Joseph Sifakis
École Polytechnique Fédérale de Lausanne
Featured research published by Joseph Sifakis.
Theoretical Computer Science | 1995
Rajeev Alur; Costas Courcoubetis; Nicolas Halbwachs; Thomas A. Henzinger; Pei-Hsin Ho; Xavier Nicollin; Alfredo Olivero; Joseph Sifakis; Sergio Yovine
We present a general framework for the formal specification and algorithmic analysis of hybrid systems. A hybrid system consists of a discrete program with an analog environment. We model hybrid systems as finite automata equipped with variables that evolve continuously with time according to dynamical laws. For verification purposes, we restrict ourselves to linear hybrid systems, where all variables follow piecewise-linear trajectories. We provide decidability and undecidability results for classes of linear hybrid systems, and we show that standard program-analysis techniques can be adapted to linear hybrid systems. In particular, we consider symbolic model-checking and minimization procedures that are based on the reachability analysis of an infinite state space. The procedures iteratively compute state sets that are definable as unions of convex polyhedra in multidimensional real space. We also present approximation techniques for dealing with systems for which the iterative procedures do not converge.
software engineering and formal methods | 2006
Ananda Basu; Marius Bozga; Joseph Sifakis
We present a methodology for modeling heterogeneous real-time components. Components are obtained as the superposition of three layers: behavior, specified as a set of transitions; interactions between transitions of the behavior; and priorities, used to choose amongst possible interactions. A parameterized binary composition operator is used to compose components layer by layer. We present the BIP language for the description and composition of layered components as well as associated tools for executing and analyzing components on a dedicated platform. The language provides a powerful mechanism for structuring interactions involving rendezvous and broadcast. We show that synchronous and timed systems are particular classes of components. Finally, we provide examples and compare the BIP framework to existing ones for heterogeneous component-based modeling.
logic in computer science | 1992
Thomas A. Henzinger; Xavier Nicollin; Joseph Sifakis; Sergio Yovine
Finite-state programs over real-numbered time in a guarded-command language with real-valued clocks are described. Model checking answers the question of which states of a real-time program satisfy a branching-time specification. An algorithm that computes this set of states symbolically as a fixpoint of a functional on state predicates, without constructing the state space, is given.
IFAC Proceedings Volumes | 1998
Eugene Asarin; Oded Maler; Amir Pnueli; Joseph Sifakis
In this work we tackle the following problem: given a timed automaton, restrict its transition relation in a systematic way so that all the remaining behaviors satisfy certain properties. This is an extension of the problem of controller synthesis for discrete event dynamical systems, where in addition to choosing among actions, the controller has the option of doing nothing and letting time pass. The problem is formulated using the notion of a real-time game, and a winning strategy is constructed as a fixed-point of an operator on the space of states and clock configurations.
Information & Computation | 1994
Xavier Nicollin; Joseph Sifakis
The algebra of timed processes, ATP, uses a notion of discrete global time and suggests a conceptual framework for introducing time by extending untimed languages. The action vocabulary of ATP contains a special element representing the progress of time. The algebra has, apart from standard operators of process algebras such as prefixing by an action, alternative choice, and parallel composition, a primitive unit-delay operator. For two arguments, processes P and Q, this operator gives a process which behaves as P before the execution of a time event and behaves as Q afterwards. It is shown that several d-unit delay constructs such as timeouts and watchdogs can be expressed in terms of the unit-delay operator and standard process algebra operators. A sound and complete axiomatization for bisimulation semantics is studied and two examples illustrating the adequacy of the language for the description of timed systems are given. Finally we provide a comparison with existing timed process algebras.
formal methods | 2004
Marius Bozga; Susanne Graf; Ileana Ober; Iulian Ober; Joseph Sifakis
This paper presents an overview of the IF toolset, which is an environment for modelling and validation of heterogeneous real-time systems. The toolset is built upon a rich formalism, the IF notation, allowing structured automata-based system representations. Moreover, the IF notation is expressive enough to support real-time primitives and extensions of high-level modelling languages such as SDL and UML by means of structure preserving mappings. The core part of the IF toolset consists of a syntactic transformation component and an open exploration platform. The syntactic transformation component provides language level access to IF descriptions and has been used to implement static analysis and optimisation techniques. The exploration platform gives access to the graph of possible executions. It has been connected to different state-of-the-art model-checking and test-case generation tools. A methodology for the use of the toolset is presented using a case study concerning the Ariane-5 Flight Program, for which both an SDL and a UML model have been validated.

Finite automata and regular languages have been useful in a wide variety of problems in computing, communication and control, including formal modeling and verification. Traditional automata do not admit an explicit modeling of time, and consequently, timed automata [2] were introduced as a formal notation to model the behavior of real-time systems. Timed automata accept timed languages consisting of sequences of events tagged with their occurrence times. Over the years, the formalism has been extensively studied, leading to many results establishing connections to circuits and logic, and much progress has been made in developing verification algorithms, heuristics, and tools. This paper provides a survey of the theoretical results concerning decision problems of reachability, language inclusion and language equivalence for timed automata and its variants, with some new proofs and comparisons. We conclude with a discussion of some open problems.
IEEE Software | 2011
Ananda Basu; Bensalem Bensalem; Marius Bozga; Jacques Combaz; Mohamad Y. Jaber; Thanh-Hung Nguyen; Joseph Sifakis
An autonomous robot case study illustrates the use of the behavior, interaction, priority (BIP) component framework as a unifying semantic model to ensure correctness of essential system design properties.
Communications of The ACM | 2009
Edmund M. Clarke; E. Allen Emerson; Joseph Sifakis
Turing Lecture from the winners of the 2007 ACM A.M. Turing Award. In 1981, Edmund M. Clarke and E. Allen Emerson, working in the USA, and Joseph Sifakis working independently in France, authored seminal papers that founded what has become the highly successful field of model checking. This verification technology provides an algorithmic means of determining whether an abstract model---representing, for example, a hardware or software design---satisfies a formal specification expressed as a temporal logic (TL) formula. Moreover, if the property does not hold, the method identifies a counterexample execution that shows the source of the problem. The progression of model checking to the point where it can be successfully used for complex systems has required the development of sophisticated means of coping with what is known as the state explosion problem. Great strides have been made on this problem over the past 28 years by what is now a very large international research community. As a result, many major hardware and software companies are beginning to use model checking in practice. Examples of its use include the verification of VLSI circuits, communication protocols, software device drivers, real-time embedded systems, and security algorithms. The work of Clarke, Emerson, and Sifakis continues to be central to the success of this research area. Their work over the years has led to the creation of new logics for specification, new verification algorithms, and surprising theoretical results. Model checking tools, created by both academic and industrial teams, have resulted in an entirely novel approach to verification and test case generation. This approach, for example, often enables engineers in the electronics industry to design complex systems with considerable assurance regarding the correctness of their initial designs. Model checking promises to have an even greater impact on the hardware and software industries in the future. ---Moshe Y. Vardi, Editor-in-Chief
Acta Informatica | 1993
Xavier Nicollin; Joseph Sifakis; Sergio Yovine
The paper presents results of ongoing work aiming at the unification of some behavioral description formalisms for timed systems. We propose for the algebra of timed processes ATP a very general semantics in terms of a time domain. It is then shown how ATP can be translated into a variant of timed graphs. This result allows the application of existing model-checking techniques to ATP. Finally, we propose a notion of hybrid systems as a generalization of timed graphs. Such systems can evolve, either by executing a discrete transition, or by performing some “continuous” transformation. The formalisms studied admit the same class of models: time deterministic and time continuous, possibly infinitely branching transition systems labeled by actions or durations.