From Simulation Models to Hybrid Automata Using Urgency and Relaxation

We consider the problem of translating a deterministic \emph{simulation model} (like Matlab-Simunk, Modelica or Ptolemy models) into a \emph{verification model} expressed by a network of hybrid automata. The goal is to verify safety using reachability analysis on the verification model. Simulation models typically use transitions with urgent semantics, which must be taken as soon as possible. Urgent transitions also make it possible to decompose systems that would otherwise need to be modeled with a monolithic hybrid automaton. In this paper, we include urgent transitions in our verification models and propose a suitable adaptation of our reachability algorithm. However, the simulation model, due to its imperfections, may be unsafe even though the corresponding hybrid automata are safe. Conversely, set-based reachability may not be able to show safety of an ideal formal model, since complex dynamics necessarily entail overapproximations. Taken as a whole, the formal modeling and verification process can both falsely claim safety and fail to show safety of the concrete system. We address this inconsistency by relaxing the model as follows. The standard semantics of hybrid automata is a mathematical idealization, where reactions are considered to be instantaneous and physical measurements infinitely precise. We propose semantics that relax these assumptions, where guard conditions are sampled in discrete time and admit measurement errors. The relaxed semantics can be translated to an equivalent relaxed model in standard semantics. The relaxed model is realistic in the sense that it can be implemented on hardware fast and precise enough, and in a way that safety is preserved. Finally, we show that overapproximative reachability analysis can show safety of relaxed models, which is not the case in general.