SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1 A simple - - PowerPoint PPT Presentation

▶

Dec 11, 2022 210 likes •442 views

SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1 A simple (often the only) strategy Given start and target S Compute finite cover of initial set Simulate from the center 0 of each cover Bloat

SLIDE 1

SIMULATION TO PROOFS IN C2E2

Parasara Sridhar Duggirala

SLIDE 2

Given start and target
Compute finite cover of initial set
Simulate from the center 𝑦0 of each cover
Bloat simulation so that bloated tube

contains all trajectories from the cover

Union = over-approximation of reach set
Check intersection/containment with 𝑈
Refine
How much to bloat?
How to handle mode switches?

𝑦0

𝑈

A simple (often the only) strategy

[Girard et al 2006], [Donze et al 2008],... (obviously incomplete)

SLIDE 3

Definition. 𝛾: ℝ2𝑜 × ℝ≥0 → ℝ≥0 defines a discrepancy of the

system if for any two states 𝑦1 and 𝑦2 ∈ 𝑌, For any t,

1. |𝜊 𝑦1, 𝑢 − 𝜊 𝑦2, 𝑢 | ≤ 𝛾 𝑦1, 𝑦2, 𝑢 and
2. 𝛾 → 0 as 𝑦1 → 𝑦2

−𝜊 𝑦1, 𝑢 −𝑊 𝜊 𝑦1, 𝑢 , 𝜊 𝑦2, 𝑢 −𝛾 𝑦1, 𝑦2, 𝑢

Discrepancy (Spirit of Loop Invariants) .

𝑦 ≔ 0 invariant 𝑦 ≤ 10 until 𝑦 ≥ 10 do 𝑦 ≔ 𝑦 + 1

SLIDE 4

If L is a Lipschitz constant for f(x,t) then |𝜊 𝑦1, 𝑢 − 𝜊 𝑦2, 𝑢 | ≤ 𝑓𝑀𝑢 𝑦1 − 𝑦2 . If 𝑦 = 𝐵𝑦 Lyapunov function 𝑦𝑈𝑁𝑦 that proves exponenial stability, then |𝜊 𝑦1, 𝑢 − 𝜊 𝑦2, 𝑢 | ≤ 𝐿𝑓𝛿𝑢 𝑦1 − 𝑦2 where 𝐿 = 𝐺𝑣𝑜𝑑(𝑁) Similar observation by [Deng et al 2013] What about Nonlinear Systems?

Computing Discrepancy .

SLIDE 5

If M is a contraction metric, that is, a positive definite matrix such that ∃𝑐𝑁 > 0: 𝐾𝑈𝑁 + 𝑁 𝐾 + 𝑐𝑁𝑁 ≼ 0, where J is the Jacobian for f, then ∃𝑙, 𝜀 > 0 such that 𝜊 𝑦, 𝑢 − 𝜊 𝑦′, 𝑢

2 ≤

𝑙 𝑦 − 𝑦′ 2𝑓−𝜀𝑢[Lohmiller & Slotine ‘98]. New algorithm: computes local discrepancy by estimating maximum eigenvalue of the Jacobian matrix over a neighborhood [Fan & Mitra 2014]. Inferring Contraction Metric from simulations [Balkan et al 2014] What next?

Computing Discrepancy .

SLIDE 6

Simulations+Annotation  Reachtubes

𝒕𝒋𝒏𝒗𝒎𝒃𝒖𝒋𝒑𝒐(𝒚𝟏 , 𝒊, 𝝑, 𝑼) of gives a sequence S0, … , 𝑇𝑙: 𝑒𝑗𝑏 𝑇𝑗 ≤ 𝜗 & at any time 𝑢 ∈ [𝑗ℎ, 𝑗 + 1 ℎ], solution 𝜊 𝑦0, 𝑢 ∈ 𝑇𝑗. 𝒔𝒇𝒃𝒅𝒊𝒖𝒗𝒄𝒇 𝑻, 𝝑, 𝑼 of 𝑦 = 𝑔 𝑦 is a sequence 𝑆0, … , 𝑆𝑙 such that 𝑒𝑗𝑏(𝑆𝑗) ≤ 𝜗 and from any 𝑦0 ∈ 𝑇, for each time 𝑢 ∈ [𝑗ℎ, (𝑗 + 1)ℎ], 𝜊 𝑦0, 𝑢 ∈ 𝑆𝑗. 𝑇0, … , 𝑇𝑙, 𝜗1 ← 𝑤𝑏𝑚𝑇𝑗𝑛(𝑦0, 𝑈, 𝑔) For each 𝑗 ∈ [𝑙] 𝜗2 ← sup

𝑢∈𝑈𝑗,𝑦,𝑦′∈𝐶𝜀(𝑦0)

𝛾 𝑦1, 𝑦2, 𝑢 𝑆𝑗 ← 𝐶𝜗2 𝑇𝑗

SLIDE 7

How to get completeness for hybrid systems?

Track & propagate 𝑛𝑏𝑧 and 𝑛𝑣𝑡𝑢 fragments of reachtube 𝒖𝒃𝒉𝑺𝒇𝒉𝒋𝒑𝒐 𝑺, 𝑸 = 𝑛𝑣𝑡𝑢 𝑆 ⊆ 𝑄 𝑛𝑏𝑧 𝑆 ∩ 𝑄 ≠ ∅ 𝑜𝑝𝑢 𝑆 ∩ 𝑄 = ∅ 𝒋𝒐𝒘𝒃𝒔𝒋𝒃𝒐𝒖𝑸𝒔𝒇𝒈𝒋𝒚(𝝎, 𝑻) = 〈𝑆0, 𝑢𝑏𝑕0, … , 𝑆𝑛, 𝑢𝑏𝑕𝑛〉 , such that either 𝑢𝑏𝑕𝑗 = 𝑛𝑣𝑡𝑢 if all the 𝑆

𝑘 ′𝑡 before it are must

𝑢𝑏𝑕𝑗 = 𝑛𝑏𝑧 if all the 𝑆

𝑘 ′𝑡 before it are at least may

and at least one of them is not must

SLIDE 8

Hybrid Reachtubes: Guards & Resets

𝒐𝒇𝒚𝒖𝑺𝒇𝒉𝒋𝒑𝒐𝒕(𝝌) returns a set of tagged regions N. 𝑆′, 𝑢𝑏𝑕′ ∈ 𝑂 iff ∃ 𝑏, 𝑆𝑗 such that 𝑆′ = 𝑆𝑓𝑡𝑓𝑢𝑏 𝑆𝑗 and: 𝑆𝑗 ⊆ 𝐻𝑣𝑏𝑠𝑒𝑏 , 𝑢𝑏𝑕𝑗 = 𝑢𝑏𝑕′ = 𝑛𝑣𝑡𝑢 𝑆𝑗 ∩ 𝐻𝑣𝑏𝑠𝑒𝑏 ≠ ∅, 𝑆𝑗 ∉ 𝐻𝑣𝑏𝑠𝑒𝑏 , 𝑢𝑏𝑕𝑗 = 𝑛𝑣𝑡𝑢, 𝑢𝑏𝑕′ = 𝑛𝑏𝑧 𝑆𝑗 ∩ 𝐻𝑣𝑏𝑠𝑒𝑏 ≠ ∅, 𝑢𝑏𝑕𝑗 = 𝑢𝑏𝑕′ = 𝑛𝑏𝑧

SLIDE 9

Theorem. (Soundness). If Algorithm returns safe or unsafe, then 𝐵 is safe or

unsafe. Definition Given HA 𝐵 = 〈𝑊, 𝑀𝑝𝑑, 𝐵, 𝐸, 𝑈 〉, an 𝝑-perturbation of A is a new HA 𝐵′ that is identical except, Θ′ = 𝐶𝜗(Θ), ∀ ℓ ∈ 𝑀𝑝𝑑, 𝐽𝑜𝑤′ = 𝐶𝜗(𝐽𝑜𝑤) (b) a ∈ A, 𝐻𝑣𝑏𝑠𝑒𝑏 = 𝐶𝜗(𝐻𝑣𝑏𝑠𝑒𝑏). A is robustly safe iff ∃𝜗 > 0, such that A’ is safe for 𝑉𝜗 upto time bound T, and transition bound N. Robustly unsafe iff ∃ 𝜗 < 0 such that 𝐵′ is safe for 𝑉𝜗.

Theorem. (Relative Completeness) Algorithm always terminates whenever

the A is either robustly safe or robustly unsafe.

Sound & Relatively Complete.

SLIDE 10

C2E2

SLIDE 11

TWO APPLICATIONS

Part II

Duggirala ∘ Wang ∘ Mitra ∘ Munoz ∘ Viswanathan (FM 2014) Huang ∘ Fan ∘ Meracre ∘ Mitra ∘ Kiwatkowska (CAV 2014)

SLIDE 12

SAPA-ALAS Parallel Landing Protocol

Ownship and Intruder approaching parallel runways with small separation ALAS (at ownship) protocol is supposed to raise an alarm if within T time units the Intruder can violate safe separation based on 3 different projections Verify Alert≼𝑐Unsafe for different runway and aircraft scenarios Scenario 1. With xsep [.11,.12] Nm ysep [.1,.21] Nm, 𝜚 = 30𝑝 𝜚𝑛𝑏𝑦 = 45o vyo= 136 Nmph, vyi = 155 Nmph

𝑇𝐶

𝑧𝑡𝑓𝑞 𝑦𝑡𝑓𝑞

𝑇𝐼 𝑇𝐺

Duggirala, Wang, Mitra, Munoz, Viswanathan FM 2014

SLIDE 13

𝑇𝐶

𝑧𝑡𝑓𝑞 𝑦𝑡𝑓𝑞

𝑇𝐼 𝑇𝐺

𝐵𝑚𝑓𝑠𝑢𝑗 = 𝑦 ∃ 𝑢 ∈ 0, 𝑈 , 𝑞𝑠𝑝𝑘𝑗 𝑦, 𝑢 ∈ 𝑉𝑜𝑡𝑏𝑔𝑓}, where 𝑞𝑠𝑝𝑘𝑗 defined as solution of ODE 𝑦 = 𝑕𝑗(𝑦, 𝑢) Use simulations and annotations of 𝑕𝑗 to compute 𝑛𝑣𝑡𝑢 intervals when 𝑦 ∈ 𝐵𝑚𝑓𝑠𝑢𝑗 𝐵𝑚𝑓𝑠𝑢 ≺𝑐 𝑄2 is satisfied by Reachtube 𝜔 if ∀ 𝐽2 ∈ 𝑁𝑣𝑡𝑢 𝑄2 ∪ 𝑁𝑏𝑧 𝑄2 there exists 𝐽1 ∈ 𝑁𝑣𝑡𝑢 𝐵𝑚𝑓𝑠𝑢 such that 𝐽1 < 𝐽2 − 𝑐 𝐵𝑚𝑓𝑠𝑢 ≺𝑐 𝑄2 is violated by Reachtube 𝜔 if ∃ 𝐽2 ∈ 𝑁𝑣𝑡𝑢 𝑄2 for all 𝐽1 ∈ 𝑁𝑣𝑡𝑢 𝐵𝑚𝑓𝑠𝑢 ∪ 𝑁𝑏𝑧 𝐵𝑚𝑓𝑠𝑢 such that 𝐽1 > 𝐽2 − 𝑐

Duggirala, Wang, Mitra, Munoz, Viswanathan FM 2013

SAPA-ALAS Parallel Landing Protocol

SLIDE 14

Real-time Alerting Protocol .

Scenario Alert ≼4 Unsafe Running time (mins:sec) Alert ≼? Unsafe

6 False 3:27 2.16 7 True 1:13 – 8 True 2:21 – 6.1 False 7:18 1.54 7.1 True 2:34 – 8.1 True 4:55 – 9 False 2:18 1.8 10 False 3:04 2.4 9.1 False 4:30 1.8 10.1 False 6:11 2.4

Sound & robustly completeness C2E2 verifies interesting scenarios in reasonable time; shows that false alarms are possible; found scenarios where alarm may be missed

SLIDE 15

Exploiting Modularity

𝑦1 = 𝑔

𝑏(𝑦1, 𝑦2, 𝑦3)

𝑦2 = 𝑔

𝑐(𝑦2, 𝑦1, 𝑦3)

𝑦3 = 𝑔

𝑑(𝑦3, 𝑦1, 𝑦2)

× 𝑀𝑂

𝑟𝑏 𝑟𝑐 𝑟𝑑

?

Module 1 Module 2 Module 3 Module 1 Module 2 Module 3 Module 4 Module 5

SLIDE 16

Input-to-State (IS) Discrepancy

Definition. IS discrepancy is defined by 𝛾 and 𝛿 such that for

any initial states 𝑦, 𝑦′ and any inputs 𝑣, 𝑣′,

|𝜊(𝑦, 𝑣, 𝑢) − 𝜊 𝑦′, 𝑣′, 𝑢 | ≤ 𝛾(𝑦, 𝑦′, 𝑢) +

𝑢

𝛿 |𝑣 𝑡 − 𝑣′ 𝑡 | 𝑒𝑡 𝛾 → 0 as 𝑦 → 𝑦′, and 𝛿 → 0 as 𝑣 → 𝑣′

𝑦 = 𝑔(𝑦, 𝑣)

𝑣

time 𝑦

𝜊(𝑦, 𝑣, 𝑢)

𝑦′

𝜊(𝑦′, 𝑣′, 𝑢)

𝑢 time

𝑣(𝑢) 𝑣′(𝑢)

SLIDE 17

Reduced System 𝑁(𝜀1, 𝜀2, 𝑊

1, 𝑊 2).

𝑦 = 𝑔

𝑁 𝑦

𝑦 = 〈𝑛1, 𝑛2, 𝑑𝑚𝑙〉 𝑛1 𝑛2 𝑑𝑚𝑙 = 𝑔

𝑁 𝑦 =

𝛾1 𝜀1, 𝑑𝑚𝑙 + 𝛿1 𝑛2 𝛾2 𝜀2, 𝑑𝑚𝑙 + 𝛿2 𝑛1 1

SLIDE 18

Bloating with Reduced Model

The bloated tube contains all trajectories start from the 𝜀-ball of 𝑦. The over-approximation can be computed arbitrarily precise.

time

𝜊(𝑢) 𝑦

𝑛2 = 𝛾2 𝜀, 𝑢 +𝛿2(𝑛1, 𝑛3) 𝑛1 = 𝛾1 𝜀, 𝑢 +𝛿1(𝑛2, 𝑛3) 𝑛3 = 𝛾3 𝜀, 𝑢 +𝛿3(𝑛1, 𝑛2)

time

𝑛(𝑢) 𝜀

𝑛(𝑢)

𝑦1 = 𝑔

1(𝑦1, 𝑣1)

𝑦2 = 𝑔

2(𝑦2, 𝑣2)

𝑦3 = 𝑔

3(𝑦3, 𝑣3)

SLIDE 19

Reduced 𝑁 gives effective Discrepancy of 𝐵.

Theorem. For any 𝜀 = 〈𝜀1, 𝜀2〉, 𝑊 = 〈𝑊

1, 𝑊 2〉 and 𝑈

𝑆𝑓𝑏𝑑ℎ𝐵 𝐶𝜀 𝑦 , 𝑈 ⊆ 𝑢≤𝑈 𝐶𝜈 𝑢

𝑊

(𝜊 𝑦, 𝑢 )

Theorem. For any ϵ > 0 there exists δ = 〈δ1, δ2〉 such that

𝑢≤𝑈 𝐶𝜈 𝑢

𝑊

(𝜊 𝑦, 𝑢 ) ⊆ 𝐶𝜗(𝑆𝑓𝑏𝑑ℎ𝐵(𝐶𝜀 𝑦 , 𝑈)

Here 𝜈 𝑢 is the solution of 𝑁(𝜀1, 𝜀2, 𝑊

1, 𝑊 2).

Huang & Mitra, HSCC 2013

SLIDE 20

Pacemaker + Cardiac Network .

Action potential remains in specific range No alternation of action potentials

Nodes Thresh Sims Run time (s) Property 3 2 16 104.8 TRUE 3 1.65 16 103.8 TRUE 5 2 3 208 TRUE 5 1.65 5 281.6 TRUE 5 1.5 NA 63.4 FALSE 8 2 3 240.1 TRUE 8 1.65 73 2376.5 TRUE

SLIDE 21

Summary and Outlook

Tractable reachability of nonlinear hybrid

models

– scales reasonably with time horizon and precision – exponential dependence on initial set (plenty of room to exploit parallelism)

Promising for synthesis of switching surfaces

SLIDE 22

Challenges

– Theory to support nondeterministic models using decomposition into deterministic part and state-dependent uncertainty:

Use cases: advanced controller, adversary, failures

– Compositional inference of annotations of large models from known annotations of smaller blocks

Use case: direct support of Simulink models directly

– Abstraction refinement-based algorithm for synthesis

– Connect synthesis engine with a specific complex hardware platform, for example, a quadcopter or a bipedal robotic system