Change and Delay Contracts for Hybrid System Component Verification

  • Andreas MüllerEmail author
  • Stefan Mitsch
  • Werner Retschitzegger
  • Wieland Schwinger
  • André Platzer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10202)


In this paper, we present reasoning techniques for a component-based modeling and verification approach for hybrid systems comprising discrete dynamics as well as continuous dynamics, in which the components have local responsibilities. Our approach supports component contracts (i.e., input assumptions and output guarantees of interfaces) that are more general than previous component-based hybrid systems verification techniques in the following ways: We introduce change contracts, which characterize how current values exchanged between components along ports relate to previous values. We also introduce delay contracts, which describe the change relative to the time that has passed since the last value was exchanged. Together, these contracts can take into account what has changed between two components in a given amount of time since the last exchange of information. Most crucially, we prove that the safety of compatible components implies safety of the composite. The proof steps of the theorem are also implemented as a tactic in KeYmaera X, allowing automatic generation of a KeYmaera X proof for the composite system from proofs of the concrete components.


Component-based development Hybrid systems Formal verification 


  1. 1.
    Alur, R., Courcoubetis, C., Henzinger, T.A., Ho, P.-H.: Hybrid automata: an algorithmic approach to the specification and verification of hybrid systems. In: Grossman, R.L., Nerode, A., Ravn, A.P., Rischel, H. (eds.) HS 1991-1992. LNCS, vol. 736, pp. 209–229. Springer, Heidelberg (1993). doi: 10.1007/3-540-57318-6_30 CrossRefGoogle Scholar
  2. 2.
    Aştefănoaei, L., Bensalem, S., Bozga, M.: A compositional approach to the verification of hybrid systems. In: Ábrahám, E., Bonsangue, M., Johnsen, E.B. (eds.) Theory and Practice of Formal Methods. LNCS, vol. 9660, pp. 88–103. Springer, Cham (2016). doi: 10.1007/978-3-319-30734-3_8 CrossRefGoogle Scholar
  3. 3.
    Benvenuti, L., Bresolin, D., Collins, P., Ferrari, A., Geretti, L., Villa, T.: Assume-guarantee verification of nonlinear hybrid systems with Ariadne. Int. J. Robust Nonlinear Control 24(4), 699–724 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Bohrer, B., Rahli, V., Vukotic, I., Völp, M., Platzer, A.: Formally verified differential dynamic logic. In: Bertot, Y., Vafeiadis, V. (eds.) Proceedings of the 6th ACM SIGPLAN Conference on Certified Programs and Proofs, pp. 208–221. ACM (2017)Google Scholar
  5. 5.
    Damm, W., Dierks, H., Oehlerking, J., Pnueli, A.: Towards component based design of hybrid systems: safety and stability. In: Manna, Z., Peled, D.A. (eds.) Time for Verification. LNCS, vol. 6200, pp. 96–143. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13754-9_6 CrossRefGoogle Scholar
  6. 6.
    Frehse, G., Han, Z., Krogh, B.: Assume-guarantee reasoning for hybrid I/O-automata by over-approximation of continuous interaction. In: 43rd IEEE Conference on Decision and Control, CDC, vol. 1, pp. 479–484 (2004)Google Scholar
  7. 7.
    Fulton, N., Mitsch, S., Quesel, J.-D., Völp, M., Platzer, A.: KeYmaera X: an axiomatic tactical theorem prover for hybrid systems. In: Felty, A.P., Middeldorp, A. (eds.) CADE 2015. LNCS (LNAI), vol. 9195, pp. 527–538. Springer, Cham (2015). doi: 10.1007/978-3-319-21401-6_36 CrossRefGoogle Scholar
  8. 8.
    Henzinger, T.A.: The theory of hybrid automata. In: Proceedings, 11th Annual IEEE Symposium on Logic in Computer Science, pp. 278–292. IEEE Computer Society (1996)Google Scholar
  9. 9.
    Henzinger, T.A., Minea, M., Prabhu, V.: Assume-guarantee reasoning for hierarchical hybrid systems. In: Di Benedetto, M.D., Sangiovanni-Vincentelli, A. (eds.) HSCC 2001. LNCS, vol. 2034, pp. 275–290. Springer, Heidelberg (2001). doi: 10.1007/3-540-45351-2_24 CrossRefGoogle Scholar
  10. 10.
    Loos, S.M., Platzer, A., Nistor, L.: Adaptive cruise control: hybrid, distributed, and now formally verified. In: Butler, M., Schulte, W. (eds.) FM 2011. LNCS, vol. 6664, pp. 42–56. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-21437-0_6 CrossRefGoogle Scholar
  11. 11.
    Lynch, N.A., Segala, R., Vaandrager, F.W.: Hybrid I/O automata. Inf. Comput. 185(1), 105–157 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Man, K.L., Reniers, M.A., Cuijpers, P.J.L.: Case studies in the hybrid process algebra Hypa. Int. J. Softw. Eng. Knowl. Eng. 15(2), 299–306 (2005)CrossRefGoogle Scholar
  13. 13.
    Mitsch, S., Ghorbal, K., Platzer, A.: On provably safe obstacle avoidance for autonomous robotic ground vehicles. In: Newman, P., Fox, D., Hsu, D. (eds.) Robotics: Science and Systems IX (2013)Google Scholar
  14. 14.
    de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78800-3_24 CrossRefGoogle Scholar
  15. 15.
    Müller, A., Mitsch, S., Platzer, A.: Verified traffic networks: component-based verification of cyber-physical flow systems. In: 18th International Conference on Intelligent Transportation Systems, pp. 757–764 (2015)Google Scholar
  16. 16.
    Müller, A., Mitsch, S., Retschitzegger, W., Schwinger, W., Platzer, A.: A component-based approach to hybrid systems safety verification. In: Ábrahám, E., Huisman, M. (eds.) IFM 2016. LNCS, vol. 9681, pp. 441–456. Springer, Cham (2016). doi: 10.1007/978-3-319-33693-0_28 CrossRefGoogle Scholar
  17. 17.
    Müller, A., Mitsch, S., Retschitzegger, W., Schwinger, W., Platzer, A.: Change and delay contracts for hybrid system component verification. Technical report CMU-CS-17-100, Carnegie Mellon (2017)Google Scholar
  18. 18.
    Cuijpers, P.J.L., Reniers, M.A.: Hybrid process algebra. J. Log. Algebr. Program. 62(2), 191–245 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Platzer, A.: Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput. 20(1), 309–352 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Platzer, A.: Quantified differential dynamic logic for distributed hybrid systems. In: Dawar, A., Veith, H. (eds.) CSL 2010. LNCS, vol. 6247, pp. 469–483. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-15205-4_36 CrossRefGoogle Scholar
  21. 21.
    Platzer, A.: A complete axiomatization of quantified differential dynamic logic for distributed hybrid systems. Logical Methods Comput. Sci. 8(4), 1–44 (2012)MathSciNetzbMATHGoogle Scholar
  22. 22.
    Platzer, A.: The complete proof theory of hybrid systems. In: Proceedings of the 27th Annual IEEE Symposium on Logic in Computer Science, pp. 541–550. IEEE Computer Society (2012)Google Scholar
  23. 23.
    Platzer, A.: Logics of dynamical systems science. In: Proceedings of the 27th Annual IEEE Symposium on Logic in Computer Science, pp. 13–24. IEEE Computer Society (2012)Google Scholar
  24. 24.
    Platzer, A.: The structure of differential invariants and differential cut elimination. Logical Methods Comput. Sci. 8(4), 1–38 (2012)MathSciNetzbMATHGoogle Scholar
  25. 25.
    Platzer, A.: A complete uniform substitution calculus for differential dynamic logic. J. Autom. Reas. 1–47 (2016). doi: 10.1007/s10817-016-9385-1
  26. 26.
    Platzer, A., Quesel, J.-D.: European train control system: a case study in formal verification. In: Breitman, K., Cavalcanti, A. (eds.) ICFEM 2009. LNCS, vol. 5885, pp. 246–265. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10373-5_13 CrossRefGoogle Scholar
  27. 27.
    Schiffelers, R.R.H., van Beek, D.A., Man, K.L., Reniers, M.A., Rooda, J.E.: Formal semantics of hybrid Chi. In: Larsen, K.G., Niebert, P. (eds.) FORMATS 2003. LNCS, vol. 2791, pp. 151–165. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-40903-8_12 CrossRefGoogle Scholar
  28. 28.
    Rounds, W.C., Song, H.: The Ö-calculus: a language for distributed control of reconfigurable embedded systems. In: Maler, O., Pnueli, A. (eds.) HSCC 2003. LNCS, vol. 2623, pp. 435–449. Springer, Heidelberg (2003). doi: 10.1007/3-540-36580-X_32 CrossRefGoogle Scholar
  29. 29.
    Song, H., Compton, K.J., Rounds, W.C.: SPHIN: a model checker for reconfigurable hybrid systems based on SPIN. Electr. Notes Theor. Comput. Sci. 145, 167–183 (2006)CrossRefzbMATHGoogle Scholar
  30. 30.
    Xinyu, C., Huiqun, Y., Xin, X.: Verification of hybrid Chi model for cyber-physical systems using PHAVer. In: Barolli, L., You, I., Xhafa, F., Leu, F.Y., Chen, H.C. (eds.) 7th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, pp. 122–128. IEEE Computer Society (2013)Google Scholar

Copyright information

© Springer-Verlag GmbH Germany 2017

Authors and Affiliations

  • Andreas Müller
    • 1
    Email author
  • Stefan Mitsch
    • 2
  • Werner Retschitzegger
    • 1
  • Wieland Schwinger
    • 1
  • André Platzer
    • 2
  1. 1.Department of Cooperative Information SystemsJohannes Kepler UniversityLinzAustria
  2. 2.Computer Science DepartmentCarnegie Mellon UniversityPittsburghUSA

Personalised recommendations