Engineering Constraint Solvers for Automatic Analysis of ... · PDF fileEngineering Constraint Solvers for Automatic Analysis of Probabilistic Hybrid ... Research Group Hybrid Systems

Engineering Constraint Solvers forAutomatic Analysis of Probabilistic Hybrid Automata✩

Martin Franzle∗, Tino Teige, Andreas Eggers

Carl von Ossietzky Universitat Oldenburg, GermanyDpt. of Computing Science, Research Group Hybrid Systems

Abstract

In this article, we recall different approaches to the constraint-based, symbolic analysisof hybrid discrete-continuous systems and combine them to atechnology able to ad-dress hybrid systems exhibiting both non-deterministic and probabilistic behavior akinto infinite-state Markov decision processes. To enable mechanized analysis of suchsystems, we extend the reasoning power of arithmetic satisfiability-modulo-theories(SMT) solving by, first, reasoning over ordinary differential equations (ODEs) and,second, a comprehensive treatment of randomized (also known as stochastic) quantifi-cation over discrete variables as well as existential quantification over both discrete andcontinuous variables within the mixed Boolean-arithmeticconstraint system. This pro-vides the technological basis for a constraint-based analysis of dense-time probabilis-tic hybrid automata, extending previous results addressing discrete-time automata (1).Generalizing SMT-based bounded model-checking of hybrid automata (2; 3), stochas-tic SMT including ODEs permits the direct analysis of probabilistic bounded reach-ability problems of dense-time probabilistic hybrid automata without resorting to ap-proximation by intermediate finite-state abstractions.

Key words: Probabilistic hybrid automata, bounded model checking, arithmeticconstraint solving, stochastic satisfiability.

1. Introduction

Most embedded systems operate within or even comprise coupled networks ofboth discrete and continuous components. Safety assessment of suchhybrid systemsamounts to showing that the joint dynamics of the embedded system and its environ-ment is well-behaved, e.g. that it may never reach an undesirable state or that it will

✩This work has been supported by the German Research Council (DFG) as part of the TransregionalCollaborative Research Center “Automatic Verification andAnalysis of Complex Systems” (SFB/TR 14AVACS, www.avacs.org).∗Corresponding authorEmail addresses:[email protected] (Martin Franzle),

[email protected] (Tino Teige),[email protected] (Andreas Eggers)

Preprint submitted to Elsevier December 3, 2009

converge to a desirable state, regardless of the actual disturbance. Disturbances mayoriginate from uncontrolled inputs in an open system, like acar driver performing herdriving task, as well as from internal sources of the overalltechnical system, like fail-ing system components, including sensors or even actuators. Gradually advancing thecapabilities of addressing such systems, research in hybrid system verification has thustraditionally focused on different classes of system structures and disturbances, rangingfrom a closed-system view over non-deterministic to probabilistic or stochastic hybridsystems. While the closed-system view necessitates a reasonably exact representationof the rather intricate yet deterministic feedback dynamics of coupled discrete and con-tinuous systems, non-deterministic systems extend this view by unknown inputs of anopen system. Probabilistic systems, finally, allow to capture unpredictable, yet statisti-cally characterizable disturbances.

Within this article, we recollect different approaches to the constraint-based, sym-bolic analysis of hybrid systems and combine them to a technology able to deal with hy-brid systems exhibiting both non-deterministic and probabilistic behavior as in infinite-state Markov decision processes, thus being able to model feedback behavior of hybridsystems with both unknown inputs or parameters and probabilistic sources of distur-bance, like component failures. The resulting procedure enables constraint-based anal-ysis of dense-time probabilistic hybrid automata, extending previous results addressingdiscrete-time probabilistic hybrid automata (1; 4) and dense-time non-deterministic hy-brid automata (5).

Our procedure belongs to the class of depth-bounded state-space exploration meth-ods based on satisfiability solvers, which have originally been suggested for large finite-state systems by Groote et al. in (6) and by Biere et al. in (7) and have since becomepopular under the termbounded model checking(BMC), now accounting for a majorfraction of the industrial applications of formal verification. The idea of BMC is toencode the next-state relation of a system as a propositional formula, to unroll this tosome given finite depthk, and to augment it with a corresponding finite unravelling ofthe tableaux of (the negation of) a temporal formula in orderto obtain a propositionalSAT problem which is satisfiable if and only if an error trace of lengthk exists. Enabledby the impressive gains in performance of propositional SATcheckers in recent years,BMC can now be applied to very large finite-state designs.

Though originally formulated for discrete transition systems, the concept of BMCalso applies to hybrid discrete-continuous systems. The BMC formulae arising fromsuch systems comprise complex Boolean combinations of arithmetic constraints overreal-valued variables, thus entailing the need forsatisfiability modulo theories(SMT)solvers over arithmetic theories to solve them. Such SMT procedures are thus currentlyin the focus of the SAT-solving community (e.g., 8; 9; 10; 11), as is their application toand tailoring for BMC of hybrid system (e.g., 2; 3; 5; 12; 13).

The scope of the aforementioned procedures, however, is confined to qualitative(i.e., non-probabilistic) models of hybrid behavior as well as to purely Boolean queriesof the form “can the system ever exhibit an undesirable behavior?”, whereas require-ments for safety-critical systems frequently take the formof bounds on error probabil-ity, requiring the residual probability of engaging into undesirable behavior to be belowan acceptable threshold. Automatically answering such queries requires, first, modelsof hybrid behavior that are able to represent probabilisticeffects like component break-

2

down and, second, algorithms for state space traversal of such hybrid models.In the context of hybrid systems augmented with probabilities, a wealth of models

has been suggested by various authors. These models vary with respect to the patternsof continuous dynamics supported, the shapes of randomnessmodelled, and the degreeto which they support non-determinism and compositionality. The cornerstones areformed byprobabilistic hybrid automata, where state changes forced by continuousdynamics may involve discrete random events determining both the discrete and thecontinuous successor state (1; 14; 15),piecewise deterministic Markov processes(16),where state changes may happen spontaneously in a manner similar to continuous-timeMarkov processes, andstochastic differential equations(17), where, like in Brownianmotion, the random perturbation affects the dynamics continuously. In full general-ity, stochastic hybrid system (SHS) models can cover all such ingredients (18; 19).While such models have a vast potential of application (20; 21; 22), results relatedto their analysis and verification are limited, and often based on Monte-Carlo simu-lation (23; 24). For certain subclasses of piecewise deterministic Markov processes,of probabilistic hybrid automata, and of stochastic hybridsystems, reachability prob-abilities can be approximated (15; 25; 26; 27) or, if continuous behavior is extremelyrestricted as in timed automata or the equivalent class of initialized rectangular hybridautomata, even computed (14; 28).

For the automated state-exploratory analysis methods among the above, scalabilityis in general poor, as they are mostly relying on explicit representations of either bisim-ulation quotients or finite abstractions. In previous papers (1; 4), we have presented atechnology that preserved the virtues of SMT-based BMC, namely the constraint-basedtreatment of hybrid state spaces, while advancing the reasoning power to probabilisticmodels and requirements. While the technique is more general, these previous papersfocus on depth-bounded reachability ofdiscrete-timeprobabilistic hybrid automata,where the dynamics is given by (potentially non-linear) pre-post-relations rather thanordinary differential equations, as common in hybrid systems. Furthermore, assign-ments to continuous variables are confined to be deterministic in (1; 4). In the currentsubmission, we strive to overcome these limitations by devising a procedure tacklingdense time, dynamics described by (potentially non-linear) ordinary differential equa-tions, and non-deterministic continuous behavior.

In order to achieve this goal, we first (in Section 2) definedense-time probabilis-tic hybrid automata(PHA) and provide their semantics as well as the bounded prob-abilistic reachability problem. We proceed in Section 3 with introducingstochasticsatisfiability modulo the theories of non-linear arithmetic and ODEsas the unifica-tion of stochastic propositional satisfiability (29) and satisfiability modulo non-lineararithmetic (11) and modulo ODEs (5). Section 4 formalizes the SSMT encoding ofthe probabilistic bounded reachability properties of PHA.Solving this symbolic en-coding by an extension of the SSMT algorithm from (4) to incorporate ODEs, whichis explained in Section 5, we obtain a technique for analysisof probabilistic boundedreachability problems of probabilistic hybrid automata. This technique does neither re-sort to approximation by intermediate finite-state abstractions of the hybrid system nordoes it require flattening out concurrent system by computing an automaton-product,as the handling of discrete states is fully symbolic. The latter is demonstrated in Sec-tion 6, where a system with 13 parallel components is analyzed which would flatten

3

out to more than a million discrete states.With its focus on scalability in the number of concurrent components and in the size

of the discrete components, being able to analyze e.g. networked automation systemsat the level of their feedback dynamics with the continuous domain, we consider thisline of work complementary to the body of analytic techniques developed for classesof hybrid systems with more intricate stochastic dynamics.Our approach is very con-fined concerning the stochastic behavior; actually, it onlyadmits probabilistic eventswithin transitions. Analytic techniques based on Lyapunovtheory (e.g., 30) can handleeventual stabilization of switched stochastic differential equations and reachability the-ory of piecewise deterministic Markov processes (31) can characterize the reach setsof systems incorporating (deterministic) differential equations paired with probabilis-tic switching governed by guards and state-dependent jump rates. Automation of theseapproaches is, however, hard and probably bound to be of confined scalability, as itrequires techniques like the construction of a common Lyapunov function, computa-tion of simulating systems, or the conservative, yet sufficiently accurate approximationof, e.g., hitting distributions (26), which using usual approximation schemes for distri-butions is exponential in the continuous dimension of the system and subject to stateexplosion in the discrete states. It would be interesting tosee how these approachescould be unified, overcoming the limitations of our current approach concerning theclasses of continuous behavior while retaining its scalability on concurrent systems.

2. Dense-time probabilistic hybrid automata

Probabilistic hybrid automata (PHA) extend the concept of hybrid automata withprobabilistic transitions modeling, e.g., component failures or collisions on a sharedmedium and the resulting loss of data packets in distributedsystems. Like dense-time hybrid automata, PHA feature a finite set of discrete locations or modes, eachof which comes decorated with a (possibly non-linear) differential equation governingthe dynamics of a vector of continuous variables while residing in the mode and withan invariant constraining the evolution of the continuous variables while in the mode.Mode changes are effected by instantaneous transitions guarded by conditions on thecurrent values of the continuous variables, and such mode changes may also involvediscontinuous updates to the continuous variables. Both transition selection and vari-able updates may be non-deterministic; the first situation arises in case of overlappingguard conditions, the second due to underspecification in the pre-post-relations defin-ing these assignments. Beyond these mechanisms from hybridautomata, PHA add theprobabilistic selection of a transition variant based on a random experiment: Followingthe idea of Sproston (14; 28), potentially non-deterministic transition selection happensfirst, choosing one transition among the enabled ones, and isthen followed by random-ized selection of a transition variant according to a probability distribution belonging tothe selected transition. The different transition variants can lead to different follow-uplocations and different continuous successors, as depicted in Figure 1, wherethe guardcondition determining transition selection is depicted tothe left of the box denotingthe random experiment. In comparison to Piecewise Deterministic Markov Processes(31), PHA add a second form of choice dynamics, namely non-deterministic choice inboth the selection among competing transitions and the computation of the continuous

4

∨ cos(x) < 0y ≥ 0.4

∧y′ = yx′ = x

∧y′ = 2 · xx′ = 3.1

s1

dydt = 3x− y

−3 < y < 7.7

s2

dydt = 3x− y2

y ∈ Rx ∈ R

dxdt = ydx

dt = x · y

0 ≤ x < 21.0

false

∧y = −1.1x ∈ [0.1, 1.4]

0.1

0.3

0.7

0.9

x′ > sin(y) ∧ y′2 = 4 · y

x′ = x∧ y′ = y

|y| · x2 < x/2

x′ = x∧ y′ = y

true

t2

t1

t3

Figure 1: A probabilistic hybrid automatonA. The rectangular boxes denote random events selecting atransition variant with the probabilities denoted along the transition arcs. Note that transition selection andexecution is a three-stage process: Non-determinism, which may arise due to overlapping guard conditions,is resolved strictly before performing the random experiment selecting a transition variant determining thesuccessor location. Hereafter, a continuous successor state is selected.

successor state, yet omit transition rates. The rationale for adding non-determinismis enhanced expressiveness when addressing open dynamic systems or partially devel-oped technical systems, where part of the uncertain system dynamics, like componentfailures in the subsystem modelled, can be characterized statistically, while other dy-namical aspects are unknowns at the time of modeling and analysis and thus need to beaccounted for in their worst-case form, as permitted by non-deterministic underspeci-fication under a demonic interpretation of non-determinism.

Formally, a (flat, we will introduce concurrency later on)dense-time probabilistichybrid automaton A= (Λ,Trans,R, s, p, g, asgn, ode, inv, init) consists of the followingcomponents:

• Finite setsΛ of locations, Transof transitions, andR = {x1, . . . , xn} of contin-

uous state components, together with mappingss : Transtotal−→ Λ, assigning to

each transition its source location, andp : Transtotal−→ P(Λ), assigning to each

transition a probability distribution over the target locations.1 Here and in thesequel,P(M) denotes the set of probability distributions over the finite setM.

• A family g = (gt)t∈Trans assigning to each transition atransition guardenablingthat transition, where the transition guard is an arithmetic predicate with freevariables inR that may involve non-linear arithmetic and transcendentalfunc-tions, as can be seen in Figure 1.

• A family asgn= (asgnt,λ′)t∈Trans,λ′∈Λ assigning to each transition and each targetlocation anassignmentwhich is defined by means of a predicate over variablesin R andR′, whereR′ = {x′1, . . . , x

′n} denotes primed variants of the state compo-

nents inR. Undecorated state componentsx ∈ R refer to the state immediatelybefore the transition, while the primed variantx′ ∈ R′ refers to the state immedi-ately thereafter such that the predicates define pre-post-relations. The assignment

1W.l.o.g., distributions range over the full setΛ as unconnected locations and locations connected withprobability 0 are indistinguishable w.r.t. probabilisticreachability.

5

predicates are potentially non-linear arithmetic predicates over the continuousvariables and may involve transcendental functions; Figure 1 provides examplesof such assignment predicates.

To maintain the desired separation between the resolution of non-determinismand random transitions, we demand that assignments are defined for each statesatisfying the guard, i.e. requiregt ⇒ ∃x′1, . . . , x

′n : asgnt,λ′ to be valid for each

t ∈ Transand eachλ′ ∈ Λ with p(t)(λ′) > 0.

• A family ode= (odeλ)λ∈Λ assigning to each locationλ ∈ Λ a flow odeλ : Rn total−→

Rn which describes the continuous evolution while residing inλ by means of a

vector field, constraining the evolution to solutions of theordinary differentialequationd~x

dt = odeλ(~x ). For technical reasons induced by the constraint solv-ing mechanisms for ODEs, we assume in the sequel that the automaton followseach individual flow for a total duration of at most a given∆ > 0, thereafterbeing forced into a stutter step before resuming the flow. Note that due to stut-tering, this assumption does not prevent the automaton fromresiding inλ for anarbitrarily long duration, to the extent permitted by the invariant.

• A family inv = (invλ)λ∈Λ assigning to each locationλ ∈ Λ an invariant invλwhich is a box inRn, i.e. specifies for eachxi ∈ R an intervalIxi of finite widththat the continuous evolution may not leave while residing in λ.

• A family init = (initλ)λ∈Λ of initial state predicates, where eachinitλ is an arith-metic predicate overR which constrains the valuations of the continuous statecomponents when control residesinitially in the discrete locationλ.2

The automaton engages in a sequence of continuous flows and discrete jumps, wherethe continuous flows are solutions to the ordinary differential equations assigned to thecurrent location and the discrete jumps coincide with enabled transitions, thereby firstselecting non-deterministically among the enabled transitions and then probabilisti-cally among the different target locations and finally again non-deterministically amongthe assignments to continuous variables permitted by the transition.

Given a transitiontr ∈ Trans, A has atr-jump from state (λ, ~x ) ∈ Λ × (Rtotal−→ R)

to state (λ′, ~x ′) ∈ Λ × (Rtotal−→ R) if s(tr) = λ and~x |= gtr and if ~x , ~x ′ |= asgntr ,λ′

or p(tr)(λ′) = 0.3 Here,~x , ~x ′ |= asgntr ,λ′ denotes thatasgntr ,λ′ is satisfied when~xis substituted for the variables inR and ~x ′ is substituted for the variables inR′ oralternatively . Reflecting the random event of selecting a target location entailed in thetransition, theprobability of the tr-jumpfrom (λ, ~x ) to (λ′, ~x ′) is pr = p(tr)(λ′). In thiscase, we write (λ, ~x )→pr

tr (λ′, ~x ′).

2A discrete locationλ not to be taken initially takes the predicateinitλ = false.3The alternativep(tr )(λ′) = 0 completes the transition system with default transitionsof probability 0

in cases where no explicit transition is available, as arcs with probability 0 are generally not drawn in PHAand thus naturally associated with the unsiatisfiable transition predicatefalse. This completion is just atechnicality which avoids many case distinctions in the subsequent development.

6

A has a continuousflow from (λ, ~x ) ∈ Λ × (Rtotal−→ R) to (λ′, ~x ′) ∈ Λ × (R

total−→ R) if

λ = λ′ and if there is a continuous evolution in locationλ of duration at most∆ whichleads from~x to ~x ′, i.e. if there is a durationt ∈ ]0,∆] such that

∃F : [0, t]C1

−→ Rn :

F(0) = ~x∧ F(t) = ~x ′

∧ ∀δ ∈ [0, t] : dFdt (δ) = odeλ(F(δ))

∧ ∀δ ∈ [0, t] : F(δ) ∈ invs(tr)

,

whereAC1

−→ B denotes the continuously differentiable functions with domainA andimage⊆ B. In this case, we write (λ, ~x )→t (λ′, ~x ′).

A run of A is a sequence (λ0, ~x0)→t1 (λ1, ~x1)→pr2tr2

. . . (λn, ~xn) of flows and jumps.It need not alternate between flows and jumps, but may well chain multiple jumps ormultiple flows in a row, thus supporting stuttering within flows as well as permittingmultiple jumps at the same time instant.The probabilityPr(r) of a runr is the productof the probabilities of the jumps incorporated, i.e. for theabove run it is

∏ni=1 pri with

pri = 1 whenever the step is a continuous evolution and the probability of the corre-sponding jump otherwise. Given a run, we call its projectionto the states visited, i.e.the sequence〈(λ0, ~x0), (λ1, ~x1), . . . , (λn, ~xn)〉 its trace.

Note that beyond the stochastic uncertainty of the PHA dynamics, which is coveredby the random events in transitions, there are two points in astep where uncertaintymodelled as non-determinism enters. These are in the selection among the set of en-abled transitions, which need not be a singleton, and among the continuous successorstate in the assignment to the continuous variables. As usual in models blending proba-bilistic and non-deterministic choice, like Markov Decision Processes (32), we assumethat the dynamics is controlled by adecision makeror policy (scheduler, adversary)re-solving the non-determinism based on (complete) observation of the current state andhistory. Based on the trajectory exhibited so far, such a policy can decide

1. whether a jump shall be performed, if one is enabled, or whether and for howlong the current continuous evolution shall proceed,

2. in case a jump is performed, which of the enabled transitionstr ∈ Transshall betaken, and

3. depending on the probabilistically generated random event, which of the possibleupdates of continuous variables pertaining to this event shall be performed.

In the remainder, we shall assume that these decisions depend deterministically on thecurrent trajectory prefix, i.e. that the permissible adversaries are Markovian determin-istic policies (33), also known as step-dependent schedulers. Consequently, a policyconsists of

1. a start state selected amongst the permissible initial states{(λ, ~x ) | ~x |= initλ} and2. a mapping from sequences of sampling points to either a duration t ≤ ∆ of

the next flow or a transitiontr ∈ Trans to be taken plus aΛ-indexed family ofassignments to the continuous variables (one assignment for each outcome of therandom event, thus covering the reaction of the policy to therandom event).

7

I.e., withS = Λ×(Rtotal−→ R) being the state set of the PHA, a policy is a pair of an initial

state and a mappingPol : S∗total−→

(

]0, δ] ∪(

Trans× (Λtotal−→ (R

total−→ R)

))

with the side

condition that the moves suggested by the policy are feasible in the PHA. The latteramounts to demanding that whenever (λ, ~x ) ∈ S is the last element of the sequences ∈ S∗ then

∃(λ′, ~x ′) ∈ S : (λ, ~x )→t (λ′, ~x ′) if Pol(s) = t ∈ ]0,∆]

and∀λ′ ∈ Λ : (λ, ~x )→p(tr)(λ′)

tr (λ′, pa(λ′)) if Pol(s) = (tr , pa) .

Given a set of target statesTarget= (Targetλ)λ∈Λ, a depth boundk ∈ N, and a pol-icy ((λ, ~x ),Pol), thedepth-bounded reachability problemfor depthk subject to policy((λ, ~x ),Pol) can be defined as follows: First, a trace〈(λ0, ~x0), (λ1, ~x1), . . . , (λk, ~x k)〉 ∈S∗ is consistent with the policyif

1. it is anchored in the start state suggested by the policy, i.e. (λ0, ~x0) = (λ, ~x ), and2. the steps are policy-consistent, i.e. for alli < k we have that (λi , ~x i)→t (λi+1, ~x i+1)

if Pol(〈(λ0, ~x0), . . . , (λi, ~x i)〉) = t and that (λi , ~x i) →prtr (λi+1, ~x i+1) and~x i+1 =

pa(λi+1)) if Pol(〈(λ0, ~x0), . . . , (λi , ~x i)〉) = (tr , pa).

The trace〈(λ0, ~x0), (λ1, ~x1), . . . , (λ,~x k)〉 ∈ S∗ hits the targetif ∃i ≤ k : ~x i |= Targetλi.

Theprobability of hitting the target within k steps under policy ((λ, ~x ),Pol) then is

Prk((λ,~x ),Pol) =

∑

{s∈Sk+1|sconsistent with ((λ,~x ),Pol),shits target}

Pr(s) ,

wherePr(s) is the probability of sequences, which is defined as the probabilityPr(r) ofthe (unique) policy-consistent runr yielding traces. It follows from a straightforwardinduction on the depth-boundk that for any policy, this probability of reachingTargetunder the given policy can be characterized recursively as follows:

Lemma 1. Given a PHA A= (Λ,Trans,R, s, p, g, asgn, ode, inv, init) and a corre-sponding policy((λ, ~x ),Pol), the probability of hitting the target within k steps underthe policy satisfies

Prk((λ,~x ),Pol) =

1 if ~x |= Targetλ,

0 if k = 0∧ ~x 6|= Targetλ,

Prk−1((λ′ ,~x ′),Pol) if k > 0∧ Pol(λ, ~x ) = t ∧

(λ, ~x )→t (λ′, ~x ′),∑

λ′∈Λ ptr (λ′) · Prk−1((λ′ ,pa(λ′)),Pol) if k > 0∧ Pol(λ, ~x ) = (tr, pa).

In the sequel, we will be interested in themaximum probability under an arbitrarypolicyof reaching a given set of target locations within a given numberk ∈ N of steps.Semantically, this is adequate for modelling and analyzingsituations where the tar-get states are considered undesirable and a demonic perspective to non-determinismis taken (rendering the policy adversarial), or symmetrically to cases where the target

8

states are considered desirable and an angelic perspective(rendering the policy cooper-ative) is taken. In particular, depth-bounded probabilistic reachability in probabilistichybrid systems is representative of a number of verificationproblems for embeddedsystems, e.g.

• performing quantitative safety analysis (in the sense of estimating failure prob-ability) of a conflict resolution scheme which is expected toterminate after afinite number of actions whenever triggered, like collisionavoidance maneuversin road traffic,

• performing quantitative safety analysis (in the sense of estimating failure proba-bility) of a finite critical mission, like the descent of an airplane,

• assessing the reliability of a system subject to regular maintenance, where thenumber of system actions between maintenance is bounded by aconstantk, or

• step-bounded region stabilization4 of hybrid systems subject to probabilistic dis-turbances, i.e. determining whether a system will with sufficient probability con-verge into a target region within a given step (and thus, time) bound.

We will elaborate on how to formalize these proof obligations after presenting a sym-bolic encoding of the probabilistic hybrid system in Section 4.

Formally, themaximum probability of hitting the target within k stepsis definedas the maximum over arbitrary policies of the policy-dependent hit probability, i.e.as probabilityPrk = max((λ,~x ),Pol) a policyPrk

((λ,~x ),Pol). Theprobabilistic bounded modelchecking problem (PBMC, for short)is then defined to be the problem of decidingwhether the maximum probability of reaching the undesirable states within a givennumber of steps is below a given threshold:

Definition 1 (Probabilistic bounded model checking).Given a probabilistic hybridautomaton A= (Λ,Trans,R, s, p, g, asgn, ode, inv, init) together with a (predicativelydefined) set of target states Target= (Targetλ)λ∈Λ, a depth k∈ N, and a probabilitythresholdθ ∈ [0, 1], the probabilistic bounded model checking problem w.r.t. targetstatesTargetand depthk is to determine whether Prk < θ.

The maximum probability of hitting the target withink steps can be computedby a backward induction scheme akin to that of Bellman (32), yielding the followinginductive characterization of the probability of reachinga target state.

Lemma 2 (Probabilistic bounded reachability). Given a probabilistic hybrid automa-ton A = (Λ,Trans,R, s, p, g, asgn, ode, inv, init) together with a set of target states

Target= (Targetλ)λ∈Λ, a depth bound k∈ N, and a hybrid state(λ, ~x ) ∈ Λ× (Rtotal−→ R),

themaximum probability of reaching the targetTargetwithin at mostk steps from the

4Note that eventual stabilization, while frequently considered due to its simpler mathematics, is hardlyever a convincing notion in practice. In most practical applications, bounds on stabilization time are desir-able.

9

initial state (λ, ~x ) — i.e., under any policy selecting(λ, ~x ) as its initial state —, denotedPk

A(λ, ~x ,Target), is

PkA(λ, ~x ,Target) =


0 if ~x 6|= Targetλ ∧ k = 0,

max(idealflow, idealjump) if ~x 6|= Targetλ ∧ k > 0,

where idealflow= max{Pk−1A (λ′, ~x ′,Target) | t ∈ ]0,∆], (λ, ~x)→t (λ′, ~x ′)} and

idealjump= maxtr∈Trans

∑

λ′∈Λ

(

ptr (λ′) ·max{Pk−1A (λ′, ~x ′,Target) | (λ, ~x )→ptr (λ′)

tr (λ′, ~x ′)})

.

Proof. By induction over the depth-boundk of the transition tree:In casek = 0, the set of traces of lengthk starting in (λ, ~x ) consists of exactly

one traces comprising just the start state (λ, ~x ), i.e. s = 〈(λ, ~x )〉. This traces hits thetarget iff ~x |= Targetλ. For each policy selecting (λ, ~x ) as initial state,s is the uniquepolicy-consistent trace of length 0, and thus has probability 1. Consequently,

P0A(λ, ~x ,Target) =


0 if ~x 6|= Targetλ.

In casek > 0, we can build on the induction hypothesis that for each (λ′, ~x ′), themaximum probability under any scheduler of reachingTargetwithin k − 1 steps from(λ′, ~x ′) is Pk−1

A (λ′, ~x ′,Target) and that there exist a policy ((λ′, ~x ′),Polλ′,~x ′ ,k−1) startingin (λ′, ~x ′) and providing exactly that reach probability withink− 1 steps.

Now, we define a policy ((λ, ~x ),Pol) for thek-step case by

Pol(〈(λ1, ~x1), . . . , (λn, ~xn)〉) =

Polλ2,~x2,k−1(〈(λ2, ~x2), . . . , (λn, ~xn)〉) if n > 1,

tideal if n = 1 andidealflow≥ idealjump

(tr , pa)ideal if n = 1 andidealflow< idealjump,

whereidealflowand idealjumpare defined as before andtideal satisfies (λ1, ~x1) →tideal

(λ′, ~x ′) ∧ Pk−1A (λ′, ~x ′,Target) = idealflow, i.e. is the flow duration leading to the flow

successor with maximalPk−1A (λ′, ~x ′,Target). Likewise, (tr , pa)ideal is the jump with

∑

λ′∈Λ

(

ptr (λ′) ·max{Pk−1A (λ′, ~x ′,Target) | (λ1, ~x1)→ptr (λ′)

tr (λ′, ~x ′)})

= idealjump, i.e. se-lects the transition and assignments with the maximum weighted sum of the successor’sPk−1

A (λ′, ~x ′,Target).It follows from Lemma 1 thatA under policy ((λ, ~x ),Pol) reachesTargetwith prob-

ability PkA(λ, ~x ,Target). It remains to be shown that there is no policy yielding a higher

probability of reaching the target. Therefore, let (((λ, ~x),Pol′) be an arbitrary policystarting in (λ, ~x ). Concerning the behavior ofPol′ on (λ, ~x ), we can distinguish twocases: Either, it takes a flow or a jump, i.e.Pol′(〈(λ, ~x )〉) = t∗ for somet > 0 orPol(〈(λ, ~x )〉) = (tr∗, pa∗).

In case 1, i.e. ifPol′ selects a flow durationPol′(〈(λ, ~x )〉) = t∗, there is a state

10

(λ∗, ~x ∗) such that (λ, ~x )→t∗ (λ∗, ~x ∗). Then

PkA(λ, ~x ,Target)

= max(idealflow, idealjump)

≥ idealflow

= max{Pk−1A (λ′, ~x ′,Target) | t ∈ ]0,∆], (λ, ~x)→t (λ′, ~x ′)}

≥ Pk−1A (λ∗, ~x ∗,Target)

≥ Prk−1((λ∗ ,~x ∗),Pol′)

= Prk((λ,~x ),Pol′)

where the last inequation follows from the induction hypothesis and the last equationfrom Lemma 1. This shows thatPol′ yields at most the same probability of reachingTarget.

Case 2, i.e. thatPol′ takes a jump, is similar. 2

3. Stochastic satisfiability modulo theories

Thestochastic satisfiability modulo theories(SSMT) problem was introduced in (1;4) as an extension of thesatisfiability modulo theories(SMT) problem (e.g. 34) to sup-port existentialandrandomized quantificationover discrete variables as known fromstochastic satisfiability(SSAT, 35; 29) andstochastic constraint satisfaction(SCSP,36). In contrast to SSAT and SCSP problems, where the domainsof all variables arefinite, the original formulation of SSMT also permits continuous domains for non-quantified variables (which are interpreted as the set of innermost existentially quanti-fied variables), and involves non-linear real arithmetic including transcendental func-tions like sin and exp. In this paper, we enhance the expressive power of SSMT beyond(1; 4) by two major extensions:

1. Integration ofordinary differential equations(ODEs).2. Existential quantification overreal-valuedvariables.

The integration of ODEs and the possibility to quantify overreal-valued variables en-hances the SSMT paradigm such that it can represent the semantics of dense-timehy-brid systems.

3.1. Syntax of SSMT

A stochastic satisfiability modulo theory problem

Φ = Q1x1 ∈ dom(x1) . . .Qnxn ∈ dom(xn) : ϕ

is specified by aprefix Q1x1 ∈ dom(x1) . . .Qnxn ∈ dom(xn) binding the variablesxi

to the quantifiersQi ∈ {∃,

R

d}, and a quantifier-free SMT formulaϕ, also called thematrix. A quantifierQ, associated with variablex, is eitherexistential, denoted as∃, orrandomized, denoted as

R

d, whered is a discrete probability distribution over the finite

11

domain ofx. In this paper, we do not require that the domain dom(x) of an existentiallyquantified variablex has to be finite but can also be abounded real-valued interval.

Intuitively, the value of a variablex bound by a randomized quantifier (randomizedvariable for short) is determined stochastically by the corresponding distributiond,while the value of an existentially quantified variable (existential variablefor short)can be set arbitrarily. We usually denote such a probabilitydistributiond by a function[v1 → p1, . . . , vm→ pm] which maps valuevi to a probabilitypi with 0 < pi ≤ 1. Themappingvi → pi is understood aspi is the probability of setting variablex to valuevi .The distribution satisfiesvi , v j for i , j,

∑mi=1 pi = 1, and dom(x) = {v1, . . . , vm}. For

instance,

R

[0→0.2,1→0.5,2→0.3]x ∈ {0, 1, 2}means that the variablex is assigned the value0, 1, or 2 with probability 0.2, 0.5, and 0.3, respectively.

Let V(ϕ) be the set of all variables occurring in an SMT formulaϕ. To cope alsowith ODE constraints,ϕ contains two classes of variables: first, variables of base typesreal and integer, denotedVbase(ϕ) ⊆ V(ϕ), and second, ODE variablesVODE(ϕ) ⊆ V(ϕ)(cf. Subsection 3.2.2). We require that only base-type variables are quantified and thatΦ has no free base-type variables, i.e.Vbase(ϕ) = {x1, . . . , xn}, where{x1, . . . , xn} is theset of variables bound in the quantifier prefix. Without loss of generality, the SMTformula ϕ is in conjunctive normal form (CNF), i.e.ϕ is a conjunction of clauseswhere a clause is a disjunction of constraints. A constraintcan be either a (non-linear) arithmetic constraint like sin(x2)/y ≥ exp(x · y) or an ODE constraint like(

dz1dt (t) = z1 · sin(z2), true, x, y, τ

)

. Formally, the syntax of an SMT formulaϕ is asfollows.

smt formula ::= {clause∧}∗clause

clause::= ({constraint∨}∗constraint)

constraint::= arithmeticconstraint | odeconstraint

arithmeticconstraint::= term relop term

odeconstraint::= (d odevar/dt = oterm,

invar, basevar, basevar, basevar)

invar ::= true | const(< | ≤) odevar (< | ≤) const

term ::= uop term | term bop term| basevar | const

oterm::= uop oterm| oterm bop oterm| odevar | const

relop ::= < | ≤ |= | ≥ |>

uop ::= sin | exp | sqrt | . . .

bop ::= + | − | · | . . .

wherebasevar andodevar are base-type and ODE variables, respectively, andconstranges over the rational constants.

12

As an example consider the following SSMT formula.

quantifier prefix︷︸︸︷R

[1→0.3,2→0.7]a ∈ {1, 2} ∃x ∈ [−1, 3] ∃y ∈ [2, 5] ∃τ ∈ [0, 10] :(

a = 1∨(

dzdt (t) = 1.4 · z, true, x, y, τ

) )

∧(

a = 2∨(

dzdt (t) = z2 − 1.2 · z, 2.5 ≤ z≤ 7.1, x, y, τ

) )

∧(

y− x ≥ 4.2)

︸︷︷︸

matrix

3.2. Semantics of SMTBefore we formally introduce the semantics of SSMT, we need to define the sat-

isfaction of quantifier-free SMT formulae in our context. Let ϕ be an SMT formulaincluding non-linear arithmetic constraints and ODE constraints.5 Then, we callσ atotal valuation if it maps each base variablex in Vbase(ϕ) to a value inR and eachODE variable fromVODE to a function, respectively. More precisely, for base-typevariablesx ∈ Vbase we haveσ : x 7→ σ(x) ∈ R, and for ODE variablesx ∈ VODE,σ : x 7→ σ(x) ∈ C1

f in, whereC1f in denotes the set of differentiable functions on an in-

terval, i.e.C1f in :=

{

x ∈ C1∣∣∣dom(x) = [0, a], a≥ 0

}

. An example may help to clarify thisdefinition ofσ. For two variablesa, b ∈ Vbaseand a variablec ∈ VODE, a possible valu-ationσ could be given byσ(a) = 3.2,σ(b) = −2.1 andσ(c) = t 7→ c(t) = 2.3 · t2 witht ∈ [0, 10]. The base variables are thereby mapped to values fromR, while the ODEvariablec is mapped to a function [0, 10] 7→ R which is differentiable over its domain.A valuation can thus be interpreted as a functionσ : (Vbase∪ VODE) → (R ∪ C1

f in),though above definition is more precise about which elementsare mapped to real num-bers and which to functions. There can obviously be an infinite number of valuationsfor these three variables – and this observation is true in general. The following rulesonsatisfaction of constraintswill set conditions onσ that can be interpreted as a filterremoving those valuations that do not actually constitute satisfying valuations and aretherefore of little interest.

3.2.1. Arithmetic constraintsSatisfaction of arithmetic constraints is w.r.t. the standard interpretation of the arith-

metic operators and the ordering relations over the reals. For instance,x2 > sin(y) issatisfied under the valuationσ with σ(x) = −5.12 andσ(y) = 3.8 because (−5.12)2 >sin(3.8).

3.2.2. ODE constraintsTo describe the continuous evolutions of variables, we consider the integration of

the theory ofordinary differential equations(ODEs) into SSMT in addition to nonlin-ear arithmetic over the reals and integers.

5ODE constraints and ODE variables will be introduced in moredetail in Sect. 3.2.2. For the moment,considering them as constraints and variables of a special type is sufficient.

13

Definitions. We call the tuplecODE := (ODE(x), I (x), u, v, τ) anODE constraint, with

• a differential equationODE(x) := dxdt (t) = f (x1(t), . . . , xn(t)) whose right hand

side functionf : Rn→ R is Lipschitz continuous on the given domaindom(x1)×· · · × dom(xn), wherex1, . . . , xn ∈ VODE(ϕ) are the variables defined by this orother ODE constraints (see below),

• an invariantI (x) := lb ≤ x(t) ≤ ub, i.e. a constraint describing an interval,

• a variableu called the start point of the trajectory in dimensionx,

• a variablev called the end point of the trajectory in dimensionx, and

• a variableτ called the length of the trajectory.

A variablex is defined byan ODE constraint,ODE variablefor short, iff it occurs onthe left-hand side of the differential equationODE(x) of an ODE constraintcODE.

Semantics of ODE constraints.An ODE constraintc = (ODE(xi), I (xi), ui, vi , τi) issatisfied by a valuationσ if it contains solution functionsσ(x1), . . . , σ(xn) such thatσ(xi) connects the valuations given for the start pointσ(ui) with the valuations forthe end pointσ(vi) by a trajectory of lengthσ(τi), the solution functions satisfy thedifferential equationODE(xi), andσ(xi) never leaves the invariantI (xi). We thus callcODE satisfied by a valuationσ iff the above properties are satisfied. More formally:

eval((ODE(xi), I (xi), ui, vi , τi), σ)

=

true if max(dom(σ(xi))) = σ(τi)

and d(σ(xi ))dt (t) = f (σ(x1)(t), . . . , σ(xn)(t)) for all t ∈ [0, σ(τi)]

andσ(xi)(0) = σ(ui) andσ(xi)(σ(τi)) = σ(vi)

andlb ≤ σ(xi)(t) ≤ ub for all t ∈ [0, σ(τi)]

false else

Figure 2 illustrates these characteristics of a satisfyingvaluation.We call a set of ODE constraintsS satisfied under a valuationσ iff all its elements

are satisfied underσ. As above,eval(S, σ) returnstrue iff S is satisfied according tothis definition.

3.2.3. Satisfaction of SMT formulaeGiven an SMT formulaϕ, and a total valuationσ of V(ϕ), ϕ is satisfied underσ

iff at least one constraint in each clause is satisfied underσ. Such a valuationσ iscalledsolution ofϕ. Let π be a partial valuation ofV(ϕ). An SMT formulaϕ is calledsatisfiable underπ iff there exists a solutionσ of V(ϕ) s.t. for each variablex, if π(x) isdefined thenσ(x) = π(x) holds.

14

0

1

2

3

4

5

0 1 2 3 4 5

σ(xi)

(σ(xi))(0) = σ(ui)

dom(σ(xi))

t

max(dom(σ(xi))) = σ(τi)

(σ(xi))(τ) = σ(vi)

f ((σ(x1))(t), . . . , (σ(xn))(t))

Figure 2: A satisfying valuation for an ODE constraint

3.3. Semantics of SSMT

The semantics of an SSMT problem is defined by theprobability of satisfaction(1;4). Formally, theprobability of satisfaction Pr(Φ) of an SSMT formulaΦ = Q1x1 ∈

dom(x1) . . .Qnxn ∈ dom(xn) : ϕ is given by the valueprob(Φ, ∅) ∈ [0, 1]. Here,∅denotes the partial valuation which is totally undefined. Given a partial valuationπ, thepartial valuationπ′ = π ⊕ [x 7→ v] is defined asπ′(x) = v and∀y , x : π′(y) = π(y).A valuationπ′ is called an extension ofπ if dom(π′) ⊃ dom(π) and∀y ∈ dom(π) :π′(y) = π(y). The functionprob(Φ, π), whereΦ is an SSMT formula,Pre is a quantifierprefix with ε denoting the empty prefix, andπ is a partial valuation ofV(ϕ), is definedrecursively by the following rules.

1. prob(ε : ϕ, π) = 0 if ϕ is not satisfied by any extension ofπ.

2. prob(ε : ϕ, π) = 1 if ϕ is satisfied by some extension ofπ.

3. prob(∃x ∈ dom(x) Pre : ϕ, π)= max

v∈dom(x)prob(Pre : ϕ, π ⊕ [x 7→ v]).

4. prob(

R

dx ∈ dom(x) Pre : ϕ, π)=

∑

v∈dom(x)d(v) · prob(Pre : ϕ, π ⊕ [x 7→ v]).

Note thatd is a probability distribution where (v→ p) ∈ d denotesd(v) = p.The probability of satisfaction is determined by the functionprobwith the original

SSMT formulaΦ and the empty valuation∅ as its inputs. Then, the quantifier prefixis traversed recursively from left to right, thereby substituting all possible values ofthe quantified variables. The goal for existential variables is to compute the maximumprobability over all alternatives, while randomized quantification calls for calculating

15

unsatunsat unsatunsatunsat satunsatsat

yy y y

x

x = 4.8x = −3.1x = −9.8 x = 10.1

y = 1 y = 2y = 1 y = 2 y = 1 y = 2 y = 1 y = 2

Pr = 0 Pr = 0

Pr(Φ) = 0.7= max(0, . . . , 0.3, . . . , 0.7, . . . , 0)

Pr = 0.3 Pr = 0.7

Pr = 0Pr = 0 Pr = 1 Pr = 0 Pr = 1Pr = 0 Pr = 0 Pr = 0

0.3 0.7 0.3 0.7 0.3 0.7 0.3 0.7

Φ = ∃x ∈ [−9.8, 10.1]

R

[1→0.3,2→0.7]y ∈ {1, 2} : (x2 ≤ 25.3)∧ (x > 0∨ y = 1)∧ (x ≤ 0∨ y = 2)

Figure 3: Semantics of an SSMT formula depicted as a tree. Only a finite sample of the infinitely manybranches departing from the grey area depicting the real-valued quantifier has been drawn.

the weighted sum. Once the whole quantifier prefix is traversed, π is a total valuationof all base-type variables inVbase(ϕ) since we requireΦ to feature no free variables inVbase(ϕ). The satisfiability ofϕ underπ then determines the probability of satisfactionfor the base cases. For an example explaining this semanticsconfer Figure 3.

Algorithmically, computing the probability of satisfaction for the extended notionof SSMT is not straightforward in general. This is first due tomaximizing over un-countably many alternatives, and second due to dealing withundecidable theories asnon-linear arithmetic and differential equations. To nevertheless find safe solutions tothis important and challenging problem, we will present an algorithmic approach toeffectively compute safe upper bounds of satisfaction probabilities in Section 5.

4. Reducing PBMC to SSMT

In order to perform probabilistic bounded model checking (PBMC) of dense-timeprobabilistic hybrid automata (PHA), we employ a reductionto stochastic satisfiabil-ity modulo theories (SSMT) which generalizes the propositional SAT encodings forbounded model checking of finite-state systems (7) and the SMT encodings for BMCof hybrid automata (2; 3). Our construction proceeds in two phases: First, we generatethe matrix of the SSMT formula. This matrix is an SMT formula encoding all runsof A of the given lengthk ∈ N which reached the goal states, akin to (2; 3). There-after, we add the quantifier prefix encoding the probabilistic and the non-deterministicchoices, whereby a probabilistic choice reduces to a randomized quantifier while anon-deterministic choice yields an existential quantifier.

16

Phase 1: Constructing the matrix.Let A = (Λ,Trans,R, s, p, asgn, ode, inv, init) be adense-time probabilistic hybrid automaton. In order to encode the runs ofA of somegiven lengthk ∈ N by a matrix formula, we proceed as follows:

Reduction step 1.For encoding the discrete states held during the steps of thehybridsystems, we takek + 1 variablesλi , for 0 ≤ i ≤ k, each ranging over domainΛ. Thevalue ofλi coincides with the discrete location which automatonA resides in duringstepi.

Reduction step 2.For representing transitions connecting the above, we takek variablestr i with domainTrans, for 1 ≤ i ≤ k. The value oftr i encodes theith move in the runof A.

Reduction step 3.For each continuous state componentx ∈ Rwe takek+1 real-valuedvariablesxi . The value ofxi−1 encodes the value ofx before theith step in the run (andthusxi the value thereafter).

Reduction step 4.Furthermore, we take for eachx ∈ R a sequence ofk C1-valuedvariablesXi representing the flows in stepsi = 1, . . . , k.

Reduction step 5.For representing the durations of continuous flows in the run, wetakek real-valued variablesti of range [0,∆], one for each 1≤ i ≤ k. The value ofti

encodes the duration of theith step. The step is a continuous flow ifti > 0 and a jumpotherwise.

Reduction step 6.The effect of the continuous flows on the state is encoded by theODE constraint system

k∧

i=1

∧

x∈R

∧

λ∈Λ

(ti > 0∧ λi−1 = λ ⇒ (odeλ(x)[ ~X i/~x ], invλ(x)[ ~X i/~x ], xi−1, xi , ti)) ∧ λi = λ ,

whereodeλ(x) is the ODE pertaining tox in λ andinvλ(x) is the invariant pertaining tox in λ. These constraints express that when residing in stateλ in stepi for a positiveduration, the step-initial valuexi and the flow-final valuexi are connected by a flow ofdurationti which satisfiesodeλ(x) as well asinvλ(x).

Reduction step 7.The interplay between discrete states and transitions requires thattr i

impliesλi−1 = s(tr i). This can be expressed by thek · |Trans| SSMT clauses in

k∧

i=1

∧

tr∈Trans

(

ti = 0∧ tr i = tr ⇒ λi−1 = s(tr))

.

Note that this condition is only enforced if the step duration is 0, which indicates ajump.

Reduction step 8.Likewise,assignmentsare dealt with by

k∧

i=1

∧

tr∈Trans

∧

λ′∈Λ

(

ti = 0∧ tr i = tr ∧ λi = λ′ ⇒

asgntr ,λ′ [xi1, . . . , x

in/x′1, . . . , x

′n][ xi−1

1 , . . . , xi−1n /x1, . . . , xn]

)

which expresses that the flow-final values ˜xij are connected to the step-final valuesxi

j

by the assignment pertaining to transitiontr i .

17

Reduction step 9.We complete the encoding of the PHA transition dynamics by addingconstraints describing the allowable initial states through the SSMT constraint system

∧

λ∈Λ

(

λ0 = λ ⇒ initλ[x01, . . . x

0n/x1, . . . , xn]

)

.

Reduction step 10.Finally, we complete the matrix by adding constraints describingthe verification goal. In case we are interested in a probabilistic bounded reachabilityproblem, this is that a state (λ, ~x ) with ~x |= Targetλ is eventually visited along the trace,i.e.

k∨

i=0

∨

λ∈Λ

(λi = λ ∧ Targetλ[~xi/~x ]) .

The conjunction of the above formulae yields the matrix of our SSMT formulaencoding the PBMC problem. Satisfying valuations of the matrix thus obtained arein one-to-one correspondence to the runs ofA of lengthk (3). As in bounded modelchecking (7; 37), satisfaction of temporal properties on all runs of depthk can fur-thermore be checked by adding to the formula thek-fold unrolling6 of a tableaux ofthe (negated) property, then checking the resulting formula for unsatisfiability. Usingstandard techniques from predicative semantics (38), the translation scheme can be ex-tended to both shared variable and synchronous message-passing parallelism, therebyyielding formulae of size linear in the number of parallel components. This techniqueis used in the case studied presented in Section 6, where an exponentially more conciserepresentation of shared-state concurrency is thus obtained.

Phase 2: Encoding choices.Let ϕ be the matrix corresponding to the conjunctionof the above formulae. As each non-deterministic choice corresponds to selecting atransition while each probabilistic choice amounts to selecting an actual target location,we generate the following SSMT formula:

Reduction step 11.An SSMT formulaψ = ψ1 encoding the probabilistic and non-deterministic choices along the run is obtained by alternating the quantifiers consis-tently with the alternation of choices. To permit a homogeneous randomized quantifi-cation over all transitions, we select a finite setO = {o1, . . . , on} of choice options forrandomized choices, wheren is chosen minimal among the possible solutions of the

following conditions, a probability distributionpO : Ototal−→ (0, 1] overO, and a function

pd : Trans× Λtotal−→ P(O) such that these together satisfy

∀tr ∈ Trans, λ ∈ Λ :∑

pc∈pd(tr ,λ)

pO(pc) = p(tr)(λ) and

∀tr ∈ Trans, λ1, λ2 ∈ Λ : pd(tr, λ1) ∩ pd(tr, λ2) = ∅ .

Such a setO and probability distributionpO exist always. The worst-case cardinalityof O is the number|{p(tr)(λ) | tr ∈ Trans, λ ∈ Λ}| of different transition probabilities,

6involving dedicated termination rules for liveness properties (37)

18

but can be considerably smaller due to different probability constants being the sumsof each other.

Now, we encode the non-deterministic choices by existential quantification overthe transitions inTransand the possible target states and we encode the probabilisticchoices by randomized quantification overO. The latter quantifiers choose an auxiliaryvariablepci in each step which in turn is mapped to the target locationλi by means ofthe mappingpd. Therefore,ψi is defined recursively as follows: for 1≤ i < k,

ψi = ∃tr i ∈ Trans: ∃xi1, . . . , x

in :

R

pO pci ∈ O : ψi+1 , and

ψk = ϕ ∧

n∧

k=1

∧

tr∈Trans

∧

λ∈Λ

[(tr i = tr ∧ λi = λ) ⇒∨

o∈pd(tr ,λ)

pci = o] .

Reduction step 12.In order to solve the PBMC problem, it remains to choose theinitial state maximizing the probability. This can be accomplished by existential quan-tification over the possible states, yielding the formulaPBMCk

A,Target = ∃λ0 ∈ Λ :

∃x01, . . . , x

0n ∈ R : ψ. Given the structural similarity between probabilistic bounded

reachability and quantification in SSMT, this reduction is correct in the following sense:

Proposition 1 (Correctness of reduction).Pr(PBMCkA,Target) ≤ θ iff A satisfies the

PBMC problem w.r.t. thresholdθ, depth k, and target states Target.

This proposition implies that by this reduction, we obtain afully symbolic encodingof the PBMC problem and consequently, an SSMT solving algorithm permits analysisof the PBMC problem for dense-time probabilistic hybrid automata. In particular, analgorithm providing safe upper approximations of the satisfaction probability of SSMTformulae, as we will encounter in the next section, permits us to perform the followinganalysis tasks which are instantiations of the PBMC problem:

• Given a setBadof hazardous states and a tolerable failure probabilityθ, deter-mine whether a step-bounded mission modelled as a PHA is sufficiently safe inthe sense of its overall failure risk not exceeding the thresholdθ.

This is a direct application of the above scheme for probabilistic bounded reach-ability, i.e., of the first version of the goals introduced instep 10.

• Given a linear-time temporal logic (LTL, (39)) formulaφ characterizing safeor desired behavior and a step-bounded mission modelled as aPHA, determinewhether it is safe in the sense of its overall probability of engaging into behaviorsviolatingφ not exceeding the thresholdθ.

This can be achieved by combining the above procedure with a bounded tableauxconstruction for LTL (37).

• Assessing reliability of a system subject to regular maintenance, where the num-ber of system actions between maintenance is bounded by a constantk. Again,this is the same shape of proof, requiring to formulate the system dynamics as aPHA with the possible post-maintenance states as initial states.

19

5. Algorithm for SSMT problems

In this section, we present our algorithm for calculating the maximum probabilityof satisfaction of an SSMT formula. As indicated in Section 3, an exact and completealgorithm for solving SSMT formulae is impossible due to handling undecidable the-ories. We will provide an algorithm that, when queried “is the probabilityPr(Φ) ofsatisfaction at mostθ?” for some SSMT formulaΦ and someθ ∈ [0, 1], will pro-vide reliable “yes” answers, yet may provide false negatives. I.e., whenever it claims“Pr(Φ) ≤ θ” then this is reliable.

As a proof procedure, we generalize to SSMT over ODEs the extended Davis-Putnam-Logemann-Loveland (DPLL) algorithm (40; 41) for SSAT described in (42).The main idea of the DPLL-based approach to solving propositional SSAT problemsΦ = Pre : ϕ is to enumerate all satisfying valuations of the quantifier-free SAT for-mulaϕ. Based on these solutions, the probability of satisfactionPr(Φ) is computedin accordance with the semantic definition of SSAT (i.e. the special case of SSMTwhere all variables range over the Boolean domain, cf. Sect.3.3). Clearly, such a naiveenumeration approach establishes a decision procedure forSSAT but is far from be-ing efficient since the number of valuations is exponential in the number of variables.Therefore, state-of-the-art implementations of SSAT algorithms employ a systematicsearch combined with various heuristics to gain performance. SSAT solvers manipu-late partial valuations to the variables thus keeping trackof the already visited searchspace. Furthermore, this gives the opportunity to immediately exclude partial valu-ations from the search that are meaningless for calculatingthe satisfaction probabil-ity, thus pruning away a potentially huge number of (total) valuations. Such pruningmechanisms are realized by, e.g., extending partial valuations by (logical) inferences(e.g.unit propagation, pure variable elimination(42)), skipping the alternative val-ues of quantified variables (e.g.threshold pruning(42)), and storing and reusing thesatisfaction probabilities of equivalent subformulae (memoization(43; 44)). Anotherpruning technique is to shorten partial valuations upon detecting inconsistent or satis-fying valuations which is referred to asnon-chronological backtracking(e.g. 45; 46) orsolution-directed backjumping(47), respectively. Intuitively, whenever a partial valua-tion was built up by freelychoosingvalues for some quantified variables, in principlethe alternative values need to be explored later on. These alternatives are stored asbacktrack points. However, if it turns out that some of the alternative branches yieldthe same result as the current branch (i.e. an inconsistencyor a solution), explorationof the alternative branch may be omitted for efficiency. Successively skippingn back-track points prunes away 2n partial valuations. The number of backtrack points to beskipped can be calculated from a so-calledreasonfor an inconsistency or solution. Fora comprehensive survey of SSAT algorithms and the listed heuristic enhancements thereader is referred to (29).

In contrast to SSAT the original definition of SSMT from (1; 4)additionally allowsnon-quantified (interpreted as innermost existentially quantified) variables overcontin-uous domainsas well asnon-linear arithmetic constraintslike x3 < sin(y). The do-mains of the randomized and existential variables –while not restricted to be Boolean–need to be finite. Though the abovementioned SSAT algorithm cannot be applied di-rectly to SSMT problems, the basic idea however remains the same. The variables of

20

the quantifier prefix are instantiated with values from left to right, thus building partialvaluations. Once the whole quantifier prefix is processed, itremains to decide the satis-fiability of a quantifier-free SMT formula. Such satisfiability problems are solved by anappropriate SMT solver. Since in this context the SMT formulae comprise non-lineararithmetic over the reals, we employ the SMT solver iSAT (11).

This approach to compute the satisfaction probability of SSMT problems is imple-mented in a SSMT solver called SiSAT (1; 4). As mentioned above, enumerating allinstantiations of the quantified variables cannot yield an efficient procedure for practicalapplications. Therefore, the SiSAT tool implements all thealgorithmic improvementsknown from state-of-the-art SSAT solvers which lead to performance gains of multipleorders of magnitude (cf. 4; 48). To show the practical significance of the SSMT-basedsymbolic model checking approach on realistic scenarios, we applied the SiSAT tool ona case study from thenetworked automation system(NAS) domain presented in (49).The results for the NAS case study can be found in (48).

In this paper, we further enhance the expressive power of SSMT as indicated inSection 3. That is, theadditional issues the enhanced SSMT procedure has to copewith are

1. to reason about ODE constraints and2. to exhaustively explore quantifiers ranging over uncountable domains, as in ex-

istentially quantified continuous variables.

Addressing issue 1, we exploit overapproximation techniques based on safe intervalcalculations which permit safe reasoning by “enclosing” ODE solutions in interval-valued functions. These methods are described in Subsection 5.1. For solving con-straint formulae containing an alternation of existentialquantifiers ranging over thereals and of randomized quantifiers, the authors, to the bestof their knowledge, knowof no competing approaches. We address issue 2 by an algorithm which safely approx-imates the probability of satisfaction from above. The basic idea here is to exhaustivelycover the domains of existential variables by small subintervals and reason about theseusing interval constraint propagation. This approach is safe in the sense that it willalways deliver safe upper bounds of the probability of satisfaction (Subsection 5.2).

The presentation of the enhanced SSMT algorithm is organized in three layers. Thelowermost layer is a combination oftheory solvers TSfor reasoning about a conjunc-tive system over the theory combinationT incorporating ODE constraints and arith-metic constraints. These theory solvers are interval-based, i.e., use interval calculationsand interval constraint propagation (50) as safe, yet incomplete reasoning mechanisms.As the middle layer, anSMT solverfor disjunctive systems overT employs the theorysolversTS. Finally, theSSMT solveris an extension of the SMT layer to deal withexistential and randomized quantification.

5.1. Reasoning about non-linear arithmetic and ODE constraints

We start our exposition with a description of the lowest layer of the solver, thetheory layer, which deals with arithmetic and ODE constraints. Our approach to rea-soning about such constraints is based oninterval arithmetic. Therefore, instead ofreal- and integer-valued valuations, all base variables are interpreted overinterval val-uationsρ : Vbase→ IR ∪ IZ, whereVbase is the set of base variables of types integer

21

and real as introduced before.IR andIZ are the sets of bounded intervals inR and inZ, respectively – the Boolean domain can be represented byB = [0, 1] ⊂ Z. If bothρ′ andρ are interval valuations thenρ′ is called arefinementof ρ, denotedρ′ ⊆ ρ,iff ρ′(v) ⊆ ρ(v) for each variablev ∈ Vbase. Note that such interval valuations do notassign any value to the ODE variablesVODE as the existence of solution functions tothe ODEs is handled locally in the theory layer for ODEs.

Theory layer for non-linear arithmetic constraints.As reasoning mechanisms for gen-eral non-linear constraint systems over the reals, we employ safe interval analysis (IA)for approximating real-valued satisfaction and augment itwith interval constraint prop-agation (ICP) as a powerful deduction mechanism.

Interval analysis(e.g. 51) enables to evaluate theinterval consistencyof a setCarith

of non-linear arithmetic constraints involving functionslike sin and exp. Interval con-sistency is a necessary yet not sufficient condition for real-valued satisfiability ofCarith.Thus, refutation by interval consistency is always correct. There are several definitionsof interval consistency in the literature. They mainly differ in the strength of theirconsistency notions and in the computational effort to decide consistency. Our consis-tency concept ishull consistency(for details, cf. 50) up to a given accuracy, which iseasy to decide and which gives good results in practice. Given an arithmetic constrainta(~x ) = b(~x ), wherea andb are arithmetic terms over~x , and an interval valuationρof its variables~x , interval arithmetic permits computing conservative interval approx-imationsIa(~x ) andIb(~x ) of the ranges ofa(~x ) andb(~x ) underρ. If these intervals arenot disjoint, i.e. ifIa ∩ Ib , ∅, the constraint is called interval consistent. This notioncan be lifted to conjunctive systems of constraintsCarith requiring that each constraintc ∈ Carith is interval consistent underρ.

Interval constraint propagation(e.g. 52; 53; 50) complements IA as a deductionmechanism pruning off non-solutions by narrowing the intervals while maintaininginterval consistency. Given a constraintc and an interval valuationρ, ICP potentiallycomputes a refinementρ′ ⊆ ρ s.t.ρ′ contains all solutions ofc in ρ. Implementationsof interval arithmetic support common functions like+,−, ·, as well as transcendentalfunctions like sin (54; 55). For instance, if using floating-point data-types then intervalsare always rounded outwards s.t. the results remain correctalso under rounding errors.As an example, assume the arithmetic constraintz= x+ y and the interval valuationρwith ρ(x) = [1, 4], ρ(y) = [2, 3], andρ(z) = [0, 5] are given. Each solved form of theconstraint, i.e.x = z−y, y = z−x, andz= x+y, allows contraction of the interval for thevariable on the left-hand side. Forx = z−y, we subtract the interval [2, 3] for y from theinterval [0, 5] for z, concluding thatx can only be in [−3, 3]. Intersecting this intervalwith the original interval [1, 4], we know thatx can only be in [1, 3]. Proceeding in asimilar way fory = z− x does not change any interval, and finally, usingz= x+ y, wecan conclude thatz can only be in [3, 5].

We formalize these observations as follows. LetM be a conjunctive system ofconstraints,Carith ⊆ M be the set of all arithmetic constraints inM, andρ, ρ′ be intervalvaluations. The first two rules give the results of the interval consistency check while

22

the third rule deduces a tighter interval valuation by ICP.

(M, ρ) −→IA cons only if Carith is interval consistent underρ.(M, ρ) −→IA incons only if Carith is not interval consistent underρ.(M, ρ) −→IA (M, ρ′) only if ρ′ ⊆ ρ and for each valuationσ ∈ ρ, σ < ρ′ :

(M, σ) −→IA incons

Note that the last line describes the ability of the theory layer to propagate tighterbounds by pruning off definite non-solutions.

Theory layer for ODE constraints.In contrast to arithmetic constraints, which pro-vide useful interval contractors already if considered in isolation (and applied alternat-ingly in a one-by-one fashion), ODEs require a more global view, as only definition-ally closed sets of ODEsdx

dt = f (x, y) and dydt = g(x, y) are dynamically sufficiently

constrained to provide a useful contractor. Therefore, we collect the ODE constraintsfrom the conjunctive constraint systemM and apply the (costly) ODE processing todefinitionally closed systems only. Given the setM, we take the subsetCODE ⊆ Mof ODE constraints and call the elementsc1, . . . , cm ∈ CODE (in no particular order)and the variablesx1, . . . , xn ∈ VODE(ϕ), i.e. the ODE-defined variables. The task of theODE theory layer is to decide whether, given a valuationρ, there exists a refinementsatisfying the ODE constraints, i.e., whether

∃σ ∈ ρ : ∃y1 ∈ C1f in, . . . , yn ∈ C

1f in : eval(c1, σ

′) ∧ · · · ∧ eval(cm, σ′), (1)

whereσ′ = σ ⊕ [x1 7→ y1] ⊕ · · · ⊕ [xn 7→ yn] is a total valuation in the sense used inSection 3.2 whileσ itself does not contain any valuation for the variables fromVODE.The ODE solver thus has to decide whether there exist solution functionsy1, . . . , yn thatsatisfy the ODE constraints under one concrete valuationσ′ that is compatible to thecurrent interval assignmentρ.

Actually decidingthat question will be out of reach for most classes of ODEs butrelaxing (1) yields an overapproximation similar to the oneperformed in the case of in-terval arithmetic for nonlinear constraints. AssumingIR is the set of bounded intervalsoverR andte ∈ R≥0, we callX : [0, te] → IR anenclosureof x ∈ C1

f in iff ∀t ∈ [0, te] :x(t) ∈ X(t) holds. Instead of using real-valued solutions functions for the ODE andchecking the conditions on satisfied ODE constraints as laiddown in Sect. 3.2.2, theseconditions are checked for the enclosuresX1, . . . ,Xn. For example, having an ODEconstraint (ODE(x), I (x), u, v, τ) and an interval valuationρ with ρ(u) = [0, 1], a setof initial values, andρ(v) = [10.2, 12], a set of possible endpoints to be reached afterρ(τ) = [0, 5.2] time units, assume e.g. a constant enclosureX(t) = [0, 5] for the solu-tion trajectories of the ODE was calculated. Even though theexact solution trajectoriesemerging fromρ(u) stay unknown, this enclosure is sufficient to decide that none of thepossible endpointsρ(v) can be reached during the given timeρ(τ) because the intersec-tion X(ρ(τ)) ∩ ρ(v) is empty. We call a set of ODE constraintsCODE inconsistentwitha valuationρ iff such enclosuresX1, . . . ,Xn of the unknown exact solutionsx1, . . . , xn

can be calculated and there exists at least one constraintci ∈ CODE that cannot be sat-isfied by any valuationσ′ ∈ (σ ⊕ [x1 7→ y1 ∈ X1] ⊕ · · · ⊕ [xn 7→ yn ∈ Xn]) with σ ∈ ρ.Without knowing the exact solutions, the enclosuresX1, . . . ,Xn are thus used to detect

23

unsatisfiability of the constraints underρ. Obviously, we never call a setCODE incon-sistent if (1) is actually satisfiable. This overapproximation is thus safe and its qualitydepends on the tightness of the enclosuresXi .

This task of deciding consistency and the task of propagating tighter bounds aretherefore closely related to calculating safe enclosures of the solution sets of initialvalue problems. There are several techniques aiming at different classes of differentialequations. The most “traditional” methods are based on extrapolating the state vectorover time by interval-based evaluation of truncated Taylorseries with an enclosure ofthe truncation error, safe handling of the rounding errors and some form of coordi-nate transformation to avoid the so-called wrapping effect. These methods date backto Moore (56) and were developed further by Lohner (57) and intheir more recentmore generalized incarnations are still considered competetive for linear ODEs (58).In (5) we have presented a prototypical implementation of Taylor-series-based enclo-sures of ODE trajectories in our constraint solver iSAT. Taylor models (59) togetherwith techniques called “shrink-wrapping” and “preconditioning” (60; 61) to fight thewrapping effect allow tighter enclosures in the case of nonlinear ODEs. Other methodsinclude flowpipe enclosures using zonotopes (62), which explicitly allow to also handlebounded but otherwise unknown continuous inputs, and constraint-propagation-basedmethods like CLP(F) (63). Along the lines of the integrationapproach we presented in(5), we will investigate the integration of some of these newer methods and use them aspropagators for ODEs. In the following, we assume that a suitable enclosure methodis available and we therefore concentrate on the correct useof it to solve the originalquestion posed above.

In order to perform such an enclosure,definitionally closedsystems of differentialequations are required, i.e. for all variablesx occuring on the right-hand side of anODE there must also be a constraintc ∈ CODE with anODE(x) definingx. For variablesx ∈ VODE that do not occur in any of the constraintsc1, . . . , cm, we may assume arbitrarybehavior, i.e. we do not need to care about such variables. Incase a variable occurs onthe right-hand side of an ODE but is not defined by any constraint in CODE, we mayeither try to overapproximate all possible behaviors of that variable and then try toprove inconsistency or safely assume that the system is consistent, which is the muchsimpler option.

Neglecting the technical details, it is safe to assume that we can generate a numberof definitionally closed sets of ODE constraints by groupingthe constraints fromCODE

together such that all variables occuring on the right hand side of the involved ODEsare themselves defined by ODE constraints. For the purpose ofillustration, assumesuch a set is given by

S := {(ODE(x1), I (x1), u1, v1, τ1), . . . , (ODE(xm), I (xm), um, vm, τm)} ,

which definesm different variablesx1, . . . , xm by ODE constraints. Ideally, this set isminimal in the sense that if any of the constraints were removed,S would no longerbe definitionally closed. Clearly this means that each of thevariables defined by aconstraint inS occurs itself on the right-hand side one of at least one of theother con-straints. For example the setS = {(ODE(x), I (x), a, b, t), (ODE(y), I(y), c, d, t)} withODE(x) = dx

dt = x− y andODE(y) = dydt = y cannot be split up further into definition-

ally closed subsets as the right-hand side ofODE(x) depends ony.

24

0

1

2

3

4

5

0 1 2 3 4 5 0

1

2

3

4

5

0 1 2 3 4 5

postbox

prebox

forward propagation

horizon

backward propagation

Figure 4: Usage of ODE enclosures as pruning operators.

We call the boxρ(u1) × · · · × ρ(um) thepreboxandρ(v1) × · · · × ρ(vm) thepostbox.Taking the value∆ = max(

⋂

(ρ(τ1), . . . , ρ(τm))) as a timehorizon, we need to encloseall trajectories emerging from the prebox and satisfying all the differential equationsin S up to∆. If the intersection of this enclosure and the given postboxis empty onthe entire interval [min(

⋂

(ρ(τ1), . . . , ρ(τm))),max(⋂

(ρ(τ1), . . . , ρ(τm)))], we know thatno real-valued trajectories exist that connect any valuation from this pre- and postboxwith the given length. We can therefore safely callS and thereby alsoCODE incon-sistent with the given valuationρ. Furthermore, if this intersection is not empty, wecan remove all parts from the postbox that yield empty intersections with the computedenclosure, i.e. if the intersection ofρ(v1) × · · · × ρ(vm) with the enclosure is not empty,this intersectionρ′(v1)×· · ·×ρ′(vm) may be used as a new valuation, asρ′ still containsall possible solutions.

Note that we can use the same mechanism described above to enclose the set offorward-reachable states fromρ(ui) and pruneρ(vi), to also calculate the backwards-reachable set fromρ(vi) and prune off parts fromρ(ui). This is achieved by usingthe inverse ODE constraints and exchanging the roles ofui andvi in them. For eachODE constraint

(dxidt = fi(x1, . . . , xn), I i(xi), ui, vi , τi

)

∈ CODE, we can add an inverse

constraint(

dxidt = − fi(x1, . . . , xn), I i(xi), vi, ui, τi

)

, consider the variable ¯x1, . . . , xn ODE-defined variables, and then perform the exact same steps as described above.

Figure 4 visualizes this use of ODE enclosure mechanisms as propagators. Someof the trajectories emerging from the prebox reach the postbox during the temporalinterval depicted by the dashed box. The upper part of the postbox, however, is notreached by any trajectory and can thus be safely pruned off. This tightened postboxserves as input to the backward propagation depicted in the right part of the figure.Using the inverse ODE, an enclosure over the same timespan for which the postboxwas reachable during forward propagation – again indicatedby the dashed box – nowyields a tightened version of the prebox. Looking at the illustration of the forwardpropagation again, one can clearly see that exactly that part of the prebox was pruned

25

off by backwards propagation from which no trajectory can actually reach the postbox.Analogously to ICP, the above operations yield contractorsthat are able to narrow

the intervals for variablesx, y, τ in an ODE constraint(

dz1dt (t) = z1 · sin(z2), true, x, y, τ

)

,as well as to potentially detect inconsistencies with the other constraints. These con-tractors yield a derivation relation−→ODE yielding either narrowings or consistencyinformation, which satisfies the following properties:

(M, ρ) −→ODE cons only if CODE is not inconsistent underρ.(M, ρ) −→ODE incons only if CODE is inconsistent underρ.(M, ρ) −→ODE (M, ρ′) only if ρ′ ⊆ ρ and for each valuationσ ∈ ρ, σ < ρ′ :

CODE is inconsistent under{σ}.

Note that this notion of an ODE constraint being “not inconsistent” with ρ does notmean thatρ actually contains a solution. If we call the constraint inconsistent underρ,however, it definitely does not contain any solution.

Combined theory layer.Combining the theory solvers for non-linear arithmetic andODE constraints yields the combined theory layer. LetM be a set of non-linear arith-metic, denotedCarith ⊆ M, and of ODE constraints, denotedCODE ⊆ M. Furthermore,let ρ, ρ′ be interval valuations. Then we merge both theory solvers into one, i.e. the in-terval consistency checks and the mechanisms of deducing tighter interval valuations.

(M, ρ) −→TS cons iff (M, ρ) −→IA cons and (M, ρ) −→ODE cons

(M, ρ) −→TS incons iff (M, ρ) −→IA incons or (M, ρ) −→ODE incons

(M, ρ) −→TS (M, ρ′) iff (M, ρ) −→IA (M, ρ′) or (M, ρ) −→ODE (M, ρ′)

5.2. SSMT algorithm

In this section we present our algorithm for computing safe upper bounds on theprobability of satisfaction of an SSMT formula. Our algorithm is an extension of theSiSAT algorithm described in (1; 4) with existential quantification over continuousdomains and with ODE constraints. The SiSAT approach generalizes the SSAT al-gorithm described in (42) based on the Davis-Putnam-Logemann-Loveland (DPLL)procedure (40; 41).

SMT layer. The SMT layer is described by the following rules. More details on SMTcan be found, e.g., in (34). In contrast to the quantifier-free SMT setting, our SSMTformulae do not contain free variables of the base types realand integer. That is, thebranchingmechanism as well as thebacktrackingrule is not applied by the SMT solverbut is executed by the SSMT layer which will be introduced later on. Thus, the SMTprocedure covers onlytheory propagationandtheory consistency checkingcombinedwith clause learning to exclude inconsistent valuations.

In the sequel, letϕ be an SMT formula in CNF over the theories of non-lineararithmetic and ordinary differential equations,M be a conjunctive system of constraintsfrom ϕ which are asserted during the proof search, andρ, ρ′ be interval valuations ofthe variablesV(ϕ). For conciseness in tracing reasons of deductions and thuslearnedconflicts, an interval valuation is represented as a list of interval bounds.

26

Rules R.1 and R.2 deduce new facts. Rule R.1 appliesunit propagationif all con-straints but one in a clause are inconsistent withM underρ, and adds the remainingconstraint to be satisfied toM. Theory propagationis done by rule R.2 where newtighter interval valuations are deduced by ICP or by the ODE solver. Note that derivingempty intervals is forbidden. In case an empty interval could be deduced, the formulais inconsistent, which is covered by rule R.4.

(c1 ∨ . . . ∨ cm) ∈ ϕ, ci < M,∀ j , i : (M · 〈c j〉, ρ) −→TS incons

(ϕ,M, ρ) −→S MT (ϕ,M · 〈ci〉, ρ)(R.1)

(M, ρ) −→TS (M, ρ′),∀x ∈ V(ϕ) : ρ′(x) , ∅

(ϕ,M, ρ) −→S MT (ϕ,M, ρ′)(R.2)

If a conflict occurs, i.e. the arithmetic constraints or the ODE constraints inM areinconsistent underρ, a more general interval valuationρ′ with ρ ⊆ ρ′ as areasonforthe conflict can be extracted. More formally,ρ′ is such a reason if there is a sequenceof theory deductions from state (M, ρ′) to state (M, ρ), i.e. (M, ρ′) −→∗TS (M, ρ). Theinterval valuationρ′ can be symbolically encoded as a conjunctive system of intervalboundsb1, . . . , bℓ wherebi is of form x ∼ k with x is a variable,∼∈ {<,≤,≥, >}, andk ∈R. We denote this symbolic encoding ofρ′ by symbenc(ρ′) = {b1, . . . , bℓ}. To preventthe SSMT layer from unnecessarily probing a refinement ofρ′ in future search,ρ′ isexcluded by adding a so calledconflict clauseto the formula. Such a conflict clausecan be easily constructed by the disjunction of the negated interval boundsb1, . . . , bℓ,i.e. (¬b1∨ . . .∨¬bℓ). This new clause forbids any refinement ofρ′ in which a solutioncannot exist by forcing that at least one of the boundsb1, . . . , bℓ may not hold. This isreferred to asconflict-driven clause learning(rule R.3).

(M, ρ) −→TS incons, (M, ρ′) −→∗TS (M, ρ), symbenc(ρ′) = {b1, . . . , bℓ}

(ϕ,M, ρ) −→S MT (ϕ ∧ (¬b1 ∨ . . . ∨ ¬bℓ),M, ρ)(R.3)

Note that there are many different techniques for (efficient) generation of such an infea-sible subsystemb1, . . . , bℓ of ρ. Very prominent in propositional SAT solving is thefirstunique implication point techniquefrom (46). Conflict-driven clause learning usuallyappears in combination withnon-chronological backtracking(confer the introductorypart of this section). However, in our setting the SMT layer does not know about pos-sible backtrack points since all branching and backtracking steps are executed by theSSMT layer, in order to compute the satisfaction probabilities at backtrack points.

The last two rules of the SMT layer perform a consistency check. A proof state isinconsistent if the list of constraintsM which were asserted by rule R.1 are togetherinconsistent under the current interval valuationρ.

(M, ρ) −→TS incons

(ϕ,M, ρ) −→S MT incons(R.4)

Note that rule R.3 also detects inconsistency but rule R.4 does not generate a reasonfor this conflict s.t. in concrete implementations of the algorithm conflict-driven clauselearning can be applied according to heuristic measures or the ability of the theorysolvers to provide reasons of conflict.

27

If each clause inϕ contains at least one constraint s.t. all these constraintstogetherare consistent then the SMT formula is consistent.

∃M′ ⊇ M ∀cl ∈ ϕ ∃c ∈ cl with c ∈ M′ : (M′, ρ) −→TS cons

(ϕ,M, ρ) −→S MT cons(R.5)

SSMT layer.The topmost SSMT layer is responsible for exhaustively branching thesearch space by choosing values and intervals for quantifiedvariables, and for calcu-lating the corresponding probabilities of satisfaction (cf. semantics of SSMT, Subsec-tion 3.3). For the sake of clarity, we just present thebasicproof rules of the SSMTlayer to make clear the new contribution of handling existential quantification overcontinuous domains. That is, we do not mention the integration of pruning rules likethresholdingor solution-directed backjumpingwhich are already published and imple-mented in the SiSAT tool (1; 4) and are indispensable for an efficient implementation.Such pruning rules cut off huge parts of the quantifier tree based on deductions at theSMT and SSMT layers, thus often avoiding the exponential blow-up of the search treein quantifier depth.

Addressing issue 2 from the introduction to this section, weneed to exhaustivelycover the domain of existentially quantified continuous variables, i.e. compute the max-imum over uncountably many alternatives. Algorithmically, this is infeasible in gen-eral. Thus, we aim at computing safe upper boundsθ ≥ Pr(Φ) of the actual probabilityof satisfaction.

We obtain safe upper bounds on existential quantification over bounded continuousintervals by partitioning the initial interval into subintervals of a given widthε > 0and applying ICP to the resulting intervals. Formally, given a real-valued intervalI = [l, u], a partitioning of I w.r.t. some parameterε is a finite set of disjoint inter-valsP = {[l, h1], (h1, h2], . . . , (hk, u]} s.t. the width of each interval inP is at mostε. Weinstantiate the continuous variables by intervals of widthε and consider interval consis-tency which overapproximates real-valued satisfaction s.t. if inconsistency is reportedthen no real-valued solution exists within the interval valuation. In case of provinginterval consistency, a real-valued solution may exist. Consequently, we have a relaxednotion of satisfiability and obtain an upper bound on satisfaction probability.

In the sequel, we present the SSMT layer. LetΦ = Pre : ϕ be an SSMT formula andε some positive real-valued constant. We obtain apartitioned w.r.t.ε quantifier prefix ofPreby replacing the real-valued interval domains dom(x) of all existentially quantifiedreal-valued variablesx in Pre by partitioningsP of dom(x) w.r.t. ε, i.e. dom(x) := P.A state of the SSMT solver is characterized by (Pre, ϕ,M, ρ), whereΦ = Pre : ϕ isan SSMT formula s.t. the domain of each existential real-valued variable inPre is aset of intervals,M is a list of asserted constraints, andρ is an interval valuation. Eachdeduction yields either a new proof state of the same structure, or a final state, i.e.a pair (P, ϕ′) of a probability and a new matrix. In the latter case the deduction chainterminates. If (Pre, ϕ,M, ρ) −→∗S S MT (P, ϕ′) thenP is an upper bound of the probabilityof satisfactionPr(Pre : ϕ). The new matrixϕ′ ⊇ ϕ potentially contains learned conflictclauses, i.e.∀c ∈ ϕ′ − ϕ : (ϕ |= c). Given an SSMT formulaΦ = Pre : ϕ and someε > 0 then the initial state is defined by (Pre′, ϕ, ∅, ρ) wherePre′ is a version ofPre

28

partitioned w.r.t.ε, andρ is the smallest interval valuation which includes all initialvariable domains.

The SSMT layer consists of the following rules. To compute the satisfaction prob-ability according to the semantics of Subsection 3.3, we branch the proof search bychoosingvalues or intervals (of width at mostε) from the domains of the quantifiedvariables. Rules R.6 and R.7 apply if the leftmost quantifieris existential. Whilerule R.6 branches the search (domain size is at least two) andreturns the maximumof both derived probabilities, rule R.7 computes the probability of the last alternative.Note that the domain dom(x) is either a set of values or of intervals. Both cases can beunified in one rule, respectively.

|dom(x)| ≥ 2, v ∈ dom(x),(Pre, ϕ,M, update(ρ, x = v)) −→∗S S MT (P1, ϕ1), consistent(ϕ1,M, ρ),

(∃x ∈ dom(x) \ {v} · Pre, ϕ1,M, ρ) −→∗S S MT (P2, ϕ2)

(∃x ∈ dom(x) · Pre, ϕ,M, ρ) −→S S MT (max(P1,P2), ϕ2)(R.6)

|dom(x)| = 1, v ∈ dom(x),(Pre, ϕ,M, update(ρ, x = v)) −→∗S S MT (P, ϕ′), consistent(ϕ′,M, ρ),

(∃x ∈ dom(x) · Pre, ϕ,M, ρ) −→S S MT (P, ϕ′)(R.7)

whereconsistent(ϕ,M, ρ) := (¬∃cl ∈ ϕ : ∀c ∈ cl : (M · 〈c〉, ρ) −→TS incons)indicates whether the new matrixϕ is consistent with the listM of asserted constraintsand the interval valuationρ. An inconsistency can occur, e.g., if the SMT layer adds aconflict clause to the matrix by rule R.3. In case of inconsistency, we do not need toprobe the remaining alternatives ofx, as these yield satisfaction probability 0. This willbe handled by rules R.10 and R.11. The functionupdate(ρ, x = v) yields the intervalvaluationρ′ s.t. for all variablesy , x : ρ′(y) = ρ(y), andρ′(x) = v if v is an intervalandρ′(x) = [v, v] if v is a value.

Analogously, the branchings rules for the randomized quantifier can be formalized.Here, the domains always consist of finitely many discrete values, and the resultingprobability is the weighted sum.

|dom(x)| ≥ 2, v ∈ dom(x), (v→ pv) ∈ d,(Pre, ϕ,M, update(ρ, x = v)) −→∗S S MT (P1, ϕ1), consistent(ϕ1,M, ρ),

(

R

dx ∈ dom(x) \ {v} · Pre, ϕ1,M, ρ) −→∗S S MT (P2, ϕ2)

(

R

dx ∈ dom(x) · Pre, ϕ,M, ρ) −→S S MT (pv · P1 + P2, ϕ2)(R.8)

|dom(x)| = 1, v ∈ dom(x), (v→ pv) ∈ d,(Pre, ϕ,M, update(ρ, x = v)) −→∗S S MT (P, ϕ′), consistent(ϕ′,M, ρ)

(

R

dx ∈ dom(x) · Pre, ϕ,M, ρ) −→S S MT (pv · P, ϕ′)(R.9)

It may happen that after an SSMT call for branchx = v, all remaining branches forvariablex lead to inconsistent interval valuations and thus to satisfaction probability0. In such a case, we may immediately skip probing all alternative values ofx whilereturning the (weighted) satisfaction probability for branchx = v. In order to find outwhether such a situation is present, we search for inconsistent conflict clauses in thenew matrixϕ′ returned by the SSMT call for branchx = v. Such conflict clauses could

29

be added to the old matrixϕ by rule R.3 during exploration of branchx = v. A clausecl ∈ ϕ′ is inconsistent with the current solver state if each constraint c ∈ cl is incon-sistent withM andρ, i.e. (M · 〈c〉, ρ) −→TS incons. If a clause inϕ′ is inconsistentthen the conjunction of clausesϕ′ is inconsistent. Inconsistency of a clause inϕ′ isformalized byinconsistent(ϕ′,M, ρ) := ¬consistent(ϕ′,M, ρ). Observe that under anyextensionM′ of M and any refinementρ′ of ρ the matrixϕ′ remains inconsistent, i.e.inconsistent(ϕ′,M′, ρ′) is true. This implies that the satisfaction probabilitiesof allremaining branches forx are 0. Rules R.10 and R.11 save unnecessary visits of thesebranches.

v ∈ dom(x),(Pre, ϕ,M, update(ρ, x = v)) −→∗S S MT (P, ϕ′), inconsistent(ϕ′,M, ρ),

(∃x ∈ dom(x) · Pre, ϕ,M, ρ) −→S S MT (P, ϕ′)(R.10)

v ∈ dom(x), (v→ pv) ∈ d,(Pre, ϕ,M, update(ρ, x = v)) −→∗S S MT (P, ϕ′), inconsistent(ϕ′,M, ρ)

(

R

dx ∈ dom(x) · Pre, ϕ,M, ρ) −→S S MT (pv · P, ϕ′)(R.11)

Note that chained executions of that rules, which occur if the returned matrixϕ′ is alsoinconsistent on some previous levels, correspond tonon-chronological backtracking.

All of the aforementioned SSMT rules are designed to deal with existential andrandomized quantification. The following rules embed the SMT layer into the SSMTalgorithm. If the SMT solver can propagate new facts by rule R.1 (unit propagation),rule R.2 (theory propagation), or rule R.3 (clause learning), we lift these deductions tothe SSMT layer.

(ϕ,M, ρ) −→S MT (ϕ′,M′, ρ′),Pre′ = reduce(Pre, ρ′)

(Pre, ϕ,M, ρ) −→S S MT (Pre′, ϕ′,M′, ρ′)(R.12)

The functionreduce(Pre, ρ′) returns a modified prefixPre′ s.t. all values and (sub)in-tervals are removed from the variable domains which are inconsistent with the newinterval valuationρ′.

Whenever the domain of some variable becomes empty by eitherquantifier-domainreduction in rule R.12 or when the current SSMT state is inconsistent within the SMTlayer, we know thatϕ is unsatisfiable over any refinement of the current valuation.Thus, we immediately return probability 0.

∃(Qx ∈ dom(x)) ∈ Pres.t. dom(x) = ∅or

(ϕ,M, ρ) −→S MT incons

(Pre, ϕ,M, ρ) −→S S MT (0, ϕ)(R.13)

If all quantified variables are instantiated, i.e. the prefixis empty, and the SMT rule R.5reports consistency, existence of a satisfying real-valued assignment cannot be refutedby the SMT layer. Thus, we return the upper bound 1 on probability.

(ϕ,M, ρ) −→S MT cons,

(ε, ϕ,M, ρ) −→S S MT (1, ϕ)(R.14)

30

5.3. Soundness and termination of the SSMT algorithm

The algorithm to address SSMT problems was presented in a rule-based form, leav-ing implementation freedom w.r.t., e.g., different branching heuristics in the SSMTlayer, different conflict clause learning schemes in SMT, or the choice of different the-ory solvers. We prove soundness and termination of the SSMT algorithm relative tosoundness and termination of the SMT solver and the underlying theory solvers. Forproofs of such properties for SMT approaches with decidablebackground theories likelinear arithmetic, and for the undecidable case of non-linear arithmetic involving tran-scendental functions, the interested reader is referred to(64) and (11), respectively.

Proposition 2 (Soundness).Assume that each SMT rule(ϕ,M, ρ) −→S MT S is soundin the sense that

• if S = incons then there is no assignment inρ which satisfies the constraintsystem M, and

• if S = (ϕ′,M′, ρ′) thenϕ ⇒ ϕ′, ϕ ∧ M ⇒ M′, and there is no assignment inρ \ ρ′ which satisfies the constraint system M.

LetΦ = Pre : ϕ be an SSMT formula,ε > 0 be some real-valued constant, Pre′ bea partitioned version of Pre w.r.t.ε, andρ be the smallest interval valuation whichincludes all initial domains of the variables V(ϕ). Then, if (Pre′, ϕ, ∅, ρ) −→∗S S MT(P, ϕ′) then Pr(Φ) ≤ P.

Proof. First observe that rule R.12 is based on semantic inferences, which are byassumption sound and constrain the search space such that non-solutions ofϕ areremoved. By the definition of SSMT, non-solutions yield satisfaction probability 0,which is taken into account by the backtrack rules R.10 and R.11, and by the inconsis-tency rule R.13.

In the base cases, i.e. if inconsistency is detected or the quantifier prefix is empty,safe upper bounds for the probabilities are computed by rules R.13 and R.14. (Notethat non-strict upper bounds may be introduced by rule R.14 since we cannot decidesatisfaction here in general.) Now assume the probabilities in the premises of rules R.6–R.11 are safe upper bounds. Then each of these rules computessafe upper probabilitybounds according to the semantics definition. This gives us the inductive argumentcompleting the proof. 2

For termination of the SSMT algorithm, we must limit the number of consecutiveSMT propagation steps in rule R.12, as deduction mechanismslike interval constraintpropagation are not terminating in general. A usual approach in practice enforcing suchtermination is to stop propagation if the progress in the interval narrowing becomesnegligible. Relative to such enforced termination at the SMT layer, termination of theSSMT layer is easy to show: Each SSMT rule except rule R.12 leads directly to a finalstate. It remains to be shown that checking its premise is terminating. The latter holdsby induction since SSMT-calls in a premise are done on smaller problems (either theleftmost element from the finite quantifier prefix or an element from the finite domainof the leftmost quantified variable is removed). The base cases are given by rules R.13and R.14.

31

5.4. Example of the SSMT algorithm

Consider the SSMT formulaΦ =

∃x ∈ [−0.5, 1.5]

R

[1→0.3,2→0.7]y ∈ {1, 2} :

(x2 ≤ 25.3)∧ (x > 0∨ y = 1)∧ (x ≤ 0∨ y = 2)

from Figure 3 which is slightly modified by a smaller intervalfor x for illustrationreasons. Note that this does not affect the probability of satisfaction. Given the pa-rameterε = 0.5, a partitioned domain ofx w.r.t. ε is the setD = {[−0.5, 0], (0, 0.5],(0.5, 1], (1, 1.5]} of intervals, all of width 0.5. Then, the initial proof state is

(∃x ∈ D

R

[1→0.3,2→0.7]y ∈ {1, 2}, ϕ, ∅, ρ),

whereϕ = (x2 ≤ 25.3)∧ (x > 0∨ y = 1)∧ (x ≤ 0∨ y = 2), andρ is given byρ(x) =[−0.5, 1.5], ρ(y) = [1, 2]. By rule R.12, we can execute SMT unit propagation (R.1),i.e.

(ϕ, ∅, ρ) −→S MT (ϕ, 〈x2 ≤ 25.3〉, ρ)

since the first clause is initially unit. This may be followedby SMT theory propaga-tion (R.2). However, fromx2 ≤ 25.3, ICP cannot conclude tighter intervals forx. Notethat for a greater interval ofx, like [−9.8, 10.1] as in Figure 3, ICP would contract it to[−5.03, 5.03]. By rule R.12, we enter the new SSMT state

(∃x ∈ D

R

[1→0.3,2→0.7]y ∈ {1, 2}, ϕ, 〈x2 ≤ 25.3〉, ρ).

Now just rule R.6 or R.10 are applicable. To find out which rulematches, we choosean interval forx, say [−0.5, 0]. The new state is

(R

[1→0.3,2→0.7]y ∈ {1, 2}, ϕ, 〈x2 ≤ 25.3〉, ρ1),

whereρ1(x) = [−0.5, 0] andρ1(y) = ρ(y). Then we can perform unit propagation (R.1)for the second clause (x > 0∨ y = 1), since the theory constraintx > 0 is inconsistentunderρ1.

(ϕ, 〈x2 ≤ 25.3〉, ρ1) −→S MT (ϕ, 〈x2 ≤ 25.3, y = 1〉, ρ1)

Theory propagation (R.2) narrows the interval ofy.

(ϕ, 〈x2 ≤ 25.3, y = 1〉, ρ1) −→S MT (ϕ, 〈x2 ≤ 25.3, y = 1〉, ρ2),

whereρ2(y) = [1, 1] andρ2(x) = ρ1(x). Hence, two executions of rule R.12 lead tostate

(

R

[1→0.3,2→0.7]y ∈ {1}, ϕ, 〈x2 ≤ 25.3, y= 1〉, ρ2).

Note that the domain ofy is also reduced in the prefix. Then there is just one possiblevalue to choose for the randomized variabley. Now take rule R.9, where in its premiserule R.14 is applicable, since no inconsistency can be detected.

(∅, ϕ, 〈x2 ≤ 25.3, y = 1〉, ρ2) −→S S MT (1, ϕ)

32

By rule R.9, we have probability 0.3 = 0.3 · 1.

(

R

[1→0.3,2→0.7]y ∈ {1}, ϕ, 〈x2 ≤ 25.3, y = 1〉, ρ2) −→S S MT (0.3, ϕ)

Here, we know that we have to apply rule R.6 for state

(∃x ∈ D

R

[1→0.3,2→0.7]y ∈ {1, 2}, ϕ, 〈x2 ≤ 25.3〉, ρ)

if we select interval [−0.5, 0] for x. To abridge the example, we assume that in thepremise of rule R.6, the following deduction sequence holds.

(∃x ∈ D \ {[−0.5, 0]}

R

[1→0.3,2→0.7]y ∈ {1, 2}, ϕ, 〈x2 ≤ 25.3〉, ρ) −→∗S S MT (0.7, ϕ)

Then we can compute the maximum of the probabilities calculated in the premise, i.e.max(0.3, 0.7)= 0.7.

(∃x ∈ D

R

[1→0.3,2→0.7]y ∈ {1, 2}, ϕ, 〈x2 ≤ 25.3〉, ρ) −→S S MT (0.7, ϕ)

Hence, an upper bound probability for the SSMT formulaΦ is 0.7, which here also isthe actual probability of satisfaction.

6. Experimental evaluation of the algorithm

In order to evaluate the algorithm proposed in this paper, wehave integrated ourcurrent work on ODE enclosure methods, which extends the approach presented in (5),into the SiSAT tool as described in (4; 48). This prototypical implementation still lackssome of the features presented in this paper; chief among them, it does not supportexistential quantification over continuous domains and itsODE propagation currentlyonly works in forward direction. In constrast to the approach to embedding ODE en-closures as propagators into the iSAT algorithm described in (5), we use Nedialkov’sVNODE-LP (58) as the underlying enclosure mechanism. The reimplementation ofour ODE enclosure layer necessitated by this change is the reason why the tool stilllacks support for backwards propagation, intersection with flow invariants, and severaltechnical optimizations but, on the other hand, allows learning of deduced enclosuresin new clauses – similar to the conflict-driven clause learning rule R.3 described inSection 5.2.

6.1. Case study

In the remainder of this section, we present the quantitative analysis of a networkedcontrol system, starting with an abstract system description and an automaton modelof that system, succeeded by the encoding as an SSMT formula and concluded withthe experimental results obtained when making use of our prototypical implementa-tion. Though the scenario of this case study is of academic nature, it is represen-tative of a number of real-world industrial applications comprising the interplay ofcontrolled continuous processes with feedback control mediated by a communicationnetwork exhibiting communication latencies. Among the frequently used communica-tion protocols in such environments is the class of carrier sense multiple access pro-tocols with collision detection (CSMA/CD) or with randomized collision avoidance

33

process 2

actuator 2

actuator 1

process 1

sensor 1sensor 2

bus

controller

Figure 5: A networked control system

(CSMA/CA), which are popular because of their relatively low average-case latencyand the widespread availability of corresponding network components. The price to bepaid is a broad variation in actual communication latenciesstemming from retries aftercollision detection or random retreat in collision avoidance. The resulting large jitter inthe end-to-end latency of the feedback path poses a major problem in networked con-trol systems. A classical countermeasure is a pessimistic and thus costly dimensioningof the communication network, which results from both the aim of generally keepingthe jitter low and the limited ability of current analysis methods to analyze such sys-tems in their entirety. In the following, we demonstrate that the methods proposed inthis paper are in principle suitable for such an analysis. Inparticular, manipulating aholistic model of the networked control loop, they cover notonly the effects of jitter onthe controlled system, but also the otherwise often neglected dependency of communi-cation frequency and thus collision probability and jitteron the state of the controlledsystem.

The case study of this paper is illustrated in Figure 5. Two processes are to beregulated by a networked control unit. These processes of potentially physical, biolog-ical, or chemical nature are continuously evolving while the actuators may occasionallyswitch some of their controlled inputs, causing a change of the processes’ continuousbehaviors. Periodically, the observable states of the processes are measured by the sen-sors and then transmitted to the controller via the communication bus. The controllerchecks whether the current state of a process requires some modification of its inputs tochange the process’ behavior. If so, the controller sends anadequate data package overthe bus to the corresponding actuator. In the present scenario we assume the bus to bea shared medium subject to collisions, i.e. only one of the sensors or the controller mayuse the bus at a particular time. Obviously, this restriction leads to situations where adevice is ready to send but cannot actually start sending dueto bus occupancy, and alsoto situations where messages get lost due to simultaneous sending of more than one

34

device. In both cases the protocol tries to resolve the undesired situation by randomretreat, i.e., through assigning a random delay before resend to each of the conflictingsenders. Given such a randomized protocol embedded in the described application, aquantitative analysis of the overall system requires a precise exploration of all the pos-sible interleavings between the continuously evolving processes, the timing delays ofthe discrete components, and the probabilistic choices in resolving potential communi-cation conflicts.

6.2. Parallel components model of the case studyAn implementation of the abstract case study motivated above is shown in Figure 6

and Figure 7. We have modelled the system by a set of parallel automata, each reflect-ing particular aspects of the system dynamics. Note that flattening out this concurrentsystem by a product construction would yield a PHA of 26 ·32 ·53 ·7 = 504.000 graph-ical locations and, due to two further Boolean variables signalling successful sends,slightly more than 2 million discrete locations overall. InFigure 6, the plant modelwith its continuous evolution is given by two hybrid automata representing the twoprocesses p1 and p2. If left uncontrolled, each of the processes converges exponen-tially to either+10 or -10, depending on the mode it is in. The task of the controllerwill be to keep the system inside the corridor [−8.8, 8.8] by switching between themodes early enough. Therefore sensors, depicted by the automata s1 and s2, regularlytry to send current measurements of the continuous variables x1 and x2 representingthe continuous state of the plant over the bus to the controller. The controller (cf. Fig-ure 7) comprises a receiver part for each of the sensors (cr1 and cr2), an arbiter (ca)to queue pending messages to be sent to the actuators, and a sender (cs) whose task isto transmit the actual messages to the actuators. In order tocompensate for the antici-pated network delay, the controller already decides to senda switch message whenevera received sensor value falls outside the corridor of [−8.0, 8.0]. Successfully receivingsuch a switch message from the controller, the actuators (a1and a2) perform the switch– modelled by sending an event p1toggle or p2toggle to the respective process p1 orp2.

As the bus protocol is one of the central aspects of the model,a more detailed ex-planation is of interest. As mentioned above, only one device can successfully transmita message over the bus at a particular time. If more than one sender is using the bus,this can be detected afterwards – in practice by, e.g., bus snooping or through lack ofan acknowledge message from the receiver addressed. This behavior is modelled bythe buserror automaton, which switches to its error state as soon asthere is more thanone sender and leaves it only after the last of these senders has ceased sending. Thus,also the last sender can detect that its message has not been transmitted successfully.

According to the implemented protocol, a device has to sensethe bus prior to ac-tually starting to send in order to avoid unnecessary conflicts. If the bus is not freewhen sensing or if an error occurred during transmission, a random retreat scheme isemployed by setting a timer to a random value and waiting for the corresponding du-ration. These random delays can be seen in the automata on theprobabilistic transitionfrom states sense to wait and send to wait respectively. For sensor s1, these are, e.g.,4 time units (t.u.) chosen with probability 0.25, 7 t.u. (probability 0.75), and 13 t.u.(probability 0.25). We chose lower delays for the controller because its messages have

35

sentsucctime≤ next

wait for sendtime≤ next

waittime≤ next

sensetime≤ next

sendtime≤ next

time≥ next/ next′ = time+4,

bus val 1′ = x1

¬ bus free∧ time≥ next

/ next′ = time+ 13

/ next′ = time+ 7

/ next′ = time+ 4

time≥ next

bus free∧ time ≥ next/ next′ = time+ 1

0.25

0.50.25

time≥ next∧ bus error

time≥next

/ next′ =time+ 20

time≥ next∧¬buserror/ next′ = time

Sensor 1 (s1):

sentsucctime≤ next


waittime≤ next

sensetime≤ next

sendtime≤ next

/ next′ = time

/ next′ = time+ 13

0.25

0.50.25

time≥ next

time≥ next/ next′ = time+4,

busval 2′ = x2

bus free∧ time ≥ next/ next′ = time+ 1


time≥ next∧ buserror

/ next′ = time+ 3

/ next′ = time+ 9

time≥next

/ next′ =time+ 20

time≥ next∧¬buserror/ next′ = time

Sensor 2 (s2):

/ next′ = time

buserror(∑

i∈{s1, s2, cs1, cs2}

i.send)≥ 1

¬ buserror(∑

i∈{s1, s2, cs1, cs2}

i.send)≤ 1

Bus error detection (buserror):

s1.send+s2.send+cs1.send+cs2.send> 1

s1.send+ s2.send+ cs1.send+ cs2.send> 1

s1.send+ s2.send+ cs1.send+ cs2.send= 0

s1.send+s2.send+cs1.send+cs2.send≤ 1

bus free(∑

i∈{s1, s2, cs1, cs2}

i.send)= 0

¬ bus free(∑

i∈{s1, s2, cs1, cs2}

i.send)≥ 1

Bus free detection (busfree):

s1.send+s2.send+cs1.send+cs2.send= 0

s1.send+ s2.send+ cs1.send+ cs2.send= 0

s1.send+ s2.send+ cs1.send+ cs2.send≥ 1

s1.send+s2.send+cs1.send+cs2.send≥ 1

˙time= 1

receiving

idle¬ buserror∧¬ cs1.send/ p1 toggle!

cs1.send

bus error

Actuator 1 (a1):

receiving

idle¬ buserror∧¬ cs2.send/ p2 toggle!

cs2.send

bus error

Actuator 2 (a2):

up

x2 =(−x2 + 10)

200

¬up

x2 =(−x2 − 10)

200

x2 =∗

p2 toggle?

Process 2 (p2):

up

x1 =(−x1 + 10)

100

¬up

x1 =(−x1 − 10)

100p1 toggle?

x1 =∗Process 1 (p1):

Time passage:

time= 0

∗Note: there are several variants of this benchmarkwith different initial conditions.

∗Note: there are several variants of this benchmarkwith different initial conditions.

Note:nextis a local variable.

Note:nextis a local variable.

Figure 6: Parallel automata of the case study: bus, sensors,actuators, and continuous processes.

36


waittime≤ next

sensetime≤ next

send1time≤ next

send2time≤ next

idle

sendsucctime≤ next

0.750.25


time≥ next

bus free∧ time ≥ next/next′ = time+ 1

time≥ next∧( ca.send1∨ ca.send12)/ next′ =time+ 4 time≥ next∧

( ca.send2∨ ca.send21)/ next′ =time+ 4

time≥ next∧ buserror

time≥ next∧¬buserror

/ cs sent1 succ′ = truenext′ = time

time≥ next∧¬buserror

/ cs sent2 succ′ = truenext′ = time

processingtime≤ next

actionneeded

processingtime≤ next

idle

actionneeded

idle

send1 send12

send21

idle

send2

/ next′ = time+ 2

/ next′ = time+ 5

¬ ca.idle/ next′ = time

time≥ next∧ bus error

time≥ next/cs sent1 succ′ = falsecs sent2 succ′ = false

Note: nextis a local variable.

Controller arbiter (ca):

Controller receiver for sensor 2 (cr2):

Controller receiver for sensor 1 (cr1):

cs send2 succ

time≥ next

cs send1 succ

time≥ next

s1.sentsucc∧ |busval 1| ≥ 8/ next′ = time+ 2

s2.sentsucc∧ |busval 2| ≥ 8/ next′ = time+ 2

cs sent1 succ

cs sent2 succ

cs sent1 succ∧cr2.actionneeded

cr2.actionneeded∧¬ cs sent1 succ

cs sent1 succ

cs sent2 succ

cr1.actionneeded∧cr2.actionneeded

cs sent2 succ∧cr1.actionneeded

cr1.actionneeded∧¬ cs sent2 succ

cr2.actionneeded

cr1.actionneeded

Controller sender (cs):

Figure 7: Parallel automata of the case study: parts of the controller.

37

both a higher urgency and a lower frequency: it only sends a message if a toggle is re-ally required. The sensor messages on the other hand will often contain measurementsthat will not cause any further reaction, as they will mostlyfrequently indicate that thecurrent control mode can be held.

6.3. Encoding of the system

Each of the automata described above has been manually encoded into SSMT for-mat. Thereby, we have followed the scheme described in Section 4, yet have deviatedfrom strictly applying that scheme where simplifications inthe encoding were obvi-ous. For example, all transitions in the components of the system have deterministicguard conditions such that there no need for existential quantification upon transitionselection. As introduced in Section 4, each instance of the variables in the predicativeencoding describes the system’s state at a particular pointof time. Therefore, paral-lelism demands that each automaton can be interrupted and perform a transition at anymoment, thereby keeping the valuation of its variables constant (often calledstutterjumps). The formula thus explicitly encodes such self loops that are invisible in theautomata depicted in the figures. The different forms of communication between theautomata (using events, shared variables, or state observation) are all mapped to usingthe valuation of the corresponding variables in those partsof the formula encoding tran-sition guards or actions. To compute the duration between two successive snapshotsin a scheduled eventfashion, we introduce a step variable for each of the componentsthat is set to zero whenever the automaton switches between modes (which takes notime) or set to the anticipated flow duration when the automaton is known to reside ina mode (e.g. when a sensor is waiting). In the latter case, thenextvariables (encodingthe temporal position of the next event) are used to determine these durations. Theduration of the global step is thus the minimum of the local steps. For more details, werefer the reader to the input files that contain the complete encoding.7

To evaluate our proposed integration of safe ODE enclosuresinto the SSMT al-gorithm, we compare three different encodings of the continuous behavior. First, weencode the differential equation directly in order to have it handled by thecombinedODE-SSMT solver. As for this example, the closed-form solutions are easily com-putable, in a second encoding the ODE constraints are replaced by the explicit solutionfunctions, thus forming an SSMT model without any ODE constraints. As such so-lution functions are in general not easily obtainable, our third model comprises a safeoverapproximation of the continuous behavior. In order to achieve this, we calculatethe first Taylor terms of the ODE’s exact solution and use the knowledge that any tra-jectory starting within [−10, 10] will never leave that interval to bound the error term.The resulting formula thus performs an Euler step and compensates for the truncation

7To be found athttp://www.avacs.org/Benchmarks/Open/sisat ode benchmark.tar.gz.

38

−15

−10

−5

0

5

10

15

0 50 100 150 200

(I) upwards, exact(I) upwards, stepsize= 1

(I) upwards, stepsize=10

(I) upwards, stepsize=10

(II) downwards, stepsize=10

(II) downwards, stepsize=10

(I) upwards, stepsize= 1

(II) downwards, stepsize= 1(II) downwards, exact(II) downwards, stepsize= 1

x(t)

t

Figure 8: Overapproximation compared to exact solution.

error using the bounded second order Taylor term. For the ODEs

d xd t=−x(t) + 10

r, with r ∈ {100, 200} (I)

d xd t=−x(t) − 10

r, with r ∈ {100, 200} (II)

the solution functions are given by

x(t0 + h) = 10+ e−h/r · (−10+ x(t0)) for (I)

x(t0 + h) = −10+ e−h/r · ( 10+ x(t0)) for (II)

and the overapproximations by

x(t0 + h) ∈ x(t0) + h ·−x(t0) + 10

r+

h2

2·−[0, 20]

r2for (I)

x(t0 + h) ∈ x(t0) + h ·−x(t0) − 10

r+

h2

2·−[−20, 0]

r2for (II)

using [−10, 10] as a safe overapproximation forx(t) in the remainder term. Figure 8illustrates the enclosure characteristics of this overapproximation and its conservative-ness for different stepsizesh andr = 100.

In order to compare this overapproximation with VNODE-LP (58), which weuse internally to enclose the ODE trajectories, we called the VNODE-LP tool withthe given ODE (I) for upwards dynamics andr = 100. Starting for a point valuex(0) = 0, the tool was able to take one step of length 200 to reach the final point di-rectly, calculating a safe enclosure for that pointx(200)= 8.6466471676338[674, 799]in a small fraction of a second. Computing tight interval enclosures for interval-valued initial conditions, e.g. givenx(0) ∈ [0, 3], yields the enclosurex(200) ∈

39

[8.6466471676338674,9.0526530173437188], which is exact up to at least 14 digits –again using only one direct step.

While these three different encodings can be used to reveal the impact of using anODE solver inside the SiSAT algorithm, an additional impactfactor may be the levelof random and existential quantification as well as newly introduced non-determinism.We therefore define four scenarios featuring different characteristics regarding thesecriteria:

1. By replacing the random choices in the model by pre-definedconstant valuesand setting the initial values ofx1 and x2 to 0, the model becomes completelydeterministic. We use this model to validate the behavior ofthe system.

2. Again fixing the initial values ofx1 andx2 to 0 but leaving the randomized quan-tification intact, we get the smallest model that reflects thedescribed behavior,i.e. faithfully represents collisions on the bus and the consequences of randomretreat.

3. The third scenario also uses random quantification but adds existential quantifi-cation for the initial values. Instead of setting them to fixed values, bothx1 andx2 can be set to any value from{−2,−1, 0, 1, 2} independently.

4. In the fourth scenario, a level of non-determinism for theinitial values ofx1and x2 is added. Instead of assigning the values from the existential quanti-fier’s domain directly, they are used to mapx1 and x2 to initial ranges from{[−2,−1], [−1, 0], [0, 1], [1,2]}.

For each of these scenarios, the three different encodings of the continuous dynamicshave been generated.

6.4. Analysis and results

The goal of the controller is to keep the continuous variables inside the interval[−8.8, 8.8]. We thus are interested in the failure probability of the system, i.e. leavingthis interval in at least one dimension. This goal is added toour encodings of the systemas a description of the target states. The sample traces obtained from the first scenarioshow that this goal is reachable. Figure 9 depicts one of those sample traces with aBMC unwinding depth of 500 for the encoding comprising ODEs.As can easily beseen from the figure, the trace clearly reflects the intended system behavior.

For the other three scenarios, we do not report single tracesbut the computed upperbounds of the probabilities to reach a target state, i.e. forx1 or x2 to become greater than8.8 or less than−8.8. The experiments were performed in parallel on a 16 core 2.4GHzAMD Opteron machine with 128 GB physical memory. The overallcomputation timefor each of the 12 models (resulting from four scenarios and three encodings each) waslimited to one week. We stopped computation at a BMC unwinding depth of 500 orafter reaching that deadline.

For the three scenarios involving random quantification, Figure 10 depicts the up-per bounds on the worst-case probabilities resulting from the different encodings of thecontinuous behavior. It shows that the probabilities computed for the models incor-porating ODEs and the models using the closed-form solutions coincide in all caseswhere the algorithms delivered analysis results within thegiven limit on runtime. Fur-thermore, the upper bounds on the probabilities obtained onthe overapproximation

40

bus_errorbus_free

0 100 200 300 400 500

s1_waits1_send_succ

s1_sends1_wait_send

s1_sense

0 100 200 300 400 500

cr1_action_neededcr1_processing

cr1_idle

0 100 200 300 400 500

s2_waits2_send_succ

s2_sends2_wait_send

s2_sense

0 100 200 300 400 500

cr2_action_neededcr2_processing

cr2_idle

0 100 200 300 400 500

ca_send21ca_send12ca_send2ca_send1

ca_idle

0 100 200 300 400 500

cs_sent_2_success

cs_sent_1_success

cs_wait

cs_send_succ

cs_send2

cs_send1

cs_wait_send

cs_sense

cs_idle

0 100 200 300 400 500

p1_upa1_receiving

a1_idle

0 100 200 300 400 500

−10

−5

0

5

10

0 100 200 300 400 500

p1_x

p2_upa2_receiving

a2_idle

0 100 200 300 400 500

−10

−5

0

5

10

0 100 200 300 400 500

p2_x

target_reached

0 100 200 300 400 500time

Figure 9: Sample trace for the first scenario (i.e. without random quantification and fixed initial conditions)with direct ODE encoding. The time-axis is given by the actual time variable. The trace was calculated for500 BMC steps, i.e. each graph consists of 500 sample points,which have been connected for illustrationpurposes only.

41

1e−08

1e−07

1e−06

1e−05

0.0001

0.001

0.01

0.1

1

45 50 55 60 65 70 75 80 85 90 95 100 105

1e−07

1e−06

1e−05

30 35 40 45 50 55

1e−07

1e−06

1e−05

0.0001

0.001

0.01

35 40 45 50 55 60 65 70

prob.

prob.prob.

−0.1

0

0.1

0.2

0.3

0.4

0.5

0 20 40 60 80 100 120 140 160

one initial point, ODEone initial point, overapproximation

one initial point, solution

−0.1

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0 10 20 30 40 50 60 70 80 90 100

many initial points, ODEmany initial points, overapproximation

many initial points, solution

−0.0001

0

0.0001

0.0002

0.0003

0.0004

0.0005

0 10 20 30 40 50 60 70

initial intervals, ODEinitial intervals, overapproximation

initial intervals, solution

(b)

ODE

overapproximation

(a)

(c)

solution

solution

overapproximation

ODE

BMC depths

BMC depths BMC depths

overapproximation

ODE

solution

(d)

Figure 10: Calculated maximum probabilities for the three different scenarios comprising random quantifi-cation: (a) scenario two with one fixed initial point, (b) scenario three with existential quantification of theinitial point, (c) scenario four with existential quantification mapped to initial ranges. Subfigure (d) showsinteresting excerpts in logarithmic scale to visualize thequickly growing gap between the overapproximationand the ODE/solution results.

(d)

(b)(a)

(c)

1 1

1

11

1

23

3

2

2

3

3

2

2

3

31

23

1

23

2

0.01

0.1

1

10

100

1000

10000

100000

1e+06

0 50 100 150 200 250 300 350 400 450 500

no random, one initial point, ODEno random, one initial point, overapproximation

no random, one initial point, solution

0.01

0.1

1

10

100

1000

10000

100000

1e+06

0 20 40 60 80 100 120 140 160

one initial point, ODEone initial point, overapproximation

one initial point, solution

BMC depths BMC depths

BMC depths

runtime [s] runtime [s]

BMC depths

runtime [s] runtime [s]

0.01

0.1

1

10

100

1000

10000

100000

1e+06

0 10 20 30 40 50 60 70 80 90 100

many initial points, ODEmany initial points, overapproximation

many initial points, solution

0.01

0.1

1

10

100

1000

10000

100000

1e+06

0 10 20 30 40 50 60 70

initial intervals, ODEinitial intervals, overapproximation

initial intervals, solution

Figure 11: Runtimes for the four scenarios of the case study:(a) scenario without random quantification andwith fixed initial value, (b) scenario two with random quantification and fixed initial point, (c) scenario threewith existential quantification of the initial point, (d) scenario four with existential quantification mapped toinitial ranges.

42

are never tighter than those computed via ODE solving or closed-form solutions, i.e.they either coincide or are weaker in the sense of being strictly greater. The resultseven suggest that there is an exponentially growing gap (cf.Figure 10 (d)) betweenthe probabilities computed via the overapproximation and the ones calculated by ODEsolving.

The runtimes are shown in Figure 11. Clearly, the solver performs best on the mod-els making use of the exact solution, as expected. The runtimes for the overapproxi-mating model stay very close to those of the exact solution for low unwinding depths,however increase dramatically later on. This is most likelydue to the increased coarse-ness of the approximation, which causes a greater amount of non-determinism in themodel. The solver thus has to cover a rapidly growing search space, e.g. whenever theoverapproximated trajectories could either satisfy a transition guard or not, the solverhas to investigate both options. Compared to the model encoding the exact solution, theoverhead of using the embedded ODE solver is clearly noticeable. However, at least inthe first two scenarios, at some point, the runtimes for the overapproximation exceedthose for the ODE version and subsequently the ODE-enabled solver outperforms theone using the overapproximation. For the other two scenarios, a similar behavior isexpected to occur eventually, as the runtime curves for the overapproximation versiongrow more steeply than the ones for the ODE version. The data collected within theruntime limitations is, however, insufficient to reveal an actual intersection between therespective curves in these scenarios.

Our experiments indicate that integrating ODE enclosure methods into the SiSATtool is a promising approach. The combined algorithm using ODE enclosures outper-forms the solver on a model using overapproximation of the continuous dynamics interms of tightness of the calculated probabilities and in atleast some of the scenar-ios even in terms of solver runtimes. Obviously, whenever the closed-form solutionis readily available and expressible in the constraint language – with the latter not be-ing very restrictive due to the rich set of arithmetic operators supported by SiSAT –one should make use of it. However, as closed-form solutionsto differential equationsare only available for a small subset of the ODEs encounteredin models of technicalsystems, a solver that supports direct use of ODEs is much more versatile in practice.

7. Conclusion

This paper has given a detailed account of a symbolic encoding of probabilisticbounded reachability problems of dense-time probabilistic hybrid automata, togetherwith a generalized SMT procedure determining the satisfaction probability of that en-coding based on DPLL-style proof search and arithmetic constraint solving coveringboth non-linear arithmetics and ODEs. These ingredients provide a technique for ana-lyzing probabilistic hybrid systems without resorting to approximation by intermediatefinite-state abstractions and, due to the fully symbolic manipulation of discrete statesfacilitated by DPLL, without flattening out concurrent systems, thus potentially en-hancing accuracy and scalability of the analysis algorithms. The solving algorithmemploys a tight integration of constraint solvers that has not been published beforeand which provides a completely new functionality. It is, however, built from compo-nents that have previously been implemented: An SMT-like procedure handling large

43

Boolean combinations of non-linear arithmetic constraints, as encountered in the tran-sition dynamics of general hybrid systems, has been implemented in the iSAT tool (11).Its combination with safe enclosures for ODEs facilitatingSMT reasoning over flowsin hybrid systems has been prototypically implemented in (5). Finally, a unification ofSMT and stochastic SAT called SSMT has been explored in (4) and applied to discrete-time probabilistic hybrid automata in (1; 48). Our novel contribution here is to, first,unite those lines and, second, remove the severe semantic limitations of the originalSSMT approach. This permits a generalization to dense-timeprobabilistic hybrid sys-tems and non-deterministic assignments.

Acknowledgements.We would like to thank our colleagues in the Transregional Re-search Center “AVACS” (Automatic Verification and Analysisof Complex Systems)for their contributions to the technologies underlying thecombination of SMT tech-niques suggested herein. In particular, we would like to thank Holger Hermanns andLijun Zhang for familiarizing us with probabilistic model checking in general and theintricacies of step-bounded probabilistic properties in particular, Stefan Ratschan forintroducing us to interval constraint propagation and for discussing constraint-basedreasoning over ODEs, and Christian Herde, Natalia Kalinnik, Stefan Kupferschmid,Tobias Schubert, and Bernd Becker for jointly developing and implementing the iSATalgorithm. Finally, we would like to thank the anonymous reviewers for their extremelyhelpful and exceptionally detailed comments.

References

[1] M. Franzle, H. Hermanns, T. Teige, Stochastic Satisfiability Modulo Theory: ANovel Technique for the Analysis of Probabilistic Hybrid Systems, in: M. Egerst-edt, B. Mishra (Eds.), Proceedings of the 11th International Conference on Hy-brid Systems: Computation and Control (HSCC’08), Vol. 4981of Lecture Notesin Computer Science, Springer, 2008, pp. 172–186.

[2] G. Audemard, M. Bozzano, A. Cimatti, R. Sebastiani, Verifying industrial hybridsystems with mathsat, Electr. Notes Theor. Comput. Sci. 119(2) (2005) 17–32.

[3] M. Franzle, C. Herde, HySAT: An efficient proof engine for bounded modelchecking of hybrid systems, Formal Methods in System Design30 (2007) 179–198.

[4] T. Teige, M. Franzle, Stochastic Satisfiability moduloTheories for Non-linearArithmetic, in: L. Perron, M. A. Trick (Eds.), Integration of AI and OR Tech-niques in Constraint Programming for Combinatorial Optimization Problems, 5thInternational Conference, CPAIOR 2008, Vol. 5015 of Lecture Notes in Com-puter Science, Springer, 2008, pp. 248–262.

[5] A. Eggers, M. Franzle, C. Herde, SAT modulo ODE: A directSAT approach tohybrid systems, in: S. S. Cha, J.-Y. Choi, M. Kim, I. Lee, M. Viswanathan (Eds.),Proceedings of the 6th International Symposium on Automated Technology forVerification and Analysis (ATVA’08), Vol. 5311 of Lecture Notes in ComputerScience, Springer, 2008, pp. 171–185.

44

[6] J. F. Groote, J. W. C. Koorn, S. F. M. van Vlijmen, The Safety Guaranteeing Sys-tem at Station Hoorn-Kersenboogerd, in: Conference on Computer Assurance,National Institute of Standards and Technology, 1995, pp. 57–68.

[7] A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic model checking without BDDs,in: TACAS’99, Vol. 1579 of Lecture Notes in Computer Science, Springer Verlag,1999, pp. 193–207.

[8] M. Bozzano, R. Bruttomesso, A. Cimatti, T. A. Junttila, P. van Rossum, S. Schulz,R. Sebastiani, The MathSAT 3 system, in: Conf. on Automated Deduction, Vol.3632 of Lecture Notes in Computer Science, Springer Verlag,2005, pp. 315–321.

[9] B. Dutertre, L. de Moura, A Fast Linear-Arithmetic Solver for DPLL(T), in: Pro-ceedings of the 18th Computer-Aided Verification Conference, Vol. 4144 of Lec-ture Notes in Computer Science, Springer-Verlag, 2006, pp.81–94.

[10] A. Bauer, M. Pister, M. Tautschnig, Tool-support for the analysis of hybrid sys-tems and models, in: DATE ’07: Proceedings of the Conferenceon Design, Au-tomation and Test in Europe, EDA Consortium, San Jose, CA, USA, 2007, pp.924–929.

[11] M. Franzle, C. Herde, T. Teige, S. Ratschan, T. Schubert, Efficient Solving ofLarge Non-linear Arithmetic Constraint Systems with Complex Boolean Struc-ture, Journal on Satisfiability, Boolean Modeling and Computation – Special Is-sue on SAT/CP Integration 1 (2007) 209–236.

[12] E. Abraham, B. Becker, F. Klaedke, M. Steffen, Optimizing bounded modelchecking for linear hybrid systems, in: Proceedings of VMCAI’05 (Verification,Model Checking, and Abstraction), Vol. 3385 of Lecture Notes in Computer Sci-ence, Springer-Verlag, Paris, 2005, pp. 396–412.

[13] E. Abraham, T. Schubert, B. Becker, M. Franzle, C. Herde, Parallel SATsolving in bounded model checking, Journal of Logic and Computation,doi:10.1093/logcom/exp002.

[14] J. Sproston, Model checking of probabilistic timed andhybrid systems, Ph.D.thesis, University of Birmingham (2000).

[15] A. Bemporad, S. D. Cairano, Optimal control of discretehybrid stochastic au-tomata, in: Hybrid Systems: Computation and Control, Vol. 3414 of LectureNotes in Computer Science, Springer, 2005, pp. 151–167.

[16] M. Davis, Markov Models and Optimization, Chapman & Hall, London, 1993.

[17] L. Arnold, Stochastic Differential Equations: Theory and Applications, Wiley -Interscience, 1974.

[18] J. Hu, J. Lygeros, S. Sastry, Towards a theory of stochastic hybrid systems, in:Hybrid Systems: Computation and Control, Vol. 1790 of Lecture Notes in Com-puter Science, Springer-Verlag, 2000, pp. 160–173.

45

[19] M. L. Bujorianu, J. Lygeros, Toward a general theory of stochastic hybrid sys-tems, in: Stochastic Hybrid Systems: Theory and Safety Critical Applications,Vol. 337 of Lecture Notes in Control and Information Sciences, Springer-Verlag,2006, pp. 3–30.

[20] C. G. Cassandras, J. Lygeros (Eds.), Stochastic HybridSystems, CRC/ Taylor &Francis, 2007.

[21] H. A. Blom, J. Lygeros (Eds.), Stochastic Hybrid Systems: Theory and SafetyCritical Applications, Vol. 337 of Lecture Notes in Controland Information Sci-ences, Springer-Verlag, 2006.

[22] D. Riley, X. D. Koutsoukos, K. Riley, Reachability analysis of a biodiesel pro-duction system using stochastic hybrid systems, in: 15th IEEE MediterraneanConference on Control and Automation (MED’07), 2007, pp. 1–6.

[23] H. A. P. Blom, J. Krystul, G. J. Bakker, A particle systemfor safety verificationof free flight in air traffic, in: Decision and Control, IEEE, 2006, pp. 1574–1579.

[24] J. P. Hespanha, Polynomial stochastic hybrid systems,in: Hybrid Systems: Com-putation and Control, Vol. 3414 of Lecture Notes in ComputerScience, Springer,2005, pp. 322–338.

[25] S. Amin, A. Abate, M. Prandini, J. Lygeros, S. Sastry, Reachability analysis ofcontrolled discrete-time stochastic hybrid systems, in: Hybrid Systems: Compu-tation and Control, Vol. 3927 of Lecture Notes in Computer Science, SpringerVerlag, 2006, pp. 49–63.

[26] M. L. Bujorianu, J. Lygeros, Reachability questions inpiecewise deterministicmarkov processes, in: Hybrid Systems: Computation and Control, Vol. 2623 ofLecture Notes in Computer Science, Springer, 2003, pp. 126–140.

[27] X. D. Koutsoukos, D. Riley, Computational methods for reachability analysis ofstochastic hybrid systems, in: J. P. Hespanha, A. Tiwari (Eds.), HSCC, Vol. 3927of Lecture Notes in Computer Science, Springer Verlag, 2006, pp. 377–391.

[28] J. Sproston, Decidable model checking of probabilistic hybrid automata, in:FTRTFT 2000, Vol. 1926 of Lecture Notes in Computer Science,Springer, 2000,pp. 31–45.

[29] S. M. Majercik, Stochastic boolean satisfiability, in:Biere et al. (65), Ch. 27, pp.887–925.

[30] Xiangbo Feng, K. A. Loparo, Yuandong Ji, H. J. Chizeck, Stochastic stabil-ity properties of jump linear systems, IEEE Transactions onAutomatic Control37 (1) (1992) 38–53.

[31] M. H. A. Davis, Piecewise-deterministic markov processes: A general class ofnon-diffusion stochastic models, Journal of the Royal Statistical Society 46 (3)(1984) 353–384.

46

[32] R. Bellman, A Markovian decision process., J. Math. Mech. 6 (1957) 679–684.

[33] C. Baier, H. Hermanns, J.-P. Katoen, B. R. Haverkort, Efficient computation oftime-bounded reachability probabilities in uniform continuous-time markov de-cision processes, Theorertical Computer Science 345 (1) (2005) 2–26.

[34] C. Barrett, R. Sebastiani, S. A. Seshia, C. Tinelli, Satisfiability modulo theories,in: Biere et al. (65), Ch. 26, pp. 825–885.

[35] C. H. Papadimitriou, Games against nature, J. Comput. Syst. Sci. 31 (2) (1985)288–301.

[36] T. Walsh, Stochastic constraint programming, in: Proc. of the 15th EuropeanConference on Artificial Intelligence (ECAI’02), IOS Press, 2002, pp. 111–115.

[37] A. Cimatti, M. Pistore, M. Roveri, R. Sebastiani, Improving the encoding of LTLmodel checking into SAT, in: A. Cortesi (Ed.), VMCAI, Vol. 2294 of LectureNotes in Computer Science, Springer, 2002, pp. 196–207.

[38] E. C. R. Hehner, Predicative programming, Communications of the ACM 27(1984) 134–151.

[39] A. Pnueli, The temporal logic of programs, in: FOCS, IEEE, 1977, pp. 46–57.

[40] M. Davis, H. Putnam, A Computing Procedure for Quantification Theory, Journalof the ACM 7 (3) (1960) 201–215.

[41] M. Davis, G. Logemann, D. Loveland, A Machine Program for Theorem Proving,Communications of the ACM 5 (1962) 394–397.

[42] M. L. Littman, S. M. Majercik, T. Pitassi, Stochastic Boolean Satisfiability, Jour-nal of Automated Reasoning 27 (3) (2001) 251–296.

[43] S. M. Majercik, M. L. Littman, MAXPLAN: A New Approach toProbabilisticPlanning, in: Artificial Intelligence Planning Systems, 1998, pp. 86–93.

[44] S. M. Majercik, APPSSAT: Approximate probabilistic planning using stochasticsatisfiability, Int. J. Approx. Reasoning 45 (2) (2007) 402–419.

[45] R. J. Bayardo, R. Schrag, Using CSP look-back techniques to solve real-worldSAT instances, in: Proceedings of the Fourteenth National Conference on Ar-tificial Intelligence and Ninth Innovative Applications ofArtificial IntelligenceConference, AAAI 97, IAAI 97, July 27-31, 1997, Providence,Rhode Island,AAAI Press/ The MIT Press, 1997, pp. 203–208.

[46] L. Zhang, C. F. Madigan, M. H. Moskewicz, S. Malik, Efficient conflict drivenlearning in a Boolean satisfiability solver, in: ICCAD’01: Proceedings of the2001 IEEE/ACM international conference on Computer-aided design, IEEEPress, Piscataway, NJ, USA, 2001, pp. 279–285.

47

[47] S. Majercik, Nonchronological backtracking in stochastic Boolean satisfiability,in: Tools with Artificial Intelligence, 2004. ICTAI 2004. 16th IEEE InternationalConference on, IEEE Computer Society, 2004, pp. 498–507.

[48] T. Teige, M. Franzle, Constraint-Based Analysis of Probabilistic Hybrid Systems,in: A. Giua, C. Mahulea, M. Silva, J. Zaytoon (Eds.), Proc. ofthe 3rd IFACConference on Analysis and Design of Hybrid Systems (ADHS’09), IFAC, 2009,pp. 162–167.

[49] J. Greifeneder, J. Frey, Probabilistic hybrid automata with variable step widthapplied to the analysis of networked automation systems, in: Proc. 3rd IFACWorkshop on Discrete Event System Design (DESDes’06), 2006, pp. 283–288.

[50] F. Benhamou, L. Granvilliers, Continuous and intervalconstraints, in: F. Rossi,P. van Beek, T. Walsh (Eds.), Handbook of Constraint Programming, Foundationsof Artificial Intelligence, Elsevier, Amsterdam, 2006, Ch.16, pp. 571–603.

[51] R. E. Moore, Interval Analysis, Prentice Hall, Englewood Cliffs, NJ, 1966.

[52] F. Benhamou, D. McAllester, P. Van Hentenryck, CLP(intervals) revisited, in:M. Bruynooghe (Ed.), International Symposium on Logic Programming, MITPress, Ithaca, NY, USA, 1994, pp. 124–138.

[53] F. Benhamou, Heterogeneous constraint solving, in: Proc. of the Fifth Interna-tional Conf. on Algebraic and Logic Programming, Vol. 1139 of LNCS, Springer,1996, pp. 62–76.

[54] A. Neumaier, Interval Methods for Systems of Equations, Cambridge Univ. Press,Cambridge, 1990.

[55] T. Hickey, Q. Ju, M. van Emden, Interval arithmetic: from principles to imple-mentation, Journal of the ACM 48 (5) (2001) 1038–1068.

[56] R. Moore, Interval analysis, Prentice-Hall EnglewoodCliffs, NJ, 1966.

[57] R. Lohner, Einschließung der Losung gewohnlicher Anfangs- und Randwertauf-gaben, Ph.D. thesis, Fakultat fur Mathematik der Universitat Karlsruhe, Karlsruhe(1988).

[58] N. S. Nedialkov, Interval Tools for ODEs and DAEs, Tech.Rep. CAS 06-09-NN, McMaster University, Hamilton, ON, L8S 4K1, Canada,http://

www.cas.mcmaster.ca/∼nedialk/PAPERS/intvtools/intvtools.pdf

(November 2006).

[59] M. Berz, K. Makino, Verified Integration of ODEs and Flows Using Differen-tial Algebraic Methods on High-Order Taylor Models, Reliable Computing 4 (4)(1998) 361–369.

[60] K. Makino, M. Berz, Suppression of the wrapping effect by Taylor model-basedverified integrators: Long-term stabilization by preconditioning, InternationalJournal of Differential Equations and Applications 10 (4) (2005) 353–384.

48

[61] K. Makino, M. Berz, Suppression of the wrapping effect by Taylor model-basedverified integrators: The single step, International Journal of Pure and AppliedMathematics 36 (2) (2006) 175–197.

[62] A. Girard, Reachability of uncertain linear systems using zonotopes, in:M. Morari, L. Thiele (Eds.), Hybrid Systems: Computation and Control, Vol.3414 of Lecture Notes in Computer Science, Springer, 2005, pp. 291–305.

[63] T. J. Hickey, D. K. Wittenberg, Rigorous modeling of hybrid systems using inter-val arithmetic constraints, in: R. Alur, G. J. Pappas (Eds.), HSCC, Vol. 2993 ofLecture Notes in Computer Science, Springer, 2004, pp. 402–416.

[64] R. Nieuwenhuis, A. Oliveras, C. Tinelli, Solving SAT and SAT Modulo Theories:From an abstract Davis–Putnam–Logemann–Loveland procedure to DPLL(T), J.ACM 53 (6) (2006) 937–977.

[65] A. Biere, M. J. H. Heule, H. van Maaren, T. Walsh (Eds.), Handbook of Satisfia-bility, Vol. 185 of Frontiers in Artificial Intelligence andApplications, IOS Press,2009.

49

Documents

Engineering Constraint Solvers for Automatic Analysis of ... · PDF fileEngineering Constraint Solvers for Automatic Analysis of Probabilistic Hybrid ... Research Group Hybrid Systems