Compositional Analysis of Parametric Cooperative Cyber-Physical Systems

This paper studies the parameterized compositional model checking problem (PCMCP) for analyzing global safety properties of cooperative Cyber-Physical Systems modeled as networks of hybrid automata. We develop the modular verification technique of the PCMCP to analyze global safety properties of parametric models of distributed cooperative agents, where each agent is modeled as a hybrid I/O automaton (HIOA). Combining local symmetry among the agents, compositionality, and parametric analysis avoids the computational cost of a global analysis of the hybrid system's state space. The PCMCP involves analyzing the local symmetry of the agent network and the agents' continuous, interfering interactions with their neighboring agents. This analysis identifies a representative agent (HIOA) from each locally symmetric equivalence class of the system. A key step is the computation of overapproximations of the reachable state set of the representative agents in a small cutoff instance of the system, which then generalizes to HIOA networks of arbitrary size. We illustrate the technique by outlining its application to computing a compositional local invariant for a platoon of N cooperative adaptive cruise control (CACC) vehicles. We establish a platoon cutoff and show that our simplified CACC model is collision-free, a result that then generalizes to the entire platoon family.


INTRODUCTION
In today's technological landscape, Cyber-Physical Systems (CPS) applications are seen across various domains, such as autonomous vehicles and robotic systems. These systems integrate control, communication, and computation, resulting in hybrid systems [1]. The behavior of such systems involves discrete transitions of the cyber (computational) part and the continuous dynamics of physical motion. A common feature of these safety-critical systems is that they are modeled as a set of distributed agents equipped with sensors and wireless communication capabilities. These agents interact cooperatively in order to accomplish common goals, e.g., in a cooperative driving system. Forming groups of vehicles, known as platoons [18], improves highway efficiency and safety and reduces fuel consumption and harmful emissions.
Such distributed hybrid systems are parameterized by an unbounded number of interacting agents. The traditional, nonparametric model-checking approach can only verify their correctness by analyzing instances with progressively more composed agents, which leads to the well-known state-space explosion problem. It is therefore vital to find a scalable method for verifying the safety of such massive-state-space systems regardless of the number of participating agents. That problem is known as the parameterized model checking problem (PMCP) [5].
Various techniques have been developed to overcome state explosion when analyzing the global state space, such as symmetry reduction [6], partial order reduction [30], and abstraction [7]. Instead, the parameterized compositional model-checking problem (PCMCP) formulation of [29] exploits the system's structural and local properties to avoid considering the global state space at all. The inductive modular proof of the PCMCP relies on compositional reasoning to replace global state-space analysis with localized neighborhood reasoning, which enables the decomposition of proofs for systems composed of multiple components. The method benefits from the local symmetry of the network structure, where any two nodes with isomorphic neighborhoods are considered locally similar. This may reduce the parameterized verification problem to establishing the existence of a compositional cutoff: a small instance of the network whose compositional invariants generalize to the entire network family [28] [29].
In this paper, we extend the applicability of the PCMCP method to reasoning about the global safety properties of a network of HIOAs. We use HIOAs to model the behavior of distributed CPS, such as platoons of connected CACC vehicles. We define a form of compositional invariant that explicitly accounts for the evolution of continuous variables (cf. [28] [29]). Unlike discrete systems, where interference between processes happens only during discrete transitions, composed hybrid systems have a distinctive characteristic: the real-valued shared variables evolve continuously over time, so neighboring agents interfere with each other continuously, and this interference influences the neighbors' behavior. We account for this characteristic in defining the conditions a property must satisfy to be called a compositional invariant.
A platoon of vehicles is subject to a cascading interference effect, where a disturbance such as braking by a leading vehicle causes a ripple of decelerations down the platoon. Through vehicle-to-vehicle (V2V) communication and advanced sensing, CACC-equipped vehicles maintain a safe following distance, preventing collisions and minimizing the risk of cascading interference. Local reasoning about each vehicle in a platoon and its neighbors allows us to prove that the compositional invariants remain valid even under interference, and this proof extends seamlessly to platoons of any size.
In a nutshell, the method operates as follows. First, we study the system's symmetry and identify a balance relation that also forms a groupoid. Balanced vehicles therefore have isomorphic compositional invariants; we then show that this compositional invariant establishes that no collision occurs between two successive vehicles. Next, we define the equivalence classes of the platoon and choose a representative vehicle from each class. Finally, we verify the compositional invariant for the representatives of the balance equivalence classes; the invariants of all other vehicles in each class are isomorphic to those of their representatives.
The results rest on demonstrating a platoon cutoff by exhibiting simulation relations between every instance of the parameterized platoon family and one fixed platoon instance. Under our simplified model, the platoon cutoff is safe: the forbidden states, in which a collision may occur, are not reachable. The computational cost is thereby reduced to automatically model checking a safety property for a small, fixed-size set of representative agents.
The paper is structured as follows. Section 2 provides an overview of the essential background material. Section 3 presents the conditions for inductive compositional invariants of HIOAs. Section 4 states and proves the main theorems on local symmetry and symmetry reduction within a network of HIOAs. We analyze the safety of a parameterized platoon of cooperative vehicles in Section 5. Finally, an overview of selected related work and a brief conclusion with future work are given in Sections 6 and 7, respectively.

PRELIMINARIES

2.1 Parameterized Model Checking Problem
The PMCP for distributed cooperative agents can be described as follows. Let  be a parameter representing the number of interacting agents   , where  ∈ [1.. ], in a system . Then the PMCP for  is to show that for all  ∈ N, the composition of all agents  ≜ ||  ∈ [1.. ]   |=  , where || denotes the parallel composition of  automata into a new automaton  in which they operate simultaneously. Furthermore,  |=  indicates that the reachable states of  are contained in the set of safe states of the property  , where  is a parametric specification [8] [7]. Based on this formulation, the PMCP asks whether a system composed of  replicas of   satisfies  regardless of the number of participating agents. The PMCP is undecidable in general, even when the individual participating processes are finite-state [4].
The parameterized compositional model checking problem (PCMCP) is a particular form of the PMCP that restricts the shape of the verification proof for parameterized systems rather than restricting the process models or their communication [29]. The PCMCP is based on a compositional proof of invariance properties in which each agent has its own invariant. The compositional invariant of each agent must be preserved under the actions of its neighboring agents. The PCMCP is undecidable in general; however, sound semi-decision procedures have been given for some architectures and properties, where a local proof shows that all members of the parametric family satisfy the global property of interest [27] [28] [29]. A negative result from such a procedure implies either that the parametric family does not satisfy the property, or that the local information is insufficient to prove correctness and a more refined local model is needed. The local proof of the PCMCP avoids the burden of analyzing the global state space of a parameterized system by analyzing only local and neighborhood agent states. The PCMCP operates as follows: For all  ∈ N, for all  ∈ [1.. ]: Then it follows that for all  ∈ [1.. ], the global system, comprising the composition of all   , satisfies the conjunction of all   .

Hybrid I/O Automata
Hybrid systems combine continuous and discrete behavior; therefore, their mathematical model must capture both kinds of dynamics. A hybrid automaton can be seen as a set of continuous modes, each governed by ordinary differential equations (ODEs) or differential inclusions (DIs), together with discrete transitions that switch between modes.
We make use of the hybrid input/output automaton (HIOA) proposed by Lynch et al. [25], supplemented by the extension introduced by Frehse [12] for the syntax and semantic definitions. We add the jump syntax to the definition, consistent with the hybrid automata framework of [2]. Definition 2.2 (Semantics of HIOA). The behavior of an HIOA  is defined by its executions and by how its states evolve over time. A state (, v) is a pair of a location  ∈  and a valuation of the variables v ∈ R  . Semantically,  is a tuple (  , ,  0 , , T ) where  ≜  ×  (  ) is the state space of  and  0 ⊆  is the set of initial states of  . The execution of  modifies system states through two types of transitions (the notation ⟦.⟧ denotes the set of legal values of a predicate or constraint, i.e., the set of states it describes):
• The set of instantaneous discrete transitions : A discrete transition is a triple ((, v), , ( ′ , v ′ )), where  = (, ,  ′ ) ∈ , both  and  ′ ∈ , both v and v ′ ∈ R  , and (v, v ′ ) ∈ ⟦ ()⟧.
• The set of continuous trajectories (also called timed transitions) T : A trajectory is a continuously differentiable function  : [0, ] →  (  ),  ∈ R ≥0 , that models the evolution of the variables over an interval of time according to the  constraints of a location . A trajectory  is written  = ((, v), , (, v ′ )), or simply (v, v ′ ), with  (0) = (, v),  ( ) = (, v ′ ), and for all  ∈ [0, ] both  () ∈ ⟦ ()⟧ and ( (),  ()) ∈ ⟦ ()⟧.
Unlike a discrete transition, which produces a single state change, a trajectory  generates a set of states. The first state in this set is denoted  . and the last state is denoted  ..
.. of  defines the internal behavior of a hybrid automaton, and it is either a finite or an infinite sequence of trajectories and discrete transitions. If   is not the last trajectory in , then   .  − − →  +1 .. A run  is an execution if its first state .  is an initial state, i.e., .  ∈  0 . If  is a closed sequence of trajectories and discrete transitions whose final trajectory is closed (left-closed and right-closed), then we write the last state of  as .. On the other hand, the trace of a run  records the external actions and the evolution of the external variables    of  ; it is denoted  ().
A state ( ′ , v ′ ) is reachable if some execution passes through it, i.e., it is one of the states of that execution. The set of all reachable states of  is denoted ℎ( ). In general, computing the exact ℎ( ) is undecidable [2] [16]. However, several tools compute bounded-time overapproximations for linear hybrid systems, for which reachability and simulation are semi-computable with linear , , and  constraints [17] [13] [14].

Network Representation and Communication
The agent network, denoted , varies in its network structure and in the number of distributed agents. We assume a directed information-exchange topology in which  (, ) is defined by a set of nodes  and a set of directed edges . We use the notions of controlled and uncontrolled variables of the HIOA to model communication between agents [10]. These notions determine whether the shared variables of composed automata are affected by a local transition of the automata involved. Controlled variables of an automaton keep their values across local transitions of neighboring composed automata. In contrast, the values of the uncontrolled variables of one automaton may be changed at any time by transitions of neighboring automata; however, their valuations must still meet the stated invariant condition [10]. A variable can be controlled by at most one of the connected HIOAs and is uncontrolled elsewhere, typically functioning as an input variable.

Interleaved Composition of HIOAs
We describe the compositionality of HIOAs for asynchronous, nonblocking composition, where for every state (, v) of the composed system there exists at least one transition (, v)  − → ( ′ , v ′ ). We assume that time advances uniformly for all composed automata, so their continuous variables evolve at the same rate. The semantics of the interleaved parallel composition of a network of  identical HIOAs   is defined as follows [16] [20].  is a tuple (   ,   ,   0 ,   , T  ) where:
•   ≜   ×  (   ) is the set of all system states, i.e., all possible valuations of the variables in    over all locations.
•   0 ⊆   is the set of initial states, which satisfies the initial predicate   of each automaton   for all  ∈ [1.. ].
•   ⊆   ×   is the set of discrete transitions, which interleaves the transitions of the  automata. A discrete transition ((, v), , . ],  ≠ , for every  ∈     that is not shared with   and controlled by   , , where v  ⌈    denotes the projection of a vector v onto the variables in     . The variables of     may change only if a  assignment is associated with the transition of   . Hence the discrete transition of one automaton leaves the internal state of the other automata unaffected.
• T  ⊆   ×   is the set of trajectories of the composed automata. A trajectory  ∈ T  is a function  : [0, T] →  (   ), where  ∈ R ≥0 . Each automaton   in the network updates its state according to its active flow as time elapses. A trajectory  (or (v, v ′ )) ends when a stopping condition is satisfied. There are two cases, for two consecutive time instants ,  ′ : (1) the invariant   () of the current location  ∈   of some automaton   becomes false under the Flow constraint; or (2) the guard of an edge  attached to the current location  ∈   becomes true, that is, there is a time  such that v ′ ∈ ⟦  ()⟧.
Note that in the first case,  ( ′ ) is not a state of ; instead,  . refers to the state at time .
As a result, different kinds of states are defined within a network of HIOAs. A global state is the state of the entire network   ; it consists of a global location  ∈   and a vector of the valuations of all variables in    . An internal state (, v) of   in the network consists of a location  ∈   and a vector v of valuations of the variables in     . A local state (, v, y) is the internal state of   in the network together with a vector y of the external variables shared with neighboring automata. Finally, a joint state is a pair ((, u, x), (, v, y)) where (, u, x) and (, v, y) are the local states of   and   , respectively. Both local states agree on the values of all variables common to x and y: for every variable  in x that is shared with y, x[] = y[]. Joint states are used later to formulate interference between agents.

Inductive Invariant of HIOAs
An invariant is a predicate that holds in all reachable states of a model. The classical notion of an inductive invariant for a discrete transition system is used to prove that all executions starting in an initial set of states stay within a given set of safe states. Thus, a predicate  is an inductive invariant if (1) all initial states satisfy  , and (2)  is closed under the system's transitions, meaning that  holds in every state reachable in one step from a state in which  holds. For hybrid models, we must also check closure under continuous trajectories [25].

Definition 2.3 (Inductive invariant of HIOAs). Given an HIOA  and a predicate  with ⟦ ⟧ ⊆ ,  is an inductive invariant of  if it satisfies the following conditions: The initial condition requires that all initial states of  satisfy  . The discrete transition closure condition requires that, for every edge of  , if the state before the transition satisfies  , then the state after the transition also satisfies  . The trajectory closure condition requires that, for every trajectory, if its first state satisfies  , then every state along the trajectory, including the intermediate states and the last state, also satisfies  . Together, the three conditions cover all reachable states of  and guarantee that  is an inductive invariant of  .
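As an added illustration of the three conditions of Definition 2.3 (this is example code written for this page, not the paper's own model or tool), the following Python script checks a candidate invariant of a small hybrid automaton. The automaton is a constructed one-variable model of a follower's gap d to its predecessor with two locations, CLOSING and OPENING; the rates, bounds and the safe distance D_SAFE = 10 are assumptions chosen for the example, not values from the paper. Predicates are boxes per location, flows have constant rates, and resets are affine, so the set of states a trajectory can visit before the location invariant stops it can be overapproximated by a box. A True verdict is therefore sound, and a False verdict names the first condition that fails.

```python
"""Inductive-invariant check (Definition 2.3) for a constructed, box-shaped
hybrid automaton. Example code for this page; not the paper's model or tool."""

INF = float("inf")


def intersect(a, b):
    """Intersection of two boxes (dict var -> (lo, hi)); None if empty.
    Variables missing from `b` are unconstrained there."""
    out = {}
    for v, (lo, hi) in a.items():
        blo, bhi = b.get(v, (-INF, INF))
        lo, hi = max(lo, blo), min(hi, bhi)
        if lo > hi:
            return None
        out[v] = (lo, hi)
    return out


def subset(a, b):
    """Is box `a` (None = empty set) contained in box `b`?"""
    return a is None or all(b[v][0] <= lo and hi <= b[v][1] for v, (lo, hi) in a.items())


def reset(box, assignment):
    """Image of `box` under affine jumps x := c*x + d; other variables are unchanged."""
    out = dict(box)
    for v, (c, d) in assignment.items():
        lo, hi = box[v]
        p, q = (d, d) if c == 0 else (c * lo + d, c * hi + d)
        out[v] = (min(p, q), max(p, q))
    return out


def flow_hull(box, rates, inv):
    """Box containing every state reachable from `box` by flowing at the constant
    `rates` while the location invariant `inv` still holds. Sound overapproximation:
    a single time bound, the longest any start state can flow, is used for all variables."""
    start = intersect(box, inv)
    if start is None:
        return None
    t_max = INF
    for v, r in rates.items():
        ilo, ihi = inv.get(v, (-INF, INF))
        if r > 0:
            t_max = min(t_max, (ihi - start[v][0]) / r)
        elif r < 0:
            t_max = min(t_max, (start[v][1] - ilo) / -r)
    hull = {}
    for v, (lo, hi) in start.items():
        r = rates.get(v, 0.0)
        if r > 0:
            hull[v] = (lo, hi + r * t_max)
        elif r < 0:
            hull[v] = (lo + r * t_max, hi)
        else:
            hull[v] = (lo, hi)
    return intersect(hull, inv)


def check_inductive(aut, pred):
    """(True, None) if `pred` meets the initial, discrete-closure and trajectory-closure
    conditions; otherwise (False, name of the first violated condition)."""
    loc0, init = aut["init"]
    if not subset(init, pred[loc0]):
        return False, f"initial states of {loc0} leave the predicate"
    for src, dst, guard, jump in aut["edges"]:
        pre = intersect(pred[src], guard)
        if not subset(None if pre is None else reset(pre, jump), pred[dst]):
            return False, f"discrete closure fails on edge {src}->{dst}"
    for loc, (rates, inv) in aut["locations"].items():
        if not subset(flow_hull(pred[loc], rates, inv), pred[loc]):
            return False, f"trajectory closure fails in location {loc}"
    return True, None


# Constructed follower model (an assumption for this example, not the paper's CACC
# model): d is the gap to the preceding vehicle in metres. CLOSING shrinks it at 2 m/s
# and may be left for OPENING once d <= 12; OPENING grows it at 1 m/s and may switch
# back once d >= 25. The location invariants force a switch at d = D_SAFE and d = 30.
D_SAFE = 10.0
FOLLOWER = {
    "init": ("CLOSING", {"d": (20.0, 30.0)}),
    "locations": {
        "CLOSING": ({"d": -2.0}, {"d": (D_SAFE, INF)}),
        "OPENING": ({"d": 1.0}, {"d": (-INF, 30.0)}),
    },
    "edges": [
        ("CLOSING", "OPENING", {"d": (-INF, 12.0)}, {}),
        ("OPENING", "CLOSING", {"d": (25.0, INF)}, {}),
    ],
}


def collision_free_invariant():
    """Candidate invariant d in [D_SAFE, 30] in both locations."""
    return {"CLOSING": {"d": (D_SAFE, 30.0)}, "OPENING": {"d": (D_SAFE, 30.0)}}


def too_strong_predicate():
    """d in [12, 30]: not an invariant, since nothing forces the switch before d = 10."""
    return {"CLOSING": {"d": (12.0, 30.0)}, "OPENING": {"d": (12.0, 30.0)}}


def without_forced_switch():
    """Same model, but CLOSING is only bounded by the physical stop d = 0 (a collision)."""
    aut = {"init": FOLLOWER["init"], "edges": FOLLOWER["edges"],
           "locations": dict(FOLLOWER["locations"])}
    aut["locations"]["CLOSING"] = ({"d": -2.0}, {"d": (0.0, INF)})
    return aut


if __name__ == "__main__":
    print(check_inductive(FOLLOWER, collision_free_invariant()))  # (True, None)
    print(check_inductive(FOLLOWER, too_strong_predicate()))
    print(check_inductive(without_forced_switch(), collision_free_invariant()))
```

The third call is the check a practitioner wants: the same predicate d ∈ [10, 30] stops being inductive as soon as the location invariant of CLOSING no longer forces the controller to switch at d = 10, because a trajectory starting anywhere in the predicate can then flow past the safe distance. The verdict comes from the trajectory closure condition, not from the discrete edges, which are unchanged.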

PCMCP OF HYBRID I/O AUTOMATA

3.1 Inductive Compositional Invariants
The compositional reasoning of the PCMCP focuses on the relationship between an agent and its neighbors, since an agent's actions may influence the behavior of the agents connected to it. Formally, each HIOA   of an agent network has a predicate   where ⟦  ⟧ is a set of local states of   of the form (, v, y), with (, v) an internal state of   and y a vector of the variables shared with neighboring automata. The set of local-state predicates { 1 , ...,   } of a network of HIOAs must satisfy four conditions to be called inductive compositional invariants: That is, for any initial state (, v, y) of   , (, v, y) ∈ ⟦  ⟧.
The trajectory interference condition states that if the shared external variables x and y change due to a trajectory of   at location , then   may adjust its controlled internal variables in response to the changes. In general, the controlled internal real-valued variables of   whose derivatives are defined or constrained do not remain unchanged over a time interval , because of the continuous   ().
Changes in the variables of    must satisfy   () for the model to be well-formed. Having defined the conditions under which compositional invariants are proved inductively, we use them to prove the global system invariant (cf. [27]). Proof: (Base case) The initial condition of the compositional invariants is satisfied since, for every automaton   , all initial states in  0 belong to ⟦  ⟧, which implies that all states in the global initial state set   0 also belong to ⟦  ⟧. In other words, if the initial states  0 of every agent   satisfy   , then every state in the global initial state set   0 satisfies every   and hence their conjunction . (Inductiveness) In the hybrid setting, two kinds of inductive step must be proved: discrete steps and trajectories. To show the closure condition for discrete steps, consider any global state  that satisfies  and a discrete transition of an agent   that moves the global state from  to . As   holds in , the transition satisfies both the discrete transition closure condition and the interference condition for discrete transitions, so   holds in . Similarly, for trajectories, consider any global state  that satisfies  and a continuous trajectory  ∈ T  where  =  . and all automata in   advance to state  along their trajectories as time passes. As   holds in ,   also holds in  by the trajectory closure condition. If the trajectory stopping condition of some agent   is satisfied, then the state  marks the end of the trajectory  and  =  .. Again, since   holds in , the trajectory satisfies both the trajectory closure condition and the interference condition for trajectories, so   holds in . Now consider any other agent   . If   points to   , then since  satisfies   by assumption, the interference conditions for discrete and continuous transitions give that   holds in . If   does not point to   , the discrete and continuous transitions of   do not change the value of any variable in the neighborhood of   , so   continues to hold. The same reasoning applies to every agent in the network. We conclude that the conjunction of the compositional invariants of   ,  = ∧  ∈ [1.. ]   , is a global inductive invariant for   . □

Parameterized Compositional Invariants
For a parameterized family of networks of HIOAs, a compositional invariant is defined by an unbounded set of predicates, where each automaton  ( M, ) of each network M in the family is associated with a predicate  ( M, ) . Each automaton must satisfy the conditions for compositional invariants defined above.

SYMMETRY OF A NETWORK OF HYBRID I/O AUTOMATA
Local symmetries are symmetries that appear among some sets of agent neighborhoods but not necessarily among all of them. Proving local symmetries suffices to ensure that compositional invariants are isomorphic across all corresponding nodes in a network family [28]. Since only the representative agents of the local-symmetry equivalence classes need to be analyzed for safety, this can substantially reduce the cost of model checking.

Local Symmetry
The mathematical analysis of network structural symmetry uses tools from group theory. The theory of local symmetry is based on a generalization of symmetry groups known as groupoids [15] [27] [29]. The notion of a groupoid extends that of a group by allowing a partially defined composition operation, so that the composition of two elements need not be defined.
Local symmetry (symmetry between neighborhoods) is based on the isomorphism relation between the neighborhoods of nodes. An isomorphism between two nodes  and  of a network , denoted (, , ), is characterized by a bijective function  that maps the neighborhood of  onto the neighborhood of  while preserving the edge structure. The set of all local symmetries of the nodes forms a groupoid called the symmetry groupoid [15] [27] [29], denoted G  , in which composition is only partially defined. A network has a symmetry groupoid G  if it meets the following conditions: (1) the identity condition: (, , ) is a symmetry for each node , where  is the identity map; (2) the inverse condition: if (, , ) is a symmetry then its inverse (,  −1 , ) is also a symmetry; and (3) the composition condition: the combination of the symmetries (, , ) and (, , ), given by (, , ), is also a symmetry.
A groupoid induces an equivalence relation called the orbit relation. If two agents  and  are related by some (, , ) ∈ G  , we say that  is in the orbit of  under the action of G  , written  ≃  . That is, there is a way to move from  to  by applying groupoid isomorphisms.
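To make the local-symmetry and orbit definitions concrete, the following Python script (an added example, not the paper's code or tool) computes local symmetries and orbits for a platoon's information-exchange graph. It assumes that the neighborhood of a node m consists of m together with every node that has an edge to or from m, that a local symmetry (m, β, n) is a bijection from the neighborhood of m onto that of n with β(m) = n that preserves edge direction, and that edges carry no labels. The graphs are constructed: a leader-to-follower chain, which is the topology described for the platoon in Section 5, and a ring for comparison.

```python
"""Local symmetries, groupoid composition and orbits of a network graph.
Added example for this page; not the paper's code. Edges are unlabelled."""
from itertools import permutations


def platoon_graph(n):
    """Directed chain 1 -> 2 -> ... -> n: vehicle i feeds motion data to follower i+1."""
    return list(range(1, n + 1)), {(i, i + 1) for i in range(1, n)}


def ring_graph(n):
    """Closed chain: the last vehicle also feeds vehicle 1 (a fully symmetric topology)."""
    nodes, edges = platoon_graph(n)
    return nodes, edges | {(n, 1)}


def neighbourhood(edges, m):
    """m plus every node adjacent to it (either direction), and the edges induced among them."""
    nodes = {m} | {a for a, b in edges if b == m} | {b for a, b in edges if a == m}
    return nodes, {(a, b) for a, b in edges if a in nodes and b in nodes}


def is_symmetry(edges, m, n, beta):
    """Is (m, beta, n) a local symmetry: beta maps N(m) onto N(n), sends m to n,
    and maps the induced edges of N(m) exactly onto those of N(n)?"""
    nm, em = neighbourhood(edges, m)
    nn, en = neighbourhood(edges, n)
    return (set(beta) == nm and set(beta.values()) == nn and beta[m] == n
            and {(beta[a], beta[b]) for a, b in em} == en)


def local_symmetry(edges, m, n):
    """A bijection beta with (m, beta, n) a local symmetry, or None if none exists.
    Brute force over permutations; platoon neighbourhoods have at most 3 nodes."""
    nm, em = neighbourhood(edges, m)
    nn, en = neighbourhood(edges, n)
    if len(nm) != len(nn) or len(em) != len(en):
        return None
    others = sorted(nm - {m})
    for image in permutations(sorted(nn - {n})):
        beta = dict(zip(others, image))
        beta[m] = n
        if is_symmetry(edges, m, n, beta):
            return beta
    return None


def compose(beta, gamma):
    """Groupoid composition: apply beta (m -> n) and then gamma (n -> k).
    Only defined when the image of beta is the domain of gamma."""
    return {v: gamma[beta[v]] for v in beta}


def orbits(nodes, edges):
    """Equivalence classes under the orbit relation (m ~ n iff some local symmetry
    relates them), computed with union-find; returned as sorted lists of nodes."""
    parent = {v: v for v in nodes}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    for i, m in enumerate(nodes):
        for n in nodes[i + 1:]:
            if find(m) != find(n) and local_symmetry(edges, m, n) is not None:
                parent[find(n)] = find(m)
    classes = {}
    for v in nodes:
        classes.setdefault(find(v), []).append(v)
    return sorted(classes.values())


def representatives(nodes, edges):
    """One representative per orbit: the agents that actually need to be model checked."""
    return [orbit[0] for orbit in orbits(nodes, edges)]


if __name__ == "__main__":
    for size in (2, 3, 4, 8):
        print(size, orbits(*platoon_graph(size)))  # three orbits for every size >= 3
    print(orbits(*ring_graph(5)))  # a single orbit
```

For the chain the orbits are the leader, the interior followers, and the last follower, so the number of representatives stops growing at three once N ≥ 3; that is the structural reason a small representative instance can exist at all. The script checks local symmetry only: the balance relation of Definition 4.4 additionally requires the correspondences between neighbors to be balanced and to agree on shared edges, and a cutoff still needs the simulation check between the reachable local states of a larger instance and those of the representative instance.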

Symmetry Reduction
Agent assignment and simulation. After defining the local symmetries of the network structure between node neighborhoods, we need to apply the definition to the agents associated with the nodes. An entry (, , ) ∈ , where  ⊆ G  , represents a local-symmetry relationship between the local state spaces of the agents   and   associated with the nodes  and , respectively. The assignment of agent   to node  and of agent   to node  is valid if  0 ≡  ( 0 ),   ≡  (  ), and T  ≡  (T  ) hold. In other words,  maps every initial state and every discrete or continuous step of   to the corresponding element of agent   .
This mapping between the local states of two agents   and   with (, , ) ∈  can be defined as a simulation relation: every initial state, discrete or continuous step, or interference transition of   can be simulated by a discrete or continuous step or interference transition of   . A simulation relation between two HIOAs captures how one automaton can exhibit the same behavior as, or more behavior than, the other. While trace-based simulation from one HIOA to another was defined in [25], our definition extends it to include the simulation of interference transitions. Definition 4.1 (HIOA simulation with interference for local symmetry). Formally, for every (, , ) in the balanced local symmetry relation ,  is a simulation relation over the local states of   and   , and there is a simulation relation from   to   (denoted   ⪯   ) if the following conditions hold (for brevity, local states are written as single symbols such as  and  rather than in full as (, v, y)): • (Initial match) For every  ∈  0 there exists a state  ∈  0 such that .

Proof: This theorem relates the compositional invariants of a network  under local symmetries. The proof is by induction on fixpoint stages, i.e., the successive iterations by which the fixpoint of a function is reached: starting from the initial states, the statement is established stage by stage until the fixpoint is reached. Assume as inductive hypothesis that the statement of the theorem holds for every state in ⟦  ⟧, where ,  + 1, ... denote the iteration sequence. Now consider   ,   such that (, , ) is in  and let  ′ be in ⟦ +1  ⟧ but not in ⟦   ⟧.
(Base case) We show that the statement holds for the initial states. If  is an initial state of   , then there is an initial state  of   such that  . Therefore the claim holds by the initial condition. (Induction: step) There are two kinds of inductive step: discrete transitions and trajectories. For transition simulation, suppose a run  of   consists of one discrete transition of   such that . =  ′ is a successor of a state .  =  in ⟦   ⟧. By the inductive hypothesis, there is a state  in ⟦ *  ⟧ such that . Thus there is a closed run  of   consisting of a single discrete transition of   such that .  = ,  () =  (), . =  ′ , and  ′  ′ . By the closure condition of compositional invariants under discrete transitions,  ′ is also in ⟦ *  ⟧. For trajectory simulation, let  be a run of   comprising a single closed trajectory in T  , with  ′ a successor of a state .  =  in ⟦   ⟧. By the inductive hypothesis, there is a state  in ⟦ *  ⟧ such that . Consequently, there exists a closed run  of   consisting of a single trajectory in T  with .  = ,  () =  (), . =  ′ , and  ′  ′ . By the closure condition of compositional invariants under trajectories,  ′ is also in ⟦ *  ⟧.
(Induction: interference) Suppose that  ′ is obtained through a discrete-transition interference or a trajectory interference; that is, there is either a discrete transition of   or a trajectory in T  , for some neighbor   of   , from a joint state (, ) to a joint state ( ′ ,  ′ ), where  ∈ ⟦   ⟧ and  ∈ ⟦   ⟧. By the inductive hypothesis, there is a state  in ⟦ *  ⟧ such that . In the first case of interference simulation, there is guaranteed to be a neighboring automaton   of   such that (, , ) is in , and for every  with (, ) ∈  there is a joint transition ((, ), ( ′ ,  ′ )) caused by a transition of   or a trajectory in T  with ( ′ ,  ′ ) ∈ . As  ∈    , the induction hypothesis yields some  ∈ ⟦ *  ⟧ related to  by . For that , the joint state (, ) satisfies both  *  and  *  . Consequently, by closure under interference,  ′ ∈ ⟦ *  ⟧. The other case of interference simulation ensures that there is either a discrete transition of   or a trajectory in T  from state  to  ′ such that  ′  ′ ; here closure under step transitions guarantees that  ′ ∈ ⟦ *  ⟧. □

Corollary 4.3 (cf. [28]). Let  be a property of local states. If   and   are such that (, , ) is in the symmetry  and  is invariant under , then  *  =⇒  holds if and only if  *  =⇒  holds. Corollary 4.3 says that if a property  is preserved by the symmetry transformation  between the nodes  and , then whenever  is true for agent   it is also true for   , and vice versa.
Balance relation. The equivalence relation ≃  between nodes  and  ensures the similarity of their neighborhood structures. We then use the concept of balance to define the correspondence between the agents in  () and in  (), since the agents in these sets affect   and   , respectively [15] [27] [29]. The balance relation has been used to connect local symmetries throughout a network and across a network family. Balanced agents have isomorphic neighborhoods: each agent has the same degree, and the agents they are connected to are themselves balanced, creating a repeating pattern. Definition 4.4 (Balance [29]). Formally, a balance relation  is a set of local symmetries in the triple format (, , ) satisfying two properties: (1) for all (, , ), if (, , ) ∈  then (,  −1 , ) ∈ ; and (2) for all (, , ) ∈ , for any node  that points to  there is a node  that points to  and a bijection  such that ( , , ) ∈ , and for every edge  connected to both  and ,  () =  (), and the same condition holds for the edges connected to both  and .
The main advantage of balanced agents is that they have isomorphic compositional invariants [27]. Hence, to model check a compositional invariant  , it suffices to find a balance relation  that is also a groupoid, define its equivalence classes, select a representative agent from the orbit of each class, and check  for the representatives of the balance equivalence classes. The invariants of all other agents in each class are isomorphic to those of its representative.

Parameterized Network Families
In a parameterized network of HIOAs, identifying local symmetries that cover the members of the network family simplifies the task of verifying a property: the property is checked for a small, fixed-size set of representative instances rather than for all possible instances. We employ the local symmetry definitions within a network family by extending the symmetry relation to relate two nodes that may belong to different networks. Consider M and N as two networks of the same family, and let  ∈ M be related to  ∈ N by  as a triple ((M, ), , (N, )). Consequently, we extend the Theorem 4.
Compositional cutoff. Network cutoffs do not always exist; their existence depends on the network structure and the programs. If a cutoff exists, the PMCP for a network of any size  reduces to model checking a network of at most  instances, where  is the cutoff size: any system of size greater than  satisfies the same logical formulae as the systems of size .
Combining local symmetries with cutoffs of a network family leads to the concept of a compositional cutoff [29]. The idea is to reduce the unbounded set of constraints  to a finite set by identifying symmetries at the local (neighborhood) level. To establish a compositional cutoff, one must identify the system's equivalence classes and a representative agent for each class. These representatives together form the minimal representative instance, of size . One then checks the symmetry simulation relation from the local reachable states of the agents in a system instance of size  ′ , where  ′ ≥ , to the local reachable states of the representative instance. If the simulation relation holds, the representative instance is the cutoff of size  for the network family.
Finding a compositional cutoff for a network family implies that the strongest compositional invariants of a network of size greater than  are identical (up to neighborhood isomorphism) to the strongest compositional invariants of a network of size at most .

VERIFICATION FOR A PLATOON OF COOPERATIVE VEHICLES
We use the inductive proof provided by the PCMCP to prove that a parameterized platooning system of CACC vehicles is collision-free during longitudinal maneuvers. Due to space constraints, we provide only a concise overview of the proof to demonstrate the advantages of our method; full details will appear in a related document.

Overview
. ]   is a finite group of  ≥ 2 connected CACC vehicles that move longitudinally in a road lane over a period of time. The platoon consists of a leader vehicle  1 in the front that guides a set of follower vehicles {  }. Each independently self-controlled vehicle   exchanges instantaneous motion data with its follower (neighbor) vehicle  , denoted as  (, ), so that   can quickly decide and react to imminent safety threats. The platoon forms a directed graph  (, ) (see Figure 1), where  is the set of nodes (vehicles) and  is the set of directed edges representing connections between vehicles based on their vicinity. Vehicles are equipped with cooperative adaptive cruise control (CACC), onboard sensors, inter-vehicle wireless network devices, and actuators. CACC is a longitudinal control that manages a vehicle's longitudinal motion to keep a safe distance from the preceding vehicle [35]. This control strategy operates through a combination of upper- and lower-level controllers. The upper-level controller calculates the desired acceleration   from the collected input data, while the lower-level controller manages the physical throttle and brake commands that implement the desired acceleration. Each vehicle independently adjusts its velocity based on the data and commands received through V2V communication and sensor measurements.
Vehicles in the same platoon periodically provide their position and speed to their immediate follower, which observes them through its onboard sensors, and disseminate their acceleration through V2V wireless communication, as illustrated in Figure 1. Followers must maintain a safe distance    from their preceding vehicles at all times.

Formal Modeling
We define the behavior of the upper-level CACC as an HIOA, building on the description provided in [3]. A template HIOA   of one CACC vehicle is a tuple (  , , , , , , , ), where each component is defined below. Figure 2 illustrates the hybrid automaton of a CACC vehicle.
The upper-level controller operates in three modes, denoted as  = {, , }. The Speed Control () mode maintains a desired speed by adjusting the acceleration based on  , while the Gap Control () mode maintains a safe distance from the preceding vehicle. When the relative distance falls below   , the controller switches to the Collision Avoidance () mode, which applies maximum deceleration to prevent a collision. In  mode, a vehicle may switch to  mode if the relative distance exceeds a predetermined detection distance, denoted  , indicating a separation from the preceding vehicle large enough that communication is infeasible.
 is a finite set of six possible discrete transitions between modes, triggered by  conditions. The  conditions for transitions involving the  mode depend primarily on the relative distance and the safe distance, while transitions between the  and  modes are determined by the relative distance and the detection distance.
Each location  ∈  is associated with a set of predicates constraining the vehicle's trajectories, detailed in Figure 2. The  constraints for the variables  and  in all modes follow the standard kinematic equations  =  and  = . The acceleration in each mode is determined by the desired acceleration  , as outlined in [3], so as to maintain a safe gap between vehicles. Parameter definitions and default values are also adapted from [3].

Assumptions. We assume that the platoon consists of identical CACC-equipped vehicles on a designated highway, with reliable communications and no environmental disturbances. The lag in tracking the desired acceleration that is due to the lower-level controller is also ignored. Finally, our analysis focuses on a single-platoon configuration; however, our model can handle a multi-platoon configuration.

Compositional Verification
Here, we outline the steps to analyze a parameterized family of platoons of CACC vehicles based on the preceding theory:
• Analyze the symmetry relation  of the platoon network family and identify all possible equivalence classes.
• Identify a minimal representative platoon instance, of size , whose nodes cover all of the defined equivalence classes.
• Compute the strongest compositional invariant for the representative instance.
• Check the symmetry simulation relation from a platoon instance of size ′, where ′ ≥ , to the vehicles of the representative instance.
If the simulation relation holds, then the representative instance is the cutoff of size  for the platoon family.

Properties. The main safety objective of each vehicle is to follow its preceding vehicle at a safe distance   . The global parametric safety invariant that we want to prove for a platoon  ≜ ||  ∈ [1.. ]   ,  ≥ 2, over a bounded interval of time, is defined formally as follows: The conditions  (, ) and  <  indicate that vehicles  and  are distinct neighbors, with  immediately preceding  in the platoon. Additionally,   −   −  > 0 ensures a positive relative distance, where  has the larger position value. We subtract the preceding vehicle's length  from   −   to obtain the relative distance. The local inductive invariant for a follower vehicle   of a platoon  is defined as follows:

Initial condition. The initial condition  specifies that each vehicle   in  starts at   =  (except the leader, where  1 = ). The initial value of   can be any positive real number, with vehicles in the front having larger position values. Additionally, the gap between the positions of consecutive vehicles must be at least    and less than  . The variables   and   are real-valued and range between the vehicle's minimum and maximum velocity and acceleration, respectively.

.]   , except  1 , have one node in their  (  ) set. Also,  4 is the only one that does not have an output connection. The vehicles in the middle,  2 and  3 , have two neighbors. Thus, there is an isomorphism mapping the neighbors of  2 onto the neighbors of  3 , i.e., ( 2 , ,  3 ). In general, the isomorphisms (  , ,  ) exist for all ,  ∈ [2,  − 1]. The mapping preserves the adjacency relationships between neighbors and the overall connectivity pattern of the platoon.
We find that the leader vehicle forms the first equivalence class. The last vehicle forms the second equivalence class because its  (  ) set is empty, unlike that of the other followers. Recalling the balance Definition 4.4, the rest of the followers are identical up to the renaming of the vehicles and their neighbors. This induces a balanced relation between the followers, which forms the third equivalence class; thus, local analysis can be done on a fixed-size model.
Compositional invariant proof. To establish the compositional inductive invariant, it is necessary to verify that the set of safety predicates { 1 , ...,   } satisfies the conditions in Section 3.1.

Theorem 5.1. In a platoon  of  CACC vehicles, the property of local states   that a vehicle   never reaches a state in which the relative distance to its preceding vehicle   is less than or equal to zero is a compositional inductive invariant.
Proof: Let ⟦  ⟧ be the set of local states that satisfy the collision avoidance predicate   for each vehicle   in a platoon .

(Initial condition) The   condition for both leader and follower vehicles ensures that the initial relative distance is greater than zero. Thus,   holds in the initial states of all platoon vehicles.

(Discrete transition closure) For all discrete transitions ((, v), , ( ′ , v ′ )) ∈   of   , if  =  or  = , then (, v) ∈ ⟦  ⟧, since the  constraint of  guarantees that the relative gap to the preceding vehicle is ≥   . When the    distance is violated, the relative gap remains greater than zero at  ′ =  because of that mode's  constraints. Therefore, ( ′ , v ′ ) ∈ ⟦  ⟧. When  = , then (, v) ∈ ⟦  ⟧, since the state is the last state of the trajectory, indicating successful disturbance handling. If the edge to  ′ =  or  ′ =  is activated, then clearly ( ′ , v ′ ) ∈ ⟦  ⟧.

(Trajectory closure) For all trajectories  ∈ T  of   , if  =  or  = , then  . ∈ ⟦  ⟧ due to the  constraint, which ensures that the relative gap at  . is > 0 and remains so as time  evolves. Consequently,  () ∈ ⟦  ⟧ and  . ∈ ⟦  ⟧. At  = ,  . ∈ ⟦  ⟧, since the  constraint applies the maximum deceleration to brake and the  constraint ensures that the relative gap stays within the interval (0,   ). Therefore, for any time ,  () ∈ ⟦  ⟧ and  . ∈ ⟦  ⟧.

(Interference) The interaction of each preceding vehicle   with its follower vehicle   does not falsify the collision avoidance predicate   from any joint state. That is, ∀,  ∈ [1.. 
],  ≠  such that  (, ) and  < , then:
• Here, we only discuss the interference cases that may violate the collision avoidance property, including the cases where the preceding vehicle, the follower, or both are in the  mode. For example, consider an interference transition where   is the preceding (active) vehicle that transitions from mode   to   and   is the follower (passive) vehicle that remains in mode   or   during the joint transition. Then we find that,

.]   . Here,  is the smallest platoon instance, of size  = 3, representing the three equivalence classes. The size  ′ of  can be any value greater than . We need to check that the symmetry simulation conditions hold between the representative vehicles of platoon  and the representative vehicles of platoon . That is, we need to establish a simulation relation from  (,1) to  (,1) , from  (, ) to  (, ) , and from  (, ) to  (, ) , where  ∈ [2.. − 1], which holds despite the disparity in initial conditions. It is observed that for every initial state, transition, trajectory, and interference transition reached by  (, ) , there exist corresponding local states in the other vehicle  (, ) . In the parameterized platoon family, a compositional cutoff of size  = 3 is chosen to indicate the point at which the system's behavior remains constant with respect to the compositional inductive invariants under local symmetries. We note that the cutoff exhibits all interesting patterns of platoon behavior. The leader presents the possible behavior of the leader of a platoon of any size. The first follower exhibits the potential leader-follower behavior between the leader, which mainly maintains a desired velocity in mode , and the follower, which strives to maintain a safe gap by possibly switching between the  and  modes. The second follower of the cutoff illustrates the follower-follower relationship, where both vehicles follow the same policy to avoid a collision. We have run an experiment using the SpaceEx
tool [14] and shown that the cutoff of size three is collision-free.We leave the results for future work.
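The procedure above (symmetry analysis, representative instance, local invariant) can be made concrete on a small executable model. The following Python is an added example, not the paper's artifact or the SpaceEx model: it encodes the three-mode upper-level CACC automaton with the guard structure described in the Formal Modeling section (the CA edges compare the relative distance with the safe distance, the SC/GC edges with the detection distance, and the flow is x' = v, v' = a), groups the vehicles of a platoon of any size into the leader, middle-follower and last-vehicle classes by neighborhood shape, and runs a bounded-time, discrete-time check of the local invariant x_{i-1} - x_i - L > 0. The gains, distances, initial positions and control laws are assumptions of this example (the paper's parameters come from [3] and are not reproduced on the page), and a bounded simulation is an illustration of the guards and the invariant, not the reachability-based proof the paper performs.

```python
"""Added example (not the paper's own artifact): a discrete-time model of the
three-mode upper-level CACC automaton together with the neighborhood-symmetry
analysis that singles out the size-3 representative platoon instance.
Gains, distances, control laws and initial conditions are assumptions of this
example; the paper takes its parameters from [3], which the page does not
reproduce."""

# --- assumed parameters (not taken from the paper) -----------------------
L_VEH = 4.0            # vehicle length L
D_SAFE = 10.0          # safe distance d_safe: below it a follower is in CA
D_DET = 60.0           # detection distance d_det: at or above it, SC
V_DES = 25.0           # desired speed held in SC mode
V_MAX = 35.0           # velocity range [0, V_MAX]
A_MAX, A_MIN = 3.0, -6.0                   # acceleration range; CA applies A_MIN
K_V, K_P, K_D, K_A = 1.0, 0.25, 1.0, 0.5   # SC and GC gains (assumed)
DT = 0.05              # Euler step (s)

SC, GC, CA = "SC", "GC", "CA"

def clamp(a, lo=A_MIN, hi=A_MAX):
    return max(lo, min(hi, a))

def next_mode(gap):
    """Guard evaluation for a follower: the CA edges compare the relative
    distance with d_safe, the SC/GC edges compare it with d_det."""
    if gap < D_SAFE:
        return CA
    return SC if gap >= D_DET else GC

def desired_accel(mode, v, gap, v_prev, a_prev):
    """Upper-level controller output a_des per mode (assumed control laws)."""
    if mode == CA:
        return A_MIN                                  # maximum deceleration
    if mode == SC:
        return clamp(K_V * (V_DES - v))               # hold the desired speed
    return clamp(K_P * (gap - D_SAFE) + K_D * (v_prev - v) + K_A * a_prev)

# --- the platoon as a directed graph and its local-symmetry classes ------
def platoon_edges(n):
    """Edge i -> i+1: vehicle i feeds motion data to its immediate follower."""
    return [(i, i + 1) for i in range(1, n)]

def equivalence_classes(n):
    """Group vehicles by neighborhood shape (has predecessor, has follower).
    All middle followers share one shape, so they are isomorphic up to
    renaming; the leader and the last vehicle each form their own class."""
    edges = platoon_edges(n)
    classes = {}
    for i in range(1, n + 1):
        shape = (any(e[1] == i for e in edges), any(e[0] == i for e in edges))
        classes.setdefault(shape, []).append(i)
    return classes

def representative_instance(n):
    """Lowest-indexed member of each class; its size is the cutoff candidate."""
    return sorted(min(members) for members in equivalence_classes(n).values())

# --- bounded-time check of the local invariant x_{i-1} - x_i - L > 0 -----
def simulate(n, horizon=40.0, gap0=30.0):
    """Euler-integrate x' = v, v' = a for n vehicles (leader at index 0) and
    return the smallest relative distance seen plus each vehicle's trajectory.
    Positions are leader-relative, so a vehicle's trajectory does not depend
    on how many vehicles are behind it (data flows only backwards)."""
    x = [-i * gap0 for i in range(n)]       # constructed initial positions
    v = [0.0] * n
    a = [0.0] * n
    mode = [SC] + [GC] * (n - 1)            # Init: leader in SC, others in GC
    min_gap = float("inf")
    traj = [[] for _ in range(n)]
    for _ in range(int(horizon / DT)):
        gaps = [x[i - 1] - x[i] - L_VEH for i in range(1, n)]
        min_gap = min([min_gap] + gaps)
        # every vehicle reads its predecessor from the same joint state
        a_new = [desired_accel(SC, v[0], 0.0, 0.0, 0.0)]
        for i in range(1, n):
            mode[i] = next_mode(gaps[i - 1])
            a_new.append(desired_accel(mode[i], v[i], gaps[i - 1], v[i - 1], a[i - 1]))
        for i in range(n):
            v[i] = clamp(v[i] + a_new[i] * DT, 0.0, V_MAX)
            x[i] += v[i] * DT
            traj[i].append((mode[i], x[i], v[i]))
        a = a_new
    return {"min_gap": min_gap, "traj": traj}

if __name__ == "__main__":
    print("classes for N=6:", equivalence_classes(6))
    print("representative instance:", representative_instance(6))
    for n in (3, 8):
        print(f"N={n}: min relative distance {simulate(n)['min_gap']:.2f} m")
```

Because the graph is directed from each vehicle to its follower, the first follower's local trajectory in the size-3 instance is exactly the one it has in a platoon of size 8 with the same initial gaps, which is the leader-follower pattern the cutoff is meant to capture; the second follower shows the follower-follower pattern, where a mildly decelerating predecessor can push the gap to the d_safe boundary and exercise the GC/CA edges. The simulation reports the smallest relative distance over the horizon; a value above zero on the cutoff is evidence, not proof, and the paper's argument rests on the reachable-set overapproximation and the simulation relation instead.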

RELATED WORK
A significant amount of research has focused on verifying parameterized systems. Surveys on parameterized verification can be found, for example, in [5] and [7, Ch. 21]. Parameterized verification of distributed CPS with an arbitrary number of agents has been studied on different real-world applications [23], [19].
Johnson and Mitra introduced a verification framework for parameterized networks of rectangular hybrid automata that uses a small model theorem, a concept similar to system cutoffs [20]. The small model theorem, originally proposed by Pnueli et al. [33], states that if a parameterized system up to a threshold size satisfies the small model properties, then the verification result generalizes to any system size greater than the threshold. The small model properties are global inductive invariants. The method has been automated in the software tool Passel [21]. Johnson and Mitra also used a parameterized model checking method for hybrid automata to verify different safety properties of the Small Aircraft Transportation System (SATS) landing protocol [19]. In contrast to [20], where the global inductive invariant is proven over the global state space of the parameterized network, our approach establishes a set of local compositional invariants for parameterized networks of hybrid automata and then infers the global verification result from these compositional invariants.
KeYmaera is another verification tool for parametric hybrid systems [32]. It is a semi-automatic theorem prover that combines deductive and computational methods to reason about the safety of hybrid systems. It has been used to verify that a system with a parametric number of distributed adaptive cruise control vehicles is collision-free in single- and multi-lane street scenarios [23]. A modular hierarchical proof structure is applied to manage system complexity. The control model is defined using quantified hybrid programs, while the safety properties are expressed in quantified differential dynamic logic. Our modular proof technique differs in employing local reasoning and local symmetry, which enables the breakdown of the global state space into multiple local analyses within neighborhoods and thus allows relatively efficient analysis. It is sufficient to construct correctness proofs for a cutoff-size model of representative instances within a cooperative distributed agent network, which then generalize to the entire network family. Thus, the automated component of our approach is the analysis of this cutoff using model-checking tools such as SpaceEx [14] and PHAVer [13], resulting in a significant reduction of the problem state space.
The safety verification of platoon-based systems has been studied in numerous works, including [9], [24], [34], [11], [22], [31], [26]. All of them share a common characteristic: they apply non-parameterized verification. The main objective of [34] and [24] is to model and verify the continuous dynamics of vehicle control for the platoon leader and followers during platoon maneuvers. In [9], on the other hand, the focus is on modeling the platoon controllers of two platoons that try to merge. Each platoon is defined by one hybrid I/O automaton to represent and verify the control requirements necessary for a successful platoon merge.
A compositional verification method is proposed in [11] to verify the non-collision safety condition of a five-vehicle platoon. The method is limited to the safety property between two successive vehicles and does not provide a way to conclude the global safety of the platoon. Kamali et al. focus on verifying the autonomous decision-making of the vehicles within the platoon rather than the controller itself [22]. A benchmark example of a four-vehicle platoon is proposed in [26]. The platoon system is modeled as one single automaton describing the closed-loop dynamics of the system. That style of modeling does not appear to scale up to the analysis of parameterized networks. Unlike [26], the platoon in our work is constructed in a decentralized style in order to define a platoon with a scalable number of vehicles.

CONCLUSION
In this paper, we developed PCMCP reasoning for hybrid models of distributed CPS.This offers a semi-decision procedure to infer the global safety of a network of HIOAs through localized analysis.Our focus lies in addressing the unique challenges posed by the hybrid behavior exhibited by these CPS.
To demonstrate the utility of the framework, we applied it to a platoon of CACC vehicles and showed local symmetries between follower vehicles. We showed how the modular reasoning method of PCMCP handles the cascading interference phenomenon often encountered in platoon-based systems.
In the future, we plan to employ the proof techniques outlined in [28] to analyze dynamic models of cooperative vehicle networks, addressing various adversarial changes in the network structure.These changes include scenarios where vehicles join or leave a platoon, significantly impacting platoon behavior.Exploring additional safety properties arising from platoon maneuvers presents an interesting research direction.
2 and Corollary 4.3 for a parametric network family of HIOAs.

Theorem 4.5. For a local symmetry  on a parametric network family of HIOAs, let  * ( M,) and  * ( N,) be the strongest compositional invariants on M and N, respectively. Then, for every (M, ) and (N, ) such that ((M, ), , (N, )) is in , it is true that  * ( M,) =⇒ ⟨⟩ * ( N,) , where ⟨⟩ * ( N,) = { |   for some  in  * ( N,) }.

Proof: Recall the proof of Theorem 4.2. Here, we need to substitute the nodes and the strongest compositional invariants of a single network with the nodes and invariants of the parameterized network family, which is straightforward. □

Corollary 4.6. Let  be a property of local states. If ((M, ), , (N, )) is in symmetry , and  is invariant under , then  * ( M,) =⇒  is true if and only if  * ( N,) =⇒  is also true.

Figure 1: The communication of a platoon of size  .

Figure 2: The hybrid automaton of a CACC vehicle.

• The initial states of   satisfy the local property   .
• If a state   of   satisfies a local property   and there is a transition from the state   to  ′ , then  ′ also satisfies   .
• If a state   of   satisfies a local property   ,   is a neighbor of , a state   of   satisfies a local property   , and a transition of   transforms (  ,   ) to ( ′ ,  ′ ), where all shared variables are equal and  ′ satisfies   , then  ′ also satisfies the property   . That is, the actions of   do not falsify   of   .
Definition 2.1 (Hybrid I/O automaton). Syntactically, an HIOA  is a tuple (  , , , , , , , ) where:
•   is a finite set of variables that is partitioned into controlled    and input    , where    ∩    = , and output    ⊆    . Let   =    ∪    , the external variables    =    ∪   , and let the internal variables be    =   \   . A valuation function  () maps each variable  ∈   to a value in its type. All possible valuations of the variables in   form the set of system states, denoted  (  ). The number of variables is , and it is called the dimension of  .
•  is a finite set of control locations representing the continuous modes of  .
•  gives an initial condition  () to a location  whose variables are from   .
•  is a location constraint  () that sets constraints on the possible valuations of the variables at .
•  is a location constraint that regulates the continuous evolution of the variables in   ∪   at each location.   represents the set of first derivatives of   .  () assigns a linear ODE or DI to the variables  ∈   at a location .
•  is an edge condition that represents the guard  and reset  conditions whose variables are from   ∪   ′ , where   ′ denotes the updated values of the variables at the end of a discrete transition.
•  is a finite set of actions or transition labels that are partitioned into internal   and external   actions, and   are partitioned into input and output actions.
• ⊆  ×  ×  is a finite set of edges representing the discrete transitions. An edge  between locations  and , labeled with  ∈ , is written as   − →  or (,

Each node  ∈  is assigned an agent   and linked to  neighboring nodes through directed edges, where  ∈ N. A node  points to a node  (written  ∈  ()) if there is an output edge  of ,  ∈  (), that is also an input edge of  such that  ∈ (). Nodes  and  are neighbors, denoted as  (, ), if they have a common connected edge, i.e., if  points to  or  points to  or both.
• (Transition simulation) If   and  is a run of   consisting of one discrete transition in   with .  = , then   has a closed run  with .  = ,  () =  (), . =  ′ , . =  ′ and  ′  ′ .
• (Trajectory simulation) If   and  is a run of   consisting of a single closed trajectory in T  with .  = , then   has a closed run  with .  = ,  () =  (), . = , . =  ′ and  ′  ′ .
• (Interference simulation) The interference can be in the form of changes in the shared, external variables caused by continuous or discrete transitions of a neighbor. If , and   is a neighbor of   , and there is a joint (  ,   ) transition ((, ), ( ′ ,  ′ )) that is caused by a discrete transition of   or by a continuous trajectory of T  , then there is either (1) a neighbor   of   for which (, , ) is in  and for every local state  of   such that , there is a joint (  ,   ) transition ((, ), ( ′ ,  ′ )) caused by   or T  , such that  ′  ′ , or (2) there is a transition (,  ′ ) caused by a transition of   or T  such that  ′  ′ .

Theorem 4.2 (Symmetry Theorem (c.f. [27])). For a local symmetry  on a network , let  * be the strongest compositional invariant on . Then, for every   ,   such that (, , ) is in , it is true that  *  =⇒ ⟨⟩ *  , where ⟨⟩ *  = { |   for some  in  *  }.
(  , u  , x  ) ∈ ⟦  ⟧ since   −1 −   −  > 0; (2) if   is in mode   , (  , v  , y  ), or in mode   , (  , v  , y  ), both states satisfy   because of the mode invariants that ensure the collision avoidance property; (3)   transfers to the state (  , u ′  , x ′  ), which satisfies   since   (  ) ensures that  ′  −1 −  ′  −  > 0 holds; (4) the shared variables x  ∩ y  between   and   , namely   ,   , and   , have the same values in x ′  ∩ y ′  ; and (5)   =   or   , and v  remains unchanged after the transition of   . Thus, (  , v ′  , y ′  ) ∈ ⟦  ⟧ and also (  , v ′  , y ′  ) ∈ ⟦  ⟧.
• Internal and shared continuous variables of preceding and following vehicles change over time according to the  constraint of each mode. For example, at any time  ∈ [0, ], consider a trajectory in mode   =   and   =   : (1) (  , u  , x  ) ∈ ⟦  ⟧ since   (  ) ensures that the evolution of the variables maintains the safe gap; (2) for a trajectory in location   =   , it is clear that (  , v  , y  ) ∈ ⟦  ⟧ since the relative gap must be ≥    to remain in this mode; however, when   =   , the relative gap is less than    during the evolution of the variables, and then the flow constraint   (  ) applies the maximum deceleration to brake and increase the relative gap. Thus, (  , v  , y  ) ∈ ⟦  ⟧.
(3) There is a continuous transition at  ((  , u  , x  ), , (  , u ′  , x ′  )) of   . (4) All the shared variables in x  ∩ y  , which include   ,   , and   , have the same values in x ′ ∩ y ′ after a  transition, where  ′  ,  ′  , and  ′  have the same values in x ′ and y ′ . (5) After time , when (  =   ), (  , v ′ ) ∈ ⟦ ′  ⟧, and when   =   , (  , v ′ ) ∈ ⟦ ′  ⟧. Thus, for all time  and for the time transitions ((  , u  , x  −1 ), , (  , u ′  , x ′  −1 )) of   , we find that (  , v ′  , y ′  ) ∈ ⟦  ⟧. Since the analysis examines all possible transitions of   that may violate   , the invariant holds locally. □

It follows from Theorem 3.1 and Theorem 5.1 that the combined local compositional invariants establish the platoon's global invariant.

Symmetry reduction. Because of the similarity of the vehicle models and the isomorphism between the follower vehicles' neighborhoods within the follower equivalence class, there is an isomorphism mapping the local reachable states of a vehicle   of a platoon  to the local reachable states of   in  for any ,  ∈ [2.. − 1],  ∈ N. By Theorem 4.2,   holds for all vehicles in the follower class. Consider two instances of the platoon family:  ≜ ||  ∈ [1.. ′ ]   and  ≜ ||  ∈ [1.