
Formal Models for Stability Analysis of Hybrid Systems: Verifying Average Dwell Time*

Sayan Mitra, MIT, CSAIL

[email protected]

Research Qualifying Exam, 20th December 2004

Joint work with Daniel Liberzon (UIUC) and Nancy Lynch (MIT)


Verifying Average Dwell Time

Background: Macro

Control Theory: Dynamical system + boolean variables

Stability

Controllability

Controller design

Computer Science: State transition systems + continuous dynamics

Safety verification, model checking, theorem proving

Hybrid Systems

HIOA framework [Lynch, Segala, Vaandrager]

Expressive: few constraints on continuous and discrete behavior

Compositional: analyze complex systems by looking at parts

Structured: inductive verification


Background: Micro

Develop rich theory for mobile systems

The usual --- time, communication, space complexities

Analysis of mobile algorithms from a CT point of view

Plant: nodes with continuous motion

Controller: algorithm maintaining some structure (routing, leader, MST, etc.)

controlled motion of some mobile robots

Noise, disturbance, uncertainty

Stability and robustness, w.r.t. mobility

Probabilistic extensions of HIOA


Outline

1. Background

2. Stability under slow switching: Average dwell time (ADT)

3. Formal Model for hybrid systems

4. Verifying ADT by proving invariants

5. Verifying ADT by solving optimization problems

6. Conclusions


Switching and Stability

[Figure: individually stable subsystems and an unstable switched system; labels M1, M2, M3]


2. Stability Under Slow Switchings

N(t2,t1) ≤ N0 + (t2 – t1) / τa --- (1)

N(t2, t1): # of switches in the interval t2, t1

(t2 – t1) / τa: # of “allowed switches”

τa: average dwell time (ADT)

If all executions satisfy (1) for all t2, t1, then the system is said to have ADT τa.

system has dwell time τa

system has average dwell time τa


Stability with ADT

Theorem [Hespanha]: Assuming Lyapunov functions for the individual modes exist, global asymptotic stability is guaranteed if τa is large enough.

[Figure: plot of V against t, annotated "decreasing sequence"]

Q: What are the Lyapunov functions? (This also determines the τa that guarantees stability.)

Q: Given hybrid system A, does it have ADT τa? Or, what is the largest τa that is ADT for A?


3. Formal Definitions: Hybrid Automata

[Lynch, Segala, Vaandrager]

V: set of variables, types, valuations val(V), dtypes

Q: set of states, Q ⊆ val(V)

Θ: start states, Θ ⊆ Q

A: set of actions

D ⊆ Q × A × Q: discrete transitions. (v,a,v’) ∈ D is written in short as v →a v’

T: set of trajectories for V, functions describing continuous evolution

A trajectory τ: J → val(V)

T is closed under prefix, suffix, and concatenation


Definitions: Structured HA (SHA)

V = Vc ∪ Vd

A set F of state models for the continuous variables Vc

A state model is a locally Lipschitz function f such that the solutions to the system of differential equations v̇ = f(v) are in the dtypes of the corresponding continuous variables.

A mode switching function

So, we have only continuous variables changing over trajectories:

Mode switches changing the state models


Definitions: Executions and Invariants

Execution (fragment): sequence τ0 a1 τ1 a2 τ2 …, where:

Each τi ∈ T (finite if i is not the last index), and

Each (τi.lstate, ai, τi+1.fstate) ∈ D

Invariant I(v) proved by induction:

base case: for all v ∈ Θ, I(v)

discrete: for all v →a v’ ∈ D, I(v) ⇒ I(v’)

continuous: for all τ ∈ T, I(τ.fstate) ⇒ I(τ.lstate)

Proving abstractions…

Language and supporting software tools [Kaynar, Lynch, Mitra]


4. Average Dwell Time: Invariant Approach

An SHA A has ADT τa > 0, if there exists N0 such that for all α

N(α) ≤ N0 + α.ltime / τa

α.ltime: duration of the execution α

Qτa(α) = N(α) - α.ltime / τa : # extra switches w.r.t. τa

Quantification over all executions: ADT is a property of the executions of the automaton

Invariant approach:

Transform the automaton A → A’ so that the ADT property of A becomes an invariant property of A’.

Then use theorem proving or model checking tools to prove the invariant(s)


Transformation for Stability

Uniform stability preserving transformation: A → A’

counter Q, for number of extra mode switches

a (reset) timer t

Qmin for the smallest value of Q

Theorem: A has average dwell time τa iff Q – Qmin ≤ N0 in all reachable states of A’ (invariant property).


Proof

If part: we want to show that N(t1,t0) ≤ N0 + (t1-t0)/τa

N(t1,0) – N(t0,0) ≤ N0 + (t1-t0)/τa

Q(t1) + t1/τa – Q(t0) – t0/τa ≤ N0 + (t1-t0)/τa

Q(t1) – Q(t0) ≤ N0

[Figure: two plots of Q against time, marking t0, t1, tmin and Qmin]

Case 1: Q(t1) – Q(t0) = Q(t1,tmin) – Q(t0,tmin)

≤ Q(t1,tmin)

= Q(t1) – Qmin(t1)

≤ N0 [From the invariant]

Case 2: Similar…

Only if part: Consider a state s’ = α’(t) of A’

suppose α’(t0) attains Qmin, Qmin(t) = Qmin(t0)

N(t,t0) ≤ N0 + (t-t0)/τa

Q(t) + t/τa – Q(t0) – t0/τa ≤ N0 + (t-t0)/τa

Q(t) – Qmin(t) ≤ N0
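The theorem can be exercised on a single finite execution. The following is an added example, not code from the talk: it replays a list of switch times, tracks Q and Qmin as the transformed automaton would, and compares the largest Q – Qmin with a brute-force evaluation of inequality (1). It assumes Q is the real-valued N – t/τa of the Qτa(α) definition rather than a counter-and-timer encoding; the function names and both traces are constructed.

```python
from fractions import Fraction as F

def max_excess_invariant(switch_times, tau_a):
    """Largest Q - Qmin seen while replaying one execution (the A' view)."""
    tau = F(tau_a)
    q = q_min = worst = last = F(0)
    for t in map(F, switch_times):
        q -= (t - last) / tau        # time passes: Q falls at rate 1/tau_a
        q_min = min(q_min, q)        # Qmin records the smallest Q so far
        q += 1                       # mode switch: one more counted switch
        worst = max(worst, q - q_min)
        last = t
    return worst

def max_excess_definition(switch_times, tau_a):
    """Brute force over intervals: max of N(t2,t1) - (t2 - t1)/tau_a.

    The maximum is reached on intervals that start and end at a switch,
    so only those intervals are enumerated.
    """
    tau = F(tau_a)
    ts = [F(t) for t in switch_times]
    worst = F(0)
    for i in range(len(ts)):
        for j in range(i, len(ts)):
            worst = max(worst, (j - i + 1) - (ts[j] - ts[i]) / tau)
    return worst

def has_adt_on_trace(switch_times, tau_a, n0):
    """Invariant check: Q - Qmin <= N0 at every point of this execution."""
    return max_excess_invariant(switch_times, tau_a) <= n0

# Constructed sample executions (sorted switch times, exact decimals).
STEADY = ["2", "4", "6", "8", "10"]
BURSTY = ["1", "1.1", "1.2", "1.3", "10"]

if __name__ == "__main__":
    for name, trace in (("steady", STEADY), ("bursty", BURSTY)):
        print(name, max_excess_invariant(trace, 2),
              max_excess_definition(trace, 2), has_adt_on_trace(trace, 2, 1))
```

Both functions return the same value on every trace, which is the content of the theorem restricted to one execution; the burst of four switches in BURSTY forces N0 up to 4 for τa = 2.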


Case Study: Hysteresis Switch

Used in switching (supervisory) control of uncertain systems

[Figure: flowchart of the hysteresis switch with blocks "Initialize" and "Find", a yes/no decision, and "Inputs:"]

Under suitable conditions on (compatible with bounded noise and no unmodeled dynamics), can prove ADT. See CDC paper for details [Mitra, Liberzon]


5. Average Dwell Time: Optimization approach

An SHA A has ADT if there exists N0 such that for all α

An SHA A does not have ADT if for all N0 there is an execution α such that

In general solving OPT1 is hard

• Finiteness of solution

• Completeness

# extra switches in α w.r.t. τa


Looking at cyclic counterexample

A simple sufficient condition for violating ADT… cyclic execution fragments.

Lemma 3: If there is a cyclic execution fragment α of A with extra switches w.r.t. τa, then A does not have ADT τa.

Proof sketch: α.α.α.… will have an unbounded number of extra switches.

Q: Is this also a necessary condition?

A: For a useful class of SHA it is. Finitely initialized SHA.

v →a v’ ∈ M implies v’ ∈ Ia

is finite

Lemma 4: If SHA A does not have ADT τa and it is finitely initialized, then it has a cyclic execution with extra switches.

Now we can solve:

OPT2: α* = arg max { Sτa(α) | α ∈ cycleA }

For linear finitely initialized SHA, OPT2 can be formulated as a mixed integer linear program!
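Lemma 3 turns refutation of ADT into a search for a cycle with positive extra switches. The following added example (not the MILP formulation from the talk) runs that search on a constructed finite abstraction in which each mode has a fixed minimum dwell time, using Bellman-Ford to find a cycle whose switch count exceeds its allowed switches. The graph model, the names and the sample modes are assumptions made for the illustration, and every mode is assumed reachable.

```python
from fractions import Fraction as F

def violating_cycle(min_dwell, switches, tau_a):
    """Return a cycle of modes with positive extra switches, or None."""
    tau = F(tau_a)
    # Taking switch u->v adds one switch and, at the fastest, min_dwell[u] time.
    gain = {(u, v): 1 - F(min_dwell[u]) / tau for (u, v) in switches}
    best = {m: F(0) for m in min_dwell}    # an execution may start in any mode
    pred, hit = {}, None
    for _ in range(len(min_dwell)):        # Bellman-Ford, maximising gain
        hit = None
        for (u, v), g in gain.items():
            if best[u] + g > best[v]:
                best[v], pred[v], hit = best[u] + g, u, v
        if hit is None:
            return None                    # converged: no positive cycle
    for _ in range(len(min_dwell)):        # step back until inside the cycle
        hit = pred[hit]
    cycle, node = [hit], pred[hit]
    while node != hit:
        cycle.append(node)
        node = pred[node]
    return cycle[::-1]

def extra_switches(cycle, min_dwell, tau_a):
    """Switches minus allowed switches for one fastest pass around the cycle."""
    return len(cycle) - sum(F(min_dwell[m]) for m in cycle) / F(tau_a)

# Constructed abstraction: modes with minimum dwell times, and mode switches.
MIN_DWELL = {"idle": 4, "heat": 1, "cool": 1}
SWITCHES = [("idle", "heat"), ("heat", "cool"), ("cool", "heat"), ("cool", "idle")]

if __name__ == "__main__":
    for tau_a in (1, 2):
        print(tau_a, violating_cycle(MIN_DWELL, SWITCHES, tau_a))
```

For τa = 2 the heat/cool loop gains one extra switch per pass, so repeating it exceeds any N0; for τa = 1 no cycle gains anything and the search returns None.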


Extending to Non-initialized SHA

If there is a subset of variables Z ⊆ V, such that if x.Z = y.Z then

x ∈ implies y ∈

F(x) = F(y)

if x → x’ on a, then there exists y’ such that y → y’ on a and x’.Z = y’.Z

if x → x’ by traj τ, then there exists y’ such that y → y’ on a traj of same length and x’.Z = y’.Z

Z induces a congruence relation and partitions the state space of A into equivalence classes.

We can find a region automaton Rz(A) corresponding to A such that any τa > 0 is an ADT for A iff it is also an ADT for Rz(A).

It is sufficient to have Rz(A) finitely initialized (and not A itself) for the optimization approach to work.


Case Study: Gas Burner from [Alur, Henzinger, et al.]

[Figure: SHA and region automata for the gas burner]

MILP Solution

ADT    Obj. value

10     -0.4

12*    -2.31e-13 0


6. Conclusions

Summary:

SHA, SHIOA model, stability definitions

Verification of ADT property:

Invariant approach --- general but not automatic

MILP approach --- restrictive, can be fully automated

ADT preserving abstractions

Future work:

Characterize the class of SHA for which MILP approach works.

Performance (stability) of mobile algorithms subject to node movement

Probabilistic HIOA and stability of stochastic switched systems


References

Mitra, Liberzon, “Verifying average dwell time: an invariant based approach”, IEEE CDC, December 2004.

Mitra, Liberzon, Lynch, “Verifying average dwell time”, 2004. Submitted for review, special issue of IEEE Trans. on Automatic Control [http://theory.lcs.mit.edu/~mitras]

Kaynar, Lynch, Mitra, “Specification and Verification of timed systems using TIOA tools”, IEEE RTSS WIP 2004.

Mitra, Archer, “Reusable proof strategies for proving abstraction relations”, STRATEGIES, July 2004.

Liberzon, “Switching in systems and control: Foundations and applications”, Birkhauser, Boston, June 2003.

Branicky, “Multiple Lyapunov Functions and Other Analysis Tools for Switched and Hybrid Systems”, IEEE Trans. Automatic Control, 1998.

Hespanha, Morse, “Stability of switched systems with average dwell time”, IEEE CDC 1999.

Lynch, Segala, Vaandrager, “Hybrid I/O automata”, Information and Computation, 185(1), August 2003.

Kaynar, Lynch, Segala, Vaandrager, “Theory of timed I/O Automata”, MIT/LCS/TR-917a, 2004.