CSE 591: Theoretical Aspects of CPSgfaineko/courses/cse591/2010/lec20.pdf · 7 What about hybrid (embedded) systems? • In general, verifying a hybrid system is undecidable R. Alur

1

School of Computing, Informatics and Decision System Engineering

Arizona State University

fainekos at asu edu

http://www.public.asu.edu/~gfaineko

Instructor: Georgios E. Fainekos

05 Apr 2010

CSE 591: Theoretical Aspects of CPS

Robust testing and Testing robustness

http://www.public.asu.edu/~gfaineko

2Motivation – Transmission lines

At low frequencies

3Motivation – Transmission lines

Analysis of interconnect effects is a necessity!

Figure from UCB EE CE481 lecture notes

Operating frequencies

Feature size

Transmission lines become asimportant as the devices!

Distributed RLC circuit

4

Motivation – A study of transient dynamics

Desired Performance Characteristics1. Overshoot2. Rise time3. Delay time 4. Settling time5. Constraints on input/states6. Response sensitivity

Use Linear or MetricTemporal Logic

SPICEAWE

5

43

1

2

5

)()(

)()()(

tCxtU

tUbtxAtx

out

inii

VnV2V1

V

Rn LnR2 L2R1 L1DnD2D1

Cn CcnCc2Cc1 C2C1

Example : Verifying a transmission line

System:

Step input (t > 0):

Steady state at t = 0:

Property:

Φ = G p1 F [0,0.85]G p2

O (p1) = [-1.5,1.5]

O (p2) = [0.8,1.2]

Τ

Initial conditions:

Uncertain parameters

e.g. C[a1,a2]

6

What can we verify?

• Verifying Cyber systems is a decidable problem The Turing award this year was given to the founders of model checking : E. Clark, A.

Emerson and J. Sifakis

• Applications in verification of software, hardware, protocols etc.

• Many software toolboxes : SPIN, SMV etc

Cyber-System Specification

Algorithm

YES NO

7

What about hybrid (embedded) systems?

• In general, verifying a hybrid system is undecidable R. Alur and C. Courcoubetis and N. Halbwachs and T. A. Henzinger and P.-H. Ho and X. Nicollin

and A. Olivero and J. Sifakis and S. Yovine, The algorithmic analysis of hybrid systems, TCS

Henzinger, Kopke, Puri, Varaiya, What's decidable about hybrid automata? Proceedings of the twenty-seventh annual ACM symposium on Theory of computing.

Cyber-Physical

SystemSpecification

Algorithm

YES NO

8What can be done?

• Previous approaches to the undecidability problem : identifying decidable classes :

Alur, Henzinger, Pappas, Lafferriere, …

semi-decidable algorithms : Krogh, Alur, Henzinger, Dang, Ivančić, Girard, Mitchell, Tomlin, Maler, …

barrier certificates : Prajna, Jadbabaie, …

systematic simulations / model based testing : Krogh, Maler, Dang, Lee, Sokolsky, Kumar, Esposito, LaValle, Vardi, …

• In Practice : Simulations ! Schuller, Brangs, Rothfuß, Lutz, Breit: Development methodology for

dynamic stability control systems, International Journal of Vehicle Design 2002 - Vol. 28, No.1/2/3 pp. 37-56

Gielen, Rutenbar: Computer-Aided Design of Analog and Mixed-Signal Integrated Circuits, Proceedings of the IEEE, Vol. 88, No. 12, 2000

9

Advantages : A finite number of simulations

Coverage guarantees

Scales as well as simulation scales

More complicated specifications than safety

Almost no parameters to set besides the simulation parameters

New tools : we need metrics

ROBUST SIMULATIONS

Reach(I)

I

10Problem 1: Robust Temporal Logic Testing

LTL / MTLΦ = G p1 F[0,Τ]G p2

Closed-loop system Σ

xç = f(x; p; u)X0 X

y = g(x; p; u)

L(Σ) L(Φ)

Robust Tester

Fainekos, Girard and Pappas, Temporal logic verification using simulation, FORMATS 2006

Julius, Fainekos, Anand, Lee, Pappas, Robust Test Generation and Coverage for Hybrid Systems, HSCC 2007Fainekos, Pappas, MTL Robust Testing and Verification for LPV Systems, ACC 2009

11

What are the challenges in robust TL testing?

1. What is the specification language?

2. How can we define neighborhoods of signals with the same temporal properties?

3. Can two signals have approximately similar behavior?

4. How can we verify a system for an infinite set of parameters?

12

Overview

Motivation

Robust Testing Problem - Challenges

Specification language (MTL)

Robust Temporal Logic Testing

Analog system robust testing / verification

Hybrid system robust testing

Testing Robustness

13

Metric Temporal Logic (MTL)

Syntax:

Derived operators:

I can be of any bounded or unbounded interval of +, but Ii.e. I = [0,+), I = [2.5,9.8]

Φ ::= T | | p | p | Φ1 Φ2 | Φ1 Φ2 | Φ1 UI Φ2 | Φ1 RI Φ2

Eventually (in the future) FI Φ := TUIΦ

Always (globally) GI Φ :=RIΦ

until release

Koymans ’90, Specifying real-time properties with metric temporal logic

14

LTL intuition

G a - always a

F a – eventually a

X a – next state a

a U b – a until b

a B b – a before b

a a a a aa

* * a * **

a * * * **

a a b * *a

* a * b **

15MTL : An example for signals

FI a

time

a

Booleanabstraction

a

time

I

I

t

t

16

MTL : More complicated examples

FI a

time

a

Booleanabstractiona

time

I

I

t

t

X

GI’ a

(a)UI b

b

timet

a

timeI’t

a

timet

b

I’

17

Temporal Logic Testing

Truth Value

{,T}

[Maler and Nickovic ‘04][Thati and Rosu ‘04][Rosu and Havelund ‘05][Geilen ‘01]others …

Monitoring

Algorithm


A/DBoolean

abstraction

18

Overview

Motivation






Testing Robustness

19

0 2 4 6 8 10-15

-10

-5

0

5

10

15

s1

s2

MTL Spec:G(p1YF2 p2)

p2

p1

Two signals that satisfy the same spec, but …

20LTL to motion planning

F(p2 F(p3 F(p4 (p3 p4) U p1)))

Fainekos, Kress-Gazit and Pappas, Temporal Logic Motion Planning for Mobile Robots, ICRA 2005Fainekos, Kress-Gazit and Pappas, Hybrid Controllers for Path Planning, CDC 2005

p1 p2

p3 p4

p1 p2

p3 p4

21

Robustness of Temporal Logics

LTL / MTLΦ = G(p1YF2 p2)

Monitor/Tester

Robustness parameter

ε {±}

|ε|

|ε|

Fainekos and Pappas, Robustness of temporal logic specifications, FATES/RV 2006Fainekos and Pappas, Robustness of temporal logic specifications for continuous-time signals, TCS, 2009

22

Metric Spaces

• A metric space (X, d) is a set X with a metric d• A metric on a set X is a positive function d : X x XY+, such that the

three following properties hold for all x1, x2, x3 X it is d(x1,x3) d(x1,x2)+d(x2,x3)

for all x1,x2 X it is d(x1,x2) = 0 iff x1 = x2

for all x1,x2 X it is d(x1,x2) = d(x2,x1)

• Given a metric d, a radius ε+ and a point xX, then the open ε-ball centered at x is defined as

Bd(x,ε) = { yX | d(x,y)<ε }

C

2ε

X

x

23(Signed) Distance

Let xX be a point, CX be a set and d be a metric. Then we define

distd(x;C) := inffd(x; y) j y 2 cl(C)g

depthd(x;C) := distd(x;XnC)

Distd(x; C) :=èà distd(x; C)

depthd(x; C)

if x 62 C

if x 2 C

x

C

depthd(x,C)

x

Bd(x,ε)

X

distd(x,C)

x

24Definition of robustness for signals

ε := Distρ(s, L(Φ))

Given a signal s, we can define the robustness degree as

L(Φ)

s

XR

ρ(s,s’) = sup {d(s(t),s’(t)) | t R}

s

L(Φ)

25Main result

Theorem: Let Φ be an MTL formula, s be a (continuous or discrete time)

signal and |ε|>0 be the robustness parameter of Φ with respect to s,

then for all s’ in Bρ(s,ε) we have that s Φ iff s’ Φ

Fainekos and Pappas, Robustness of temporal logic specifications for finite timed state sequences in metric spaces, Technical Report MS-CIS-04-32, 2004Fainekos and Pappas, Robustness of temporal logic specifications, FATES/RV 2006Fainekos and Pappas, Robustness of temporal logic specifications for continuous-time signals, Theoretical Computer Science, 2009

|ε|

|ε|

26

X

Spec : FpO (p)

Simple example

ε

Bρ(s,ε) L(Φ)s

27Software toolbox : TaLiRo

Input:

LTL / MTL formula &

Observation map

Monitor/Tester

Output:

ε {±}

Input:

Discrete time signal

Available at : http://www.public.asu.edu/~gfaineko/taliro.html

http://www.public.asu.edu/~gfaineko/taliro.html

http://www.public.asu.edu/~gfaineko/taliro.html

28

Discrete-time Robust Semantics for MTL

Based on formula re-writing, we can derive a monitoring/testing algorithm

29

Main results

Theorem: Let Φ be an MTL formula and μ = (ζ,η) be a TSS, then

(x0,t0)(x2,t2)

(xn,tn)

(x1,t1)

Extension to continuous time:Fainekos and Pappas, Robust Sampling for MITL specifications, FORMATS 2007

Fainekos and Pappas, Robustness of temporal logic specifications for continuous-time signals, Theoretical Computer Science, 2009

30Computing DistancesFor computational reasons we allow only convex or concave setswhich are usually described using intersections OR unions of halfspaces

Assume S is convexif yS

Solve QP:min (x-y)T(x-y)s.t. jajxbj

Dist(y,S) = -minvalQPelse

for jJdj = |bj-ajx|/norm(aj)end forDist(y,S) = min {dj}jJ

end if

S = fx j ^j2J (aj á x ô bj)g

S = fx j _j2J (aj á x ô bj)g

such that S is convex

y

S

y

S

S

31Running TaLiRo on a Dell PowerEdge 1650

0 3.1416 6.2832 9.4248 12.5664 15.708 18.8496 21.9911-2

-1

0

1

2

Time

G(p1 F(0.0,1.0)p1)

s(i) = sin η(i)+sin 2η(i)

τ(i) = 0.2i

O(p1) = [1.5,+)

32Related Research

Robustness in temporal logics WRT time :

Huang, Voeten, Geilen ‘03, Real-time property preservation in approximations of timed systems

Henzinger, Majumdar, Prabhu ‘05, Quantifying similarities between timed systems …

WRT state : Huth, Kwiatkowska ‘97, Quantitative analysis and model checking Lamine, Kabanza ‘00, Using fuzzy TL for monitoring behavior-based mobile robots de Alfaro, Faella, Stoelinga ‘04, Linear and Branching Metrics for Quantitative

Transition Systems de Alfaro, Faella, Henzinger, Majumdar, Stoelinga ‘04, Model Checking Discounted

Temporal Properties Rizk, Batt, Fages, Soliman ‘08 On a continuous degree of satisfaction of temporal logic

formulae with applications to systems biology

33

Overview

Motivation






Testing Robustness

34

Example : a study of transient dynamics

System (dim 81):

Step input (t > 0):

Steady state at t = 0-:

Property:

Φ = G p1 F[0,Τ]G p2

O (p1) = [-1.5,1.5]

O (p2) = [0.8,1.2]

Τ

Initial conditions:

35Robust TL testing of analog systems



xç = f(x)X0 X

y = g(x)

L(Σ) L(Φ)

Robust Tester

Fainekos, Girard and Pappas, Temporal logic verification using simulation, FORMATS 2006Fainekos, Pappas, MTL Robust Testing and Verification for LPV Systems, ACC 2009

36

Proj0 (PΦ L(Σ))

Main idea

xç = f(x)

Closed-loop system Σ:

X0 X

Specification Φ

L(Σ) L(Φ)

X0

ε robustness parameter

Bρ(ζ,|ε|)

y = g(x)

time

37

Proj0 (PΦ L(Σ))

Main idea

xç = f(x)


X0 X

Specification Φ

L(Σ) L(Φ)

X0


Bρ(ζ,|ε|)

y = g(x)

time

38

Proj0 (PΦ L(Σ))

Main idea

xç = f(x)


X0 X

Specification Φ

L(Σ) L(Φ)

X0


Bρ(ζ,|ε|)

y = g(x)

time

39

Achieving coverage I

xç = f(x)


X0 X

Specification Φ

L(Σ) L(Φ)

X0

y = g(x)

Good news!Coverage with a finite number of simulations

Proj0 (PΦ L(Σ))

time

40

Computing bisimulation functions

Quadratic Bisimulation Functions for Deterministic Linear Systems

xç =Ax

y =Cx

y

is a bisimulation function if

0MAMA

CCM

T

T

MxxV(x) T

Bisimulation Functions using Sum Of Squares Relaxation

xç = f(x)

y = g(x)

y )x,q(x)x,V(x 2121

)(xfx

)x,q(x)(xf

x

)x,q(x22

2

2111

1

21

)(xg)(xg)x,q(x2

221121

is SOS

is SOS

is a bisimulation function if

41

Achieving coverage II

L(Σ) L(Φ)

X0

xç = f(x)


X0 X

Specification Φ

y = g(x)

Even better news!It is possible to verify

the system withjust one simulation

Proj0 (PΦ L(Σ))

time

42

Quick falsification

X0

L(Σ) L(Φ)xç = f(x)


X0 X

Specification Φ

y = g(x)

Observation!A robust system with

respect to the propertyrequires less simulations

Proj0 (PΦ L(Σ))

time

43

Coverage certificates

L(Σ) L(Φ)

X0

xç = f(x)


X0 X

Specification Φ

y = g(x)

Good news!We get coverageguarantees after

K iterations.

Proj0 (PΦ L(Σ))

time

44

Main results

Theorem: Let (x1,y1),…,(xr,yr) be trajectories of Σ such that Disc(X0,δ) =

{x1(0),…,xr(0)}. Let εi be the robustness parameter of Φ wrt yi. Then,

Proposition: Let V be a bisimulation function. For any compact set of initial conditions X0 , for all δ > 0, there exists a finite set of points {x1,…,xr} X0 such that

for all x X0, there exists xi, such that V(x,xi) δ

Theorem: Let V be a bisimulation function, for i = 1,2, let (xi,yi) be trajectories of Σ and εi be the robustness parameter of Φ wrt yi, then i {1,2}.V(x1(0),x2(0)) < εi implies y1 Φ iff y2 Φ

i {1,…,r} . εi > δ y L(Σ) . y Φ

45

Experimental Results(MATLAB toolbox)

T=0.8 T=1.2 T=1.6

θ=1.4False

1

False

1

False

1

θ=1.5False

1

False

15

False

13

θ=1.6False

1

True

17

True

7

Property:

Φ = G p1 F[0,Τ]G p2

O (p1) = [-θ,θ], O (p2) = [0.8,1.2]T

θ

from Zhi Han’s PhD Thesis 2005

T

θ

46


T=0.8 T=1.2 T=1.6

θ=1.4False

1

False

1

False

1

θ=1.5False

1

False

15

False

13

θ=1.6False

1

True

17

True

7

Property:

Φ = G p1 F[0,Τ]G p2

O (p1) = [-θ,θ], O (p2) = [0.8,1.2]T

θ


T

θ

-0.1526

47


T=0.8 T=1.2 T=1.6

θ=1.4False

1

False

1

False

1

θ=1.5False

1

False

15

False

13

θ=1.6False

1

True

17

True

7

Property:

Φ = G p1 F[0,Τ]G p2

O (p1) = [-θ,θ], O (p2) = [0.8,1.2]T

θ


θ

-0.0

29

8

48


T=0.8 T=1.2 T=1.6

θ=1.4False

1

False

1

False

1

θ=1.5False

1

False

15

False

13

θ=1.6False

1

True

17

True

7

Property:

Φ = G p1 F[0,Τ]G p2

O (p1) = [-θ,θ], O (p2) = [0.8,1.2]T

θ


θ

49


T=0.8 T=1.2 T=1.6

θ=1.4False

1

False

1

False

1

θ=1.5False

1

False

15

False

13

θ=1.6False

1

True

17

True

7

Property:

Φ = G p1 F[0,Τ]G p2

O (p1) = [-θ,θ], O (p2) = [0.8,1.2]T

θ


θ

50


T=0.8 T=1.2 T=1.6

θ=1.4False

1

False

1

False

1

θ=1.5False

1

False

15

False

13

θ=1.6False

1

True

17

True

7

Property:

Φ = G p1 F[0,Τ]G p2

O (p1) = [-θ,θ], O (p2) = [0.8,1.2]T

θ


θ

0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2-0.2

0

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

Time(nsec)

Uout(

Volt)

51

L(Σ) L(Φ,O)

L(Σ’) L(Φ,Oδ) ?

Extension to systems with uncertain parameters


δ-approximately

bisimilar

X0 X

p(t)P

dx/dt = A(p(t)) x(t)

y(t) = C x(t)

Closed-loop system Σ’

X0 Xdx/dt = A’ x(t)

y(t) = C x(t)

δ-robustification

LTL / MTL

Φ = G π1 ˄ F[0,Τ] G π2

Observation map Oδ

LTL / MTL

Φ = G π1 ˄ F[0,Τ] G π2

Observation map O

52

Approximating an LPV with an LTI System

Theorem: Let Σ be an LPV system and p’P. If there exists a positive semidefinite matrix M such that

Then is a bisimulation function between Σ and Σ’.

0'0

0

'0

0.

pA

pAMM

pA

pAPEPp

CCCC

CCCCM

T

T

TT

TT

TTTTT xxMxxxxF 000000 '')',(

53

Approximating an LPV with an LTI System

Proposition: Let Σ be an LPV system, p’P and let

be a bisimulation function between Σ and Σ(p’). Then, the solution of the static games

computes the optimal points x and x’ which provide anupper bound δ = F(x, x’) for the approximate bisimulation

relation.

TTTTT xxMxxxxVxxF '')',()',(

)',(infsup),',(infsupmax0

00

0 ''xxFxxF

XxXEPxXxXEPx

54

Putting Everything together

Proposition:

Consider an MTL formula φ and a map O : Π → P(X). If systems Σand Σ’ are δ-approximately bisimilar and Bδ(L(Σ’)) L(Φ,O), then

L(Σ) L(Φ,O).

Corollary:

Consider an MTL formula φ and a map O : Π → P(X). If systems Σand Σ’ are δ-approximately bisimilar and L(Σ’) L(Φ,Oδ), then

L(Σ) L(Φ,O).

55Related Research

TL Verification/Robust Testing of Analog Systems Ghosh, Vemuri ’99, Formal Verification of Synthesized Analog Designs Hartong, Hedrich, Barke ’02, On Discrete Modeling and Model Checking for

Nonlinear Analog Systems Gupta, Krogh, Rutenbar ’04, Towards Formal Verification of Analog Designs Frehse, Krogh, Rutenbar, Maler ’05, Time Domain Verification of Oscillator

Circuit Properties Donze, Maler ‘07, Systematic Simulation using Sensitivity Analysis Rizk, Batt, Fages, Soliman ’08, On a continuous degree of satisfaction of

temporal logic formulae with applications to systems biology Julius and Pappas ‘09, Trajectory based verification using local finite-time

invariance …

56

Overview

Motivation






Testing Robustness

57

Navigation benchmark

0 1 2 30

1

2

3

x1

x2

Unsafe 2 4

2 3 4

2 2 Goal

58

Navigation benchmark

0 1 2 30

1

2

3

x1

x2Unsafe 2 4

2 3 4

2 2 Goal

59Robust testing of hybrid systems

Safety Specification

HU H

Hybrid automaton H = (X,Q,F,H0,,R,I,G)

Reach(H) HU =

Simulator / Tester

Julius, Fainekos, Anand, Lee, Pappas,

Robust Test Generation and Coverage for Hybrid Systems, HSCC 2007

60

How robust is a hybrid test trajectory?

UnsafeInit

L1

L2

61


UnsafeInit

L1

L2

62


UnsafeInit

L1

L2

63


UnsafeInit

L1

L2

64


UnsafeInit

L1

L2

65

Increasing robustness

g1

g2

g2

act

x0

(t,x )0

Unsafe

Unsafeact

(,x )0

66

Timing guarantees

g1

g2

act

x0

(x ,d )min0B

^g2

(,x )0

(x )0

(x )0

Unsafe act

d unsafe

d out

67

Computing distances

linear projections(least squares when we consider

the location dynamics)

quadratic

programming Unsafe

semidefinite

programming

68

Overview of algorithm

Includesinitial

conditions

Max simulation time, max number of tests,

etc

Pick a point in the

parameter space

Simulate

trajectory

Compute

Robustness

Update parameter

space

Remove computed ellipsoid from

initial conditions

Stoppingcriterion?

No

Output

ResultsYes

Safe?

Yes

Hybrid

Automaton

Input

Parameters

System

UnsafeNo

Includes the computation of bisimulation functions

69

Navigation benchmark 1

0 1 2 30

1

2

3

x1

x2

Unsafe 2 4

2 3 4

2 2 Goal

70


With 25 runs, we cover >48% of the initial set.

Notice that there is a clear divide in the initial set, due to different transitions.

0 1 2 30

0.5

1

1.5

2

2.5

3

(a)

x2

x1

1 1.5 2

0.8

1

1.2

1.4

1.6

1.8

2

(b)

x2

x1

71

Benchmark problem 2

Verified to be safe with CHARON

0 1 2 30

1

2

3

x1

x2

Unsafe 2 4

2 3 4

2 2 Goal

72

Benchmark problem 2

Safety verified after 9 tests!(All traces have the same qualitative behavior and the system is robust wrt to the unsafe set. Termination guaranteed similar to Girard & Pappas HSCC’06, Fainekos et al FORMATS 2006)

Numerically, we compute a coverage estimate of 72%.

2 2.2 2.4 2.6 2.8 3

1

1.2

1.4

1.6

1.8

2

(a)

x2

x1

2 2.2 2.4 2.6 2.8 3

1

1.2

1.4

1.6

1.8

2

(b)x2

x1

73


0 1 2 30

1

2

3

x1

x2

2 3 6

3 3 Goal

2 2 Unsafe

74


• Test generation using Voronoi with weights

• We proved unsafety with 10 tests.

-0.5 0 0.5 1 1.5 2 2.5 3 3.5-0.5

0

0.5

1

1.5

2

2.5

3

3.5

x1

x2

75Related Research

Robust Testing of hybrid systems Girard and Pappas ‘06, Verification using simulation Dang, Donze, Maler, Shalev, ’08, Sensitive state-space exploration Lerda, Kapinski, Clarke, and Krogh, ‘08, Verification of supervisory control

software using state proximity and merging

76

Overview

Motivation






Testing Robustness

77Problem 2: Testing Temporal Logic Robustness



xç = f(x; p; u)X0 X

y = g(x; p; u)

inf{Distρ(ζ, L(Φ)) | ζΣ} = ?

Tester

Nghiem, Sankaranarayanan, Fainekos, Ivancic, Gupta, Pappas, Monte-Carlo Techniques for Falsification of Temporal Properties of Non-Linear Hybrid Systems, HSCC 2010

78Testing Temporal Logic Robustness

• We need to solve an optimization problem:min Distρ(y, L(Φ))

y=g(x,u,p) and x is a solution of dx/dt=f(x,u,p) with x0X0, uU, pP

• Challenges:• Non-linear system dynamics

• Unknown input signals

• Unknown system parameters

• Non-smooth cost function • not known in closed form

• Classical solution to difficult engineering problems:• Stochastic optimization algorithms

• Goal: Falsify the system or find non-robust behaviors

79Monte Carlo Sampling(Simulated Annealing)

We adapt β so that the

acceptance / rejection ratio

remains close to 1

Chib, and Greenberg, Understanding the Metropolis-Hastings algorithm. The American Statistician 49, 4 (Nov 1995), 327–335.

80

Hit and Run sampler

xx

x x

x'

Smith, The hit-and-run sampler: a globally reaching markov chain sampler for generating arbitrary multivariate distributions. In Proceedings of the 28th conference on Winter simulation (1996), pp. 260–264

81

Example 1

System:

dx/dt = x-y+0.1t

dy/dt = ycos(2πy)-xsin(2πx)+0.1t

Initial conditions:

[-1,1]x[-1,1]

Specification:

G[0,2] a

where O(a) = [-1.6,-1.4]x[-1.1,-.9]

82

Example 2: Aircraft model

X0 = [200,260]x[-10,10]x[120,150]

U = [34386,53973]x[0,16]

83

Example 3 : Navigation Benchmark

Specification:

(Cyan) U[0,25] (White)

Not falsified, but robustness close to 0!

84

Experimental Results

85Related Research

Probabilistic/Stochastic testing Kapinski, Krogh, Maler, Stursberg ‘03, On systematic simulation of open

continuous systems Tan, Kim, Sokolsky, Lee ‘04, Model-based testing and monitoring for hybrid

embedded systems Bhatia, Frazzoli, ‘04, Incremental search methods for reachability analysis of

continuous and hybrid systems. Bensalem, Bozga, Krichen, Tripakis ‘05, Testing conformance of real time

applications with automatic generation of observers Esposito, Kim, Kumar ‘05, Adaptive RRTs for validating hybrid robotic control

systems Branicky, Curtiss, Levine, Morgan, ‘06, Sampling-based planning, control and

verification of hybrid systems. Younes, Simmons,’06. Statistical probabilitistic model checking with a focus on

time-bounded properties Plaku, Kavraki, Vardi ‘07, Hybrid systems: From verification to falsification Nahhal, Dang ‘07, Test Coverage for Continuous and Hybrid Systems Plaku, Kavraki, Vardi, ’09, Falsification of ltl safety properties in hybrid systems Clarke, Donze, Legay, ‘09Statistical model checking of analog mixed-signal

circuits with an application to a third order δ−σ modulator …

Documents

CSE 591: Theoretical Aspects of CPSgfaineko/courses/cse591/2010/lec20.pdf · 7 What about hybrid (embedded) systems? • In general, verifying a hybrid system is undecidable R. Alur