Formal Verification of Autonomous Vehicle Group Control Systems via Specification Translation of Multitask Hybrid Observational Transition Systems

Wang, Yifan; Nakamura, Masaki; Takano, Ryo; Matsumoto, Takuya; Sakakibara, Kazutoshi

doi:10.3390/electronics14071483

Open AccessArticle

Formal Verification of Autonomous Vehicle Group Control Systems via Specification Translation of Multitask Hybrid Observational Transition Systems

by

Yifan Wang

^*,

Masaki Nakamura

,

Ryo Takano

,

Takuya Matsumoto

and

Kazutoshi Sakakibara

Faculty of Information Engineering, Toyama Prefectural University, Imizu 939-0398, Japan

^*

Author to whom correspondence should be addressed.

Electronics 2025, 14(7), 1483; https://doi.org/10.3390/electronics14071483

Submission received: 12 March 2025 / Revised: 2 April 2025 / Accepted: 3 April 2025 / Published: 7 April 2025

Download

Browse Figures

Versions Notes

Abstract

:

In multitasking systems, concurrent execution leads to an exponential growth of the state space, posing significant challenges for formal verification. This complexity is further exacerbated in hybrid systems that integrate discrete and continuous dynamics. To address these challenges, we propose to model multitasking hybrid systems and systematically verify system properties through formal verification methods, using synergistic formal verification of model checking and theorem proving to ensure rigorous correctness analysis. We, therefore, introduce a transformation framework that converts behavioral specifications into rewrite specifications, enabling the integration of verification techniques from both approaches. To demonstrate the effectiveness of our approach, we model self-driving car group control systems as Multitask Hybrid Observational Transition Systems (MHOTS), a framework extending Observational Transition Systems (OTS) to support hybrid and multitask behaviors, specify their safety properties in theorem proving via CafeOBJ, in model checking via real-time Maude, and verify that the system remains safe regardless of the number of processes involved. The approach leverages specification translation between CafeOBJ and Real-Time Maude to exploit the complementary strengths of theorem proving and model checking. CafeOBJ is an algebraic specification language that provides a rigorous mathematical foundation for theorem proving, enabling the verification of system properties through logical deductions, while Real-Time Maude facilitates model checking, thereby enhancing the safety and reliability of autonomous vehicle systems. This methodology not only confirms the safety properties of the control system but also establishes a robust framework for the future development and validation of autonomous driving technologies. The integration of these formal verification techniques provides a rigorous and systematic approach to ensuring the desired properties of Multitask Hybrid Observational Transition systems, contributing to the advancement of safe and reliable autonomous driving solutions.

Keywords:

specification translation; formal verification; multitask hybrid system; CafeOBJ; real-time Maude; theorem proving; model checking; autonomous vehicle group control systems

1. Introduction

In multitasking systems, ensuring safety and correctness is a crucial challenge, particularly when hybrid systems involve both discrete and continuous dynamics. The complexity of formal verification in such systems grows exponentially with the number of concurrent processes, making traditional verification techniques inefficient.

To address this issue, we propose a specification translation approach that systematically integrates theorem proving with CafeOBJ, an algebraic specification language designed for formal verification, and model checking with Real-Time Maude, a tool for executable specification and formal analysis of real-time systems, leveraging their complementary strengths (Figure 1). By transforming behavioral specifications into rewrite specifications, we enable rigorous safety verification of multitask hybrid systems.

Figure 1 shows the complementary strengths of CafeOBJ and Real-Time Maude in specification transformation. CafeOBJ on the upper side features interactive theorem proving, provides rigorous logical reasoning, and is suitable for infinite state space verification, but it requires a lot of manual interaction, which limits automation. Real-Time Maude on the lower side represents fully automatic model checking, providing efficient finite state space exploration, but may encounter scalability challenges due to state explosion. The middle arrow symbolizes the specification transformation mechanism that connects these two methods, effectively combining the rigorous accuracy of theorem proving with the automation and efficiency of model checking. This integration enhances the comprehensiveness, efficiency, scalability, and robustness of verification, thereby effectively addressing errors or oversights that may occur when verifying complex multitask hybrid systems.

As a case study, we apply this method to autonomous vehicle group control systems, where safety properties are critical. Autonomous vehicle group control systems are considered multitask systems. These autonomous vehicles exhibit both continuous behaviors (such as speed and position) and discrete behaviors (such as pedal action). Hybrid systems combine continuous and discrete dynamic behaviors, making them suitable for accurately representing autonomous vehicle control systems. We verify that the vehicles maintain a safe distance under the defined constraints, preventing collisions. Furthermore, we also provide a counterexample to verify our theoretical analysis.

Traditional testing and simulation tools, such as CarMaker (https://www.ipg-automotive.com/en/products-solutions/software/carmaker/) (accessed on 2 April 2025) [1], and SUMO (https://eclipse.dev/sumo/) (accessed on 2 April 2025) [2], offer valuable insights but are insufficient for ensuring comprehensive safety due to their reliance on limited and predetermined scenarios. Formal methods, encompassing various theories, tools, and techniques, are extensively utilized in the development of software and hardware systems. These methods describe, design, analyze, and verify computational systems using mathematical and logical foundations, thus providing precise and unambiguous definitions of system behaviors and properties. Formal specifications reduce ambiguity and errors, enhancing system reliability and correctness. Formal verification, which includes techniques like theorem proving and model checking, ensures that systems conform to their specifications.

There have been several important case studies in the domain of transportation systems verification using formal methods. For instance, KeYmaeraX (https://keymaerax.org/publications.html) (accessed on 2 April 2025) [3] has been effectively utilized to formally verify the collision avoidance protocols in airborne systems, demonstrating its strength in handling hybrid systems with complex continuous dynamics and rigorous safety requirements. CafeOBJ (https://cafeobj.org/) (accessed on 2 April 2025) [4] has been applied to formally model and verify autonomous vehicle systems, highlighting its capability in interactive theorem proving and specification of multitasking systems. Similarly, UPPAAL (https://uppaal.org/) (accessed on 2 April 2025) [5] has been successfully employed to verify railway timetable correctness and scheduling constraints, benefiting from its real-time model checking abilities to verify timing properties systematically. Real-time Maude (https://olveczky.se/RealTimeMaude/index.html) (accessed on 2 April 2025) [6] has also demonstrated significant advantages in the railway domain, particularly in verifying the European Rail Traffic Management System (ERTMS), showcasing its effectiveness in specifying and verifying complex real-time constraints and behaviors.

These studies collectively emphasize the complementary strengths of theorem proving (e.g., CafeOBJ and KeYmaeraX) and model checking (e.g., UPPAAL and Real-Time Maude). Inspired by these works, our research specifically leverages the synergy between CafeOBJ’s interactive theorem proving and Real-Time Maude’s automated model checking, providing a robust and rigorous verification methodology tailored explicitly for autonomous vehicle group control systems.

Theorem proving involves the generation of mathematical proofs through the collaboration between humans and computers. This semi-automated method is applicable to systems with infinite state spaces and supports continuous variables. Conversely, model checking is a fully automated approach for formal verification but is limited by the state space constraints. By the specification translation between the theorem proving and model checking, we can take advantage of both approaches to ensure the safety property of the system as Table 1. The necessity of our specification translation method stems from the integration of the respective advantages of theorem proving and model checking in a multitask hybrid system. By converting specifications between CafeOBJ and Real-Time Maude, our approach effectively combines the advantages of both verification approaches, making formal verification more efficient and reliable.

Although existing verification tools such as KeYmaeraX and UPPAAL have demonstrated their advantages in specific domains, they still face certain challenges in efficiency and scalability when applied to multi-task hybrid systems with rapidly growing state spaces. Although KeYmaeraX provides powerful formal proofs, its reliance on manual theorem proving may limit its scalability and automation in practice. Despite its advantages in automatic verification, UPPAAL may face significant challenges due to the state explosion problem as the system complexity increases.

Our approach achieves a balanced trade-off by explicitly integrating theorem proving and model checking via specification transformation between CafeOBJ and Real-Time Maude. This integration leverages the ability of theorem proving to rigorously handle infinite state spaces and the ability of model checking to automatically explore state spaces and quickly detect errors. As a result, it improves verification efficiency and system scalability, especially for scenarios involving control systems of large-scale autonomous vehicle groups.

Table 1 intentionally presents a qualitative rather than quantitative comparison between theorem proving (CafeOBJ) and model checking (Real-Time Maude). The main reason is that these methods differ fundamentally in their operational paradigms. Interactive theorem proving heavily depends on human guidance and thus exhibits high variability in metrics like execution time and memory usage, primarily influenced by user interaction patterns. In contrast, model checking is fully automated and produces explicit quantitative measures (such as time and memory consumption), which are highly dependent on specific state-space characteristics and computational resources. Therefore, a direct, meaningful quantitative comparison (e.g., execution times or memory consumption) could mislead or fail to capture the true complementary nature of these methods. Instead, Table 1 emphasizes intrinsic methodological differences, clearly highlighting their relative strengths and limitations to illustrate why integrating both techniques provides significant verification advantages.

In our previous work, we proposed a way to describe and verify an autonomous vehicle control system (single vehicle) by the CafeOBJ method [7], and explored specification translation from CafeOBJ to Maude for a single vehicle [8]. Then, we investigated a method to describe the formal specification of a control system for groups of autonomous vehicles based on the CafeOBJ method [4].

In comparison to Maude [9,10], Real-Time Maude introduces an explicit time concept, allowing for the direct modeling and analysis of systems with time constraints [11]. This extension provides a variety of time patterns and timers capable of describing diverse time-related behaviors and events within a system [12]. Furthermore, Real-Time Maude supports temporal logic, facilitating the description and verification of the temporal properties inherent in real-time systems [13]. Consequently, Real-Time Maude enhances the functionalities of Maude by enabling it to handle systems with time constraints more effectively.

The contributions of this work include: 1. Based on the framework of formal specification of multitask hybrid systems, we propose a novel specification transformation method that systematically integrates interactive theorem proving and fully automated model checking. Compared to existing methodologies that typically rely solely on theorem proving (e.g., CafeOBJ) or exclusively on model checking (e.g., Real-Time Maude), our method benefits from their complementary strengths: theorem proving’s capability in rigorously handling infinite-state spaces and complex hybrid dynamics, and model checking’s efficiency in automatically exploring state spaces and detecting potential errors rapidly. 2. By applying our proposed integrated method, we successfully verified the safety characteristics of autonomous vehicle group control systems. Compared with other formal verification studies in transportation (such as airborne collision avoidance verification by KeYmaeraX, railway scheduling verification by UPPAAL, and ERTMS verification by Real-Time Maude), our methodology not only achieves comprehensive verification results with rigorous proof scores but also demonstrates enhanced robustness, specifically due to the ability to identify critical counterexamples via automated model checking, ensuring the early detection and correction of potential specification errors.

The structure of this thesis is as follows: Section 1 provides an overview of the research problem, highlights the challenges in the formal verification of multitask hybrid systems, and introduces the proposed approach. Section 2 shows the definition of the Multitask Hybrid Observational Transition Systems(MHOTS) framework, explaining its components and mathematical foundations. Section 3 describes how MHOTS is formally specified using the CafeOBJ language. Section 4 presents the verification methodology of theorem proving using the proof score to ensure system correctness. Section 5 details the translation of CafeOBJ specifications into Real-Time Maude for model checking. Section 6 conducts simulations and model checking to verify safety properties and provides a counterexample demonstrating system failure under reduced safety constraints. Section 7 summarizes the contributions of this research and outlines potential directions for future work.

2. The Multitask Hybrid Observational Transition Systems

An Observational Transition System (OTS) consists of a set of observers, a set of initial states and a set of transitions. There are some researches on timed OTS (TOTS) [14], hybrid OTS (HOTS) [15], multitask timed OTS (MTOTS) [16]. OTS is a formal framework used for specifying and verifying system behaviors based on a set of observations, transitions, and states. To extend the concept of OTS to multitask and hybrid systems, we introduce MHOTS, which incorporate both discrete and continuous state transitions, as well as multiple interacting processes.

2.1. Definition of MHOTS

Let

T i m e

be a densely ordered set of clock values. We assume a universal state space Y, a set

P i d

of process identifiers, and sets D of values indexed by observers. In OTSs, a system state, an element of Y, is not explicitly represented. States and transitions are identified through observers in OTSs. In MHOTSs, we distinguish global, local, discrete and continuous observers and transitions explicitly, where global ones are given for the whole system’s behavior and local ones are given for processes.

Definition 1.

An MHOTS

S = (O, I, T

) consists of the following:

$O$ : A set of observers.
The set $O$ = $O_{G D} \cup O_{L D} \cup O_{G C} \cup O_{L C}$ is classified into a set $O_{G D}$ of global discrete observers; $O_{L D}$ , local discrete observers; $O_{G C}$ , global continuous observers and $O_{L C}$ , local continuous observers.
Each global observer $o \in O_{G D} \cup O_{G C}$ is a function $o : Υ \to D_{o}$ , where $D_{o}$ is a data type. Similarly, each local observer $o \in O_{L D} \cup O_{L C}$ is a function $o : P i d \times Υ \to D_{o}$ . We write $o_{i} (s)$ instead of $o (s, i)$ , and we denote $o_{i}$ as an element of $O$ and $o_{i} : Υ \to D_{o_{i}}$ for $o \in O_{L D} \cup O_{L C}$ and $i \in P i d$ if no confusion occurs. The equivalence relation $=_{S} \subset Υ \times Υ$ between two states is defined as the observational equivalence, i.e., $s_{1}$ $=_{S} s_{2}$ if and only if $\forall o \in O$ . $o (s_{1}) = o (s_{2})$ . $O_{G C}$ has a special master clock $n o w$ that observes the elapsed time since the execution of $S$ began.
$I$ : A set of initial states such that $I \subset Υ$ .
$T$ : A set of transitions.
$T = T_{G D} \cup T_{L D} \cup T_{C}$ is divided into a set $T_{G D}$ of global discrete transitions, a set $T_{L D}$ of local discrete transitions, and a set $T_{C}$ of continuous transitions. Each $τ \in T_{G D}$ (or $τ \in T_{L D}$ ) is a function $τ : Υ \to Υ$ (or $τ : Υ \times P i d \to Υ$ ). For $i \in P i d$ and $d \in T i m e$ , we may write $τ_{i} \in T$ and $t i c k_{d} \in T$ , respectively, if no confusion occurs. All transitions $τ \in T$ preserve $=_{S}$ , that is, $τ (s_{1}) =_{S} τ (s_{2})$ whenever $s_{1} =_{S} s_{2}$ . Every transition τ has an effective condition defined as $c - τ$ . For $τ \in T$ , its effective condition is given as a function $c - τ : Υ \to B o o l$ (or $c - τ : P i d \times Υ \to B o o l$ ). If $c - τ (s)$ (or $c - τ (i, s)$ ) is false then $τ (s) = s$ (or $τ (i, s) = s$ ). $T_{C}$ has only one special continuous transition $t i c k : T i m e \times Υ \to Υ$ , that is, $T_{C} = {t i c k}$ , called a time advancing transition. If $s^{'} = t i c k (t, s)$ and it is effective, then $n o w (s^{'})$ = $n o w (s) + t$ for each $t \in T i m e$ and $s \in Υ$ .

where the time advancing transition

t i c k

satisfies the following condition:

For each continuous observer $o \in O_{G C} \cup O_{L C}$ , we define a flow constraint $n e x t_{o} : T i m e \times Υ \to D_{o}$ for global ones, or $n e x t_{o} : P i d \times T i m e \times Υ \to D_{o}$ for local ones, which constrains the evolution of the values of o, that is, $n e x t_{o} (t, s)$ (or $n e x t_{o} (i, t, s)$ ) returns the value observed by o (or $o_{i}$ ) after time t from state s.
For discrete observers $O_{G D} \cup O_{L D}$ , we call a tuple of all their observed values a location. The set $L o c$ of locations is defined as

$L o c = \prod_{o \in O_{G D} \cup O_{L D}} D_{o} .$
For each observer $o \in O_{G C} \cup O_{G D}$ (or $o_{i} \in O_{L C} \cup O_{L D}$ ), we assume there is a corresponding symbol $x_{o}$ (or $x_{o_{i}}$ ), which is called a variable in ordinary hybrid automata. We denote the set of all such variables by X.
We define an invariant for each location, where the hybrid system can stay at the location as long as the invariant is true. An invariant function $i n v : L o c \to P C o n s t r (X)$ gives the evolution domain restriction $i n v (l)$ , called an invariant condition of location $l \in L o c$ , where $P C o n s t r (X)$ is the class of polynomial constraints over the set of continuous variables X. For example, $p = (x + \frac{1}{2} y > z) \in P C o n s t r (X)$ is a polynomial constraint over ${x, y, z}$ . For $p \in P C o n s t r (X)$ and a valuation v : $X \to D$ where D is the union of all $D_{o}$ , a boolean value ${⟦ p ⟧}_{v}$ is the result of replacing x with $v (x)$ . For example, for a valuation υ such that $υ (x) = 1, υ (y) = 2, υ (z) = 3$ , the boolean value ${⟦ p ⟧}_{υ} = 1 + \frac{1}{2} \cdot 2 > 3$ is false.
We assume $i n v (l)$ is a conjunction of $i n v_{o} (d)$ for all $o \in O_{G D} \cup O_{L D}$ and $d \in D_{o}$ , that is, $i n v ((d_{1}, \dots, d_{n}))$ = $i n v_{o_{1}} (d_{1}) \land \dots \land i n v_{o_{n}} (d_{n})$ , where $i n v_{o} : D_{o} \to P C o n s t r (X)$ .
The time advancing transition $t i c k$ should satisfy the following conditions: for $s^{'} = t i c k (t, s)$ , $o (s^{'}) = n e x t_{o} (t, s)$ for $o \in O_{G C}$ and $o (i, s^{'}) = n e x t_{o} (i, t, s)$ for $o \in O_{L C}$ whenever $c - t i c k (t, s)$ is true.
The effective condition $c - t i c k : T i m e \times Υ \to B o o l$ is defined as follows: $c - t i c k (t, s) = t r u e$ if and only if
$\forall o_{d} \in O_{G D}$ . $\forall o_{c} \in O_{G C} \cup O_{L C}$ . $d = o_{d} (s)$ ∧ $v (x_{o_{c}}) = n e x t_{o_{c}} (t, s)$ ∧ $v (x_{o_{d}}) = o_{d} (s)$ ⇒ ${⟦ i n v_{o_{d}} (d) ⟧}_{v}$ , and
$\forall o_{d} \in O_{L D}$ . $\forall o_{c} \in O_{G C} \cup O_{L C}$ . $d = o_{d} (i, s)$ ∧ $v (x_{o_{c}}) = n e x t_{o_{c}} (t, s)$ ∧ $v (x_{o_{d}}) = o_{d} (s)$ ⇒ ${⟦ i n v_{o_{d}} (d) ⟧}_{v}$
Roughly speaking, $t i c k (t, s)$ is effective when all of the invariant conditions hold with the values of the continuous observers after time t, that is, $n e x t_{o} (t, s)$ .

Definition 2.

An execution of an MHOTS S = (

O, I, T

) is a (finite or infinite) sequence

s_{i} \in Υ

(

i \in {0, 1, \dots, n}

or

i \in N

) of states satisfying

s_{0} \in I

, and for each

s_{i}

, there exists

τ \in T

such that

s_{i + 1}

=

τ (s_{i})

. A state s is called reachable if it is included in an execution of S. A state predicate

p : Υ \to B o o l

is called invariant if

p (s)

is true for all reachable states s. We denote the set of the reachable states by

R S

.

The explicit distinction among global, local, discrete, and continuous observers in MHOTS significantly improves verification accuracy by structuring system modeling and verification processes more systematically and precisely: Global observers capture system-wide state properties (e.g., system time, shared environmental conditions), enabling global invariants and conditions to be rigorously defined and verified at a high level of abstraction. This ensures correctness across the entire system state space. Local observers allow for the accurate and scalable verification of properties specific to individual processes or components (e.g., each vehicle’s velocity, position, or operational state). By isolating local behaviors, verification can more accurately pinpoint specific sources of errors or violations of system properties. Discrete observers clearly specify distinct modes or states of the system or individual components, facilitating precise reasoning about mode transitions and state-dependent properties. They provide clarity and accuracy in modeling state-dependent constraints and invariants, reducing ambiguity and errors during formal verification. Continuous observers explicitly describe dynamic variables that evolve continuously over time (such as velocity and position). Clearly defining continuous behaviors separately from discrete behaviors allows for an accurate and robust analysis of system dynamics under real-world physical constraints. This systematic classification of observers not only clarifies the semantics of the system being verified but also allows verification techniques (theorem proving and model checking) to be tailored specifically to different aspects of the system. Consequently, it enhances the verification’s precision, reduces the likelihood of oversights or ambiguities, and improves the accuracy and reliability of verification outcomes, especially when dealing with complex multitasking hybrid systems.

2.2. Illustrative Example of MHOTS: A Two-Tank Water Flow System

To intuitively illustrate the core principles of MHOTS, consider a simple yet illustrative toy example—a hybrid control system involving two interconnected water tanks with a controllable valve. Suppose we have two vertically aligned water tanks (Tank A at the top, Tank B at the bottom) connected by a valve-controlled pipe. The system exhibits hybrid behaviors due to both discrete control actions (opening/closing a valve) and continuous dynamic changes (water flow between tanks). The objectives of this simplified system are to maintain the water level in Tank B within safe limits and avoid overflow and underflow scenarios by controlling the valve discretely based on continuous water level observations. This scenario can be naturally modeled as an MHOTS as follows:

$O$ : Observers
Discrete Observers ( $O_{D}$ ): valve state ∈ ${o p e n, c l o s e d}$ indicating the status of the valve connecting two tanks.
Continuous Observers ( $O_{C}$ ): level A ∈ $R$ ≥ 0: Water level in Tank A; level B ∈ $R$ ≥ 0: Water level in Tank B; now ∈ $R$ ≥ 0: Global system time.
$I$ : The initial conditions of the state.
The initial valve state is closed: valve(init) = closed
Tank A and Tank B initial water levels: levelA(init) = 10, levelB(init) = 2.
Initial system time: now(init) = 0.
$T$ : Transitions
Continuous transitions are governed by the following set of differential equations: When the valve is open:

$\frac{d (l e v e l A)}{d t} = - k; \frac{d (l e v e l B)}{d t} = k,$

When the valve is closed:

$\frac{d (l e v e l A)}{d t} = 0; \frac{d (l e v e l B)}{d t} = 0 .$

Here, the constant k represents the water flow velocity (assumed to be $k = 1$ unit/s). So the next function can be defined following
When the valve is open:

$n e x t_{l e v e l A} (t, s) = l e v e l A (s) - k \cdot t; n e x t_{l e v e l B} (t, s) = l e v e l B (s) + k \cdot t$

When the valve is closed:

$n e x t_{l e v e l A} (t, s) = l e v e l A (s); n e x t_{l e v e l B} (t, s) = l e v e l B (s)$

Time Observer:

$n e x t_{n o w} (t, s) = n o w (s) + t$

The position invariant constraint is that the water levels of Tank A and Tank B must always satisfy:

$l e v e l A \geq 0; 0 \leq l e v e l B \leq 10$

Therefore, the effective condition for continuous migration is as follows:

$c_{t} i c k (t, s) = (n e x t_{l e v e l A} (t, s) \geq 0) \land (0 \leq n e x t_{l e v e l B (t, s)} \leq 10)$

Define the following valve state transition rules (discrete transitions):
Open valve:
Transition condition: Tank B water level is lower than the lower threshold (e.g., levelB ≤ 3).

$c_{o p e n} (s) = (v a l u e (s) = c l o s e d) \land (l e v e l B \leq 3)$

Behavior: The valve changes from closed to open.

$v a l u e (s) = o p e n i f c_{o p e n} (s) .$

Close valve:
Transition condition: The water level of Tank B reaches the upper threshold (for example, levelB ≥ 8).

$c_{c l o s e d} (s) = (v a l u e (s) = o p e n) \land (l e v e l B \geq 8)$

Behavior: The valve changes from open to closed.

$v a l u e (s) = c l o s e d i f c_{c l o s e d} (s) .$

At this time, the water level (levelA, levelB) and time (now) do not change.

2.3. Fundamental Assumptions of MHOTS

Before specifying MHOTS in CafeOBJ, one may encounter the challenge of an almost infinite process. For instance, when defining the effective tick (

c - t i c k

), it is necessary to verify invariants at non-initial location. However, due to the near-infinite property of this process, verifying the invariants of the effective tick, such as

i n v_{o} (p, d) (\vec{n e x t_{o} (s, t)}

), becomes significantly challenging.

To solve this problem, we introduce the specification

P S e t

which is the sequence of processes. We define the

p s

as the observation that observes the sort

P S e t

, where we assume the

p s (s)

is the arbitrary set of finite processes exist in non-initial location.

There are only infinite processes that exist in the initial location when

{⟦ i n v_{o_{D} (l a b e l)} ⟧}_{υ}

is true. We assume

O_{L C} = {o_{1}, \dots, o_{m}}

,

O_{G C} = {o_{1}^{'}, \dots, o_{n}^{'}}, X = {x_{o_{1}}, \dots, x_{o_{m}}, x_{o_{1}^{'}}, \dots, x_{o_{n}^{'}}}

, then

υ (x_{o_{i}}) = o_{i} (i n i t)

υ (x_{o_{j}^{'}}) = o_{j}^{'} (p, i n i t)

After applying the transition tick, the initial condition

o_{i} (t i c k (t, s)) = o_{i} (i n i t)

o_{j}^{'} (p, t i c k (t, s)) = o_{j}^{'} (p, i n i t)

Finite processes in non-initial location satisfy invariant. And

{⟦ i n v (d) ⟧}_{υ}

is PConstr(X) which indicate

υ (x_{o_{i}}) = n e x t_{o_{i}} (t, s)

υ (x_{o_{j}^{'}}) = n e x t_{o_{j}^{'}} (p, t, s)

for all

x \in X

.

These define the continuous evolution of system variables over time, governed by constraints such as follows:

Velocity update: $v^{'} (i) = v (i) + a (i) \times Δ t$ .
Position update: $x^{'} (i) = x (i) + v (i) \times Δ t + \frac{1}{2} a (i) \times Δ t^{2}$ .

3. Multitask Hybrid OTS/CafeOBJ Specifications

In this section, we propose a way to describe a CafeOBJ specification whose model is an MHOTS that we have defined.

3.1. Specification of Sets of Processes

One of the advantages of MHOTS is that it allows us to model a system with an arbitrary number of processes, whereas an ordinary automaton approach cannot represent a state with infinitely many processes in a finite-length tuple of variables. However, when we describe an MHOTS specification, we need to give definitions of invariants for all processes. It may make the size of the specification infinite. To avoid this problem, we assume that almost all processes are in a certain location, such as the initial location, whose invariant condition holds in any reachable state. Then, in any reachable state, it is sufficient to check a finite number of processes that are not in the location. In our example, the initial locations of all, possibly infinite, vehicles are

s t a r t

, and only finite vehicles are located at

a c c e l

,

b r a k e

or

n o t h i n g

. The observed set

p s (s)

is introduced to gather all but finitely many vehicles that have entered by the transition

e n t e r

.

mod* PID{
  [Pid]
  pred _=_ : Pid Pid {comm}
  var P : Pid
  eq (P = P) = true .
}

First, we define a module named PID in CafeOBJ language (mod* PID{}). A data type Pid ([Pid]) is defined as a data type that represents the identifier of the vehicle process ID. A predicate ( _=_ : Pid Pid ) is defined to determine whether two Pids are equal. {comm} indicates that the predicate satisfies the commutative law. A variable P (var P : Pid) is defined as a universal variable that represents an element of Pid type. An equation (axiom) is defined as (eq (P = P) = true). This equation indicates that any Pid is equal to itself (reflexive). That is, for any P, the value of the equation P = P is always true.

Then, we define PSET, a module for sets of processes of PID, as follows:

mod! PSET{
  pr(PID)
  [Pid < PSet]
  op nil : -> PSet
  op _ _ : PSet PSet -> PSet {assoc idr: nil}
  op dummy : -> Pid
  pred _in_ : Pid PSet
  pred empty : PSet
  op first : PSet -> Pid
  op last : PSet -> Pid
  op _sub_ : PSet PSet -> Bool
  op ps : -> PSet
  …
}

Module PSET imports PID. Sort PSet is declared as a super sort of Pid, which means a single process of Pid is also an element PSet. Constant

nil

denotes the empty set, and operator

__

defines a sequence of terms of sort

Pid

as a term of sort

PSet

. Constant dummy of Pid is declared as a dummy element when taking an element from the empty set. Some ordinary functions on sets are declared. For a given set, elements are lined up in order, thus, it can be regarded as a list, a queue, or a sequence of processes. For example, operator

last

takes the last element of a given set. The term last(p4 p3 p2 p1) is equivalent to p4 by applying the equation last(P PS) = P with

P = p 4

and

PS = p 3 p 2 p 1

.

3.2. System Description of MHOTSs in CafeOBJ

In this section, we give a way to describe a system module

M

of an MHOTS

S

in CafeOBJ. Module

M

imports data modules, including PSET, which was defined above. For sort

T i m e

, we choose a built-in arithmetic module of CafeOBJ, for example, the built-in module RAT of rational numbers. The universal state space

Υ

is represented by a hidden sort, denoted as H. We assume that the data types

D_{o}

for

o \in O

are described in imported data modules and that there are visible sorts

V_{o}

corresponding to the data types, and that variables used in the following equations are declared. For example, variable S of sort H, T of sort

T i m e

, P, Q of sort Pid, and PS, QS of sort PSet are declared.

Definition 3.

An MHOTS/CafeOBJ specification has the following syntax:

$O T S$ :: = $\vec{S u b M o d u l e}$ $M a i n M o d u l e$
$S u b M o d u l e_{i}$ :: = mod(!|*) $S M_{i}$ $\{. . .\}$
$M a i n M o d u l e$ :: = mod* M {
pr(S $M_{1}$ )… pr(S $M_{l}$ )
*[H]*
$S i g n a t u r e : : = I n i t$ $\vec{O b s}$ $\vec{T r a n s}$
$A x i o m$ ::= $V a r s$ $A_{i n i t}$ $A_{τ_{1}}$ … $A_{τ_{m}}$
$I n i t$ ::= op init : $\to H$ .
$A_{i n i t}$ ::= $A_{i n i t}^{o_{G_{1}}}$ … $A_{i n i t}^{o_{G_{m}}}$ $A_{i n i t}^{o_{L_{1}}}$ … $A_{i n i t}^{o_{L_{m}}}$
$A_{i n i t}^{o_{G}}$ ::= eq $o_{G}$ (init) = $t_{i n i t_{o_{G}}}$ .
$A_{i n i t}^{o_{L}}$ ::= eq $o_{L}$ (init, $X_{i}$ ) = $t_{i n i t_{o_{L}}}$ .
$O b s_{G}$ ::= bop $o_{G}$ : H $\to V_{o_{G}}$
$O b s_{L}$ ::= bop $o_{L}$ : H $X_{i}$ $\to V_{o_{L}}$
$T r a n s_{i}$ ::= $B T_{i}$ $C T_{i}$
$B T_{i}$ ::= bop $τ_{i}$ : H $X_{i}$ $\to H$
$C T_{i}$ ::= bop $c - τ_{i}$ : H $X_{i}$ → Bool
$A_{τ_{i}}^{⊥}$ ::= bceq $τ_{i}$ (S, $Y_{i}$ ) = S if not (c- $τ_{i}$ (S, $Y_{i}$ )).
$A_{τ_{i}}^{o_{G}}$ ::= ceq $o_{G}$ ( $τ_{i}$ (S, $Y_{i}$ )) = $t_{τ_{o_{G}}}$ ’ if c- $τ_{i}$ (S, $Y_{i}$ ).
$A_{τ_{i}}^{o_{L}}$ ::= ceq $o_{L}$ ( $τ_{i}$ (S, $Y_{i}$ ), $X_{i}$ ) = $t_{τ_{o_{L}}}$ ’ if c- $τ_{i}$ (S, $Y_{i}$ ).
$V a r s$ ::= $V H$ $\vec{V O_{1}}$ … $\vec{V O_{m}}$ $\vec{V T_{1}}$ … $\vec{V T_{n}}$
$V H$ ::= vars S: H
$V O_{i}$ ::= vars $X_{i}$ : $V_{o_{i}}$
$V T_{i}$ ::= vars $Y_{i}$ : $V_{τ_{i}}$
}

where each

S u b M o d u l e_{i}

is a module specifying data type, explained in the previous section.

S M_{i}

is the name of the module

S u b M o d u l e_{i}

. H is a hidden sort. Each initial state in the set

I

is represented by a constant, conventionally denoted as

i n i t

.

o_{G}

and

o_{L}

are observation symbols when the each global observer

o_{G} \in O_{G D} \cup O_{G C}

and each local observer

o_{L}

∈

O_{L D}

∪

O_{L C}

.

t_{i n i t_{o_{G}}}

and

t_{i n i t_{o_{L}}}

are terms of visible sort

V_{o_{G}}

and

V_{o_{L}}

, respectively.

τ_{i}

is a transition symbol that is defined as a behavioral operator and

c - τ_{i}

is an effective condition of transition described as a boolean operator. When a condition of transition is effective, the transition and observed values of the state will change by the equation. The condition of an equation is a boolean term.

t_{τ_{o_{G}}}

’ and

t_{τ_{o_{L}}}

’ are terms of visible sorts

V_{o_{G}}

and

V_{o_{L}}

, respectively, like

t_{i n i t_{o_{G}}}

and

t_{i n i t_{o_{L}}}

.

X_{i} (i = 1, \dots, m)

and

Y_{i} (i = 1, \dots, m)

are CafeOBJ variables for

V_{o_{i}}

and

V_{τ_{i}}

. Hereafter, all definitions and proofs are built on the notation of Definition 3.

3.3. A Case Study of the MHOTS/CafeOBJ Method

In this section, we present an MHOTS/CafeOBJ specification

MS

and verify the safety property, ensuring that vehicles do not collide with each other in any reachable state, using the proof score method.

The purpose of this model and specification is to verify that the vehicle can maintain a safe distance between any two vehicles in its initial state when performing any operation (such as braking or acceleration) (Figure 2). Regardless of how many vehicles are moving in the lane, when the distance between two vehicles is too close (

▵ x > 8

), it must switch to braking mode and fix the pedal state to braking to avoid a collision.

In the OTS/CafeOBJ specifications, a state transition system models the group control system of an autonomous vehicle, incorporating five types of observations. The continuous observations v and x capture the current values of variables v and x for each vehicle, now and ps track the elapsed time and the list of all vehicles. Meanwhile, the discrete observation loc tracks the vehicle’s present location, which is used to determine the position of the preceding vehicle.

The system provides five transition types for both discrete and continuous behaviors. The discrete transitions enter, a, b, and n represent state changes, while the continuous transition tick updates the system clock. We formalize these transitions within the OTS/CafeOBJ modules.

A CafeOBJ specification is structured by modules that contain declarations for sorts, operators, and equations. Our OTS/CafeOBJ specification includes data modules LABEL, PSET, and RAT, along with the system module MAINSYSTEM, illustrated in Figure 3.

An OTS/CafeOBJ specification consists of data modules and a system module. LABEL as the data module provides the constant operators start, accel, nothing, and brake defined as the data type Label for the vehicle.

 ops start accel nothing brake : -> Label

The following is the system module named MAINSYSTEM, which has the protecting modules PSET, RAT, and LABEL. The RAT module is used to define rational numbers. The velocity, position, and time all start from 0. The initial position of vehicle P is set to start. ps is empty, indicating that there may be no known previous vehicles in the system.

mod* MAINSYSTEM{
  pr(PSET + RAT + LABEL)
 …
 eq v(P,init) = 0 .   eq x(P,init) = 0 .   eq now(init) = 0 .
 eq loc(P,init) = start .  eq ps(init) = nil .

The transition enter, by which the vehicle enters the lane, is defined by the following equations:

eq c-enter(P,S)= (loc(P,S) = start) and (ps(S) = nil or x(last(ps(S)),S) > 0) .
ceq ps(enter(P,S))= P ps(S) if c-enter(P,S) .
ceq loc(P',enter(P,S))= (if P' = P then accel else loc(P',S) fi) if c-enter(P,S) .
eq v(P',enter(P,S))= v(P',S) . eq x(P',enter(P,S))= x(P',S) .  …

where the first equation specifies that enter is effective when the location is start and either the set of entered vehicles is empty or the last vehicle of the set is not at position 0. Only ps and loc are changed by enter, while the other observed values remain unchanged. The value of ps at the state after applying enter, that is, ps(enter(P,S)), is the set P ps(S) obtained by adding P at the end of the original set ps(S). Only the P’s location is updated to accel by enter(P,S). We omitted the transitions a b and n similar to enter.

Then, we specify the continuous transition tick(x,s), which represents the state obtained after advancing time by x from state s. Discrete values remain unchanged under tick, as follows:

eq loc(P,tick(T,S)) = loc(P,S) .

The continuous values v and x changed with tick as follows:

ceq v(P,tick(T,S)) = (if loc(P,S) = start then 0 else nextv(P,T,S) fi)
                     if c-tick(T,S) .
ceq x(P,tick(T,S)) = (if loc(P,S) = start then 0 else nextx(P,T,S) fi)
                     if c-tick(T,S) .
eq nextv(P,T,S) = v(P,S) + ac(loc(P,S)) * T .
eq nextx(P,T,S) = v(P,S) * T + 1/2 * ac(loc(P,S)) * T * T + x(P,S) .
eq ps(tick(T,S)) = ps(S) .

where the acceleration value of the vehicle is defined for each location by operation ac, where accel, brake, and nothing are 1,

- 1

, and 0, respectively. The values of v and x after tick are defined as the next values of them when the locations are not start. Note that we specify that the values of v and x are always 0 at the location start. As the system time advances (tick(T, S)), the state of ps (which is a queue of all vehicles) remains unchanged.

The effective condition c-tick(ps(S),T,S) is recursively defined on PSet as follows:

eq c-tick(nil,T,S) = true.
 
eq c-tick(P,T,S) = ((loc(P,S) = brake or loc(P,S) = accel or loc(P,S) = nothing)
                   implies (0 <= nextv(P,T,S) and nextv(P,T,S) <= 4)) .
 
eq c-tick(P Q,T,S) = c-tick(Q,T,S) and c-tick(P,T,S) and
                    (loc(P,S) = accel implies (nextx(P,T,S) + 8 < nextx(Q,T,S)))
                    and (loc(P,S) = nothing implies (((0 < nextv(P,T,S) and
                    nextv(P,T,S) <= 4)  and (nextx(P,T,S) + 8 < nextx(Q,T,S))))
                    or nextv(P,T,S) = 0) .
 
eq c-tick(P Q PS,T,S) = c-tick(P Q,T,S) and c-tick(Q PS,T,S) .
 
eq c-tick(T,S) = c-tick(ps(S),T,S) .

Each vehicle obeys the speed limit between 0 and 4, as described in the second equation. In the third equation, for the two next vehicles P and Q, they obey the speed limit as well as the part of the invariant condition between the vehicles such that the distance is more than eight when the location of the behind vehicle P is accel, and so is nothing if the velocity is not 0. By the fourth and fifth equations, all next vehicles in ps(S) satisfy the invariant condition. For example, from the recursive definition, c-tick(p3 p2 p1,T,S) is equivalent to c-tick(p3,T,S) and c-tick(p2,T,S) and c-tick(p1,T,S) and c-tick(p3 p2,T,S) and c-tick(p2 p1,T,S).

4. Verification of the Theorem Proving

A purpose of verification is to ensure no collisions in our system, that is, for each vehicle P and its next vehicle Q in ps(S) for any reachable state

S \in R S

, the position of P is always greater than that of Q, denoted by x( $P, S$ ) < x( $Q, S$ ). To formalize the property to be verified, we first describe a predicate safe in a module SAFE such that $\forall S \in R S .$ safe(ps(S),S) represents our goal. Next, we give a stronger property of our goal with formal verification. Finally, we give a formal proof of the stronger property based on the proof score method. In the proof score method, we describe several invariant properties inv-n to be proven in a module INV and a predicate istep-n which represents an inductive step of our proof by induction on the structure of reachable states. The structure of modules we use for verification is shown in Figure 4.

4.1. Module for the Safety Property

In the module SAFE, a predicate safe : PSet Sys -> Bool is recursively defined as follows:

  eq safe(nil,S) = true .
  eq safe(P,S) = true .
  eq safe(P Q,S) = (x(P,S) < x(Q,S)) .
  eq safe(P Q PS,S) =
  safe(P Q,S) and safe(Q PS,S) .

For example, safe(p4 p3 p2 p1,T,S) is reduced into x(p4,S) < x(p3,S) and x(p3,S) < x(p2,S) and x(p2,S) < x(p1,S). Thus, our goal is represented by $\forall S \in R S .$ safe(ps(S),S).

To apply induction techniques, we generalize our subgoal as follows:

\forall S \in R S . \forall P S \in PSet . P S sub ps (S) \Rightarrow safe (P S, S)

, where

P S

is a subsequence of

ps (S)

.

Since

P S

sub

P S

holds by definition, the above property is stronger than the original goal. Thus, it suffices to show the above subgoal for our goal. We prove the subgoal by induction on

P S

. The base case

P S = nil

is trivial since

safe (nil, S) = true

from the definition of safe. Consider the case of

P S = Q Q S

where

Q \in Pid

and

Q S \in PSet

. There are two cases, such that

Q S = nil

and

Q S = Q^{'} Q S^{'}

where

Q^{'} \in Pid

and

Q S^{'} \in PSet

. The former is trivial since

P S = Q

and

safe (Q, S) = true

from the definition of safe. In the latter case, we have

\begin{matrix} safe (P S, S) \\ = safe (Q Q^{'} Q S^{'}, S) \\ = safe (Q Q^{'}, S) and safe (Q^{'} Q S^{'}, S) . \end{matrix}

From the definition, we have

safe (Q Q^{'}, S) = (x (Q, S) < x (Q^{'}, S))

. From the induction hypothesis, we have

safe (Q^{'} Q S^{'}, S) = safe (Q S, S) = t r u e

. Therefore, If

x (Q, S) < x (Q^{'}, S)

is proven, our goal holds. The above reasoning can be formalized and verified by the proof score method.

4.2. Induction Basis

From the above reasoning, it suffices to show

\forall S \in R S . \forall Q, Q^{'} \in Pid . \forall Q S^{'} \in PSet . Q Q^{'} Q S^{'} sub ps (S) \Rightarrow x (Q, S) < x (Q^{'}, S)

for our goal. First, we give a state predicate inv1 as follows:

eq inv1(Q,Q',QS',S) = (Q Q' QS' sub ps(S) implies (x(Q,S) < x(Q',S))) .

If we prove inv1(S) for all reachable states from the initial state, the safety property holds. We prove it by the induction of the structure of the reachable states. Note that a reachable state is represented by the term like

τ_{n} (\dots τ_{1} (τ_{0} (init)) \dots)

, which is the result state obtained by applying transitions

τ_{0}, τ_{1}, \dots, τ_{n}

to the initial state.

As the induction basis, we apply the reduction command to prove the initial state to satisfy inv1. In specification execution, the reduction command is applied to terms without any variable. We use fresh constant operators, like q, q’ and qs’ below, as arbitrary elements.

open INV .
    red inv1(q,q',qs',init) .
close

CafeOBJ interpreter returns true, which implies the induction basis holds, that is, inv1 holds at the initial state.

4.3. Induction Step

In the induction step, we prove that each transition preserves the state predicate. We first assume inv1(s) holds for a state s. Then, we prove inv1(s’) for the state s’ obtained by applying each transition to the state s. The following is a template for the induction step.

eq istep1 = inv1(s) implies inv1(s') .

The proposition istep1 means that inv1(s’) holds under the induction hypothesis inv1(s). The following is a part of the induction steps for the transition tick, where s’ is obtained by applying the tick with t1 to s.

open ISTEP .
    op t1 : -> Rat .
    eq s' = tick(t1,s) .
    red istep1 .
close

If the above reduction returns true, it guarantees that the implication inv1(S) ⇒ inv1(tick(T,S)) holds for any state S and time T. However, it returns neither true nor false for the above proof passage. To proceed with a proof, we need to give more information. A typical proof strategy is case splitting by the effective condition as follows:

open ISTEP .
    op t1 : -> Rat .
    eq c-tick(t1,s) = false .
    eq s' = tick(t1,s) .
    red istep1 .
close

open ISTEP .
    op t1 : -> Rat .
    eq c-tick(t1,s) = true .
    eq s' = tick(t1,s) .
    red istep1 .
close

If the above two proof passage return true, the original one holds. Although the first passage returns true, the second does not. In this case, we proceed to do more case-splitting for the latter passage by q = q’, qs’ = nil and so on. These candidates of cases can be found in the result term of the proof passage. When we obtain true for all cases, it guarantees that the original proof passage is satisfied.

4.4. Lemma Introduction

Repeating the process of case splitting, we may face false as a returned value of the reduction command. Such a proof passage represents either evidence that the goal does hold or that the state satisfying the conditions in the proof passage is unreachable from the initial state. For such a case, we introduce another appropriate invariant property, called a lemma, which discharges the unreachable proof passage. For example, we introduce the following lemma inv2:

eq inv2(P,S) = (loc(P,S) = start implies x(P,S) = 0) .
eq istep2 = inv2(s) implies inv2(s') .

We may obtain true for such a proof passage by replacing the reduction command by adding the lemma as follows:

red inv2(s) implies istep1 .

Proceeding with case-splitting and introducing the lemma in this case study, we obtain true for all the remaining proof passages for inv1. This means that we have verified property ∀s ∈ RS, inv2(s)⇒ inv1(s) by the proof score method. To complete a proof, we make four lemmas and 264 proof passages, all of which return true. The introduced lemmata inv2, inv3, and inv4 are defined as follows:

eq inv1(Q,Q',QS',S) = (Q Q' QS' sub ps(S) implies (x(Q,S) < x(Q',S))) .
eq inv2(P,S) = (loc(P,S) = start implies x(P,S)=0) .
eq inv3(P,S) = (P in ps(S)) implies (not loc(P,S) = start) .
eq inv4(Q,Q',QS',S) = (Q Q' QS' sub ps(S) implies (x(Q,S) < (- 1/2 * v(Q,S)
* v(Q,S)) + x(Q',S))) .

In addition, we need to add some lemmata that can be proved without induction on reachable states, e.g., eq lemma1(QS,T,S) = ((c-tick(T,S) and (QS sub ps(S))) implies c-tick(QS,T,S)), which we proved by induction on the structure of terms of sort PSet.

5. Specification Translation to Real-Time Maude

The purpose of the MHOTS/CafeOBJ specification is to verify its safety property by an interactive theorem proving approach with the CafeOBJ system. Interactive theorem proving is capable of dealing with large and complex systems, including those with infinitely many states; however, making a complete proof usually requires human guidance and, thus, is not fully automated. For example, Diaconescu and Futatsugi [17] introduced CafeOBJ as an algebraic specification language with powerful interactive theorem-proving capabilities, emphasizing its strength in dealing with infinite-state systems through behavioral equational logic. Ogata and Futatsugi [18] further elaborated on the interactive nature of CafeOBJ proofs by introducing the concept of proof scores, providing practical methodologies for system verification that rely significantly on user expertise. Additionally, Ogata and Futatsugi [19] provided detailed practical insights and guidelines for structuring interactive proofs in CafeOBJ effectively, highlighting typical challenges and solutions in verifying complex, multitask systems.

In contrast, our research contributes by combining the strengths of interactive theorem proving (CafeOBJ) with fully automated model checking (Real-Time Maude), addressing the inherent limitation of automation in theorem proving. By integrating these two approaches, our proposed methodology not only enhances the verification efficiency but also systematically ensures robustness by enabling the automatic detection of counterexamples.

Especially for the case that the property is not true, due to the bug of the specification, the verifier may not find the failure of the specification and the proof process may not terminate. To solve the problem, we propose a specification translation method from CafeOBJ to Real-Time Maude such that we can apply the full-automated model checking function to the translated Real-Time Maude specification to find a potential bug in the input MHOTS/CafeOBJ specification. A Real-Time Maude specification is composed of two kinds of modules: functional modules and a system module [20,21]. The functional modules correspond to data modules in CafeOBJ.

5.1. Specification Translation

We give a translation from an MHOTS/CafeOBJ specification whose submodules are tight and complete into an MHOTS/Real-Time Maude specification. Precisely, we give a function F that takes an MHOTS/CafeOBJ specification and returns an MHOTS/Real-Time Maude specification. We write

X^{'}

instead of

F (X)

. For example, we write

{S i g n a t u r e}^{'}

=

\vec{O b s^{'}}

\vec{T r a n s^{'}}

instead of

F (S i g n a t u r e) = F (O b_{s_{1}}) F (O b_{s_{2}}) \dots F (T r a n s_{1}) F (T r a n s_{1}) \dots

, which means that a signature of the translated MHOTS/Real-Time Maude specification

F (M H O T S)

=

{M H O T S}^{'}

consists of symbols which are obtained by applying F to observation and transition symbols of the input

M H O T S

.

Definition 4.

For an MHOTS/CafeOBJ specification, the translated MHOTS/Real-Time Maude specification is defined as follows:

$M H O T S^{'}$ = $\vec{S u b M o d u l e^{'}}$ $M a i n M o d u l e^{'}$
$S u b M o d u l e_{i}^{'}$ = (fmod $S M_{i}$ … endfm)
$M a i n M o d u l e^{'}$ = (tmod M is
pr $S M_{i}$ . … pr $S M_{l}$ .
$S i g n a t u r e^{'}$ = $\vec{O b s^{'}}$ $\vec{T r a n s^{'}}$
${\vec{O b s_{G}}}^{'}$ = op $o_{G}$ : $V_{o_{G}}$ → System.
${\vec{O b s_{L}}}^{'}$ = op $o_{L}$ : $X_{i}$ $V_{o_{L}}$ → OValue.
${\vec{T r a n s_{i}}}^{'}$ = op c- $τ_{i}$ : $\vec{V_{τ_{i}}}$ System → Bool.
$V a r s^{'}$ = $V a r s_{1}^{'}$ $V a r s_{2}^{'}$ $V a r s_{m}^{'}$
$A_{τ_{i}}^{'}$ = crl [ $τ_{i}$ ]: $t_{τ_{o_{G}}}$ … $t_{τ_{o_{L}}}$ … $= >$ $t_{τ_{o_{G}}}$ ’ … $t_{τ_{o_{L}}}$ ’ …if c- $τ_{i}$ .
$A_{i n i t}^{'}$ = eq init = $t_{i n i t_{o_{G}}}$ … $t_{i n i t_{o_{L}}}$ …
$A x i o m^{'} = V a r s^{'} \cup A_{i n i t}^{'} \cup A_{τ_{i}}^{'}$
endtm)

where MHOTS’ denote the formal model of MHOTS implemented by Real-Time Maude,

\vec{S u b M o d u l e^{'}}

is a group of submodules,

M a i n M o d u l e^{'}

is the main module. The submodule is responsible for defining the basic operators and axioms of the system, and the main module combines multiple submodules through inheritance to realize the complete system model. Submodule

S u b M o d u l e_{i}^{'}

is defined using Real-Time Maude’s Functional Module (fmod) and the main module is defined using the Real-Time Module (tmod), which represents the overall behavior of the system. The main module imports the contents of the submodule through the pr

\vec{S u b M o d u l e^{'}}

similar to cafeOBJ. The algebraic signature consists of an observer operator and a transformation rule operator and observers are divided into global observers and local observers The c- $τ_{i}$ is a conjunction of boolean expressions, equality tests, membership tests, and (in the case of rewrite rules) rewrite tests. A rewrite rule is usually equipped with a rule label [

τ_{i}

]. Each transformation rule is formally represented by a conditional rewrite rule (crl), where

t_{τ_{o}}

and

t_{τ_{o}}

’ represent the observer results before and after the transformation, respectively, and c- $τ_{i}$ is the transformation condition. The initial state is defined by the equation axiom (eq), which represents the initial configuration of the system. The system axiom set consists of a set of variables, initial states, and transition rules. This formal description ensures the accessibility, determinism, and consistency of the system.

The translation process from a CafeOBJ specification to a Real-Time Maude specification is systematically carried out in the following step-by-step manner as Algorithm 1:

Step 1: Identification and Preparation of Modules.
CafeOBJ: Identify the main system module and all submodules, including data modules (e.g., LABEL, PID, PSET).
Real-Time Maude: Correspondingly define a Real-Time Maude functional module (fmod) for each CafeOBJ data module and a system module (tmod) for the CafeOBJ system module.

Step 2: Sorts and Subsorts Translation
Translate CafeOBJ sorts to Real-Time Maude sorts.
Declaring subsort relationships explicitly in Real-Time Maude using the subsort keyword to maintain sort hierarchies.

Step 3: Operator Translation
Translate CafeOBJ operators (op) to Real-Time Maude operators, preserving the arity and type signature. For example, a CafeOBJ observer is defined as follows:

$b o p l o c : H P i d - > L a b e l$

translates into Real-Time Maude as follows:

$o p l o c : P i d L a b e l - > O V a l u e .$

Step 4: Initial State Translation
Translate the CafeOBJ initial state (e.g., eq init = …) into Real-Time Maude as an equation defining the initial configuration of the system. For example, from cafeobj

$e q v (P, i n i t) = 0 . e q l o c (P, i n i t) = s t a r t .$

Translate into Real-Time Maude:

$e q i n i t (P) = v (P, 0) l o c (P, s t a r t) .$

Step 5: Transition Translation
Translate CafeOBJ transitions (defined by equations and conditional equations) into Real-Time Maude rewrite rules (rl, crl).
The effective condition of transitions (c- $τ$ ) in CafeOBJ is explicitly translated into the condition part of conditional rewrite rules (if c- $τ$ ) in Real-Time Maude. For example, from cafeobj

$c e q l o c (P, e n t e r (P, S)) = a c c e l i f c - e n t e r (P, S) .$

Translate into Real-Time Maude:

$c r l [e n t e r] : l o c (P, s t a r t) = > l o c (P, a c c e l) i f c - e n t e r (P, S) .$

Step 6: Consistency Check and Verification
Perform initial consistency checks by simulation using Real-Time Maude (trew command). Apply Real-Time Maude model checking (tsearch command) to verify safety properties and discover potential errors.

Algorithm 1: TranslateSpec (CafeOBJ_Spec)

Input: CafeOBJ_Spec
Output: Real-Time Maude_Spec

1. Extract all submodules from CafeOBJ_Spec.
2. For each submodule:
a. Map sorts and operators to Real-Time Maude format.
b. For each transition

τ

with effective condition c-

τ

:
         :
           Define corresponding rewrite rule in Real-Time Maude:
                crl [

τ

] : PreState => PostState if c-

τ

holds.
3. For each predicate used in verification:
Map to equivalent Real-Time Maude boolean functions.
4. Assemble all mapped modules into the final Real-Time Maude_Spec.
5. Return Real-Time Maude_Spec.

By following these systematic steps, the translation ensures semantic equivalence and maintains verification integrity between CafeOBJ and Real-Time Maude specifications.

5.2. A Case Study of the MHOTS/Real-Time Maude Method

We apply the specification translation to the MHOTS/CafeOBJ specification to obtain a Real-Time Maude specification. We call the output Real-Time Maude specification an MHOTS/Maude specification. The Real-Time Maude specification consists of a few functional modules and a system module. A few functional modules define data types and operations on them by means of equational theories. A system module specifies a rewrite theory. A rewrite rule denotes a transition. We show the result of the specification translation, which consists of a functional module LABEL PID PSET and a system module MAINSYSTEM. Firstly, we show a functional module LABEL to specify the data types of our system.

(fmod LABEL is
  sort Label .   ops start accel nothing brake : -> Label . ...
endfm)

ops indicates the definition of multiple operators, that is, symbolic constants that can be represented. start, accel, nothing, brake are the names of labels, representing the four control states of the vehicle.

We present a system module MAINSYSTEM, which specifies the multitask hybrid observational behavior of our system. The MAINSYSTEM module imports LABEL and PSET as similar to the CafeOBJ one, and POSRAT-TIME-DOMAIN to describe time-related properties. In Real-Time Maude, a state is defined as an explicit set of observed values. To specify the states, we introduce sorts like Label < OValue < System, indicating that Label is a subsort of OValue, and OValue is a subsort of System.

(tmod MAINSYSTEM is including (LABEL + PSET) .
  protecting POSRAT-TIME-DOMAIN .
  protecting RAT .
  sort OValue .
  subsorts Label < OValue < System .
  op loc : Pid Label -> OValue .
  ops v x : Pid Rat -> OValue .
  op init : -> System .
  eq init(P) = (v(P,0)x(P,0))loc(P,start) .
  ...
 endtm)

loc(P, L) represents the location of process P, represented by label L. Pid represents the unique identifier of the process (Process Identifier). v(Pid, Rat) and x(Pid, Rat) represent the velocity and position coordinates of process P, respectively. init defines the initial state of the system. System represents the state type of the entire system. init(P) means that the initial velocity and initial position are 0, and the initial state label is the initial state of the system of start. The local observations

o_{L} : H X_{i} \to V_{o_{L}}

defined in the OTS/CafeOBJ specification are translated into operations

o_{L}

:

X_{i}

V_{o_{L}}

→

O V a l u e

of Real-Time Maude. For example, loc(P, start) is a term of the sort OValue.

In the translated Real-Time Maude specification, a specification transition is translated into a rewrite rule on terms of System as follows:

 crl [a] : loc(P,L) => loc(P,accel) if not (L = start) .
 crl [b] : loc(P,L) => loc(P,brake) if not (L = start) .
 crl [n] : loc(P,L) => loc(P,nothing) if not (L = start) .
 rl [enternil] : (loc(P,start)ps(nil)) => (loc(P,accel)ps(P)) .
 crl [enterPS] : ((loc(P,start)ps(Q PS))x(Q,X)) => ((loc(P,accel)ps(P Q PS))
 x(Q,X)) if (0 < X) .

For example, the above first rewrite rule named by [a] takes any observed value of locations (except start) and rewrites it into the value of accel. When the vehicle is in the start state, we discuss two cases. If ps is empty (nil), P enters the accel state and becomes the only member of the queue ps; if ps is not empty and Q’s position X > 0, then P enters the accel state and joins after Q from ps(Q PS) to ps(P Q PS).

 eq update(T,((loc(P,L)v(P,V))x(P,X))OVS) =
 ((loc(P,L)v(P,nextv(L,P,T,V)))x(P,nextx(L,P,T,V,X)))update(T,OVS) .

The update equation updates the process state (vehicle’s position x and velocity v). The OVS serves the system’s multitasking as an object variable of other processes. The v(P,nextv(L,P,T,V)) calculates the new velocity of P after T time. The x(P,nextx(L,P,T,V,X)) calculates the new position of P after T time. The update(T,OVS) is responsible for updating the speed and position of all processes.

The tick rule allows the process state of the entire system to advance within T time units. c-tick(T, OVS) is used as a condition to ensure that the advancement within T time units is reasonable (such as whether the velocity and position constraints are met). The tick rule ensures that updates can only occur when c-tick allows, preventing unreasonable time advancement.

 crl [tick] : {OVS} => {update(T,OVS)} in time T if c-tick(T,OVS) .
 eq c-tick(nil,T,OVS) = true .
 eq c-tick(T,ps(PS)OVS) = c-tick(PS,T,ps(PS)OVS) .

If the process queue PS is empty, return true (allow time to advance). If PS is not empty, check the c-tick constraints one by one on PS as follows.

 eq c-tick(P,T,loc(P,L)v(P,V)x(P,X)OVS) = ((L = brake) or (L = accel) or
    (L = nothing)) implies (0 <= nextv(L,P,T,V) and nextv(L,P,T,V) <= 4) .
 
 eq c-tick(P2 P1,T,loc(P2,L2)v(P2,V2)x(P2,X2)loc(P1,L1)v(P1,V1)x(P1,X1)OVS)
    = c-tick(P2,T,loc(P2,L2)v(P2,V2)x(P2,X2)OVS) and c-tick(P1,T,loc(P1,L1)
    v(P1,V1)x(P1,X1)OVS) and (L2 = accel implies (nextx(L2,P2,T,V2,X2) + 8
    < nextx(L1,P1,T,V1,X1))) and (L2 = nothing implies (0 < nextv(L2,P2,T,V2)
    and nextv(L2,P2,T,V2) <= 4 and nextx(L2,P2,T,V2,X2) + 8 < nextx(L1,P1,T,
    V1,X1)) or nextv(L2,P2,T,V2) == 0) .

When a single process P is in brake, accel or nothing state, ensure that nextv(L, P, T, V) calculates a new velocity in the range [0, 4] (i.e., the velocity is not too large or too small). When two processes appear in the system, we need to ensure that P1 and P2 both comply with the c-tick rule of a single process P, but also need additional constraints. If P2 accelerates: Make sure that P2’s new position nextx(P2) is not too close to P1 (at least 8 units away). If P2’s speed remains unchanged: Make sure nextv(P2) is between [0, 4]. Make sure the minimum distance between P2 and P1 is 8. P2 can also stop when (nextv(P2) is 0). This prevents the two cars from getting too close and ensures a safe distance.

 eq c-tick(P2 P1 PS,T,loc(P2,L2)v(P2,V2)x(P2,X2)loc(P1,L1)v(P1,V1)x(P1,X1)OVS)
    = c-tick(P2 P1,T,loc(P2,L2)v(P2,V2)x(P2,X2)loc(P1,L1)v(P1,V1)x(P1,X1)OVS)
    and c-tick(P1 PS,T,...OVS) .

When there are multiple processes P2 P1 PS in the system. Recursively check whether P2 P1 and P1 PS meet the c-tick rule. Ensure that all processes meet the c-tick constraint.

6. Verification of the Model Checking

In this section, we show a simulation of the translated Real-Time Maude specification with the command trew and verification with model checking with the command tsearch to confirm the specification translation works well and is useful to find bugs in the original specification. In the below code, the sampling time is defined as 1 (in time 1), which means that the application of tick advances time by 1.

6.1. Simulation

The Real-Time Maude rewrite command is used to simulate one behavior of a given term t, denoted by

		trew [n] t in time < T

where the bracketed number n provides an upper bound for the number of rule applications and T provides an upper bound on the total duration [22,23]. We show an example of the application of the rewrite command to the module MAINSYSTEM where the first line is an input and below it is the output.

(trew [2] {loc(p1,start)ps(nil)} in time < 20 .)
Result ClockedSystem : {update(1,ps(p1)loc(p1,accel))} in time 1

The command trew performs time rewriting to simulate the state change in process p1 and the result shows that update(1, ps(p1) loc(p1,accel)) indicates that p1 enters the accel state at time T = 1.

This set of simulation code demonstrates time-constrained rewriting in Real-Time Maude language, simulating the behavior of process p1, focusing on the changes in velocity (v) and position (x), as well as the transition of process state (loc). The code mainly shows the process of p1 from acceleration (accel), velocity limit, and finally braking (brake).

(trew [4] {loc(p1,accel)v(p1,0)x(p1,0)ps(p1)} in time < 20 .)
Result ClockedSystem : {ps(p1)loc(p1,accel)v(p1,4)x(p1,8)} in time~4
 
(trew [1] {loc(p1,accel)v(p1,4)x(p1,8)ps(p1)} in time < 20 .)
Result ClockedSystem :
  {ps(p1)loc(p1,accel)v(p1,4)x(p1,8)} in time~0
 
(trew [2] {loc(p1,accel)v(p1,4)x(p1,8)ps(p1)} in time < 20 .)
Result ClockedSystem :
  {ps(p1)loc(p1,brake)v(p1,4)x(p1,8)} in time 0

At the initial state, p1 is in the acceleration (accel) state; the velocity (v) increases from 0 to 4 units; the position (x) increases from 0 to 8 units; the process state is still accel, and the simulation time advances 4 units.

After the speed reaches 4 units, try to advance 1 time unit (trew [1]). But the system state has not changed, which means that there is no applicable time advancement rule under the current conditions (because the velocity limitation constraint is not satisfied: nextv(L,P,T,V) <= 4). Therefore, time does not advance (in time 0). The state is completely unchanged, indicating that p1 is still in the accel state but cannot continue to accelerate.

Then, try to advance 2 time units (trew [2]). But the simulation does not consume time (in time 0), indicating that the discrete behavior (loc(P,L) => loc(P,brake)) directly causes p1 to enter the brake state without waiting for time to advance. The state of p1 changes from accel to brake. The velocity v(p1,4) and position x(p1,8) do not change, which means that braking has just started, and the speed has not yet decreased.

(trew [13] {loc(p1,accel)v(p1,0)x(p1,0)ps(p1)} in time < 20 .)
Result ClockedSystem : {ps(p1)loc(p1,nothing)v(p1,0)x(p1,16)} in time 10

We then continued the simulation a few more times and observed that the vehicle begins to decelerate until its velocity reached 0, switched to the no-operation state (nothing), and finally stopped at position 16 units as shown in Figure 5, which not only intuitively shows the forward trajectory of a single vehicle, but also indirectly proves that the system can stably and correctly perform state transitions under the set operation rules.

We not only simulated the track of a single vehicle in Real-Time Maude, but also simulated the forward track and safety verification of two and three vehicles in the CafeOBJ environment, and proved that our safety properties are safe. Next, we simulated the scenario with two vehicles; the results show the system of vehicles p1 and p2, by applying a series of transitions

e n t e r_{p 1}

,

t i c k_{4}

,

n_{p 1}

,

e n t e r_{p 2}

,

t i c k_{4}

,

n_{p 2}

, and

t i c k_{2}

from the initial state. By repeatedly using the reduction command, we can display the time series data of the observations the sequence of processes (

p s

) , position (x) and velocity (v) (Figure 6).

open MAINSYSTEM .
%MAINSYSTEM> red ps(tick(2,n(p2,tick(4,enter(p2,n(p1,tick(4,enter(p1,init)))
))))) .
(p1 p2):PSet
%MAINSYSTEM> red x(p1,tick(2,n(p2,tick(4,enter(p2,n(p1,tick(4,enter(p1,init)
))))))) .
(32):NzNat
%MAINSYSTEM> red v(p1,tick(2,n(p2,tick(4,enter(p2,n(p1,tick(4,enter(p1,init)
))))))) .
(4):NzNat
%MAINSYSTEM> red x(p2,tick(2,n(p2,tick(4,enter(p2,n(p1,tick(4,enter(p1,init)
))))))) .
(16):NzNat
%MAINSYSTEM> red v(p2,tick(2,n(p2,tick(4,enter(p2,n(p1,tick(4,enter(p1,init)
))))))) .
(4):NzNat

We also verified and proved the scenario, which demonstrates the security of the system with two vehicles. The results show that the system with vehicles p1 and p2 apply a series of transitions

e n t e r_{p 1}

,

t i c k_{4}

,

n_{p 1}

,

t i c k_{2}

,

e n t e r_{p 2}

,

t i c k_{4}

,

n_{p 2}

,

t i c k_{1}

,

b_{p 1}

,

t i c k_{4}

,

n_{p 1}

, and

t i c k_{1}

from the initial state. By using the reduction commands repeatedly, we display the time-series data of the observed values (Figure 7). The distance after a series of transitions is 12, and if the time advances one more unit, the set of active processes of vehicles p1 and p2 have a false c-tick.

open MAINSYSTEM .
%MAINSYSTEM> red x(p1,tick(1,n(p1,tick(4,b(p1,tick(1,n(p2,tick(4,enter(p2,
tick(2,n(p1,tick(4,enter(p1,init))))))))))))) .
(44):NzNat
%MAINSYSTEM> red v(p1,tick(1,n(p1,tick(4,b(p1,tick(1,n(p2,tick(4,enter(p2,
tick(2,n(p1,tick(4,enter(p1,init))))))))))))) .
(0):Zero
%MAINSYSTEM> red x(p2,tick(1,n(p1,tick(4,b(p1,tick(1,n(p2,tick(4,enter(p2,
tick(2,n(p1,tick(4,enter(p1,init))))))))))))) .
(32):NzNat
%MAINSYSTEM> red v(p2,tick(1,n(p1,tick(4,b(p1,tick(1,n(p2,tick(4,enter(p2,
tick(2,n(p1,tick(4,enter(p1,init))))))))))))) .
(4):NzNat
 
%MAINSYSTEM> red c-tick(2,n(p1,tick(4,b(p1,tick(1,n(p2,tick(4,enter(p2,tick(2,
n(p1,tick(4,enter(p1,init)))))))))))) .
(false):Bool
%MAINSYSTEM> red c-tick(1,n(p1,tick(4,b(p1,tick(1,n(p2,tick(4,enter(p2,tick(2,
n(p1,tick(4,enter(p1,init)))))))))))) .
(true):Bool

We verified and proved the scenario that has three vehicles; the result showed the system of vehicles p1, p2, and p3 that apply a series of transitions

e n t e r_{p 1}

,

t i c k_{4}

,

n_{p 1}

,

t i c k_{2}

,

e n t e r_{p 2}

,

t i c k_{4}

,

n_{p 2}

,

t i c k_{2}

,

e n t e r_{p 3}

, and

t i c k_{3}

from the initial state. By using the reduction commands repeatedly, we can display a time-series data of observed values (Figure 8).

open MAINSYSTEM .
%MAINSYSTEM> red ps(tick(3,n(p3,tick(4,enter(p3,n(p2,(tick(4,enter(p2,n(p1,
tick(4,enter(p1,init)))))))))))) .
(p3 (p2 p1)):PSet
%MAINSYSTEM> red x(p1,tick(3,n(p3,tick(4,enter(p3,n(p2,(tick(4,enter(p2,n(p1,
tick(4,enter(p1,init)))))))))))) .
(52):NzNat
%MAINSYSTEM> red v(p1,tick(3,n(p3,tick(4,enter(p3,n(p2,(tick(4,enter(p2,n(p1,
tick(4,enter(p1,init)))))))))))) .
(4):NzNat
%MAINSYSTEM> red x(p2,tick(3,n(p3,tick(4,enter(p3,n(p2,(tick(4,enter(p2,n(p1,
tick(4,enter(p1,init)))))))))))) .
(36):NzNat
 %MAINSYSTEM> red v(p2,tick(3,n(p3,tick(4,enter(p3,n(p2,(tick(4,enter(p2,n(p1,
 tick(4,enter(p1,init)))))))))))) .
(4):NzNat
%MAINSYSTEM> red x(p3,tick(3,n(p3,tick(4,enter(p3,n(p2,(tick(4,enter(p2,n(p1,
tick(4,enter(p1,init)))))))))))) .
(20):NzNat
%MAINSYSTEM> red v(p3,tick(3,n(p3,tick(4,enter(p3,n(p2,(tick(4,enter(p2,n(p1,
tick(4,enter(p1,init)))))))))))) .
(4):NzNat

In other words, the state is the result of the following processes. First, we assume that the acceleration pedal of vehicle p1 is pushed after the vehicle starts and is held for four time units, and then the pedal is released for two time units. Next, the acceleration pedal of vehicle p2 is pushed after the vehicle starts and is held for four time units; the pedal is not pushed for two time units. Next, the acceleration pedal of vehicle p3 is pushed after the vehicle starts, and it is held for three time units.

6.2. Model Checking

The Real-Time Maude rewrite command is used to search for states matched by a pattern p satisfying a given condition c from a given initial state t, denoted by

		tsearch [n] t =>* p such that c in time < T

where the bracketed number n provides an upper bound for the number of solutions to be searched and T provides an upper bound on the total duration [24,25].

6.2.1. Model Checking with Discrete Behavior

We use tsearch to perform time-bounded reachability analysis and check whether there is a state transition that allows the system to evolve from loc(p1,start)ps(nil)(v(p1,0) x(p1,0)) to ps(p1)loc(p1,L:Label) v(p1,V:Rat)x(p1,X:Rat) and satisfy L == accel, that is, p1 enters the accel state and the total time is less than 50.

  (tsearch [1] {loc(p1,start)ps(nil)(v(p1,0)x(p1,0))} =>* {ps(p1)loc(p1,L:Label)
  v(p1,V:Rat)x(p1,X:Rat)} such that L == accel in time < 50 .)
  
Solution 1
L:Label --> accel ; TIME_ELAPSED:Time --> 0 ; V:Rat --> 0 ; X:Rat --> 0

Then, we obtain the execution result:

Solution 1 indicates that a state that meets the conditions is found.
L:Label –> accel indicates that p1 has indeed entered the accel state.
TIME_ELAPSED:Time –> 0 indicates that the state transition occurs within 0 time units (i.e., instantaneous transition).
V:Rat –> 0 and X:Rat –> 0 indicate that when entering the accel state, p1’s velocity v(p1,0) and position x(p1,0) are still 0.

This search verifies that p1 can be instantly transferred to accel in the start state without consuming time, which complies with the discrete conversion rules defined by the system.

6.2.2. Model Checking with Continuous Behavior

Velocity and distance as continuous observation (

o_{C}

) values are constrained when performing multiple tasks. When multiple tasks are performed simultaneously, the system requires that the velocity of each vehicle cannot exceed 4 units of time (0 <= nextv(L,P,T,V) <= 4), and the safety distance between the two vehicles should be more than 8 units (nextx(L2,P2,T,V2,X2) + 8 < nextx(L1,P1,T,V1,X1)).

(tsearch [1] {ps(p2 p1)loc(p2,accel)v(p2,0)x(p2,0)loc(p1,accel)v(p1,0)x(p1,9)}
=>* {ps(p2 p1)loc(p2,L2:Label)v(p2,V2:Rat)x(p2,X2:Rat)loc(p1,L1:Label)
v(p1,V1:Rat)x(p1,X1:Rat)} such that V2 > 4 in time < 50 .)
rewrites: 11040920744 in 232233443ms cpu (31227869ms real)
(47542 rewrites/second)
 
No solution

The code was rewritten 11 billion times, taking 232,233.443 s (CPU time) and 31,227.869 s (real time), indicating that the amount of calculation is very large. No state that satisfies the conditions is found; that is, under the time limit of t < 50, the speed of p2 cannot exceed 4. The velocity constraint of p1 also meets the requirements of the system.

(tsearch [1] {ps(p2 p1)loc(p2,accel)v(p2,0)x(p2,0)loc(p1,accel)v(p1,0)x(p1,9)}
=>* {ps(p2 p1)loc(p2,L2:Label)v(p2,V2:Rat)x(p2,X2:Rat)loc(p1,L1:Label)
v(p1,V1:Rat)x(p1,X1:Rat)} such that V1 > 4 in time < 50 .)
rewrites: 11040920744 in 239387743ms cpu (32021922ms real)
(46121 rewrites/second)
 
No solution

To verify the safety property of the system, we apply the command as follows:

(tsearch [1] {ps(p2 p1)loc(p2,accel)v(p2,0)x(p2,0)loc(p1,accel)v(p1,0)x(p1,9)}
=>* {ps(p2 p1)loc(p2,L2:Label)v(p2,V2:Rat)x(p2,X2:Rat)loc(p1,L1:Label)
v(p1,V1:Rat)x(p1,X1:Rat)} such that X2 >= X1 in time < 50 .)
rewrites: 11131793258 in 190739035ms cpu (44980131ms real)
(58361 rewrites/second)
 
No solution

And the result is No solution, which means no state satisfying X2 >= X1 is found, i.e., p2 cannot catch up with p1 within t < 50.

6.2.3. Model Checking with Time Sampling $1 / 2$

The result of the Real-Time Maude search command may depend on a specific time sampling. We conduct experiments with different time sampling in the following sections.

We try to apply the search command with the time sampling

1 / 2

. First, we modify the definition of tick as follows:

(set tick def 1/2 .)

where the occurrences of 1 are replaced with

1 / 2

.

Similar to the above search, we confirm that the rear car can approach the front car within 8 units.

(tsearch [1] {ps(p2 p1)loc(p2,accel)v(p2,0)x(p2,0)loc(p1,accel)v(p1,0)x(p1,9)}
=>* {ps(p2 p1)loc(p2,L2:Label)v(p2,V2:Rat)x(p2,X2:Rat)loc(p1,L1:Label)
v(p1,V1:Rat)x(p1,X1:Rat)} such that 8 > X1 - X2 in time < 20 .)
Solution 1
L2:Label --> brake ; L1:Label --> nothing ; TIME_ELAPSED:Time --> 2 ; V2:Rat
    --> 1 ; V1:Rat --> 0 ; X2:Rat --> 7/4 ; X1:Rat --> 37/4

The result with time sampling

1 / 2

is exactly the same as that with time sampling 1. When the vehicle is braking, there is no velocity limit or distance limit for the vehicle ahead.

Smaller time sampling searches more state space densely, which may find bugs that may not be found with coarse time sampling; however, it needs more computation time and spaces.

6.2.4. Model Checking with Time Sampling 5

We try to apply the search command with the time sampling 5 and modify the definition of tick as follows:

(set tick def 5 .)

where the occurrences of 1 in the original one are replaced with 5 too. Since the time sampling is too coarse, we cannot find the situation where the distance between the rear vehicle and the front vehicle is less than 8 units as above, although there will be no collision between the two vehicles.

(tsearch [1] {ps(p2 p1)loc(p2,accel)v(p2,0)x(p2,0)loc(p1,accel)v(p1,0)x(p1,9)}
=>* {ps(p2 p1)loc(p2,L2:Label)v(p2,V2:Rat)x(p2,X2:Rat)loc(p1,L1:Label)
v(p1,V1:Rat)x(p1,X1:Rat)} such that 8 > X1 - X2 in time < 20 .)
No solution

The search command with this coarse time sampling is considered to fail to find the situation of two vehicles approaching each other although the two vehicles did not collide. Thus, there is a trade-off between time sampling such that coarser time sampling may fail to find bugs and finer one may take more computation time and spaces.

6.3. Counterexample

We try to find a counterexample of the critical position between the vehicles, such as the following:

eq c-tick(P2 P1,T,loc(P2,L2)v(P2,V2)x(P2,X2)loc(P1,L1)v(P1,V1)x(P1,X1)OVS) =
... (L2 = accel implies (nextx(L2,P2,T,V2,X2) + 7 < nextx(L1,P1,T,V1,X1)))
and (L2 = nothing implies (0 < nextv(L2,P2,T,V2) and nextv(L2,P2,T,V2) <= 4
and nextx(L2,P2,T,V2,X2) + 7 < nextx(L1,P1,T,V1,X1)) ...) .

In the previous part, we assume that the safe distance between the two vehicles is greater than 8 units when the maximum velocity of the vehicle does not exceed 4 units.

Now, we change the critical position between the vehicles from 8 to 7. Then, we found that at the same time, the position of the rear vehicle coincided with the position of the front vehicle, indicating that the two vehicles collided.

(tsearch [1] {ps(p2 p1)loc(p2,accel)v(p2,0)x(p2,0)loc(p1,accel)v(p1,0)x(p1,9)}
=>* {ps(p2 p1)loc(p2,L2:Label)v(p2,V2:Rat)x(p2,X2:Rat)loc(p1,L1:Label)
v(p1,V1:Rat)x(p1,X1:Rat)} such that X2 >= X1 in time < 20 .)
Solution 1
L2:Label --> brake ; L1:Label --> nothing ; TIME_ELAPSED:Time --> 9 ; V2:Rat
    --> 0 ; V1:Rat --> 0 ; X2:Rat --> 18 ; X1:Rat --> 18

This counterexample shows that if the safety distance is less than 8 units, the system will not be able to guarantee safety, thus verifying that our theoretical analysis is correct.

During the verification process with model checking in Real-Time Maude, special attention was paid to the occurrence of false positives or spurious counterexamples, which are common challenges in the automated verification of complex hybrid systems. In our experiments and simulations, due to the precise formulation and careful translation of specifications between CafeOBJ and Real-Time Maude, we did not observe any spurious counterexamples or false positives. This absence of false alarms primarily results from the following: 1. Accurate Specification Translation: Our rigorous and structured translation methodology minimizes semantic discrepancies between CafeOBJ and Real-Time Maude, significantly reducing opportunities for spurious results. 2. Well-Formulated Verification Conditions: Verification conditions are designed explicitly and clearly, avoiding ambiguity that could lead to unintended false alarms. 3. Conservative State Exploration: Careful state-space exploration using appropriate temporal and state constraints mitigates state-explosion-induced artifacts. However, it is crucial to acknowledge that while no spurious counterexamples were observed in our current study, their potential occurrence cannot be completely excluded in more complex scenarios or larger-scale applications. Future work will thus involve further refinement of abstraction techniques, explicit handling of potential spurious results, and comprehensive validation to maintain high verification accuracy in more extensive and complicated systems.

7. Conclusions

7.1. Summary of Contributions

Based on the multitask hybrid systems framework, we propose a specification transformation method that can obtain the specification from the OTS/CafeOBJ to the Real-Time Maude. Then, taking advantage of the infinite state spaces of the OTS/CafeOBJ and fully automated of Real-Time Maude, we completed the safety property verification of the autonomous vehicle group control system. We ensure that model checking for the Real-Time Maude specification obtained through specification translation is useful for finding bugs in the original specification. A specification translation between different formal specification languages benefits the research area of integrated formal methods. These findings contribute to the development of reliable autonomous driving technologies and build safe and efficient autonomous vehicle group control systems.

During the verification process by CafeOBJ, we may need some lemma to verify an invariant property. A user should try to find a suitable lemma to prove the main property. Our translation system will also be useful for that task. When a user thinks some property is a candidate of a lemma, the user translates it by our translation system and applies the Real-Time Maude search command. If a counterexample is returned, the lemma is wrong. The user avoids wasting time to prove the wrong lemma and tries to find the next candidates.

Our approach aims not only to apply the safety and efficiency of the multitask autonomous vehicle group control systems shown in this research but also to extend its applicability to more complex real-world scenarios. These include straight-line operation combined with intersections or vehicles merging into the highway, thereby enhancing the practical verification method of autonomous vehicle group control systems technology. Our methodology contributes significantly to ongoing debates in formal verification by explicitly addressing a known challenge: the trade-off between automation and the handling of infinite-state and complex hybrid systems. Whereas methods based solely on interactive theorem proving, such as CafeOBJ [17,18,19], provide rigorous proofs but depend heavily on user interaction, fully automated methods like UPPAAL [5] and Real-Time Maude [6] facilitate automatic state-space exploration but may suffer from state explosion issues. By integrating theorem proving and model checking, our approach systematically mitigates these limitations, as illustrated by the formal verification of autonomous vehicle group control systems, thus positioning our research as a robust advancement within the existing scholarly discourse.

While the proposed verification approach effectively combines interactive theorem proving and automated model checking, it faces several key bottlenecks and limitations when scaling up to large multitasking hybrid systems: 1. State Explosion Problem: Automated model checking (Real-Time Maude) is significantly constrained by state-space explosion as the number of concurrent tasks or processes increases dramatically. This limitation restricts scalability when verifying thousands or more concurrent processes. 2. Manual Effort in Theorem Proving: Although theorem proving (CafeOBJ) provides strong expressiveness and rigorous proofs, its reliance on expert-driven manual interaction significantly limits practical scalability and efficiency when applied to extremely complex or large-scale systems. 3. Complexity of Specification Translation: The precise translation of large-scale system specifications between CafeOBJ and Real-Time Maude may become increasingly complex and error-prone as systems grow, necessitating careful verification of the translation itself. 4. Resource Demands (Memory and Computational Power): The computational resources (memory, CPU time) required for exhaustive verification quickly escalate with the complexity of continuous behaviors and the number of concurrent processes, presenting practical limitations. 5. Limitations in Continuous Dynamics Modeling: Current approaches to continuous-state modeling and verification may oversimplify real-world continuous dynamics (e.g., non-linearities, uncertainties), potentially impacting verification fidelity and accuracy. To overcome these bottlenecks, future research directions include enhancing abstraction techniques, employing compositional verification methods, developing incremental and modular verification strategies, and advancing tool automation to mitigate these inherent challenges.

A critical aspect of formal verification is to ensure that identified safety violations reflect genuine system failures rather than artifacts resulting from state-space exploration constraints. The proposed verification methodology ensures the authenticity of reported violations through several rigorous mechanisms: Rigorous Specification Translation: The translation procedure between CafeOBJ and Real-Time Maude strictly preserves semantic consistency. By clearly mapping observers, predicates, and verification conditions, we prevent the introduction of artificial violations due to translation discrepancies. Verification Conditions Precision: Safety properties are explicitly and unambiguously formulated, facilitating precise differentiation between genuine violations and exploration artifacts. Ambiguities or overly restrictive conditions, which commonly result in false violations, are carefully avoided through well-defined and carefully vetted predicates. Cross-validation through Theorem Proving: Any safety violation identified by automated model checking is further cross-validated via interactive theorem proving. This combination ensures that any reported violation is independently confirmed through rigorous logical proofs rather than solely relying on automated state exploration.

Thus, these combined measures robustly differentiate actual system safety failures from artifacts of state-space exploration constraints, enhancing verification accuracy, reliability, and trustworthiness in safety-critical system analysis.

7.2. Discussion on Model Adaptation for Real-World Features and Constraints

Typical challenges that may be encountered in real environments, such as sensor uncertainty (such as noise, error, failure), communication delay or interruption (communication signal delay or loss), environmental interference factors (weather changes, road conditions), system hardware limitations (such as computing power, power supply limitations, storage capacity), complexity and dynamics of traffic scenarios (such as emergencies, complex interaction scenarios).

Combined with our research content, we plan to adjust the solution in the following aspects in the future to address the above issues: 1. Model robustness enhancement: Adjust the definition of continuous observers and discrete observers in the MHOTS model to cover uncertainty (for example, add random perturbations or uncertain boundary conditions). Consider using probabilistic or statistical models to describe sensor errors or environmental uncertainties [26]. 2. Adaptation to Communication Delays: Add explicit communication delay variables to the model, set the communication timeout state, and formulate corresponding recovery strategies. Use the temporal logic of Real-Time Maude to describe the safety constraints of the system under communication constraints or delays [27]. 3. Environmental Disturbances Adaptation: Add environmental factors such as weather and road friction coefficient to the model to simulate the dynamic characteristics of the vehicle under different environmental conditions. Enhance safety specifications and ensure that the system safety properties can still be met under extreme weather or special conditions through additional constraints [28]. 4. Verification under Computational Constraints: Consider state space abstraction or reduction in the model, which is suitable for embedded devices with limited computing resources. Discuss how to reasonably choose model checking and theorem proving strategies under resource constraints [29].

Although these schemes can improve the practical relevance and robustness of the verification model to a certain extent, it should be noted that such extensions may increase the complexity and computational cost of state space analysis. Therefore, in the future, we will focus on studying effective abstraction techniques and optimization algorithms to maintain a balance between model security and computational feasibility so as to further bridge the gap between theoretical verification and practical applicability.

Author Contributions

Methodology, Y.W. and M.N.; specification, Y.W., M.N., R.T., T.M. and K.S.; verification, Y.W., M.N., R.T., T.M. and K.S.; writing—original draft, Y.W. and M.N.; writing—review and editing, Y.W., M.N., R.T., T.M. and K.S. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by JSPS KAKENHI Grant Numbers JP19K11842 and JP20K04965.

Data Availability Statement

Data are contained within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

References

Takács, D.; Zelei, A. Performance Optimization of a Formula Student Racing Car Using the IPG CarMaker, Part 1: Lap Time Convergence and Sensitivity Analysis. Eng. Proc. 2024, 79, 86. [Google Scholar] [CrossRef]
Colley, M.; Czymmeck, J.; Kücükkocak, M.; Jansen, P.; Rukzio, E. PedSUMO: Simulacra of Automated Vehicle-Pedestrian Interaction Using SUMO To Study Large-Scale Effects. In Proceedings of the 2024 ACM/IEEE International Conference on Human-Robot Interaction, Boulder, CO, USA, 11–15 March 2024; pp. 890–895. [Google Scholar]
Jeannin, J.B.; Ghorbal, K.; Kouskoulas, Y.; Schmidt, A.; Gardner, R.; Mitsch, S.; Platzer, A. A formally verified hybrid system for safe advisories in the next-generation airborne collision avoidance system. Int. J. Softw. Tools Technol. Transf. 2017, 19, 717–741. [Google Scholar] [CrossRef]
Wang, Y.; Nakamura, M.; Sakakibara, K. Formal specification of an autonomous vehicle group control system with the hybrid OTS/CafeOBJ method. In Proceedings of the 2023 Congress in Computer Science, Computer Engineering, & Applied Computing (CSCE), Las Vegas, NV, USA, 24–27 July 2023; pp. 2169–2176. [Google Scholar]
Haxthausen, A.E.; Hede, K. Formal verification of railway timetables-using the UPPAAL model checker. In From Software Engineering to Formal Methods and Tools, and Back: Essays Dedicated to Stefania Gnesi on the Occasion of Her 65th Birthday; Lecture Notes in Computer Science (LNCS, Volume 11865); Springer: Cham, Switzerland, 2019; pp. 433–448. [Google Scholar]
Berger, U.; James, P.; Lawrence, A.; Roggenbach, M.; Seisenberger, M. Verification of the european rail traffic management system in real-time maude. Sci. Comput. Program. 2018, 154, 61–88. [Google Scholar]
Wang, Y.; Nakamura, M.; Sakakibara, K.; Okura, Y. Formal Specification and Verification of an Autonomous Vehicle Control System by the OTS/CafeOBJ method (S). In Proceedings of the 35th International Conference on Software Engineering and Knowledge Engineering (SEKE23), Pittsburgh, PA, USA, 5–10 July 2023; pp. 363–366. [Google Scholar]
Wang, Y.; Nakamura, M.; Sakakibara, K. Investigation of Formal Verification of the Autonomous Vehicle Control System by Specification Translation. In Proceedings of the 2023 International Technical Conference on Circuits/Systems, Computers, and Communications (ITC-CSCC), Jeju-si, Republic of Korea, 25–28 June 2023; pp. 1–6. [Google Scholar]
Doyen, L.; Frehse, G.; Pappas, G.J.; Platzer, A. Verification of hybrid systems. In Handbook of Model Checking; Springer: Cham, Switzerland, 2018; pp. 1047–1110. [Google Scholar]
Clavel, M.; Durán, F.; Eker, S.; Lincoln, P.; Martí-Oliet, N.; Meseguer, J.; Talcott, C. All About Maude—A High-Performance Logical Framework: How to Specify, Program and Verify Systems in Rewriting Logic; Lecture Notes in Computer Science (LNCS, Volume 4350); Springer: Berlin/Heidelberg, Germany, 2007. [Google Scholar]
Ölveczky, P.C.; Meseguer, J. Specification and analysis of real-time systems using Real-Time Maude. In Fundamental Approaches to Software Engineering; Lecture Notes in Computer Science (LNCS, Volume 2984); Springer: Berlin/Heidelberg, Germany, 2004; pp. 354–358. [Google Scholar]
Ölveczky, P.C.; Meseguer, J. Semantics and pragmatics of real-time Maude. High.-Order Symb. Comput. 2007, 20, 161–196. [Google Scholar]
Ölveczky, P.C.; Meseguer, J. The real-time maude tool. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Budapest, Hungary, 29 March–6 April 2008; Springer: Berlin/Heidelberg, Germany, 2008; pp. 332–336. [Google Scholar]
Ogata, K.; Futatsugi, K. Modeling and verification of real-time systems based on equations. Sci. Comput. Program. 2007, 66, 162–180. [Google Scholar]
Ogata, K.; Yamagishi, D.; Seino, T.; Futatsugi, K. Modeling and verification of hybrid systems based on equations. In Design Methods and Applications for Distributed Embedded Systems; IFIP Advances in Information and Communication Technology (IFIPAICT, Volume 150); Springer: Boston, MA, USA, 2004; pp. 43–52. [Google Scholar]
Nakamura, M.; Higashi, S.; Sakakibara, K.; Ogata, K. Specification and verification of multitask real-time systems using the OTS/CafeOBJ method. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 2022, 105, 823–832. [Google Scholar] [CrossRef]
Diaconescu, R.; Futatsugi, K. CafeOBJ Report; World Scientific: Singapore, 1998. [Google Scholar]
Ogata, K.; Futatsugi, K. Proof scores in the OTS/CafeOBJ method. In Formal Methods for Open Object-Based Distributed Systems, 6th IFIP WG 6.1 International Conference, FMOODS 2003, Paris, France, 19–21 November 2003; Lecture Notes in Computer Science (LNCS, Volume 2884); Springer: Berlin/Heidelberg, Germany, 2003; pp. 170–184. [Google Scholar]
Ogata, K.; Futatsugi, K. Some tips on writing proof scores in the OTS/CafeOBJ method. In Algebra, Meaning, and Computation: Essays Dedicated to Joseph A. Goguen on the Occasion of His 65th Birthday; Springer: Berlin/Heidelberg, Germany, 2006; pp. 596–615. [Google Scholar]
Meseguer, J. Real-Time Maude: A tool for simulating and analyzing real-time and hybrid systems. Electron. Notes Theor. Comput. Sci. 2000, 36, 361–382. [Google Scholar]
Ölveczky, P.C.; Meseguer, J. Abstraction and completeness for real-time maude. Electron. Notes Theor. Comput. Sci. 2007, 176, 5–27. [Google Scholar]
Ölveczky, P.C. Real-Time Maude and its applications. In Proceedings of the International Workshop on Rewriting Logic and Its Applications, Grenoble, France, 5–6 April 2014; pp. 42–79. [Google Scholar]
Lepri, D.; Ábrahám, E.; Ölveczky, P.C. Timed CTL model checking in real-time maude. In Proceedings of the International Workshop on Rewriting Logic and Its Applications, Tallinn, Estonia, 24–25 March 2012; pp. 182–200. [Google Scholar]
Durán, F.; Ölveczky, P.C. A guide to extending Full Maude illustrated with the implementation of Real-Time Maude. Electron. Notes Theor. Comput. Sci. 2009, 238, 83–102. [Google Scholar] [CrossRef]
Ölveczky, P.C. Real-Time Maude 2.3 Manual. 2004. Available online: https://www.duo.uio.no/handle/10852/9834 (accessed on 2 April 2025).
Ignatious, H.A.; Khan, M. An overview of sensors in Autonomous Vehicles. Procedia Comput. Sci. 2022, 198, 736–741. [Google Scholar]
Rong, D.; Jin, S.; Yang, C. Connected and Autonomous Vehicle Trajectory Planning Considering Communication Delay. IEEE Trans. Veh. Technol. 2024, 73, 12668–12681. [Google Scholar]
Yang, J.; Zhao, D.; Jiang, J.; Lan, J.; Mason, B.; Tian, D.; Li, L. A less-disturbed ecological driving strategy for connected and automated vehicles. IEEE Trans. Intell. Veh. 2023, 8, 413–424. [Google Scholar]
Lin, Z.; Ma, J.; Duan, J.; Li, S.E.; Ma, H.; Cheng, B.; Lee, T.H. Policy iteration based approximate dynamic programming toward autonomous driving in constrained dynamic environment. IEEE Trans. Intell. Transp. Syst. 2023, 24, 5003–5013. [Google Scholar]

Figure 1. The advantage of specification translation.

Figure 2. The target model.

Figure 3. Structure of the formal specification.

Figure 4. Structure of the formal verification.

Figure 5. The single−vehicle state transition and forward track.

Figure 6. The two vehicles forward track.

Figure 7. Safety property of two vehicles.

Figure 8. The three vehicles forward track.

Table 1. Characteristics of Model checking and Theorem proving.

Formal Verification	Theorem Proving	Model Checking
Example	CafeOBJ	Real-Time Maude
Advantage	infinite state spaces	fully-automated
Disadvantage	semi-automated	finite state spaces

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Wang, Y.; Nakamura, M.; Takano, R.; Matsumoto, T.; Sakakibara, K. Formal Verification of Autonomous Vehicle Group Control Systems via Specification Translation of Multitask Hybrid Observational Transition Systems. Electronics 2025, 14, 1483. https://doi.org/10.3390/electronics14071483

AMA Style

Wang Y, Nakamura M, Takano R, Matsumoto T, Sakakibara K. Formal Verification of Autonomous Vehicle Group Control Systems via Specification Translation of Multitask Hybrid Observational Transition Systems. Electronics. 2025; 14(7):1483. https://doi.org/10.3390/electronics14071483

Chicago/Turabian Style

Wang, Yifan, Masaki Nakamura, Ryo Takano, Takuya Matsumoto, and Kazutoshi Sakakibara. 2025. "Formal Verification of Autonomous Vehicle Group Control Systems via Specification Translation of Multitask Hybrid Observational Transition Systems" Electronics 14, no. 7: 1483. https://doi.org/10.3390/electronics14071483

APA Style

Wang, Y., Nakamura, M., Takano, R., Matsumoto, T., & Sakakibara, K. (2025). Formal Verification of Autonomous Vehicle Group Control Systems via Specification Translation of Multitask Hybrid Observational Transition Systems. Electronics, 14(7), 1483. https://doi.org/10.3390/electronics14071483

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Menu

Formal Verification of Autonomous Vehicle Group Control Systems via Specification Translation of Multitask Hybrid Observational Transition Systems

Abstract

1. Introduction

2. The Multitask Hybrid Observational Transition Systems

2.1. Definition of MHOTS

2.2. Illustrative Example of MHOTS: A Two-Tank Water Flow System

2.3. Fundamental Assumptions of MHOTS

3. Multitask Hybrid OTS/CafeOBJ Specifications

3.1. Specification of Sets of Processes

3.2. System Description of MHOTSs in CafeOBJ

3.3. A Case Study of the MHOTS/CafeOBJ Method

4. Verification of the Theorem Proving

4.1. Module for the Safety Property

4.2. Induction Basis

4.3. Induction Step

4.4. Lemma Introduction

5. Specification Translation to Real-Time Maude

5.1. Specification Translation

5.2. A Case Study of the MHOTS/Real-Time Maude Method

6. Verification of the Model Checking

6.1. Simulation

6.2. Model Checking

6.2.1. Model Checking with Discrete Behavior

6.2.2. Model Checking with Continuous Behavior

6.2.3. Model Checking with Time Sampling 1 / 2

6.2.4. Model Checking with Time Sampling 5

6.3. Counterexample

7. Conclusions

7.1. Summary of Contributions

7.2. Discussion on Model Adaptation for Real-World Features and Constraints

Author Contributions

Funding

Data Availability Statement

Conflicts of Interest

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI

6.2.3. Model Checking with Time Sampling $1 / 2$