Assume-Guarantee Reasoning for Hierarchical Hybrid Systems

  • Thomas A. Henzinger
  • Marius Minea
  • Vinayak Prabhu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2034)


The assume-guarantee paradigm is a powerful divide-and-conquer mechanism for decomposing a verification task about a system into subtasks about the individual components of the system. The key to assume-guarantee reasoning is to consider each component not in isolation, but in conjunction with assumptions about the context of the component. Assume-guarantee principles are known for purely concurrent contexts, which constrain the input data of a component, as well as for purely sequential contexts, which constrain the entry configurations of a component. We present a model for hierarchical system design which permits the arbitrary nesting of parallel as well as serial composition, and which supports an assume-guarantee principle for mixed parallel-serial contexts. Our model also supports both discrete and continuous processes, and is therefore well-suited for the modeling and analysis of embedded software systems which interact with real-world environments. Using an example of two cooperating robots, we show refinement between a high-level model which specifies continuous timing constraints and an implementation which relies on discrete sampling.





Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Thomas A. Henzinger (1)
  • Marius Minea (1)
  • Vinayak Prabhu (1)
  1. Dept. of EECS, University of California, Berkeley, USA
