1. 1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL mitras@csail.mit.edu Research Qualifying Exam 20 th December 2004 Joint work with Daniel Liberzon (UIUC) and Nancy Lynch (MIT) * F ull version of the paper has been sent for journal review.

2. Verifying Average Dwell Time 2 A common math model (HIOA)  Expressive: few constraints on continuous and discrete behavior  Compositional: analyze complex systems by looking at parts  Structured: inductive verification  Compatible: application of CT results e.g. stability, synthesis Motivation: Macro Control Theory: Dynamical system with boolean variables  Stability  Controllability  Controller design Computer Science: State transition systems with continuous dynamics  Safety verification  model checking  theorem proving Hybrid Systems

3. Verifying Average Dwell Time 3 Motivation: Micro  Analysis of mobile algorithms (CT view)  nodes: plant with continuous motion, disturbance  algorithm: controller maintaining some structure  Complexity  Stability and Robustness

4. Verifying Average Dwell Time 4 Outline 1.Background 2.Stability under slow switching 3.Formal Model 4.Invariant Approach 5.MILP Approach 6.Conclusions

5. Verifying Average Dwell Time 5 Switching and Stability M1M1 M2M2 M1M1 M2M2 M2M2 M1M1 M3M3

6. Verifying Average Dwell Time 6 Stability Under Slow Switchings Theorem [Hespanha] : Assuming Lyapunov functions for the individual modes exist, global asymptotic stability is guaranteed if τ a is large enough. # of switches on average dwell time ( ADT ) t decreasing sequence --- (1)

7. Verifying Average Dwell Time 7 Problem Statement  If all the executions of the hybrid system satisfy Equation (1), then the system is said to have ADT τ a.  Q: Given hybrid system A, does it have ADT τ a ? or, what is the largest τ a that is ADT for A ?

8. Verifying Average Dwell Time 8  V: set of variables, types, valuations val(V), dtypes  Q: set of states, Q  val(V)  : start states  A: set of actions  D  Q  A  Q: discrete transitions. (v,a,v) є D is written in short as  T: set of trajectories for V, functions describing continuous evolution A trajectory  : J  val(V) T is closed under prefix, suffix, and concatenation Formal Definitions: Hybrid Automata [Lynch, Segala, Vaandrager]

9. Verifying Average Dwell Time 9  Every variable is either discrete or continuous V = V c U V c  A set F of state models for the continuous variables V c  A state model is a locally Lipschitz function f such that the solution to the system of differential equation d(v) = f(v) are in the dtypes of the corresp. continuous variables  A mode switching function  So, we have only continuous variables changing over trajectories:  Mode switches changing the state models Definitions: Structured HA (SHA)

10. Verifying Average Dwell Time 10 Definitions: Executions and Invariants  Execution (fragment): sequence  0 a 1  1 a 2  2 …, where:  Each  i is a trajectory of the automaton, and  Each (  i.lstate, a i,  i+1.fstate) is a discrete step  Invariant I(s) proved by base case : induction discrete: continuous:  Supporting TIOA software tools [Kaynar, Lynch, Mitra]

11. Verifying Average Dwell Time 11 Different Classes of SHIOA  Initialized  Linear  Rectangular

12. Verifying Average Dwell Time 12 Input/Output Separation  Makes it possible to define the parallel composition operation on automata with nice properties  V = X U Y U Z  A = I U O U H

13. Verifying Average Dwell Time 13  Switched system modeled as HIOA:  Each mode is modeled by a trajectory definition  Mode switches are brought about by actions  Usual notions of stability apply  Stability theorems involving Common and Multiple Lyapunov functions carry over Switched system:  is a family of systems  is a switching signal HIOA Model for Switched Systems

14. Verifying Average Dwell Time 14 Average Dwell Time: Invariant Approach An SHA A has ADT if there exists N 0 such that for all α  Quantification over all executions: ADT is a property of the executions of the automaton Invariant approach:  Transform the automaton A  A’ so that the ADT property of A becomes an invariant property of A’.  Then use theorem proving or model checking tools to prove the invariant(s)

15. Verifying Average Dwell Time 15 Transformation for Stability  Uniform stability preserving transformation:  counter Q, for number of extra mode switches  a (reset) timer t  Q min for the smallest value of Q AA’ Theorem: A has average dwell time τ a iff Q- Q min ≤ N 0 in all reachable states of A’. invariant property

16. Verifying Average Dwell Time 16 Proof If part: we show that t1t1 t2t2 t min Q min Q(t 2,t 1 ) = Q(t 2, t min ) – Q(t 1,t min ) ≤ Q(t 2,t min ) = Q(t 2 ) – Q min (t 2 ) ≤ N 0 t1t1 t2t2 t min Q min Q min (t 2 ) < Q min (t 1 ) Q(t 2,t 1 ) = Q(t 2, t min ) + Q(t 1,t min ) ≤ Q(t 2,t min ) = Q(t 2 ) – Q min (t 2 ) ≤ N 0 Only if part: Consider a state s’ = α’(t) of A’ suppose α’(t 0 ) attains Q min, Q min (t) = Q min (t 0 ) Q(t) – Q min (t) ≤ N 0 Q Q

17. Verifying Average Dwell Time 17 Case Study: Hysteresis Switch Initialize Find no yes ? Inputs:  Under suitable conditions on (compatible with bounded......................................................... noise and no unmodeled dynamics), can prove ADT. See CDC paper for details [Mitra, Liberzon]  Used in switching (supervisory) control of uncertain systems

18. Verifying Average Dwell Time 18 Average Dwell Time : Optimization approach An SHA A has ADT if there exists N 0 such that for all α An SHA A does not have ADT if for all N 0 there is execution α such that In general solving OPT1 is hard Finiteness of solution Completeness # extra switches in α w.r.t. τ a

19. Verifying Average Dwell Time 19 Looking at cyclic counterexample A simple sufficient condition for violating ADT Lemma 3: If there is a cyclic execution of A with extra switches w.r.t τ a, then A does not have ADT τ a. Q: Is this also a necessary condition ? A: For a useful class of SHA it is. Finitely initialized SHA. implies is finite Lemma 4: IF SHA A does not have ADT τ a and it is finitely initialized then it has a cyclic execution with extra switches.

20. Verifying Average Dwell Time 20 Extending to Non-initialized SHA  If there is a subset of variables Z  V, such that if x.Z = y.Z then  x є  implies y є   F(x) = F(y)  x  x’ on a then there exists y’ such that y  y’ on a and x’.Z = y’.Z  x  x’ by traj τ then there exists y’ such that y  y’ on a traj of same length and x’.Z = y’.Z  Z induces a congruence relation and partitions the state space of A into equivalence classes.  We can find a region automaton R z (A) corresponding to A such that, any τ a > 0 is an ADT for A iff it is also an ADT for R z (A).  It is sufficient to have R z (A) finitely initialized (and not A itself ) for the optimization approach to work.

21. Verifying Average Dwell Time 21 Case Study: Gas Burner SHA Region automata MILP Soultion

22. Verifying Average Dwell Time 22 Conclusions  SHA, SHIOA model, stability definitions  Verification of ADT property:  Invariant approach --- general but not automatic  MILP approach --- restrictive, can be fully automated  ADT preserving abstractions Summary: Future work:  Stability of mobile algorithms  Input-output properties (external stability)  Probabilistic HIOA [Cheung, Lynch, Segala, Vaandrager] and stability of stochastic switched systems [Chatterjee, Liberzon, FrA01.1]

23. Verifying Average Dwell Time 23 References [Mitra, Liberzon, Lynch, “Verifying average dwell time”, 2004, http://decision.csl.uiuc.edu/~liberzon]