Locally Optimal Reach Set Over-approximation for Nonlinear Systems - PowerPoint PPT Presentation

Locally Optimal Reach Set Over-approximation for Nonlinear Systems EMSOFT 2016 Chuchu Fan Sayan Mitra Jim Kapinski Xiaoqing Jin

How to check safety of an autonomous maneuver? 𝜕 𝑡 $ gain overtake Given controller and separation threshold switch to requirement, check safety with respect to left switch to right ranges of initial relative positions, speeds, abort reach road conditions. threshold EMSOFT 2016 ⋅ Locally optimal reachability ⋅ Chuchu Fan ⋅ UIUC 2

Verification challenge model, bug trace Verification simulator, requirements Algorithms certificate Bug discovery → faster development Certificate → evidence for DO178C, ISO26262, etc. Challenge: models of complex control systems often do not have analytical solutions → Simulation ⇒ proofs? EMSOFT 2016 ⋅ Locally optimal 3 reachability ⋅ Chuchu Fan ⋅ UIUC

Safety verification problem Consider nonlinear ODE 𝑦̇ = 𝑔 𝑦 , 𝑦 ∈ ℝ - Relative distance Trajectory 𝜊 𝑦 / , 𝑢 : state at time 𝑢 from ‒ 𝜊 𝑒 / , 𝑢 initial state 𝑦 / 𝑒 / 𝐶(𝑒 / , 𝜀) ‒ Reachtube 𝜊(𝐶(𝑦 / , 𝜀), 𝑈) : all states 𝜊(𝐶(𝑦 / , 𝜀), 𝑈) reachable from initial set 𝐶(𝑦 / , 𝜀) ⊆ ℝ - up to time 𝑈 Unsafe time Safety verification problem: given initial set 𝐶(𝑦 / , 𝜀), unsafe set U , time bound 𝑈, d ecide 𝜊 𝐶(𝑦 / , 𝜀), 𝑈 ∩ U = ∅? EMSOFT 2016 ⋅ Locally optimal reachability ⋅ Chuchu Fan ⋅ UIUC 4

Simulation-driven verification strategy Grey tube: Unknown Green tube: Safe Given start and unsafe Θ 𝑉 Compute finite cover of initial set Relative Simulate from the center 𝑦 / of each cover distance 𝜊 𝑒 / , 𝑢 Generalize simulation to reachtube so that 𝑒 / reachtube contains all trajectories from the cover 𝐶(𝑒 / , 𝜀) 𝜊(𝐶(𝑦 / , 𝜀), 𝑈) Check intersection/containment with 𝑉 Refine time Union = over-approximation of reach set Key step: 𝜊 𝑦 / , 𝑢 -> 𝜊 𝐶 𝑦 / , 𝜀 , 𝑈 EMSOFT 2016 ⋅ Locally optimal 5 reachability ⋅ Chuchu Fan ⋅ UIUC

Main problem: How to quantify generalization? Discrepancy formalizes generalization : Discrepancy is a continuous function 𝛾 that bounds the distance between neighboring 𝜊 𝑦 D , 𝑢 trajectories 𝑦 D 𝜊 𝑦 B , 𝑢 − 𝜊(𝑦 D , 𝑢) ≤ 𝛾 𝑦 B − 𝑦 D , 𝑢 , 𝑦 B 𝛾(‖𝑦 B − 𝑦 D ‖, 𝑢) 𝜊 𝑦 B , 𝑢 From a single simulation of 𝜊(𝑦 B , 𝑢) and discrepancy 𝛾 we can over-approximate the reachtube EMSOFT 2016 ⋅ Locally optimal Feedback Friday Presentation 6 reachability ⋅ Chuchu Fan ⋅ UIUC

A simple example of discrepancy function If 𝑔(𝑦) has a Lipschitz constant 𝑀 : ∀𝑦, 𝑧 ∈ ℝ - , 𝑔 𝑦 − 𝑔 𝑧 ≤ 𝑀 𝑦 − 𝑧 𝜊 𝑦 D , 𝑢 𝑦 D Example: 𝑦̇ = −2𝑦, Lipschitz constant 𝑀 = 2 𝑦 B then a (bad) discrepancy function is 𝛾(‖𝑦 B − 𝑦 D ‖, 𝑢) 𝜊 𝑦 B , 𝑢 𝑦 B − 𝑦 D 𝑓 MN = 𝛾 𝜊 𝑦 B , 𝑢 − 𝜊(𝑦 D , 𝑢) ≤ 𝑦 B − 𝑦 D , 𝑢 EMSOFT 2016 ⋅ Locally optimal Feedback Friday Presentation 7 reachability ⋅ Chuchu Fan ⋅ UIUC

A simple example of discrepancy function 𝜊 𝑦 D , 𝑢 𝑦 D 𝑦 B 𝛾(‖𝑦 B − 𝑦 D ‖, 𝑢) 𝜊 𝑦 B , 𝑢 𝑦̇ = −2𝑦, Lipschitz constant 𝑀 = 2, 𝜀 = 1 EMSOFT 2016 ⋅ Locally optimal Feedback Friday Presentation 8 reachability ⋅ Chuchu Fan ⋅ UIUC

What is a good discrepancy ? General: Applies to general nonlinear 𝑔 𝜊 𝑦 D , 𝑢 Accurate: Small error in 𝛾 𝑦 D 𝑦 B Effective: Computing 𝛾 is fast (in practice) 𝛾(‖𝑦 B − 𝑦 D ‖, 𝑢) 𝜊 𝑦 B , 𝑢 EMSOFT 2016 ⋅ Locally optimal Feedback Friday Presentation 9 reachability ⋅ Chuchu Fan ⋅ UIUC

̇ Matrix measures can give tight discrepancy Theorem [Sontag 10]: For any 𝒠 ⊆ ℝ - , if all trajectories 𝒠 starting from the line between any two initial states 𝑦 B and 𝑦 D 𝑦 B − 𝑦 D 𝑓 QN , 𝜊 𝑦 D , 𝑢 𝑦 D remains in 𝒠 then: 𝜊 𝑦 B , 𝑢 − 𝜊 𝑦 D , 𝑢 ≤ where c = max $∈𝒠 𝜈 𝐾 𝑦 and 𝑦 B 𝜊 𝑦 B , 𝑢 𝜈 𝐾 𝑦 is a matrix measure of Jacobian = 𝑤 D + 𝑥 D Example: 𝑤̇ XY Z $ 𝐾 𝑦 = is the Jacobian matrix of f 𝑥 −𝑤 X$ [ 𝑤 = 2𝑤 2𝑥 Jacobian: 𝐾 This 𝑑 can be < 0, usually << Lipschitz constant 𝑥 −1 0 EMSOFT 2016 ⋅ Locally optimal reachability ⋅ Chuchu Fan ⋅ UIUC 10

� Matrix measure for 𝐵 ∈ ℝ -×- Matrix norm Matrix measure [Dahlquist 59]: 𝐽 + 𝑢𝐵 − 𝐽 𝐵𝑦 𝜈 𝐵 = lim 𝐵 = max 𝑢 𝑦 N→/ f $n/ klk m 𝜇 ij$ (𝐵 o 𝐵) 2-norm: 𝜈(𝐵) = 𝜇 ij$ 𝐵 D = D EMSOFT 2016 ⋅ Locally optimal reachability ⋅ Chuchu Fan ⋅ UIUC 11

� ̶ Definition of matrix measures 𝑑 = max $∈𝒠 𝜈 𝐾 𝑦 ① For any matrix 𝐵 ∈ ℝ -×- 𝐽 + 𝑢𝐾 𝑦 − 𝐽 ≡ 𝑑 = max $∈𝒠 lim Matrix norm Matrix measure [Desoer 72]: ② 𝑢 N→/ f From original 𝐽 + 𝑢𝐵 − 𝐽 𝐵𝑦 problem to an SDP … 𝜈 𝐵 = lim 𝐵 = max 𝑢 𝑦 problem in the N→/ f $n/ next slides min 𝑑 klk m 𝜇 ij$ (𝐵 o 𝐵) 𝐵 D = max 2-norm: 𝜈(𝐵) = 𝜇 ij$ D s.t. ∀𝐵 ∈ 𝒝 𝒠, 𝐾 , 𝑁𝐵 + 𝐵 o 𝑁 ≼ 2𝑑𝐽 𝑁 ≻ 0 EMSOFT 2016 ⋅ Locally optimal reachability ⋅ Chuchu Fan ⋅ UIUC 12

Baseline algorithm with 2-norm [Fan and Mitra ATVA15] Choosing ordinary matrix 2-norm, 𝜈 𝐾 𝑦 becomes: 𝐾 𝑦 + 𝐾 o 𝑦 𝜇 ij$ 2 [ATVA15]uses eigenvalue of center Jacobian matrix and perturbation bound to maximize this quantity over 𝒠 [CAV15] application to Powertrain verification problem [Jin 16] [CAV16] tool C2E2 implementing this algorithm EMSOFT 2016 ⋅ Locally optimal reachability ⋅ Chuchu Fan ⋅ UIUC 13

Coordinate transformation makes reachtube tighter Under 2-norm, approximations are represented by spheres Using linear coordinate transformations of state, we 𝜊 𝑦 D , 𝑢 can get tighter over-approximations with ellipsoids 𝑦 D Under coordinate transformation 𝑄 : matrix measure 𝑦 B 𝜊 𝑦 B , 𝑢 is 𝜈 | 𝐵 = 𝜈(𝑄𝐵𝑄 }B ) 𝛾(‖𝑦 B − 𝑦 D ‖, 𝑢) EMSOFT 2016 ⋅ Locally optimal Feedback Friday Presentation 14 reachability ⋅ Chuchu Fan ⋅ UIUC

Coordinate transformation makes reachtube tighter Plug in ① 𝑑 = max $∈𝒠 𝜈 𝐾 𝑦 Under 2-norm approximations are represented by definition [Original problem] spheres 𝐽 + 𝑢𝐾 𝑦 − 𝐽 ② ≡ 𝑑 = max $∈𝒠 lim 𝑢 Using linear coordinate transformations of state, we N→/ f 𝜊 𝑦 D , 𝑢 can get tighter over-approximations with ellipsoids 𝑦 D 𝑄𝐾 𝑦 𝑄 }B + (𝑄 }B ) o 𝐾 𝑦 𝑄 o ③ ≡ 𝑑 = max $∈𝒠 𝜇 ij$ Under coordinate transformation 𝑄 : matrix measure 𝑦 B 2 𝛾(‖𝑦 B − 𝑦 D ‖, 𝑢) 𝜊 𝑦 B , 𝑢 is 𝜈 | 𝐵 = 𝜈(𝑄𝐵𝑄 }B ) [Using coordinate transformation] EMSOFT 2016 ⋅ Locally optimal Feedback Friday Presentation 15 reachability ⋅ Chuchu Fan ⋅ UIUC

Approximating J(x) with an 𝑑 = max $∈𝒠 𝜈 𝐾 𝑦 interval matrix 𝐽 + 𝑢𝐾 𝑦 − 𝐽 ≡ 𝑑 = max $∈𝒠 lim 𝑢 N→/ f 𝑄𝐾 𝑦 𝑄 }B + (𝑄 }B ) o 𝐾 𝑦 𝑄 o 𝒠 is a compact set ≡ 𝑑 = max $∈𝒠 𝜇 ij$ 2 Each 𝐾 •‚ : 𝒠 → ℝ is continuous and has upper (𝑣 •‚ ) and lower bounds (𝑚 •‚ ) Compute interval matrix 𝒝(𝒠, 𝐾) = 𝒠 [∗,∗] ⋯ [∗,∗] ⋮ [𝑚 •‚ , 𝑣 •‚ ] ⋮ 𝑦 D 𝜊 𝑦 D , 𝑢 [∗,∗] ⋯ [∗,∗] 𝑦 B 𝐾(𝑦) 𝜊 𝑦 B , 𝑢 For all 𝑦 ∈ 𝒠, 𝐾 𝑦 ∈ 𝒝(𝒠, 𝐾) EMSOFT 2016 ⋅ Locally optimal reachability ⋅ Chuchu Fan ⋅ UIUC 16

Approximating J(x) with an interval matrix 𝑑 = max $∈𝒠 𝜈 𝐾 𝑦 ① [Original problem] 𝒠 𝒠 is a compact 𝐽 + 𝑢𝐾 𝑦 − 𝐽 ② ≡ 𝑑 = max $∈𝒠 lim 𝑦 D 𝑢 𝜊 𝑦 D , 𝑢 N→/ f Each 𝐾 •‚ : 𝒠 → ℝ is continuous and therefore has upper (𝑣 •‚ ) and lower bounds (𝑚 •‚ ) over 𝒠 𝑦 B 𝑄𝐾 𝑦 𝑄 }B + (𝑄 }B ) o 𝐾 𝑦 𝑄 o 𝐾(𝑦) 𝜊 𝑦 B , 𝑢 ③ ≡ 𝑑 = max $∈𝒠 𝜇 ij$ 2 [∗,∗] ⋯ [∗,∗] [Using coordinate transformation] ⋮ [𝑚 •‚ , 𝑣 •‚ ] ⋮ 𝒝(𝒠, 𝐾) = 𝑄𝐵𝑄 }B + (𝑄 }B ) o 𝐵𝑄 o ④ [∗,∗] ⋯ [∗,∗] ⇐ k∈𝒝 𝒠,” 𝜇 ij$ max 2 [Bound 𝐾(𝑦) with interval matrix] EMSOFT 2016 ⋅ Locally optimal reachability ⋅ Chuchu Fan ⋅ UIUC 17

𝑑 = max $∈𝒠 𝜈 𝐾 𝑦 Make it a semi-definite problem 𝐽 + 𝑢𝐾 𝑦 − 𝐽 ≡ 𝑑 = max $∈𝒠 lim 𝑢 N→/ f 𝑄𝐾 𝑦 𝑄 }B + (𝑄 }B ) o 𝐾 𝑦 𝑄 o ≡ 𝑑 = max $∈𝒠 𝜇 ij$ 2 𝑄𝐵𝑄 }B + (𝑄 }B ) o 𝐵𝑄 o ⇐ k∈𝒝 𝒠,” 𝜇 ij$ max |k| –— l(| –— ) m k| m 2 k∈𝒝 𝒠,” 𝜇 ij$ max D 𝒠 ≡ min 𝑑 𝑦 B − 𝑦 D ™ 𝑓 QN ∀𝐵 ∈ 𝒝 𝒠, 𝐾 𝑄𝐵𝑄 }B + (𝑄 }B ) o 𝐵𝑄 o ≼ 2𝑑 𝐽 𝑄 o 𝑄𝐵 𝑄 o + 𝐵𝑄 o 𝑄 ≼ 2𝑑𝐽 𝑄 o 𝑄 o 𝑄 s.t. 𝑄 𝑄 𝑦 D 𝜊 𝑦 D , 𝑢 { { 𝑁 𝑁 𝑦 B ≡ min 𝑑 𝜊 𝑦 B , 𝑢 s.t. ∀𝐵 ∈ 𝒝 𝒠, 𝐾 , 𝑁𝐵 + 𝐵 o 𝑁 ≼ 2𝑑𝐽 EMSOFT 2016 ⋅ Locally optimal reachability ⋅ Chuchu Fan ⋅ UIUC 18