Discrete abstractions of hybrid systems for verification

Similar documents
Verification of hybrid systems. Thanks to

Semi-decidable Synthesis for Triangular Hybrid Systems

ESE601: Hybrid Systems. Introduction to verification

Modeling & Control of Hybrid Systems. Chapter 7 Model Checking and Timed Automata

Lecture 6: Reachability Analysis of Timed and Hybrid Automata

Hybrid systems and computer science a short tutorial

Omid Shakerniat George J. Pappas4 Shankar Sastryt

APPROXIMATE SIMULATION RELATIONS FOR HYBRID SYSTEMS 1. Antoine Girard A. Agung Julius George J. Pappas

The algorithmic analysis of hybrid system

Models for Efficient Timed Verification

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

Recent results on Timed Systems

Modeling and Analysis of Hybrid Systems

Abstractions for Hybrid Systems

Automata-theoretic analysis of hybrid systems

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Minimizing Cubic and Homogeneous Polynomials over Integers in the Plane

On simulations and bisimulations of general flow systems

An Introduction to Hybrid Systems Modeling

Verifying Safety Properties of Hybrid Systems.

Algorithmic Verification of Stability of Hybrid Systems

Timed Automata. Semantics, Algorithms and Tools. Zhou Huaiyang

Linear Time Logic Control of Discrete-Time Linear Systems

ONR MURI AIRFOILS: Animal Inspired Robust Flight with Outer and Inner Loop Strategies. Calin Belta

Modeling and Analysis of Hybrid Systems


Lecture 6 Verification of Hybrid Systems

Deterministic Dynamic Programming

An introduction to hybrid systems theory and applications. Thanks to. Goals for this mini-course. Acknowledgments. Some references

Approximately Bisimilar Finite Abstractions of Stable Linear Systems

CEGAR:Counterexample-Guided Abstraction Refinement

540 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL Algorithmic Analysis of Nonlinear Hybrid Systems

Approximation Metrics for Discrete and Continuous Systems

Using Theorem Provers to Guarantee Closed-Loop Properties

Abstraction-based synthesis: Challenges and victories

Computability and Complexity Theory: An Introduction

Georgios E. Fainekos, Savvas G. Loizou and George J. Pappas. GRASP Lab Departments of CIS, MEAM and ESE University of Pennsylvania

The goal of this chapter is to study linear systems of ordinary differential equations: dt,..., dx ) T

Testing System Conformance for Cyber-Physical Systems

Modeling and Analysis of Hybrid Systems

Verification of Polynomial Interrupt Timed Automata

Geometric Programming Relaxations for Linear System Reachability

Symbolic Verification of Hybrid Systems: An Algebraic Approach

Chapter 4: Computation tree logic

Equivalence of dynamical systems by bisimulation

On the decidability of termination of query evaluation in transitive-closure logics for polynomial constraint databases

arxiv:math/ v1 [math.lo] 5 Mar 2007

L 2 -induced Gains of Switched Systems and Classes of Switching Signals

Examples include: (a) the Lorenz system for climate and weather modeling (b) the Hodgkin-Huxley system for neuron modeling

On o-minimal hybrid systems

A Automatic Synthesis of Switching Controllers for Linear Hybrid Systems: Reachability Control

Finite-State Model Checking

Notes. Corneliu Popeea. May 3, 2013

Symbolic Reachability Analysis of Lazy Linear Hybrid Automata. Susmit Jha, Bryan Brady and Sanjit A. Seshia

Synthesizing Switching Logic using Constraint Solving

Timed Automata VINO 2011

Hierarchical Control of Piecewise Linear Hybrid Dynamical Systems Based on Discrete Abstractions Λ

Temporal Logic Model Checking

Abstractions and Decision Procedures for Effective Software Model Checking

2.3. VECTOR SPACES 25

Intelligent Agents. Formal Characteristics of Planning. Ute Schmid. Cognitive Systems, Applied Computer Science, Bamberg University

Liveness in L/U-Parametric Timed Automata

Symbolic sub-systems and symbolic control of linear systems

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

A Decidable Class of Planar Linear Hybrid Systems

Nonlinear Real Arithmetic and δ-satisfiability. Paolo Zuliani

x 9 or x > 10 Name: Class: Date: 1 How many natural numbers are between 1.5 and 4.5 on the number line?

Symbolic Control of Incrementally Stable Systems

Approximate Bisimulations for Constrained Linear Systems

Lecturecise 22 Weak monadic second-order theory of one successor (WS1S)

Formally Analyzing Adaptive Flight Control

Introduction to Kleene Algebras

Time(d) Petri Net. Serge Haddad. Petri Nets 2016, June 20th LSV ENS Cachan, Université Paris-Saclay & CNRS & INRIA

Mathematical Logic. Reasoning in First Order Logic. Chiara Ghidini. FBK-IRST, Trento, Italy

Crash course Verification of Finite Automata CTL model-checking

FMCAD 2013 Parameter Synthesis with IC3

More Model Theory Notes

CMPS 217 Logic in Computer Science. Lecture #17

CS6901: review of Theory of Computation and Algorithms

Model theory and algebraic geometry in groups, non-standard actions and algorithms

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

models, languages, dynamics Eugene Asarin PIMS/EQINOCS Workshop on Automata Theory and Symbolic Dynamics LIAFA - University Paris Diderot and CNRS

Peano Arithmetic. CSC 438F/2404F Notes (S. Cook) Fall, Goals Now

Chapter 3. Rings. The basic commutative rings in mathematics are the integers Z, the. Examples

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

The State Explosion Problem

Software Verification

Notes on generating functions in automata theory

Bisimulation relations for dynamical, control, and hybrid systems

Automata-Theoretic Model Checking of Reactive Systems

Deductive Verification of Continuous Dynamical Systems

Automatic Generation of Polynomial Invariants for System Verification

Automata-theoretic Decision of Timed Games

Lecture 8 Receding Horizon Temporal Logic Planning & Finite-State Abstraction

Time and Timed Petri Nets

Deciding Bisimilarity for Alternating Timed Automata

Nonlinear Optimization

Transcription:

Discrete abstractions of hybrid systems for verification George J. Pappas Departments of ESE and CIS University of Pennsylvania pappasg@ee.upenn.edu http://www.seas.upenn.edu/~pappasg DISC Summer School on Modeling and Control of Hybrid Systems Veldhoven, The Netherlands June 23-26, 2003 http://lcewww.et.tudelft.nl/~disc hs/

Outline of this mini-course Lecture 1 : Monday, June 23 Examples of hybrid systems, modeling formalisms Lecture 2 : Monday, June 23 Transitions systems, temporal logic, refinement notions Lecture 3 : Tuesday, June 24 Discrete abstractions of hybrid systems for verification Lecture 4 : Tuesday, June 24 Discrete abstractions of continuous systems for control Lecture 5 : Thursday, June 26 Bisimilar control systems

Hybrid to discrete (Lecture 3) Abstraction Discrete T / T T / Hybrid T Goal : Finite quotients of hybrid systems

Hybrid System Model A hybrid system H =(V, < n,x 0,F,Inv,R) consists of V is a finite set of states < n is the continuous state space is the state space of the hybrid system is the set of initial states maps a diff. inclusion to each discrete state maps invariant sets to each discrete state is a relation capturing discontinuous changes Define X = V â < n X 0 ò X F(l, x) ò< n Inv(l) ò< n R ò X â X E = {(l, l 0 ) x Inv(l),x 0 Inv(l 0 )((l, x), (l 0,x 0 )) R} Init(l)={x Inv(l) (l, x) X 0 } Guard(e) ={x Inv(l) x 0 Inv(l 0 )((l, x), (l 0,x 0 )) R} Reset(e, x) ={x 0 Inv(l 0 ) ((l, x), (l 0,x 0 )) R}

An example T = 510 y = 10 y2 1 = 10 Rod1 NoRod T Rod2. 550 y 1 2 10. =. T = 0.1 T 56 T = 0.1 T 50 T = 0.1 T 60...... y 1 = 1 y 2 = 1 y 1 = 1 y 2 = 1 y 1 = 1 y 2 = 1 T 510 T = 510 y : = 1 0 T 550 T = 510 y : = 0 2 T 510 T = 550 y < 10 y2 1 < 10 Shutdown. T = 0.1 T 50.. y 1 = 1 y 2 = 1 true

Transitions of Hybrid Systems Hybrid systems can be embedded into transition systems H =(V, < n,x 0,F,Inv,R) T H =(Q, Q 0, Σ,,O,<á >) Q = V â < n Q 0 = X 0 Σ = E {ü} ò Q â Σ â Q Discrete transitions (l 1,x 1 )à (l e 2,x 2 ) iff x 1 Guard(e),x 2 Reset(e, x 1 ) Continuous (time-abstract) transitions (l 1,x 1 )à (l ü 2,x 2 ) iff l 1 = l 2 and î õ 0 x(á ):[0,î] < n x(0) = x 1,x(î)=x 2, Observation set and map depend on desired properties and t [0,î] xç F(l 1,x(t)) and x(t) Inv(l 1 )

Rectangular hybrid automata Rectangular sets : x 2000 V i x i ø c i ø {<, ô, =, õ,>},c i Q far near past - 50 x. 40 x = 1000 approach. x = 0-50 x 30-50 x 30. x 1000 exit x = 100 x' [2000, ) x 0 x -100 Rectangular hybrid automata are hybrid systems where are rectangular sets Init(l),Inv(l),F(l, x),guard(e),reset(e, x) i

Multi-rate automata x = 2000 l 3 ẋ = 3 x = 1000 1l x = 0 ẋ = 2 ẋ = 1 l 2 x 1000 x 0 x -100 x = 100 x' = 2000 Multi-rate automata are rectangular hybrid automata where are singleton sets Init(l),F(l, x),reset(e, x) i

Timed automata x = 0 l 3 ẋ = 1 x > 9 y : = 0 1l ẋ = 1 y > 3 l 2 ẋ = 1 ẏ = 1 ẏ = 1 ẏ = 1 x < 10 y < 5 true x > 10 y > 20 x : = 0 y : = 1 Timed automata are multi-rate automata where for all locations l and all variables. F(l, x i )=1

Initialized automata Rectangular hybrid automata are initialized if the following holds: After a discrete transition, if the differential inclusion (equation) for a variable changes, then the variable must be reset to a fixed interval. Timed automata are always initialized. x 2000 far near past - 50 x. 40 x = 1000 approach. x = 0-50 x 30-50 x 30. x 1000 exit x = 100 x' [2000, ) x 0 x -100

Bad news Undecidability barriers Consider the class of uninitialized multi-rate automata with n-1 clock variables, and one two slope variable (with two different rates). The reachability problem is undecidable for this class. No algorithmic procedure exists. Model checking temporal logic formulas is also undecidable Initalization is necessary for decidability

Timed automata x = 0 l 3 ẋ = 1 x > 9 y : = 0 1l ẋ = 1 y > 3 l 2 ẋ = 1 ẏ = 1 ẏ = 1 ẏ = 1 x < 10 y < 5 true x > 10 y > 20 x : = 0 y : = 1 All timed automata admit a finite bisimulation Hence CTL* model checking is decidable for timed automata

Timed automata x = 0 l 3 x > 9 y : = 0 1l ẋ = 1 y > 3 l 2 ẋ = 1 ẏ = 1 ẏ = 1 y < 5 true x > 10 y > 20 x : = 0 y : = 1 Approach : Discretize the clock dynamics using region equivalence

Region equivalence y l 3 x Equivalence classes : 6 corner points 14 open line segments 8 open regions

Multi-rate automata x = 2000 l 3 ẋ = 3 x = 1000 1l x = 0 ẋ = 2 ẋ = 1 l 2 x 1000 x 0 x -100 x = 100 x' = 2000 All initialized multi-rate automata admit a finite bisimulation

Rectangular automata x = 2000 l 3 ẋ = 3 x = 1000 1l x = 0 ẋ = 2 ẋ = 1 l 2 x 1000 x 0 x -100 x = 100 x' = 2000 All initialized rectangular automata admit a finite bisimulation

Rectangular automata x = 2000 l 3 ẋ = 3 x = 1000 1l x = 0 ẋ = 2 ẋ = 1 l 2 x 1000 x 0 x -100 x = 100 x' = 2000 All initialized rectangular automata admit a finite bisimulation

No finite bisimulation Inv y' = 0 0 x 1 0 y 1 1 ẋ 2 1 ẏ 2 0 x 1 0 y 1 Inv x' = 0 Bisimulation algorithm never terminates

but x 2000 far near past - 50 x. 40 x = 1000 approach. x = 0-50 x 30-50 x 30. x 1000 exit x = 100 x' [2000, ) x 0 x -100 All initialized rectangular automata admit a finite language equivalence quotient which can be constructed effectively. LTL model checking of rectangular automata is decidable.

More complicated dynamics? Sets P 1 = {(x,0) 0 x 4} P 2 = {(x,0) -4 x < 0} 2 P3 = R \(P1 P 2) Dynamics Bisimulation algorithm never terminates!!. x 1 = 0.2x1 +. x 2 = -x1 + x 2 0.2x 2

Basic problems Finite bisimulations of continuous dynamical systems Given a vector field F(x) and a finite partition of n R 1. Does there exist a finite bisimulation? 2. Can we compute it?

Representation issues Symbolic representation for infinite sets Rectangular sets? Semi-linear? Semi-algebraic? Operations on sets Reminder Boolean (logical) operations Can we compute Pre and Post? Is our representation closed under Pre and Post? Algorithmic termination (decidability) No guarantee for infinite transition systems We need nice alignment of sets and flows Globally finite properties

First-order logic Every theory of the reals has an associated language (<,<,+, à, 0, 1) Universe Relation Functions Constants Variables : x 1,x 2,x 3,... TERMS : Variables, constants, or functions of them x 1 àx 2 +1, 1+1, àx 3 ATOMIC FORMULAS : Apply the relation and equality to the terms x 1 +x 2 < à 1, 2x 1 =1,x 1 = x 3 (FIRST ORDER) FORMULAS : Atomic formulas are formulas If are formulas, then ϕ 1, ϕ 2 ϕ 1 ϕ 2, ϕ 1, x.ϕ 1, x.ϕ 1

First-order logic Useful languages (<,<,+, à, 0, 1) (<,<,+, à, â, 0, 1) (<,<,+, à, â,e x, 0, 1) x y(x +2y õ 0) x.ax 2 + bx + c =0 t.(t õ 0) (y = e t x) A theory of the reals is decidable if there is an algorithm which in a finite number of steps will decide whether a formula is true or not A theory of the reals admits quantifier elimination if there is an algorithm which will eliminate all quantified variables. x.ax 2 +bx +c =0ñ b 2 à4ac õ 0

First-order logic Theory Decidable? Quant. Elim.? (<,<,+, à, 0, 1) (<,<,+, à, â, 0, 1) (<,<,+, à, â,e x, 0, 1) YES YES? YES YES NO (<,<,+,à,â,0,1) Tarski s result : Every formula in can be decided 1. Eliminate quantified variables 2.Quantifier free formulas can be decided

O-Minimal Theories A definable set is Y = {(x 1,x 2,...,x n ) < n ϕ(x 1,...,x n )} A theory of the reals is called o-minimal if every definable subset of the reals is a finite union of points and intervals Example: Y = {(x) < p(x) õ 0} for polynomial p(x) Recent o-minimal theories (<,<,+,à,0,1) Exponential flows (<,<,+,à,â,0,1) (<,<,+,à,â,e x,0,1) Spirals? Related to Hilbert s 16th problem (<,<,+,à,â,fê,0,1) (<,<,+,à,â,fê,e x,0,1)

Basic answers Finite bisimulations of continuous dynamical systems Consider a vector field X and a finite partition of n R where 1. The flow of the vector field is definable in an o-minimal theory 2. The finite partition is definable in the same o-minimal theory Then a finite bisimulation always exists.

Corollaries (<,<,+,à,0,1) Consider continuous systems where Finite partition is polyhedral (semi-linear) Vector fields have linear flows (timed, multi-rate) Then a finite bisimulation exists. (<,<,+,à,â,0,1) Consider continuous systems where Finite partition is semialgebraic Vector fields have polynomial flows Then a finite bisimulation exists.

Corollaries (<,<,+,à,â,e x,0,1) Consider continuous systems where Finite partition is semi-algebraic Vector fields are linear with real eigenvalues Then a finite bisimulation exists. (<,<,+,à,â,fê,0,1) Consider continuous systems where Finite partition is sub-analytic Vector fields are linear with purely imaginary eigenvalues Then a finite bisimulation exists.

Corollaries (<,<,+,à,â,fê,e x,0,1) Consider continuous systems where Finite partition is semi-algebraic Vector fields are linear with real or imginary eigenvalues Then a finite bisimulation exists. x x x x x x Conditions are sufficient but tight

Computability Finite bisimulations exist, but can we compute them? Bisimulation Algorithm initialize Q/ ø = {p ø q iff <q>=< p>} while P, P 0 Q/ ø such that P 1 := P Pre(P 0 ) P 2 := P \ Pre(P 0 ) Q/ ø := (Q/ ø \{P}) {P 1,P 2 } end while = ò P Pre(P 0 )= ò P 0 Need to : Check emptiness Perform boolean operations Compute Pre (or Post) Use (<,<,+,à,â,0,1)

Computing reachable sets Consider a linear system dx =Ax A Q nân dt Rational entries and a semi-algebraic set Y. If Y={y < n p(y)} Then Pre(Y)={x < n y t.p(y) t õ 0 x = e àta y} Problem?

Nilpotent matrices: Nilpotent Linear Systems n õ 0 A n =0 Then flow of linear system is polynomial e àta = Pnà1 (à 1) k t k A k k=0 k! Therefore Pre(Y) completely definable in (<,<,+,à,â,0,1) Pre(Y) ={x < n y t.p(y) t õ 0 x = Pnà1 (à 1) k t k A k y} k=0 k!

Diagonalizable, rational eigenvalues Example system : xç =2x Compute all states that can reach the set Y = { y=5 } Pre(Y) ={x < y t. y =5 t õ 0 x = e à2t y} s = e àt Let, then Pre(Y) ={x < y t. y =5 1 õ s õ 0 x = s 2 y} Pre(Y) ={x < 0 <xô 5}

Diagonalizable, rational eigenvalues More generally Therefore xç =Ax x(t)=te Λt T à1 x(0) e àta = â P n k=1 1. Rescale rational eigenvalues to integer eingenvalues. 2. Eliminate negative integer eigenvalues 3. Perform the substitution a ijk e àõ k tã ij s = e àt Consider diagonalizable e àta =[ P linear vector fields with real, n rational eigenvalues, and let ay k=1 ijk be e àõ a ksemi-algebraic t ] ij set. Then Pre(Y) is also semi-algebraic (and computable)

Diagonalizable, imaginary eigenvalues Procedure is similar if system is diagonalizable with purely imaginary, rational eigenvalues Equivalence is obtained by Suffices to compute over a period z 1 = cos(t) z 2 = sin(t) Consider diagonalizable e àta =[ Plinear n a vector k=1 ijk e àõ k t ] fields with real, rational eigenvalues, and let Y be a semi-algebraic ij set. Then Pre(Y) is also semi-algebraic (and computable) Composing all computability results together results in

Decidable problems for continuous systems Consider linear vector fields of the form F(x)=Ax where A is rational and nilpotent A is rational, diagonalizable, with rational eigenvalues A is rational, diagonalizable, with purely imaginary, rational eigenvalues Then 1. The reachability problem between semi-algebraic sets is decidable. 2. Consider a finite semi-algebraic partition of the state space. Then a finite bisimulation always, exists and can be computed. 3. Consider a CTL* formula where atomic propositions denote semi-algebraic sets. Then CTL* model checking is decidable.

Decidable problems for hybrid systems A hybrid system H is said to be o-minimal if 1. In each discrete state, all relevant sets and the flow of the vector field are definable in the same o-minimal theory. 2. After every discrete transition, state is reset to a constant set (forced initialization) All o-minimal hybrid systems admit a finite bisimulation. CTL* model checking is decidable for the class of o-minimal hybrid systems.

Decidable problems for hybrid systems Consider a linear hybrid system H where 1. For each discrete state, all relevant sets are semi-algebraic 2. After every discrete transition, state is reset to a constant semi-algebraic set (forced initialization) 3. In each discrete location, the vector fields are of the form F(x)=Ax where A is rational and nilpotent A is rational, diagonalizable, with rational eigenvalues A is rational, diagonalizable, with purely imaginary, rational eigenvalues Then CTL* model checking is decidable for this class of linear hybrid systems. The reachability problem is decidable for such linear hybrid systems.

Safety games Consider the following differential game xç =Ax +Bu +Ed u Ud D Objective for control : Remain in semi-algebraic set F Objective for disturbance : Exit semi-algebraic set F F = {x < n h(x) > 0} Winning set for u d(t) u(t) x(t) F Winning set for d d(t) u(t) x(t) F

The Hamiltonian Optimal control H(x, p, u, d)=p T Ax + p T Bu + p T Ed must satisfy the Hamilton-Jacobi-Isaacs condition max u U min d D H(x, p, u, d) = min d D max u U H(x, p, u, d) Optimum (bang-bang) policies satisfy H xç = p pç = à á H T x h p(x, 0) = x u ã = arg max u U d ã = arg min d D p T Bu p T Ed

Encoding game as hybrid system q 0 =(0, 0) q 1 =(0, 1) xç =Ax + Bu +Ed pç =A T p xç =Ax + Bu +Ed pç =A T p (p T B<0) (p T E<0) (p T B<0) (p T E>0) q 2 =(1, 0) q 3 =(1, 1) xç =Ax +Bu +Ed pç =A T p (p T B>0) (p T E<0) xç =Ax +Bu +Ed pç =A T p (p T B>0) (p T E>0)

Pontryagin Maximum Principle xç =Ax + Bu A linear system is normal if for each input column b i, the pair (A,b i ) is completely controllable. If the linear system is normal with respect to both control and disturbance, then for any initial state the optimal control and optimal disturbance are well-defined, unique and piece-wise constant taking values on the vertices of U and D. If the linear system is normal and A has purely real eigenvalues, then there is a global, uniform upper bound, independent of the initial state on the number of switchings of the optimal control and optimal disturbance.

Decidable games Combining optimal control and decidable logics we get Consider the differential game with target set xç =Ax +Bu +Ed u Ud D F = {x < n h(x) > 0} If the system is normal and A has real eigenvalues, then the differential game can be decided. Winning sets for u and d can be computed. Least restrictive controllers can be computed.

Extension to chained form Consider chained system Construct Hamiltonian Co-state dynamics Optimal control satisfies maximum principle:

Polynomial flows Dynamics in discrete state (optimal input is constant ) Polynomial flow in each discrete state

Conflict Resolution in ATM*

Conflict Resolution Protocol 1. Cruise until a 1 miles away 2. Change heading by ΔΦ 3. Maintain heading until lateral distance d 4. Change to original heading 5. 6. Change heading by - ΔΦ Maintain heading until lateral distance -d 7. Change to original heading Is this protocol safe?

Conflict Resolution Maneuver

Computing Unsafe Sets

Safe Sets

Continuous to discrete (Lectures 3 & 4) Lecture 3 Lecture 4 T / T / T T / T T / T dx =Ax dt T dx =Ax+Bu dt Restricted dynamical systems Semi-algebraic partitions Verification semantics Linear control systems Restricted partitions Synthesis semantics

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback