• Formulas: If and are formulas, then the fol-

lowing are also formulas:

The difference between the semantics of LTL and CTL isthat LTL formulas are interpreted over words, whereas CTLformulas are interpreted over the tree of trajectories gener-ated from a given state of a transition system. More precisely,the state of the transition system satisfies the proposi-tion if , as usual, and the semantics of any CTLformula is then recursively defined as follows.

• if either or .• if .• if there exists a state such that

and .• if there exists a trajectory gen-

erated from such that for all , we have .• if there exists a trajectory

generated from such that for some ,and for all , we have .

As in LTL, we can define , , and from and .The temporal operators , , and are calledpos-sibly next, possibly always, andpossibly until, as they referto the existence of a trajectory from a given state. Thepos-sibly eventuallyoperator is defined astrue . Addi-tional temporal operators, which refer to all trajectories froma given state, can be defined as follows:

• inevitably next: ;• inevitably always: ;• inevitably eventually: ;

A transition system satisfiesa CTL formula if someinitial state of satisfies . For example, reachability canbe captured in CTL by the formula . The CTL formula

encodes the requirement that there is some reach-able state from which all trajectories stay within the region

.Problem 2.9 (CTL Model Checking Problem):Given a

transition system and a CTL formula , determine ifsatisfies .

As in LTL model checking, Problem 2.2 is containedin Problem 2.9. However, Problem 2.5 is incomparableto Problem 2.9, as there are requirements which can be


expressed in LTL but not in CTL (such as the requirement), and there are requirements which can be expressed

in CTL but not in LTL (such as the requirement )[26]. The following theorem shows that bisimulationspreserve CTL properties.

Theorem 2.10 (Bisimulation preserves CTL properties[15]): Let be a transition system and let be a bisimu-lation of . Then satisfies the CTL formula if and onlyif the bisimulation quotient satisfies .

Therefore, CTL model checking for can be performedequivalently on . Bisimulations can be computed usingthe following algorithm. If the algorithm terminates withina finite number of iterations of the loop, then there is a fi-nite bisimulation quotient, and the algorithm returns a finitepartition of the state space which is the coarsest bisimulation(i.e., the bisimulation with the fewest equivalence classes).

Algorithm 2 (Bisimulation Algorithm[14], [41])initially ;while there exist such that

do;

end while ;return

Therefore, in order to show that CTL model checking canbe decided for a transition system, it suffices to show thatthe bisimulation algorithm terminates on and that eachstep of the algorithm iscomputableor effective. This meansthat we must be able to represent (possibly infinite) state setssymbolically, perform Boolean operations, check emptiness,and compute the predecessor operation on the symbolicrepresentation of state sets [33].

Even though LTL and CTL are incomparable, they areboth sublogics of CTL, a more expressive temporal logic,and of a fixed-point logic called the-calculus[23], [26].Bisimulations preserve not only CTL properties accordingto Theorem 2.10 but also all CTLand -calculus properties[15].

III. H YBRID SYSTEMS

In this section, we apply the framework presented in Sec-tion II to transition systems generated by hybrid systems. Wethen immediately present various barriers for obtaining finitediscrete abstractions for general hybrid systems by showingclasses of hybrid systems whose reachability problems areundecidable. We start with a definition of hybrid systems.

Definition 3.1 (Hybrid Systems [3]):A hybrid system is atuple with the following com-ponents.

• is a finite set oflocations, and is a nonnegativeinteger called thedimensionof . The state space ofis . Each state thus has the form ,where is thediscretepart of the state andis thecontinuouspart.

• is the set of initial states.• : assigns to each state a set

, which constrains the time derivative ofthe continuous part of the state. Thus in discrete loca-tion , the continuous part of the state satisfies thedif-ferential inclusion .

• : assigns to each location aninvariant set , which constrains the valueof the continuous part of the state while the discrete partis .

• is a relation capturing discontinuous statechanges.

We refer to the individual coordinates of the continuouspart of the state space as real-valuedvariables, and weview the continuous part of a state as anassignment of values to the variables.

Hybrid systems are typically represented as finite graphswith vertices and edges defined by

for some and

With each vertex , we associate aninitial set definedas

With each edge , we associate aguard setdefined as

for some

and a set-valuedresetmap

Trajectories of the hybrid system originate at anyinitial state and consist of concatenations ofcontinuous flowsanddiscrete jumps. Continuous flows keepthe discrete part of the state constant, and the continuouspart evolves over time according to the differential inclu-sions , as long as remains inside the invariantset . If during the continuous flow it happens that

for some , then the edgebecomesenabled. The state of the hybrid system may

then instantaneously jump from to any with. Then the process repeats, and the contin-

uous part of the state evolves according to the differentialinclusions . Even though Definition 3.1 placesno well-posedness conditions on the class of hybrid systemswe consider, the results presented in this paper will assumestrong restrictions regarding the types of, , , andthat are permitted.

Example 3.2:Fig. 1 is a graphical illustration of a spe-cial kind of hybrid system, called atimed automaton, whichis a finite-state machine coupled with real-valuedclockvari-ables. This timed automaton consists of two locationsand

and two variables and , which always evolve in


under the differential equations and . There-fore and simply measure time. The initial state of thesystem is , and the invariant sets asso-ciated with the locations and are and ,respectively. There are two edges, and

. The guard of is the set and the reset mapis , whereas the guard and reset of

are and , respectively. No-tice that the identity map on thevariable on the edge issuppressed from Fig. 1. A simple reachability specificationmay require that the timed automaton never enters the region

and .

A. Rectangular, Multirate, and Timed Automata

Consider the space with the variables .A rectangular setis defined by a conjunction of linear(in)equalities of the form , where is one of

, and . For a rectangular set , letbe its projection onto theth coordinate. Thus a rectangularset is of the form , where each

is a bounded or unbounded interval.Definition 3.3 (Rectangular Automata [37]):A rectan-

gular automaton is a hybrid system that satisfies the fol-lowing constraints.

• For every location , the sets andare rectangular sets.

• For every location , there is a rectangular setsuch that for all .

• For every edge , the set is a rectan-gular set, and there is a rectangular setand a subset

such that for all

Reset for all

if then else

Therefore, in a rectangular automaton, the derivative of eachvariable stays between two fixed bounds, which may be dif-ferent in different locations. This is because in each location, the differential inclusions are constant and coordinate-wise

decoupled, that is, for all . With eachdiscrete jump across an edge, the value of a variable iseither left unchanged (if ), or reset nondeterministi-cally to a new value within some fixed, constant interval(if ). An example of a rectangular automaton is shownin Fig. 2.

A rectangular automaton isinitialized if for every edgeand all , Reset ,

then . In other words, if after a discretejump the bounds on the derivative of a variable change, thenits value must be nondeterministically reset (“reinitialized”)within a fixed interval. The rectangular automaton of Fig. 2is initialized.

Definition 3.4 (Multirate Automata [3]):A multirateautomaton is a rectangular automaton that satisfies thefollowing constraints.

• For each location , the set is either emptyor a singleton set.

Fig. 1. Timed automaton.

Fig. 2. Rectangular automaton.

• For each edge , the set is a singleton set.• For each location , the set is a singleton set.

Therefore, in a multirate automaton, each variable followsconstant, rational slope, which may be different in differentlocations. Multirate automata may or may not be initialized.

Definition 3.5 (Timed Automata [5]):A timed automatonis a multirate automaton such that foreach location .

Therefore, in a timed automaton, in every location eachvariable follows the constant slope 1, that is, for all

. Each is thus referred to as a clock variable.Notice that timed automata are initialized by definition, be-cause the differential inclusion never changes.

B. Transition Systems of Hybrid Systems

Let be a hybrid system, andlet be a finite set of subsets of . The hybrid systemgenerates a transition systemwith respect to . Set and . Set

, that is, the propositions are the locations andthe given sets in . For , define iff ,and for , define iff . Finally, define

as follows.Discrete transitions: for

iff and .Continuous transitions: iff

and there exists a real and a differentiable curve:with , , for all

we have , and for all we have.

The continuous transitions are time-abstract transitionsin the sense that the time it takes to reach one state fromanother is ignored.


Having defined the transition system of a hybrid systemallows us to proceed with the conceptual framework pre-sented in Section II, and determine language equivalence andbisimulation quotients of hybrid systems. The next subsec-tion presents some immediate barriers in obtaining such dis-crete abstractions, which are finite.

C. Undecidability Barriers

A variable is atwo-slopevariable if there existsuch that for all locations , either

or . The rationals and are theslopesof . The variable is a one-slopevariable if .Note that a clock variable is a one slope variable with slope

. The following theorem presents an imme-diate obstacle in obtaining finite discrete abstractions of hy-brid systems.

Theorem 3.6 (Undecidability of Uninitialized MultirateAutomata [37]): Consider the class of multirate automatawith clock variables and one two slope variable withslopes . The reachability problem (Problem 2.2) isundecidable for this class.

In other words, there is no computational procedure thattakes as input any multirate automaton from the givenclass, and a proposition, and determines if any trajectoryvisits a state that satisfies. The proof of the undecidabilityresult proceeds by a reduction from the halting problem fortwo counter machines, and can be found in [37]. Theorem 3.6shows that initialization is a necessary condition for decid-ability. An additional necessary condition is provided by thefollowing theorem, which shows that any violation of rect-angularity, namely, the coupling variables, also leads to un-decidability.

Theorem 3.7 (Undecidability of Coupling Variables inMultirate Automata [37]): Suppose we generalize the defi-nition of multirate automata so to permit 1) the intersectionof rectangular guard sets with inequalities of theform , 2) the intersection of rectangular invariantsets with inequalities of the form , or 3) resetmaps of the form , for . Considera class of multirate automata that are generalized in one ofthese three ways and that have clock variables anda one-slope variable with slope . The reachabilityproblem (Problem 2.2) is undecidable for this class.

Since the reachability problem is a special case of LTL andCTL model checking, it is clear from Theorems 3.6 and 3.7that Problems 2.5 and 2.9 are also undecidable for very re-strictive classes of hybrid systems. Consequently, it must beimpossible to construct finite language equivalence or bisim-ulation quotients for transition systems , where is ahybrid system of Theorem 3.6 or 3.7 and .

The above negative results force us to consider hybrid sys-tems with either simpler discrete dynamics or simpler contin-uous dynamics, in order for the framework of Section II to besuccessful. In the next two sections, we survey such results,which, in conjunction with Theorems 3.6 and 3.7, define atight boundary between decidability and undecidability formodel checking of hybrid systems.

IV. RESTRICTING THEFLOWS

In this section, we obtain discrete abstraction of hybridsystems with restricted continuous dynamics. We first con-sider timed automata, which have finite bisimulation quo-tients of a very intuitive structure.

A. Timed and Multirate Automata

A timed automaton is defined by a finite graph ,a dimension , and linear inequalities of the form ,where , which define initial, invariant, and guard sets,as well as reset maps. Even though the timed automata de-fined in Section III-A allow rational constants in their defi-nition, in this section we consider timed automata with onlyinteger constants. There is no loss of generality in this as-sumption, because a finite number of rationals can always berescaled to integers. Furthermore, we restrict the clock vari-ables to range over the nonnegative reals. There is also no lossof generality in this assumption, because every clock variableof a timed automaton is bounded from below by initial setsand reset maps. Let be the largest integer that is com-pared to in the definition of . For example, in Fig. 1, thelargest integer that is compared to is ten (in the reset mapof ), which is also the largest integer to whichis com-pared (in the invariant set of ).

Given a nonnegative real , let stand for thefloor function, let stand for the ceiling function, and let

stand for the fractional part of; that is .We define the following equivalence relations on and on

, the state space of .Definition 4.1 (Region Equivalence [5]):Two vectors

and in are regionequivalent, written , if the following two conditionsare satisfied.

• For all , we have either both and, or both and .

• For all , if and ,then iff .

Two states and in are region equivalent,, if both and .

Therefore, two states of are region equivalent if theyagree on the discrete parts, on the integral parts of all clockvalues, and on the ordering of the fractional parts of all clockvalues. The integral parts of the clock values determinewhether or not a particular clock constraint is met, whereasthe ordering of the fractional parts determines which clockwill change its integral part first. For example, if two clocks

and are between 0 and 1 in a state, then an edge whoseguard set is defined by the clock constraint can befollowed by an edge that is guarded by the clock constraint

, depending on whether or not the current clock valuessatisfy . Furthermore, since each clock variableis never compared with constants greater than, then theactual value of , once it exceeds , is of no consequencein determining the validity of any clock constraints.

Example 4.2:The nature of the equivalence classes de-fined by can be best understood using a planar example.


Fig. 3. Equivalence classes of planar region equivalence.

Consider with and . Theequivalence classes are shown in Fig. 3. Note that there areonly a finite number of classes, at most ,where is the number of clock variables. Thus, the numberof classes is exponential in the dimension and in the size ofclock constraints (each constant requires bits forrepresentation in a clock constraint).

If we are given a finite set of rectangular sets, then wedefine the region equivalence relation on the states ofthe timed automaton just like , except that the con-stants are taken to be maximal also with respect to theconstants that define the sets in. The following is the maintheorem about timed automata.

Theorem 4.3 (Bisimulations of Timed Automata [5]):Letbe a timed automaton, and letbe a finite set of rectan-

gular sets. Then the region equivalence relation is abisimulation of the transition system .

Since the region equivalence relation has a finitenumber of equivalence classes and the corresponding quo-tient transition system can be constructed effectively, we ob-tain the following corollary.

Corollary 4.4: The LTL and CTL model checkingproblems (Problems 2.5 and 2.9) can be decided for timedautomata, provided every proposition occurring in temporalformulas is either an automaton location or a rectangular set.

The above result was the first successful extraction of afinite discrete abstraction from a hybrid system and has in-spired much research in this direction along with the devel-opment of verification tools. This result can be generalizedas follows to multirate automata.

Theorem 4.5 (Bisimulations of Initialized Multirate Au-tomata [3]): Let be an initialized multirate automaton,and let be a finite set of rectangular sets. Then the transi-tion system has a finite bisimulation quotient, whichcan be constructed effectively.

The proof of Theorem 4.5 is based on rescaling the slopeof each variable to 1, by appropriately adjusting all initial,invariant, and guard sets, as well as reset maps. From the re-gion equivalence of the resulting timed automaton, we obtaina bisimulation of the initialized multirate automaton.

Corollary 4.6: The LTL and CTL model checking prob-lems (Problems 2.5 and 2.9) can be decided for initializedmultirate automata, provided every proposition occurring intemporal formulas is either an automaton location or a rect-angular set.

Notice that restricting ourselves toinitializedmultirate au-tomata in Theorem 4.5 does not violate the conditions of The-orem 3.6, by which multirate automata that are not initializedcannot, in general, have a finite bisimulation quotient. Simi-larly, restricting ourselves to propositions that are rectangular

sets in Corollary 4.6 does not violate the spirit of Theorem3.7.

B. Rectangular Automata

Up to this point, the restricted classes of hybrid systemsthat we have presented admit finite bisimulation quotients. Inthis section, we show that more general hybrid automata donot admit finite bisimulation quotients but may admit finitelanguage-equivalence quotients, which are coarser quotients.

Theorem 4.7 (Language Equivalences of Initialized Rect-angular Automata [37], [38]): Let be an initialized rect-angular automaton, and let be a finite set of rectangularsets. Then the transition system has a finite language-equivalence quotient, which can be constructed effectively.

The main idea of the proof is to convert an initialized rect-angular automaton to an initialized multirate automaton byreplacing each variable , which satisfies a differential in-clusion of the form by two variables namedand , which satisfy and , respectively. Thevariables and keep track of the lower and upper boundsof . The initial, invariant, and guard sets, as well as the resetmaps must be adjusted accordingly. For example, if the guardset is defined by , then it is replaced by , andif , then is reset to 3. This conversion from therectangular to a multirate automaton is language preserving.Hence, from the finite bisimulation of the initialized multi-rate automaton (Theorem 4.5), we can construct a finite lan-guage equivalence of the original initialized rectangular au-tomaton.

Corollary 4.8: The LTL model checking problem(Problem 2.5) can be decided for initialized rectangularautomata, provided every proposition occurring in temporalformulas is either an automaton location or a rectangular set.

The conversion from initialized rectangular automata toinitialized multirate automata may not preserve branchingproperties, such as those expressible in CTL. In general, ini-tialized rectangular automata do not admit finite bisimulationquotients.

Theorem 4.9 (Lack of Finite Bisimulation Quotients forInitialized Rectangular Automata [32]):There exist an ini-tialized rectangular automaton and a finite set of rect-angular sets such that every bisimulation of the transitionsystem has infinitely many equivalence classes.

In order to simplify the proof of the above theorem, weconsider a slight extension of Definition 3.3 and allow morethan one edge between a pair of locations.

Example 4.10:Consider the simple rectangular au-tomaton shown in Fig. 4. The automaton has only onelocation , is trivially initialized, and has two variablesand , which are allowed to live on the unit square; that


is, and .Furthermore, . Both andsatisfy the differential inclusion and

. There are two edges from to itself,and , with .Furthermore, and

; that is, and resetor to 0, respectively. Let consist of the two rectangular

sets defined by and . Then the bisimulation al-gorithm (Algorithm 2.2) does not terminate on the transitionsystem .

The classes of hybrid systems presented in this sectionare expressive enough to model many systems arising inreal-time communication networks, real-time circuits, aswell as real-time software. Timed automata allow us tomodel accurate clocks, and rectangular automata allow us tomodel clocks with bounded drift. However, the continuousdynamics (flows) that can captured directly by rectangularautomata is rather limited for control applications, andgenerally involves approximations [36], [67]. In order tocapture more complicated continuous dynamics directlywithout violating the undecidability results of Section III-C,one needs to restrict the discrete dynamics (jumps) of ahybrid system.

V. RESTRICTING THEJUMPS

Our goal in this section is to apply the framework of Sec-tion II to hybrid systems with more complicated continuousbehavior. However, the following example shows that, evenin the absence of discrete dynamics, the bisimulation algo-rithm does not terminate.

Example 5.1:Consider the trivial hybrid system with onlyone discrete location and no discrete jumps, and let bethe linear vector field on

Assume the partition of consists of the following threesets (see Fig. 5):

The trajectories of are spirals moving away from theorigin. The first iteration of the algorithm partitions into

and, where is the -coordinate of the first

intersection point of the spiral through with . Thesecond iteration subdivides into

and , where is the-coordinate of the next point of intersection of the spiral

with . This process continues indefinitely since the spiralintersects in infinitely many points, and therefore the al-gorithm does not terminate. In fact, the bisimilarity quotientis not finite.

From the above example, it is clear that the criticalproblem one must investigate is how the trajectories of

interact with the sets inside a single location. This

Fig. 4. Initialized rectangular automaton without finitebisimulation quotient.

Fig. 5. Bisimulation algorithm does not terminate.

requires that the trajectories of the vector field havenice intersection properties with such sets. Since the goalis to obtain finite partitions, it will become important thatwe restrict the study to classes of sets withglobal finitenessproperties, for example, sets with finitely many connectedcomponents. Even though these desirable properties aregeometric in nature, they are captured by the notion oforder-minimality (o-minimality) from model theory.

A. O-Minimal Structures

In this section, we provide a brief introduction to o-min-imal structures [77] and then use it to construct finite bisimu-lations of certain classes of hybrid systems. A brief introduc-tion to first-order logic can be found in the Appendix. Moreintroductory material on first-order logic can be found in [27]and [76], and the use of various logics for hybrid systems isdetailed in [23].

Definition 5.2 (O-Minimal Structure):A (model-the-oretic) structure over the reals is called o-minimal (orderminimal) if every definable subset (with parameters) of

is a finite union of points and open intervals (possiblyunbounded).


Table 1O-Minimal Structures

For structures that extend , this isequivalent to checking the above property for sets definablewithout parameters [56]. For example, consider the subsetof the reals defined by , where issome polynomial. Then, since every polynomial has a finitenumber of roots, the set where it is not negative is a finiteunion of points and intervals. This finiteness property musthold for any definable set in the structure, ,even if the formula contains quantifiers.

The class of o-minimal structures over the reals isquite rich. In [72], it was shown that the structure

admits elimination of quanti-fiers, by proposing an algorithm that given any formula in

converts it to an equivalent formulawithout quantifiers. This, together with an analysis of thesets definable by quantifier-free formulas shows that thestructure is o-minimal. Tarski was also interested in ex-tending this result to , where thereis an additional symbol in the language for the exponentialfunction. While this structure does not admit elimination ofquantifiers, it was shown in [80] that this structure is o-min-imal. Another important extension is obtained as follows.Assume is a real-analytic function in a neighborhood ofthe cube . Let be the functiondefined by

if

otherwise.We call such functionsrestricted analytic functions.These functions are useful to describe the behavior ofsome periodic trajectories. For example, the functions

and restricted to a period are sufficient to defineclosed orbits of some linear systems. In [78], the structure

, which is an extension of, was shown to be o-minimal.

Table I summarizes o-minimal structures over the reals alongwith someexamplesof sets and vector field trajectories thatare definable in these theories.

Based on the notion of o-minimality, the following classof hybrid systems is defined.

Definition 5.3 (O-Minimal Hybrid Systems):A hybridsystem is called o-minimal if:

• for each , is a differential equation whoseflow is complete (defined for all time);

• for each , the reset map is a piece-wise constant (with finite number of pieces) but setvalued map;

• for each and all edges , the sets ,, and , and the flow of are de-

finable in the same o-minimal structure over the reals.

Note that o-minimal hybrid systems place a restriction onthe discrete jumps, namely, that every time a discrete jump istaken, all states must be reinitialized, possibly nondetermin-istically. Notice, however, that we do allow piecewise con-stant set valued maps, which can be used to overapproximate,arbitrarily closely, useful reset maps like the identity map.A more detailed analysis of set-valued maps can be foundin [22]. This restriction on the discrete dynamics along withthe powerful structure of o-minimal structures, allows us toprove the following theorem without violating the results ofSection III-C. Even though the following theorem is provedin [44] for constant, set-valued reset maps, the proof can beeasily adapted to handle piecewise constant, set-valued re-sets.

Theorem 5.4 (Bisimulations of O-Minimal Hybrid Systems[44]): Let be an o-minimal hybrid system, and letbea finite collection of sets definable in the same o-minimalstructure. Then the transition system has a finite bisim-ulation quotient.

Theorem 5.4 is appealing since it can capture hybrid sys-tems with more complicated continuous dynamics. To illus-trate the continuous behavior that can be captured, we applyTheorem 5.4 for each o-minimal structure of Table 1, and weprovide examples of definable, o-minimal hybrid systems.

: The definable sets in this structurecapture polyhedral sets whereas the definable flows capturelinear flows. In particular, it captures timed and multirate au-tomata in the special case where all reset maps are constant.Timed and multirate automata, in general, allow more com-plicated reset maps, like the identity map, in their discretejumps.

: In [72], it was shown thatis decidable. In fact, the decision procedure

consisted of two parts: first, an algorithm for eliminatingquantifiers, and second, an algorithm for deciding quanti-fier free formulas. Because of these results, the definable setswith parameters in this structure are thesemialgebraic sets,which are defined as Boolean combinations of sets of theform and , where is apolynomial. The definable flows in this structure are semi-algebraic. Therefore, the o-minimal hybrid systems corre-sponding to this structure are hybrid systemswhere allsets and flows are semialgebraic.


: In order to describe the de-finable sets in this structure, we need the notions ofsemian-alytic andsubanalytic sets. We provide below an informaldefinition of these notions. For precise definitions and prop-erties, the reader is referred to [13]. We say that a subsetof

is semianalytic in if for every there exists aneighborhood of such that is a Boolean combina-tion of sets of the form and ,where is an analytic function on . Roughly speaking, alocal description of a semianalytic set is analogous to that ofa semialgebraic set with analytic functions replacing polyno-mials. A subset of is subanalytic in if it is locallythe image of a relatively compact semianalytic setunderan analytic map (defined on). A subset of is finitelysubanalytic if its image under the mapgiven by

is subanalytic. The finitely subanalytic sets in are defin-able in this structure.

Even though polynomial flows are definable in this struc-ture, since the functions are zero outside a compact set,these functions cannot be used to define complete flows.However, the operator corresponding to some periodicflows may still be definable. Consider for example, a hy-brid system whose vector fields are diagonalizable linearvector fields with purely imaginary eigenvalues and all rel-evant sets are definable in this structure. Since the restric-tion of on is definable, the operator corre-sponding to is definable. This leads to the following corol-lary of Theorem 5.4, which generalizes to the planar re-sults in [17], [43], and [47].

Corollary 5.5: Let be a hybrid system for which all rel-evant sets (guards, invariants, initial conditions) are finitelysubanalytic and all vector fields are diagonalizable linearvector fields with purely imaginary eigenvalues. Letbe afinite collection of finitely subanalytic sets. Then the transi-tion system has a finite bisimulation quotient.

: This structure, whichextends by the exponential func-tion, besides enriching the class of definable sets, allowsus to capture new classes of definable flows. In particular,the flows of linear vector fields with real eigenvalues aredefinable. The following corollary is then an immediateconsequence of Theorem 5.4.

Corollary 5.6: Let be a hybrid system for which allrelevant sets are finitely subanalytic and all vector fields areof one of the following two forms:

• linear vector fields with real eigenvalues;• diagonalizable linear vector fields with purely imagi-

nary eigenvalues.

Let be a finite collection of finitely subanalytic sets. Thenthe transition system has a finite bisimulation quotient.

The above theorem extends the planar results in [43] to.Note that relaxations of Corollary 5.6 would allow spiraling,linear vector fields, which are not definable in this structure.

As was shown by Example 5.1, such systems, in general, donot admit finite bisimulations. This shows that even thoughthe conditions of Theorem 5.4 are sufficient, they are verytight sufficient conditions.

The above results are existential and show that a finitebisimulationsexist for the above classes of o-minimal hy-brid systems. That means that the bisimulation algorithmwill terminate. To show decidability, we must also show thatthe bisimulation algorithm is computable, which means thatthere is an effective procedure to compute the oper-ator. This can be achieved for various classes of o-minimalhybrid systems by posing each step of the bisimulation al-gorithm as a quantifier elimination problem in the structure

. The proof then consists of showingthat for semialgebraic sets , the task of computingthe preimage under the flow of such linear systemsreduces to quantifier elimination in bya sequence of definable variable substitutions, which elimi-nate the exponential terms.

Theorem 5.7 (Hybrid Systems with Linear DifferentialEquations [45]): Consider the class of o-minimal hybridsystem where:

• for each and edges , the sets ,, and are semialgebraic with rational

coefficients;• for all , , where , and– is nilpotent; or– is diagonalizable and has real, rational eigenvalues;

or– has purely imaginary eigenvalues, with ra-

tional, and its real Jordan form is block diagonal withblocks;

then CTL and LTL model checking for this class of hybridsystems is decidable.

As an immediate consequence, the reachability problem isalso decidable for the above classes of hybrid systems. The-orem 5.7 can be extended to include linear hybrid systemswhere in each discrete state the dynamics are of the form

for various types of inputs.Theorem 5.8 (Hybrid Systems with Linear Control Sys-

tems [46]): Consider the class of o-minimal hybrid systemwhere:

• for each and edges , the sets ,, and are semialgebraic with rational

coefficients;• for all , , where

, , and– is nilpotent, and each entry ofis a polynomial in

; or– is diagonalizable, has real rational eigenvalues, and

each entry of is of the form with rational, andnot an eigenvalue of ; or

– has purely imaginary eigenvalues of the formwith rational, and the entries in the inputare of theform or with rational, and ;

then CTL and LTL model checking for this class of hybridsystems is decidable.


The above results remain valid if the inputs are allowed tobe rational, linear combinations of the functions of the corre-sponding type: exponentials in case of real eigenvalues andsinusoidal in the case of imaginary eigenvalues. In all cases,the sameresonancerestrictions apply on the parametersand .

VI. CONCLUSIONS

In this paper, we have considered the algorithmicanalysis of hybrid systems by the process of abstraction.We have presented a unified collection of results wherefinite, property-preserving abstractions of hybrid systemsare possible. Given the known undecidability barriers,we showed that discrete abstractions of hybrid systemsare possible when either the continuous or the discretedynamics are restricted.

In cases where discrete abstractions withequivalentproperties cannot be constructed, abstractions whose prop-erties aresufficient to check can be useful. This approachis taken in [18], [21], [30] [34], [60], [61], [63], [67],and [70], where reachable sets of differential equationsare over- or underapproximated. This line of work oftenallows us to verify instances of hybrid systems even ifthey belong to undecidable classes. The construction oftight approximations along with the tradeoff betweencomplexity and precision is of great importance andshould be pursued further. Research along this directionwill expand the scope and applicability of computationaltools, like KRONOS and HYTECH. This is needed beforethey can be applied on large scale, hybrid systems withcomplicated discrete and continuous dynamics.

APPENDIX AFIRST-ORDER LOGIC

A language is a set of symbols separated into threegroups: relations, functions, and constants. The sets

, , andare examples of languages

where (less than) is the relation, (plus), (minus),(product) and (exponentiation) are the functions, and 0(zero) and 1 (one) are the constants.

Consider a countable collection of variables. The set ofterms of a language is

inductively defined as follows. A term is a variable, aconstant, or , where is an -ary functionand , are terms. For instance,and are terms of and , respectively. Inother words, terms of are linear expressions and termsof are polynomials with integer coefficients. Notice thatintegers are the only numbers allowed in expressions (theycan be obtained by repeatedly adding the constant 1).

Theatomic formulasof a language are of the form, or , where , are terms andis an -ary relation. For example, and

are atomic formulas of . The set of(first-order) formulasis recursively defined as follows. An atomic formulais a

formula, and if and are formulas and is a variable,then , , or are formulas. Exam-ples of -formulas are ,and . The occurrence of a variablein a formula isfree if it is not inside the scope of a quan-tifier; otherwise, it isbound. For example, in the formula

. , , and are free and is bound.We often write to indicate thatare the free variables of the formula. A sentenceof is aformula with no free variables. The formulais a sentence whereas is not.

A (model-theoretic)structure over a set of a lan-guage consists of a nonempty setand an interpretationof the relations, functions, and constants. For example,

and arestruc-tures of over and , respectively, with the usualinterpretation of all the symbols. A set is de-finable if there exists a formula such that

. For example,over , the formula defines the set .A set is definable with parameters in if eachis a constant. For example, defines the set

over , using as a parameter. If a languageis interpreted over and , we simply say that a set

is definable with parameters (without mentioning).

ACKNOWLEDGMENT

The authors would like to thank the reviewers for theirdetailed comments.

REFERENCES

[1] IEEE Trans. Automat. Contr., vol. 43, no. 4, Apr. 1998. Special Issueon Hybrid Systems.

[2] Automatica, vol. 35, no. 3, Mar. 1999. Special Issue on Hybrid Sys-tems.

[3] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P.-H. Ho,X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine, “The algorithmicanalysis of hybrid systems,”Theoret. Comput. Sci., vol. 138, pp.3–34, 1995.

[4] R. Alur, C. Courcoubetis, T. A. Henzinger, and P. H. Ho, “Hy-brid automata: An algorithmic approach to the specification andverification of hybrid systems,” inHybrid Systems. New York:Springer-Verlag, 1993, vol. 736, Lecture Notes in ComputerScience, pp. 209–229.

[5] R. Alur and D. L. Dill, “A theory of timed automata,”Theoret.Comput. Sci., vol. 126, pp. 183–235, 1994.

[6] R. Alur, R. Grosu, Y. Hur, V. Kumar, and I. Lee, “Modular speci-fication of hybrid systems in CHARON,” inHybrid Systems: Com-putation and Control, N. Lynch and B. H. Krogh, Eds. New York:Springer-Verlag, 2000, vol. 1790, Lecture Notes in Computer Sci-ence.

[7] R. Alur, T. A. Henzinger, and E. D. Sontag, Eds.,Hybrid SystemsIII . New York: Springer-Verlag, 1996, vol. 1066, Lecture Notes inComputer Science.

[8] R. Alur and R. P. Kurshan, “Timing analysis in COSPAN,” inHybridSystems III, R. Alur, T. A. Henzinger, and E. D. Sontag, Eds. NewYork: Springer-Verlag, 1996, vol. 1066, Lecture Notes in ComputerScience, pp. 220–231.

[9] P. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, Eds.,Hybrid Sys-tems II. New York: Springer-Verlag, 1995, vol. 999, Lecture Notesin Computer Science.

[10] , Hybrid Systems IV. New York: Springer-Verlag, 1997, vol.1273, Lecture Notes in Computer Science.

[11] E. Asarin, O. Bournez, T. Dang, O. Maler, and A. Pnueli, “Effectivesynthesis of switching controllers for linear systems,” , vol. 88, pp.1011–1025, July 2000.


[12] A. Balluchi, L. Benvenuti, M. DiBenedetto, C. Pinello, and A.Sangiovanni-Vincentelli, “Automotive engine control and hybridsystems: Challenges and opportunities,”Proc. IEEE, vol. 88, pp.888–912, July 2000.

[13] E. Bierstone and P. D. Milman, “Semianalytic and subanalytic sets,”Inst. Hautes Études Sci. Publ. Math., vol. 67, pp. 5–42, 1988.

[14] A. Bouajjani, J.-C. Fernandez, and N. Halbwachs, “Minimal modelgeneration,” inCAV 90: Computer-Aided Verification, R. P. Kurshanand E. M. Clarke, Eds. New York: Springer-Verlag, 1990, vol. 531,Lecture Notes in Computer Science, pp. 197–203.

[15] M. C. Browne, E. M. Clarke, and O. Grumberg, “Characterizingfinite Kripke structures in propositional temporal logic,”Theoret.Comput. Sci., vol. 59, pp. 115–131, 1988.

[16] P. E. Caines and Y. J. Wei, “Hierarchical hybrid control systems: Alattice theoretic formulation,”IEEE Trans. Automat. Contr., vol. 43,no. 4, pp. 501–508, Apr. 1998. Special Issue on Hybrid Systems.

[17] K. Cerans and J. Viksna, “Deciding reachability for planar multi-polynomial systems,” inHybrid Systems III, R. Alur, T. Henzinger,and E. D. Sontag, Eds. Berlin, Germany: Springer-Verlag, 1996,vol. 1066, Lecture Notes in Computer Science, pp. 389–400.

[18] A. Chutinam and B. Krogh, “Verification of polyhedral-invariant hy-brid automata using polygonal flow pipe approximations,” inHy-brid Systems: Computation and Control, F. Vaandrager and J. H. vanSchuppen, Eds. New York: Springer-Verlag, 1999, vol. 1569, Lec-ture Notes in Computer Science.

[19] E. M. Clarke and E. A. Emerson, “Design and synthesis of synchro-nization skeletons using branching-time temporal logic,” inWork-shop on Logic of Programs. New York: Springer-Verlag, 1981, vol.131, Lecture Notes in Computer Science, pp. 52–71.

[20] P. Cousot and R. Cousot, “Abstract interpretation: A unified latticemodel for the static analysis of programs by construction or approx-imation of fixpoints,” inProceedings of the Fourth Annual Sympo-sium on Principles of Programming Languages. New York: ACMPress, 1977.

[21] T. Dang and O. Maler, “Reachability analysis via face lifting,” inHy-brid Systems: Computation and Control, T. Henzinger and S. Sastry,Eds. Berlin, Germany: Springer-Verlag, 1998, vol. 1386, LectureNotes in Computer Science, pp. 96–109.

[22] J. Davoren, “Topologies, continuity, and bisimulations,”Theoret. In-form. Applicat., vol. 33, pp. 357–381, 1999.

[23] J. Davoren and A. Nerode, “Logics for hybrid systems,”Proc. IEEE,vol. 88, pp. 985–1010, July 2000.

[24] C. Daws, A. Olivero, S. Tripakis, and S. Yovine, “The toolKRONOS,” in Hybrid Systems III. New York: Springer-Verlag,1996, vol. 1066, Lecture Notes in Computer Science, pp. 208–219.

[25] R. DeCarlo, M. Branicky, and S. Pettersson, “Perspectives and re-sults on the stability of hybrid systems,”Proc. IEEE, vol. 88, pp.1069–1082, July 2000.

[26] E. A. Emerson, “Temporal and modal logic,” inHandbook of The-oretical Computer Science, J. van Leeuwen, Ed: Elsevier Science,1990, vol. B, pp. 995–1072.

[27] H. B. Enderton,A Mathematical Introduction to Logic. New York:Academic, 1972.

[28] S. Engell, S. Kowalewski, C. Schulz, and O. Stursberg, “Continuous-discrete interactions in chemical processing plants,”Proc. IEEE, vol.88, pp. 1050–1068, July 2000.

[29] R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, Eds.,Hy-brid Systems. New York: Springer-Verlag, 1993, vol. 736, LectureNotes in Computer Science.

[30] T. Henzinger, P. Ho, and H. Wong-Toi, “Algorithmic analysis of non-linear hybrid systems,”IEEE Trans. Automat. Contr., vol. 43, pp.540–554, Apr. 1998.

[31] T. Henzinger and S. Sastry, Eds.,Hybrid Systems: Computation andControl. New York: Springer-Verlag, 1998, vol. 1386, LectureNotes in Computer Science.

[32] T. A. Henzinger, “Hybrid automata with finite bisimulations,” inICALP 95: Automata, Languages, and Programming, Z. Fülöp andF. Gécseg, Eds. New York: Springer-Verlag, 1995, vol. 944, Lec-ture Notes in Computer Science, pp. 324–335.

[33] , “The theory of hybrid automata,” inProc. 11th Annu. Symp.Logic in Computer Science, 1996, pp. 278–292.

[34] T. A. Henzinger and P.-H. Ho, “A note on abstract-interpretationstrategies for hybrid automata,” inHybrid Systems II, P. Antsaklis, A.Nerode, W. Kohn, and S. Sastry, Eds. New York: Springer-Verlag,1995, vol. 999, Lecture Notes in Computer Science, pp. 252–264.

[35] T. A. Henzinger, P.-H. Ho, and H. Wong-Toi, “A user guide toHYTECH,” in TACAS 95: Tools and Algorithms for the Construc-tion and Analysis of Systems, E. Brinksma, W. R. Cleaveland,K. G. Larsen, T. Margaria, and B. Steffen, Eds. New York:Springer-Verlag, 1995, vol. 1019, Lecture Notes in ComputerScience, pp. 41–71.

[36] , “Algorithmic analysis of nonlinear hybrid systems,”IEEETrans. Automat. Contr., vol. 43, no. 4, pp. 540–554, 1998.

[37] T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya, “What’s de-cidable about hybrid automata?,”J. Comput. Syst. Sci., vol. 57, pp.94–124, 1998.

[38] T. A. Henzinger and R. Majumdar, “Symbolic model checking forrectangular hybrid systems,” inTACAS 00: Tools and Algorithms forthe Construction and Analysis of Systems, S. Graf, Ed. New York:Springer-Verlag, 2000, Lecture Notes in Computer Science.

[39] T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine, “Symbolicmodel checking for real-time systems,”Inform. Computat., vol. 111,no. 2, pp. 193–244, 1994.

[40] R. Horowitz and P. Varaiya, “Control design of an automatedhighway system,”Proc. IEEE, vol. 88, pp. 913–925, July 2000.

[41] P. C. Kanellakis and S. A. Smolka, “CCS expressions, finite-stateprocesses, and three problems of equivalence,”Inform. Computat.,vol. 86, pp. 43–68, 1990.

[42] X. D. Koutsoukos, P. J. Antsaklis, J. A. Stiver, and M. D. Lemmon,“Supervisory control of hybrid systems,” , vol. 88, pp. 1026–1049,July 2000.

[43] G. Lafferriere, G. J. Pappas, and S. Sastry, “Hybrid systems withfinite bisimulations,” inHybrid Systems V, P. Antsaklis, W. Kohn,M. Lemmon, A. Nerode, and S. Sastry, Eds. New York: Springer-Verlag, 1998, Lecture Notes in Computer Science.

[44] , “O-minimal hybrid systems,”Math. Control, Signals, Syst.,vol. 13, no. 1, pp. 1–21, 2000.

[45] G. Lafferriere, G. J. Pappas, and S. Yovine, “A new class of decid-able hybrid systems,” inHybrid Systems: Computation and Con-trol. New York: Springer-Verlag, 1999, vol. 1569, Lecture Notesin Computer Science, pp. 137–151.

[46] , “Reachability computation for linear hybrid systems,” inProc.14th IFAC World Congress, vol. E, Beijing, P.R.C, July 1999, pp.7–12.

[47] G. Lafferriere, G. J. Pappas, and S. Sastry, “Subanalytic stratifica-tions and bisimulations,” inHybrid Systems: Computation and Con-trol, T. Henzinger and S. Sastry, Eds. Berlin, Germany: Springer-Verlag, 1998, vol. 1386, Lecture Notes in Computer Science, pp.205–220.

[48] K. Larsen, P. Pettersson, and W. Yi, “UPPAAL in a nutshell,”Springer Int. J. Software Tools Technol. Transfer, vol. 1, no. 1, 1997.

[49] C. Livadas, J. Lygeros, and N. Lynch, “High-level modeling andanalysis of the traffic alert and collision avoidance system (TCAS),”Proc. IEEE, vol. 88, pp. 926–948, July 2000.

[50] J. Lygeros, D. N. Godbole, and S. Sastry, “Verified hybrid controllersfor automated vehicles,”IEEE Trans. Automat. Contr., vol. 43, pp.522–539, Apr. 1998.

[51] J. Lygeros, G. J. Pappas, and S. Sastry, “An approach to the veri-fication of the Center-TRACON Automation System,” inHybridSystems: Computation and Control, T. Henzinger and S. Sastry,Eds. Berlin, Germany: Springer-Verlag, 1998, vol. 1386, LectureNotes in Computer Science, pp. 289–304.

[52] O. Maler, Ed., Hybrid and Real-Time Systems. New York:Springer-Verlag, 1997, vol. 1201, Lecture Notes in ComputerScience.

[53] O. Maler and S. Yovine, “Hardware timing verification usingKRONOS,” in Proc. 7th Conf. Computer-Based Systems andSoftware Engineering, 1996.

[54] Z. Manna and A. Pnueli,The Temporal Logic of Reactive and Con-current Systems: Specification. New York: Springer-Verlag, 1992.

[55] N. H. McClamroch and I. Kolmanovsky, “Performance benefits ofhybrid controller design for linear and nonlinear systems,”Proc.IEEE, vol. 88, pp. 1083–1096, July 2000.

[56] C. Miller and P. Speissegger, “Expansions of the real line by opensets: O-minimality and open cores,”Fund. Math., vol. 162, pp.193–208, 1999.

[57] R. Milner, Communication and Concurrency. Englewood Cliffs,NJ: Prentice-Hall, 1989.

[58] X. Nicolin, A. Olivero, J. Sifakis, and S. Yovine, “An approach tothe description and analysis of hybrid automata,” inHybrid Sys-tems. New York: Springer-Verlag, 1993, vol. 736, Lecture Notesin Computer Science, pp. 149–178.


[59] K. R. Butts, “Analysis needs for automotive powertrain control,”presented at the 7th Mechatronics Forum Int. Conf., Atlanta, GA,Sept 2000.

[60] A. Olivero, J. Sifakis, and S. Yovine, “Using abstractions for theverification of linear hybrid systems,” inComputer-Aided Verifi-cation. New York: Springer-Verlag, July 1994, vol. 818, LectureNotes in Computer Science, pp. 81–94.

[61] G. J. Pappas and S. Sastry, “Towards continuous abstractions of dy-namical and control systems,” inHybrid Systems IV, P. Antsaklis, W.Kohn, A. Nerode, and S. Sastry, Eds. Berlin, Germany: Springer-Verlag, 1997, vol. 1273, Lecture Notes in Computer Science, pp.329–341.

[62] G. J. Pappas, G. Lafferriere, and S. Sastry, “Hierarchically consistentcontrol systems,” inProc. 37th IEEE Conf. Decision and Control,Tampa, FL, Dec. 1998.

[63] , “Hierarchically consistent control systems,”IEEE Trans. Au-tomat. Contr., vol. 45, July 2000.

[64] D. Pepyne and C. Cassandras, “Optimal control of hybrid systemsin manufacturing,”Proc. IEEE, vol. 88, pp. 1108–1123, July 2000.

[65] A. Pnueli, “The temporal logic of programs,” inProc. 18th Annu.Symp. Foundations of Computer Science, 1977, pp. 46–57.

[66] , “The temporal logic of programs,” inProc. 18th Annu. Symp.Foundations of Computer Science, 1977, pp. 46–57.

[67] A. Puri, V. Borkar, and P. Varaiya, “�-approximation of differentialinclusions,” inHybrid Systems III, R. Alur, T. A. Henzinger, andE. D. Sontag, Eds. New York: Springer-Verlag, 1996, vol. 1066,Lecture Notes in Computer Science, pp. 362–376.

[68] A. Puri and P. Varaiya, “Decidability of hybrid systems with rectan-gular differential inclusions,” inComputer Aided Verification, 1994,pp. 95–104.

[69] J. Queille and J. Sifakis, “Specification and verification of concur-rent systems in CESAR,” inFifth International Symposium on Pro-gramming, M. Dezani-Ciancaglini and U. Montanari, Eds. NewYork: Springer-Verlag, 1981, vol. 137, Lecture Notes in ComputerScience, pp. 337–351.

[70] J. Raisch and S. D. O’Young, “Discrete approximations and supervi-sory control of continuous systems,”IEEE Trans. Automat. Contr.,vol. 43, pp. 569–573, Apr. 1998. Special Issue on Hybrid Systems.

[71] M. Song, T.-J. Tarn, and N. Xi, “Integration of task scheduling, ac-tion planning, and control in robotic manufacturing,”Proc. IEEE,vol. 88, pp. 1097–1107, July 2000.

[72] A. Tarski, “A decision method for elementary algebra and geom-etry,” University of California Press, Berkeley, CA, 2nd ed., 1951.

[73] C. J. Tomlin, J. Lygeros, and S S. Sastry, “A game theoretic approachto controller design for hybrid systems,”Proc. IEEE, vol. 88, pp.949–970, July 2000.

[74] C. Tomlin, G. J. Pappas, and S. Sastry, “Conflict resolution for airtraffic management: A study in muti-agent hybrid systems,”IEEETrans. Automat. Contr., vol. 43, no. 4, pp. 509–521, April 1998.

[75] F. W. Vaandrager and J. H. van Schuppen, Eds.,Hybrid Systems:Computation and Control. New York: Springer-Verlag, 1999, vol.1569, Lecture Notes in Computer Science.

[76] D. van Dalen,Logic and Structure, 3rd ed. New York: Springer-Verlag, 1994.

[77] L. van den Dries, Tame Topology and O-Minimal Struc-tures. Cambridge, U.K.: Cambridge University, 1998.

[78] L. van den Dries and C. Miller, “On the real exponential field withrestricted analytic functions,”Israel J. Math., vol. 85, pp. 19–56,1994.

[79] P. Varaiya, “Smart cars on smart roads: Problems of control,”IEEETrans. Automat. Contr., vol. 38, no. 2, pp. 195–207, 1993.

[80] A. J. Wilkie, “Model completeness results for expansions of theordered field of real numbers by restricted pfaffian functions andthe exponential function,”J. Amer. Math. Soc., vol. 9, no. 4, pp.1051–1094, Oct. 1996.

Rajeev Alur (Member, IEEE) received the B.S.degree in computer science from the Indian Insti-tute of Technology at Kanpur, India, in 1987, andthe Ph.D. degree in computer science from Stan-ford University, Stanford, CA, in 1991.

Since 1991, he has been with Computing Sci-ence Research Center, Bell Laboratories, LucentTechnologies, Murray Hill, NJ, as a Member ofTechnical Staff. In Fall 1997, he joined the Uni-versity of Pennsylvania, Philadelphia, as Asso-ciate Professor of computer and information sci-

ence. His areas of research include formal specification and verificationof reactive systems, hybrid systems, concurrency theory, and programminglanguages.

Dr. Alur is a recipient of the NSF CAREER and Alfred P. Sloan FacultyFellowship awards.

Thomas A. Henzinger (Member, IEEE) received the Ph.D. degree incomputer science from Stanford University, Stanford, CA, the M.S. degreein computer and information sciences from the University of Delaware,Newark, and the Dipl.-Ing. degree in computer science from the Universityof Linz, Austria.

He is currently Professor of electrical engineering and computer sciencesat the University of California, Berkeley. Previously, he was Assistant Pro-fessor of computer science at Cornell University, Ithaca, NY, and Directorof the Max-Planck Institute for Computer Science, Saarbrücken, Germany.

Gerardo Lafferriere received theLicenciadodegree in mathematics from the University of LaPlata, Argentina, in 1977, and the Ph.D. degreein mathematics from Rutgers University, NewBrunswick, NJ, in 1986.

From 1986 until 1990, he was a ResearchScientist at the Robotics Laboratory of theCourant Institute, New York. Since 1990, hehas been with the Department of MathematicalSciences at Portland State University, where he iscurrently an Associate Professor. Dr. Lafferriere

spent the 1997–1998 academic year as a Visiting Associate ResearchEngineer at the Electronics Research Laboratory of the University ofCalifornia, Berkeley. His research interests are in nonlinear control theory,hybrid systems, and robotics.

George J. Pappas(Member, IEEE) received theB.S. and M.S. degrees in computer and systemsengineering from Rensselaer Polytechnic Insti-tute, Troy, NY, in 1991 and 1992, respectively.In December 1998, he received the Ph.D. degreefrom the Department of Electrical Engineeringand Computer Sciences at the University ofCalifornia, Berkeley.

In 1994, he was a Graduate Fellow at theDivision of Engineering Sciences, HarvardUniversity, Cambridge, MA. He is currently

Assistant Professor of Electrical Engineering at the University of Pennsyl-vania, Philadelphia, where he also holds a secondary appointment in theDepartment of Computer and Information Sciences. His research interestsinclude embedded hybrid systems, hierarchical control systems, nonlinearcontrol systems, geometric control theory, flight and air traffic managementsystems, robotics, and unmanned aerial vehicles.

Dr. Pappas is the recipient of the 1999 Eliahu Jury Award for Excellencein Systems Research from the Department of Electrical Engineering andComputer Sciences at the University of California, Berkeley. He was also afinalist for the Best Student Paper Award at the 1998 IEEE Conference onDecision and Control.


discrete abstractions of hybrid systems - proceedings of the ieee

Documents