Theory and computation of discrete state space decompositions for hybrid systems

E. De Santis (corresponding author), M.D. Di Benedetto

University of L’Aquila, DISIM–Dep. of Information Engineering, Computer Science and Mathematics, Center of Excellence DEWS, 67100 L’Aquila, Italy

European Journal of Control 19 (2013) 1–10. http://dx.doi.org/10.1016/j.ejcon.2012.09.001

Article history: Received 11 June 2009. Accepted 18 September 2012. Available online 5 March 2013. Recommended by Y. Ohta / E.F. Camacho.

This work was partially supported by the European Union Seventh Framework Programme [FP7/2007-2013] under grant agreement n° 257462 HYCON2 Network of excellence IST Network of Excellence HyCON2, and by STREP iFLY contract n° TREN/07/FP6AE/S07.71574/037180.

Corresponding author: Tel.: +39 862434435; fax: +39 862434403. E-mail addresses: [email protected] (E. De Santis), [email protected] (M.D. Di Benedetto).

0947-3580/$ - see front matter © 2013 European Control Association. Published by Elsevier Ltd. All rights reserved.

Abstract

The problem of verifying whether properties such as reachability and safety hold for a hybrid system can be simplified, for example by using bisimulation. In this paper, we introduce a novel decomposition method to simplify the problem of verifying also other important properties such as stabilizability and detectability. To do so, we characterize general properties of a hybrid system and derive structural decompositions with respect to the characterization, which reduce the verification problem to a set of simpler verification problems on the elements of the decomposition.

1. Introduction

A rich set of results on stability, safety, observability, and other important properties for hybrid systems is available in the literature (e.g., see [8,19,29] for safety, [6,18,26] for stability, [2,3,5,7,11,12,26,30] for observability). However, testing the conditions for these properties to hold is in general computationally intensive.

An effective approach for complexity reduction consists of finding a system that is "equivalent" to the original one with respect to the properties that we want to verify but that is "simpler" to analyze. A powerful tool for complexity reduction is bisimulation equivalence introduced in [21,24]. Extensions of the notion of bisimulation to continuous and hybrid systems were explored in a number of papers (e.g. [1,14–17,22,23,25,28]). If two systems are bisimilar, then the so-called sequence properties [20], such as reachability and safety, are preserved. Then a procedure that generates "simpler" systems that are bisimilar to a given system under study effectively reduces verification complexity.

In this paper, we address how to reduce complexity for verification problems that involve checking whether a property, which may be more general than a sequence property, e.g. stabilizability, observability or detectability, holds for a hybrid system. The goal is to extract particular subsystems from the original system, so that checking a property on these subsystems is equivalent to checking whether the same property holds for the original system.

The basic idea that inspires our approach can be easily understood with the following simple example (see Fig. 1): consider a hybrid system having three discrete states, say 1, 2 and 3, and let $S_1$, $S_2$ and $S_3$ be the corresponding linear dynamic equations. We suppose that the system evolves as follows. When in mode 1, a switching to mode 2 has to occur within 10 s from the last switching time. Such a commutation is due to a control action, but is subject to temporal constraints. From mode 2, an uncontrolled commutation must occur albeit at an unknown time instant, after 5–10 s from the last switching time. Finally, anytime an uncontrolled commutation may occur from mode 3 to mode 1. The continuous state $x^-$ before the commutation is reset after switching to a new state that linearly depends on $x^-$. We suppose that $S_2$ is controllable and that we want to analyze the stabilizability of the overall hybrid system H.

Fig. 1. The solid arrow denotes controlled transition and the dashed one an uncontrolled transition.

We claim that stabilizability of the hybrid system is equivalent to stabilizability of the subsystem $S_3$. In fact, if the initial state is mode 3, a transition could never occur. Hence $S_3$ has to be stabilizable. Conversely, if the initial state is mode 1, the controller can force the commutation to mode 2 when it is allowed, and then, since $S_2$ is controllable, the continuous state can be driven to zero within 5 s, which is the dwell time in mode 2. If the transition from 2 to 3 never occurs, then the convergence to zero of the trajectory is ensured. Otherwise two cases are possible: if a transition from 3 to 1 occurs, then we apply the reasoning again with initial state 1. If there is no transition from mode 3, stabilizability of $S_3$ ensures the asymptotic convergence to zero of the trajectory. The same reasoning holds if the initial state is either mode 2 or 3.

The idea is to generalize this analysis to exploit the structure of the FSM of the hybrid system and the characteristics of the subsystems corresponding to the nodes of the FSM to simplify the property verification problem. The question is what are the characteristics of the properties for which a topological simplification of the FSM is feasible.

To answer this question, we introduced a new property classification scheme and a procedure to decompose the system that depends on this classification. To the best of our knowledge, the only contributions dealing with structural decomposition of the discrete state-space of a hybrid system with respect to a given property are reported in [4], where sufficient conditions are given for the generic final-state asymptotic determinability in terms of properties of the cycles of the automaton associated to a hybrid system. Further, in [31], the stability test for a class of hybrid systems, where the continuous dynamics are linear, the mode switching depends on time and on the decision of a supervisor, is reduced to a finite number of stability tests on suitable subsystems.

The paper is organized as follows. In Section 2, background notations and definitions are given. In Section 3, we introduce and classify abstract properties for hybrid systems. In Section 4, we present structural decompositions of the hybrid system discrete state-space with respect to those properties. In Section 5, we illustrate some examples of abstract properties introduced in the previous sections and give some specific results. Concluding remarks are offered in Section 6. The proofs and algorithms that are not necessary to understand the flow of the paper are presented in the Appendix.

2. Definitions and background

We introduce a class of hybrid systems where the transitions depend either on a disturbance event (switching transitions) or on a discrete input (controlled transitions). For simplicity, we make the reasonable assumption that at each time $t \in \mathbb{R}$ only one discrete disturbance event can affect the system. A discrete disturbance and a discrete input can act simultaneously on the system, and the disturbance has the priority. Systems in this class are called H-systems. Let $Q = \{1, 2, \ldots, N\}$ be the finite set of discrete states (also called modes), and $S$ the mapping that associates to $i \in Q$ the dynamical system $S(i)$ defined by the equation

$$\dot{x}(t) = f_i(x(t), u(t))$$

where $t \in \mathbb{R}$, $x(t) \in \mathbb{R}^{n_i}$, the function $u : \mathbb{R} \to \mathbb{R}^m$ belongs to the class $\mathcal{U}$ of piecewise continuous functions, $f_i$ is a function such that, for any given initial condition $x(t_0)$ in $\mathbb{R}^{n_i}$, $\forall u \in \mathcal{U}$, the solution $x(t)$ exists and is unique for any $t \in [t_0, T_i)$, $T_i > t_0$. Therefore the hybrid state space of an H-system is the set $X = \bigcup_{i \in Q} \{i\} \times \mathbb{R}^{n_i}$ and a hybrid state is $(i, x)$.

We are considering here dynamics with different state dimensions. Systems of this kind arise, for example, when applying a hybrid state space decomposition (based on hybrid invariant subspaces as in [11]) to hybrid systems, even if the original system has continuous state spaces having the same dimension. See also the recent paper [13], where an impulsive hybrid system with changes of the state dimension models a specific optimal control problem associated with a multiagent dynamic system.

A switch from state $i$ to state $j$ is determined by an event $s \in W = U \cup V$, where $U$ is the finite set of discrete controls, $V$ is the finite set of discrete disturbances and $U \cap V = \emptyset$. The discrete state evolution is described by the collection of transitions $E = E_U \cup E_V$, with $E_U \subseteq Q \times U \times Q$ and $E_V \subseteq Q \times V \times Q$. When a transition $e = (i, s, j)$ occurs, the continuous component $x^- \in \mathbb{R}^{n_i}$ of the hybrid state before the switching is instantaneously reset to a new value $x^+ \in \mathbb{R}^{n_j}$ and $(j, x^+) \in R(s, (i, x^-))$, where $R : W \times X \to 2^X$ is the reset mapping. If $s \in U$, $(i, s, j)$ is called controlled transition. Otherwise, if $s \in V$, $(i, s, j)$ is called switching transition.

The transition $e = (i, s, j)$ is enabled at some time $t$ only if at that $t$ the time elapsed from the last transition belongs to a set $\gamma(e)$, where $\gamma : E \to 2^{\mathbb{R}^+}$, being $\mathbb{R}^+$ the set of nonnegative reals. If $\gamma(e) = \mathbb{R}^+$ then the transition $e$ may occur anytime. Moreover, we consider a function $\varphi : Q \to (\mathbb{R}^+ \cup \{\infty\})$, describing "forcing" conditions for the outgoing transitions from a discrete state: if at some time $t$ the current discrete state is $i$ and the time $\Delta t$ elapsed from the last transition is equal to $\varphi(i)$, then a transition must take place. If $\varphi(i) = \infty$, then outgoing transitions from $i$ do not necessarily occur. The functions $\gamma$ and $\varphi$ generalize the well-known concepts of minimum and maximum dwell time (see e.g. [9,10]). The effects of $\gamma$ and $\varphi$ on the system’s temporal evolution are similar to the effects due to guard or invariance conditions [29]. Guard and invariance conditions are usually described by sets in the continuous state space, and a discrete transition is enabled or forced when the continuous component of the state belongs to one of those sets. In our definition, the enabling or forcing conditions depend on the time elapsed since the last switching time: the function $\gamma$ associates to a transition a guard subset of $\mathbb{R}^+$, while the function $\varphi$ associates to a discrete state a time within which a transition certainly takes place. The function $\varphi$ describes deadlines for controlled transitions or a priori information available on the discrete disturbances. We do not distinguish the two cases, for simplicity. The introduction of the functions $\gamma$ and $\varphi$ in the hybrid system model allows continuous-state dependent transitions to be represented by transitions triggered by an input (disturbance or control) signal.

For consistency, and in order to prevent blocking phenomena in the system behavior, we assume that if $\varphi(i) = \hat{t}$, then $\exists e = (i, s, h) \in E$ with $\hat{t} \in \gamma(e)$.

We say that an H-system $\mathcal{S}$ is a tuple

$$(X, W, S, E, \gamma, \varphi, R)$$

where all the symbols are as defined above. H-systems with $U = \emptyset$ and $V \neq \emptyset$ are often referred to in the literature as "switching systems" (see e.g. [8]) while H-systems with $V = \emptyset$ and $U \neq \emptyset$ are called "switched systems" (see [26,27] and references therein).

Consider a function $\xi : \mathbb{R} \times \{0, 1, \ldots\} \to X$ and a hybrid time basis [19] $\tau$, which stores the timing of commutations among different dynamics: $\tau$ is an infinite or finite collection of sets $\{I_j, j = 0, 1, \ldots, L\}$, $L = \mathrm{card}(\tau) - 1$, where $I_j = \{t \in \mathbb{R} : t_j \le t \le t'_j\}$, $t'_j = t_{j+1}$, $I_L = [t_L, t'_L]$ or $I_L = [t_L, t'_L)$, and $t'_L$ may be infinite; $\xi(t, j)$ is the hybrid state at $(t, j)$ and can be written as $\xi(t, j) = (q(j), x(t, j))$, $t \in I_j$, $j = 0, 1, \ldots, L$. The set of all hybrid time bases is denoted by $\mathcal{T}$ and each $t'_j$ is called switching time. In this paper, we will consider executions with $t'_L > t_0$. The hybrid system temporal behavior can be defined by stating conditions such that the pair $\chi = (\tau, \xi)$ represents a feasible evolution (also called execution) of $\mathcal{S}$ (see Appendix A, for a formal definition of hybrid system execution).

Let $\Upsilon$ be the output space associated with the hybrid system. The available knowledge on the system evolution is summarized by the function $\eta_o : \mathbb{R} \to \Upsilon$. We assume throughout the paper that the discrete state evolution is unknown before execution, but the value of the current discrete state is known instantaneously during the execution. The restriction of $\eta_o$ to the interval $[t_0, t]$, denoted as $\eta_o|_{[t_0, t]}$, is said to be the observed output at time $t$. Let $\mathcal{Y}$ be the class of functions $\eta_o : \mathbb{R} \to \Upsilon$ and $\mathcal{Y}_o = \{\eta_o|_{[t_0, t]},\ \eta_o \in \mathcal{Y},\ t \ge t_0\}$. A control strategy is a function that associates to the observed output at time $t$ the value of control inputs (continuous and discrete) at time $t$. More precisely, a control strategy is a function $g : \mathcal{Y}_o \to (U \cup \{\varepsilon\}) \times \mathbb{R}^m$ and $g(\eta_o|_{[t_0, t]}) = (\upsilon(t), u(t))$, $\upsilon \in U_d$, $u \in \mathcal{U}$, where $U_d$ is the set of functions $\upsilon : \mathbb{R} \to U \cup \{\varepsilon\}$, with $\varepsilon$ the null event and with $\upsilon(t) = \varepsilon$ a.e.

For simplicity, we use the term "hybrid system" for the hybrid system endowed with its output space and observed output. The symbol $\mathcal{X}_{\mathcal{S}}$ denotes the set of all executions of an H-system $\mathcal{S}$.

A hybrid system $\mathcal{S}$ with a control strategy is called controlled hybrid system and is denoted by $\mathcal{S}_c$.

3. Properties for hybrid systems

In this section, we define predicates for a hybrid system, in the sense that we attribute properties to sets of executions of a hybrid system. We will consider predicate logic, so that a property of a set of executions will be either true or false. Our notion of property will be the technical tool used to decompose the given hybrid system into simpler subsystems, so that, if each subsystem satisfies the property, then the given system does too.

Formally we define a property $P$ on subsets of $\mathcal{X}_{\mathcal{S}}$ as $P : 2^{\mathcal{X}_{\mathcal{S}}} \to \{\text{true}, \text{false}\}$. For $F \subseteq \mathcal{X}_{\mathcal{S}}$, if $F$ is empty, then $P(F) = \text{true}$.

We say that the system $\mathcal{S}$ satisfies $P$ (or that $P$ holds) with respect to $Q' \subseteq Q$ if there exists a control strategy such that $P$ is true for the set of all executions of $\mathcal{S}_c$, with initial discrete state in $Q'$. For notational simplicity, when the property globally holds, i.e. $Q' = Q$, the set with respect to which the property holds is not specified. If $Q'$ is the empty set, then for any $P$, we say that $\mathcal{S}$ satisfies $P$ with respect to $Q'$.

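All the properties we consider in this paper are union closed, i.e. for any finite family $\{F_i \subseteq \mathcal{X}_{\mathcal{S}},\ i = 1, 2, \ldots\}$

$$
\begin{array}{c}
P(F_i) = \text{true}, \quad \forall i = 1, 2, \ldots \\
\Downarrow \\
P\left(\bigcup_i F_i\right) = \text{true}
\end{array}
$$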

In order to characterize the properties of a hybrid system, some notations are needed. Although the ideas are very simple and intuitive, the notations have to be precise enough to avoid ambiguities. We introduce a composition operator of two executions, which returns the set of all executions that have as prefix a sub-execution of the first execution, and as suffix a sub-execution of the second execution. We also define the composition of two sets of executions, as an obvious extension of the above.

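Given $\chi = (\tau, \xi) \in \mathcal{X}_{\mathcal{S}}$, consider $a, b \in \mathbb{R} \cup \{\infty\}$, $t_0 \le a < b \le t'_L$. The symbol $\chi|_{[a,b)}$ denotes the restriction of the execution $\chi$ to the time interval $[a, b)$. More precisely, $\chi|_{[a,b)} = (\hat{\tau}, \hat{\xi})$, where

$$
\begin{array}{l}
h = \max\{j : a \in I_j\} \\
k = \min\{j : b \in I_j\} \\
\hat{\tau} = \{\hat{I}_j,\ j = 0, 1, \ldots, k - h\} \\
\hat{I}_0 = [a, \min\{t'_h, b\}], \quad \hat{I}_j = I_{j+h}, \quad \hat{I}_{k-h} = [\max\{t_k, a\}, b] \\
\hat{\xi}(t, j) = \xi(t, j + h), \quad j = 0, 1, \ldots, k - h, \quad t \in \hat{I}_j
\end{array}
$$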

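Given $F_1, F_2 \subseteq \mathcal{X}_{\mathcal{S}}$, we define a composition operator $\circ$, where $F_1 \circ F_2$ denotes the set of $\chi \in \mathcal{X}_{\mathcal{S}}$ such that for some $t$, $t_0 < t \le t'_L$, $\chi|_{[t_0,t)} = \chi'|_{[t_0,t)}$, for some $\chi' \in F_1$ and, if $t < t'_L$, $\chi|_{[t,t'_L)} = \chi''|_{[t,t'_L)}$, for some $\chi'' \in F_2$. By definition of composition, $F_1 \subseteq F_1 \circ F_2$ and $F_2 \subseteq F_2 \circ F_1$.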

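Definition 1. Consider a system $\mathcal{S}$ and a property $P$. Then

• $P$ is composition closed if for any $F_1, F_2 \subseteq \mathcal{X}_{\mathcal{S}}$

$$
\begin{array}{c}
P(F_1) = \text{true} \ \text{AND} \ P(F_2) = \text{true} \\
\Downarrow \\
P(F_1 \circ F_2) = \text{true}
\end{array}
$$

• let $F_1$ be any subset of $\mathcal{X}_{\mathcal{S}}$, with the property that each $\chi$ in $F_1$ is finite (see Appendix A), with finite and continuous length bounded by $L_{\max}$ and $T_{\max}$, respectively, for some nonnegative integer $L_{\max}$ and nonnegative real $T_{\max}$. The property $P$ is backward extendable if for any $F_2 \subseteq \mathcal{X}_{\mathcal{S}}$

$$P(F_2) = \text{true} \ \Rightarrow \ P(F_1 \circ F_2) = \text{true}$$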

4. Discrete structure decompositions

This section presents the main results of the paper and is devoted to decompositions of the given hybrid system $\mathcal{S}$, which affect the discrete state space of $\mathcal{S}$ by simplifying its topological structure. Such decompositions are based on the FSM $(Q, W, E)$ and on the functions $\gamma$ and $\varphi$, but the way in which they can be used to check a property depends on the closure under composition and/or backward extensibility of the property itself. Therefore the results we are going to describe depend on the discrete and continuous dynamics of $\mathcal{S}$.

We prove two results: the first (Theorem 2) states some conditions under which, if a property holds with respect to some set of discrete initial states, then the same property holds for some other sets of initial states. The second (Theorem 5) is a structural result and allows the decomposition of the original system into subsystems, so that a property on the original system can be checked on these simpler subsystems.

In order to state our results, we need some notations. Given $Q' \subseteq Q$, let

$$\mathrm{Reach}^{-1}(Q')$$

be the set of all initial discrete states such that for some real $t \in \mathbb{R}$ and integer $j$, and for some control strategy, $\xi(t, j) \in \bigcup_{i \in Q'} \{i\} \times \mathbb{R}^{n_i}$, despite the action of the discrete disturbances.

Clearly $Q' \subseteq \mathrm{Reach}^{-1}(Q')$. Let $\bar{Q}'$ denote the complement in $Q$ of $Q'$.

The transitions of the system $\mathcal{S} = (X, W, S, E, \gamma, \varphi, R)$ are described by the FSM $(Q, W, E)$. Given the FSM $(Q, W, E)$, we write $(Q', W, E') \subseteq (Q, W, E)$ if $Q' \subseteq Q$, $E' \subseteq E$ and $(i, s, j) \in E'$ only if $i, j \in Q'$. We recall that a FSM $(Q', W, E')$ is strongly connected if for any pair $i, j \in Q'$, $i \neq j$, there exists a path from $i$ to $j$. Any FSM with only one discrete state is assumed to be strongly connected. The inclusion defines a partial order among strongly connected FSM’s. Hence, a FSM $(Q, W, E)$ can be decomposed into its strongly connected components, i.e. maximal strongly connected FSM’s $(Q_h, W, E_h) \subseteq (Q, W, E)$, $h = 1, \ldots, n_s$, $1 \le n_s \le N$. Given $Q' \subseteq Q$, let $X' = \bigcup_{i \in Q'} \{i\} \times \mathbb{R}^{n_i}$ and $\mathcal{S}|_{Q'} = (X', W, S, E', \gamma|_{E'}, \varphi|_{Q'}, R|_{E' \times X'})$ be the subsystem of $\mathcal{S}$ associated to the FSM $(Q', W, E') \subseteq (Q, W, E)$. By definition, any execution of $\mathcal{S}|_{Q'}$ is also an execution of $\mathcal{S}$. The subsystem $\mathcal{S}|_{Q'}$ of $\mathcal{S}$ associated to the (maximal) strongly connected component $(Q', W, E')$ of $(Q, W, E)$ is a (maximal) strongly connected component of $\mathcal{S}$. A sink of $\mathcal{S}$ is a strongly connected component of $\mathcal{S}$, associated to $(Q', W, E') \subseteq (Q, W, E)$, with no successors, i.e. for any $i \in Q'$, $(i, s, h) \in E$ only if $h \in Q'$. A proper strongly connected component is a strongly connected component with more than one state.
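The decomposition of the FSM (Q, W, E) into strongly connected components, sinks and proper components described above can be computed directly from the transition set E. The following Python sketch is an added example, not code from the paper; it uses the transition set E of Example 6 given later in the paper and the three-mode example of Fig. 1, whose event names are not stated in the text and are constructed here.

```python
"""Strongly connected components, sinks and proper components of an FSM (Q, W, E)."""
from typing import Dict, FrozenSet, List, Set, Tuple

Transition = Tuple[int, str, int]  # (i, s, j): source mode, event, target mode

# FSM of Example 6 in the paper: U = {s} (control), V = {d} (disturbance).
Q_EX6 = {1, 2, 3}
E_EX6 = {(1, "d", 2), (2, "d", 1), (2, "s", 3)}

# FSM of the three-mode example of Fig. 1. The paper does not name its events:
# "s" (controlled) and "d" (uncontrolled) are labels constructed for this example.
Q_FIG1 = {1, 2, 3}
E_FIG1 = {(1, "s", 2), (2, "d", 3), (3, "d", 1)}


def strongly_connected_sets(Q: Set[int], E: Set[Transition]) -> List[FrozenSet[int]]:
    """Tarjan's algorithm on the directed graph induced by E (event labels ignored).

    A single state is a component on its own, matching the convention that an
    FSM with only one discrete state is strongly connected. Recursive, so it is
    meant for the small mode sets typical of hybrid-system models.
    """
    succ: Dict[int, Set[int]] = {i: set() for i in Q}
    for i, _s, j in E:
        succ[i].add(j)
    index: Dict[int, int] = {}
    low: Dict[int, int] = {}
    stack: List[int] = []
    on_stack: Set[int] = set()
    comps: List[FrozenSet[int]] = []

    def visit(v: int) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in sorted(succ[v]):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(frozenset(comp))

    for v in sorted(Q):
        if v not in index:
            visit(v)
    return comps


def decompose(Q, E) -> List[dict]:
    """Return one record per maximal strongly connected component (Q_h, W, E_h).

    'transitions' is E_h (both endpoints in Q_h), 'exits' are the transitions
    leaving Q_h, 'sink' is True when the component has no successors, and
    'proper' is True when it has more than one state.
    """
    Q, E = set(Q), set(E)
    for i, s, j in E:
        if i not in Q or j not in Q:
            raise ValueError(f"transition {(i, s, j)} has an endpoint outside Q")
    records = []
    for Qh in strongly_connected_sets(Q, E):
        Eh = {(i, s, j) for (i, s, j) in E if i in Qh and j in Qh}
        exits = {(i, s, j) for (i, s, j) in E if i in Qh and j not in Qh}
        records.append({"states": Qh, "transitions": Eh, "exits": exits,
                        "sink": not exits, "proper": len(Qh) > 1})
    return records


if __name__ == "__main__":
    for name, (Q, E) in {"Example 6": (Q_EX6, E_EX6), "Fig. 1": (Q_FIG1, E_FIG1)}.items():
        for rec in decompose(Q, E):
            print(name, sorted(rec["states"]), "sink" if rec["sink"] else "non-sink",
                  "proper" if rec["proper"] else "single state",
                  "exits:", sorted(rec["exits"]))
```

This is a purely topological decomposition: it ignores the enabling and forcing functions, so it does not compute traps or the set Reach⁻¹.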

We can now state the following result:

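Theorem 2. Given a property $P$, an H-system $\mathcal{S}$, $Q' \subseteq Q$ and $Z \subseteq \bar{Q}'$, the following holds:

(i) If $P$ is backward extendable, then

$$
\begin{array}{c}
\mathcal{S} \text{ satisfies } P \text{ w.r.t. } Q' \\
\Downarrow \\
\mathcal{S} \text{ satisfies } P \text{ w.r.t. } \mathrm{Reach}^{-1}(Q')
\end{array}
$$

(ii) If $P$ is composition closed, then

$$
\begin{array}{c}
\mathcal{S} \text{ satisfies } P \text{ w.r.t. } Q' \ \text{AND} \ \mathcal{S}|_{\bar{Q}'} \text{ satisfies } P \text{ w.r.t. } Z \\
\Downarrow \\
\mathcal{S} \text{ satisfies } P \text{ w.r.t. } Q' \cup Z
\end{array}
$$

(iii) If $P$ is composition closed and $\mathrm{Reach}^{-1}(Q') = Q'$, then

$$
\begin{array}{c}
\mathcal{S} \text{ satisfies } P \text{ w.r.t. } Q' \ \text{AND} \ \mathcal{S}|_{\bar{Q}'} \text{ satisfies } P \text{ w.r.t. } Z \\
\text{if and only if} \\
\mathcal{S} \text{ satisfies } P \text{ w.r.t. } Q' \cup Z
\end{array}
$$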

Proof. (i) By definition of $\mathrm{Reach}^{-1}(Q')$, since $P$ is backward extendable, the result follows. (ii) Given a control strategy, any controlled execution of $\mathcal{S}$, with initial discrete states in $Z$, comes from the composition of controlled executions of $\mathcal{S}|_{\bar{Q}'}$ with initial states in $Z$ and controlled executions of $\mathcal{S}$ with initial discrete state in $Q'$. Since $P$ is composition closed, then sufficiency follows. (iii) Sufficiency follows from (ii). Necessity: by definition of $\mathrm{Reach}^{-1}(Q')$, if $i \notin \mathrm{Reach}^{-1}(Q')$, then for any control strategy there exist an initial state in $\{i\} \times \mathbb{R}^{n_i}$ and a disturbance such that the set $Q'$ is never reached. Since the discrete state evolution does not depend on the continuous component of the state, then the above property holds starting from any initial state in $\{i\} \times \mathbb{R}^{n_i}$. Therefore for any control strategy, starting from any hybrid state with discrete component in $Z$, there exists a disturbance action such that the set $Q'$ is never reached. This proves the necessity, by definition of $\mathcal{S}|_{\bar{Q}'}$. □

The statement of Theorem 2 requires the knowledge of a subset $Q'$ such that the property holds with respect to $Q'$. In Section 5, we will show that in some cases the determination of such a subset $Q'$ is straightforward. For example, if we consider asymptotic stabilizability for an H-system with linear continuous dynamics and reset, and with a positive minimum dwell time, then $Q'$ is the set of all discrete states associated with a controllable dynamical system.

The next result offers a decomposition technique that depends on some structural properties of the system and on the characteristics of the property $P$.

The concept of trap, as a set of discrete states starting from which it is not possible to guarantee with a control action that the future state evolution will leave the set, was introduced in [32]. We adapt this concept to our framework.

Definition 3 (Trap). Consider the H-system $\mathcal{S} = (X, W, S, E, \gamma, \varphi, R)$ with FSM $(Q, W, E)$. A trap of $\mathcal{S}$ is a strongly connected FSM $(\tilde{Q}, W, \tilde{E}) \subseteq (Q, W, E)$, such that, for any control strategy and for any initial state with discrete component in $\tilde{Q}$, there exists an execution of $\mathcal{S}_c$ such that the discrete state belongs to $\tilde{Q}$ for any time interval $I_j$, $j = 0, 1, \ldots, L$.

The computation of a trap of $\mathcal{S}$ only depends on the FSM associated to the hybrid system $\mathcal{S}$ and on the functions $\gamma$ and $\varphi$. For the sake of notational simplicity, a "trap of $\mathcal{S}$" will denote both the FSM $(\tilde{Q}, W, \tilde{E})$ and the subsystem of $\mathcal{S}$ associated with the FSM $(\tilde{Q}, W, \tilde{E})$. The way "trap of $\mathcal{S}$" is used should be clear from the context.

Set inclusion defines a partial order on the set of traps. Therefore the set of traps has at least a maximal element, i.e. a trap $T$ such that the only trap $\hat{T}$ with $T \subseteq \hat{T}$ is $T$ itself. Obviously two maximal traps cannot have any common discrete state and hence the number of maximal traps of a system $\mathcal{S}$ is less than the number of discrete states. The maximal traps of a system can be determined in a finite number of steps as shown in Appendix C.

The next lemma states that there always exists a control strategy such that any controlled execution of $\mathcal{S}$ is eventually "captured" by a trap.

Lemma 4. Given the H-system $\mathcal{S}$, there exists a control strategy $g^*$ such that

(i) there exists a time $t \ge 0$ and an index $j > 0$, such that any controlled execution with initial discrete state not belonging to a maximal trap enters a maximal trap within time $t$, after a number of switchings less or equal to $j$;

(ii) once a controlled execution escapes from a maximal trap, it never enters the same trap again.

Proof. The proof is based on the fact that the discrete state evolution does not depend on the continuous component of the state. Therefore, we only have to consider the discrete evolution. (i) By contradiction, let $\bar{Q}$ be the complement in $Q$ of the union of all the maximal traps. Then starting from $q \in \bar{Q}$ for any control action there would exist an execution that remains in $\bar{Q}$. This means that $q$ belongs to a trap contained in $\bar{Q}$, which is a contradiction. The fact that there exist bounds $t \ge 0$ and $j > 0$ that are the same for all executions entering a maximal trap starting from any state in $\bar{Q}$, depends on the definition of enabling and forcing functions $\gamma$ and $\varphi$ and on the finiteness of discrete state space $Q$. In fact, since the discrete evolution of the system does not depend on the continuous state, then for any $q \in \bar{Q}$ there exist a control strategy and finite transitions paths, reaching a trap. Since $\gamma$ and $\varphi$ might require a finite amount of time, between two consecutive transitions, and since the cardinality of $Q$ is finite, then (i) holds. (ii) Let $(\tilde{Q}, W, \tilde{E})$ be a maximal trap, and let $q_0 \notin \tilde{Q}$, $q_0^- \in \tilde{Q}$, $(q_0^-, s, q_0) \in E$. Suppose that for any control strategy there exist a controlled execution and $h \ge 1$ such that $q(0) = q_0$ and $q(h) \in \tilde{Q}$. Let $\hat{Q}$ be the set of discrete states $\hat{q}$ such that for any control strategy and for some controlled execution of $\mathcal{S}$ there exist $j > 0$ and $h \ge j$ such that $q(0) = q_0$, $q(j) = \hat{q}$ and $q(h) \in \tilde{Q}$. Then for any control strategy there exists a controlled execution such that for any $q(0) \in \hat{Q}$, $q(1) \in \hat{Q}$. Therefore the FSM $(\tilde{Q} \cup \hat{Q}, W, E|_{\tilde{Q} \cup \hat{Q}})$ is a trap, strictly containing $(\tilde{Q}, W, \tilde{E})$, which therefore is not a maximal trap. Hence, the result follows. □

We can now state the last result of this section, which allows the decomposition of the hybrid system into simpler subsystems: the maximal traps. Even though there is no role of the continuous dynamics in the computation of a trap, the test of the property, based on the traps, depends also on the continuous dynamics of the hybrid system.

Theorem 5. Consider a H-system $\mathcal{S}$ and the property $P$.

(i) If $P$ is composition closed and backward extendable on $\mathcal{X}_{\mathcal{S}}$, then

$$\text{each maximal trap of } \mathcal{S} \text{ satisfies } P \ \Rightarrow \ \mathcal{S} \text{ satisfies } P$$

(ii) If $\mathcal{S}$ is a switching system (i.e. a H-system with $W = V$) or a switched system (i.e. a H-system with $W = U$) then

$$\mathcal{S} \text{ satisfies } P \ \Rightarrow \ \text{each maximal trap of } \mathcal{S} \text{ satisfies } P$$

Fig. 2. The H-system $\mathcal{S}$.

Proof. (i) Consider a switching control strategy $g$ defined as follows: as far as the current discrete state belongs to a maximal trap, apply the control strategy such that $P$ is true for all the executions of the controlled system associated to that trap. As long as the current state is outside the traps, apply the control strategy $g^*$ of Lemma 4. Let $F_i$ be the set of executions of the controlled system $\mathcal{S}_c$ that are captured by the $i$-th trap but do not touch any other trap. By statement (i) of Lemma 4 and since $P$ is backward extendable, $P(F_i)$ is true, $i \in Q_{Tr} = \{1, 2, \ldots, m\}$, where $m$ is the number of maximal traps. By statement (ii) of Lemma 4, the set of all executions of $\mathcal{S}_c$ can be obtained as a finite composition of executions in $\{F_i,\ i \in Q_{Tr}\}$, i.e.

$$\mathcal{X}_{\mathcal{S}_c} = \bigcup_{\substack{i_1, i_2 \ldots i_m \in Q_{Tr} \\ i_1 \neq i_2 \neq \cdots \neq i_m}} F_{i_1} \circ F_{i_2} \circ \ldots \circ F_{i_{Tr}}$$

where obviously $\mathcal{X}_{\mathcal{S}_c} \subseteq \mathcal{X}_{\mathcal{S}}$. Therefore, since $P$ is composition closed, and since $P$ is union closed the result follows.

(ii) In the case of switching systems, the time basis $\tau$ and the discrete state evolution $q$ do not depend on any control action on the system. Then, by the definition of a trap, the result follows. In the case of switched systems, since no discrete disturbance can affect the system, the result follows by the definition of trap. □

The following example shows that the condition (i) of the above theorem is in general not necessary: if S satisfies P, then it is not true in general that each maximal trap of S satisfies P.

Example 6. Consider an H-system $S = (\Xi, W, S, E, g, f, R)$ with $\Xi = \{1, 2, 3\} \times \mathbb{R}$, $U = \{s\}$, $V = \{d\}$ (see Fig. 2). Let $S(1)$ and $S(3)$ be asymptotically stable linear systems, both described by the equation $\dot{x}(t) = -x(t)$, let $S(2)$ be unstable, described by the equation $\dot{x}(t) = x(t)$. Let $E = \{(1,d,2), (2,d,1), (2,s,3)\}$, $g((1,d,2)) = [10, \infty)$, $g((2,d,1)) = g((2,s,3)) = [0, \infty)$, $f(i) = \infty$, $i = 1, 2, 3$ and finally let $R$ be such that the continuous state after the switching is equal to the continuous state before the switching.

Clearly S is asymptotically stabilizable (see the formal definition in the next section): starting from discrete state 3 the system $S(3)$ is asymptotically stable and no switching can occur; starting from 1, either the discrete state remains the same forever (and hence the continuous state asymptotically converges to the origin) or the transition $(1,d,2)$ occurs at some time $t_1 \in [10, \infty)$. The system $S(2)$ is unstable, but, since there is no guard condition on the controlled transition $(2,s,3)$, at time $t_1$ the controller can apply the control signal $s$ to the system: the result will be the transition $(2,d,1)$ or the transition $(2,s,3)$; hence in both cases, by iterating the reasoning, asymptotic convergence to the origin is ensured. The same holds starting from discrete state 2. The FSM $(\{1,2\}, \{d\}, \tilde{E})$, $\tilde{E} = \{(1,d,2), (2,d,1)\}$, is clearly a trap, but the H-system $\tilde{S} = (\tilde{\Xi}, \{d\}, S|_{\{1,2\}}, \tilde{E}, g|_{\tilde{E}}, f|_{\{1,2\}}, R|_{\tilde{E} \times \tilde{\Xi}})$, $\tilde{\Xi} = \{1,2\} \times \mathbb{R}$, is not asymptotically stabilizable, because starting from 2, it is not possible to force any jump.

5. Characteristics of some classical properties for hybrid systems

In this section, we consider some well-known properties for hybrid systems, such as asymptotic stabilizability, detectability, reachability and safety, and analyze them with respect to closure under composition and backward extensibility. The decompositions shown in the previous sections can then be applied w.r.t. those particular properties. The properties introduced in Sections 5.5 and 5.6 are examples of a non-composition closed, backward extendable property, and of a non-composition closed, non-backward extendable property, respectively.

To make all properties well defined, we suppose that the following assumption holds throughout this section.

Assumption 1. The H-system S is non-Zeno, i.e. for each finite time interval, a finite number of switchings occurs.

5.1. Asymptotic stabilizability

Let $B = \bigcup_{i \in Q} \{i\} \times B_i \subseteq \Xi$, $B_i = \{x \in \mathbb{R}^{n_i} : \|x\| \le 1\}$, where $\|x\|$ is the Euclidean norm in the appropriate vector space, and for a given $\alpha > 0$ let $\alpha B = \bigcup_{i \in Q} \{i\} \times \alpha B_i$. Consider the property $P^s$.

Definition 7 ($P^s$-property). Let $F$ be a set of executions of an H-system S. $P^s(F)$ is true if $\forall \varepsilon, \delta > 0$ there exist $\bar{t} \ge 0$, $\gamma > 0$ such that for any $\chi \in F$ with initial state $\xi(t_0, 0) = (q_0, x_0) \in \delta B$

(i) $\xi(t,j) \in \gamma B$, $\forall t \in I_j$, $\forall j = 0, 1, \dots, L$,

(ii) $\xi(t,j) \in \varepsilon B$, $\forall t \in I_j \cap [t_0 + \bar{t}, \infty)$, $\forall j = \min\{j : t_0 + \bar{t} \in I_j\}, \dots, L$.

The definition above requires that all the executions in $F$ have infinite continuous length, i.e. the time base $\tau$ is such that $\sum_{j=0}^{L} (t'_j - t_j) = \infty$.

The standard notion of asymptotic stabilizability can be written in terms of property $P^s$ as follows.

Definition 8. An H-system S is asymptotically stabilizable w.r.t. $Q' \subseteq Q$ if it satisfies the property $P^s$ w.r.t. $Q'$.

Theorem 9. Consider an H-system S. The property $P^s$ is composition closed.


Proof. See Appendix B.

Proposition 10. Consider a switching system S, with $f(i) = \infty$, $\forall i \in Q$. S is asymptotically stabilizable if and only if each strongly connected component is asymptotically stabilizable.

Proof. If S is a switching system, the maximal traps coincide with the strongly connected components and the set $Q$ is covered by the maximal traps. Therefore, by specializing the proof of Theorem 5 to this case, since by Theorem 9 $P^s$ is composition closed, the statement follows. □

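Consider now an H-system S, and let each system $S_i \in S$, $i \in Q$, be defined by the equations:

$$\dot{x}(t) = A_i x(t) + B_i u(t)$$

$$y(t) = C_i x(t)$$

$A_i \in \mathbb{R}^{n_i \times n_i}$, $B_i \in \mathbb{R}^{n_i \times m}$, $C_i \in \mathbb{R}^{p \times n_i}$ and let $R : E \times \Xi \to \Xi$ be a linear reset function, i.e. given $e = (i,s,j) \in E$ and $\xi = (i,x) \in \Xi$, $R(e, \xi) = (j, M_e x)$, $M_e \in \mathbb{R}^{n_j \times n_i}$. Systems in this subclass are called linear hybrid systems (also LH-systems). Moreover, the output space associated with the hybrid system is $\Upsilon = Q \times \mathbb{R}^p$ and $\eta_o(t) = (q(j), C_{q(j)} x(t,j))$, $t \in [t_j, t'_j)$, $\forall j$ such that $t_j \ne t'_j$.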

Theorem 11. Let S be an LH-system. The property $P^s$ is backward extendable.

Proof. Let $F_2 \subseteq \mathcal{X}_S$ be such that $P^s(F_2) = \text{true}$. Given $F_1 \subseteq \mathcal{X}_S$, where the executions in $F_1$ have maximum continuous length $T_{max} > 0$, and maximum finite length $L_{max} \ge 1$, by the linearity of the system there exists a value $\gamma$ such that, for any execution in $F_1 \circ F_2$, $\xi(t,j) \in \gamma B \|x_0\|$, $\forall t \in I_j$, $\forall j = 0, 1, \dots, L$, and there exists $\bar{t} \ge 0$ such that for any execution in $F_1 \circ F_2$, $\xi(t,j) \in \varepsilon B \|x_0\|$, $\forall t \in I_j \cap [\bar{t}, \infty)$, $\forall j = \min\{j : \bar{t} \in I_j\}, \dots, L$. Hence, the $P^s$-property is backward extendable. □

Let $Q'$ be the subset of discrete states whose associated continuous linear dynamics are controllable, i.e.

$$Q' = \{ i \in Q : \mathrm{rank}(B_i \;\; A_i B_i \;\; \dots \;\; A_i^{n_i - 1} B_i) = n_i \}$$

Then an LH-system S, with $g(e) = \{t \in \mathbb{R}^+ : t \ge \delta_m\}$, $\forall e \in E$, for some real $\delta_m > 0$, satisfies $P^s$ w.r.t. $Q'$. Theorem 2 becomes

Proposition 12. Consider an LH-system S, and we assume that full state information is available, i.e. $\eta_o(t) = \xi(t,j)$, $t \in [t_j, t'_j)$, $j = 0, 1, \dots, L$. Let $g(e) = \{t \in \mathbb{R}^+ : t \ge \delta_m\}$, $\forall e \in E$, for some real $\delta_m > 0$. Then

$$S \text{ is asy. stabilizable} \iff S|_{\overline{Reach^{-1}(Q')}} \text{ is asy. stabilizable}$$

Proof. S is a linear hybrid system. The proof is a consequence of Theorem 11, Theorem 2 and 9. □

Proposition 13. Consider a linear switching system S (i.e. an LH-system with $W = V$), with $f(i) \ne \infty$, $\forall i \in Q$ and $i \ne j$, $\forall (i,s,j) \in E$. S is asymptotically stabilizable if and only if each proper strongly connected component is asymptotically stabilizable.

Proof. If S is a linear switching system, the maximal traps coincide with the proper strongly connected components. Since by Theorem 9 $P^s$ is composition closed and, by Theorem 11, $P^s$ is backward extendable, then by specializing the proof of Theorem 5 to this case the statement follows. □

Proposition 14. A linear switched system S (i.e. an LH-system, with $W = U$) is asymptotically stabilizable if and only if each sink of S is asymptotically stabilizable.

Proof. If S is a linear switched system, the maximal traps coincide with the leaves. Since by Theorem 9 $P^s$ is composition closed and, by Theorem 11, $P^s$ is backward extendable, then by specializing the proof of Theorem 5 to this case the statement follows. □

5.2. Detectability

We consider here the class of autonomous linear switching systems, i.e. LH-systems with $W = V$, and $B_i = 0$, $\forall i \in Q$.

Detectability is the property of asymptotically reconstructing the current continuous state of a system, by giving an estimation with an error which asymptotically converges to zero.

As for the case of asymptotic stabilizability, we only consider executions with infinite continuous length. Given an execution $\chi$ of S, the pair $(\tau, q)$ represents the discrete state evolution. We can assume here w.l.o.g. that for any two transitions $(i,s,j)$ and $(i',s',j')$ if $i = i'$ and $j = j'$ then $s = s'$.

Let $\eta_{o\chi}$ be the observed output associated with the execution $\chi$. By linearity, if two executions $\chi_1 = (\tau, \xi_1)$, $\chi_2 = (\tau, \xi_2)$ of S share the same discrete state evolution, then the tuple $\chi_1 \oplus \chi_2 := (\tau, \xi)$, with $\xi(t,j) = (q(j), x_1(t,j) + x_2(t,j))$ is an execution of S. Therefore given a set of executions $F$, an execution $\chi_h \in F$ is "hidden" if for any $\chi_1 \in F$, with the same discrete state evolution as $\chi_h$, the observed output associated with $\chi_1$ is the same as the observed output associated to $\chi_1 \oplus \chi_h$, i.e.

$$\eta_{o\chi_1} = \eta_{o(\chi_1 \oplus \chi_h)}$$

Let $F_h \subseteq F$ be the set of hidden executions in $F$.

Definition 15 ($P^o$-property). Let $F$ be a set of executions of S; $P^o(F) = \text{true}$ if $P^s(F_h) = \text{true}$.

As in the case of asymptotic stabilizability, the definition above requires that all the executions in $F$ have infinite continuous length.

Theorem 16. Let S be an autonomous linear switching system. Then the $P^o$-property is composition closed and backward extendable.

Proof. Autonomous linear switching systems are a subclass of LH-systems. Since $P^s$ is composition closed and backward extendable (see Theorems 9 and 11), the result follows. □

The definition of detectability (formerly introduced in [7] and characterized in [11]) can be reformulated in our framework as

Definition 17. Given $Q' \subseteq Q$, S is $Q'$-detectable if it satisfies the property $P^o$ w.r.t. $Q'$.

Let $Q''$ be the subset of discrete states, whose associated observable dynamics is observable, i.e.

$$Q'' = \left\{ i \in Q : \mathrm{rank} \begin{pmatrix} C_i \\ C_i A_i \\ \vdots \\ C_i A_i^{n_i - 1} \end{pmatrix} = n_i \right\}.$$

Then Theorem 2 becomes

Proposition 18. Consider an autonomous LH-system S. For any $e \in E$, let $g(e) = \{t \in \mathbb{R}^+ : t \ge \delta_m(e) > 0\}$. Then

$$S \text{ is detectable} \iff S|_{\overline{Reach^{-1}(Q'')}} \text{ is detectable}$$

Proof. S is a linear autonomous hybrid system. By Theorem 16, the $P^o$-property is composition closed and backward extendable. The system S is detectable w.r.t. $Q' = Reach^{-1}(Q'')$, by definition of this last set, and obviously $Reach^{-1}(Q') = Q'$. If $S|_{\overline{Reach^{-1}(Q'')}}$ is detectable, then by statement (iii) of Theorem 2, S is detectable w.r.t. $Reach^{-1}(Q'') \cup \overline{Reach^{-1}(Q'')} = Q$, and hence S is detectable.

Conversely, if S is detectable, then we can write $Q = Reach^{-1}(Q'') \cup \overline{Reach^{-1}(Q'')}$. By statement (iii) of Theorem 2, S is detectable w.r.t. $Q'$ and $S|_{\overline{Reach^{-1}(Q'')}}$ is detectable. □

Fig. 3. S satisfies the property $P^s$ with respect to the set $\{q'\}$.

Fig. 4. S enjoys the property $P^s$ with respect to the set $Reach^{-1}(\{q'\})$ (yellow states in the figure).

5.3. Reachability

Consider an H-system S and let $S$ denote a subset of the hybrid state space $\Xi$. Define the reachability property as

Definition 19 ($P^{r,S}$-property). Let $F \subseteq \mathcal{X}_S$. Given $S \subseteq \Xi$, $P^{r,S}(F)$ is true if for any $\chi \in F$ there exist $j \ge 0$ and $t \in I_j$, such that $\xi(t,j) \in S$.

Then, reachability of the set $S$ may be defined as follows.

Definition 20. The set $S$ is reachable for the H-system S if S satisfies $P^{r,S}$.

If $S = \bigcup_{i \in Q} \{i\} \times \{0\}$, then the above definition boils down to the concept of 0-controllability.

The following result states that the reachability property is composition closed and backward extendable for the class of H-systems.

Theorem 21. Given any H-system S, for any $S \subseteq \Xi$, the $P^{r,S}$-property is composition closed and backward extendable.

The above result implies that Theorems 2 and 5 apply. In particular, reachability of the set $S$ for the H-system S can be checked, by testing the reachability of $S$ for the traps of S.

5.4. Safety

Consider a switching system $S = (\Xi, W, S, E, g, f, R)$, with $f(i) = \infty$, $\forall i \in Q$, and constraints

$$\xi(t,j) \in \Omega = \bigcup_{i \in Q} \{i\} \times \Omega_i \subseteq \Xi, \quad \forall t \in I_j, \ \forall I_j \in \tau, \ \forall \tau \in T \qquad (1)$$

S is safe with respect to the constraints (1) if there exist a set of initial states and a control strategy such that constraints (1) can be satisfied. Equivalently we can say that S is safe with respect to the constraints (1) if there exists a controlled invariant set $P$ for S, subset of $\Omega$. Let such a set $P = \bigcup_{i \in Q} (\{i\} \times S_i) \subseteq \Xi$ be given.

Consider the property

Definition 22 ($P^{inv,P}$-property). Let $F$ be a set of executions of S. $P^{inv,P}(F)$ is true if for any execution in $F$ with initial state belonging to $P$, $\xi(t,j) \in P$, $\forall t \in I_j$, $\forall j \in \{0, 1, \dots, L\}$.

Controlled invariance of $P$ can be defined as

Definition 23. Consider a switching system S. The set $P$ is controlled invariant for S if S satisfies $P^{inv,P}$.

By definition, the $P^{inv,P}$-property is composition closed but not backward extendable.

Theorem 24. Consider a switching system S. For any $P = \bigcup_{i \in Q} (\{i\} \times S_i) \subseteq \Xi$, the $P^{inv,P}$-property is composition closed.

Since the property is not backward extendable, for the set $P$ to be controlled invariant, all the traps have to satisfy the property (Theorem 5, (ii)), but the fact that all the traps satisfy the property does not imply that S satisfies the property.

5.5. Finite escape time

Let S be a switching system. We consider here the property of the state escaping from a given set in finite time and never reaching it again. Formally

Definition 25 ($P^{e,\Omega}$-property). Given a set $\Omega = \bigcup_{i \in Q'} \{i\} \times \Omega_i \subseteq \Xi$, $Q' \subseteq Q$, and a set $F$ of executions of S, $P^{e,\Omega}(F)$ is true if there exists a finite $\bar{t} \ge 0$ (escape time) such that for any execution in $F$

$$\xi(t,j) \notin \Omega, \quad \forall t \in [t_0 + \bar{t}, \infty) \cap I_j, \ \forall j = \inf\{j : t_0 + \bar{t} \in I_j\}, \dots, L.$$

Definition 26. Given the switching system S, the set $\Omega$ can be escaped in finite time if S satisfies $P^{e,\Omega}$.

We can state the following:

Theorem 27. Consider a switching system S. The $P^{e,\Omega}$-property is backward extendable.

Escapability in finite time is not composition closed, as the following example shows.

Example 28. Let $S = (\Xi, W, S, E, g, f, R)$ be a switching system, with $Q = \{1, 2, 3\}$, $\mathbb{R}^{n_i} = \mathbb{R}$, $\forall i \in Q$, $V = \{s\}$ and $E = \{e_1 = (1,s,2), e_2 = (2,s,3)\}$, $g(e) = \mathbb{R}^+$, $\forall e \in E$, $f(e_1) = \infty$, $f(e_2) = \Delta$, $R(e,x) = x$, $\forall e \in E$. Let $F_1$ be the set of executions with no switchings, and the discrete state equal to 1 for any time. Consider the set $F_2$ of executions, starting from discrete state 2. Since $f(e_2) = \Delta$, then any execution in $F_2$ commutes from 2 to 3, within the maximum time $\Delta$. Then $P^e(F_1)$ is true, with $\bar{t} = 0$, and $P^e(F_2)$ is true, with $\bar{t} = \Delta$, but $P^e(F_1 \circ F_2) = \text{false}$, since, by definition of composition, there is no upper bound on the escape time for the executions in $F_1 \circ F_2$.

The theorem above implies that only statements (i) of Theorem 2 and (ii) of 5 hold. Hence, we can only state necessary conditions for escapability in finite time.

5.6. Norm boundedness

Consider an H-system S with $\mathbb{R}^{n_i} = \mathbb{R}^n$, $\forall i \in Q$.


Fig. 5. Subsystem upon which stabilizability has to be tested (Theorem 2).

Fig. 6. Decomposition into 5 traps.

Fig. 7. Subsystem upon which stabilizability has to be tested.


Definition 29 ($P^b$-property). Given a positive real $\alpha$ and a set $F$ of executions of S, $P^b(F)$ is true if for any $\chi \in F$

$$\sum_{j=0}^{L} \left( \int_{t_j}^{t'_j} \|x(t,j)\| \, dt \right) \le \alpha$$

By definition, $P^b$ is not composition closed nor backward extendable, and hence Theorem 5 does not apply.

6. An example

Consider an LH-system S and let $g(e) = \{t \in \mathbb{R}^+ : t \ge \delta_m\}$, $\forall e \in E$, for some real $\delta_m > 0$. Fig. 3 describes the discrete transitions of S: the dashed links represent uncontrolled transitions and the solid links represent controlled transitions. Assume that a controllable dynamic system is associated with the discrete state $q'$. Then S satisfies the property $P^s$ with respect to the set $\{q'\}$.

By Proposition 12, S satisfies the property $P^s$ with respect to the set $Reach^{-1}(\{q'\})$ (see Fig. 4). Therefore, from (iii) of Theorem 2, we have to check stabilizability for the subsystem illustrated in Fig. 5. The FSM in Fig. 5 can be decomposed into 5 traps shown in Fig. 6. Finally, by Theorem 5, if all traps satisfy $P^s$, then the given system S does. Hence, we now only need to check if the continuous systems associated to the three singletons, and the hybrid systems corresponding to the two cycles in Fig. 7 are stabilizable.

7. Conclusions

We presented abstract properties such as stabilizability and detectability for hybrid systems, and presented results on decomposition of the discrete structure of the hybrid system, which allow a significant reduction of the effort required to test properties such as stabilizability or detectability. Our technique can be used to obtain efficient tests, if combined with state space decompositions defined on the continuous component of the state space.

Appendix A. Hybrid system execution

Consider the function $\xi : \mathbb{R} \times \{0, 1, \dots\} \to \Xi$ and the hybrid time basis $\tau = \{I_j, j = 0, 1, \dots, L\}$, $L = \mathrm{card}(\tau) - 1$, where $\mathrm{card}(\tau)$ will be called discrete length and $I_j = \{t \in \mathbb{R} : t_j \le t \le t'_j\}$, $t'_j = t_{j+1}$. If $L < \infty$, then $I_L = [t_L, t'_L]$ or $I_L = [t_L, t'_L)$, where $t'_L$ may be infinite. The value $T = \sum_{j=0}^{L} (t'_j - t_j)$ is the continuous length

• finite: if $L < \infty$, $T < \infty$ and $I_L = [t_L, t'_L]$;

• infinite: if $L = \infty$ or $T = \infty$;

• Zeno: if $L = \infty$ and $T < \infty$;

The hybrid state at $(t,j)$ is $\xi(t,j) = (q(j), x(t,j))$, $t \in I_j$, $j = 0, 1, \dots, L$. In order to precisely define the evolution (also called execution) of S, together with discrete input symbols, let us consider the set $U_d$ of functions $u : \mathbb{R} \to U \cup \{\epsilon\}$, with $\epsilon$ the null event and with $u(t) = \epsilon$ a.e. We say that $(\tau, \xi)$ is an execution of S if for some functions $u \in U_d$ and $u \in U$, for some $s : \{0, 1, \dots, L-1\} \to W$, and for some $\xi_0 = (q_0, x_0) \in \Xi$, the function $\xi$ is such that

$$\xi(t,j) = (q(j), x(t,j)), \quad t \in I_j, \ j = 0, 1, \dots, L$$

where $\xi(t_0, 0) = \xi_0$, $\xi(t_{j+1}, j+1) = R(e(j), \xi(t'_j, j))$, $j = 0, 1, \dots, L-1$, $q : \{0, 1, \dots, L\} \to Q$ and $x(t,j)$ is equal to the (unique) solution at time $t$ of the dynamical system $S(q(j))$, with initial time $t_j$, initial condition $x(t_j, j)$ and control law $u$; $e : \{0, 1, \dots, L-1\} \to E$; $s(j)$ and $q(j+1)$ are such that $e(j) = (q(j), s(j), q(j+1)) \in E$, $j = 0, 1, \dots, L-1$, and $t'_j - t_j \in g(e(j))$. Given $t \in I_j$, if $(q(j), u(t), q') \in E$, for some $q' \in Q$, then $t'_j = t$, and $s(j) \in \{u(t_j)\} \cup V$ (roughly speaking, this means that when a discrete input is applied to the system, a transition is forced, but not necessarily one corresponding to that discrete input, since a discrete disturbance and a discrete input can act simultaneously on the system, and the disturbance has the priority); let $\xi(t,j) = (i, x(t,j))$, and suppose $f(i) = \hat{t}$, for some $\hat{t} \in \mathbb{R}^+$. If $t = t_j + \hat{t}$, then $t'_j = t$.

Appendix B. Proof of Theorem 9

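Let $F_i \subseteq \mathcal{X}^*$ be such that $P(F_i) = \text{true}$, $i = 1, 2$. Then $\forall \delta > 0$ there exist $\gamma_1(\delta), \gamma_2(\delta) \in \mathbb{R}^+$ such that $\forall \chi_1 = (\tau_1, \xi_1) \in F_1$, with initial state $\xi_1(t_{01}, 0) = (q_{01}, x_{01}) \in \delta B$

$$\xi_1(t,j) \in \gamma_1(\delta) B, \quad \forall t \in I_j, \ \forall j = 0, 1, \dots, \mathrm{card}(\tau_1) - 1 \qquad (2)$$

and $\forall \chi_2 = (\tau_2, \xi_2) \in F_2$, with initial state $\xi_2(t_{02}, 0) = (q_{02}, x_{02}) \in \delta B$

$$\xi_2(t,j) \in \gamma_2(\delta) B, \quad \forall t \in I_j, \ \forall j = 0, 1, \dots, \mathrm{card}(\tau_2) - 1 \qquad (3)$$

where $\tau_i = \{I_{ji} = [t_{ji}, t'_{ji}], \ j = 0, 1, \dots, \mathrm{card}(\tau_1) - 1\}$, is the time basis of execution $\chi_i$, $i = 1, 2$. Therefore, if $F_1 \circ F_2 \ne \emptyset$, by setting $\gamma(\delta) = \gamma_2(\gamma_1(\delta))$, we obtain that $\forall \chi = (\tau, \xi) \in F_1 \circ F_2$, with initial state $\xi(t_0, 0) = (q_0, x_0) \in \delta B$

$$\xi(t,j) \in \gamma B, \quad \forall t \in I_j, \ \forall j = 0, 1, \dots, \mathrm{card}(\tau) - 1$$

where $\tau = \{I_j = [t_j, t'_j], \ j = 0, 1, \dots, \mathrm{card}(\tau) - 1\}$ is the time base of execution $\chi$. Therefore condition (i) of Definition 8 holds. Given $\varepsilon$ and $\delta$, let $\bar{t}_1(\varepsilon, \delta)$ be such that $\forall \chi_1 = (\tau_1, \xi_1) \in F_1$, with initial state $\xi_1(t_{01}, 0) = (q_{01}, x_{01}) \in \delta B$

$$\xi_1(t,j) \in \varepsilon B, \quad \forall t \in I_{j1} \cap [t_{01} + \bar{t}_1(\varepsilon, \delta), \infty), \ \forall j = \min\{j : t_{01} + \bar{t}_1(\varepsilon, \delta) \in I_{j1}\}, \dots, \mathrm{card}(\tau_1) - 1 \qquad (4)$$

and let $\bar{t}_2(\varepsilon, \delta)$ be such that $\forall \chi_2 = (\tau_2, \xi_2) \in F_2$, with initial state $\xi_2(t_{02}, 0) = (q_{02}, x_{02}) \in \delta B$

$$\xi_2(t,j) \in \varepsilon B, \quad \forall t \in I_{j2} \cap [t_{02} + \bar{t}_2(\varepsilon, \delta), \infty), \ \forall j = \min\{j : t_{02} + \bar{t}_2(\varepsilon, \delta) \in I_{j2}\}, \dots, \mathrm{card}(\tau_2) - 1 \qquad (5)$$

Then, if $F_1 \circ F_2 \ne \emptyset$, by setting

$$\bar{t}(\varepsilon, \delta) = \bar{t}_1(\varepsilon', \delta) + \bar{t}_2(\varepsilon, \gamma_1(\delta)), \qquad \varepsilon' = \max\{\alpha : \gamma_2(\alpha) \le \varepsilon\}$$

it follows that for any execution $\chi$ in $F_1 \circ F_2$

$$\xi(t,j) \in \varepsilon B \|x_0\|, \quad \forall t \in I_j \cap [t_0 + \bar{t}(\varepsilon, \delta), \infty), \ \forall j = \min\{j : t_0 + \bar{t}(\varepsilon, \delta) \in I_j\}, \dots, \mathrm{card}(\tau) - 1$$

In fact, if we switch from execution $\chi_1$ to execution $\chi_2$ at time $\hat{t} \ge t_{01} + \bar{t}_1(\varepsilon', \delta)$, by definition of $\varepsilon'$, combining conditions (3) and (4) the result follows. Otherwise, if we switch from execution $\chi_1$ to execution $\chi_2$ at time $\hat{t} < t_{01} + \bar{t}_1(\varepsilon', \delta)$, by definition of $\bar{t}_2(\varepsilon, \gamma_1(\delta))$, combining conditions (2) and (4) the result follows.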

Appendix C. Computation of traps

Given an H-system S with FSM $(Q, W, E)$, and given a strongly connected FSM $(Q', W, E')$ in $(Q, W, E)$ let exit_points$(Q', W, E')$ denote the set of discrete states such that for some control strategy any controlled execution starting from exit_points$(Q', W, E')$ is guaranteed to exit from the set $Q'$.

Algorithm 30 (Maximal traps computation).

initialize $Q^c = Q$;

repeat

    STEP 1:

        Compute $(Q^c_j, W, E|_{Q^c_j})$, $j = 1, 2, \dots, f$, strongly connected components of $(Q^c, W, E|_{Q^c})$;

        $TR = \{(Q^c_j, W, E|_{Q^c_j}), \ j = 1, 2, \dots, f\}$;

    STEP 2:

        $Q^e = \bigcup_{j = 1, 2, \dots, f}$ exit_points$(Q_j, W, E_j)$;

        $Q'' = \{q \in Q^c : q \notin Q^e\}$; $Q^c = Q''$;

until $Q^e = \emptyset$;

RETURN $TR$.

Proposition 31. Given S, the Algorithm 30 ends after at most $N$ iterations. The set $TR$ is the set of all maximal traps of S.

Proof. The number of iterations is bounded by $N$, the number of discrete states of the system S, since the algorithm at each iteration removes from the set $Q$ at least a discrete state. The fact that the set $TR$ is the set of all the maximal traps of S is obvious by definition of trap and exit_points. □

The next propositions give the tools for the computation of the set $Reach^{-1}(Q')$, $Q' \subseteq Q$, and exit_points$((Q', W, E'))$, $E' \subseteq E$, on which the computation of the traps of a system is based:

Proposition 32. Given some set $Q' \subseteq Q$, the set $Reach^{-1}(Q')$ can be recursively computed as follows:

case $f(q) = \infty$, $\forall q \in Q$

    $Reach^{-1}(Q') = Q'$

    repeat

        $Q'' = \{ q \in Q : \exists (q,s,q') \in E, \ s \in U, \ q' \in Reach^{-1}(Q')$ and $\forall (q,d,q'') \in E : d \in V, \ q'' \in Reach^{-1}(Q') \}$

        $Reach^{-1}(Q') = Reach^{-1}(Q') \cup Q''$

    until $Q'' = \emptyset$

case $f(q) \ne \infty$, $\forall q \in Q$

    $Reach^{-1}(Q') = Q'$

    repeat

        $Q'' = \{ q \in Q : \exists (q,s,q') \in E, \ s \in W, \ q' \in Reach^{-1}(Q')$ and $\forall (q,d,q'') \in E : d \in V, \ q'' \in Reach^{-1}(Q') \}$

        $Reach^{-1}(Q') = Reach^{-1}(Q') \cup Q''$

    until $Q'' = \emptyset$

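Proposition 33. Given a strongly connected FSM $(Q', W, E')$, $Q' \subseteq Q$ and $E' \subseteq E$, exit_points$((Q', W, E')) = Reach^{-1}(\tilde{Q})$, where

case $f(q) = \infty$, $\forall q \in Q$:

    $\tilde{Q} = \{ q \in Q' : \exists (q,s,q') \in E, \ s \in U, \ q' \notin Q'$ and $\forall (q,d,q'') \in E : d \in V, \ q'' \notin Q' \}$

case $f(q) \ne \infty$, $\forall q \in Q$:

    $\tilde{Q} = \{ q \in Q' : \exists (q,s,q') \in E, \ q' \notin Q'$ and $\forall (q,d,q'') \in E : d \in V, \ q'' \notin Q' \}$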
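As an added illustration (not the authors' code), the following Python example implements Algorithm 30 with the tests of Propositions 32 and 33 and runs it on the FSM of Example 6, where it returns the trap $\{1,2\}$ and the sink $\{3\}$. The function names, the `finite_dwell` flag (selecting the case $f(q) \ne \infty$ for every state) and the second edge set are assumptions made here; the loop of Proposition 32 is read as stopping when no new state is added.

```python
from collections import defaultdict

def sccs(nodes, E):
    """Strongly connected components of the FSM restricted to `nodes` (Step 1)."""
    succ, pred = defaultdict(set), defaultdict(set)
    for q, _, r in E:
        if q in nodes and r in nodes:
            succ[q].add(r)
            pred[r].add(q)

    def closure(start, nbrs):
        seen, stack = {start}, [start]
        while stack:
            for n in nbrs[stack.pop()]:
                if n not in seen:
                    seen.add(n)
                    stack.append(n)
        return seen

    remaining, comps = set(nodes), []
    while remaining:
        q = min(remaining)  # labels must be mutually comparable
        comp = closure(q, succ) & closure(q, pred)
        comps.append(frozenset(comp))
        remaining -= comp
    return comps

def _out(q, E):
    """Outgoing (symbol, target) pairs of discrete state q."""
    return [(s, r) for (p, s, r) in E if p == q]

def reach_inv(target, Q, E, U, V, finite_dwell=False):
    """Proposition 32: a state is added when one of its transitions enters the
    current set (a controlled one if f = inf, any one if f is finite) and
    every disturbance transition enters it too."""
    reach = set(target)
    while True:
        new = set()
        for q in set(Q) - reach:
            out = _out(q, E)
            enters = any(r in reach and (finite_dwell or s in U) for s, r in out)
            dist_ok = all(r in reach for s, r in out if s in V)
            if enters and dist_ok:
                new.add(q)
        if not new:  # fixed point: no new state was added
            return reach
        reach |= new

def exit_points(comp, Q, E, U, V, finite_dwell=False):
    """Proposition 33: Reach^-1 of the states of `comp` that can be forced out."""
    seed = set()
    for q in comp:
        out = _out(q, E)
        leaves = any(r not in comp and (finite_dwell or s in U) for s, r in out)
        dist_leave = all(r not in comp for s, r in out if s in V)
        if leaves and dist_leave:
            seed.add(q)
    return reach_inv(seed, Q, E, U, V, finite_dwell) if seed else set()

def maximal_traps(Q, E, U, V, finite_dwell=False):
    """Algorithm 30: remove exit points until no component has any."""
    Qc = set(Q)
    while True:
        TR = sccs(Qc, E)
        Qe = set()
        for comp in TR:
            Qe |= exit_points(comp, Q, E, U, V, finite_dwell)
        if not Qe:
            return sorted(TR, key=min)
        Qc -= Qe

# Example 6 of the paper: U = {s}, V = {d}, f(i) = inf for every i.
E6 = {(1, "d", 2), (2, "d", 1), (2, "s", 3)}
EXAMPLE6_TRAPS = maximal_traps({1, 2, 3}, E6, U={"s"}, V={"d"})

# Constructed variant: the same graph as a switched system (W = U).
E_SWITCHED = {(1, "s", 2), (2, "s", 1), (2, "s", 3)}
SWITCHED_TRAPS = maximal_traps({1, 2, 3}, E_SWITCHED, U={"s"}, V=set())

if __name__ == "__main__":
    print("Example 6:", [sorted(t) for t in EXAMPLE6_TRAPS])  # [[1, 2], [3]]
    print("switched :", [sorted(t) for t in SWITCHED_TRAPS])  # [[3]]
```

In the switched variant only the sink survives, in line with Proposition 14.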

References

[1] R. Alur, T.A. Henzinger, G. Lafferriere, G.J. Pappas, Discrete abstractions of hybrid systems, Proceedings of the IEEE 88 (2000) 971–984.

[2] M. Babaali, G.J. Pappas, Observability of switched linear systems in continuous time (HSCC 05), in: M. Morari, L. Thiele (Eds.), Lecture Notes in Computer Science, vol. 3414, Springer-Verlag, 2005, pp. 103–117.

[3] A. Balluchi, L. Benvenuti, M.D. Di Benedetto, A.L. Sangiovanni-Vincentelli, Design of observers for hybrid systems, in: C.J. Tomlin, M.R. Greenstreet (Eds.), Lecture Notes in Computer Science, vol. 2289, Springer-Verlag, 2002, pp. 76–89.

[4] A. Balluchi, L. Benvenuti, A.L. Sangiovanni-Vincentelli, Discrete and continuous structural properties for observability, in: 16th Mathematical Theory of Networks and Systems Conference (MTNS2004), Leuven, Belgium, July 5–9, 2004.

[5] A. Bemporad, G. Ferrari-Trecate, M. Morari, Observability and controllability of piecewise affine and hybrid systems, IEEE Transactions on Automatic Control 45 (October (10)) (2000) 1864–1876.

[6] R.A. De Carlo, M.S. Branicky, S. Pettersson, B. Lennartson, Perspective and results on the stability and stabilizability of hybrid systems, Proceedings of the IEEE 88 (July (7)) (2000) 1069–1082.

[7] E. De Santis, M.D. Di Benedetto, G. Pola, On observability and detectability of continuous–time linear switching systems, in: Proceedings of the 42nd IEEE Conference on Decision and Control (CDC'03), Maui, HI, USA, December 9–12, 2003, pp. 5777–5782.

[8] E. De Santis, M.D. Di Benedetto, L. Berardi, Computation of maximal safe sets for switching systems, IEEE Transactions on Automatic Control 41 (February (10)) (2004) 184–195.

[9] E. De Santis, M.D. Di Benedetto, G. Girasole, Digital idle speed control of automotive engines using hybrid models, in: Proceedings 16th IFAC World Congress, Prague, July 2005.

[10] E. De Santis, M.D. Di Benedetto, G. Pola, Digital idle speed control of automotive engines: a safety problem for hybrid systems, Nonlinear Analysis: Hybrid Systems 1 (2006) 1705–1724.

[11] E. De Santis, M.D. Di Benedetto, G. Pola, A structural approach to detectability for a class of hybrid systems, Automatica 45 (5) (2009) 1202–1206.

[12] E. De Santis, M.D. Di Benedetto (Guest Editors), Special issue on observability and observer-based control of hybrid systems, International Journal of Robust and Nonlinear Control 19 (14) (2009) 1519–1520.

[13] R. Galvan-Guerra, V. Azhmyakov, M. Egerstedt, Optimization of multiagent systems with increasing state dimensions: hybrid LQ approach, in: Proceedings of the 2011 American Control Conference (June 2011), pp. 881–887.

[14] E. Haghverdi, P. Tabuada, G.J. Pappas, Bisimulation relations for dynamical, control and hybrid systems, Theoretical Computer Science 342 (2–3) (2005) 229–261.

[15] T.A. Henzinger, Hybrid automata with finite bisimulations, in: Z. Fulop, F. Gecseg (Eds.), ICALP 95: Automata, Languages, and Programming, Lecture Notes in Computer Science, vol. 944, Springer, New York, 1995, pp. 324–335.

[16] G. Lafferriere, G.J. Pappas, S. Sastry, Hybrid systems with finite bisimulations, in: P.J. Antsaklis, W. Kohn, M. Lemmon, A. Nerode, S. Sastry (Eds.), Hybrid Systems, Lecture Notes in Computer Science, Springer, New York, 1998, pp. 186–203.

[17] G. Lafferriere, G.J. Pappas, S. Sastry, O-minimal hybrid systems, Mathematics of Control, Signals, and Systems 13 (2000) 1–21.

[18] D. Liberzon, Switching in Systems and Control, Birkhauser, Boston, June 2003.

[19] J. Lygeros, C. Tomlin, S. Sastry, Controllers for reachability specifications for hybrid systems, Automatica, Special Issue on Hybrid Systems 35 (1999).

[20] Z. Manna, A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems: Specification, Springer-Verlag, Berlin, 1992.

[21] R. Milner, Communication and Concurrency, Prentice Hall, 1989.

[22] G.J. Pappas, Bisimilar linear systems, Automatica 39 (2003) 2035–2047.

[23] G.J. Pappas, Bisimilar control affine systems, Systems & Control Letters 52 (2004) 49–58.

[24] D.M.R. Park, Concurrency and automata on infinite sequences, Lecture Notes in Computer Science, vol. 104, 1981, pp. 167–183.

[25] G. Pola, A.J. van der Schaft, M.D. Di Benedetto, Equivalence of switching linear systems by bisimulation, International Journal of Control 79 (2006) 52–74.

[26] Z. Sun, S.S. Ge, Analysis and synthesis of switched linear control systems, Automatica 41 (2005) 181–195.

[27] Z. Sun, S.S. Ge, Switched Linear Systems—Control and Design, Communication and Control Engineering Series, 2005.

[28] P. Tabuada, G.J. Pappas, P. Lima, Composing abstractions of hybrid systems, in: C. Tomlin, M.R. Greenstreet, Hybrid Systems: Computation and Control, Lecture Notes in Computer Science, Springer, Heidelberg, Berlin, 2002, pp. 436–450.

[29] C. Tomlin, J. Lygeros, S. Sastry, Synthesizing controllers for nonlinear hybrid systems, in: S. Sastry, T. Henzinger (Eds.), First International Workshop, HSCC'98, Hybrid Systems: Computation and Control, Lecture Notes in Computer Science, vol. 1386, 1998, pp. 360–373.

[30] R. Vidal, A. Chiuso, S. Soatto, S. Sastry, Observability of linear hybrid systems, in: A. Pnueli, O. Maler (Eds.), Lecture Notes in Computer Science, vol. 2623, Springer-Verlag, Berlin, Heidelberg, 2003, pp. 526–539.

[31] P.V. Zhivoglyadov, R.H. Middleton, On stability in hybrid systems, in: Proceedings of the 37th IEEE Conference on Decision and Control (CDC'98), Tampa, FL, USA, December 1998, pp. 3687–3692.

[32] W. Zielonka, Infinite games on finitely coloured graphs with applications to automata on infinite trees, Theoretical Computer Science 200 (1998) 135–183.