Reachability computation for hybrid systems with Ariadne

Luca Benvenuti ∗, Davide Bresolin ∗∗, Alberto Casagrande ∗∗∗, Pieter Collins ∗∗∗∗, Alberto Ferrari †, Emanuele Mazzi †, Alberto Sangiovanni-Vincentelli †,‡, Tiziano Villa ∗∗

∗ Università di Roma “La Sapienza”, Roma, Italy (luca.benvenuti@uniroma1.it)
∗∗ Università di Verona, Verona, Italy (bresolin@sci.univr.it, tiziano.villa@univr.it)
∗∗∗ Università di Udine, Udine, Italy (casagrande@dimi.uniud.it)
∗∗∗∗ CWI, Amsterdam, The Netherlands (pieter.collins@cwi.nl)
† PARADES, Roma, Italy (aferrari@parades.rm.cnr.it, emazzi@parades.rm.cnr.it)
‡ Dept. of EECS, University of California, Berkeley, California (alberto@eecs.berkeley.edu)

Abstract: Ariadne is an in-progress open environment for designing algorithms that compute with hybrid automata. It relies on a rigorous theory of computable analysis to represent geometric objects, so that provable approximation bounds hold throughout the computations. In this paper we discuss the problem of reachability analysis of hybrid automata for deciding safety properties. We describe in detail the algorithm used in Ariadne to compute over-approximations of reachable sets, and then show how it works on a simple example. Finally, we discuss the lower-approximation approach to the reachability problem and how Ariadne can be extended to support it.

1. INTRODUCTION

In many application fields there is a need to model systems with a mixed discrete and continuous behaviour that cannot be characterized faithfully using only discrete or only continuous models. This is the case, for example, of automotive powertrain systems, where a four-stroke engine is modelled by a switching continuous system and is controlled by a digital controller. Such systems consist of a discrete control part that operates in a continuous environment, and they are called hybrid systems because of their mixed nature. In order to model and specify hybrid systems formally, Alur et al. (1992) and Maler et al. (1991) introduced the notion of hybrid automata. Intuitively, a hybrid automaton is a “finite-state automaton” with continuous variables that evolve according to the dynamics characterizing each discrete node.

Of particular importance in the study of a hybrid automaton is the reachable set, which consists of all states that can be reached under the dynamical evolution starting from a given set of initial states. The states of a hybrid automaton consist of a discrete location paired with a vector of continuous variables, and therefore have the cardinality of the continuum. Because of this, reachability is, in general, undecidable, as proved in Henzinger et al. (1995). Many papers therefore propose approximation techniques to estimate the reachable set (see Halbwachs et al. (1994); Dang and Maler (1998); Asarin et al. (2000); Kurzhanski and Varaiya (2000); Botchkarev and Tripakis (2000); Silva et al. (2001)). However, even computing approximations to the reachable set is not straightforward; indeed, it may not even be possible to compute a sequence of over-approximations that converges to the reachable set (Collins (2005)).

Many tools have been developed to compute or approximate reachable sets for hybrid systems, using different approaches. Tools like Kronos (Daws et al. (1995); Yovine (1997)) and UPPAAL (Larsen et al. (1997)) compute the reachability relation for systems based on timed automata. Other tools, such as d/dt (Asarin et al. (2002)), VeriShift (Botchkarev and Tripakis (2000)), HSOLVER (Ratschan and She (2007)), HybridSal (Tiwari (2008)), and HyTech (Henzinger et al. (1997)), compute approximations to the reachable set for hybrid automata with linear continuous dynamics. PHAVer (Frehse (2005)) lets the user set an arbitrary level of precision; CheckMate (Clarke et al. (2003)) can compute approximations to the reachable set for hybrid automata with non-linear dynamics. Additionally, general-purpose tools for set-based analysis, such as GAIO (Dellnitz et al. (2001)), COSY Infinity (Makino and Berz (2006)) and Mitchell’s Toolbox of Level Set Methods (Tomlin et al. (2003)), may be used. These tools also include many interesting features, such as model checking capabilities or graphical modelling interfaces.

However, most of these tools are unable to handle non-linear dynamics and constraints, have restrictive licences, and some are even closed source. Without access to the source code, users cannot customize or optimize them for a specific class of instances of the reachability problem, and cannot check that the algorithms are correctly implemented.
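As an added illustration of the reachable set defined in the introduction, and of over-approximating it to decide a safety property, the following is a constructed toy example (not Ariadne's algorithm and not a model from the paper): a two-location thermostat with scalar affine dynamics whose reachable states are enclosed, per location, by intervals widened outward onto a grid of width w; the widening is the only source of over-approximation, because the hull of a scalar affine flow over a time step h is exact.

```python
import math

# Constructed toy thermostat (a hypothetical model, not one from the paper):
#   "off": x' = -x       invariant x >= 18   jump to "on"  enabled when x <= 18
#   "on":  x' = -x + 30  invariant x <= 22   jump to "off" enabled when x >= 22
# Dynamics are affine, x' = a*x + b with a != 0; jumps leave x unchanged.
INF = float("inf")
DYN = {"off": (-1.0, 0.0), "on": (-1.0, 30.0)}
INV = {"off": (18.0, INF), "on": (-INF, 22.0)}
JUMP = {"off": ("on", (-INF, 18.0)), "on": ("off", (22.0, INF))}  # (target, guard)

def flow(x0, a, b, t):
    """Exact solution of x' = a*x + b starting from x0, after time t."""
    return (x0 + b / a) * math.exp(a * t) - b / a
def meet(p, q):
    """Intersection of two closed intervals, or None when it is empty."""
    lo, hi = max(p[0], q[0]), min(p[1], q[1])
    return (lo, hi) if lo <= hi else None
def hull(p, q):
    """Smallest interval containing both; either argument may be None."""
    return (p or q) if p is None or q is None else (min(p[0], q[0]), max(p[1], q[1]))
def round_out(box, w):
    """Enlarge outward onto the grid of width w: this is the over-approximation step."""
    return (math.floor(box[0] / w) * w, math.ceil(box[1] / w) * w)
def flow_segment(box, a, b, h):
    """Points visited during [0, h] from box: exact, as a scalar affine flow is monotone."""
    vals = [box[0], box[1], flow(box[0], a, b, h), flow(box[1], a, b, h)]
    return (min(vals), max(vals))

def over_reach(init, h=0.1, w=0.5):
    """Grid-aligned interval per location enclosing the reachable set from init.
    Boxes only grow and lie on a finite grid, so the iteration reaches a fixed point."""
    reach = dict(init)
    while True:
        new = dict(reach)
        for q, box in reach.items():
            cont = meet(flow_segment(box, *DYN[q], h), INV[q])  # continuous evolution
            if cont is not None:
                cont = round_out(cont, w)
                new[q] = hull(new.get(q), cont)
                target, guard = JUMP[q]
                enabled = meet(cont, guard)  # discrete jump with identity reset
                if enabled is not None:
                    new[target] = hull(new.get(target), round_out(enabled, w))
        if new == reach:
            return reach
        reach = new

def is_safe(reach, unsafe):
    """Safety property: no reachable state, in any location, lies in the unsafe interval."""
    return all(meet(box, unsafe) is None for box in reach.values())
```

Starting from the box [20, 21] in location "off", over_reach returns [18, 22] in both locations, so is_safe confirms the property "x never reaches 25".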