The Symbolic Approach to Hybrid Systems Tom Henzinger University of California, Berkeley

Discrete (transition) system

Continuous (dynamical) system Q = R n

Discrete (transition) system Continuous (dynamical) system Hybrid system jumps flows Q = R n

Discrete (transition) system Continuous (dynamical) system Hybrid system jumps flows Q = R n -nondeterministic -time abstract

A Thermostat States x  R temperature h  { on, off }heat

A Thermostat States x  R temperature h  { on, off }heat Flows f 1 Y h = on  x' = K  (H-x) f 2 Y h = off  x' = -K  x invariants

A Thermostat States x  R temperature h  { on, off }heat Flows f 1 Y h = on  x' = K  (H-x) f 2 Y h = off  x' = -K  x Jumps j 1 Y h = on  h := off j 2 Y h = off  h := on guards

j1j1 j2j2 h = on h = off f1f1 f2f2 x

A Thermostat States x  R temperature h  { on, off }heat t  R timer Flows f 1 Y h = on  t  U  x' = K  (H-x); t' := 1 f 2 Y h = off  t  U  x' = -K  x; t' := 1 Jumps j 1 Y h = on  t  L  h := off; t' := 0 j 2 Y h = off  t  L  h := on; t' := 0

A Thermostat States x  R temperature h  { on, off }heat t  R timer Flows f 1 Y h = on  t  U  x' = K  (H-x); t' = 1 f 2 Y h = off  t  U  x' = -K  x; t' = 1 Jumps j 1 Y h = on  t  L  h := off; t := 0 j 2 Y h = off  t  L  h := on; t := 0

A Thermostat States x  R temperature h  { on, off }heat t  R timer Flows f 1 Y h = on  t  U  x' = K  (H-x); t' = 1 f 2 Y h = off  t  U  x' = -K  x; t' = 1 Jumps j 1 Y h = on  t  L  h := off; t := 0 j 2 Y h = off  t  L  h := on; t := 0

x t x t LU h = on h = off f1f1

x t x t LU h = on h = off j1j1 f1f1

x t x t LU h = on h = off j1j1 f1f1 f2f2

x t x t LU h = on h = off j1j1 j2j2 f1f1 f2f2

x t x t LU h = on h = off j1j1 j2j2 f1f1 f2f2

x t LU Step 1: Discretize f2f2

Transition System Qset of states  set of actions post: Q    2 Q successor function

Transition System Qset of states  set of actions post: Q    2 Q successor function Thermostat Q = R 2  { on, off }  = { f 1, f 2, j 1, j 2 } post ( x, t, on, j 1 ) = { (x, 0, off) }if t  L  if t < L {

Transition System Qset of states  set of actions post: Q    2 Q successor function Thermostat Q = R 2  { on, off }  = { f 1, f 2, j 1, j 2 } post ( x, t, on, j 1 ) = post ( x, t, on, f 1 ) = { (x, 0, off) }if t  L  if t < L { { infinite set if t U

x t x t LU h = on h = off R Step 2: Lift

x t x t LU h = on h = off R post(R,f 2 ) Step 2: Lift

x t x t LU h = on h = off R post(R,f 2 ) post( post(R,f 2 ), j 2 ) Step 2: Lift

Lifted Transition System Q  post: 2 Q    2 Q post(R,  ) =  q  Q post(q,  )

Lifted Transition System Q  post: 2 Q    2 Q post(R,  ) =  q  Q post(q,  ) pre: 2 Q    2 Q pre(R,  ) =  q  Q pre(q,  )

x t x t LU h = on h = off R

x t x t LU h = on h = off R pre(R,f 2 )

x t x t LU h = on h = off R pre(R,f 2 ) pre( pre(R,f 2 ), j 2 )

x t x t LU h = on h = off Step 3: Observe 0 < x < 1 3 < x < 4 2 < x < 3 1 < x < 2

Observed Transition System Q  pre, post: 2 Q    2 Q A = { a 1, a 2, a 3, … }set of observations Q a3a3 a2a2 a1a1

Observed Transition System Q  pre, post: 2 Q    2 Q A set of observations Thermostat A = { on, off } [ { x = c, c < x < c+1 | c  Z }

Symbolic Transition System Q  pre, post A  = { R 1, R 2, … } set of regions R i  Q 1. A   2. pre, post:      computable 3. Å :  2   \ :  2   computable  :  2  { t, f } Region algebra:

Symbolic Transition System 1. Local computation: Region Operations Compute pre, post, Å, \, and  on regions in . 2. Global computation: Symbolic Semi-Algorithms Starting from the observations in A, compute new regions in  by applying the operations pre, post, Å, \, and .

Region Algebra If -Q is the valuations for a set X:Vals of typed variables, -the effect of transitions can be expressed using Ops on Vals, -the first-order theory FO(Vals,Ops) admits quantifier elimination, then the quantifier-free fragment ZO(Vals,Ops) is a region algebra. This is because each pre and post operation is a quantifier elimination: pre(R(X)) = (  X) (Trans(X,X)  R(X))

Q = B m  R n Invariants and guards: boolean and linear constraints, e.g. a  (3x 1 + x 2  7) Flows: rectangular differential inclusions, e.g. x' 1  [1,2] Jumps: boolean and linear constraints, e.g. x 2 := 2x 1 + x 2 +1 Example: Polyhedral Hybrid Automata

Q = B m  R n Invariants and guards: boolean and linear constraints, e.g. a  (3x 1 + x 2  7) Flows: rectangular differential inclusions, e.g. x' 1  [1,2] Jumps: boolean and linear constraints, e.g. x 2 := 2x 1 + x 2 +1 A = set of boolean valuations and integral polyhedra in R n Example: Polyhedral Hybrid Automata

Q = B m  R n Invariants and guards: boolean and linear constraints, e.g. a  (3x 1 + x 2  7) Flows: rectangular differential inclusions, e.g. x' 1  [1,2] Jumps: boolean and linear constraints, e.g. x 2 := 2x 1 + x 2 +1 A = set of boolean valuations and integral polyhedra in R n  = set of boolean valuations and rational polyhedra in R n x = … ZO(Q, ,+) Example: Polyhedral Hybrid Automata

FO(Q, ,+) admits quantifier elimination, hence ZO(Q, ,+) is a region algebra. Jump j: Y x 1  x 2  x 2 := 2x 1 -1 pre( 1  x 1  x 2  2, j ) = (  x 1, x 2 ) ( x 1  x 2  x 1 = x 1  x 2 = 2x 1 -1  1  x 1  x 2  2) Example: Polyhedral Hybrid Automata

Jump j: Y x 1  x 2  x 2 := 2x 1 -1 pre( 1  x 1  x 2  2, j ) = (  x 1, x 2 ) ( x 1  x 2  x 1 = x 1  x 2 = 2x 1 -1  1  x 1  x 2  2) = x 1  x 2  1  x 1  2x 1 -1  2 = x 1  x 2  1  x 1  3/2 Example: Polyhedral Hybrid Automata FO(Q, ,+) admits quantifier elimination, hence ZO(Q, ,+) is a region algebra.

x1x1 x2x2 R

x1x1 x2x2 R pre(R,j)

Flow f: Y x 1  x 2  x' 1  [1,2]; x' 2 = 1 pre( 1  x 1  x 2  2, f ) = (  1  k 1  2) (    0) (1  x 1 + k 1   x 2 +   2  (  0     ) ( x 1 + k 1   x 2 +  )) Example: Polyhedral Hybrid Automata

Flow f: Y x 1  x 2  x' 1  [1,2]; x' 2 = 1 pre( 1  x 1  x 2  2, f ) = (  1  k 1  2) (    0) (1  x 1 + k 1   x 2 +   2  (  0     ) ( x 1 + k 1   x 2 +  )) = (    0) (   d 1  2  ) (1  x 1 +d 1  x 2 +   2  x 1  x 2  x 1 +d 1  x 2 +  ) convex guards Example: Polyhedral Hybrid Automata

Flow f: Y x 1  x 2  x' 1  [1,2]; x' 2 = 1 pre( 1  x 1  x 2  2, f ) = (  1  k 1  2) (    0) (1  x 1 + k 1   x 2 +   2  (  0     ) ( x 1 + k 1   x 2 +  )) = (    0) (   d 1  2  ) (1  x 1 +d 1  x 2 +   2  x 1  x 2  x 1 +d 1  x 2 +  ) = (    0) ( x 1  x 2  1  x 1 +2   1  x 2 +  2) = x 1  x 2  x 2  2  2 x 2  x 1 +3 convex guards Example: Polyhedral Hybrid Automata

x1x1 x2x2 R pre(R,f) f

x y

far x’  [-50,-40] x  1000 near x’  [-50,-30] x  0 past x’  [30,50] x  100 x = 1000 x = 0 x = 100  x :  [2000,  ) app! exit! app exit train x: initialized rectangular variable

up y’ = 9 open y’ = 0 raise lower gate y: uninitialized singular variable y  90 y = 90 down y’ = -9 closed y’ = 0 y  0 y = 0 raise?lower?raise? lower?

t’ = 1 t   t := 0 app? lower! t’ = 1 t   t := 0 exit? raise! appexit idle controller raiselower t: clock variable  : design parameter

Properties Safety:   ( x  10  loc[gate] = closed ) “on all trajectories, always” For which values of  is this true?

Safety:   ( x  10  loc[gate] = closed ) Liveness:     ( loc[gate] = open ) “on all trajectories, eventually” Properties

Safety:   ( x  10  loc[gate] = closed ) Liveness:     ( loc[gate] = open ) Real time:   z := 0. ( z’ = 1    ( loc[gate] = open  z  60 )) clock variable Properties

Safety:   ( x  10  loc[gate] = closed ) Liveness:     ( loc[gate] = open ) Real time:   z := 0. ( z’ = 1    ( loc[gate] = open  z  60 )) Nonzeno:   z := 0. ( z’ = 1    ( z = 1 )) “on some trajectory, eventually” Properties

A Zeno System y x left x’ = 1 y’ = -2 y  5 right x’ = -2 y’ = 1 x  5 y = 5 x = 5

y x left x’ = 1 y’ = -2 y  5 right x’ = -2 y’ = 1 x  5 y = 5 x = 5 x y t A Zeno System

Model Checker ModelProperty Condition under which the model satisfies the property, or error trajectory Collection of polyhedral hybrid automata Safety or liveness or real time or nonzeno HyTech

Model Checking for Safety Bm  RnBm  Rn initial states unsafe states ?

initial states unsafe states Bm  RnBm  Rn Model Checking for Safety

initial states unsafe states Bm  RnBm  Rn Model Checking for Safety

initial states unsafe states unsafe parameter values Bm  RnBm  Rn Model Checking for Safety

initial states unsafe states unsafe parameter values This is guaranteed to terminate if all variables are initialized (e.g. clocks). Bm  RnBm  Rn Model Checking for Safety

The Result

Applications of HyTech and Derivations: polyhedral overapproximation of dynamics -automotive engine control [Wong-Toi et al.] -chemical plant control [Preussig et al.] -flight control [Honeywell; Rockwell-Collins] -air traffic control [Tomlin et al.] -robot control [Corbett et al.] Successor Tools: 1. More expressive region algebras, e.g. FO( R, ,+,  ) still permits quantifier elimination [Pappas et al.] 2. More robust approximations, e.g. ellipsoid instead of polyhedral regions [Varaiya et al.] 3. Abstract region operations, e.g. interval numerical methods [HyperTech]; also [Krogh et al.][Maler et al.]

Symbolic Semi-Algorithms Starting from the observations in A, compute new regions in  by applying the operations pre, post, Å, \, and . Termination?

Four Verification Questions V1:Reachability   b Is an invariant always true?   unsafe

Four Verification Questions V1:Reachability   b Is an invariant always true?   unsafe V2:Repeated Reachability   b Linear temporal logic (LTL) Liveness   unfair

Four Verification Questions V1:Reachability   b Is an invariant always true?   unsafe V2:Repeated Reachability   b Linear temporal logic (LTL) Liveness   unfair V3:Nested Reachability   (b    b 1    b 2 ) Half branching temporal logic (  CTL,  CTL)

Four Verification Questions V1:Reachability   b Is an invariant always true?   unsafe V2:Repeated Reachability   b Linear temporal logic (LTL) Liveness   unfair V3:Nested Reachability   (b    b 1    b 2 ) Half branching temporal logic (  CTL,  CTL) V4:Negated Reachability   (b    c) Full branching temporal logic (CTL) Nonzenoness   (tick    tick)

V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? a b initial statesunsafe states

V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? a b pre(b) =   pre(b,  ) b [ pre(b)

V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? a b b [ pre(b) b [ pre(b) [ pre 2 (b)

V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? a b...  b b b [ pre(b) b [ pre(b) [ pre 2 (b)

a V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? b...  b b b [ pre(b) b [ pre(b) [ pre 2 (b)

a V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? b...  b b 1. pre, [,  2. Å a b [ pre(b) b [ pre(b) [ pre 2 (b)

V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a

V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a R 1 =   pre(b)... pre(b) pre(b) [ pre 2 (b)

V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a R 1 =   pre(b)

V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a R 2 =   pre(b  R 1 ) R 1 =   pre(b)

V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a R 2 =   pre(b  R 1 ) R 1 =   pre(b) R 3 =   pre(b  R 2 )

V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a...   b

V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a...   b

V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a...   b 1. pre, [,  2. Å a, Å b

V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2 b a

V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1 b a

V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1   b 2 b a

V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1   b 2 b a

V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1   b 2 b a   (b    b 1    b 2 )

V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1   b 2 b a   (b    b 1    b 2 )

V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1   b 2 b a   (b    b 1    b 2 ) 1. pre, [,  2. Å

V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c

V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c   c

V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c   c b    c

V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c   c   (b    c)

V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c   c   (b    c) a    (b    c)

V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c   c   (b    c) 1. pre, [,  2. Å 3. \

Four Symbolic Semi-Algorithms A1: Close A under pre  0 := A for i=1,2,3,… do  i :=  i-1 [ { pre(R) | R  i } [ { R 1 Å R 2 | R 1,R 2  i } [ { R 1 \ R 2 | R 1,R 2  i } until  i =  i-1

Four Symbolic Semi-Algorithms A1: Close A under pre A2:Close A under pre, Å a  0 := A for i=1,2,3,… do  i :=  i-1 [ { pre(R) | R  i } [ { R Å a | R  i Æ a 2A } [ { R 1 \ R 2 | until  i =  i-1

Four Symbolic Semi-Algorithms A1: Close A under pre A2:Close A under pre, Å a A3: Close A under pre, Å  0 := A for i=1,2,3,… do  i :=  i-1 [ { pre(R) | R  i } [ { R 1 Å R 2 | R 1,R 2  i } [ { R 1 \ R 2 | R 1,R 2  i } until  i =  i-1

Four Symbolic Semi-Algorithms A1: Close A under pre A2:Close A under pre, Å a A3: Close A under pre, Å A4:Close A under pre, Å, \  0 := A for i=1,2,3,… do  i :=  i-1 [ { pre(R) | R  i } [ { R 1 Å R 2 | R 1,R 2  i } [ { R 1 \ R 2 | R 1,R 2  i } until  i =  i-1

Four Symbolic Semi-Algorithms A1: Close A under pre A2:Close A under pre, Å a A3: Close A under pre, Å A4:Close A under pre, Å, \ A k terminates (1  k  4)  symbolic model checking of V k terminates.

Four State Equivalences E1:Reach Equivalence q 1  1 q 2 iffif a  A can be reached from q 1 in d steps, then a can be reached from q 2 in d steps, and vice versa.

Four State Equivalences E1:Reach Equivalence E2:Trace Equivalence q 1  2 q 2 iffif every finite trace from q 1 is a finite trace from q 2, and vice versa.

a a b b a a b b a a

a a b b a a b b a a 1 1

a a b b a a b b a a 1 1 2 2

a a b b a a b b a a 1 1 2 2 pre(a Å pre(a))

Four State Equivalences E1:Reach Equivalence E2:Trace Equivalence E3:Similarity q 1  3 q 2 iffif q 1 simulates q 2, and vice versa.

q 1 is simulated by q 2 iff there is a simulation relation S such that 1. S(q 1,q 2 ) 2. if S(p,q) then a. ( 8 a 2A ) (p 2 a iff q 2 a) b. ( 8 p') ( if p 2 pre(p') then ( 9 q') (q 2 pre(q') Æ S(p',q')))

a b a b a a a a b a a

a b a b a a a a b a 2 2 a

a b a b a a a a b a 2 2 3 3 a

a b a b a a a a b a 2 2 3 3 a pre(pre(a) Å pre(b))

Four State Equivalences E1:Reach Equivalence E2:Trace Equivalence E3:Similarity E4:Bisimilarity q 1  4 q 2 iffif q 1 simulates q 2 via a symmetric simulation relation (this is called a bisimulation relation).

a b a b a a ab a a

a b a b a a ab a 3 3 a

a b a b a a ab a 3 3 4 4 a

a b a b a a ab a 3 3 4 4 a : pre( : pre(a))

Specification Logics: V1Reachability (Safety) V2Linear Temporal Logic (Liveness) V3Existential/Universal Branching Temporal Logic V4Branching Temporal Logic (Nonzenoness) State Equivalences: E1Reach Equivalence E2Trace Equivalence E3Similarity E4Bisimilarity Symbolic Semi-Algorithms: A1Closure under pre A2Closure under pre, Å a A3Closure under pre, Å A4Closure under pre, Å, \

AkAk VkVk EkEk model checks induces Symbolic Semi-Algorithm State Equivalence k = 1,2,3,4 Specification Logic computes

AkAk VkVk EkEk model checks induces Symbolic Semi-Algorithm State Equivalence k = 1,2,3,4 q 1  k q 2 iff for all formulas  of V k, q 1 ²  iff q 2 ²  If E k has finite index, then V k can be model-checked on finite quotient. Specification Logic computes

AkAk VkVk EkEk model checks induces Symbolic Semi-Algorithm State Equivalence k = 1,2,3,4 q 1  k q 2 iff for all formulas  of V k, q 1 ²  iff q 2 ²  If E k has finite index, then V k can be model-checked on finite quotient. All regions definable by formulas of V k are generated by A k. A k terminates iff symbolic model checking terminates for all formulas of V k. Specification Logic computes

AkAk VkVk EkEk model checks computesinduces Symbolic Semi-Algorithm State Equivalence k = 1,2,3,4 q 1  k q 2 iff for all regions R computed by A k, q 1  R iff q 2  R A k terminates iff E k has finite index. q 1  k q 2 iff for all formulas  of V k, q 1 ²  iff q 2 ²  If E k has finite index, then V k can be model-checked on finite quotient. All regions definable by formulas of V k are generated by A k. A k terminates iff symbolic model checking terminates for all formulas of V k. Specification Logic

Four Classes of Symbolic Transition Systems STS1:pre closure terminates  Finite reach equiv  Safety (   ) decidable Well-structured transition systems of Abdulla, Finkel et al. STS2:(pre, Å a) closure terminates  Finite trace equiv  Liveness (LTL) decidable Initialized rectangular hybrid automata STS3:(pre, Å ) closure terminates  Finite similarity  Existential/universal branching (  CTL,  CTL) decidable 2D initialized rectangular hybrid automata STS4:(pre, Å, \ ) closure terminates  Finite bisimilarity  Nonzenoness (CTL) decidable Initialized singular (e.g. timed) hybrid automata

Four Classes of Symbolic Transition Systems STS1:pre closure terminates  Finite reach equiv  Safety (   ) decidable Well-structured transition systems of Abdulla, Finkel et al. STS2:(pre, Å a) closure terminates  Finite trace equiv  Liveness (LTL) decidable Initialized rectangular hybrid automata STS3:(pre, Å ) closure terminates  Finite similarity  Existential/universal branching (  CTL,  CTL) decidable 2D initialized rectangular hybrid automata STS4:(pre, Å, \ ) closure terminates  Finite bisimilarity  Nonzenoness (CTL) decidable Initialized singular hybrid automata

Example: Singular Hybrid Automata Q = B m  R n Invariants and guards: integral bounds, e.g. x 1 < 7  1  x 2  2 Flows: constant slopes, e.g.x' 1 = 1; x' 2 = 2 Jumps: integral assignments, e.g. x 1 := 0; x 2 := 5 A = { x i = c, c < x i < c+1 | 1  i  n, c  N, c < c max }

(c max,c max ) (0,0) x1x1 x2x2

(c max,c max ) (0,0) x1x1 x2x2 3<x 1 <4  x 2 =4 x 1 =3  x 2 =3 1<x 1 <2  2<x 2 <3

Example: Singular Hybrid Automata Q = B m  R n Invariants and guards: integral bounds, e.g. x 1 < 7  1  x 2  2 Flows: constant slopes, e.g.x' 1 = 1; x' 2 = 2 Jumps: integral assignments, e.g. x 1 := 0; x 2 := 5 A = { x i = c, c < x i < c+1 | 1  i  n, c  N, c < c max } Initialized: assignment when slope changes.

Special Case: Timed Automata Q = B m  R n Invariants and guards: integral bounds, e.g. x 1 < 7  1  x 2  2 Flows: clocks, e.g.x' 1 = 1; x' 2 = 1 Jumps: integral assignments, e.g. x 1 := 0; x 2 := 5 A = { x i = c, c < x i < c+1 | 1  i  n, c  N, c < c max } Always initialized.

f: x 1 ' = 1; x 2 ' = 1 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1

f j2j2 j1j1

f j2j2 j1j1

f j2j2 j1j1 pre(R,f) R

f: x 1 ' = 1; x 2 ' = 1 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1

(c max,c max ) (0,0) x1x1 x2x2 f: x 1 ' = 1; x 2 ' = 1 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Finite bisimulation.

f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1

f j2j2 j1j1 pre(R,f) R

f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 pre(R',j 2 ) R'

f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 R" pre(R",j)

(c max,c max ) (0,0) x1x1 x2x2 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 j2j2 j1j1 Finite bisimulation. f

f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2

f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2

f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2 R pre(R,f)

f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2 R' pre(R,j 2 )

f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2

f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2

f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Infinite bisimulation. Observation, invariant, or guard: x 1 >x 2

Example: Rectangular Hybrid Automata Q = B m  R n Invariants and guards: integral bounds, e.g. x 1 < 7  1  x 2  2 Flows: bounded slopes, e.g.x' 1  [1,2]; x' 2 = 1 Jumps: integral assignments, e.g. x 1 := 0; x 2 := 5 A = { x i = c, c < x i < c+1 | 1  i  n, c  N, c < c max } Initialized: assignment when slope bounds change.

j2j2 j1j1 f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 f

j2j2 j1j1 pre(R,f) R f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 f

f j2j2 j1j1 pre(R',f) R'

f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 j2j2 j1j1 R"pre(R",j 1 ) f

f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 j2j2 j1j1 f R3R3 pre(R 3,j 2 )

f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 j2j2 j1j1 f

j2j2 j1j1 f Infinite bisimulation.

j2j2 j1j1 pre(R,f) R f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 f  pre(R,f)

j2j2 j1j1 f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 f

j2j2 j1j1 f

j2j2 j1j1 f

j2j2 j1j1 f

j2j2 j1j1 f

j2j2 j1j1 f

j2j2 j1j1 f

j2j2 j1j1 f

j2j2 j1j1 f

j2j2 j1j1 f

j2j2 j1j1 f

(c max,c max ) (0,0) x1x1 x2x2 j2j2 j1j1 Finite simulation. f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 f

Summary 1. Separate local (region algebra) from global (symbolic semi-algorithms) concerns 2. Appeal to quantifier elimination for the computability of region operations (e.g. polyhedral hybrid systems) 3. Appeal to finite abstractions for the termination of symbolic semi-algorithms (e.g. rectangular hybrid systems)