Modeling and Verifying Cyber-Physical Systems with Hybrid Active Objects

Formal modeling of cyber-physical systems (CPS) is hard, because they pose the double challenge of combined discrete-continuous dynamics and concurrent behavior. Existing formal specification and verification languages for CPS are designed on top of their underlying proof search technology. They lack high-level structuring elements. In addition, they are not efficiently executable. This makes formal CPS models hard to understand and to validate, hence impairs their usability. Instead, we suggest to model CPS in an Active Objects (AO) language designed for concise, intuitive modeling of concurrent systems. To this end, we extend the AO language ABS and its runtime environment with Hybrid Active Objects (HAO). CPS models and requirements formalized in HAO must follow certain communication patterns that permit automatic translation into differential dynamic logic, a sequential hybrid program logic. Verification is achieved by discharging the resulting formulas with the theorem prover KeYmaera X. We demonstrate the practicality of our approach with case studies.

💡 Research Summary

**
The paper tackles the long‑standing difficulty of formally modeling cyber‑physical systems (CPS), which combine discrete‑time computation with continuous‑time physical dynamics and exhibit concurrent, distributed behavior. Existing CPS specification languages (hybrid automata, hybrid process algebras, differential dynamic logic‑based formalisms) are built around verification engines and therefore lack high‑level structuring mechanisms such as types, scopes, methods, and futures. Moreover, they are often not efficiently executable, making models hard to understand, test, and validate before proof attempts.

To bridge this “usability gap,” the authors start from ABS, an active‑object language designed for concise, intuitive modeling of asynchronous, concurrent systems. They extend ABS with Hybrid Active Objects (HAO), creating the Hybrid ABS (HABS) language. The key extension is a physical block inside a class where continuous state variables and their governing ordinary differential equations (ODEs) are declared. Physical fields evolve according to their ODEs whenever time passes, even if the object’s process is idle. HAO retains ABS’s core features: encapsulated objects, asynchronous method calls, futures, cooperative scheduling, and a mandatory run() method that launches the object’s controllers.

A crucial design decision is to restrict HAO programs to a specific communication pattern. Controllers must start with an await guard (either a Boolean condition or a duration), perform a deterministic state update, and then recursively invoke themselves. Ports are used for data exchange but never contain control flow. This disciplined pattern guarantees that each hybrid class can be automatically translated into a sequential hybrid program expressed in differential dynamic logic (dL). The translation proceeds as follows:

1. The physical block becomes a continuous evolution { x' = θ & H } in dL.
2. An await guard becomes a test ?φ combined with the maximal time that can elapse before the guard becomes true (computed from the ODE solution).
3. Sequential statements map to dL’s sequential composition ;.
4. Recursive controller calls become nondeterministic repetition α*.

Because each class translates independently, verification becomes compositional: one proves, for each class, that a given precondition implies an invariant after any execution of its translated dL program. The resulting dL formulas are fed to the theorem prover KeYmaera X, which discharges them automatically or with minimal user guidance.

The authors extend the structural operational semantics (SOS) of timed ABS only minimally: object states now contain (i) a store σ mapping both physical and logical fields to values, and (ii) a set F of ODE solutions for the physical block. Evaluation of expressions involving physical fields uses the current ODE solution; await on a differential guard suspends execution until the guard holds, which is determined by computing the maximal time‑elapse function mte. When time advances, the physical fields are updated according to the ODE solution.

A tool chain is implemented: the HABS compiler generates Erlang code for execution (allowing simulation and visualization of physical field trajectories) and simultaneously produces the corresponding dL program. The simulation component visualizes variable evolution graphs, giving developers immediate feedback before formal proof attempts.

Two case studies illustrate the approach. The first models a single water tank as a hybrid object with fields level and drain. The controller waits until the level reaches a low or high threshold, then flips the drain direction, recursively repeating. A precondition 4 < inVal < 9 guarantees the invariant 3 ≤ level ≤ 10. The second splits the system into two objects: a Tank exposing an input port inDrain and an output port outLevel, and a FlowCtrl controller that periodically reads the tank’s level, decides on a new drain rate, and writes it back. The controller runs every tick seconds, ensuring the same invariant. Both models are translated to dL and proved in KeYmaera X, demonstrating that the pattern‑based translation works for realistic CPS designs.

The paper acknowledges that KeYmaera X does not yet support distributed hybrid systems (QdL) and component‑based reasoning directly. By imposing the communication pattern, the authors sidestep this limitation, effectively reducing a distributed hybrid system to a collection of sequential hybrid programs. Future work aims to broaden the admissible patterns and eventually integrate QdL to handle truly distributed hybrid verification.

In summary, the contribution is threefold:

1. Hybrid Active Objects – an extension of ABS that brings continuous dynamics into an object‑oriented, asynchronous concurrency model.
2. Pattern‑based automatic translation from HABS to differential dynamic logic, enabling compositional verification.
3. Integrated tool chain (simulation, visualization, and KeYmaera X proof) that closes the loop from modeling through testing to formal verification, thereby making formal CPS analysis more accessible to engineers.