Verification of Hybrid Systems

Transcription

1 Verification of Hybrid Systems Goran Frehse Universite Grenoble 1, Verimag - with work from Thao Dang, Antoine Girard and Colas Le Guernic - MOVEP 08, June 25,

2 Boeing & Tupolew Collision B TU154M! Überlingen, July 1, :33:03 Alarm from Traffic Collision Avoidance System (TCAS) 2

3 Boeing & Tupolew Collision B TU154M! Überlingen, July 1, :33:03 Alarm from Traffic Collision Avoidance System (TCAS) 21:34:49 Human air traffic controller command 3

4 Boeing & Tupolew Collision B TU154M! Überlingen, July 1, :33:03 Alarm from Traffic Collision Avoidance System (TCAS) 21:34:49 Human air traffic controller command 21:34:56 TCAS recommendation 4

5 Boeing & Tupolew Collision B TU154M! Überlingen, July 1, :33:03 Alarm from Traffic Collision Avoidance System (TCAS) 21:34:49 Human air traffic controller command 21:34:56 TCAS recommendation 21:35:32 Collision 5

6 2 Boeing & Tupolew Collision B TU154M Überlingen, July 1, :33:03 Official Inquiry Recommendation:! Alarm from Traffic Collision Avoidance System (TCAS) pilots are are to to obey and 21:34:49 and follow TCAS advisories, regardless of of whether command contrary instruction is is given 21:34:56 Requires high confidence design Human air traffic controller TCAS recommendation 21:35:32 Collision 6

7 Formal Verification Model of System Formal Specification Revise Design Verification (algorithmic) Incorrect / Unknown Correct TCAS verified in part [Livadas, Lygeros, Lynch, 00] 7

8 Join Maneuver [Tomlin et al.] Traffic Coordination Problem join paths at different speed Goals avoid collision join with sufficient separation 8

9 Join Maneuver [Tomlin et al.] Traffic Coordination Problem join paths at different speed Goals avoid collision join with sufficient separation disturbances Models Environment: Planes Software: Controller switches fast/slow Specification keep min. distance 9

10 Characteristics Formal Verification mathematical rigor (sound proofs & algorithms) exhaustive In this talk: Reachability Analysis initial states run (trajectory) forbidden states reachable states = states on any run 10

11 Join Maneuver [Tomlin et al.] reachable states blue plane time reachable states yellow plane 11

12 Join Maneuver [Tomlin et al.] reachable states blue plane Possible collision! time reachable states yellow plane 12

13 Key Problems Formal Verification computable (decidable) only for simple dynamics computationally expensive representation of / computation with continuous sets 13

14 Formal Verification Fighting complexity with overapproximations simplify dynamics set representations set computations Overapproximations should be conservative easy to derive and compute with accurate (not too many false positives) 14

15 Outline I. Hybrid Automata and Reachability II. Reachability for Simple Dynamics a) Linear Hybrid Automata b) Piecewise Affine Hybrid Systems III. Application to Complex Dynamics a) Hybridization Techniques b) Abstraction Refinement 15

16 Formal Verification Model of System Formal Specification Revise Design Verification (algorithmic) Incorrect / Unknown Correct TCAS verified in part [Livadas, Lygeros, Lynch, 00] 16

17 Formal Verification Model of System Model of Physics Model of Software continuous dynamics discrete dynamics ẋ = f(x) 17

18 Modeling Hybrid Systems Example: Bouncing Ball ball with mass m and position x in free fall bounces when it hits the ground at x = 0 initially at position x 0 and at rest x F g 0 18

19 Part I Free Fall Condition for Free Fall ball above ground: x 0 x F g First Principles (physical laws) gravitational force : F g = mg g=9.81m/s 2 0 Newton's law of motion : mẍ=f g 19

20 Part I Free Fall F g = mg mẍ = F g Obtaining 1 st Order ODE System ordinary differential equationẋ=f(x) transform to 1st order by introducing variables for higher derivatives x 0 F g here:v=ẋ: ẋ = v v = g 20

21 Part II Bouncing Conditions for Bouncing ball at ground position:x=0 downward motion:v<0 Action for Bouncing velocity changes direction loss of velocity (deformation, friction) v:= cv,0 c 1 21

22 Combining Part I and II Free Fall whilex 0, ẋ = v v = g continuous dynamics ẋ = f(x) Bouncing ifx=0andv<0 v := cv discrete dynamics x G x:=r(x) 22

23 Hybrid Automaton Model x=x 0 v=0 initial conditions location invariant flow freefall x 0 ẋ = v v = g bounce x=0 v<0 v:= cv label guard reset discrete transition 23

24 Hybrid Automata H =(Loc,Var,Ini,Inv,Trans,Lab,Flow) Defining Inhabited State Space: LocationsLoc {freefall} VariablesVar {x,v} Valuation: x R Vars attributes a real value to each variable State: s=(l,x), withl Loc,x R Vars Initial states Ini Loc R Vars {(freefall,(x=x 0,v=0))} InvariantInv Loc R Vars {(freefall,(x 0,v R))} 24

25 Hybrid Automata Discrete Dynamics Defining Discrete Dynamics: Trans (l,α,g,r,l ) Trans, with R labelα Lab, guardg R Vars, resetr:r Vars 2 RVars (l,x) G (l,r(x)) Semantics: Discrete Transition can jump from (l,x) to (l, x ) if x G and x R(x) 25

26 Hybrid Automata Cont. Dynamics Defining Continuous Dynamics: Flow Flow :Loc R Vars 2 RVars for each location l differential inclusion ẋ Flow(l,x) Semantics: Time Elapse change state along x(t) as time elapses x(t) must be in invariant Inv ẋ(t) Flow(l,x) 26

27 Hybrid Automata Cont. Dynamics Bouncing Ball: Flow: x,v ẋ = v v = g v(0) x(0) x(t) t v(t) 27

28 Run Hybrid Automata - Semantics sequence of discrete transitions and time elapse Execution run that starts in the initial states x 0 (t) x 2 (t) x 1 (t) 28

29 Execution of Bouncing Ball position x x 0 0 x 0 (t) x 1 (t) x 2 (t) x3 (t) x4 (t) δ 0 δ 1 δ 2 δ 3 δ 4 time t v 0 velocity v 0 v 0 (t) v 1 (t) v 2 (t)v 3 (t) v 4 (t) δ 0 δ 1 δ 2 δ 3 δ 4 time t 29

30 Execution of Bouncing Ball State-Space View (infinite time range) position x x 0 x 0 (t) x 1 (t) x 2 (t) 0 discrete transition velocity v 30

31 Formal Verification Model of System Formal Specification Revise Design Verification (Reachability) Incorrect / Unknown Correct TCAS verified in part [Livadas, Lygeros, Lynch, 00] 31

32 Computing Reachable States Reachable states: Reach(S) any state encountered in a run starting in S S position x 0 velocity v 32

33 Computing Reachable States Compute successor states discrete transitions :Post d (R) time elapse :Post c (R) R 1 =Post c (R 0 ) R 0 R 3 =Post c (R 2 ) 0 R 2 =Post d (R 1 ) 33

34 Computing Reachable States Fixpoint computation Initialization:R 0 =Ini Recurrence:R k+1 =R k Post d (R k ) Post c (R k ) Termination:R k+1 =R k Reach=R k. Problems in general termination not guaranteed time-elapse very hard to compute with sets 34

35 Why should we care? Chapter Summary Reachability Analysis is a set-based computation that can answer many interesting questions about a system (safety, bounded liveness, ) What s the problem? The hardest part is computing time elapse. Explicit solutions only for very simple dynamics. What s the solution? First study simple dynamics. Then apply these techniques to complex dynamics. 35

36 Outline I. Hybrid Automata and Reachability II. Reachability for Simple Dynamics a) Linear Hybrid Automata b) Piecewise Affine Hybrid Systems III. Application to Complex Dynamics a) Hybridization Techniques b) Abstraction Refinement 36

37 In this Chapter A very simple class of hybrid systems Exact computation of discrete transitions and time elapse Note: Reachability (and pretty much everything else) is nonetheless undecidable. A case study 37

38 Linear Hybrid Automata Continuous Dynamics piecewise constant: ẋ = 1 intervals: ẋ [1, 2] conservation laws: ẋ 1 + ẋ 2 = 0 general form: conjunctions of linear constraints a ẋ b, a Z n, b Z, {<, }. = convex polyhedron over derivatives 38

39 Discrete Dynamics Linear Hybrid Automata affine transform: x := ax + b with intervals: x 2 := x 1 ± 0.5 general form: conjunctions of linear constraints (new value x ) a x+a x b, a, a Z n, b Z, {<, } = convex polyhedron over x and x 39

40 Linear Hybrid Automata Invariants, Initial States general form: conjunctions of linear constraints a x b, a Z n, b Z, {<, }, = convex polyhedron over x 40

41 Reachability with LHA Compute discrete successor states Post d (S) all x for which exists x Ss.t. x G x R(x) Inv Operations: existential quantification intersection standard operations on convex polyhedra 41

42 Reachability with LHA Compute time elapse states Post c (S) Theorem [Alur et al.] Time elapse along arbitrary trajectory iff time elapse along straight line (convex invariant). Inv time elapse along straight line can be computed as projection along cone [Halbwachs et al.] 42

43 9 Reachability with LHA [Halbwachs, Henzinger, 93-97] 1. get projection cone invariant 2. time elapse by projection 3. compute successors of transitions successors initial states derivatives projection cone 43

44 8 5 Multi-Product Batch Plant 44

45 Multi-Product Batch Plant LIS 11 LIS 12 LIS 13 Cascade mixing process 3 educts via 3 reactors 2 products M M M Verification Goals LIS 21 QIS 21 LIS 22 QIS 22 LIS 23 QIS 23 Invariants overflow product tanks never empty Filling sequence LIS 31 LIS 32 Design of verified controller 45

46 Switched Buffer Network Buffers s 1,,s n store material continuous level x 1,,x n Channels transport material from buffer to buffer continuous throughput v(s,s ), nondeterministic inside interval Switching activate/deactivate channels discretely x=x M x=0 v in v out x Buffer 46

47 Continuous Dynamics Stationary throughput v [a,b] Source buffer empty throughput may seize, v [0,b] inflow of source = outflow of source Target buffer full throughput may seize, v [0,b] inflow of target = outflow of target 47

48 Buffer Automaton Model tank levels = cont. variables x i incoming flow v in (s)= s v(s,s) outgoing flow v out (s)= s v(s,s ) 48

49 Channel Automaton Model throughput = algebraic variable (will be projected away) this case study: omit saturation 49

50 Production Schedule uses 3 reactors in parallel transfers of batches from one tank to another formally a control strategy: locations cont. variables locations 50

51 Verification with PHAVer Controller automaton model 78 locations ASAP transitions Controller + Plant 266 locations, 823 transitions (~150 reachable) Reachability over infinite time 120s 1243s, MB computation cost increases with nondeterminism (intervals for throughputs, initial states) Controller Controlled Plant 51

52 Verification with PHAVer 52

53 Outline I. Hybrid Automata and Reachability II. Reachability for Simple Dynamics a) Linear Hybrid Automata b) Piecewise Affine Hybrid Systems III. Application to Complex Dynamics a) Hybridization Techniques b) Abstraction Refinement 53

54 In this Chapter Another class of (not quite so) simple dynamics but things are getting serious (no explicit solution for sets) Exact Computation time elapse only at discrete points in time used to overapproximate continuous time Efficient data structures 54

55 Piecewise Affine Hybrid Systems Affine dynamics Flow: ẋ = Ax + b (deterministic) ẋ Ax + B, with B a set (nondeterministic) For time elapse it s enough to look at a single location. 55

56 Linear Dynamics Let s begin with autonomous part of the dynamics: ẋ = Ax, x R n Known solutions: analytic solution in continuous time explicit solution at discrete points in time (up to arbitrary accuracy) Approach for Reachability: Compute reachable states over finite time: Reach [0,T] (X Ini ) Use time-discretization, but with care! 56

57 Time-Discretization for an Initial Point Analytic solution: with t = δk : x(t) = e At x Ini x 3 x(t) x(δ(k + 1)) = e Aδ x(δk) x 0 x 1 x 2 0 δ 2δ 3δ t Explicit solution in discretized time (recursive): x 0 = x Ini x k+1 = e Aδ x k multiplication with const. matrix e Aδ = linear transform 57

58 Time-Discretization for an Initial Set Explicit solution in discretized time X 0 X 1 X 2 X 0 = X Ini X k+1 = e Aδ X k Reach [0,3δ] (X Ini ) Acceptable solution for purely continuous systems x(t) is in ǫ(δ)-neighborhood of some X k Unacceptable for hybrid systems discrete transitions might fire between sampling times if transitions are missed, x(t) not in ǫ(δ)-neighborhood 0 δ 2δ X 3 3δ t 58

59 Bouncing Ball X 90 = In other examples this error might not be as obvious 59

60 Goal: Reachability by Time-Discretization Compute sequence Ω k over bounded time [0,Nδ] such that: Reach [0,Nδ] (X Ini ) Ω 0 Ω 1... Ω N Approach: Refine Ω k by recurrence: Ω 2 Ω k+1 = e Aδ Ω k Condition for Ω 0 : Ω 0 Ω 1 Reach [0,3δ] (X Ini ) Reach [0,δ] (X Ini ) Ω 0 0 δ 2δ 3δ t 60

61 Time-Discretization with Convex Hull Overapproximating Reach [0,δ] : X 1 X 0 Reach [0,δ] (X Ini ) Conv(X 0,X 1 ) Bloat(Conv(X 0,X 1 )) 61

62 Time-Discretization with Convex Hull Bouncing Ball: X 1 Ω 0 X 0 X 1 Ω 0 X 0 62

63 Nondeterministic Affine Dynamics Let s include the effect of inputs: ẋ = Ax + Bu, x R n, u U R p variables x 1,,x n, inputs u 1,,u p Input u models nondeterminism ẋ Ax + BU used later for overapproximating nonlinear dynamics 63

64 Nondeterministic Affine Dynamics Analytic Solution x(t) = e Aδ x(0) + autonomous dynamics τ 0 e A(δ τ) Bu(τ)dτ influence of inputs influence of inputs Reach [0,3δ] (X Ini ) 0 δ 2δ 3δ t 64

65 Nondeterministic Affine Dynamics How far can the input push the system in δ time? V = box with radius e A δ 1 A sup u U Bu Ω 0 = Bloat(Conv(X Ini, e Aδ X Ini )) V Ω k+1 = e Aδ Ω k V Minkowski Sum: A B ={a + b a A, b B} 65

66 Nondeterministic Affine Dynamics Ω 2 = e Aδ Ω 1 V e Aδ Ω 1 Ω 1 Ω 0 0 δ 2δ 3δ t 66

67 Implementing Reachability Find representation for continuous sets with linear transformation ( Ω κ+1 = Φ Ω κ ) Minkowski Sum intersection (with guards) 67

68 Polyhedra Finite conjunction of linear constraints P ={x Ax b}. a T 1 x b 1 a T 2 x b 2 a T 5 x b 5 a T 3 x b 3 a T 4 x b 4 68

69 Operations on Polyhedra Linear Transformation transform matrix O(n 3 ) Minkowski Sum need to compute vertices O(exp(n)) Intersection join lists of constraints O(1) 69

70 Zonotopes Central symmetric polyhedron Z=(c, v 1,...,v m )= c+ m i=1 α i v i α i [ 1,1]. center generators zonotope (2 dimensional) generators center 70

71 Operations on Zonotopes Linear Transformation transform generators O(n 2 ) Minkowski Sum join lists of generators O(1) Intersection ΦZ=(Φc, Φv 1,...,Φv m ) Z Z =(c+c, v 1,...,v m,v 1,...,v m ) Problem: intersection of zonotopes is not a zonotope overapproximate 71

72 Quadratic form Ellipsoids matrix or generator representation E= { x x T Qx+Ax b }. 72

73 Operations on Ellipsoids Linear Transformation transform generators O(n 2 ) Minkowski Sum Problem: result is not an ellipsoid overapproximate Intersection Problem: intersection of ellipsoids is not an ellipsoid overapproximate 73

74 Implementing Reachability Complexity of 1 Step of Time Elapse: Polyhedra: O(exp(n)) Zonotopes: O(n 2 ) Problem: With each iteration, Ω i get more complex Ω k+1 = e Aδ Ω k V Minkowski sum increases number of Polyhedra: constraints Zonotopes: generators 74

75 Wrapping Effect Fight complexity by overapproximation Overapproximated Sequence ˆΩ k+1 = Approx(e Aδ ˆΩk V ) accumulation of approximations Wrapping Effect exponential increase in approximation error! 75

76 Wrapping Effect Exact vs. overapproximation dimension 5 for 600 time steps overapproximation with 100 generators 76

77 Wrapping Effect ˆΩ k+1 = Approx(e Aδ ˆΩk V ) How does error accumulate? linear transformation (scaling error up exp) adding V is added (adding some more error) 77

78 Wrapping Effect ˆΩ k+1 = Approx(e Aδ ˆΩk V ) = e Aδ Ω 0 V 78

79 Wrapping Effect ˆΩ k+1 = Approx(e Aδ ˆΩk V ) ˆΩ 1 Ω 1 V 79

80 Wrapping Effect ˆΩ k+1 = Approx(e Aδ ˆΩk V ) ˆΩ 2 e Aδ ˆΩ1 Ω 2 V 80

81 Wrapping Effect ˆΩ k+1 = Approx(e Aδ ˆΩk V ) ˆΩ 3 not even touching! Ω 3 e Aδ ˆΩ2 81

82 Fighting the Wrapping Effect Separate transformations and Minkowski sums: Ω k+1 = e (k+1)δa Ω 0 e kδa V ( e (k 1)δA V V ). R i+1 V i S i 4 Sequences: R i+1 = e δa R i, V i+1 = e δa V i, S i+1 = S i V i, Ω i+1 = R i+1 S i+1 Si+1 R 0 = Ω 0, V 0 = V, S 0 ={0} 82

83 4-Sequence Algorithm R k+1 = e δa R k, V k+1 = e δa V k, S k+1 = S k V k, Ω k+1 = R k+1 S k+1 Only transformations in R k and V k complexity independent of k no overapproximation necessary Only Minkowski sum in S k and Ω k growing number of generators, but no longer transformed O(Nn 3 ) instead of O(N 2 n 3 ) 83

84 4-Sequence Algorithm R k+1 = e δa R k, V k+1 = e δa V k, Ŝ k+1 = ˆΩ k+1 = Ŝk Approx(V k ), R k+1 Ŝk+1 Use overapproximation with Approx(X) Approx(Y ) =Approx(X Y ) bounding box, octagonal, etc. No accumulation of error: Ŝ k = Approx(S k ) ˆΩ k Approx(Ω k ) 84

85 Fighting the Wrapping Effect Exact vs. overapproximation dimension 5 for 600 time steps overapproximation with bounding box 85

86 Experimental Results Time and memory for 100 steps 4-Sequence Zonotopes 4-Sequence Box Zonotope, 20 Gen. 4-Sequence Zonotopes 4-Sequence Box Zonotope, 20 Gen. 86

87 Outline I. Hybrid Automata and Reachability II. Reachability for Simple Dynamics a) Linear Hybrid Automata b) Piecewise Affine Hybrid Systems III. Application to Complex Dynamics a) Hybridization Techniques b) Abstraction Refinement 87

88 In this Chapter Complex nonlinear dynamics and how to overapproximate them with simpler dynamics How to keep approximation error small Strategic heuristics to improve performance 88

89 Hybridization Goal: Overapproximation of H with simpler dynamics approximation error ǫ Observation: approximation error depends on size of invariant in each location Approach: split locations until all invariants small enough overapproximate dynamics in each location 89

90 Splitting Locations x Inv 1 (l) ẋ Flow(l,x) x Inv(l) ẋ Flow(l,x) τ τ x Inv 2 (l) ẋ Flow(l,x) same behavior as before if τ-transitions don t change variables and are unobservable Inv 1 Inv 2 = Inv (and some details) 90

91 Overapproximating Dynamics x Inv(l) ẋ Flow(l,x) x Înv(l) ẋ Flow(l,x) same or more behavior as before if Inv(l) Înv(l) Flow(l, x) Flow(l, x) 91

92 From Affine to LHA-Dynamics ẋ Ax + B, B R n ẋ C, C R n By definition x Inv(l): overapproximation C ={x x Inv(l) : x Ax + B} If B,Inv polyhedra C polyhedron O(exp(n)) 92

93 From Affine to LHA-Dynamics ẋ Ax + B, B R n ẋ C, C R n 93

94 Hybridization with LHA Bouncing Ball Dynamics dynamics of x are affine (depend on v). Invariant: x 0 no restriction on v entire invariant reachable ẋ = v v = g ẋ R 94

95 Hybridization with LHA Bouncing Ball Dynamics Split v axis in K parts ẋ = v v = g on bounded subset v [-2,2] Arbitrary accuracy for small enough K ẋ {v±4/k} K ẋ v 95

96 Hybridization with LHA Bouncing Ball Reachable states for K=64: 96

97 6 Tunnel Diode Oscillator Tunnel Diode V& 1 C = ( d C L ) C I ( V ) + I V d I& 1 = ( V RI + V ) L L C L in What are good parameters? startup conditions parameter variations disturbances 97

98 6 Tunnel Diode Oscillator R=0.20Ω Oscillation I L [ma] initial states Time [µs] V C [V] 98

99 6 Tunnel Diode Oscillator R=0.24Ω Stable equilibrium I L [ma] initial states Time [µs] V C [V] 99

100 Tunnel Diode Oscillator Tunn el Diode Analog/Mixed Signal Circuit V& I& C L = = 1 L ( I d ( VC + I L ) ( V RI + V ) 1 C ) C L in Formal Model I L [ma] Reachability Analysis V C [V] Oscillation Jitter Guaranteed Safety Property 100

101 9 Reachability Analysis I L [ma] 1. Hybridization Partition State Space (on the fly) Switching between Hybrid System V C [V] 101

102 9 Reachability Analysis I L [ma] V C [V] vector field 1. Hybridization Partition State Space (on the fly) Switching between Hybrid System 2. Overapproximation Linear Hybrid Automata Polyhedral enclosure of actual trajectories 102

103 10 Reachability Analysis I L [ma] V C [V] Efficiency through adapting partitions to dynamics overapproximation of complex polyhedra with simplified polyhedra Good performance Reachability with high accuracy in 72s, 127MB Partition depending on dynamics 103

104 Hybridization with LHA Problems with high accuracy requires small partitions small partitions small fractional coefficients large integer representations complex dynamics complex fixpoint Simplification of polyhedra needed must be overapproximations 104

105 12 Limiting the Number of Bits 1. truncate bits of coefficients 2. push plane to outside (solve LP) 3. snap to next largest integer y 1 7 bit 109 x 121 y 100 y 1 y 1 6 x 6 y? 6 x 6 y x 6 y x 3 bit 0 1 x 0 1 x 105

106 Limiting the Number of Bits 1. truncate bits of coefficients 2. push plane to outside (solve LP) 3. snap to next largest integer y 1 7 bit 109 x 121 y 100 y 1 y 1 6 x 6 y? 6 x 6 y x 6 y x 3 bit 0 1 x 0 1 x in practice large problems infeasible without guarantees termination finite number of possible constraints but: unbounded error 106

107 13 Limiting the Number of Constraints 45 B 90 A C 45 F D E 135 Reduce from m to z constraints Significance Measure f(m,d) Volume: exp Slack: LP max. angle: m 2 d B A 45 2 F D 3 1 C 30 From 6 to 5 constraints - min i j a it a j Heuristics to choose constraints deconstruction: drop (m-z) least significant reconstruction: add z most significant Experiments: angle & reconstr in 4 dim: < 2 sec. (1000x faster than slack) 107

108 22 Clocked Tunnel Diode Oscillator g(x 1 ) Nonlinearity x 1 2-dim. oscillator + clock to measure bound on cycle time = 3-dim. system x I L [ma] V d [V] t [µs] x

109 23 Clocked Tunnel Diode Oscillator Limiting at every iteration bad prohibitively expensive convergence problems Trigger limiting at threshold 300 bits 16 bits 56 constraints 32 constraints Comparison for low accuracy: 12x faster, 20% memory Loss of accuracy: < 0.3% Max. Constraints Max. Bits Max. # of Bits unlimited limited Iteration Max. # of Constraints unlimited limited Iteration 109

110 Hybridization with LHA Problem with reachability computations: fixpoint may be complex or even not representable by finite number of polyhedra (spirals ) Apply overapproximation techniques Splitting locations can localize error approximation error limited to invariant small invariant small error 110

111 3rd-Order Delta Sigma Modulator Analog/Digital converter linear circuit + 1-bit quantizer 3 discrete-time integrators To show: quantizer input in [-2,2] Monitor quantizer input Richard Schreier. The delta-sigma toolbox version 6.0, January

112 All runs of fixed length Symbolic Execution const. input, cont. set of initial states Depth Time Polyh. Failure Detected CheckMate 3min PHAVer s 116 No Failure PHAVer 100 6min 189,414 Advantage Find errors after few time steps Drawback Combinatorial explosion inherent in switching algorithm prevents longer horizons Quantizer ok: x 3 2 [-2,2] x x Quantizer ok: x 3 2 [-2,2] x 1 x 3

113 Delta-Sigma Modulator Variable Input All runs of fixed length cont. set of initial states Variable Input changing to arbitrary values at each sampling step modeled using state variable 4-dimensional system greatly increased complexity x 3 x 3 Quantizer overload Quantizer overload x 1 Depth Time Failure Detected, u [0,0.8] PHAVer 9 195s No Failure, u [0.5,0.6] PHAVer 18 12min Polyh x 2 113

114 Delta-Sigma Modulator - Reachability Infinite time horizon Compute convex hull cover state space, so eventually new states will be contained Limit bits + constraints Localize overapproximation by partitioning otherwise too large in undesirable directions Computation: 34min, 224MB x 3 x 2 x 1 Saturation Bounds guaranteed 114 x 3

115 Continuous Time System Nonlinear Dynamics ẋ = F(x) Hybridization partition state space (invariant) into small regions overapproximate with simpler dynamics in each region 115

116 Continuous Time System Nonlinear Dynamics ẋ = F(x) Approximation with affine dynamics ẋ = Ax+Bu,u U U modeling approximation error determine U such that F(x) Ax BU 116

117 Van der Pool Oscillator Nonlinear Continuous Time System ẋ = y ẏ = y(1 x 2 ) x Reachability Analysis using Hybridization approximation with piecewise affine dynamics uniform triangular mesh, partition of size 0.05 result used in detection of limit cycle 117

118 Reachable states Van der Pool Oscillator 118

119 Outline I. Hybrid Automata and Reachability II. Reachability for Simple Dynamics a) Linear Hybrid Automata b) Piecewise Affine Hybrid Systems III. Application to Complex Dynamics a) Hybridization Techniques b) Abstraction Refinement 119

120 16 Forward/Backward Refinement - Principle To show: bad states not reachable Observation: Small partitions not leading to bad states Solution: forward/backward between initial and bad states smaller partitions at each step Partitions Final states Initial states Reachable states 120

121 17 F/B-Refinement - Example Step 1 a) Forward reachability with coarse partition R 1 Step 2 a) Restrict final states and invariants to R 1 b) Backward reachability with finer partition R 2 Step 3 a) Restrict final states and invariants to R 2 b) Backward reachability with finer partition R 3 final states not reachable 121

122 15 Voltage Controlled Oscillator 3-dim. system with nonlinearity Goal: Show invariance of cycle No success after 20min, 1GB RAM 64x accuracy needed 20h, 64GB? 122

123 F/B-Refinement of VCO I L [ma] ii. final states F/B-Refinement final (forbidden) := states outside initial V C [V] initial states not reachable any cycle passes through initial states C D ii. B A hybrid automaton 123

124 F/B-Refinement of VCO initial states V D2 15 steps F/B-Refinement last iteration vanishes 1 final (forbidden) := states outside initial overapprox. harmless V D1 not reachable any cycle passes through initial states C D ii. Success 11.5h, 1.7GB RAM B A hybrid automaton 124

125 2 Navigation Benchmark Fehnker, Ivancic. Benchmarks for Hybrid Systems Verification. HSCC'04 Balloon driven by wind moving object in plane forbidden states reachable states 4-dimensional piecewise affine dynamics (position, velocity) equilibrium velocity depends on position Instances NAV01-NAV29 with increasing difficulty Verification Task: Reachability of forbidden states NAV02 direction of equilibrium velocity initial velocities initial states target states 125

126 19 forbidden states initial velocities initial states Navigation Benchmark NAV02 NAV04 NAV05 Instance Tool NAV01 NAV02 NAV03 NAV04 NAV05 NAV06 d/dt Verimag 00 ~30s ~150s? No results with: Pred. Abstr. UPenn 02 4x250MHz Sun 34s 153s 68MB 152s 180MB -?- PHAVer 05/ GHz P4 5s 27MB 6s 27MB 6s 27MB 8s 48MB TimePass Stanf. 06 PIII(!) 5s 2MB 73s 5MB 78s 5MB 1191s 16MB HyTech ( 95-00, Henzinger) CheckMate ( 98-05, CMU) HSOLVER ( 05, MPI) 5s 10s 10s 75s PHAVer F/B-Ref. 05 3GHz Xeon Doyen, Henzinger, Raskin Sept. 05 PHAVer F/B-Ref GHz P4 32s 59MB 34s 60MB 33s 60MB 81s 52MB 46000s 529MB 48000s 575MB 126

127 forbidden states Navigation Benchmark NAV02 NAV04 NAV05 initial velocities initial states Tool Instance d/dt Verimag 00 Pred. Abstr. UPenn 02 4x250MHz Sun PHAVer 05/ GHz P4 TimePass Stanf. 06 PIII(!) PHAVer F/B-Ref. 05 3GHz Xeon PHAVer F/B-Ref GHz P4 NAV01 NAV02 NAV03 NAV04 NAV05 NAV06 ~30s ~150s? 34s 153s 68MB 152s 180MB -?- 5s 27MB 6s 27MB 6s 27MB 8s 48MB 5s 2MB 73s 5MB 78s 5MB 1191s 16MB Only results: PHAVer & TimePass 5s 10s 10s 75s Doyen, Henzinger, Raskin Sept s 59MB 34s 60MB 33s 60MB 81s 52MB 46000s 529MB 48000s 575MB 127

128 forbidden states Navigation Benchmark NAV02 NAV04 NAV05 initial velocities initial states Tool Instance NAV01 NAV02 NAV03 NAV04 NAV05 NAV06 d/dt Verimag 00 ~30s ~150s? Pred. Abstr. UPenn 02 4x250MHz Sun 34s 153s 68MB 152s 180MB -?- PHAVer 05/ GHz P4 5s 27MB 6s 27MB 6s 27MB 8s 48MB TimePass Stanf. 06 PIII(!) 5s 2MB 73s 5MB 78s 5MB 1191s 16MB 5s 10s 10s 75s convergence problems widening? [Halbwachs] convergence problems widening? [Halbwachs94] PHAVer F/B-Ref. 05 3GHz Xeon Doyen, Henzinger, Raskin Sept. 05 PHAVer F/B-Ref GHz P4 32s 59MB 34s 60MB 33s 60MB 81s 52MB 46000s 529MB 48000s 575MB 128

129 Navigation Benchmark NAV05 high accuracy required 129

130 Bibliography Hybrid Systems Theory Rajeev Alur, Costas Courcoubetis, Nicolas Halbwachs, Thomas A. Henzinger, Pei-Hsin Ho, Xavier Nicollin, Alfredo Olivero, Joseph Sifakis, and Sergio Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science 138:3-34, 1995 Thomas A. Henzinger. The theory of hybrid automata. Proceedings of the 11th Annual Symposium on Logic in Computer Science (LICS), IEEE Computer Society Press, 1996, pp Linear Hybrid Automata Thomas A. Henzinger, Pei-Hsin Ho, and Howard Wong-Toi, HyTech: The next generation. RTSS 95 Goran Frehse. PHAVer: Algorithmic Verification of Hybrid Systems past HyTech. HSCC

131 Bibliography Affine Dynamics E. Asarin, O. Bournez, T. Dang, and O. Maler. Approximate Reachability Analysis of Piecewise-Linear Dynamical Systems. HSCC 00 A. Girard, C. Le Guernic, and O. Maler. Efficient computation of reachable sets of linear time-invariant systems with inputs. HSCC 06 Hybridization and Nonlinear Dynamics Thomas A. Henzinger, Pei-Hsin Ho, and Howard Wong-Toi. Algorithmic analysis of nonlinear hybrid systems. IEEE Transactions on Automatic Control 43: , 1998 E. Asarin, T. Dang, and A. Girard. Reachability Analysis of Nonlinear Systems Using Conservative Approximation. HSCC 03 Forward/Backward Refinement G. Frehse, B. H. Krogh, R. A. Rutenbar. Verifying Analog Oscillator Circuits Using Forward/Backward Abstraction Refinement. DATE

132 Verification Tools for Hybrid Systems HyTech: LHA PHAVer: LHA + affine dynamics d/dt: affine dynamics + controller synthesis Matisse Toolbox: zonotopes HSOLVER: nonlinear systems 132