Formal Models for Stability Analysis : Verifying Average Dwell Time*
Sayan Mitra, MIT CSAIL
Research Qualifying Exam, 20th December 2004
Joint work with Daniel Liberzon (UIUC) and Nancy Lynch (MIT)
* Full version of the paper has been sent for journal review.
Motivation: Macro
Hybrid Systems
Control Theory: Dynamical system with boolean variables
• Stability
• Controllability
• Controller design
Computer Science: State transition systems with continuous dynamics
• Safety verification, model checking, theorem proving
A common math model (HIOA)
• Expressive: few constraints on continuous and discrete behavior
• Compositional: analyze complex systems by looking at parts
• Structured: inductive verification
• Compatible: application of CT results, e.g. stability, synthesis
Motivation: Micro
Analysis of mobile algorithms (CT view)
• nodes: plant with continuous motion, disturbance
• algorithm: controller maintaining some structure
Complexity
Stability and Robustness
Outline
1. Background
2. Stability under slow switching
3. Formal Model
4. Invariant Approach
5. MILP Approach
6. Conclusions
Switching and Stability
[Figure: switching among modes M1, M2 and M3]
Stability Under Slow Switchings
Theorem [Hespanha]: Assuming Lyapunov functions for the individual modes exist, global asymptotic stability is guaranteed if τa is large enough.
[Equation (1) is missing from this transcript; surviving annotations: "# of switches on" a time interval in t and T, "average dwell time (ADT)"]
[Figure: plot of V against t, labelled "decreasing sequence"]
--- (1)
Problem Statement
If all the executions of the hybrid system satisfy Equation (1), then the system is said to have ADT τa.
Q: Given hybrid system A, does it have ADT τa? Or, what is the largest τa that is an ADT for A?
Formal Definitions: Hybrid Automata [Lynch, Segala, Vaandrager]
V: set of variables, types, valuations val(V), dtypes
Q: set of states, Q ⊆ val(V)
[symbol missing]: start states
A: set of actions
D ⊆ Q × A × Q: discrete transitions. (v,a,v) ∈ D is written in short as
T: set of trajectories for V, functions describing continuous evolution
A trajectory τ: J → val(V)
T is closed under prefix, suffix, and concatenation
Definitions: Structured HA (SHA)
Every variable is either discrete or continuous: V = Vd ∪ Vc
A set F of state models for the continuous variables Vc
A state model is a locally Lipschitz function f such that the solutions to the system of differential equations d(v) = f(v) are in the dtypes of the corresponding continuous variables
A mode switching function
So, we have:
• only continuous variables changing over trajectories
• mode switches changing the state models
Definitions: Executions and Invariants
Execution (fragment): sequence τ0 a1 τ1 a2 τ2 …, where:
• Each τi is a trajectory of the automaton, and
• Each (τi.lstate, ai, τi+1.fstate) is a discrete step
Invariant I(s) proved by induction:
• base case:
• discrete:
• continuous:
Supporting TIOA software tools [Kaynar, Lynch, Mitra]
Average Dwell Time: Invariant Approach
An SHA A has ADT if there exists N0 such that for all α
Quantification over all executions: ADT is a property of the executions of the automaton
Invariant approach: Transform the automaton A into A’ so that the ADT property of A becomes an invariant property of A’. Then use theorem proving or model checking tools to prove the invariant(s).
Transformation for Stability
Uniform stability preserving transformation A → A’:
• counter Q, for number of extra mode switches
• a (reset) timer t
• Qmin for the smallest value of Q
Theorem: A has average dwell time τa iff Q − Qmin ≤ N0 in all reachable states of A’ (an invariant property).
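A run-time version of the monitor variables that A’ adds to A, as an added example (not code from the talk or from the TIOA tools); it checks the invariant on one trace at a time, whereas the theorem quantifies over all reachable states of A’. Assumptions beyond the slide: Q is incremented on every mode switch, the timer fires every τa time units and then decrements Q and resets, times are integers, and the three traces are constructed.

```python
# Added example: a run-time check of the invariant Q - Qmin <= N0 on one trace.
# Assumed update rules (not spelled out on the slide): Q += 1 on every mode
# switch; the timer fires every tau_a time units, decrements Q and resets.

def max_extra_switches(switch_times, tau_a, horizon):
    """Largest value of Q - Qmin reached on the trace over [0, horizon]."""
    ticks = range(tau_a, horizon + 1, tau_a)
    # Merge timer ticks (kind 0) and mode switches (kind 1) in time order;
    # on a tie the tick is processed first.
    events = sorted([(t, 0) for t in ticks] +
                    [(t, 1) for t in switch_times if t <= horizon])
    q = q_min = worst = 0
    for _, kind in events:
        if kind == 1:
            q += 1                    # one more mode switch
        else:
            q -= 1                    # tau_a elapsed: one switch is "paid for"
            q_min = min(q_min, q)     # Qmin tracks the smallest Q so far
        worst = max(worst, q - q_min)
    return worst


def satisfies_invariant(switch_times, tau_a, n0, horizon):
    """True if Q - Qmin <= n0 holds at every point of this trace."""
    return max_extra_switches(switch_times, tau_a, horizon) <= n0


# Constructed traces (integer switch times), all checked against tau_a = 4.
SLOW = [3, 9, 14, 19]            # roughly one switch per tau_a
BURST = [1, 2, 3, 21, 22, 23]    # short bursts separated by long quiet periods
FAST = list(range(1, 80, 2))     # one switch every 2 time units, throughout

if __name__ == "__main__":
    for name, trace in (("slow", SLOW), ("burst", BURST), ("fast", FAST)):
        print(name, [max_extra_switches(trace, 4, h) for h in (24, 40, 80)])
```

On FAST the gap keeps growing with the horizon (11 at 40, 21 at 80), so no N0 bounds it on that trace; BURST stays within N0 = 3 because the quiet periods pay for each burst.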
Proof
If part: we show that
[Figure: timeline marking tmin, t1, t2 and Qmin]
Q(t2,t1) = Q(t2,tmin) – Q(t1,tmin)
≤ Q(t2,tmin)
= Q(t2) – Qmin(t2)
≤ N0
[Figure: timeline marking tmin, t1, t2 and Qmin]
Qmin(t2) < Qmin(t1)
Q(t2,t1) = Q(t2,tmin) + Q(t1,tmin)
≤ Q(t2,tmin)
= Q(t2) – Qmin(t2)
≤ N0
Only if part: Consider a state s’ = α’(t) of A’
suppose α’(t0) attains Qmin, Qmin(t) = Qmin(t0)
Q(t) – Qmin(t) ≤ N0
Case Study: Hysteresis Switch
[Figure: hysteresis switch flowchart with the labels "Initialize", "Find", a test with "no" and "yes" branches, and "Inputs"]
Under suitable conditions on (compatible with bounded noise and no unmodeled dynamics), can prove ADT. See CDC paper for details [Mitra, Liberzon]
Used in switching (supervisory) control of uncertain systems
Average Dwell Time: Optimization approach
An SHA A has ADT if there exists N0 such that for all α
An SHA A does not have ADT if for all N0 there is execution α such that
In general solving OPT1 is hard
• Finiteness of solution
• Completeness
# extra switches in α w.r.t. τa
Looking at cyclic counterexample
A simple sufficient condition for violating ADT
Lemma 3: If there is a cyclic execution of A with extra switches w.r.t. τa, then A does not have ADT τa.
Q: Is this also a necessary condition?
A: For a useful class of SHA it is. Finitely initialized SHA.
implies
is finite
Lemma 4: If SHA A does not have ADT τa and it is finitely initialized, then it has a cyclic execution with extra switches.
Extending to Non-initialized SHA
If there is a subset of variables Z ⊆ V, such that if x.Z = y.Z then
• x ∈ [symbol missing] implies y ∈ [symbol missing]
• F(x) = F(y)
• x → x’ on a then there exists y’ such that y → y’ on a and x’.Z = y’.Z
• x → x’ by traj τ then there exists y’ such that y → y’ on a traj of same length and x’.Z = y’.Z
Z induces a congruence relation and partitions the state space of A into equivalence classes.
We can find a region automaton Rz(A) corresponding to A such that, any τa > 0 is an ADT for A iff it is also an ADT for Rz(A).
It is sufficient to have Rz(A) finitely initialized (and not A itself) for the optimization approach to work.
Case Study: Gas Burner
[Figures: SHA; region automata; MILP solution]
Conclusions
Summary:
• SHA, SHIOA model, stability definitions
• Verification of ADT property:
  Invariant approach --- general but not automatic
  MILP approach --- restrictive, can be fully automated
• ADT preserving abstractions
Future work:
• Stability of mobile algorithms
• Input-output properties (external stability)
• Probabilistic HIOA [Cheung, Lynch, Segala, Vaandrager] and stability of stochastic switched systems [Chatterjee, Liberzon, FrA01.1]
References
[Mitra, Liberzon, Lynch, “Verifying average dwell time”, 2004, http://decision.csl.uiuc.edu/~liberzon]