introduction to formal methods for sw and hw development 11 - timed and hybrid systems: formal...

Introduction to Formal Methods for SW and HW Development

11 - Timed and Hybrid Systems:Formal Modeling and Verification

Roberto Sebastiani

Based mostly on the work and slides by Rajeev Alur,with further contributions from:

Andrea Mattioli, Paritosh Pandya, Yusi Ramadian

Trends in Model-Based Design

Emerging notations: UML,Stateflow

Visual, Hierarchical, Object oriented Simulation, code generation

Steady progress in model checking tools

Control design employs tools (Matlab…)

Opportunities to influence design tools

Typically, semantics is not formal Typically, only simulation is supported ….

Model Checker

AdvantagesAutomated formal verification, Effective debugging tool

Increasing industrial successIn-house groups: Intel, Microsoft, Lucent, Motorola…Commercial model checkers: FormalCheck by Cadence

ObstaclesScalability is still a problem (about 500 state vars)Effective use requires great expertise

model

temporalproperty

yes

error-trace

A great success story for CS theory impacting practice (see 2007 Turing award), and a vibrant area of research

Hybrid Modeling

State machines

offon

+ Dynamical systems

dx=kxx<70

dx=-k’xx>60

x>68

x<63

(notation: “dx” abbreviation of “dx/dt”)

Automotive Applications

Coordination Protocols

Interacting Autonomous Robots

Physics-based Animation

Biomolecular Regulatory Networks

Overview

1. Timed systems: Modeling and Semantics Timed automata

2. Symbolic Reachability Analysis for Timed SystemsMaking the state space finite Region automataZone automata

3. Hybrid Systems: Modeling and Semantics Hybrid automata

4. Symbolic Reachability Analysis for Hybrid SystemsLinear Hybrid AutomataApproximations of reachable sets

Acknowledgements

Thanks for providing slides & material to:

Rajeev Alur & colleagues (Penn University)

Paritosh Pandya (IIT Bombay)

Andrea Mattioli, Yusi Ramadian (Univ. Trento)

Disclaimer:Very introductive

Only very-partial coverage

Mostly computer-science centric

Part 1. Timed Systems:

Modeling and Semantics

Outline: Part 1

Timed Automata

Timed Automata

Off Light BrightPress? Press?

Press?

Press?

WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

Simple Light Control

Simple Light Control

Off Light Bright

Solution: Add real-valued clock x

X:=0X<=3

X>3

Press? Press?

Press?

Press?

Adding continuous variables and constraints to state machines

Modeling : timing constraints

Finite graph + finite set of (real-valued) clocks

vertices locations Time can elapse Constraint ( invariant )

edges switches Reset a clock Constraints

Meaning of a clock value: time elapsed since the last time it was reset.

Timed Automata

n

m

a

Clocks: x, y

x<=5 & y>3

x := 0

Guard Boolean combination of comparisons withinteger bounds

ResetAction performed on clocks

( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )

wait(1.1)

2 kinds of transitions:

( n , x=2.4 , y=3.1415 ) ( m , x=0 , y=3.1415 )

a

State ( location , x=v , y=u ) where v,u are in R

Actionused

for synchronization

n

m

a

Clocks: x, y

x<=5 & y>3

x := 0

Transitions

( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )

wait(1.1)

( n , x=2.4 , y=3.1415 )

wait(3.2)

x<=5

y<=10

LocationInvariants

g1g2 g3

g4

Invariants ensure progress!!

Adding Invariants

Timed Automata: Formal Syntax

• timed automaton A =– L = locations; = initial locations– ∑ = labels– X = clocks– I = Invariants– = set of switches (edges)

a switch = • s, s’ = locations• a = label• φ = clock constraints• = clocks to be reset

EIXLL ,,,,, 0 LL 0

LXLE X 2',,,, sas

X

Clock constraints and clock interpretations

• Set of clock constraints grammar :

only allow comparison of a clock and a constant

• clock interpretation ν :X={x,y,z} , ν(X) = {1.0, 1.5, 0}

• = clock interpretation after δ timeν(X)+δ = {1.2, 1.7, 0.2}

• = assigns 0 to each x YY={y,z}; ={1.0, 0, 0}

21||||: xccxxccx

]0:[ Y]0:[ Y

Example

Clocks { x , y }, can be re/set independently

x is reset to 0 from s0 to s1 on a switch c happens within 1 time-unit

from a because of constraints in s1 and s2

delay between b and the following d is >2

no explicit bounds on time difference between event a-b or c -d

locationswitch

invariant

Semantics

• Semantics of A defined in terms of a (infinite) transition system SA = < Q,Q0, →, ∑ >, s.t.:– Q = {(s, ν)}– Q0 = {(s, ν)} where s L0 and ν(x)=0– → :

• State change due to elapse of time• State change due to a location switch

– ∑ = set of labels of A

State change in transition system

qx<2 q'

a

(q,0)

• (q,0)• Initial state

State change in transition system

• (q,0) (q,1.2)= state change due to elapse of time

qx<2 q'

a

(q,1.2)

2.1

State change in transition system

qx<2 q'

a

(q’,1.2)

• (q,0) (q,1.2) (q’,1.2)= state change due to a location switch• q q and q q’ = q

q’

a 2.1

a a2.1 2.1

Example: Light Switch

• Switch may be turned on whenever at least 2 time units has elapsed since last “turn off”

• Light automatically switches off after 9 time units.

push

pushclick

9y

Example: Light Switch (cont.)

...)9,0,()9),3(9,(

)3,3,(),0,(

),()0,(

)5.3,()0,(

)3(93

5.3

yxoffyxon

yxonyxon

yxonyxon

yxoffyxoff

click

push

push

push

pushclick

9y

Remark : non-zenoness

1. When the invariant is violated some edge must be enabled

2. Automaton should admit the possibility of time to diverge

px<1

px<1

X=1

q

Combination of systems• Complex system = product of

interacting transition systems• S1= and S2=• Product = S1||S2 = • Transition iff :

i. Label a belongs to both alphabets synchronized(synchronization is blocking: an a-labeled switch cannot be

shot singularly)

ii. Label a only in the alphabet of S1 asynchronized

iii. Label a only in the alphabet of S2 asynchronized

1111011 ,,,,, EIXLL 2222

022 ,,,,, EIXLL

EIIXXLLLL ,,,,, 21212102

0121

Transition product

• ∑1 = {a, b}

• ∑2 = {a, c}

p1,q1p1',q1'

a

p1 p1'a

q1 q1'a

p2 p2'b

q2

q2 q2'c

p3

p2,q2p2',q2

b

p3,q2p3,q2'

c

Train – gate controller

• Desired property: AG(s2 -> t2)

Product Construction

s0,t0,u0

approach

s1,t0,u1

in

s2,t0,u1

out

s3,t0,u1

s1,t1,u0

in

s2,t1,u0

out

s3,t1,u0

exit

s0,t1,u2

lower lower lower

s1,t2,u0

in

s2,t2,u0

out

s3,t2,u0

exit

s0,t2,u0

down down down down

raise

s0,t3,u0

s3,t3,u1

s2,t3,u1

out

s1,t3,u1

in

approach

up

up

up

up

s0,t0,u0

approach

s1,t0,u1

in

s2,t0,u1

out

s3,t0,u1

s1,t1,u0

in

s2,t1,u0

out

s3,t1,u0

exit

s0,t1,u2

lower lower lower

s1,t2,u0

in

s2,t2,u0

out

s3,t2,u0

exit

s0,t2,u0

down down down down

raise

s0,t3,u0

s3,t3,u1

s2,t3,u1

out

s1,t3,u1

in

approach

up

up

up

upx≤5 z≤1x:=0,z:=0 x>2

y:=0, z=1

Part 2. Symbolic Reachability

Analysis for Timed Systems

Outline: Part 2

Reachability analysisMaking the state space finiteRegion automataZone automata

Reachability Analysis

• Verification of safety requirement: reachability problem

• Input: a time-automaton A and a set of target locations

• Determining whether LF is reachable in a timed automaton A

• Location s of A is reachable if some state q with location component s is a reachable state of the transition system SA

LLF

Timed/hybrid Systems: problem

Is finite state analysis possible?Is reachability problem decidable?

The transition system SA associated to A has infinitely-many states & symbols:

Idea: Finite Partitioning

Goal: To partition state-space into finitely many equivalence classes so that equivalent states exhibit similar behaviors

Reachability analysis

SA

Time-abstractautomaton

RegionAutomaton

Time abstraction

Finite set of actions

Infinite set of states.

Quotient

Both states and actions are finite sets

Timed AutomatonSemantics

Regions

Infinite set of actions

Infinite set of states.

Outline: Part 2

Reachability Analysis Making the state space finite Region automata Zone automata

Timed Vs Time-Abstract Relations

Transition system associated with a timed/hybrid automaton A:• SA: Labels on continuous steps are delays in

R• Actual delays are suppressed (all continuous

steps have same label): Time-abstract UA

Time-abstract transition system UA

• Only change due to location switch stated explicitly

• Cut system to finitely many labels• UA(instead of SA) allows for capturing untimed

properties (e.g., reachability, safety)

)0,7.0,()9.1,7.0,()2.1,0,()2.1,2.1,()0,0,( 21

7.0

10

2.1

0 sssssba

)0,7.0,()2.1,0,()0,0,( 210 sssba

Stable quotients

• Cut to finitely many states• Collapse equivalent states• Stable

equivalence relation

• Quotient of UA = transition system [UA]~

q q'

a

u u'

a

q ~ u q' ~ u’

Stable according to the transition

LF-sensitive equivalence relation

• Equivalence relation ~ = LF-sensitive• All equivalent states in a class belong to

either LF or not LF

q q'

u u'

v v'

a

c

b

LF

not LFa'

c'

b'

Outline: Part 2

Reachability Analysis Making the state space finite Region Automata Zone automata

Region Equivalence over clock interpretation

• x = 3.7– Integral part : = 3.0– Fractional part = fr(ν(x)) = 0.7

• iff1. For all x, the integral part is the same or

both exceed cx pict. (cx : max constant x is compared to)

2. For all x, y with ν(x) ≤ cx and ν(y) ≤ cy, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y)) pict.

3. For all x, ν(x) ≤ cx,fr(ν(x)) =0 iff fr(ν’(x)) =0 pict

'

)(x

next

Constraint 1

0 1 2

1

y

x0 1 2

1

y

x

)(' x= = 1 )(x

back

For all x, the integral part is the same or both exceed cx

Constraint 20 1 2

0 1 2

1

y

x0 1 2

1

y

x0 1 2

1

y

x

fr(v(x)) =fr(v(x))

0 1 2

1

y

x

fr(v(x)) =fr(v(x))

(fr(v(x)) ,fr(v(y)))

(fr(v’(x)) ,fr(v’(y)))

back

For all x, y with ν(x) ≤ cx and ν(y) ≤ cy, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y))

(fr(v(x)) = fr(v(y)))

Constraint 3

0 1 2

1

y

x

fr(ν(x)) =0

fr(ν’(x)) =0

back

For all x, ν(x) ≤ cx,fr(ν(x)) =0 iff fr(ν’(x)) =0

• Clock region: equivalence class of clock interpretation finite

• Max number of regions =– (k is the number of clocks)

• Number of clock regions exponential in the encoding of the clock constraints

Clock regions

Xx xk ck )22(2!

0 1 2

1

y

x0 1 2

1

y

x0 1 2

1

y

x0 1 2

1

y

x0 1 2

1

y

x0 1 2

1

y

x

2 clocks x, y. cx = 2, cy = 1 • 8 open regions• 14 open line segments • 6 corner points

Regions, intuitive idea:Finite partitioning of state space

x

y Definition

An equivalence class (i.e. a region)in fact there is only a finite number of regions!!

1 2 3

1

2

w @ w’ iff they satisfy the same set of constraints of the formxi < c, xi = c, xi – xj < c, xi –xj =cfor c <= largest const relevant to xi

Alur, Dill, 90

Region Operations

x

y

An equivalence class (i.e. a region)

Successor regions, Succ(r)

r

1 2 3

1

2

Resetregions

{y}r

{x}r

Properties of Regions

The region equivalence relation @ is a time-abstract bisimulation:– Action transitions: If w @ v and (l,w) -a->

(l’,w’) for some w’, then $ v’ @ w’ s.t. (l,v) -a-> (l’,v’)

– Delay transitions: If w @ v then for all real numbers d, there exists d’ s.t. w+d @ v+d’

If w @ v then (l,w) and (l,v) satisfy the same temporal logic formulas

Region automaton

• Equivalent states = identical location + region-equivalent clock

• Classes = finite, stable, LF-sensitive• Region automaton of A = R(A)

– Q = equivalence classes of (s, ν)• Reachability problem (A, LF) search

R(A)

Region graph of a simple timed automata

Complexity of reachability

• Linear with number of locations• Exponential with number of clocks• Exponential in the encoding of

constantsPSPACE-complete

Outline: Part 2

Reachability Analysis Making the state space finite Region Automata Zone Automata

Zone automata

• Collapse regions by convex unions of clock regions

• Clock zone φ = set of clock constraints x-y≤c, x-y<c,x<c,x≤c,x=c,x>c,x≥c

• φ = convex set in the k-dimensional euclidean space Contains all possible relationship for all clock value in a set

Zones: symbolic representation

State(s, x=3.2, y=2.5 )

x

y

x

y

Symbolic state (set of states)(s, )

Zone:conjunction ofx-y≤c, x-y<c,x<c,x≤c,x=c,x>c,x≥c

3y4,1x1 ££££

Zone automaton

• Z(A) is a transition system < Q,Q0,∑, → > s.t. – Q = zone of A; Zone = (s, φ)– Q0 = (s,[X:=0]), for every initial location s of

A– ∑ = set of labels or events– → = ((s, φ), a, (s’,succ(φ, e)))

• succ (φ, e) = clock interpretation after executing e

Symbolic transition

• succ (φ, e) =

1. ^ = intersection2. = interpretation for3. = interpretation • closure under the three operations still a

convex set

]0:[ ]0:[

]0:)[)()))(((( sIsI

Φ fulfill invariant of state s

still fulfill invariant of state s after time elapse fulfill the time constraint of switch e

Symbolic Transitions

n

m

x>3

y:=0

x

ydelays to

x

y

x

y conjuncts to

x

y

projects to

1<=x<=41<=y<=3

1<=x, 1<=y-2<=x-y<=3

3<x, 1<=y-2<=x-y<=3

3<x, y=0

Thus (n,1<=x<=4,1<=y<=3) ==> (m,3<x, y=0)

Canonical Data-structures for Zones: Difference-bound

Matrices Matrix representation of constraints

(bounds on a single clock or difference betn 2 clocks)

Reduced form obtained by running all-pairs shortest path algorithm

Reduced DBM is canonical Operations such as reset, time-successor,

inclusion, intersection are efficient Popular choice in timed-automata-based

tools

Difference-bound matrices (DBM)

• k clocks = (k +1) x (k +1) matrix D• Example :

D0i = lower bound

Di0 = upper bound

)0()10()20( 2121 xxxx

Dij = upper bound of xi and xj difference

• i,j: (c,1) Xi-Xj ≤ c

• i,j:(c,0) Xi-Xj < c

• i,j: ∞ absence of bound

Difference-bound matrices (DBM)

• Upper bound of xi - xl = sum of the upper bounds of xi - xj and xj – xl

• Use all-pairs shortest paths, check DBM Satisfiable Canonical – Satisfiable = a nonempty clock zone – Canonical= Matrices with tightest possible constraints

• Canonical Dbms represent clock zones

x<=1y-x<=2z-y<=2z<=9

x<=1y-x<=2z-y<=2z<=9

x<=1y-x<=2y<=3z-y<=2z<=7

x<=1y-x<=2y<=3z-y<=2z<=7

D1

D2

When are two sets of constraints equivalent?

x x

0 y

z

1 2

29

ShortestPath

Closure

ShortestPath

Closure

0 y

z

1 2

25

0

x

y

z

1 2

27

0

x

y

z

1 2

25

3

3 3

Graph

Graph

Canonical Data-structures for Zones:Difference Bounded Matrices

Complexity

• Theoretically :– Zone automaton may be

exponentially bigger than the region automaton

• Practically : – Fewer reachable vertices performances much improved

Implementation

• Verification problem :– Input = timed automaton Ai

– Process = searching R(||iAi) or Z(||iAi) • BDD-based engine (preferably for region

construction)• On-the-fly enumerative search

(preferably for zone construction)

Timed Automata: summary

Only continuous variables are timers Invariants and Guards: x<const,

x>=const Actions: x:=0 Reachability is decidable Clustering of regions into zones desirable

in practice Tools: Uppaal, Kronos, RED … Symbolic representation: matrices Techniques to construct timed

abstractions of general hybrid systems

Decidable Problems

Model checking branching-time properties of timed automata

Reachability in rectangular automata Timed bisimilarity: are two given timed

automata bisimilar? Optimization: Compute shortest paths

(e.g. minimum time reachability) in timed automata with costs on locations and edges

Controller synthesis: Computing winning strategies in timed automata with controllable and uncontrollable transitions

Part 3. Hybrid Systems:

Modeling and Semantics

Outline: Part 3

Hybrid Automata

Hybrid Automata

Hybrid Automata

l

l’

jump transformation

edge guard

continuous dynamicsinitial condition

invariant: hybrid automaton may remain in l as long as X Inv(l)

X Inv(l’)

dX Flow(l’)

X Inv(l)

dX Flow(l) X Init(l)

e : g(X)0

J(X, X’)

locations or modes (discrete states)

modeselect

integrator

m(t)

xdot(t)

flow constraints

x(t)

x(t)

jump mapping

initial condition

e(t)

threshold-drivendiscrete dynamics

x(t)e(t)

m(t)

cont. state

discrete state

discrete event

F1

F2

F31S

X0

Je

e(t)

Je

jump dynamics

cont. state

discrete state

discrete event

discrete dynamics

Switched Dynamic Systems

F1

F2

F3

1S

continuous dynamics

Hybrid Automata

Set L of locations, and set E of edges Set X of k continuous variables State space: L X Rk, Region: subset of Rk

For each location l, Initial states: region Init(l)

Invariant: region Inv(l)

Continuous dynamics: dX in Flow(l)(X) For each edge e from location l to location l’

Guard: region Guard(e)

Update relation “Jump” over Rk X Rk

Synchronization labels (communication information)

(Finite) Executions of Hybrid Automata

State: (l, x) such that x satisfies Inv(l) Initialization: (l,x) s.t. x satisfies Init(l) Two types of state updates Discrete switches: (l,x) –a-> (l’,x’) if there is

an a-labeled edge e from l to l’ s.t. x satisfies Guard(e) and (x,x’) satisfies update relation Jump(e)

Continuous flows: (l,x) –f-> (l,x’) where f is a continuous function from [0,d] s.t. f(0)=x, f(d)=x’, and for all t<=d, f(t) satisfies Inv(l) and df(t) satisfies Flow(l)(f(t))

Example of (linear) Hybrid Automaton

Gate for a railroad controller

Openh = 90dh = 0

loweringh >= 0

-10<dh <-9

raisingh <= 90

8< dh <10

closedh = 0

dh = 0

h = 90 ?lower

?lower

?raise

?raise

h = 90 h = 0

Part 4. Symbolic Reachability

Analysis for Hybrid Systems

Outline: Part 4

Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe

Approximations (CheckMate)

Standard Reachability Problem

Model variables X ={x1, … xn} Each var is of finite type, say, boolean

Initialization: I(X) condition over XUpdate: T(X,X’)

How new vars X’ are related to old vars X as a result of executing one step of the program

Target set: F(X)Computational problem:

Can F be satisfied starting with I by repeatedly applying T ?

Graph Search problem

General Symbolic SolutionData type: region to represent state-setsR:=I(X)Repeat

If R intersects F report “yes”Else if R contains Image(R) report “no”Else R := R union Image(R)

Image(R): Set of successors of states in RTermination may or may not be guaranteed

Symbolic Representations

Necessary operations on RegionsUnion

Intersection

Negation

Projection

Renaming

Equality/containment test

Emptiness test

Different choices for different classesBDDs for boolean variables in hardware

verification

Size of representation as opposed to number of states

Reachability for Hybrid Systems

Same algorithm works in principle What’s a suitable representation of

regions? Region: subset of Rk

Main problem: handling continuous dynamics

Precise solutions available for restricted continuous dynamics

Timed automata Linear hybrid automata

Even for linear systems, over-approximations of reachable set needed

Reachability Analysis for Dynamical Systems

Goal: Given an initial region, compute whether a bad state can be reached

Key step is to compute Reach(X) for a given set X under dx/dt = f(x) (hereafter dx = f(x) for short)

X

Reach(X)

Outline: Part 4

Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe

Approximations (CheckMate)

Multi-rate Automata

Modest extension of timed automata• Dynamics of the form dx = const (rate of a

clock is same in all locations) • Guards and invariants: x < const, x > const• Resets: x := const

Simple translation to timed automata that gives time-abstract bisimilar system by scaling

dx = 2dy = 3

x>5 and y <1

du = 1dv = 1

u>5/2 and v <1/3

Rectangular Automata

Interesting extension of timed automata• Dynamics of the form dx in const

interval (rate-bounds of a clock same in all locations)

• Guards/invariants/resets as before Translation to multi-rate automata that

gives time-abstract language-equiv systemdx in

[2,3]

x>5

x<2 dxm = 2dxM = 3

xM>5, xm:=5

xm<2, xM:=2

Puri, Henzinger, 95

Linear Hybrid Automata

Invariants and guards: linear (Ax <= b) Actions: linear transforms (x’:= Ax) Dynamics: time-invarint, state-

independentspecified by a convex polytope constraining ratesE.g. 2 < x <= 3, x = y

Tools: HyTech Symbolic representation: Polyhedra Methodology: abstract dynamics by

differential inclusions bounding rates

Example LHAGate for a railroad controller

Openh = 90dh = 0

loweringh >= 0

-10<dh <-9

raisingh <= 90

8< dh <10

closedh = 0

dh = 0

h = 90 ?lower

?lower

?raise

?raise

h = 90 h = 0

Reachability ComputationBasic element: (location l, polyhedron p)Set of visited states: a list of (l,p) pairsKey steps: Compute “discrete” successors of (l,p) Compute “continuous” successor of (l,p) Check if p intersects with “bad” region Check if newly found p is covered by

already visited polyhedra p1,…, pk (expensive!)

Computing Discrete Successors

Discrete successor of (l,p) Intersect p with g (result r is a polyhedron) Apply linear transformation A to r (result r’

is a polyhedron) Intersect r’ with the invariant of l’ (result r”

is a polyhedron) Successor is (l’,r”)

l l’g(x)-> x := a(x)

Computing Time Successor

x

y

x

y

(3,2)

(1,4)

Rate Polytope

(1,4)

(3,2)p

Reach(p)

Thm: If initial set p, invariant I, and rate constraint r, are polyhedra, then set of reachable states is a polyhedron (and computable)

Basically, apply extremal rates to vertices of p

Summary: Linear Hybrid Automata

HyTech implements this strategy Core computation: manipulation of

polyhedra Bottlenecks

proliferation of polyhedra (unions) computing with higher dimensional polyhedra

Many case studies (active structure control, Philips audio control protocol, steam boiler…)

Outline: Part 4

Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe

Approximations (CheckMate)

Beyond LHA

Exact computation with polyhedra is limiting. If dynamics is dX=AX, and P is a polyhedron,

Reach(P) is not a polyehdron Solutions:

Approximate Reach(P) with an enclosing convex polyhedron: Checkmate (Krogh)

Approximate Reach(P) with an enclosing (non-convex) orthogonal polyhedron: d/dt (Dang/Maler)

Level sets method (Greenstreet, Tomlin) Use ellipsoids for representation of sets

(Kurzhanski)

Polyhedral Flow Pipe Approximations

X0

t1

t2

t3

t4

t5t6 t7

t8

t9

• divide R[0,T](X0) into [tk,tk+1] segments

• enclose each segment with a convex polytope

• RM[0,T](X0) = union of polytopes

Wrapping Hyperplanes Around a Set

S

c4

c3

c2c1

Step 1:Choose normal vectors, c1,...,cm

S

c4

c3

c2

c1

Step 2:Compute optimal d in Cx d, CT = [c1 ... cm]:

di = max ciTx

xS

Wrapping Hyperplanes Around a Set

Wrapping a Flow Pipe Segment

Given normal vectors ci, we wrap R[tk,tk+1]

(X0) in a polytope by solving for each i

Optimization problem is solved by embedding simulation into objective function computation

di = max ciTx(t,x0)

xo,t

s.t. x0X0

t [tk,tk+1]

Improvements for Linear Systems

x = Ax x(t, x0) = eAtx0

No longer need to embed simulation into optimization

Flow pipe segment computation depends only on time step t

A segment can be obtained by applying eAt to another segment of the same t

)(ˆ)(ˆ0],0[0],[ XReXR t

Atttt

Example: Van der Pol Equation

X x x0 1 20 8 1 0 { . , }

. ( )

x x

x x x x1 2

2 12

2 10 2 1

Van der Pol Equation

Uniform time stepDtk = 0.5

Initial Set

Summary: Flow Pipe Approximation

• Applies in arbitrary dimensions• Approximation error doesn't grow

with time• Estimation error (Hausdorff

distance) can be made arbitrarily small with Dt < d and size of X0 < d

• Integrated into a complete verification tool (CheckMate)