Multiple Shooting, CEGAR-based Falsification for Hybrid Systems Aditya Zutshi Sriram Sankaranarayanan Jyotirmoy Deshmukh James Kapinski

Physical System (plant) Hybrid Systems Physical System (plant) Discrete Controller Actuate Sense Safety Critical ! A quick recap about HS. These are systems which incorporate both continuous time and discrete time dynamics. Many examples of such systems can be found in the domain of Embedded systems, where we have digital processes controlling a physical plant. The controller is usually a piece of embedded software and the plant is a physical system commonly modeled as a set of differential equations. Specific examples of such systems are almost everywhere, like in the automotive industry, medical devices, aviation, railways and power plants…and as most of us are aware these systems are safety critical. Hence the need for rigorous testing and validation.

Falsification Error? System Description Error States Initial States t We can talk about the safety of such systems by talking about reachability, which says… Given a set of initial states and the system definition, what all states can be reached. For finding errors, to falsification we can ask a slightly different question, is there an initial state from which the system can reach an error state? Lets look at the common approaches to solve such a problem…we look at the two ends of the spectrum… Is there a trajectory from an initial state to an error state?

System Description Mode 1 Mode 2 𝑑𝑥 𝑑𝑡 = 𝑓 1 (𝑥) 𝑑𝑥 𝑑𝑡 = 𝑓 2 (𝑥) Most systems do not have Hybrid Automaton models! 𝐺 21 𝑥 =0 𝑥 ′ ≔ 𝑅 21 (𝑥) 𝐺 12 𝑥 =0 𝑥 ′ ≔ 𝑅 12 (𝑥) Mode 1 Mode 2 𝑑𝑥 𝑑𝑡 = 𝑓 2 (𝑥) 𝑑𝑥 𝑑𝑡 = 𝑓 1 (𝑥) Simulink/Stateflow X t X’ SIM(X,t) X, t Remove legacy Don’t go into details of HA… We have sim/state flow,…hjard to convert oto HA Hybrid Automaton Model [Alur, Henzinger, Lygeros, Sastry, Tomlin,…]

Single Shooting Inefficient in the presence of SIM(X,t) System Description Inefficient in the presence of non-linearities and discrete updates Error States Naïve: needs guidance Curse of dimensionality: Scales poorly with increasing states Initial States S-Taliro: [Fainekos, et al.] BREACH: [Donze’] RRT: [Bhatia et al., …]

Multiple Shooting Explore trajectory space Narrow gaps iteratively Proposed Solution CEGAR Gaps Delta t Error States Initial States

Multiple Shooting ↔ CEGAR (Counter Example Guided Refinement) Contributions Multiple Shooting ↔ CEGAR (Counter Example Guided Refinement) 𝑥 2 𝑥 1 Abstract path Trajectory segment B Let us look at our main contributions… In this work We observed that multiple shooting is very closely related to CEGAR To illustrate, lets look at a grid based abstraction, where the state space has been partitioned into rectangular cells If a cell can be reached from another cell, then there exists a representative trajectory segment Infact, a sequence of trajectory segments gives a path in the abstraction! Moreover, the refinement of the abstraction effectively reduces the gap between these trajectory segments Moreover, if we refine the abstraction, then we make an additional observation, that the gaps between the trajectory segments have reduced Refinement Narrowing of gaps A Grid based Abstractions Verification of Hybrid Systems Based on Counterexample-Guided Abstraction Refinement [Clarke, Fehnker, et al.]

Explicit Abstractions Scatter and Simulate Grid based Abstractions Induced by 𝐿 ∞ norm Fundamental question in abstractions: A  B ? 𝑥∈𝐴∧ 𝑥 ′ =𝑆𝐼𝑀(𝑥,𝑡)∧𝑥′∈𝐵 Scatter & Simulate 𝑥 2 𝑥 1 B Explicit Abstractions Black Box: No system dynamics Complex dynamics Curse of Dimensionality Δ𝑡 A

Multiple Shooting & CEGAR Compute 𝐶 𝑖𝑛𝑖𝑡 / 𝐶 𝑒𝑟𝑟 Explore it using scatter & simulate Search Error Paths Trade soundness for efficiency. Find a subset of paths. Assume implicit abstraction Enumerate error paths Check for concrete paths Error Paths done Refine abstraction using CEGAR Assume a finer abstraction Compute 𝐶 𝑖𝑛𝑖𝑡

Multiple Shooting & CEGAR… Compute 𝐶 𝑖𝑛𝑖𝑡 / 𝐶 𝑒𝑟𝑟 Explore it using scatter & simulate Refine by CEGAR Examine abstract error paths Entire path Initial cell Assume implicit abstraction Enumerate error paths Check for concrete paths Error Paths done CEGAR Assume a finer abstraction Finer grid size 𝐶 0 Compute 𝐶 𝑖𝑛𝑖𝑡

Identify reached cells Scatter and Simulate Compute 𝐶 𝑖𝑛𝑖𝑡 / 𝐶 𝑒𝑟𝑟 Error States Get cell from Q Δ𝑡 Sample cell Δ𝑡 Cell Queue Δ𝑡 Simulate for Δ𝑇 Initial States 𝜖 Identify reached cells If new, add cell to Q 𝜖 Error Paths Enumerate error paths

Refinement CEGAR Refine Grid Error Paths Compute 𝐶 𝑖𝑛𝑖𝑡 Scatter & Simulate 𝜖 New Error Paths Enumerate error Paths 𝜖 2

Concretization Described procedure can run forever Solution Only comes up with segmented trajectories No termination guarantee due to numerical errors Solution interleave Concretization: Use random testing on refined initial cells Scatter & Simulate Done!! Concretize CEGAR

Demo Van der Pol – iteration 1 Plot of Scatter & Simulate Intial Set with initial cells 𝐶 𝑖 Add a slide with concrete simulations….and equations…and random testing performance…

Demo Van der Pol – iteration 2 Plot of Scatter & Simulate Intial Set with initial cells 𝐶 𝑖

Demo Van der Pol – iteration 3 Plot of Scatter & Simulate Intial Set with initial cells 𝐶 𝑖

Demo Van der Pol – iteration 4 Plot of Scatter & Simulate Intial Set with initial cells 𝐶 𝑖

Demo Van der Pol – iteration 5 Plot of Scatter & Simulate Intial Set with initial cells 𝐶 𝑖

Experiments Van Der Pol Lorenz Brusselator Bouncing Ball 14 Cont. States 625 Modes Experiments Academic Examples Van Der Pol Lorenz Brusselator Bouncing Ball Bouncing Ball + SHM Constrained Pendulum Navigation 30(mod.) Idle Speed Controller MPC Glucose Insulin Quadcopter(mod.) Cardiac Cont. States: 2-14 Modes: 0-625 Complex Benchmarks Radu grosu We run random simulations 100,000 times, all in parallel and S-Taliro ands SS 10 times to get consistent results… As SS is parallelized, and S-Taliro not, we try to compare the num of successful runs instead of just timings…

Comparison Van Der Pol Lorenz Brusselator Bouncing Ball Random Testing Van Der Pol Lorenz Brusselator Bouncing Ball Bouncing Ball + SHM Constrained Pendulum Navigation 30(mod.) Idle Speed Controller MPC Glucose Insulin Quadcopter(mod.) Cardiac Light-weight S-Taliro Scatter and Simulate Add dReach Exhaustive S-Taliro: [Fainekos, et. Al.] dReach: [Gao, et. Al. ]

Experimental Setup Random Testing S-Taliro Scatter & Sim. Times are hard to compare! Experimental Setup Random Testing S-Taliro Scatter & Sim. #𝑣𝑖𝑜. 100,000 #𝑣𝑖𝑜. 10 Random Testing Use random testing to synthesize safety properties when they don’t exist Run 100,000 simulations and find number of violations S-Taliro vs Scatter & Sim. Run 10 times Run terminates if Violation found Timeout: 1hr Tools can restart during a run Time taken is hard to compare S-Taliro has a single threaded impl.

Results - Van Der Pol Random Testing S-Taliro Scatter & Sim. Vs Highly non-linear! 2 continuous States Random Testing S-Taliro Scatter & Sim. 10 10 0 100,000 Vs

Results - Bouncing Ball Hybrid! 4 continuous States 1 mode Random Testing S-Taliro Scatter & Sim. 1 10 10 10 3 100,000 Vs

Results - Navigation30 Random Testing S-Taliro Scatter & Sim. Vs 625 Modes! 4 continuous States 625 modes Random Testing S-Taliro Scatter & Sim. 3 10 10 10 1 100,000 Vs Becnhmarks for Hybrid Systems Verification: [Fehnker and Ivancic]

Results - Idle Speed Controller Inputs! 9 continuous States 4 modes 1 input Random Testing S-Taliro Scatter & Sim. 2 10 10 10 70 100,000 Vs A new algorithm for reachability analysis of hybrid automata : [A. Casagrande, et al.]

In Summary… Falsification technique for Hybrid Systems. No explicit model required! Simulations are cheap and parallelizable! Generalizable in many direction. But… Can not find non-robust trajectories Convergence is not guaranteed Best effort search Can provide asymptotic guarantees Sampling based approach, and does not use a model of the system, we can never detect non robust behaviors

Extra Slides…

Falsification Approaches: Shooting Single Shooting Random testing S-Taliro BREACH Systematic Sim. RRTs … Multiple Shooting Proposed approach: Scatter & Simulate Reverse explanations… Search space…

Single Shooting: Random Testing SIM(X,T) System Description Naïve: needs guidance Curse of dimensionality: Scales poorly with increasing states Error States The simplest kind of Single shooting is random testing. We sample a point, simulate for the given time and check if we find erroneous behavior. Though its very light weight, it can be very powerful when coupled with the insights of engineers. This approach however, is usually not very successful for complex systems for several reasons. Systems with non linear and hybrid dynamics can fail in complex ways and the search space explodes exponentially with increase in states. There have been a lot of improvements over random testing recently and tools like S-Taliro and BREACH which use guided testing, and have been used to falsify complex systems. Although better, these tools still use single shooting which is not very good in handling systems with highly non linear and discrete behaviors. Initial States

Single Shooting: Guided Testing S-Taliro: [Fainekos, et. Al] BREACH: [Donze] Inefficient in the presence of non-linearities and discrete updates Error States 𝜌 Initial States

Multiple Shooting Solution…? Use mature NLP Solvers Distribute non -linearity Solution…? Use mature NLP Solvers Translate the problem as an optimization problem with equality constraints Error States Initial conditons outside intial states Ignore NLP Proposed Solution Use Abstractions and CEGAR Initial States Undesirable Gaps A Trajectory Splicing Approach to Concretizing Counterexamples for Hybrid Systems: [Zutshi, et al.]

Abstractions and CEGAR How to effectively use Multiple Shooting? Use Discrete Abstractions and a refinement procedure CEGAR: Counter Example Guided Refinement 𝑥 2 𝑥 1 Induced by 𝐿 ∞ norm Grid Based Implicit Abstraction Partitions the state space into rectangular Cells Discovers relations using simulation Modify to contributions… Verification of Hybrid Systems Based on Counterexample-Guided Abstraction Refinement [Clarke, Fehnker, et al.]

Grid Based Abstraction Discretizes concrete states Relations induced by Dynamics 𝑥 1 = 𝑙 1 𝑥 1 = ℎ 1 𝑥 2 = ℎ 2 𝑥 2 = 𝑙 2 Abstract State: 𝐶𝑒𝑙𝑙 𝐶 𝑖 Concrete States: 𝑥 𝑖 ∈[ 𝑙 𝑖 , ℎ 𝑖 ) 𝐶 1 𝐶 0 HSolver: [Ratschan, et al.]

Explicit Abstractions Curse of Dimensionality Explicit abstraction construction Used by verification approaches Sound procedure finds relations between adjacent cells Enumerate all abstract error paths 𝑥 2 𝑥 1 In essence, we sample the graph over relations instead of building it entirely. In other words, we never explicitly construct the abstraction, but use simulations to discover the relations Predicate Abstraction for reachability analysis of HS [Alur, Dang, Ivancic]

Exploring Implicit Abstractions Mitigate curse of dimensionality! Implicit Abstractions Use simulations in a multiple shooting fashion Sample relations Efficiently discover a subset of abstract error paths 𝑥 2 𝑥 1 Δ𝑡 Δ𝑡 In essence, we sample the graph over relations instead of building it entirely. In other words, we never explicitly construct the abstraction, but use simulations to discover the relations Δ𝑡