Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal...
103
Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly on the work and slides by Rajeev Alur, with further contributions from: Andrea Mattioli, Paritosh Pandya, Yusi Ramadian
-
Upload
jessica-ellis -
Category
Documents
-
view
226 -
download
1
Transcript of Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal...
Introduction to Formal Methods for SW and HW Development
11 - Timed and Hybrid Systems:Formal Modeling and Verification
Roberto Sebastiani
Based mostly on the work and slides by Rajeev Alur,with further contributions from:
Andrea Mattioli, Paritosh Pandya, Yusi Ramadian
Trends in Model-Based Design
Emerging notations: UML,Stateflow
Visual, Hierarchical, Object oriented Simulation, code generation
Steady progress in model checking tools
Control design employs tools (Matlab…)
Opportunities to influence design tools
Typically, semantics is not formal Typically, only simulation is supported ….
Model Checker
AdvantagesAutomated formal verification, Effective debugging tool
Increasing industrial successIn-house groups: Intel, Microsoft, Lucent, Motorola…Commercial model checkers: FormalCheck by Cadence
ObstaclesScalability is still a problem (about 500 state vars)Effective use requires great expertise
model
temporalproperty
yes
error-trace
A great success story for CS theory impacting practice (see 2007 Turing award), and a vibrant area of research
Hybrid Modeling
State machines
offon
+ Dynamical systems
dx=kxx<70
dx=-k’xx>60
x>68
x<63
(notation: “dx” abbreviation of “dx/dt”)
Automotive Applications
Coordination Protocols
Interacting Autonomous Robots
Physics-based Animation
Biomolecular Regulatory Networks
Overview
1. Timed systems: Modeling and Semantics Timed automata
2. Symbolic Reachability Analysis for Timed SystemsMaking the state space finite Region automataZone automata
3. Hybrid Systems: Modeling and Semantics Hybrid automata
4. Symbolic Reachability Analysis for Hybrid SystemsLinear Hybrid AutomataApproximations of reachable sets
Acknowledgements
Thanks for providing slides & material to:
Rajeev Alur & colleagues (Penn University)
Paritosh Pandya (IIT Bombay)
Andrea Mattioli, Yusi Ramadian (Univ. Trento)
Disclaimer:Very introductive
Only very-partial coverage
Mostly computer-science centric
Part 1. Timed Systems:
Modeling and Semantics
Outline: Part 1
Timed Automata
Timed Automata
Off Light BrightPress? Press?
Press?
Press?
WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.
Simple Light Control
Simple Light Control
Off Light Bright
Solution: Add real-valued clock x
X:=0X<=3
X>3
Press? Press?
Press?
Press?
Adding continuous variables and constraints to state machines
Modeling : timing constraints
Finite graph + finite set of (real-valued) clocks
vertices locations Time can elapse Constraint ( invariant )
edges switches Reset a clock Constraints
Meaning of a clock value: time elapsed since the last time it was reset.
Timed Automata
n
m
a
Clocks: x, y
x<=5 & y>3
x := 0
Guard Boolean combination of comparisons withinteger bounds
ResetAction performed on clocks
( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )
wait(1.1)
2 kinds of transitions:
( n , x=2.4 , y=3.1415 ) ( m , x=0 , y=3.1415 )
a
State ( location , x=v , y=u ) where v,u are in R
Actionused
for synchronization
n
m
a
Clocks: x, y
x<=5 & y>3
x := 0
Transitions
( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )
wait(1.1)
( n , x=2.4 , y=3.1415 )
wait(3.2)
x<=5
y<=10
LocationInvariants
g1g2 g3
g4
Invariants ensure progress!!
Adding Invariants
Timed Automata: Formal Syntax
• timed automaton A =– L = locations; = initial locations– ∑ = labels– X = clocks– I = Invariants– = set of switches (edges)
a switch = • s, s’ = locations• a = label• φ = clock constraints• = clocks to be reset
EIXLL ,,,,, 0 LL 0
LXLE X 2',,,, sas
X
Clock constraints and clock interpretations
• Set of clock constraints grammar :
only allow comparison of a clock and a constant
• clock interpretation ν :X={x,y,z} , ν(X) = {1.0, 1.5, 0}
• = clock interpretation after δ timeν(X)+δ = {1.2, 1.7, 0.2}
• = assigns 0 to each x YY={y,z}; ={1.0, 0, 0}
21||||: xccxxccx
]0:[ Y]0:[ Y
Example
Clocks { x , y }, can be re/set independently
x is reset to 0 from s0 to s1 on a switch c happens within 1 time-unit
from a because of constraints in s1 and s2
delay between b and the following d is >2
no explicit bounds on time difference between event a-b or c -d
locationswitch
invariant
Semantics
• Semantics of A defined in terms of a (infinite) transition system SA = < Q,Q0, →, ∑ >, s.t.:– Q = {(s, ν)}– Q0 = {(s, ν)} where s L0 and ν(x)=0– → :
• State change due to elapse of time• State change due to a location switch
– ∑ = set of labels of A
State change in transition system
qx<2 q'
a
(q,0)
• (q,0)• Initial state
State change in transition system
• (q,0) (q,1.2)= state change due to elapse of time
qx<2 q'
a
(q,1.2)
2.1
State change in transition system
qx<2 q'
a
(q’,1.2)
• (q,0) (q,1.2) (q’,1.2)= state change due to a location switch• q q and q q’ = q
q’
a 2.1
a a2.1 2.1
Example: Light Switch
• Switch may be turned on whenever at least 2 time units has elapsed since last “turn off”
• Light automatically switches off after 9 time units.
push
pushclick
9y
Example: Light Switch (cont.)
...)9,0,()9),3(9,(
)3,3,(),0,(
),()0,(
)5.3,()0,(
)3(93
5.3
yxoffyxon
yxonyxon
yxonyxon
yxoffyxoff
click
push
push
push
pushclick
9y
Remark : non-zenoness
1. When the invariant is violated some edge must be enabled
2. Automaton should admit the possibility of time to diverge
px<1
px<1
X=1
q
Combination of systems• Complex system = product of
interacting transition systems• S1= and S2=• Product = S1||S2 = • Transition iff :
i. Label a belongs to both alphabets synchronized(synchronization is blocking: an a-labeled switch cannot be
shot singularly)
ii. Label a only in the alphabet of S1 asynchronized
iii. Label a only in the alphabet of S2 asynchronized
1111011 ,,,,, EIXLL 2222
022 ,,,,, EIXLL
EIIXXLLLL ,,,,, 21212102
0121
Transition product
• ∑1 = {a, b}
• ∑2 = {a, c}
p1,q1p1',q1'
a
p1 p1'a
q1 q1'a
p2 p2'b
q2
q2 q2'c
p3
p2,q2p2',q2
b
p3,q2p3,q2'
c
Train – gate controller
• Desired property: AG(s2 -> t2)
Product Construction
s0,t0,u0
approach
s1,t0,u1
in
s2,t0,u1
out
s3,t0,u1
s1,t1,u0
in
s2,t1,u0
out
s3,t1,u0
exit
s0,t1,u2
lower lower lower
s1,t2,u0
in
s2,t2,u0
out
s3,t2,u0
exit
s0,t2,u0
down down down down
raise
s0,t3,u0
s3,t3,u1
s2,t3,u1
out
s1,t3,u1
in
approach
up
up
up
up
s0,t0,u0
approach
s1,t0,u1
in
s2,t0,u1
out
s3,t0,u1
s1,t1,u0
in
s2,t1,u0
out
s3,t1,u0
exit
s0,t1,u2
lower lower lower
s1,t2,u0
in
s2,t2,u0
out
s3,t2,u0
exit
s0,t2,u0
down down down down
raise
s0,t3,u0
s3,t3,u1
s2,t3,u1
out
s1,t3,u1
in
approach
up
up
up
upx≤5 z≤1x:=0,z:=0 x>2
y:=0, z=1
Part 2. Symbolic Reachability
Analysis for Timed Systems
Outline: Part 2
Reachability analysisMaking the state space finiteRegion automataZone automata
Reachability Analysis
• Verification of safety requirement: reachability problem
• Input: a time-automaton A and a set of target locations
• Determining whether LF is reachable in a timed automaton A
• Location s of A is reachable if some state q with location component s is a reachable state of the transition system SA
LLF
Timed/hybrid Systems: problem
Is finite state analysis possible?Is reachability problem decidable?
The transition system SA associated to A has infinitely-many states & symbols:
Idea: Finite Partitioning
Goal: To partition state-space into finitely many equivalence classes so that equivalent states exhibit similar behaviors
Reachability analysis
SA
Time-abstractautomaton
RegionAutomaton
Time abstraction
Finite set of actions
Infinite set of states.
Quotient
Both states and actions are finite sets
Timed AutomatonSemantics
Regions
Infinite set of actions
Infinite set of states.
Outline: Part 2
Reachability Analysis Making the state space finite Region automata Zone automata
Timed Vs Time-Abstract Relations
Transition system associated with a timed/hybrid automaton A:• SA: Labels on continuous steps are delays in
R• Actual delays are suppressed (all continuous
steps have same label): Time-abstract UA
Time-abstract transition system UA
• Only change due to location switch stated explicitly
• Cut system to finitely many labels• UA(instead of SA) allows for capturing untimed
properties (e.g., reachability, safety)
)0,7.0,()9.1,7.0,()2.1,0,()2.1,2.1,()0,0,( 21
7.0
10
2.1
0 sssssba
)0,7.0,()2.1,0,()0,0,( 210 sssba
Stable quotients
• Cut to finitely many states• Collapse equivalent states• Stable
equivalence relation
• Quotient of UA = transition system [UA]~
q q'
a
u u'
a
q ~ u q' ~ u’
Stable according to the transition
LF-sensitive equivalence relation
• Equivalence relation ~ = LF-sensitive• All equivalent states in a class belong to
either LF or not LF
q q'
u u'
v v'
a
c
b
LF
not LFa'
c'
b'
Outline: Part 2
Reachability Analysis Making the state space finite Region Automata Zone automata
Region Equivalence over clock interpretation
• x = 3.7– Integral part : = 3.0– Fractional part = fr(ν(x)) = 0.7
• iff1. For all x, the integral part is the same or
both exceed cx pict. (cx : max constant x is compared to)
2. For all x, y with ν(x) ≤ cx and ν(y) ≤ cy, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y)) pict.
3. For all x, ν(x) ≤ cx,fr(ν(x)) =0 iff fr(ν’(x)) =0 pict
'
)(x
next
Constraint 1
0 1 2
1
y
x0 1 2
1
y
x
)(' x= = 1 )(x
back
For all x, the integral part is the same or both exceed cx
Constraint 20 1 2
0 1 2
1
y
x0 1 2
1
y
x0 1 2
1
y
x
fr(v(x)) =fr(v(x))
0 1 2
1
y
x
fr(v(x)) =fr(v(x))
(fr(v(x)) ,fr(v(y)))
(fr(v’(x)) ,fr(v’(y)))
back
For all x, y with ν(x) ≤ cx and ν(y) ≤ cy, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y))
(fr(v(x)) = fr(v(y)))
Constraint 3
0 1 2
1
y
x
fr(ν(x)) =0
fr(ν’(x)) =0
back
For all x, ν(x) ≤ cx,fr(ν(x)) =0 iff fr(ν’(x)) =0
• Clock region: equivalence class of clock interpretation finite
• Max number of regions =– (k is the number of clocks)
• Number of clock regions exponential in the encoding of the clock constraints
Clock regions
Xx xk ck )22(2!
0 1 2
1
y
x0 1 2
1
y
x0 1 2
1
y
x0 1 2
1
y
x0 1 2
1
y
x0 1 2
1
y
x
2 clocks x, y. cx = 2, cy = 1 • 8 open regions• 14 open line segments • 6 corner points
Regions, intuitive idea:Finite partitioning of state space
x
y Definition
An equivalence class (i.e. a region)in fact there is only a finite number of regions!!
1 2 3
1
2
w @ w’ iff they satisfy the same set of constraints of the formxi < c, xi = c, xi – xj < c, xi –xj =cfor c <= largest const relevant to xi
Alur, Dill, 90
Region Operations
x
y
An equivalence class (i.e. a region)
Successor regions, Succ(r)
r
1 2 3
1
2
Resetregions
{y}r
{x}r
Properties of Regions
The region equivalence relation @ is a time-abstract bisimulation:– Action transitions: If w @ v and (l,w) -a->
(l’,w’) for some w’, then $ v’ @ w’ s.t. (l,v) -a-> (l’,v’)
– Delay transitions: If w @ v then for all real numbers d, there exists d’ s.t. w+d @ v+d’
If w @ v then (l,w) and (l,v) satisfy the same temporal logic formulas
Region automaton
• Equivalent states = identical location + region-equivalent clock
• Classes = finite, stable, LF-sensitive• Region automaton of A = R(A)
– Q = equivalence classes of (s, ν)• Reachability problem (A, LF) search
R(A)
Region graph of a simple timed automata
Complexity of reachability
• Linear with number of locations• Exponential with number of clocks• Exponential in the encoding of
constantsPSPACE-complete
Outline: Part 2
Reachability Analysis Making the state space finite Region Automata Zone Automata
Zone automata
• Collapse regions by convex unions of clock regions
• Clock zone φ = set of clock constraints x-y≤c, x-y<c,x<c,x≤c,x=c,x>c,x≥c
• φ = convex set in the k-dimensional euclidean space Contains all possible relationship for all clock value in a set
Zones: symbolic representation
State(s, x=3.2, y=2.5 )
x
y
x
y
Symbolic state (set of states)(s, )
Zone:conjunction ofx-y≤c, x-y<c,x<c,x≤c,x=c,x>c,x≥c
3y4,1x1 ££££
Zone automaton
• Z(A) is a transition system < Q,Q0,∑, → > s.t. – Q = zone of A; Zone = (s, φ)– Q0 = (s,[X:=0]), for every initial location s of
A– ∑ = set of labels or events– → = ((s, φ), a, (s’,succ(φ, e)))
• succ (φ, e) = clock interpretation after executing e
Symbolic transition
• succ (φ, e) =
1. ^ = intersection2. = interpretation for3. = interpretation • closure under the three operations still a
convex set
]0:[ ]0:[
]0:)[)()))(((( sIsI
Φ fulfill invariant of state s
still fulfill invariant of state s after time elapse fulfill the time constraint of switch e
Symbolic Transitions
n
m
x>3
y:=0
x
ydelays to
x
y
x
y conjuncts to
x
y
projects to
1<=x<=41<=y<=3
1<=x, 1<=y-2<=x-y<=3
3<x, 1<=y-2<=x-y<=3
3<x, y=0
Thus (n,1<=x<=4,1<=y<=3) ==> (m,3<x, y=0)
Canonical Data-structures for Zones: Difference-bound
Matrices Matrix representation of constraints
(bounds on a single clock or difference betn 2 clocks)
Reduced form obtained by running all-pairs shortest path algorithm
Reduced DBM is canonical Operations such as reset, time-successor,
inclusion, intersection are efficient Popular choice in timed-automata-based
tools
Difference-bound matrices (DBM)
• k clocks = (k +1) x (k +1) matrix D• Example :
D0i = lower bound
Di0 = upper bound
)0()10()20( 2121 xxxx
Dij = upper bound of xi and xj difference
• i,j: (c,1) Xi-Xj ≤ c
• i,j:(c,0) Xi-Xj < c
• i,j: ∞ absence of bound
Difference-bound matrices (DBM)
• Upper bound of xi - xl = sum of the upper bounds of xi - xj and xj – xl
• Use all-pairs shortest paths, check DBM Satisfiable Canonical – Satisfiable = a nonempty clock zone – Canonical= Matrices with tightest possible constraints
• Canonical Dbms represent clock zones
x<=1y-x<=2z-y<=2z<=9
x<=1y-x<=2z-y<=2z<=9
x<=1y-x<=2y<=3z-y<=2z<=7
x<=1y-x<=2y<=3z-y<=2z<=7
D1
D2
When are two sets of constraints equivalent?
x x
0 y
z
1 2
29
ShortestPath
Closure
ShortestPath
Closure
0 y
z
1 2
25
0
x
y
z
1 2
27
0
x
y
z
1 2
25
3
3 3
Graph
Graph
Canonical Data-structures for Zones:Difference Bounded Matrices
Complexity
• Theoretically :– Zone automaton may be
exponentially bigger than the region automaton
• Practically : – Fewer reachable vertices performances much improved
Implementation
• Verification problem :– Input = timed automaton Ai
– Process = searching R(||iAi) or Z(||iAi) • BDD-based engine (preferably for region
construction)• On-the-fly enumerative search
(preferably for zone construction)
Timed Automata: summary
Only continuous variables are timers Invariants and Guards: x<const,
x>=const Actions: x:=0 Reachability is decidable Clustering of regions into zones desirable
in practice Tools: Uppaal, Kronos, RED … Symbolic representation: matrices Techniques to construct timed
abstractions of general hybrid systems
Decidable Problems
Model checking branching-time properties of timed automata
Reachability in rectangular automata Timed bisimilarity: are two given timed
automata bisimilar? Optimization: Compute shortest paths
(e.g. minimum time reachability) in timed automata with costs on locations and edges
Controller synthesis: Computing winning strategies in timed automata with controllable and uncontrollable transitions
Part 3. Hybrid Systems:
Modeling and Semantics
Outline: Part 3
Hybrid Automata
Hybrid Automata
Hybrid Automata
l
l’
jump transformation
edge guard
continuous dynamicsinitial condition
invariant: hybrid automaton may remain in l as long as X Inv(l)
X Inv(l’)
dX Flow(l’)
X Inv(l)
dX Flow(l) X Init(l)
e : g(X)0
J(X, X’)
locations or modes (discrete states)
modeselect
integrator
m(t)
xdot(t)
flow constraints
x(t)
x(t)
jump mapping
initial condition
e(t)
threshold-drivendiscrete dynamics
x(t)e(t)
m(t)
cont. state
discrete state
discrete event
F1
F2
F31S
X0
Je
e(t)
Je
jump dynamics
cont. state
discrete state
discrete event
discrete dynamics
Switched Dynamic Systems
F1
F2
F3
1S
continuous dynamics
Hybrid Automata
Set L of locations, and set E of edges Set X of k continuous variables State space: L X Rk, Region: subset of Rk
For each location l, Initial states: region Init(l)
Invariant: region Inv(l)
Continuous dynamics: dX in Flow(l)(X) For each edge e from location l to location l’
Guard: region Guard(e)
Update relation “Jump” over Rk X Rk
Synchronization labels (communication information)
(Finite) Executions of Hybrid Automata
State: (l, x) such that x satisfies Inv(l) Initialization: (l,x) s.t. x satisfies Init(l) Two types of state updates Discrete switches: (l,x) –a-> (l’,x’) if there is
an a-labeled edge e from l to l’ s.t. x satisfies Guard(e) and (x,x’) satisfies update relation Jump(e)
Continuous flows: (l,x) –f-> (l,x’) where f is a continuous function from [0,d] s.t. f(0)=x, f(d)=x’, and for all t<=d, f(t) satisfies Inv(l) and df(t) satisfies Flow(l)(f(t))
Example of (linear) Hybrid Automaton
Gate for a railroad controller
Openh = 90dh = 0
loweringh >= 0
-10<dh <-9
raisingh <= 90
8< dh <10
closedh = 0
dh = 0
h = 90 ?lower
?lower
?raise
?raise
h = 90 h = 0
Part 4. Symbolic Reachability
Analysis for Hybrid Systems
Outline: Part 4
Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe
Approximations (CheckMate)
Standard Reachability Problem
Model variables X ={x1, … xn} Each var is of finite type, say, boolean
Initialization: I(X) condition over XUpdate: T(X,X’)
How new vars X’ are related to old vars X as a result of executing one step of the program
Target set: F(X)Computational problem:
Can F be satisfied starting with I by repeatedly applying T ?
Graph Search problem
General Symbolic SolutionData type: region to represent state-setsR:=I(X)Repeat
If R intersects F report “yes”Else if R contains Image(R) report “no”Else R := R union Image(R)
Image(R): Set of successors of states in RTermination may or may not be guaranteed
Symbolic Representations
Necessary operations on RegionsUnion
Intersection
Negation
Projection
Renaming
Equality/containment test
Emptiness test
Different choices for different classesBDDs for boolean variables in hardware
verification
Size of representation as opposed to number of states
Reachability for Hybrid Systems
Same algorithm works in principle What’s a suitable representation of
regions? Region: subset of Rk
Main problem: handling continuous dynamics
Precise solutions available for restricted continuous dynamics
Timed automata Linear hybrid automata
Even for linear systems, over-approximations of reachable set needed
Reachability Analysis for Dynamical Systems
Goal: Given an initial region, compute whether a bad state can be reached
Key step is to compute Reach(X) for a given set X under dx/dt = f(x) (hereafter dx = f(x) for short)
X
Reach(X)
Outline: Part 4
Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe
Approximations (CheckMate)
Multi-rate Automata
Modest extension of timed automata• Dynamics of the form dx = const (rate of a
clock is same in all locations) • Guards and invariants: x < const, x > const• Resets: x := const
Simple translation to timed automata that gives time-abstract bisimilar system by scaling
dx = 2dy = 3
x>5 and y <1
du = 1dv = 1
u>5/2 and v <1/3
Rectangular Automata
Interesting extension of timed automata• Dynamics of the form dx in const
interval (rate-bounds of a clock same in all locations)
• Guards/invariants/resets as before Translation to multi-rate automata that
gives time-abstract language-equiv systemdx in
[2,3]
x>5
x<2 dxm = 2dxM = 3
xM>5, xm:=5
xm<2, xM:=2
Puri, Henzinger, 95
Linear Hybrid Automata
Invariants and guards: linear (Ax <= b) Actions: linear transforms (x’:= Ax) Dynamics: time-invarint, state-
independentspecified by a convex polytope constraining ratesE.g. 2 < x <= 3, x = y
Tools: HyTech Symbolic representation: Polyhedra Methodology: abstract dynamics by
differential inclusions bounding rates
Example LHAGate for a railroad controller
Openh = 90dh = 0
loweringh >= 0
-10<dh <-9
raisingh <= 90
8< dh <10
closedh = 0
dh = 0
h = 90 ?lower
?lower
?raise
?raise
h = 90 h = 0
Reachability ComputationBasic element: (location l, polyhedron p)Set of visited states: a list of (l,p) pairsKey steps: Compute “discrete” successors of (l,p) Compute “continuous” successor of (l,p) Check if p intersects with “bad” region Check if newly found p is covered by
already visited polyhedra p1,…, pk (expensive!)
Computing Discrete Successors
Discrete successor of (l,p) Intersect p with g (result r is a polyhedron) Apply linear transformation A to r (result r’
is a polyhedron) Intersect r’ with the invariant of l’ (result r”
is a polyhedron) Successor is (l’,r”)
l l’g(x)-> x := a(x)
Computing Time Successor
x
y
x
y
(3,2)
(1,4)
Rate Polytope
(1,4)
(3,2)p
Reach(p)
Thm: If initial set p, invariant I, and rate constraint r, are polyhedra, then set of reachable states is a polyhedron (and computable)
Basically, apply extremal rates to vertices of p
Summary: Linear Hybrid Automata
HyTech implements this strategy Core computation: manipulation of
polyhedra Bottlenecks
proliferation of polyhedra (unions) computing with higher dimensional polyhedra
Many case studies (active structure control, Philips audio control protocol, steam boiler…)
Outline: Part 4
Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe
Approximations (CheckMate)
Beyond LHA
Exact computation with polyhedra is limiting. If dynamics is dX=AX, and P is a polyhedron,
Reach(P) is not a polyehdron Solutions:
Approximate Reach(P) with an enclosing convex polyhedron: Checkmate (Krogh)
Approximate Reach(P) with an enclosing (non-convex) orthogonal polyhedron: d/dt (Dang/Maler)
Level sets method (Greenstreet, Tomlin) Use ellipsoids for representation of sets
(Kurzhanski)
Polyhedral Flow Pipe Approximations
X0
t1
t2
t3
t4
t5t6 t7
t8
t9
• divide R[0,T](X0) into [tk,tk+1] segments
• enclose each segment with a convex polytope
• RM[0,T](X0) = union of polytopes
Wrapping Hyperplanes Around a Set
S
c4
c3
c2c1
Step 1:Choose normal vectors, c1,...,cm
S
c4
c3
c2
c1
Step 2:Compute optimal d in Cx d, CT = [c1 ... cm]:
di = max ciTx
xS
Wrapping Hyperplanes Around a Set
Wrapping a Flow Pipe Segment
Given normal vectors ci, we wrap R[tk,tk+1]
(X0) in a polytope by solving for each i
Optimization problem is solved by embedding simulation into objective function computation
di = max ciTx(t,x0)
xo,t
s.t. x0X0
t [tk,tk+1]
Improvements for Linear Systems
x = Ax x(t, x0) = eAtx0
No longer need to embed simulation into optimization
Flow pipe segment computation depends only on time step t
A segment can be obtained by applying eAt to another segment of the same t
)(ˆ)(ˆ0],0[0],[ XReXR t
Atttt
Example: Van der Pol Equation
X x x0 1 20 8 1 0 { . , }
. ( )
x x
x x x x1 2
2 12
2 10 2 1
Van der Pol Equation
Uniform time stepDtk = 0.5
Initial Set
Summary: Flow Pipe Approximation
• Applies in arbitrary dimensions• Approximation error doesn't grow
with time• Estimation error (Hausdorff
distance) can be made arbitrarily small with Dt < d and size of X0 < d
• Integrated into a complete verification tool (CheckMate)
