Safe Neighborhood Computation for Hybrid System Verification YiDeng A.AgungJulius ∗ ECSEDepartment ECSEDepartment RensselaerPolytechnicInstitute RensselaerPolytechnicInstitute [email protected] [email protected] For the design and implementation of engineering systems, performing model-based analysis can disclose potential safety issues at an early stage. The analysis of hybrid system models is in gen- eral difficult due to the intrinsic complexity of hybrid dynamics. In this paper, a simulation-based approachtoformalverificationofhybridsystemsispresented. 1 Introduction Hybridsystemsexhibitbothdiscreteandcontinuousdynamics. Thesystemstatecanflowcontinuously, and can also jump by triggering an event (transition). As an important application in the research of hybrid systems, safety verification is concerned with whether a specified set of unsafe states can be reachedbythesystemfromtheinitialset. Onedirectapproachistocomputeorover-approximatetheset ofallreachablestates[8,11,13,16],andthenchecktheintersectionwiththeunsafeset. Theverification problem has also been investigated by using the abstraction approach, i.e., to construct a system model withasmallerorevenfinitestatespace,whoselanguageisequivalenttoorincludesthatoftheoriginal system[15]. Performing analysisoftheabstractionisrelativelyeasy, andallows ustoverifyproperties of the original system. Various effective methods for system abstraction have been proposed [2, 6, 10]. Reachable set computation, system abstraction, and some other approaches such as barrier certificate construction[14]arecapableofformallyprovingthesystemsafety;butformalverificationoftencomes atthepriceofconservatismandlimitedscalability. Ascomplementaryverificationmethods,randomizedapproacheshavebeenproposedtostrategically explore the state space with tools such as Rapidly-Exploring Random Trees (RRTs) and Probabilistic RoadMaps (PRMs) [3, 4]. By simulating trajectories from the initial set, one can falsify the system safety, orevaluateprobabilisticsafety. Therandomizedapproachesareeasytoimplementbecausethey are simulation-based; but usually a large number of trajectories need to be simulated, and no formal verificationcanbeachieved. It is possible to bridge the simulation-based approach and formal verification [7, 12]: with finitely many simulations run for the sampled initial states, one can verify the safety of not only the samples butalsoinfinitelymanycandidatesintheinitialsetwithmathematicallyprovedguarantee. Asin[12],a tubesurroundingeachsimulatedtrajectoryiscomputed,whichover-approximatesthereachablesetfora neighborhoodofinitialstatesaroundthesimulatedone. Ifthesimulatedtrajectoryissafe,anytrajectory initiatedfromtheneighborhoodmustbesafe,andmoreover,musttriggerthesameeventsequenceasthe simulatedtrajectorydoes. Suchneighborhoodiscalledarobustneighborhood, whichhasbothuniform safety and transition properties. If the initial set can be fully covered by the robust neighborhoods of YDandAAJwouldliketoacknowledgethesupportofNSFCAREERgrantCNS-0953976. ∗ M.Bujorianu(Ed.)andR.Wisniewski(Ed.):4thWorkshopon (cid:13)c YiDeng&A.AgungJulius HybridAutonomousSystems2014(HAS2014). Thisworkislicensedunderthe EPTCS174,2015,pp.1–12,doi:10.4204/EPTCS.174.1 CreativeCommonsAttributionLicense. 2 SafeNeighborhoodComputationforHybridSystemVerification finitely many simulated trajectories, then its transition and safety properties are verified. However, we willseeinSection2thatforpuresafetyverificationproblemstheapplicabilityoftherobustneighborhood approach is limited, since the computed robust neighborhood can vanish due to the transition property requiredratherthansafeproperty. Motivated by the robust neighborhood approach, we propose an algorithm for safe neighborhood computationinthepresentwork. Asitsnameimplies,alltrajectoriesinitiatedfromasafeneighborhood are guaranteed safe for certain time horizon, although their event sequences are possibly different from that of the simulated trajectory. The safe neighborhood computed for any initial state is essentially a superset of the robust neighborhood, and may have non-zero measure even if the robust neighborhood vanishes. Consequently, for some initial state that cannot be covered by any robust neighborhood, the computed safe neighborhood is able to cover it; for some initial set where the coverage following [12] never reaches 100%, the present approach using safe neighborhoods is able to reach full coverage and verifycompletesafety. 2 Safe Neighborhood Approach 2.1 HybridAutomataFormulation AhybridautomatonisatupleH =(L X,L X ,D,E,Inv)[1]. 0 0 × × The state space is L X, where L denotes the sets of discrete states (also called locations) and X × denotesthesetofcontinuousstates. TheinitialsetisL X L X. 0 0 × ⊂ × Eachlocation(cid:96) L isassociatedwithaninvariantsetInv((cid:96)) X. Ifthesystemisatlocation(cid:96), the ∈ ⊂ continuousstatex X mustsatisfyx Inv((cid:96)). ThesystemdynamicsDmapsapair((cid:96),x)tox˙, thetime ∈ ∈ derivative of x. Let D(cid:96) denote the restriction of D to (cid:96) X. At location (cid:96), the system state evolves { }× continuously according to D(cid:96) until an event (an instantaneous transition) e:=((cid:96),(cid:96),g,r),e E occurs. (cid:48) ∈ The event is guarded by g Inv((cid:96)). Namely, a necessary condition for the occurrence of e is x g. ⊂ ∈ After the event, the discrete state changes from the source (cid:96) to the target (cid:96), and the continuous state (cid:48) is reset according to the reset map r :Inv((cid:96)) Inv((cid:96)). Let ((cid:96),x) denote the system state that triggers (cid:48) → e=((cid:96),(cid:96),g,r). Thentheresetstateis((cid:96),r(x)). (cid:48) (cid:48) A trajectory ρ((cid:96) ,x ) of the hybrid system is the solution of ((cid:96),x) initiated from ((cid:96) ,x ). Clearly, 0 0 0 0 ρ((cid:96) ,x ) is piece-wise continuous. At each location (cid:96), we write ξ(cid:96)(t,x(cid:96)) Inv((cid:96)),t(cid:96) t t(cid:96) as the 0 0 0 ∈ 0 ≤ ≤ end solution of x, where x(cid:96) = ξ(cid:96)(t(cid:96),x(cid:96)) is the initial condition in (cid:96), and for t(cid:96) t t(cid:96) the function ξ(cid:96) 0 0 0 0 ≤ ≤ end satisfiesthedifferentialequation ∂ξ(cid:96)(t,x0(cid:96)) =D(cid:96)(ξ(cid:96)(t,x(cid:96))). ∂t 0 Consider the system state that reaches the boundary of the invariant set at the time instantt(cid:96) , i.e., end ξ(cid:96)(t(cid:96) ,x(cid:96)) ∂Inv((cid:96)). Ifthereexitsτ >0suchthatforallτ (0,τ),ξ(cid:96)(t(cid:96) +τ ,x(cid:96)) Inv((cid:96)),thenwe end 0 ∈ 1∈ end 1 0 (cid:54)∈ saythecontinuousstateisevolvingoutwardInv((cid:96))attheboundary. Let ∂Inv((cid:96)) denote part of the boundary ∂Inv((cid:96)) where the continuous state is evolving outward out Inv((cid:96)), G(cid:96) denote the set of guards such that the corresponding events all have (cid:96) as the source location. Weassumeforall(cid:96): 1. Forallg ,g G(cid:96),g ,g aredisjoint. 1 2 1 2 ∈ 2. Aneventisforcedtooccurwheneverx ∂Inv((cid:96)) . Withoutthisassumption,thesystemstatewill out ∈ getstuckat∂Inv((cid:96)) ,sinceitisnotallowedtoevolveoutsideInv((cid:96)). Inaddition,assumeevents out canonlybetriggeredat∂Inv((cid:96)) . DefinetheactiveguardsG(cid:96) := g ∂Inv((cid:96)) g G(cid:96) . out act out { ∩ | ∈ } 3. x˙=D(cid:96)(x)admitsanuniqueglobalsolution. 4. Alltheresetmapsarecontinuous. YiDeng&A.AgungJulius 3 2.2 TrajectoryRobustness We briefly review the algorithm proposed in [12] for the computation of robust neighborhood around a simulatedinitialstate,whichisbasedonthetheoryofbisimulationfunctions[9]. Definition 1. [9] Let φ(cid:96) :X X R be a pseudo-metric on the state space of the dynamical system × → x˙=D(cid:96)(x),x X. Let ξ(cid:96)(t,x(cid:96)) denote the solution of D(cid:96) under the initial condition x . If for any initial ∈ 0 0 statesx(cid:96) andx˜(cid:96),thefunctionφ(cid:96)(ξ(cid:96)(t,x(cid:96)),ξ(cid:96)(t,x˜(cid:96)))isnon-increasingwithrespecttotimet,thenφ(cid:96) isa 0 0 0 0 bisimulationfunctionbetweenthesystemanditself. Consider a nominal trajectory ρ((cid:96),x(cid:96)) as shown in Fig. 1, which has been simulated for the time 0 horizon of interest, [t ,t ]. The first segment of ρ((cid:96),x(cid:96)) is ξ(cid:96)(t,x(cid:96)),t(cid:96) <t <t(cid:96) , where t(cid:96) =t is the 0 end 0 0 0 end 0 0 initialtime. Atthetimet(cid:96) ,ρ((cid:96),x(cid:96))leaves(cid:96)bytriggeringtheevente =((cid:96),(cid:96),g ,r ),i.e.,ξ(cid:96)(t(cid:96) ,x(cid:96)) end 0 1 (cid:48) 1 1 end 0 ∈ g . Definetheavoidedset 1 A(cid:96):=U(cid:96) (G(cid:96) gˇ ), (1) act 1 ∪ \ where gˇ is called the allowed part of the guard g . We will formally define gˇ later. Essentially, the 1 1 1 robustneighborhoodistobecomputedbasedontheavoidedsetA(cid:96),sothatalltrajectoriesinitiatedfrom therobustneighborhoodwillnotreachA(cid:96) inlocation(cid:96). Hence,theunsafeU(cid:96) mustbeincludedinA(cid:96),aswellastheundesiredpartofguardsG(cid:96) gˇ . Inthis act 1 \ particular example shown in Fig. 1, the undesired part of guards G(cid:96) gˇ :=g (g gˇ ), where g is act 1 2 1 1 2 \ ∪ \ undesiredbecauseittriggersanevente differentfromtheevente triggeredbythenominaltrajectory, 2 1 while gˇ is excluded from A(cid:96) since trajectories initiated from the robust neighborhood are allowed to 1 reachgˇ andtriggere . Becauseofthemonotonicityofφ(cid:96),foranytimet >t(cid:96) andinitialstatex˜(cid:96), 1 1 0 0 φ(cid:96)(ξ(cid:96)(t,x(cid:96)),ξ(cid:96)(t,x˜(cid:96))) φ(cid:96)(ξ(cid:96)(t(cid:96),x(cid:96)),ξ(cid:96)(t(cid:96),x˜(cid:96)))=φ(cid:96)(x(cid:96),x˜(cid:96)). (2) 0 0 0 0 0 0 0 0 ≤ Therefore,ifx˜(cid:96) satisfies 0 φ(cid:96)(x(cid:96),x˜(cid:96))<γ := inf inf φ(cid:96)(ξ(cid:96)(t,x(cid:96)),y), (3) 0 0 a 0 t [t(cid:96),t(cid:96) ]y A(cid:96) ∈ 0 end ∈ thenforallt [t(cid:96),t(cid:96) ],ξ(cid:96)(t,x˜(cid:96)) A(cid:96). ∈ 0 end 0 (cid:54)∈ Thetimehorizon[t(cid:96),t(cid:96) ]abovemaybetooshort,sinceρ((cid:96),x˜(cid:96))mayleave(cid:96)laterthanρ((cid:96),x(cid:96))does. 0 end 0 0 ThistimelagproblemishandledbytheShrinkingprocedure(proposedin[12],andcanalsobefoundin Algorithm5): definedapreliminaryrobustneighborhoodB(x(cid:96),γ ):= φ(cid:96)(x(cid:96),x˜(cid:96))<γ ,andthenshrinks 0 a { 0 0 a} B(x(cid:96),γ ) to a proper size B(x(cid:96),γ) as the robust neighborhood. As a result, for some time lag τ that 0 a 0 lag doesnotexceedthespecifiedparameterτ , alltrajectoriesinitiatedfromB(x(cid:96),γ)areguaranteedto maxlag 0 leaveInv((cid:96))beforet(cid:96) +τ ,andwillnotreachA(cid:96) beforetheytriggere atgˇ . SeeFig. 1. end lag 1 1 Itisalsoproposedin[12]howtocomputetheeventtimeleadτ suchthatalltrajectoriesinitiated lead fromB(x(cid:96),γ)areguaranteedtostayin(cid:96)beforet(cid:96) τ . Weuseτ todenoteanupperboundof 0 end− lead maxlead theeventtimeleadfortherobustneighborhoods. The allowed part of guard gˇ in Eq. (1) is defined according to the robust neighborhood computed 1 for the next location reached by the nominal trajectory using similar steps as Eq. (1), (3): let B(x0(cid:96)(cid:48),γ(cid:48)) denotetherobustneighborhoodcomputedfortheresetinitialstatex0(cid:96)(cid:48) :=r1(ξ(cid:96)(te(cid:96)nd,x0(cid:96))),then gˇ1:=r1−1(B(x0(cid:96)(cid:48),γ(cid:48)))∩g1. (4) Therefore,therobustneighborhoodiscomputedinarecursiveway,fromthelastlocationreachedto thefirstlocationreached. 4 SafeNeighborhoodComputationforHybridSystemVerification ξ‘(t‘end+τlag,x‘0) ξ‘(t‘end,x‘0) ξ‘(t‘end,x‘0) g 1 gˇ1 U‘ g1 U‘ (Unsafe) γ=0 (Unsafe) g2 g2 φ‘(x,x‘)=γ 0 φ‘(x,x‘0)=γa U‘isfaraway. B(x‘,γ)vanishes. B(x‘,γ) 0 0 Figure1: Robustneighborhoodcomputation. Figure2: Guard-criticaltrajectory. Inthelastlocationreached(denotedbyl),theavoidedsetisdefinedinaformdifferentformEq. (1). Al:=Ul Gl . (5) act ∪ Eventtimelagdoesnotneedtobeconsidered,sincelisthelastlocationreached. Fromtheargumentabove,B(x(cid:96),γ)hasthefollowingproperty: 0 Proposition2. Forallx˜(cid:96) B(x(cid:96),γ),thetrajectoryρ((cid:96),x˜(cid:96))musttriggerthesameeventsequenceasthe 0∈ 0 0 nominal trajectory ρ((cid:96),x(cid:96)) does. The time lead and lag for triggering the same event is bounded by 0 τ andτ respectively. Inallthelocationsreachedexceptthelastone,ρ((cid:96),x˜(cid:96))muststaysafe maxlead maxlag 0 beforeitleavesthelocation. Inthelastreachedlocationl,ρ((cid:96),x˜(cid:96))muststaysafeforatleast[tl,tl ]as 0 0 end thenominaltrajectoryρ((cid:96),x(cid:96))does. 0 2.3 CriticalTrajectory Suppose in Fig. 1, the nominal trajectory reaches the closure of g , g gˇ orU(cid:96), then clearly Eq. (3) 2 1 1 \ resultsinzero. Suchatrajectoryiscalledcritical. Definition 3 (Critical Trajectory). If a nominal trajectory reaches the closure of the avoided set in the robustneighborhoodcomputation,thenitiscalledacriticaltrajectory. Directlyfollowingfromthealgorithmin[12],thepropositionbelowholds: Proposition4. Therobustneighborhoodcomputedforanominaltrajectoryhaszeromeasureifandonly ifthenominaltrajectoryisacriticaltrajectory. Essentially, a critical trajectory has trivial robustness. There exists some infinitesimal perturbation of the trajectory that changes its transition or safety property. In particular, we define guard-critical trajectories,whoserobustneighborhoodsvanishduetoguardsratherthantheunsafeset. Definition 5 (Guard-Critical Trajectory). A critical trajectory that does not reach the closure of the unsafesetiscalledaguard-criticaltrajectory. Guard-critical trajectories can cause issues in safety verification problems, where only the safety propertyisofconcern. AsshowninFig. 2,theguard-criticaltrajectorytriggersaneventthroughg ,but 1 it also reaches the closure of g . By the robust neighborhood algorithm, the initial state ((cid:96),x(cid:96)) cannot 2 0 be covered by the robust neighborhood of any initial state. Consequently, if an initial set contains such ((cid:96),x(cid:96)),itcanneverbecoveredfullybyrobustneighborhoods. Ontheotherhand,thenominaltrajectory 0 ρ((cid:96),x(cid:96))isfarfromunsafe. Sotherobustneighborhoodapproachdoesnotworkinasatisfactorywayfor 0 thepurposeofsafetyverification. YiDeng&A.AgungJulius 5 In this work, an adapted approach called safe neighborhood is proposed to deal with this issue. Essentially, for each nominal trajectory, the computed robust neighborhood has both uniform transition andsafetyproperties,whilethesafeneighborhoodhasonlyuniformsafetyproperty. Thelatteristhusa supersetoftheformer. 2.4 SafeNeighborhoodComputation Basic Case In order to illustrate the basic idea of safe neighborhood computation, first consider the simplecaseshowninFig. 3. Forsimplicity,itisassumedthenominaltrajectoryρ((cid:96),x(cid:96))doesnottrigger 0 any event; but it gets sufficiently close to the active part of guard g :=g ∂Inv((cid:96)) within the time act out ∩ horizon[t(cid:96),t(cid:96) ]. Theguardgisassociatedwiththeevente=((cid:96),(cid:96),g,r). Inthelocation(cid:96),thereareno 0 end (cid:48) (cid:48) guards. Theunsafesetisassumedtobeonlyin(cid:96),i.e.,U(cid:96) isempty. (cid:48) ‘ ‘ 0 y ∗ g r(y∗) U‘0 e=(‘,‘0,g,r) (Unsafe) ξ‘(t ,x‘) x‘ ∗ 0 φ‘0(x,r(y∗))=γ0 0 Figure3: Basiccaseofsafeneighborhoodcomputation. Algorithm1Basiccaseofsafeneighborhoodcomputation. 1: compute(t∗,y∗)= argmin φ(cid:96)(ξ(cid:96)(t,x0(cid:96)),y) (cid:46)cl()givestheclosureofaset. t∈[t0(cid:96),te(cid:96)nd],y∈cl(gact) 2: ifφ(cid:96)(ξ(cid:96)(t∗,x0(cid:96)),y∗)≤dthr then 3: simulateatrajectoryfromr(y∗)forthetimehorizont∗≤t ≤te(cid:96)nd 4: computeγ(cid:48)= inf inf φ(cid:96)(cid:48)(ξ(cid:96)(cid:48)(t,r(y∗)),y) y∈U(cid:96)(cid:48)t∈[t∗,te(cid:96)nd] 5: defineg˚act := y gact φ(cid:96)(cid:48)(r(y),r(y∗)) γ(cid:48) { ∈ | ≥ } 6: specifyatimeintervalδ :=[t∗ τlead,t∗+τlag] − 7: computeγ =min inf inf φ(cid:96)(ξ(cid:96)(t,x(cid:96)),y),inf inf φ(cid:96)(ξ(cid:96)(t,x(cid:96)),y) {t∈[t0(cid:96),te(cid:96)nd]\δy∈gact 0 t∈δy∈g˚act 0 } 8: else 9: computeγ = inf inf φ(cid:96)(ξ(cid:96)(t,x(cid:96)),y) 0 t [t(cid:96),t(cid:96) ]y gact ∈ 0 end ∈ 10: endif 11: Safe(x(cid:96)):= x φ(cid:96)(x,x(cid:96)) γ 0 { | 0 ≤ } Atthepointy andthetimeinstantt [t(cid:96),t(cid:96) ],thenominaltrajectoryandtheguardggetsufficiently ∗ ∗∈ 0 end close (φ(cid:96) attains its infimum, and the infimum is smaller than the specified threshold value d , which thr corresponds to the first case in the if-else block of Algorithm 1). Since U(cid:96) is assumed as empty, the bottleneckofrobustneighborhoodcomputationisintheguard. Wesimulateabranchtrajectoryfromy ∗ for the rest of the time: t t t(cid:96) , which triggers e=((cid:96),(cid:96),g,r). In the target location (cid:96), there are ∗ ≤ ≤ end (cid:48) (cid:48) no guards. We compute the infimum value γ(cid:48) of φ(cid:96)(cid:48) generated by the branch trajectory and the unsafe setU(cid:96)(cid:48). Becauseofthemonotonicityofφ(cid:96)(cid:48),forallt ∈[t∗,te(cid:96)nd]andx0(cid:96)(cid:48) ∈{x|φ(cid:96)(cid:48)(x,r(y∗))<γ(cid:48)},ξ(cid:96)(cid:48)(t,x0(cid:96)(cid:48)) cannotreachU(cid:96) (seeargumentsintherobustneighborhoodcomputation). We thus define gˇ := y g φ(cid:96)(cid:48)(r(y),r(y∗))<γ(cid:48) as the allowed part of g. For the specified time { ∈ | } window δ :=[t τ ,t +τ ], consider g˚ :=g gˇ as the avoided set; while for the reset of the ∗ lead ∗ lag act act − \ 6 SafeNeighborhoodComputationforHybridSystemVerification time,[t(cid:96),t(cid:96) ] δ,considertheentireg astheavoidedset. Specifically,wecompute 0 end \ act γ =min inf inf φ(cid:96)(ξ(cid:96)(t,x(cid:96)),y),inf inf φ(cid:96)(ξ(cid:96)(t,x(cid:96)),y) . (6) 0 0 {t∈[t0(cid:96),te(cid:96)nd]\δy∈gact t∈δy∈g˚act } Thenforallx˜(cid:96) Safe(x(cid:96)):= x φ(cid:96)(x,x(cid:96))<γ andt t(cid:96),becauseofthemonotonicityofφ(cid:96), 0∈ 0 { | 0 } ≥ 0 φ(cid:96)(ξ(cid:96)(t,x˜(cid:96)),ξ(cid:96)(t,x(cid:96))) φ(cid:96)(ξ(cid:96)(t(cid:96),x˜(cid:96)),ξ(cid:96)(t(cid:96),x(cid:96)))=φ(cid:96)(x˜(cid:96),x(cid:96))<γ. (7) 0 0 0 0 0 0 0 0 ≤ As a result, for all t [t(cid:96),t(cid:96) ] δ, ξ(cid:96)(t,x˜(cid:96)) g , while for all t δ, ξ(cid:96)(t,x˜(cid:96)) g˚ . Namely, the ∈ 0 end \ 0 (cid:54)∈ act ∈ 0 (cid:54)∈ act trajectory ρ((cid:96),x˜(cid:96)) is allowed to escape from gˇ during δ, and then stays in (cid:96) safely for at leastt(cid:96) t . 0 (cid:48) end− ∗ Ifnoeventhasbeentriggered,ρ((cid:96),x˜(cid:96))muststayin(cid:96)safelyasthenominaltrajectoryρ((cid:96),x(cid:96))does. 0 0 GeneralCase Formoregeneralcases,thesafeneighborhoodofanominaltrajectoryρ((cid:96) ,x )canbe 0 0 computed as in Algorithm 2. The time horizon is t t t . For clarity, we denote the trajectory 0 end ≤ ≤ segmentsas ξ(cid:96)i(t,xi),ti t ti N ,whereN isthetotalnumberofeventstriggered. { 0 0≤ ≤ end}i=1 The essential idea is as presented in the basic case: When the nominal trajectory gets sufficiently close to a guard, even if it does not actually trigger the corresponding event, we still simulate a branch trajectoryaccordingtotheevent. Thisiscalledavirtualevent. Forthebranchtrajectorywecomputethe safe neighborhood. Part of guards that maps into the safe neighborhood of the branch trajectory is then considered as the allowed part. We exclude it from the avoided set for a short time window, and thus removedthebottleneckofthebisimulationfunctionvalue. Clearly,thealgorithmmustbeperformedin recursiveway. Thenominaltrajectorycangetsufficientlyclosetomultipleguardsinonelocation,andit canalsogetsufficientlyclosetoguardsinsequentiallyreachedlocations. Foreachlocation,notonlythe event triggered by nominal trajectory itself by also all the virtual events need to be considered. We call thecollectionoftriggeredeventsandvirtualeventstheeventtreeassociatedwiththenominaltrajectory. Properties of Safe Neighborhoods The safe neighborhood computed by Algorithm 2 for a general trajectoryhasthefollowingproperties,whereProposition6directlyfollowsfromprecedingarguments, andProposition9isprovedinAppendix. Proposition 6. For allx˜ Safe(x ), the trajectoryρ((cid:96) ,x˜ )must trigger a path on the event treethat 0 0 0 0 ∈ is triggered by the nominal trajectory ρ((cid:96) ,x ) and all its branch trajectories. The time lead/lag for 0 0 triggeringthesameeventisboundedbyτ andτ respectively. Inalllocationsreachedexcept maxlead maxlag thelastone,ρ((cid:96) ,x˜ )muststaysafebeforeitleavesthelocation. Inthelastreachedlocation,ρ((cid:96) ,x˜ ) 0 0 0 0 muststaysafeforatleastthesametimeintervalasρ((cid:96) ,x )(oritsbranchtrajectory). 0 0 Definition7(CriticalState). Foraguard-criticaltrajectory,ifastateisreachedbythetrajectoryonthe closureofguardsbutdoesnottriggeranyevent,thenitiscalledacriticalstate. Definition 8 (Enlarged Reachable Set). Let (cid:96) be an initial location and Init Inv((cid:96) ) be a compact 0 0 ⊂ initialsetofcontinuousstates. Theenlargedreachablesetofaninitialstate,Reache(x ),isdefinedasfollows: 0 Ifthetrajectoryρ((cid:96) ,x ),t t t isnotguard-critical,thenReache(x )onlyincludesthestates 0 0 0 end 0 ≤ ≤ in ρ((cid:96) ,x ),t t t . Otherwise, Reache(x ) should include the original trajectory as well as all 0 0 0 end 0 ≤ ≤ branchtrajectoriessimulatedfromthecriticalstatesforthetimehorizont t t ,wheret denotes ∗ end ∗ ≤ ≤ thetimeinstantwhenthecriticalstateisreached. TheenlargedreachablesetofaninitialsetisdefinedasReache(Init):= (cid:83) Reache(x ). 0 x Init 0 ∈ Proposition9. Theradiusofthesafeneighborhoodcomputedforx Init doesnotvanishifandonlyif 0 ∈ Reache(x ) cl(Unsafe)=0/. The radii of safe neighborhoods Safe(x ) x Init are bounded from 0 0 0 ∩ { | ∈ } belowbyapositivenumberifandonlyifReache(Init) cl(Unsafe)=0/. ∩ YiDeng&A.AgungJulius 7 Algorithm2Safeneighborhoodcomputationforageneraltrajectory. 1: procedureSAFENEIGHBORHOOD((cid:96)0,x0,t0,tend) 2: fori N to1do ← 3: du inf inf φ(cid:96)i(ξ(cid:96)i(t,xi),y) i ←t [ti,ti ]y U(cid:96)i 0 4: di←m∈in0{edndiu,d∈thr} 5: Ti←{t ∈[t0i,teind]|ProximalGuards((cid:96)i,x0i,t,di)(cid:54)=0/} 6: T Ti,k 0,d(k) ∞ (cid:46)T isthesetoftimeinstantswhenthesystemstategets ← ← ← sufficientlyclosetocertainguards. 7: whileT =0/ do 8: dT (cid:54) inf inf φ(cid:96)i(ξ(cid:96)i(t,xi),y) 9: ifd(←k) t∈TdTy∈tGh(cid:96)aicetn 0 ≤ 10: breakthewhileloop 11: endif 12: k k+1 (cid:46)kisthenumberofpivots. ← 13: t(k) sup argmin inf φ(cid:96)i(ξ(cid:96)i(t,xi),y) (cid:46)Atthepivottimeinstantt(k),thesystem ← { t T y G(cid:96)i 0 } stategetsclosesttothegu∈ardsa∈stactvariesinT . 14: G(ck)←ProximalGuards((cid:96)i,x0i,t(k),di) 15: (k) (k) 16: takeτlead ∈[0,τmaxlead],τlag ∈[0,τmaxlag]suchthatthefollowingconditionsaresatisfied forallτ T(k):=[t(k) τ(k) ,t(k)+τ(k)]: ∈ − lead lag Gτ G(k),whereGτ ProximalGuards((cid:96),xi,τ,d). • c ⊂ c c ← i 0 i g Gτ,let((cid:96),(cid:96),g,r)denotethecorrespondingevent,andy(k) ProximalState((cid:96),xi,t(k),g), • ∀ ∈ c i ← i 0 yτ ProximalState((cid:96),xi,τ,g). Then g Gτ, it is satisfied that yτ S(k) := ← i 0 ∀ ∈ c ∈ r−1(SafeNeighborhood((cid:96),r(y(k)),t(k),tend)), and φ(cid:96)i(yτ,y(k)) α inf φ(cid:96)i(y,y(k)), where α ≤ y S(k) ∈ ∈ (0,1)isaconstant. k 1 17: T(k) T(k) (cid:83)− T(j) (cid:46) T(j) k aredisjoint. ← \ { }j=1 j=1 18: G˘(cid:96)i := (cid:83) g r−1(SafeNeighborhood((cid:96),r(y(k)),t(k),tend)) (cid:46) g Gc(k),((cid:96)i,(cid:96),g,r)is ∩ ∀ ∈ g G(ck) theevent;Gˇ(cid:96)i denot∈estheallowedpartofG(cid:96)i. 19: d(k) inf inf φ(cid:96)i(ξ(cid:96)i(t,xi),y) ←t∈T(k)y∈G(cid:96)aict\Gˇ(cid:96)i 0 20: T T T(k) ← \ 21: endwhile k 2223:: ∆γ˚ii←:=m[ti0in,{teidndiu],\digj(cid:83)=,d1(T1)(,j.),..d,igd←(k)}ti∈,n∆γ˚fiiy←∈inGf(cid:96)aSicthφr(cid:96)ini(kξin(cid:96)ig(t(,γxi)0i),y) 24: endfor 25: γ γ1,Safe(x0):= x φ(cid:96)1(x0,x) γ ← { | ≤ } 26: returnSafe(x0) 27: endprocedure 8 SafeNeighborhoodComputationforHybridSystemVerification Algorithm3Subroutine. Obtainguardsthataresufficientlyclosetoξ(cid:96)(τ,x ). 0 1: procedurePROXIMALGUARDS((cid:96),x0,τ,d) 2: Gc gact G(cid:96)act inf φ(cid:96)(ξ(cid:96)(τ,x0),y) d ←{ ∈ |y gact ≤ } 3: returnGc ∈ (cid:46)OutputGc astheproximalguardsatthetimeinstantτ. 4: endprocedure Algorithm4Subroutine. Obtainthestateontheguardgthatisclosesttoξ(cid:96)(τ,x ). 0 1: procedurePROXIMALSTATE((cid:96),x0,τ,g) 2: Yc argminφ(cid:96)(ξ(cid:96)(τ,x0),y) ← y cl(g) ∈ 3: y Yc (cid:46)Forclarity,weassumeYc isasingleton. Forexample,whentheguardsarehyberplanes, ← Y mustbeasingleton. Ifnot,theprocedurecanbeextendedbychoosingapropery Y . c c ∈ 4: returny (cid:46)Outputyastheproximalstateatthetimeinstantτ. 5: endprocedure Algorithm5Subroutine. Shrinktheradiusγ byaproperamountforeventtimelagcompensation[12]. i 1: procedureSHRINKING(γi) 23:: sd˜iium(τu(cid:48)l)at←eξt(cid:96)i[(tit,ix,nt0iif)+foτr]ytieinnUdf(cid:96)i≤φ(cid:96)ti(≤ξ(cid:96)tiei(ntd,x+0i)τ,mya)xlfaogra0cc≤orτd(cid:48)i≤ngτtmoatxhlaegdynamicsoflocation(cid:96)i ∈ end end (cid:48) ∈ k 4: T(τ(cid:48)):=[teind,teind+τ(cid:48)]\ (cid:83) T(j) (cid:46){T(j)}kj=1 arethesameasinAlgorithm2. j=1 56:: dγ˜˜iig((ττ(cid:48))(cid:48))←←mt∈iiTnn({fτγ(cid:48))i,y∈di˜nGiuf((cid:96)aicτtφ(cid:48))(cid:96),id(˜iξg((cid:96)τi((cid:48)t),}x0i),y)for0≤τ(cid:46)(cid:48)≤Clτemaarlxyla,gγ˜i(0)=γi,andγ˜i(τ(cid:48))isnon-increasing. 7: diinv(τ(cid:48))←t∈[teinsd,uteipnd+τ(cid:48)]y∈Iinnvf((cid:96)i)φ(cid:96)i(ξ(cid:96)i(t,x0i),y)for0≤τ(cid:48)≤τmaxlag (cid:46)Clearly,diinv(0)=0,and dinv(τ )isnon-decreasing. i (cid:48) 8: T (cid:48)←{τ(cid:48)∈[0,τmaxlag]|γ˜i(τ(cid:48))≤diinv(τ(cid:48))} 9: ifT (cid:48) isnotemptythen 10: τlag infT (cid:48) ← 11: else 12: τlag τmaxlag ← 13: endif 14: γi←diinv(τlag) (cid:46) τ [0,τ ], γ˜(τ ) dinv(τ ), which implies γ˜(τ ) dinv(τ )=γ. So the avoided set cannot ∀ (cid:48) ∈ lag i (cid:48) ≥ i (cid:48) i lag ≥ i lag i bereachedbeforeteind+τlag. Besides,diinv(τlag)= sup inf φ(cid:96)i(ξ(cid:96)i(t,x0i),y)=γi. Soany t∈[teind,teind+τlag]y∈Inv((cid:96)) trajectoryinitiatedfromtheshrunkneighborhoodleavesInv((cid:96))beforeti +τ . end lag 15: returnγi (cid:46)Outputγi astheradiusoftheshrunkneighborhood. 16: endprocedure YiDeng&A.AgungJulius 9 2.5 Implementation Therobust/safeneighborhoodapproachissimulation-based,readilyparallelizable,andthussuitablefor numerical implementation. We have developed a MATLAB toolbox STRONG (System Testing with RObust Neighborhood Generation) [5] that integrates the robust neighborhood and safe neighborhood computationfunctionsforhybridsystemswithlineardynamics. Example In order to illustrate the verification procedure, consider the simple example in Fig. 4. The system has three locations. The invariant sets are Inv((cid:96) ) = Inv((cid:96) ) = R2, Inv((cid:96) ) = (x ,x ) 1 2 3 1 2 (cid:18) (cid:19) (cid:18) { (cid:19) ∈ 1 0 2 0 R2|x1 ≥1,x2 ≥1}. Dynamics are D(cid:96)i :x˙=Aix, where A1 = −0 2 ,A2 = −0 1 ,A3 = (cid:18) (cid:19) − − 1 0 −0 3 .Location(cid:96)3 hasguardsg1={(x1,x2)|x1≥1,x2=1}andg2={(x1,x2)|x1=1,x2>1}, − resettingthediscretestateto(cid:96) ,(cid:96) respectivelywithoutchangingthecontinuousstate. Thereisanunsafe 1 2 set (cid:96) ,(cid:96) (x ,x ) 1.2 x 1.4,0.5 x 0.9 . Theinitialstateis(1.25,1.9). 1 2 1 2 1 2 { }×{ | ≤ ≤ ≤ ≤ } x 2 g 2 2 y(2) y(1) 1 g 1 Unsafe 0 1 2 x1 Figure4: Asimulatedtrajectoryofthesimpleexample. Locations(cid:96) ,(cid:96) arereachedsequentially. 3 1 Wecansimulateatrajectoryandcomputetherobustneighborhoodusingthecommand >>traj = RobustTest(sys,sim time,max lead, max lag), wheresysisthesystemmodel,sim timeisthetimehorizon0 t 0.5,max lead=max lag=0.1 ≤ ≤ is the maximum event time lead/lag allowed. The nominal trajectory is shown in Fig. 4, for which the radiusofrobustneighborhoodcomputedasanoutputofthetoolboxis >>traj.ball.d min = [0.0042, 0.1613]. In the last location reached, l=(cid:96) , there are no guards. The toolbox computes the minimum distance 1 (measured by the bisimulation function φ(cid:96)1) from the nominal trajectory segment toUnsafe, which is 0.1613. Sotherobustneighborhoodaroundtheresetinitialstatehasradius0.1613. In the initial location (cid:96) , there are no unsafe states. The toolbox computes the minimum distance 3 (measured by φ(cid:96)3) to undesired part of guards. The nominal trajectory triggers an event ((cid:96)3,(cid:96)1,g1,r) at y(1) g1, where r is identity matrix. Thus, gˇ1 := y g1 φ(cid:96)1(r(y),r(y∗))<0.1613 should be defined ∈ { ∈ | } astheallowedpartofg . Ontheotherhand, theentireguardg isintheavoidedset. Sinceg israther 1 2 2 closetothenominaltrajectory,theradiusoffinalrobustneighborhoodcomputedaroundtheinitialstate dramaticallyshrinksto0.0042. Thesafeneighborhoodcomputationfunctionisinvokedbysettingtheflag >>sys.opt(1) = true, andcallingthesamefunctionRobustTest. The toolbox will simulate a branch trajectory from y(2) and compute the safe neighborhood around r(y(2)), where r is identity matrix. Based on that, part of g will be regarded as the allowed part. The 1 bottleneckofminimumdistancecomputationisthusremoved. Itturnsout >>traj.ball.d min = [0.0515, 0.1613], where0.0515istheradiusoffinalsafeneighborhoodcomputedaroundtheinitialstate. 10 SafeNeighborhoodComputationforHybridSystemVerification 3 Conclusion Thesafeneighborhoodapproachforhybridautomataverificationoffersmathematicallyprovedguarantee for the safety property of infinitely many initial states by a single trajectory simulation. It inherits the advantages of robust neighborhood approach: no need to grid the state space, and easily parallelizable. TheverificationprocedurehasbeenimplementedforlinearhybridsystemsbythetoolboxSTRONG. References [1] R. Alur, C. Courcoubetis, N. Halbwachs, T.A. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis & S.Yovine(1995): Thealgorithmicanalysisofhybridsystems. TheoreticalComputerScience138,pp.3–34, doi:10.1016/0304-3975(94)00202-T. [2] R.Alur,T.Dang&F.Ivancic(2002):ReachabilityAnalysisofHybridSystemsviaPredicateAbstraction. In: HSCC,LNCS2289,SpringerBerlinHeidelberg,pp.35–48,doi:10.1007/3-540-45873-5 6. [3] A. Bhatia & E. Frazzoli (2004): Incremental Search Methods for Reachability Analysis of Continuous and HybridSystems. In: HSCC,LNCS2993,Springer,pp.142–156,doi:10.1007/978-3-540-24743-2 10. [4] M.S. Branicky, M.M Curtiss, J. Levine & S. Morgan (2005): Sampling-based reachability algorithms for controlandverificationofcomplexsystems. In: Proc.ThirteenthYaleWorkshoponAdaptiveandLearning Systems,NewHaven,CT,30May-1. [5] Y. Deng, A. Rajhans & A.A. Julius (2013): STRONG: A Trajectory-Based Verification Toolbox for Hybrid Systems. In: Quantitative Evaluation of Systems, LNCS 8054, Springer, pp. 165–168, doi:10.1007/978-3- 642-40196-1 13. [6] A.D’Innocenzo,A.A.Julius,M.D.DiBenedetto&G.J.Pappas(2007): Approximatetimedabstractionsof hybridautomata. In: CDC,pp.4045–4050,doi:10.1109/CDC.2007.4434720. [7] A. Donze & O. Maler (2007): Systematic Simulation Using Sensitivity Analysis. In: HSCC, LNCS 4416, Springer,pp.174–189,doi:10.1007/978-3-540-71493-4 16. [8] A.Girard,C.Guernic&O.Maler(2006): EfficientComputationofReachableSetsofLinearTime-Invariant SystemswithInputs. In: HSCC,LNCS3927,Springer,pp.257–271,doi:10.1007/11730637 21. [9] A. Girard & G.J. Pappas (2007): Approximation Metrics for Discrete and Continuous Systems. Automatic Control,IEEETransactionson52(5),pp.782–798,doi:10.1109/TAC.2007.895849. [10] A.Girard,G.Pola&P.Tabuada(2010): ApproximatelyBisimilarSymbolicModelsforIncrementallyStable Switched Systems. Automatic Control, IEEE Transactions on 55(1), pp. 116–126, doi:10.1007/978-3-540- 78929-1 15. [11] C.Guernic&A.Girard(2009):ReachabilityAnalysisofHybridSystemsUsingSupportFunctions.In:CAV, LNCS5643,Springer,pp.540–554,doi:10.1007/978-3-642-02658-4 40. [12] A.A.Julius,G.E.Fainekos,M.Anand,I.Lee&G.J.Pappas(2007): RobustTestGenerationandCoverage forHybridSystems. In: HSCC,Springer,pp.329–342,doi:10.1007/978-3-540-71493-4 27. [13] A.B.Kurzhanski&P.Varaiya(2000): EllipsoidalTechniquesforReachabilityAnalysis. In: HSCC,LNCS 1790,Springer,pp.202–214,doi:10.1007/3-540-46430-1 19. [14] S.Prajna&A.Jadbabaie(2004):SafetyVerificationofHybridSystemsUsingBarrierCertificates.In:HSCC, LNCS2993,Springer,pp.477–492,doi:10.1007/978-3-540-24743-2 32. [15] P. Tabuada (2009): Verification and Control of Hybrid Systems: A Symbolic Approach. Springer, doi:10.1007/978-1-4419-0224-5. [16] P. Varaiya (2000): Reach Set Computation Using Optimal Control. In: Verification of Digital and Hybrid Systems,NATOASISeries170,Springer,pp.323–331,doi:10.1007/978-3-642-59615-5 15.