APPROXIMATING SWITCHED CONTINUOUS SYSTEMS BY RECTANGULAR AUTOMATA

Transcription

1 European Control Conference 99, Karlsruhe (Germany), August 31 st - September 3 rd, 1999 APPROXIMATING SWITCHED CONTINUOUS SYSTEMS BY RECTANGULAR AUTOMATA O. Stursberg, S. Kowalewski Keywords: Approximation, Automata, Continuous dynamics, Event-driven controllers, Verification. Abstract An approximation procedure is presented for a class of hybrid systems in which switching occurs only when the continuous state trajectory crosses thresholds defined by a rectangular partitioning of the state space. The result of the approximation are rectangular automata, a class of hybrid automata for which a numerically robust approximative analysis algorithm exists. Thus, the approximation procedure can be applied when we are interested in the reachability set of a switched continuous system for which a direct analysis is infeasible. The approach is illustrated by application to a simple physical example. As an extension, an algorithm is presented to adjust the accuracy of the approximation to the continuous dynamics by choosing a state space partitioning according to the variation of the vector field. 1 Introduction The problem behind the contribution of this paper is the analysis of systems with continuous dynamics which can switch when the continuous state trajectory crosses rectangular switching manifolds. This class of hybrid systems arises for example in industrial processing plants where logic controllers are used to supervise and enforce operational and safety requirements. Usually, thresholds are defined for single process variables (e.g., alarms for the temperature in a reactor) and the crossing of these thresholds results in a discrete controller action which abruptly changes the continuous dynamics. As the control objective in these applications is to prevent the process variables from reaching certain non-desired or even dangerous ranges, reachability analysis could be a tool for checking the correct design of the logic control programs including the choice of the threshold values. However, reachability analysis is only feasible for very restricted classes of hybrid systems and the appropriate models of logic controlled processing systems (in most cases switched ordinary differential equations) rarely belong to one of them. Therefore, often a two-step procedure is proposed : First, the considered switched continuous system is approximated (conservatively) by a simpler system for which reachability analysis is possible. Then, in the second step, the approximating system is analyzed. This paper is concerned with the first step. There are various approaches to the described problem known from the literature. In most cases, the aim is to find a discrete transition system as a purely qualitative abstraction of a continuous model. The area of Qualitative Modelling [Kui95] essentially is concerned with this problem. Further examples are [CK99], [Pre97], and [Rai97]. In [Lun94] quantitative information is retained by deriving stochastic automata, and [SK+96] and [SKE97] used timed automata as the approximating class of systems. [HHW98] presents an approach to approximate an arbitrary (so-called non-linear ) HA by a so-called linear HA for which semi-decidable analysis procedures are available. To achieve this, an appropriate partition has to be found by the user of the method. The approach presented here also maps the switched continuous system into a hybrid automaton. But in contrast to [HHW98], we assume that the partitioning is given a priori by technical constraints (e.g., sensor thresholds) and that the task is to find an approximating model based on these switching manifolds. To represent the approximating model we choose rectangular automata (RA) [HK+95]. RA are a subclass of hybrid automata with the characteristic property that for each discrete state, the range of the continuous variables and their time derivatives is given as an interval. A tool for reachability analysis of RA is available [PK+98]. In the next section we describe the considered control setting and in Sec. 3 the class of RA is reviewed. Section 4 presents the main concepts for approximating switched continuous systems by RA, and the method is illustrated by application to a simple physical example in Sec. 5. An approach to refine the state space partitioning depending on the continuous dynamics is proposed in Sec. 6, and a discussion concludes the paper. 2 Event-driven Control of Continuous Systems Within this contribution we consider the following closedloop setting of a continuous plant and an event-driven controller (see Fig. 1): If the state trajectory x(t) of the continuous system crosses a specified threshold an event generator emits an output symbol o (the event ). Depend-

2 ing on this symbol the event-driven controller changes to a new discrete state s which is appropriate to control the continuous process in a desired way. The input selector transforms s into a discrete input vector u which determines the behaviour of the continuous system until the next event is generated. The four components of this setting are defined as follows. Continuous System x( t) x u Event Generator Input selector Figure 1: The control setting. o s Event-driven Controller For the part that contains continuous behaviour we consider a subclass of hybrid systems which is denoted as Switched Continuous Systems below. It is characterized by the property that depending on a discrete-valued input vector and on the actual state vector the dynamics is switched between different sets of ordinary differential equations (compare to [PSK99]). Definition 1: Switched Continuous Systems A Switched Continuous System is given by SCS = (X, U, L, Φ, O, ω) with the following components: For n variables x j defined on an interval [x j,min, x j,max ], j {1,..., n} the continuous state space is given by X = [x 1,min, x 1,max ]... [x n,min, x n,max ] IR n. U = {u 1,...,u l } is the finite set of discrete inputs of SCS where each u k is defined as an m-dimensional vector u k (u k,1,..., u k,m ) with u k,j IR, k = {1,..., l}, j {1,..., m}. Each element of the n-tuple L = {L 1,..., L n } denotes an ordered set of landmarks which is introduced for the variable x j : L j = {l j,0,..., l j,pj }, j {1,...n}. The landmarks correspond to those values of x j at which either the input is set to a new u or at which a different dynamics becomes valid (see below). The landmarks l j,0 and l j,pj are set to the bounds of the continuous state space, i. e. l j,0 = x j,min, l j,pj = x j,max. The introduction of L partitions the state space X into a number of π = p 1... p n regions of rectangular geometry. Each of these regions is denoted as X i. X i = [l 1,k1, l 1,k1+1]... [l n,kn, l n,kn+1], k j {0,..., p j 1}, such that X = 1 i π X i. The continuous state evolution is given by a set Φ = {f 1,...,f q }. A vector of functions ẋ = f r (x,u k ), r = {1,...q} is defined for x X i (or a set of regions) and u k U. Each component f r,j is assumed to be a time-invariant, possibly nonlinear ODE with a unique and continuous solution over time. The set of discrete outputs of SCS is denoted by O = {o 1, o 2,... }. The output function ω : {X, L} O generates a symbol o i at a point of time t at which a variable crosses a landmark: ω : {X, l j,k if x j (t) = l j,k and x j (t){<, >}l j,k : ω(x,l) = o i, else: ω(x, L) = }. Note that we distinguish the two cases of crossing the landmark in positive and negative direction (x j (t) denotes the time predecessor of x j (t)). If more than one variable crosses a landmark at the same time instant t (i. e. a border or a corner of a rectangular region is reached), ω generates the corresponding set of output symbols. According to this definition the SCS contains the event generator. To formalize the remaining part of the structure shown in Fig. 1 (controller and input selector) a simple state transition system of the Moore-automaton-type suffices: We define the controller automaton as CA = (S, O, φ, U, σ) in which S denotes the set of discrete states (with a start state s 0 S), O again is the discrete output set of SCS (as input alphabet of CA), φ : S O S the state transition function, U again the discrete input set of SCS (as output alphabet of CA) and σ : S U the input selection function. Thus, a state transition of CA is triggered by an output symbol o which is received from the event generator, and the state transition results in a new discrete input vector u of the continuous subsystem. We require that a state transition according to φ is enforced instantaneously by the occurrence of a symbol o. Since we do not consider timers in the controller within this paper, u can only change at points of time at which x(t) reaches a landmark. Furthermore we assume that no external disturbances exist and that chattering does not occur. The latter assumption means that the input trajectory u(t) is piece-wise constant over time: t [t k, t k+1 [: u(t) = u k with only finitely many switching operations on a bounded interval ( non-zeno -behaviour). The task we want to pursue in the sequel is to analyze whether the structure consisting of SCS and CA fulfills or violates a certain specification of its behaviour. Such a specification could be that a set of critical states (either a subset of X or a subset of S) can never be reached from a set of initial states (i. e. a combination of s 0 and a continuous start set X 0 X). The analysis, usually denoted as verification, cannot be carried out directly for a system with continuous dynamics according to Def. 1 as shown e. g. in [HHW98]. First, the dynamics of SCS has to be transformed into a simpler type the next section describes the paradigm of Rectangular Automata for which reachability analysis is feasible in many practical cases. 2

3 3 Rectangular Automata A Rectangular Automaton (RA) is characterized by the property that it contains a set of discrete states, so-called locations, to which continuous dynamics of a special kind is assigned: The time derivative of each continuous variable x j is given as a rectangular predicate which is a conjunction of (in)equalities ẋ j {, =, }c with c IR. Also the permissible range of a variable x j within a location and the propositions over x j which are used as transition labels are specified as rectangular predicates. Definition 2: Rectangular Automaton A Rectangular Automaton is a 7-tuple RA = (V, V ar, inv, act, E, g, r, init) consisting of: a finite set V of locations v V. the finite set V ar = {x 1,..., x n } of continuous variables, each defined on IR; the state space of RA is given by S = V IR n. the function inv : V IR n which assigns an invariant condition as a rectangular predicate to each location v V. The invariant condition is a pair of (in)equalities x j a v j, x j b v j, (av j, bv j IR) for each variable in V ar such that the permissible range of x j in v is a bounded interval. (The violation of inv(v) enforces a transition out of state v.) a function act(v) which maps each location into a set of rectangular predicates for the derivatives of the continuous variables, so-called activities, i. e. in each v V applies for all x V ar a pair of (in)equalities ẋ j a v j, ẋ j b v j, (av j, bv j IR). the set E V V of control switches such that for two locations v, v V a control switch e = (v, v ) is a transition from v to v. a function g(e) which assigns a rectangular predicate, the so-called guard, to each control switch in E as a conjunction of (in)equalities x j {<,, =,, >}a, (a IR). The guard represents a necessary condition for enabling a control switch. the reset function r(e) that sets the values of all variables in V ar with a control switch e to a rectangular predicate given as pair x j a v j, x j b v j, (av j, bv j IR). finally a function init(v) that assigns an initial region for each variable x V ar to each location v. The initial region is again a rectangular predicate given as pair of (in)equalities x j a v j, x j b v j, (av j, bv j IR), and it applies init(v) inv(v). Informally, a run of the rectangular automaton can be understood as follows: A state of RA is a tuple (v, x 1,..., x n ) consisting of the actual location and valuations for all variables in V ar such that (x 1,..., x n ) inv(v). Given an initialization of RA by init(v), the continuous variables evolve with time according to act(v) until either (x 1,..., x n ) / inv(v) applies or a guard g(e) is satisfied. A control switch e into a different location v is enforced in the first and enabled in the second case. If the control switch e = (v, v ) is taken the valuations of the variables are reset by r(e), and the continuous dynamics progresses according to act(v ). Hence, a run of RA is a sequence of control switches with intermediate continuous state evolution. As for the structure described in Sec. 2 we assume non- zeno-behaviour for this type of model. Furthermore, we restrict the behaviour of RA such that for each control switch e = (v, v ) the guard g(e) is a subset of the bounding values of inv(v), and that r(e) either resets a variable x V ar to a bounding value of inv(v ) or leaves its value on that one determined by g(e). With these assumptions the model corresponds semantically to the one introduced as simple RA in [PK+98]. This reference also gives an algorithm for solving the reachability problem in an approximative but conservative manner. Without repeating the details, the principle of the algorithm can be understood as follows: Starting point is an RA with an initial state set S 0 and a forbidden state set S f, both given as rectangular predicates and each a subset of the invariant of a single location. The task is to check if there exists a run of RA with which S f can be reached from S 0. First, the set S 0 ( inv(v)) is conservatively projected forward in time using the derivatives denoted by act(v) until the boundary of inv(v) is reached. The intersection of the forward projection is a set of (n 1)-dimensional hyper-planes called face-region. By a control switch e = (v, v ) with the corresponding r(e), this face-region is mapped into another one which necessarily represents a subset of inv(v ). For this entry region of v given, the exit face-region is again computed by forward projection using act(v ). This procedure is repeated until the reachable region S r of the state space S does not grow anymore (i. e. the algorithm terminates) or the intersection of S r S f becomes nonempty. 4 Approximation of SCS by RA To apply the reachability algorithm for RA to the control setting described in Sec. 2 the structure of SCS and CA has to be transformed into a rectangular automaton. The algorithm in [PK+98] is only applicable to one autonomous RA which is the reason for omitting components for communication (as synchronization labels or i/o-alphabets and -functions) in Def. 2. Thus, SCS and CA have to be modelled as a single RA. Note that Def. 2 includes the case of purely discrete respectively boolean variables x boole contained in V ar if the following applies in all locations and for all control switches: x boole is defined on the set {0, 1} only (instead of IR), the activities are given by ẋ boole = 0, and the rectangular predicates in inv(v), r(e) and init(v) are given such that a v j = bv j {0, 1} respectively xboole = a {0, 1} for 3

4 g(e). Hence, the set V ar = V ar boole V ar real can be divided into a set of boolean variables V ar boole and a set of real-valued variables V ar real. Using the set V ar boole, the switching logic of CA can straightforwardly be implemented as RA: A transition of CA is represented by a control switch e = (v, v ) triggered by a boolean variable. The target location v of e then contains the activities act(v ) which corresponds to the dynamics that is determined by the input selector in terms of the vector u. The SCS part of the control setting is represented in the RA by using the real-valued variables and the corresponding activities. We apply the following transformation rules (similar to [PSK99]): Variables: The set V ar real of the RA is formed by the variables contained in the state vector x of SCS. Locations: One location v V each is assigned to a rectangular subregion of the continuous state space X of SCS. The regions X i obtained in Sec. 2 from introducing the landmark set L generally constitute a very rough partitioning of X since only thresholds which are important for the controller or at which the ODE changes are considered as landmarks. This partitioning is very often not sufficient for an approximation of desired accuracy. Hence, we introduce a finer partitioning grid: For each continuous variable x j a number of g j (> p j ) gridpoints is introduced such that each landmark l j coincides with a gridpoint and largely uniform distances between adjacent gridpoints are obtained. The grid establishes again a rectangular partition of the state space X. Since this partitioning is fixed and independent from the continuous dynamics, we call it a static partitioning (see Sec. 6 for an alternative). The rectangular region, which is bounded by pairs of adjacent gridpoints in all coordinates, is called a cell and denoted by c k C where C = {c 1,..., c µ } stands for the set of all cells. The rectangular region corresponding to c k is referred to as X ck in the sequel. We assign a location v of RA to each cell c k C of the switched continuous system with refined partitioning. Invariant conditions: For each location v V the invariant condition for the n r real-valued variables in V ar real is set up as a conjunction of inequalities a v j = min{x j } x j b v c j = max {x j }, i. e. the admissible range k c k of x j is restricted by the coordinates of the gridpoints enclosing X ck. Activities: An essential part of the transformation of SCS into RA is the simplification of the continuous dynamics. The derivatives given by possibly nonlinear functions f r (x,u k ) according to Def. 1 have to be mapped into the rectangular predicates of act(v). We specify the activities as a conjunction of inequalities a v j = min {ẋ j } c k ẋ j b v j = max c k {ẋ j } for all variables in V ar real. Thus, the activities are given as an inclusion of all derivative values occurring in a cell c k. Our implementation of the modelling and analysis method comprises two options for determining the derivative intervals: (a) The interval bounds a v j, bv j are evaluated by numerical optimization using Sequential Quadratic Programming as standard method for constrained nonlinear optimization [Fle87]. The optimization constraints are given by the invariant conditions. Obviously, the conservativity of the approximation is bound to the fact that the global minima/maxima on X ck are found, which is not guaranteed for arbitrary non-convex functions f r. To some extent the conservativity can be controlled by the choice of the parameters g j. If the global optima are found this method usually gives a relatively accurate approximation for the derivative interval. (b) Alternatively, the derivative interval can be obtained by choosing interval-arithmetics to evaluate the functions f r for the region X ck (compare to [SKE97]). The interval library described in [Knu94] allows an efficient computation of the rectangular predicates for ẋ j. While this approach is conservative and the computational costs usually are considerably smaller than for the optimization, it can lead to large over-approximations, especially for polynomials of high order in f r. Therefore, variant (a) should be preferred as long as the functions f r are convex. Control switches: Control switches e = (v, v ) are introduced into RA for all pairs of locations v, v which correspond to cell regions X c, X c with a shared boundary, i. e. x j V ar real : max{x j } = min{x j }. c c Guard: The guard of a control switch e = (v, v ) is the rectangular predicate that specifies the (n k)- dimensional boundary (k {1,..., n 1}) which is shared by the cell regions X c, X c, when the cells c and c are assigned to the locations v and v. Resets: For all variables in the set V ar real of RA, the reset function r(e) does not change the values with any control switch e (recall that jumps in the continuous trajectory of SCS are excluded). Initial conditions: The initialization function init specifies a subregion of X ck by means of a rectangular predicate for the variables in V ar real. 5 An Example To illustrate the idea of generating and analyzing RA models, we apply it to a simple technical example a RLC-circuit. It consists of a resistor, an induction coil and a capacitor arranged in a circular manner. The capacitor voltage can be modelled as a two-dimensional ODEsystem: ẋ 1 = k 2 (u x 2 ) k 1 x 1, ẋ 2 = x 1, where x 2 denotes the capacitor voltage and x 1 its timederivative. The constants k 1 = 1.8 and k 2 = 1 parametrize 4

5 x initial region u 1 > u 2 steady state approximated reachable region x 1 Figure 2: Analysis results for the RLC-circuit. the circuit, and the total voltage drop u is the system input which can be switched between different discrete values. We assume a simple controller which switches u to a value of 20 for x 1 3, and to u = 1 otherwise. This logic can be easily be modelled by a single binary variable in RA. To transform the continuous dynamics of the RLCcircuit into RA, we first introduce a regular state space partition as shown in Fig. 2. The procedure described in Sec. 4 generates an automaton which contains a control mode for each of the 100 rectangular cells obtained from partitioning. Furthermore, the flow conditions evaluated by optimization as well as the invariants, guards and control switches (transitions) are assigned to each cell. For the resulting automaton the reachable set of location can be determined by using the algorithm described in [PK+98]. As an example, the grey-shaded area in Fig. 2 corresponds to the state space region which is computed to be reachable from the initial cell given by x 1 [ 6, 5.5], x 2 [ 0.5, 0]. As obvious from a comparison to the drawn continuous trajectories (starting from the corner points of the initial region), the grey-shaded region is a conservative over-approximation of the actually reachable set. 6 Dynamic State Space Partitioning With the procedure described above a rectangular automaton is set up which can be analyzed using the method sketched in Sec. 3 (if a set S f is specified additionally). A transformation scheme which is based on a static and almost uniform partitioning of the state space X has often the drawback of unnecessarily high approximation accuracy and computational cost: Assume a gradient field which shows large variations in some parts of the state space and which is almost constant in some other parts of X. To obtain a specified accuracy also in the X-regions with large ẋ-variations over x the parameters g j have to be set to relatively high values, whereas a considerably smaller number of gridpoints would be sufficient for other parts of X. Thus it seems to be suitable to introduce a dynamic partitioning by which the size of the cells is adapted to the gradient field variations. Similar to the step-size adaptation known from numerical integration, we use the following approach to generate the set of cells. Assume that an initial cell set C 0 = {c 1,..., c π } is determined by the landmark set L according to Def. 1. Let C temp denote a temporary cell list and C the final set of cells. A subroutine Activities evaluates the rate interval vector [ẋ] = ([ẋ 1,min, ẋ 1,max ],..., [ẋ n,min, ẋ n,max ]) for a given cell c C temp according to the description in Sec. 4. Another subroutine Partition divides the cell c (with cell region X c ) into two cells which have the same length in coordinate j. The length of c in direction j is denoted = ẋ c,j,max ẋ c,j,min is the absolute variation of ẋ j on X c, and ẋ rel c,j = ẋabs c,j / min c { ẋ j } the corresponding relative variation. The user specifies the following sets of parameters: a lower limit λ j for the cell length x c,j, an upper limit j for by x c,j. Furthermore, ẋ abs c,j ẋ rel c,j, and κ j as maximally permissible absolute variation of ẋ j relative to the variations of ẋ i j. With these specifications, C is generated by the algorithm shown in Fig. 3. A cell c C 0 is divided in each coordinate into two halves as often as necessary to obtain ẋ rel c,j < j provided that the cell length x c,j does not fall below λ j. If zero is contained in [ẋ j ] the cell is partitioned in coordinate j only if the variation of ẋ j exceeds a certain ratio (given by κ j ) relative to the variations of the other derivatives ẋ i j. Note that for each input vector u a different partition is obtained for the region X c which is assigned to a original cell c C 0. However, since switching operations (u 1 u 2 ) occur only at the landmark values (which C temp := C 0, C = WHILE C temp DO { [ẋ] =Activities(c,X c,u,f ) FOR ALL j, i {1,..., n} IF (0 [ẋ j ] AND x c,j > 2 λ j ẋ abs c,j min c{ ẋ i j } > κ j ẋ abs c,i j min c{ ẋ j }) OR (0 / [ẋ j ] AND x c,j > 2 λ j AND ẋ rel c,j > j) C new := Partition (c,x c, j) C temp := (C temp \c) C new ELSE C := C c, C temp := C temp \c END } Figure 3: The partitioning algorithm 5

6 represent a static part of the partitioning) the change between different cell sets C u1 and C u2 is well defined. Figure 4 shows a dynamically partitioned state space for the RLC-circuit described in Sec. 5. Using the parameters λ 1 = 0.16, λ 2 = 0.15, 1 = 2 = 100%, and κ 1 = κ 2 = 20%, the region on the switching boundary s left is not further partitioned due to the nearly constant gradient field. In the region around the steady state, the size of the cells is reduced until a cell length corresponding to λ 1, λ 2 is reached. x u 1 > u x 1 Figure 4: RLC-circuit: Dynamic partitioning 7 Conclusions We have presented an approximation scheme which maps switched continuous systems into rectangular automata such that the behavior of the first system is completely contained in the second one. Thus, the approximation is conservative and can be used to analyze certain reachability problems for switched continuous systems which are not tractable directly. Acknowledgement. We thank Joerg Preußig (Dortmund) for providing the analysis algorithm for simple rectangular automata. The work of the first author was financially supported by the German Research Council (DFG). References [CK99] [Fle87] Chutinan A., Krogh B.H., Verification of Polyhedral-Invariant Hybrid Automata Using Polygonal Flow Pipe Approximations, Proc. 2nd Int. Workshop on Hybrid Systems: Computation and Control, LNCS 1569, 76-90, (1999). Fletcher R., Practical Methods of Optimization, J. Wiley and Sons, (1987). [HHW98] Henzinger T.A., Ho P.-H., Wong-Toi H., Algorithmic Analysis of Nonlinear Hybrid Systems, IEEE Transactions on Automatic Control, 43(4), , (1998). [HK+95] Henzinger T.A., Kopke P.W., Puri A., Varaiya P., What s decidable about Hybrid Automata, Proc. 27th Annual Symposium on Theory of Computing, , (1995). [Knu94] [Kui95] [Lun94] [Pre97] Knueppel O., PROFIL/BIAS A Fast Interval Library, Computing, 53, , (1994). Kuipers B., Qualitative Simulation, Artificial Intelligence, 29, , (1995). Lunze J., Qualitative Modelling of Linear Dynamical Systems with Quantized State Measurements, Automatica, 30(3), , (1994). Preisig, H.A., A Discrete Modelling Procedure for Continuous Processes based on State Discretization, Proc. 2nd IMACS Symposium on Mathematical Modelling, , (1997). [PK+98] Preußig J., Kowalewski S., Wong-Toi H., Henzinger T.A., An Algorithm for the Approximative Analysis Of Rectangular Automata, Proc. Formal Techniques for Real-time and Fault-tolerant Systems, LNCS 1486, , (1998). [PSK99] [Rai97] [SKE97] [SK+96] Preußig J., Stursberg O., Kowalewski S., Reachability Analysis of a Class of Switched Continuous Systems by Integrating Rectangular Approximation and Rectangular Analysis, Proc. 2nd Int. Workshop on Hybrid Systems: Computation and Control, LNCS 1569, , (1999). Raisch J., Nondeterministic Automata as Approximations for Continuous Systems - an Approach with an Adjustable Degree of Accuracy, Proc. 2nd IMACS Symposium on Mathematical Modelling, , (1997). Stursberg O., Kowalewski S., Engell S., Generating Timed Discrete Models of Continuous Systems, Proc. 2nd IMACS Symposium on Mathematical Modelling, , (1997). Stursberg O., Kowalewski S., Hoffmann I., Preußig J., Comparing Timed and Hybrid Automata as Approximations of Continuous Systems, Hybrid Systems IV, LNCS 1273, , (1996). 6