Verification of hybrid systems. Thanks to

Verification of hybrid systems George J Pappas Departments of ESE and CIS University of Pennsylvania pappasg@eeupennedu http://wwwseasupennedu/~pappasg HYBRIDGE Summer School on Hybrid Systems : A Formal Paradigm for Safety Critical Embedded Systems Patras, Greece September -4, 004 Thanks to School Organizers Marika di Benedetto Kostas Kyriakopoulos John Lygeros and HYBRIDGE

Acknowledgments Postdocs Mohamed Babaali Antoine Girard PhD Students Ali Ahmazadeh George Fainekos Hadas Kress Gazit Hakan Yazarel Michael Zavlanos Collaborators Rajeev Alur, Datta Godbole, Tom Henzinger, Ali Jadbabaie, John Koo, Vijay Kumar, Gerardo Lafferierre, Insup Lee, John Lygeros, Shankar Sastry, Omid Shakernia, Claire Tomlin, Sergio Yovine Support NSF Career, PECASE NSF ITR () NSF EHS ARO MURI DARPA HURT Honeywell Goals for this mini-course Why hybrid systems? Emphasis on some engineering examples Modeling of hybrid systems Emphasis on abstraction and refinement Analysis of hybrid systems Emphasis on algorithmic verification Synthesis of hybrid controllers Emphasis on temporal logic synthesis Warning : All questions and answers are biased and incomplete!

Bisimilar linear systems George J Pappas Automatica 39():035-047 December 003 Some references Model checking LTL over controllable linear systems is decidable Paulo Tabuada and George J Pappas Hybrid Systems : Computation and Control, Lecture Notes in Computer Science, Prague, Czech Republic, April 003 Symbolic reachability computations for families of linear vector fields G Lafferriere, G J Pappas, and S Yovine Journal of Symbolic Computation, 3(3):3-53, September 00 Discrete abstractions of hybrid systems RAlur, T Henzinger, G Lafferriere, G Pappas Proceedings of the IEEE, 88():97-984, July 000 Hierarchically consistent control systems George J Pappas, Gerardo Lafferriere, and Shankar Sastry IEEE Transactions on Automatic Control, 45(6):44-60, June 000 O-minimal hybrid systems G Lafferriere, G J Pappas, and S Sastry Mathematics of Control, Signals, and Systems, 3():-, March 000 Outline of lectures Lecture : Thursday, September 3 Examples of hybrid systems and modeling formalisms Transitions systems, temporal logics, abstraction Discrete abstractions of hybrid systems for verification Lecture : Friday, September 4 Applications in motion planning and visibility games 3

Why hybrid? Enabling technologies Advances in sensor and actuator technology GPS, control of quantum systems Invasion of powerful microprocessors in physical devices Sophisticated software/hardware on board Networking everywhere Interconnects subsystems 4

Emerging applications Latest BMW : 7 networked microprocessors Boeing 777 : 80 networked microprocessors Networked embedded systems Network Controller SW/HW Controller SW/HW Actuator Sensor Actuator Sensor Physical System Physical System 5

Networked embedded systems Network Controller SW/HW Controller SW/HW Actuator Sensor Actuator Sensor Physical System Physical System Physical system is continuous, software is discrete Discrete and Continuous Control Theory Continuous systems Stability, control Feedback, robustness Computer Science Transition systems Composition, abstraction Concurrency models Hybrid Systems Software controlled systems Multi-modal systems Embedded real-time systems Multi-agent systems 6

Exporting Science Control Theory Continuous systems Stability, control Feedback, robustness Computer Science Transition systems Composition, abstraction Concurrency models Composition Abstraction Concurrency Robustness Feedback Stability Different views Computer science perspective View the physics from the eyes of the software Modeling result : Hybrid automaton Control theory perspective View the software from the eyes of the physics Modeling result : Switched control systems 7

Hybrid dynamics Hybrid behavior arises in Hybrid model is a simplification of a larger nonlinear model Quantized control of continuous systems Input and observation sets are finite Logic based switching Software is designed to supervise various dynamics/controllers Partial synchronization of many continuous systems Resource allocation for competing multi-agent systems Hybrid specifications of continuous systems Plant is continuous, but specification is discrete or hybrid Logic based switching 8

Nuclear reactor example Without rods With rod With rod T = 0 T 50 T = 0 T 56 T = 0 T 60 Rod and cannot be used simultaneously Once a rod is removed, you cannot use it for 0 minutes Specification : Keep temperature between 50 and 550 degrees If T=550 then either a rod is available or we shutdown the plant Software model of nuclear reactor Rod NoRod Rod Shutdown 9

Hybrid model of nuclear reactor T = 50 y = 0 y = 0 Rod T = 550 y 0 NoRod T = 550 y 0 Rod T = 0 T 56 T = 0 T 50 T = 0 T 60 y = y = y = y = y = y = T 50 T = 50 y : = 0 T 550 T = 50 y : = 0 T 50 T = 550 y < 0 y < 0 Analysis : Is shutdown reachable? Algorithmic verification : NO Shutdown T = 0 T 50 y = y = true Conflict Resolution in ATM* 0

Conflict Resolution Protocol Cruise until a miles away Change heading by Φ 3 Maintain heading until lateral distance d 4 Change to original heading 5 Change heading by - Φ 6 Maintain heading until lateral distance -d 7 Change to original heading Is this protocol safe? Conflict Resolution Maneuver

Computing Unsafe Sets Safe Sets

Partial synchronization (Concurrency) The train gate x θ approach raise lower exit Controller System = Train Gate Controller Safety specification : If train is within 0 meters of the crossing, then gate should completely closed Liveness specification : Keep gate open as much as possible 3

Train model x 000 far - 50 x 40 x = 000 approach near past x = 0-50 x 30-50 x 30 x 000 x 0 x -00 exit x = 00 x' [000, ) Gate model θ = 90 raise raising θ = 9 θ = 90 open θ = 0 raise θ 90 lower θ = 90 raise lower raise lowering θ = 9 θ = 0 closed θ = 0 lower θ 0 θ = 0 lower 4

Controller model y : = 0 exit true Goingtolower y : = 0 idle y : = 0 Goingtoraise ẏ = approach ẏ = exit ẏ = y d lower true raise y d y : = 0 approach x 000 Synchronized transitions far - 50 x 40 x = 000 approach near past x = 0-50 x 30-50 x 30 x 000 x 0 x -00 exit x = 00 x' [000, ) y : = 0 exit true Going tolower ẏ = y : = 0 approach idle ẏ = y : = 0 Going to raise exit ẏ = y d lower true raise y d y : = 0 approach 5

Verifying the controller x θ approach raise lower exit Controller System = Train Gate Controller Safety specification : Can we avoid the set θ > 0 (-0 x 0)? Parametric HyTech verification : YES if d 49 5 Modeling Issues Research Issues Well posedness, robustness, zenoness Analysis Stability issues, qualitative theory, parametric analysis Verification Algorithmic methods that verify system performance Controller Synthesis Algorithmic methods that design hybrid controllers Simulation Mixed signal simulation, event detection, modularity Code generation From hybrid models to embedded code Complexity Compositionality and hierarchies Tools : HyTech, Checkmate, d/dt, HYSDEL, Stateflow, Charon 6

Outline of lectures Lecture : Thursday, September 3 Examples of hybrid systems and modeling formalisms Transitions systems, temporal logics, abstraction Discrete abstractions of hybrid systems for verification Lecture : Friday, September 4 Applications in motion planning and visibility games Transition Systems A transition system T consists of A set of states Q A set of events Σ A set of observations O σ The transition relation q The observation map q = = ( Q, Σ,, O, q o 0 ) o 0 o 0 q 0 σ σ q o 0 q Initial or final states may be incorporated The sets Q, Σ, and O may be infinite Language of T is all sequences of observations σ σ o q3 o q4 7

The parking meter A painful example 5p 5p 5p 0 3 4 5 60 exp act act act act act tick tick tick tick tick tick tick tick 5p States Q ={0,,,,60} Events {tick,5p} Observations {exp,act} A possible string of observations (exp,act,act,act,act,act,exp, ) act A familiar example T Transition System = ( Q, Σ,, O, ) n State set Q = X = R T x k + = Axk + Bu Ty = k Cx k k Label set Σ = U = R Observatio n set O = Y = R Linear Observation Map x = Cx Transition Relation X U X u m x x x = Ax + p Bu 8

Transition Systems A region is a subset of states P Q We define the following operators Pre (P) = {q Q p P σ Pre(P) = {q Q σ Σ σ q p} p P σ q p} Post (P) = {q Q p P σ Post(P) = {q Q σ Σ σ p q} p P σ p q} We can recursively define Transition Systems Preσ (P) = Pre n Preσ (P) = Pre σ σ (P) (Pre n- σ (P)) Similarly for the other operators Also * Pre (P) = * Post (P) = U n N U n N Pre n Post (P) n (P) 9

Basic safety problems Given transition system T and regions P, S determine Forward Reachability Post ã (P) S= Backward Reachability P Pre ã (S)= Forward reachability algorithm Forward Reachability Algorithm initialize R := P while TRUE do if R S= return UNSAFE ; end if; if Post(R) ò R return SAFE ; end if; R := R Post(R) end while If T is finite, then algorithm terminates (decidability) Complexity : O(n I + m R ) initial states reachable transitions 0

Backward reachability algorithm Backward Reachability Algorithm initialize R := S while TRUE do if R P= return UNSAFE ; end if; if Pre(R) ò R return SAFE ; end if; R := R Pre(R) end while If T is infinite, then there is no guarantee of termination Algorithmic issues Representation issues Enumeration for finite sets Symbolic representation for infinite (or finite) sets Operations on sets Boolean operations Pre and Post computations (closure?) Algorithmic termination (decidability) Guaranteed for finite transition systems No guarantee for infinite transition systems

More complicated problems More sophisticated properties can be expressed using Linear Temporal Logic (LTL) Computation Tree Logic (CTL) CTL* mu-calculus The basic verification problem Given transition system T, and temporal logic formula ϕ Basic verification problem T =ϕ Two main approaches Model checking : Algorithmic, restrictive Deductive methods : Semi-automated, general

Another verification problem Given transition system T, and specification system S Another verification problem L(T) ò L(S) Language inclusion problems The basic synthesis problem Given transition system T, and temporal logic formula ϕ Basic synthesis problem T k C =ϕ Synthesis in computer science assumes disturbances Deep relationship between synthesis and game theory 3

Linear temporal logic (informally) Express temporal specifications along sequences Informally Syntax Semantics Eventually p p qqqqqqqqqqqqp Always p p pppppppppppppp If p then next q p í q qqqqqqqqpq p until q puq pppppppppppppppq Linear temporal logic (formally) Linear temporal logic syntax The LTL formulas are defined inductively as follows Atomic propositions All observation symbols p are formulas Boolean operators If ϕ and ϕ are formulas then ϕ ϕ ϕ Temporal operators If ϕ and ϕ are formulas then ϕ U ϕ í ϕ 4

Linear temporal logic semantics The LTL formulas are interpreted over infinite (omega) words w = p 0 p p p 3 p 4 (w, i) =p iff p i = p (w, i) =ϕ ϕ iff (w, i) =ϕ or (w, i) =ϕ (w, i) = ϕ iff (w, i) 6 =ϕ (w, i) = í ϕ iff (w, i +) =ϕ (w, i) =ϕ U ϕ j õ i (w, j) =ϕ and i ô k ô j (w, k) =ϕ w =þ iff (w, 0) = ϕ T =þ iff w L(T) w = ϕ Linear temporal logic Syntactic boolean abbreviations Conjunction Implication Equivalence ϕ ϕ = ( ϕ ϕ ) ϕ ϕ = ϕ ϕ ϕ ϕ =(ϕ ϕ ) (ϕ ϕ ) Syntactic temporal abbreviations Eventually Always In 3 steps ϕ = > U ϕ ϕ = ϕ í 3 ϕ = íííϕ 5

LTL examples Two processors want to access a critical section Each processor can has three observable states p={incs, outcs, reqcs} p={incs, outcs, reqcs} Mutual exclusion Both processors are not in the critical section at the same time (p = incs p = incs) Starvation freedom If process requests entry, then it eventually enters the critical section p = reqcs p = incs LTL Model Checking Given transition system and LTL formula we have LTL model checking Determine if T =ϕ System verified Counterexample LTL model checking is decidable for finite T Complexity : O((n + m)(k + l) O(k) ) states transitions formula length 6

Computation tree logic (informally) Express specifications in computation trees (branching time) Informally Syntax Semantics Inevitably next p í p p p p Possibly always p p q p q p Comparing logics CTL LTL CTL* 7

Dealing with complexity Bisimulation Simulation Language Inclusion Language Equivalence Consider two transition systems T and T over same Σ and O T o0 q0 σ σ o0 p0 σ T o 0 q o 0 q p o 0 σ σ σ σ o q3 o q4 o p3 o p4 Languanges are equivalent L( T )=L( ) T 8

LTL equivalence Consider two transition systems T and and an LTL formula T Language equivalence If L(T )=L(T ) then T =ϕ T =ϕ Language inclusion If L(T ) ò L(T ) then T =ϕ T =ϕ Language equivalence and inclusion are difficult to check Consider two transition systems Simulation Relations T = ( Q, Σ,, O, ) = ( Q, Σ,, O, ) T over the same set of labels and observations A relation is called a simulation relation if it Respects observations if (q,p) S then q = p S Q Q Respects transitions if (q,p) S and q q', σ σ then p p' for some (q',p') S If a simulation relation exists, then T T 9

Game theoretic semantics Simulation is a matching game between the systems T o0 q0 σ σ o0 p0 σ T o 0 q o 0 q p o 0 σ σ σ σ o q3 o q4 o p3 o p4 Check that T but it is not true that T T T The parking meter The parking example 5p 5p 5p 0 3 4 5 60 exp act act act act act tick tick tick tick tick tick tick tick 5p act A coarser model 5p tick tick 0 exp tick many 5p act S = {(0,0),(,many),, (60,many)} 30

Simulation relations Consider two transition systems T and T Simulation implies language inclusion If T ô T then L(T ) ò L(T ) Complexity of L(T ) ò L(T ) O((n + m ) n ) Complexity of T ô T O((n + m )(n + m )) Two important cases Abstraction Refinement T T T T T T T T 3

Bisimulation Consider two transition systems T and T Bisimulation T ñ T if T ô T T ô T Bisimulation is a symmetric simulation Strong notion of equivalence for transition systems CTL* (and LTL) equivalence If T ñ T then T =ϕ T =ϕ If T ñ T then L(T )=L(T ) Special quotients Abstraction T / T T T / When is the quotient language equivalent or bisimilar to T? 3

Quotient Transition Systems Given a transition system T and an observation preserving partition naturally using Observation Map = ( Q, Σ,, O, ) Q Q T/ = ( Q/, Σ,, O, ), define P = o iff there exists p P with p = o Transition Relation P σ P' iff there exists p P, p' P' with σ p p' Bisimulation Algorithm Quotient system T / always simulates the original system T When does original system T simulate the quotient system T /? σ o σ o 33

Bisimulation Algorithm Quotient system T / always simulates the original system T When does original system T simulate the quotient system T /? σ o σ o Bisimulation algorithm Bisimulation Algorithm initialize Q/ ø = {p ø q iff <q>=<p>} while P, P 0 Q/ such that 6= ò P Pre(P 0 )6= ò P 0 ø P := P Pre(P 0 ) P := P \ Pre(P 0 ) Q/ ø := (Q/ ø \{P}) {P,P } end while If T is finite, then algorithm computes coarsest quotient If T is infinite, there is no guarantee of termination 34

Relationships Bisimulation Strongest, more properties, easiest to check Simulation Weaker, less properties, easy to check Language Inclusion Weakest, less properties, difficult to check Complexity comparisons Bisimulation O(m á log(n)) Simulation O(m á n) Language Equivalence O(m á n ) 35

Outline of lectures Lecture : Thursday, September 3 Examples of hybrid systems and modeling formalisms Transitions systems, temporal logics, abstraction Discrete abstractions of hybrid systems for verification Lecture : Friday, September 4 Applications in motion planning and visibility games Hybrid to discrete Abstraction Discrete T / T T / Hybrid T Goal : Finite quotients of hybrid systems 36

Hybrid System Model A hybrid system H =(V, < n,x 0,F,Inv,R) consists of V is a finite set of states < n is the continuous state space X = V â < n is the state space of the hybrid system X 0 ò X is the set of initial states F(l, x) ò< n maps a diff inclusion to each discrete state Inv(l) ò< n maps invariant sets to each discrete state R ò X â X is a relation capturing discontinuous changes Define E = {(l, l 0 ) x Inv(l),x 0 Inv(l 0 )((l, x), (l 0,x 0 )) R} Init(l)={x Inv(l) (l, x) X 0 } Guard(e)={x Inv(l) x 0 Inv(l 0 )((l, x), (l 0,x 0 )) R} Reset(e, x)={x 0 Inv(l 0 ) ((l, x), (l 0,x 0 )) R} An example T = 50 y = 0 y = 0 Rod T = 550 y 0 NoRod T = 550 y 0 Rod T = 0 T 56 T = 0 T 50 T = 0 T 60 y = y = y = y = y = y = T 50 T = 50 y : = 0 T 550 T = 50 y : = 0 T 50 T = 550 y < 0 y < 0 Shutdown T = 0 T 50 y = y = true 37

Transitions of Hybrid Systems Hybrid systems can be embedded into transition systems H =(V, < n,x 0,F,Inv,R) T H =(Q, Q 0, Σ,,O,<á >) Q = V â < n Q 0 = X 0 Σ = E {ü} ò Q â Σ â Q Observation set and map depend on desired properties Discrete transitions (l,x )à (l e,x ) iff x Guard(e),x Reset(e, x ) Continuous (time-abstract) transitions (l,x )à (l ü,x ) iff l = l and î õ 0 x(á ):[0,î] < n x(0) = x,x(î)=x, and t [0,î] xç F(l,x(t)) and x(t) Inv(l ) Rectangular hybrid automata Rectangular sets : x 000 V i x i ø c i ø {<, ô, =, õ,>},c i Q far - 50 x 40 x = 000 approach near past x = 0-50 x 30-50 x 30 x 000 x 0 x -00 exit x = 00 x' [000, ) Rectangular hybrid automata are hybrid systems where are rectangular sets Init(l),Inv(l),F(l, x),guard(e),reset(e, x) i 38

Multi-rate automata x = 000 l 3 ẋ = 3 x = 000 l l x = 0 ẋ = ẋ = x 000 x 0 x -00 x = 00 x' = 000 Multi-rate automata are rectangular hybrid automata where are singleton sets Init(l),F(l, x), Reset(e, x) i Timed automata x = 0 l 3 ẋ = x > 9 y : = 0 l ẋ = y > 3 l ẋ = ẏ = ẏ = ẏ = x < 0 y < 5 true x > 0 y > 0 x : = 0 y : = Timed automata are multi-rate automata where for all locations l and all variables F(l, x i )= 39

Initialized automata Rectangular hybrid automata are initialized if the following holds: After a discrete transition, if the differential inclusion (equation) for a variable changes, then the variable must be reset to a fixed interval Timed automata are always initialized x 000 far - 50 x 40 x = 000 approach near past x = 0-50 x 30-50 x 30 x 000 x 0 x -00 exit x = 00 x' [000, ) Bad news Undecidability barriers Consider the class of uninitialized multi-rate automata with n- clock variables, and one two slope variable (with two different rates) The reachability problem is undecidable for this class No algorithmic procedure exists Model checking temporal logic formulas is also undecidable Initalization is necessary for decidability 40

Timed automata x = 0 l 3 ẋ = ẏ = x > 9 y : = 0 l ẋ = ẏ = y > 3 l ẋ = ẏ = x < 0 y < 5 true x > 0 y > 0 x : = 0 y : = All timed automata admit a finite bisimulation Hence CTL* model checking is decidable for timed automata Timed automata x = 0 l 3 x > 9 y : = 0 l ẋ = y > 3 l ẋ = ẏ = ẏ = y < 5 true x > 0 y > 0 x : = 0 y : = Approach : Discretize the clock dynamics using region equivalence 4

Region equivalence y l 3 x Equivalence classes : 6 corner points 4 open line segments 8 open regions Multi-rate automata x = 000 l 3 ẋ = 3 x = 000 l l x = 0 ẋ = ẋ = x 000 x 0 x -00 x = 00 x' = 000 All initialized multi-rate automata admit a finite bisimulation 4

Rectangular automata x = 000 l 3 ẋ = 3 x = 000 l l x = 0 ẋ = ẋ = x 000 x 0 x -00 x = 00 x' = 000 All initialized rectangular automata admit a finite bisimulation Rectangular automata x = 000 l 3 ẋ = 3 x = 000 l l x = 0 ẋ = ẋ = x 000 x 0 x -00 x = 00 x' = 000 All initialized rectangular automata admit a finite bisimulation 43

No finite bisimulation Inv y' = 0 0 x 0 y ẋ ẏ 0 x 0 y Inv x' = 0 Bisimulation algorithm never terminates but x 000 far - 50 x 40 x = 000 approach near past x = 0-50 x 30-50 x 30 x 000 x 0 x -00 exit x = 00 x' [000, ) All initialized rectangular automata admit a finite language equivalence quotient which can be constructed effectively LTL model checking of rectangular automata is decidable 44

More complicated dynamics? Sets = {(x,0) 0 x 4} P P = {(x,0) -4 x < 0} P3 = R \(P P ) Dynamics Bisimulation algorithm never terminates!! x = 0x + x = -x + x 0x Basic problems Finite bisimulations of continuous dynamical systems Given a vector field F(x) and a finite partition of Does there exist a finite bisimulation? Can we compute it? n R 45

Representation issues Symbolic representation for infinite sets Rectangular sets? Semi-linear? Semi-algebraic? Operations on sets Reminder Boolean (logical) operations Can we compute Pre and Post? Is our representation closed under Pre and Post? Algorithmic termination (decidability) No guarantee for infinite transition systems We need nice alignment of sets and flows Globally finite properties First-order logic Every theory of the reals has an associated language (<,<,+, à, 0, ) Universe Relation Functions Constants Variables : x,x,x 3, TERMS : ATOMIC FORMULAS : Variables, constants, or functions of them x àx +, +, àx 3 Apply the relation and equality to the terms x + x < à, x =,x = x 3 (FIRST ORDER) FORMULAS : Atomic formulas are formulas If are formulas, then ϕ, ϕ ϕ ϕ, ϕ, xϕ, xϕ 46

First-order logic Useful languages (<,<,+, à, 0, ) (<,<,+, à, â, 0, ) (<,<,+, à, â,e x, 0, ) x y(x +y õ 0) xax +bx +c =0 t(t õ 0) (y = e t x) A theory of the reals is decidable if there is an algorithm which in a finite number of steps will decide whether a formula is true or not A theory of the reals admits quantifier elimination if there is an algorithm which will eliminate all quantified variables xax +bx +c =0ñb à4ac õ 0 First-order logic Theory Decidable? Quant Elim? (<,<,+, à, 0, ) (<,<,+, à, â, 0, ) (<,<,+, à, â,e x, 0, ) YES YES? YES YES NO (<,<,+,à,â,0,) Tarski s result : Every formula in Eliminate quantified variables Quantifier free formulas can be decided can be decided 47

O-Minimal Theories A definable set is Y = {(x,x,,x n ) < n ϕ(x,,x n )} A theory of the reals is called o-minimal if every definable subset of the reals is a finite union of points and intervals Example: Y = {(x) < p(x) õ 0} for polynomial p(x) Recent o-minimal theories (<,<,+,à,0,) Exponential flows (<,<,+,à,â,0,) (<,<,+,à,â,e x,0,) (<,<,+,à,â,fê,0,) (<,<,+,à,â,fê,e x,0,) Spirals? Related to Hilbert s 6th problem Basic answers Finite bisimulations of continuous dynamical systems Consider a vector field X and a finite partition of n R where The flow of the vector field is definable in an o-minimal theory The finite partition is definable in the same o-minimal theory Then a finite bisimulation always exists 48

Corollaries (<,<,+,à,0,) Consider continuous systems where Finite partition is polyhedral (semi-linear) Vector fields have linear flows (timed, multi-rate) Then a finite bisimulation exists (<,<,+,à,â,0,) Consider continuous systems where Finite partition is semialgebraic Vector fields have polynomial flows Then a finite bisimulation exists Corollaries (<,<,+,à,â,e x,0,) Consider continuous systems where Finite partition is semi-algebraic Vector fields are linear with real eigenvalues Then a finite bisimulation exists Consider continuous systems where Finite partition is sub-analytic Vector fields are linear with purely imaginary eigenvalues (<,<,+,à,â,fê,0,) Then a finite bisimulation exists 49

Corollaries (<,<,+,à,â,fê,e x,0,) Consider continuous systems where Finite partition is semi-algebraic Vector fields are linear with real or imginary eigenvalues Then a finite bisimulation exists x x x x x x Conditions are sufficient but tight Computability Finite bisimulations exist, but can we compute them? Bisimulation Algorithm initialize Q/ ø = {p ø q iff <q>=<p>} while P, P 0 Q/ such that 6= ò P Pre(P 0 )6= ò P 0 ø P := P Pre(P 0 ) P := P \ Pre(P 0 ) Q/ ø := (Q/ ø \{P}) {P,P } end while Need to : Check emptiness Perform boolean operations Compute Pre (or Post) Use (<,<,+,à,â,0,) 50

Computing reachable sets Consider a linear system dx =Ax A Q nân dt Rational entries and a semi-algebraic set Y If Then Y={y < n p(y)} Pre(Y)={x < n y tp(y) t õ 0 x = e àta y} Problem? Nilpotent matrices: Nilpotent Linear Systems n õ 0 A n =0 Then flow of linear system is polynomial e àta = Pnà (à ) k t k A k k=0 k! Therefore Pre(Y) completely definable in (<,<,+,à,â,0,) Pre(Y) ={x < n y tp(y) t õ 0 x = Pnà (à ) k t k A k y} k=0 k! 5

Diagonalizable, rational eigenvalues Example system : xç =x Compute all states that can reach the set Y = { y=5 } Pre(Y) ={x < y t y =5 t õ 0 x = e àt y} Let s = e àt, then Pre(Y) ={x < y t y =5 õ s õ 0 x = s y} Pre(Y) ={x < 0 <xô 5} Diagonalizable, rational eigenvalues More generally Therefore xç =Ax x(t)=te Λt T à x(0) e àta = â Pn a ijk e àõ tã k ij k= Rescale rational eigenvalues to integer eingenvalues Eliminate negative integer eigenvalues 3 Perform the substitution s = e àt Consider diagonalizable e àta =[ P linear vector fields with real, n rational eigenvalues, and let ay k= ijk be e àõ a ksemi-algebraic t ] ij set Then Pre(Y) is also semi-algebraic (and computable) 5

Diagonalizable, imaginary eigenvalues Procedure is similar if system is diagonalizable with purely imaginary, rational eigenvalues Equivalence is obtained by z = cos(t) z = sin(t) Suffices to compute over a period Consider diagonalizable e àta =[ Plinear n a vector k= ijk e àõ k t ] fields with real, rational eigenvalues, and let Y be a semi-algebraic ij set Then Pre(Y) is also semi-algebraic (and computable) Composing all computability results together results in Decidable problems for continuous systems Consider linear vector fields of the form F(x)=Ax where A is rational and nilpotent A is rational, diagonalizable, with rational eigenvalues A is rational, diagonalizable, with purely imaginary, rational eigenvalues Then The reachability problem between semi-algebraic sets is decidable Consider a finite semi-algebraic partition of the state space Then a finite bisimulation always, exists and can be computed 3 Consider a CTL* formula where atomic propositions denote semi-algebraic sets Then CTL* model checking is decidable 53

Decidable problems for hybrid systems A hybrid system H is said to be o-minimal if In each discrete state, all relevant sets and the flow of the vector field are definable in the same o-minimal theory After every discrete transition, state is reset to a constant set (forced initialization) All o-minimal hybrid systems admit a finite bisimulation CTL* model checking is decidable for the class of o-minimal hybrid systems Decidable problems for hybrid systems Consider a linear hybrid system H where For each discrete state, all relevant sets are semi-algebraic After every discrete transition, state is reset to a constant semi-algebraic set (forced initialization) 3 In each discrete location, the vector fields are of the form F(x)=Ax where A is rational and nilpotent A is rational, diagonalizable, with rational eigenvalues A is rational, diagonalizable, with purely imaginary, rational eigenvalues Then CTL* model checking is decidable for this class of linear hybrid systems The reachability problem is decidable for such linear hybrid systems 54

Outline of lectures Lecture : Thursday, September 3 Examples of hybrid systems and modeling formalisms Transitions systems, temporal logics, abstraction Discrete abstractions of hybrid systems for verification Bisimulations of continuous systems (if time permits) Lecture : Friday, September 4 Applications in motion planning and visibility games Controller synthesis The main (controller) synthesis equation A X B or a more relaxed version A X B Equations can be interpreted over various model types Various semantics of composition and equivalence 55

Discrete semantics The main (controller) synthesis equation or a more relaxed version A X B A X B Models : Finite state automata Composition : Equivalence : Order : L(A B) = L(A) I L(X) A B iff L(A) = L(X) A B iff L(A) L(X) Continuous semantics The main (controller) synthesis equation or a more relaxed version A X B A X B Models : Control systems Composition : Feedback composition Equivalence : Asymptotic equivalence Order : Not much 56

Notions of equivalence Language equivalence for finite state systems has served us well as a notion of system equivalence for systems which are NOT interacting with other systems Asymptotic equivalence for control systems has served us well as a notion of system equivalence for systems which are NOT interacting with other systems Challenge : Reactive notions of system equivalence Two coffee machines* coffee tea 5c 5c coffee 5c 5c tea 5c tea (5c) 5c coffee (50c) tea (5c) 5c coffee (50c) S S *R Milner, Communicating and mobile systems : the pi-calculus, Cambridge University Press, 999 57

Two coffee machines coffee tea 5c coffee 5c tea 5c L(S ) = L(S )! 5c 5c S S Nondeterminism! Consider two transition systems Simulation Relations S = ( Q, i,σ, S = ( Q, i,σ, over the same set of labels and observations A relation R Q Q is called a simulation relation if it Respects initial states (i,i ) R ) ) Respects transitions ' q σ q R R ' q σ q If a simulation relation exists, then S S 58

Game theoretic semantics Simulation is a matching game between the systems coffee tea 5c coffee 5c tea 5c 5c 5c S S The transition systems are bisimilar iff S S and S S Relationships Simulation CTL Bisimulation CTL * Language Inclusion Reachability Language Equivalence LTL If S S then L(S ) L(S ) If S S then L(S ) = L(S ) Converse statements are true for deterministic systems 59

Bi-simulations of control systems* (t) u x (t) = A x (t) + B u (t) + E d (t) y (t) = C x (t) S (t) y L(S ) = {(u (t), y (t)) x (t), d (t) satisfying equations} (t) u x (t) = A x (t) + B u (t) + E d (t) y (t) = C x (t) S (t) y L(S ) = {(u (t), y (t)) x (t), d (t) satisfying equations} *GJ Pappas, G Lafferriere, and S Sastry, Hierarchically Consistent Control Systems, IEEE TAC, June 000 *GJ Pappas, Bisimilar linear systems, Automatica, 003 *P Tabuada and GJ Pappas, Bisimilar control affine systems, Systems and Control Letters, 004 *A van der Schaft, Bisimulations of dynamical systems, Hybrid Systems : Computation and Control, 004 Non-deterministic dynamics x (t) = A x (t) + E d (t) y (t) y (t) = C x (t) S x (t) = A x (t) + E d (t) (t) y (t) = C x (t) S y A relation R is a simulation relation if for all d (t) d (t) x(0) x (t) R d (t) d (t) R x(0) x (t) C x (t) = Cx (t) R is a bi-simulation if converse is true as well 60

H-related systems* x (t) = A x (t) + E d (t) y (t) y (t) = C x (t) S x (t) = A x (t) + E d (t) (t) y (t) = C x (t) S y A linear relation (x,hx) is a simulation relation iff for all d H(A + S x + Ed ) = AHx Ed C = CH simulates or is H - related to S d *GJ Pappas, G Lafferriere, and S Sastry, Hierarchically Consistent Control Systems, IEEE TAC, June 000 Deterministic systems x (t) = A x (t) y (t) y (t) = C x (t) S x (t) = A x (t) (t) y (t) = C x (t) S y A linear relation (x,hx) is a simulation relation iff HA = AH C H C = Restrictive! 6

Advantage of non-determinism x (t) = A x (t) + E d (t) y (t) y (t) = C x (t) S? S (t) y Given surjective map x = can we construct S simulating? Hx A = HAH C = CH + + E = [HE HAKer(H)] if Ker(H) Ker(C ) *GJ Pappas, G Lafferriere, and S Sastry, Hierarchically Consistent Control Systems, IEEE TAC, June 000 S Two remarks Abstraction is always possible in the class of nondeterministic systems The more you abstract, the more non-determinism you generate 6

Bi-simulation is finer x (t) = x (t) x (t) = d (t) y (t) = x (t) z = x z (t) y (t) = d (t) = z (t) S L(S ) = L(S ) S S S S S S When is (x,hx) a bisimulation relation? S Bisimilar linear systems* x (t) = A x (t) + E d (t) y (t) y (t) = C x (t) S x (t) = A x (t) + E d (t) (t) y (t) = C x (t) S y S S Let be H-related to Then the relation (x,hx) is a bi-simulation relation if and only if A Ker(H) Ker(H) + R(E ) *GJ Pappas, Bisimilar linear systems,automatica, 003 *A van der Schaft, Bisimulations of dynamical systems, Hybrid Systems : Computation and Control, 004 63

Coarsest Bisimulation Find map x = Hx which abstracts as much as possible Thus Ker(H) must be maximal but also must Preserve observations Ker(H) Ker(C ) Preserve transitions A Ker(H) Ker(H) + R(E ) This lead to the well known algorithm Coarsest Bisimulation Algorithm Maximal controlled invariant subspace computation V0 = Ker(C ) Vk + = Vk A (Vk + R(E )) Then V * = V n is the maximal desired subspace Once V* is computed, then pick map x = Hx Ker(H)=V* and construct the H-related system such that 64

Similar relationships Simulation Bisimulation Language Inclusion Language Equivalence If S S then L(S ) L(S ) If S S then L(S ) = L(S ) If S S then H(Reach(S,X)) Reach(S,H(X)) Extensions Bi-simulations of nonlinear systems GJ Pappas and SSimic, Consistent abstractions of affine control systems, IEEE TAC 00 P Tabuada and GJ Pappas, Abstractions of Hamiltonian systems, Automatica, 003 P Tabuada and GJ Pappas, Bisimilar control affine systems, Systems and control letters, 003 K Grasee, Admissibility of trajectories in Phi-related systems, MCSS 003 A van der Schaft, Bisimulations of dynamical systems, Hybrid Systems : Computation and Control, 004 Unifying discrete and continuous notions E> Hagverdi, P Tabuada, GJ Pappas, Bisimulations of discrete, continuous, and hybrid systems, Theoretical Computer Science, Submitted AAJulius, AJ van der Schaft, A behavioral framework for compositionality, MTNS 004 Extensions to hybrid systems P Tabuada, GJ Pappas, P Lima, Composing abstractions of hybrid systems, Discrete even dynamic systems, 004 A van der Schaft, Bisimulations of dynamical systems, Hybrid Systems : Computation and Control, 004 65