Hybrid systems and computer science a short tutorial

Size: px

Start display at page:

Download "Hybrid systems and computer science a short tutorial"

Baldric Miles
5 years ago
Views:

1 Hybrid systems and computer science a short tutorial Eugene Asarin Université Paris 7 - LIAFA SFM 04 - RT, Bertinoro p. 1/4

2 Introductory equations Hybrid Systems = Discrete+Continuous SFM 04 - RT, Bertinoro p. 2/4

3 Introductory equations Hybrid Systems = Discrete+Continuous Hybrid Automata = A class of models of Hybrid systems SFM 04 - RT, Bertinoro p. 2/4

4 Introductory equations Hybrid Systems = Discrete+Continuous Hybrid Automata = A class of models of Hybrid systems Original motivation (1990)= physical plant + digital controller SFM 04 - RT, Bertinoro p. 2/4

5 Introductory equations Hybrid Systems = Discrete+Continuous Hybrid Automata = A class of models of Hybrid systems Original motivation (1990)= physical plant + digital controller New applications = also scheduling, biology, economy, numerics, and more SFM 04 - RT, Bertinoro p. 2/4

6 Introductory equations Hybrid Systems = Discrete+Continuous Hybrid Automata = A class of models of Hybrid systems Original motivation (1990)= physical plant + digital controller New applications = also scheduling, biology, economy, numerics, and more Hybrid community = Control scientists + Applied mathematicians + Some computer scientists SFM 04 - RT, Bertinoro p. 2/4

7 Outline 1. Hybrid automata - the model 2. Verification 3. Conclusions and perspectives SFM 04 - RT, Bertinoro p. 3/4

8 1. The Model SFM 04 - RT, Bertinoro p. 4/4

9 Outline 1. Hybrid automata - the model The definition Semantic issues Modeling with hybrid automata Hybrid languages Running a hybrid automaton 2. Verification 3. Conclusions and perspectives SFM 04 - RT, Bertinoro p. 5/4

10 The first example I m sorry, a thermostat. SFM 04 - RT, Bertinoro p. 6/4

11 The first example I m sorry, a thermostat. When the heater is OFF, the room cools down : ẋ = x When it is ON, the room heats: ẋ = H x SFM 04 - RT, Bertinoro p. 6/4

12 The first example I m sorry, a thermostat. When the heater is OFF, the room cools down : ẋ = x When it is ON, the room heats: ẋ = H x When t>m it switches OFF When t<m it switches ON SFM 04 - RT, Bertinoro p. 6/4

13 The first example I m sorry, a thermostat. When the heater is OFF, the room cools down : ẋ = x When it is ON, the room heats: ẋ = H x When t>m it switches OFF When t<m it switches ON A strange creature... SFM 04 - RT, Bertinoro p. 6/4

14 A bad syntax Some mathematicians prefer to write where ẋ = f(x,q) f(x, Off) = x f(x, On) = H x with some switching rules on q. SFM 04 - RT, Bertinoro p. 7/4

15 A bad syntax Some mathematicians prefer to write where ẋ = f(x,q) f(x, Off) = x f(x, On) = H x with some switching rules on q. But we will draw an automaton! SFM 04 - RT, Bertinoro p. 7/4

16 On ẋ = H x x M guard x = M x = m /γ reset Off Hybrid automaton ẋ = x x m label dynamics invariant SFM 04 - RT, Bertinoro p. 8/4

17 On ẋ = H x x M x = M x = m /γ Off Hybrid automaton ẋ = x x m label dynamics invariant guard reset A formal definition: It is a tuple... SFM 04 - RT, Bertinoro p. 8/4

18 On ẋ = H x x M guard x = M x = m /γ reset Off Hybrid automaton ẋ = x x m label dynamics invariant x M m SFM 04 - RT, Bertinoro p. 8/4

19 Hybrid versus timed a,x = 5/x := 0 q 1 q 2 label On ẋ = H x x M x = M x = m /γ Off ẋ = x x m dynamics invariant b,x = 2 b,x > 7 a,x < 10 q 3 a,x = 8 q 4 guard reset b,x = 5/x := 0 SFM 04 - RT, Bertinoro p. 9/4

20 Hybrid versus timed Element Timed Aut. Hybrid Aut. Discrete locations q Q (finite) q Q (finite) Continuous variables x R n x R n x dynamics ẋ = 1 ẋ = f(x) (and more) Guards bool. comb. of x i c i x G SFM 04 - RT, Bertinoro p. 9/4

21 Semantic issues A trajectory (run) is an f : R Q R n Some mathematical complications (notion of solution, existence and unicity not so evident). Zeno trajectories (infinitely many transitions in a finite period of time). can be forbidden one can consider trajectories up to the first anomaly (Sastry et al., everything OK) one can consider the complete Zeno trajectories (very funny : Asarin-Maler 95) SFM 04 - RT, Bertinoro p. 10/4

22 Variants Discrete-time (x n+1 = f(x n )) or continuous-time ẋ = f(x) Deterministic (e.g. ẋ = f(x)) or non-deterministic (e.g. ẋ F(x)) Eager or lazy. With control and/or disturbance (e.g. ẋ = f(x,u,d)) Various restrictions on dynamics, guards and resets: Piecewise trivial dynamics. LHA, RectA, PCD, PAM, SPDI... They are still highly non-trivial. SFM 04 - RT, Bertinoro p. 11/4

23 Special classes of Hybrid Automata 1 The famous one: Linear Hybrid Automata x P 1 /x := A 1 x + b 1 ẋ = c 1 ẋ = c 2 x P 2 /x := A 2 x + b 2 SFM 04 - RT, Bertinoro p. 12/4

24 Special classes of Hybrid Automata 2 My favorite: PCD = Piecewise Constant Derivatives c1 P1 x y ẋ = c i for x P i SFM 04 - RT, Bertinoro p. 13/4

25 PCD is a linear hybrid automaton (LHA) e 3 e 2 e 4 e 9 e 12 e 1 e 10 e 11 e 5 e 8 e6 e 7 SFM 04 - RT, Bertinoro p. 14/4

26 PCD is a linear hybrid automaton (LHA) e 3 e3 e 2 e 2 e 4 e 9 e 12 e 1 e 4 e 9 e 12 e 1 e 5 e 10 e 11 e 8 e 10 e 11 e 5 e 8 e 6 e6 e 7 e 7 SFM 04 - RT, Bertinoro p. 14/4

27 PCD is a linear hybrid automaton (LHA) e3 e 2 R 4 R 2 ẋ = a 4 ẋ = a 2 Inv(l 4 ) e 12 Inv(l 2 ) e 9 x = e 4 x = e 1 R 5 R 1 ẋ = a 5 ẋ = a 1 Inv(l 5 ) Inv(l 1 ) x = e 5 x = e 10 x = e 11 x = e 8 R 6 ẋ = a 6 Inv(l 6 ) x = e 6 R 7 R 8 ẋ = a x = e 7 7 ẋ = a 8 Inv(l 7 ) Inv(l 8 ) SFM 04 - RT, Bertinoro p. 14/4

28 PCD is a linear hybrid automaton (LHA) R 4 R 3 R 2 x = e 3 x = e 2 ẋ = a 4 ẋ = a 3 ẋ = a 2 Inv(l 4 ) Inv(l 3 ) Inv(l 2 ) x = e 4 x = e 9 x = e 12 x = e 1 R 5 R 1 ẋ = a 5 ẋ = a 1 Inv(l 5 ) Inv(l 1 ) x = e 5 x = e 10 x = e 11 x = e 8 R 6 ẋ = a 6 Inv(l 6 ) x = e 6 R 7 R 8 ẋ = a x = e 7 7 ẋ = a 8 Inv(l 7 ) Inv(l 8 ) SFM 04 - RT, Bertinoro p. 14/4

29 PCD is a linear hybrid automaton (LHA) R 4 R 3 R 2 x = e 3 x = e 2 ẋ = a 4 ẋ = a 3 ẋ = a 2 Inv(l 4 ) Inv(l 3 ) Inv(l 2 ) x = e 4 x = e 9 x = e 12 x = e 1 R 5 R 1 ẋ = a 5 ẋ = a 1 Inv(l 5 ) Inv(l 1 ) x = e 5 x = e 10 x = e 11 x = e 8 R 6 ẋ = a 6 Inv(l 6 ) x = e 6 R 7 R 8 ẋ = a x = e 7 7 ẋ = a 8 Inv(l 7 ) Inv(l 8 ) SFM 04 - RT, Bertinoro p. 14/4

30 Special classes of Hybrid Automata 3 The most illustrative: Piecewise Affine Maps P1 P2 x := A i x + b i for x P i A1x+b1 A2x+b2 SFM 04 - RT, Bertinoro p. 15/4

31 How to model? a control system SFM 04 - RT, Bertinoro p. 16/4

32 How to model? a control system a scheduler with preemption SFM 04 - RT, Bertinoro p. 16/4

33 How to model? a control system a scheduler with preemption a genetic network SFM 04 - RT, Bertinoro p. 16/4

34 How to model? a control system a scheduler with preemption a genetic network A network of interacting Hybrid automata SFM 04 - RT, Bertinoro p. 16/4

35 Hybrid languages SHIFT Charon Hysdel IF, Uppaal (Timed + ε) why not Simulink? or Simulink+CheckMate. SFM 04 - RT, Bertinoro p. 17/4

36 What to do with a hybrid model Simulate With Matlab/Simulink With dedicated tools Analyze with techniques from control science: Stability analysis Optimal control etc.. Analyze with your favorite techniques. The most important invention is the model. SFM 04 - RT, Bertinoro p. 18/4

37 2. Verification SFM 04 - RT, Bertinoro p. 19/4

38 Outline 1. Hybrid automata - the model 2. Verification Verification and reachability problems Exact methods The curse of undecidability Decidable classes Can realism help? Approximate methods The abstract algorithm Data structures and concrete algorithms Beyond reachability, beyond verification Verification tools 3. Conclusions and perspectives SFM 04 - RT, Bertinoro p. 20/4

39 Verification and reachability problems Is automatic verification possible for HA? SFM 04 - RT, Bertinoro p. 21/4

40 Verification and reachability problems Is automatic verification possible for HA? Safety: are we sure that HA never enters a bad state? It can be seen as reachability : verify that Reach(Init, Bad) SFM 04 - RT, Bertinoro p. 21/4

41 Verification and reachability problems Is automatic verification possible for HA? Safety: are we sure that HA never enters a bad state? It can be seen as reachability : verify that Reach(Init, Bad) It is a natural and challenging mathematical problem. Many works on decidability Some works on approximated techniques SFM 04 - RT, Bertinoro p. 21/4

42 The reachability problem Given a hybrid automaton H and two sets A,B Q R n, find out whether there exists a trajectory of H starting in A and arriving to B. All parameters rational. SFM 04 - RT, Bertinoro p. 22/4

43 Exact methods: Decidable classes Reach(x,y) a trajectory from x to y Reach is decidable for AD: timed automata HKPV95: initialized rectangular automata, extensions of timed automata LPY01: special linear equations + full resets. Method : finite bisimulation (stringent restrictions on the dynamics) KPSY: Integration graphs??? SFM 04 - RT, Bertinoro p. 23/4

44 Decidability 2 Reach is decidable for MP94: 2d PCD. CV96: 2d multi-polynomial systems. ASY01: 2d non-deterministic PCD SFM 04 - RT, Bertinoro p. 24/4

45 Decidability 2 - geometric method consider signatures signatures are simple on the plane (Poincaré-Bendixson) s 1 s 2 s n r 1 r 2 r 3 finitely many patterns r n r n+1 exact acceleration of the cycles is possible. Algorithm: for each pattern compute successors, accelerate cycles. Restrictions: planarity, no jumps SFM 04 - RT, Bertinoro p. 25/4

46 Exact methods: The curse of undecidability Koiran et al.: Reach is undecidable for 2d PAM. AM95: Reach is undecidable for 3d PCD. HPKV95 Many results of the type : 3clocks + 2 stopwatches = undecidable SFM 04 - RT, Bertinoro p. 26/4

47 Anatomy of Undecidability Preliminaries Proof method: simulation of 2-counter (Minsky) machine, TM etc... A counter: values in N; operations: C + +, C ; test C > 0? A Minsky (2 counter) machine q 1 : D + +; goto q 2 q 2 : C ; goto q 3 q 3 : if C > 0 then goto q 2 else q 1 Reachability is undecidable (and Σ 0 1-complete) for Minsky machines. SFM 04 - RT, Bertinoro p. 27/4

48 Simulating a counter x 0 1 C Counter PAM State space N State space [0; 1] State C = n x = 2 n C + + x := x/2 C x := 2x C > 0? x < 0.75? 0 SFM 04 - RT, Bertinoro p. 28/4

49 Encoding a state of a Minsky Machine q 1 q 2 q 3 (3,3) (2,1) Minsky Machine (0,3) PAM State space {q 1,...,q k } N N State space [1;k + 1] State (q i,c = m,d = n) x = i + 2 m,y = 2 n SFM 04 - RT, Bertinoro p. 29/4

50 Simulating a Minsky Machine Minsky Machine PAM State space {q 1,..., q k } N N State space [1; k + 1] [0;1] State (q i, C = m, D = n) x = i + 2 m, y = 2 n q 1 : D + +; goto q 2 x := x + 1 y := y/2 if 1 < x 2 q 2 : C ; goto q 3 x := 2(x 2) + 3 y := y if 2 < x 3 q 3 : if C > 0 then goto q 2 else q 1 x := x 1 y := y x := x 2 y := y if 3 < x < 4 if x = 4 SFM 04 - RT, Bertinoro p. 30/4

51 ... finally we have proved that Reach is undecidable for 2d PAMs. Undecidability proofs for other classes of HA are similar. SFM 04 - RT, Bertinoro p. 31/4

52 A difficult problem 1d piecewise affine maps (PAMs): f : R R f(x) = a i x + b i for x I i a 1 x + b 1 R I 1 I 4 I 3 I 2 I 5 SFM 04 - RT, Bertinoro p. 32/4

53 A difficult problem 1d piecewise affine maps (PAMs): f : R R f(x) = a i x + b i for x I i a 1 x + b 1 R I 1 I 4 I 3 I 2 I 5 a 5 x + b 5 SFM 04 - RT, Bertinoro p. 32/4

54 A difficult problem 1d piecewise affine maps (PAMs): f : R R f(x) = a i x + b i for x I i a 1 x + b 1 R a 4 x + b 4 I 1 I 4 I 3 I 2 I 5 a 5 x + b 5 SFM 04 - RT, Bertinoro p. 32/4

55 A difficult problem 1d piecewise affine maps (PAMs): f : R R f(x) = a i x + b i for x I i a 1 x + b 1 R a 4 x + b 4 I 1 I 4 I 3 I 2 I 5 a 2 x + b 2 a 5 x + b 5 SFM 04 - RT, Bertinoro p. 32/4

56 A difficult problem 1d piecewise affine maps (PAMs): f : R R f(x) = a i x + b i for x I i a 1 x + b 1 R a 4 x + b 4 I 1 I 4 I 3 I 2 I 5 a 2 x + b 2 a 5 x + b 5 SFM 04 - RT, Bertinoro p. 32/4

57 A difficult problem 1d piecewise affine maps (PAMs): f : R R f(x) = a i x + b i for x I i a 1 x + b 1 a 4 x + b 4 R I 1 I 4 I 3 I 2 I 5 a 2 x + b 2 a 5 x + b 5 Old Open Problem. PAM? Is reachability decidable for 1d SFM 04 - RT, Bertinoro p. 32/4

58 Can realism help? Maybe even undecidability is an artefact? Maybe it never occurs in real systems? SFM 04 - RT, Bertinoro p. 33/4

59 Proof method Abstract View Proof by simulation of an infinite state machine by a DS State of machine state of the DS Dynamics of DS simulates transitions of the machine SFM 04 - RT, Bertinoro p. 34/4

60 Consequences for bounded DS witnessing undecidability Important states (sets) of the DS are very dense (have accumulation points) Dynamics should be very precise (at least around accumulation points) It is difficult (impossible) to realize such systems physically...and also: dynamics should be chaotic... infinite state SFM 04 - RT, Bertinoro p. 35/4

61 The Conjecture Reachability is decidable for realistic, unprecise, noisy, fuzzy, robust systems Arguments: The only known proof method uses unbounded precision (or unbounded state space) Noise could regularize... This world is nice and bad things never happen... Engineers design systems and never deal with undecidability. SFM 04 - RT, Bertinoro p. 36/4

62 Some Thoughts and Results All the arguments are weak The problem is interesting I know 3 natural formalizations of realism Non-zero noise: undecidable (Σ 1 -hard) uniform noise: open problem Infinitesimal noise: undecidable and co-r.e. (Π 0 1 -complete) Both positive or negative solution would be interesting for the second one Most of these effects are not specific for a class of systems, they can be ported to any reasonable class. SFM 04 - RT, Bertinoro p. 37/4

63 Approximate methods for reachability In practice approximate methods should be used for safety verification. Several tools, many methods. General principles are easy, implementation difficult. SFM 04 - RT, Bertinoro p. 38/4

64 Abstract algorithm For example consider forward breadth-first search. F=Init repeat F=F SuccFlow(F) SuccJump(F) until fixpoint (F Bad ) tired A standard verification (semi-)algorithm. SFM 04 - RT, Bertinoro p. 39/4

65 How to implement it Needed data structure for (over-)approximate representation of subsets of R n, and algorithms for efficient computing of unions, intersections; inclusion tests; SuccFlow; SuccJump. SFM 04 - RT, Bertinoro p. 40/4

66 Known implementations Polyhedra (HyTech - exact. Checkmate) Griddy polyhedra (d/dt) Ellipsoids (Kurzhanski, Bochkarev) Level sets of functions (Tomlin) f(x)<0 SFM 04 - RT, Bertinoro p. 41/4

67 Does it work? Up to 10 dimensions. Sometimes. SFM 04 - RT, Bertinoro p. 42/4

68 Using advanced verification techniques Searching for better data-structures (SOS, *DD) Abstraction and refinement Combining model-checking and theorem proving Acceleration Bounded model-checking SFM 04 - RT, Bertinoro p. 43/4

69 Beyond verification Generic verification algorithms + hybrid data structures allow: Model-checking Controller synthesis Phase portrait generation SFM 04 - RT, Bertinoro p. 44/4

70 A picture 40 R R R R R R R 29 SFM 04 - RT, Bertinoro p. 45/4

71 3. Final Remarks SFM 04 - RT, Bertinoro p. 46/4

72 Outline 1. Hybrid automata - the model 2. Verification 3. Conclusions and perspectives Conclusions for a pragmatical user Conclusions for a researcher SFM 04 - RT, Bertinoro p. 47/4

73 Conclusions for a pragmatical user A useful and proper model : HA. Modeling languages available. Simulation possible with old and new tools No hope for exact analysis In simple cases approximated analysis (and synthesis) with guarantee is possible using verification paradigm. Tools available (Not discussed) Some control-theoretical techniques available (stability, optimal control etc). SFM 04 - RT, Bertinoro p. 48/4

74 Perspectives for a researcher Obtain new decidability results (nobody cares for undecidability). Explore noise-fuzziness-realism issues Apply modern model-checking techniques to approximate verification of HS Create hybrid theory of formal languages etc. SFM 04 - RT, Bertinoro p. 49/4

models, languages, dynamics Eugene Asarin PIMS/EQINOCS Workshop on Automata Theory and Symbolic Dynamics LIAFA - University Paris Diderot and CNRS

models, languages, dynamics Eugene Asarin PIMS/EQINOCS Workshop on Automata Theory and Symbolic Dynamics LIAFA - University Paris Diderot and CNRS models, s, LIAFA - University Paris Diderot and CNRS PIMS/EQINOCS Workshop on Automata Theory and Symbolic Dynamics Context A model for verification of real-time systems Invented by Alur and Dill in early