Towards composition of conformant systems
Houssam Abbas and Georgios Fainekos

Abstract. Motivated by the Model-Based Design process for Cyber-Physical Systems, we consider issues in conformance testing of systems. Conformance is a quantitative notion of similarity between the output trajectories of systems, which considers both temporal and spatial aspects of the outputs. Previous work developed algorithms for computing the conformance degree between two systems, and demonstrated how formal verification results for one system can be re-used for a system that is conformant to it. In this paper, we study the relation between conformance and a generalized approximate simulation relation for the class of Open Metric Transition Systems (OMTS). This allows us to prove a small-gain theorem for OMTS, which gives sufficient conditions under which the feedback interconnection of systems respects the conformance relation, thus allowing the building of more complex systems from conformant components.
In Model-Based Design (MBD) of systems, an executable model of the system is developed early in the design process. This allows the verification engineers to conduct early testing [3]. The model is then refined iteratively and more details are added, e.g., initially ignored physical phenomena, time delays, etc. This eventually leads to the final model that gets implemented on some computational platform, for example via automatic code generation. See Fig. 1.
Each of the above transformations and calibrations introduces discrepancies between the output behavior of the original system (the nominal system) and that of the derived system. These discrepancies are spatial (e.g., slightly different signal values in response to the same stimulus, dropped samples, etc.) and temporal (e.g., different timing characteristics of the outputs, out-of-order samples, delayed responses, etc.), and their magnitude can vary as time progresses.
Ideally, the initial (simpler) model should be amenable to formal synthesis and verification methods (cycle 1 in Fig. 1) through tools like [5], [18]. To understand how the formal verification results on the simpler nominal model can be applied to the derived more complex system, it is necessary to quantify the conformance degree between them. The conformance degree, introduced in [1], [2], is a measure of both spatial and temporal differences between the output behaviors of two systems. It relaxes traditional notions of distance, like sup norm and approximate simulation, to encompass a larger class of systems, and to allow re-ordering of output signal values. In [2], it was shown how the formal properties satisfied by the derived system can be automatically obtained from knowledge of the properties satisfied by the nominal system, and knowledge of the conformance degree between them. In this paper, we extend that work by studying feedback interconnections of systems. Specifically, we are concerned with the following question: suppose we have a feedback interconnection of a plant and controller, and the closed-loop system has been formally verified to satisfy some properties. If the controller (or the plant) is replaced by another controller which is conformant to it, is the new closed-loop system conformant to the original closed-loop system? If yes, can we estimate its conformance degree without explicitly re-computing it? A positive answer to both questions would allow us to leverage the results in [2] and automatically deduce the properties satisfied by the new interconnection.

H. Abbas is with the Department of Electrical, Computer and Energy Engineering, Arizona State University, Tempe, U.S.A. G. Fainekos is with the School of Informatics, Decisions and Systems Engineering, Arizona State University, Tempe, U.S.A. This work was partially supported by NSF awards CNS 1350420 and CPS 1446730.

[Fig. 1. Model-Based Development V-process. Figure labels: Simple Model; Complex Model; Automatic Code; Si (HIL); Calibration and Deployment; Sd.]
In this paper, we give a positive answer to both questions for a general class of dynamical systems modeled as Open Metric Transition Systems (OMTS). These are defined in Section II-A. The tool we use is a generalized notion of Space-Time Approximate Simulation (STAS) relation, which is defined in Section III-A. We show in Section III-B that the existence of such a relation between two OMTS implies that they are also conformant, and yields the conformance degree between them. In Section IV we provide a small-gain theorem for OMTS, which gives sufficient conditions under which feedback interconnections of OMTS respect approximate simulation, and therefore conformance. This is done via STAS functions, which are Lyapunov-like functions that certify the existence of a STAS relation between two

arXiv:1511.05273v2 [cs.SY] 18 Nov 2015
Notation. For a positive integer $n$, $[n] = \{1, \ldots, n\}$. Given a set $\Sigma$, $\Sigma^*$ is the set of finite strings on $\Sigma$, i.e. $\Sigma^* = \{s_0 s_1 \ldots s_n \mid s_i \in \Sigma,\ n \in \mathbb{N}\}$. Given two sets $A, B$ and $(a, b) \in A \times B$, $\mathrm{pr}_A((a, b)) = a$.
In this section, we define a general system model, namely, Open Metric Transition Systems (OMTS). These extend Metric Transition Systems [8] in that they allow interconnection of systems, and will be our formalism of choice in this paper. We then define the conformance relations for OMTS and feedback interconnections for OMTS, which allow us to speak of controlled OMTS and compositionality in Section IV. As an illustration, we show how hybrid systems can be modeled as OMTS.
A. Open metric transition systems and conformance
A Metric Transition System (MTS) serves to model, at an abstract level, a fairly large class of systems. An MTS is a tuple $T = (Q, \Sigma_\chi, \to, Q_0, \Pi, \langle\cdot\rangle)$ where $Q$ is a set known as the state space, $Q_0 \subseteq Q$ is the set of initial states, $\Sigma_\chi$ is the set of labels on which transitions take place, $\to \subset Q \times \Sigma_\chi \times Q$ is the transition relation, $\Pi$ is the output set, and $\langle\cdot\rangle : Q \to \Pi$ is the output map. We write $q \xrightarrow{\sigma_\chi} q'$ to denote an element $(q, \sigma_\chi, q') \in \to$. Both $Q$ and $\Pi$ are metric spaces, that is, they are equipped with metrics $d_Q$ and $d_\Pi$. Moreover, for any $q \in Q$ and any label subset $S \subseteq \Sigma_\chi$, the set
$$Post(q, S) = \bigcup_{\sigma_\chi \in S} Post(q, \sigma_\chi) \qquad (1)$$
is compact in the metric-induced topology.

Given a string of labels $\bar\sigma_\chi = \sigma_{\chi,1}\sigma_{\chi,2}\ldots\sigma_{\chi,m}$, we write $\bar\sigma_\chi[i]$ for the prefix string $\sigma_{\chi,1}\sigma_{\chi,2}\ldots\sigma_{\chi,i}$, $i \le m$. The sets $\Sigma_\chi$ and $\Sigma_\chi^*$ are equipped with pseudo-metrics¹ $d_{\Sigma_\chi}$ and $d_{\Sigma_\chi^*}$, respectively, and $\Pi$ is equipped with a metric $d_\Pi$. When two MTS share the same $\Sigma_\chi$ ($\Sigma_\chi^*$, $\Pi$), they also share the same associated (pseudo-)metrics.
An Open Metric Transition System (OMTS) is a tuple $T = (Q, \Sigma, \to_T, Q_0, \Pi, \langle\cdot\rangle, p)$ where $(Q, \Sigma, \to_T, Q_0, \Pi, \langle\cdot\rangle)$ is an MTS as above. The label set $\Sigma$ of an OMTS has a special structure: $\Sigma \subseteq \Sigma_u \times \Sigma_\chi$ for sets $\Sigma_u, \Sigma_\chi$. The intuition behind this division is that $\Sigma_u$ will be used to model input signals to the system embedded as an OMTS, and $\Sigma_\chi$ will be used to model the domain of that input signal. This departs from earlier approaches to embedding forced dynamical systems as MTS [7], because we need a way to describe interconnections of MTS, while preserving timing information in the interconnection. A generic label $\sigma$ thus has two components: $\sigma = (\sigma_u, \sigma_\chi)$. The string prefix $\bar\sigma[i]$ is defined similarly to the case of MTS. The port map $p : (\to_T) \to \Sigma \cup \{\nu\}$ associates a label to each transition in $\to_T$, or a special empty label $\nu$. The empty label, as we will see, is used to allow a system to make empty transitions which don't change its state and don't advance time. The output of the port map will be used to compose OMTS.
¹ A pseudo-metric does not separate points.
This makes them similar to hybrid I/O automata [14] but enriched with a metric structure, and with 'discrete actions' and 'trajectories of input variables' lumped into one label set, which fits well with our usage of hybrid time.
We now define conformance between two OMTS $T_1$ and $T_2$. Conformance quantifies the similarity between systems, and accounts for the fact that in a typical MBD process (Fig. 1), the output signals of the derived model will have temporal and spatial differences with the outputs of the nominal model. From the knowledge of the conformance degree between two systems, we can conclude what formal specifications are satisfied by one, given the specifications satisfied by the other [2].
Definition 2.1 (Conformance): Let $T_1$ and $T_2$ be two OMTS with a common output space $\Pi$ and common label set $\Sigma$. Let $\tau, \varepsilon$ be two non-negative reals. Let $D \subseteq Q^0_1 \times Q^0_2$ be a relation defined on their initial sets. We refer to $D$ as the derivation relation. We say $T_2$ conforms to $T_1$ with precision $(\tau, \varepsilon)$ and derivation relation $D$, which we write $T_1 \;{}^{C}_{\tau,\varepsilon}\; T_2$, if for all $(q^0_1, q^0_2) \in D$, and any sequence of $T_1$ transitions
$$q^0_1 \xrightarrow{\sigma_1} q^1_1 \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_n} q^m_1$$
there exists a sequence of $T_2$ transitions
$$q^0_2 \xrightarrow{\alpha_1} q^1_2 \xrightarrow{\alpha_2} \cdots \xrightarrow{\alpha_n} q^{m'}_2$$
such that
(a) for all $q^i_1$, $i \in [m]$, there exists $q^k_2$ s.t. $d_\Pi(q^i_1, q^k_2) \le \varepsilon$ and $d_{\Sigma^*}(\bar\sigma[i], \bar\alpha[k]) \le \tau$;
(b) for all $q^i_2$, $i \in [m']$, there exists $q^k_1$ s.t. $d_\Pi(q^k_1, q^i_2) \le \varepsilon$ and $d_{\Sigma^*}(\bar\sigma[k], \bar\alpha[i]) \le \tau$.

Intuitively, the definition requires $T_2$ to be able to match any execution of $T_1$, with some allowed deviation between the states that each execution visits, and some allowed deviation between the labels on which transitions take place. The matching is required not only for the final reached states $q^m_1$ and $q^{m'}_2$, but for all intermediary states. The relation $D$ is meant to capture the mapping between the initial states of one model ($T_1$) and the initial states of its implementation ($T_2$). For example, if $T_2$ is obtained by model order reduction from $T_1$, $D$ captures the reduction mapping as applied to the initial states. Because some of the labels in either transition sequence may be the empty label $\nu$, more than one state in one sequence may match with the same state in the other.
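As an added illustration (not code from the paper), the following Python checks Definition 2.1 on two constructed finite executions and computes the smallest $\varepsilon$ for a given $\tau$, i.e. the conformance degree of [1], [2] restricted to one pair of executions. It assumes scalar outputs with $d_\Pi = |\cdot|$, jump-free hybrid time domains so that the prefix pseudo-metric $d_{\Sigma^*}$ reduces to the Hausdorff distance $|t_i - t'_k|$ between $[0, t_i]$ and $[0, t'_k]$, and a single initial-state pair in $D$.

```python
import math

# Constructed sample executions (not from the paper): each entry is
# (t, y) = the hybrid time at which the state is reached (no jumps, so the
# hybrid time domain of that prefix is [0, t]) and the observed output.
# DERIVED is NOMINAL delayed by 0.3, offset by +0.1, with one extra sample.
NOMINAL = [(0.0, 0.0), (1.0, 1.0), (2.0, 2.0), (3.0, 3.0), (4.0, 4.0)]
DERIVED = [(0.0, 0.0), (1.3, 1.1), (2.3, 2.1), (3.3, 3.1), (3.8, 3.55), (4.3, 4.1)]


def d_pi(y1, y2):
    """Output metric d_Pi: absolute difference on scalar outputs (assumption)."""
    return abs(y1 - y2)


def d_sigma_star(t1, t2):
    """Label-string pseudo-metric d_Sigma*: Hausdorff distance between the prefix
    domains [0, t1] and [0, t2]; for nested intervals sharing the left endpoint
    this is |t1 - t2|.  It is the max_j d_H(I_j, I'_j) rule of Section II-D
    with a single j, i.e. no jumps (assumption of this example)."""
    return abs(t1 - t2)


def one_sided_degree(xs, ys, tau):
    """Condition (a) of Def. 2.1 in one direction: for every state of xs, find
    the closest output among the states of ys whose prefix domain is within
    tau, and return the worst such spatial deviation.  The inf over an empty
    candidate set is +inf: no temporally admissible match exists."""
    worst = 0.0
    for t1, y1 in xs:
        best = min((d_pi(y1, y2) for t2, y2 in ys if d_sigma_star(t1, t2) <= tau),
                   default=math.inf)
        worst = max(worst, best)
    return worst


def conformance_degree(exec1, exec2, tau):
    """Smallest eps such that exec2 conforms to exec1 with precision (tau, eps).
    Both (a) and (b) of Def. 2.1 must hold, so take the max over both directions."""
    return max(one_sided_degree(exec1, exec2, tau),
               one_sided_degree(exec2, exec1, tau))


def conforms(exec1, exec2, tau, eps):
    """Direct (tau, eps) check of Def. 2.1 on the two executions."""
    return conformance_degree(exec1, exec2, tau) <= eps


if __name__ == "__main__":
    # Temporal slack buys spatial precision: with tau below the 0.3 delay the
    # executions do not conform at all; with tau = 0.5 the extra sample
    # (3.8, 3.55) dominates the spatial deviation.
    for tau in (0.2, 0.5, 1.0):
        print(f"tau={tau}: eps={conformance_degree(NOMINAL, DERIVED, tau):.3f}")
```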
B. Feedback interconnection of OMTS
Given two OMTS $T_1$ and $T_2$, we define their feedback interconnection as follows.

Definition 2.2 (Feedback in OMTS): Let $T_i$ be an OMTS $(Q_i, \Sigma, \to_i, Q^0_i, \Pi_i, \langle\cdot\rangle_i, p_i)$, $i = 1, 2$, such that $\Sigma = \Sigma_u \times \Sigma_\chi$. Assume that $\Sigma \supseteq p_2(\to_2)$ and $\Sigma \supseteq p_1(\to_1)$. Their feedback interconnection is a (closed) MTS $(Q, \Sigma_{\chi 12}, \to, Q^0, \Pi, \langle\cdot\rangle)$, denoted $T_1T_2$, where
- $\Sigma_{\chi 12} \subseteq \Sigma_\chi$,
- $\langle (q_1, q_2) \rangle = (\langle q_1\rangle_1, \langle q_2\rangle_2)$,
- $\to$: $(q_1, q_2) \xrightarrow{\sigma_\chi} (q'_1, q'_2)$ iff there exist $\sigma_1 = (\sigma_{1,u}, \sigma_\chi) \in \Sigma$ and $\sigma_2 = (\sigma_{2,u}, \sigma_\chi) \in \Sigma$ s.t. $q_1 \xrightarrow{\sigma_1}_1 q'_1$, $q_2 \xrightarrow{\sigma_2}_2 q'_2$, and
- the output set distance is given by $d_\Pi((q_1, q_2), (q'_1, q'_2)) = \tilde h(d_{\Pi_1}(q_1, q'_1), d_{\Pi_2}(q_2, q'_2))$ for some positive non-decreasing function $\tilde h$.

This is meant to model the situation when two hybrid systems are feedback interconnected, such that $T_1$'s outputs constitute the inputs to $T_2$, and vice versa. Note that the definitions of output set, output map and associated distance function are somewhat arbitrary and ultimately depend on the application.
To simplify the statement of the main theorem and its proof, we introduce the following 'lifting' of $\Sigma_{\chi 12}$ to $\Sigma \times \Sigma$. The set $\Sigma_{12}$ defined below contains all label pairs $(\sigma_1, \sigma_2) \in \Sigma_1 \times \Sigma_2$ allowed by the interconnection $T_1T_2$. Formally:
$$\Sigma_{12} := \{(\sigma_1, \sigma_2) \in \Sigma \times \Sigma \mid \sigma_1 = p_2(q_2 \xrightarrow{\sigma_2} q'_2),\ \sigma_2 = p_1(q_1 \xrightarrow{\sigma_1} q'_1),\ \sigma_{\chi 1} = \sigma_{\chi 2} \in \Sigma_{\chi 12},\ \text{for some transitions } q_2 \xrightarrow{\sigma_2} q'_2 \text{ and } q_1 \xrightarrow{\sigma_1} q'_1\} \qquad (2)$$
We note two properties of $\Sigma_{12}$:
1) $\Sigma_{12} \subseteq \Sigma \times \Sigma$;
2) minimizing a function over the transitions enabled by labels in $\Sigma_{\chi 12}$ yields the same result as minimizing it over the transitions enabled by labels in the lifting $\Sigma_{12}$.
C. Problem formulation
The formal statement of this paper's problem follows: Given two OMTS $T_1$ and $T_2$ connected in a feedback loop, and an OMTS $T_3$ that conforms to $T_1$ with precision $(\tau, \varepsilon)$ and derivation relation $D$, is $T_3T_2$ conformant to $T_1T_2$? If yes, what is the conformance degree between the two loops?
D. Embedding a hybrid system as an OMTS
Hybrid systems can be represented using, or embedded as, OMTS. This enables us to apply the compositionality result to them. We briefly define hybrid systems to show the embedding. Let $C$ and $D$ be subsets of $\mathbb{R}^{n+m}$, $U \subseteq \mathbb{R}^m$ be a set of input values, $F : \mathbb{R}^{n+m} \rightrightarrows \mathbb{R}^n$ and $G : \mathbb{R}^{n+m} \rightrightarrows \mathbb{R}^n$ be set-valued maps with $C \subseteq \mathrm{dom}\,F$ and $D \subseteq \mathrm{dom}\,G$. Let $z : \mathbb{R}^n \to \mathbb{R}^{n_z}$ be a function. The hybrid dynamical system $H$ with data $(C, F, D, G, z)$, internal state $x \in \mathbb{R}^n$ and output $y \in \mathbb{R}^{n_z}$ is governed by [10]
$$\dot x \in F(x, u),\ (x, u) \in C; \qquad x^+ \in G(x, u),\ (x, u) \in D \qquad (3)$$
The 'jump' map $G$ models the change in system state at a mode change, or 'jump', and the jump set $D$ captures the conditions causing a jump. The 'flow' map $F$ models state evolution away from jumps, while $(x, u)$ is in the flow set $C$. System trajectories start from a specified set of initial conditions $H_0 \subseteq \mathrm{pr}_{\mathbb{R}^n}(C \cup D)$. Finally, the output of the system $y$ is given as a function $z$ of its internal state, and its input is given by $u$ which takes values in a set $U$.

Solutions $(\phi, u)$ to (3) are given by a hybrid arc $\phi$ and an input arc $u$ sharing the same hybrid time domain $\mathrm{dom}\,\phi = \mathrm{dom}\,u$, and with standard properties that can be reviewed in [9, Ch. 2].
Definition 2.3 (Hybrid time domains and arcs [10]): A subset $E \subset \mathbb{R}_+ \times \mathbb{N}$ is a compact hybrid time domain if
$$E = \bigcup_{j=0}^{J-1} [t_j, t_{j+1}] \times \{j\}$$
for some finite increasing sequence of times $0 = t_0 \le t_1 \le t_2 \le \ldots \le t_J$. A hybrid arc $\phi$ is a function supported over a hybrid time domain, $\phi : E \to \mathbb{R}^n$, such that for every $j$, $\phi(\cdot, j)$ is locally absolutely continuous in $t$ over $I_j = \{t : (t, j) \in E\}$; we call $E$ the domain of $\phi$ and write it $\mathrm{dom}\,\phi$.
A hybrid system $H = (C, F, D, G, z)$ can be embedded as an OMTS $T = (Q, \Sigma, \to, Q_0, \Pi, \langle\cdot\rangle, p)$ as follows: $Q = \{x \in \mathbb{R}^n \mid \exists u : (x, u) \in C \cup D\}$, $Q_0 \subseteq Q$, $\langle\cdot\rangle = z$, and $\Pi = \mathbb{R}^{n_z}$. The label set is made of input arcs and their domains, and the empty label $\nu$:
$$\Sigma = \{(u, \mathrm{dom}\,u) \mid u \text{ is an input arc}\} \cup \{\nu\} \qquad (4)$$
The transition relation is defined as $q \xrightarrow{\sigma} q'$ iff either $\sigma = \nu$ is the empty label and $q = q'$, or $\sigma = (u, \mathrm{dom}\,u)$ and there exists a solution pair $(\phi, u)$ s.t. $\phi(0, 0) = q$, $\phi(t, j) = q'$ for some $(t, j)$ in $\mathrm{dom}\,u$. The port map $p$ is defined as
$$p(q \xrightarrow{\sigma} q') = \begin{cases} (z(q), (0, 0)) & \text{if } \sigma = \nu \\ (z \circ \phi, \mathrm{dom}\,\phi) & \text{otherwise} \end{cases}$$
where $(\phi, u)$ is the solution pair of $H$ corresponding to $\sigma$ as defined above in (4).
Later in the paper, we will need to impose a requirement on $d_\Sigma$, namely, equation (5) from Section III-B. The rest of this section shows how $d_\Sigma$ can be defined so this requirement is met. First, given an input arc $u$ with domain $E$ and two subsets $E' \subseteq E$, $E'' \subseteq E$ such that $(0, 0) \in E' \cap E''$ and $\sup_j E' = \sup_j E''$, the restrictions of $u$ to $E'$ and $E''$ respectively are said to have a common extension. (So the restricted arcs start at $(0, 0)$ and make the same number of jumps.)

Let $\sigma = (u, E)$, $\sigma' = (u', E')$ be two labels with $E = \bigcup_{j=0}^{J-1} I_j \times \{j\}$, $E' = \bigcup_{j=0}^{J'-1} I'_j \times \{j\}$ compact hybrid time domains with $J$ and $J'$ jumps, respectively. Define
$$d_\Sigma(\sigma, \sigma') := \max_j d_H(I_j, I'_j) \quad \text{if } u \text{ and } u' \text{ have a common extension.}$$
Here, $d_H$ is the symmetric Hausdorff distance between two sets. A string $s = \sigma_1\sigma_2\ldots\sigma_m$ is then a concatenation of the input arcs and their hybrid time domains², and is itself a valid pair (input arc, hybrid time domain). That is, in this case, $\Sigma^* \subseteq \Sigma$. Therefore given two strings $s$ and $a$, we simply define $d_{\Sigma^*}(s, a) = d_\Sigma(s, a)$. It can be shown that this satisfies (5).
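Added example (not from the paper): Python implementing the label distance $d_\Sigma$ above on constructed compact hybrid time domains, together with the concatenation of footnote 2 that turns a string of labels into a single label. It assumes labels are identified with their domains (the input-arc values play no role in $d_\Sigma$), takes 'common extension' to mean both domains start at $(0,0)$ and have equal jump counts, returns $+\infty$ when there is no common extension (a case the text leaves unspecified), and shifts jump indices by the number of intervals of the first domain.

```python
import math

# A compact hybrid time domain E = U_j [t_j, t_{j+1}] x {j} is represented as
# the list of its intervals I_0, I_1, ..., indexed by the jump counter j.
# Constructed sample domains (not from the paper):
E_NOMINAL = [(0.0, 1.0), (1.0, 2.5)]       # one jump, at t = 1.0
E_DERIVED = [(0.0, 1.2), (1.2, 2.4)]       # the same jump, 0.2 late, ends earlier
E_FEWER_JUMPS = [(0.0, 2.5)]               # no jump at all


def hausdorff_interval(a, b):
    """Symmetric Hausdorff distance d_H between closed intervals a=[a0,a1] and
    b=[b0,b1].  For intervals on the line it is max(|a0-b0|, |a1-b1|)."""
    (a0, a1), (b0, b1) = a, b
    return max(abs(a0 - b0), abs(a1 - b1))


def has_common_extension(E, E_prime):
    """Both domains contain (0,0) and make the same number of jumps
    (sup_j E = sup_j E'); this is the 'common extension' condition."""
    return (E[0][0] == 0.0 and E_prime[0][0] == 0.0
            and len(E) == len(E_prime))


def label_distance(E, E_prime):
    """d_Sigma(sigma, sigma') = max_j d_H(I_j, I'_j) when the arcs have a common
    extension.  The paper gives only that case; we return +inf otherwise
    (assumption), so labels with different jump counts are never tau-close."""
    if not has_common_extension(E, E_prime):
        return math.inf
    return max(hausdorff_interval(I, Ip) for I, Ip in zip(E, E_prime))


def concat_domains(E, E_prime):
    """Concatenation from footnote 2: append E' to E, shifting E' in time by the
    final time t_J of E and in jump index by the number of intervals of E
    (the index offset is our reading of the footnote).  Result is again a
    list of intervals indexed by j."""
    t_J = E[-1][1]
    return E + [(t0 + t_J, t1 + t_J) for (t0, t1) in E_prime]


def string_distance(labels1, labels2):
    """d_Sigma*(s, a) = d_Sigma(s, a): concatenate each string's domains into
    one hybrid time domain and compare with label_distance (Section II-D)."""
    def concat_all(labels):
        acc = labels[0]
        for E in labels[1:]:
            acc = concat_domains(acc, E)
        return acc
    return label_distance(concat_all(labels1), concat_all(labels2))


if __name__ == "__main__":
    print("d_Sigma(nominal, derived) =", label_distance(E_NOMINAL, E_DERIVED))
    print("d_Sigma(nominal, fewer jumps) =", label_distance(E_NOMINAL, E_FEWER_JUMPS))
    print("concatenated:", concat_domains(E_NOMINAL, E_FEWER_JUMPS))
```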
A. Space-Time Approximate Simulations
A Space-Time Approximate Simulation (STAS) relation is an approximate simulation relation in the sense of [12]. We choose to introduce the new terminology in order to avoid potentially awkward (and possibly confusing) references to 'simulation relations in the sense of [xyz]'. STAS were introduced in [12] and applied in [13] to the study of networked control systems.

Our interest in this paper is in conformance as defined earlier, which is a notion defined on entire trajectories. STAS relations, defined on individual states of systems, are a related notion which has the advantage of having a functional characterization, much like Lyapunov functions characterize stability. In this section, we define STAS relations and connect them to conformance. The functional characterization of STAS can then be used to characterize conformance.
Definition 3.1 (STAS): Given two OMTS $T_i = (Q_i, \Sigma, \to_i, Q^0_i, \Pi, \langle\cdot\rangle_i, p_i)$, $i = 1, 2$, and positive reals $\tau, \varepsilon$, consider a relation $R \subseteq Q_1 \times Q_2$, and the following three conditions:
1) $\forall (q_1, q_2) \in R$, $d_\Pi(\langle q_1\rangle, \langle q_2\rangle) \le \varepsilon$;
2) $\forall (q_1, q_2) \in R$, $\forall q_1 \xrightarrow{\sigma_1}_1 q'_1$, $\exists \sigma_2 \in B_\tau(\sigma_1)$ and a transition $q_2 \xrightarrow{\sigma_2}_2 q'_2$ s.t. $(q'_1, q'_2) \in R$;
3) $\forall q^0_1 \in Q^0_1$, $\exists q^0_2 \in Q^0_2$ s.t. $(q^0_1, q^0_2) \in R$;
where $B_\tau(\sigma) = \{\sigma' \in \Sigma \mid d_\Sigma(\sigma, \sigma') \le \tau\}$. If $R$ satisfies the first 2 conditions, then it is a $(\tau, \varepsilon)$-space-time approximate simulation (STAS) of $T_1$ by $T_2$. If in addition it satisfies the third, then we say $T_2$ simulates $T_1$ with precision $(\tau, \varepsilon)$.

STAS relations describe what happens when $T_1$ 'plays' label $\sigma_1$, and $T_2$ is allowed to respond by playing a label from $B_\tau(\sigma_1)$. In particular, it says that $T_2$ can always find a label such that the distance between the reached outputs is less than $\varepsilon$. In the rest of this paper, we will often simply speak of a simulation to mean a STAS.
B. From simulation to conformance
The connection between STAS, which is a relation between states, and conformance, which is a relation between executions, is captured in the following proposition.

Proposition 3.1: Given two OMTS $T_i = (Q_i, \Sigma, \to_i, Q^0_i, \Pi, \langle\cdot\rangle_i, g_i)$, $i = 1, 2$, let $R$ be a $(\tau, \varepsilon)$-STAS relation between them, and let $D \subseteq Q^0_1 \times Q^0_2$ be a derivation relation between them. Assume that the label pseudo-metrics $d_\Sigma$, $d_{\Sigma^*}$ are such that for any two strings $\bar\sigma = \sigma_1 \ldots \sigma_i$ and $\bar\alpha = \alpha_1 \ldots \alpha_i$,
$$\big(\forall k \le i,\ d_\Sigma(\sigma_k, \alpha_k) \le \tau\big) \implies d_{\Sigma^*}(\bar\sigma[i], \bar\alpha[i]) \le \tau \qquad (5)$$
If $D \subseteq R$, then $T_2$ conforms to $T_1$ with precision $(\tau, \varepsilon)$ and with derivation relation $D$.

Proof: Take any pair $(q^0_1, q^0_2) \in D$, and any sequence of $T_1$ transitions
$$q^0_1 \xrightarrow{\sigma_1} q^1_1 \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_n} q^n_1$$
Because $D \subseteq R$, there exists a $T_2$ transition $q^0_2 \xrightarrow{\alpha_1} q^1_2$ with $\alpha_1 \in B_\tau(\sigma_1)$ and $(q^1_1, q^1_2) \in R$, therefore $d_\Pi(q^1_1, q^1_2) \le \varepsilon$. Proceeding in this way for every $k \le n$, we build a sequence $q_2$ of $T_2$ transitions
$$q^0_2 \xrightarrow{\alpha_1} q^1_2 \xrightarrow{\alpha_2} \cdots \xrightarrow{\alpha_n} q^n_2$$
such that $d_\Sigma(\sigma_k, \alpha_k) \le \tau$ and $d_\Pi(q^k_1, q^k_2) \le \varepsilon$ for all $k$. Now we check condition (a) of Def. 2.1. For any $q^i_1$, $i \le n$, $d_\Pi(q^i_1, q^i_2) \le \varepsilon$ and by property (5) of the label pseudo-metric, $d_{\Sigma^*}(\bar\sigma[i], \bar\alpha[i]) \le \tau$. Thus condition (a) is satisfied. By construction of the execution $q_2$ and symmetry of $d_\Pi$ and $d_\Sigma$, we also have condition (b). ∎

² The concatenation of two compact hybrid time domains $E = \bigcup_{j=0}^{J_1 - 1}([t_j, t_{j+1}] \times j)$ and $E' = \bigcup_{j=0}^{J_2 - 1}([t'_j, t'_{j+1}] \times j)$ is the hybrid time domain $E_c = \bigcup_{j=0}^{J_1 - 1}([t_j, t_{j+1}] \times j) \cup \bigcup_{j=0}^{J_2 - 1}([t'_j + t_{J_1}, t'_{j+1} + t_{J_1}] \times \{j' + N_1\})$.

[Fig. 2. Interconnections of similar MTS.]
In this section, we prove a general small gain condition under which the feedback interconnection of OMTS preserves similarity relations. By Prop. 3.1, this implies that conformance is also preserved under these conditions. We work in the OMTS formalism as it bypasses unnecessary technicalities and allows us to establish the result in greater generality, while maintaining continuity with the work of
A. Compositionality of similar metric transition systems
Consider OMTS $T_1, T_2, T_3, T_4$ with label sets $\Sigma_1 = \Sigma_2$ and $\Sigma_3 = \Sigma_4$. Systems $T_1$ and $T_2$ are feedback interconnected to yield $T_1T_2$, with state space $Q_{12} = Q_1 \times Q_2$, and label set $\Sigma_{\chi 12}$. Similarly, systems $T_3$ and $T_4$ are feedback interconnected to yield $T_3T_4$, with state space $Q_{34} = Q_3 \times Q_4$, and label set $\Sigma_{\chi 34}$. See Fig. 2. We seek conditions under which $T_3T_4$ simulates $T_1T_2$; based on Prop. 3.1, this would imply that under the same conditions, $T_1T_2 \;{}^{C}_{\tau,\varepsilon}\; T_3T_4$ for some $(\tau, \varepsilon)$. To do so, we use the functional characterization of STAS.
Definition 4.1: [12, Def. 3.2] Given two OMTS $T_1$ and $T_2$ with common output set $\Pi$ and label set $\Sigma$, and non-negative real $\tau$, a function $V : Q_1 \times Q_2 \to \mathbb{R}_+ \cup \{\infty\}$ is a $\tau$-simulation function of $T_1$ by $T_2$ if for all $(q_1, q_2) \in Q_1 \times Q_2$:
A0) $V(q_1, q_2) \ge d_\Pi(\langle q_1\rangle, \langle q_2\rangle)$
A1) $V(q_1, q_2) \ge \sup_{q_1 \xrightarrow{\sigma_1} q'_1}\ \inf_{\sigma_2 \in B_\tau(\sigma_1),\ q_2 \xrightarrow{\sigma_2} q'_2} V(q'_1, q'_2)$

A $\tau$-simulation function defines a $(\tau, \varepsilon)$-STAS relation via its level sets. Namely, as shown in [12, Thm. 3.4], the $\varepsilon$-sublevel set of $V$,
$$\{(q, q') \in Q_1 \times Q_2 \mid V(q, q') \le \varepsilon\} \qquad (6)$$
is a $(\tau, \varepsilon)$-STAS relation of $T_1$ by $T_2$ for all $\varepsilon \ge 0$.
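Added example (not the paper's own code) tying Definition 3.1 to Definition 4.1 on two constructed finite OMTS: it computes the least $\tau$-simulation function by iterating A1 upward from $V = d_\Pi$ (this value-iteration scheme is my choice for finite systems, not a procedure from [12]), extracts the $\varepsilon$-sublevel set (6), and checks conditions 1) and 2) of Definition 3.1 directly on that set. Labels are scalar durations with $d_\Sigma = |\cdot|$ and outputs are scalars with $d_\Pi = |\cdot|$.

```python
import math

# Constructed finite OMTS (not from the paper).  Labels are scalar durations,
# i.e. only the chronological component sigma_chi is modelled, so
# d_Sigma(s, s') = |s - s'|.  Outputs are scalars with d_Pi(y, y') = |y - y'|.
T1 = {
    "outputs": {"a0": 0.0, "a1": 1.0, "a2": 2.0},
    "trans": {"a0": [(1.0, "a1")], "a1": [(1.0, "a2")], "a2": [(1.0, "a2")]},
}
# T2 reproduces T1 with a late first step (1.2), an early second (0.9) and
# outputs off by 0.2 / 0.1: the kind of derived model Section I describes.
T2 = {
    "outputs": {"b0": 0.0, "b1": 1.2, "b2": 1.9},
    "trans": {"b0": [(1.2, "b1")], "b1": [(0.9, "b2")], "b2": [(1.0, "b2")]},
}


def d_pi(y1, y2):
    return abs(y1 - y2)


def d_sigma(s1, s2):
    return abs(s1 - s2)


def least_simulation_function(t1, t2, tau):
    """Least tau-simulation function of t1 by t2 (Def. 4.1) by value iteration:
    start from V = d_Pi (the weakest V satisfying A0) and raise V(q1, q2) to
    sup_{q1 -s1-> q1'} inf_{s2 in B_tau(s1), q2 -s2-> q2'} V(q1', q2') until A1
    holds everywhere.  An empty inf is +inf: T2 has no tau-close reply.
    Values come from a finite set, and V only grows, so the loop terminates."""
    pairs = [(q1, q2) for q1 in t1["outputs"] for q2 in t2["outputs"]]
    V = {(q1, q2): d_pi(t1["outputs"][q1], t2["outputs"][q2]) for q1, q2 in pairs}
    changed = True
    while changed:
        changed = False
        for q1, q2 in pairs:
            best_response = 0.0
            for s1, q1n in t1["trans"][q1]:
                replies = [V[(q1n, q2n)] for s2, q2n in t2["trans"][q2]
                           if d_sigma(s1, s2) <= tau]
                best_response = max(best_response, min(replies, default=math.inf))
            new = max(V[(q1, q2)], best_response)
            if new > V[(q1, q2)]:
                V[(q1, q2)] = new
                changed = True
    return V


def sublevel_relation(V, eps):
    """The eps-sublevel set (6) of a simulation function."""
    return {pair for pair, v in V.items() if v <= eps}


def is_stas(t1, t2, R, tau, eps):
    """Check conditions 1) and 2) of Def. 3.1 directly on a relation R."""
    for q1, q2 in R:
        if d_pi(t1["outputs"][q1], t2["outputs"][q2]) > eps:
            return False                      # condition 1) violated
        for s1, q1n in t1["trans"][q1]:
            if not any(d_sigma(s1, s2) <= tau and (q1n, q2n) in R
                       for s2, q2n in t2["trans"][q2]):
                return False                  # condition 2) violated
    return True


if __name__ == "__main__":
    V = least_simulation_function(T1, T2, tau=0.3)
    eps = V[("a0", "b0")]                     # precision reachable from (a0, b0)
    R = sublevel_relation(V, eps)
    print("eps =", eps, "R =", sorted(R), "STAS:", is_stas(T1, T2, R, 0.3, eps))
    # With tau = 0.1 the 1.2-long first step of T2 has no 0.1-close match,
    # so the least simulation function is infinite at (a0, b0).
    print("tau=0.1:", least_simulation_function(T1, T2, tau=0.1)[("a0", "b0")])
```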
To keep the equations readable, in what follows, we define the following: given $\sigma_{12} = (\sigma_1, \sigma_2) \in \Sigma_{12}$,
$$B^{34}_\tau(\sigma_{12}) := \{(\sigma_3, \sigma_4) \in \Sigma_{34} \mid d_{\Sigma_\chi}(\sigma_{\chi 1}, \sigma_{\chi 3}) \le \tau\}$$
($\Sigma_{34}$ is defined analogously to $\Sigma_{12}$ in (2)). The ball $B^{34}_\tau(\sigma_{12})$ contains all labels in $\Sigma_{34}$ whose 'chronological component' $\sigma_{\chi 3}$ is no more than $\tau$-away from $\sigma_{\chi 1}$. Note that by definition for any $(\sigma_3, \sigma_4) \in \Sigma_{34}$, $\sigma_{\chi 3} = \sigma_{\chi 4}$ (and analogously $\sigma_{\chi 1} = \sigma_{\chi 2}$) so the above definition effectively bounds the distance between both chronological components of the label.
Consider the OMTS $T_1, T_2, T_3, T_4$, with $T_1$ in a feedback loop with $T_2$, and $T_3$ with $T_4$. Let $V_{13}$ be a $\tau_{13}$-STAS function of $T_1$ by $T_3$ (Def. 4.1), and $V_{24}$ be a $\tau_{24}$-STAS function of $T_2$ by $T_4$. All systems share the same label set $\Sigma$. We introduce the following functions to keep the equations manageable: given $q'_1 \in Q_1$, $q_3 \in Q_3$, $\sigma_i \in \Sigma$, define
$$\bar V_{13}(q'_1, q_3, \sigma_1) := \inf_{\sigma_3 \in B_{\tau_{13}}(\sigma_1),\ q_3 \xrightarrow{\sigma_3} q'_3} V_{13}(q'_1, q'_3)$$
$$\bar V_{24}(q'_2, q_4, \sigma_2) := \inf_{\sigma_4 \in B_{\tau_{24}}(\sigma_2),\ q_4 \xrightarrow{\sigma_4} q'_4} V_{24}(q'_2, q'_4)$$
Consider $\bar V_{13}$: if we think of $T_3$ as trying to match $T_1$ transitions by minimizing $V_{13}$ over the label ball $B_{\tau_{13}}$, then $\bar V_{13}$ measures how well it does it. Similarly for $\bar V_{24}$.

Because STAS functions certify STAS relations via (6), the following theorem provides a way to build STAS functions for interconnections of systems, from the STAS functions of the individual connected systems.
Theorem 4.1: Consider the OMTS $T_1, T_2, T_3, T_4$ with common label set $\Sigma$ interconnected as described above. Let $V_{13}$ be a $\tau_{13}$-STAS function of $T_1$ by $T_3$, and $V_{24}$ be a $\tau_{24}$-STAS function of $T_2$ by $T_4$. Set $\tau = \min(\tau_{13}, \tau_{24})$. Define $V : Q_{12} \times Q_{34} \to \mathbb{R}_+$ to be $V((q_1, q_2), (q_3, q_4)) = h(V_{13}(q_1, q_3), V_{24}(q_2, q_4))$ where $h$ is continuous and non-decreasing in both arguments.

Recall the definition of lifted label sets $\Sigma_{12}, \Sigma_{34}$ in (2). Let $g : \mathbb{R} \to \mathbb{R}$ be a non-decreasing function s.t. $g(x) \ge x$ and for all $q_{12} \in Q_{12}$, $q_{34} \in Q_{34}$, $g$ satisfies
$$\sup_{\substack{q_1 \xrightarrow{\sigma_1} q'_1,\ q_2 \xrightarrow{\sigma_2} q'_2 \\ (\sigma_1, \sigma_2) \in \Sigma \times \Sigma}} h\big(\bar V_{13}(q'_1, q_3, \sigma_1), \bar V_{24}(q'_2, q_4, \sigma_2)\big) \ \ge\ g\Big(\sup_{\substack{q_1 \xrightarrow{\sigma_1} q'_1,\ q_2 \xrightarrow{\sigma_2} q'_2 \\ (\sigma_1, \sigma_2) \in \Sigma_{12}}} h\big(\bar V_{13}(q'_1, q_3, \sigma_1), \bar V_{24}(q'_2, q_4, \sigma_2)\big)\Big) \qquad (7)$$
Also, let $\gamma_1, \gamma_2 : \mathbb{R} \to \mathbb{R}_+$ be continuous non-increasing functions s.t. $\gamma_i(x) \le x$, $i = 1, 2$, and for all $\sigma_{12} = (\sigma_1, \sigma_2) \in \Sigma_{12}$, for all $(q_3, q_4) \in Q_{34}$, and all $(q'_1, q'_2)$,
$$\bar V_{13}(q'_1, q_3, \sigma_1) \ge \gamma_1\Big(\inf_{(\sigma_3, \sigma_4) \in B^{34}_\tau(\sigma_{12})} V_{13}(q'_1, q'_3)\Big) \qquad (8)$$
$$\bar V_{24}(q'_2, q_4, \sigma_2) \ge \gamma_2\Big(\inf_{(\sigma_3, \sigma_4) \in B^{34}_\tau(\sigma_{12})} V_{24}(q'_2, q'_4)\Big) \qquad (9)$$
If the following conditions hold:
(a) $V$ is continuous in the product topology of $Q_{12} \times Q_{34}$.
(b) For all $q_{12} \in Q_1 \times Q_2$, $q_{34} \in Q_3 \times Q_4$,
$$V(q_{12}, q_{34}) \ge d_\Pi(\langle q_{12}\rangle, \langle q_{34}\rangle) \qquad (10)$$
(c) Function $g$ distributes over $h$, that is $g(h(x, x')) = h(g(x), g(x'))$ for all $x, x'$.
(d) [Small Gain Condition] For all $x \in \mathbb{R}$, $g \circ \gamma_1(x) \ge x$ and $g \circ \gamma_2(x) \ge x$;
then $V$ is a $\tau$-STAS function of $T_1T_2$ by $T_3T_4$.
Before proving the theorem, a few words are in order about its hypotheses. A function $g$ satisfying (7) always exists: by observing that $\Sigma_{12} \subseteq \Sigma \times \Sigma$, we see that $g$ can be taken to be the identity. A non-identity function quantifies how restrictive the interconnection $T_1T_2$ is. It does so by quantifying the difference between the full label set $\Sigma \times \Sigma$ available to the individual systems operating without interconnection (on the LHS of inequality (7)), and the restricted label set $\Sigma_{12}$ available to them as part of the interconnection (on the RHS). Similarly, functions $\gamma_1, \gamma_2$ satisfying (8), (9) always exist: we can take $\gamma_i$ to be identically zero. These choices, however, are unlikely to be useful: we need $\gamma_i$ to quantify how restrictive the interconnection $T_3T_4$ is. They do so by quantifying the difference between the full label ball $B_{\tau_{13}}(\sigma_1) \times B_{\tau_{24}}(\sigma_2)$ available to the individual systems operating without interconnection, and the restricted label ball $B^{34}_\tau(\sigma_{12}) \subseteq B_{\tau_{13}}(\sigma_1) \times B_{\tau_{24}}(\sigma_2)$ available to them as part of the interconnection. See Fig. 3 for an illustration of the label sets.
These two aspects are similar to the conditions, in more classical Lyapunov-based small gain theorems, placing a minimum on the rate of decrease of the Lyapunov functions of the individual systems, and that bound is related to the growth of the other system's Lyapunov function. (For example results on input-to-state stability [11], [21], and for bisimulation functions in non-hybrid systems [6]). Now the more restrictive $T_1T_2$ is, the bigger $g$ can be. The more restrictive $T_3T_4$ is, the smaller $\gamma_i$ need to be. The Small Gain Condition (SGC) says that the restrictiveness of $T_1T_2$ must be balanced by that of $T_3T_4$: if $T_3T_4$ is too restrictive ($\gamma_i(x) \ll x$) relative to $T_1T_2$ ($g \circ \gamma_i(x) < x$), then $T_1T_2$ can play a label $\sigma_{12}$ that can't be matched, and thus we lose similarity of the systems. Thus similar to the classical results (e.g., [6]), the SGC balances the gains of the feedback loops.

[Fig. 3. Label sets constrained by interconnection. $\Sigma_{12}$ is the set of label pairs compatible with the interconnection as given in Def. 2.2.]
Proof: (Thm. 4.1) We seek a STAS function $V : Q_{12} \times Q_{34} \to \mathbb{R}_+$ which would certify that $T_3T_4$ simulates $T_1T_2$, and we seek the corresponding precision $(\tau, \varepsilon)$. For notational convenience, introduce
$$\bar V(q'_{12}, q_{34}, \sigma_{12}) := \inf_{\sigma_{34} \in B^{34}_\tau(\sigma_{12}),\ q_{34} \xrightarrow{\sigma_{34}} q'_{34}} V(q'_{12}, q'_{34})$$
By definition, $V$ must satisfy for all $(q_{12}, q_{34}) \in Q_{12} \times Q_{34}$:
A0) $V(q_{12}, q_{34}) \ge d_\Pi(\langle q_{12}\rangle, \langle q_{34}\rangle)$
A1) $V(q_{12}, q_{34}) \ge \sup_{q_{12} \xrightarrow{\sigma_{12}} q'_{12}} \Big(\inf_{\sigma_{34} \in B^{34}_\tau(\sigma_{12}),\ q_{34} \xrightarrow{\sigma_{34}} q'_{34}} V(q'_{12}, q'_{34})\Big)$

Condition A0 is the same as (10), and so is true by hypothesis. Now for A1. First we restate it using $\bar V$:
$$V(q_{12}, q_{34}) \ge \sup_{q_{12} \xrightarrow{\sigma_{12}} q'_{12}} \bar V(q'_{12}, q_{34}, \sigma_{12})$$
For all $q_1, q_2, q_3, q_4$,
$$\begin{aligned} h(V_{13}(q_1, q_3), V_{24}(q_2, q_4)) &\ge h\Big(\sup_{q_1 \xrightarrow{\sigma_1} q'_1} \bar V_{13}(q'_1, q_3, \sigma_1),\ \sup_{q_2 \xrightarrow{\sigma_2} q'_2} \bar V_{24}(q'_2, q_4, \sigma_2)\Big) \\ &\ge \sup_{q_1 \xrightarrow{\sigma_1} q'_1,\ q_2 \xrightarrow{\sigma_2} q'_2} h\big(\bar V_{13}(q'_1, q_3, \sigma_1), \bar V_{24}(q'_2, q_4, \sigma_2)\big) \\ &= \sup_{(\sigma_1, \sigma_2) \in \Sigma \times \Sigma} h\big(\bar V_{13}(q'_1, q_3, \sigma_1), \bar V_{24}(q'_2, q_4, \sigma_2)\big) \end{aligned}$$
where we used property A1 for $V_{13}$ and $V_{24}$ and the fact that $h$ is non-decreasing to obtain the first inequality, and the non-decreasing nature of $h$ to obtain the second inequality. (The second inequality becomes equality if $V_{13}$ and $V_{24}$ achieve their suprema over $\Sigma_1$ and $\Sigma_2$ respectively.) Using (7), it follows that
$$h(V_{13}, V_{24}) \ge g\Big(\sup_{(\sigma_1, \sigma_2) \in \Sigma_{12}} h\big(\bar V_{13}(q'_1, q_3, \sigma_1), \bar V_{24}(q'_2, q_4, \sigma_2)\big)\Big)$$
Applying (8), (9) to the RHS of this last inequality,
$$h(V_{13}, V_{24}) \ge g\Big(\sup_{\Sigma_{12}} h\big(\gamma_1(\inf_{B^{34}_\tau(\sigma_{12})} V_{13}),\ \gamma_2(\inf_{B^{34}_\tau(\sigma_{12})} V_{24})\big)\Big)$$
where we are using $\inf_{B^{34}_\tau(\sigma_{12})} V_{ij}$ as an abbreviation for $\inf_{(\sigma_3, \sigma_4) \in B^{34}_\tau(\sigma_{12}),\ q_j \xrightarrow{\sigma_j} q'_j} V_{ij}(q'_i, q'_j)$.

We now establish two inequalities. First, note that
$$\gamma_1\Big(\inf_{B^{34}_\tau(\sigma_{12})} V_{13}\Big) \ge \inf_{B^{34}_\tau(\sigma_{12})} \gamma_1(V_{13}) \qquad (11)$$
Indeed, let $\bar Q_3 = Post(q_3, B^{34}_\tau(\sigma_{12}))$ be the set over which the infimization is happening. We have that $v^* := \inf_{B^{34}_\tau(\sigma_{12})} V_{13}(q'_1, q'_3)$ is finite since $V$ is lower bounded by 0. Now since $v \ge v^*$ for all $v \in V_{13}(\bar Q_3)$, and $\gamma_1$ is non-increasing, it follows that $\gamma_1(v) \le \gamma_1(v^*)$ for all $v \in V_{13}(\bar Q_3)$. Taking the infimum on the RHS, the inequality (11) follows. An inequality analogous to (11) holds for $\gamma_2$ by a similar argument.

Second, note that because $\gamma_i$ and $V$ are continuous, and $\bar Q_3$ is compact, then the set $\gamma_i \circ V(\bar Q_3)$ is compact as well. Since $h$ is continuous as well, it achieves its infimum over compact sets and therefore
$$h\Big(\inf_{B^{34}_\tau(\sigma_{12})} \gamma_1(V_{13}),\ \inf_{B^{34}_\tau(\sigma_{12})} \gamma_2(V_{24})\Big) = \inf_{B^{34}_\tau(\sigma_{12})} h(\gamma_1 \circ V_{13}, \gamma_2 \circ V_{24}) \qquad (12)$$
We can proceed as
$$\begin{aligned} h(V_{13}, V_{24}) &\ge g\Big(\sup_{\Sigma_{12}} h\big(\gamma_1(\inf_{B^{34}_\tau(\sigma_{12})} V_{13}),\ \gamma_2(\inf_{B^{34}_\tau(\sigma_{12})} V_{24})\big)\Big) \\ &\ge g\Big(\sup_{\Sigma_{12}} h\big(\inf_{B^{34}_\tau(\sigma_{12})} \gamma_1(V_{13}),\ \inf_{B^{34}_\tau(\sigma_{12})} \gamma_2(V_{24})\big)\Big) \\ &= g\Big(\sup_{\Sigma_{12}} \inf_{B^{34}_\tau(\sigma_{12})} h(\gamma_1 \circ V_{13}, \gamma_2 \circ V_{24})\Big) \\ &= \sup_{\Sigma_{12}} \inf_{B^{34}_\tau(\sigma_{12})} g \circ h(\gamma_1 \circ V_{13}, \gamma_2 \circ V_{24}) \end{aligned}$$
To obtain the second inequality, we used (11) and the fact that $h$ and $g$ are non-decreasing. To obtain the equalities, we used (12) and the fact that $g$ is non-decreasing. By distributivity of $g$ over $h$ and the SGC,
$$h(V_{13}, V_{24}) \ge \sup_{\Sigma_{12}} \inf_{B^{34}_\tau(\sigma_{12})} h(g \circ \gamma_1 \circ V_{13},\ g \circ \gamma_2 \circ V_{24}) \ge \sup_{\Sigma_{12}} \inf_{B^{34}_\tau(\sigma_{12})} h(V_{13}, V_{24})$$
thus concluding that $V = h(V_{13}, V_{24})$ satisfies A1, and so is a $\tau$-STAS function. ∎
About the other conditions. The distributivity assumption in (c) holds, for example, if $h$ is the max operator, i.e. $h(x, x') = \max(x, x')$.

Thm. 4.1 assures us that feedback interconnection respects the similarity relation, and therefore also respects conformance. However, the conditions defining $g$ and $\gamma_i$ (equations (7) and (8), (9)) are technical conditions that are hard to check. Turning them into a computational tool for particular classes of systems is the subject of current research. A simpler, and more conservative, criterion is given in the following theorem:
Theorem 4.2: If
$$k_1 := \frac{\inf_{Q_1} \inf_{Q_3} V_{13}(q_1, q_3)}{\sup_{Q_3} \sup_{Q_1} V_{13}(q_1, q_3)} < \infty$$
then $\gamma_1(v) = k_1 v$ satisfies (8). Similarly, if
$$k_2 := \frac{\inf_{Q_2} \inf_{Q_4} V_{24}(q_2, q_4)}{\sup_{Q_2} \sup_{Q_4} V_{24}(q_2, q_4)} < \infty$$
then $\gamma_2(v) = k_2 v$ satisfies (9).
Proof: We give the proof for $k_1$, that for $k_2$ is similar. Define $\bar Q_3 = \{q'_3 \mid \exists q_3 \xrightarrow{\sigma_3} q'_3,\ \sigma_3 \in \mathrm{pr}_\Sigma(B^{34}_\tau(\sigma_{12}))\}$ and $\hat Q_3 = \{q'_3 \mid \exists q_3 \xrightarrow{\sigma_3} q'_3,\ \sigma_3 \in B_{\tau_{13}}(\sigma_1)\}$. Since $\mathrm{pr}_\Sigma(B^{34}_\tau(\sigma_{12})) \subseteq B_{\tau_{13}}(\sigma_1)$, $\bar Q_3 \subseteq \hat Q_3$. Thus for any $q'_1, q'_3$,
$$\bar V_{13}(q'_1, q_3, \sigma_1) = \inf_{\hat Q_3} V_{13}(q'_1, q'_3) \ge \inf_{Q_1 \times Q_3} V_{13}(q_1, q'_3) = k_1 \sup_{Q_1 \times Q_3} V_{13}(q_1, q'_3) \ge k_1 \inf_{\bar Q_3} V_{13}(q'_1, q'_3) = \gamma_1\Big(\inf_{B^{34}_\tau(\sigma_{12})} V_{13}(q'_1, q'_3)\Big)$$
∎
The challenge with the choice of $\gamma_1$ and $\gamma_2$ in Thm. 4.2 is that $g$ is now required to always 'compensate' for the worst-case behavior to satisfy the SGC. I.e. we need $g(x) \ge x / \max(k_1, k_2)$ for all $x$. This may lead to a violation of (7).
The next result follows from Thm. 4.1, the fact that $h$ is increasing, and [12, Thm. 3.6].

Theorem 4.3: Let $\varepsilon_{13} = \sup_{Q^0_1 \times Q^0_3} V_{13}(q_1, q_3)$ and $\varepsilon_{24} = \sup_{Q^0_2 \times Q^0_4} V_{24}(q_2, q_4)$, so that $T_3$ $(\tau_{13}, \varepsilon_{13})$-simulates $T_1$, and $T_4$ $(\tau_{24}, \varepsilon_{24})$-simulates $T_2$. Then $T_3T_4$ $(\tau, \varepsilon)$-simulates $T_1T_2$ with $\tau = \min(\tau_{13}, \tau_{24})$, $\varepsilon = h(\varepsilon_{13}, \varepsilon_{24})$.
In this paper we understand conformance as a notion that relates systems, as done in [22], rather than a system and its specification as done for example in [4]. Most existing works on system conformance either require equality of outputs, or do not account for timing differences, as in [15] where an approximate method for verifying formal equivalence between a model and its auto-generated code is presented. The approach to conformance of Hybrid Input/Output Automata in [17] falls in the domain of nondeterministic abstractions, and a thorough comparison between this notion and ours is given in [16]. The works closest to ours are [12] and [19]. The work [12] defines the STAS relation we used in this paper. The goal in [12] is to define robust approximate synchronization between systems (rather than conformance testing). The refinement relation between systems given in [20] allows different inputs to the two systems. Conformance requires the same input be applied, which is a more stringent requirement. The current theoretical framework also allows a significantly wider class of systems than in [20].
When a system model goes through multiple design and verification iterations, it is necessary to get a rigorous and quantitative measure of the similarities between the systems. Conformance testing [2] allows us to obtain such a measure, and to automatically transfer formal verification results from a simpler model to a more complex model of the system. In this paper, we extended the reach of conformance testing by developing sufficient conditions for feedback interconnections of conformant systems to be conformant. As pointed out earlier, these conditions apply to Open Metric Transition Systems, and while this means they are very broadly applicable, they must be specialized to specific classes of dynamical systems. The next step is to compute STAS functions for various classes of dynamical systems, including hybrid systems. This is the subject of current research. In addition, we aim to apply the compositionality theory developed here to problems in source code