SLIDE 1

Overview HS TTS Reach Robust End Bib HS Ex.

Models, Over-approximations and Robustness

Eugenio Moggi DIBRIS, Genova Univ. Rennes, 2020-05-14

E.Moggi Rennes, p. 1

SLIDE 2

Context

1 Systems: natural (Science) or man-made (Engineering)
  expensive to observe or design/build/test

2 Mathematical Models of Systems
  to predict the behavior of a system
  to analyze the model (of a system) before building the system

3 Computer-aided Analysis of Mathematical Models
  enabling technology to predict/test/verify models

Diagram: Mathematical Models (semantics/model) → Computer-aided Analysis (syntax/representation)
Languages for CPS: modeling language ML → describe models of CPS

SLIDE 3

Different views of the Real numbers

Maths: the usual real numbers x: R
Physics: x ± ε with error ε > 0, or interval [x_l, x_u]: IR
Computer Science:
  finite representation, eg floating-point (FP) number x̃: F
  finite approximation, eg FP interval [x̃_l, x̃_u]: IF

Computable/Approximable ≃
  Cauchy seq. of rationals Q (metric space)
  shrinking seq. of intervals IQ (partial order)

Diagram: f: R → R lifts to [f]: IR → IR
  f continuous implies [f](I) ≜ f(I) Scott continuous
  IR dcpo (≤ reverse incl.), induced Scott topology

SLIDE 4

Some Peculiarities of CPS (aka Hybrid Systems)

Time T matters (in concurrency causal order suffices)
State Space S uncountable, exact representation impossible
Imprecisions/inaccuracies can be anywhere

What can one do with computers?
  analysis of e: ML → compute over-approximation of A([[e]])
  e model description, [[e]] semantics (of e), A analysis.

SLIDE 5

Summary

1 Hybrid Sys. (HS [GST09]) vs Topological TS (TTS [Cui07])

2 Safe Reachability and Closed Sets
  states reachable in finite time vs in finite steps, avoid hybrid time domains and hybrid arcs ([GST09] pag 39)
  asymptotically reachable states and safe over-approximations

3 Robustness of HS Analysis and Continuity
  robustness wrt over-approx. and Scott continuous maps, avoid notion of (τ, ε)-close hybrid arcs ([GST09] pag 46)

Study of Dynamical Systems via Domain Theory ([Eda95])

SLIDE 6

Hybrid Systems (HS)

Definition (HS [GST09] pag 30) A hybrid system on a Banach space S [eg R^n] is H = (F, G) with F flow and G jump relation, ie F, G: Rel(|S|, |S|) ≃ Set(|S|, P(|S|))

Define new HS from a given HS H = (F, G) on S
  closure of H is HS c(H) = H̄ ≜ (F̄, Ḡ) on S, with H ⊆ c(H)
  H with clock is HS t(H) = (F′, G′) on T × S st
    F′ = {((t, s), (1, v)) | t: T ∧ (s, v): F}
    G′ = {((t, s), (t, s′)) | t: T ∧ (s, s′): G}

SLIDE 7

Topological Transition Systems (TTS)

Definition (TTS [Cui07]) Given a topological space S
  topological transition system = transition relation → ⊆ |S × S|
  timed TTS = timed transition relation → ⊆ |S × T+ × S|, where T+ = [0, +∞)

TTTS $\to_H$ induced by HS H = (F, G): $s \xrightarrow{d}_H s'$ ⟺
  jump: d = 0 and s′ ∈ G(s), or
  flow (cf. hybrid arc): d > 0 and ∃h: Top([0, d], S) st s = h(0), s′ = h(d) and ∀t: (0, d). ḣ(t) ∈ F(h(t)) with ḣ: Top((0, d), S)

TTS $s \to_H s'$ ⟺ $\exists d.\; s \xrightarrow{d}_H s'$, ie forget time from TTTS

SLIDE 8

Complete lattices and Monotonic maps [CC92]

The poset-enriched category Po
  obj X: Po complete lattice, ie poset st any S ⊆ |X| has a sup ⊔S
  arr f: Po(X, Y) monotonic, and ≤ pointwise order on Po(X, Y)
as setting for approximations (abstr. inter.) and reachability maps.

Given a topological space S, define the complete lattices
  P(S) = subsets of S ordered by reverse inclusion ⊑, ie smaller is better, sups are given by intersection
  C(S) = closed subsets of S ordered by ⊑, C(S) → P(S)
  H(S) ≜ P(S²)² ≅ P(2 × S²), ie complete lattice of HS on S
  Hc(S) ≜ C(S²)², ie complete lattice of closed HS on S
  c: H(S) → Hc(S) and t: H(S) → H(T × S)

SLIDE 9

Naive vs Safe Reachability

Define S: Po(H(S), P(S)) and T, Rf: Po(H(S) × P(S), P(S))
  S(F, G) = {s | ∃s′. sGs′ ∨ s′Gs ∨ sFs′}, the support of (F, G)
  T(H, S) = {s′ | $s \to_H s'$}, ie states reachable in one transition
  Rf(H, I) = smallest S: P(S) st I ⊆ S and T(H, S) ⊆ S, ie states reachable from I in finitely many transitions

Theorem $S(H) \subseteq S(\bar H) \subseteq C \triangleq \overline{S(H)} = \overline{S(\bar H)}$ and $I \subseteq C \Rightarrow Rf(H, I) \subseteq C$

Problem (under-approximation) Rf(H, I) ⊂ states reachable from I in finite time, eg Zeno HS (example HB)

SLIDE 10

Naive vs Safe Reachability

Due to imprecision a set S is indistinguishable from its closure S̄

Define Rs: Po(H(S) × P(S), C(S))
  Rs(H, I) = smallest C: C(S) st I ⊆ C and T(H, C) ⊆ C, ie safe approximation of states reachable from I in finite time

Theorem $Rf(H, I) \subseteq Rs(H, I) = Rs(H, \bar I) \subseteq Rs(\bar H, I)$ and $I \subseteq C \Rightarrow Rs(H, I) \subseteq C$, where $C \triangleq \overline{S(H)}$

SLIDE 11

Naive vs Safe Reachability

Problem (over-approximation) Rs(H, I) ⊃ states reachable from I in finite time, for a HS (example HD)

SLIDE 12

Robustness and Scott Continuity

Let S1 and S2 be metric spaces

Definition (Robustness) A: Po(C(S1), C(S2)) robust ⟺ ∀X. ∀ε > 0. ∃δ > 0. A(X_δ) ⊆ A(X)_ε
  where X_δ = {y | ∃x: X. d_i(x, y) < δ}: C(S_i) is the δ-fattening of X: C(S_i).

R The HS Hδσ ([GST09] pag 49) is like a fattening of H.
Q Robustness relies on a quantitative notion, the metric d; can one replace d with a qualitative notion?
A Robustness amounts to continuity wrt a topology on C(S) between the Scott topology and the Upper Vietoris topology!

SLIDE 13

Robustness and Scott Continuity

Theorem ([Eda95] Prop 3.2 & 3.3) If S_i are compact (metric spaces) and A: Po(C(S1), C(S2)), then Upper Vietoris top. = Scott top., and thus A robust ⟺ A Scott continuous
  C(S_i) are ω-continuous lattices
  bounded & closed ⟹ compact, only in finite dim. Banach spaces

SLIDE 14

Complete lattices and Scott continuous maps

The poset-enriched sub-category Cpo of Po
  obj X: Cpo complete lattice
  arr f: Cpo(X, Y) Scott continuous, ie f monotonic and f(⊔D) = ⊔f(D) whenever D ⊆ |X| directed
X finite lattice ⟹ Cpo(X, Y) = Po(X, Y).

Theorem (BCA) The inclusion Cpo(X, Y) ⊂→ Po(X, Y) preserves sups, and its right-adjoint gives the best cont. approx. (in Cpo(X, Y)) of f: Po(X, Y).
  If robustness = Scott continuity, this gives the best robust approx.
  If f: Po(X, Y) & g: Po(Y, Z), then the composite of the best cont. approx. of g with that of f is ≤ the best cont. approx. of g ◦ f

SLIDE 15

Robustness of Safe Reachability

Let H0: Hc(S) compact, also S0 = S(H0): C(S) is compact
  H(H0) complete lattice of HS included in H0
  C(S0) continuous lattice of compact subsets included in S0
  Hc(H0) continuous lattice of compact HS included in H0
S0 and H0 as hard constraints on non-determinism

If H: H(H0), then H ⊆ H̄: Hc(H0) and Rs(H, −): Po(C(S), C(S)) restricts to RsH: Po(C(S0), C(S0))
  its Scott continuous version Rs H: Cpo(C(S0), C(S0)) is robust wrt I: C(S0) (but not wrt H)

Inclusions: RsH(I) ⊆ Rs H(I).

SLIDE 16

Robustness of Safe Reachability

Other maps monotonic/continuous wrt I and also H
  Rs: Po(Hc(H0) × C(S0), C(S0)) safe reachability
  its Scott continuous version Rs: Cpo(Hc(H0) × C(S0), C(S0)) robust wrt H and I

Inclusions: RsH(I) ⊆ Rs H(I) ⊆ Rs H(I) ⊆ Rs(H, I).

SLIDE 17

Conclusions

Non-determinism essential to define robustness wrt H
Importance of noise: [Fra99, MFT19].

Q Is Rs: Cpo(Hc(H0) × C(S0), C(S0)) computable?

Restriction to finite model checking: Safe but not Robust, ie for X a non-trivial finite sub-lattice, RsH restricted to X is trivially continuous, but the square commutes only up to ≤:

  C(S) --Rs H--> C(S)
   |      ≤       |
   X   --RsH-->   X

SLIDE 18

References 1

  • [CC92] P. Cousot and R. Cousot. Abstract interpretation frameworks. Journal of Logic and Computation, 2(4):511–547, 1992.

  • [Cui07] P.J.L. Cuijpers. On bicontinuous bisimulation and the preservation of stability. In Hybrid Systems: Computation and Control, LNCS 4416, 2007.

  • [Eda95] A. Edalat. Dynamical systems, measures, and fractals via domain theory. Information and Computation, 120(1):32–48, 1995.

  • [Fra99] M. Fränzle. An ounce of realism can save an infinity of states. In Computer Science Logic, pages 126–139. Springer, 1999.

SLIDE 19

References 2

  • [GST09] R. Goebel, R.G. Sanfelice, and A. Teel. Hybrid dynamical systems. Control Systems, IEEE, 29(2):28–93, 2009.

  • E. Moggi, A. Farjudian, A. Duracz, and W. Taha. Safe & robust reachability analysis of hybrid systems. Theoretical Computer Science, 747C:75–99, 2018.

  • [MFT19] E. Moggi, A. Farjudian, and W. Taha. System analysis and robustness. In 20th ICTCS, CEUR-WS Vol. 2504, 2019.

SLIDE 20

Examples of HS

For each example of deterministic HS H ⊆ H0 compact, we give

  Acumen-like description of H and its initial state s0
    init s = s0: S0;                 init-clause
    flow bf(s, s′)                   flow rel. for H0
    flow s′ = f(s) when bf(s);       flow-clauses
    jump bg(s, s+)                   jump rel. for H0
    jump s+ = g(s) when bg(s);       jump-clauses

  Plots of the unique trajectory starting from s0 (but the closure H̄ of H could be non-deterministic)

  Approximations of the set R of reachable states
    RfH(s0) ⊆ R ⊆ RsH(s0) ⊆ Rs H(s0) ⊆ Rs(H, s0) ⊆ S0
  and mark the under- or over-approximations of R

Examples: HE HD HC HB

SLIDE 21

HS HE for Exponential Expand

init m = m0;
flow |m|, |m′| ≤ M;                  (flow rel. for H0)
flow m′ = m when 0 ≤ m < M;          increase
flow m′ = 0 when m = M;              hold

Plots: m against t for m0 > 0 and for m0 = 0 (figures in the original)

RfH(m) = [m, M] = RsH(m) = Rs H(m) = Rs(H, m), for m > 0
RfH(0) = [0] = RsH(0) ⊂ [0, M] = Rs H(0) = Rs(H, 0)

SLIDE 22

HS HD for Exponential Decay

init m = m0;
flow |m|, |m′| ≤ M;                  (flow rel. for H0)
flow m′ = −m when 0 < m < M;         decrease
jump |m|, |m+| ≤ M;                  (jump rel. for H0)
jump m+ = M when m = 0;              refill

Plots: m against t for m0 > 0 and for m0 = 0 (figures in the original)

RfH(0) = [0, M] = RsH(0) = ... = Rs(H, 0)
RfH(m) = (0, m] ⊂ [0, M] = RsH(m) = Rs(H, m), for m > 0
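Worked derivation of the two reach sets stated for HD (added here, not part of the original slides), using the definitions of T, Rf and Rs from the reachability slides; it assumes the flow clause has the solution m(t) = m0 e^{−t}, and writes Rf_H, Rs_H for the slides' RfH, RsH.

```latex
% Flow clause m' = -m on 0 < m < M, initial state m_0 with 0 < m_0 \le M.
% Trajectory m(t) = m_0 e^{-t}: 0 < m(t) \le m_0 for all t \ge 0, and m(t) \to 0 only as t \to \infty.
\text{One flow transition of duration } d > 0:\quad
m_0 \xrightarrow{d}_H m_0 e^{-d}, \qquad
T(H,\{m_0\}) = \{\, m_0 e^{-d} \mid d > 0 \,\} = (0, m_0).
\\[4pt]
\text{Naive reachability (least fixed point in } P(S)\text{):}\quad
Rf_H(m_0) = \{m_0\} \cup (0, m_0) = (0, m_0],
\quad\text{and } T(H,(0,m_0]) = (0,m_0) \subseteq (0,m_0],
\\[2pt]
\text{so the jump never fires: } m = 0 \text{ is reached only asymptotically, hence } 0, M \notin Rf_H(m_0).
\\[4pt]
\text{Safe reachability (least closed } C \supseteq \{m_0\} \text{ with } T(H,C) \subseteq C\text{):}
\\[2pt]
C \supseteq (0, m_0] \text{ closed } \Rightarrow 0 \in C
\;\Rightarrow\; M = m^+ \in T(H,C) \subseteq C
\;\Rightarrow\; (0, M) = T(H,\{M\}) \subseteq C,
\\[2pt]
\text{hence } C \supseteq [0, M]; \text{ conversely } [0,M] \text{ is closed and }
T(H,[0,M]) = (0,M) \cup \{M\} \subseteq [0,M].
\\[2pt]
\therefore\quad Rs_H(m_0) = [0, M] \supsetneq (0, m_0] = Rf_H(m_0) \qquad (0 < m_0 \le M),
\\[2pt]
\text{whereas for } m_0 = 0 \text{ the jump fires at once: }
Rf_H(0) = \{0\} \cup \{M\} \cup (0, M) = [0, M] = Rs_H(0).
```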

SLIDE 23

HS HC with Sliding Mode Control

init m = m0;
flow t′ = 1 ∧ 0 ≤ t ≤ M ∧ |m|, |m′| ≤ M;   (flow rel. for H0)
flow t′ = 1, m′ = −1 when m > 0;           decrease
flow t′ = 1, m′ = +1 when m < 0;           increase

Plots: m against t for m0 > 0 and for m0 = 0 (figures in the original)

RfH(0, m) = R ≜ {(t, m − t) | t: [0, m]} = RsH(0, m) = Rs H(0, m) ⊂ R ∪ {(t, 0) | t: [m, M]} = Rs(H, (0, m)), for m ≥ 0

SLIDE 24

HS HB for Bouncing Ball + Kicked

init v = u = U ≤ V; b: [0, 1]                               (u is max v)
flow v′ = −1 ∧ u′ = 0 ∧ |v| ≤ u ≤ V;                        (flow rel. for H0)
flow v′ = −1, u′ = 0 when |v| < u;                          move
jump (|v+| = u+ ≤ u = −v ≤ V) ∨ (v+ = u+ = V ∧ v = u = 0);  (jump rel. for H0: bounce ∨ kicked)
jump v+ = −bv, u+ = bu when v = −u < 0;                     bounce
jump v+ = V, u+ = V when v = u = 0;                         kicked

b = 1, t0 = 2U first bounce, never stops
Plot: v against t (figure in the original)

SLIDE 25

HS HB for Bouncing Ball + Kicked

Same HS HB as on the previous slide.

b = 0, t0 = 2U first bounce and first stop, v: −U → 0 → V
Plot: v against t (figure in the original)

SLIDE 26

HS HB for Bouncing Ball + Kicked

Same HS HB as on the previous slides.

b = 1/2, t0 = 2U first bounce, tω = 2t0 first stop, v: 0 → V
Plot: v against t (figure in the original)

SLIDE 27

HS HB for Bouncing Ball + Kicked

Same HS HB as on the previous slides.

b = 1:   RfH(s) = S(U) = Rs H(s) ⊂ ∪{S(u) | u: [0, V]} = Rs(H, s)
b = 0:   RfH(s) = S(U) ∪ S(0) ∪ S(V) = RsH(s) = Rs(H, s)
b = 1/2: RfH(s) = S*(U) ⊂ S*(U) ∪ S(0) ∪ S*(V) = RsH(s) = Rs(H, s)

where s ≜ (U, U), S(u) ≜ {(u, v) | |v| ≤ u} and S*(u) ≜ ∪{S(b^n u) | n: N}
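Worked derivation of the bounce times and the Zeno limit behind the three cases above (added here, not from the original slides); it assumes that a flight from the throw v = u down to the impact v = −u under v′ = −1 lasts 2u, and writes Rf_H, Rs_H for the slides' RfH, RsH.

```latex
% State is (u, v); a flight with maximum u lasts 2u, and the bounce sets u^+ = b u.
% So the n-th flight has u_n = b^n U and duration 2 b^n U.
t_0 = 2U \;(\text{first bounce}),\qquad
t_n = \sum_{k=0}^{n} 2\,b^k U = 2U\,\frac{1-b^{\,n+1}}{1-b}\quad (b < 1).
\\[4pt]
b = 1:\quad u_n = U \text{ and } t_n = 2U(n+1) \to \infty:
\text{ the ball never stops, and every state has } u = U, \text{ so } Rf_H(s) = S(U).
\\[4pt]
b = 0:\quad \text{at } t_0 \text{ the bounce gives } (u,v) = (0,0) \in S(0):
\text{ first bounce is the first stop; the kick then gives } (V,V) \text{ and the flight } S(V).
\\[4pt]
b = \tfrac12:\quad
t_\omega = \lim_{n\to\infty} t_n = \frac{2U}{1-\tfrac12} = 4U = 2t_0,
\qquad (u_n, v_n) = (2^{-n}U,\ \pm 2^{-n}U) \to (0,0).
\\[2pt]
\text{Every state of the trajectory lies in some } S(2^{-n}U), \text{ hence }
Rf_H(s) = S^*(U) = \bigcup_{n \in \mathbb{N}} S(2^{-n}U),
\\[2pt]
\text{but } (0,0) \notin S^*(U): \text{ it is only the limit at the Zeno time } t_\omega
\text{ (infinitely many transitions, finite time).}
\\[2pt]
\text{Taking the closure adds } S(0) = \{(0,0)\}, \text{ from which the kick jump fires, so}
\\[2pt]
Rs_H(s) = S^*(U) \cup S(0) \cup S^*(V) \supsetneq S^*(U) = Rf_H(s).
```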
