Algorithmic Verification of Stability of Hybrid Systems

Transcription

1 Algorithmic Verification of Stability of Hybrid Systems Pavithra Prabhakar Kansas State University University of Kansas February 24,

2 Cyber-Physical Systems (CPS) Systems in which software "cyber" interacts with the "physical" world Medical Devices Automotive Robotics Software controlled physical systems Aeronautics Cruise control, lane assistants Pacemakers, infusion pumps Process control 2

3 Cyber-Physical Systems (CPS) Enhanced safety, security and efficiency through sophisticated functionalities Autonomous cars Smart Grids Smart Buildings 3

4 Cyber-Physical Systems (CPS) Enhanced safety, security and efficiency through sophisticated functionalities Autonomous cars Smart Grids Smart Buildings Safety Critical Systems Incorrect functioning can be disastrous Tesla s self driving car accident The New York Times Source: Florida traffic crash report 3

5 Cyber-Physical Systems (CPS) Enhanced safety, security and efficiency through sophisticated functionalities Autonomous cars Smart Grids Smart Buildings Safety Critical Systems Incorrect functioning can be disastrous Tesla s self driving car accident The New York Times Source: Florida traffic crash report Grand Challenge How do we build and deploy reliable CPS? 3

6 Hybrid Systems Rigorous techniques for CPS verification through hybrid systems theory 4

7 Hybrid Systems Rigorous techniques for CPS verification through hybrid systems theory Plant ẋ = f(x, u) y = h(x) u y Control u = g(y) 4

8 Hybrid Systems Rigorous techniques for CPS verification through hybrid systems theory Plant ẋ = f(x, u) y = h(x) Vehicle dynamics, heart, u y Control u = g(y) 4

9 Hybrid Systems Rigorous techniques for CPS verification through hybrid systems theory Plant ẋ = f(x, u) y = h(x) Vehicle dynamics, heart, u y Control u = g(y) Digital Logic, Software 4

10 Hybrid Systems Rigorous techniques for CPS verification through hybrid systems theory u Plant ẋ = f(x, u) y = h(x) Control u = g(y) y Vehicle dynamics, heart, Hybrid Systems Systems with mixed discrete and continuous behaviors Digital Logic, Software 4

11 Hybrid Systems Rigorous techniques for CPS verification through hybrid systems theory u Plant ẋ = f(x, u) y = h(x) Control u = g(y) y Vehicle dynamics, heart, Hybrid Systems Systems with mixed discrete and continuous behaviors Digital Logic, Software 4

12 Hybrid Systems Rigorous techniques for CPS verification through hybrid systems theory u Plant ẋ = f(x, u) y = h(x) Control u = g(y) y Vehicle dynamics, heart, Hybrid Systems Systems with mixed discrete and continuous behaviors Digital Logic, Software 4

13 Formal verification Given a hybrid system model and a formal specification, a verification algorithm generates a proof that the model satisfies the specification 5

14 Formal verification Given a hybrid system model and a formal specification, a verification algorithm generates a proof that the model satisfies the specification Examples of formal verification problems: 5

15 Formal verification Given a hybrid system model and a formal specification, a verification algorithm generates a proof that the model satisfies the specification Examples of formal verification problems: (Safety) Does an air-traffic collision avoidance protocol ensure minimum separation between the aircraft? 5

16 Formal verification Given a hybrid system model and a formal specification, a verification algorithm generates a proof that the model satisfies the specification Examples of formal verification problems: (Safety) Does an air-traffic collision avoidance protocol ensure minimum separation between the aircraft? (Stability) Does a cruise control bring the velocity of the vehicle to a desired velocity, and maintain it there in the presence of small disturbances? 5

17 Hybrid Systems 6

18 Cruise control and an automatic gearbox CRUISE CONTROLLER Continuous controller Integral K q Z (v d v)dv v d + Proportional K q (v d v) + + T GEARBOX v = pr qt M v Automatic gearbox K q q! high! low Discrete controller Goal of the cruise control: Drive the vehicle velocity to a desired velocity, and maintain it there in the presence of uphills and downhills. 7

19 Automatic gearbox: a hybrid system

20 Automatic gearbox: a hybrid system

21 Automatic gearbox: a hybrid system Variables x = E TI E = v d v Di erence between desired and current velocity T I Integral part of the torque

22 Automatic gearbox: a hybrid system E TI Variables x = Dynamics E = v d v Di erence between desired and current velocity Ė = p q Mr K qe p q Mr T I T I Integral part of the torque T I = K q E

23 Automatic gearbox: a hybrid system ẋ = A 1 x ẋ = A 2 x ẋ = A 3 x ẋ = A 4 x E TI Variables x = Dynamics E = v d v Di erence between desired and current velocity Ė = p q Mr K qe p q Mr T I T I Integral part of the torque T I = K q E

24 Automatic gearbox: a hybrid system E = 1 p 1! high E = 1 p 2! high E = 1 p 3! high ẋ = A 1 x ẋ = A 2 x ẋ = A 3 x ẋ = A 4 x E = 1 p 2! low E = 1 p 3! low E = 1 p 4! low E TI Variables x = Dynamics E = v d v Di erence between desired and current velocity Ė = p q Mr K qe p q Mr T I T I Integral part of the torque T I = K q E

25 Automatic gearbox: a hybrid system E = 1 p 1! high E = 1 p 2! high E = 1 p 3! high ẋ = A 1 x ẋ = A 2 x ẋ = A 3 x ẋ = A 4 x E = 1 p 2! low E = 1 p 3! low E = 1 p 4! low Trajectories Executions T I T I 3 to 4 2 to 3 1 to 2 x 3 x 2 0 E x 1 0 x 0 E 4 to 3 3 to 2 2 to 1

26 Stability 10

27 Stability Small perturbations in the initial state lead to small deviations in the system behavior 11

28 Stability Small perturbations in the initial state lead to small deviations in the system behavior 11

29 Stability Small perturbations in the initial state lead to small deviations in the system behavior 11

30 Stability Small perturbations in the initial state lead to small deviations in the system behavior Stable 11

31 Stability Small perturbations in the initial state lead to small deviations in the system behavior Stable 11

32 Stability Small perturbations in the initial state lead to small deviations in the system behavior Stable 11

33 Stability Small perturbations in the initial state lead to small deviations in the system behavior Stable 11

34 Stability Small perturbations in the initial state lead to small deviations in the system behavior Stable Unstable 11

35 Lyapunov Stability (LS) A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from B δ (0), σ B ε (0). 0 12

36 Lyapunov Stability (LS) A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from B δ (0), σ B ε (0). 0 12

37 Lyapunov Stability (LS) A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from B δ (0), σ B ε (0). 0 12

38 Lyapunov Stability (LS) A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from B δ (0), σ B ε (0). 0 12

39 Lyapunov Stability (LS) A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from B δ (0), σ B ε (0). 0 12

40 Lyapunov Stability (LS) A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from B δ (0), σ B ε (0). 0 8 >0, 9 >0, [( (0) 2 B (0)) )8t( (t) 2 B (0))] 12

41 (Global) Asymptotic Stability (AS) A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from B δ (0) converges to

42 (Global) Asymptotic Stability (AS) A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from B δ (0) converges to

43 (Global) Asymptotic Stability (AS) A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from B δ (0) converges to

44 (Global) Asymptotic Stability (AS) A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from B δ (0) converges to

45 (Global) Asymptotic Stability (AS) A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from B δ (0) converges to 0. 0 A system is GAS with respect to 0 if it is Lyapunov stable and every execution σ converges to 0. 13

46 (Global) Asymptotic Stability (AS) A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from B δ (0) converges to 0. 0 A system is GAS with respect to 0 if it is Lyapunov stable and every execution σ converges to 0. 13

47 (Global) Asymptotic Stability (AS) A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from B δ (0) converges to 0. 0 A system is GAS with respect to 0 if it is Lyapunov stable and every execution σ converges to 0. Global asymptotic stability 13

48 (Global) Asymptotic Stability (AS) A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from B δ (0) converges to 0. 0 A system is GAS with respect to 0 if it is Lyapunov stable and every execution σ converges to 0. Global asymptotic stability 13

49 (Global) Asymptotic Stability (AS) A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from B δ (0) converges to 0. 0 A system is GAS with respect to 0 if it is Lyapunov stable and every execution σ converges to 0. Global asymptotic stability Asymptotic stability 13

50 Challenges in Stability Verification for Hybrid Systems 14

51 Stability analysis Linear dynamical systems y y x x

52 Stability analysis Linear dynamical systems y y x x Stable Stable

53 Stability analysis Linear dynamical systems y x y x Stability can be determined by eigen values analysis Stable Stable

54 Stability analysis Linear dynamical systems y x y x Stability can be determined by eigen values analysis Stable Stable Linear hybrid systems y x

55 Stability analysis Linear dynamical systems y x y x Stability can be determined by eigen values analysis Stable Stable Linear hybrid systems y x Stable

56 Stability analysis Linear dynamical systems y x y x Stability can be determined by eigen values analysis Stable Stable Linear hybrid systems y y x x Stable

57 Stability analysis Linear dynamical systems y x y x Stability can be determined by eigen values analysis Stable Stable Linear hybrid systems y y x x Stable Unstable

58 Stability analysis Linear dynamical systems y x y x Stability can be determined by eigen values analysis Stable Stable Linear hybrid systems y y Eigen value analysis does not suffice for switched linear system x x Stable Unstable

59 Lyapunov s second method ẋ = F (x) Lyapunov function: Continuously differentiable V : R n! R + Positive definite V (x) 0 8x Decreases along any F (x) apple 0 8x V y x 16

60 Lyapunov s second method ẋ = F (x) Lyapunov function: Continuously differentiable V : R n! R + Positive definite V (x) 0 8x Decreases along any F (x) apple 0 8x V y x 16

61 Lyapunov s second method ẋ = F (x) Lyapunov function: Continuously differentiable V : R n! R + Positive definite V (x) 0 8x Decreases along any F (x) apple 0 8x V y x 16

62 Lyapunov s second method ẋ = F (x) Template based automated search Lyapunov function: Continuously differentiable V : R n! R + Positive definite V (x) 0 8x Choose a template Polynomial with coefficients as parameters Encode (a relaxation) of the constraints as a sum-ofsquare programming problem Use existing tools for SOS Decreases along any F (x) apple 0 8x V y x 16

63 Lyapunov s second method ẋ = F (x) Template based automated search Lyapunov function: Continuously differentiable V : R n! R + Positive definite V (x) 0 8x Choose a template Polynomial with coefficients as parameters Encode (a relaxation) of the constraints as a sum-ofsquare programming problem Use existing tools for SOS Decreases along any F (x) apple 0 8x V Shortcomings: Success depends crucially on the choice of the template The current methods provide no insight into the reason for the failure, when a template fails to prove stability No guidance regarding the choice of the next template y x 16

64 Lyapunov s second method ẋ = F (x) Template based automated search Lyapunov function: Continuously differentiable V : R n! R + Positive definite V (x) 0 8x Choose a template Polynomial with coefficients as parameters Encode (a relaxation) of the constraints as a sum-ofsquare programming problem Use existing tools for SOS Decreases along any F (x) apple 0 8x V Shortcomings: Success depends crucially on the choice of the template The current methods provide no insight into the reason for the failure, when a template fails to prove stability No guidance regarding the choice of the next template y x A CEGAR framework 16

65 Counter-example guided abstraction refinement 17

66 Abstraction Safety Analysis 18

67 Abstraction Safety Analysis 18

68 Abstraction Safety Analysis 18

69 Abstraction Safety Analysis 18

70 Abstraction Safety Analysis 18

71 Abstraction Safety Analysis 18

72 Abstraction Safety Analysis 18

73 Abstraction Safety Analysis 18

74 Abstraction Safety Analysis Every trajectory corresponds to a path in the graph 18

75 Abstraction Safety Analysis Every trajectory corresponds to a path in the graph Absence of a path from green to red node implies safety 18

76 Abstraction Safety Analysis Every trajectory corresponds to a path in the graph Absence of a path from green to red node implies safety 19

77 Abstraction Safety Analysis The above system is safe Every trajectory corresponds to a path in the graph Absence of a path from green to red node implies safety 19

78 Abstraction Safety Analysis The above system is safe Every trajectory corresponds to a path in the graph The abstract graph has a counter-example Absence of a path from green to red node implies safety 19

79 Abstraction Safety Analysis The above system is safe Every trajectory corresponds to a path in the graph The abstract graph has a counter-example Absence of a path from green to red node implies safety Right abstractions are hard to find! 19

80 Refinement Safety Analysis The above system is safe Every trajectory corresponds to a path in the graph The abstract graph has a counter-example Absence of a path from green to red node implies safety Right abstractions are hard to find! Refine by analyzing the abstract counter-example 20

81 Refinement Safety Analysis The above system is safe Every trajectory corresponds to a path in the graph The abstract graph has a counter-example Absence of a path from green to red node implies safety Right abstractions are hard to find! Refine by analyzing the abstract counter-example 20

82 Refinement Safety Analysis The above system is safe Every trajectory corresponds to a path in the graph The abstract graph has a counter-example Absence of a path from green to red node implies safety Right abstractions are hard to find! Refine by analyzing the abstract counter-example 20

83 Refinement Safety Analysis The above system is safe Every trajectory corresponds to a path in the graph The abstract graph has a counter-example Absence of a path from green to red node implies safety Right abstractions are hard to find! Refine by analyzing the abstract counter-example 20

84 Refinement Safety Analysis The above system is safe Every trajectory corresponds to a path in the graph The abstract graph has a counter-example Absence of a path from green to red node implies safety Right abstractions are hard to find! Refine by analyzing the abstract counter-example 20

85 Refinement Safety Analysis The above system is safe Every trajectory corresponds to a path in the graph The abstract graph has a counter-example Absence of a path from green to red node implies safety Right abstractions are hard to find! Refine by analyzing the abstract counter-example 20

86 Counter-example guided abstraction refinement Concrete System Abstraction Relation Abstract Refine Abstract System Analysis Results No Property Model-Check No Validate Yes Abstract Counter-example Yes Property satisfied Property violated CEGAR for discrete systems [Kurshan et al. 93, Clarke et al. 00, Ball et al. 02] CEGAR for hybrid systems safety verification [Alur et al 03, Clarke et al 03, Prabhakar et al 13] 21

87 Counter-example guided abstraction refinement Concrete System Abstraction Relation Abstract Refine Abstract System Analysis Results No Property Model-Check No Validate Yes Abstract Counter-example Yes Property satisfied Property violated CEGAR for discrete systems [Kurshan et al. 93, Clarke et al. 00, Ball et al. 02] CEGAR for hybrid systems safety verification [Alur et al 03, Clarke et al 03, Prabhakar et al 13] Template based search CEGAR framework Success depends crucially on the choice of the template Systematically iterate over the abstract systems No insight into the reason for the failure, when a template fails to prove stability Returns a counter-example in the case that the abstraction fails No guidance regarding the choice of the next template The counter-example can be used to guide the choice of the next abstraction 21

88 AVERIST: An Algorithmic VERIfier for STability Global Asymptotic Stability Analyzer Linear/Non- Linear Hybrid Automaton Hybridization Local Asymptotic Stability Analyzer Quantitative Predicate Abstraction GLPK Stability Zone Computation Model-Checking NetworkX Stable/ Unstable Region Stability Analysis Validation Refinement Z3 PPL Tool webpage: 22

89 Abstraction based analysis: Lyapunov and asymptotic stability 23

90 Quantitative Predicate Abstraction p 3 p 2 p 1 p 2 p 1 C B p 4 D E F A p 3 p 6 p 5 p 6 p 4 p 5 24

91 Quantitative Predicate Abstraction p 3 p 2 p 1 p 2 p 1 C B p 4 D E F A p 3 p 6 p 5 p 6 p 4 p 5 p 1 p 2 w(e) = d 2 d 2 d 1 d 1 24

92 Quantitative Predicate Abstraction p 3 p 2 C B p 1 w 2 p 2 w 1 p 1 w 6 p 4 D E F A p 3 p 6 p 5 p 6 w 3 p 4 p 5 w 4 w 5 p 1 p 2 w(e) = d 2 d 2 d 1 d 1 24

93 Quantitative Predicate Abstraction p 3 p 2 C B p 1 w 2 p 2 w 1 p 1 w 6 p 4 D E F A p 3 p 6 p 5 p 6 w 3 p 4 p 5 w 4 w 5 Weights capture information d 2 d 1 p 1 p 2 w(e) = d 2 d 1 about distance to the origin along the executions 24

94 Weighted Graph Construction p 2 p 2 p 2 p 3 p 3 p p 1 1 p 1 p 3 p 4 p 4 p 4 p p 1/2 2 1 p p 3 p 1 p 3 p 1 p 3 p 1 1 p p 4 1/2 1 p

95 Higher Dimensions 26

96 Higher Dimensions The weighted graph construction has a bisimulation like property for 2D. 26

97 Higher Dimensions The weighted graph construction has a bisimulation like property for 2D. p 2 p 1 d 2 d 1 w(e) = d 2 d 1 26

98 Higher Dimensions The weighted graph construction has a bisimulation like property for 2D. p 2 p 1 z d 2 d 1 ~ b ~a w(e) = d 2 d 1 y x 26

99 Higher Dimensions The weighted graph construction has a bisimulation like property for 2D. p z 1 p ~ b 2 ~a d 2 d 1 ~ b ~a w(e) = d 2 d 1 y x 26

100 Higher Dimensions The weighted graph construction has a bisimulation like property for 2D. p z 1 p ~ b 2 ~a d 2 d 1 ~ b ~a w(e) = d 2 d 1 y x 26

101 Higher Dimensions The weighted graph construction has a bisimulation like property for 2D. p z 1 p ~ b 2 ~a ~ b+~c ~a +~c d 2 d 1 ~ b ~a w(e) = d 2 d 1 y x 26

102 Higher Dimensions The weighted graph construction has a bisimulation like property for 2D. p z 1 p ~ b 2 ~a ~ b+~c ~a +~c d 2 d 1 ~ b ~a w(e) = d 2 d 1 y x 26

103 Higher Dimensions The weighted graph construction has a bisimulation like property for 2D. p z 1 p ~ b 2 ~a ~ b+~c ~a +~c d 2 d 1 ~ b ~a w(e) = d 2 d 1 y x sup v 2 v 1 t 0,v 1 2 f 1,v 2 2 f 2,v 2 = v 1 + 't 26

104 Soundness of Quantitative Predicate Abstraction Theorem An n dimensional PCD is Lyapunov stable if there are no edges with infinite weights and the weighted graph does not contain any cycles with product of weights on the edges greater than 1 Abstraction based model-checking of stability of hybrid systems. P. Prabhakar, M. G. Soto. CAV 13 27

105 Polyhedral Inclusion Dynamics Constant derivative ẋ = ' 28

106 Polyhedral Inclusion Dynamics Constant derivative ẋ = ' sup v 2 v 1 t 0,v 1 2 f 1,v 2 2 f 2,v 2 = v 1 + 't 28

107 Polyhedral Inclusion Dynamics Constant derivative ẋ = ' Polyhedral inclusion dynamics ẋ 2 P P is a polyhedral set sup v 2 v 1 t 0,v 1 2 f 1,v 2 2 f 2,v 2 = v 1 + 't 28

108 Polyhedral Inclusion Dynamics Constant derivative ẋ = ' Polyhedral inclusion dynamics ẋ 2 P P is a polyhedral set sup v 2 v 1 V ai x c i t 0,v 1 2 f 1,v 2 2 f 2,v 2 = v 1 + 't 28

109 Polyhedral Inclusion Dynamics Constant derivative ẋ = ' Polyhedral inclusion dynamics ẋ 2 P P is a polyhedral set sup v 2 v 1 V ai x c i t 0,v 1 2 f 1,v 2 2 f 2,v 2 = v 1 + 't ' 2 P 28

110 Polyhedral Inclusion Dynamics Constant derivative ẋ = ' Polyhedral inclusion dynamics ẋ 2 P P is a polyhedral set sup v 2 v 1 V ai x c i t 0,v 1 2 f 1,v 2 2 f 2,v 2 = v 1 + 't ' 2 P 28

111 Polyhedral Inclusion Dynamics Constant derivative ẋ = ' Polyhedral inclusion dynamics ẋ 2 P P is a polyhedral set sup v 2 v 1 V ai x c i t 0,v 1 2 f 1,v 2 2 f 2,v 2 = v 1 + 't ' 2 P V ai ' c i 28

112 Polyhedral Inclusion Dynamics Constant derivative ẋ = ' Polyhedral inclusion dynamics ẋ 2 P P is a polyhedral set sup v 2 v 1 V ai x c i t 0,v 1 2 f 1,v 2 2 f 2,v 2 = v 1 + 't ' 2 P V ai ' c i V ai (v 2 v 1 ) c i t 28

113 Switched Systems 29

114 Switched Systems p 3 p 1 29

115 Switched Systems p 3 p 4 p 2 p 1 29

116 Switched Systems p 3 v 1 p 4 p 2 p 1 29

117 Switched Systems p 3 v 1 p 4 p 2 p 1 The invariants associated with modes may overlap unbounded number of switching in a region A straight forward encoding of the reachability relation will lead to an infinite number of constraints We use certain decompositions into strongly connect components to reduce it to a finite number of constraints 29

118 So far. Construct weighted graph (Quantitative Predicate Abstraction) Check that the weighted graph has no cycle with product of weight >=1 If such a cycle exists, it is a counter-example 30

119 CEGAR for Stability 31

120 Counter-example If the abstract system fails to prove stability, then it returns a counterexample. 32

121 Counter-example If the abstract system fails to prove stability, then it returns a counterexample. p p 3 p 1 A cycle with product of weight greater than 1 1 p

122 Counter-example If the abstract system fails to prove stability, then it returns a counterexample. p p 3 p 1 A cycle with product of weight greater than 1 1 p 4 2 Need to check if it is spurious can the system follow the cycle to exhibit trajectories which diverge 32

123 Counter-example If the abstract system fails to prove stability, then it returns a counterexample. p p 3 p 1 A cycle with product of weight greater than 1 1 p 4 2 Need to check if it is spurious can the system follow the cycle to exhibit trajectories which diverge Validation checking spuriousness is not a bounded model-checking problem 32

124 Validation 33

125 Validation p 1 p 2 p 3 p 4 p k 1 p 1 33

126 Validation p 1 p 2 p 3 p 4 p k 1 p 1 33

127 Validation p 1 p 2 p 3 p 4 p k 1 p 1 x 1 x 2 x 3 x 4 x k 1 x k 33

128 Validation p 1 p 2 p 3 p 4 p k 1 p 1 x 1 x 2 x 3 x 4 x k 1 x k Theorem A counter example p 1! p 2! p 3!! p 1 is valid if and only if 9 >1:x 1 P 1 x 2 P 2 x 3... P k x k ^ x k = x 1 33

129 Validation and Refinement Summary 34

130 Validation and Refinement Summary Refinement essentially tries to ``eliminate the abstract counterexample (ACE) 34

131 Validation and Refinement Summary Refinement essentially tries to ``eliminate the abstract counterexample (ACE) If the ACE is spurious, we perform a forward computation to find the reach sets along the ACE 34

132 Validation and Refinement Summary Refinement essentially tries to ``eliminate the abstract counterexample (ACE) If the ACE is spurious, we perform a forward computation to find the reach sets along the ACE The spuriousness of the ACE ensures that in a finite number of iterations the corresponding reach set becomes empty and we refine (similar to the safety case) 34

133 Validation and Refinement Summary Refinement essentially tries to ``eliminate the abstract counterexample (ACE) If the ACE is spurious, we perform a forward computation to find the reach sets along the ACE The spuriousness of the ACE ensures that in a finite number of iterations the corresponding reach set becomes empty and we refine (similar to the safety case) Some improvements can be obtained by examining the ACE further to determine if it in fact has no infinite executions 34

134 Validation and Refinement Summary Refinement essentially tries to ``eliminate the abstract counterexample (ACE) If the ACE is spurious, we perform a forward computation to find the reach sets along the ACE The spuriousness of the ACE ensures that in a finite number of iterations the corresponding reach set becomes empty and we refine (similar to the safety case) Some improvements can be obtained by examining the ACE further to determine if it in fact has no infinite executions Counterexample guided abstraction refinement for stability analysis P. Prabhakar, M. G. Soto. CAV 16 34

135 Hybridization 35

136 Reachability relation computation is hard! Linear dynamical systems ẋ ẏ a = c b d x y A very important class of control system 36

137 Reachability relation computation is hard! Linear dynamical systems ẋ ẏ a = c b d x y A very important class of control system Reach(P 1,P,P 2 )={(s 1,s 2 ) s 1 2 P 1,s 2 2 P 2,s 1 P s2 } 36

138 Reachability relation computation is hard! Linear dynamical systems ẋ ẏ a = c b d x y A very important class of control system Reach(P 1,P,P 2 )={(s 1,s 2 ) s 1 2 P 1,s 2 2 P 2,s 1 P s2 } Solution is an exponential function 36

139 Reachability relation computation is hard! Linear dynamical systems ẋ ẏ a = c b d x y A very important class of control system Reach(P 1,P,P 2 )={(s 1,s 2 ) s 1 2 P 1,s 2 2 P 2,s 1 P s2 } Solution is an exponential function Need a representation on which optimization can be performed 36

140 Reachability relation computation is hard! Linear dynamical systems ẋ ẏ a = c b d x y A very important class of control system Reach(P 1,P,P 2 )={(s 1,s 2 ) s 1 2 P 1,s 2 2 P 2,s 1 P s2 } Solution is an exponential function Need a representation on which optimization can be performed Approximation methods [Girard et al., Frehse et al., PP] 36

141 Arbitrary switching of two linear systems y y p 2 x x q 1 q 2 p 1 The invariants associated with modes may overlap unbounded number of switching in a region Tools based on symbolic state space exploration do not reach a fixpoint 37

142 Hybridization 38

143 Hybridization Broad approach 38

144 Hybridization Broad approach Partition the state-space into a finite number of regions 38

145 Hybridization Broad approach Partition the state-space into a finite number of regions Abstract the dynamics in each region by a simpler dynamics 38

146 Hybridization Broad approach Partition the state-space into a finite number of regions Abstract the dynamics in each region by a simpler dynamics Rectangular dynamics, Polyhedral dynamics for Linear dynamics [Puri et al, Bogomolov et al] 38

147 Hybridization Broad approach Partition the state-space into a finite number of regions Abstract the dynamics in each region by a simpler dynamics Rectangular dynamics, Polyhedral dynamics for Linear dynamics [Puri et al, Bogomolov et al] Linear dynamics for non-linear dynamics [Asarin et al, Dang et al] 38

148 Hybridization Broad approach Partition the state-space into a finite number of regions Abstract the dynamics in each region by a simpler dynamics Rectangular dynamics, Polyhedral dynamics for Linear dynamics [Puri et al, Bogomolov et al] Linear dynamics for non-linear dynamics [Asarin et al, Dang et al] Crucial parts state-space partition and the choice of the abstract dynamics 38

149 Hybridization Broad approach Partition the state-space into a finite number of regions Abstract the dynamics in each region by a simpler dynamics Rectangular dynamics, Polyhedral dynamics for Linear dynamics [Puri et al, Bogomolov et al] Linear dynamics for non-linear dynamics [Asarin et al, Dang et al] Crucial parts state-space partition and the choice of the abstract dynamics Polyhedra inclusion dynamics and conical partitions 38

150 Hybridization Broad approach Partition the state-space into a finite number of regions Abstract the dynamics in each region by a simpler dynamics Rectangular dynamics, Polyhedral dynamics for Linear dynamics [Puri et al, Bogomolov et al] Linear dynamics for non-linear dynamics [Asarin et al, Dang et al] Crucial parts state-space partition and the choice of the abstract dynamics Polyhedra inclusion dynamics and conical partitions Hybridization for Stability Analysis of Switched Linear Systems P. Prabhakar, M. G. Soto. HSCC 16 38

151 Linear to Polyhedral Inclusion Dynamics z =(x, y) y x Linear Dynamics ż = Az ẋ = 2x 4y ẏ = 20x 2y 39

152 Linear to Polyhedral Inclusion Dynamics z =(x, y) y R x apple 0 y 0 y x x Linear Dynamics ż = Az ẋ = 2x 4y ẏ = 20x 2y 39

153 Linear to Polyhedral Inclusion Dynamics z =(x, y) y R x apple 0 y 0 y x x Linear Dynamics ż = Az Polyhedral Inclusion Dynamics ż 2 P ẋ = 2x 4y ẏ = 20x 2y P = {Az z 2 R} 39

154 Linear to Polyhedral Inclusion Dynamics z =(x, y) y R x apple 0 y 0 y x P x Linear Dynamics ż = Az Polyhedral Inclusion Dynamics ż 2 P ẋ = 2x 4y ẏ = 20x 2y P = {Az z 2 R} 39

155 Soundness of the construction Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable 40

156 Soundness of the construction Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable The set of executions of Poly(H, S) is a super set of the executions of H 40

157 Soundness of the construction Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable The set of executions of Poly(H, S) is a super set of the executions of H Stability is preserved by over-approximation 40

158 Soundness of the construction Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable The set of executions of Poly(H, S) is a super set of the executions of H Stability is preserved by over-approximation Conical partitions do not ensure bounded error approximation of the reachability relation 40

159 Soundness of the construction Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable The set of executions of Poly(H, S) is a super set of the executions of H Stability is preserved by over-approximation Conical partitions do not ensure bounded error approximation of the reachability relation However, they ensure bounded error approximation of the scaling 40

160 Soundness of the construction Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable The set of executions of Poly(H, S) is a super set of the executions of H Stability is preserved by over-approximation Conical partitions do not ensure bounded error approximation of the reachability relation However, they ensure bounded error approximation of the scaling The approximation algorithm is complete for asymptotically stable linear dynamical systems 40

161 Experiments AVERIST STABHYLI Template based search suffers from numerical instability Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS Yes 6 Yes 8 SS4 1 9 <1 Yes SS <1 Yes SS Yes D AS Yes SS Yes 2 Yes 75 SS Yes 2 Yes 15 SS Yes 2 Yes 138 4D AS Yes 2 12 SS Yes SS Yes SS Yes AS 9 out No 4 Yes 34 SS Yes SS Yes th degree polynomial returned, but no 8th degree polynomial LF found for arbitrary switched system, but not for restricted switched system Common LF found, but no multiple LF 41

162 Experiments AVERIST STABHYLI Template based search suffers from numerical instability Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS Yes 6 Yes 8 SS4 1 9 <1 Yes SS <1 Yes SS Yes D AS Yes SS Yes 2 Yes 75 SS Yes 2 Yes 15 SS Yes 2 Yes 138 4D AS Yes 2 12 SS Yes SS Yes SS Yes AS 9 out No 4 Yes 34 SS Yes SS Yes th degree polynomial returned, but no 8th degree polynomial LF found for arbitrary switched system, but not for restricted switched system Common LF found, but no multiple LF 41

163 Experiments AVERIST STABHYLI Template based search suffers from numerical instability Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS Yes 6 Yes 8 SS4 1 9 <1 Yes SS <1 Yes SS Yes D AS Yes SS Yes 2 Yes 75 SS Yes 2 Yes 15 SS Yes 2 Yes 138 4D AS Yes 2 12 SS Yes SS Yes SS Yes AS 9 out No 4 Yes 34 SS Yes SS Yes th degree polynomial returned, but no 8th degree polynomial LF found for arbitrary switched system, but not for restricted switched system Common LF found, but no multiple LF 41

164 Experiments AVERIST STABHYLI Template based search suffers from numerical instability Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS Yes 6 Yes 8 SS4 1 9 <1 Yes SS <1 Yes SS Yes D AS Yes SS Yes 2 Yes 75 SS Yes 2 Yes 15 SS Yes 2 Yes 138 4D AS Yes 2 12 SS Yes SS Yes SS Yes AS 9 out No 4 Yes 34 SS Yes SS Yes th degree polynomial returned, but no 8th degree polynomial LF found for arbitrary switched system, but not for restricted switched system Common LF found, but no multiple LF 41

165 Experiments AVERIST STABHYLI Template based search suffers from numerical instability Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS Yes 6 Yes 8 6th degree polynomial returned, but no 8th degree polynomial SS4 1 9 <1 Yes SS <1 Yes SS Yes D AS Yes SS Yes 2 Yes 75 SS Yes 2 Yes 15 LF found for arbitrary switched system, but not for restricted switched system Common LF found, but no multiple LF AVERIST SS Yes 2 Yes 138 4D AS Yes 2 12 SS Yes SS Yes SS Yes AS 9 out No 4 Yes 34 SS Yes SS Yes 2 16 Prove stability in many more cases than Stabhyli The verification time increases slower with respect to the number of regions as compared to the degree of the polynomial Abstraction computation is parallelizable Stabhyli can handle non-linear hybrid systems 41

166 Experiments AVERIST STABHYLI Template based search suffers from numerical instability Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS Yes 6 Yes 8 6th degree polynomial returned, but no 8th degree polynomial SS4 1 9 <1 Yes SS <1 Yes SS Yes D AS Yes SS Yes 2 Yes 75 SS Yes 2 Yes 15 LF found for arbitrary switched system, but not for restricted switched system Common LF found, but no multiple LF AVERIST SS Yes 2 Yes 138 4D AS Yes 2 12 SS Yes SS Yes SS Yes AS 9 out No 4 Yes 34 SS Yes SS Yes 2 16 Prove stability in many more cases than Stabhyli The verification time increases slower with respect to the number of regions as compared to the degree of the polynomial Abstraction computation is parallelizable Stabhyli can handle non-linear hybrid systems 41

167 Experiments AVERIST STABHYLI Template based search suffers from numerical instability Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS Yes 6 Yes 8 6th degree polynomial returned, but no 8th degree polynomial SS4 1 9 <1 Yes SS <1 Yes SS Yes D AS Yes SS Yes 2 Yes 75 SS Yes 2 Yes 15 LF found for arbitrary switched system, but not for restricted switched system Common LF found, but no multiple LF AVERIST SS Yes 2 Yes 138 4D AS Yes 2 12 SS Yes SS Yes SS Yes AS 9 out No 4 Yes 34 SS Yes SS Yes 2 16 Prove stability in many more cases than Stabhyli The verification time increases slower with respect to the number of regions as compared to the degree of the polynomial Abstraction computation is parallelizable Stabhyli can handle non-linear hybrid systems 41

168 AVERIST: An Algorithmic VERIfier for STability Global Asymptotic Stability Analyzer Linear/Non- Linear Hybrid Automaton Hybridization Local Asymptotic Stability Analyzer Quantitative Predicate Abstraction GLPK Stability Zone Computation Model-Checking NetworkX Stable/ Unstable Region Stability Analysis Validation Refinement Z3 PPL Tool webpage: 42

169 Global asymptotic stability 43

170 Global asymptotic stability (GAS) A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. 44

171 Global asymptotic stability (GAS) A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem 44

172 Global asymptotic stability (GAS) A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem An Algorithmic Approach to Global Asymptotic Stability Verification of Hybrid Systems P. Prabhakar, M. G. Soto. EMSOFT 16 44

173 Region Stability (RS) A hybrid system is Region Stable with respect to a region R if every execution of the system eventually reaches R R Region Stability is a CTL property: All executions eventually reach R AFR 45

174 Global asymptotic stability (GAS) p 2 p 1/2 2 3/2 p 3 p 1 p 3 p 1 p 4 3/2 p 4 1/2 46

175 Global asymptotic stability (GAS) p 2 p 1/2 2 3/2 p 3 p 1 p 3 p 1 p 4 3/2 p 4 1/2 Observation 1: The weighted graph captures the information of the executions which remain within a center region (here, ABCDEF) 46

176 Global asymptotic stability (GAS) p 2 p 1/2 2 3/2 p 3 p 1 p 3 p 1 p 4 3/2 p 4 1/2 Observation 1: The weighted graph captures the information of the executions which remain within a center region (here, ABCDEF) 46

177 Global asymptotic stability (GAS) p 2 p 1/2 2 3/2 p 3 p 1 p 3 p 1 p 4 3/2 p 4 1/2 Observation 1: The weighted graph captures the information of the executions which remain within a center region (here, ABCDEF) Note: All executions starting within the center region do not remain within the center region, even if the system is stable 46

178 Global asymptotic stability (GAS) p 2 p 1/2 2 3/2 p 3 p 1 p 3 p 1 p 4 3/2 p 4 1/2 47

179 Global asymptotic stability (GAS) p 2 p 1/2 2 3/2 p 3 p 1 p 3 p 1 p 4 3/2 p 4 1/2 Observation 2: A Lyapunov/asymptotic stability proof provides a stability zone within the center region such that the executions starting from the stability zone will remain within the center region 47

180 Global asymptotic stability (GAS) p 2 p 1/2 2 3/2 p 3 p 1 p 3 p 1 p 4 3/2 p 4 1/2 Observation 2: A Lyapunov/asymptotic stability proof provides a stability zone within the center region such that the executions starting from the stability zone will remain within the center region 47

181 Global asymptotic stability (GAS) p 2 p 1/2 2 3/2 p 3 p 1 p 3 p 1 p 4 3/2 p 4 1/2 Observation 2: A Lyapunov/asymptotic stability proof provides a stability zone within the center region such that the executions starting from the stability zone will remain within the center region Note: The longest distance an execution can traverse w.r.t the initial point is at most 3/2 times 47

182 Global asymptotic stability (GAS) A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem 48

183 Global asymptotic stability (GAS) A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem Check if the system is asymptotically stable 48

184 Global asymptotic stability (GAS) A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem Check if the system is asymptotically stable If yes, compute a stability zone 48

185 Global asymptotic stability (GAS) A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem Check if the system is asymptotically stable If yes, compute a stability zone Check if the system is region stable with respect to the stability zone 48

186 Global asymptotic stability (GAS) A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem Check if the system is asymptotically stable If yes, compute a stability zone Check if the system is region stable with respect to the stability zone If yes, then the system is GAS 48

187 Stability zone computation for the gearbox Center region T I 3 to 4 2 to 3 1 to 2 0 E Stability zone 4 to 3 3 to 2 2 to 1 49

188 Conclusion Global Asymptotic Stability Analyzer Linear/Non- Linear Hybrid Automaton Hybridization Local Asymptotic Stability Analyzer Quantitative Predicate Abstraction GLPK Stability Zone Computation Model-Checking NetworkX Stable/ Unstable Region Stability Analysis Validation Refinement Z3 PPL Tool webpage: 50

189 Future Work Stabilizing controller synthesis using the algorithmic approach Solve quantitative games Compositional analysis of stability Compose input-output stability notions Extensions to nonlinear dynamics Hybridization to linear systems with inputs 51

190 Future Work Stabilizing controller synthesis using the algorithmic approach Solve quantitative games Compositional analysis of stability Compose input-output stability notions Extensions to nonlinear dynamics Hybridization to linear systems with inputs Acknowledgements: Miriam Garcia Soto (IMDEA) Geir Dullerud (UIUC) Mahesh Viswanathan (UIUC) Jun Liu (Univ. Waterloo) Richard Murray (Caltech) Marie Curie Career Integration Grant NSF CAREER Award ONR Young Investigator Award 51