SLIDE 1 1
Reachability Analysis
Goran Frehse Université Grenoble 1 Joseph Fourier Verimag, France CPS Summer School, Grenoble, 2014
SLIDE 2 2
A Biased Overview from...
– Oded Maler – Thao Dang – Antoine Girard (LJK) – Colas Le Guernic (now DGA, France) – Alexandre Donzé (now UC Berkeley)
– Bruce Krogh
– Sebastian Engell – Stefan Kowalewski (now RWTH Aachen) – Olaf Stursberg (now U Kassel)
– Varaiya, Kurzhanski (ellipsoids) – Althoff (zonotopes) – Sankaranarayanan (Taylor models)
SLIDE 3 3
Example: Tunnel Diode Oscillator
What are good parameters?
– startup conditions – parameter variations – disturbances
Tunnel Diode Vd
( ) ( )
in L C L L L C d C C
V RI V I I V I V +
+
1 1
) ( & &
Dang, Donze, Maler, FMCAD’ 04
SLIDE 4 4
Example: Tunnel Diode Oscillator
R=0.20 Oscillation
VC [V] IL [mA] Time [µs]
initial states
SLIDE 5 5
Example: Tunnel Diode Oscillator
R=0.24 Stable equilibrium
VC [V] IL [mA] Time [µs]
initial states
SLIDE 6 6
Example: Tunnel Diode Oscillator
Jitter measurement
– add clock that is reset at zero crossing
time
jitter measurement
Vd [V] IL [mA] t [µs] 0.0 0.5 1.0 0.0 14.90 12.75
SLIDE 7 7
VC [V] IL [mA]
( ) ( )
in L C L L L C d C C
V RI V I I V I V +
+
1 1
) ( & &
Example: Tunnel Diode Oscillator
Tunnel Diode
Reachability Analysis Formal Model Analog/Mixed Signal Circuit Guaranteed Safety Property
SLIDE 8 8
Outline
- Modeling with Hybrid Automata
- Reachability versus Simulation
- Reachability Algorithms
– piecewise constant dynamics – piecewise affine dynamics
- SpaceEx Tool Platform
- Bibliography
SLIDE 9
9
Modeling with Hybrid Automata
Example: Bouncing Ball
– ball with mass m and position x in free fall – bounces when it hits the ground at x = 0 – initially at position x and at rest x Fg
SLIDE 10 10
Condition for Free Fall
– ball above ground:
First Principles (physical laws)
Part I – Free Fall
Fg = mg g = 9.81m/s2
m¨ x = Fg x 0
x Fg
SLIDE 11 11
Obtaining 1st Order ODE System
Part I – Free Fall
Fg = mg m¨ x = Fg
- ordinary differential equation ˙
x = f(x)
- transform to 1st order by introducing variables
for higher derivatives
x: ˙ x = v ˙ v = g
x Fg
SLIDE 12 12
Part II – Bouncing
Conditions for “Bouncing” Action for “Bouncing”
- ball at ground position: x = 0
- downward motion: v < 0
- velocity changes direction
- loss of velocity (deformation, friction)
- v := cv, 0 c 1
SLIDE 13 13
Combining Part I and II
Free Fall Bouncing
˙ x = v ˙ v = g
v := cv
continuous dynamics discrete dynamics
˙ x = f(x) x G x := R(x)
SLIDE 14 14
Hybrid Automaton Model
x
x = 0 v < 0 v := cv
freefall
˙ x = v ˙ v = g x = x0 v = 0
flow location invariant discrete transition guard label reset initial conditions
SLIDE 15
15
ODEs with Switching
Continous/Discrete Behaviour
– evolution with time according to ODE dynamics – dynamics can switch (instantaneous) – state can jump (instantaneous)
x(t) x(t) x(t)
SLIDE 16
16
Example: Bouncing Ball
States over Time
time t position x x(t) x(t) x(t) x(t) x(t) x time t velocity v v(t)v(t) v(t)v(t)v(t)
SLIDE 17
17
Example: Bouncing Ball
States over States = State-Space View
position x velocity v x x(t) x(t) x(t)
behavior from single initial state
SLIDE 18
18
Reachability in State-Space
Example: Bouncing Ball
position x velocity v
behaviors from set of initial states =
reachable states
SLIDE 19 19
Outline
- Modeling with Hybrid Automata
- Reachability versus Simulation
- Reachability Algorithms
– piecewise constant dynamics – piecewise affine dynamics
- SpaceEx Tool Platform
- Bibliography
SLIDE 20
20
Reachability in Model Based Design
Plant Model Controller Synthesis Simulation Deployment Reachability
SLIDE 21
21
Example: Overhead Crane
State variables
– position x, speed v – line angle y, angle rate w
Feedback controller
– state estimated by observer
Goals
– validate observer for y,w – validate swing x,v y,w u
SLIDE 22 22
Overhead Crane – Observer
Validation of
Standard:
– Simulation of “representative trajectories”
Reachability:
– Error bounds over range of initial states & inputs time angle rate actual estimated angle rate error angle error
SLIDE 23 23
Overhead Crane - Controller
Evaluation of swing (angle range)
[-0.17,0.12]
[-0.17,0.12]
[-0.17,0.17]
[-0.17,0.17] angle angle position position setpoint setpoint
SLIDE 24 24
Example: Controlled Helicopter
28-dim model of a Westland Lynx helicopter
– 8-dim model of flight dynamics – 20-dim continuous H controller for disturbance rejection – stiff, highly coupled dynamics
- S. Skogestad and I. Postlethwaite, Multivariable Feedback Control: Analysis and Design. John Wiley & Sons, 2005.
Photo by Andrew P Clarke
SLIDE 25 25
Simulation vs Reachability
Simulation
– approximative sample
– over finite time
Reachability
– over-approximative set-valued cover
– over finite or infinite time
vertical speed simulation run reachable states over time
SLIDE 26 26
Simulation vs Reachability
Simulation
– deterministic
Monte Carlo etc.
– scalable for nonlinear dyn.
Reachability
– nondeterministic
- continuous disturbances...
- implementation tolerances...
– scalable for linear dynamics
vertical speed 1000 simulations Reachable set equiv. >228 corner case simulations Reachable set equiv. >228 corner case simulations
Frehse et al. "SpaceEx: Scalable verification of hybrid systems." Computer Aided Verification. Springer, 2011.
SLIDE 27 27
Example: Controlled Helicopter
Comparing two controllers subject to continuous disturbance
Frehse, G., et al. "SpaceEx: Scalable verification of hybrid systems." Computer Aided Verification. Springer, 2011.
SLIDE 28 28
Outline
- Modeling with Hybrid Automata
- Reachability versus Simulation
- Reachability Algorithms
– piecewise constant dynamics – piecewise affine dynamics
- SpaceEx Tool Platform
- Bibliography
SLIDE 29 29
Computing Reachable States
Computing One-Step Successors Fixpoint computation
- Initialization: R0 = Ini
- Recurrence: Rk+1 = Rk Postd(Rk) Postc(Rk)
- Termination: Rk+1 = Rk Reach = Rk.
SLIDE 30
30
Computing Reachable States
Set-based integration can answer many interesting questions about a system
– safety, bounded liveness,…
Problems
– in general termination not guaranteed – set-based integration of ODEs is hard
Solution
– piecewise constant approximations – piecewise linear approximations – math tricks (implicit set representations,...)
SLIDE 31
31
Piecewise Constant Dynamics
A very simple class of hybrid systems: Linear Hybrid Automata
– trajectories are straight lines
Exact computation of successor states possible
– reachability is nonetheless undecidable.
SLIDE 32 32
Linear Hybrid Automata
Continuous Dynamics
x = 1
x [1, 2]
x1 + ˙ x2 = 0
- general form: conjunctions of linear constraints
a · ˙ x b, a Zn, b Z, {<, }. = convex polyhedron over derivatives
SLIDE 33 33
Linear Hybrid Automata
Discrete Dynamics
- affine transform: x := ax + b
- with intervals: x2 := x1 ± 0.5
- general form: conjunctions of linear constraints (new value x)
a · x + a · x b, a, a Zn, b Z, {<, } = convex polyhedron over x and x’
SLIDE 34 34
Linear Hybrid Automata
Invariants, Initial States
- general form: conjunctions of linear constraints
a · x b, a Zn, b Z, {<, }, = convex polyhedron over x
SLIDE 35 35
Linear Hybrid Automata
model complex behavior
– discrete jump maps can model discrete-time linear control systems (widely used in industry)
(source: wikipedia) source: mathworks.com
SLIDE 36 36
Linear Hybrid Automata
chaos
– even with 1 variable, 1 location, 1 transition (tent map) – observed in actual production systems [Schmitz,2002]
states of the Tent map
source: wikipedia
Schmitz, J. P. M., D. A. Van Beek, and J. E. Rooda. "Chaos in discrete production systems?." Journal of Manufacturing Systems 21.3 (2002): 236-246.c
brewery and chaotic throughput [Schmitz,2002]
SLIDE 37
37
Compute time elapse states Postc(S)
arbitrary trajectory iff straight line exists (convex invariant) [Alur et al.] time elapse along straight line can be computed as projection along cone [Halbwachs et al.]
derivatives projection cone Inv
SLIDE 38
38
Compute discrete successors Postd(S)
Postd(S) = all x’ for which exists x S s.t.
– guard: x G – reset and target invariant: x’ R(x) Inv
Operations:
– existential quantification – intersection – standard operations on convex polyhedra, but O(exp(n))
SLIDE 39 39
Reachability with LHA [Halbwachs, Henzinger, 93-97]
invariant initial states successors derivatives projection cone
cone
cone
projection
projection
discrete successors
discrete successors
SLIDE 40
40
Example: Multi-Product Batch Plant
SLIDE 41 41
Example: Multi-Product Batch Plant
Cascade mixing process
– 3 educts via 3 reactors 2 products
Verification Goals
– Invariants
- overflow
- product tanks never empty
– Filling sequence
Design of verified controller
L IS 1 1 M LIS 22 QIS 22 L IS 32 LIS 31 M LIS 23 Q IS 23 M LIS 21 QIS 21 L IS 1 3 L IS 12
SLIDE 42 42
Verification with PHAVer
– 266 locations, 823 transitions (~150 reachable) – 8 continuous variables
- Reachability over infinite time
– 120s—1243s, 260—600MB – computation cost increases with nondeterminism (intervals for throughputs, initial states)
Controller Controlled Plant
SLIDE 43
43
Verification with PHAVer
SLIDE 44 44
Outline
- Modeling with Hybrid Automata
- Reachability versus Simulation
- Reachability Algorithms
– piecewise constant dynamics – piecewise affine dynamics
- SpaceEx Tool Platform
- Bibliography
SLIDE 45
45
Piecewise Affine Dynamics
Not quite so simple dynamics
– trajectories = exponential functions
Exact computation at discrete points in time
– used to overapproximate continuous time
Efficient data structures
SLIDE 46
46
Time Elapse Computation
Continuous time elapse for affine dynamics
– efficient, scalable – approximation without accumulation of approximation error (wrapping effect)
It took a long time to do it well...
– Chutinan, Krogh. HSCC’99 – Asarin, Bournez, Dang, Maler. HSCC’00 – Girard. HSCC’05 – Le Guernic, Girard. HSCC’06, CAV’09 – Frehse, Kateja, Le Guernic. HSCC’13
SLIDE 47
47
Affine Dynamics
linear terms plus inputs U: solution:
matrix exponential factors influence of inputs (stable system forgets the past)
SLIDE 48 48
Time-Discretization (no inputs)
Analytic solution: Explicit solution in discretized time (recursive):
x0 = xIni xk+1 = eAxk x(t) = eAtxIni
2 3
x1 x2 x3 t x(t)
multiplication with const. matrix eA = linear transform x((k + 1)) = eAx(k)
SLIDE 49 49
Time-Discretization for an Initial Set
Explicit solution in discretized time Acceptable solution for purely continuous systems
– x(t) is in ()-neighborhood of some Xk
Unacceptable for hybrid systems
– discrete transitions might “fire” between sampling times – if transitions are “missed,” x(t) not in ()-neighborhood
2 3
X1 X2 X3 t
X0 = XIni Xk+1 = eAXk
Reach[0,3](XIni)
SLIDE 50
50
One can miss jumps (guard)
Time Discretization for Hybrid Systems
guard flowpipe sets in discretized time X1 X2 jump not visible in discretization
SLIDE 51
51
Bouncing Ball
– Note: Computed in exact arithmetic, no numerical errors – In other examples this error might not be as obvious… X90 =
SLIDE 52 52
States in discrete time:
From Time-Discretization to Reach
2 3
Reach(X0) X X2 X3
...
X0
need to cover also states in between! integral over inputs
SLIDE 53
53
Cover in discrete time:
From Time-Discretization to Reach
t Reach(X0) [0,] [,2] [2,3]
...
X0
Minkowski sum = pointwise sum of sets
2 3
SLIDE 54 54
Wrapping Effect
accumulation of approximation error avoidable using the right approximation
wrapping effect wrapping-free algorithm
Antoine Girard, Colas Le Guernic, and Oded Maler. Efficient computation of reachable sets of linear time-invariant systems with inputs. HSCC 2006
SLIDE 55
55
Reachability in High Dimensions
Scalability Trick 1: Use data structures adapted to operations
SLIDE 56
56
Scalable Set Representations
Ellipsoids [Kurzhansky, Varaiya 2006]
– bad representation of intersection, convex hull, flat sets
(this is an illustration, not actual computation)
SLIDE 57
57
Scalable Set Representations
Zonotopes [Girard 2005]
– symmetric polytope spanned by set of generator vectors – bad representation of intersection, convex hull, asymmetric sets
(computed with Zonotope toolbox of M. Althoff)
SLIDE 58
58
Scalable Set Representations
Support Functions [Le Guernic, Girard 2009]
– lazy representation of any convex set – gives outer polyhedral approximation that can be refined – scalable except for intersection
(computed with SpaceEx) low accuracy high accuracy
SLIDE 59 59
Operations on Convex Sets
Polyhedra Operators Constraints Vertices Zonotopes Support F. Convex hull
Affine transform +/- ++ ++ ++ Minkowski sum
++ Intersection +
- Le Guernic, Girard. CAV’09
SLIDE 60
60
Support Functions
Support Function Rn R
– direction d position of supporting halfspace – exact set representation
d P
x* support vector
SLIDE 61
61
Support Functions
black box representation of a convex set implementation: function objects
direction vector tangent hyperplane
Support Function
SLIDE 62
62
Support Functions
black box representation of a convex set implementation: function objects
Support Function
direction vector
SLIDE 63
63
Support Functions
black box representation of a convex set implementation: function objects
Support Function
direction vector
Support Function
SLIDE 64
64
Reachability in High Dimensions
Scalability Trick 2: Change data structures (data-dependent)
SLIDE 65 65
Computing Time Elapse
Linear Map Minkowski Sum Invariant Intersection Convex Hull
Support Functions Polyhedra
Initial Set Initial Set
SLIDE 66 66
Computing Transition Successors
Intersection with guard
– use outer poly approximation
Linear map & Minkowski sum
– with polyhedra if invertible (map regular, input set a point) – otherwise use support functions
Intersection with target invariant
– use outer poly approximation
x
x = 0 v < 0 v := cv
freefall
˙ x = v ˙ v = g x = x0 v = 0
guard reset
SLIDE 67 67
Computing Transition Successors
Linear Map Minkowski Sum Invariant Intersection Guard Intersection
Support Functions Polyhedra
Linear Map Minkowski Sum map reversible irreversible exact (LP)
SLIDE 68
68
Example: Switched Oscillator
Switched oscillator
– 2 continuous variables – 4 discrete states – similar to many circuits (Buck converters,…)
plus linear filter
– m continuous variables – dampens output signal
affine dynamics
– total 2 + m continuous variables
SLIDE 69 69
Example: Switched Oscillator
Scalability Measurements:
– fixpoint reached in O(nm2) time – box constraints: O(n3) – octagonal constraints: O(n5)
0.1 1.0 10.0 100.0 1000.0 10000.0 1 10 100 1000
number of variables n runtime [s]
SLIDE 70
70
Reachability in High Dimensions
Scalability Trick 3: Work in Space-Time (exploit pointwise convexity)
SLIDE 71
71
Approximation in Space-Time
x y Improve the approximation by adding time...
SLIDE 72
72
Approximation in Space-Time
x y
SLIDE 73
73
Approximation in Space-Time
x y
SLIDE 74
74
Approximation in Space-Time
y x t approximation constant over time interval
SLIDE 75
75
Support Function over Time
t t support in d convex set per time interval = piecewise constant scalar functions x y d
SLIDE 76 76
Support Function over Time
1st order Taylor approx.
CAV’11
t support in d upper bound lower bound interpolation with piecewise linear scalar functions
SLIDE 77
77
Support Function over Time
t support in d support sampling at each t infinite union of template polyhedra (one for each t) x y t d
SLIDE 78
78
Convexification
t support in d concave piece finite union of non-template polyhedra (one for each concave piece) x y t d non-template polyhedron
SLIDE 79 79
Approximation in Space-Time
y x t approximation piecewise linear
SLIDE 80
80
Approximation in Space-Time
y x t
SLIDE 81
81
Approximation in Space-Time
x y
SLIDE 82
82
Approximation in Space-Time
x y non-template facet normals
SLIDE 83
83
Example: Bouncing Ball
Clustering up to total error 0.1 = 8 pieces non-template facet normals! non-template facet normals!
SLIDE 84
84
Example: Bouncing Ball
Clustering up to total error 1.0 = 2 pieces
SLIDE 85 85
Example: Controlled Helicopter
28-dim model of a Westland Lynx helicopter
– 8-dim model of flight dynamics – 20-dim continuous H controller for disturbance rejection – stiff, highly coupled dynamics
- S. Skogestad and I. Postlethwaite, Multivariable Feedback Control: Analysis and Design. John Wiley & Sons, 2005.
Photo by Andrew P Clarke
SLIDE 86
86
Example: Helicopter
28 state variables + clock
CAV’11: 1440 sets in 5.9s 1440 time steps
SLIDE 87
87
28 state variables + clock
Example: Helicopter
HSCC’13: 32 sets in 15.2s (4.8s clustering) 2 -- 3300 time steps, median 360 convex in 29 dimensions! convex in 29 dimensions!
SLIDE 88
88
Example: Chaotic Circuit
piecewise linear Rössler-like circuit
Pisarchik, Jaimes-Reátegui. ICCSDS’05
added nondet. disturbances 3 variables, hard!
SLIDE 89 89
Outline
- Modeling with Hybrid Automata
- Reachability versus Simulation
- Reachability Algorithms
– piecewise constant dynamics – piecewise affine dynamics
- SpaceEx Tool Platform
- Bibliography
SLIDE 90
90
SpaceEx Verification Platform
Browser-based GUI
–2D/3D output –runs remotely
SLIDE 91
91
SpaceEx Model Editor
Components = Hybrid Automata
– real-values variables – ODE, linear DAE
SLIDE 92
92
SpaceEx Model Editor
Block diagrams connect components
– templates, nesting
SLIDE 93
93
PHAVer
–constant dynamics (LHA) –formally sound and exact
SpaceEx Reachability Algorithms
Support Function Algo
–many continuous variables –low discrete complexity
Simulation
–nonlinear dynamics –based on CVODE
spaceex.imag.fr spaceex.imag.fr
SLIDE 94 94
Outline
- Modeling with Hybrid Automata
- Reachability versus Simulation
- Reachability Algorithms
– piecewise constant dynamics – piecewise affine dynamics
- SpaceEx Tool Platform
- Bibliography
SLIDE 95 95
Bibliography
Hybrid Systems Theory
– Alur, Courcoubetis, Halbwachs, Henzinger, Ho, Nicollin, Olivero, Sifakis,
- Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer
Science, 1995
– Henzinger. The theory of hybrid automata. LICS’96
Linear Hybrid Automata
– Henzinger, Ho, Wong-Toi, HyTech: The next generation. RTSS’95 – Frehse. PHAVer: Algorithmic Verification of Hybrid Systems past HyTech.
HSCC’05
– Frehse. Tools for the verification of linear hybrid automata models. Handbook
- f Hybrid Systems Control. 2009.
SLIDE 96 96
Bibliography
Affine Dynamics
– Asarin, Bournez, Dang, Maler. Approximate Reachability Analysis of
Piecewise-Linear Dynamical Systems. HSCC’00
– Girard, Le Guernic, Maler. Efficient computation of reachable sets of linear
time-invariant systems with inputs. HSCC’06
Support Functions
– Le Guernic, Girard. Reachability analysis of hybrid systems using support
– Frehse, Le Guernic, Donzé, Ray, Lebeltel, Ripado, Girard, Dang, Maler.
SpaceEx: Scalable verification of hybrid systems. CAV’11.
– Frehse, Kateja, Le Guernic. Flowpipe approximation and clustering in space-
SLIDE 97 97
Bibliography
Ellipsoids
– Kurzhanskiy, Varaiya. Ellipsoidal toolbox (et). CDC, 2006. – Kurzhanskiy, Varaiya. Ellipsoidal techniques for reachability analysis of
discrete-time linear systems. IEEE Transactions on Automatic Control, 2007.
Zonotopes
– Antoine Girard. Reachability of uncertain linear systems using zonotopes.
HSCC’05
– M. Althoff and B. Krogh. Reachability analysis of nonlinear differential-algebraic
- systems. IEEE Transactions on Automatic Control, 2013
SLIDE 98
98
Verification Tools for Hybrid Systems
HyTech: LHA
– http://embedded.eecs.berkeley.edu/research/hytech/
Matisse Toolbox: zonotopes
– http://www.seas.upenn.edu/~agirard/Software/MATISSE/
Cora Toolbox: zonotopes, nonlinear systems
– http://www6.in.tum.de/Main/SoftwareCORA
HSOLVER: nonlinear systems
– http://hsolver.sourceforge.net/
Flow*: nonlinear systems
– http://systems.cs.colorado.edu/research/cyberphysical/taylormodels/
and more…: http://wiki.grasp.upenn.edu/hst/
SLIDE 99 99
Conclusions
- Reachability in continuous time is hard
– even for simple dynamics
- Handle affine systems with 100+ variables
– exploiting properties of affine dynamics – lazy set representations (support functions)
– abstraction refinement – extension to nonlinear dynamics
SLIDE 100
100
