Beyond HyTech Presented by: Ben Horowitz and Rupak Majumdar Joint work with Tom Henzinger and Howard Wong-Toi.

Structure of this talk n Hybrid automata n Symbolic model checking n HyTech n Interval numerics n HyTech’s algorithm n Extending HyTech’s dynamics n Thermostat example

Hybrid automata n (V, E, X, pre, post, init, flow, jump, inv, Σ)

Symbolic model checking n State space of a hybrid automaton is infinite. n Thus, verification algorithms must be symbolic. n To have a symbolic algorithm, we need: u finite representation of infinite state sets; u Pre, Boolean operations as primitives on state sets.

HyTech n Symbolic model checker for hybrid automata. n Automata must be polyhedral: u flow conditions are polyhedra; u invariants, pre, post, etc. are also polyhedra; u state sets are unions of convex polyhedra; u Pre implemented as polyhedral manipulation.

HyTech cont. n HyTech has been used to verify several realistic examples: u audio control protocol, u steam boiler, u auto engine in cutoff controller mode, u...

Shortcomings of HyTech n HyTech allows only restrictive dynamics: u polyhedral automata n For example, in the cutoff control study: u dynamics required extensive manual approximation before HyTech could be applied.

Current ways to avoid shortcomings n For a large system, one may: u Simulate via numerical integration: F not appropriate for verification: may miss events, round-off errors; u Massage into HyTech-acceptable form: F messy, F time-consuming.

Avoiding shortcomings, cont. n Massaging input with rate translation: u Replace nonlinear x with linear x. u Bound (d/dt)x by upper & lower constants. u Split location v into several locations to yield better approximation.

Massaging input, cont. Thermostat becomes: State explosion!

Our objective n Our aim is to provide both a more direct and a more accurate analysis of hybrid systems. u More direct: dynamics may be modeled directly. u More accurate: bounds obtained are tighter. n We have implemented a prototype.

Interval numerical methods n Arithmetic operators on intervals instead of reals. u [2.7818, ] n Numerical ODE solvers available. n ODE solutions lie within validated intervals. n In worst case, solution is unacceptably wide. u But solution is never false.

HyTech’s algorithm n Maintain two sets of regions: u R : already-explored regions, u R’ : to-be-explored regions. n Initially, R =  and R’ is the initial region. n while (R’   ): u remove region r from R’, u compute r’s event and time successors S, u add non-visited successors to R’, u R := R  { r }.

n Maintain two sets of regions: u R : already-explored region, u R’ : to-be-explored region. n Initially, R =  and R’ is the initial region. n while (R’  ): u remove region r from R’, u compute r’s event and time successors S, u add non-visited successors to R’, u R := R  { r }. Our algorithm

r Computing time successors n Start with: u exit region e, u initial rectangle r. n Use interval numerical integration to compute time successors of r. n Stop when we hit e. e

Example: thermostat

Tighter bounds for thermostat n Using HyTech, it was shown that 0  x  4. n Using a 20-state approximation, HyTech obtains the bounds.28  x  n Using interval numerical methods, the new HyTech shows that.367  x  3.64.

Nuclear reactor n Example from [ACHH]. n HyTech with old algorithm gives t = 2 for controllability. n New Algorithm gives t = n Other (small) examples in the HyTech example suite also work.

Future work n Try larger examples, e.g. cutoff control. n Investigate whether interval numerical methods can be used on polyhedra or ellipsoids. n Redesign HyTech’s input language and implementation.