Related work

The benchmarks can be solved by all considered implementations, namely HyTech, and the HHA implementation with CLP, within milliseconds. Fig. 8.6 shows the concrete run-time results (in milliseconds), by comparing Hytech with HHA. It reveals that the CLP/HHA implementation allows the briefest problem formulations because of the use of the abstract state machine, but since the time points of performing discrete steps are not computed explic-itly, it is susceptible to rounding errors. In order to guarantee termination of the CLP implementations, the search depth is fixed in advance. For the CLP/HHA implementation, the number of continuous plus discrete steps is given. These limits are also listed in the table.

Example HyTech CLP/HHA

seconds seconds steps

Scheduler 0.12 0.34 12

Temperature Controller 0.04 0.02 12 Train Gate Controller 0.05 0.03 12 Train Gate Controller 2 0.10 0.02 9

Water Level 0.03 0.02 8

Fig. 8.6. Experimental results.

In the run of the abstract state machine, the way of setting the depth might restrict the reachability analysis such that the reached configurations could be incomplete to check the reachability of certain queries. Hence, one might get negative results. A possible solution to this problem is to set the depth to be big enough. But this raises the problem of the performance of run-time.

A suitable way to handle the reachability analysis is to find exact reachabil-ity of configurations—similar to the way of computing the reachabilreachabil-ity of regions presented in Chapter 4—by running the abstract state machine until reaching to fixed configurations, i.e. finding cycles. In [Schwarz et al., 2010;

Mohammed and Schwarz, 2009] the hierarchical implementation has been re-fined to perform that process.

8.5 Related work 121

On of the early approaches discussing model checking of hierarchical state machines is presented in [Alur and Yannakakis, 1998]. In this approach the verification of hierarchical finite machines are performed without flatting the hierarchy. Several algorithms are presented for the model checking prob-lem. In particular, this approach adopts a depth first search algorithm that per-forms the reachability analysis. This approach, however, does not consider the continuous behaviors within the hierarchical state machines. A similar work to this approach is presented in [Gnesi et al., 1999]. This work presents a sim-ple model-checking approach to verify UML statechart diagrams. However, this approach is very simple and restricted in the sense that it does not handle the hierarchical notations of statecharts. Moreover, the continuous dynamics are not be considered.

Modecharts [Jahanian and Mok, 1994] is one of the early extensions of the statecharts which extends statecharts with timing notations. The for-mal semantics of Modecharts are defined in terms of real time logic of [Jahanian and Mok, 1986] whose time is restricted to discrete domain. A sim-ilar work is presented in [Kesten and Pnueli, 1991]. This work suggests an extension of statecharts to accommodate continuous and discrete event be-haviors. As a result of this extension a language called timed statecharts is presented in which each transition of statecharts is annotated by a time inter-val [l,u]denoting the lower and upper time bounds of that transition. Also, this work proposes what is called hybrid statecharts as a further extension to statecharts, which allows to annotate a basic state of statecharts with differ-ential equations. The semantics of those extensions are discussed, but there is no automatic mean to execute these hybrid statecharts.

In contrast to this chapter, there are researches that use components to model hierarchy instead of statecharts. In these researches, atomic compo-nents are used to build more complex compocompo-nents in hierarchical manners.

Interaction between components takes place by means of shared variables.

Synchronization by means of actions is, however, not supported. One of the works adopting this approach is presented in [Henzinger, 2000]. In this work, a language called Masaccio is used as a formal model of hybrid dynamic sys-tems. In Masaccio, systems are built from two atomic components, namely discrete and continuous components. A model in Masaccio is structured in a way which permits hierarchical definition of components. Both types of com-ponents can be arbitrarily nested and composed by means of parallel and se-rial operators. Data can enter and exit a component through variables. Control enters and exits through locations. Masaccio supports the assume guarantee principle, where one can separately verify the correctness of each component

by assuming that the rest of the components of the systems behave according to their specification. By using this technique, a large verification problem can be decomposed into many smaller verification problems. In this approach, however, there is no formal verification on the model as a whole. Charon [Alur et al., 2000, 2001] is quite similar to this work, which also addresses the hierarchical issues within hybrid systems. In the framework of Charon, the basic building block is represented by an agent that communicates with its environment by means of shared variables. Agents can model distinct com-ponents of the system whose executions are all active at the same time. The agents in this approach are classified into two types: primitive and compos-ite agents. The primitive agents form the primitive types or basic building blocks of the architectural hierarchy. The composite agents are derived by parallel composition of the primitive agents. The internal behavior of each agent is represented by modes, which represent the discrete and continuous activities of the agent. Each agent consists of one or more distinct modes that describe the flow of control inside an agent. In addition to variables, contin-uous dynamics, invariants, and guards, modes contain control points which provide entry and exit points to the flow of modes. Although Charon can perform some kind of formal analysis, particularly checking invariants at run time and reporting an error when an invariant is violated and no transition is enabled, it only focuses on simulation rather then formal analysis. SHIFT [Deshpande et al., 1997] is a similar simulation approach allowing hierarchi-cal specifications of hybrid systems.

Other works proposes to model hierarchical machines with hybrid au-tomata or with less expressive subclasses of hybrid auau-tomata. However, to analyze behaviors of hierarchical models, they have to be flattened into or-dinary state machines and then model checking tools are applied on the flat-tened parts. An example of these works is presented in [Mller et al., 2003].

In this work, a hierarchical specification of timed automata is presented.

To verify a hierarchical model, it has to be transformed to flat-timed au-tomata, which in turn can be used as input for the model checker tool Uppaal [Behrmann et al., 2004]. Similarly, Ruh in [Ruh, 2007] presents a translator tool that automatically converts hybrid hierarchical statecharts, defined as an ASCII-formatted specification, into an input format for the model checker Hytech [Henzinger et al., 1997]. In contrast to these works, we have shown that the hierarchical hybrid automata can be analyzed without getting in-volved in the flattening process.

9

From Graphical Modeling to Formal analysis

So far, we have shown a framework to model and verify multi-agent systems by means of concurrent and hierarchical hybrid automata. Both the model and the requirements of the system under consideration have to be written in CLP. However, specifying the complete systems using CLP is definitely a te-dious, error-prone and undesirable task, particularly when specifying safety-critical or larger systems. To facilitate the process of specification, graphical notations of software engineering are helpful to model systems, but they pro-vide little support for systems analysis. Therefore, to bring the advantages of graphical notations together with automatic verification of formal meth-ods. For this purpose, this chapter aims at simplifying the specification and verification process by introducing HieroMate a tool environment with a con-straint logic programming core that allows us to specify multi-agent systems graphically and verify them automatically. The Chapter demonstrates this on a multi-agent system scenario taken from the Robocup rescue. The contribu-tion of this chapter has been published in [Mohammed and Schwarz, 2009;

Schwarz et al., 2010].