SMT-Based Symbolic Encoding and Formal Analysis of HML Models

Abstract

Hybrid system is a dynamic system that involves continuous, discrete behaviors, and the interactions between continuous physical components and discrete controllers. In this paper a hybrid modeling language (called HML) for hybrid systems is extended with templates to achieve code reuse. For the formal analysis of the corresponding hybrid system models in this modeling language, these models are translated into SMT (satisfiability modulo theories) formulas as the input to an SMT solver dReal which retains the capability of bounded reachability analysis for non-linear hybrid systems. Moreover, dReal can produce data for potential traces of hybrid systems, thus it can be employed to simulate on hybrid systems. In this paper the simulation and reachability analysis are integrated in a prototype tool (open source). We present a case study for an inverted pendulum with PID (Proportional-Integral-Derivative) controllers and a rod reactor system for temperature control, both are verified to demonstrate the efficiency of the prototype tool. We conclude that, this modeling language is capable of modeling and verification of hybrid systems based on simulation and bounded reachability analysis.

Appendices

Appendix A: Definitions Related to Computable Functions

Some basic definitions that are related to this paper are reviewed here. For more details, see [29, 40].

Definition 5

(Names) A name of \(v \in \mathbb {R}\) is any function \(\gamma _{v} : \mathbb {N} \rightarrow \mathbb {D}\) satisfying

$$\forall i \in \mathbb{N}, ~| \gamma_{v}(i) - v | < 2^{-i}, $$

where, \(\mathbb {D}\) is the set of all dyadic rationals (numbers of the form \(\frac {\varphi }{2^{\psi }}\) for an integer φ and natural number ψ).

For multi-dimensional name of \(\mathbf {v} \in \mathbb {R}^{n}\), \(\gamma _{\mathbf {v}} = \langle \gamma _{\mathbf {v}_{1}},..., \gamma _{\mathbf {v}_{n}} \rangle \). The name of v is a sequence of dyadic rationals converging to it.

Definition 6

(Computable Reals) A real number \(v \in \mathbb {R}\) is computable if there exists a name γ _v of v that is a computable function.

A real function is computable if its value can be approximated for arbitrary precision by a function-oracle Turing machine.

Definition 7

(Computable Functions) Let \(V \subseteq \mathbb {R}^{n}\), function \(f: V \rightarrow \mathbb {R}\) is computable if there exists a function-oracle Turing machine F-OTM _f calculating a rational number \(\mathcal {Q}_{f}^{\gamma _{\mathbf {v}}}(i)\) for \(i \in \mathbb {N}\) and γ _v satisfying \(|\mathcal {Q}_{f}^{\gamma _{\mathbf {v}}}(i) - f(\mathbf {v})| < 2^{-i}\).

A function-oracle Turing machine F-OTM is an ordinary Turing machine except that F-OTM have an additional tape for query and two additional states (query and answer states, respectively).

When F-OTM enters the query state, the oracle γ replaces the current string v by γ(v) in the query tape, then the tape head returns to the first cell of the query tape, and the state of the machine is reset to the answer state.

For “types” of functions, informally, integer and rational numbers are Type-0 objects, a real number can be considered as a Type-1 function that maps a Type-0 object to type-0 object. Type-2 functions are those functions that map from Type-1 functions to Type-1 (or Type-0) functions. Thus, a function as \(f:\mathbb {R} \rightarrow \mathbb {R}\) is a Type-2 function.

Appendix B: Sample SMT Formulas

Here, we present one sample SMT formulas that are encoded (with maximum unrolling depth 0) for our HML model. In the following list of SMT formulas, there are some important parts should be explained:

• Logic. In line 1, set--logic is a keyword of SMT standard language. (set-logic L) tells the solver (dReal) what logic L is being used for satisfiability checking of the SMT formulas. Here, QF_NRA_ODE is the logic implemented in dReal for non-linear differential equations.

• Variable. (declare-fun position () Real) declares a variable named position with data type Real.

• Differential equation. (define-ode flow_n F) defines a differential equation, number n is an index for this equation, F is the formula representing the concrete form of the equation, for example line 16 defines a simultaneous differential equation. E.g., SMT formula (= d/dt[clock] 1) can be considered as a differential equation \(\frac {\mathtt {d clock}}{\mathtt {dt}} = 1\) for variable clock.

• Assert. The assert command (assert F) instructs the SMT solver to assume that the formula F is true.

• Check. The check command (check-sat) tells the SMT solver to do the checking of the satisfiability of the SMT formulas.

• Property. The properties that users want to check can be added as normal assert commands.

• Exit. The exit command (exit) returns success and the SMT solver dReal terminates.