Formal Veriication of Safety-critical Hybrid Systems Formal Veriication of Safety-critical Hybrid Systems

This thesis investigates how the formal modeling and veri cation techniques of computer science can be used for the analysis of hybrid systems [7,14,22,37]| systems involving both discrete and continuous behavior. The motivation behind such research lies in the inherent similarity of the hierarchical and decentralized control strategies of hybrid systems and the communication and operation protocols used for distributed systems in computer science. As a case study, the thesis focuses on the development of techniques that use hybrid I/O automata [29, 30] to model and analyze automated vehicle transportation systems and, in particular, their various protection subsystems | control systems that are used to ensure that the physical plant at hand does not violate its various safety requirements. The thesis is split into two major parts. In the rst part, we develop an abstract model of a physical plant and its various protection subsystems | also referred to as protectors. The specialization of this abstract model results in the speci cation of a particular automated transportation system. Moreover, the proof of correctness of the abstract model leads to simple correctness proofs of the protector implementations for particular specializations of the abstract model. In this framework, the composition of independent protectors is straightforward | their composition guarantees the conjunction of the safety properties guaranteed by the individual protectors. In fact, it is shown that under certain conditions composition holds for dependent protectors also. In the second part, we specialize the aforementioned abstract model to simpli ed versions of the personal rapid transit system (PRT 2000) under development at Raytheon Corporation. We examine overspeed and collision protection for a set of vehicles traveling on straight tracks, on binary merges, and on a directed graph of tracks involving binary merges and diverges. In each case, the protectors sample the state of the physical plant and take protective actions to guarantee that the physical plant does not reach hazardous states. The proofs of correctness of such protectors involve specializing the abstract protector to the physical plant at hand and proving that the suggested protector implementations are correct. This is done by de ning simulations among the states of the protector implementations and their abstract counterparts. Thesis Supervisor: Nancy A. Lynch, Ph.D. Title: NEC Professor of Software Science and Engineering