A Temporal Dynamic Logic for Verifying Hybrid System Invariants e - - PowerPoint PPT Presentation

A Temporal Dynamic Logic for Verifying Hybrid System Invariants

Andr´ e Platzer1,2

1University of Oldenburg, Department of Computing Science, Germany 2Carnegie Mellon University, Computer Science Department, Pittsburgh, PA, USA

LFCS’07

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 1 / 16

Outline

1

Motivation

2

Temporal Dynamic Logic dTL Syntax Trace Semantics Conservative Extension Safety Invariants in Train Control

3

Verification Calculus for dTL Sequent Calculus Verifying Safety Invariants in Train Control Soundness

4

Conclusions & Future Work

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 1 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

Hybrid Systems

continuous evolution along differential equations + discrete change

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

Hybrid Systems

continuous evolution along differential equations + discrete change

t z v

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

problem technique OP PAR T closed

ETCS | = z < MA TL-MC

• ×
• ×

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

problem technique OP PAR T closed

ETCS | = z < MA TL-MC

• ×
• ×

× no free parameters like ST, SB × no finite-state bisimulation for HS

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

problem technique OP PAR T closed

ETCS | = z < MA TL-MC

• ×
• ×

| = (Ax(ETCS) → z < MA) TL-calculus × . . .

• . . .

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

problem technique OP PAR T closed

ETCS | = z < MA TL-MC

• ×
• ×

| = (Ax(ETCS) → z < MA) TL-calculus × . . .

• . . .

× declaratively axiomatise operational model

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

problem technique OP PAR T closed

ETCS | = z < MA TL-MC

• ×
• ×

| = (Ax(ETCS) → z < MA) TL-calculus × . . .

• . . .

| = [ETCS] z < MA DL-calculus

• ×
• Andr´

e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

problem technique OP PAR T closed

ETCS | = z < MA TL-MC

• ×
• ×

| = (Ax(ETCS) → z < MA) TL-calculus × . . .

• . . .

| = [ETCS] z < MA DL-calculus

• ×
• [RBC]partitioned → Train[RBC]safe

× no intermediate states

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

problem technique OP PAR T closed

ETCS | = z < MA TL-MC

• ×
• ×

| = (Ax(ETCS) → z < MA) TL-calculus × . . .

• . . .

| = [ETCS] z < MA DL-calculus

• ×
• |

= [ETCS] z < MA DTL-calculus

• Andr´

e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Verifying Hybrid Systems

RBC MA ST SB negot corr far

problem technique OP PAR T closed

ETCS | = z < MA TL-MC

• ×
• ×

| = (Ax(ETCS) → z < MA) TL-calculus × . . .

• . . .

| = [ETCS] z < MA DL-calculus

• ×
• |

= [ETCS] z < MA DTL-calculus

• differential temporal dynamic logic

dTL = TL + DL + HP

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Outline

1

Motivation

2

Temporal Dynamic Logic dTL Syntax Trace Semantics Conservative Extension Safety Invariants in Train Control

3

Verification Calculus for dTL Sequent Calculus Verifying Safety Invariants in Train Control Soundness

4

Conclusions & Future Work

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Outline

1

Motivation

2

Temporal Dynamic Logic dTL Syntax Trace Semantics Conservative Extension Safety Invariants in Train Control

3

Verification Calculus for dTL Sequent Calculus Verifying Safety Invariants in Train Control Soundness

4

Conclusions & Future Work

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 2 / 16

Temporal Dynamic Logic dTL: Syntax

Definition (Hybrid program α)

x′ = f (x) (continuous evolution) x := θ (discrete jump) ?χ (conditional execution) α; β (seq. composition) α ∪ β (nondet. choice) α∗ (nondet. repetition)

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 3 / 16

Temporal Dynamic Logic dTL: Syntax

Definition (Hybrid program α)

x′ = f (x) (continuous evolution) x := θ (discrete jump) ?χ (conditional execution) α; β (seq. composition) α ∪ β (nondet. choice) α∗ (nondet. repetition) ETCS ≡ negot; corr; z′′ = a negot ≡ z′ = v, ℓ′ = 1 corr ≡ (?MA − z < SB; a := −b) ∪ (?MA − z ≥ SB; a := . . . )

RBC MA ST SB negot corr far Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 3 / 16

Temporal Dynamic Logic dTL: Syntax

Definition (Formulas / state formulas φ)

¬, ∧, ∨, →, ∀x , ∃x , =, ≤, +, · (first-order part) [α]π, απ (dynamic part)

Definition (Trace formulas π)

φ (non-temporal part) φ, ♦φ (temporal part)

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 3 / 16

Temporal Dynamic Logic dTL: Syntax

Definition (Formulas / state formulas φ)

¬, ∧, ∨, →, ∀x , ∃x , =, ≤, +, · (first-order part) [α]π, απ (dynamic part)

Definition (Trace formulas π)

φ (non-temporal part) φ, ♦φ (temporal part) [ETCS](ℓ ≤ L → z < MA) ETCS ≡ negot; corr; z′′ = a negot ≡ z′ = v, ℓ′ = 1

RBC MA ST SB negot corr far

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 3 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Hybrid trace)

Hybrid trace is sequence of continuous functions σi : [0, ri] → Sta V t x Semantics of hybrid program: set of all its hybrid traces σ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 4 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Hybrid trace)

Hybrid trace is sequence of continuous functions σi : [0, ri] → Sta V t x Semantics of hybrid program: set of all its hybrid traces σ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 4 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Hybrid programs α: trace semantics)

v w x := θ x . = val(v, θ)

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 5 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Hybrid programs α: trace semantics)

v w x′ = f (x) t x w v ϕ(t) x′ = f (x)

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 5 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Hybrid programs α: trace semantics)

v ?χ if v | = χ limbo ?χ if v | = χ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 5 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Hybrid programs α: trace semantics)

v s w α; β α β α; β ≡ α

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 5 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Hybrid programs α: trace semantics)

v s1 s2 sn w α∗ α α α

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 5 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Hybrid programs α: trace semantics)

v w1 w2 α β α ∪ β

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 5 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (State formulas φ)

v [α]π π π π

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 6 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (State formulas φ)

v απ π

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 6 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Trace formulas φ)

v αφ φ φ φ φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 6 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Trace formulas φ)

v [α]φ φ φ φ φ φ φ φ φ φ φ φ φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 6 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Trace formulas φ)

v α♦φ ♦φ φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 6 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Trace formulas φ)

v [α]♦φ ♦φ φ ♦φ φ ♦φ φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 6 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Trace formulas φ)

v w αφ φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 6 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Trace formulas φ)

v α-span [α]π

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 6 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Trace formulas φ)

v α-span [α]π βπ β-span

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 6 / 16

Temporal Dynamic Logic dTL: Trace Semantics

Definition (Trace formulas φ)

v α-span [α]π βπ β-span β♦[α]-span

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 6 / 16

Conservative Extension dTL/dL

Proposition

dTL is conservative extension of non-temporal dL, i.e., trace semantics ≡ transition semantics (without , ♦) v w

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 7 / 16

Conservative Extension dTL/dL

Proposition

dTL is conservative extension of non-temporal dL, i.e., trace semantics ≡ transition semantics (without , ♦) v w

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 7 / 16

Outline

1

Motivation

2

Temporal Dynamic Logic dTL Syntax Trace Semantics Conservative Extension Safety Invariants in Train Control

3

Verification Calculus for dTL Sequent Calculus Verifying Safety Invariants in Train Control Soundness

4

Conclusions & Future Work

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 7 / 16

Verification Calculus for dTL

φ ∧ [x := θ]φ [x := θ]φ v w φ x := θ φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 8 / 16

Verification Calculus for dTL

φ ∧ [x := θ]φ [x := θ]φ v w φ x := θ φ [α]φ ∧ [α][β]φ [α; β]φ v s w α; β α φ β φ α; β ≡ α φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 8 / 16

Verification Calculus for dTL

φ ∧ [x := θ]φ [x := θ]φ v w φ x := θ φ [α]φ ∧ [α][β]φ [α; β]φ v s w α; β α φ β φ α; β ≡ α φ [x′ = θ]φ [x′ = θ]φ v w x′ = f (x) φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 8 / 16

Verification Calculus for dTL

φ ∧ [x := θ]φ [x := θ]φ v w φ x := θ φ [α]φ ∧ [α][β]φ [α; β]φ v s w α; β α φ β φ α; β ≡ α φ [x′ = θ]φ [x′ = θ]φ v w s x′ = f (x) φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 8 / 16

Verification Calculus for dTL

Temporal Reduction Rules

10 temporal rules (T1) [α]φ ∧ [α][β]φ [α; β]φ (T2) φ [?χ]φ (T3) φ ∧ [x := θ]φ [x := θ]φ (T4) [x′ = θ]φ [x′ = θ]φ (T5) [α; α∗]φ [α∗]φ (T6) α♦φ ∨ αβ♦φ α; β♦φ (T7) φ ?χ♦φ (T8) φ ∨ x := θφ x := θ♦φ (T9) x′ = θφ x′ = θ♦φ (T10) α; α∗♦φ α∗♦φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 9 / 16

Verification Calculus for dTL

Non-temporal Rules

10 non-temporal rules (D1) απ ∨ βπ α ∪ βπ (D2) [α]π ∧ [β]π [α ∪ β]π (D3) αβφ α; βφ (D4) χ ∧ φ ?χφ (D5) χ → φ [?χ]φ (D6) φ ∨ α; α∗φ α∗φ (D7) φ ∧ [α; α∗]φ [α∗]φ (D8) F θ

x

x := θF (D9) ∃t≥0 x := yx(t)φ x′ = θφ (D10) ∀t≥0 [x := yx(t)]φ [x′ = θ]φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 10 / 16

Verification Calculus for dTL

Propositional/Quantifier Rules

10 propositional rules (P1) ⊢ φ ¬φ ⊢ (P2) φ ⊢ ⊢ ¬φ (P3) φ ⊢ ψ ⊢ φ → ψ (P4) φ, ψ ⊢ φ ∧ ψ ⊢ (P5) ⊢ φ ⊢ ψ ⊢ φ ∧ ψ (P6) ⊢ φ ψ ⊢ φ → ψ ⊢ (P7) φ ⊢ ψ ⊢ φ ∨ ψ ⊢ (P8) ⊢ φ, ψ ⊢ φ ∨ ψ (P9) φ ⊢ φ (P10) F0 ⊢ G0 F ⊢ G

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 11 / 16

Verify Safety in Train Control

ETCS ≡ negot; corr; z′′ = a negot ≡ z′ = v, ℓ′ = 1 corr ≡ (?MA − z < ST; a := −b) ∪ (?MA − z ≥ ST; a := . . . )

RBC MA ST SB negot corr far Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 12 / 16

Verify Safety in Train Control

ETCS ≡ negot; corr; z′′ = a negot ≡ z′ = v, ℓ′ = 1 corr ≡ (?MA − z < ST; a := −b) ∪ (?MA − z ≥ ST; a := . . . )

RBC MA ST SB negot corr far

Proof

ψ ⊢ Lv + z < MA ψ ⊢ ∀l≥0 (l ≤ L → lv + z < MA) ψ ⊢ ∀l≥0 z := lv + z, ℓ := lφ ψ ⊢ [negot]φ ψ ⊢ [negot]φ ψ, ℓ≥0 ⊢ v2 < 2b(MA − Lv − z) ψ, ℓ≥0 ⊢ z := ℓv+z, a := -b∀t≥0 (ℓ≤L → a

2 t2+vt+z<MA)

ψ, ℓ≥0 ⊢ z := ℓv+z, a := -b∀t≥0 z := a

2 t2+vt+zφ)

ψ, ℓ≥0 ⊢ z := ℓv+z, a := -b[z′′ = a]φ ⊲ ψ, ℓ≥0 ⊢ z := ℓv+z[corr][z′′ = a]φ ⊲ ψ, ℓ≥0 ⊢ z := ℓv+z[corr; z′′ = a]φ ψ ⊢ ℓ≥0 → z := ℓv+z[corr; z′′ = a]φ ψ ⊢ ∀ℓ≥0 z := ℓv+z[corr; z′′ = a]φ ψ ⊢ [negot][corr; z′′ = a]φ ψ ⊢ [negot; corr; z′′ = a]φ ⊢ ψ → [negot; corr; z′′ = a]φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 12 / 16

Verify Safety in Train Control

v2 < 2b(MA−Lv −z) Lv + z < MA

RBC MA ST SB negot corr far

Proof

ψ ⊢ Lv + z < MA ψ ⊢ ∀l≥0 (l ≤ L → lv + z < MA) ψ ⊢ ∀l≥0 z := lv + z, ℓ := lφ ψ ⊢ [negot]φ ψ ⊢ [negot]φ ψ, ℓ≥0 ⊢ v2 < 2b(MA − Lv − z) ψ, ℓ≥0 ⊢ z := ℓv+z, a := -b∀t≥0 (ℓ≤L → a

2 t2+vt+z<MA)

ψ, ℓ≥0 ⊢ z := ℓv+z, a := -b∀t≥0 z := a

2 t2+vt+zφ)

ψ, ℓ≥0 ⊢ z := ℓv+z, a := -b[z′′ = a]φ ⊲ ψ, ℓ≥0 ⊢ z := ℓv+z[corr][z′′ = a]φ ⊲ ψ, ℓ≥0 ⊢ z := ℓv+z[corr; z′′ = a]φ ψ ⊢ ℓ≥0 → z := ℓv+z[corr; z′′ = a]φ ψ ⊢ ∀ℓ≥0 z := ℓv+z[corr; z′′ = a]φ ψ ⊢ [negot][corr; z′′ = a]φ ψ ⊢ [negot; corr; z′′ = a]φ ⊢ ψ → [negot; corr; z′′ = a]φ

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 12 / 16

Verify Safety in Train Control

inv ≡ v2 ≤ 2b(MA − z)

RBC MA ST SB negot corr far

ST ≥ Lv + v2

2b

SB ≥

v2 2b +

a

b + 1

a

2ε2 + εv

• Andr´

e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 12 / 16

Soundness

Theorem (Soundness)

dTL calculus is sound.

Proposition (Incompleteness)

“All” discrete or continuous fragments of dTL are inherently incomplete.

fragment discrete continuous

FOL

• [α]φ

× × [α]♦φ × × [α]φ × × (Yet, reachability in hybrid systems is not semidecidable)

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 13 / 16

Outline

1

Motivation

2

Temporal Dynamic Logic dTL Syntax Trace Semantics Conservative Extension Safety Invariants in Train Control

3

Verification Calculus for dTL Sequent Calculus Verifying Safety Invariants in Train Control Soundness

4

Conclusions & Future Work

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 13 / 16

Future Work

Prove dTL/dL relatively complete “Temporal” induction Improve alternating “liveness” quantifiers [α]♦φ dTL∗ [ETCS](♦sensor → ♦stable)

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 14 / 16

Conclusions (I)

Deductively verify temporal properties of operational hybrid systems

differential temporal dynamic logic

dTL = TL + DL + HP [α]♦φ ♦φ φ

problem technique OP PAR T closed

ETCS | = z < MA TL-MC

• ×
• ×

| = (Ax(ETCS) → z < MA) TL-calculus × . . .

• . . .

| = [ETCS] z < MA DL-calculus

• ×
• |

= [ETCS] z < MA dTL-calculus

• Andr´

e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 15 / 16

Conclusions (II)

Train control (ETCS) verification Modular temporal/non-temporal calculus Constructive deduction modulo Verification tool HyKeY Parameter discovery

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 16 / 16

• B. Beckert and S. Schlager.

A sequent calculus for first-order dynamic logic with trace modalities. In R. Gor´ e, A. Leitsch, and T. Nipkow, editors, IJCAR, volume 2083 of LNCS, pages 626–641. Springer, 2001.

• J. M. Davoren, V. Coulthard, N. Markey, and T. Moor.

Non-deterministic temporal logics for general flow systems. In R. Alur and G. J. Pappas, editors, HSCC, volume 2993 of LNCS, pages 280–295. Springer, 2004.

• V. Mysore, C. Piazza, and B. Mishra.

Algorithmic algebraic model checking II: Decidability of semi-algebraic model checking and its applications to systems biology. In D. Peled and Y.-K. Tsay, editors, ATVA, volume 3707 of LNCS, pages 217–233. Springer, 2005.

• M. R¨
• nkk¨
• , A. P. Ravn, and K. Sere.

Hybrid action systems.

• Theor. Comput. Sci., 290(1):937–973, 2003.

Andr´ e Platzer (University of Oldenburg) Temporal Dynamic Logic for Hybrid Systems LFCS’07 16 / 16