Reachability Analysis of Stochastic Hybrid Systems Maria Prandini - PDF document

st 1 HYCON PhD School on Hybrid Systems www.ist-hycon.org www.unisi.it Reachability Analysis of Stochastic Hybrid Systems Maria Prandini Politecnico di Milano, Italy prandini@elet.polimi.it scimanyd suounitnoc enibmoc smetsys dirbyH lacipyt (snoitauqe ecnereffid ro laitnereffid) scimanyd etercsid dna stnalp lacisyhp fo fo lacipyt (snoitidnoc lacigol dna atamotua) fo senilpicsid gninibmoc yB .cigol lortnoc ,yroeht lortnoc dna smetsys dna ecneics retupmoc dilos a edivorp smetsys dirbyh no hcraeser ,sisylana eht rof sloot lanoitatupmoc dna yroeht fo ngised lortnoc dna ,noitacifirev ,noitalumis egral a ni desu era dna ,''smetsys deddebme`` ria ,smetsys evitomotua) snoitacilppa fo yteirav ssecorp ,smetsys lacigoloib ,tnemeganam ciffart .(srehto ynam dna ,seirtsudni HYSCOM IEEE CSS Technical Committee on Hybrid Systems 13 Siena, July 1 9-22, 2005 - Rectorate of the University of Siena

Outline • Reachability Reachability Analysis for Stochastic Hybrid – Reachability & safety verification – Probabilistic safety Systems: a Markov chain approximation method • Reachability computations for safety verification Maria Prandini Politecnico di Milano, Italy • A Markov chain approximation method for probabilistic safety E-mail: prandini@elet.polimi.it verification • Application to aircraft conflict detection In collaboration with Jianghai Hu, Purdue University, and Shankar Sastry, University of California at Berkeley Reachability Reachability Given a system and a set of initial conditions S 0 Given a system and a set of initial conditions S 0 determine the set of states that can be reached by the system determine the set of states that can be reached by the system starting from S 0 starting from S 0 S 0 S 0 Reach( S 0 ) Safety verification Reachability & safety verification • In some systems, a region of the state space is “unsafe”. Reachability analysis can be used for safety verification • One has to verify that the system operates in safe conditions, i.e., it keeps staying inside the safe set. If that is not the case the system has to be modified so as to safe set F guarantee safety. S 0 Reach( S 0 ) Reach( S 0 ) ⊂ safe set F the system is operating in safe conditions

Reachability & safety verification Safety for stochastic systems Reachability analysis can be used for safety verification In stochastic systems, trajectories are realizations of a stochastic process, and different realizations have different likelihood. • if every realization keeps staying inside the safe set, then the system is 100% safe safe set F S 0 100% safe ↔ Reach( S 0 ) Reach( S 0 ) ⊂ safe set F Reach( S 0 ) ⊄ safe set F safe set F S 0 the system is operating in unsafe conditions Reach( S 0 ) Safety for stochastic systems Safety for stochastic systems In stochastic systems, trajectories are realizations of a stochastic Two safety notions: process, and different realizations have different likelihood. • every realization has to keep staying inside the safe set � worst-case safety • if the set of realizations exiting the safe set has probability smaller than ε , then the system is 100(1- ε ) % safe � trajectories are considered all equally admissible as if the system were deterministic � conservative 100(1- ε ) % safe ↔ Pr( Reach( S 0 )\ safe set F ) < ε • some realizations may exit the safe set, but this event has small probability � probabilistic safety � trajectories are weighted according to their likelihood safe set F � no 100% guarantees S 0 Reach( S 0 ) Model checking Deterministic finite automata automatic methods for safety verification through reachability deterministic S = { q 1 , q 2 , …} ≡ finite set of states Σ = {a, b, c,… } ≡ finite set of input symbols (events) finite computations T ⊂ S × Σ × S ≡ transition relation automaton S = {1,2,3,4,5,6} Σ = {a, b} model T = {(1,a,2),(1,b,3),(2,a,5),(2,b,4),(3,a,1),(3,b,6),(4,a/b,4),(5,a/b,5),(6,a/b,6)} Model Checker safe/not safe safe set Graph 1 representation a a b – require to be able to “compute” with sets and probabilities (represent and 2 3 propagate) b a b – mainly developed for deterministic systems (worst-case safety) a,b a,b a,b 4 5 6

Deterministic finite automata: execution Deterministic finite automata: reach set S = { q 1 , q 2 , …} ≡ finite set of states S = { q 1 , q 2 , …} ≡ finite set of states deterministic deterministic Σ = {a, b, c,… } ≡ finite set of input symbols (events) Σ = {a, b, c,… } ≡ finite set of input symbols (events) finite finite T ⊂ S × Σ × S ≡ transition relation T ⊂ S × Σ × S ≡ transition relation automaton automaton execution ≡ sequence of states { s 0 , s 1 , s 2 , …} such that there exists a sequence given a set of initial states S 0 ⊂ S : of events { e 0 , e 1 , e 2 , …} for which ( s i , e i , s i +1 ) ∈ T , ∀ i Reach( S 0 ) ≡ set of states s ∈ S for which there is a finite execution that starts in S 0 and ends at s S 0 ={3} 1 {3,1,2,4,4, …} is an execution 1 a a a b a b 2 3 2 3 b a b b a b a,b a,b a,b a,b a,b a,b 4 5 6 4 5 6 Deterministic finite automata: reach set Deterministic finite automata: reach set deterministic S = { q 1 , q 2 , …} ≡ finite set of states deterministic S = { q 1 , q 2 , …} ≡ finite set of states Σ = {a, b, c,… } ≡ finite set of input symbols (events) Σ = {a, b, c,… } ≡ finite set of input symbols (events) finite finite T ⊂ S × Σ × S ≡ transition relation T ⊂ S × Σ × S ≡ transition relation automaton automaton one-step successor operator: given a set of initial states S 0 ⊂ S : Post: 2 S → 2 S Reach( S 0 ) ≡ set of states s ∈ S for which there is a finite execution that starts in one-step successors of Post( A )={ s ’ ∈ S : ∃ s ∈ A , e ∈ Σ , ( s , e,s’ ) ∈ T} S 0 and ends at s the set of states A reach set computation S 0 = {3} S 0 ={3} 1 1 by listing all finite Reach 0 = {3} a executions a a b a b {3,1,2,4} Reach 1 = Reach 0 ∪ Post(Reach 0 ) = {1,3,6} finite executions 2 3 {3,1,2,5} 2 3 Reach 2 = Reach 1 ∪ Post(Reach 1 ) = {1,2,3,6} starting from s = 3 {3,6} Reach 3 = Reach 2 ∪ Post(Reach 2 ) = S b a b b a b … Reach 4 = Reach 3 a,b a,b a,b a,b a,b a,b 4 5 6 4 5 6 Reach( S 0 ) = S Reach( S 0 ) = S Deterministic finite automata: reach set Safety verification algorithm algorithm can terminate immediately if initialization: Reach -1 = ∅ deterministic S = { q 1 , q 2 , …} ≡ finite set of states one of the Reach i is not included in F Reach 0 = S 0 Σ = {a, b, c,… } ≡ finite set of input symbols (events) finite i = 0 T ⊂ S × Σ × S ≡ transition relation automaton while Reach i ≠ Reach i -1 and Reach i ⊆ safe set F do loop: Reach i +1 = Reach i ∪ Post(Reach i ) i = i + 1 one-step successor operator: Post: 2 S → 2 S if Reach i = Reach i -1 then the system is safe else the system is not safe output: one-step successors of Post( A )={ s ’ ∈ S : ∃ s ∈ A , e ∈ Σ , ( s , e,s’ ) ∈ T} the set of states A Safe set: S 0 = {3} 1 F = {1,3,4,5,6} Theorem: Since S is finite then Reach 0 = {3} a a b the algorithm can be implemented and always terminates. Reach 1 = {1,3,6} 2 3 Reach 2 = {1,2,3,6} ⊄ F � not safe b a b a,b a,b a,b 4 5 6