Accelerating safety verification of autonomous systems using

symmetry transformationsHussein Sibai

Coordinated Science Laboratory

University of Illinois at Urbana-Champaign

11

Show Uber video

12

Reachability matters in the real world

• Consider certifying an autonomous vehicle that can overtake while maintaining safety

• With perfect sensor information, we can simulate forward to check safety

• With sensor and estimation errors, no finite number of simulations is enough to prove safety

• We need to propagate forward the set of all possible future states given the errors/uncertainties---reachability analysis

13

Glimpse of hope..

• Challenge is mainly scalability:

• Agent: complicated dynamics

• Multi-agent: huge number of agents

• Opportunities:

• Agent: many states share same dynamics

• Multi-agent: many agents share same dynamics

14

System model, notations, and decidability

𝑥"

𝜉(𝑥", 𝑡): trajectory

Nonlinear dynamical model

𝜉(K, [0, 𝑇]): reachtube

Safety verification problem: 𝜉 𝐾, 0, 𝑇 ∩ 𝑈 = ∅?Computing reachtubes is undecidable, forced to

overapproximate them, still expensive to compute.

time

𝑑𝑥𝑑𝑡

= 𝑓 𝑥Initial set 𝐾 ⊆ ℝ7,Unsafe set U ⊆ ℝ7

U

𝐾

15We get tighter over-approximations for smaller 𝐾

Symmetry maps efficiently transform old reachtubes to new reachtubes

• A linear invertible map 𝛾:ℝ7 → ℝ7 is a symmetry of the system if for any solution 𝜉 𝑥",⋅ , 𝛾 𝜉 𝑥",⋅ is also a solution.

• Hence, if 𝜉 𝐾,⋅ is a reachtube, then 𝛾 𝜉(𝐾,⋅ ) is a reachtube

• 𝛾 is a symmetry if 𝑓 𝛾 𝑥 = 𝛾 𝑓 𝑥 , ∀𝑥

• It’s cheap to transform 𝜉 using 𝛾 while expensive to compute it from scratch

𝜉> 𝛾>(𝜉>)

𝜉?

𝛾?(𝜉>)𝛾@(𝜉?)

𝛾A(𝜉?)

𝜉> 𝛾>(𝜉>)

𝛾?(𝜉>)

16

Main contributions: theory + tools

• We are the first to introduce caching to the area of verification of dynamical and hybrid systems

• We are the first to use symmetry transformations in the safety verification of general nonlinear dynamical and hybrid systems

• We augment a traditional dynamical and hybrid safety verification algorithms with symmetry utilization capabilities

• A software tool on top of the verification tool DryVR for dynamical systems verification and another one for verification of multi-agent systems

• We show experimental results of 1000× improvement in verification running time

Dynamical System verification algorithm

1. Partition the initial set of states

2. Compute the reachtubes starting from each part

3. Check intersection with the unsafe set

4. Repeat if necessary..

𝑥"

𝜉(𝑥", 𝑡): trajectory

𝜉(K, [0, 𝑇]): reachtube

time

U

𝐾

Remember: we get tighter over-approximations for smaller 𝐾

Symmetry and caching based dynamical System verification algorithm1. Partition the initial set of states

2. Retrieve the reachtubes for the parts that have cached reachtubes

3. Compute the reachtubes for the rest of the parts

4. Store the newly computed reachtubes

5. Check intersection with the unsafe set

6. Repeat if necessary..

TubeCache

Where is symmetry used?

• Short Answer: in retrieving the stored tubes

• Full answer: for any query for a stored tube for an initial set 𝑖𝑛𝑖𝑡𝑠𝑒𝑡7GGHGH , we check if a symmetric version of the tube is stored as well:

• For a given 𝛾, is there an 𝑖𝑛𝑖𝑡𝑠𝑒𝑡GIJKLJ7M ∈ 𝑐𝑎𝑐ℎ𝑒, such that 𝛾R>(𝑖𝑛𝑖𝑡𝑠𝑒𝑡7GGHGH) ⊆ 𝑖𝑛𝑖𝑡𝑠𝑒𝑡GIJKLJ7M ?

• Increases the number of hits in the cache

𝑖𝑛𝑖𝑡𝑖𝑠𝑒𝑡7GGHGH

𝛾R>(𝑖𝑛𝑖𝑡𝑖𝑠𝑒𝑡_𝑛𝑒𝑒𝑑𝑒𝑑)

𝑖𝑛𝑖𝑡𝑖𝑠𝑒𝑡GIJKLJ7M

Results? Well.. not so promising…

• Cache access overhead is larger than the cost of computing reachtubes..

• Reason? Few cache hits because of using a single map 𝛾

brake-brake

H. Sibai, N. Mokhlesi, S. Mira, Using Symmetry Transformations in Equivariant Dynamical Systems for Their Safety Verification. ATVA 2019 21

But, some models posses multiple (infinite) symmetries Γ• Simple example: vehicles are translation invariant. Every translation

vector gives rise to a symmetry transformation

• Update the rule for the check to the following:for a given 𝛾 If ∃ ΓK ⊆ Γ and 𝑖𝑛𝑖𝑡𝑠𝑒𝑡GIJKLJ7M ∈ 𝑐𝑎𝑐ℎ𝑒, such that

∪W∈XY 𝛾R>(𝑖𝑛𝑖𝑡𝑠𝑒𝑡7GGHGH) ⊆ 𝑖𝑛𝑖𝑡𝑠𝑒𝑡GIJKLJ7M ?

Results? Much better..

• Single car dynamics: �̇� = 𝑓 𝑥 = 𝑥A cos 𝑥^, 𝑥A sin 𝑥^, 𝑢, 𝑎,Ibctan 𝑥@

• Symmetry: 𝛾 𝑥 = 𝑥> + 𝑐>, 𝑥? + 𝑐?, 𝑥@, 𝑥A, 𝑥^ , for any 𝑐>, 𝑐? ∈ 𝑅• Scenarios: Two cars. bb: both braking, cc: both cruising, one braking

and one cruising. Unsafe situation: collision

23

brake-brake

cruise-cruise

brake-cruise

End of story? Or can we get even better results? • Before, we were augmenting existing algorithms with the

cache/symmetry capability..

• Can we choose which parts to compute first and how to partition to get more savings? Yes.

• Cars example: compute reachtube from a thin position initial set, bloat it using symmetry.

24

Results: 1000x improvement over DryVR

25

brake-brake

cruise-cruise

brake-cruise

H. Sibai, N. Mokhlesi, S. Mira, Using Symmetry Transformations in Equivariant Dynamical Systems for Their Safety Verification. ATVA 2019

Multi-agent hybrid system verification and symmetry

26

Back to multi-agent system and curse of dimensionality

Static unsafe set: yellow rectangles

Drones going through a sequence of waypoints; 5 dimensional nonlinear dynamics

The blue and red drones are safe while the green one is not

Number of unique simulations (or reachtubecomputations) needed scales exponentially with the number of agents, size of initial set, and waypoints!

System model, notations, and decidability Multi-agent dynamical model

Safety verification problem 𝑐𝑜𝑛𝑐𝑎𝑡𝑒𝑛𝑎𝑡𝑖𝑜𝑛J∈ijLk(𝜉 𝐾J, 𝑝J, 0, 𝑇J ) ∩ 𝑈 = ∅?

time

𝑑𝑥𝑑𝑡

= 𝑓 𝑥, 𝑝Initial set 𝐾 ⊆ ℝ7,

Unsafe set U ⊆ ℝ7,Mode set 𝑃 ⊆ ℝn,Path: list of 𝑝 ∈ 𝑃

𝑥"

𝜉(𝑥", 𝑝, 𝑡): trajectory

𝜉(K, 𝑝, [0, 𝑇]): reachtubeU

𝐾

28

Need new definition of symmetry for systems with parameters• A linear invertible map 𝛾: ℝ7 → ℝ7 is a symmetry of the system if

there exists a map 𝜌:ℝn → ℝn, where for any solution 𝜉 𝑥", 𝑝,⋅ ,𝛾 𝜉 𝑥", 𝜌 𝑝 ,⋅ is also a solution

• Hence, if 𝜉 𝐾, 𝑝,⋅ is a reachtube, then 𝛾 𝜉(𝐾, 𝜌(𝑝),⋅ ) is a reachtube

• 𝛾 is a symmetry if 𝑓 𝛾 𝑥 , 𝜌(𝑝) = 𝛾 𝑓 𝑥, 𝑝 , ∀𝑥 and 𝑝

29

Virtual system: unifying all modes

Transform to the virtual coordinates where the line joining the waypoints is the y-axis

• waypoint sequences with repeated geometry will lead to cache hits vi

rtua

l coo

rdin

ates

Orig

inal

coo

rdin

atesIf there a common virtual mode/waypoint

𝑝p ∈ 𝑃, such that for any 𝑝 ∈ 𝑃, there exists 𝛾q and 𝜌q such that 𝛾q is a symmetry and:

𝜌 𝑝 = 𝑝p

Multi agent verification algorithm

1. Iterate over the different agents

2. Iterate over each mode of an agent

3. Compute the reachtube of that mode using method described before

4. Check intersection with the unsafe set

5. Repeat if necessary..

Back to caching but for multi-agent systems: use virtual system1. Iterate over the different agents

2. Iterate over each mode of an agent

3. Check if the reachtube is in the cache, transform it to original coordinates from the virtual ones if it does. If it doesn’t,

4. Compute the reachtube of that mode using method described before

5. Transform the reachtube to virtual coordinates and store it in the cache.

6. Check intersection with the unsafe set

7. Repeat if necessary..

1 agent, small initial setcomputed: 21transformed: 59

1 agent, large initial setcomputed: 511transformed: 4439

2 agents, small initial sets, computed: 21transformed: 139

3 agents, small initial sets, computed: 49transformed: 381

Symmetry transformations enable verification algorithm to cover many configurations from few computed simulations

Promising results: up to 66% improvement in verification time

34H. Sibai, N. Mokhlesi, C. Fan, S. Mira, Multi-Agent Safety Verification using Symmetry Transformations. Under submission

Conclusion

• We introduced the use of symmetry transformations to the area of safety verification of dynamical and hybrid systems.

• We presented a safety verification algorithms that augment traditional verification algorithms with symmetry-utilization capability.

• We developed tools and achieved > 1000× savings in running time.

35

Acknowledgments

Thanks to my collaborators: Navid Mokhlesi, Chuchu Fan, and SayanMitra

The work is supported by a research grant from The Boeing Company and a research grant from NSF (CPS 1739966).

We would like to thank John L. Olson and Arthur S. Younger from The Boeing Company for valuable technical discussions.

36

Challenges and future directions

• Unbounded time and unbounded initial sets safety verification

• Combine symmetry with partial order reduction

• How to do dimensionality reduction / system abstraction using symmetry

• Use symmetry for synthesis and monitoring

37

SmartCar platform

GEM vehicle from AutonomouStuff (now Hexagon)● 6 Generation Intel® CoreTM i7-6700 quad-core, 2.4 GHz● NVIDIA® GeForce® GTX 950 and GTX 1050 GPU● PACMOD, ethernet, CAN, ● Lidar: Velodyne VLP-16, Radar, GPS & Inertial Measurement

Unit, Mako G-319C color camera, 1920x1440● ROS, PACMOD, Ethernet, CAN

Running reachability on real car in near real time

Running time for each. computation for a lookahead of 5 seconds was around 300 milliseconds on a standard laptop

Car in action

https://www.youtube.com/watch?v=AUBfZ_plR7Y&t=5s

40