Hybrid System Verification Using Discrete Model Approximations - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Hybrid System Verification Using Discrete Model
Approximations
  • Alongkrit Chutinan
  • Department of Electrical and Computer Engineering
  • Carnegie Mellon University
  • Pittsburgh, PA, USA.

2
Outline
  • Hybrid Systems and Verification
  • MATLAB Verification Tool
  • Verification Example
  • Conclusions

3
Hybrid Systems
  • Continuous Dynamics
    • Differential Equations/Inclusions
    • Stopwatch Timers
    • etc.
  • Discrete Dynamics
    • Finite State Automata
    • Petri Nets
    • etc.

4
Hybrid Systems
  • Found virtually everywhere
  • Result of switching logic in many
    computer-controlled applications
  • Extremely difficult to analyze
  • Small perturbation can lead to drastically
    different behavior
  • No universally accepted framework for analysis
    and control

5
Focus: The Verification Problem
(Figure: a system model and a system property (specification) are the inputs; the question "Does the system satisfy the property?" is answered Yes/No)
  • Very important problem for safety-critical
    applications
  • All behaviors must be taken into account

6
Outline
  • Hybrid Systems and Verification
  • MATLAB Verification Tool
  • Verification Example
  • Conclusions

7
MATLAB Tool Overview
(Figure: tool pipeline) Simulink/Stateflow Front End (graphical editing,
simulation) → Threshold-event-driven Hybrid Systems (TEDHS) → Conversion →
Polyhedral-Invariant Hybrid Automaton (PIHA) → Initial Partition →
Flow Pipe Approximations → Quotient Transition System → ACTL Verification,
with Partition Refinement feeding back into the Quotient Transition System
8
Threshold-event-driven Hybrid Systems (TEDHS)
10
TEDHS Front End
  • Built on top of Simulink in MATLAB
  • Simulink's simulation capability can be exploited
  • Special blocks customized through Simulink's
    masking mechanism
  • Major supported block types
    • Switched Continuous System Block (SCSB)
    • Polyhedral Threshold Block (PTHB)
    • Finite State Machine Block (FSMB)
    • Multiplexer and Logical Operators (And, Or, Not)

11
Switched Continuous System
  • Parameter: switching function f
  • Input: discrete condition signal u
  • Output: continuous state vector x
  • Description: continuous dynamics selected by
    discrete input signal

12
Polyhedral Threshold
  • Parameters: C, d
  • Input: continuous state vector x
  • Output: Boolean signal
    • 1 if Cx ≤ d
    • 0 otherwise
  • Description: outputs Boolean signal indicating
    whether continuous state vector x is in the
    polyhedron Cx ≤ d

13
Finite State Machine (Stateflow)
  • Inputs
    • Data: Boolean condition signals which are
      functions of PTHB and FSMB outputs
    • Event: transition edges of Boolean condition
      signals which are functions of PTHB outputs
  • Output: discrete signal (integer) indicating
    active state of FSM
  • Description: state transitions are driven by
    input data and event signals.

17
Sample Block Diagram
19
Hybrid Automaton
(Figure: hybrid automaton with locations (discrete states) u connected by edges carrying a guard condition and a reset condition; each location has an initial condition, continuous dynamics, and an invariant I(u): the hybrid automaton may remain in u as long as x ∈ I(u))
20
Reset Condition
(Figure: the reset condition maps exit states to entry states)
21
Polyhedral-Invariant Hybrid Automaton (PIHA)
(Figure: a PIHA location u, annotated with the following features)
  • identity reset
  • hyperplane guard
  • invariant is the convex polytope defined from
    complements of the guards
  • ordinary differential equation
23
Hybrid System State Space
  • Given by cross product Xc × Xd
  • Continuous state space Xc given by cross product
    of nscs state spaces for all SCSBs:
    Xc = Xc1 × ... × Xc,nscs
  • Discrete state space Xd given by cross product of
    nfsm state spaces for all FSMBs:
    Xd = Xd1 × ... × Xd,nfsm

24
Continuous State Space Partition
(Figure: analysis region partitioned by hyperplanes into cells)
  • Restrict our attention to bounded subset of Xc
    called analysis region (AR)
  • Partition Xc into polyhedral cells by all
    hyperplanes cᵀx = d from all PTHBs
  • Output values of all PTHBs are constant across
    all xc in each cell

25
PIHA Construction
  • Each location is a pair (p,q)
    • p = cell
    • q = FSM states
  • p is the invariant
  • p determines outputs of PTHBs in the TEDHS
  • q contains outputs of FSMBs in the TEDHS
  • q directly determines continuous dynamics

26
Location Transition
  • Events occur when continuous trajectory x crosses
    hyperplane h on boundary of cell p
  • Determine neighboring cell p' that is reached by
    crossing h
  • Use p and p' to compute PTHB outputs before and
    after hyperplane crossing
  • Determine events that occur and make FSM state
    transition from q to q'
  • Transition to a special (empty) location when
    crossing hyperplane on analysis boundary

(Figure: location (p,q) with hyperplanes h on the boundary of cell p; crossing into neighboring cell p' leads to location (p',q'), while crossing a hyperplane on the analysis-region boundary leads out of the AR)
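As an added illustration of the TEDHS-to-PIHA conversion described on the "Continuous State Space Partition", "PIHA Construction" and "Location Transition" slides (example code, not the tool's own), the following Python enumerates the PIHA locations (p,q) of a constructed TEDHS with two PTHBs and a two-state FSM: a cell is identified by its vector of PTHB outputs, crossing hyperplane h flips that PTHB's output, and the rise/fall edge so produced is the event the FSM reacts to. It assumes every PTHB hyperplane bounds every cell (true for two hyperplanes) and omits the FSM's data inputs; all block parameters and the FSM are constructed.

```python
# Added example: PIHA location graph of a constructed TEDHS (not the tool's code).

# Constructed PTHBs: each outputs 1 iff c^T x <= d (one hyperplane per block).
PTHBS = {'x1_low': ((1.0, 0.0), 1.0),   # output 1 iff x1 <= 1
         'x2_low': ((0.0, 1.0), 2.0)}   # output 1 iff x2 <= 2
AR_FACES = ('ar_x1', 'ar_x2')          # hyperplanes bounding the analysis region

def pthb_outputs(x):
    """Cell p of a continuous state x: the tuple of PTHB outputs, which is
    constant over the whole cell (PTHBS key order)."""
    return tuple(int(c[0] * x[0] + c[1] * x[1] <= d) for c, d in PTHBS.values())

def neighbor_cell(p, h):
    """Cell p' reached by crossing hyperplane h: only that PTHB's output flips."""
    i = list(PTHBS).index(h)
    return p[:i] + (1 - p[i],) + p[i + 1:]

def events(p, p_next):
    """Transition edges of the PTHB condition signals before/after the crossing."""
    return {(name, 'rise' if after else 'fall')
            for name, before, after in zip(PTHBS, p, p_next) if before != after}

# Constructed Stateflow-like FSM: (state, event) -> next state; q selects the dynamics.
FSM = {('heating', ('x2_low', 'fall')): 'cooling',
       ('cooling', ('x2_low', 'rise')): 'heating'}

def fsm_step(q, evs):
    """FSM state q' after the events; events the FSM ignores leave q unchanged."""
    for e in sorted(evs):
        if (q, e) in FSM:
            return FSM[(q, e)]
    return q

def location_transition(loc, h):
    """PIHA edge taken when a trajectory in location (p, q) crosses hyperplane h.
    Returns the successor (p', q'), or None for the special (empty) location."""
    p, q = loc
    if h in AR_FACES:
        return None
    p_next = neighbor_cell(p, h)
    return (p_next, fsm_step(q, events(p, p_next)))

def reachable_locations(start):
    """Enumerate locations reachable from start by crossing any hyperplane."""
    seen, todo, edges = {start}, [start], set()
    while todo:
        loc = todo.pop()
        for h in list(PTHBS) + list(AR_FACES):
            nxt = location_transition(loc, h)
            edges.add((loc, h, nxt))
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen, edges

START = (pthb_outputs((0.5, 0.5)), 'heating')   # x = (0.5, 0.5) lies in cell (1, 1)
```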
32
Transition Systems
  • Unlabeled: T = (Q, →, Q0)
    • Q: set of states (possibly infinite/continuum)
    • → ⊆ Q × Q: transition relation
    • Q0: initial states
  • Labeled: T = (Q, →, Q0, 2^AP, L)
    • AP: set of atomic propositions
    • L: Q → 2^AP: labeling function
33
PIHA Semantics: Discrete-Trace Transition Systems
  • Given a hybrid system H,
    TH = (X0 ∪ Xentry ∪ {q∅,u}, →H, X0)
  • Discrete Transitions
    • (x,u) →H (x',u') ⇔ u ≠ u', e = (u,u'), and there
      is a continuous trajectory from x to a state x''
      ∈ G(e) such that x' ∈ R(e,x'')
  • Null Transitions
    • (x,u) →H q∅,u ⇔ there is a continuous trajectory
      from x that never leaves the location u

(q∅,u is the special (empty) location for u; the null transition completely masks the continuous-time behavior)
34
TH Illustration
(Figure: discrete-trace transition system TH; transitions lead from the entry states of a location to its exit states)
35
Simulation of Transition Systems
  • Given T1 = (Q1, →1, Q1o, 2^AP, L1), T2 = (Q2, →2,
    Q2o, 2^AP, L2), T2 simulates T1 if there exists a
    binary relation ≼ ⊆ Q1 × Q2 such that
    • ≼ is total (involves all of Q1)
    • q1 ≼ q2 ⇒ (q1 ∈ Q1o ⇒ q2 ∈ Q2o and L1(q1) = L2(q2))
    • q1 ≼ q2 and q1 →1 q1' ⇒
      there exists q2' such that q1' ≼ q2' and q2 →2 q2'

(Figure: q1 →1 q1' in Q1 is matched by q2 →2 q2' in Q2; written T1 ≼ T2)
36
Bisimulation
  • Given T1 = (Q1, →1, Q1o, 2^AP, L1), T2 = (Q2, →2,
    Q2o, 2^AP, L2), a relation ≅ ⊆ Q1 × Q2 is a
    bisimulation if
    • ≅ is a simulation relation of T1 by T2
    • ≅⁻¹ is a simulation relation of T2 by T1

(Figure: q1 →1 q1' in Q1 and q2 →2 q2' in Q2 match each other; written T1 ≅ T2)
37
Simulation vs. Bisimulation
  • Simulation
    • Conservative approximation of labeled behaviors
    • Can be used to verify universal specifications
  • Bisimulation
    • Equivalent to original system w.r.t. labeled
      behaviors
    • Obtained through iterative refinements of
      quotient transition systems
    • Can be used to verify all specifications

38
Quotient Transition Systems (QTS)
  • Given transition system T = (Q, →, Q0)
    • Pre(P) = {q | ∃p ∈ P, q → p}
    • Post(P) = {q | ∃p ∈ P, p → q}
  • Quotient transition system
    T/P = (P, →P, Q0/P)
    where
    • P: a partition of Q
    • P1 →P P2 for P1, P2 ∈ P
      ⇔ q1 → q2 for some q1 ∈ P1, q2 ∈ P2
      ⇔ Post(P1) ∩ P2 ≠ ∅
      ⇔ P1 ∩ Pre(P2) ≠ ∅

(Figure: T and its quotient T/P)
39
Facts About QTS
1. T ≼ T/P
2. T/P is a bisimulation if and only if P ∩ Pre(P') = ∅ or
   P ∩ Pre(P') = P for all P, P' ∈ P
   (stopping condition for bisimulation procedure)
40
Approximating QTS
  • Reachability approximation (for continuous
    dynamics) ⇒ Quotient transition system
    approximation
  • Computing QTS requires computation of reachable
    sets in Pre and Post operators
  • Reachable set cannot be computed exactly in
    general

41
Approximate QTS
  • Given reachability approximation method M
    • Pre(P) ⊆ PreM(P)
    • Post(P) ⊆ PostM(P)
    (conservative)
  • Approximate quotient transition system
    TM/P = (P, →PM, Q0/P)
    where
    • P1 →PM P2 for P1, P2 ∈ P ⇔ PostM(P1) ∩ P2 ≠ ∅
42
Facts About Approximate QTS
1. T ≼ T/P ≼ TM/P
   (can use TM/P to verify universal specification)
2. TM/P is a bisimulation if
   (PostM(P) ⊆ P') ⇒ ∀p ∈ P, ∃p' ∈ P', p → p'
   and ∀P, P' ∈ P, PostM(P) ∩ P' = ∅ or PostM(P) ∩ P' = PostM(P)
   (P has at most one successor; stopping condition for bisimulation with
   approximation; the usual bisimulation condition no longer holds for
   approximation)
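The definitions on the "Quotient Transition Systems (QTS)", "Facts About QTS", "Approximate QTS" and "Facts About Approximate QTS" slides, carried out on a constructed finite transition system in Python (an added example, not the presentation's code): Pre/Post, the quotient under a partition, the exact stopping condition P ∩ Pre(P') ∈ {∅, P}, and the approximate one "PostM(P) meets at most one block". The toy system, both partitions and the over-approximating post_m are constructed.

```python
# Added example (not the presentation's code): quotient transition systems of a
# finite transition system T = (Q, ->, Q0) under a partition, with the
# Pre/Post operators and the two stopping conditions on the slides.
from itertools import product

def pre(trans, block):
    """Pre(P) = {q | exists p in P with q -> p}."""
    return {q for (q, p) in trans if p in block}

def post(trans, block):
    """Post(P) = {q | exists p in P with p -> q}."""
    return {q for (p, q) in trans if p in block}

def quotient(post_fn, q0, partition):
    """T/P = (P, ->_P, Q0/P) with P1 ->_P P2 iff post_fn(P1) meets P2.
    With the exact Post this is T/P; with an over-approximating PostM it is
    the approximate quotient TM/P."""
    blocks = [frozenset(b) for b in partition]
    qtrans = {(b1, b2) for b1, b2 in product(blocks, repeat=2) if post_fn(b1) & b2}
    qinit = {b for b in blocks if b & q0}
    return blocks, qtrans, qinit

def is_bisimulation(trans, partition):
    """Slide "Facts About QTS": T/P is a bisimulation iff for all blocks P, P'
    the set P ∩ Pre(P') is either empty or all of P (i.e. P ⊆ Pre(P'))."""
    blocks = [frozenset(b) for b in partition]
    return all(not (b & pre(trans, b2)) or b <= pre(trans, b2)
               for b, b2 in product(blocks, repeat=2))

def one_successor_each(post_fn, partition):
    """Slide "Facts About Approximate QTS": PostM(P) ∩ P' is empty or all of
    PostM(P) for all P, P', i.e. every block has at most one successor."""
    blocks = [frozenset(b) for b in partition]
    return all(not (post_fn(b) & b2) or post_fn(b) <= b2
               for b, b2 in product(blocks, repeat=2))

# Constructed toy system: 1->2, 1->3, 2->4, 3->4, 4->4, 5->6, 6->6
TRANS = {(1, 2), (1, 3), (2, 4), (3, 4), (4, 4), (5, 6), (6, 6)}
Q0 = {1, 5}
COARSE = [{1, 5}, {2, 3, 6}, {4}]      # 6 loops but 2 and 3 do not: not a bisimulation
FINE = [{1}, {5}, {2, 3}, {6}, {4}]    # satisfies the stopping condition

def post_exact(block):
    return post(TRANS, block)

def post_m(block):
    """Constructed over-approximation: also reports 4 as a successor of 1."""
    return post(TRANS, block) | ({4} if 1 in block else set())
```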
43
Application to PIHA: TH/P Approximation
  • Partition
    • Initial States
    • Entry States: faces of cell p for each location
      (p,q)
  • Each state is (π,p,q) where π is a polytope
    • on boundary of cell p or
    • contained in the continuous initial set
    for some location (p,q)
  • Use flow pipe approximations to compute
    PostM((π,p,q))

45
Approximating Reachable Sets: Previous Work
  • Model theory and quantifier elimination
    • R. Alur, T.A. Henzinger, and P.-H. Ho. Automatic
      symbolic verification of embedded systems, 1996.
      (linear hybrid automata)
    • G. Lafferriere, G.J. Pappas, and S. Yovine.
      Decidable hybrid systems, 1996. (special classes
      of linear hybrid systems)
  • Rectangular Discretizations
    • E.K. Kornoushenko. Finite-automaton approximation
      to the behavior of continuous plants, 1975.
    • O. Stursberg, S. Kowalewski, and S. Engell. On
      the generation of timed discrete approximations
      for continuous systems, 1997.
    • T. Dang and O. Maler. Reachability Analysis via
      Face Lifting, 1998.
  • Piecewise linear hybrid automaton approximation
    • A. Puri, P. Varaiya, and V. Borkar.
      ε-approximation of differential inclusion, 1996.
    • T.A. Henzinger, P.-H. Ho, and H. Wong-Toi.
      Algorithmic analysis of nonlinear hybrid systems,
      1998.

46
Quantifier Elimination: Linear Hybrid Automata
  • Continuous dynamics of the form
  • where F is a constant convex polytope
  • Reachable set is a polyhedron

47
Rectangular Discretization
  • Information about vector field is used to
    iteratively include reachable cells

Figure from T. Dang and O. Maler, Reachability
Analysis via Face Lifting, HS'98
48
Flow Pipe Approximations: Problem Statement
  • Given a continuous dynamic system,
  • and a set of initial states, X0
  • Conservatively approximate the set of reachable
    states R0,T(X0) from time t = 0 to t = T

49
Polyhedral Flow Pipe Approximations
(Figure: flow pipe emanating from the initial set X0)
  • R0,T(X0) over-approximated by a union of polytopes

A. Chutinan and B. H. Krogh, Computing polyhedral
approximations to dynamic flow pipes, IEEE CDC,
1998
50
Wrapping Hyperplanes Around a Set (1)
  • Step 1
    • Choose normal vectors, c1,...,cm

(Figure: set S with normal vectors c1, c2, c3, c4)
51
Wrapping Hyperplanes Around a Set (2)
  • Step 2
    • Adjust each hyperplane so that it just touches S
    • By solving, for each i, an optimization problem

(Figure: hyperplanes with normals c1, c2, c3, c4 touching S)
52
Wrapping a Flow Pipe Segment
  • Given normal vectors ci, we shrink-wrap the segment
    in a polytope by solving, for each i, an optimization problem
  • The optimization problem is solved by embedding
    simulation into the objective function computation
    routine

53
Choosing Normal Vectors
  • We probably need a different set of normal
    vectors ci to shrink-wrap each segment
  • Heuristics
    • Compute vertices of X0 at times tk and tk+1 using
      ODE solver
    • Form convex hull from these points
    • Use normal vectors from faces of convex hull

54
Flow Pipe Segment Approximation
(Figure: Vertices(X0) at tk and Vertices(X0) at tk+1)
Step 1. a. Simulate trajectories from each vertex
of X0.
55
Example 1: Van der Pol Equation
(Figure: Van der Pol equation, initial set, and computed flow pipe)
Uniform time step Δtk = 0.5
56
Improvements for Linear Systems
  • Linear dynamics ⇒ analytical solution
  • Flow pipe segment computation depends only on
    time step Δt
  • A segment can be obtained by applying an affine
    transformation to another segment with the same Δt
  • No longer need to embed numerical integration
    into optimization when b = 0

57
Transforming a Polytope
(Figure: polytope P mapped by the affine transformation y = Tx + v)
58
Example 2: Linear System
(Figure: vertices for X0 and computed flow pipe)
Uniform time step Δtk = 0.1
  • Compute first segment
  • Then transform it with e^(AΔt) 49 times
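The segment construction of the "Wrapping Hyperplanes", "Choosing Normal Vectors" and "Improvements for Linear Systems" slides, carried out in Python as an added, self-contained example (not the presentation's MATLAB implementation) for a constructed linear system ẋ = Ax with A = [[0, 1], [-1, 0]], whose flow e^(At) is a rotation, so the exact solution replaces the ODE solver: normals come from the convex hull of X0's vertices at tk and tk+1, each d_i is the maximum of c_iᵀx over the segment, and the next segment is the e^(AΔt) transform of the first. The maximum over t is taken on a time grid, so the wrap is conservative only up to that sampling resolution.

```python
# Added example (not the presentation's MATLAB code): polyhedral wrap of one
# flow pipe segment for the constructed linear system x' = A x,
# A = [[0, 1], [-1, 0]], whose exact flow e^{At} is the rotation below.
import math

def expA(t):
    """Matrix exponential e^{At} of the constructed system (a rotation)."""
    return ((math.cos(t), math.sin(t)), (-math.sin(t), math.cos(t)))

def apply(M, x):
    return (M[0][0] * x[0] + M[0][1] * x[1], M[1][0] * x[0] + M[1][1] * x[1])

def convex_hull(points):
    """Andrew's monotone chain; hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])
    hull = []
    for seq in (pts, pts[::-1]):          # lower chain, then upper chain
        chain = []
        for p in seq:
            while len(chain) >= 2 and cross(chain[-2], chain[-1], p) <= 0:
                chain.pop()
            chain.append(p)
        hull += chain[:-1]
    return hull

def choose_normals(X0, tk, tk1):
    """Step 1 (heuristic): outward edge normals of conv(X0 at tk, X0 at tk1)."""
    hull = convex_hull([apply(expA(t), v) for t in (tk, tk1) for v in X0])
    return [(b[1] - a[1], -(b[0] - a[0])) for a, b in zip(hull, hull[1:] + hull[:1])]

def wrap_segment(X0, tk, tk1, normals, nsamp=200):
    """Step 2: d_i = max c_i^T x over the segment. c^T e^{At} x0 is linear in
    x0, so the max over X0 is attained at a vertex; the max over t is taken on
    a time grid (conservative only up to the sampling resolution)."""
    times = [tk + (tk1 - tk) * j / nsamp for j in range(nsamp + 1)]
    poly = []
    for c in normals:
        d = max(c[0] * y[0] + c[1] * y[1]
                for t in times for v in X0 for y in [apply(expA(t), v)])
        poly.append((c, d))
    return poly

def transform_polytope(poly, T_inv):
    """Image of {x : c^T x <= d} under y = T x is {y : (T^{-T} c)^T y <= d}."""
    Tt = ((T_inv[0][0], T_inv[1][0]), (T_inv[0][1], T_inv[1][1]))   # (T^{-1})^T
    return [(apply(Tt, c), d) for c, d in poly]

def contains(poly, x, tol=1e-9):
    return all(c[0] * x[0] + c[1] * x[1] <= d + tol for c, d in poly)

# Constructed initial set: the box [0.9, 1.1] x [-0.1, 0.1]; time step 0.1
X0 = [(0.9, -0.1), (1.1, -0.1), (1.1, 0.1), (0.9, 0.1)]
DT = 0.1
SEG0 = wrap_segment(X0, 0.0, DT, choose_normals(X0, 0.0, DT))
SEG1 = transform_polytope(SEG0, expA(-DT))   # segment [DT, 2*DT] = e^{A DT} SEG0
```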

59
Approximation Error
  • Can be made arbitrarily small for each segment
  • Time step
  • Size of X0
  • Lipschitz constant
  • Vector field
  • Dimension

60
Flow Pipe Approximation
  • Applies in arbitrary dimensions
  • Approximation error does not accumulate from
    previous time step
  • Approximation error can be made arbitrarily small
    by bounds on
    • dt - size of segment time step
      (independent of the starting time for the segment)
    • dx0 - size of initial set partition
      (depends on the starting time for the segment)

61
Approximating Transitions in TH/P
(Figure: the flow pipe from state (π,p,q) in cell p crosses into cell p'; the reached part of the boundary is covered by polytopes π'1 and π'2, giving transitions to (π'1,p',q') and (π'2,p',q'))
63
Selecting Initial Partition
  • Start with faces of invariant cell for each
    location (p,q)
  • Look at vector field fq(x) on each face with
    normal vector c
  • Split polytopes recursively to satisfy
    • Vector field direction tolerance
    • Vector field variation tolerance
    • Size tolerance
  • Group continuous states with similar qualitative
    behaviors

64
Initial Partition Tolerances
65
Splitting Polytopes for Initial Partitions (and
Refinement)
  • c: split direction
  • dmin, dmax = min, max of cᵀx over x ∈ P

(Figure: polytope P split along direction c)
67
Finite-State Transition System
  • State-transition graph
  • Computation tree (obtained by unfolding the graph)

68
Computation Tree Logic (CTL)
  • Specify evolutions along paths in computation
    tree from a given state
  • Can specify safety, liveness, fairness, etc.

Examples: AG safe: system is safe along all paths;
AG(AF reset): system is reset infinitely often along
every computation path
69
Model Checking Program
Find the set of states where the given CTL
formula is true.
  • Implemented in MATLAB using graph search
    algorithms
  • Complexity: linear in the product of system size
    and length of CTL formula

70
ACTL
  • Restricted class of CTL allowing only universal
    path quantifier
  • f ::= ap | ¬ap | f ∧ f | f ∨ f
        | AX f | AF f | AG f | A[f U f]

THM/P satisfies ACTL spec ⇒ TH satisfies ACTL spec
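The following Python is an added example (not the tool's MATLAB model checker) of the graph-search model checking on the "Model Checking Program" and "ACTL" slides: each ACTL operator is evaluated as a set of states, with AG and A[f U f] as greatest and least fixpoints over the "all successors" check, and AF f as A[true U f]. It also returns the violating initial states together with all their descendants, the set the selective refinement step of the summary procedure would split; the finite transition system, its labels and the formulas are constructed.

```python
# Added example (not the tool's code): ACTL model checking by graph search on a
# constructed finite labeled transition system T = (Q, ->, Q0, 2^AP, L).
def successors(Q, trans):
    """Successor map of the finite transition system (Q, ->)."""
    succ = {q: set() for q in Q}
    for a, b in trans:
        succ[a].add(b)
    return succ

def sat(f, Q, succ, L):
    """States of Q where the ACTL formula f holds. f is a nested tuple such as
    ('AG', ('ap', 'safe')). A state with no successor satisfies AX f
    vacuously (the usual CTL convention for a total transition relation)."""
    op = f[0]
    if op == 'true':
        return set(Q)
    if op == 'ap':
        return {q for q in Q if f[1] in L[q]}
    if op == 'not':                     # ACTL: negation only of atomic propositions
        return set(Q) - {q for q in Q if f[1] in L[q]}
    if op in ('and', 'or'):
        a, b = sat(f[1], Q, succ, L), sat(f[2], Q, succ, L)
        return a & b if op == 'and' else a | b
    if op == 'AX':                      # all successors satisfy f
        S = sat(f[1], Q, succ, L)
        return {q for q in Q if succ[q] <= S}
    if op == 'AF':                      # AF f == A[true U f]
        return sat(('AU', ('true',), f[1]), Q, succ, L)
    if op == 'AG':                      # greatest fixpoint: drop q once a successor leaves S
        S = sat(f[1], Q, succ, L)
        while True:
            S2 = {q for q in S if succ[q] <= S}
            if S2 == S:
                return S
            S = S2
    if op == 'AU':                      # least fixpoint: g, or f with every successor already in S
        F, G = sat(f[1], Q, succ, L), sat(f[2], Q, succ, L)
        S = set(G)
        while True:
            S2 = S | {q for q in F if succ[q] <= S}
            if S2 == S:
                return S
            S = S2
    raise ValueError(f"unknown operator {op!r}")

def violating_initial(spec, Q, trans, Q0, L):
    """Initial states not satisfying spec; empty means the system is verified."""
    return set(Q0) - sat(spec, Q, successors(Q, trans), L)

def refinement_set(spec, Q, trans, Q0, L):
    """Selective refinement: violating initial states plus all their descendants."""
    succ = successors(Q, trans)
    todo = list(violating_initial(spec, Q, trans, Q0, L))
    seen = set(todo)
    while todo:
        for p in succ[todo.pop()] - seen:
            seen.add(p)
            todo.append(p)
    return seen

# Constructed transition system: 0->1->2->0 cycle, 0->3, 3->4 (loop), 3->5 (loop), 6 (loop)
Q = {0, 1, 2, 3, 4, 5, 6}
TRANS = {(0, 1), (1, 2), (2, 0), (0, 3), (3, 4), (4, 4), (3, 5), (5, 5), (6, 6)}
Q0 = {0, 6}
L = {0: {'safe'}, 1: {'safe', 'reset'}, 2: {'safe'}, 3: {'safe'},
     4: {'safe', 'reset'}, 5: set(), 6: {'safe', 'reset'}}
AG_SAFE = ('AG', ('ap', 'safe'))
AG_AF_RESET = ('AG', ('AF', ('ap', 'reset')))
```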
71
Atomic Propositions in the Tool
  • Two types of atomic propositions (AP)
  • Polyhedral Threshold Atomic Proposition
    • <PTHB>
    • Identified by name of each PTHB
    • Specify output for each PTHB (true if PTHB output
      is 1)
    • Truth value determined directly from cell p for
      each state (π,p,q) in THM/P

72
Atomic Propositions (cont.)
  • Finite State Machine Atomic Proposition
    • <FSMB state>
    • Specify active state for each FSMB
    • Truth value determined directly from q for each
      state (π,p,q) in THM/P

74
Quotient Transition System Refinement
  • Bisimulation refinement
    • Splits P into part that can reach P' (P1) and
      part that cannot (P2)
  • Difficult to implement
    • Set subtractions
    • Non-convex sets

(Figure: block P split into P1, which reaches P', and P2, which does not)
75
Alternative Refinement Procedure
  • Refine states with more than one successor state
    • Motivated by bisimulation condition for
      approximation
    • Use bisection refinement instead of bisimulation
      refinement
  • Selective refinement w.r.t. ACTL specification
    • Refine only initial states not satisfying ACTL
      specification and all descendants
    • Reduce computational cost
    • Slow down state explosion

76
Summary of Verification Procedure
  • Approximate initial quotient transition system
    THM/P0 for PIHA converted from TEDHS
  • If all initial states in THM/PN satisfy ACTL
    specification
    • Stop, system is verified
  • Otherwise
    • For each initial state in THM/PN violating ACTL
      specification and all its descendants, split the
      associated polytope
    • Recompute mappings and transitions for new
      polytopes to approximate THM/PN+1
    • N = N + 1 and repeat

77
Outline
  • Hybrid Systems and Verification
  • MATLAB Verification Tool
  • Verification Example
  • Conclusions

78
Simulink Model
79
Switched Continuous System Parameters
80
Approximation Parameters Specification
81
Visualization Tool
82
Visualization Tool
83
Visualization Tool
84
Partition P0
  • Specification unsatisfied

85
Partition P1
  • Specification unsatisfied

86
Partition P2
  • Specification unsatisfied

87
Partition P3
  • Specification unsatisfied

88
Partition P4
  • Specification unsatisfied

89
Partition P5
  • Specification unsatisfied

90
Partition P6
  • Specification satisfied

91
Bound on Number of Switchings
92
Outline
  • Hybrid Systems and Verification
  • MATLAB Verification Tool
  • Verification Example
  • Conclusions

93
Contributions
  • Approximate quotient transition systems for
    verification of hybrid systems
    • Discrete-trace transition system
    • Bisimulation condition for approximate quotient
      transition systems
    • Verification results in some cases where finite
      bisimulation does not exist

94
Contributions
  • Flow pipe approximations
    • Handles general ODEs in arbitrary dimensions
    • Efficient computations for affine systems
    • Arbitrarily close approximations
    • Error does not accumulate from previous time
      steps
  • Realization of quotient transition system
    verification

95
Contributions
  • MATLAB verification tool
    • TEDHS modeling front end
    • Conversion from TEDHS to PIHA
    • Automatic generation and refinements of
      approximate quotient transition systems
    • Polyhedral library (convex hull, etc.)
    • ACTL parser and finite-state model checking
      library

96
Research Directions
  • Flow pipe approximations
    • More efficient nonlinear flow pipe approximations
    • Extension to differential inclusions
    • Numerical methods to guarantee conservative
      approximation
      • using floating point or integer arithmetic
      • global optimization technique
    • Null transition identification methods

97
Research Directions
  • More restrictive refinement set
    • Identify states along particular paths from the
      initial states that violate ACTL specification
    • As opposed to all reachable states from the
      initial states that violate ACTL specification
  • More efficient PIHA conversion for the tool
    • The tool introduces many cells between which no
      discrete transition actually occurs
    • Consolidate adjacent cells with same discrete
      state
  • Extension of theory/tool to handle jumps in
    continuous dynamics