Hybrid Systems decidable, undecidable, and in between Eugene Asarin - - PowerPoint PPT Presentation

Hybrid Systems

decidable, undecidable, and in between

Eugene Asarin LIAFA - Universit´ e Paris 7 and CNRS

EJCMI - Nancy - 2007 – p. 1/6

Two goals

• A general introduction to Hybrid Systems from

computer science standpoint

EJCMI - Nancy - 2007 – p. 2/6

Two goals

• A general introduction to Hybrid Systems from

computer science standpoint

• Decidability issues or Dynamics and computation

(for HS, but this is not important)

EJCMI - Nancy - 2007 – p. 2/6

Introductory equations

• Hybrid Systems = Discrete+Continuous

EJCMI - Nancy - 2007 – p. 3/6

Introductory equations

• Hybrid Systems = Discrete+Continuous
• Hybrid Automata = A class of models of Hybrid

systems

EJCMI - Nancy - 2007 – p. 3/6

Introductory equations

• Hybrid Systems = Discrete+Continuous
• Hybrid Automata = A class of models of Hybrid

systems

• Original motivation (1990)= physical plant +

digital controller

EJCMI - Nancy - 2007 – p. 3/6

Introductory equations

• Hybrid Systems = Discrete+Continuous
• Hybrid Automata = A class of models of Hybrid

systems

• Original motivation (1990)= physical plant +

digital controller

• New applications = also scheduling, biology,

economy, numerics, and more

EJCMI - Nancy - 2007 – p. 3/6

Introductory equations

• Hybrid Systems = Discrete+Continuous
• Hybrid Automata = A class of models of Hybrid

systems

• Original motivation (1990)= physical plant +

digital controller

• New applications = also scheduling, biology,

economy, numerics, and more

• Hybrid community = Control scientists’ + Applied

mathematicians + Some computer scientists’

EJCMI - Nancy - 2007 – p. 3/6

Outline

• 1. Hybrid automata - the model
• 2. Reachability analysis of Hybrid systems
• Verification and reachability problems
• Exact methods
• The curse of undecidability
• Decidable classes
• Between decidable and undecidable
• Can realism help?
• Approximate methods
• Beyond reachability, beyond verification
• Verification tools
• 3. Conclusions and perspectives

EJCMI - Nancy - 2007 – p. 4/6

• 1. The Model

EJCMI - Nancy - 2007 – p. 5/6

The first example

I’m sorry, a thermostat.

EJCMI - Nancy - 2007 – p. 6/6

The first example

I’m sorry, a thermostat.

• When the heater is OFF

, the room cools down :

˙ x = −x

• When it is ON, the room heats:

˙ x = H − x

EJCMI - Nancy - 2007 – p. 6/6

The first example

I’m sorry, a thermostat.

• When the heater is OFF

, the room cools down :

˙ x = −x

• When it is ON, the room heats:

˙ x = H − x

• When t>M it switches OFF
• When t<m it switches ON

EJCMI - Nancy - 2007 – p. 6/6

The first example

I’m sorry, a thermostat.

• When the heater is OFF

, the room cools down :

˙ x = −x

• When it is ON, the room heats:

˙ x = H − x

• When t>M it switches OFF
• When t<m it switches ON

A strange creature. . .

EJCMI - Nancy - 2007 – p. 6/6

A bad syntax

Some mathematicians prefer to write

˙ x = f(x, q)

where

f(x, Off) = −x f(x, On) = H − x

with some switching rules on q.

EJCMI - Nancy - 2007 – p. 7/6

A bad syntax

Some mathematicians prefer to write

˙ x = f(x, q)

where

f(x, Off) = −x f(x, On) = H − x

with some switching rules on q. But we will draw an automaton!

EJCMI - Nancy - 2007 – p. 7/6

Hybrid automaton

label invariant dynamics guard reset

x = M x ≤ M ˙ x = H − x x ≥ m ˙ x = −x

Off On

x = m /γ

EJCMI - Nancy - 2007 – p. 8/6

Hybrid automaton

label invariant dynamics guard reset

x = M x ≤ M ˙ x = H − x x ≥ m ˙ x = −x

Off On

x = m /γ

A formal definition: It is a tuple . . .

EJCMI - Nancy - 2007 – p. 8/6

Hybrid automaton

label invariant dynamics guard reset

x = M x ≤ M ˙ x = H − x x ≥ m ˙ x = −x

Off On

x = m /γ

A formal definition: It is a tuple . . .

m x t M

EJCMI - Nancy - 2007 – p. 8/6

For those who know timed automata

label invariant dynamics guard reset

x = M x ≤ M ˙ x = H − x x ≥ m ˙ x = −x

Off On

x = m /γ

q1 q2 q3 q4 a, x = 5/x := 0 b, x = 2 a, x < 10 b, x > 7 a, x = 8 b, x = 5/x := 0

EJCMI - Nancy - 2007 – p. 9/6

For those who know timed automata

Element Timed Aut. Hybrid Aut. Discrete locations q ∈ Q (finite) q ∈ Q (finite) Continuous variables

• x ∈ Rn
• x ∈ Rn

x dynamics ˙ x = 1 ˙ x = f(x) (and more) Guards

• bool. comb. of xi ≤ ci
• x ∈ G

Updates xi := 0

• x := u(

x) Invariants same as guards same as guards

EJCMI - Nancy - 2007 – p. 9/6

For those who know timed automata

Element Timed Aut. Hybrid Aut. Discrete locations q ∈ Q (finite) q ∈ Q (finite) Continuous variables

• x ∈ Rn
• x ∈ Rn

x dynamics ˙ x = 1 ˙ x = f(x) (and more) Guards

• bool. comb. of xi ≤ ci
• x ∈ G

Updates xi := 0

• x := u(

x) Invariants same as guards same as guards

Hybrid automata = a (too much) far going generalization of timed automata.

EJCMI - Nancy - 2007 – p. 9/6

Semantic issues

• A trajectory (run) is an f : R → Q × Rn
• Some mathematical complications (notion of

solution, existence and unicity not so evident).

• Zeno trajectories (infinitely many transitions in a

finite period of time).

• can be forbidden
• one can consider trajectories up to the first

anomaly (Sastry et al., everything OK)

• one can consider the complete Zeno

trajectories (very funny : Asarin-Maler 95)

EJCMI - Nancy - 2007 – p. 10/6

Variants

• Discrete-time (xn+1 = f(xn)) or continuous-time

˙ x = f(x)

• Deterministic (e.g. ˙

x = f(x)) or non-deterministic

(e.g. ˙

x ∈ F(x))

• Eager or lazy.
• With control and/or disturbance (e.g. ˙

x = f(x, u, d))

• Various restrictions on dynamics, guards and

resets: “Piecewise trivial dynamics”. LHA, RectA, PCD, PAM, SPDI . . . They are still highly non-trivial.

EJCMI - Nancy - 2007 – p. 11/6

Special classes of Hybrid Automata 1

• The famous one: Linear Hybrid Automata

˙ x = c1 ˙ x = c2 x ∈ P1/x := A1x + b1 x ∈ P2/x := A2x + b2

EJCMI - Nancy - 2007 – p. 12/6

Special classes of Hybrid Automata 2

• My favorite: PCD = Piecewise Constant

Derivatives

x y P1 c1

˙ x = ci for x ∈ Pi

EJCMI - Nancy - 2007 – p. 13/6

PCD is a linear hybrid automaton (LHA)

e3 e2 e4 e5 e9 e12 e1 e8 e11 e7 e6 e10

EJCMI - Nancy - 2007 – p. 14/6

PCD is a linear hybrid automaton (LHA)

e2 e3 e9 e12 e4 e3 e1 e2 e12 e11 e1 e8 e7 e8 e11 e7 e6 e10 e6 e5 e4 e5 e9 e10

EJCMI - Nancy - 2007 – p. 14/6

PCD is a linear hybrid automaton (LHA)

˙ x = a7 ˙ x = a8 ˙ x = a4 Inv(ℓ2) ˙ x = a2

R2

˙ x = a1 x = e7 x = e6 x = e8 x = e1 x = e10 x = e11 x = e4 x = e5 Inv(ℓ4) Inv(ℓ1) Inv(ℓ8) Inv(ℓ7) Inv(ℓ6) ˙ x = a6 Inv(ℓ5) ˙ x = a5

R1 R5 R8 R7 R6 R4

e2 e3 e9 e12

EJCMI - Nancy - 2007 – p. 14/6

PCD is a linear hybrid automaton (LHA)

˙ x = a7 ˙ x = a8 ˙ x = a4 Inv(ℓ2) ˙ x = a2 x = e3

R2

˙ x = a1 x = e2 ˙ x = a3 x = e7 x = e6 x = e8 x = e1 x = e10 x = e11 x = e12 x = e9 x = e4 x = e5 Inv(ℓ4) Inv(ℓ3) Inv(ℓ1) Inv(ℓ8) Inv(ℓ7) Inv(ℓ6) ˙ x = a6 Inv(ℓ5) ˙ x = a5

R1 R5 R8 R7 R6 R3 R4

EJCMI - Nancy - 2007 – p. 14/6

PCD is a linear hybrid automaton (LHA)

˙ x = a7 ˙ x = a8 ˙ x = a4 Inv(ℓ2) ˙ x = a2 x = e3

R2

˙ x = a1 x = e2 ˙ x = a3 x = e7 x = e6 x = e8 x = e1 x = e10 x = e11 x = e12 x = e9 x = e4 x = e5 Inv(ℓ4) Inv(ℓ3) Inv(ℓ1) Inv(ℓ8) Inv(ℓ7) Inv(ℓ6) ˙ x = a6 Inv(ℓ5) ˙ x = a5

R1 R5 R8 R7 R6 R3 R4

EJCMI - Nancy - 2007 – p. 14/6

Special classes of Hybrid Automata 3

• The most illustrative: Piecewise Affine Maps

P1 P2 A1x+b1 A2x+b2

x := Aix + bi for x ∈ Pi

EJCMI - Nancy - 2007 – p. 15/6

How to model?

• a control system

EJCMI - Nancy - 2007 – p. 16/6

How to model?

• a control system
• a scheduler with preemption

EJCMI - Nancy - 2007 – p. 16/6

How to model?

• a control system
• a scheduler with preemption
• a genetic network

EJCMI - Nancy - 2007 – p. 16/6

How to model?

• a control system
• a scheduler with preemption
• a genetic network

A network of interacting Hybrid automata

EJCMI - Nancy - 2007 – p. 16/6

Hybrid languages

• SHIFT
• Charon
• Hysdel
• IF

, Uppaal (Timed + ε)

• why not Simulink? or Simulink+CheckMate.

EJCMI - Nancy - 2007 – p. 17/6

What to do with a hybrid model

• Simulate
• With Matlab/Simulink
• With dedicated tools
• Analyze with techniques from control science:
• Stability analysis
• Optimal control
• etc..
• Analyze with your favorite techniques. The most important

invention is the model.

EJCMI - Nancy - 2007 – p. 18/6

• 2. Reachability

EJCMI - Nancy - 2007 – p. 19/6

Verification and reachability problems

• Is automatic verification possible for HA?

EJCMI - Nancy - 2007 – p. 20/6

Verification and reachability problems

• Is automatic verification possible for HA?
• Safety: are we sure that HA never enters a bad

state?

• It can be seen as reachability : verify that

¬Reach(Init, Bad)

EJCMI - Nancy - 2007 – p. 20/6

Verification and reachability problems

• Is automatic verification possible for HA?
• Safety: are we sure that HA never enters a bad

state?

• It can be seen as reachability : verify that

¬Reach(Init, Bad)

• It is a natural and challenging mathematical

problem.

• Many works on decidability
• Some works on approximated techniques

EJCMI - Nancy - 2007 – p. 20/6

The reachability problem

Given a hybrid automaton H and two sets

A, B ⊂ Q × Rn, find out whether there exists a

trajectory of H starting in A and arriving to B. All parameters rational.

EJCMI - Nancy - 2007 – p. 21/6

Exact methods: The curse of undecidability

• Koiran et al.: Reach is undecidable for 2d PAM.
• AM95: Reach is undecidable for 3d PCD.
• HPKV95 Many results of the type : “3clocks + 2

stopwatches = undecidable”

EJCMI - Nancy - 2007 – p. 22/6

Anatomy of Undecidability — Preliminaries

Proof method: simulation of 2-counter (Minsky) machine, TM etc...

• A counter: values in N; operations: C + +, C − −;

test C > 0?

• A Minsky (2 counter) machine

q1 : D + +;

goto q2

q2 : C − −;

goto q3

q3 :

if C > 0 then goto q2 else q1

• Reachability is undecidable (and Σ0

1-complete) for

Minsky machines.

EJCMI - Nancy - 2007 – p. 23/6

Simulating a counter

1 2 3 4

C x 0 1

Counter PAM State space N State space [0; 1] State C = n

x = 2−n C + + x := x/2 C − − x := 2x C > 0? x < 0.75?

EJCMI - Nancy - 2007 – p. 24/6

Encoding a state of a Minsky Machine

q1 q2 q3

(0,3) (2,1) (3,3)

Minsky Machine PAM State space {q1, . . . , qk} × N × N State space [1; k + 1] × State (qi, C = m, D = n)

x = i + 2−m, y = 2−n

EJCMI - Nancy - 2007 – p. 25/6

Simulating a Minsky Machine

Minsky Machine PAM State space {q1, . . . , qk} × N × N State space [1; k + 1] × [0; 1] State (qi, C = m, D = n) x = i + 2−m, y = 2−n q1 : D + +; goto q2    x := x + 1 y := y/2 if 1 < x ≤ 2 q2 : C − −; goto q3    x := 2(x − 2) + 3 y := y if 2 < x ≤ 3 q3 : if C > 0 then goto q2 else q1    x := x − 1 y := y if 3 < x < 4    x := x − 2 y := y if x = 4

EJCMI - Nancy - 2007 – p. 26/6

. . . finally

we have proved that Reach is undecidable for 2d PAMs. Undecidability proofs for other classes of HA are similar.

PCD on the blackboard

EJCMI - Nancy - 2007 – p. 27/6

Exact methods: Decidable classes

Reach(x, y) ⇔ ∃ a trajectory from x to y Reach is decidable for

• AD: timed automata
• HKPV95: initialized rectangular automata,

extensions of timed automata

• LPY01: special linear equations + full resets.

Method : finite bisimulation (stringent restrictions on the dynamics) KPSY: Integration graphs???

EJCMI - Nancy - 2007 – p. 28/6

Decidability 2

Reach is decidable for

• MP94: 2d PCD + Key idea
• CV96: 2d multi-polynomial systems.
• ASY01: 2d “non-deterministic PCD” (wait a

minute)

EJCMI - Nancy - 2007 – p. 29/6

SPDI

Simple Polygonal Differential Inclusion = the non-deterministic version of PCD=

• A partition of the plane into polygonal regions
• A constant differential inclusion for each region

˙ x ∈ ∠b

a if x ∈ Ri

EJCMI - Nancy - 2007 – p. 30/6

SPDI

Simple Polygonal Differential Inclusion =

R6 R8 R3 R7 R2 R4 R5 R1

e5 e4 e3 e2 e1 e8 e7 e6 y x

EJCMI - Nancy - 2007 – p. 30/6

Difficulties

Too many trajectories ( even locally )

e5 e4 e1 e8 e3 e2 e7 e6

EJCMI - Nancy - 2007 – p. 31/6

Difficulties

Too many signatures

e5 e4 e3 e9 e2 e1 e8 e7 e6 e10 e11 e12

EJCMI - Nancy - 2007 – p. 31/6

Difficulties

Self-crossing trajectories

e5 e4 e3 e1 e8 e10 e9 e12 e11 e2 e6 e7

EJCMI - Nancy - 2007 – p. 31/6

Plan of solution

• Simplify trajectories
• Enumerate types of signatures
• Test reachability for each type using accelerations

EJCMI - Nancy - 2007 – p. 32/6

Simplification 1: Straightening

x′ Ri x a b

EJCMI - Nancy - 2007 – p. 33/6

Simplification 2: Removing self-crossings

b a b a e2 e′

2

x0 xf x′ y y′ e′

1

x e1 e′

2

e′

1

e1 xf

e2

y′ x0 x

Bottom line:Reach(x, y) ⇔ ∃ a simple piecewise straight trajectory from x to y

EJCMI - Nancy - 2007 – p. 34/6

Key topological remark

Simple curves on the plane are very simple (Jordan, Poincaré-Bnedixson, applied by

Maler-Pnueli )

EJCMI - Nancy - 2007 – p. 35/6

Signatures of simplified trajectories

• Representation Theorem: Any edge signature

can be represented as

σ = r1(s1)k1r2(s2)k2 . . . rn(sn)knrn+1

• Properties
• ri is a seq. of pairwise different edges;
• si is a simple cycle;
• ri and rj are disjoint
• si and sj are different

Proof based on Jordan’s theorem (MP94)

EJCMI - Nancy - 2007 – p. 36/6

Classification of signatures

Any edge signature belongs to a type

r1(s1)∗r2(s2)∗ . . . rn(sn)∗rn+1

s1 s2 sn rn rn+1 r3 r2 r1

There are finitely many types!

EJCMI - Nancy - 2007 – p. 37/6

How to explore one type?

s1 s2 sn rn rn+1 r3 r2 r1

Recipe: compute successors and accelerate cycles.

EJCMI - Nancy - 2007 – p. 38/6

Successors (by σ)

One step (σ = e1e2)

e4 e5 e11 e12 e9 e10 e2 e3 e1 e13 e8 e7 e6 x I2

[a1x + b1, a1x + b1]

I′ = Succe1e2(x) = [fb(x), fa(x)] = F(x)

EJCMI - Nancy - 2007 – p. 39/6

Successors (by σ)

Several steps (σ = e1e2e3)

• e4

e5 e11 e12 e9 e10 e2 e3 e1 e13 e8 e7 e6 I3 x

I′ = Succσ(x) = [f′

b(x), f′ a(x)] = F ′(x)

EJCMI - Nancy - 2007 – p. 39/6

Successors (by σ)

Several steps (σ = e1e2e3e4e5)

• x

e5 e4 e1 e10 e9 e12 e11 e6 e7 e8 e13 e2 e3

I′ = Succσ(x) = [f′′

b(x), f′′ a(x)] = F ′′(x)

EJCMI - Nancy - 2007 – p. 39/6

Successors (by σ)

One cycle (σ = s = e1e2 · · · e8e1)

• x

e5 e4 e8 e11 e10 e9 e12 e13 e7 e6 e3 e2 e1 I9

I′ = Succσ(x) = [f′′

b(x), f′′ a(x)] = F ′′(x)

EJCMI - Nancy - 2007 – p. 39/6

Successors (by σ)

• e8

e13 e1 e2 e4 e6 e7 e11 e10 e9 e12 e5

x I′

e3

One cycle iterated: ≈solution of fixpoint equation

(acceleration) (Succσ(I) = I)

EJCMI - Nancy - 2007 – p. 39/6

The calculus of TAMF

• Fact: All successors are TAMF
• Affine function (AF):

f(x) = ax + b with a > 0

• Affine multi-valued function (AMF):

˜ F(x) = [f1(x), f2(x)]

• Truncated affine multi-valued function

(TAMF):

F(x) = ˜ F(x) ∩ J if x ∈ S

Lemma: AF

, AMF and TAMF are closed under composition.

Lemma: Fixpoint equations F(I) = I can be explicitely

solved (without iterating)

EJCMI - Nancy - 2007 – p. 40/6

Reachability Algorithm

for each type of signature τ do test whether x τ

→ y

To test x τ

→ y for τ = r1(s1)∗r2(s2)∗ . . . rn(sn)∗rn+1

compute Succr and accelerate (Succs)∗

EJCMI - Nancy - 2007 – p. 41/6

Main result for SPDI

Reachability is decidable for SPDI

EJCMI - Nancy - 2007 – p. 42/6

SPeeDI the tool

35 36 40 39 R32 38 37 44 33 R33 R34 R35 R30 R29 34 R31 59 60

EJCMI - Nancy - 2007 – p. 43/6

Between Decidable and Undecidable

EJCMI - Nancy - 2007 – p. 44/6

More complex 2d systems

What happens if . . .

• . . . we allow jumps?
• . . . the PCD is on a 2d surface?
• . . . ?

The answer is: we know that we do not know. More precisely: it is equivalent to a well known open

problem.

EJCMI - Nancy - 2007 – p. 45/6

Reminder: the Reference Model

• 1d piecewise affine maps (PAMs): f : R → R

f(x) = aix + bi for x ∈ Ii

I3 R a2x + b2 I5 I2 a4x + b4 a1x + b1 a5x + b5 I4 I1

Old Open Problem. Is reachability decidable for 1d PAM?

EJCMI - Nancy - 2007 – p. 46/6

LHA ≡ PAM

• Theorem. 2d LHA can simulate 1d PAM and vice versa
• Corollary. Reachability is decidable for 2d LHA iff it is

decidable for 1d PAM

EJCMI - Nancy - 2007 – p. 47/6

LHA ≡ PAM - proof

• LHA simulates PAM

˙ x = 0 ˙ y = 1 0 ≤ y ≤ 1 y = 1 ∧ x ∈ Ii x := aix + bi; y := 0 e′ e γ(e′, x, y) = (e, aix + bi, 0) Ii

(a) (b)

• PAM simulates LHA

e1 e5 e2 e0 e4 e3 I1 I2 I3 x′ = a3x + b3 x e1 e2 e3 e4 I1 I2 I3 A2x + B2 A3x + B3 A4x + B4 e0 R

EJCMI - Nancy - 2007 – p. 48/6

PCD on surfaces ≡ iPAM

R2 R1 R3 R4

EJCMI - Nancy - 2007 – p. 49/6

PCD on surfaces ≡ iPAM

R2 R1 R3 R4

Reachability?

EJCMI - Nancy - 2007 – p. 49/6

PCD on surfaces ≡ iPAM

R2 R1 R3 R4

Reachability?

EJCMI - Nancy - 2007 – p. 49/6

PCD on surfaces ≡ iPAM

R2 R1 R3 R4

Reachability?

EJCMI - Nancy - 2007 – p. 49/6

PCD on surfaces ≡ iPAM

R2 R1 R3 R4

Reachability?

EJCMI - Nancy - 2007 – p. 49/6

PCD on surfaces ≡ iPAM

R2 R1 R3 R4

Reachability?

• Theorem. PCDs on 2d surfaces can simulate 1d injec-

tive PAM and vice versa"

• Corollary. Reachability is decidable for PCDs on 2d

surfaces iff it is decidable for 1d injective PAMs

EJCMI - Nancy - 2007 – p. 49/6

Local Summary

• Reachability undecidable for dim ≥ 2 in discrete

time and dim ≥ 3 in continuous time

EJCMI - Nancy - 2007 – p. 50/6

Local Summary

• Reachability undecidable for dim ≥ 2 in discrete

time and dim ≥ 3 in continuous time

• Reachability decidable on the plane in continuous

time without jumps.

EJCMI - Nancy - 2007 – p. 50/6

Local Summary

• Reachability undecidable for dim ≥ 2 in discrete

time and dim ≥ 3 in continuous time

• Reachability decidable on the plane in continuous

time without jumps.

• Difficult question for jumps on the plane or for 2d

manifolds.

EJCMI - Nancy - 2007 – p. 50/6

Local Summary

• Reachability undecidable for dim ≥ 2 in discrete

time and dim ≥ 3 in continuous time

• Reachability decidable on the plane in continuous

time without jumps.

• Difficult question for jumps on the plane or for 2d

manifolds.

• General remark: it seems that undecidability is

related to chaotic dynamics

EJCMI - Nancy - 2007 – p. 50/6

Can realism help?

Maybe even undecidability is an artefact? Maybe it never occurs in real systems?

EJCMI - Nancy - 2007 – p. 51/6

Proof method – Abstract View

• Proof by simulation of an infinite state machine by

a DS

• State of machine ↔ state of the DS
• Dynamics of DS simulates transitions of the

machine

EJCMI - Nancy - 2007 – p. 52/6

Consequences for bounded DS witnessing undecidability

• Important states (sets) of the DS are very dense

(have accumulation points)

• Dynamics should be very precise (at least around

accumulation points)

• It is difficult (impossible) to realize such systems

physically

• ...and also: dynamics should be chaotic...

infinite state

EJCMI - Nancy - 2007 – p. 53/6

The Conjecture

Reachability is decidable for realistic, un- precise, noisy, “fuzzy”, “robust” systems Arguments:

• The only known proof method uses unbounded

precision (or unbounded state space)

• Noise could regularize...
• This world is nice and bad things never happen...
• Engineers design systems and never deal with

undecidability.

EJCMI - Nancy - 2007 – p. 54/6

Noise: Some Thoughts and Results 1

• All the arguments are weak
• The problem is interesting
• I know 4 natural formalizations of “realism”
• Non-zero noise: undecidable (Σ1-hard)
• uniform noise: open problem
• Infinitesimal noise: undecidable and co-r.e.

(Π0

1-complete)

• Stochastic noise: ∆0

2-complete for TM

EJCMI - Nancy - 2007 – p. 55/6

Noise: Some Thoughts and Results 2

• Both positive or negative solution would be

interesting for the second one

• Most of these effects are not specific for a class of

systems, they can be ported to any reasonable class.

• All this is very intriguing.

EJCMI - Nancy - 2007 – p. 56/6

Approximate methods for reachability

• In practice approximate methods should be used

for safety verification.

• Several tools, many methods.
• General principles are easy, implementation

difficult.

EJCMI - Nancy - 2007 – p. 57/6

Abstract algorithm

For example consider forward breadth-first search. F=Init repeat F=F ∪ SuccFlow(F) ∪ SuccJump(F) until fixpoint |(F∩ Bad = ∅) | tired A standard verification (semi-)algorithm.

EJCMI - Nancy - 2007 – p. 58/6

How to implement it

Needed data structure for (over-)approximate representation of subsets of Rn, and algorithms for efficient computing of

• unions, intersections;
• inclusion tests;
• SuccFlow;
• SuccJump.

EJCMI - Nancy - 2007 – p. 59/6

Known implementations

• Polyhedra (HyTech - exact. Checkmate)
• “Griddy polyhedra” (d/dt)
• Ellipsoids (Kurzhanski, Bochkarev)
• Level sets of functions (Tomlin)
• Zonotopes (Girard)

f(x)<0

EJCMI - Nancy - 2007 – p. 60/6

Does it work?

Up to 10 dimensions. Sometimes.

EJCMI - Nancy - 2007 – p. 61/6

Using advanced verification techniques

• Searching for better data-structures (SOS, *DD)
• Abstraction and refinement
• Combining model-checking and theorem proving
• Acceleration
• Bounded model-checking

EJCMI - Nancy - 2007 – p. 62/6

Beyond verification

Generic verification algorithms + hybrid data structures allow:

• Model-checking
• Controller synthesis
• Phase portrait generation

EJCMI - Nancy - 2007 – p. 63/6

A picture

R6 R8 R4 R3 R7 R5 R2 R11 R12 R13 R14 R15 R1

e14 e15 e8 e5 e4 e3 e2 e7 e6 e13 e12 e11 e10 e1

EJCMI - Nancy - 2007 – p. 64/6

• 3. Final Remarks

EJCMI - Nancy - 2007 – p. 65/6

Conclusions for a pragmatical user

• A useful and proper model : HA. Modeling

languages available.

• Simulation possible with old and new tools
• No hope for exact analysis
• In simple cases approximated analysis (and

synthesis) with guarantee is possible using verification paradigm. Tools available

• (Not discussed) Some control-theoretical

techniques available (stability, optimal control etc).

EJCMI - Nancy - 2007 – p. 66/6

Perspectives for a researcher

• Obtain new decidability results (nobody cares for

undecidability).

• Explore noise-fuzziness-realism issues
• Apply modern model-checking techniques to

approximate verification of HS

• Create hybrid theory of formal languages
• etc.

EJCMI - Nancy - 2007 – p. 67/6