# Goran Frehse

ENSTA Paris · Computer Science and Systems Engineering Laboratory (U2IS)

PhD in Computer Science

## About

79 publications · 11,299 reads · 3,396 citations

Introduction

Goran Frehse is a professor and director of the department of computer science and system engineering (U2IS) at ENSTA Paris. He holds a diploma in electrical engineering from Karlsruhe Institute of Technology and a PhD in computer science from Radboud University, Nijmegen. His research focus is assuring the trustworthiness of cyber-physical and AI systems through formal design and analysis methods.

Additional affiliations

- September 2018 - present: **ENSTA Paris**, Professor
- September 2006 - August 2018
- November 2005 - August 2006

Education

- September 2004 - October 2005
- January 2000 - December 2003
- October 1993 - December 1999

## Publications

Publications (79)

In 1995, HyTech broke new ground as a potentially powerful tool for verifying hybrid systems. But due to practical and systematic limitations it is only applicable to relatively simple systems. We address the main problems of HyTech with PHAVer, a new tool for the exact verification of safety properties of hybrid systems with piecewise constant bou...

We present a scalable reachability algorithm for hybrid systems with piecewise affine, non-deterministic dynamics. It combines polyhedra and support function representations of continuous sets to compute an over-approximation of the reachable states. The algorithm improves over previous work by using variable time steps to guarantee a given local e...

The falsification of a hybrid system aims at finding trajectories that violate a given safety property. This is a challenging problem, and the practical applicability of current falsification algorithms still suffers from their high time complexity. In contrast to falsification, verification algorithms aim at providing guarantees that no such traje...

Reachability analysis consists in computing the set of states that are reachable by a dynamical system from all initial states and for all admissible inputs and parameters. It is a fundamental problem motivated by many applications in formal verification, controller synthesis, and estimation, to name only a few. This article focuses on a class of m...

Reachability analysis aims at identifying states reachable by a system within a given time horizon. This task is known to be computationally expensive for linear hybrid systems. Reachability analysis works by iteratively applying continuous and discrete post operators to compute states reachable according to continuous and discrete dynamics, respec...

Mining temporal assertions from time-series data using information theory to filter real properties from incidental ones is a practically significant challenge. The problem is complex for continuous or hybrid systems because the degrees of influence on a consequent from a timed-sequence of predicates (called its prefix sequence), varies continuousl...

Reachability analysis aims at identifying states reachable by a system within a given time horizon. This task is known to be computationally hard for hybrid systems. One of the main challenges is the handling of discrete transitions, including computation of intersections with invariants and guards. In this paper, we address this problem by proposi...

We present JuliaReach, a toolbox for set-based reachability analysis of dynamical systems. JuliaReach consists of two main packages: Reachability, containing implementations of reachability algorithms for continuous and hybrid systems, and LazySets, a standalone library that implements state-of-the-art algorithms for calculus with convex sets. The...

In current practice a formal analysis of hybrid system models is assertion-based. The work presented here is based on features that look beyond functional correctness toward a quantitative evaluation of behavioral attributes. A feature defines a real-valued evaluation function over a specific set of traces. This paper describes an improved method...

Reachability analysis is difficult for hybrid automata with affine differential equations, because the reach set needs to be approximated. Promising abstraction techniques usually employ interval methods or template polyhedra. Interval methods account for dense time and guarantee soundness, and there are interval-based tools that overapproximate af...

Hybrid systems are models which combine discrete and continuous behavior. They occur frequently in safety-critical applications in various domains such as health care, transportation, and robotics, as a result of interactions between a digital controller and a physical environment. They also have relevance in other areas such as systems biology, in...

Approximating the set of reachable states of a dynamical system is an algorithmic yet mathematically rigorous way to reason about its safety. Although progress has been made in the development of efficient algorithms for affine dynamical systems, available algorithms still lack scalability to ensure their wide adoption in the industrial setting. Wh...

Welcome to the proceedings of the 20th ACM International Conference on Hybrid Systems: Computation and Control (HSCC'17), held in Pittsburgh, Pennsylvania. HSCC is the premier research conference on foundations of Cyber-Physical Systems. It covers design, analysis, control synthesis techniques and their applications in various domains such as auton...

Presents information on the 20th ACM International Conference on Hybrid Systems: Computation and Control.

We present novel techniques for computation of reachable sets and pre-computation of maneuver automata. The techniques are applicable for non-deterministic, non-linear systems and allow to find solutions with safety guarantees for reach-avoid type problems.

This report presents the results of a friendly competition for formal verification of continuous and hybrid systems with linear continuous dynamics. The friendly competition took place as part of the workshop Applied Verification for Continuous and Hybrid Systems (ARCH) in 2017. In its first edition, seven tools have been applied to solve three dif...

Template polyhedra generalize intervals and octagons to polyhedra whose facets are orthogonal to a given set of arbitrary directions. They have been employed in the abstract interpretation of programs and, with particular success, in the reachability analysis of hybrid automata. While previously, the choice of directions has been left to the user o...

Reachability analysis is an important technique for formally verifying continuous systems, as well as for guaranteed state estimation, stability analysis, and controller synthesis. We present a detailed assessment of the computational efficiency for the reachability analysis of linear systems with respect to the two most scalable set representation...

We consider the problem of translating a deterministic *simulation model* (like Matlab-Simulink, Modelica or Ptolemy models) into a *verification model* expressed by a network of hybrid automata. The goal is to verify safety using reachability analysis on the verification model. Simulation models typically use transitions with urgent semant...

The tool Matlab/Simulink is a numerical simulation environment that is widely used in industry for model-based design. Numerical simulation scales well and can be applied to systems with highly complex dynamics, but it is also inherently incomplete in the sense that critical events or behavior may be overlooked. The application of formal verificati...

Recent developments have brought interesting theoretical results and powerful tools for the reachability analysis of hybrid systems. However, there are still challenging problems to be solved in order to make those technologies applicable to large-scale applications in an industrial context. To support this development, in this paper we give a brief overvi...

Hybrid systems represent an important and powerful formalism for modeling real-world applications such as embedded systems. A verification tool like SpaceEx is based on the exploration of a symbolic search space (the region space). As a verification tool, it is typically optimized towards proving the absence of errors. In some settings, e.g., when...

Hybrid automata combine finite state models with continuous variables that are governed by differential equations. Hybrid automata are used to model systems in a wide range of domains such as automotive control, robotics, electronic circuits, systems biology, and health care. Numerical simulation approximates the evolution of the variables with a s...

For about two decades, formal methods for continuous and hybrid systems have enjoyed increasing interest in the research community. A wide range of analysis techniques were developed and implemented in powerful tools. However, the lack of appropriate benchmarks makes the testing, evaluation and comparison of those tools difficult. To support these proces...

Computing an approximation of the reachable states of a hybrid system is a challenge, mainly because overapproximating the solutions of ODEs with a finite number of sets does not scale well. Using template polyhedra can greatly reduce the computational complexity, since it replaces complex operations on sets with a small number of optimization prob...

In this paper, we present experimental results from running SpaceEx on some of the benchmarks of the ARCH14 workshop. Some of the SpaceEx models were obtained from Matlab/Simulink models with the help of a new translation tool. While some benchmarks could be handled to our satisfaction, several still pose significant challenges. We discuss possible...

The theories underlying control engineering and real-time systems engineering use idealized models that mutually abstract from central aspects of the other discipline. Control theory usually assumes jitter-free sampling and negligible (constant) input-output latencies, disregarding complex real-world timing effects. Real-time systems theory uses ab...

Compositional verification techniques in the assume-guarantee style have been successfully applied to transition systems to efficiently reduce the search space by leveraging the compositional nature of the systems under consideration. We adapt these techniques to the domain of hybrid systems with affine dynamics. To build assumptions we introduce a...

Linear hybrid automata (LHAs) are of particular interest to formal verification because sets of successor states can be computed exactly, which is not the case in general for more complex dynamics. Enhanced with urgency, LHA can be used to model complex systems from a variety of application domains in a modular fashion. Existing algorithms are limi...

This volume contains the proceedings of the 1st International Workshop on Synthesis of Continuous Parameters (SynCoP'14). The workshop was held in Grenoble, France on April 6th, 2014, as a satellite event of the 17th European Joint Conferences on Theory and Practice of Software (ETAPS'14). SynCoP aims at bringing together researchers working on par...

The Hybrid I/O-automaton (HIOA) is a rigorous formal model designed for the analysis of complex hybrid (discrete-continuous) dynamical systems. The use of the HIOA formalism renders compositional reasoning possible, in the sense that once a property has been established for an automaton, it still holds if the automaton is composed with other automa...

Hybrid systems represent an important and powerful formalism for modeling real-world applications that require both discrete and continuous behavior. A verification tool such as SpaceEx is based on the exploration of a symbolic search space (the region space). As a verification tool, it is typically optimized towards proving the absence of errors....

In this paper, we present an approximation of the set of reachable states, called flowpipe, for a continuous system with affine dynamics. Our approach is based on a representation we call flowpipe sampling, which consists of a set of continuous, interval-valued functions over time. A flowpipe sampling attributes to each time point a polyhedral encl...

A recent technique used in falsification methods for hybrid systems relies on distance-based heuristics for guiding the search towards a goal state. The question is whether the technique can be carried over to reachability analyses that use regions as their basic data structure. In this paper, we introduce a box-based distance measure between regio...

Recently, efficient reachability algorithms for hybrid systems with piecewise affine dynamics have been developed. They achieve good scalability and precision by using support functions to represent continuous sets. In this paper, we propose an improvement of these algorithms that reduces the overapproximation error of the image computation of disc...

We propose to combine timed automata and linear hybrid automata model checkers for formal testing and monitoring of embedded systems with a hybrid behavior, i.e., where the correctness of the system depends on discrete as well as continuous dynamics. System level testing is considered, where requirements capture abstract behavior and often include...

We present a new approach to compute the reachable set with a bounded number of jumps for a rectangular automaton. The reachable set under a flow transition is computed as a polyhedron which is represented by a conjunction of finitely many linear constraints. If the bound is viewed as a constant, the computation time is polynomial in the number of...

- Introduction
- Hybrid automata and reachability
- Linear hybrid automata
- Piecewise affine hybrid systems
- Hybridization techniques for reachability computations
- Bibliography

The verification of continuous and hybrid systems is known to be hard, and today tools are limited to relatively small problems. Several novel approaches are currently under investigation that exploit various kinds of set representations (polyhedra, zonotopes), improved algorithms (avoiding the wrapping effect) and strategies (such as abstraction r...

Our goal is to find the set of parameters for which a given linear hybrid automaton does not reach a given set of bad states. The problem is known to be semi-solvable (if the algorithm terminates the result is correct) by introducing the parameters as state variables and computing the set of reachable states. This is usually too expensive, howeve...

Many situations in various application domains can be formalized as switched buffer networks, that is, networks of containers in which quantities of some substances are stored and transported at various rates to other buffers. A mode of such a system is defined by the channels that are active at a given time, which determine the rates of change in t...

Set-based reachability analysis computes all possible states a system may attain, and in this sense provides knowledge about the system with a completeness, or coverage, that a finite number of simulation runs cannot deliver. Due to its inherent complexity, the application of reachability analysis has been limited so far to simple systems, both in...

Timed and weak timed simulation relations are often used to show that operations on hybrid systems result in equivalent behavior or in conservative overapproximations. Given that systems are frequently designed and verified in a modular approach, it is desirable that this relationship is compositional, which is not the case for hybrid systems in ge...

The application of formal methods to analog and mixed signal circuits requires efficient methods for constructing abstractions of circuit behaviors. This paper concerns the verification of properties of oscillator circuits. Generic monitor automata are proposed to facilitate the application of hybrid system reachability computations to characterize...

Properties of analog circuits can be verified formally by partitioning the continuous state space and applying hybrid system verification techniques to the resulting abstraction. To verify properties of oscillator circuits, cyclic invariants need to be computed. Methods based on forward reachability have proven to be inefficient and in some cases i...

Assume-guarantee reasoning (AGR) is recognized as a means to counter the state explosion problem in the verification of safety properties. We propose a novel assume-guarantee rule for hybrid systems based on simulation relations. This makes it possible to perform compositional reasoning that is conservative in the sense of over-approximating the co...

The interaction of software with a physical environment can cause complex, mixed continuous-discrete behavior, also referred to as being hybrid. Formal verification can guarantee the conformance of the system with a specification on a design level. However, the computational cost limits its applicability to relatively simple systems. To enable the...

Simulation relations can be used to verify refinement between a system and its specification, or between models of different complexity. It is known that for the verification of safety properties, simulation between hybrid systems can be defined based on their labeled transition system semantics. We show that for hybrid systems without shared varia...

The algorithmic analysis of control systems for large and distributed hybrid systems is considerably restricted by its computational complexity. In order to enable the verification of discrete controllers for such hybrid systems, this contribution proposes an approach that combines decomposition, model checking and deduction. The system under exami...

The main task in the control of dynamical systems with mixed discrete-continuous behavior is to guide its hybrid state from an actual operating point to the desired target state. One precondition for the design of an appropriate controller is a reachability analysis to determine all states which are both reachable from the initial state and contro...

- Modeling
- What Is a Hybrid System?
- Description of Hybrid Systems by Modified Petri Nets
- Model Based Development of Hybrid Systems: Specification, Simulation, Test Case Generation
- Hybrid Modeling of Complex Process Control Function Blocks
- Discrete Models for Hybrid Systems
- Simulation
- An Environment for the Integrated Modelling of System...