Verification and Qualitative analysis of hybrid systems: dimension 2 - - PowerPoint PPT Presentation

Verification and Qualitative analysis of hybrid systems: dimension 2

Joint work with Gerardo Schneider, Sergio Yovine and Gordon Pace

Eugene Asarin VERIMAG

AS - Paris - 27/06/02 – p.1/38

Outline

• Motivation and Context
• SPDI - decidable 2d systems
• The model
• Reachability is decidable
• Beyond verification : algorithmic phase portrait

construction.

• SPeeDI the tool

AS - Paris - 27/06/02 – p.2/38

Outline

• Motivation and Context
• SPDI - decidable 2d systems
• More complex systems: between decidable and

undecidable

• The reference model : 1d PAM
• 2d Linear Hybrid Automata ≡ PAM
• PCD on 2d manifolds ≡ iPAM

AS - Paris - 27/06/02 – p.2/38

Outline

• Motivation and Context
• SPDI - decidable 2d systems
• More complex systems: between decidable and

undecidable

• Undecidable 2d systems
• LHA + counter

AS - Paris - 27/06/02 – p.2/38

Outline

• Motivation and Context
• SPDI - decidable 2d systems
• More complex systems: between decidable and

undecidable

• Undecidable 2d systems
• Discussion

AS - Paris - 27/06/02 – p.2/38

Motivation and Context

AS - Paris - 27/06/02 – p.3/38

The Problem

• Explore decidability of reachability for classes of

2d hybrid systems.

• Trace the boundary between decidable and

undecidable.

• Find good algorithms for decidable problems.

AS - Paris - 27/06/02 – p.4/38

Why?

• Why hybrid systems?
• What kind of hybrid systems?
• Why reachability?
• Why 2d?

AS - Paris - 27/06/02 – p.5/38

Hybrid systems

Discrete+continuous ⇒ interesting and useful Our basic model: PCD (simple dynamics, no jumps)

t

x y P1 c1

˙ x = ci for x ∈ Pi

AS - Paris - 27/06/02 – p.6/38

Around reachability

• Reach(x, y) ⇔ ∃ a trajectory from x to y

Also Reach(A, B): set-to-set reachability.

AS - Paris - 27/06/02 – p.7/38

Around reachability

• Reach(x, y) ⇔ ∃ a trajectory from x to y

Also Reach(A, B): set-to-set reachability.

• Key to safety verification:

x is safe ⇔ ¬Reach(x, Bad)

AS - Paris - 27/06/02 – p.7/38

Around reachability

• Reach(x, y) ⇔ ∃ a trajectory from x to y

Also Reach(A, B): set-to-set reachability.

• Key to safety verification:

x is safe ⇔ ¬Reach(x, Bad)

• MP94: Reach is decidable for 2d PCD.

AS - Paris - 27/06/02 – p.7/38

Around reachability

• Reach(x, y) ⇔ ∃ a trajectory from x to y

Also Reach(A, B): set-to-set reachability.

• Key to safety verification:

x is safe ⇔ ¬Reach(x, Bad)

• MP94: Reach is decidable for 2d PCD.
• AM95: Reach is undecidable for 2d PCD.

AS - Paris - 27/06/02 – p.7/38

Where is the boundary?

The boundary between decidable and undecidable lies somewhere in dimension 2. Let us explore more general 2d systems:

• SPDI = Non-deterministic PCD
• PCD on surfaces
• Linear Hybrid Automata = PCD + jumps
• LHA+1 counter
• . . .

AS - Paris - 27/06/02 – p.8/38

SPDI - a new class of decidable systems

AS - Paris - 27/06/02 – p.9/38

SPDI

Simple Polygonal Differential Inclusion = the non-deterministic version of PCD=

• A partition of the plane into polygonal regions
• A constant differential inclusion for each region

˙ x ∈ ∠b

a if x ∈ Ri

AS - Paris - 27/06/02 – p.10/38

SPDI

Simple Polygonal Differential Inclusion =

R6 R8 R3 R7 R2 R4 R5 R1

e5 e4 e3 e2 e1 e8 e7 e6 y x

AS - Paris - 27/06/02 – p.10/38

Difficulties

Too many trajectories ( even locally )

e5 e4 e1 e8 e3 e2 e7 e6

AS - Paris - 27/06/02 – p.11/38

Difficulties

Too many signatures

e5 e4 e3 e9 e2 e1 e8 e7 e6 e10 e11 e12

AS - Paris - 27/06/02 – p.11/38

Difficulties

Self-crossing trajectories

e5 e4 e3 e1 e8 e10 e9 e12 e11 e2 e6 e7

AS - Paris - 27/06/02 – p.11/38

Plan of solution

• Simplify trajectories
• Enumerate types of signatures
• Test reachability for each type using accelerations

AS - Paris - 27/06/02 – p.12/38

Simplification 1: Straightening

x′ Ri x a b

AS - Paris - 27/06/02 – p.13/38

Simplification 2: Removing self-crossings

b a b a e2 e′

2

x0 xf x′ y y′ e′

1

x e1 e′

2

e′

1

e1 xf

e2

y′ x0 x

Bottom line:Reach(x, y) ⇔ ∃ a simple piecewise straight trajectory from x to y

AS - Paris - 27/06/02 – p.14/38

Signatures of simplified trajectories

• Representation Theorem: Any edge signature

can be represented as

σ = r1(s1)k1r2(s2)k2 . . . rn(sn)knrn+1

• Properties
• ri is a seq. of pairwise different edges;
• si is a simple cycle;
• ri and rj are disjoint
• si and sj are different

Proof based on Jordan’s theorem (MP94)

AS - Paris - 27/06/02 – p.15/38

Classification of signatures

Any edge signature belongs to a type

r1(s1)∗r2(s2)∗ . . . rn(sn)∗rn+1

s1 s2 sn rn rn+1 r3 r2 r1

There are finitely many types!

AS - Paris - 27/06/02 – p.16/38

How to explore one type?

s1 s2 sn rn rn+1 r3 r2 r1

Recipe: compute successors and accelerate cycles.

AS - Paris - 27/06/02 – p.17/38

Successors (by σ)

One step (σ = e1e2)

R1 e4 e5 R5 R7 e6 e7 R6 R4 e2 R8 R2 e10 e11 e12 e1 e8 e13 e9 R3 e3

I′ = Succe1e2(x) = [fb(x), fa(x)] = F(x)

AS - Paris - 27/06/02 – p.18/38

Successors (by σ)

Several steps (σ = e1e2e3)

• ✁

e4 e5 e11 e12 e9 e10 I′ x e2 e3 e1 e13 e8 e7 e6

I′ = Succσ(x) = [f′

b(x), f′ a(x)] = F ′(x)

AS - Paris - 27/06/02 – p.18/38

Successors (by σ)

Several steps (σ = e1e2e3e4e5)

e5 e4 e1 e10 e9 e12 e11 e6 e7 e8 e13 e2 e3

I′ = Succσ(x) = [f′′

b(x), f′′ a(x)] = F ′′(x)

AS - Paris - 27/06/02 – p.18/38

Successors (by σ)

One cycle (σ = s = e1e2 · · · e8e1)

e5 e4 e8 e11 e10 e9 e12 e13 e7 e6 e3 e2 e1

I′ = Succσ(x) = [f′′

b(x), f′′ a(x)] = F ′′(x)

AS - Paris - 27/06/02 – p.18/38

Successors (by σ)

e8 e13 e1 e2 e4 e6 e7 e11 e10 e9 e12 e5

e3

One cycle iterated: ≈solution of fixpoint equation

(acceleration) (Succσ(I) = I)

AS - Paris - 27/06/02 – p.18/38

The calculus of TAMF

• Fact: All successors are TAMF
• Affine function (AF):

f(x) = ax + b with a > 0

• Affine multi-valued function (AMF):

˜ F(x) = [f1(x), f2(x)]

• Truncated affine multi-valued function

(TAMF):

F(x) = ˜ F(x) ∩ J if x ∈ S

Lemma: AF

, AMF and TAMF are closed under composition.

Lemma: Fixpoint equations F(I) = I can be explicitely

solved (without iterating)

AS - Paris - 27/06/02 – p.19/38

Reachability Algorithm

for each type of signature τ do test whether x τ

→ y

To test x τ

→ y for τ = r1(s1)∗r2(s2)∗ . . . rn(sn)∗rn+1

compute Succr and accelerate (Succs)∗

AS - Paris - 27/06/02 – p.20/38

Main result

Reachability is decidable for SPDI

AS - Paris - 27/06/02 – p.21/38

Something for free : phase portrait

Reminder: A phase portrait - a picture of important

• bjects of a dynamical system:
• equilibria
• limit cycles
• their attraction basins

Mathematicians prefer it to reachability analysis!

AS - Paris - 27/06/02 – p.22/38

Something for free : phase portrait

Algorithm : phase portrait for SPDIs for each simple cycle σ do Compute Viab(σ) Compute Cntr(σ)

AS - Paris - 27/06/02 – p.22/38

Something for free : phase portrait

Algorithm : phase portrait for SPDIs for each simple cycle σ do Compute Viab(σ) Compute Cntr(σ) The two kernels for a cycle:

Viab(σ) = Preσ(Dom(Succσ)) Cntr(σ) = (Succσ ∩ Preσ)(CD(σ))

R6 R8 R4 R2 R3 R7 R5

e6 e7 e8 e2 e3 e4 e5

AS - Paris - 27/06/02 – p.22/38

Something for free : phase portrait

Algorithm : phase portrait for SPDIs for each simple cycle σ do Compute Viab(σ) Compute Cntr(σ) The Phase Portrait: Theorem Each sim- ple trajectory converges to Cntr(σ) for some σ

R5 R4 R3 R2 R11 R15 R1 R8 R7 R6

e5 e4 e3 e2 e1 e8 e7 e6 e15 e14 e11 e10

AS - Paris - 27/06/02 – p.22/38

SPeeDI the tool

5000 lines of Haskell!

<exit interval> <trace> <type_of_signature> simsig2fig simsig reachable <file.fig>

NO YES

<file.spdi> <input interval>

AS - Paris - 27/06/02 – p.23/38

SPeeDI :input

t Points: 0. 0.0, 0.0 * ...

• 33. -5.0, -35.0
• 34. -5.0, -25.0
• 35. -5.0, -15.0
• 36. -5.0, -5.0
• 37. -5.0, 5.0
• 38. -5.0, 15.0
• 39. -5.0, 25.0

* ... Vectors: * ...

• v3. -1,0.1833333333
• v8. 1,0
• v9. 1,1
• v12. 1, 1.5
• v20. -1, 0.001
• v22. 1,-0.001
• v25. -1,0.7

Regions: * ... * R29 33 ? 41 ! 42 ! 34 ? 33, v9, v9 * R30 34 ! 42 ! 43 ? 35 ? 34, v22, * R31 35 ? 36 ? 0 ! 44 ! 43 ! 35, v8, * R32 44 ! 45 ! 0 ? 44, v12, v12 * R33 0 ? 45 ? 46 ! 38 ! 37 ! 0, v3, * R34 38 ? 46 ? 47 ! 39 ! 38, v25, * ...

AS - Paris - 27/06/02 – p.24/38

SPeeDI: Generated Figure

35 36 40 39 R32 38 37 44 33 R33 R34 R35 R30 R29 34 R31 59 60

AS - Paris - 27/06/02 – p.25/38

SPeeDI: Session log

% reachable example.spdi "[1,2]" "[0,10]" 0-44 59-60 Generating and trying signatures from edge 0-44 to 59-60 Starting interval:[1.0,2.0] Finishing interval:[0.0,10.0] (0-44,45-44) (45-53,45-46,37-38,...,36-35,44-43,44-52)* (53-52,53-61,54-62,54-55,46-47)(38-39,..., 46-47)* (39-47, ...,68-60,59-60) <REACHABLE>

AS - Paris - 27/06/02 – p.26/38

Between Decidable and Undecidable

AS - Paris - 27/06/02 – p.27/38

More complex 2d systems

What happens if . . .

• . . . we allow jumps?
• . . . the PCD is on a 2d surface?
• . . . ?

The answer is: we know that we do not know. More precisely: it is equivalent to a well known open

problem.

AS - Paris - 27/06/02 – p.28/38

The Reference Model

• 1d piecewise affine maps (PAMs): f : R → R

f(x) = aix + bi for x ∈ Ii

I3 R I5 I2 a1x + b1 I4 I1

AS - Paris - 27/06/02 – p.29/38

The Reference Model

• 1d piecewise affine maps (PAMs): f : R → R

f(x) = aix + bi for x ∈ Ii

I3 R I5 I2 a1x + b1 a5x + b5 I4 I1

AS - Paris - 27/06/02 – p.29/38

The Reference Model

• 1d piecewise affine maps (PAMs): f : R → R

f(x) = aix + bi for x ∈ Ii

I3 R I5 I2 a4x + b4 a1x + b1 a5x + b5 I4 I1

AS - Paris - 27/06/02 – p.29/38

The Reference Model

• 1d piecewise affine maps (PAMs): f : R → R

f(x) = aix + bi for x ∈ Ii

I3 R a2x + b2 I5 I2 a4x + b4 a1x + b1 a5x + b5 I4 I1

AS - Paris - 27/06/02 – p.29/38

The Reference Model

• 1d piecewise affine maps (PAMs): f : R → R

f(x) = aix + bi for x ∈ Ii

I3 R a2x + b2 I5 I2 a4x + b4 a1x + b1 a5x + b5 I4 I1

AS - Paris - 27/06/02 – p.29/38

The Reference Model

• 1d piecewise affine maps (PAMs): f : R → R

f(x) = aix + bi for x ∈ Ii

I3 R a2x + b2 I5 I2 a4x + b4 a1x + b1 a5x + b5 I4 I1

Old Open Problem. Is reachability decidable for 1d PAM?

AS - Paris - 27/06/02 – p.29/38

LHA ≡ PAM

A Linear Hybrid Automaton (LHA) ≈ a PCD with jumps

• Theorem. 2d LHA can simulate 1d PAM and vice versa
• Corollary. Reachability is decidable for 2d LHA iff it is

decidable for 1d PAM

AS - Paris - 27/06/02 – p.30/38

PCD on surfaces ≡ iPAM

R2 R1 R3 R4

• Theorem. PCDs on 2d surfaces can simulate 1d injec-

tive PAM and vice versa

• Corollary. Reachability is decidable for PCDs on 2d

surfaces iff it is decidable for 1d injective PAMs

AS - Paris - 27/06/02 – p.31/38

Undecidable 2d Systems

AS - Paris - 27/06/02 – p.32/38

How to make it undecidable?

Idea: adding something infinitary to 2d systems makes them undecidable. Theorem. 2d LHA with a counter can simulate 2- counter machines

• Corollary. Reachability is undecidable for 2d LHA with

a counter.

AS - Paris - 27/06/02 – p.33/38

Simulating 2 counter machines by LHA + 1 counter

Simulation method: represent the second counter by

x = 2−m, use dynamics to simulate operations.

2−m

jump to lk jump to lj

2−m c + +, jump to lj 2−m

jump to lj

li qi : if m = 0 then goto qj

else goto qk

qi : m++, goto qj qi : n++, goto qj

(a) (b) (c)

AS - Paris - 27/06/02 – p.34/38

Discussion

AS - Paris - 27/06/02 – p.35/38

Complexity of 2d systems - summary

• Systems without jumps on the plane are decidable
• Systems with jumps - between decidability and

undecidability

• Systems on surfaces - idem
• Systems with ∞ (e.g. counter) - undecidable

AS - Paris - 27/06/02 – p.36/38

Methods used - summary

Decidability: Poincaré-Maler-Pnueli analysis of cycles =

Acceleration!

Intermediate complexity: 1d PAM as a new reference

problem (à la NP-complete problems)

Undecidability: simulation, as usual

AS - Paris - 27/06/02 – p.37/38

Open problems: decidable or not?

• 1d PAMs
• 1d injective PAMs
• PCD on simple 2d manifolds (e.g. torus)
• Planar systems with more complex dynamics (e.g.

piecewise linear)

AS - Paris - 27/06/02 – p.38/38