Hengjun Zhao

A calculus for hybrid CSP

Hybrid Communicating Sequential Processes (HCSP) is an extension of CSP allowing continuous dynamics. We are interested in applying HCSP to model and verify hybrid systems. This paper is to present a calculus for a subset of HCSP as a part of our efforts in modelling and verifying hybrid systems. The calculus consists of two parts. To deal with continuous dynamics, the calculus adopts differential invariants. A brief introduction to a complete algorithm for generating polynomial differential invariants is presented, which applies DISCOVERER, a symbolic computation tool for semi-algebraic systems. The other part of the calculus is a logic to reason about HCSP process, which involves communication, parallelism, real-time as well as continuous dynamics. This logic is named as Hybrid Hoare Logic. Its assertions consist of traditional pre- and post-conditions, and also Duration Calculus formulas to record execution history of HCSP process.

Abstraction of Elementary Hybrid Systems by Variable Transformation

Elementary hybrid systems (EHSs) are those hybrid systems (HSs) containing elementary functions such as exp, ln, sin, cos, etc. EHSs are very common in practice, especially in safety-critical domains. Due to the non-polynomial expressions which lead to undecidable arithmetic, verification of EHSs is very hard. Existing approaches based on partition of the state space or overapproximation of reachable sets suffer from state space explosion or inflation of numerical errors. In this paper, we propose a symbolic abstraction approach that reduces EHSs to polynomial hybrid systems (PHSs), by replacing all non-polynomial terms with newly introduced variables. Thus the verification of EHSs is reduced to the one of PHSs, enabling us to apply all the well-established verification techniques and tools for PHSs to EHSs. In this way, it is possible to avoid the limitations of many existing methods. We illustrate the abstraction approach and its application in safety verification of EHSs by several real world examples.

MARS: A Toolchain for Modelling, Analysis and Verification of Hybrid Systems

We introduce a toolchain MARS for Modelling, Analyzing and veRifying hybrid Systems we developed in the past years. Using MARS, we build executable models of hybrid systems using the industrial standard environment Simulink/Stateflow, which facilitates analysis by simulation. To complement simulation, formal verification of Simulink/Stateflow models is conducted in the toolchain via the following steps: first, we translate Simulink/Stateflow diagrams to Hybrid CSP (HCSP) processes by an automatic translator Sim2HCSP, where HCSP is an extension of CSP for formally modelling hybrid systems; second, to justify the translation, another automatic translator HCSP2Sim that translates from HCSP to Simulink is provided, so that the consistency between the original Simulink/Stateflow model and the translated HCSP formal model can be checked by co-simulation; then, the HCSP processes obtained in the first step are verified by an interactive Hybrid Hoare Logic (HHL) prover; during the verification, an invariant generator independent of the theorem prover for synthesizing invariants for differential equations and loops is needed. We will demonstrate the toolchain by analysis and verification of a descent guidance control program of a lunar lander, which is a real-world industry example.

Unifying Theories of Programming (UTP)

Unifying Theories of Programming (UTP), due to Hoare and He, is a relational calculus based on first-order logic, which is intended for unifying different programming paradigms.

Stateflow and Its Combination with Simulink

Stateflow is a toolbox adding facilities for modelling and simulating reactive systems, extending Simulink’s scope to event-driven and hybrid forms of embedded control. Stateflow combines hierarchical state machines, that are similar to Statecharts, and flow diagrams, that are formed with joining junctions. By using the combined design, Stateflow provides flexible modelling mechanisms such as hierarchical states, interlevel transitions, event broadcasting, and so on. Stateflow enables the modelling of discrete control of hybrid systems, and meanwhile, it is integrated seamlessly with Simulink, that provides capabilities to model continuous dynamics.

The HHL Prover

In this chapter, we present HHL prover , an interactive theorem prover for proving HHL specifications. HHL prover is implemented based on the mechanization of the HHL in the proof assistant Isabelle/HOL. With HHL prover, users can verify whether a HCSP process conforms to a given HHL specification or not in a machine checkable way. Moreover, the correctness (or soundness) of the HHL theory itself is machine checked in HHL prover, as a direct consequence of implementing the prover.

Translating Simulink Diagrams into HCSP

In this chapter, we consider how to define a formal semantics for Simulink by encoding it into HCSP, so that a Simulink diagram can be formally verified by HHL prover given in Chap. 8 In addition, we justify the correctness of the translation by using UTP [94].

Translating Simulink/Stateflow Diagrams into HCSP

In the previous chapter, we have translated a subset of Simulink into HCSP processes, which can be formally verified by applying HHL prover. In this chapter, we will continue to investigate the translation of Stateflow models into HCSP, and then show how this translation can be integrated with the translation of Simulink to HCSP so that a translation from the combined Simulink/Stateflow models into HCSP is obtained. We will also consider the correctness of our translation, i.e., whether the Stateflow diagrams and the HCSP processes translated from them are equivalent.

Hybrid Hoare Logic

Hybrid Hoare Logic (HHL) was first proposed in Liu et al. (A calculus for hybrid CSP. In: Ueda, K. (ed.) APLAS 2010. Lecture Notes in Computer Science, vol. 6461, pp. 1–15. Springer, Berlin/Heidelberg, 2010), which is an extension of Hoare logic to hybrid system, used to specify and reason about hybrid systems modelled by HCSP. The assertion logic of HHL consists of two parts: the first-order logic and Duration Calculus (DC) (Zhou et al., Inform. Process. Lett. 40(5):269–276, 1991; Zhou et al., Duration Calculus—A Formal Approach to Real-Time Systems. Monographs in Theoretical Computer Science. An EATCS Series. Springer, Berlin/Heidelberg, 2004). The former is used to specify discrete events, represented by pre- and post-conditions, while the latter is used to specify continuous evolution. In HHL, a hybrid system is modelled by a HCSP process. So, the proof system of HHL consists of the following three parts: axioms and inference rules for the first-order logic, axioms and inference rules for DC, and axioms and inference rules for the constructs of HCSP. A theorem prover of the logic based on Isabelle/HOL has been implemented (Zou et al., Verifying Chinese train control system under a combined scenario by theorem proving. In: Cohen, E., Rybalchenko, A. (eds.) VSTTE 2013. Lecture Notes in Computer Science, vol. 8164, pp. 262–280. Springer, Berlin/Heidelberg, 2014; Wang et al., An improved HHL prover: an interactive theorem prover for hybrid systems. In: ICFEM 2015. Lecture Notes in Computer Science, vol. 9407, pp. 382–399, 2015), and applied to model and specify Chinese High-Speed Train Control System at Level 3 (CTCS-3) (Zou et al., Verifying Chinese train control system under a combined scenario by theorem proving. In: Cohen, E., Rybalchenko, A. (eds.) VSTTE 2013. Lecture Notes in Computer Science, vol. 8164, pp. 262–280. Springer, Berlin/Heidelberg, 2014), the GNC control program of the powered descent of a lunar lander (Zhao et al. Formal verification of a descent guidance control program of a lunar lander. In: FM 2014. Lecture Notes in Computer Science, vol. 8442, pp. 733–748. Springer International Publishing, Switzerland, 2014), etc.

From HCSP to Simulink

As we argued before, model-based design (MBD) has been widely used in the practice of embedded system design, and various MBD approaches have been proposed, which can be classified into two paradigms, a simulation-based informal one such as or a verification-based formal one like. It is evident that informal design of embedded systems has a low initial cost and is intuitively appealing, because simulations give results early on, but it cannot fully guarantee the correctness and reliability of the system to be developed; in contrast, the correctness and reliability of the system can be thoroughly investigated with formal design, but the cost is higher and it requires specialized skills. Therefore, it is desirable to provide a two-way path between formal and informal approaches for a designer.