t-Barrier Certificates: A Continuous Analogy to k-Induction

Proceedings, 6th IFAC Conference on Analysis and Design of Hybrid Systems Proceedings, 6th IFAC on Proceedings, 6th 11-13, IFAC Conference Conference on Analysis Analysis and and Design Design of of Hybrid Systems Oxford, UK, July 2018 Hybrid Systems Proceedings, 6th IFAC Conference on Analysis and Design of Hybrid Systems Oxford, UK, July 11-13, 2018 Available online at www.sciencedirect.com Oxford, UK, 2018 Hybrid Proceedings, 6th 11-13, IFAC Conference on Analysis and Design of Oxford,Systems UK, July July 11-13, 2018 Oxford,Systems UK, July 11-13, 2018 Hybrid Oxford, UK, July 11-13, 2018

ScienceDirect

t-Barrier Certificates: t-Barrier Certificates: t-Barrier Certificates: Continuous Analogy to k-Induction t-Barrier Certificates: Continuous Analogy to Continuous Analogy to k-Induction k-Induction t-Barrier Certificates: Continuous Stanley Analogy Bak ∗∗to k-Induction Bak Continuous Stanley Analogy Stanley Bak ∗∗to k-Induction IFAC PapersOnLine 51-16 (2018) 145–150

A A A A A

Stanley Bak ∗ Stanley Bak ∗ Safe Sky Analytics ∗ Safe Sky ∗ Stanley Bak ∗ [email protected] ∗ Safe Sky Analytics Analytics [email protected] ∗ Safe Sky Analytics

Safe Sky Analytics [email protected] [email protected] ∗ Sky Analytics [email protected] Abstract: Safety proofs of discrete andSafe continuous systems often use related proof approaches, [email protected] Abstract: Safety proofs of discrete and continuous systems often use related proof approaches, and insight can be obtained by comparing reasoning methods domains. example, Abstract: Safety proofs of discrete and continuous systems oftenacross use related related proofFor approaches, Abstract: Safety proofs of discrete and continuous systems often use proof approaches, and insight can be obtained by comparing reasoning methods across domains. For example, proofs using inductive invariants in discrete systems are analogous to barrier certificate methods Abstract: Safety proofs of discrete and continuous systems often use related proof approaches, and insight insight can can be be obtained obtained by by comparing comparing reasoning reasoning methods methods across across domains. domains. For For example, example, and proofs using inductive invariants in discrete systems are analogous to barrier certificate methods in continuous systems. In this paper, we present and prove the soundness of continuous and Abstract: Safety proofs of discrete and continuous systems often use related proof approaches, and insight can be obtained by comparing reasoning methods across domains. For example, proofs using inductive invariants in discrete systems are analogous to barrier certificate methods proofs using inductive invariants in discrete systemsand are prove analogous to barrier certificate methods in continuous systems. In this paper, we present the soundness of continuous and hybrid analogs to the k-induction proof rule, which we call t-barrier certificates. and insight can be obtained by comparing reasoning methods across domains. For example, proofs using inductive invariants in discrete systems are analogous to barrier certificate methods in continuous systems. In this paper, we present and prove the soundness of continuous and in continuous systems. In this paper, werule, present and prove the soundness of continuous and hybrid analogs to the k-induction proof which we call t-barrier certificates. proofs using inductive invariants in discrete systems are analogous to barrier certificate methods in continuous systems. In this paper, we present and prove the soundness of continuous and hybrid analogs to the k-induction proof rule, which we call t-barrier certificates. hybrid analogs to the k-induction proof rule, which we call t-barrier certificates. Thecontinuous method combines symbolic reasoning and time-bounded reachability along the barrierand in in systems. In this paper, present and the soundness of continuous hybrid analogs to the k-induction proofwerule, which we prove call t-barrier certificates. The method combines symbolic reasoning and time-bounded reachability along the barrier in order to prove system safety. Compared with traditional barrier certificates, a larger class of hybrid analogs to the k-induction proof rule, which we call t-barrier certificates. The method combines symbolic reasoning and time-bounded reachability along the barrier in The method combines symbolic reasoningwith and traditional time-bounded reachability along the barrier in order to prove system safety. Compared barrier certificates, a larger class of functions can be shown to be t-barrier certificates, so we expect them to be easier to find. The method combines symbolic reasoning and time-bounded reachability along the barrier in order to prove system safety. Compared with traditional barrier certificates, a larger class of order to prove system safety. Compared with traditional barrier certificates, a easier larger to class of functions can be shown to be t-barrier certificates, so we expect them to be find. Compared with traditional reachability analysis, t-barrier certificates can be computationally The method combines symbolic reasoning and time-bounded reachability along the barrier in order to prove system safety. Compared with traditional barrier certificates, a larger class of functions can be shown to be t-barrier certificates, so we expect them to be easier to find. functions can betraditional shown to reachability be t-barrier analysis, certificates, so wecertificates expect them tobebecomputationally easier to find. Compared with t-barrier can tractable in nonlinear settings despite large initial sets, they prove time-unbounded safety. order to prove system safety. with traditional certificates, a easier larger to class of functions can be shown to reachability beCompared t-barrier certificates, so and webarrier expect them tobe find. Compared with traditional reachability analysis, t-barrier certificates can bebecomputationally computationally Compared with traditional analysis, t-barrier certificates can tractable in nonlinear settings despite large initial sets, and they prove time-unbounded safety. We demonstrate the feasibility of the approach with a nonlinear harmonic oscillator example, functions can be shown to be t-barrier certificates, so we expect them to be easier to find. Compared with traditional reachability analysis, t-barrier certificates can be computationally tractable in nonlinear settings despite large initial sets, and they prove time-unbounded safety. tractable in nonlinear settings despite large initial sets, and they prove time-unbounded safety. We demonstrate the feasibility of the approach with aafor nonlinear harmonic oscillator example, using sympy and traditional Z3 symbolic and Flow* analysis. Compared reachability analysis, t-barrier certificates can be computationally tractable inwith nonlinear settings despite large initial sets, andreachability they prove time-unbounded safety. We demonstrate demonstrate the for feasibility ofreasoning the approach approach with nonlinear harmonic oscillator example, We the feasibility of the with a nonlinear harmonic oscillator example, using sympy and Z3 for symbolic reasoning and Flow* for reachability analysis. tractable in nonlinear settings despite large initial sets, and they prove time-unbounded safety. We demonstrate the feasibility of the approach with a nonlinear harmonic oscillator example, using sympy and Z3 for symbolic reasoning and Flow* for reachability analysis. using sympy and Z3 for symbolic reasoning and Flow* for reachability analysis. We demonstrate the feasibility of the approach with a nonlinear harmonic oscillator example, using sympy and Z3 for symbolic reasoning and Flow* for reachability analysis. © 2018, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. 1. INTRODUCTION (i) S ∈ I ⇒ Ψ(S) < 0 1. INTRODUCTION using sympy and Z3 for symbolic reasoning and Flow* for reachability analysis. (i) S ∈ I ⇒ Ψ(S) < (ii) U > 000 1. INTRODUCTION (i) S ∈ I ⇒ Ψ(S) < 1. INTRODUCTION (i) S ∈ I ⇒ Ψ(S) < (ii) S ∈ U ⇒ Ψ(S) > 0 0 1. INTRODUCTION (iii) S Ψ(S) 0⇒ Lf Ψ(S) (i) ∈ Ψ(S) < (ii) U > The k-induction principle has proven useful for the formal (ii) S ∈I U= ⇒ Ψ(S) > 00< (iii) Ψ(S) = 0 ⇒ L Ψ(S) 0 f The k-induction principle has proven useful for the formal 1. INTRODUCTION (i) S ∈ I ⇒ Ψ(S) < 0 (ii) U= > < (iii) Ψ(S) Ψ(S) < analysis of discrete systems. approach was to f The k-induction k-induction principle has The proven useful for for theused formal (iii) Ψ(S) = 00 ⇒ L Lthe < 00 f Ψ(S) The principle has proven useful the formal Here, Lf Ψ is (ii) the Lie derivative, directional derivative analysis of discrete systems. The approach was used to S ∈ U ⇒ Ψ(S) > 0 (iii) Ψ(S) = 0 L Ψ(S) < 0 f directional analyze finite state machines in Sheeran al. (2000), The k-induction principle has The proven useful et for theused formal analysis of discrete discrete systems. The approach was used to of Here, L Ψ is the Lie derivative, the derivative f analysis of systems. approach was to the function Ψ along the vector field f , computed Here, L Ψ the Lie derivative, directional derivative analyze finite state machines in Sheeran et al. (2000), Ψ(S) = the 0 ⇒ vector Lthe < 0 f , computed Here, Lfffunction Ψ is is (iii) the Ψ Lie derivative, the directional derivative f Ψ(S) infinite state discrete systems in De Moura et al. (2003), The k-induction principle has proven useful for the formal analysis of discrete systems. The approach was used to analyze finite state machines in Sheeran et al. (2000), of the along field analyze finitediscrete state machines in De Sheeran etet al. (2000), from each coordinate of the state vector Lf (S) = Here, Lffunction Ψ is the Ψ Liealong derivative, the directional derivative of the the vector field ffS:,, computed infinite state systems in Moura al. (2003), of the function Ψ along the vector field computed and software in Donaldson et al. (2011). Compared with analysis of discrete systems. The approach was used to analyze finite state machines in Sheeran et al. (2000), infinite state state discrete discrete systems systems in in De De Moura Moura et et al. al. (2003), (2003), from each coordinate of the state vector S: L = f (S) infinite Σ (∂Ψ/∂s)f (s). Condition (iii) is similar to the inducHere, L Ψ is the Lie derivative, the directional derivative of the function Ψ along the vector field f , computed s∈S from each coordinate of the state vector S: L = f and software in Donaldson et al. (2011). Compared with each coordinate of the (iii) state vector to S: the Lff (S) (S) = standard induction, k-induction a stronger base case from analyze finite machines inhas Sheeran etet al. (2000), infinite state discrete systems De Moura al. (2003), and software software instate Donaldson et in al. (2011). Compared with Σ (∂Ψ/∂s)f (s). Condition is similar inducs∈S and in Donaldson et al. (2011). Compared with tive step in the discrete case, ensuring that solutions on of the function Ψ along the vector field f , computed from each coordinate of the state vector S: L (S) = Σ (∂Ψ/∂s)f (s). Condition (iii) is similar to the f inducstandard induction, k-induction has a stronger base case s∈S Σ (∂Ψ/∂s)f (s). Condition (iii) is similar to the induca strengthened antecedent during the inductive step, s∈Sstep in the discrete case, ensuring that solutions on infinite state discrete systems in De Moura et al. (2003), and software in Donaldson et al. (2011). Compared with standard induction, k-induction has a stronger base case tive standard induction, k-induction has a stronger base case the zero level set of the barrier function must flow inward. from each coordinate of the state vector S: L (S) = Σ (∂Ψ/∂s)f (s). Condition (iii) is similar to the inductive step in the discrete case, ensuring that solutions on f s∈Sstep in the discrete case, ensuring that solutions on and aasoftware strengthened antecedent during the inductive step, which caninduction, make proving theetconsequent easier asbase there is tive and in Donaldson al. (2011). Compared with standard k-induction has a the stronger case strengthened antecedent during the inductive step, the zero level set of the barrier function must flow inward. and a strengthened antecedent during inductive step, The correctness of barrier certificates is justified by the Σ (∂Ψ/∂s)f (s). Condition (iii) is similar to the inductive step in the discrete case, ensuring that solutions on the zero level set of the barrier function must flow inward. s∈S which can make proving the consequent easier as there is zero level set of of the barrier function ismust flow inward. more available. example, with kbase = 2, we standard k-induction has a the stronger case and a information strengthened antecedent during inductive step, which caninduction, make proving proving the For consequent easier as there is the The correctness barrier certificates justified by the which can make the consequent easier as there is continuity solutions. Solutions mustis start inside tive step inofthe discrete case, ensuring that solutions on the level set of the barrier function flow inward. The correctness of barrier certificates justified by more information available. For example, with k = 2, we Thezero correctness of barrier certificates ismust justified by the the can show a property P holds for all n if we can show: and a strengthened antecedent during the inductive step, which can make proving the consequent easier as there is more information available. For example, with k = 2, we continuity of solutions. Solutions must start inside the more information available. For example, with k = 2, we barrier due to condition (i), and cannot reach an unsafe the zero level set of the barrier function must flow inward. The correctness of barrier certificates is justified by the continuity of solutions. Solutions must start inside can show a property P holds for all n if we can show: continuity of solutions. Solutions must start inside the which can proving consequent easier there is barrier more information available. with kshow: = 2, we can show property P holds for example, all n n if if we we canas show: due to condition (i), reach an unsafe can show aamake property for all can state which must be barrier outside ofand the cannot barrier due toinside condition Base case: PP (0)holds ∧the P For (1) The correctness of justified by continuity Solutions mustis start the barrier due to condition (i), and cannot reach an unsafe barrier dueof to solutions. condition (i),certificates and cannot reach an unsafe more information available. For example, with k = 2, we can show a property P holds for all n if we can show: state which must be outside of the barrier due to condition Base case: P (0) ∧ P (1) (ii), because they would have the pass through the barrier, P (n) ∧ P (n + 1) ⇒ P (n + 2) Inductive step: ∀ continuity of solutions. Solutions must start inside the barrier due to condition (i), and cannot reach an unsafe n state which must be outside of the barrier due to condition Base case: P (0) ∧ P (1) state which must be outside ofthe thepass barrier due to condition P (0) ∧ P∧ (1) canBase showcase: a property holds for all+n1)if we can show: (ii), because they would have through the barrier, P (n) P (n ⇒ P (n + 2) Inductive step: ∀ nP which is impossible due to condition (iii). More details are barrier due to condition (i), and cannot reach an unsafe state which must be outside of the barrier due to condition Base case: P (0) ∧ P (1) (ii), because they would have the pass through the barrier, P (n) ∧ P (n + 1) ⇒ P (n + 2) Inductive step: ∀ n (ii), because they would have the pass(iii). through the barrier, P (n + 1) in⇒theP base (n + 2) In Inductive general, kstep: steps∀need to∧be shown case, which n P (n) is impossible due to condition More details available in (Alur, 2015, Theorem 6.6). state which must be outside of the barrier due to condition Base case: P (0) ∧ P (1) (ii), because they would have the pass through the barrier, P (n) ∧ P (n + 1) ⇒ P (n + 2) Inductive step: ∀ which is is impossible impossible due due to to condition condition (iii). (iii). More More details details are are n assumed In general, k steps need to be shown in the base case, which are and then k steps are in the inductive hypothIn general, k steps need to be shown in the base case, available in (Alur, 2015, Theorem 6.6). In general, ksteps stepsare to∧be shown in⇒theP base case, (ii), because they would have the pass through barrier, (n) P (n + 1) inductive (nhypoth+ 2) Inductive step: ∀need which is impossible due to condition (iii). Morethe details are available in (Alur, 2015, Theorem 6.6). n P and then k assumed in the available in (Alur, 2015, Theorem 6.6). esis in order to try to show P (n + k). The correctness In this paper, we seek continuous and hybrid analogs to In stepsare need to be in shown in the base case, which is impossible due to condition (iii). More details are and then k assumed the hypothandgeneral, then k ksteps steps are assumed in thek).inductive inductive hypothavailable in (Alur, 2015, Theorem 6.6). esis in order to try to show P (n + The correctness In this paper, we seek continuous and hybrid analogs of k-induction follows from strong induction, although k-induction. The main modification is to condition (iii), In general, k steps need to be shown in the base case, and then k steps are assumed in the inductive hypothesis in in order order to to try try to to show show P P (n (n + + k). k). The The correctness correctness In In this paper, paper, we seek seek continuous and hybrid hybrid analogs analogs to to esis this we and to available in (Alur, 2015,continuous Theorem 6.6). of k-induction follows from strong induction, although k-induction. The main modification is to condition (iii), automated methods better with k- In where reachability analysis ofcondition some duration and then k reasoning steps areto assumed in + thework hypothesis in order tofollows try show strong Poften (n k).inductive The correctness thistime-bounded paper,The we main seek continuous and hybrid analogs to of k-induction from induction, although k-induction. modification is to (iii), of k-induction follows from strong induction, although k-induction. The main modification is to condition (iii), automated reasoning methods often work better with kwhere time-bounded reachability analysis of some duration induction rather than with strong induction since it does t is used as a replacement for the condition in k-induction esis in order to try to show P (n + k). The correctness In this paper, we seek continuous and hybrid analogs to of k-induction follows from strong induction, although k-induction. The main modification is to condition (iii), automated reasoning methods often work better with kwhere time-bounded reachability analysis of some duration automatedrather reasoning methods often work better with k- where time-bounded reachability analysis of in some duration induction than with strong induction since it does twhere used as aa The replacement for the condition k-induction not use quantifiers in the antecedent of the inductive that P is true for k steps. of k-induction follows from strong induction, although main modification is to condition (iii), automated reasoning methods often work better with k- k-induction. time-bounded reachability analysis of some duration induction rather than with strong induction since it step. does tt is is used as replacement for the condition in k-induction induction rather than with strong induction since it does is used as a replacement for the condition in k-induction not use quantifiers in the antecedent of the inductive P is true for k steps. automated reasoning methods often work better k- that where reachability of in some duration induction rather than with strong induction since with it step. does is used a replacement for theanalysis condition k-induction not use in antecedent of the P is true for k not use quantifiers quantifiers in the the antecedent of the inductive step. that Ptime-bounded isas true forsoundness k steps. steps. Introduced in the context of verification of inductive nonlinearstep. sys- tthat The theory and of t-barrier certificates is disinduction rather than with strong induction since it does t is used as a replacement for the condition in k-induction not use quantifiers in the antecedent of the inductive step. that P is true for k steps. Introduced in context of of nonlinear sysThe theory and soundness of t-barrier certificates distems in Prajna 2006), barrier certificates a cussed in Section 2. We then apply the approachis to Introduced in the the(2003, context of verification verification of inductive nonlinearare sysThe and of certificates is disIntroduced in the context of verification of nonlinear sysThe theory theory and soundness of t-barrier t-barrier certificates isin disnot use quantifiers in the2006), antecedent of the step. that P in is true forsoundness k2.steps. tems in Prajna (2003, barrier certificates are aa cussed Section We then apply the approach in to continuous version of inductive invariants. A continuous a harmonic oscillator example, which has nonlinear dyIntroduced in the context of verification of nonlinear sysThe theory and soundness of t-barrier certificates is distems in Prajna (2003, 2006), barrier certificates are in 2. then the approach in to tems in Prajna (2003, 2006), barrier certificates are a cussed cussed in Section Section 2. We We then apply apply the approach indyto continuous version of inductive invariants. A continuous a harmonic oscillator example, which has nonlinear ˙ system variables S,2006), dynamics S =certificates (Lipschitz andSection trajectories that to aapproach limit cycle in Introduced in the(2003, context of verification off (S) nonlinear sysThe theory and soundness of converge t-barrier certificates isindistems inwith Prajna barrier are a cussed in 2. We then apply the to continuous version of inductive invariants. A continuous anamics harmonic oscillator example, which has nonlinear dycontinuous version of inductive invariants. A continuous a harmonic oscillator example, which has nonlinear dy˙ system with variables S, dynamics S = ff (S) (Lipschitz namics and trajectories that converge to aaapproach limit cycle in ˙˙uniqueness to ensure existence and of soluSection 3. Section 4 then contains discussion of related tems in Prajna (2003, 2006), barrier certificates are a cussed in Section 2. We then apply the in to continuous version of inductive invariants. A continuous a harmonic oscillator example, which has nonlinear dysystem with variables S, dynamics S = (S) (Lipschitz namics and trajectories that converge to limit cycle in system withtovariables S, dynamics S˙uniqueness = f (S) (Lipschitz namics and trajectories that converge to a limit cycle in continuous ensure existence and of soluSection 3. Section 4 then contains discussion of related tions), initial set of states I, and unsafe set of states U work, followed by a conclusion. continuous version of inductive invariants. A continuous a harmonic oscillator example, which has nonlinear dysystem with variables S, dynamics S = f (S) (Lipschitz namics and trajectories that converge to a limit cycle in to ensure existence and uniqueness of soluSection 3. Section 44 then contains discussion of related continuous to ensure existence and uniqueness of soluSection 3. Section then contains discussion of related tions), initial set of states I, and unsafe set of states U work, followed by a conclusion. ˙ can be verified by of using barrier The system withtovariables S,a smooth dynamics Suniqueness = function fset (S)of (Lipschitz namics and trajectories that converge to a limit in continuous ensure existence and ofΨ.soluSection 3. Section then contains discussion of cycle related tions), initial set states I, and unsafe states U work, followed by aa 4conclusion. tions), initial set of states I, and unsafe set of states U work, followed by conclusion. can be verified by using a smooth barrier function Ψ. The system is safe if: continuous to ensure existence and uniqueness of soluSection 3. Section 4 then contains discussion of related tions), initial set of states I, and unsafe set of states U work, followed by a conclusion. can be verified by using a smooth barrier function Ψ. The can be verified by using a smooth barrier function Ψ. The system is safe set if: tions), initial states I, andbarrier unsafefunction set of states U work, followed by a conclusion. can be verified by of using a smooth Ψ. The system is system is safe safe if: if: can be verified by using a smooth barrier function Ψ. The system is safe if: 2. THEORY system is safe if: 2. THEORY The work was performed while the author was working at the US 2. 2. THEORY THEORY work was performed while DISTRIBUTION the author was working at the US AirThe Force Research Lab (AFRL). A. Approved for The work was while the at 2. THEORY work was performed performed while DISTRIBUTION the author author was was working working at the the US US AirThe Force Research Lab (AFRL). A.88ABW-2018Approved for We first develop three versions of t-barrier certificates for public release; Distribution unlimited. AFRL PA # Air Force Research Lab A. Approved for work was performed while DISTRIBUTION the author was working at the US 2. THEORY AirThe Force Research Lab (AFRL). (AFRL). DISTRIBUTION A.88ABW-2018Approved for We first develop three versions of t-barrier certificates for public release; Distribution unlimited. AFRL PA # 0226 cleared on 19 Jan 2018. continuous systems and then describe a hybrid extension. We first develop three versions of certificates for public release; unlimited. AFRLwas PAworking # Air Force Research Lab (AFRL). DISTRIBUTION A.88ABW-2018Approved for The work wasDistribution performed while the author at the US We first develop three versions of t-barrier t-barrier certificates for public release; 0226 cleared onDistribution 19 Jan 2018.unlimited. AFRL PA # 88ABW-2018continuous systems and then describe a hybrid extension. We first develop three versions of t-barrier certificates for 0226 cleared on 19 Jan 2018. continuous systems and then describe a hybrid extension. public release; Distribution unlimited. AFRL PA # 88ABW-2018Air Force Research Lab (AFRL). DISTRIBUTION A. Approved for 0226 cleared on 19 Jan 2018. continuous systems and then describe a hybrid extension. first develop three of t-barrier certificates for 0226 cleared onDistribution 19IFAC Jan 2018.unlimited. AFRL PA # 88ABW-2018-145 We continuous systems andversions then describe a hybrid extension. public release; Copyright © 2018 Copyright © 2018 IFAC 145 0226 cleared on 19 Jan 2018. continuous systems and then describe a hybrid extension. 2405-8963 © IFAC (International Federation of Automatic Control) Copyright © 2018, 2018 IFAC 145 Hosting by Elsevier Ltd. All rights reserved. Copyright © 2018 IFAC 145 Peer review©under of International Federation of Automatic Copyright 2018 responsibility IFAC 145Control. 10.1016/j.ifacol.2018.08.025 Copyright © 2018 IFAC 145

2018 IFAC ADHS 146 Oxford, UK, July 11-13, 2018

Stanley Bak / IFAC PapersOnLine 51-16 (2018) 145–150

2.1 Continuous Systems As in the introduction, assume we are working with an n-dimensional continuous system with variables S ∈ Rn , Lipschitz continuous dynamics S˙ = f (S), initial set I, and unsafe set U. Since the dynamics are Lipschitz, solutions exist, are unique, and are continuous. Let ξ(S, t) be the solution to the ODEs which starts at state S after t time has elapsed. The system is said to be safe or verified as safe if there are no solution from a state in the initial set to a state in the unsafe set. That is, there is no S ∈ I and t ∈ R≥0 , such that ξ(S, t) ∈ U. Since solutions are unique, we can consider them in reverse time, where if ξ(S, t) = S  then we can write the backwards solution ξ −1 (S  , t) = S. The method of t-barrier certificates is similar to kinduction except it uses continuous solutions rather than incrementing a discrete index. Further, the contrapositive condition is used in the inductive step, since this makes the condition easier to check by using reachability analysis, as will be shown later. For example, with k = 2, the inductive step P (n) ∧ P (n + 1) ⇒ P (n + 2) has a logically equivalent contrapositive condition ¬P (n + 2) ⇒ ¬P (n + 1) ∨ ¬P (n). The method can be used to prove safety of continuous systems. Theorem 1. (t-Barrier Certificates). Given a smooth barrier function Ψ : Rn → R and nonnegative time t, a continuous system is safe if: (i) S ∈ I ∧ t ≤ t ⇒ Ψ(ξ(S, t )) < 0 (ii) S ∈ U ⇒ Ψ(S) > 0 (iii) Ψ(S) = 0 ∧ Lf Ψ(S) ≥ 0 ⇒ ∃t ≤t Ψ(ξ −1 (S, t )) > 0 Proof. Assume by contradiction that a t-barrier certificate exists but the system is not safe. Since solutions are continuous, and the initial states are inside the barrier while the unsafe states are outside, the barrier must be crossed. Further, there must be a first time this occurs. Call the state where this happens S, which is reached at time tc and comes from some initial state I ∈ I, so that ξ(I, tc ) = S and Ψ(S) = 0. Since this is the first time the barrier is crossed, for all times before tc the solution is inside the barrier, ∀tb 0. We can combine the solution times in the forwards and backwards directions so ξ −1 (S, t ) = ξ(I, tc − t ). Notice that tc − t > 0 because t ≤ t and for condition (i) to be true, it must be that tc > t. However, if we let tb = tc − t , we get that both Ψ(ξ(I, tb )) < 0 and Ψ(ξ(I, tb )) > 0, which is a contradiction. Thus, the existence of a t-barrier certificate proves system safety. A modified version of t-barrier certificates is also possible, where rather than checking condition (i) for some time bound, the backwards solutions in condition (iii) are checked to ensure that they do not contain initial states. This makes the first two conditions identical to the traditional barrier certificate case. Theorem 2. (Modified t-Barrier Certificates). Given barrier function Ψ and nonnegative time t, a continuous system is safe if: 146

(i) S ∈ I ⇒ Ψ(S) < 0 (ii) S ∈ U ⇒ Ψ(S) > 0 (iii) Ψ(S) = 0 ∧ Lf Ψ(S) ≥ 0 ⇒ ∃t ≤t Ψ(ξ −1 (S, t )) > 0 ∧ ∀t ≤t ξ −1 (S, t ) ∈ /I Proof. Assume by contradiction that a modified t-barrier certificate exists but the system is not safe. Since solutions are continuous, the barrier must be crossed a first time. Call the state where this happens S, which is reached at time tc and comes from some initial state I ∈ I, so that ξ(I, tc ) = S and Ψ(S) = 0. Since this is the first time the barrier is crossed, for all times before tc the solution is inside the barrier, ∀tb 0. Now, the value tc − t is either nonpositive or positive. In the nonpositive case, tc ≤ t , and so by the second part from condition (iii), ξ −1 (S, tc ) ∈ / I. However, ξ −1 (S, tc ) = I, and I ∈ I, which is a contradiction. Thus, tc − t is positive, and we can combine the solution times in the forwards and backwards directions so ξ −1 (S, t ) = ξ(I, tc −t ). As before, if we take tb = tc − t , we get that both Ψ(ξ(I, tb )) < 0 and Ψ(ξ(I, tb )) > 0, which is a contradiction. Thus, the existence of a modified t-barrier certificate also verifies the system as safe. To check condition (iii) in either case, time-bounded reachability analysis can be used. In particular, we need to first find all the states where the left-hand side is true, Ψ(S) = 0 ∧ Lf Ψ(S) ≥ 0. This can be done using symbolic reasoning and a satisfiability modulo theory (SMT) solver. Next, using this set of states as an initial set, a reachability tool can perform a backwards reachability computation, checking that t time cannot elapse without leaving the barrier. This consists of setting the dynamics to S˙ = −f (S) (to get backwards reachability), adding a clock variable c initialized to zero, and setting the mode’s invariant to be the barrier condition Ψ(S) ≤ 0. If there are no states where c = t is reachable, then condition (iii) is true. For the modified t-barrier certificate condition, an additional check is added to see if a state S ∈ I is reachable.

Rather than looking at states backwards reachable from the barrier and making sure they originated from outside, an alternative formulation would be to look at forward reachable states from the boundary, and ensure they always go back inside the barrier. In this case, we must check that while outside the barrier, no unsafe states are reached. This replaces the check in condition (iii) that no initial states are backwards reachable. Theorem 3. (Forward t-Barrier Certificates). Given barrier function Ψ and nonnegative time t, a continuous system is safe if: (i) S ∈ I ⇒ Ψ(S) < 0 (ii) S ∈ U ⇒ Ψ(S) > 0 (iii) Ψ(S) = 0 ∧ Lf Ψ(S) ≥ 0 ⇒ ∃t ≤t Ψ(ξ(S, t )) < 0 /U ∧ ∀t ≤t ξ(S, t ) ∈ Proof. Once more, assume by contradiction that a forward t-barrier certificate exists but the system is not safe. There must exist some initial state I and time tu such that ξ(I, tu ) ∈ U . Since solutions are continuous, the barrier

2018 IFAC ADHS Oxford, UK, July 11-13, 2018

Stanley Bak / IFAC PapersOnLine 51-16 (2018) 145–150

147

must be crossed before an unsafe state is reached. Call the state where the barrier is touched for the last time along the unsafe solution S, and the time when this happens tc which is less than tu , so that ξ(S, tu − tc ) ∈ U . Since S is on the barrier, Ψ(S) = 0, and the solution after S must be on the outside of the barrier, Lf Ψ(S) ≥ 0, and so the antecedent of condition (iii) is true. From the first part of the consequent of condition (iii), ∃t ≤t Ψ(ξ(S, t )) < 0. Either tf −tc ≤ t or tf −tc > t . In the first case where tf − tc ≤ t , the second part from the consequent of condition (iii) can be applied, replacing t with tf − tc . This gives ξ(S, tf − tc ) ∈ / U , which contradicts the earlier information that ξ(S, tu − tc ) ∈ U . In the other case, tf − tc > t . Since Ψ(ξ(S, t )) < 0, the solution must be inside the barrier at time t before tf − tc . Due to continuity of solutions, the barrier must be crossed again after t in order to get to an unsafe state. This contracts the assumption that tc is the last time the barrier is touched before reaching an unsafe state. Since both cases lead to a contradiction, it is impossible for a forward t-barrier to exist and the system to be unsafe.

 =  and there exists a positive time t such that ξ (x, t) = x and for all δ ∈ [0, t): ξ (x, δ) ∈ Inv(). Here, ξ is the ODE solution to f , the dynamics in mode . A state (, x ) is a discrete successor of another state (, x) if there exists a transition (, γ, υ,  ) ∈ Trans such that x ∈ γ and υ(x) = x . A time-bounded execution of a hybrid system is defined by a finite sequence of states (s0 , s1 , . . . , sm ). Each si+1 is either a continuous or discrete successor of si . We assume executions combine consecutive continuous successors into a single step, so that the sequence does not arise from two repeated continuous successor actions with no discrete successor in between. We further assume the hybrid system does not contain Zeno behaviors, where the number of discrete successors can be unbounded in a finitetime execution. A hybrid system is safe if no execution starts at an initial state and ends at an unsafe state.

The t part of the t-barrier certificates is really only used to provide a bound on t , and is not really necessary for the formal proofs of soundness. Practically, though, having a time bound is useful to ensure reachability analysis will eventually terminate and an answer will be obtained. Similarly, k-induction could be soundly used by saying there exists some k where the base and inductive cases hold, but in practice, a concrete value is used which may be incremented if the system proof does not succeed.

Theorem 4. (Hybrid Forward t-Barrier Certificates). Given a set of barrier functions indexed by the hybrid system’s mode Ψ and nonnegative time t, a hybrid system is safe if: (i) x ∈ Init() ⇒ Ψ (x) < 0 (ii) x ∈ Unsafe() ⇒ Ψ (x) > 0 (iii) Ψ (x) = 0 ∧ Lf Ψ (x) ≥ 0 ⇒ ∃t ≤t Ψ (ξ (x, t )) < 0 / Unsafe() ∧ ∀t ≤t ξ (x, t ) ∈ (iv) x ∈ γ ⇒ Ψ (x) < 0 ∧ Ψ (υ(x)) < 0

Notice that in the case where t = 0, the check for the various versions of t-barrier certificates is identical to traditional barrier certificates. This is because the consequent of condition (iii) is always false when t = 0, and so the check has to ensure that antecedent Lf Ψ(S) ≥ 0 can never be true, which is the traditional barrier certificate condition. This also means that a larger class of functions can be used for t-barrier certificates, because every traditional barrier certificate is also a t-barrier certificate. 2.2 Hybrid Systems A hybrid system is defined by (1) Modes: a finite set of discrete elements, each of which we call a mode; (2) Var = (x1 , . . . , xn ): a list of real-valued variables; (3) Init() ⊆ Rn : a bounded set of initial values for Var for each mode  ∈ Modes; (4) Unsafe() ⊆ Rn : a bounded set of unsafe values for Var for each mode  ∈ Modes; (5) for each  ∈ Modes, dynamics are defined of the form x˙ = f (x), where f is Lipschitz continuous; (6) Trans: a set of discrete transitions, each of which is a 4-tuple (, γ, υ,  ), where  and  are the source and the target modes, γ ⊆ Rn is the guard, and υ : Rn → Rn is the state update function for the transition; (7) Inv () ⊆ Rn : an invariant for each mode  ∈ Modes.

In a hybrid system, a state σ is a tuple (, x). A state ( , x ) is a continuous successor of another state (, x) if

147

Safety can be proven using hybrid t-barrier certificates. We present the forward version, since forward reachability is easier to compute for a hybrid automaton due to the possibility of non-invertible discrete transitions.

Proof. The proof is by contradiction. If the system is unsafe, there is an execution that goes from an initial state to an unsafe state. We can proceed by induction on the sequence of successors in the execution to show it is actually impossible to reach an unsafe state, by showing that for each state in the sequence Ψ (x) < 0. In the first state in the unsafe execution, an initial state of the hybrid system, this is true because of condition (i). In the inductive case, first consider the continuous successor case, where (, x ) is a continuous successor of (, x). Either this is the last pair in the sequence, or the next pair corresponds to a discrete successor because continuous successors must be combined into a single action. If the next pair is a discrete successor, then x ∈ γ, and so condition (iv) results in what is needed Ψ (x ) < 0. If this is the last pair in the sequence, then the situation is similar to in the continuous forward t-barrier certificates proof (the system can not go from inside the barrier to outside due to continuity of the solution). Finally, in the discrete successor case, ( , x ) is a discrete successor of (, x). Here x ∈ γ, which means from condition (iv) we get Ψ (x ) < 0 as needed. Thus, every state in the sequence has Ψ (x) < 0, which contradicts the assumption that the execution ends in an unsafe state, and so the hybrid system is proved as safe. Condition (iv) ensures that discrete successor actions must both start and end in states inside the barrier. Although sound, this is probably a bit more restrictive than necessary, as we could imagine situations where guards and updates could be outside the barrier and the

2018 IFAC ADHS 148 Oxford, UK, July 11-13, 2018

Stanley Bak / IFAC PapersOnLine 51-16 (2018) 145–150

system is still safe. A different check could be used for this case, where executions must eventually go back into the barrier region without reaching the unsafe states in the intermediate time, similar to what is done in the continuous case. 3. EXAMPLE AND IMPLEMENTATION Although theoretically interesting by itself, safety proofs using t-barrier certificates can also be practically performed. Consider a 2-d Van der Pol oscillator system, with x˙ = y and y˙ = (1.0 − x2 )y − x. Solutions to this system approach a limit cycle but do not converge to the origin. Let the initial states be x ∈ [−1, 1], y ∈ [−1, 1], and the unsafe states be y ≥ 3.1. We use a t-barrier function which is a circle of radius 3, Ψ(x, y) = x2 + y 2 − 9, with t = 5. Along the barrier when Ψ(x, y) = 0, the Lie derivative takes both positive and negative values, and so a traditional barrier certificate would not work. A plot of the situation is shown in Figure 1. Our implementation takes as input the system dynamics and the proposed t-barrier certificate data. Using sympy, a Python library for symbolic mathematics described by Meurer et al. (2017), the Lie derivative is computed as Lf Ψ(x, y) = y 2 (2 − 2x2 ). Then, a series of SMT calls is used to identify the regions where the Lie derivative is nonnegative along the barrier. The z3py Python-language interface to the Z3 tool, from De Moura and Bjørner (2008), was used for this process. Multiple calls to Z3 can be used to quickly maximize (or minimize) a bounded continuous function subject to constraints up to some tolerance. This is done by first finding a satisfiable value of the function, then adding a constraint that the function takes a slightly larger value, and increasing this value exponentially until the constraints can no longer be met. Then, a second phase does a binary search between the largest function value where the constraints were found satisfiable and the larger value where the constraints are not satisfiable, up to the desired tolerance. This process was used to first maximize the value of the Lie derivative constrained with the condition that a point is along the barrier, Ψ(x, y) = 0. If the maximum is nonnegative, further calls to Z3 are used to create a rectangle that covers the region of space where the Lie derivative is nonnegative. Rectangles are used because they can be accepted as initial states for reachability analysis tools. The rectangles are computed by using the minimization process described above, finding the minimum radius such that a circle centered at the maximum Lie derivative point intersects the barrier only at points with negative Lie derivative. A rectangle is then constructed to cover the intersection of the interior of the circle and zero level set of the barrier function by maximizing and minimizing in each dimension, subject to the constraints imposed by the intersection conditions between the barrier and circle interior. In the next iteration of the loop, a condition is added so that maximum Lie derivative point must exclude the region inside the rectangle. The process then repeats, maximizing the Lie derivative again to obtain the next rectangle. When the maximum Lie derivative found is neg148

Fig. 1. The Van der Pol system contains derivatives along the barrier that are both inward oriented (negative Lie derivative, large green circles) and outward oriented (nonnegative Lie derivative, small red circles). ative, the process terminates and all covering rectangles have been found. For the Van der Pol system, this process automatically identifies four rectangles that cover the regions where the Lie derivative is nonnegative within a few seconds. The implementation outputs the following information: max Lie der is 18.0 at [0.0, -3.0] circle radius: 1.01466115109 Rect: [(-1.0001, 1.0001), (-3.0001, -2.8283)] max Lie der is 18.0 at [0.0, 3.0] circle radius: 1.01466115109 Rect: [(-1.0001, 1.0001), (2.8283, 3.0001)] max Lie der is 0.0 at [-3.0, 0.0] circle radius: 0.01 Rect: [(-3.0001, -2.9999), (-0.0100, 0.0100)] max Lie der is 0.0 at [3.0, 0.0] circle radius: 0.01 Rect: [(2.9999, 3.0001), (-0.0100, 0.0100)] max Lie der is -0.0016 at [-2.9999, -0.0101] Found all rectangles to remove (count: 4) The check in step (iii) can now be performed using reachability analysis. We use the hypy library from Bak et al. (2016) which allows Python code to interface with a reachability tool by using the Hyst tool from Bak et al. (2015). We construct a model with the reverse dynamics (for backward reachability), an initial set of states equal to one of the rectangles that was found, an invariant that Ψ(x, y) ≤ 0, and an extra clock variable to check that the invariant cannot remain true for t time. Since the system and invariants are nonlinear, we use the nonlinear reachability tool Flow* from Chen et al. (2013). Unfortunately, for large initial states the tool experiences overapproximation error explosion rather than proving the property. This is different than in the discrete case,

2018 IFAC ADHS Oxford, UK, July 11-13, 2018

Stanley Bak / IFAC PapersOnLine 51-16 (2018) 145–150

Fig. 2. The backward reachable states (blue) from the nonnegative Lie derivative barrier states (red) eventually leave the interior of the barrier without touching initial states, demonstrating condition (iii) of the modified t-barrier certificate method. where the successors in an inductive proof could always be computed exactly. To resolve this, we split the rectangle along the biggest dimension and recursively try Flow* with the smaller initial states until the property is provable. The backreachable states computed by Flow* are shown in Figure 2. Since the backreachable states always leave the barrier without intersecting the initial states, condition (iii) of the modified t-barrier certificate method is true, and the system is proven as safe. The computation time was about six minutes, with the majority spent performing reachability computation. We also could try to prove the system safe using forward t-barrier certificates. The plots of the forward reachable states are shown in Figure 3. In this case, significantly less splitting was needed, and the whole process took about 30 seconds. Forward reachable states do eventually re-enter the barrier, as needed in the first part of the consequent of condition (iii). However, they do so while entering an unsafe state (y ≥ 3.1), making second part of the consequent of condition (iii) false, and so the forward t-barrier certificate method does not prove safety of the system. If the unsafe states were different, for example x ≥ 3.1 instead of y ≥ 3.1, either method would work.

This illustrates a difference between how the approaches prove safety. Informally, the backreach version constructs an invariant region by starting with the barrier and subtracting states from inside the barrier that must have originated from the outside. In contrast the forward version starts with the barrier and adds states that are outside but eventually must go back inside.

The proposed t-barrier certificate function, a circle, is significantly simpler than would be necessary for the traditional barrier certificate method. This is similar to what is observed empirically in discrete systems when using kinduction compared with direct inductive invariants. 149

149

Fig. 3. The forward reachable states (blue) from the nonnegative Lie derivative barrier states (red) contain unsafe states, so condition (iii) of the forward t-barrier certificate method is not met, and safety is not proven. We used manually tuned parameters when running Flow*, in this case a time step of 0.025, Taylor model order 4, and remainder estimate 0.01. The accuracy and runtime depends strongly on these parameters, and so automated tuning approaches for parameters, as in Bak et al. (2016), are needed to further automate the process. The success of the approach depends on having a sufficiently powerful reachability analysis method, which depends on factors such as the number and size of the region where the Lie derivative is nonnegative and the complexity of the dynamics. 4. RELATED WORK An outline of various proposed versions of barrier certificates, and discussion of their soundness and completeness is provided in Taly and Tiwari (2009). The methods we presented are similar to some of the incomplete methods described there, as we do not look at higher order Lie derivatives when the first Lie derivative is zero. However, we can still verify the system in these cases by leveraging reachability analysis. Extensions to barrier certificates have been proposed to handle hybrid systems in Prajna and Jadbabaie (2004), stochastic systems in Prajna et al. (2007), compositional analysis in Sloth et al. (2012), and versions which take into account numerical error and use multiple barrier functions in Dai et al. (2017). Although this paper focused on deterministic dynamics, we imagine similar extensions for t-barrier certificates are also possible. The forward t-barrier certificate method is similar to an approach used to create sandboxes for continuous controllers so that they avoid unsafe states in Bak et al. (2014). There, offline analysis was used to create essentially a barrier function, and the system was allowed to leave this region only if, online, one could prove that the system would eventually re-enter the barrier without reaching an unsafe state.

2018 IFAC ADHS 150 Oxford, UK, July 11-13, 2018

Stanley Bak / IFAC PapersOnLine 51-16 (2018) 145–150

The difficulty with barrier certificates is often discovering the barrier function Ψ, which we did not focus on in this paper. For linear systems, sum-of-squares approaches can be used, similar to methods for generating Lyapunov functions as in Parrilo (2000). For polynomial systems, sum-ofsquares decomposition can be combined with semidefinite programming as in Vandenberghe and Boyd (1996) to create barrier certificates that are polynomial with respect to the state dimension. Nonpolynomial dynamics may be handled using iterating polynomial approximations as in Papachristodoulou and Prajna (2002). As these approaches are iterative, it is worth investigating if t-barrier certificates could use the same methods with a smaller number of iterations than what is needed for traditional barrier certificates, using reachability analysis to fill in areas where the strict barrier condition is violated. Alternative approaches for finding candidate barrier functions run simulations and use machine learning classification, as described in Kozarev et al. (2016). 5. CONCLUSION We have proposed four versions of t-barrier certificates and proven they can be used to show the safety of continuous and hybrid systems. Safety can be proven using either forwards or backwards reachability analysis, and we applied both to a nonlinear Van der Pol system. The t-barrier certificate approach makes use of both symbolic methods and computational reachability analysis techniques, with the trade-off being controlled by the choice of the barrier function Ψ. With a Ψ that works as a traditional barrier certificate, the difficulty is pushed entirely onto the symbolic computation and no reachability analysis is needed. On the other extreme, using a barrier function where the zero level set is equal to the unsafe states (in the backreach version) would place maximal burden on the reachability analysis approach to show that no initial states can get there. For the forward version, the equivalent extreme setup is to have the zero level set of Ψ equal to the initial states, and then ensuring that no unsafe states can be reached would depend entirely on reachability methods. In this sense, t-barrier certificates can be seen as an elegant bridge between symbolic and computational methods for system verification. REFERENCES Alur, R. (2015). Principles of cyber-physical systems. MIT Press. Bak, S., Bogomolov, S., and Johnson, T.T. (2015). HyST: A source transformation and translation tool for hybrid automaton models. In 18th International Conference on Hybrid Systems: Computation and Control (HSCC 2015). ACM, Seattle, Washington. Bak, S., Bogomolov, S., and Schiling, C. (2016). High-level hybrid systems analysis with hypy. In 3rd International Workshop on Applied Verification of Continuous and Hybrid Systems, EPiC Series in Computing. EasyChair. Bak, S., Johnson, T.T., Caccamo, M., and Sha, L. (2014). Real-time reachability for verified Simplex design. In 35th IEEE Real-Time Systems Symposium. IEEE Computer Society, Rome, Italy. 150

Chen, X., Abraham, E., and Sankaranarayanan, S. (2013). Flow*: An analyzer for non-linear hybrid systems. In International Conference on Computer Aided Verification (CAV). Dai, L., Gan, T., Xia, B., and Zhan, N. (2017). Barrier certificates revisited. Journal of Symbolic Computation, 80(P1), 62–86. De Moura, L. and Bjørner, N. (2008). Z3: An efficient smt solver. Tools and Algorithms for the Construction and Analysis of Systems, 337–340. De Moura, L., Rueß, H., and Sorea, M. (2003). Bounded model checking and induction: From refutation to verification. Lecture notes in computer science, 14–26. Donaldson, A.F., Haller, L., Kroening, D., and R¨ ummer, P. (2011). Software verification using k-induction. In SAS, volume 11, 351–368. Springer. Kozarev, A., Quindlen, J., How, J., and Topcu, U. (2016). Case studies in data-driven verification of dynamical systems. In Proceedings of the 19th International Conference on Hybrid Systems: Computation and Control, 81–86. ACM. ˇ ık, O., KirMeurer, A., Smith, C.P., Paprocki, M., Cert´ pichev, S.B., Rocklin, M., Kumar, A., Ivanov, S., Moore, J.K., Singh, S., et al. (2017). Sympy: symbolic computing in python. PeerJ Computer Science, 3, e103. Papachristodoulou, A. and Prajna, S. (2002). On the construction of lyapunov functions using the sum of squares decomposition. In Decision and Control, 2002, Proceedings of the 41st IEEE Conference on, volume 3, 3482–3487. IEEE. Parrilo, P.A. (2000). Structured semidefinite programs and semialgebraic geometry methods in robustness and optimization. Ph.D. thesis, California Institute of Technology. Prajna, S. (2003). Barrier certificates for nonlinear model validation. In Decision and Control, 2003. Proceedings. 42nd IEEE Conference on, volume 3, 2884–2889. IEEE. Prajna, S. (2006). Barrier certificates for nonlinear model validation. Automatica, 42(1), 117–126. Prajna, S. and Jadbabaie, A. (2004). Safety verification of hybrid systems using barrier certificates. In HSCC, volume 2993, 477–492. Springer. Prajna, S., Jadbabaie, A., and Pappas, G.J. (2007). A framework for worst-case and stochastic safety verification using barrier certificates. IEEE Transactions on Automatic Control, 52(8), 1415–1428. Sheeran, M., Singh, S., and St˚ almarck, G. (2000). Checking safety properties using induction and a sat-solver. In International conference on formal methods in computer-aided design, 127–144. Springer. Sloth, C., Pappas, G.J., and Wisniewski, R. (2012). Compositional safety analysis using barrier certificates. In Proceedings of the 15th ACM international conference on Hybrid Systems: Computation and Control, 15–24. ACM. Taly, A. and Tiwari, A. (2009). Deductive verification of continuous dynamical systems. In LIPIcs-Leibniz International Proceedings in Informatics, volume 4. Schloss Dagstuhl-Leibniz-Zentrum f¨ ur Informatik. Vandenberghe, L. and Boyd, S. (1996). Semidefinite programming. SIAM review, 38(1), 49–95.