Safety verification of non-linear, planar proportional control with differential inclusions

Hallstein Asheim Hansen
Department of Technology
Buskerud University College
Kongsberg, Norway
Email: hallsteinh@hibu.no
Abstract—A mathematical model of an embedded control
system will rarely exhibit the exact behavior of the system, but
one can still capture this behavior by including some measure
of uncertainty in the models. Physical systems are also often
influenced by embedded controllers, adding to the complexity of
the models. To verify safety properties of such systems we must be
able to check reachability, that is, whether the systems may end
up in some undesirable state. A Generalized Polygonal Hybrid
System (GSPDI) is a restricted form of hybrid automaton where
reachability is decidable, unlike hybrid automata in general.
By over-approximating a system given by a complex class of
hybrid automata by a GSPDI, we may still verify the safety
of the system. In this paper we give a new algorithm which
over-approximates a restricted, yet powerful, class of planar
hybrid automata where the behavior can be non-linear, nondeterministic, and with different dynamics for different parts
of the state space. We also show that this class of automata
is expressive enough to model embedded proportional control
systems.
Keywords-embedded systems, formal methods, control theory,
hybrid systems, safety verification, model checking
I. INTRODUCTION
An embedded control system consists of a controller designed to alter the behavior of a continuous dynamical system
[1]. When represented mathematically, the model of a controlled dynamical system includes the state of the dynamical
system, its behavior, the influence of the controller, and some
measure of uncertainty inherent in most physical systems.
The presence of uncertainty in the system introduces nondeterminism, which can be modeled using differential inclusions [2]. Also, different differential inclusions may govern
the behavior of the controller based on which discrete state
the system is in.
A hybrid system combines both discrete and continuous
behavior and is commonly represented as a hybrid automaton
[3]. Hybrid automata can exhibit both non-determinism and
varying system dynamics, making them good candidates for
describing embedded control systems.
A common analytical problem for such systems is that of
safety verification, which can be proved by answering the
reachability question: Are there any undesirable states reachable from the initial configuration? Answering this question is
particularly challenging when system dynamics are non-linear.
Over-approximation, and in this particular case hybridization, is the process of transforming a system in one representation into another system with a different representation
yet containing an abstraction of the behavior of the original
system. The approximation is thus conservative. The state
space reachable in the original system must still be reachable
in the transformed system in order to prove the absence of
safety violations.
The reachability problem for hybrid automata is undecidable
in general, but we can hybridize our models into subclasses
of hybrid automata, such as the Generalized Polygonal Hybrid
System (GSPDI for short), for which reachability has been
proved decidable [4]. Earlier we have implemented the tool
GSPeeDI [5], [6], which checks reachability for GSPDIs. This
tool also demonstrates how an implementation may hybridize
autonomous systems of two first-order differential equations
using an approximation algorithm [7]. In the algorithm the
over-approximation can be made as precise as desired by
approaching the deterministic behavior of the original system,
except in an arbitrarily small subset of the domain of the
system. We prove that the algorithm is sound, which means the
produced GSPDI includes the behavior of the original system,
and complete in the sense that it approximates the original
system to some measure of precision.
While systems of non-linear differential equations can be
used to model many physical systems, they are limited in that
they are deterministic and so cannot model uncertainties, and
in that it is not possible to represent a discrete change of
dynamics. In this paper we extend the class of systems we can
hybridize into GSPDIs to planar continuous non-overlapping
hybrid automata where the system behavior is represented
by systems of first-order time-invariant non-linear differential
inclusions. Continuous non-overlapping hybrid automata is
a restricted class of hybrid automata where the continuous
variables of the automata cannot be reset, and where the
valuations of the variables uniquely determine the location of
the automata. Despite these restrictions we show that among
the systems we can model with these automata are systems
augmented with the widely used proportional controller [1].
The rest of the paper is organized as follows. Section II
introduces notation and some mathematical results needed
in the subsequent text, and defines hybrid automata and
GSPDIs. Section III presents our theoretical results and the
hybridization algorithm. In Section IV we survey related work
before we investigate possible future work and conclude in
Section V.
II. MATHEMATICAL PRELIMINARIES
In this section we present notations and definitions needed
in the rest of the paper. We assume familiarity with Euclidean
geometry, in particular vector operations. In the following we
assume that, unless stated otherwise, vectors are normalized,
so that two vectors are equal iff their directions are equal. The
unit circle is the circle with center at the origin and radius 1,
and a vector x specifies a point on the unit circle. Henceforth,
x refers to a vector as well as to the corresponding point on
the unit circle.
An arc $\angle_a^b$ is a portion of the circumference of the unit circle, bounded by its end points, a and b, where a is assumed located clockwise of b. On the unit circle, the length of an arc, written $|\angle_a^b|$, is also the angle between a and b, measured in the interval [0, 2π]. We write $x \in \angle_a^b$ if vector x is located clockwise of b and counter-clockwise of a. If both $x \in \angle_a^b$ and $y \in \angle_a^b$ then we say that $\angle_x^y \subseteq \angle_a^b$ (if x is located clockwise with respect to y), and so forth.
While a differential equation is of the form $\frac{dx}{dt} = f(t, x(t))$, $t \in \mathbb{R}$, $x(t) \in \mathbb{R}^n$, where $f(t, x(t))$ is a point in $\mathbb{R}^n$, a differential inclusion [2] takes the form $\frac{dx}{dt} \in F(t, x(t))$, where $F(t, x(t))$ is a set of elements from $\mathbb{R}^n$. If for a differential inclusion F where the input x(t) gives the output F(t, x(t)) we have that F(t, x(t + δt)) = F(t + δt, x(t + δt)), we say that the inclusion is time-invariant.
Definition 1 (Time-invariant differential inclusion system): Let e represent uncertainties from some interval E ⊆ R, x(t), y(t) ∈ R state variables, f and g first order, time-invariant, ordinary, possibly non-linear differential equations. We define the differential inclusions F and G as F(x(t), y(t)) = {f(x(t), y(t), e) | e ∈ E} and G(x(t), y(t)) = {g(x(t), y(t), e) | e ∈ E}. A time-invariant differential inclusion system (TIDIS) S is a tuple ⟨Q, F, G⟩ with domain Q ⊂ R² a convex polygon, and
$$\frac{dx}{dt} \in F(x(t), y(t)), \qquad \frac{dy}{dt} \in G(x(t), y(t)).$$
The possible behaviors of a TIDIS S at a given point $(x(t_i), y(t_i))$ is the set of vectors $F(x(t_i), y(t_i)) \times G(x(t_i), y(t_i))$. For reachability, however, it is relevant only whether, not when, some point is reached, and so the lengths of the behavior vectors are irrelevant in this case. Thus we can normalize the behavior of a TIDIS as follows:
Definition 2 (Normalization): Let $X \subset \mathbb{R}^2$ be equal to the unit circle. Then the normalized dynamics of a TIDIS S is given by the function $N : \mathbb{R}^2 \to 2^X$:
$$N(x(t), y(t)) = \{(f(x(t), y(t), e)/r,\ g(x(t), y(t), e)/r) \mid e \in E,\ r \neq 0\}$$
where
$$r = \sqrt{f(x(t), y(t), e)^2 + g(x(t), y(t), e)^2}.$$
The function is undefined for r = 0, that is f(x(t), y(t), e) = g(x(t), y(t), e) = 0.
Fig. 1. System state, behavior, and behavior limit vectors. a) System state $p_i = (x_i, y_i)$. b) System behavior $\hat p_i$, decomposed as $\hat x_i$ and $\hat y_i$, with one dynamic vector $\dot p_i = (\dot x_i, \dot y_i)$. c) System behavior with behavior limit vectors $p_i^+$ and $p_i^-$.
To simplify notation we refer to the point $(x(t_i), y(t_i))$ as $p_i = (x_i, y_i)$, the set of normalized dynamics of $p_i$ as $\hat p_i$ decomposed as $\hat x_i$ and $\hat y_i$, and one normalized dynamic vector as $\dot p_i = (\dot x_i, \dot y_i)$, $\dot p_i \in \hat p_i$. See Figure 1-a) and 1-b).
Given a TIDIS S with state $p_i$ where $(0, 0) \in \hat p_i$, then $p_i$ is an equilibrium point. If $\hat p_i = \{(0, 0)\}$, then S cannot change its state from state $p_i$. We denote by $p_i^+$ and $p_i^-$ the upper and lower behavior limit vectors of $\hat p_i$, the vectors in $\hat p_i$ such that for all other vectors $\dot p_i \in \hat p_i$ we have $\dot p_i \in \angle_{p_i^-}^{p_i^+}$. See Figure 1-c) for a visualization. If $\hat p_i$ contains one element only, then the behavior is deterministic at point $p_i$ and $p_i^+ = p_i^-$.
We illustrate these definitions using the damped pendulum:
Example 1 (Pendulum): A damped pendulum of mass m, length l, and gravitational acceleration g, can be modeled as a non-linear differential inclusion in two state variables, namely the angle θ(t) and angular velocity dθ/dt of the pendulum, see Figure 2. The damping, due to friction, is represented by a constant c with a deviation e drawn from some interval E ⊆ R. If we let x = θ and y = dθ/dt we can model the pendulum by the following TIDIS:
$$\frac{dx}{dt} \in \{y(t)\}, \qquad (1)$$
$$\frac{dy}{dt} \in \left\{ -\frac{c + e}{ml}\, y(t) - \frac{g}{l} \sin x(t) \;\middle|\; e \in E \right\}. \qquad (2)$$
A particular example is the system $\frac{dx}{dt} \in \{y(t)\}$, $\frac{dy}{dt} \in \{-\frac{25 + e}{100}\, y(t) - \sin x \mid e \in [-1, 1]\}$. At point $p_i = (1, 2)$ we get $\hat p_i \approx \{(\dot x_i, \dot y_i) \mid \dot x_i \in [0.827, 0.834],\ \dot y_i \in [-0.562, -0.551],\ \sqrt{\dot x_i^2 + \dot y_i^2} = 1\}$. Any potential behavior $\dot p_i$ of the system at this point is bounded by $\angle_{p_i^-}^{p_i^+}$ where $p_i^+ = (0.827, -0.562)$, $p_i^- = (0.834, -0.551)$.
Fig. 2. The damped pendulum $\frac{dx}{dt} \in \{y(t)\}$, $\frac{dy}{dt} \in \{-(0.25 + \frac{e}{100})\, y(t) - \sin x\}$ with a trajectory starting at (1, 1).
If we choose two points, $p_i$ and $p_j$, close to each other, we would like their behaviors to be similar as well. However, this is not always the case: For the pendulum example, if we choose the points $p_i = (0.00001, 0.00002)$ and $p_j = (0.00002, 0.00001)$, which are 0.000014 apart, their behaviors are still separated by a distance of 0.5 according to the following definition.
Definition 3 (Behavior distance): For points x, y on the unit circle, let x − y be the length of the shortest arc between them. Let $A = [\underline{a}, \overline{a}]$ and $B = [\underline{b}, \overline{b}]$ be arcs on the unit circle. Then the behavior distance d[A, B] is defined as
$$d[A, B] = |\underline{a} - \underline{b}| + |\overline{a} - \overline{b}|.$$
Lemma 1 (Metric): The behavior distance is a metric.
Proof: For a distance to be a metric the following conditions must hold, for arcs A, B, C:
1. d[A, B] ≥ 0 (Non-negativity)
2. d[A, B] = 0 ⇔ A = B (Identity)
3. d[A, B] = d[B, A] (Symmetry)
4. d[A, C] ≤ d[A, B] + d[B, C] (Triangle inequality)
The conditions hold because:
1) The behavior distance is defined as the sum of two absolute values.
2) We have that $|\underline{a} - \underline{b}| + |\overline{a} - \overline{b}| = 0$ if and only if $\underline{a} = \underline{b}$ and $\overline{a} = \overline{b}$.
3) We have that $|\underline{a} - \underline{b}| = |\underline{b} - \underline{a}|$ and $|\overline{a} - \overline{b}| = |\overline{b} - \overline{a}|$.
4) The triangle inequality holds on R, so $|\underline{a} - \underline{c}| \leq |\underline{a} - \underline{b}| + |\underline{b} - \underline{c}|$ and $|\overline{a} - \overline{c}| \leq |\overline{a} - \overline{b}| + |\overline{b} - \overline{c}|$, leading to $|\underline{a} - \underline{c}| + |\overline{a} - \overline{c}| \leq |\underline{a} - \underline{b}| + |\overline{a} - \overline{b}| + |\underline{b} - \underline{c}| + |\overline{b} - \overline{c}|$.
With a metric for the image of the normalized dynamics pb of
a point, we define what it means for the normalized behavior
of a TIDIS to be Lipschitz continuous.
Fig. 3. Proportionally controlled TIDIS. The hybrid automaton has four locations, off, proportional, max and min, in which dx/dt = F(x, y, E, u) and dy/dt = G(x, y, E, u) with u = 0, u = kp ε, u = umax and u = umin respectively; the edges between them are guarded by (¬a), (a ∧ εmin < ε < εmax), (a ∧ ε ≥ εmax) and (a ∧ ε ≤ εmin).
Definition 4 (Lipschitz continuity of TIDISs): Let P ⊂ R² be a convex polygon. A TIDIS S is Lipschitz continuous (or just Lipschitz for short) on P if there exists a constant K ∈ R such that for all points $p_i, p_j \in P$
$$d[\hat p_i, \hat p_j] \leq K \|p_i - p_j\|.$$
We will only consider systems where the normalization
function N is Lipschitz on all subsets of R2 except for
arbitrarily small neighborhoods around a finite number of
(isolated) points, the non-Lipschitz points.
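As an added example (not code from the paper or from the GSPeeDI tool), the following Python program computes the normalized behavior of Definition 2, the behavior limit vectors, the behavior distance of Definition 3 and the Lipschitz ratio of Definition 4 for the pendulum of Example 1. It evaluates only the two end points of E, which suffices here because dy/dt is affine in e while dx/dt does not depend on e, so the direction of the behavior vector is monotone in e; the labelling of the limit vectors by polar angle, and the names pendulum, behavior_limits, arc_distance, behavior_distance and lipschitz_ratio, are the example's own assumptions.

```python
import math

# Constructed uncertainty interval E for the pendulum of Example 1.
E_INTERVAL = (-1.0, 1.0)


def pendulum(x, y, e):
    """One element of F x G for the pendulum of Example 1 with
    c = 25/100, g/l = 1: dx/dt = y, dy/dt = -(25 + e)/100 y - sin x."""
    return y, -(0.25 + e / 100.0) * y - math.sin(x)


def normalize(dx, dy):
    """Definition 2: project a behavior vector onto the unit circle."""
    r = math.hypot(dx, dy)
    if r == 0.0:
        raise ValueError("normalization is undefined at an equilibrium point")
    return dx / r, dy / r


def behavior_limits(x, y, e_interval=E_INTERVAL):
    """Lower and upper behavior limit vectors at (x, y), evaluated at the
    end points of E (assumption: the direction is monotone in e, which holds
    because dy/dt is affine in e and dx/dt is independent of e).  The vector
    with the smaller polar angle (the clockwise end) is returned first."""
    vecs = [normalize(*pendulum(x, y, e)) for e in e_interval]
    vecs.sort(key=lambda v: math.atan2(v[1], v[0]))
    return vecs[0], vecs[1]


def arc_distance(u, v):
    """Length of the shortest arc between two points on the unit circle."""
    d = abs(math.atan2(u[1], u[0]) - math.atan2(v[1], v[0])) % (2 * math.pi)
    return min(d, 2 * math.pi - d)


def behavior_distance(x1, y1, x2, y2):
    """Definition 3: d[A, B] = |a_low - b_low| + |a_high - b_high| for the
    behavior arcs A and B of the two points."""
    a_low, a_high = behavior_limits(x1, y1)
    b_low, b_high = behavior_limits(x2, y2)
    return arc_distance(a_low, b_low) + arc_distance(a_high, b_high)


def lipschitz_ratio(x1, y1, x2, y2):
    """d[A, B] / ||p1 - p2||, which Definition 4 bounds by K on a Lipschitz
    region; it grows without bound as both points approach the equilibrium."""
    return behavior_distance(x1, y1, x2, y2) / math.hypot(x1 - x2, y1 - y2)


if __name__ == "__main__":
    print("limits at (1, 2):", behavior_limits(1.0, 2.0))
    print("ratio far from origin:", lipschitz_ratio(1.0, 2.0, 1.001, 2.001))
    print("ratio near origin:", lipschitz_ratio(1e-5, 2e-5, 2e-5, 1e-5))
```

The limit vectors returned for (1, 2) agree with the values given in Example 1 to three decimals, and the two Lipschitz ratios show the contrast the text describes: a small constant away from the origin, and a very large value for the two points near the equilibrium, which is why (0, 0) has to be treated as a non-Lipschitz point.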
In addition to the continuous evolution of the systems, it is
often useful to add discrete behavior to a TIDIS. For example,
in Figure 2 the pendulum spirals towards an equilibrium point
(0, 0), losing velocity and amplitude and eventually (in the real
world) halting. If we wanted to prevent the pendulum from
halting, we could alter its behavior with a controller device.
By adding a controller to a TIDIS we can end up with
a system that cannot be described by a set of differential
inclusions alone; the system will have a discrete part. Hybrid
automata are commonly used to capture such behavior [3].
Definition 5 (Hybrid automaton): A hybrid automaton H is a tuple (Loc, Var, Lab, Edg, Act, Asg, Inv, Init, Guard), where
• Loc = {l1, . . . , lm} is a finite set of locations.
• Var = {x1, . . . , xn} is a finite set of real-valued variables, and {dx1/dt, . . . , dxn/dt} their derivatives.
• Lab is a set of labels.
• Edg is a set of tuples from Loc × Lab × Loc.
• Act is a function that maps continuous functions (time-invariant differential inclusions) on the variables to the locations.
• Asg is a function that maps discrete variable assignments to the edges.
• Inv is a set of invariant conditions on the locations.
• Init is a set of initial conditions on the locations.
• Guard is a set of guard conditions on the edges.
The state of a hybrid automaton is the current location and current valuations of the variables, (li, x1, . . . , xn).
We will focus on a class of hybrid automata that does not have assignments and where the valuations of the variables uniquely determine the current location.
Definition 6 (Continuous non-overlapping hybrid automaton): A continuous non-overlapping hybrid automaton (CN-HA) C is a hybrid automaton subject to the following restrictions:
• The domain of Asg is ∅.
• The state of C is the current valuations of the variables, (x1, . . . , xn), and the current location of C is given as a function of the state.
The second restriction of the definition means that the valuations of the variables uniquely determine the location of a CN-HA. In the following we will assume that Var = {x, y} for any CN-HA, and that the valuations (x, y) ∈ Q where Q is a convex polygon.
Definition 7 (Border): For a CN-HA C with domain Q the border β(Q) ⊆ Q is the set of all the points p ∈ Q such that for all neighborhoods neigh(p) of p there exist two states (l1, x1, y1), (l2, x2, y2) ∈ neigh(p) where l1 ≠ l2. A convex polygon P ∈ Q is a border region if it contains at least one point from β(Q).
Since the borders between locations are one-dimensional, the area of β(Q) is 0. See Figure 4-a) for an illustration of the definition.
Fig. 4. a) A border region with a curved border between locations l1 and l2, with example behavior vectors. b) The resulting behavior in the region for a hypothetical GSPDI.
A commonly used controller is the proportional controller [1].
Definition 8 (Proportional controller): Let S be a TIDIS and let the constant kp represent the ability of the controller to change the state of the TIDIS (the gain), and let the constants umin and umax represent the limits of the range of influence of the controller. At time t, let ε(t) be the difference between the desired state SP(t) of S (the set point) and the actual state PV(t) of S (the process value) such that ε(t) = SP(t) − PV(t). Then a proportional controller u is defined as
$$u = \begin{cases} 0 & \text{if } \neg a \\ u_{max} & \text{if } a \wedge \varepsilon(t) \geq \varepsilon_{max} \\ k_p\, \varepsilon(t) & \text{if } a \wedge \varepsilon_{min} < \varepsilon(t) < \varepsilon_{max} \\ u_{min} & \text{if } a \wedge \varepsilon(t) \leq \varepsilon_{min} \end{cases}$$
where a is a boolean predicate on the state variables of the system, εmin = umin/kp, and εmax = umax/kp.
From this definition we can give a formal definition of a TIDIS controlled by a proportional controller.
Definition 9 (Proportionally controlled TIDIS): Given a TIDIS S = ⟨Q, F, G⟩, a proportionally controlled TIDIS S' = ⟨Q, F, G, A⟩ is a hybrid automaton A restricted to domain Q and with Act = {F, G} for all locations l ∈ A, as shown in Figure 3.
Example 2 (Proportionally controlled pendulum): We would like our pendulum to move about the equilibrium point (0, 0) in a circle of radius 1, $\varepsilon(t) = 1 - \sqrt{x(t)^2 + y(t)^2}$. By setting umin = −2, umax = 2 and kp = 3 we get εmin = −2/3 and εmax = 2/3. The controller operates by increasing the acceleration of the pendulum as it descends in one direction, i.e. a = (x < 0 ∧ y > 0). The locations of the resulting hybrid automaton are illustrated in Figure 5-a), and an example trajectory in Figure 5-b).
Fig. 5. Top: The locations, {min, proportional, max, off}, of a proportionally controlled pendulum hybrid automaton. Bottom: Example trajectory.
We check safety properties of proportionally controlled TIDISs by approximating the system with an abstraction in which reachability is decidable, namely a GSPDI [8], [4].
Definition 10 (GSPDI): A Generalized Polygonal Hybrid System (GSPDI) is a pair G = ⟨P, F⟩, where P is a finite partition of the plane. Each P ∈ P, called a region, is a convex polygon with area area(P). The union ∪P of all regions is called the domain of the GSPDI and assumed to be a convex polygon of finite area itself. F is a function associating a pair of vectors to each region, i.e., F(P) = (aP, bP). Every point on the plane has its dynamics defined according to which polygon it belongs to: if p ∈ P, then $\dot p \in \angle_{a_P}^{b_P}$. The diameter of the smallest disc that contains a region P is denoted diam(P).
A trajectory is a singular "run" of some system through that system's state space, given as a function on the independent variable, often interpreted as time. For a GSPDI, trajectories are determined by their direction of movement. In particular their tangent vectors at all points should stay within the bounding angles $\angle_{a_P}^{b_P}$ (per region P). For a hybrid automaton a trajectory is a sequence of adjacent intervals with a continuous trajectory segment in each interval, where the intervals represent the continuous part of the hybrid automaton and the discrete transitions take place at the end points of the intervals.
Fig. 6. a) Prefix of a trajectory of a GSPDI. pa refers to a single state (xa, ya). b) Prefix of a trajectory of a hybrid automaton composed of three trajectory segments, which obey the dynamics of locations l1, l2, and l3 respectively, and where the dashed lines represent discrete resets. pb refers to two states (l1, xb, yb) and (l2, xb, yb). c) Prefix of a trajectory of a CN-HA. pc refers to a single state (xc, yc), where location l2 is implicit.
Definition 11 (Trajectory):
1) A trajectory of a GSPDI G, written ξ ∈ G, is a continuous and almost-everywhere differentiable function ξ : R≥0 → R² s.t. the following holds: whenever ξ(t) ∈ P for some P ∈ P, then its derivative $\dot\xi(t) \in \angle_{a_P}^{b_P}$.
2) A trajectory of a hybrid automaton H, written ξ ∈ H [3], is a run of the automaton represented as a sequence of intervals {Ξi | i ∈ N}, where Ξi = [ξ(ti), ξ(t'i)], t0 = 0, ti ≤ t'i, and t'i = ti+1. For each point in time tj, ξ(tj) is the state (lj, x1, . . . , xn) of the hybrid automaton. For each interval Ξi the automaton H is in a single location l, and each trajectory segment ξ is a function ξ : [ti, ti+1] → R².
In Figure 6-a) and 6-b) we show the differences between
trajectories of GSPDIs and hybrid automata. By resolving
these differences we can relate CN-HAs and GSPDIs through
the following approximation relation [7].
Definition 12 (Approximation): A GSPDI G = ⟨P, F⟩ approximates a CN-HA C (written G ≥ C) if ξ ∈ C implies ξ ∈ G.
We can sort the regions P ∈ P into two sub-partitions P_L (the Lipschitz regions of G) and P_N (the non-Lipschitz regions of G) of P, where P ∈ P_L if C is Lipschitz on P, and P ∈ P_N if not.
III. HYBRIDIZATION ALGORITHM
In this section we will first show that proportionally controlled TIDISs are a subclass of CN-HAs, and that it is
possible to hybridize a CN-HA into a GSPDI. Then we
introduce measures of precision which enable us to compare
the respective precision of two approximating GSPDIs. Finally
we give an algorithm which takes a CN-HA and precision
bounds as input, and outputs an approximating GSPDI that
respects the precision bounds.
Lemma 2 (CN-HAs): If a hybrid automaton G is a proportionally controlled TIDIS, then it is also a CN-HA.
Proof: The lemma follows directly from Definition 9: A
proportionally controlled TIDIS has Asg = ∅, and the state
uniquely determines the current location of the automaton.
The trajectories of a CN-HA have the same properties as those
of a GSPDI.
Lemma 3 (CN-HA trajectory): The trajectories ξ of a CN-HA C are continuous and almost-everywhere differentiable functions R≥0 → R².
Proof: The trajectories of a CN-HA have, since the
locations are redundant in the states of the automaton by
Definition 6, R2 as their image, and time, R≥0 , as their
domain by Definition 11. From Definition 11 we also have
that a trajectory of a hybrid automaton consists of a sequence
of intervals, where the trajectory is continuous and almost
everywhere differentiable in each interval. Since by Definition
6 we do not have resets in a CN-HA, the trajectories will
also be continuous across interval boundaries and, assuming
non-zeno behavior, almost everywhere differentiable.
As an illustration of the lemma we show an example
trajectory of a CN-HA in Figure 6-c). Note that, compared
to the trajectory of the general hybrid automaton in Figure
6-b), the locations do not overlap, and the CN-HA trajectory
never ’jumps’.
Lemma 4 (Approximation): Let C be a CN-HA, and G = ⟨P, F⟩ a GSPDI with a region P ∈ P. For all trajectories ξ ∈ C and all points ξ(t) ∈ P, if it is the case that $\dot\xi(t) \in \angle_{a_P}^{b_P}$, then G ≥ C.
Proof: The lemma follows directly from Lemma 3 and Definitions 11 and 12.
In the following we assume for all regions P ∈ P that $\angle_{a_P}^{b_P}$ is the arc with the shortest length such that Lemma 4 holds.
If we make finer and finer partitions P of the domain Q of
C, we can generate GSPDIs whose behaviors become more
and more restricted while still being approximations of some
CN-HA C.
Definition 13 (Refinement): Given two GSPDIs G = ⟨P, F⟩ and G' = ⟨P', F'⟩, we say that G' refines G properly, written G' < G, if P' is a sub-partition of P, and furthermore $|\angle_{a_{P'}}^{b_{P'}}| < |\angle_{a_P}^{b_P}|$, where P and P' with P' ⊆ P are Lipschitz regions for G, resp. of G', i.e., P ∈ P_L and P' ∈ P'_L.
Obviously, there will be some limit to how restricted the behavior of a GSPDI may be and still remain an over-approximation. If we consider the behavior of a single region P, the following definition is useful:
Definition 14 (Minimal behavior): For a CN-HA C with domain Q and a region P ⊂ Q, a minimal behavior point $\min_P$ is a point $\min_P \in P$ such that $|\angle_{\min_P^-}^{\min_P^+}| \leq |\angle_{p^-}^{p^+}|$ for all p ∈ P. The arc length $|\angle_{\min_P^-}^{\min_P^+}|$ is the minimal behavior of P.
We cannot have an approximating GSPDI where $|\angle_{a_P}^{b_P}| < |\angle_{\min_P^-}^{\min_P^+}|$. This lower bound on the normalized behavior does not decrease as we partition P:
Lemma 5 (Increasing minimal behavior): Let C be a CN-HA with domain Q, P ∈ Q be a region, and P' ⊆ P be a sub-region of P, then $|\angle_{\min_P^-}^{\min_P^+}| \leq |\angle_{\min_{P'}^-}^{\min_{P'}^+}|$.
Proof: By definition $|\angle_{\min_P^-}^{\min_P^+}| \leq |\angle_{p^-}^{p^+}|$ for all p ∈ P, and P' is contained in P.
The lemma is illustrated in Figure 7 and forms the basis of
the following definition:
Fig. 7. As we partition region $P_0$ into $P_1$ and $P_2$, we see that the difference in length between the minimal behavior $\angle_{P^-}^{P^+}$ and the arc $\angle_{a_P}^{b_P}$ is less in $P_1$ and $P_2$ than in $P_0$.
Definition 15 (Measures for precision): Assume a CN-HA C, a GSPDI G = ⟨P, F⟩, G ≥ C, and two disjoint sets X, Y such that P = X ∪ Y. Let θ : R² → [0, 2π] be a function that maps a region P ∈ P to $|\angle_{a_P}^{b_P}| - |\angle_{\min_P^-}^{\min_P^+}|$. We will overload this function symbol and let $\theta : 2^{\mathbb{R}^2} \to [0, 2\pi]$ and $\delta : 2^{\mathbb{R}^2} \to [0, 1]$ be functions such that
1) θ(X) is the maximum θ(X) for all X ∈ X.
2) δ(Y) is the relative weight of the regions of Y, area(∪Y) / area(∪P).
Let Θ ∈ [0, 2π] and ∆ ∈ [0, 1]. We say that G obeys the bounds Θ and ∆ if θ(X) ≤ Θ and δ(Y) ≤ ∆ for partition P where P = X ∪ Y.
Before we show the existence of approximating GSPDIs for any CN-HA C while obeying some bounds Θ and ∆, we need the following lemma.
Lemma 6 (Vanishing sub-partition): Let ε ∈ R and let X ⊆ Q be a set where area(X) = 0. Then there exists a partition Y of Q where each Y ∈ Y is a convex polygon and X ⊆ ∪Y, such that area(∪Y) ≤ ε.
Proof: Since the area of X is 0, X is a collection of one- and zero-dimensional entities. We let the partition Y be a closer and closer approximation of lines and points respectively, until area(Y) ≤ ε.
For a CN-HA there does exist a GSPDI that obeys any precision bounds.
Lemma 7 (Existence of approximation): Given a CN-HA C and bounds Θ and ∆, there exists a GSPDI G = ⟨P, F⟩, G ≥ C, such that G obeys Θ and ∆.
Proof: The lemma imposes two conditions on the precision of G.
1) For the first condition we will consider a Lipschitz region P ∈ P_L of C. Definition 4 of Lipschitz continuity gives $d[\hat p_i, \hat p_j] \leq K \|p_i - p_j\|$ for all points $p_i, p_j \in P$, where K is the Lipschitz constant of P. The upper bound on $\|p_i - p_j\|$ is diam(P), thus $d[\hat p_i, \hat p_j] \leq K \cdot \mathrm{diam}(P)$. If we make diam(P) → 0 we have $d[\hat p_i, \hat p_j] \to 0$ since K is a constant, and in particular for some minimal behavior point $\min_P$ of P, $d[\hat p_i, \angle_{\min_P^-}^{\min_P^+}] \to 0$. Because of this, and as a consequence of Lemma 5, the behavior angle of P approaches that of some minimal behavior point $\min_P$ as P shrinks, i.e. $\angle_a^b \to \angle_{p^-_{\min_P}}^{p^+_{\min_P}}$, and consequently $\theta(P) = |\angle_a^b| - |\angle_{p^-_{\min_P}}^{p^+_{\min_P}}| \to 0$. If we repeat this for all P ∈ P_L, we get θ(P_L) → 0 and subsequently less than Θ.
Algorithm 1 Construct a GSPDI from a CN-HA with bounds Θ and ∆.
Input: CN-HA C, Θ ∈ [0, 2π], ∆ ∈ [0, 1]
Empty queue P_BAD, and empty collection P_OK
P_BAD.insert(Q)
while area(P_BAD) > ∆ · area(Q) do
    P := P_BAD.remove()
    $\angle_{a_P}^{b_P}$ := P.getAngle(P.locations())
    $|\angle_{\min_P^-}^{\min_P^+}|$ := P.getMinimalBehavior(P.locations())
    if $|\angle_{a_P}^{b_P}| - |\angle_{\min_P^-}^{\min_P^+}| \leq \Theta$ then
        P_OK.insert(P)
    else
        {P1, . . . , Pn} := P.partition()
        P_BAD.insert(P1, . . . , Pn)
    end if
end while
return P_OK ∪ P_BAD
2) The Lipschitz condition holds in all of Q, except for the arbitrarily small neighborhoods of the non-Lipschitz points, and the border β(Q) (see Figure 4-b)). We know by Lemma 6 that there exists a P_N with area(∪P_N) ≤ ∆ · area(Q) that contains the non-Lipschitz points and the border, since both have area 0.
Lemma 7 guarantees that there is always a GSPDI with θ(X) and δ(Y) arbitrarily small for sets X, Y, trivially by letting P_L = X and P_N = Y. To actually arrive at such a GSPDI, one can iteratively partition the domain Q finer and finer with diam(P) → 0 for all P ∈ P. For that purpose, we assume a function partition, which when applied to a partition of Q produces a sub-partition of convex polygons, for instance by splitting one particular polygon of the current partition. In the following we will assume that we are following a breadth-first strategy, but other strategies might be employed.
Lemma 8 (Partition): Assume a CN-HA C, bounds Θ and ∆, and the breadth-first strategy of applying the partition function on Q. Then in a finite number of steps a partition P is generated such that there exists a GSPDI G = ⟨P, F⟩ with Q = ∪P, and where θ(P_L) ≤ Θ, δ(P_N) ≤ ∆, and G ≥ C.
Proof: The lemma requires application of partition iteratively such that θ(P_L) and δ(P_N) get smaller than the given upper bounds. The breadth-first strategy, where each polygon is split in two equally-sized sub-polygons, guarantees that the regions of the partition of the domain of G get arbitrarily small, and so Lemma 7 will apply.
In Algorithm 1 we present a method for realizing Lemma 8, adapted from [7]. The earlier version of the algorithm only allowed GSPDI generation from systems of differential equations, whereas our extended algorithm accepts CN-HAs, a broader class of system. The algorithm takes a CN-HA C and bounds Θ and ∆ as input, and yields as output a partition P which forms part of a GSPDI G = ⟨P, F⟩ with G ≥ C and where furthermore P can be divided into two sets, P_OK and P_BAD, such that θ(P_OK) ≤ Θ and δ(P_BAD) ≤ ∆ (cf. Algorithm 1).
To maintain the successively finer partitioning of the given domain Q, the algorithm uses two collections of regions P_OK and P_BAD. As loop invariant of the while iteration, the union of P_OK and P_BAD is a partition of the initial convex polygon Q. The collection P_OK contains regions P where θ(P) is less than or equal to Θ. The collection P_BAD, on the other hand, contains those regions whose angles are yet to be computed.
The collection P_BAD keeps the regions in a queue, and during each iteration, the first region P is removed from the head of the queue. For each region we compute the angle $\angle_{a_P}^{b_P}$ and the minimal behavior $|\angle_{\min_P^-}^{\min_P^+}|$. If θ(P) is small enough, i.e., if $|\angle_{a_P}^{b_P}| - |\angle_{\min_P^-}^{\min_P^+}| \leq \Theta$, then P is considered finished and moved to P_OK. Otherwise P is partitioned, and the sub-polygons P1, . . . , Pn are placed at the back of the queue P_BAD. The while loop is executed until the area of P_BAD is less than or equal to the desired threshold, ∆ · area(Q). The return value is the union of P_OK and P_BAD, which is a valid partition P of Q, satisfying both Θ and ∆.
Note that the algorithm does not compute two sets of convex polygons where the underlying CN-HA is Lipschitz in one and not in the other. Instead, these properties are implicitly used to allow the computation of two sets P_OK and P_BAD where θ(P) ≤ Θ for all P ∈ P_OK and where the area of ∪P_BAD ≤ ∆ · area(Q) (cf. also Definition 15, which gives the measures of precision). Note that for a pathological system whose behavior is nowhere Lipschitz, the algorithm has an exponential running time, and will not terminate, while for a system with $|\angle_a^b| \leq \Theta$ for the entire domain Q the algorithm terminates without partitioning.
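The following Python program is an added example of Algorithm 1, not the paper's own implementation and not code from the GSPeeDI tool. It runs the partitioning loop on the proportionally controlled pendulum of Example 2 (Definition 8 with umin = −2, umax = 2, kp = 3 and a = (x < 0 ∧ y > 0)) over a constructed square domain. Three things are assumptions of the example rather than statements of the paper: regions are axis-aligned rectangles halved along their longer side (the breadth-first strategy of Lemma 8); the controller output u is added to dy/dt; and getAngle and getMinimalBehavior are replaced by sampling a grid of points in the region, which gives an estimate of the behavior arc rather than the conservative bound a real implementation needs (the Related Work section points to interval arithmetic for that). The names hybridize, region_angles, smallest_arc and split are the example's own.

```python
import math
from collections import deque

# Constructed parameters from Examples 1 and 2: c = 25/100, e in [-1, 1],
# u_min = -2, u_max = 2, k_p = 3 (so eps_min = -2/3, eps_max = 2/3).
E_INTERVAL = (-1.0, 1.0)
U_MIN, U_MAX, K_P = -2.0, 2.0, 3.0
EPS_MIN, EPS_MAX = U_MIN / K_P, U_MAX / K_P


def controller(x, y):
    """Proportional controller of Definition 8 with set point radius 1."""
    if not (x < 0 and y > 0):          # predicate a of Example 2 is false
        return 0.0
    eps = 1.0 - math.hypot(x, y)       # eps(t) = SP(t) - PV(t)
    if eps >= EPS_MAX:
        return U_MAX
    if eps <= EPS_MIN:
        return U_MIN
    return K_P * eps


def dynamics(x, y, e):
    """One element of F x G at (x, y) for uncertainty e.  Assumption of this
    example (not fixed by the paper): u is added to dy/dt."""
    return y, -(0.25 + e / 100.0) * y - math.sin(x) + controller(x, y)


def normalized_angles(x, y):
    """Directions (radians) of the normalized dynamics at (x, y) for the end
    points of E; dy/dt is affine in e, so these bound the whole set."""
    out = []
    for e in E_INTERVAL:
        dx, dy = dynamics(x, y, e)
        if math.hypot(dx, dy) > 1e-12:  # N is undefined where r = 0
            out.append(math.atan2(dy, dx))
    return out


def smallest_arc(angles):
    """Length of the shortest arc of the unit circle containing all angles:
    2*pi minus the largest gap between consecutive sorted angles."""
    if len(angles) < 2:
        return 0.0
    a = sorted(t % (2 * math.pi) for t in angles)
    gaps = [b - c for b, c in zip(a[1:], a)] + [a[0] + 2 * math.pi - a[-1]]
    return 2 * math.pi - max(gaps)


def region_angles(region, n=5):
    """(|arc of P|, minimal behavior of P) estimated from an n x n grid of
    sample points; a point in another location simply contributes its own
    directions, which is how a border region gets a wider arc."""
    x0, y0, x1, y1 = region
    all_angles, min_behavior = [], math.inf
    for i in range(n):
        for j in range(n):
            angs = normalized_angles(x0 + (x1 - x0) * (i + 0.5) / n,
                                     y0 + (y1 - y0) * (j + 0.5) / n)
            all_angles.extend(angs)
            min_behavior = min(min_behavior, smallest_arc(angs))
    return smallest_arc(all_angles), (0.0 if min_behavior == math.inf
                                      else min_behavior)


def area(region):
    x0, y0, x1, y1 = region
    return (x1 - x0) * (y1 - y0)


def split(region):
    """Halve the rectangle along its longer side (breadth-first strategy)."""
    x0, y0, x1, y1 = region
    if x1 - x0 >= y1 - y0:
        xm = (x0 + x1) / 2
        return [(x0, y0, xm, y1), (xm, y0, x1, y1)]
    ym = (y0 + y1) / 2
    return [(x0, y0, x1, ym), (x0, ym, x1, y1)]


def hybridize(domain, theta_bound, delta_bound):
    """Algorithm 1: returns (P_OK, P_BAD) with theta(P) <= Theta for every
    P in P_OK and area(P_BAD) <= Delta * area(domain)."""
    p_bad, p_ok = deque([domain]), []
    bad_area = total = area(domain)
    while bad_area > delta_bound * total:
        p = p_bad.popleft()
        bad_area -= area(p)
        arc, min_behavior = region_angles(p)
        if arc - min_behavior <= theta_bound:
            p_ok.append(p)
        else:
            for sub in split(p):
                p_bad.append(sub)
                bad_area += area(sub)
    return p_ok, list(p_bad)


if __name__ == "__main__":
    ok, bad = hybridize((-2.0, -2.0, 2.0, 2.0), 0.3, 0.05)
    print(len(ok), "regions within Theta,", len(bad), "regions left in P_BAD")
```

Running it on the domain [−2, 2]² with Θ = 0.3 and ∆ = 0.05 shows the behaviour the text describes: regions far from the equilibrium are accepted while still large, the regions touching (0, 0) never satisfy Θ (the direction field turns through a full circle around the equilibrium at every scale) and are split until their total area is below ∆ · area(Q), and the returned sets always partition the domain.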
Theorem 1: Algorithm 1 is sound, complete, and it terminates.
Proof: The algorithm is an extension of the one presented in [7], and the original proof still applies here as we have adapted the underlying lemmas, and proved the adapted versions of the lemmas. To be precise, the algorithm has been extended to compute the minimal behavior $|\angle_{\min_P^-}^{\min_P^+}|$, and both the computation of the minimal behavior and the angle $\angle_{a_P}^{b_P}$ take into account that P might be a border region and so have different behavior in each location.
Since $\angle_{a_P}^{b_P}$ is computed we know that all the trajectories of the CN-HA are also trajectories of the generated approximating GSPDI (Lemma 4), so the algorithm is sound. The algorithm also satisfies that θ(G) ≤ Θ and δ(G) ≤ ∆ (Lemma 8), which guarantees completeness and also termination of the algorithm.
IV. RELATED WORK
The chosen method to analyze dynamical systems with
non-linear behavior is over-approximation. To ensure that the
results of an over-approximation are truly conservative, the
numerical computations used in an implementation must also
be conservative, which is guaranteed by interval arithmetic
[9]. Methods for over-approximating the flow of non-linear
dynamics include interval global optimization methods [10],
and interval solvers for ordinary differential equations [11]. In general, making finer partitions is the way to produce over-approximations that are closer to the original system behavior [12].
The HyTech+ system [13] is an updated version of the
HyTech analysis tool [14]. HyTech+ extends the class of
hybrid automata accepted by the system from linear to nonlinear dynamics, and analyzes the input using interval ordinary
differential equation solvers.
The algorithm behind the HSolver tool [15] over-approximates non-linear hybrid automata by a system of discrete states, splitting states to achieve closer approximations, and solving interval constraints to prune unreachable states [16].
An approach similar to ours for the hybridization of non-linear differential equations into piece-wise linear systems is given by [17] and [18], where the conservative approximation of the system is computed from the Lipschitz constant of the system. The advantage of our approach is that in a GSPDI we are able to accelerate the cycles that commonly occur in a reachability search [8].
V. CONCLUSION AND FUTURE WORK
In this paper we have defined a restricted form of non-linear hybrid automaton, the continuous non-overlapping hybrid automaton or CN-HA, and shown how the commonly deployed proportional controller may be modeled in this representation. CN-HAs can be over-approximated by a class of hybrid automata with simpler dynamics, the generalized polygonal hybrid systems (GSPDIs). We have presented an algorithm that takes a CN-HA as input and produces a GSPDI as output, obeying bounds derived from our precision measures.
In the future we would like to develop an implementation
based on interval global optimization methods [10], and integrate this into the reachability checker GSPeeDI [5], [6].
We can investigate whether other kinds of controllers, such as Proportional-Integral-Derivative (PID) controllers, can be represented as CN-HAs, or whether a CN-HA is expressive
enough to model switched systems. To facilitate the analysis of
TIDISs regulated by controllers that cannot be represented as
CN-HAs, we can look at extending the definition of a GSPDI
to a hierarchical GSPDI [19]. We can also investigate whether
the algorithm can be extended to higher dimensions, i.e. where
both the original systems and approximations have states with
an arbitrary number of variables.
VI. ACKNOWLEDGMENTS
The author wishes to thank Martin Steffen for many useful
discussions on the paper, and Dag Samuelsen for introducing
him to proportional controllers.
REFERENCES
[1] K. J. Åström and R. M. Murray, Feedback Systems: An Introduction for
Scientists and Engineers. Princeton University Press, 2008.
[2] J. P. Aubin and A. Cellina, Differential Inclusions: Set-Valued Maps and
Viability Theory. Secaucus, NJ, USA: Springer-Verlag New York, Inc.,
1984.
[3] T. A. Henzinger, “The theory of hybrid automata,” in LICS’96. IEEE
Computer Society, 1996, pp. 278–292.
[4] G. J. Pace and G. Schneider, “Relaxing goodness is still good,” in
ICTAC’08, ser. LNCS, vol. 5160, 2008, pp. 274–289.
[5] H. A. Hansen, “GSPeeDI,” http://heim.ifi.uio.no/
hallstah/gspeedi/.
[6] H. A. Hansen and G. Schneider, “GSPeeDI –A Tool for Analyzing
Generalized Polygonal Hybrid Systems,” in ICTAC’09, ser. LNCS, vol.
5684, August 2009, pp. 336–342.
[7] H. A. Hansen, G. Schneider, and M. Steffen, “Reachability analysis of
non-linear planar autonomous systems,” ser. LNCS. Teheran, Iran:
Springer, 20-22 April 2011, to appear.
[8] E. Asarin, G. Schneider, and S. Yovine, “Algorithmic analysis of
polygonal hybrid systems, part I: Reachability,” TCS, vol. 379, no. 1-2,
pp. 231–265, 2007.
[9] R. E. Moore, “Interval arithmetic and automatic error analysis in
digital computing,” Ph.D. dissertation, Department of Mathematics,
Stanford University, Stanford, CA, USA, Nov. 1962, also published
as Applied Mathematics and Statistics Laboratories Technical Report
No. 25. [Online]. Available: http://interval.louisiana.edu/Moores early papers/disert.pdf
[10] T. Weise, Global Optimization Algorithms: Theory and Application, 2nd ed. E-book, 2009, http://www.it-weise.de/.
[11] N. S. Nedialkov, “Interval tools for ODEs and DAEs,” in Proceedings
of the 12th GAMM - IMACS International Symposium on Scientific
Computing, Computer Arithmetic and Validated Numerics. Washington,
DC, USA: IEEE Computer Society, 2006. [Online]. Available:
http://portal.acm.org/citation.cfm?id=1338442.1338689
[12] T. A. Henzinger and P.-H. Ho, “Algorithmic analysis of nonlinear hybrid
systems,” in CAV, 1995, pp. 225–238.
[13] T. A. Henzinger, B. Horowitz, R. Majumdar, and H. Wong-Toi, "Beyond HYTECH: Hybrid systems analysis using interval numerical methods," in HSCC. Springer, 2000, pp. 130–144.
[14] T. A. Henzinger, P.-H. Ho, and H. Wong-Toi, “HyTech: A model checker
for hybrid systems,” Software Tools for Technology Transfer, vol. 1, pp.
110–122, 1997.
[15] S. Ratschan and Z. She, "Safety Verification of Hybrid Systems by Constraint Propagation Based Abstraction Refinement," ACM Transactions on Embedded Computing Systems, vol. 6, no. 1, pp. 573–589, 2007.
[16] S. Ratschan, “Efficient solving of quantified inequality constraints over
the real numbers,” ACM Transactions on Computational Logic, vol. 7,
no. 4, pp. 723–748, 2006.
[17] T. Dang, O. Maler, and R. Testylier, “Accurate hybridization of
nonlinear systems,” in Proceedings of the 13th ACM international
conference on Hybrid systems: computation and control, ser. HSCC
’10. New York, NY, USA: ACM, 2010, pp. 11–20. [Online]. Available:
http://doi.acm.org/10.1145/1755952.1755956
[18] E. Asarin, T. Dang, and A. Girard, “Hybridization methods for the
analysis of nonlinear systems,” ACTA INFORMATICA, vol. 43, pp. 451–
476, 2007.
[19] G. Schneider, “Algorithmic Analysis of Polygonal Hybrid Systems,”
Ph.D. dissertation, VERIMAG – UJF, Grenoble, France, July 2002.