Numerical Proofs in Nonlinear Control Sicun Gao, UCSD
Nonlinear control working
Nonlinear control not working
Dynamical systems are simple loops
$x(t) = x(0) + \int_0^t f(x, u(x))\,ds$
x = x_0, t = 0
while true do
  x = f(x, u(x)) · dt + x
  t = t + dt
end while
Dynamical systems are simple loops
$M(\theta)\ddot{\theta} + C(\theta,\dot{\theta})\dot{\theta} + \tau(\theta) = Bu$, $\theta = [\theta_1, \theta_2, \dots, \theta_n]^T \in \mathbb{R}^n$, $u \in \mathbb{R}^n$
$M(\theta) = [a_{ij}\cos(\theta_j - \theta_i)]$, $M(\theta) \in \mathbb{R}^{n \times n}$
$C(\theta,\dot{\theta}) = [-a_{ij}\dot{\theta}_j \sin(\theta_j - \theta_i)]$, $C(\theta,\dot{\theta}) \in \mathbb{R}^{n \times n}$
$\tau(\theta) = [-b_i \sin\theta_i]$, $\tau(\theta) \in \mathbb{R}^n$, $B = [1, 1, \dots, 1]^T$
$a_{ii} = I_i + m_i \ell_{ci}^2 + \ell_i^2 \sum_{k=i+1}^{n} m_k$, $1 \le i \le n$
$a_{ij} = a_{ji} = m_j \ell_i \ell_{cj} + \ell_i \ell_j \sum_{k=j+1}^{n} m_k$, $1 \le i < j \le n$
$b_i = \left(m_i \ell_{ci} + \ell_i \sum_{k=i+1}^{n} m_k\right) g$, $1 \le i \le n$
pendulum system our approach can find the following neural Lyapuno
Dynamical systems are simple loops
Properties we care about
• Safety: do not reach bad states
  $\forall x_0\,\forall t\,\forall x_t\,\big(x_t = F_u(x_0, t) \rightarrow \mathrm{safe}(x_t)\big)$
• Stability (Liveness-ish): eventually reach good states
  $\forall \varepsilon\,\exists \delta\,\forall x_0\,\forall t\,\forall x_t\,\Big(\big(\|x_0\| < \delta \wedge x_t = F_u(x_0, t)\big) \rightarrow \big(\|x_t\| < \varepsilon \wedge \lim_{t \to \infty} x_t = 0\big)\Big)$
Recall: invariants for programs
For a discrete loop with transition relation $T(x, x')$:
• Safety (core part): $(\mathrm{Inv}(x) \wedge T(x, x')) \rightarrow \mathrm{Inv}(x')$
• Termination (core part): $T(x, x') \rightarrow (\mathrm{Rank}(x) > \mathrm{Rank}(x'))$
Inductive proofs over $\mathbb{R}^n$
• Safety: barrier functions, differential invariants: $B(x) = 0 \rightarrow \nabla_f B(x) < 0$
• Lie derivative: $\nabla_f V(x) = \frac{dV}{dt} = \sum_i \frac{\partial V}{\partial x_i}\frac{dx_i}{dt} = \sum_i \frac{\partial V}{\partial x_i} f_i(x)$
Inductive proofs over $\mathbb{R}^n$
• Stability: Lyapunov functions. Find an “energy” landscape that forces stabilization (the same idea as a ranking function for termination).
Inductive proofs over $\mathbb{R}^n$
• Stability (Lyapunov functions):
  $V(0) = 0$, $\dot{V}(0) = 0$
  $V(x) > 0$, $\forall x \in D \setminus \{0\}$
  $\nabla_f V(x) < 0$, $\forall x \in D \setminus \{0\}$
Inductive proofs over $\mathbb{R}^n$
• Stability: Lyapunov functions (figure: the landscape of $V$ and its Lie derivative $\nabla_f V$)
Difficulty due to nonlinearity
• For discrete programs, finding invariants is always hard, but checking them is easy:
  $(\mathrm{Inv}(x) \wedge T(x, x')) \rightarrow \mathrm{Inv}(x')$
  $T(x, x') \rightarrow (\mathrm{Rank}(x) > \mathrm{Rank}(x'))$
• Just encode the negations of these as SMT and hope for an unsat answer
Difficulty due to nonlinearity
• In the continuous case, even checking the inductive conditions is very hard
• First-order theory over nonlinear real arithmetic: $\nabla_f V(x) \le 0$, $\forall x \in D \subseteq \mathbb{R}^n$
  $\mathrm{Th}(\langle \mathbb{R}, \le, \{+, \times\} \rangle)$ is decidable but doubly-exponential
  $\mathrm{Th}_{\Sigma_1}(\langle \mathbb{R}, \le, \{\sin, +, \times\} \rangle)$ is undecidable
Delta-decisions
• FOL over reals is not that scary if we can allow some numerical errors in the decisions
• Delta-decisions over reals [Gao-Avigad-Clarke, LICS’12]
• Can deal with any formula in $\langle \mathbb{R}, \le, \mathcal{F} \rangle$, where $\mathcal{F}$ is the set of all Type 2 computable functions
Type 2 Computability
• Manipulate real numbers through natural encodings as functions over the integers (e.g. Cauchy sequences)
• A real function is Type 2 computable if an algorithm can approximate it up to arbitrary finite precision (effective continuity)
• $\mathcal{F}$ contains polynomials, sin, cos, exp, ODEs, etc. (pretty much all the functions we need in engineering)
Delta-decisions
• Delta-weakening: put a formula in positive normal form and relax every atom $f(x) \ge 0$ to $f(x) \ge -\delta$, where $\delta \in \mathbb{Q}^+$
• Example: $\exists x\,(x = 0)$ is relaxed to $\exists x\,(|x| \le \delta)$.
• We say a formula is delta-satisfiable if its delta-weakening is satisfiable. The delta-decision problem asks whether a formula is unsat or delta-sat.
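As an added example (not code from the talk, and not dReal's algorithm), a small Python model of delta-weakening: formulas are kept in positive normal form with atoms $f(x) \ge 0$, an equality $g(x) = 0$ becomes the two atoms $g(x) \ge 0$ and $-g(x) \ge 0$ (so its weakening is $|g(x)| \le \delta$, as on the slide), and a brute-force grid search over a compact box stands in for a delta-decision procedure. The formula classes, the grid sampler and the sample formulas are all assumptions made here; dReal uses interval constraint propagation, not sampling.

```python
"""Delta-weakening of quantifier-free real formulas, checked by sampling.
Added illustration; the AST, the sampler and the sample formulas are
hypothetical and are not dReal's implementation."""
from dataclasses import dataclass
from typing import Callable, List, Union


# Every atom is kept in positive normal form and reads  f(x) >= 0.
@dataclass
class Atom:
    f: Callable[[List[float]], float]
    name: str = "f"


@dataclass
class And:
    parts: List["Formula"]


@dataclass
class Or:
    parts: List["Formula"]


Formula = Union[Atom, And, Or]


def equals_zero(g, name="g"):
    """g(x) = 0 encoded as g(x) >= 0 and -g(x) >= 0; its delta-weakening
    is |g(x)| <= delta, exactly the slide's example for x = 0."""
    return And([Atom(g, f"{name} >= 0"), Atom(lambda x: -g(x), f"-{name} >= 0")])


def holds(phi, x, delta=0.0):
    """Evaluate phi at x.  With delta > 0 this evaluates the delta-weakening:
    each atom f(x) >= 0 is relaxed to f(x) >= -delta."""
    if isinstance(phi, Atom):
        return phi.f(x) >= -delta
    if isinstance(phi, And):
        return all(holds(p, x, delta) for p in phi.parts)
    return any(holds(p, x, delta) for p in phi.parts)


def grid(box, n):
    """All points of an n-per-axis grid over box = [(lo, hi), ...]."""
    axes = [[lo + (hi - lo) * i / (n - 1) for i in range(n)] for lo, hi in box]
    pts = [[]]
    for ax in axes:
        pts = [p + [v] for p in pts for v in ax]
    return pts


def delta_decide(phi, box, delta, n=101):
    """Return ("delta-sat", witness) if a grid point satisfies the
    delta-weakening of phi, else ("unsat", None).  Sampling can only
    find witnesses; a real delta-complete solver proves unsat by
    exhausting interval boxes, which a grid never does."""
    for x in grid(box, n):
        if holds(phi, x, delta):
            return "delta-sat", x
    return "unsat", None


if __name__ == "__main__":
    # Constructed sample: x = 0 on a 100-point grid that does not contain 0.
    zero = equals_zero(lambda x: x[0], "x")
    print(delta_decide(zero, [(-1, 1)], 0.0, n=100))   # exact equality is never hit
    print(delta_decide(zero, [(-1, 1)], 0.1, n=100))   # |x| <= 0.1 is
    # Constructed sample: x^2 + y^2 = 1 and x = y has only irrational solutions.
    circle = And([equals_zero(lambda p: p[0] ** 2 + p[1] ** 2 - 1, "x^2+y^2-1"),
                  equals_zero(lambda p: p[0] - p[1], "x-y")])
    print(delta_decide(circle, [(-1, 1), (-1, 1)], 0.05, n=100))
```

The third formula shows why the relaxation is the right question to ask numerically: the exact solution $(\pm 1/\sqrt{2}, \pm 1/\sqrt{2})$ is irrational, so no finite-precision procedure will ever hit it, yet the delta-weakened formula is satisfiable and a witness within $\delta$ of it is found. An unsatisfiable formula such as $x^2 + 1 = 0$ stays unsat under any $\delta < 1$, which is the soundness direction a verifier relies on.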
Delta-decisions
• Theorem: $\mathcal{L}_{\mathbb{R},\mathcal{F}}$ formulas are delta-decidable over any compact domain.
• Theorem: The complexity of delta-deciding these formulas is the same as that of their Boolean counterparts.
• Complexity results for free: e.g., global multi-objective disjunctive nonlinear optimization is $\Sigma_2^P$-complete.
Delta-decisions
• In practice, delta-decisions are all we need for many problems in verification, optimization, etc.
• Reachability/Safety questions can be encoded, with answers “safe” or “not robustly-safe” (a delta-perturbation makes the system unsafe)
• dReal, dReach, etc.
Difficulty with induction
• However, induction fails under numerical errors! $B(x) = 0 \rightarrow \nabla_f B(x) < 0$
• dReal always gives spurious counterexamples
Difficulty with induction
• However, induction fails under numerical errors!
  $V(x) > 0$, $\forall x \in D \setminus \{0\}$
  $\nabla_f V(x) < 0$, $\forall x \in D \setminus \{0\}$
  $V(0) = 0$, $\dot{V}(0) = 0$
Difficulty with induction
• But again, precise checking is unrealistic (high nonlinearity, disturbances, …)
(Example: powertrain control system; the slide shows its ODEs for $\dot{p}$, $\dot{r}$, $\dot{p}_{est}$ and $\dot{i}$ in terms of the constants $c_1, \dots, c_{16}$ and the input $\hat{u}_1$)
Our fix to this problem
• We redefine the inductive proof rules over continuous domains to robustify them: Epsilon-Lyapunov and Epsilon-Barrier functions [Gao et al. CAV’19]
Our fix to this problem
• Three robust proof rules (epsilon-inductive conditions) for stability and safety
• For any $\varepsilon$, there exists a bound $\Delta$ such that for any $\delta < \Delta$, delta-decision procedures are sound and complete for checking the epsilon-invariance conditions
Epsilon-Stability • In practice, we can allow the system to oscillate within an epsilon-ball around the origin
Relaxing Stability and Strengthening LF • Relax stability to allow small perturbation (epsilon-stability) • Strengthen Lyapunov conditions to allow small numerical errors (epsilon-Lyapunov) • Prove epsilon-Lyapunov implies epsilon-stability • Prove epsilon-delta completeness
Epsilon-Stability
• Relaxation: allow the system to oscillate within an epsilon-ball around the origin
  $\mathrm{Stable}(f) \equiv_{\mathrm{df}} \forall^{(0,\infty)}\tau\,\exists^{(0,\infty)}\delta\,\forall^{D}x_0\,\forall^{[0,\infty)}t\,\big(\|x_0\| < \delta \rightarrow \|F(x_0, t)\| < \tau\big)$
  $\mathrm{Stable}_\varepsilon(f) \equiv_{\mathrm{df}} \forall^{[\varepsilon,\infty)}\tau\,\exists^{(0,\infty)}\delta\,\forall^{D}x_0\,\forall^{[0,\infty)}t\,\big(\|x_0\| < \delta \rightarrow \|F(x_0, t)\| < \tau\big)$
  The only difference is the range of $\tau$: $[\varepsilon, \infty)$ instead of $(0, \infty)$.
Epsilon-Lyapunov functions
• Extend point-based requirements to neighborhoods
  (figure: left, Lyapunov: $f = 0$ and $V = 0$ at the origin, $\nabla_f V \le 0$ elsewhere; right, Epsilon-Lyapunov: $V \le \beta$ on the ball $B_{\varepsilon'}$, $V \ge \alpha$ outside $B_\varepsilon$, $\nabla_f V \le -\gamma$ outside $B_{\varepsilon'}$)
Epsilon-Lyapunov functions
• Extend point-based requirements to neighborhoods
  $\mathrm{LF}(f, V) \equiv_{\mathrm{df}} (V(0) = 0) \wedge (f(0) = 0) \wedge \forall^{D \setminus \{0\}}x\,\big(V(x) > 0 \wedge \nabla_f V(x) \le 0\big)$
  $\mathrm{LF}_\varepsilon(f, V) \equiv_{\mathrm{df}} \exists^{(0,\varepsilon)}\varepsilon'\,\exists^{(0,\infty)}\alpha\,\exists^{(0,\alpha)}\beta\,\exists^{(0,\infty)}\gamma\,\Big(\forall^{B_{\varepsilon'}}x\,\big(V(x) \le \beta\big) \wedge \forall^{D \setminus B_\varepsilon}x\,\big(V(x) \ge \alpha\big) \wedge \forall^{D \setminus B_{\varepsilon'}}x\,\big(\nabla_f V(x) \le -\gamma\big)\Big)$
Epsilon-Lyapunov functions
Theorem 1. If there exists an $\varepsilon$-Lyapunov function $V$ for a dynamical system defined by $f$, then the system is $\varepsilon$-stable. Namely, $\mathrm{LF}_\varepsilon(f, V) \rightarrow \mathrm{Stable}_\varepsilon(f)$.
Theorem 2 (Soundness). If a $\delta$-complete decision procedure confirms that $\mathrm{LF}_\varepsilon(f, V)$ is true, then $V$ is indeed an $\varepsilon$-Lyapunov function, and $f$ is $\varepsilon$-stable.
Theorem 3 (Relative Completeness). For any $\varepsilon \in \mathbb{R}^+$, if $\mathrm{LF}_\varepsilon(f, V)$ is true then there exists $\delta \in \mathbb{Q}^+$ such that any $\delta$-complete decision procedure must return that $\mathrm{LF}_\varepsilon(f, V)$ is true.
(figure: $V \ge \alpha$ outside $B_\varepsilon$, $V \le \beta$ on $B_{\varepsilon'}$, $\nabla_f V \le -\gamma$ outside $B_{\varepsilon'}$)
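As an added example serving both the “induction fails under numerical errors” slides and the epsilon-Lyapunov definition and theorems above (this is not dReal and not the CAV’19 tool), the Python below runs the delta-weakened negations of both proof rules over a grid for a damped pendulum. The system, the candidate $V$, the constants $\varepsilon, \varepsilon', \alpha, \beta, \gamma$, the grid sampler and the Euler loop are all assumptions made here. It shows three things: the classical pointwise condition $V(x) > 0$ on $D \setminus \{0\}$ always yields a spurious counterexample once $x \ne 0$ is weakened (the origin itself satisfies $V(x) \le \delta$); the $\mathrm{LF}_\varepsilon$ conditions pass for a small $\delta$ (Theorem 3); and a $\delta$ larger than the margins again produces a spurious counterexample, so the bound on $\delta$ is not optional.

```python
"""Classical vs. epsilon-Lyapunov checks under a delta tolerance, by sampling.
Added illustration; the pendulum, V, all constants and the grid sampler are
hypothetical choices, not the talk's or dReal's code."""
import math


def f(x):
    """Damped pendulum, x = (theta, omega): theta' = omega, omega' = -sin(theta) - omega."""
    th, om = x
    return (om, -math.sin(th) - om)


def V(x):
    """Candidate Lyapunov function (hand-chosen): strict on the box below."""
    th, om = x
    return (1.0 - math.cos(th)) + 0.5 * om * om + 0.5 * th * om


def grad_V(x):
    th, om = x
    return (math.sin(th) + 0.5 * om, om + 0.5 * th)


def lie_derivative(x):
    """nabla_f V(x) = sum_i dV/dx_i * f_i(x); for this V it equals
    -0.5 * (omega^2 + theta*sin(theta) + theta*omega)."""
    g, fx = grad_V(x), f(x)
    return g[0] * fx[0] + g[1] * fx[1]


def norm(x):
    return math.hypot(x[0], x[1])


BOX = 1.5  # D = [-1.5, 1.5]^2 (constructed)


def grid(n):
    axis = [-BOX + 2 * BOX * i / (n - 1) for i in range(n)]
    return [(a, b) for a in axis for b in axis]


def pointwise_counterexample(delta, n=61):
    """Delta-weakened negation of the classical rule 'V(x) > 0 for x in D \\ {0}':
    exists x with ||x||^2 > -delta and V(x) <= delta.  The weakened 'x != 0'
    is satisfied by every point, so the origin (V = 0) is always returned as a
    counterexample, although the classical rule holds in exact arithmetic."""
    for x in grid(n):
        if norm(x) ** 2 > -delta and V(x) <= delta:
            return x
    return None


def epsilon_lyapunov_counterexample(eps, eps_p, alpha, beta, gamma, delta, n=61):
    """Delta-weakened negations of the three LF_eps conjuncts:
       (1) x in B_eps':       V(x) > beta - delta
       (2) x in D \\ B_eps:    V(x) < alpha + delta
       (3) x in D \\ B_eps':   nabla_f V(x) > -gamma - delta
    Returns (which, x) for the first violation found on the grid, or None."""
    assert 0 < eps_p < eps and 0 < beta < alpha and gamma > 0
    for x in grid(n):
        r = norm(x)
        if r < eps_p and V(x) > beta - delta:
            return (1, x)
        if r >= eps and V(x) < alpha + delta:
            return (2, x)
        if r >= eps_p and lie_derivative(x) > -gamma - delta:
            return (3, x)
    return None


def max_norm_along_euler(x0, dt=1e-3, steps=20000):
    """The 'simple loop' from the first slide (explicit Euler); returns the
    largest ||x(t)|| seen, to sanity-check epsilon-stability on one trajectory."""
    x, worst = x0, norm(x0)
    for _ in range(steps):
        fx = f(x)
        x = (x[0] + dt * fx[0], x[1] + dt * fx[1])
        worst = max(worst, norm(x))
    return worst


if __name__ == "__main__":
    print("classical rule, delta=1e-4:", pointwise_counterexample(1e-4))
    args = (0.5, 0.1, 0.04, 0.01, 1e-3)          # eps, eps', alpha, beta, gamma
    print("LF_eps, delta=1e-4:", epsilon_lyapunov_counterexample(*args, 1e-4))
    print("LF_eps, delta=0.05:", epsilon_lyapunov_counterexample(*args, 5e-2))
    print("max ||x|| from (0.3, 0.3):", max_norm_along_euler((0.3, 0.3)))
```

The constants were chosen against analytic bounds on this box ($V \le 0.75\,r^2$ inside the small ball, $V \ge 0.19\,r^2$ and $\nabla_f V \le -0.15\,r^2$ elsewhere), which is why $\delta = 10^{-4}$ leaves every conjunct with slack while $\delta = 0.05$ exceeds the $\alpha$ margin on the $\|x\| = 0.5$ ring. A grid only finds witnesses, so a `None` here is evidence, not the proof a $\delta$-complete solver would return by exhausting interval boxes.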
Safety and epsilon-barrier functions • Similarly, we define two robust barrier function conditions that are stronger, sufficient for the normal notion of safety • Prove epsilon-delta completeness
Safety and epsilon-barrier functions
• Ensure that the system goes back into the invariant set “near” the boundary
  (figure: (c) Type 1 $\varepsilon$-Barrier and (d) Type 2 $\varepsilon$-Barrier, showing the level sets $B = 0$, $B = -\varepsilon$, $B = -\varepsilon'$, $B = -\varepsilon^*$, the init set, and $\nabla_f B \le -\gamma$ on the level set $B = -\varepsilon$)
Safety and epsilon-barrier functions
Type 1:
  $\mathrm{Barrier}_\varepsilon(f, \mathrm{init}, B) \equiv_{\mathrm{df}} \forall^{D}x\,\big(\mathrm{init}(x) \rightarrow B(x) \le -\varepsilon\big) \wedge \exists^{(0,\infty)}\gamma\,\forall^{D}x\,\big(B(x) = -\varepsilon \rightarrow \nabla_f B(x) \le -\gamma\big)$
Type 2:
  $\mathrm{Barrier}_{T,\varepsilon}(f, \mathrm{init}, B) \equiv_{\mathrm{df}} \forall^{D}x\,\big(\mathrm{init}(x) \rightarrow B(x) \le -\varepsilon\big) \wedge \exists^{(0,\varepsilon]}\varepsilon^*\,\forall^{D}x\,\forall^{[0,T]}t\,\big((B(x) = -\varepsilon) \rightarrow B(F(x, t)) \le -\varepsilon^*\big) \wedge \exists^{(\varepsilon,\infty)}\varepsilon'\,\forall^{D}x\,\big((B(x) = -\varepsilon) \rightarrow B(F(x, T)) \le -\varepsilon'\big)$
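As an added example for the Type 1 rule (not the talk's or the CAV’19 tool's code), the Python below checks $\mathrm{Barrier}_\varepsilon$ for a linear damped oscillator by searching the delta-weakened negations of its two conjuncts over a grid. The system, the init set, both barrier candidates, $\varepsilon$, $\gamma$, $\delta$ and the grid are assumptions made here. Two candidates are compared: a level set of $Q = x_1^2 + x_1 x_2 + x_2^2$ (for which $\nabla_f Q = -Q$, so the decrease is strict) passes, while the unit circle is refused because $\nabla_f B = -2x_2^2$ vanishes on the $x_1$ axis and so no $\gamma > 0$ exists. The example also shows why the equality $B(x) = -\varepsilon$ needs delta-weakening before a numerical check can look at it at all: exact level-set points are essentially never sampled.

```python
"""Type 1 epsilon-barrier check by delta-weakened sampling.
Added illustration; system, init set, barrier candidates, constants and
grid are hypothetical choices, not dReal's or the talk's implementation."""


def f(x):
    """Linear damped oscillator: x1' = x2, x2' = -x1 - x2."""
    return (x[1], -x[0] - x[1])


def init(x):
    """init(x) as a positive-normal-form atom g(x) >= 0:  ||x||^2 <= 0.1."""
    return 0.1 - (x[0] ** 2 + x[1] ** 2)


# Candidate 1: level set of Q = x1^2 + x1 x2 + x2^2.  For this f, nabla_f Q = -Q.
def B_good(x):
    return x[0] ** 2 + x[0] * x[1] + x[1] ** 2 - 1.0


def gradB_good(x):
    return (2 * x[0] + x[1], x[0] + 2 * x[1])


# Candidate 2: the unit circle.  nabla_f B = -2 x2^2 is <= 0 but 0 on the x1 axis.
def B_circle(x):
    return x[0] ** 2 + x[1] ** 2 - 1.0


def gradB_circle(x):
    return (2 * x[0], 2 * x[1])


def lie(gradB, x):
    """nabla_f B(x) = <grad B(x), f(x)>."""
    g, fx = gradB(x), f(x)
    return g[0] * fx[0] + g[1] * fx[1]


def grid(box, n):
    axis = [-box + 2 * box * i / (n - 1) for i in range(n)]
    return [(a, b) for a in axis for b in axis]


def type1_barrier_counterexample(B, gradB, eps, gamma, delta, box=1.5, n=61):
    """Delta-weakened negations of the two Barrier_eps conjuncts:
       (1) init(x) >= -delta        and  B(x) > -eps - delta
       (2) |B(x) + eps| <= delta    and  nabla_f B(x) > -gamma - delta
    Returns (which, x) for the first violation found on the grid, or None."""
    for x in grid(box, n):
        if init(x) >= -delta and B(x) > -eps - delta:
            return (1, x)
        if abs(B(x) + eps) <= delta and lie(gradB, x) > -gamma - delta:
            return (2, x)
    return None


def level_set_samples(B, eps, delta, box=1.5, n=61):
    """Number of grid points the weakened equality |B(x) + eps| <= delta admits;
    with delta = 0 the level set B = -eps is simply invisible to the grid."""
    return sum(1 for x in grid(box, n) if abs(B(x) + eps) <= delta)


if __name__ == "__main__":
    print("Q level set :", type1_barrier_counterexample(B_good, gradB_good, 0.2, 0.5, 0.02))
    print("unit circle :", type1_barrier_counterexample(B_circle, gradB_circle, 0.2, 0.5, 0.02))
    print("level-set points, delta=0 / 0.02:",
          level_set_samples(B_good, 0.2, 0.0), level_set_samples(B_good, 0.2, 0.02))
```

For this particular $f$ the unit disc does happen to be invariant ($\nabla_f B_{\mathrm{circle}} \le 0$), so the refusal is the rule declining to certify, not a claim that the system is unsafe; that is exactly the “not robustly safe” reading of a delta-sat answer, and a different $B$ (here the $Q$ level set) is what makes the proof go through.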