Stability Proofs for Hybrid Systems Jens Oehlerking - - PowerPoint PPT Presentation

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Stability Proofs for Hybrid Systems

Jens Oehlerking

jens.oehlerking@informatik.uni-oldenburg.de Abteilung Systemsoftware und verteilte Systeme Department f¨ ur Informatik Carl von Ossietzky Universit¨ at Oldenburg

March 18, 2010

Jens Oehlerking 1/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Goal of this Talk

This talk will give an introduction to:

• stability theory for hybrid systems
• Lyapunov function based results that allow verification
• concrete verification methods based on nonlinear optimization
• decompositional techniques to ease the proof obligations

Jens Oehlerking 2/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Outline

1 Hybrid Systems and Stability 2 Lyapunov Functions 3 Lyapunov Function Computation 4 Decomposition 5 Conclusion

Jens Oehlerking 3/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Outline

1 Hybrid Systems and Stability 2 Lyapunov Functions 3 Lyapunov Function Computation 4 Decomposition 5 Conclusion

Jens Oehlerking 4/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Closed-loop Contol

Classical application for hybrid systems: closed-loop control

100 200 300 400 500 600 700 800 900 1000 −16 −14 −12 −10 −8 −6 −4 −2 2 4

• system variables must be driven toward a designated target

(equilibrium state xe ∈ Rn)

• small disturbances should only cause small deviations from

this equilibrium

Jens Oehlerking 5/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Stability

Any given bound on the deviation from the equilibrium xe should be respected, if we choose the initial state close enough. ∀ǫ > 0∃δ > 0 : ||x(0) − xe|| < δ = ⇒ ∀t : ||x(t) − xe|| < ǫ In temporal logic: ∀ǫ > 0∃δ > 0 : ||x − xe|| < δ = ⇒ (||x − xe|| < ǫ) Here: initial state represents result of a transient disturbance, or initial error after changing the set point of the system. Intuitively: no chaotic behavior, where small disturbances cause huge changes in behavior.

Jens Oehlerking 6/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Convergence

Intuitively: A (hybrid) system is convergent, if, from any initial state, the system state converges to equilibrium xe.

q

xe ∀ǫ > 0∃t0 > 0∀t > t0 : ||x(t)−xe|| < ǫ In temporal logic: ∀ǫ > 0 : ♦(||x − xe|| < ǫ) ⇒ conjunction

• f

infinitely many “finally globally” proper- ties

Jens Oehlerking 7/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Global Asymptotic Stability

Global asymptotic stability is the conjunction of these two properties: A system is globally asymptotically stable (GAS), if for all trajectories x(t): ∀ǫ > 0∃δ > 0 : ||x − xe|| < δ)) = ⇒ (||x − xe|| < ǫ) and ∀ǫ > 0 : ♦(||x − xe|| < ǫ) It is not inherently clear

• how fast convergence will be
• how far the system can stray from xe

But this can be derived in many cases!

Jens Oehlerking 8/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Hybrid Automata

A hybrid automaton is a finite automaton where

• each node (=mode) has a differential equation

˙ x = 1 ˙ x = −1

Jens Oehlerking 9/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Hybrid Automata

A hybrid automaton is a finite automaton where

• each node (=mode) has a differential equation
• optionally, each node has an invariant predicate

˙ x = 1 x < 10 ˙ x = −1 x > 10

Jens Oehlerking 9/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Hybrid Automata

A hybrid automaton is a finite automaton where

• each node (=mode) has a differential equation
• optionally, each node has an invariant predicate
• each edge (= mode transition) has an associated guard

predicate ˙ x = 1 x < 10 ˙ x = −1 x > 10 x = 10

Jens Oehlerking 9/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Hybrid Automata

A hybrid automaton is a finite automaton where

• each node (=mode) has a differential equation
• optionally, each node has an invariant predicate
• each edge (= mode transition) has an associated guard

predicate

• optionally, each edge has a discrete update function

˙ x = 1 x < 10 ˙ x = −1 x > 10 x = 10 ∧ x+ = x + 1

Jens Oehlerking 9/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Runs of Hybrid automata

˙ x = f1(x) I1

Jens Oehlerking 10/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Runs of Hybrid automata

˙ x = f1(x) I1 ˙ x = f2(x) I2 g1 ∧ x+ = u1(x)

Jens Oehlerking 10/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Runs of Hybrid automata

˙ x = f1(x) I1 ˙ x = f2(x) I2 g1 ∧ x+ = u1(x)

Jens Oehlerking 10/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Runs of Hybrid automata

˙ x = f1(x) I1 ˙ x = f2(x) I2 g1 ∧ x+ = u1(x) ˙ x = f3(x) I3 g2 ∧ x+ = u2(x)

Jens Oehlerking 10/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Proving Stability

Proving stability requires different techniques than proving safety properties, because

• we need to prove that sets of states will definitely be reached
• this includes disproving oscillations in the state space
• predicate abstraction techniques will result in loops in the

abstraction

• we need to guarantee some sort of progress toward the

equilibrium in all situations

• proof decomposition is not easy (see next slide)

Jens Oehlerking 11/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Compositionality

• very desirable: Break down stability proofs of large systems

into smaller sub-proofs

• this works well for safety proofs, but is very difficult for

stability!

• individual modes of a stable hybrid system can be unstable
• (all) individual modes of an unstable hybrid system can be

stable

• therefore, we cannot easily use “divide and conquer”

strategies on hybrid automata!

Jens Oehlerking 12/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Unstable System with Stable Modes

−1.5 −1 −0.5 0.5 1 1.5 −2 −1.5 −1 −0.5 0.5 1 1.5 2 −1.5 −1 −0.5 0.5 1 1.5 2 −2 −1.5 −1 −0.5 0.5 1 1.5 2 5 10 15 20 25 30 35 −10 −5 5 10

Jens Oehlerking 13/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Stable System with Unstable Modes

−8 −6 −4 −2 2 4 6 8 −6 −4 −2 2 4 6 −3 −2 −1 1 2 3 −5 −4 −3 −2 −1 1 2 3 4 5 −0.5 0.5 0.2 0.4 0.6 0.8 1

Jens Oehlerking 14/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Outline

1 Hybrid Systems and Stability 2 Lyapunov Functions 3 Lyapunov Function Computation 4 Decomposition 5 Conclusion

Jens Oehlerking 15/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Lyapunov Functions – Intuition

We need a way of arguing about progress toward xe. Basic Idea (Lyapunov, 1907): Measure the “energy” of the system. The energy must be:

• at its minimum at xe
• strictly decreasing over time along any valid run of the

system, unless we are already at xe

• radially unbounded

Jens Oehlerking 16/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Lyapunov Functions for Differential Equations

For a differential equation ˙ x = f (x), x ∈ Rn, define the time derivative ˙ V (x) := dV

dt (x) = dV dx (x) · f (x), and find a continuously

differentiable function V : Rn → R, such that:

• V (xe) = 0, and
• V (x) > 0 for x = xe
• ˙

V (xe) = 0

• ˙

V (x) < −αV (x) for x = xe and some α > 0

• ||x|| → ∞ ⇒ V (x) → ∞

Then ˙ x(t) = f (x(t)) is GAS with exponential convergence rate α: V (x(t)) ≤ e−αtV (x(0))

Jens Oehlerking 17/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Lyapunov Functions and Safety Proofs

Lyapunov functions can be used to show safety: If V (x) < c = ⇒ x | = P, then V (x(0)) < c = ⇒ P, because ˙ V ≤ 0 acts as a differential invariant.

V(c)=c Unsafe Set Init

⇒ barrier certificates (Prajna and Jadbabaie, 2004)

Jens Oehlerking 18/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Decidability and Converse Theorems

For single linear differential equation ˙ x = Ax, stability is usually easy to prove, for instance by:

• solving the Lyapunov Equation ATP + PA = −Q
• showing that the eigenvalues of A have negative real parts

For hybrid systems,

• GAS is undecidable, even for simple classes

(Blondel et al., 2001)

• while a Lyapunov function for a GAS hybrid system can be

proven to exist (Cai et al., 2008), algorithmic computation is possible only for some subclasses

Jens Oehlerking 19/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Extending LFs to Hybrid Systems

Hybrid system trajectories are in general not differentiable:

• if there is a mode switch, dx/dt is not necessarily defined
• if there is a discrete update, x(t) is not even continuous

Therefore,

• enforce Lyapunov conditions only when there is no mode

switch

• at mode switch, allow discontinuities for the Lyapunov

functions

• but introduce additional constraint, to make sure that the

deiscontinuity does not destroy stability

Jens Oehlerking 20/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Piecewise Continuous LFs

An extension for hybrid automata:

• use one Lyapunov function Vm per node m
• on a transition from m to m′ with guard g and update

function U require that g ⇒ Vm′(U(x)) ≤ Vm(x) (“non-increasingness condition”)

• gives extra degrees of freedom in the choice of the functions
• resulting discontinuous function will still decrease over time

V1(x(t)) V2(x(t)) V3(x(t)) t

Jens Oehlerking 21/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Piecewise Continuous LF for Hybrid Systems

A piecewise continuous Lyapunov function for a hybrid system is a function V : M × Rn → R with

• for all m and x |

= Inv(m) : V (m, x) = 0, if x = xe, and V (m, x) > 0 otherwise

• for all m and x |

= Inv(m) : ˙ V (m, x) = 0, if x = xe, and ˙ V (m, x) < −αV (m, x) otherwise, for some α > 0

• for all m, ||x|| → ∞ ⇒ V (m, x) → ∞
• for all transitions e from m1 to m2 and

x | = guarde : V (m1, x) ≥ V (m2, updatee(x)) The existence of such a V implies GAS with exponential convergence rate: V (m(t), x(t)) ≤ e−αtV (m(0), x(0))

Jens Oehlerking 22/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Automata-Based View

V (m1, x) V (m2, x) V (m3, x) V (m4, x) V (m5, x) V (m6, x)

• one local Lyapunov function (LLF) Vi = V (mi, x) per mode
• all LLF of an automaton form the global Lyapunov Function

(GLF)

• two LLF are interrelated by the non-increasingness condition

whenever there is a transition between the modes

Jens Oehlerking 23/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Convexity Properties

Important Property: Dynamics for which V is a LF are closed under positive linear combination. If V is a LF for ˙ x = f (x) and ˙ x = g(x) then V is also a LF for the differential inclusion ˙ x ∈ {¯ x|∃λ1 > 0, λ2 > 0 : ¯ x = λ1f (x) + λ2g(x)} ⇒ can identify a LF for differential inclusions, by looking at finitely many differential equations This allows for the formulation of robust stability problems

Jens Oehlerking 24/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

LFs for Polytopic Differential Inclusions

For a polytopic differential equation ˙ x ∈ co{f1(x), . . . , fn(x)}, find a continuously differentiable function V : Rn → R, such that:

• V (xe) = 0, and
• V (x) > 0 for x = xe
• ∀i : dV

dx (xe)fi(xe) = 0

• ∀i : dV

dx (x(t))fi(x(t)) < −αV (x) for x = xe and some α > 0

• ||x|| → ∞ ⇒ V (x) → ∞

Then ˙ x ∈ co{f1(x), . . . , fn(x)} is GAS with exponential convergence rate α: V (x(t)) ≤ e−αtV (x(0))

Jens Oehlerking 25/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Stochastic Systems

Two ways of introducing stochastic behavior into a hybrid automaton:

• probabilistic transitions (i.e., target mode is determined

randomly)

• add stochastic noise to differential equation

˙ x = f1(x) I1 G ∧ Update ˙ x = f2(x) I2 ˙ x = f3(x) I3 p1 p2

Want to know: Does the system still converge with probability 1?

Jens Oehlerking 26/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

LFs for Stochastic Hybrid Systems

Answer: yes, if we can find a Lyapunov function whose expected value decreases:

• for all m and x |

= Inv(m) : V (x, m) = 0, if x = xe, and V (x, m) > 0 otherwise

• for all m and x |

= Inv(m) : ˙ V (x, m)) = 0, if x = xe, and E( ˙ V (x, m)) < −αV (x, m) otherwise, for some α > 0

• for all m, ||x|| → ∞ ⇒ V (m, x) → ∞
• for all transitions t from m to m1, . . . , mn with probabilities

p1, . . . , pn and x | = guard(t) : V (x, m) ≥

i piV (updatei(xi), mi)

Jens Oehlerking 27/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Outline

1 Hybrid Systems and Stability 2 Lyapunov Functions 3 Lyapunov Function Computation 4 Decomposition 5 Conclusion

Jens Oehlerking 28/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Optimization-based Computation of LFs

How to obtain such functions?

Jens Oehlerking 29/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Optimization-based Computation of LFs

How to obtain such functions?

• w.l.o.g. assume that xe = 0
• start with a parameterized Lyapunov function template for

each node m

Jens Oehlerking 29/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Optimization-based Computation of LFs

How to obtain such functions?

• w.l.o.g. assume that xe = 0
• start with a parameterized Lyapunov function template for

each node m

• common choices: polynomial, quadratic

(Vm(x, y) = am,1x2 + am,2xy + am,3y2), etc.

Jens Oehlerking 29/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Optimization-based Computation of LFs

How to obtain such functions?

• w.l.o.g. assume that xe = 0
• start with a parameterized Lyapunov function template for

each node m

• common choices: polynomial, quadratic

(Vm(x, y) = am,1x2 + am,2xy + am,3y2), etc.

• Lyapunov constraints can be expressed as a linear matrix

inequality (LMI) constraint system with

• constraints per node (the Lyapunov conditions)
• constraints per edge (the non-increasingness condition)

Jens Oehlerking 29/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Optimization-based Computation of LFs

How to obtain such functions?

• w.l.o.g. assume that xe = 0
• start with a parameterized Lyapunov function template for

each node m

• common choices: polynomial, quadratic

(Vm(x, y) = am,1x2 + am,2xy + am,3y2), etc.

• Lyapunov constraints can be expressed as a linear matrix

inequality (LMI) constraint system with

• constraints per node (the Lyapunov conditions)
• constraints per edge (the non-increasingness condition)
• throw all constraints of the automaton together and solve

with semidefinite programming (SDP) software

Jens Oehlerking 29/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Optimization-based Computation of LFs

How to obtain such functions?

• w.l.o.g. assume that xe = 0
• start with a parameterized Lyapunov function template for

each node m

• common choices: polynomial, quadratic

(Vm(x, y) = am,1x2 + am,2xy + am,3y2), etc.

• Lyapunov constraints can be expressed as a linear matrix

inequality (LMI) constraint system with

• constraints per node (the Lyapunov conditions)
• constraints per edge (the non-increasingness condition)
• throw all constraints of the automaton together and solve

with semidefinite programming (SDP) software

• result: values for the parameters am,i for all modes, such that

conditions are fulfilled ⇒ system is stable

Jens Oehlerking 29/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Lyapunov Function Computation

To find a Lyapunov function for a system we need to

• define a finite-dimensional subspace in which to search, by

selecting a suitable parameterized form V (λ1, . . . , λn, x) for the function

• if

∃λ1, . . . , λn∀x : V (λ1, . . . , λn, x) fulfills the LF conditions, then the system is GAS Problem: alternating quantifiers. Ideally, we want to get rid of the “∀” quantifier!

Jens Oehlerking 30/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Semidefiniteness (1)

Every quadratic function V : Rn → R can be represented by a symmetric matrix P, for example: V (x1, . . . , xn) = [x1, x2, x3]   p1,1 p1,2 p1,3 p1,2 p2,2 p2,3 p1,3 p2,3 p3,3     x1 x2 x3   = p1,1x2

1 + p2,2x2 2 + p3,3x2 3 + 2p1,2x1x2 + 2p1,3x1x3 + 2p2,3x2x3

If ∀x : V (x) ≥ 0, them P is called positive semidefinite. This can be checked without looking at individual values of x!

Jens Oehlerking 31/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Semidefiniteness (2)

The following are equivalent for a symmetric matrix P:

• P is positive semidefinite, written as P 0
• the real parts of all eigenvalues of P are nonnegative
• all principal minors of P are nonnegative

Furthermore

• P 0 =

⇒ ∀λ ≥ 0 : λP 0

• P1, P2 0 =

⇒ P1 + P2 0 ⇒ matrices with P 0 form a convex cone. This means we can use convex optization techniques to search for positive semidefinite matrices!

Jens Oehlerking 32/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Positive Semidefinite Cone

Image taken from: Jon Dattoro, Convex Optimization & Euclidean Distance Geometry, Meboo Publishing, http://meboo.convexoptimization.com/

Jens Oehlerking 33/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Linear Matrix Inequalities (I)

Linear matrix inequalities: semidefiniteness constraints on linear combinations of matrices x1M1 + . . . + xnMn 0 where the xi ∈ R are unknown and Mi ∈ Rn×n are known and symmetric It is often convenient to write an LMI as a sum of matrix products: A1M1B1 + . . . + AjMjBj 0 ...can be brought into above form by multplying out the matrices.

Jens Oehlerking 34/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Solving LMIs

Find xi ∈ R, such that: x1M1 + . . . + xnMn 0 This problem can be mapped onto a special type of convex

• ptimization problem.

Can be solved by numerical algorithms.

Jens Oehlerking 35/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Software Packages

A (possibly incomplete) list of available software that can solve LMIs:

• C-based SDP solver/library CSDP (Borchers, 1999)
• Matlab-based solver SeDuMi (Romanko et al., 1999)
• Matlab frontends MPT, Yalmip, SOSTools
• standalone solvers SDPA, DSDP, SDPT
• Matlab wrapper VSDP for solver SDPT3, producing verified

results

Jens Oehlerking 36/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

LMIs for Lyapunov Functions (I)

Assume: linear differential equation ˙ x = Ax, and quadratic Lyapunov function candidate xTPx. We want to find P such that:

• V (xe) = 0 and V (x) > 0 for x = xe
• ˙

V (xe) = 0 and ˙ V (x) < −αV (x) for x = xe By the product rule: ˙ V (x) = d(xTPx) dt = d(xT) dt Px + xTP dx dt = xT(ATP + PA)x We can try to solve the LMI:

• P − I 0
• −ATP − PA + αP 0

Jens Oehlerking 37/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

LMIs for Lyapunov Functions (II)

If the differential equation has a constant part ˙ x = Ax + b, or we want the LF to have a constant or linear part, use a simple trick: Add an artificial system variable

x ⇒ ¯ x := x

• Then, dynamics can be written as

˙ ¯ x = A b

• ¯

x and LFs with linear/constant part as V (x) = ¯ xTP¯ x

Jens Oehlerking 38/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

The Hybrid Case

For hybrid systems:

• for all m and x |

= Inv(m) : V (x, m) = 0, if x = xe, and V (x, m) > 0 otherwise

• for all m and x |

= Inv(m) : ˙ V (x, m) = 0, if x = xe, and ˙ V (x, m) < −αV (x, m) otherwise, for some α > 0

• for all transitions t from m1 to m2 and x |

= guard(t) : V (x, m1) ≥ V (update(t)(x), m2) The “∀” quantifiers are not global, but local to an invariant/guard set! But: semidefiniteness implies that xTPx ≥ 0 for all x

Jens Oehlerking 39/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Invariants, Guards, and the S-Procedure

Want to show ∃λ : x ∈ S = ⇒ g(λ, x) ≥ 0 Suppose we have a function f : Rn → R with x ∈ S = ⇒ f (x) ≥ 0 Then [Yakubovich,1977]: (∃µ ≥ 0∀x : −µf (x)+g(λ, x) ≥ 0) = ⇒ (x ∈ S = ⇒ g(λ, x) ≥ 0) This relaxation is called the S-Procedure.

Jens Oehlerking 40/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

S-Procedure in LMIs

For example, we have an LMI constraint: −ATP − PA + αP 0 but we only want it to hold for all x | = Inv. Find a matrix Q such that x | = Inv = ⇒ xTQx ≥ 0 Then, solve the LMI −ATP − PA + αP − λQ 0 with λ ≥ 0

Jens Oehlerking 41/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

S-Procedure Conservativeness

What kind of sets can be represented by xTQx ≥ 0? Conic sections.

−1.5 −1 −0.5 0.5 1 1.5 −1.5 −1 −0.5 0.5 1 1.5 −1.5 −1 −0.5 0.5 1 −3 −2 −1 1 2 3 −5 −4 −3 −2 −1 1 2 3 4 5

−5 5 −5 −4 −3 −2 −1 1 2 3 4 5

Left: 1.5x2 − y2 = 2, Center: 1.5x + y = 2, Right: 3xy + 3y2 = 0

Jens Oehlerking 42/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

LMI for Piecewise Quadratic LFs (Pettersson, 1999)

Assume

• dynamics of mode m are ˙

x = Amx

• edges t = (m1, m1, guardt, updatet), where updatet(x) = Utx
• for each invariant Inv(m) a family S-procedure matrices Qi

m

• for each guard guardt a family S-procedure matrices Rj

t

Find Pm ∈ Rn × Rn, α > 0, µj

m, ηj m, ϑj e ≥ 0, such that

for all modes m : Pm −

• j

µj

mQj m − I

• for all modes m : −AT

mPm − PmAm −

• j

ηj

mQj m + αPm

• for all transitions t : Pm1 − UT

t Pm2Ut −

• j

ϑj

eRj t

• Jens Oehlerking

43/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Beyond Affine Dynamics and Quadratic LFs

So far: linear differential equations, linear updates, quadratic Lyapunov functions per mode. What to do with polynomial/transcendental dynamics? What if quadratic Lyapunov functions certifying progress do not exist? Want to go beyond the linear/quadratic scenario. Basic idea: substitution techniques in the constraints.

Jens Oehlerking 44/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Sums-of-Squares Decomposition (I) (Parrilo, 2003)

Nonlinear differential equation system ˙ x1 = −x3

1 − 0.01x2, ˙

x2 = −x3

2 − 0.01x1

Quadratic Lyapunov function candidate V (x) = xT p1 p2

• x

˙ V (x) = dV dx (x)dx dt (x) = [2p1x1, 2p2x2] −x3

1 + 0.01x2

−x3

2 + 0.01x1

• = −2p1x4

1 + 0.02p2x3 1x2 + 0.02p1x1x3 2 − 2p2x4 2

How to find suitable p1, p2?

Jens Oehlerking 45/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Sums-of-Squares Decomposition (II)

Want to find p1, p2 such that, for (x, y) = (0, 0), −2p1x4

1 + 0.02p2x3 1x2 + 0.02p1x1x3 2 − 2p2x4 2 < 0

Idea: substitute u = x2

1, v = x1x2, w = x2 2

Result: −2p1u2 + 0.02p2uv + 0.02p1vw − 2p2w2 Now find α > 0, p1, p2, λ ∈ R with   2p1 −0.01p2 λ −0.01p2 −2λ −0.01p1 λ −0.01p1 2p2   − α   1 1 1   0 Solution: λ = −1, α = 0.1, p1 = 1, p2 = 1.

Jens Oehlerking 46/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Drawbacks of LMI Methods

Key issues, if we want to include LMI techniques in hybrid verification tools:

• algorithms use floating point arithmetic ⇒ at best, accurate

to machine precision

• convex optimization algorithms use heuristics to approximate

a “steepest descent” ⇒ existing solution may not be found

• choice of parameterization may be unsuitable
• if computation fails, there is no constructve feedback from the

algorithm

• algorithm only of limited help during the design of stable

automata

Jens Oehlerking 47/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Outline

1 Hybrid Systems and Stability 2 Lyapunov Functions 3 Lyapunov Function Computation 4 Decomposition 5 Conclusion

Jens Oehlerking 48/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Decomposition

Very desirable: decompositional arguments about GAS and existence of LFs.

• want apply local arguments on the automaton, resulting in

smaller sub-proofs

• nevertheless the sum of the local proofs should prove GAS for

the entire system

• but remember: straightforward decomposition does not work!
• therefore, we need to maintain side conditions that ensure the

correctness of the decompsotion

• basis of decomposition: graph structutre of the automaton

Jens Oehlerking 49/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

SCC Decomposition (I)

Let H be a hybrid automaton. If all sub-automata pertaining to the SCCs of H are stable, and there are no discrete updates on the bridge edges, then H is stable. If all sub-automata pertaining to the SCCs of H are convergent, then H is convergent. Consequence: H can be decomposed into its SCCs, which can be analyzed separately

Jens Oehlerking 50/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

SCC Decomposition (I)

Let H be a hybrid automaton. If all sub-automata pertaining to the SCCs of H are stable, and there are no discrete updates on the bridge edges, then H is stable. If all sub-automata pertaining to the SCCs of H are convergent, then H is convergent. Consequence: H can be decomposed into its SCCs, which can be analyzed separately

Jens Oehlerking 50/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

SCC Decomposition (II)

Intuition:

• SCCs form an acyclic graph
• if we have a LF for each SCC, a trajectory either
• converges inside an SCC
• hits a transition to a successor SCC
• acyclic graph: there exists a “last” SCC, where the trajectory

must convergence

Jens Oehlerking 51/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Decomposition within SCCs

Chop up an SCC into further subgraphs. Problem: sequence of subgraphs traversed can be infinite ⇒ arguments for SCCs cannot be used! One approach: use Lyapunov functions to make sure stability is also preserved for infinite sequences Decompose SCC into subgraphs and:

• compute a separate Lyapunov function for each subgraph
• but: make sure that these LFs can be combined into a LF for

the entire SCC (without explicitly computing it!)

Jens Oehlerking 52/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Cycle Covers

Every node and edge in an SCC lies on at least one simple cycle. ⇒ compute on LF per cycle, making sure the results are “compatible” on the intersection nodes

Jens Oehlerking 53/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Convexity

Exploit convexity for composition: LF form a convex cone, as

• V1 and V2 are LF for system H

= ⇒ V1 + V2 is a LF for system H

• V is a LF for system H

= ⇒ ∀λ > 0 : λV is a LF for system H We can represent a polytopic set of LF by just its corner points (=valuations of the parameters)

Jens Oehlerking 54/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

LF-based Decomposition (I)

Basic Idea:

• pick a cycle of the graph
• identify nodes that intersect with other cycles (border nodes)
• find m solutions for the LMI system of the cycle, and for each

border node b, memorize the possible LLFs V i

b(x), 1 ≤ i ≤ m

for b

• move on to the next cycle, but use a different

parameterization for previously encountered border nodes b: V (b, x) =

i λiV i b(x), where the λi are the free parameters

• repeat until the entire graph is covered

Jens Oehlerking 55/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

LF-based Decomposition (II)

Theorem (Decomposition within SCCs)

Let H be a hybrid automaton consisting of two subgraphs C1 and C2 with a single common node b.

b n1 n2 n3 C1 C2 m1 m2 m3

Jens Oehlerking 56/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

LF-based Decomposition (II)

Theorem (Decomposition within SCCs)

Let H be a hybrid automaton consisting of two subgraphs C1 and C2 with a single common node b. Let b, n1, . . . , nj be the nodes of C1 and b, m1, . . . , mk be the nodes of C2.

b n1 n2 n3 C1 C2 m1 m2 m3

Jens Oehlerking 56/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

LF-based Decomposition (II)

Theorem (Decomposition within SCCs)

Let H be a hybrid automaton consisting of two subgraphs C1 and C2 with a single common node b. Let b, n1, . . . , nj be the nodes of C1 and b, m1, . . . , mk be the nodes of C2. For 1 ≤ i ≤ m, let V i

b(x) be a LLF for b, such that there exists a GLF V i C1(m, x) for

C1 with V i

C1(b, x) = V i b(x).

b n1 n2 n3 C1 C2 m1 m2 m3 V i

b

Jens Oehlerking 56/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

LF-based Decomposition (II)

Theorem (Decomposition within SCCs)

Let H be a hybrid automaton consisting of two subgraphs C1 and C2 with a single common node b. Let b, n1, . . . , nj be the nodes of C1 and b, m1, . . . , mk be the nodes of C2. For 1 ≤ i ≤ m, let V i

b(x) be a LLF for b, such that there exists a GLF V i C1(m, x) for

C1 with V i

C1(b, x) = V i b(x). If there exist a GLF VC2(m, x) and

λ1, . . . , λm ≥ 0 such that VC2(b, x) =

i λiV i b(x), then H is GAS.

b n1 n2 n3 C1 C2 m1 m2 m3 V i

b

Jens Oehlerking 56/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Normal-Boundary Intersection

How to compute the V i

b?

the exact constraints

• n V (b, x) imposed

by the LMI on C1 parameter space for the LLF of b

Jens Oehlerking 57/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Normal-Boundary Intersection

Pick an optimization direction for the LMI of C1

Jens Oehlerking 57/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Normal-Boundary Intersection

Compute optimal solution (=LLF) V 1

b in this direction

Jens Oehlerking 57/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Normal-Boundary Intersection

Repeat to compute several V i

b

Jens Oehlerking 57/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Normal-Boundary Intersection

The conic hull of the V i

b contains only LLFs of b

Jens Oehlerking 57/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Cycles with Multiple Border Nodes

If two cycles overlap in more than one mode, things get complicated:

• cannot treat the border nodes separately, as their LF

constraints are interdependent within each cycle

• would need to under-approximate the set of combinations of

possible LFs → dimensional blowup But: we can often get rid of these situations by bisilimarity transformations of the underlying graph.

Jens Oehlerking 58/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Bislimilarity Transformations

Each node inherits

• dynamics and invariant
• one incoming and one outgoing transition, with guard and

update function, such that all combinations of incoming and outgoing edges are represented ⇒ all trajectories of the original system remain possible

Jens Oehlerking 59/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Merging Nodes

Polynomial LF candidates, no discrete uppdates, the interior of g1 ∩ g2 ∩ g3 nonempty: any GLF must have V1 = V2 = V3. ⇒ can merge the nodes into one, and replace the dynamics by ˙ x ∈ co(f1(x), f2(x), f3(x))

˙ x = f1(x) ˙ x = f2(x) ˙ x = f3(x)

g1 g2 g3 = ⇒

˙ x ∈ co(f1(x), f2(x), f3(x))

Jens Oehlerking 60/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Different Graph Transformations

• split modes to reduce cycle intersections
• if interconnection between modes is very strong, only common

LFs for some nodes are possible ⇒ merge nodes

• if LF search unsuccessful, splitting some nodes gives more

flexibility in LF search

• node splitting might “uncover” more SCCs and ease the

analysis

• LLF contour lines can be used as invariants to identify

unreachable parts of the graph

Jens Oehlerking 61/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Conclusion

• while numerous tools for safety verification are available,

support for stability (liveness) proofs is still very limited

• optimization based methods make such proofs possible in

polynomial time

• however, in practice, they have some robustness issues when

dealing with complex systems

• stability verification obligations are hard to decompose

because stability usually depends on the interplay between subsystems

• but: great potential, as computations come at a relatively

small cost and are capable of providing abstractions for complex continuous-time behavior

Jens Oehlerking 62/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Blondel, V., Bournez, O., Koiran, P., and Tsitsiklis, J. (2001). The stability of saturated linear dynamical systems is undecidable. Journal of Computer and System Sciences, 62:442–462. Borchers, B. (1999). CSDP, a C library for semidefinite programming. Optimization Methods and Software, 10(1):613–623. https://projects.coin-or.org/Csdp/. Cai, C., Teel, A., and Goebel, R. (2008). Smooth Lyapunov functions for hybrid systems – part II: (pre)asymptotically stable compact sets. IEEE Transactions on Automatic Control, 53(3):734–748. Lyapunov, A. (1907). Probl` eme g´ en´ eral de la stabilit´ e du movement.

• Ann. Fac. Sci. Toulouse, 9:203–474.

(Translation of a paper published in Comm. Soc. math. Kharkow, 1893, reprinted in

• Ann. math. Studies No. 17, Princeton University Press, 1949).

Jens Oehlerking 63/64 Stability Proofs for Hybrid Systems

HS/Stability Lyapunov Functions LF Computation Decomposition Conclusion References

Parrilo, P. (2003). Semidefinite programming relaxations for semialgebraic problems. Mathematical Programming Ser. B, 96:293–320. Pettersson, S. (1999). Analysis and Design of Hybrid Systems. PhD thesis, Chalmers University of Technology, Gothenburg, Sweden. Prajna, S. and Jadbabaie, A. (2004). Safety verification of hybrid systems using barrier certificates. In International Workshop on Hybrid Systems: Computation and Control (HSCC’04). Romanko, O., P´

• lik, I., and Sturm, J. F. (1999).

Using SeDuMi 1.02, a MATLAB toolbox for optimization over symmetric cones.

Jens Oehlerking 64/64 Stability Proofs for Hybrid Systems