Tools for Hybrid Systems Reachability Goran Frehse Universite - PowerPoint PPT Presentation

Tools for Hybrid Systems Reachability Goran Frehse Universite Grenoble 1, Verimag - with work from Thao Dang, Antoine Girard and Colas Le Guernic - QMC’10, Copenhague, March 5, 2010 1

Outline I. Hybrid Automata and Reachability II. Linear Hybrid Automata III. Piecewise Affine Hybrid Systems IV. Support Functions 2

Formal Verification Model of Formal System Specification Revise Verification Design (algorithmic) Incorrect / Correct Unknown 3

Formal Verification Key Problems – computable (decidable) only for simple dynamics – computationally expensive – representation of / computation with continuous sets 4

Formal Verification Fighting complexity with overapproximations – simplify dynamics – set representations – set computations Overapproximations should be – conservative – easy to derive and compute with – accurate (not too many false positives) 5

Formal Verification Model of Formal System Specification Revise Verification Design (algorithmic) Incorrect / Correct Unknown 6

Formal Verification Model of System Model of Model of Physics Software continuous dynamics discrete dynamics � � � � � � � 7

Modeling Hybrid Systems Example: Bouncing Ball – ball with mass m and position x in free fall – bounces when it hits the ground at x� =�0 – initially at position x  and at rest x F g 0 8

Part I – Free Fall Condition for Free Fall � ≥ � x – ball above ground: F g First Principles (physical laws) 0 • gravitational force : � � � − �� � � � � ��� � � � • Newton's law of motion : � � � � � � 9

Part I – Free Fall � � � − �� � � � � � � x Obtaining 1 st Order ODE System F g • ordinary differential equation � � � � � � � 0 • transform to 1st order by introducing variables for higher derivatives • here: � � � � : � � � � − � � � � 10

Part II – Bouncing Conditions for “Bouncing” • ball at ground position: � � � • downward motion: � � � Action for “Bouncing” • velocity changes direction • loss of velocity (deformation, friction) • � �� − �� , � ≤ � ≤ � 11

Combining Part I and II Free Fall • while � ≥ � , continuous dynamics � � � � � � � � � � � � � � − � Bouncing discrete dynamics • if � � � and � � � � ∈ � − �� � �� � �� � � � � 12

Hybrid Automaton Model initial conditions � � � � � � � location freefall label � ≥ � ������ invariant guard � � � ∧ � � � � � � � � �� − �� − � � � � reset flow discrete transition 13

Hybrid Automata - Semantics Run – sequence of discrete transitions and time elapse Execution – run that starts in the initial states x  ( t ) x  ( t ) x  ( t ) 14

Execution of Bouncing Ball x  x  ( t ) x  ( t ) position x x  ( t ) x  ( t ) x  ( t ) 0 time t … δ  δ  δ  δ  δ  v  velocity v v  ( t ) v  ( t ) v  ( t ) v  ( t ) v  ( t ) 0 time t … δ  δ  δ  δ  δ  15

Execution of Bouncing Ball State-Space View (infinite time range) x  position x x  ( t ) x  ( t ) x  ( t ) 0 velocity v discrete transition 16

Formal Verification Model of Formal System Specification Revise Verification Design (Reachability) Incorrect / Correct Unknown 17

Computing Reachable States Compute successor states • discrete transitions : ���� � � � � • time elapse : ���� � � � � R 0 R 1 = Post c ( R 0 ) R 3 = Post c ( R 2 ) R 2 = Post d ( R 1 ) 0 18

Computing Reachable States Fixpoint computation • Initialization: � � � ��� • Recurrence: � � �� � � � ∪ ���� � � � � � ∪ ���� � � � � � • Termination: � � �� � � � ⇒ ����� � � � . Problems – in general termination not guaranteed – time-elapse very hard to compute with sets 19

Chapter Summary Why should we care? – Reachability Analysis is a set-based computation that can answer many interesting questions about a system (safety, bounded liveness,…) What’s the problem? – The hardest part is computing time elapse. – Explicit solutions only for very simple dynamics. What’s the solution? – First study simple dynamics. – Then apply these techniques to complex dynamics. 20

Outline I. Hybrid Automata and Reachability II. Linear Hybrid Automata III. Piecewise Affine Hybrid Systems IV. Support Functions 21

In this Chapter… A very simple class of hybrid systems Exact computation of discrete transitions and time elapse – Note: Reachability (and pretty much everything else) is nonetheless undecidable . A case study 22

Linear Hybrid Automata Continuous Dynamics • piecewise constant: ˙ x = 1 • intervals: ˙ x ∈ [1 , 2] • conservation laws: ˙ x � + ˙ x � = 0 • general form: conjunctions of linear constraints a ∈ � n , b ∈ � , ⊲ a � ˙ ⊳ ∈ { <, ≤} . x ⊲ ⊳ b, = convex polyhedron over derivatives 23

Linear Hybrid Automata Discrete Dynamics • affine transform: x := ax + b • with intervals: x � := x � ± 0 . 5 • general form: conjunctions of linear constraints (new value x ′ ) a � x + a ′ � x ′ ⊲ a, a ′ ∈ � n , b ∈ � , ⊲ ⊳ ∈ { <, ≤} ⊳ b, = convex polyhedron over x x and x x x x ’ x x 24

Linear Hybrid Automata Invariants, Initial States • general form: conjunctions of linear constraints a ∈ � n , b ∈ � , ⊲ a � x ⊲ ⊳ b, ⊳ ∈ { <, ≤} , = convex polyhedron over x x x x 25

Reachability with LHA Compute discrete successor states Post d ( S ) – all x ’ for which exists x ∈ S s.t. • x ∈ G • x ’ ∈ R ( x ) � Inv Operations: – existential quantification – intersection – standard operations on convex polyhedra, but of exponential complexity 26

Reachability with LHA Compute time elapse states Post c ( S ) Theorem [Alur et al.] – Time elapse along arbitrary trajectory iff time elapse along straight line (convex invariant). Inv – time elapse along straight line can be computed as projection along cone [Halbwachs et al.] 27

9 Reachability with LHA [Halbwachs, Henzinger, 93-97] 1. get projection 1. get projection cone cone 2. time elapse by 2. time elapse by invariant projection 3. compute projection 3. compute successors of successors of transitions transitions successors initial states derivatives projection cone 28

8 5 Multi-Product Batch Plant 29

Multi-Product Batch Plant Cascade mixing process L IS L IS L IS 1 1 12 1 3 – 3 educts via 3 reactors ⇒ 2 products Verification Goals M M M – Invariants LIS LIS LIS 21 22 23 QIS QIS Q IS 21 22 23 • overflow • product tanks never empty – Filling sequence Design of verified LIS L IS controller 31 32 30

� � Verification with PHAVer Controller + Plant – 266 locations, 823 transitions (~150 reachable) – 8 continuous variables Reachability over infinite time – 120s—1243s, 260—600MB – computation cost increases with nondeterminism (intervals for throughputs, initial states) Controller Controlled Plant 31

Verification with PHAVer 32

Outline I. Hybrid Automata and Reachability II. Linear Hybrid Automata III. Piecewise Affine Hybrid Systems IV. Support Functions 33

In this Chapter… Another class of (not quite so) simple dynamics – but things are getting serious (no explicit solution for sets) Exact computation of time elapse only at discrete points in time – used to overapproximate continuous time Efficient data structures 34

Piecewise Affine Hybrid Systems Affine dynamics – Flow: x = Ax + b (deterministic) ˙ x ∈ Ax + B , with B a set (nondeterministic) ˙ – For time elapse it’s enough to look at a single location. 35

Linear Dynamics Let’s begin with “autonomous” part of the dynamics: x ∈ � n x = Ax, ˙ Known solutions: – analytic solution in continuous time – explicit solution at discrete points in time (up to arbitrary accuracy) Approach for Reachability: – Compute reachable states over finite time: Reach [0,T] ( X Ini ) – Use time-discretization, but with care! 36

Time-Discretization for an Initial Point Analytic solution: e At x Ini x ( t ) = x ( t ) x 3 • with t = δk : x 2 x 1 e Aδ x ( δk ) x 0 x ( δ ( k + 1)) = 0 δ 2 δ 3 δ t Explicit solution in discretized time (recursive): x � = x Ini e Aδ x k x k �� = multiplication with const. matrix e Aδ = linear transform 37

Time-Discretization for an Initial Set X 3 Explicit solution in discretized time X 2 X 1 X 0 X � = X Ini Reach [0,3 δ ] ( X Ini ) e Aδ X k X k �� = 0 δ 2 δ 3 δ t Acceptable solution for purely continuous systems – x ( t ) is in ǫ ( δ ) -neighborhood of some X k Unacceptable for hybrid systems – discrete transitions might “fire” between sampling times – if transitions are “missed,” x ( t ) not in ǫ ( δ ) -neighborhood 38