Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran...
Transcript of Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran...
![Page 1: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/1.jpg)
Model Checking of Hybrid Systems
Goran FrehseAVACS Autumn School, October 1, 2015Univ. Grenoble Alpes – Verimag,2 avenue de Vignate, Centre Equation,38610 Gières, France,[email protected]
![Page 2: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/2.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Abstraction-Based Model Checking
Verification by Numerical Simulation
Conclusions
2
![Page 3: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/3.jpg)
Overview
Hybrid Automata
Example
Definition and Semantics
Set-Based Reachability
Abstraction-Based Model Checking
Verification by Numerical Simulation
Conclusions
3
![Page 4: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/4.jpg)
Example: Ball on String
mFs
Fg
xr
xr + L
x
(a) extension
m
Fgxr
xr + L
x
(b) freefall
4
![Page 5: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/5.jpg)
Equations of Motion
• dynamics in freefall when x ≥ xr, with mass m,
mx = Fg = −mg.
• dynamics in extension when x ≤ xr, with springconstant k, damping factor d,
mx = Fg + Fs = −mg + kxr − kx − dx.
• transition when x = xr + L, collision factor c ∈ [0, 1],
x′ = −cx.
5
![Page 6: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/6.jpg)
Hybrid Automaton Model
auxiliary variable v = x, so v = x.
clip from SpaceEx Model Editor1
1 G. Frehse, C. L. Guernic, A. Donzé, R. Ray, O. Lebeltel, R. Ripado, A. Girard, T. Dang,and O. Maler, “Spaceex: Scalable verification of hybrid systems,” in CAV’11, ser. LNCS,Springer, 2011. 6
![Page 7: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/7.jpg)
Behavior
0 0.5 1 1.5 2 2.5−1
0
1
x0
x1
x2
x3 x4
x5
t
posit
ionx
0 0.5 1 1.5 2 2.5
−5
0
5
v0
v1
v−2
v2
v3
v4
v5
t
veloc
ityv
7
![Page 8: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/8.jpg)
Overview
Hybrid Automata
Example
Definition and Semantics
Set-Based Reachability
Abstraction-Based Model Checking
Verification by Numerical Simulation
Conclusions
8
![Page 9: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/9.jpg)
Hybrid Automata (Alur, Henzinger, ’95)[2][3]
• locations Loc = ℓ1, . . . , ℓm and variablesX = x1, . . . , xn define the state space Loc × RX,
• transitions Edg ⊆ Loc × Lab × Loc define locationchanges with synchronization labels Lab,
• invariant or staying condition Inv ⊆ Loc × RX,• flow relation Flow, where Flow(ℓ) ⊆ RX × RX, e.g.,
x = f(x);
• jump relation Jump, where Jump(e) ⊆ RX × RX′ , e.g.,
Jump(e) = (x, x′) | x ∈ G ∧ x′ = r(x),
• initial states Init ⊆ Inv.
9
![Page 10: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/10.jpg)
Run Semantics
(ℓ0, x0)δ0,ξ0−−→ (ℓ0, ξ0(δ0))
α0−→ (ℓ1, x1)δ1,ξ1−−→ (ℓ1, ξ1(δ1)) . . .
with (ℓ0, x0) ∈ Init, αi ∈ Lab ∪ τ, and for i = 0, 1, . . .:
1. Trajectories: (ξ(t), ξ(t)) ∈ Flow(ℓ) and ξi(t) ∈ Inv(ℓi)
for all t ∈ [0, δi].2. Jumps: (ξi(δi), xi+1) ∈ Jump(ei),
ei = (ℓi, αi, ℓi+1) ∈ Edg, and xi+1 ∈ Inv(ℓi+1).
A state (ℓ, x) is reachable if there exists a run with(ℓi, xi) = (ℓ, x) for some i.
10
![Page 11: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/11.jpg)
Example: Ball on String
−1 −0.8 −0.6 −0.4 −0.2 0 0.2 0.4 0.6 0.8 1
−5
0
5
x0
ξ0(δ0) = x1
ξ3(δ3) = x4ξ1(δ1)
x2
ξ2(δ2) = x3
ξ4(δ4) = x5
position x
veloc
ityv
11
![Page 12: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/12.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Piecewise Constant Dynamics
Piecewise Affine Dynamics
Set Representations
Abstraction-Based Model Checking
Verification by Numerical Simulation
Conclusions
12
![Page 13: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/13.jpg)
Set-Based Reachability
Extending numerical simulation from numbers to sets
• account for nondeterminism• exhaustive• infinite time horizon
Downsides:
• only approximate for complex dynamics• generally not scalable in # of variables• trade-off between runtime and accuracy
13
![Page 14: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/14.jpg)
Reachability Algorithm
One-step successors by time elapse from set of states S,
PostC(S) =(ℓ, ξ(δ))
∣∣ ∃(ℓ, x) ∈ S : (ℓ, x) δ,ξ−→ (ℓ, ξ(δ)).
One-step successors by jump from set of states S,
PostD(S) =(ℓ′, x′)
∣∣ ∃(ℓ′, x′) ∈ S,∃α ∈ Lab ∪ τ :
(ℓ, x) α−→ (ℓ′, x′).
14
![Page 15: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/15.jpg)
Reachability Algorithm
Compute sequence
R0 = PostC(Init),Ri+1 = Ri ∪ PostC(PostD(Ri)).
If Ri+1 = Ri, then Ri = reachable states.
• may not terminate if states unbounded (counter)• problem undecidable in general2
2 T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya, “What’s decidable about hybridautomata?” Journal of Computer and System Sciences, vol. 57, pp. 94–124, 1998. 15
![Page 16: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/16.jpg)
Ball on String: Reachable States
(clip from SpaceEx output)
16
![Page 17: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/17.jpg)
HA with piecewise constant dynamics (PCDA, LHA)
• initial states and invariants given by conjunctions of linearconstraints,
• flows given by conjunctions of linear constraints over thederivatives X, and
• jumps given by linear constraints over X ∪ X′, where X′
denote the variables after the jump.
One-step successors of PCDA can be computed exactly.
17
![Page 18: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/18.jpg)
Polyhedra in Constraint Form
H-polyhedron (constraint form)
P =x∣∣∣ ∧m
i=1aT
ix ≤ bi
,
with facet normals ai ∈ Rn and inhomogeneouscoefficients bi ∈ R.
vector-matrix notation:
P =x∣∣∣ Ax ≤ b
, with A =
(aT
1...aT
m
),b =
(b1...
bm
).
18
![Page 19: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/19.jpg)
Geometric Operations
0 0.2 0.4 0.6 0.8 100.20.40.60.81
x1
x2
Qpos(Q)
x1
x2
P
Q
P ⊕Q
The convex hullchull(Q) =
∑qi∈Q λi · qi
∣∣∣ λi ≥ 0,∑
i λi = 1,
The cone of Q is pos(Q) = q · t | q ∈ Q, t ≥ 0.
The Minkowski sum is P ⊕Q = p+ q | p ∈ P ,q ∈ Q.
19
![Page 20: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/20.jpg)
Polyhedra in Generator Form
V-polyhedron (generator form)
P = (V,R) = chull (V)⊕ pos(chull(R)).
with vertices V ⊆ Rn and rays R ⊆ Rn
conversion between H- and V-polyhedra is expensive
cube: 2n constraints, 2n vertices
cross-polytope (diamond): 2n vertices, 2n constraints
20
![Page 21: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/21.jpg)
Time Elapse with Polyhedra
For PCDA, it suffices to consider straight-line trajectories:
Lemma (Constant Derivatives3)
There is a trajectory ξ(t) from x = ξ(0) to x′ = ξ(δ), δ > 0, iffη(t) = x+ qt with q = (x′ − x)/δ is a trajectory from x to x′.
3 P.-H. Ho, “Automatic analysis of hybrid systems,” Technical Report CSD-TR95-1536,PhD thesis, Cornell University, Aug. 1995. 21
![Page 22: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/22.jpg)
Time Elapse with Polyhedra
Given polyhedra P = x | Ax ≤ b, Q = q | Aq ≤ b
Time successors (without invariant):
PQ = x′ | x ∈ P ,q ∈ Q, t ∈ R≥0, x′ = x+ qt.
Eliminating q = x′−xt for t > 0 and multiplying with t:
PQ =x′∣∣∣ Ax ≤ b ∧ A(x′ − x) ≤ b · t ∧ t ≥ 0
.
Quantifier elimination of t squares the number of constraints.
22
![Page 23: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/23.jpg)
Time Elapse with Polyhedra – Geometric Version
x1
x2
Qpos(Q)
(a) cone pos(Q)
x1
x2
P
P ⊕ pos(Q)
(b) PQ = P ⊕ pos(Q)
Intersect with invariant:
postC(ℓ× P) = ℓ×(PFlow(ℓ)
)∩ Inv(ℓ).
23
![Page 24: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/24.jpg)
Discrete Successors
Edge e = (ℓ, α, ℓ′) with guard x ∈ G and nondeterministicassignment x′ = Cx+w, w ∈ W,
postD(ℓ× P) = ℓ′ ×(C(P ∩ G)⊕W
)∩ Inv(ℓ′).
If linear map C singular, constraints require quantifierelimination, otherwise
CP = x | AC−1x ≤ b
24
![Page 25: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/25.jpg)
Computational Cost
polyhedraoperation m constraints k generators
cone m2 kMinkowski sum exp k2
linear map m / exp kintersection 2m exp
25
![Page 26: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/26.jpg)
Complex Behavior in PCDA
36
Linear Hybrid Automata
Ɣ chaos– even with 1 variable, 1 location, 1 transition (tent map)– observed in actual production systems [Schmitz,2002]
states of the Tent mapsource: wikipedia
Schmitz, J. P. M., D. A. Van Beek, and J. E. Rooda. "Chaos in discrete production systems?." Journal of Manufacturing Systems 21.3 (2002): 236-246.c
brewery and chaotic throughput [Schmitz,2002]
26
![Page 27: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/27.jpg)
40
Example: Multi-Product Batch Plant
27
![Page 28: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/28.jpg)
41
Example: Multi-Product Batch Plant
Ɣ Cascade mixing process– 3 educts via 3 reactors
2 products
Ɣ Verification Goals– Invariants
• overflow• product tanks never empty
– Filling sequence
Ɣ Design of verified controller
LIS11
M
LIS22
QIS22
LIS32
LIS31
M
LIS23
QIS23
M
LIS21
QIS21
LIS13
LIS12
28
![Page 29: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/29.jpg)
42
Verification with PHAVer
Ɣ Controller + Plant– 266 locations, 823 transitions
(~150 reachable)– 8 continuous variables
Ɣ Reachability over infinite time– 120s—1243s, 260—600MB– computation cost increases
with nondeterminism(intervals for throughputs, initial states)
Controller Controlled Plant
29
![Page 30: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/30.jpg)
43
Verification with PHAVer
30
![Page 31: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/31.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Piecewise Constant Dynamics
Piecewise Affine Dynamics
Set Representations
Abstraction-Based Model Checking
Verification by Numerical Simulation
Conclusions
31
![Page 32: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/32.jpg)
Piecewise Affine Dynamics
Hybrid automata with piecewise affine dynamics (PWA)
• initial states and invariants are polyhedra,• flows are affine ODEs
x = Ax+ Bu, u ∈ U ,
• jumps have a guard set and assignments
x′ = Cx+w, w ∈ W .
32
![Page 33: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/33.jpg)
Continuous successors
x = Ax+ Bu, u ∈ U ,
trajectory ξ(t) from ξ(0) = x0 for given input signal ζ(t) ∈ U :
ξx0,ζ(t) = eAtx0 +
∫ t
0eA(t−s)Bζ(s)ds.
reachable states from set X0 for any input signal:
Xt = eAtX0 ⊕ Yt,
Yt =
∫ t
0eAsUds = eAtX0 ⊕ lim
δ→0
⌊t/δ⌋⊕k=0
eAδkδU .
33
![Page 34: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/34.jpg)
Computing a Convex Cover
X0
Ω0
Xδ
Ω1
X2δ
Ω2
Compute Ω0,Ω1, . . . such that∪0≤t≤T
Xt ⊆ Ω0 ∪ Ω1 ∪ . . . .
34
![Page 35: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/35.jpg)
Time Discretization
X0Ω0
Xδ
Ω1
X2δ
Ω2
Semi-group property: (Xkδ)δ = X(k+1)δ
Time discretization: X(k+1)δ = eAδXkδ ⊕ Yδ.
Given initial approximations Ω0 and Ψδ such that∪0≤t≤δ
Xt ⊆ Ω0, Yδ ⊆ Ψδ,
Xt is covered by the sequence
Ωk+1 = eAδΩk ⊕Ψδ.
35
![Page 36: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/36.jpg)
Initial Approximations
X0
Xδ
Ω0
(a) convex hull and pushing facets (b) convex hull and bloating
36
![Page 37: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/37.jpg)
Initial Approximations – Forward Bloating
Bloating based on norms:4
Ω0 = chull(X0 ∪ eAδX0)⊕ (αδ + βδ)B,Ψδ = βδB,αδ = µ(X0) · (e∥A∥δ − 1 − ∥A∥δ),βδ = 1
∥A∥µ(BU) · (e∥A∥δ − 1),
with radius µ(X ) = maxx∈X∥x∥ and unit ball B.
4 A. Girard, “Reachability of uncertain linear systems using zonotopes,” in HSCC, 2005,pp. 291–305. 37
![Page 38: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/38.jpg)
Initial Approximations – Forward Bloating
X0
Ω0
Xδ
Ω1
X2δ
Ω2
Forward bloating is tight on X0 and bloated on Xδ.
Improvements:
• intersect forward bloating with backward bloating• bloat based on interpolation error (shown before)
38
![Page 39: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/39.jpg)
Wrapping Effect
X0
eAδX0
Appr(eAδX0)
Appr(eAδAppr(eAδX0))
(a) with wrapping effect
X0
eAδX0
Appr(eAδX0)Appr(eA2δX0)
(b) using a wrapping-free algorithm
avoid increasing complexity through approximation
Ωk+1 = Appr(eAδΩk ⊕Ψδ).
wrapping effect: error accumulation39
![Page 40: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/40.jpg)
Wrapping Effect
Solution: Split sequence5
Ψk+1 = Appr(eAkδΨδ)⊕ Ψk, with Ψ0 = 0,Ωk = Appr(eAkδΩ0)⊕ Ψk.
satisfies Ωk = Appr(Ωk) (wrapping-free) if
Appr(P ⊕Q) = Appr(P)⊕ Appr(Q),
e.g., bounding box.
5 A. Girard, C. L. Guernic, and O. Maler, “Efficient computation of reachable sets of lineartime-invariant systems with inputs,” in HSCC, 2006, pp. 257–271. 40
![Page 41: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/41.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Piecewise Constant Dynamics
Piecewise Affine Dynamics
Set Representations
Abstraction-Based Model Checking
Verification by Numerical Simulation
Conclusions
41
![Page 42: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/42.jpg)
Polyhedra
X0
Ω0
Xδ
Ω1
X2δ
Ω2
polyhedraoperation m constr. k gen.
convex hull exp 2kMinkowski sum exp k2
linear map m / exp kintersection 2m exp
42
![Page 43: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/43.jpg)
Ellipsoids6
X0
Ω0
Xδ
Ω1
X2δ
Ω2
polyhedra ellipsoidsoperation m constr. k gen. n × n matrix
convex hull exp 2k approxMinkowski sum exp k2 approxlinear map m / exp k O(n3)
intersection 2m exp approx
6 A. B. Kurzhanski and P. Varaiya, Dynamics and Control of Trajectory Tubes. Springer,2014. 43
![Page 44: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/44.jpg)
Zonotopes
v1v2
v3
v4c
Zonotope with center c ∈ Rn and generators v1, . . . , vk ∈ Rn
P =
c+
∑k
i=1αivi
∣∣∣∣ αi ∈ [−1, 1].
linear map: map center and generatorsMinkowski sum: add centers, take union of generators
44
![Page 45: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/45.jpg)
Zonotopes7
X0
Ω0
Xδ
Ω1
X2δ
Ω2
polyhedra ellipsoids zonotopesoperation m constr. k gen. n × n matrix k generators
convex hull exp 2k approx approxMinkowski sum exp k2 approx 2klinear map m / exp k O(n3) kintersection 2m exp approx approx
7 A. Girard, “Reachability of uncertain linear systems using zonotopes,” in HSCC, 2005,pp. 291–305. 45
![Page 46: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/46.jpg)
Support Functions
dρP(d)
P
0
(a) support function in direction d
d3
d4
d1
d2
P
⌈P⌉D
(b) outer approximation
support function = linear optimization (efficient!)
ρP(d) = maxdTx | x ∈ P.
computed values define polyhedral outer approximation
⌈P⌉D =∩d∈D
dTx ≤ ρP(d)
.
46
![Page 47: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/47.jpg)
Support Functions
dρP(d)
P
0
(a) support function in direction d
d3
d4
d1
d2
P
⌈P⌉D
(b) outer approximation
• linear map: ρMX (ℓ) = ρX (MTℓ), O(mn),• convex hull: ρchull(P∪Q)(ℓ) = maxρP(ℓ), ρQ(ℓ), O(1),• Minkowski sum: ρX⊕Y(ℓ) = ρX (ℓ) + ρY(ℓ), O(1).
47
![Page 48: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/48.jpg)
Support Functions (Le Guernic, Girard,’09)[9]
X0
Ω0
Xδ
Ω1
X2δ
Ω2X0
Ω0
Xδ
Ω1
X2δ
Ω2
support functions: lazy approximation on demand
polyhedra ellipsoids zonotopes support f.operation m constr. k gen. n × n matrix k generators —
convex hull exp 2k approx approx O(1)Minkowski sum exp k2 approx 2k O(1)linear map m / exp k O(n3) k O(n2)
intersection 2m exp approx approx opt. / approx
48
![Page 49: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/49.jpg)
68
Example: Switched Oscillator
Ɣ Switched oscillator– 2 continuous variables– 4 discrete states– similar to many circuits
(Buck converters,…)
Ɣ plus linear filter– m continuous variables– dampens output signal
Ɣ affine dynamics– total 2 + m continuous variables
49
![Page 50: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/50.jpg)
28
Example: Switched Oscillator
Low number of directions sufficient? – here: 6 state variables
12 box constraints (axis directions)
72 octagonal constraints (± xi ± xj)
50
![Page 51: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/51.jpg)
69
Example: Switched Oscillator
Ɣ Scalability Measurements:– fixpoint reached in O(nm2) time– box constraints: O(n3)
– octagonal constraints: O(n5)
0.1
1.0
10.0
100.0
1000.0
10000.0
1 10 100 1000
number of variables n
runt
ime
[s]
51
![Page 52: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/52.jpg)
85
Example: Controlled Helicopter
Ɣ 28-dim model of a Westland Lynx helicopter– 8-dim model of flight dynamics– 20-dim continuous H' controller for disturbance rejection– stiff, highly coupled dynamics
S. Skogestad and I. Postlethwaite, Multivariable Feedback Control: Analysis and Design. John Wiley & Sons, 2005.
Photo by Andrew P Clarke
52
![Page 53: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/53.jpg)
86
Example: Helicopter
Ɣ 28 state variables + clock
CAV’11: 1440 sets in 5.9s1440 time steps
53
![Page 54: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/54.jpg)
87
Ɣ 28 state variables + clock
Example: Helicopter
HSCC’13: 32 sets in 15.2s (4.8s clustering)2 -- 3300 time steps, median 360
convex in 29 dimensions!convex in 29 dimensions!
54
![Page 55: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/55.jpg)
88
Example: Chaotic Circuit
Ɣ piecewise linear Rössler-like circuitPisarchik, Jaimes-Reátegui. ICCSDS’05
Ɣ added nondet. disturbancesƔ 3 variables, hard!
55
![Page 56: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/56.jpg)
Nonlinear Dynamics – Polynomial Approximations
Bernstein polynomials for polynomial f(x)
• polyhedral approximation of successors8
Taylor models
• polynomial approximations of Taylor expansion• represent sets with polynomials• Flow* verification tool[11]
8 T. Dang and R. Testylier, “Reachability analysis for polynomial dynamical systems using thebernstein expansion,” Reliable Computing, vol. 17, no. 2, pp. 128–152, 2012. 56
![Page 57: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/57.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Abstraction-Based Model Checking
Simulation Relations
Hybridization
Approximate Simulation
Verification by Numerical Simulation
Conclusions
57
![Page 58: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/58.jpg)
Simulation Relations9
State-Transition System T = (S,→, s0),
• set of states S,• transition relation s → s′,• initial state s0 ∈ S.
Simulation Relation ⪯ ⊆ S1 × S2 :s1 ⪯ s2 if s1 →1 s′1 ⇒ s2 →2 s′2 with s′1 ⪯ s′2.
T2 simulates T1 if s01 ⪯ s0
2.
9 R. Milner, “An algebraic definition of simulation between programs,” in Proc. of the 2nd Int.Joint Conference on Artificial Intelligence. London, UK, September 1971, D. C. Cooper,Ed., William Kaufmann, British Computer Society, 1971, pp. 481–489. 58
![Page 59: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/59.jpg)
Simulation Relations
Simulation relations preserve safety properties:
Given s01 ⪯ s0
2, bad states B1, let the abstraction of B1
α⪯(B1) = s2 ∈ S2 | ∃b1 ∈ B1 : b1 ⪯ s2,
If α⪯(B1) is unreachable in T2, then B1 is unreachable in T1.
59
![Page 60: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/60.jpg)
Simulation Relations for Hybrid Automata
State-transition semantics JHK = (S,→, s0),
• set of states S = Loc × RX,• transition relation s → s′:
• s δ−→ s′ : s′ reachable through elapse of δ time• s α−→ s′: s′ reachable through transition α
• initial state s0 ∈ S.
H2 simulates H1: JH2K simulates JH1K60
![Page 61: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/61.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Abstraction-Based Model Checking
Simulation Relations
Hybridization
Approximate Simulation
Verification by Numerical Simulation
Conclusions
61
![Page 62: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/62.jpg)
Phase-Portait Approximation & Hybridization10
H1 and H2 identical except in each location the flow
H1 : x ∈ f1(x) H2 : x ∈ f2(x)
satisfies f1(x) ⊆ f2(x). Then H2 simulates H1 with
s1 ⪯ s2 ≡ s1 = s2
⇒ α⪯(B1) = B1.
10 T. A. Henzinger, P.-H. Ho, and H. Wong-Toi, “Algorithmic analysis of nonlinear hybridsystems,” IEEE Transactions on Automatic Control, vol. 43, pp. 540–554, 1998. 62
![Page 63: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/63.jpg)
Phase-Portait Approximation & Hybridization
Inv(ℓ)x ∈ f(x)
(a) H1
Inv(ℓ−)
x ∈ f(x)Inv(ℓ+)x ∈ f(x)
(b) H2
H2 simulates H1 if jumps unobservable and
Inv(ℓ) ⊆ Inv(ℓ−) ∪ Inv(ℓ+)
⇒ α⪯(B1) = B1|ℓ→ℓ− ∪ B1|ℓ→ℓ+.
63
![Page 64: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/64.jpg)
Approximating Nonlinear Dynamics
approximate nonlinear dynamics
x ∈ f(x)
with piecewise constant dynamics x ∈ Q
Q = f(x) | x ∈ Inv(ℓ)
splitting invariant reduces approximation error
64
![Page 65: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/65.jpg)
Example: 2-dim. Tunnel Diode Oscillator11
−0.1 0.0 0.1 0.2 0.3 0.4 0.5 0.6−0.2
0.0
0.2
0.4
0.6
0.8
1.0
1.2
V [V]
I [m
A]
−0.1 0.0 0.1 0.2 0.3 0.4 0.5 0.6−0.2
0.0
0.2
0.4
0.6
0.8
1.0
1.2
V [V]
I [m
A]
tiny invariants for high precision, not scalable
11 G. Frehse, B. H. Krogh, R. A. Rutenbar, and O. Maler, “Time domain verification ofoscillator circuit properties,” in FAC’05, ser. ENTCS, vol. 153, 2006, pp. 9–22. 65
![Page 66: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/66.jpg)
Approximating Nonlinear Dynamics
approximate nonlinear dynamics
x ∈ f(x)
with piecewise affine dynamics x = Ax+ b+ u,u ∈ U
linearization:
aij =∂fi∂xj
(x0), b = f(x0)− Ax0.
approximation error:
U = f(x)− (Ax+ b) | x ∈ Inv(ℓ) .
66
![Page 67: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/67.jpg)
Example: Van der Pol Oscillator12
x = yy = y(1 − x2)− x
hybridization with partition of size 0.05
partitioning doesn’t scale well ⇒ use sliding window
12 E. Asarin, T. Dang, and A. Girard, “Hybridization methods for the analysis of nonlinearsystems,” Acta Inf., vol. 43, no. 7, pp. 451–476, 2007. 67
![Page 68: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/68.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Abstraction-Based Model Checking
Simulation Relations
Hybridization
Approximate Simulation
Verification by Numerical Simulation
Conclusions
68
![Page 69: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/69.jpg)
Simulation Relations
matching identical traces:
s1 ⪯ s2 only if p(s1) = p(s2)
⇒ T2 may be much simpler than T1
bisimilar if s1 ⪯ s2 and s2 ⪯T s1 are simulation relations.
identifying bisimilar states in a system⇒ accelerate analysis through on-the-fly minimization
69
![Page 70: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/70.jpg)
Simulation Relations for Continuous Systems
observed trace of x(t):
p(x(t)) = p(x0) +∂p(x0)∂x
x(0)1! t + ∂2p(x0)
∂x2x(0)2
2! t2 + ∂p(x0)∂x
x(0)2! t2 + · · ·
contains state information, since
x(t) = x(0) + x(0)1! t + x(0)
2! t2 + · · ·
identical traces ; equivalent dynamics
except in particular cases.13
13 A. van der Schaft, “Equivalence of dynamical systems by bisimulation,” IEEE transactionson automatic control, vol. 49, no. 12, pp. 2160–2172, 2004. 70
![Page 71: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/71.jpg)
Approximate Simulation (Girard, Julius, Pappas ’08)[17]
matching ε-close observable behavior:
x1 ⪯ε x2 only if ∥p(x1)− p(x2)∥ ≤ ε
⇒ traces from x1 and x2 never more than ε apart(also in the future)
How close do traces need to be initially?
71
![Page 72: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/72.jpg)
Approximate Simulation
possible choice:
x1 ⪯ε x2 ≡ ∥p(x1)− p(x2)∥ ≤ ε
applicable if contractive:
ddt∥p(x1)− p(x2)∥ ≤ 0.
better: find upper bound V(x1, x2) that is contractive
72
![Page 73: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/73.jpg)
Simulation Functions
a simulation function V : Rn × Rn → R≥0 satisfies
V(x1, x2) ≥ ∥p(x1)− p(x2)∥
ddtV(x1, x2) ≤ 0
simulation relation: x1 ⪯ε x2 ≡ V(x1, x2) ≤ ε
73
![Page 74: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/74.jpg)
Simulation Functions
with dynamics x1 = f1(x1), x2 = f2(x2),
ddtV(x1, x2) =
∂V∂x1
f1(x1) +∂V∂x2
f2(x2)
computing V(x1, x2) for
• linear dynamics: linear matrix inequalities,• polynomial dynamics: sums of squares program
74
![Page 75: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/75.jpg)
Approximate Simulation for Hybrid Automata[17]
Consider hybrid automata H1 and H2 with
• identical locations and transitions,• V(x1, x2) a simulation function in all locations,• only identity jumps (for simplicity).
Then H2 ε-simulates H1 if
• ε ≥ maxx1∈Init1(ℓ) minx2∈Init2(ℓ) V(x1, x2),• Inv2(ℓ) ⊇ α⪯ε
(Inv1(ℓ)
),
• G2 ⊇ α⪯ε (G1).
General case: Vℓ(x1, x2) location dependent
75
![Page 76: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/76.jpg)
Example: Patrolling Robot[17]
(a) H1: piecewise affine dynamics,6 variables
(b) H2: pw. constant dynamics,2 variables, H1 ⪯0.4 H2
reachable states much easier to compute for H2
76
![Page 77: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/77.jpg)
Approximate Simulation
Extensions:14
• bisimilar time- and state discretization,• bounded- and unbounded safety verification,• controller synthesis
14 A. Girard and G. J. Pappas, “Approximate bisimulation: A bridge between computerscience and control theory,” European Journal of Control, vol. 17, no. 5, pp. 568–578,2011. 77
![Page 78: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/78.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Abstraction-Based Model Checking
Verification by Numerical Simulation
Signal Temporal Logic
Principle
Variations
Conclusions
78
![Page 79: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/79.jpg)
Signal Temporal Logic (STL) (Maler, Nickovic, ’04)[19]
Signal: xi : R≥0 → R ∪ ⊤,⊥
Trace: w = x1, . . . , xN
STL Syntax: variable xi, time interval I, property φ,
φ := true | xi ≥ 0 | ¬φ | φ ∧ φ | φ UI φ,
can express boolean and temporal operators (eventually,globally, etc.) with bounded and unbounded time.
79
![Page 80: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/80.jpg)
Signal Temporal Logic (STL)
Syntax: φ := true | xi ≥ 0 | ¬φ | φ ∧ φ | φUIφ.
Boolean Semantics:
w, t |= truew, t |= xi ≥ 0 iff xi(t) ≥ 0w, t |= ¬φ iff w, t |= φ
w, t |= φ ∧ ψ iff w, t |= φ and w, t |= ψ
w, t |= φ UI ψ iff ∃t′ ∈ t + I : w, t′ |= ψ∧∀t′′ ∈ [t, t′] : w, t′′ |= φ
80
![Page 81: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/81.jpg)
STL – Quantitative Semantics15
Syntax: φ := true | xi ≥ 0 | ¬φ | φ ∧ φ | φUIφ.
Quantitative Semantics: robustness estimation
ρ(true,w, t) = ⊤ρ(xi ≥ 0,w, t) = xi(t)ρ(¬φ,w, t) = −ρ(φ,w, t)ρ(φ ∧ ψ,w, t) = min ρ(φ,w, t), ρ(ψ,w, t)ρ(φ UI ψ,w, t) = supt′∈t+I min
ρ(ψ,w, t′),
inft′′∈[t,t′] ρ(ϕ,w, t′′)
15 G. E. Fainekos and G. J. Pappas, “Robustness of temporal logic specifications forcontinuous-time signals,” Theor. Comp. Science, vol. 410, no. 42, pp. 4262–4291, 2009. 81
![Page 82: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/82.jpg)
STL – Quantitative Semantics
sign of ρ(φ,w, t) determines satisfaction status of φ
magnitude of ρ(φ,w, t) determines robustness :
any trace w′ satisfies ϕ if
∥w − w′∥∞ < ρ(φ,w, t).
82
![Page 83: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/83.jpg)
STL – Quantitative Semantics
for piecewise linear w, ρ(φ,w, t) computable in time16
O(|φ| · dh(φ) · |w|
),
• |φ| : number of nodes in AST• h(φ) : depth of AST• d : constant• |w| : number of breakpoints
16 A. Donzé, T. Ferrere, and O. Maler, “Efficient robust monitoring for stl,” in Computer AidedVerification, Springer, 2013, pp. 264–279. 83
![Page 84: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/84.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Abstraction-Based Model Checking
Verification by Numerical Simulation
Signal Temporal Logic
Principle
Variations
Conclusions
84
![Page 85: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/85.jpg)
Verification by Numerical Simulation
Asumptions:
• assume computed traces sufficiently accurate• equivalent neighborhood of initial state identifiable
Principle:
• sample initial states• decide property on traces• extend result to equivalent sets of initial states
sampling of initial states limited to low dimensional sets
85
![Page 86: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/86.jpg)
Verification by Numerical Simulation
−1 −0.8 −0.6 −0.4 −0.2 0 0.2 0.4 0.6 0.8 1
−5
0
5
position x
veloc
ityv
trace violates property x ≤ 0.9 with robustness 0.1
86
![Page 87: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/87.jpg)
Verification by Numerical Simulation
−1 −0.8 −0.6 −0.4 −0.2 0 0.2 0.4 0.6 0.8 1
−5
0
5
position x
veloc
ityv
identify equivalent initial states and mark as decided
87
![Page 88: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/88.jpg)
Verification by Numerical Simulation
−1 −0.8 −0.6 −0.4 −0.2 0 0.2 0.4 0.6 0.8 1
−5
0
5
position x
veloc
ityv
repeat: compute traces, identify equivalent initial states
88
![Page 89: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/89.jpg)
Verification by Numerical Simulation
−1 −0.8 −0.6 −0.4 −0.2 0 0.2 0.4 0.6 0.8 1
−5
0
5
position x
veloc
ityv
stop when desired coverage achieved
89
![Page 90: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/90.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Abstraction-Based Model Checking
Verification by Numerical Simulation
Signal Temporal Logic
Principle
Variations
Conclusions
90
![Page 91: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/91.jpg)
Finding Equivalent Initial States
using bisimulation:
x1 ⪯ε x2 ⇒ ∥wx1 − wx2∥ ≤ ε
given robustness of wx1 , obtain neighborhood from V(x1, x2)
tool with related approach (discrepancy): C2E2 (S. Mitra)17
17 P. S. Duggirala, S. Mitra, M. Viswanathan, and M. Potok, “C2e2: A verification tool forstateflow models,” in TACAS’15, Springer. 91
![Page 92: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/92.jpg)
Finding Equivalent Initial States
using sensitivity:18
• with sensitivity information from ODE solver:influence of variations of the initial state on variation ofrobustness
• black-box capable• extends to parameter synthesis
tool: Breach (A. Donzé)
18 A. Donzé and O. Maler, “Robust satisfaction of temporal logic over real-valued signals,” inFORMATS’10, Springer, 2010. 92
![Page 93: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/93.jpg)
Falsification19
search counter-example that falsifies the property
• use statistics or optimization to pick next initial state• black-box capable• no claim for confirming property• suitable for path-planning
tool: S-TaLiRo (G. Fainekos)
19 S. Sankaranarayanan and G. Fainekos, “Falsification of temporal properties of hybridsystems using the cross-entropy method,” in HSCC’12. 93
![Page 94: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/94.jpg)
Overview
Hybrid Automata
Set-Based Reachability
Abstraction-Based Model Checking
Verification by Numerical Simulation
Conclusions
94
![Page 95: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/95.jpg)
Conclusions
• Hybrid automata are challenging for model checking.• Set-based reachability is exhaustive, sufficient for
safety and bounded liveness.• costly, scalable for piecewise affine dynamics
• Abstraction lifts reachability to more complex systems• progress with approximate simulation relations
• Verification by numerical simulation extendsproperties from traces to sets of states
• sampling of initial states limited to low dimensional sets
95
![Page 96: Model Checking of Hybrid Systems - AVACS · 2015-10-05 · Model Checking of Hybrid Systems Goran Frehse AVACSAutumn School,October 1,2015 Univ.Grenoble Alpes – Verimag, 2 avenue](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f458a4fb22eac3c67576c13/html5/thumbnails/96.jpg)
References
[2] R. Alur, C. Courcoubetis, N. Halbwachs, T. Henzinger, P.-H. Ho, X. Nicollin,A. Olivero, J. Sifakis, and S. Yovine, “The algorithmic analysis of hybrid systems,”Theoretical Computer Science, vol. 138, pp. 3–34, 1995.
[3] T. A. Henzinger, “The theory of hybrid automata.,” in LICS, Los Alamitos: IEEEComputer Society, 1996, pp. 278–292.
[9] C. Le Guernic and A. Girard, “Reachability analysis of linear systems using supportfunctions,” Nonlinear Analysis: Hybrid Systems, vol. 4, no. 2, pp. 250–262, 2010.
[11] X. Chen, E. Ábrahám, and S. Sankaranarayanan, “Taylor model flowpipe constructionfor non-linear hybrid systems,” in RTSS, IEEE Computer Society, 2012,pp. 183–192, ISBN: 978-1-4673-3098-5.
[17] A. Girard, A. A. Julius, and G. J. Pappas, “Approximate simulation relations for hybridsystems,” Discrete Event Dynamic Systems, vol. 18, no. 2, pp. 163–179, 2008.
[19] O. Maler and D. Nickovic, “Monitoring temporal properties of continuous signals,” inFormal Techniques, Modelling and Analysis of Timed and Fault-Tolerant Systems,Springer, 2004, pp. 152–166.
96