Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December 2003

Hybrid System Verification Synchronous Workshop 2003 Scientific Models Discrete systems –CSs’ favourite domain –What I should be talking about here … Continuous systems –Engineers’ domain –Differential equations Hybrid Systems

Hybrid System Verification Synchronous Workshop 2003 A Hybrid System Typical example: A heated room with a a thermostat. Room temperature T continuous variable, State of heater (on or off) is a discrete variable, Different (continuous/differential) equations regulate room temperature depending whether heater is on or off.

Hybrid System Verification Synchronous Workshop 2003 The Heated Room: Required Parameters Dynamics in different (discrete) states; When to switch from one state to another; Whether any continuous variables are reset discontinuously when switching from one state to another.

Hybrid System Verification Synchronous Workshop 2003 The Heated Room: Typical questions Reachability questions: Can the room temperature rise over 5% above the thermostat setting? ‘Qualitative’ system behaviour: Given a loop (a sequence of discrete states) what continuous behaviour is possible within that loop?

Hybrid System Verification Synchronous Workshop 2003 Hybrid Automata OnOff

Hybrid System Verification Synchronous Workshop 2003 OnOff Label Dynamics Invariant Guard Reset Hybrid Automata

Hybrid System Verification Synchronous Workshop 2003 Verification of Hybrid Automata Undecidable in general. Even (good) testing is difficult! Most complete approaches look at sub- problems eg limiting differential equations, limiting number of continuous variables.

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Swimmer in a whirlpool

Hybrid System Verification Synchronous Workshop 2003 Polygonal Differential Inclusion Systems (SPDIs) A partition of the plane into convex polygons Constant differential inclusion for each region describing allowable dynamics

Hybrid System Verification Synchronous Workshop 2003 Swimmer SPDI

Hybrid System Verification Synchronous Workshop 2003 Swimmer SPDI Arrows: System dynamics Polygons: Discrete states (Transformed) coordinates: two continuous states

Hybrid System Verification Synchronous Workshop 2003 Swimmer SPDI Arrows: System dynamics Polygons: Discrete states Position on line: one continuous state

Hybrid System Verification Synchronous Workshop 2003 Swimmer SPDI

Hybrid System Verification Synchronous Workshop 2003 Swimmer SPDI

Hybrid System Verification Synchronous Workshop 2003 Some undecidable extensions Three or more dimensions Variant differential inclusions SPDIs with arbitrary resets

Hybrid System Verification Synchronous Workshop 2003 Some observations (1) Position on edges can be described as a single real number. Starting from a position s on an edge and ending at t on another edge, the linear inclusion limits guarantees: t 2 [  1 s +  2,  1 s +  2 ] Similarly if we went through a number of edges in between.

Hybrid System Verification Synchronous Workshop 2003 Result: Given a loop of region edges, we can compute the reachable polygon without iterating. We can compute the effect of following an abstract trace: e 1 …e i (e i+1 …e j ) * e j+1 …e k (e k+1 …e l ) * … e n

Hybrid System Verification Synchronous Workshop 2003 Some observations (2) For any self-crossing path through an SPDI, there exists a non-self-crossing one with the same start and end points. A path which follows a loop (a number of times), leaves it and goes through the loop again, can be replaced by one which enters the loop only once.

Hybrid System Verification Synchronous Workshop 2003 Result: Any path through an abstract trace which is ‘too long’ also belongs to a shorter abstract path: e 1 …e i (e i+1 …e j ) * e j+1 …e k (e k+1 …e l ) * … e n Only a finite number of paths need be explored to check reachability.

Hybrid System Verification Synchronous Workshop 2003 Summary We can (non-iteratively) calculate the effect of following an abstract path. A finite number of abstract paths cover all possible concrete paths from one edge to another. These abstract paths can be calculated.

Hybrid System Verification Synchronous Workshop 2003 Summary We can (non-iteratively) calculate the effect of following an abstract path. A finite number of abstract paths cover all possible concrete paths from one edge to another. These abstract paths can be calculated. We have an algorithm to decide SPDI reachability

Hybrid System Verification Synchronous Workshop 2003 Summary We can (non-iteratively) calculate the effect of following an abstract path. A finite number of abstract paths cover all possible concrete paths from one edge to another. These abstract paths can be calculated. But it does not guarantee shortest counter-example unless exhaustive search is performed

Hybrid System Verification Synchronous Workshop 2003 Forward model checking       [   Termination Condition:   

Hybrid System Verification Synchronous Workshop 2003 SPDI model checking       [   [   Termination Condition:   [    [ 

Hybrid System Verification Synchronous Workshop 2003 SPDI model checking       [   [   Termination Condition:   [    [  This follows loops (non-iteratively) in one step

Hybrid System Verification Synchronous Workshop 2003 SPDI model checking       [   [   Termination Condition:   [    [  This is the invariance kernel of the SPDI

Hybrid System Verification Synchronous Workshop 2003 Invariance kernel of a loop The greatest set of points such that every trajectory starting in such points must remain in the set forever. Can be calculated using a non-iterative algorithm. The set  is the union of all invariance kernels.

Hybrid System Verification Synchronous Workshop 2003 Invariance kernel of a loop The greatest set of points such that every trajectory starting in such points must remain in the set forever. Can be calculated using a non-iterative algorithm. The set  is the union of all invariance kernels. BFS algorithm which guarantees shortest abstract counter-example

Hybrid System Verification Synchronous Workshop 2003 Invariance kernel of a loop The greatest set of points such that every trajectory starting in such points must remain in the set forever. Can be calculated using a non-iterative algorithm. The set  is the union of all invariance kernels. Allows us to apply standard model-checking verification optimisations to SPDI verification

Hybrid System Verification Synchronous Workshop 2003 Future work Implementation of the new algorithm and standard optimisations Case studies and safe approximation generators How can this be applied to discrete systems with one continuous variable and differential inclusion transitions?

Hybrid System Verification Synchronous Workshop 2003 x 2 [min{c 1,  1 x +  2 }, max{c 1,  1 s +  2 }]