Download pdf - 24: Model Checking & Reachability Analysissymbolaris.com/course/fcps16/reachability.pdf · 24: Model Checking & Reachability Analysis ... editors, Handbook of Model Checking. Springer,

24: Model Checking & Reachability Analysis15-424: Foundations of Cyber-Physical Systems

Goran Frehse Andre Platzer

Verimag

[1] Laurent Doyen, Goran Frehse, George J. Pappas, Andre Platzer.Verification of Hybrid Systems.In Edmund M. Clarke, Thomas A. Henzinger and Helmut Veith,editors, Handbook of Model Checking. Springer, 2017.

Goran Frehse, Andre Platzer () FCPS / 24: Model Checking & Reachability Analysis 1 / 36

http://www.springer.com/us/book/9783319105741

http://www.springer.com/us/book/9783319105741

Outline

1 Hybrid AutomataExampleDefinition and Semantics

2 Set-Based ReachabilityPiecewise Constant DynamicsPiecewise Affine DynamicsSet Representations

3 Conclusions


Outline



3 Conclusions


Outline



3 Conclusions


Example: Ball on String

m

Fs

Fg

xr

xr + L

x

(a) extension

m

Fg

xr

xr + L

x

(b) freefall

dynamics in freefall when x ≥ xr , with mass m

mx = Fg = −mg

dynamics in extension when x ≤ xr , spring constant k , damping d

mx = Fg + Fs = −mg + kxr − kx − dx

transition when x = xr + L, collision factor c ∈ [0, 1] x+ = −cx



m

Fs

Fg

xr

xr + L

x

(c) extension

m

Fg

xr

xr + L

x

(d) freefall

dynamics in freefall when x ≥ xr , with mass m

mx = Fg = −mg

dynamics in extension when x ≤ xr , spring constant k , damping d

mx = Fg + Fs = −mg + kxr − kx − dx

transition when x = xr + L, collision factor c ∈ [0, 1] x+ = −cxGoran Frehse, Andre Platzer () FCPS / 24: Model Checking & Reachability Analysis 2 / 36

Hybrid Automaton Model: Ball on String

auxiliary variable v = x , so v = x

clip from SpaceEx Model Editor1

1G. Frehse, C. L. Guernic, A. Donze, R. Ray, O. Lebeltel, R. Ripado, A. Girard, T. Dang,and O. Maler, “Spaceex: Scalable verification of hybrid systems,” in CAV’11, ser. LNCS,Springer, 2011.


Simulation

0 0.5 1 1.5 2 2.5

−1

0

1

x0

x1

x2

x3x4

x5

t

positionx

0 0.5 1 1.5 2 2.5

−5

0

5

v0

v1

v−2

v2

v3

v4

v5

t

velocity

v


Outline



3 Conclusions


Hybrid Automata (Alur, Henzinger, ’95)[2][3]

locations Loc = ℓ1, . . . , ℓm and variables X = x1, . . . , xndefine the state space Loc× RX

transitions Edg ⊆ Loc× Lab× Loc define location changes withsynchronization labels Lab

evolution domain alias invariant Inv ⊆ Loc× RX ,

flow relation Flow, where Flow(ℓ) ⊆ RX × RX , e.g.,

x = f (x);

jump relation Jump, where Jump(e) ⊆ RX × RX+, e.g.,

Jump(e) = (x, x+) | x ∈ G ∧ x+ = r(x)

initial states Init ⊆ Inv

Except: all described by semialgebraic sets (often polyhedra)


Hybrid Automata (Alur, Henzinger, ’95)[2][3]

locations Loc = ℓ1, . . . , ℓm and variables X = x1, . . . , xndefine the state space Loc× RX

transitions Edg ⊆ Loc× Lab× Loc define location changes withsynchronization labels Lab

evolution domain alias invariant Inv ⊆ Loc× RX ,

flow relation Flow, where Flow(ℓ) ⊆ RX × RX , e.g.,

x = f (x);

jump relation Jump, where Jump(e) ⊆ RX × RX+, e.g.,

Jump(e) = (x, x+) | x ∈ G ∧ x+ = r(x)

initial states Init ⊆ Inv

Except: all described by semialgebraic sets (often polyhedra)


Run Semantics

(ℓ0, x0)δ0,ξ0−−→ (ℓ0, ξ0(δ0))

α0−→ (ℓ1, x1)δ1,ξ1−−→ (ℓ1, ξ1(δ1)) . . .

with (ℓ0, x0) ∈ Init, αi ∈ Lab ∪ τ, and for i = 0, 1, . . .:

1 Trajectories: (ξ(t), ξ(t)) ∈ Flow(ℓ) and ξi(t) ∈ Inv(ℓi)for all t ∈ [0, δi ].

2 Jumps: (ξi(δi), xi+1) ∈ Jump(ei), ei = (ℓi , αi , ℓi+1) ∈ Edg, andxi+1 ∈ Inv(ℓi+1).

A state (ℓ, x) is reachable if there exists a run with (ℓi , xi) = (ℓ, x)for some i .

Usually: Flow(ℓ) is ODE and trajectory ξ(t) its solution


Run Semantics

(ℓ0, x0)δ0,ξ0−−→ (ℓ0, ξ0(δ0))

α0−→ (ℓ1, x1)δ1,ξ1−−→ (ℓ1, ξ1(δ1)) . . .

with (ℓ0, x0) ∈ Init, αi ∈ Lab ∪ τ, and for i = 0, 1, . . .:

1 Trajectories: (ξ(t), ξ(t)) ∈ Flow(ℓ) and ξi(t) ∈ Inv(ℓi)for all t ∈ [0, δi ].

2 Jumps: (ξi(δi), xi+1) ∈ Jump(ei), ei = (ℓi , αi , ℓi+1) ∈ Edg, andxi+1 ∈ Inv(ℓi+1).

A state (ℓ, x) is reachable if there exists a run with (ℓi , xi) = (ℓ, x)for some i .

Usually: Flow(ℓ) is ODE and trajectory ξ(t) its solution



−1 −0.8 −0.6 −0.4 −0.2 0 0.2 0.4 0.6 0.8 1

−5

0

5

x0

ξ0(δ0) = x1

ξ3(δ3) = x4ξ1(δ1)

x2

ξ2(δ2) = x3

ξ4(δ4) = x5

position x

velocity

v


Outline



3 Conclusions


Set-Based Reachability

Extending numerical simulation from numbers to sets

account for nondeterminism

exhaustive

infinite time horizon

Downsides:

only approximate for complex dynamics

generally not scalable in number of variables

trade-off between runtime and accuracy

may not terminate or degenerate to “system could be anywhere”


Reachability Algorithm

One-step successors by time elapse from set of states S ,

PostC (S) =(ℓ, ξ(δ))

∣∣ ∃(ℓ, x) ∈ S : (ℓ, x)δ,ξ−→ (ℓ, ξ(δ))

One-step successors by jump from set of states S ,

PostD(S) =(ℓ′, x′)

∣∣ ∃(ℓ′, x′) ∈ S ,∃α ∈ Lab∪τ:(ℓ, x) α−→ (ℓ′, x′)

R0 := PostC (Init),

Ri+1 := Ri ∪ PostC (PostD(Ri)).

If Ri+1 = Ri , then Ri = reachable states.

may not terminate if states unbounded (counter)

problem undecidable in general2

2T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya, “What’s decidable about hybridautomata?” Journal of Computer and System Sciences, vol. 57, pp. 94–124, 1998.


Ball on String: Reachable States

(clip from SpaceEx output)


Outline



3 Conclusions


HA of piecewise constant dynamics (PCDA,LHA)

initial states and invariants are conjunctions of linear constraints

xr ≤ x ∧ x ≤ xr + L

flows are conjunctions of linear constraints over derivatives X

x = 5 ∧ v = −1 ∧ 2 ≤ z ∧ z ≤ 5

jumps are conjunctive linear constraints over X ∪ X+,where X+ denote the variables after the jump.

x = xr + L ∧ v > 0 ∧ v+ = −0.5 ∗ v

One-step successors of PCDA can be computed exactly.Often: assume all constraints are compact or at least closed.


Polyhedra in Constraint Form

Conjunctive linear constraints are polyhedra

H-polyhedron (constraint form)

P =x∣∣∣ ∧m

i=1aTi x ≤ bi

,

with facet normals ai ∈ Rn and inhomogeneous coefficients bi ∈ R.vector-matrix notation:

P =x∣∣∣ Ax ≤ b

, with A =

(aT1...aTm

),b =

( b1...bm

).


Time Elapse with Polyhedra

For PCDA, it suffices to consider straight-line trajectories:3

Lemma (Constant Derivatives)

There is a trajectory ξ(t) from x = ξ(0) to x′ = ξ(δ), δ > 0, iffη(t) = x+ qt with q = (x′ − x)/δ is a trajectory from x to x′.

Proof Idea: Average slope is enough by mean-value theorem

3P.-H. Ho, “Automatic analysis of hybrid systems,” Technical Report CSD-TR95-1536,PhD thesis, Cornell University, Aug. 1995.



For PCDA, it suffices to consider straight-line trajectories:3

Lemma (Constant Derivatives)

There is a trajectory ξ(t) from x = ξ(0) to x′ = ξ(δ), δ > 0, iffη(t) = x+ qt with q = (x′ − x)/δ is a trajectory from x to x′.

Proof Idea: Average slope is enough by mean-value theorem

3P.-H. Ho, “Automatic analysis of hybrid systems,” Technical Report CSD-TR95-1536,PhD thesis, Cornell University, Aug. 1995.



Given polyhedra P = x | Ax ≤ b, Q = q | Aq ≤ bTime successors with constant slope ∈ Q (ignores evolution domain):

PQ = x′ | x ∈ P ,q ∈ Q, t ∈ R≥0, x′ = x+ qt.

Eliminating q = x′−xt

for t > 0, plug into Q, and multiplying with t:

PQ =x′∣∣∣ Ax ≤ b ∧ A(x′ − x) ≤ b · t ∧ t ≥ 0

.

Quantifier elimination of t squares the number of constraints. FMMore general union of two polyhedra if Q not compact.Subsequently intersect with evolution domain Inv:

postC (ℓ× P) = ℓ×(PFlow(ℓ)

)∩ Inv(ℓ).


Time Elapse with Polyhedra – Geometric Version

x1

x2

Qpos(Q)

(a) cone pos(Q)

x1

x2

P

Q

P ⊕Q

(b) P ⊕Q

x1

x2

P

P ⊕ pos(Q)

(c) PQ = P ⊕ pos(Q)

cone around Q pos(Q) = q · t | q ∈ Q, t ≥ 0Minkowski sum P ⊕Q = p+ q | p ∈ P ,q ∈ Qconvex hull chull(Q) =

∑qi∈Q λi · qi

∣∣∣ λi ≥ 0,∑

i λi = 1


Polyhedra in Generator Form

H-polyhedron (constraint form)

P =x∣∣∣ Ax ≤ b

, with A =

(aT1...aTm

),b =

( b1...bm

).

V-polyhedron (generator form)

P = (V ,R) = chull (V )⊕ pos(chull(R)).

with vertices V ⊆ Rn and rays R ⊆ Rn

If P = (V ,R) and Q = (V ′,R ′) in generator form and closed, then

PQ = (V ,R)(V ′,R ′) = (V ,R ∪ V ′ ∪ R ′)

But: conversion between H- and V-polyhedra is expensivecube: 2n constraints, 2n verticescross-polytope (diamond): 2n vertices, 2n constraints


Discrete Successors

Edge e = (ℓ, α, ℓ′) with guard x ∈ G and nondeterministic assignmentx+ = Cx+w, w ∈ W ,

postD(ℓ× P) = ℓ′ ×(C (P ∩ G)⊕W

)∩ Inv(ℓ′).

If constant matrix C invertible and everything in constraint form

CP = x | AC−1x ≤ b where P =x∣∣∣ Ax ≤ b

Otherwise requires quantifier elimination


Computational Cost

polyhedraoperation m constraints k generators

cone pos() m2 kMinkowski sum ⊕ exp k2

linear map Ax+b m / exp kintersection ∩ 2m exp

Generator form good for continuous successors PQ = P ⊕ pos(Q)Constraint form is better for discrete successors if no uncertaintyConversion is expensive


Outline



3 Conclusions


Piecewise Affine Dynamics

Hybrid automata with piecewise affine dynamics (PWA)

initial states and invariants are conjunctive linear constraintsover X alias polyhedra

xr ≤ x ∧ x ≤ xr + L

flows are affine ODEs with compact convex polyhedra U

x = Ax+ Bu, u ∈ U ,

jumps have a guard set and assignments

x+ = Cx+w, w ∈ W .


Continuous successors

x = Ax+ Bu, u ∈ U ,

trajectory ξ(t) from ξ(0) = x0 for integrable input signal ζ(t) ∈ U :

ξx0,ζ(t) = eAtx0 +

∫ t

0

eA(t−s)Bζ(s)ds

superposition with“backdated impact eA(t−s) of input ζ(s) at s”

reachable states from set X0 for any input signal:

Xt = eAtX0 ⊕ Yt

Yt =

∫ t

0

eAsUds = eAtX0 ⊕ limδ→0

⌊t/δ⌋⊕k=0

eAδkδU


Computing a Convex Cover

X0

Ω0

Xδ

Ω1

X2δ

Ω2

Compute Ω0,Ω1, . . . for fixed time horizon T such that∪0≤t≤T

Xt ⊆ Ω0 ∪ Ω1 ∪ . . . .


Time Discretization at Step-size δ

X0

Ω0

Xδ

Ω1

X2δ

Ω2

Semi-group property: (Xkδ)δ = X(k+1)δ

Time discretization: X(k+1)δ = eAδXkδ ⊕ Yδ

Given initial approximations Ω0 and Ψδ for the first δ such that∪0≤t≤δ

Xt ⊆ Ω0, Yδ ⊆ Ψδ,

Xt is covered by the sequence

Ωk+1 = eAδΩk ⊕Ψδ.


Initial Approximations

X0

Xδ

Ω0

(a) convex hull and pushing facets (b) convex hull and bloating

By Taylor approximation or by solving optimization problems


Initial Approximations – Forward Bloating

Bloating based on norms bounding Taylor approximation error:4

Ω0 = chull(X0 ∪ eAδX0)⊕ (αδ + βδ)B,Ψδ = βδB,αδ = µ(X0) · (e∥A∥δ − 1− ∥A∥δ),βδ = 1

∥A∥µ(BU) · (e∥A∥δ − 1),

with radius µ(X ) = maxx∈X∥x∥ and unit ball B.

4A. Girard, “Reachability of uncertain linear systems using zonotopes,” in HSCC, 2005,pp. 291–305.


Initial Approximations – Forward Bloating

X0

Ω0

Xδ

Ω1

X2δ

Ω2

Forward bloating is tight on X0 and bloated on Xδ.Improvements:

intersect forward bloating with backward bloating

bloat based on interpolation error


Wrapping Effect: Error Accumulation

X0

eAδX0

Appr(eAδX0)

Appr(eAδAppr(eAδX0))

(a) with wrapping effect

X0

eAδX0

Appr(eAδX0)Appr(eA2δX0)

(b) with wrapping-free algorithm

Avoid increasing complexity through deliberate over-approximation

Ωk+1 = Appr(eAδΩk ⊕Ψδ).

Example: bounding box over-approximation is fast


Wrapping Effect: Wrapping-free Cases

Idea: Over-approximate each image of initial approximation separatelySolution: Split sequence5

Ψk+1 = Appr(eAkδΨδ)⊕ Ψk with Ψ0 = 0,Ωk = Appr(eAkδΩ0)⊕ Ψk from initial Ω0

satisfies Ωk = Appr(Ωk) (wrapping-free) if

Appr(P ⊕Q) = Appr(P)⊕ Appr(Q),

e.g., bounding box.

5A. Girard, C. L. Guernic, and O. Maler, “Efficient computation of reachable sets of lineartime-invariant systems with inputs,” in HSCC, 2006, pp. 257–271.


Outline



3 Conclusions


Polyhedra

X0

Ω0

Xδ

Ω1

X2δ

Ω2

polyhedraoperation m constr. k gen.

convex hull chull exp 2kMinkowski sum ⊕ exp k2

linear map Ax+b m / exp kintersection ∩ 2m exp


Ellipsoids6

X0

Ω0

Xδ

Ω1

X2δ

Ω2

polyhedra ellipsoidsoperation m constr. k gen. n × n matrix

convex hull chull exp 2k approxMinkowski sum ⊕ exp k2 approxlinear map Ax+b m / exp k O(n3)intersection ∩ 2m exp approx

6A. B. Kurzhanski and P. Varaiya, Dynamics and Control of Trajectory Tubes. Springer,2014.


Zonotopes

v1v2

v3

v4c

Zonotope with center c ∈ Rn and generators v1, . . . , vk ∈ Rn

P =

c+

∑k

i=1αivi

∣∣∣∣ αi ∈ [−1, 1]

.

linear map: (Ac, ⟨Av1, . . . ,Avk⟩)Minkowski sum: P ⊕Q = (c+ d, ⟨v1, . . . , vk ,w1, . . . ,wm⟩)Not closed under chull or ∩ so need approximations


Zonotopes7

X0

Ω0

Xδ

Ω1

X2δ

Ω2

polyhedra ellipsoids zonotopesoperation m constr. k gen. n × n matrix k generators

convex hull chull exp 2k approx approxMinkowski sum⊕ exp k2 approx 2klinear map Ax+b m / exp k O(n3) kintersection ∩ 2m exp approx approx

7A. Girard, “Reachability of uncertain linear systems using zonotopes,” in HSCC, 2005,pp. 291–305.


Support Functions of Compact Convex Set P

dρP(d)

P

0

(a) support function in direction d

d3

d4

d1

d2

P

⌈P⌉D

(b) outer approximation

support function ρP(·) by linear optimization (efficient!)

ρP(d) = maxdTx | x ∈ P

computed values define polyhedral outer approximation

⌈P⌉D =∩d∈D

dTx ≤ ρP(d)


Support Functions

dρP(d)

P

0

(a) support function in direction d

d3

d4

d1

d2

P

⌈P⌉D

(b) outer approximation

linear map: ρAX (ℓ) = ρX (ATℓ) O(mn)

convex hull: ρchull(P∪Q)(ℓ) = maxρP(ℓ), ρQ(ℓ) O(1)Minkowski sum: ρX⊕Y(ℓ) = ρX (ℓ) + ρY(ℓ) O(1)Intersection: expressible as optimization problem


Support Functions (Le Guernic, Girard,’09)[9]

X0

Ω0

Xδ

Ω1

X2δ

Ω2

X0

Ω0

Xδ

Ω1

X2δ

Ω2

support functions: lazy approximation on demand

polyhedra ellipsoids zonotopes support f.operation m constr. k gen. n × n matrix k generators —

convex hull chull exp 2k approx approx O(1)Minkowski sum ⊕ exp k2 approx 2k O(1)linear map Ax+b m / exp k O(n3) k O(n2)intersection ∩ 2m exp approx approx opt. / approx


Outline



3 Conclusions


Conclusions

Hybrid automata are challenging for model checking.

Set-based reachability is exhaustive, sufficient for safety andbounded liveness.

expensive, scalable for piecewise affine dynamics

Abstraction lifts reachability to more complex systems

progress with approximate simulation relations

Verification by numerical simulation extends properties fromtraces to sets of states

sampling of initial states limited to low dimensional sets


References

[2] R. Alur, C. Courcoubetis, N. Halbwachs, T. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero,J. Sifakis, and S. Yovine, “The algorithmic analysis of hybrid systems,” TheoreticalComputer Science, vol. 138, pp. 3–34, 1995.

[3] T. A. Henzinger, “The theory of hybrid automata.,” in LICS, Los Alamitos: IEEEComputer Society, 1996, pp. 278–292.

[9] C. Le Guernic and A. Girard, “Reachability analysis of linear systems using supportfunctions,” Nonlinear Analysis: Hybrid Systems, vol. 4, no. 2, pp. 250–262, 2010.
