1 Formal Models for Stability Analysis of Hybrid Systems: Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December 2004 Joint work with Daniel Liberzon (UIUC) and Nancy Lynch (MIT)

Verifying Average Dwell Time 2 HIOA framework [Lynch Segala Vaandrager]  Expressive: few constraints on continuous and discrete behavior  Compositional: analyze complex systems by looking at parts  Structured: inductive verification Background: Macro Control Theory: Dynamical system + boolean variables  Stability  Controllability  Controller design Computer Science: State transition systems + continuous dynamics  Safety verification  model checking  theorem proving Hybrid Systems

Verifying Average Dwell Time 3 Background: Micro  Develop rich theory for mobile systems  The usual --- time, communication, space complexities  Analysis of mobile algorithms from a CT point of view  Plant: nodes with continuous motion  Controller: algorithm maintaining some structure (routing, leader, MST, etc.)  controlled motion of some mobile robots  Noise, disturbance, uncertainty  Stability and robustness, w.r.t mobility  Probabilistic extensions of HIOA

Verifying Average Dwell Time 4 Outline 1.Background 2.Stability under slow switching : Average dwell time (ADT) 3.Formal Model for hybrid systems 4.Verifying ADT by proving invariants 5.Verifying ADT by solving optimization problems 6.Conclusions

Verifying Average Dwell Time 5 Switching and Stability M1M1 M2M2 M1M1 M2M2 M2M2 M1M1 M3M3 Individually stable subsystems Unstable switched system

Verifying Average Dwell Time 6 Stability Definitions  Stable (Lyapunov) with 0 as the equilibrium point if for every e > 0, there exists d > 0, such that every execution α, |α(0)| ≤ d  |α(t)| <= e for all t.  Asymptotically stable if |α(0)| ≤ d  α(t)  0 as t  infinity.  Globally asymptotically stable if above holds for all d.  Uniformly stable in the sense of Lyapunov, if for every e > 0 there is a d > 0, such that any execution |α(t 0 )| ≤ d  | α(t)| ≤ e, for all t.

Verifying Average Dwell Time 7 2. Stability Under Slow Switchings If all executions satisfy (1), for all t2,t1 then the system is said to have ADT τ a. τaτa N(t 2,t 1 ) ≤ N 0 + (t 2 – t 1 ) / τ a --- (1) N (t 2, t 1 ) : # of switches in the interval t 2, t 1 (t 2 – t 1 ) / τ a : # of “allowed switches” τ a : average dwell time (ADT) system has dwell time τ a system has average dwell time τ a

Verifying Average Dwell Time 8 Stability with ADT Theorem [Hespanha] : Assuming Lyapunov functions for the individual modes exist, global asymptotic stability is guaranteed if τ a is large enough. t decreasing sequence  Q: What are the Lyapunov functions ? (this also determines τ a that guarantees stability)  Q: Given hybrid system A, does it have ADT τ a ? or, what is the largest τ a that is ADT for A ?

Verifying Average Dwell Time 9  V: set of variables, types, valuations val(V), dtypes  Q: set of states, Q  val(V)  : start states,   Q  A: set of actions  D  Q  A  Q: discrete transitions. (v,a,v’) є D is written in short as v  a v’  T: set of trajectories for V, functions describing continuous evolution A trajectory  : J  val(V) T is closed under prefix, suffix, and concatenation 3. Formal Definitions: Hybrid Automata [Lynch, Segala, Vaandrager]

Verifying Average Dwell Time 10  V = V c U V d  A set F of state models for the continuous variables V c  A state model is a locally Lipschitz function f such that the solution to the system of differential equation v = f(v) are in the dtypes of the corresponding continuous variables.  A mode switching function  So, we have only continuous variables changing over trajectories:  Mode switches changing the state models Definitions: Structured HA (SHA).

Verifying Average Dwell Time 11 Definitions: Executions and Invariants  Execution (fragment): sequence  0 a 1  1 a 2  2 …, where:  Each  i є T, (finite if i is not the last index) and  Each (  i.lstate, a i,  i+1.fstate) є D  Invariant I(v) proved by base case : for all v є Ө, I(v) induction discrete: for all v  a v’ є D, I(v)  I(v’) continuous: for all τ є T, I(τ.fstate)  I(τ.lstate)  Proving abstractions…  Language and supporting software tools [Kaynar, Lynch, Mitra]

Verifying Average Dwell Time 12 Different Classes of SHIOA  Initialized  Linear  Rectangular

Verifying Average Dwell Time 13 Input/Output Separation  Makes it possible to define the parallel composition operation on automata with nice properties  V = X U Y U Z  A = I U O U H

Verifying Average Dwell Time 14  Switched system modeled as HIOA:  Each mode is modeled by a trajectory definition  Mode switches are brought about by actions  Usual notions of stability apply  Stability theorems involving Common and Multiple Lyapunov functions carry over Switched system:  is a family of systems  is a switching signal HIOA Model for Switched Systems

Verifying Average Dwell Time Average Dwell Time: Invariant Approach An SHA A has ADT τ a > 0, if there exists N 0 such that for all α  Quantification over all executions: ADT is a property of the executions of the automaton Invariant approach:  Transform the automaton A  A’ so that the ADT property of A becomes an invariant property of A’.  Then use theorem proving or model checking tools to prove the invariant(s) α.ltime: duration of the execution α N(α) ≤ N 0 + α.ltime / τ a Q τ a (α) = N(α) - α.ltime / τ a : # extra switches w.r.t τ a

Verifying Average Dwell Time 16 Transformation for Stability  Uniform stability preserving transformation:  counter Q, for number of extra mode switches  a (reset) timer t  Q min for the smallest value of Q AA’ Theorem : A has average dwell time τ a iff Q- Q min ≤ N 0 in all reachable states of A’. invariant property

Verifying Average Dwell Time 17 Proof If part: we want to show that N(t 1,t 0 ) ≤ N 0 + (t 1 -t 0 )/ τ a N(t 1,0) – N(t 0,0) ≤ N 0 + (t 1 -t 0 )/ τ a Q(t 1 ) + t 1 /τ a – Q(t 0 ) – t 0 /τ a ≤ N 0 + (t 1 -t 0 )/ τ a Q(t 1 ) – Q(t 0 ) ≤ N 0 t0t0 t1t1 t min Q min Case 1: Q(t 1 ) – Q(t 0 ) = Q(t 1, t min ) – Q(t 0,t min ) ≤ Q(t 1,t min ) = Q(t 1 ) – Q min (t 1 ) ≤ N 0 [From the invariant] t0t0 t1t1 t min Q min Only if part: Consider a state s’ = α’(t) of A’ suppose α’(t 0 ) attains Q min, Q min (t) = Q min (t 0 ) N(t,t 0 ) ≤ N 0 + (t-t 0 )/ τ a Q(t) + t/ τ a – Q(t 0 ) – t 0 / τ a ≤ N 0 + (t-t 0 )/ τ a Q(t) – Q min (t) ≤ N 0 Q Q Case 2: Similar…

Verifying Average Dwell Time 18 Case Study: Hysteresis Switch Initialize Find no yes ? Inputs:  Under suitable conditions on (compatible with bounded noise and no unmodeled dynamics), can prove ADT. See CDC paper for details [Mitra, Liberzon]  Used in switching (supervisory) control of uncertain systems

Verifying Average Dwell Time 19 Hysteresis switch details Assumptions on monitoring signals Average dwell time Constant bound on extra switches

Verifying Average Dwell Time Average Dwell Time: Optimization approach An SHA A has ADT if there exists N 0 such that for all α An SHA A does not have ADT if for all N 0 there is execution α such that In general solving OPT1 is hard Finiteness of solution Completeness # extra switches in α w.r.t. τ a

Verifying Average Dwell Time 21 Looking at cyclic counterexample A simple sufficient condition for violating ADT… cyclic execution fragments. Lemma 3: If there is a cyclic execution fragment α of A with extra switches w.r.t τ a, then A does not have ADT τ a. Proof sketch: α. α.α. … will have unbounded number of extra switches. Q: Is this also a necessary condition ? A: For a useful class of SHA it is. Finitely initialized SHA. v  a v’ є M implies v’ є I a is finite Lemma 4: IF SHA A does not have ADT τ a and it is finitely initialized then it has a cyclic execution with extra switches. Now we can solve : OPT2: α* = arg max { S τa (α) | α є cycle A } For linear finitely initialized SHA OPT2 can be formulated as a mixed integer linear program !

Verifying Average Dwell Time 22 Extending to Non-initialized SHA  If there is a subset of variables Z  V, such that if x.Z = y.Z then  x є  implies y є   F(x) = F(y)  x  x’ on a then there exists y’ such that y  y’ on a and x’.Z = y’.Z  x  x’ by traj τ then there exists y’ such that y  y’ on a traj of same length and x’.Z = y’.Z  Z induces a congruence relation and partitions the state space of A into equivalence classes.  We can find a region automaton R z (A) corresponding to A such that, any τ a > 0 is an ADT for A iff it is also an ADT for R z (A).  It is sufficient to have R z (A) finitely initialized (and not A itself ) for the optimization approach to work.

Verifying Average Dwell Time 23 Case Study: Gas Burner from [Alur, Henzinger, et. al] SHA Region automata MILP Soultion ADTObj. value *-2.31e -13  0

Verifying Average Dwell Time Conclusions  SHA, SHIOA model, stability definitions  Verification of ADT property:  Invariant approach --- general but not automatic  MILP approach --- restrictive, can be fully automated  ADT preserving abstractions Summary: Future work:  Characterize the class of SHA for which MILP approach works.  Performance (stability) of mobile algorithms subject to node movement  Probabilistic HIOA and stability of stochastic switched systems

Verifying Average Dwell Time 25 References Mitra, Liberzon, “Verifying average dell time: an invariant based approach”, IEEE CDC, December Mitra, Liberzon, Lynch, “Verifying average dwell time”, 2004, Submitted for review, special issue of IEEE Trans. On Automatic Control Kaynar, Lynch, Mitra, “Specification and Verification of timed systems using TIOA tools”, IEEE RTSS WIP Mitra, Archer, “Reusable proof strategies for proving abstraction relations”, STRATEGIES, July Liberzon, “Switching in systems and control: Foundations and applications”, Birkhauser, Boston, June 2003 Branicky, “ Multiple Lyapunov Functions and Other Analysis Tools for Switched and Hybrid Systems ” IEEE Tran. Automatic Contol 1998 Hespanha, Morse “ Stability of switched systems with average dwell time”, IEEE CDC 1999 Lynch, Segala, Vaandrager, “Hybrid I/O automata” Information and Computation, 185(1), August 2003 Kaynar, Lynch, Segala, Vaandrager, “Theory of time I/O Automata” MIT/LCS/TR-917a, 2004