Algorithmic Verification of Stability of Hybrid Systems Pavithra - - PowerPoint PPT Presentation

1

Algorithmic Verification of Stability of Hybrid Systems

Pavithra Prabhakar

Kansas State University

University of Kansas February 24, 2017

Cyber-Physical Systems (CPS)

Medical Devices Automotive Robotics Aeronautics Process control

Systems in which software "cyber" interacts with the "physical" world

2

✤ Cruise control, lane assistants ✤ Pacemakers, infusion pumps

Software controlled physical systems

Cyber-Physical Systems (CPS)

3

Enhanced safety, security and efficiency through sophisticated functionalities

✤ Autonomous cars ✤ Smart Grids ✤ Smart Buildings

The New York Times |Source: Florida traffic crash report

Cyber-Physical Systems (CPS)

3

Safety Critical Systems Incorrect functioning can be disastrous

✤ Tesla’s self driving car accident

Enhanced safety, security and efficiency through sophisticated functionalities

✤ Autonomous cars ✤ Smart Grids ✤ Smart Buildings

The New York Times |Source: Florida traffic crash report

Cyber-Physical Systems (CPS)

3

Safety Critical Systems Incorrect functioning can be disastrous

✤ Tesla’s self driving car accident

Grand Challenge How do we build and deploy reliable CPS? Enhanced safety, security and efficiency through sophisticated functionalities

✤ Autonomous cars ✤ Smart Grids ✤ Smart Buildings

Hybrid Systems

Rigorous techniques for CPS verification through hybrid systems theory

4

Hybrid Systems

Rigorous techniques for CPS verification through hybrid systems theory

4

˙ x = f(x, u) y = h(x)

y

u

u = g(y)

Plant Control

Hybrid Systems

Rigorous techniques for CPS verification through hybrid systems theory

4

˙ x = f(x, u) y = h(x)

y

u

u = g(y)

Plant Control

Vehicle dynamics, heart, …

Hybrid Systems

Rigorous techniques for CPS verification through hybrid systems theory

4

˙ x = f(x, u) y = h(x)

y

u

u = g(y)

Plant Control

Vehicle dynamics, heart, … Digital Logic, Software

Hybrid Systems

Rigorous techniques for CPS verification through hybrid systems theory

4

˙ x = f(x, u) y = h(x)

y

u

u = g(y)

Plant Control

Hybrid Systems Systems with mixed discrete and continuous behaviors

Vehicle dynamics, heart, … Digital Logic, Software

Hybrid Systems

Rigorous techniques for CPS verification through hybrid systems theory

4

˙ x = f(x, u) y = h(x)

y

u

u = g(y)

Plant Control

Hybrid Systems Systems with mixed discrete and continuous behaviors

Vehicle dynamics, heart, … Digital Logic, Software

Hybrid Systems

Rigorous techniques for CPS verification through hybrid systems theory

4

˙ x = f(x, u) y = h(x)

y

u

u = g(y)

Plant Control

Hybrid Systems Systems with mixed discrete and continuous behaviors

Vehicle dynamics, heart, … Digital Logic, Software

Formal verification

5

Given a hybrid system model and a formal specification, a verification algorithm generates a proof that the model satisfies the specification

Formal verification

✤ Examples of formal verification problems:

5

Given a hybrid system model and a formal specification, a verification algorithm generates a proof that the model satisfies the specification

Formal verification

✤ Examples of formal verification problems: ✤ (Safety) Does an air-traffic collision avoidance protocol ensure

minimum separation between the aircraft?

5

Given a hybrid system model and a formal specification, a verification algorithm generates a proof that the model satisfies the specification

Formal verification

✤ Examples of formal verification problems: ✤ (Safety) Does an air-traffic collision avoidance protocol ensure

minimum separation between the aircraft?

✤ (Stability) Does a cruise control bring the velocity of the vehicle to a

desired velocity, and maintain it there in the presence of small disturbances?

5

Given a hybrid system model and a formal specification, a verification algorithm generates a proof that the model satisfies the specification

Hybrid Systems

6

Cruise control and an automatic gearbox

7

Automatic gearbox

Goal of the cruise control: Drive the vehicle velocity to a desired velocity, and maintain it there in the presence of uphills and downhills.

Kq Kq τ Z (vd − v)dv

q

T

+ + +

–

vd v ωhigh ωlow

CRUISE CONTROLLER GEARBOX

Continuous controller

Discrete controller

Integral

Kq(vd − v)

Proportional

˙ v = pr

qT

M

Automatic gearbox: a hybrid system

Automatic gearbox: a hybrid system

1 2 3 4

Automatic gearbox: a hybrid system

1 2 3 4

E = vd − v Difference between desired and current velocity TI Integral part of the torque

x = ✓ E TI ◆

Variables

Automatic gearbox: a hybrid system

1 2 3 4

E = vd − v Difference between desired and current velocity TI Integral part of the torque

x = ✓ E TI ◆

Variables

˙ E = − pq MrKqE − pq MrTI ˙ TI = −Kq τ E

Dynamics

Automatic gearbox: a hybrid system

1 2 3 4

˙ x = A1x ˙ x = A2x ˙ x = A3x ˙ x = A4x

E = vd − v Difference between desired and current velocity TI Integral part of the torque

x = ✓ E TI ◆

Variables

˙ E = − pq MrKqE − pq MrTI ˙ TI = −Kq τ E

Dynamics

Automatic gearbox: a hybrid system

1 2 3 4

E = 1 p4 ωlow E = 1 p3 ωlow E = 1 p2 ωlow E = 1 p1 ωhigh E = 1 p2 ωhigh E = 1 p3 ωhigh ˙ x = A1x ˙ x = A2x ˙ x = A3x ˙ x = A4x

E = vd − v Difference between desired and current velocity TI Integral part of the torque

x = ✓ E TI ◆

Variables

˙ E = − pq MrKqE − pq MrTI ˙ TI = −Kq τ E

Dynamics

Automatic gearbox: a hybrid system

1 2 3 4

E = 1 p4 ωlow E = 1 p3 ωlow E = 1 p2 ωlow E = 1 p1 ωhigh E = 1 p2 ωhigh E = 1 p3 ωhigh ˙ x = A1x ˙ x = A2x ˙ x = A3x ˙ x = A4x

TI E

TI

4 to 3

• 3

to 2

• 2

to 1

• E

1 to 2

• 2

to 3

• 3

to 4

• x3

x0 x1 x2

Trajectories Executions

Stability

10

✤ Small perturbations in the initial state lead to small deviations in

the system behavior

11

Stability

✤ Small perturbations in the initial state lead to small deviations in

the system behavior

11

Stability

✤ Small perturbations in the initial state lead to small deviations in

the system behavior

11

Stability

✤ Small perturbations in the initial state lead to small deviations in

the system behavior

11

Stability

Stable

✤ Small perturbations in the initial state lead to small deviations in

the system behavior

11

Stability

Stable

✤ Small perturbations in the initial state lead to small deviations in

the system behavior

11

Stability

Stable

✤ Small perturbations in the initial state lead to small deviations in

the system behavior

11

Stability

Stable

✤ Small perturbations in the initial state lead to small deviations in

the system behavior

11

Stability

Stable Unstable

12

Lyapunov Stability (LS)

A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from Bδ(0) , σ ∈ Bε(0).

12

Lyapunov Stability (LS)

A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from Bδ(0) , σ ∈ Bε(0).

✏

12

Lyapunov Stability (LS)

A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from Bδ(0) , σ ∈ Bε(0).

✏ δ

12

Lyapunov Stability (LS)

A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from Bδ(0) , σ ∈ Bε(0).

✏ δ

12

Lyapunov Stability (LS)

A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from Bδ(0) , σ ∈ Bε(0).

✏ δ

12

Lyapunov Stability (LS)

A system is Lyapunov stable with respect to 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from Bδ(0) , σ ∈ Bε(0).

✏ δ

∀✏ > 0, ∃ > 0, [(⌧(0) ∈ B(0)) ⇒ ∀t(⌧(t) ∈ B✏(0))]

(Global) Asymptotic Stability (AS)

13

A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from Bδ(0) converges to 0.

(Global) Asymptotic Stability (AS)

13

A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from Bδ(0) converges to 0.

δ

(Global) Asymptotic Stability (AS)

13

A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from Bδ(0) converges to 0.

δ

(Global) Asymptotic Stability (AS)

13

A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from Bδ(0) converges to 0.

δ

(Global) Asymptotic Stability (AS)

13

A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from Bδ(0) converges to 0.

δ

A system is GAS with respect to 0 if it is Lyapunov stable and every execution σ converges to 0.

(Global) Asymptotic Stability (AS)

13

A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from Bδ(0) converges to 0.

δ

A system is GAS with respect to 0 if it is Lyapunov stable and every execution σ converges to 0.

(Global) Asymptotic Stability (AS)

13

A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from Bδ(0) converges to 0.

δ

A system is GAS with respect to 0 if it is Lyapunov stable and every execution σ converges to 0. Global asymptotic stability

(Global) Asymptotic Stability (AS)

13

A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from Bδ(0) converges to 0.

δ

A system is GAS with respect to 0 if it is Lyapunov stable and every execution σ converges to 0. Global asymptotic stability

(Global) Asymptotic Stability (AS)

13

A system is AS with respect to 0 if it is Lyapunov stable and there exists a value δ > 0 such that every execution σ starting from Bδ(0) converges to 0.

δ

A system is GAS with respect to 0 if it is Lyapunov stable and every execution σ converges to 0. Global asymptotic stability Asymptotic stability

Challenges in Stability Verification for Hybrid Systems

14

Stability analysis

Linear dynamical systems

x

y

y

x

Stability analysis

Linear dynamical systems

Stable Stable

x

y

y

x

Stability analysis

Stability can be determined by eigen values analysis

Linear dynamical systems

Stable Stable

x

y

y

x

Stability analysis

Stability can be determined by eigen values analysis

Linear dynamical systems

Stable Stable

x

y

y

x

Linear hybrid systems

y

x

Stability analysis

Stability can be determined by eigen values analysis

Linear dynamical systems

Stable Stable Stable

x

y

y

x

Linear hybrid systems

y

x

Stability analysis

Stability can be determined by eigen values analysis

Linear dynamical systems

Stable Stable Stable

x

y

y

x

Linear hybrid systems

y

x x

y

Stability analysis

Stability can be determined by eigen values analysis

Linear dynamical systems

Stable Stable Stable Unstable

x

y

y

x

Linear hybrid systems

y

x x

y

Stability analysis

Eigen value analysis does not suffice for switched linear system Stability can be determined by eigen values analysis

Linear dynamical systems

Stable Stable Stable Unstable

x

y

y

x

Linear hybrid systems

y

x x

y

Lyapunov’s second method

V

x y

✤ Continuously differentiable ✤ Positive definite ✤ Decreases along any trajectory

Lyapunov function:

V : Rn → R+

∂V (x) ∂x F(x) ≤ 0 ∀x

V (x) ≥ 0 ∀x

16

˙ x = F(x)

Lyapunov’s second method

V

x y

✤ Continuously differentiable ✤ Positive definite ✤ Decreases along any trajectory

Lyapunov function:

V : Rn → R+

∂V (x) ∂x F(x) ≤ 0 ∀x

V (x) ≥ 0 ∀x

16

˙ x = F(x)

Lyapunov’s second method

V

x y

✤ Continuously differentiable ✤ Positive definite ✤ Decreases along any trajectory

Lyapunov function:

V : Rn → R+

∂V (x) ∂x F(x) ≤ 0 ∀x

V (x) ≥ 0 ∀x

16

˙ x = F(x)

Lyapunov’s second method

V

x y

✤ Choose a template ✤ Polynomial with coefficients as parameters ✤ Encode (a relaxation) of the constraints as a sum-of-

square programming problem

✤ Use existing tools for SOS

Template based automated search

✤ Continuously differentiable ✤ Positive definite ✤ Decreases along any trajectory

Lyapunov function:

V : Rn → R+

∂V (x) ∂x F(x) ≤ 0 ∀x

V (x) ≥ 0 ∀x

16

˙ x = F(x)

Lyapunov’s second method

V

x y

✤ Choose a template ✤ Polynomial with coefficients as parameters ✤ Encode (a relaxation) of the constraints as a sum-of-

square programming problem

✤ Use existing tools for SOS

Template based automated search

✤ Continuously differentiable ✤ Positive definite ✤ Decreases along any trajectory

Lyapunov function:

V : Rn → R+

∂V (x) ∂x F(x) ≤ 0 ∀x

V (x) ≥ 0 ∀x

✤ Success depends crucially on the choice of the template ✤ The current methods provide no insight into the reason

for the failure, when a template fails to prove stability

✤ No guidance regarding the choice of the next template

Shortcomings:

16

˙ x = F(x)

Lyapunov’s second method

V

x y

✤ Choose a template ✤ Polynomial with coefficients as parameters ✤ Encode (a relaxation) of the constraints as a sum-of-

square programming problem

✤ Use existing tools for SOS

Template based automated search

✤ Continuously differentiable ✤ Positive definite ✤ Decreases along any trajectory

Lyapunov function:

V : Rn → R+

∂V (x) ∂x F(x) ≤ 0 ∀x

V (x) ≥ 0 ∀x

A CEGAR framework

✤ Success depends crucially on the choice of the template ✤ The current methods provide no insight into the reason

for the failure, when a template fails to prove stability

✤ No guidance regarding the choice of the next template

Shortcomings:

16

˙ x = F(x)

Counter-example guided abstraction refinement

17

Abstraction

2 1 3 4 5 6 7 8 9 18

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9 2 1 3 4 5 6 7 8 9 18

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9 2 1 3 4 5 6 7 8 9 18

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9 2 1 3 4 5 6 7 8 9 18

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9 2 1 3 4 5 6 7 8 9 18

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9 2 1 3 4 5 6 7 8 9 18

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9 2 1 3 4 5 6 7 8 9 18

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9 2 1 3 4 5 6 7 8 9 18

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9 2 1 3 4 5 6 7 8 9 18

Safety Analysis

✤ Every trajectory corresponds to a path in the graph

Abstraction

2 1 3 4 5 6 7 8 9 2 1 3 4 5 6 7 8 9 18

Safety Analysis

✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Abstraction

2 1 3 4 5 6 7 8 9 2 1 3 4 5 6 7 8 9 19

✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9

✤ The above system is safe

2 1 3 4 5 6 7 8 9 19

✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9

✤ The above system is safe ✤ The abstract graph has a counter-example

2 1 3 4 5 6 7 8 9 19

✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Safety Analysis

Abstraction

2 1 3 4 5 6 7 8 9

✤ The above system is safe ✤ The abstract graph has a counter-example

2 1 3 4 5 6 7 8 9

✤ Right abstractions are hard to find!

19

✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Safety Analysis

Refinement

2 1 3 4 5 6 7 8 9

✤ Refine by analyzing the abstract counter-example

2 1 3 5 6 7 8 9 4 20

✤ The above system is safe ✤ The abstract graph has a counter-example ✤ Right abstractions are hard to find! ✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Safety Analysis

Refinement

2 1 3 4 5 6 7 8 9

✤ Refine by analyzing the abstract counter-example

2 1 3 5 6 7 8 9 4 20

✤ The above system is safe ✤ The abstract graph has a counter-example ✤ Right abstractions are hard to find! ✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Safety Analysis

Refinement

2 1 3 4 5 6 7 8 9

✤ Refine by analyzing the abstract counter-example

2 1 3 5 6 7 8 9 4 20

✤ The above system is safe ✤ The abstract graph has a counter-example ✤ Right abstractions are hard to find! ✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Safety Analysis

Refinement

2 1 3 4 5 6 7 8 9

✤ Refine by analyzing the abstract counter-example

2 1 3 5 6 7 8 9 4 20

✤ The above system is safe ✤ The abstract graph has a counter-example ✤ Right abstractions are hard to find! ✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Safety Analysis

Refinement

2 1 3 4 5 6 7 8 9

✤ Refine by analyzing the abstract counter-example

2 1 3 5 6 7 8 9 4 20

✤ The above system is safe ✤ The abstract graph has a counter-example ✤ Right abstractions are hard to find! ✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Safety Analysis

Refinement

2 1 3 4 5 6 7 8 9

✤ Refine by analyzing the abstract counter-example

2 1 3 5 6 7 8 9 20

✤ The above system is safe ✤ The abstract graph has a counter-example ✤ Right abstractions are hard to find! ✤ Every trajectory corresponds to a path in the graph ✤ Absence of a path from green to red node implies safety

Safety Analysis

Counter-example guided abstraction refinement

Property violated Abstraction Relation Analysis Results Abstract Counter-example Property Abstract System Concrete System

Abstract Model-Check Validate Refine Yes No Yes No

Property satisfied

✤ CEGAR for discrete systems

[Kurshan et al. 93, Clarke et al. 00, Ball et al. 02]

✤ CEGAR for hybrid systems safety

verification [Alur et al 03, Clarke et al 03, Prabhakar et al 13]

21

Counter-example guided abstraction refinement

Property violated Abstraction Relation Analysis Results Abstract Counter-example Property Abstract System Concrete System

Abstract Model-Check Validate Refine Yes No Yes No

Property satisfied

✤ CEGAR for discrete systems

[Kurshan et al. 93, Clarke et al. 00, Ball et al. 02]

✤ CEGAR for hybrid systems safety

verification [Alur et al 03, Clarke et al 03, Prabhakar et al 13]

21

✤ Success depends crucially on the choice

• f the template

✤ No insight into the reason for the failure,

when a template fails to prove stability

✤ No guidance regarding the choice of the

next template

Template based search CEGAR framework

✤ Systematically iterate over the abstract

systems

✤ Returns a counter-example in the case

that the abstraction fails

✤ The counter-example can be used to

guide the choice of the next abstraction

AVERIST: An Algorithmic VERIfier for STability

22

Tool webpage: http://software.imdea.org/projects/averist/

PPL GLPK NetworkX Z3 Quantitative Predicate Abstraction Model-Checking Validation Refinement Region Stability Analysis Stability Zone Computation Hybridization

Global Asymptotic Stability Analyzer

Local Asymptotic Stability Analyzer Linear/Non- Linear Hybrid Automaton Stable/ Unstable

Abstraction based analysis: Lyapunov and asymptotic stability

23

24

Quantitative Predicate Abstraction

A B C D E F

p4 p1 p6 p2 p3 p5 p1 p2 p3 p4 p5 p6

24

Quantitative Predicate Abstraction

A B C D E F

p4 p1 p6 p2 p3 p5 p1 p2 p3 p4 p5 p6

d1

d2

p1 p2

w(e) = |d2| |d1|

24

Quantitative Predicate Abstraction

A B C D E F

p4 p1 p6 p2 p3 p5 p1 p2 p3 p4 p5 p6 w6 w5 w2 w4 w1 w3

d1

d2

p1 p2

w(e) = |d2| |d1|

24

Quantitative Predicate Abstraction

A B C D E F

p4 p1 p6 p2 p3 p5 p1 p2 p3 p4 p5 p6 w6 w5 w2 w4 w1 w3

Weights capture information about distance to the origin along the executions

d1

d2

p1 p2

w(e) = |d2| |d1|

25

Weighted Graph Construction

p1

p2 p4 p3

1 1 1 1

p1

p2 p4 p3

1/2 1 1/2 1

p1

p2 p4 p3

2 1 2 1

p1 p2 p4

p3

p1 p2 p4

p3

p1 p2 p4

p3

p1 p2

p4 p3 p1 p2 p4

p3

Higher Dimensions

26

Higher Dimensions

26

The weighted graph construction has a bisimulation like property for 2D.

Higher Dimensions

26

The weighted graph construction has a bisimulation like property for 2D. p1 d1 d2 w(e) = |d2| |d1| p2

Higher Dimensions

26

The weighted graph construction has a bisimulation like property for 2D.

x

y z

~ a ~ b

p1 d1

d2 w(e) = |d2| |d1| p2

Higher Dimensions

26

The weighted graph construction has a bisimulation like property for 2D.

x

y z

~ a ~ b

p1 d1

d2 w(e) = |d2| |d1| p2

|~ b| |~ a|

Higher Dimensions

26

The weighted graph construction has a bisimulation like property for 2D.

x

y z

~ a ~ b

p1 d1

d2 w(e) = |d2| |d1| p2

|~ b| |~ a|

Higher Dimensions

26

The weighted graph construction has a bisimulation like property for 2D.

x

y z

~ a ~ b

p1 d1

d2 w(e) = |d2| |d1| p2

|~ b| |~ a| |~ b+~ c| |~ a+~ c|

Higher Dimensions

26

The weighted graph construction has a bisimulation like property for 2D.

x

y z

~ a ~ b

p1 d1

d2 w(e) = |d2| |d1| p2

|~ b| |~ a| |~ b+~ c| |~ a+~ c|

Higher Dimensions

26

The weighted graph construction has a bisimulation like property for 2D.

x

y z

~ a ~ b

p1 d1

d2 w(e) = |d2| |d1| p2

|~ b| |~ a| |~ b+~ c| |~ a+~ c|

sup |v2| |v1| t ≥ 0, v1 ∈ f1, v2 ∈ f2, v2 = v1 + ϕt

27

Soundness of Quantitative Predicate Abstraction

Theorem

An n dimensional PCD is Lyapunov stable if

✤ there are no edges with infinite weights and ✤ the weighted graph does not contain any cycles with product of

weights on the edges greater than 1 Abstraction based model-checking of stability of hybrid systems.

• P. Prabhakar, M. G. Soto. CAV’13

Polyhedral Inclusion Dynamics

28

Constant derivative ˙ x = ϕ

Polyhedral Inclusion Dynamics

28

sup |v2| |v1| t ≥ 0, v1 ∈ f1, v2 ∈ f2, v2 = v1 + ϕt

Constant derivative ˙ x = ϕ

Polyhedral Inclusion Dynamics

28

sup |v2| |v1| t ≥ 0, v1 ∈ f1, v2 ∈ f2, v2 = v1 + ϕt

Constant derivative ˙ x = ϕ

Polyhedral inclusion dynamics ˙ x ∈ P

P is a polyhedral set

Polyhedral Inclusion Dynamics

28

sup |v2| |v1| t ≥ 0, v1 ∈ f1, v2 ∈ f2, v2 = v1 + ϕt

Constant derivative ˙ x = ϕ

Polyhedral inclusion dynamics ˙ x ∈ P

P is a polyhedral set

V ai · x ∼ ci

Polyhedral Inclusion Dynamics

28

sup |v2| |v1| t ≥ 0, v1 ∈ f1, v2 ∈ f2, v2 = v1 + ϕt

Constant derivative ˙ x = ϕ

ϕ ∈ P

Polyhedral inclusion dynamics ˙ x ∈ P

P is a polyhedral set

V ai · x ∼ ci

Polyhedral Inclusion Dynamics

28

sup |v2| |v1| t ≥ 0, v1 ∈ f1, v2 ∈ f2, v2 = v1 + ϕt

Constant derivative ˙ x = ϕ

ϕ ∈ P

Polyhedral inclusion dynamics ˙ x ∈ P

P is a polyhedral set

V ai · x ∼ ci

Polyhedral Inclusion Dynamics

28

sup |v2| |v1| t ≥ 0, v1 ∈ f1, v2 ∈ f2, v2 = v1 + ϕt

Constant derivative ˙ x = ϕ

ϕ ∈ P

Polyhedral inclusion dynamics ˙ x ∈ P

P is a polyhedral set

V ai · ϕ ∼ ci V ai · x ∼ ci

Polyhedral Inclusion Dynamics

28

sup |v2| |v1| t ≥ 0, v1 ∈ f1, v2 ∈ f2, v2 = v1 + ϕt

Constant derivative ˙ x = ϕ

ϕ ∈ P

Polyhedral inclusion dynamics ˙ x ∈ P

P is a polyhedral set

V ai · ϕ ∼ ci V ai · (v2 − v1) ∼ cit V ai · x ∼ ci

Switched Systems

29

Switched Systems

29

p1

p3

Switched Systems

29

p2

p4 p1

p3

Switched Systems

29

p2

p4 p1

p3

v1

Switched Systems

29

p2

p4 p1

p3

v1

✤ The invariants associated with modes may overlap — unbounded

number of switching in a region

✤ A straight forward encoding of the reachability relation will lead to an

infinite number of constraints

✤ We use certain decompositions into strongly connect components to

reduce it to a finite number of constraints

So far ….

30

✤ Construct weighted graph (Quantitative Predicate Abstraction) ✤ Check that the weighted graph has no cycle with product of weight >=1 ✤ If such a cycle exists, it is a counter-example

CEGAR for Stability

31

32

Counter-example

✤

If the abstract system fails to prove stability, then it returns a counter- example.

32

Counter-example

✤

If the abstract system fails to prove stability, then it returns a counter- example.

p1 p2

p4

p3

2 1 2 1

✤ A cycle with product of weight

greater than 1

32

Counter-example

✤

If the abstract system fails to prove stability, then it returns a counter- example.

p1 p2

p4

p3

2 1 2 1

✤ A cycle with product of weight

greater than 1

✤

Need to check if it is spurious — can the system follow the cycle to exhibit trajectories which diverge

32

Counter-example

✤

If the abstract system fails to prove stability, then it returns a counter- example.

p1 p2

p4

p3

2 1 2 1

✤ A cycle with product of weight

greater than 1

✤

Need to check if it is spurious — can the system follow the cycle to exhibit trajectories which diverge

✤

Validation — checking spuriousness — is not a bounded model-checking problem

33

Validation

33

Validation

p1 p2 p4 p3 p1

pk−1

33

Validation

p1 p2 p4 p3 p1

pk−1

33

Validation

p1 p2 p4 p3 p1

pk−1 x1 x2 xk x3 x4 xk−1

33

∃α > 1 : x1

P1

x2

P2

x3 . . .

Pk

xk ∧ xk = αx1

Theorem

if and only if

A counter example p1 → p2 → p3 → · · · → p1 is valid

Validation

p1 p2 p4 p3 p1

pk−1 x1 x2 xk x3 x4 xk−1

Validation and Refinement Summary

34

Validation and Refinement Summary

✤ Refinement essentially tries to ``eliminate’’ the abstract counterexample

(ACE)

34

Validation and Refinement Summary

✤ Refinement essentially tries to ``eliminate’’ the abstract counterexample

(ACE)

✤ If the ACE is spurious, we perform a forward computation to find the

reach sets along the ACE

34

Validation and Refinement Summary

✤ Refinement essentially tries to ``eliminate’’ the abstract counterexample

(ACE)

✤ If the ACE is spurious, we perform a forward computation to find the

reach sets along the ACE

✤ The spuriousness of the ACE ensures that in a finite number of iterations

the corresponding reach set becomes empty and we refine (similar to the safety case)

34

Validation and Refinement Summary

✤ Refinement essentially tries to ``eliminate’’ the abstract counterexample

(ACE)

✤ If the ACE is spurious, we perform a forward computation to find the

reach sets along the ACE

✤ The spuriousness of the ACE ensures that in a finite number of iterations

the corresponding reach set becomes empty and we refine (similar to the safety case)

✤ Some improvements can be obtained by examining the ACE further to

determine if it in fact has no infinite executions

34

Validation and Refinement Summary

✤ Refinement essentially tries to ``eliminate’’ the abstract counterexample

(ACE)

✤ If the ACE is spurious, we perform a forward computation to find the

reach sets along the ACE

✤ The spuriousness of the ACE ensures that in a finite number of iterations

the corresponding reach set becomes empty and we refine (similar to the safety case)

✤ Some improvements can be obtained by examining the ACE further to

determine if it in fact has no infinite executions

34

Counterexample guided abstraction refinement for stability analysis

• P. Prabhakar, M. G. Soto. CAV’16

Hybridization

35

Reachability relation computation is hard!

Linear dynamical systems

✓x y ◆ ✓ a b c d ◆ ✓ ˙ x ˙ y ◆

=

36

A very important class of control system

Reachability relation computation is hard!

Linear dynamical systems

✓x y ◆ ✓ a b c d ◆ ✓ ˙ x ˙ y ◆

=

36

A very important class of control system

Reach(P1, P, P2) = {(s1, s2) | s1 ∈ P1, s2 ∈ P2, s1

P

s2}

Reachability relation computation is hard!

Linear dynamical systems

✓x y ◆ ✓ a b c d ◆ ✓ ˙ x ˙ y ◆

=

36

A very important class of control system

✤ Solution is an exponential function

Reach(P1, P, P2) = {(s1, s2) | s1 ∈ P1, s2 ∈ P2, s1

P

s2}

Reachability relation computation is hard!

Linear dynamical systems

✓x y ◆ ✓ a b c d ◆ ✓ ˙ x ˙ y ◆

=

36

A very important class of control system

✤ Solution is an exponential function ✤ Need a representation on which optimization can be performed

Reach(P1, P, P2) = {(s1, s2) | s1 ∈ P1, s2 ∈ P2, s1

P

s2}

Reachability relation computation is hard!

Linear dynamical systems

✓x y ◆ ✓ a b c d ◆ ✓ ˙ x ˙ y ◆

=

36

A very important class of control system

✤ Solution is an exponential function ✤ Need a representation on which optimization can be performed ✤ Approximation methods [Girard et al., Frehse et al., PP]

Reach(P1, P, P2) = {(s1, s2) | s1 ∈ P1, s2 ∈ P2, s1

P

s2}

37

Arbitrary switching of two linear systems

y

x y

x

q1

q2 p1

p2

✤ The invariants associated with modes may overlap — unbounded

number of switching in a region

✤ Tools based on symbolic state space exploration do not reach a fixpoint

Hybridization

38

Hybridization

✤ Broad approach

38

Hybridization

✤ Broad approach ✤ Partition the state-space into a finite number of regions

38

Hybridization

✤ Broad approach ✤ Partition the state-space into a finite number of regions ✤ Abstract the dynamics in each region by a simpler dynamics

38

Hybridization

✤ Broad approach ✤ Partition the state-space into a finite number of regions ✤ Abstract the dynamics in each region by a simpler dynamics

✤

Rectangular dynamics, Polyhedral dynamics for Linear dynamics [Puri et al, Bogomolov et al]

38

Hybridization

✤ Broad approach ✤ Partition the state-space into a finite number of regions ✤ Abstract the dynamics in each region by a simpler dynamics

✤

Rectangular dynamics, Polyhedral dynamics for Linear dynamics [Puri et al, Bogomolov et al]

✤

Linear dynamics for non-linear dynamics [Asarin et al, Dang et al]

38

Hybridization

✤ Broad approach ✤ Partition the state-space into a finite number of regions ✤ Abstract the dynamics in each region by a simpler dynamics

✤

Rectangular dynamics, Polyhedral dynamics for Linear dynamics [Puri et al, Bogomolov et al]

✤

Linear dynamics for non-linear dynamics [Asarin et al, Dang et al]

✤ Crucial parts — state-space partition and the choice of the

abstract dynamics

38

Hybridization

✤ Broad approach ✤ Partition the state-space into a finite number of regions ✤ Abstract the dynamics in each region by a simpler dynamics

✤

Rectangular dynamics, Polyhedral dynamics for Linear dynamics [Puri et al, Bogomolov et al]

✤

Linear dynamics for non-linear dynamics [Asarin et al, Dang et al]

✤ Crucial parts — state-space partition and the choice of the

abstract dynamics

✤ Polyhedra inclusion dynamics and conical partitions

38

Hybridization

✤ Broad approach ✤ Partition the state-space into a finite number of regions ✤ Abstract the dynamics in each region by a simpler dynamics

✤

Rectangular dynamics, Polyhedral dynamics for Linear dynamics [Puri et al, Bogomolov et al]

✤

Linear dynamics for non-linear dynamics [Asarin et al, Dang et al]

✤ Crucial parts — state-space partition and the choice of the

abstract dynamics

✤ Polyhedra inclusion dynamics and conical partitions

38

Hybridization for Stability Analysis of Switched Linear Systems

• P. Prabhakar, M. G. Soto. HSCC’16

Linear to Polyhedral Inclusion Dynamics

39

y

x

˙ x = −2x − 4y ˙ y = 20x − 2y

z = (x, y)

Linear Dynamics

˙ z = Az

Linear to Polyhedral Inclusion Dynamics

39

y

x

x ≤ 0 y ≥ 0

R

y

x

˙ x = −2x − 4y ˙ y = 20x − 2y

z = (x, y)

Linear Dynamics

˙ z = Az

Linear to Polyhedral Inclusion Dynamics

39

y

x

x ≤ 0 y ≥ 0

R

y

x

˙ x = −2x − 4y ˙ y = 20x − 2y

z = (x, y)

Linear Dynamics

˙ z = Az

˙ z ∈ P

P = {Az | z ∈ R}

Polyhedral Inclusion Dynamics

Linear to Polyhedral Inclusion Dynamics

39

P

y

x

x ≤ 0 y ≥ 0

R

y

x

˙ x = −2x − 4y ˙ y = 20x − 2y

z = (x, y)

Linear Dynamics

˙ z = Az

˙ z ∈ P

P = {Az | z ∈ R}

Polyhedral Inclusion Dynamics

Soundness of the construction

40

Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable

Soundness of the construction

40

Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable

✤ The set of executions of Poly(H, S) is a super set of the executions of H

Soundness of the construction

40

Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable

✤ The set of executions of Poly(H, S) is a super set of the executions of H ✤ Stability is preserved by over-approximation

Soundness of the construction

40

Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable

✤ The set of executions of Poly(H, S) is a super set of the executions of H ✤ Stability is preserved by over-approximation ✤ Conical partitions do not ensure bounded error approximation of the

reachability relation

Soundness of the construction

40

Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable

✤ The set of executions of Poly(H, S) is a super set of the executions of H ✤ Stability is preserved by over-approximation ✤ Conical partitions do not ensure bounded error approximation of the

reachability relation

✤ However, they ensure bounded error approximation of the scaling

Soundness of the construction

40

Theorem (Hybridization and stability preservation): Let H be a switched linear system, and let Poly(H,S) be the hybridized polyhedral hybrid system with respect to a partition S. If Poly(H, S) is Lyapunov (asymptotically) stable, then H is Lyapunov (asymptotically) stable

✤ The set of executions of Poly(H, S) is a super set of the executions of H ✤ Stability is preserved by over-approximation ✤ Conical partitions do not ensure bounded error approximation of the

reachability relation

✤ However, they ensure bounded error approximation of the scaling ✤ The approximation algorithm is complete for asymptotically stable linear

dynamical systems

Experiments

41

AVERIST STABHYLI Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS1 129 31 Yes 6 Yes 8 SS4 1 9 <1 Yes 8 − 452 SS8 1 17 <1 Yes 6 − 443 SS16 1 33 1 Yes 4 − 177 3D AS 4 147 194 Yes 6 − 410 SS4 4 771 484 Yes 2 Yes 75 SS8 4 771 470 Yes 2 Yes 15 SS16 4 771 568 Yes 2 Yes 138 4D AS 7 81 625 Yes 2 − 12 SS4 7 81 119 Yes 2 − 101 SS8 7 153 234 Yes 2 − 1071 SS16 7 297 533 Yes 2 − 339 AS 9 −

• ut

No 4 Yes 34 SS4 9 81 125 Yes 4 − 105 SS8 9 153 247 Yes 2 − 16

Template based search suffers from numerical instability

✤ 6th degree polynomial returned, but no 8th

degree polynomial

✤ LF found for arbitrary switched system, but

not for restricted switched system

✤ Common LF found, but no multiple LF

Experiments

41

AVERIST STABHYLI Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS1 129 31 Yes 6 Yes 8 SS4 1 9 <1 Yes 8 − 452 SS8 1 17 <1 Yes 6 − 443 SS16 1 33 1 Yes 4 − 177 3D AS 4 147 194 Yes 6 − 410 SS4 4 771 484 Yes 2 Yes 75 SS8 4 771 470 Yes 2 Yes 15 SS16 4 771 568 Yes 2 Yes 138 4D AS 7 81 625 Yes 2 − 12 SS4 7 81 119 Yes 2 − 101 SS8 7 153 234 Yes 2 − 1071 SS16 7 297 533 Yes 2 − 339 AS 9 −

• ut

No 4 Yes 34 SS4 9 81 125 Yes 4 − 105 SS8 9 153 247 Yes 2 − 16

Template based search suffers from numerical instability

✤ 6th degree polynomial returned, but no 8th

degree polynomial

✤ LF found for arbitrary switched system, but

not for restricted switched system

✤ Common LF found, but no multiple LF

Experiments

41

AVERIST STABHYLI Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS1 129 31 Yes 6 Yes 8 SS4 1 9 <1 Yes 8 − 452 SS8 1 17 <1 Yes 6 − 443 SS16 1 33 1 Yes 4 − 177 3D AS 4 147 194 Yes 6 − 410 SS4 4 771 484 Yes 2 Yes 75 SS8 4 771 470 Yes 2 Yes 15 SS16 4 771 568 Yes 2 Yes 138 4D AS 7 81 625 Yes 2 − 12 SS4 7 81 119 Yes 2 − 101 SS8 7 153 234 Yes 2 − 1071 SS16 7 297 533 Yes 2 − 339 AS 9 −

• ut

No 4 Yes 34 SS4 9 81 125 Yes 4 − 105 SS8 9 153 247 Yes 2 − 16

Template based search suffers from numerical instability

✤ 6th degree polynomial returned, but no 8th

degree polynomial

✤ LF found for arbitrary switched system, but

not for restricted switched system

✤ Common LF found, but no multiple LF

Experiments

41

AVERIST STABHYLI Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS1 129 31 Yes 6 Yes 8 SS4 1 9 <1 Yes 8 − 452 SS8 1 17 <1 Yes 6 − 443 SS16 1 33 1 Yes 4 − 177 3D AS 4 147 194 Yes 6 − 410 SS4 4 771 484 Yes 2 Yes 75 SS8 4 771 470 Yes 2 Yes 15 SS16 4 771 568 Yes 2 Yes 138 4D AS 7 81 625 Yes 2 − 12 SS4 7 81 119 Yes 2 − 101 SS8 7 153 234 Yes 2 − 1071 SS16 7 297 533 Yes 2 − 339 AS 9 −

• ut

No 4 Yes 34 SS4 9 81 125 Yes 4 − 105 SS8 9 153 247 Yes 2 − 16

Template based search suffers from numerical instability

✤ 6th degree polynomial returned, but no 8th

degree polynomial

✤ LF found for arbitrary switched system, but

not for restricted switched system

✤ Common LF found, but no multiple LF

Experiments

41

AVERIST STABHYLI Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS1 129 31 Yes 6 Yes 8 SS4 1 9 <1 Yes 8 − 452 SS8 1 17 <1 Yes 6 − 443 SS16 1 33 1 Yes 4 − 177 3D AS 4 147 194 Yes 6 − 410 SS4 4 771 484 Yes 2 Yes 75 SS8 4 771 470 Yes 2 Yes 15 SS16 4 771 568 Yes 2 Yes 138 4D AS 7 81 625 Yes 2 − 12 SS4 7 81 119 Yes 2 − 101 SS8 7 153 234 Yes 2 − 1071 SS16 7 297 533 Yes 2 − 339 AS 9 −

• ut

No 4 Yes 34 SS4 9 81 125 Yes 4 − 105 SS8 9 153 247 Yes 2 − 16

Template based search suffers from numerical instability

✤ 6th degree polynomial returned, but no 8th

degree polynomial

✤ LF found for arbitrary switched system, but

not for restricted switched system

✤ Common LF found, but no multiple LF

AVERIST

✤ Prove stability in many more cases than

Stabhyli

✤ The verification time increases slower with

respect to the number of regions as compared to the degree of the polynomial

✤ Abstraction computation is parallelizable ✤ Stabhyli can handle non-linear hybrid

systems

Experiments

41

AVERIST STABHYLI Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS1 129 31 Yes 6 Yes 8 SS4 1 9 <1 Yes 8 − 452 SS8 1 17 <1 Yes 6 − 443 SS16 1 33 1 Yes 4 − 177 3D AS 4 147 194 Yes 6 − 410 SS4 4 771 484 Yes 2 Yes 75 SS8 4 771 470 Yes 2 Yes 15 SS16 4 771 568 Yes 2 Yes 138 4D AS 7 81 625 Yes 2 − 12 SS4 7 81 119 Yes 2 − 101 SS8 7 153 234 Yes 2 − 1071 SS16 7 297 533 Yes 2 − 339 AS 9 −

• ut

No 4 Yes 34 SS4 9 81 125 Yes 4 − 105 SS8 9 153 247 Yes 2 − 16

Template based search suffers from numerical instability

✤ 6th degree polynomial returned, but no 8th

degree polynomial

✤ LF found for arbitrary switched system, but

not for restricted switched system

✤ Common LF found, but no multiple LF

AVERIST

✤ Prove stability in many more cases than

Stabhyli

✤ The verification time increases slower with

respect to the number of regions as compared to the degree of the polynomial

✤ Abstraction computation is parallelizable ✤ Stabhyli can handle non-linear hybrid

systems

Experiments

41

AVERIST STABHYLI Dimension/ name Regions Runtime Proved Stability Degree LF found Runtime 2D AS1 129 31 Yes 6 Yes 8 SS4 1 9 <1 Yes 8 − 452 SS8 1 17 <1 Yes 6 − 443 SS16 1 33 1 Yes 4 − 177 3D AS 4 147 194 Yes 6 − 410 SS4 4 771 484 Yes 2 Yes 75 SS8 4 771 470 Yes 2 Yes 15 SS16 4 771 568 Yes 2 Yes 138 4D AS 7 81 625 Yes 2 − 12 SS4 7 81 119 Yes 2 − 101 SS8 7 153 234 Yes 2 − 1071 SS16 7 297 533 Yes 2 − 339 AS 9 −

• ut

No 4 Yes 34 SS4 9 81 125 Yes 4 − 105 SS8 9 153 247 Yes 2 − 16

Template based search suffers from numerical instability

✤ 6th degree polynomial returned, but no 8th

degree polynomial

✤ LF found for arbitrary switched system, but

not for restricted switched system

✤ Common LF found, but no multiple LF

AVERIST

✤ Prove stability in many more cases than

Stabhyli

✤ The verification time increases slower with

respect to the number of regions as compared to the degree of the polynomial

✤ Abstraction computation is parallelizable ✤ Stabhyli can handle non-linear hybrid

systems

AVERIST: An Algorithmic VERIfier for STability

42

Tool webpage: http://software.imdea.org/projects/averist/

PPL GLPK NetworkX Z3 Quantitative Predicate Abstraction Model-Checking Validation Refinement Region Stability Analysis Stability Zone Computation Hybridization

Global Asymptotic Stability Analyzer

Local Asymptotic Stability Analyzer Linear/Non- Linear Hybrid Automaton Stable/ Unstable

Global asymptotic stability

43

Global asymptotic stability (GAS)

44

A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin.

Global asymptotic stability (GAS)

44

A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem

Global asymptotic stability (GAS)

44

A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem

An Algorithmic Approach to Global Asymptotic Stability Verification of Hybrid Systems

• P. Prabhakar, M. G. Soto. EMSOFT’16

Region Stability (RS)

45

R

Region Stability is a CTL property: All executions eventually reach R AFR A hybrid system is Region Stable with respect to a region R if every execution of the system eventually reaches R

Global asymptotic stability (GAS)

46

p1 p2 p4 p3

1/2 3/2 1/2 3/2

p1 p2 p4 p3

Global asymptotic stability (GAS)

46

Observation 1: The weighted graph captures the information of the executions which remain within a center region (here, ABCDEF)

p1 p2 p4 p3

1/2 3/2 1/2 3/2

p1 p2 p4 p3

Global asymptotic stability (GAS)

46

Observation 1: The weighted graph captures the information of the executions which remain within a center region (here, ABCDEF)

p1 p2 p4 p3

1/2 3/2 1/2 3/2

p1 p2 p4 p3

Global asymptotic stability (GAS)

46

Observation 1: The weighted graph captures the information of the executions which remain within a center region (here, ABCDEF)

p1 p2 p4 p3

1/2 3/2 1/2 3/2

p1 p2 p4 p3

Note: All executions starting within the center region do not remain within the center region, even if the system is stable

Global asymptotic stability (GAS)

47

p1 p2 p4 p3

1/2 3/2 1/2 3/2

p1 p2 p4 p3

Global asymptotic stability (GAS)

47

Observation 2: A Lyapunov/asymptotic stability proof provides a “stability zone” within the center region such that the executions starting from the stability zone will remain within the center region

p1 p2 p4 p3

1/2 3/2 1/2 3/2

p1 p2 p4 p3

Global asymptotic stability (GAS)

47

Observation 2: A Lyapunov/asymptotic stability proof provides a “stability zone” within the center region such that the executions starting from the stability zone will remain within the center region

p1 p2 p4 p3

1/2 3/2 1/2 3/2

p1 p2 p4 p3

Global asymptotic stability (GAS)

47

Observation 2: A Lyapunov/asymptotic stability proof provides a “stability zone” within the center region such that the executions starting from the stability zone will remain within the center region Note: The longest distance an execution can traverse w.r.t the initial point is at most 3/2 times

p1 p2 p4 p3

1/2 3/2 1/2 3/2

p1 p2 p4 p3

Global asymptotic stability (GAS)

48

A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem

Global asymptotic stability (GAS)

48

A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem

✤ Check if the system is asymptotically stable

Global asymptotic stability (GAS)

48

A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem

✤ Check if the system is asymptotically stable ✤ If yes, compute a stability zone

Global asymptotic stability (GAS)

48

A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem

✤ Check if the system is asymptotically stable ✤ If yes, compute a stability zone ✤ Check if the system is region stable with respect to the stability zone

Global asymptotic stability (GAS)

48

A hybrid system is GAS if it is Lyapunov stable and every execution of the system starting from any initial state will converge to the origin. Broad Approach: Decompose the GAS verification problem to an AS verification problem and a RS verification problem

✤ Check if the system is asymptotically stable ✤ If yes, compute a stability zone ✤ Check if the system is region stable with respect to the stability zone ✤ If yes, then the system is GAS

Stability zone computation for the gearbox

49

TI

Center region Stability zone

E

1 to 2

• 2

to 3

• 3

to 4

• 4

to 3

• 3

to 2

• 2

to 1

Conclusion

50

Tool webpage: http://software.imdea.org/projects/averist/

PPL GLPK NetworkX Z3 Quantitative Predicate Abstraction Model-Checking Validation Refinement Region Stability Analysis Stability Zone Computation Hybridization

Global Asymptotic Stability Analyzer

Local Asymptotic Stability Analyzer Linear/Non- Linear Hybrid Automaton Stable/ Unstable

Future Work

✤ Stabilizing controller synthesis using the algorithmic approach ✤ Solve quantitative games ✤ Compositional analysis of stability ✤ Compose input-output stability notions ✤ Extensions to nonlinear dynamics ✤ Hybridization to linear systems with inputs

51

Future Work

✤ Stabilizing controller synthesis using the algorithmic approach ✤ Solve quantitative games ✤ Compositional analysis of stability ✤ Compose input-output stability notions ✤ Extensions to nonlinear dynamics ✤ Hybridization to linear systems with inputs

51

Acknowledgements:

✤ Marie Curie Career Integration Grant ✤ NSF CAREER Award ✤ ONR Young Investigator Award ✤ Miriam Garcia Soto (IMDEA) ✤ Geir Dullerud (UIUC) ✤ Mahesh Viswanathan (UIUC) ✤ Jun Liu (Univ. Waterloo) ✤ Richard Murray (Caltech)