Mathematics in Computer Science, Volume 8, Issue 1, pp 71–97

Collaborative Verification-Driven Engineering of Hybrid Systems

  • Stefan Mitsch
  • Grant Olney Passmore
  • André Platzer


Hybrid systems with both discrete and continuous dynamics are an important model for real-world cyber-physical systems. The key challenge is to ensure their correct functioning w.r.t. safety requirements. Promising techniques to ensure safety seem to be model-driven engineering to develop hybrid systems in a well-defined and traceable manner, and formal verification to prove their correctness. Their combination forms the vision of verification-driven engineering. Often, hybrid systems are rather complex in that they require expertise from many domains (e.g., robotics, control systems, computer science, software engineering, and mechanical engineering). Moreover, despite the remarkable progress in automating formal verification of hybrid systems, the construction of proofs of complex systems often requires nontrivial human guidance, since hybrid systems verification tools solve undecidable problems. It is, thus, not uncommon for development and verification teams to consist of many players with diverse expertise. This paper introduces a verification-driven engineering toolset that extends our previous work on hybrid and arithmetic verification with tools for (1) graphical (UML) and textual modeling of hybrid systems, (2) exchanging and comparing models and proofs, and (3) managing verification tasks. This toolset makes it easier to tackle large-scale verification tasks.


Keywords

  • Formal verification
  • Hybrid system
  • Cyber-physical system
  • Model-driven engineering

Mathematics Subject Classification (2010)

  • Mathematical modeling (engineering) 97M50
  • Hybrid systems 34K34
  • Theorem proving 68T15





Copyright information

© Springer Basel 2014

Authors and Affiliations

  • Stefan Mitsch (1, 2)
  • Grant Olney Passmore (3)
  • André Platzer (1)

  1. Computer Science Department, Carnegie Mellon University, Pittsburgh, USA
  2. Department of Cooperative Information Systems, Johannes Kepler University, Linz, Austria
  3. LFCS, Edinburgh and Clare Hall, Cambridge, Edinburgh, UK
