Compositional Verification of Hybrid Systems using Simulation Relations

ed models, such as in the examples above, can help to considerably speed up the analysis, and experimental results will be provided in Part 11. In the next section, we will discuss methods to compute simulation relations algorithmically, based on geometric operations in Rn. 6.3 Computing Simulation Relations in Rn 91 6.3 Computing Simulation Relations in Rn The computation of a simulation relation R that witnesses P Q for hybrid automata P and Q must be done in a symbolic fashion, i.e., with sets of states at a time, in order to obtain finite algorithm, or at least a semi-algorithm. In view of an implementation, valuations over n variables are interpreted as points in Rn, and a relation R as a map from pairs of locations to Rn+m, where n and m are the number of variables in P and Q. Where useful, valuation identifiers will be written underneath the set to clarify the ordering of variables. While the computations as such are not different from their discrete versions in Sect. 3.3, their version in Rn requires embedding and reordering operations that add to the computational cost. The symbolic versions illustrate where the computationally expensive difference operation is necessary. The following operations are used: • intersection: A u ∩B u = {u|u ∈ A∧u ∈ B}, • difference: A u ∩¬B u = {u|u ∈ A∧u / ∈ B}, • projection: A u,v ↓u = {u|∃v : (u,v) ∈ A}, • embedding: A u |u,v = {(u,v)|u ∈ A}, • reordering: A u,v |v,u = {(v,u)|(u,v) ∈ A}. To fulfill P Q, a state of a hybrid automaton P must conform with Q in discrete and timed transitions: • a discrete transition is either not enabled in P or is matched in Q and • a time-elapse is possible in P must also be possible in Q. If it fails to do so, it is called a bad state. The simulation relation is computed by successive approximation. First, it is initialized with the states in the equivalence relation ≈. Then bad states are subtracted until convergence. Just as with reachability, this is undecidable for linear hybrid automata but does converge in many practical cases. To force convergence, the relation can be restricted by widening the complement ¬R. Let k be a location of P, l a location of Q and Btr(k, l) the set of states in P that have no matching discrete transitions in Q. Similarly, let Bte(k, l) be those that have no matching timed transitions in Q. Then R is the largest fixed-point of the operator R(k, l) := R(k, l)∩¬B(k, l)∩¬B(k, l). (6.1) Finally, Q simulates P if all initial states in P find a match in the simulation relation R, i.e., if for all locations k in P holds: