Safe Neighborhood Computation for Hybrid System Verification

Yi Deng and A. Agung Julius∗
ECSE Department, Rensselaer Polytechnic Institute
[email protected], [email protected]
For the design and implementation of engineering systems, performing model-based analysis can disclose potential safety issues at an early stage. The analysis of hybrid system models is in general difficult due to the intrinsic complexity of hybrid dynamics. In this paper, a simulation-based approach to formal verification of hybrid systems is presented.
1 Introduction
Hybrid systems exhibit both discrete and continuous dynamics. The system state can flow continuously, and can also jump by triggering an event (transition). As an important application in the research of hybrid systems, safety verification is concerned with whether a specified set of unsafe states can be reached by the system from the initial set. One direct approach is to compute or over-approximate the set of all reachable states [8, 11, 13, 16], and then check the intersection with the unsafe set. The verification problem has also been investigated by using the abstraction approach, i.e., to construct a system model with a smaller or even finite state space, whose language is equivalent to or includes that of the original system [15]. Performing analysis of the abstraction is relatively easy, and allows us to verify properties of the original system. Various effective methods for system abstraction have been proposed [2, 6, 10]. Reachable set computation, system abstraction, and some other approaches such as barrier certificate construction [14] are capable of formally proving the system safety; but formal verification often comes at the price of conservatism and limited scalability.

As complementary verification methods, randomized approaches have been proposed to strategically explore the state space with tools such as Rapidly-Exploring Random Trees (RRTs) and Probabilistic RoadMaps (PRMs) [3, 4]. By simulating trajectories from the initial set, one can falsify the system safety, or evaluate probabilistic safety. The randomized approaches are easy to implement because they are simulation-based; but usually a large number of trajectories need to be simulated, and no formal verification can be achieved.

It is possible to bridge the simulation-based approach and formal verification [7, 12]: with finitely many simulations run for the sampled initial states, one can verify the safety of not only the samples but also infinitely many candidates in the initial set with a mathematically proved guarantee. As in [12], a tube surrounding each simulated trajectory is computed, which over-approximates the reachable set for a neighborhood of initial states around the simulated one. If the simulated trajectory is safe, any trajectory initiated from the neighborhood must be safe, and moreover, must trigger the same event sequence as the simulated trajectory does. Such a neighborhood is called a robust neighborhood, which has both uniform safety and transition properties. If the initial set can be fully covered by the robust neighborhoods of finitely many simulated trajectories, then its transition and safety properties are verified. However, we will see in Section 2 that for pure safety verification problems the applicability of the robust neighborhood approach is limited, since the computed robust neighborhood can vanish due to the transition property required rather than the safety property.

Motivated by the robust neighborhood approach, we propose an algorithm for safe neighborhood computation in the present work. As its name implies, all trajectories initiated from a safe neighborhood are guaranteed safe for a certain time horizon, although their event sequences are possibly different from that of the simulated trajectory. The safe neighborhood computed for any initial state is essentially a superset of the robust neighborhood, and may have non-zero measure even if the robust neighborhood vanishes. Consequently, for some initial state that cannot be covered by any robust neighborhood, the computed safe neighborhood is able to cover it; for some initial set where the coverage following [12] never reaches 100%, the present approach using safe neighborhoods is able to reach full coverage and verify complete safety.

∗ YD and AAJ would like to acknowledge the support of NSF CAREER grant CNS-0953976.

M. Bujorianu (Ed.) and R. Wisniewski (Ed.): 4th Workshop on Hybrid Autonomous Systems 2014 (HAS 2014). EPTCS 174, 2015, pp. 1–12, doi:10.4204/EPTCS.174.1. © Yi Deng & A. Agung Julius. This work is licensed under the Creative Commons Attribution License.
2 Safe Neighborhood Approach
2.1 Hybrid Automata Formulation
A hybrid automaton is a tuple $H = (L \times X, L_0 \times X_0, D, E, Inv)$ [1]. The state space is $L \times X$, where $L$ denotes the set of discrete states (also called locations) and $X$ denotes the set of continuous states. The initial set is $L_0 \times X_0 \subset L \times X$.

Each location $\ell \in L$ is associated with an invariant set $Inv(\ell) \subset X$. If the system is at location $\ell$, the continuous state $x \in X$ must satisfy $x \in Inv(\ell)$. The system dynamics $D$ maps a pair $(\ell, x)$ to $\dot{x}$, the time derivative of $x$. Let $D^\ell$ denote the restriction of $D$ to $\{\ell\} \times X$. At location $\ell$, the system state evolves continuously according to $D^\ell$ until an event (an instantaneous transition) $e := (\ell, \ell', g, r)$, $e \in E$, occurs. The event is guarded by $g \subset Inv(\ell)$. Namely, a necessary condition for the occurrence of $e$ is $x \in g$. After the event, the discrete state changes from the source $\ell$ to the target $\ell'$, and the continuous state is reset according to the reset map $r : Inv(\ell) \to Inv(\ell')$. Let $(\ell, x)$ denote the system state that triggers $e = (\ell, \ell', g, r)$. Then the reset state is $(\ell', r(x))$.

A trajectory $\rho(\ell_0, x_0)$ of the hybrid system is the solution of $(\ell, x)$ initiated from $(\ell_0, x_0)$. Clearly, $\rho(\ell_0, x_0)$ is piece-wise continuous. At each location $\ell$, we write $\xi^\ell(t, x_0^\ell) \in Inv(\ell)$, $t_0^\ell \le t \le t_{end}^\ell$, as the solution of $x$, where $x_0^\ell = \xi^\ell(t_0^\ell, x_0^\ell)$ is the initial condition in $\ell$, and for $t_0^\ell \le t \le t_{end}^\ell$ the function $\xi^\ell$ satisfies the differential equation
$$\frac{\partial \xi^\ell(t, x_0^\ell)}{\partial t} = D^\ell(\xi^\ell(t, x_0^\ell)).$$

Consider the system state that reaches the boundary of the invariant set at the time instant $t_{end}^\ell$, i.e., $\xi^\ell(t_{end}^\ell, x_0^\ell) \in \partial Inv(\ell)$. If there exists $\tau > 0$ such that for all $\tau_1 \in (0, \tau)$, $\xi^\ell(t_{end}^\ell + \tau_1, x_0^\ell) \notin Inv(\ell)$, then we say the continuous state is evolving outward $Inv(\ell)$ at the boundary.

Let $\partial Inv(\ell)_{out}$ denote the part of the boundary $\partial Inv(\ell)$ where the continuous state is evolving outward $Inv(\ell)$, and let $G^\ell$ denote the set of guards such that the corresponding events all have $\ell$ as the source location. We assume for all $\ell$:

1. For all $g_1, g_2 \in G^\ell$, $g_1$ and $g_2$ are disjoint.
2. An event is forced to occur whenever $x \in \partial Inv(\ell)_{out}$. Without this assumption, the system state will get stuck at $\partial Inv(\ell)_{out}$, since it is not allowed to evolve outside $Inv(\ell)$. In addition, assume events can only be triggered at $\partial Inv(\ell)_{out}$. Define the active guards $G^\ell_{act} := \{g \cap \partial Inv(\ell)_{out} \mid g \in G^\ell\}$.
3. $\dot{x} = D^\ell(x)$ admits a unique global solution.
4. All the reset maps are continuous.
2.2 Trajectory Robustness
We briefly review the algorithm proposed in [12] for the computation of the robust neighborhood around a simulated initial state, which is based on the theory of bisimulation functions [9].

Definition 1. [9] Let $\phi^\ell : X \times X \to \mathbb{R}$ be a pseudo-metric on the state space of the dynamical system $\dot{x} = D^\ell(x)$, $x \in X$. Let $\xi^\ell(t, x_0^\ell)$ denote the solution of $D^\ell$ under the initial condition $x_0$. If for any initial states $x_0^\ell$ and $\tilde{x}_0^\ell$, the function $\phi^\ell(\xi^\ell(t, x_0^\ell), \xi^\ell(t, \tilde{x}_0^\ell))$ is non-increasing with respect to time $t$, then $\phi^\ell$ is a bisimulation function between the system and itself.

Consider a nominal trajectory $\rho(\ell, x_0^\ell)$ as shown in Fig. 1, which has been simulated for the time horizon of interest, $[t_0, t_{end}]$. The first segment of $\rho(\ell, x_0^\ell)$ is $\xi^\ell(t, x_0^\ell)$, $t_0^\ell < t < t_{end}^\ell$, where $t_0^\ell = t_0$ is the initial time. At the time $t_{end}^\ell$, $\rho(\ell, x_0^\ell)$ leaves $\ell$ by triggering the event $e_1 = (\ell, \ell', g_1, r_1)$, i.e., $\xi^\ell(t_{end}^\ell, x_0^\ell) \in g_1$. Define the avoided set
$$A^\ell := U^\ell \cup (G^\ell_{act} \setminus \check{g}_1), \qquad (1)$$
where $\check{g}_1$ is called the allowed part of the guard $g_1$. We will formally define $\check{g}_1$ later. Essentially, the robust neighborhood is to be computed based on the avoided set $A^\ell$, so that all trajectories initiated from the robust neighborhood will not reach $A^\ell$ in location $\ell$.

Hence, the unsafe set $U^\ell$ must be included in $A^\ell$, as well as the undesired part of the guards $G^\ell_{act} \setminus \check{g}_1$. In the particular example shown in Fig. 1, the undesired part of the guards is $G^\ell_{act} \setminus \check{g}_1 := g_2 \cup (g_1 \setminus \check{g}_1)$, where $g_2$ is undesired because it triggers an event $e_2$ different from the event $e_1$ triggered by the nominal trajectory, while $\check{g}_1$ is excluded from $A^\ell$ since trajectories initiated from the robust neighborhood are allowed to reach $\check{g}_1$ and trigger $e_1$. Because of the monotonicity of $\phi^\ell$, for any time $t > t_0^\ell$ and initial state $\tilde{x}_0^\ell$,
$$\phi^\ell(\xi^\ell(t, x_0^\ell), \xi^\ell(t, \tilde{x}_0^\ell)) \le \phi^\ell(\xi^\ell(t_0^\ell, x_0^\ell), \xi^\ell(t_0^\ell, \tilde{x}_0^\ell)) = \phi^\ell(x_0^\ell, \tilde{x}_0^\ell). \qquad (2)$$
Therefore, if $\tilde{x}_0^\ell$ satisfies
$$\phi^\ell(x_0^\ell, \tilde{x}_0^\ell) < \gamma_a := \inf_{t \in [t_0^\ell, t_{end}^\ell]} \ \inf_{y \in A^\ell} \phi^\ell(\xi^\ell(t, x_0^\ell), y), \qquad (3)$$
then for all $t \in [t_0^\ell, t_{end}^\ell]$, $\xi^\ell(t, \tilde{x}_0^\ell) \notin A^\ell$.

The time horizon $[t_0^\ell, t_{end}^\ell]$ above may be too short, since $\rho(\ell, \tilde{x}_0^\ell)$ may leave $\ell$ later than $\rho(\ell, x_0^\ell)$ does. This time lag problem is handled by the Shrinking procedure (proposed in [12], and can also be found in Algorithm 5): define a preliminary robust neighborhood $B(x_0^\ell, \gamma_a) := \{\phi^\ell(x_0^\ell, \tilde{x}_0^\ell) < \gamma_a\}$, and then shrink $B(x_0^\ell, \gamma_a)$ to a proper size $B(x_0^\ell, \gamma)$ as the robust neighborhood. As a result, for some time lag $\tau_{lag}$ that does not exceed the specified parameter $\tau_{maxlag}$, all trajectories initiated from $B(x_0^\ell, \gamma)$ are guaranteed to leave $Inv(\ell)$ before $t_{end}^\ell + \tau_{lag}$, and will not reach $A^\ell$ before they trigger $e_1$ at $\check{g}_1$. See Fig. 1.

It is also proposed in [12] how to compute the event time lead $\tau_{lead}$ such that all trajectories initiated from $B(x_0^\ell, \gamma)$ are guaranteed to stay in $\ell$ before $t_{end}^\ell - \tau_{lead}$. We use $\tau_{maxlead}$ to denote an upper bound of the event time lead for the robust neighborhoods.

The allowed part of the guard, $\check{g}_1$ in Eq. (1), is defined according to the robust neighborhood computed for the next location reached by the nominal trajectory using similar steps as Eq. (1), (3): let $B(x_0^{\ell'}, \gamma')$ denote the robust neighborhood computed for the reset initial state $x_0^{\ell'} := r_1(\xi^\ell(t_{end}^\ell, x_0^\ell))$; then
$$\check{g}_1 := r_1^{-1}(B(x_0^{\ell'}, \gamma')) \cap g_1. \qquad (4)$$
Therefore, the robust neighborhood is computed in a recursive way, from the last location reached to the first location reached.
Figure 1: Robust neighborhood computation. (The plot shows the nominal trajectory with $\xi^\ell(t_{end}^\ell, x_0^\ell)$ and $\xi^\ell(t_{end}^\ell + \tau_{lag}, x_0^\ell)$, the guards $g_1$, $g_2$, the allowed part $\check{g}_1$, the unsafe set $U^\ell$, and the level sets $\phi^\ell(x, x_0^\ell) = \gamma_a$ and $\phi^\ell(x, x_0^\ell) = \gamma$ bounding $B(x_0^\ell, \gamma)$.)

Figure 2: Guard-critical trajectory. (Here $\gamma = 0$ and $B(x_0^\ell, \gamma)$ vanishes, although $U^\ell$ is far away.)
In the last location reached (denoted by $l$), the avoided set is defined in a form different from Eq. (1):
$$A^l := U^l \cup G^l_{act}. \qquad (5)$$
Event time lag does not need to be considered, since $l$ is the last location reached.

From the argument above, $B(x_0^\ell, \gamma)$ has the following property:

Proposition 2. For all $\tilde{x}_0^\ell \in B(x_0^\ell, \gamma)$, the trajectory $\rho(\ell, \tilde{x}_0^\ell)$ must trigger the same event sequence as the nominal trajectory $\rho(\ell, x_0^\ell)$ does. The time lead and lag for triggering the same event are bounded by $\tau_{maxlead}$ and $\tau_{maxlag}$ respectively. In all the locations reached except the last one, $\rho(\ell, \tilde{x}_0^\ell)$ must stay safe before it leaves the location. In the last reached location $l$, $\rho(\ell, \tilde{x}_0^\ell)$ must stay safe for at least $[t_0^l, t_{end}^l]$, as the nominal trajectory $\rho(\ell, x_0^\ell)$ does.
2.3 Critical Trajectory
Suppose that in Fig. 1 the nominal trajectory reaches the closure of $g_2$, $g_1 \setminus \check{g}_1$ or $U^\ell$; then clearly Eq. (3) results in zero. Such a trajectory is called critical.

Definition 3 (Critical Trajectory). If a nominal trajectory reaches the closure of the avoided set in the robust neighborhood computation, then it is called a critical trajectory.

Directly following from the algorithm in [12], the proposition below holds:

Proposition 4. The robust neighborhood computed for a nominal trajectory has zero measure if and only if the nominal trajectory is a critical trajectory.

Essentially, a critical trajectory has trivial robustness. There exists some infinitesimal perturbation of the trajectory that changes its transition or safety property. In particular, we define guard-critical trajectories, whose robust neighborhoods vanish due to guards rather than the unsafe set.

Definition 5 (Guard-Critical Trajectory). A critical trajectory that does not reach the closure of the unsafe set is called a guard-critical trajectory.

Guard-critical trajectories can cause issues in safety verification problems, where only the safety property is of concern. As shown in Fig. 2, the guard-critical trajectory triggers an event through $g_1$, but it also reaches the closure of $g_2$. By the robust neighborhood algorithm, the initial state $(\ell, x_0^\ell)$ cannot be covered by the robust neighborhood of any initial state. Consequently, if an initial set contains such an $(\ell, x_0^\ell)$, it can never be fully covered by robust neighborhoods. On the other hand, the nominal trajectory $\rho(\ell, x_0^\ell)$ is far from unsafe. So the robust neighborhood approach does not work in a satisfactory way for the purpose of safety verification.
In this work, an adapted approach called safe neighborhood is proposed to deal with this issue. Essentially, for each nominal trajectory, the computed robust neighborhood has both uniform transition and safety properties, while the safe neighborhood has only the uniform safety property. The latter is thus a superset of the former.
2.4 Safe Neighborhood Computation
Basic Case. In order to illustrate the basic idea of safe neighborhood computation, first consider the simple case shown in Fig. 3. For simplicity, it is assumed that the nominal trajectory $\rho(\ell, x_0^\ell)$ does not trigger any event; but it gets sufficiently close to the active part of the guard, $g_{act} := g \cap \partial Inv(\ell)_{out}$, within the time horizon $[t_0^\ell, t_{end}^\ell]$. The guard $g$ is associated with the event $e = (\ell, \ell', g, r)$. In the location $\ell'$, there are no guards. The unsafe set is assumed to be only in $\ell'$, i.e., $U^\ell$ is empty.
Figure 3: Basic case of safe neighborhood computation. (The plot shows $x_0^\ell$, the point $\xi^\ell(t_*, x_0^\ell)$ closest to $y_* \in g$, the event $e = (\ell, \ell', g, r)$, the reset state $r(y_*)$, the unsafe set $U^{\ell'}$, and the level set $\phi^{\ell'}(x, r(y_*)) = \gamma'$.)
Algorithm 1 Basic case of safe neighborhood computation.
1: compute $(t_*, y_*) = \arg\min_{t \in [t_0^\ell, t_{end}^\ell],\ y \in cl(g_{act})} \phi^\ell(\xi^\ell(t, x_0^\ell), y)$   ▷ $cl()$ gives the closure of a set.
2: if $\phi^\ell(\xi^\ell(t_*, x_0^\ell), y_*) \le d_{thr}$ then
3:   simulate a trajectory from $r(y_*)$ for the time horizon $t_* \le t \le t_{end}^\ell$
4:   compute $\gamma' = \inf_{y \in U^{\ell'}} \ \inf_{t \in [t_*, t_{end}^\ell]} \phi^{\ell'}(\xi^{\ell'}(t, r(y_*)), y)$
5:   define $\mathring{g}_{act} := \{y \in g_{act} \mid \phi^{\ell'}(r(y), r(y_*)) \ge \gamma'\}$
6:   specify a time interval $\delta := [t_* - \tau_{lead}, t_* + \tau_{lag}]$
7:   compute $\gamma = \min\{\inf_{t \in [t_0^\ell, t_{end}^\ell] \setminus \delta} \ \inf_{y \in g_{act}} \phi^\ell(\xi^\ell(t, x_0^\ell), y),\ \inf_{t \in \delta} \ \inf_{y \in \mathring{g}_{act}} \phi^\ell(\xi^\ell(t, x_0^\ell), y)\}$
8: else
9:   compute $\gamma = \inf_{t \in [t_0^\ell, t_{end}^\ell]} \ \inf_{y \in g_{act}} \phi^\ell(\xi^\ell(t, x_0^\ell), y)$
10: end if
11: $Safe(x_0^\ell) := \{x \mid \phi^\ell(x, x_0^\ell) \le \gamma\}$
At the point $y_*$ and the time instant $t_* \in [t_0^\ell, t_{end}^\ell]$, the nominal trajectory and the guard $g$ get sufficiently close ($\phi^\ell$ attains its infimum, and the infimum is smaller than the specified threshold value $d_{thr}$, which corresponds to the first case in the if-else block of Algorithm 1). Since $U^\ell$ is assumed to be empty, the bottleneck of the robust neighborhood computation is in the guard. We simulate a branch trajectory from $y_*$ for the rest of the time, $t_* \le t \le t_{end}^\ell$, which triggers $e = (\ell, \ell', g, r)$. In the target location $\ell'$, there are no guards. We compute the infimum value $\gamma'$ of $\phi^{\ell'}$ generated by the branch trajectory and the unsafe set $U^{\ell'}$. Because of the monotonicity of $\phi^{\ell'}$, for all $t \in [t_*, t_{end}^\ell]$ and $x_0^{\ell'} \in \{x \mid \phi^{\ell'}(x, r(y_*)) < \gamma'\}$, $\xi^{\ell'}(t, x_0^{\ell'})$ cannot reach $U^{\ell'}$ (see the arguments in the robust neighborhood computation).

We thus define $\check{g} := \{y \in g \mid \phi^{\ell'}(r(y), r(y_*)) < \gamma'\}$ as the allowed part of $g$. For the specified time window $\delta := [t_* - \tau_{lead}, t_* + \tau_{lag}]$, consider $\mathring{g}_{act} := g_{act} \setminus \check{g}$ as the avoided set; while for the rest of the time, $[t_0^\ell, t_{end}^\ell] \setminus \delta$, consider the entire $g_{act}$ as the avoided set. Specifically, we compute
$$\gamma = \min\Big\{\inf_{t \in [t_0^\ell, t_{end}^\ell] \setminus \delta} \ \inf_{y \in g_{act}} \phi^\ell(\xi^\ell(t, x_0^\ell), y),\ \inf_{t \in \delta} \ \inf_{y \in \mathring{g}_{act}} \phi^\ell(\xi^\ell(t, x_0^\ell), y)\Big\}. \qquad (6)$$
Then for all $\tilde{x}_0^\ell \in Safe(x_0^\ell) := \{x \mid \phi^\ell(x, x_0^\ell) < \gamma\}$ and $t \ge t_0^\ell$, because of the monotonicity of $\phi^\ell$,
$$\phi^\ell(\xi^\ell(t, \tilde{x}_0^\ell), \xi^\ell(t, x_0^\ell)) \le \phi^\ell(\xi^\ell(t_0^\ell, \tilde{x}_0^\ell), \xi^\ell(t_0^\ell, x_0^\ell)) = \phi^\ell(\tilde{x}_0^\ell, x_0^\ell) < \gamma. \qquad (7)$$
As a result, for all $t \in [t_0^\ell, t_{end}^\ell] \setminus \delta$, $\xi^\ell(t, \tilde{x}_0^\ell) \notin g_{act}$, while for all $t \in \delta$, $\xi^\ell(t, \tilde{x}_0^\ell) \notin \mathring{g}_{act}$. Namely, the trajectory $\rho(\ell, \tilde{x}_0^\ell)$ is allowed to escape from $\check{g}$ during $\delta$, and then stays in $\ell'$ safely for at least $t_{end}^\ell - t_*$. If no event has been triggered, $\rho(\ell, \tilde{x}_0^\ell)$ must stay in $\ell$ safely, as the nominal trajectory $\rho(\ell, x_0^\ell)$ does.
General Case. For more general cases, the safe neighborhood of a nominal trajectory $\rho(\ell_0, x_0)$ can be computed as in Algorithm 2. The time horizon is $t_0 \le t \le t_{end}$. For clarity, we denote the trajectory segments as $\{\xi^{\ell_i}(t, x_0^i),\ t_0^i \le t \le t_{end}^i\}_{i=1}^N$, where $N$ is the total number of events triggered.

The essential idea is as presented in the basic case: when the nominal trajectory gets sufficiently close to a guard, even if it does not actually trigger the corresponding event, we still simulate a branch trajectory according to the event. This is called a virtual event. For the branch trajectory we compute the safe neighborhood. The part of the guards that maps into the safe neighborhood of the branch trajectory is then considered as the allowed part. We exclude it from the avoided set for a short time window, and thus remove the bottleneck of the bisimulation function value. Clearly, the algorithm must be performed in a recursive way. The nominal trajectory can get sufficiently close to multiple guards in one location, and it can also get sufficiently close to guards in sequentially reached locations. For each location, not only the event triggered by the nominal trajectory itself but also all the virtual events need to be considered. We call the collection of triggered events and virtual events the event tree associated with the nominal trajectory.
Properties of Safe Neighborhoods. The safe neighborhood computed by Algorithm 2 for a general trajectory has the following properties, where Proposition 6 directly follows from the preceding arguments, and Proposition 9 is proved in the Appendix.

Proposition 6. For all $\tilde{x}_0 \in Safe(x_0)$, the trajectory $\rho(\ell_0, \tilde{x}_0)$ must trigger a path on the event tree that is triggered by the nominal trajectory $\rho(\ell_0, x_0)$ and all its branch trajectories. The time lead/lag for triggering the same event is bounded by $\tau_{maxlead}$ and $\tau_{maxlag}$ respectively. In all locations reached except the last one, $\rho(\ell_0, \tilde{x}_0)$ must stay safe before it leaves the location. In the last reached location, $\rho(\ell_0, \tilde{x}_0)$ must stay safe for at least the same time interval as $\rho(\ell_0, x_0)$ (or its branch trajectory).

Definition 7 (Critical State). For a guard-critical trajectory, if a state is reached by the trajectory on the closure of guards but does not trigger any event, then it is called a critical state.

Definition 8 (Enlarged Reachable Set). Let $\ell_0$ be an initial location and $Init \subset Inv(\ell_0)$ be a compact initial set of continuous states. The enlarged reachable set of an initial state, $Reach_e(x_0)$, is defined as follows: if the trajectory $\rho(\ell_0, x_0)$, $t_0 \le t \le t_{end}$, is not guard-critical, then $Reach_e(x_0)$ only includes the states in $\rho(\ell_0, x_0)$, $t_0 \le t \le t_{end}$. Otherwise, $Reach_e(x_0)$ should include the original trajectory as well as all branch trajectories simulated from the critical states for the time horizon $t_* \le t \le t_{end}$, where $t_*$ denotes the time instant when the critical state is reached. The enlarged reachable set of an initial set is defined as $Reach_e(Init) := \bigcup_{x_0 \in Init} Reach_e(x_0)$.

Proposition 9. The radius of the safe neighborhood computed for $x_0 \in Init$ does not vanish if and only if $Reach_e(x_0) \cap cl(Unsafe) = \emptyset$. The radii of the safe neighborhoods $\{Safe(x_0) \mid x_0 \in Init\}$ are bounded from below by a positive number if and only if $Reach_e(Init) \cap cl(Unsafe) = \emptyset$.
Algorithm 2 Safe neighborhood computation for a general trajectory.
1: procedure SAFENEIGHBORHOOD($\ell_0, x_0, t_0, t_{end}$)
2:   for $i \leftarrow N$ to $1$ do
3:     $d_i^u \leftarrow \inf_{t \in [t_0^i, t_{end}^i]} \ \inf_{y \in U^{\ell_i}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$
4:     $d_i \leftarrow \min\{d_i^u, d_{thr}\}$
5:     $T_i \leftarrow \{t \in [t_0^i, t_{end}^i] \mid \mathrm{ProximalGuards}(\ell_i, x_0^i, t, d_i) \ne \emptyset\}$
6:     $T \leftarrow T_i$, $k \leftarrow 0$, $d^{(k)} \leftarrow \infty$   ▷ $T$ is the set of time instants when the system state gets sufficiently close to certain guards.
7:     while $T \ne \emptyset$ do
8:       $d_T \leftarrow \inf_{t \in T} \ \inf_{y \in G^{\ell_i}_{act}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$
9:       if $d^{(k)} \le d_T$ then
10:        break the while loop
11:      end if
12:      $k \leftarrow k + 1$   ▷ $k$ is the number of pivots.
13:      $t^{(k)} \leftarrow \sup\{\arg\min_{t \in T} \inf_{y \in G^{\ell_i}_{act}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)\}$   ▷ At the pivot time instant $t^{(k)}$, the system state gets closest to the guards as $t$ varies in $T$.
14:      $G_c^{(k)} \leftarrow \mathrm{ProximalGuards}(\ell_i, x_0^i, t^{(k)}, d_i)$
15:
16:      take $\tau_{lead}^{(k)} \in [0, \tau_{maxlead}]$, $\tau_{lag}^{(k)} \in [0, \tau_{maxlag}]$ such that the following conditions are satisfied for all $\tau \in T^{(k)} := [t^{(k)} - \tau_{lead}^{(k)}, t^{(k)} + \tau_{lag}^{(k)}]$:
         • $G_c^\tau \subset G_c^{(k)}$, where $G_c^\tau \leftarrow \mathrm{ProximalGuards}(\ell_i, x_0^i, \tau, d_i)$.
         • $\forall g \in G_c^\tau$, let $(\ell_i, \ell, g, r)$ denote the corresponding event, and $y^{(k)} \leftarrow \mathrm{ProximalState}(\ell_i, x_0^i, t^{(k)}, g)$, $y^\tau \leftarrow \mathrm{ProximalState}(\ell_i, x_0^i, \tau, g)$. Then $\forall g \in G_c^\tau$, it is satisfied that $y^\tau \in S^{(k)} := r^{-1}(\mathrm{SafeNeighborhood}(\ell, r(y^{(k)}), t^{(k)}, t_{end}))$, and $\phi^{\ell_i}(y^\tau, y^{(k)}) \le \alpha \inf_{y \in S^{(k)}} \phi^{\ell_i}(y, y^{(k)})$, where $\alpha \in (0, 1)$ is a constant.
17:      $T^{(k)} \leftarrow T^{(k)} \setminus \bigcup_{j=1}^{k-1} T^{(j)}$   ▷ $\{T^{(j)}\}_{j=1}^{k}$ are disjoint.
18:      $\check{G}^{\ell_i} := \bigcup_{g \in G_c^{(k)}} g \cap r^{-1}(\mathrm{SafeNeighborhood}(\ell, r(y^{(k)}), t^{(k)}, t_{end}))$   ▷ $\forall g \in G_c^{(k)}$, $(\ell_i, \ell, g, r)$ is the event; $\check{G}^{\ell_i}$ denotes the allowed part of $G^{\ell_i}$.
19:      $d^{(k)} \leftarrow \inf_{t \in T^{(k)}} \ \inf_{y \in G^{\ell_i}_{act} \setminus \check{G}^{\ell_i}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$
20:      $T \leftarrow T \setminus T^{(k)}$
21:    end while
22:    $\Delta_i := [t_0^i, t_{end}^i] \setminus \bigcup_{j=1}^{k} T^{(j)}$, $\ d_i^g \leftarrow \inf_{t \in \Delta_i} \ \inf_{y \in G^{\ell_i}_{act}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$
23:    $\mathring{\gamma}_i \leftarrow \min\{d_i^u, d_i^g, d^{(1)}, \dots, d^{(k)}\}$, $\ \gamma_i \leftarrow \mathrm{Shrinking}(\mathring{\gamma}_i)$
24:  end for
25:  $\gamma \leftarrow \gamma_1$, $\ Safe(x_0) := \{x \mid \phi^{\ell_1}(x_0, x) \le \gamma\}$
26:  return $Safe(x_0)$
27: end procedure
Algorithm 3 Subroutine. Obtain the guards that are sufficiently close to $\xi^\ell(\tau, x_0)$.
1: procedure PROXIMALGUARDS($\ell, x_0, \tau, d$)
2:   $G_c \leftarrow \{g_{act} \in G^\ell_{act} \mid \inf_{y \in g_{act}} \phi^\ell(\xi^\ell(\tau, x_0), y) \le d\}$
3:   return $G_c$   ▷ Output $G_c$ as the proximal guards at the time instant $\tau$.
4: end procedure
Algorithm 4 Subroutine. Obtain the state on the guard $g$ that is closest to $\xi^\ell(\tau, x_0)$.
1: procedure PROXIMALSTATE($\ell, x_0, \tau, g$)
2:   $Y_c \leftarrow \arg\min_{y \in cl(g)} \phi^\ell(\xi^\ell(\tau, x_0), y)$
3:   $y \leftarrow Y_c$   ▷ For clarity, we assume $Y_c$ is a singleton. For example, when the guards are hyperplanes, $Y_c$ must be a singleton. If not, the procedure can be extended by choosing a proper $y \in Y_c$.
4:   return $y$   ▷ Output $y$ as the proximal state at the time instant $\tau$.
5: end procedure
Algorithm 5 Subroutine. Shrink the radius $\gamma_i$ by a proper amount for event time lag compensation [12].
1: procedure SHRINKING($\gamma_i$)
2:   simulate $\xi^{\ell_i}(t, x_0^i)$ for $t_{end}^i \le t \le t_{end}^i + \tau_{maxlag}$ according to the dynamics of location $\ell_i$
3:   $\tilde{d}_i^u(\tau') \leftarrow \inf_{t \in [t_{end}^i, t_{end}^i + \tau']} \ \inf_{y \in U^{\ell_i}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$ for $0 \le \tau' \le \tau_{maxlag}$
4:   $T(\tau') := [t_{end}^i, t_{end}^i + \tau'] \setminus \bigcup_{j=1}^{k} T^{(j)}$   ▷ $\{T^{(j)}\}_{j=1}^{k}$ are the same as in Algorithm 2.
5:   $\tilde{d}_i^g(\tau') \leftarrow \inf_{t \in T(\tau')} \ \inf_{y \in G^{\ell_i}_{act}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$ for $0 \le \tau' \le \tau_{maxlag}$
6:   $\tilde{\gamma}_i(\tau') \leftarrow \min\{\gamma_i, \tilde{d}_i^u(\tau'), \tilde{d}_i^g(\tau')\}$   ▷ Clearly, $\tilde{\gamma}_i(0) = \gamma_i$, and $\tilde{\gamma}_i(\tau')$ is non-increasing.
7:   $d_i^{inv}(\tau') \leftarrow \sup_{t \in [t_{end}^i, t_{end}^i + \tau']} \ \inf_{y \in Inv(\ell_i)} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$ for $0 \le \tau' \le \tau_{maxlag}$   ▷ Clearly, $d_i^{inv}(0) = 0$, and $d_i^{inv}(\tau')$ is non-decreasing.
8:   $T' \leftarrow \{\tau' \in [0, \tau_{maxlag}] \mid \tilde{\gamma}_i(\tau') \le d_i^{inv}(\tau')\}$
9:   if $T'$ is not empty then
10:    $\tau_{lag} \leftarrow \inf T'$
11:  else
12:    $\tau_{lag} \leftarrow \tau_{maxlag}$
13:  end if
14:  $\gamma_i \leftarrow d_i^{inv}(\tau_{lag})$   ▷ $\forall \tau' \in [0, \tau_{lag}]$, $\tilde{\gamma}_i(\tau') \ge d_i^{inv}(\tau')$, which implies $\tilde{\gamma}_i(\tau_{lag}) \ge d_i^{inv}(\tau_{lag}) = \gamma_i$. So the avoided set cannot be reached before $t_{end}^i + \tau_{lag}$. Besides, $d_i^{inv}(\tau_{lag}) = \sup_{t \in [t_{end}^i, t_{end}^i + \tau_{lag}]} \inf_{y \in Inv(\ell)} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y) = \gamma_i$. So any trajectory initiated from the shrunk neighborhood leaves $Inv(\ell)$ before $t_{end}^i + \tau_{lag}$.
15:  return $\gamma_i$   ▷ Output $\gamma_i$ as the radius of the shrunk neighborhood.
16: end procedure
2.5 Implementation
The robust/safe neighborhood approach is simulation-based, readily parallelizable, and thus suitable for numerical implementation. We have developed a MATLAB toolbox STRONG (System Testing with RObust Neighborhood Generation) [5] that integrates the robust neighborhood and safe neighborhood computation functions for hybrid systems with linear dynamics.
Example. In order to illustrate the verification procedure, consider the simple example in Fig. 4. The system has three locations. The invariant sets are $Inv(\ell_1) = Inv(\ell_2) = \mathbb{R}^2$ and $Inv(\ell_3) = \{(x_1, x_2) \in \mathbb{R}^2 \mid x_1 \ge 1, x_2 \ge 1\}$. The dynamics are $D^{\ell_i} : \dot{x} = A_i x$, where
$$A_1 = \begin{pmatrix} -1 & 0 \\ 0 & -2 \end{pmatrix}, \quad A_2 = \begin{pmatrix} -2 & 0 \\ 0 & -1 \end{pmatrix}, \quad A_3 = \begin{pmatrix} -1 & 0 \\ 0 & -3 \end{pmatrix}.$$
Location $\ell_3$ has guards $g_1 = \{(x_1, x_2) \mid x_1 \ge 1, x_2 = 1\}$ and $g_2 = \{(x_1, x_2) \mid x_1 = 1, x_2 > 1\}$, resetting the discrete state to $\ell_1$, $\ell_2$ respectively without changing the continuous state. There is an unsafe set $\{\ell_1, \ell_2\} \times \{(x_1, x_2) \mid 1.2 \le x_1 \le 1.4,\ 0.5 \le x_2 \le 0.9\}$. The initial state is $(1.25, 1.9)$.
Figure 4: A simulated trajectory of the simple example. Locations $\ell_3$, $\ell_1$ are reached sequentially. (Axes $x_1$, $x_2$ from 0 to 2; the plot marks the guards $g_1$, $g_2$, the points $y^{(1)}$ and $y^{(2)}$, and the Unsafe box.)
We can simulate a trajectory and compute the robust neighborhood using the command

>> traj = RobustTest(sys, sim_time, max_lead, max_lag),

where sys is the system model, sim_time is the time horizon $0 \le t \le 0.5$, and max_lead = max_lag = 0.1 is the maximum event time lead/lag allowed. The nominal trajectory is shown in Fig. 4, for which the radius of the robust neighborhood computed as an output of the toolbox is

>> traj.ball.d_min = [0.0042, 0.1613].

In the last location reached, $l = \ell_1$, there are no guards. The toolbox computes the minimum distance (measured by the bisimulation function $\phi^{\ell_1}$) from the nominal trajectory segment to Unsafe, which is 0.1613. So the robust neighborhood around the reset initial state has radius 0.1613.

In the initial location $\ell_3$, there are no unsafe states. The toolbox computes the minimum distance (measured by $\phi^{\ell_3}$) to the undesired part of the guards. The nominal trajectory triggers an event $(\ell_3, \ell_1, g_1, r)$ at $y^{(1)} \in g_1$, where $r$ is the identity matrix. Thus, $\check{g}_1 := \{y \in g_1 \mid \phi^{\ell_1}(r(y), r(y_*)) < 0.1613\}$ should be defined as the allowed part of $g_1$. On the other hand, the entire guard $g_2$ is in the avoided set. Since $g_2$ is rather close to the nominal trajectory, the radius of the final robust neighborhood computed around the initial state dramatically shrinks to 0.0042.

The safe neighborhood computation function is invoked by setting the flag

>> sys.opt(1) = true,

and calling the same function RobustTest. The toolbox will simulate a branch trajectory from $y^{(2)}$ and compute the safe neighborhood around $r(y^{(2)})$, where $r$ is the identity matrix. Based on that, part of $g_1$ will be regarded as the allowed part. The bottleneck of the minimum distance computation is thus removed. It turns out

>> traj.ball.d_min = [0.0515, 0.1613],

where 0.0515 is the radius of the final safe neighborhood computed around the initial state.
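The following added example (not part of the paper or of the STRONG toolbox) carries this Section 2.5 system through Eq. (1), (3)–(5) and Algorithm 1 in pure Python, then samples initial states inside the robust and safe balls and simulates them to show that the safe ball admits a second event sequence (through $g_2$) whose trajectories are still safe. It assumes the Euclidean distance as $\phi$ (a valid bisimulation function here by Definition 1, but not necessarily the toolbox's choice, so the radii differ from the 0.0042/0.0515/0.1613 quoted above), assumes $d_{thr} = 0.05$, omits the Shrinking step, and approximates the infima over $t$ on a time grid.

```python
import math

# Section 2.5 example: diagonal dynamics x' = A_i x, so x_j(t) = x_j(0) * exp(a_j * t).
A = {1: (-1.0, -2.0), 2: (-2.0, -1.0), 3: (-1.0, -3.0)}   # diagonals of A_1, A_2, A_3
UNSAFE = ((1.2, 1.4), (0.5, 0.9))                         # unsafe box, in locations 1 and 2
T_END, TAU_LEAD, TAU_LAG = 0.5, 0.1, 0.1                  # horizon and max lead/lag (page)
D_THR, NSTEP = 0.05, 4000                                 # assumed d_thr; time grid size

def grid(a, b):
    return [a + (b - a) * k / NSTEP for k in range(NSTEP + 1)]

def flow(loc, x, dt):
    a1, a2 = A[loc]
    return (x[0] * math.exp(a1 * dt), x[1] * math.exp(a2 * dt))

def phi(x, y):
    # Assumed bisimulation function: Euclidean distance. With A_i diagonal and negative,
    # ||x - y|| is non-increasing along any two solutions, as Definition 1 requires.
    return math.hypot(x[0] - y[0], x[1] - y[1])

def dist_unsafe(x):
    (lo1, hi1), (lo2, hi2) = UNSAFE
    return math.hypot(max(lo1 - x[0], 0.0, x[0] - hi1), max(lo2 - x[1], 0.0, x[1] - hi2))

def dist_guard(x, axis, c=1.0, rad=0.0):
    """Distance from x to the closed guard ray {p[axis] >= 1, p[1-axis] = 1} minus its open
    allowed part {|p[axis] - c| < rad}; rad = 0 gives the whole closure (axis 0: g1, 1: g2)."""
    best = float("inf")
    for lo, hi in ((1.0, c - rad), (c + rad, float("inf"))):
        if lo <= hi:
            q = min(max(x[axis], lo), hi)                 # projection onto this piece
            best = min(best, math.hypot(x[axis] - q, x[1 - axis] - 1.0))
    return best

def first_event(x):
    """Time at which the l3 flow from x hits x2 = 1 (g1 -> l1) or x1 = 1 (g2 -> l2)."""
    t_g1 = math.log(x[1]) / 3.0 if x[1] > 1 else 0.0
    t_g2 = math.log(x[0]) if x[0] > 1 else 0.0
    return (t_g1, 1) if t_g1 <= t_g2 else (t_g2, 2)       # the corner (1, 1) lies in g1

def simulate(x0):
    """Run the hybrid system from (l3, x0); return (events, min distance to Unsafe)."""
    t_ev, loc = first_event(x0)
    if t_ev >= T_END:
        return [], float("inf")                           # l3 has no unsafe states
    y = flow(3, x0, t_ev)                                 # identity reset map
    return [loc], min(dist_unsafe(flow(loc, y, s)) for s in grid(0.0, T_END - t_ev))

def robust_radius(x0):
    """Eq. (5), (1), (3) for the nominal trajectory; the Shrinking step is omitted."""
    t1, loc = first_event(x0)
    assert loc == 1, "the page's nominal trajectory leaves l3 through g1"
    y1 = flow(3, x0, t1)
    # last location l1: avoided set A^l = U^l (Eq. (5)), radius gamma' around r(y1) = y1
    gamma_next = min(dist_unsafe(flow(1, y1, s)) for s in grid(0.0, T_END - t1))
    # l3: A = g2 ∪ (g1 \ ǧ1) with ǧ1 = {y ∈ g1 : phi(y, y1) < gamma'} (Eq. (1), (4))
    gamma_a = min(min(dist_guard(flow(3, x0, t), 1),
                      dist_guard(flow(3, x0, t), 0, y1[0], gamma_next)) for t in grid(0.0, t1))
    return gamma_a, gamma_next

def safe_radius(x0):
    """Algorithm 1 for the virtual event through g2, on top of robust_radius."""
    gamma_a, gamma_next = robust_radius(x0)
    t1, _ = first_event(x0)
    y1 = flow(3, x0, t1)
    # line 1: closest approach of the l3 segment to cl(g2)
    t_star = min(grid(0.0, t1), key=lambda t: dist_guard(flow(3, x0, t), 1))
    x_star = flow(3, x0, t_star)
    y_star = (1.0, max(x_star[1], 1.0))
    if phi(x_star, y_star) > D_THR:                       # lines 8-9: no virtual event
        return gamma_a
    # lines 3-4: branch trajectory from r(y*) = y* in l2 and its distance to U^{l2}
    gamma_b = min(dist_unsafe(flow(2, y_star, s)) for s in grid(0.0, T_END - t_star))
    # lines 5-7: inside delta avoid only g̊2 = g2 \ ǧ2, outside delta avoid all of g2
    lo, hi = t_star - TAU_LEAD, t_star + TAU_LAG
    best = float("inf")
    for t in grid(0.0, t1):
        x = flow(3, x0, t)
        d_g2 = dist_guard(x, 1, y_star[1], gamma_b) if lo <= t <= hi else dist_guard(x, 1)
        best = min(best, d_g2, dist_guard(x, 0, y1[0], gamma_next))
    return best

def check_ball(x0, radius, n=16):
    """Simulate initial states inside the ball; return (all safe?, event sequences seen)."""
    ok, seqs = True, set()
    for k in range(n):
        for frac in (0.5, 0.99):
            a = 2.0 * math.pi * k / n
            x = (x0[0] + frac * radius * math.cos(a), x0[1] + frac * radius * math.sin(a))
            events, dmin = simulate(x)
            ok, seqs = ok and dmin > 0.0, seqs | {tuple(events)}
    return ok, seqs

if __name__ == "__main__":
    X0 = (1.25, 1.9)
    r_rob, r_safe = robust_radius(X0)[0], safe_radius(X0)
    print("robust radius %.4f, safe radius %.4f" % (r_rob, r_safe))
    print("robust ball:", check_ball(X0, r_rob), "safe ball:", check_ball(X0, r_safe))
```

The sampled simulation in check_ball is a sanity check on the computed balls, not a substitute for the guarantee of Proposition 6, which follows from the monotonicity of $\phi$ rather than from any finite set of samples.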
3 Conclusion
The safe neighborhood approach for hybrid automata verification offers a mathematically proved guarantee for the safety property of infinitely many initial states by a single trajectory simulation. It inherits the advantages of the robust neighborhood approach: no need to grid the state space, and easily parallelizable. The verification procedure has been implemented for linear hybrid systems by the toolbox STRONG.
References
[1] R. Alur, C. Courcoubetis, N. Halbwachs, T.A. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis & S. Yovine (1995): The algorithmic analysis of hybrid systems. Theoretical Computer Science 138, pp. 3–34, doi:10.1016/0304-3975(94)00202-T.
[2] R. Alur, T. Dang & F. Ivancic (2002): Reachability Analysis of Hybrid Systems via Predicate Abstraction. In: HSCC, LNCS 2289, Springer Berlin Heidelberg, pp. 35–48, doi:10.1007/3-540-45873-5_6.
[3] A. Bhatia & E. Frazzoli (2004): Incremental Search Methods for Reachability Analysis of Continuous and Hybrid Systems. In: HSCC, LNCS 2993, Springer, pp. 142–156, doi:10.1007/978-3-540-24743-2_10.
[4] M.S. Branicky, M.M. Curtiss, J. Levine & S. Morgan (2005): Sampling-based reachability algorithms for control and verification of complex systems. In: Proc. Thirteenth Yale Workshop on Adaptive and Learning Systems, New Haven, CT, 30 May-1.
[5] Y. Deng, A. Rajhans & A.A. Julius (2013): STRONG: A Trajectory-Based Verification Toolbox for Hybrid Systems. In: Quantitative Evaluation of Systems, LNCS 8054, Springer, pp. 165–168, doi:10.1007/978-3-642-40196-1_13.
[6] A. D'Innocenzo, A.A. Julius, M.D. Di Benedetto & G.J. Pappas (2007): Approximate timed abstractions of hybrid automata. In: CDC, pp. 4045–4050, doi:10.1109/CDC.2007.4434720.
[7] A. Donze & O. Maler (2007): Systematic Simulation Using Sensitivity Analysis. In: HSCC, LNCS 4416, Springer, pp. 174–189, doi:10.1007/978-3-540-71493-4_16.
[8] A. Girard, C. Guernic & O. Maler (2006): Efficient Computation of Reachable Sets of Linear Time-Invariant Systems with Inputs. In: HSCC, LNCS 3927, Springer, pp. 257–271, doi:10.1007/11730637_21.
[9] A. Girard & G.J. Pappas (2007): Approximation Metrics for Discrete and Continuous Systems. IEEE Transactions on Automatic Control 52(5), pp. 782–798, doi:10.1109/TAC.2007.895849.
[10] A. Girard, G. Pola & P. Tabuada (2010): Approximately Bisimilar Symbolic Models for Incrementally Stable Switched Systems. IEEE Transactions on Automatic Control 55(1), pp. 116–126, doi:10.1007/978-3-540-78929-1_15.
[11] C. Guernic & A. Girard (2009): Reachability Analysis of Hybrid Systems Using Support Functions. In: CAV, LNCS 5643, Springer, pp. 540–554, doi:10.1007/978-3-642-02658-4_40.
[12] A.A. Julius, G.E. Fainekos, M. Anand, I. Lee & G.J. Pappas (2007): Robust Test Generation and Coverage for Hybrid Systems. In: HSCC, Springer, pp. 329–342, doi:10.1007/978-3-540-71493-4_27.
[13] A.B. Kurzhanski & P. Varaiya (2000): Ellipsoidal Techniques for Reachability Analysis. In: HSCC, LNCS 1790, Springer, pp. 202–214, doi:10.1007/3-540-46430-1_19.
[14] S. Prajna & A. Jadbabaie (2004): Safety Verification of Hybrid Systems Using Barrier Certificates. In: HSCC, LNCS 2993, Springer, pp. 477–492, doi:10.1007/978-3-540-24743-2_32.
[15] P. Tabuada (2009): Verification and Control of Hybrid Systems: A Symbolic Approach. Springer, doi:10.1007/978-1-4419-0224-5.
[16] P. Varaiya (2000): Reach Set Computation Using Optimal Control. In: Verification of Digital and Hybrid Systems, NATO ASI Series 170, Springer, pp. 323–331, doi:10.1007/978-3-642-59615-5_15.