SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1 A simple - PowerPoint PPT Presentation

SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1

A simple (often the only) strategy 𝑈 • Given start and target S • Compute finite cover of initial set • Simulate from the center 𝑦 0 of each cover • Bloat simulation so that bloated tube contains all trajectories from the cover 𝑦 0 • Union = over-approximation of reach set • Check intersection/containment with 𝑈 • Refine [Girard et al 2006], [Donze et al 2008],... • How much to bloat? (obviously incomplete) • How to handle mode switches? 2

Discrepancy (Spirit of Loop Invariants) . Definition. 𝛾: ℝ 2𝑜 × ℝ ≥0 → ℝ ≥0 defines a discrepancy of the system if for any two states 𝑦 1 and 𝑦 2 ∈ 𝑌 , For any t, 1. |𝜊 𝑦 1 , 𝑢 − 𝜊 𝑦 2 , 𝑢 | ≤ 𝛾 𝑦 1 , 𝑦 2 , 𝑢 and 2. 𝛾 → 0 as 𝑦 1 → 𝑦 2 𝑦 ≔ 0 invariant 𝑦 ≤ 10 until 𝑦 ≥ 10 do −𝜊 𝑦 1 , 𝑢 𝑦 ≔ 𝑦 + 1 −𝑊 𝜊 𝑦 1 , 𝑢 , 𝜊 𝑦 2 , 𝑢 −𝛾 𝑦 1 , 𝑦 2 , 𝑢 od 3

Computing Discrepancy . If L is a Lipschitz constant for f(x,t) then |𝜊 𝑦 1 , 𝑢 − 𝜊 𝑦 2 , 𝑢 | ≤ 𝑓 𝑀𝑢 𝑦 1 − 𝑦 2 . 𝑦 = 𝐵𝑦 Lyapunov function 𝑦 𝑈 𝑁𝑦 that proves exponenial If stability, then |𝜊 𝑦 1 , 𝑢 − 𝜊 𝑦 2 , 𝑢 | ≤ 𝐿𝑓 𝛿𝑢 𝑦 1 − 𝑦 2 where 𝐿 = 𝐺𝑣𝑜𝑑(𝑁) Similar observation by [Deng et al 2013] What about Nonlinear Systems? 4

Computing Discrepancy . If M is a contraction metric, that is, a positive definite matrix such that ∃𝑐 𝑁 > 0 : 𝐾 𝑈 𝑁 + 𝑁 𝐾 + 𝑐 𝑁 𝑁 ≼ 0, where J is the 2 ≤ Jacobian for f, then ∃𝑙, 𝜀 > 0 such that 𝜊 𝑦, 𝑢 − 𝜊 𝑦 ′ , 𝑢 𝑙 𝑦 − 𝑦 ′ 2 𝑓 −𝜀𝑢 [Lohmiller & Slotine ‘98]. New algorithm: computes local discrepancy by estimating maximum eigenvalue of the Jacobian matrix over a neighborhood [Fan & Mitra 2014]. Inferring Contraction Metric from simulations [Balkan et al 2014] What next? 5

Simulations+Annotation  Reachtubes 𝒕𝒋𝒏𝒗𝒎𝒃𝒖𝒋𝒑𝒐(𝒚 𝟏 , 𝒊, 𝝑, 𝑼) of gives a sequence S 0 , … , 𝑇 𝑙 : 𝑒𝑗𝑏 𝑇 𝑗 ≤ 𝜗 & at any time 𝑢 ∈ [𝑗ℎ, 𝑗 + 1 ℎ] , solution 𝜊 𝑦 0 , 𝑢 ∈ 𝑇 𝑗 . 𝒔𝒇𝒃𝒅𝒊𝒖𝒗𝒄𝒇 𝑻, 𝝑, 𝑼 of 𝑦 = 𝑔 𝑦 is a sequence 𝑆 0 , … , 𝑆 𝑙 such that 𝑒𝑗𝑏(𝑆 𝑗 ) ≤ 𝜗 and from any 𝑦 0 ∈ 𝑇, for each time 𝑢 ∈ [𝑗ℎ, (𝑗 + 1)ℎ] , 𝜊 𝑦 0 , 𝑢 ∈ 𝑆 𝑗 . 𝑇 0 , … , 𝑇 𝑙 , 𝜗 1 ← 𝑤𝑏𝑚𝑇𝑗𝑛(𝑦 0 , 𝑈, 𝑔) For each 𝑗 ∈ [𝑙] 𝜗 2 ← sup 𝛾 𝑦 1 , 𝑦 2 , 𝑢 𝑢∈𝑈 𝑗 ,𝑦,𝑦 ′ ∈𝐶 𝜀 (𝑦 0 ) 𝑆 𝑗 ← 𝐶 𝜗 2 𝑇 𝑗 6

How to get completeness for hybrid systems? Track & propagate 𝑛𝑏𝑧 and 𝑛𝑣𝑡𝑢 fragments of reachtube 𝑛𝑣𝑡𝑢 𝑆 ⊆ 𝑄 𝒖𝒃𝒉𝑺𝒇𝒉𝒋𝒑𝒐 𝑺, 𝑸 = 𝑛𝑏𝑧 𝑆 ∩ 𝑄 ≠ ∅ 𝑜𝑝𝑢 𝑆 ∩ 𝑄 = ∅ 𝒋𝒐𝒘𝒃𝒔𝒋𝒃𝒐𝒖𝑸𝒔𝒇𝒈𝒋𝒚(𝝎, 𝑻) = 〈𝑆 0 , 𝑢𝑏𝑕 0 , … , 𝑆 𝑛 , 𝑢𝑏𝑕 𝑛 〉 , such that either ′ 𝑡 before it are must 𝑢𝑏𝑕 𝑗 = 𝑛𝑣𝑡𝑢 if all the 𝑆 𝑘 ′ 𝑡 before it are at least may 𝑢𝑏𝑕 𝑗 = 𝑛𝑏𝑧 if all the 𝑆 𝑘 and at least one of them is not must 7

Hybrid Reachtubes: Guards & Resets 𝒐𝒇𝒚𝒖𝑺𝒇𝒉𝒋𝒑𝒐𝒕(𝝌) returns a set of tagged regions N. ∈ 𝑂 iff ∃ 𝑏, 𝑆 𝑗 such that 𝑆 ′ = 𝑆𝑓𝑡𝑓𝑢 𝑏 𝑆 𝑗 and: 𝑆′, 𝑢𝑏𝑕′ 𝑆 𝑗 ⊆ 𝐻𝑣𝑏𝑠𝑒 𝑏 , 𝑢𝑏𝑕 𝑗 = 𝑢𝑏𝑕 ′ = 𝑛𝑣𝑡𝑢 𝑆 𝑗 ∩ 𝐻𝑣𝑏𝑠𝑒 𝑏 ≠ ∅, 𝑆 𝑗 ∉ 𝐻𝑣𝑏𝑠𝑒 𝑏 , 𝑢𝑏𝑕 𝑗 = 𝑛𝑣𝑡𝑢, 𝑢𝑏𝑕 ′ = 𝑛𝑏𝑧 𝑆 𝑗 ∩ 𝐻𝑣𝑏𝑠𝑒 𝑏 ≠ ∅, 𝑢𝑏𝑕 𝑗 = 𝑢𝑏𝑕′ = 𝑛𝑏𝑧 8

Sound & Relatively Complete. Theorem. (Soundness). If Algorithm returns safe or unsafe, then 𝐵 is safe or unsafe. Definition Given HA 𝐵 = 〈𝑊, 𝑀𝑝𝑑, 𝐵, 𝐸, 𝑈 〉 , an 𝝑 -perturbation of A is a new HA 𝐵′ that is identical except, Θ ′ = 𝐶 𝜗 (Θ) , ∀ ℓ ∈ 𝑀𝑝𝑑, 𝐽𝑜𝑤 ′ = 𝐶 𝜗 (𝐽𝑜𝑤) (b) a ∈ A, 𝐻𝑣𝑏𝑠𝑒 𝑏 = 𝐶 𝜗 (𝐻𝑣𝑏𝑠𝑒 𝑏 ) . A is robustly safe iff ∃𝜗 > 0 , such that A’ is safe for 𝑉 𝜗 upto time bound T, and transition bound N. Robustly unsafe iff ∃ 𝜗 < 0 such that 𝐵′ is safe for 𝑉 𝜗 . Theorem. (Relative Completeness) Algorithm always terminates whenever the A is either robustly safe or robustly unsafe. 9

C2E2 10

Part II TWO APPLICATIONS Duggirala ∘ Wang ∘ Mitra ∘ Munoz ∘ Viswanathan (FM 2014) Huang ∘ Fan ∘ Meracre ∘ Mitra ∘ Kiwatkowska (CAV 2014) 11

SAPA-ALAS Parallel Landing Protocol Ownship and Intruder approaching parallel runways with small separation ALAS (at ownship) protocol is supposed to raise an 𝑇𝐼 alarm if within T time units the Intruder can violate 𝑦𝑡𝑓𝑞 safe separation based on 3 different projections 𝑇𝐺 Verify Alert ≼ 𝑐 Unsafe for different runway and aircraft 𝑇𝐶 𝑧𝑡𝑓𝑞 scenarios Scenario 1. With xsep [.11,.12] Nm ysep [.1,.21] Nm, 𝜚 = 30 𝑝 𝜚 𝑛𝑏𝑦 = 45 o vy o = 136 Nmph, vy i = 155 Nmph Duggirala, Wang, Mitra, Munoz, Viswanathan FM 2014 12

SAPA-ALAS Parallel Landing Protocol 𝐵𝑚𝑓𝑠𝑢 𝑗 = 𝑦 ∃ 𝑢 ∈ 0, 𝑈 , 𝑞𝑠𝑝𝑘 𝑗 𝑦, 𝑢 ∈ 𝑉𝑜𝑡𝑏𝑔𝑓} , where 𝑞𝑠𝑝𝑘 𝑗 defined as solution of ODE 𝑦 = 𝑕 𝑗 (𝑦, 𝑢) 𝑇𝐼 𝑦𝑡𝑓𝑞 Use simulations and annotations of 𝑕 𝑗 to compute 𝑇𝐺 𝑛𝑣𝑡𝑢 intervals when 𝑦 ∈ 𝐵𝑚𝑓𝑠𝑢 𝑗 𝑇𝐶 𝑧𝑡𝑓𝑞 𝐵𝑚𝑓𝑠𝑢 ≺ 𝑐 𝑄 2 is satisfied by Reachtube 𝜔 if ∀ 𝐽 2 ∈ 𝑁𝑣𝑡𝑢 𝑄 2 ∪ 𝑁𝑏𝑧 𝑄 2 there exists 𝐽 1 ∈ 𝑁𝑣𝑡𝑢 𝐵𝑚𝑓𝑠𝑢 such that 𝐽 1 < 𝐽 2 − 𝑐 𝐵𝑚𝑓𝑠𝑢 ≺ 𝑐 𝑄 2 is violated by Reachtube 𝜔 if ∃ 𝐽 2 ∈ 𝑁𝑣𝑡𝑢 𝑄 2 for all 𝐽 1 ∈ 𝑁𝑣𝑡𝑢 𝐵𝑚𝑓𝑠𝑢 ∪ 𝑁𝑏𝑧 𝐵𝑚𝑓𝑠𝑢 such that 𝐽 1 > 𝐽 2 − 𝑐 Duggirala, Wang, Mitra, Munoz, Viswanathan FM 2013 13

Real-time Alerting Protocol . Alert ≼ 4 Alert ≼ ? Running time Scenario Unsafe (mins:sec) Unsafe 6 False 3:27 2.16 7 True 1:13 – 8 True 2:21 – 6.1 False 7:18 1.54 7.1 True 2:34 – 8.1 True 4:55 – Sound & robustly completeness 9 False 2:18 1.8 10 False 3:04 2.4 C2E2 verifies interesting scenarios in 9.1 False 4:30 1.8 reasonable time; shows that false 10.1 False 6:11 2.4 alarms are possible; found scenarios where alarm may be missed 14

Exploiting Modularity Module 1 Module 1 ? Module 2 Module 3 Module 2 Module 3 Module 5 Module 4 𝑟 𝑏 𝑦 1 = 𝑔 𝑏 (𝑦 1 , 𝑦 2 , 𝑦 3 ) × 𝑀 𝑂 𝑦 2 = 𝑔 𝑐 (𝑦 2 , 𝑦 1 , 𝑦 3 ) 𝑦 3 = 𝑔 𝑑 (𝑦 3 , 𝑦 1 , 𝑦 2 ) 𝑟 𝑑 𝑟 𝑐 15

Input-to-State (IS) Discrepancy 𝑣(𝑢) 𝜊(𝑦, 𝑣, 𝑢) 𝑣 𝑦 𝑦 = 𝑔(𝑦, 𝑣) 𝑣′(𝑢) 𝜊(𝑦 ′ , 𝑣 ′ , 𝑢) 𝑦′ time time 𝑢 Definition. IS discrepancy is defined by 𝛾 and 𝛿 such that for any initial states 𝑦, 𝑦 ′ and any inputs 𝑣, 𝑣 ′ , 𝑢 𝛿 |𝑣 𝑡 − 𝑣 ′ 𝑡 | 𝑒𝑡 |𝜊(𝑦, 𝑣, 𝑢) − 𝜊 𝑦 ′ , 𝑣 ′ , 𝑢 | ≤ 𝛾(𝑦, 𝑦 ′ , 𝑢) + 0 𝛾 → 0 as 𝑦 → 𝑦′ , and 𝛿 → 0 as 𝑣 → 𝑣 ′ 16

Reduced System 𝑁(𝜀 1 , 𝜀 2 , 𝑊 1 , 𝑊 2 ) . 𝑦 = 𝑔 𝑁 𝑦 𝑦 = 〈𝑛 1 , 𝑛 2 , 𝑑𝑚𝑙〉 𝑛 1 𝛾 1 𝜀 1 , 𝑑𝑚𝑙 + 𝛿 1 𝑛 2 𝑛 2 = 𝑔 𝑁 𝑦 = 𝛾 2 𝜀 2 , 𝑑𝑚𝑙 + 𝛿 2 𝑛 1 𝑑𝑚𝑙 1 17

Bloating with Reduced Model 𝑛 1 = 𝛾 1 𝜀, 𝑢 𝑦 1 = 𝑔 1 (𝑦 1 , 𝑣 1 ) +𝛿 1 (𝑛 2 , 𝑛 3 ) 𝑛 2 = 𝛾 2 𝜀, 𝑢 𝑛 3 = 𝛾 3 𝜀, 𝑢 +𝛿 2 (𝑛 1 , 𝑛 3 ) 𝑦 3 = 𝑔 3 (𝑦 3 , 𝑣 3 ) +𝛿 3 (𝑛 1 , 𝑛 2 ) 𝑦 2 = 𝑔 2 (𝑦 2 , 𝑣 2 ) 𝜊(𝑢) 𝑛(𝑢) 𝜀 𝑦 𝑛(𝑢) time time The bloated tube contains all trajectories start from the 𝜀 -ball of 𝑦 . The over-approximation can be computed arbitrarily precise. 18

Reduced 𝑁 gives effective Discrepancy of 𝐵 . Theorem. For any 𝜀 = 〈𝜀 1 , 𝜀 2 〉 , 𝑊 = 〈𝑊 1 , 𝑊 2 〉 and 𝑈 𝑊 𝑆𝑓𝑏𝑑ℎ 𝐵 𝐶 𝜀 𝑦 , 𝑈 ⊆ 𝑢≤𝑈 𝐶 𝜈 𝑢 (𝜊 𝑦, 𝑢 ) Theorem. For any ϵ > 0 there exists δ = 〈δ 1 , δ 2 〉 such that 𝑊 𝑢≤𝑈 𝐶 𝜈 𝑢 (𝜊 𝑦, 𝑢 ) ⊆ 𝐶 𝜗 (𝑆𝑓𝑏𝑑ℎ 𝐵 (𝐶 𝜀 𝑦 , 𝑈) Here 𝜈 𝑢 is the solution of 𝑁(𝜀 1 , 𝜀 2 , 𝑊 1 , 𝑊 2 ) . Huang & Mitra, HSCC 2013 19

Pacemaker + Cardiac Network . Action potential remains in specific range No alternation of action potentials Nodes Thresh Sims Run time (s) Property 3 2 16 104.8 TRUE 3 1.65 16 103.8 TRUE 5 2 3 208 TRUE 5 1.65 5 281.6 TRUE 5 1.5 NA 63.4 FALSE 8 2 3 240.1 TRUE 20 8 1.65 73 2376.5 TRUE