Numerically-Robust Inductive Proof Rules for Continuous Dynamical Systems

Abstract

We formulate numerically-robust inductive proof rules for unbounded stability and safety properties of continuous dynamical systems. These induction rules robustify standard notions of Lyapunov functions and barrier certificates so that they can tolerate small numerical errors. In this way, numerically-driven decision procedures can establish a sound and relative-complete proof system for unbounded properties of very general nonlinear systems. We demonstrate the effectiveness of the proposed rules for rigorously verifying unbounded properties of various nonlinear systems, including a challenging powertrain control model.

1 Introduction

Infinite-time stability and safety properties of continuous dynamical systems are typically established via inductive arguments over continuous time. For instance, proving stability of a dynamical system is similar to proving termination of a program. A system is stable at the origin in the sense of Lyapunov, if one can find a Lyapunov function (essentially a ranking function) that is everywhere positive except for reaching exactly zero at the origin, and never increases over time along the direction of the system dynamics [11]. Likewise, proving unbounded safety of a dynamical system requires one to find a barrier function (or differential invariant [19]) that separates the system’s initial state from the unsafe regions, and whenever the system states reach the barrier, the system dynamics always points towards the safe side of the barrier [21]. In both cases, once a candidate certificate (Lyapunov or barrier functions) is proposed, the verification problem is reduced to checking the validity of a universally-quantified first-order formula over real-valued variables. The standard approaches for the validation step use symbolic quantifier elimination [4] or Sum-of-Squares techniques [17, 18, 24]. However, these algorithms are either extremely expensive or numerically brittle. Most importantly, they can not handle systems with non-polynomial nonlinearity, and thus fall short of a general framework for verifying practical systems of significant complexity.

The standard approach of checking invariance conditions in program analysis is to use Satisfiability Modulo Theories (SMT) solvers [16]. However, to check the inductive conditions for nonlinear dynamical systems, one has to solve nonlinear SMT problems over real numbers, which are highly intractable or undecidable [23]. Recent work on numerically-driven decision procedures provides a promising direction to bypass this difficulty [5, 6]. They have been used for many bounded-time verification and synthesis problems for highly nonlinear systems [12]. However, the fundamental challenge with using numerically-driven methods in inductive proofs is that numerical errors make it impossible to verify the induction steps in the standard sense. Take the Lyapunov analysis of stability properties as an example. A dynamical system is stable if there exists a function that vanishes exactly at the origin and its derivatives strictly decreases over time. Since any numerical error blurs the difference between strict and non-strict inequality, one can conclude that numerically-driven methods are not suitable for verifying these strict constraints. However, proving a system is stable within an arbitrarily tiny neighborhood around the origin is all we really need in practice. Thus, there is a discrepancy between what the standard theory requires and what is needed in practice, or what can be achieved computationally. To bridge this gap, we need to rethink about the fundamental definitions.

In this paper, we formulate new inductive proof rules for continuous dynamical systems for establishing robust notions of stability and safety. These proof rules are practically useful and computationally certifiable in a very general sense. For instance, for stability, we define the notion of \(\varepsilon \)-stability that requires the system to be stable within an \(\varepsilon \)-bounded distance from the origin, instead of exactly at the origin. When \(\varepsilon \) is small enough, \(\varepsilon \)-stable systems are practically indistinguishable from stable systems. We then define the notion of \(\varepsilon \)-Lyapunov functions that are sufficient for establishing \(\varepsilon \)-stability. We then rigorously prove that the \(\varepsilon \)-Lyapunov conditions are numerically stable and can be correctly determined by \(\delta \)-complete decisions procedures for nonlinear real arithmetic [7]. In this way, we can rely on various numerically-driven SMT solvers to establish a sound and relative-complete proof systems for unbounded stability and safety properties of highly nonlinear dynamical systems. We believe these new definitions have eliminated the core difficulty for reasoning about infinite-time properties of nonlinear systems, and will pave the way for adapting a wide range of automated methods from program analysis to continuous and hybrid systems. In short, the paper makes the following contributions:

• We define \(\varepsilon \)-stability and \(\varepsilon \)-Lyapunov functions in Sect. 3. We prove that finding \(\varepsilon \)-Lyapunov functions is sufficient for establishing \(\varepsilon \)-stability.

• We define two types of robust proof rules for unbounded safety in Sect. 3, which we call Type 1 and Type 2 \(\varepsilon \)-barrier functions. The former relies on strict contraction, and the latter relies on reachable-set computation to guarantee bounded escape.

• We prove that \(\delta \)-complete decision procedures provide a sound and relative-complete proof system for the proposed numerically-robust induction rules, in both Sects. 3 and 4.

We demonstrate the effectiveness of the proposed methods on various nonlinear systems in Sect. 5. Section 2 covers the basic definitions and Sect. 6 concludes the paper.

Related Work. Several lines of work have proposed relaxed and practical notions to capture the spirit of the stability requirements. Early work from the 1960s introduced practical stability, which defined bounds on system behaviors over finite time horizons [2, 14, 26, 27]. These methods can show whether a system leaves a safe set or enters a goal set over a finite time horizon based on Lyapunov-like functions. Stability defined in this sense is equivalent to estimating the reachable set over a finite time horizon. Thus, the shortcoming is that it may not capture the desired behavior of the system over unbounded time. Similarly, notions of boundedness and ultimate boundedness specify limits on the system behaviors [11]. Boundedness specifies whether the system remains within a given bounded region. Ultimate boundedness specifies that the system eventually returns to the given bounded region. These properties can be established based on Lyapunov-like conditions. Related notions have been generalized to switched systems [29, 30]. Also, the related notion of region stability defines systems that eventually enter and remain within a specified set [20]. We present stability concepts that unify and extend the above notions. A related relaxation of the traditional notions of stability includes almost Lyapunov functions [15], which allow the strict stability conditions to be neglected in a region near the equilibrium point. The challenge of applying this technique in practice is that the size and shape of the neglected region are not specified a priori, so a constructive technique for specifying a stability region is not straightforward. Our work is related to efforts to construct and check robust barrier certificates using Lyapunov-like functions to ensure that controllers satisfy safety constraints [28]. This work provides a framework in which to specify analytic constraints on controller behaviors. By contrast, our work focuses on providing constraints that can be checked fully automatically. Our notion of \(\varepsilon \)-barrier functions is closely related to t-barrier certificates from [1], though we choose to focus on distance bounds from the barrier (\(\varepsilon \)) rather than time bounds that indicate how long it takes for behaviors to re-enter the barrier once it has left (t).

2 Background

2.1 Dynamical Systems

Throughout the paper, we use the following definition of an n-dimensional autonomous dynamical system:

(1)

where an open set is the state space, is a set of initial states, and \(f: D\rightarrow \mathbb {R}^n\) is a vector field specified by Lipschitz-continuous functions on each dimension. For notational simplicity, all variable and function symbols can represent vectors. When vectors are used in logic formulas, they represent conjunctions of the formulas for each dimension. For instance, when \(x = (x_1,\ldots ,x_n)\), we write \(x=0\) to denote the formula \(x_1=0\wedge \cdots \wedge x_n=0\). For any system defined by (1), we write its solution function as

(2)

Note that F usually does not have an analytic form. However, since f is Lipschitz-continuous, F exists and is unique. We will often use Lie derivatives to measure the change of a scalar function along the flow defined by another vector field:

Definition 1

(Lie Derivative). Let define a vector field. Write the i^th component of f as . Let be a differentiable scalar function. The Lie derivative of V over f is defined as

2.2 First-Order Language over the Reals \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\)

We will make extensive use of first-order formulas over real numbers with Type 2 computable functions [25] to express and infer properties of nonlinear dynamical systems. Definition 2 introduces the syntax of these formulas.

Definition 2

(Syntax of \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\)). Let be the class of all Type 2 computable functions over real numbers. We define:

We regard as an operation that is defined inductively as usual. For instance, is defined as , and is defined as . For any \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\) terms u and v, variable x, and \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\) predicate \(\varphi \), we write \(\exists ^{[u,v]}x\varphi \) and \(\forall ^{[u,v]}x\varphi \) to denote and , respectively, which applies to open intervals too. Next, Definition 3 introduces syntactic perturbation of formulas in \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\).

Definition 3

(\(\delta \)-Strengthening and Robust Formulas [7]). Let \(\delta \in \mathbb {Q}^+\) be arbitrary. Let \(\varphi \) be an arbitrary \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\) formula. The \(\delta \)-strengthening of \(\varphi \), denoted by \(\varphi ^{+\delta }\), is obtained from \(\varphi \) by replacing every atomic predicate of the form \(t(x)>0\) and with \(t(x)-\delta >0\) and , respectively. We say \(\varphi \) is \(\delta \) -robust \(\varphi ^{+\delta }\leftrightarrow \varphi \).

Definition 4

(\(\delta \)-Complete Decision Procedures [7]). Let S be a class of \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\)-sentences. We say a decision procedure is \(\delta \)-complete over S for any \(\varphi \in S\), the procedure correctly returns one of the following answers:

• \(\mathsf {true}:\) \(\varphi \) is true.

• \(\delta \)-\(\mathsf {false}:\) \(\varphi ^{+\delta }\) is false.

When the two cases overlap, either decision can be returned.

It follows that if \(\varphi \) is \(\delta \)-robust, then a \(\delta \)-complete decision procedure can correctly determine the truth value of \(\varphi \).

3 Robust Proofs for Stability

We first focus on stability. We will define the notion of \(\varepsilon \)-stability, as a relaxation of the standard Lyapunov stability, and then define \(\varepsilon \)-Lyapunov functions, which are sufficient for proving \(\varepsilon \)-stability in a robust way.

3.1 Stability and Lyapunov Functions

Conventionally, \(\varepsilon \) and \(\delta \) are used to best highlight the connection with \(\varepsilon \)-\(\delta \) conditions for continuity. We will mostly reserve the use of \(\varepsilon \) for defining conditions that are robust under \(\varepsilon \)-bounded numerical errors. Thus, we replace \(\varepsilon \) by \(\tau \) in the standard definitions to avoid confusion.

Definition 5

(Stability). We say the system in (1) is stable at the origin in the sense of Lyapunov, for any \(\tau \)-ball neighborhood of the origin, there exists a \(\delta \)-ball around the origin, such that, if the system starts within the \(\delta \)-ball then it never escapes the \(\tau \)-ball. We capture the definition by the following \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\)-formula:

Definition 6

(Lyapunov Function). Consider a dynamical system given in the form of (1), and let be a differentiable function. We say V is a non-strict Lyapunov function for the system, the following predicate is true:

Proposition 1

For any dynamical system defined by f, if there exists a Lyapunov function V, then the system is stable. Namely, .

3.2 Epsilon-Stability

The standard definitions of stability requires a system to stabilize within arbitrarily small neighborhoods around the origin. However, very small neighborhoods are practically indistinguishable from the origin. Thus, it is practically sufficient to prove that a system is stable within some sufficiently small neighborhood. We capture this intuition by making a minor change to the standard definition, by simply putting a lower bound \(\varepsilon \) on the \(\tau \) parameter in Definition 5. As a result, the system is required to exhibit the same behavior as standard stable systems outside the \(\varepsilon \)-ball, but can behave arbitrarily within the \(\varepsilon \)-ball (for instance, oscillate around the origin). The formal definition is as follows:

Definition 7

(Epsilon-Stability). Let be arbitrary. We say a dynamical system in (1) is \(\varepsilon \)-stable at the origin in the sense of Lyapunov, it satisfies the following condition:

In words, for any , there exists \(\delta \) such that all trajectories that start within the \(\delta \)-ball will stay within a \(\tau \)-ball around the origin.

Note that the only difference with the standard definition is that \(\tau \) is bounded from below by a positive \(\varepsilon \) instead of 0. The definition is depicted in Fig. 1c, which shows the difference with the standard notion in Fig. 1a. Since the only difference with the standard definition is the lower bound on the universally quantified \(\tau \), it is clear that \(\varepsilon \)-stability is strictly weaker than standard stability.

Fig. 1.

Standard and \(\varepsilon \)-relaxed notions of stability and Lyapunov functions

Proposition 2

For any , \(\mathsf {Stable}(f)\rightarrow \mathsf {Stable}_{\varepsilon }(f)\).

Thus, any system that is stable in the standard definition is also \(\varepsilon \)-stable for any . On the other hand, one can always choose small enough \(\varepsilon \) such that an \(\varepsilon \)-stable system is practically indistinguishable from stable systems in the standard definition.

3.3 Epsilon-Lyapunov Function

We now define the corresponding notion of Lyapunov function that can be used for proving \(\varepsilon \)-stability. The robustness problem in the standard definition comes from the singularity of the origin. With the relaxed notion of stability, the system may oscillate within some \(\varepsilon \)-neighborhood of the origin. With the relaxation, we now have room for constructing a few nested neighborhoods that can trap the trajectories in a way that is robust under sufficiently small perturbations. To achieve this, we make use of balls of different sizes, as shown in the following definition. We write \(\mathcal {B}_{\varepsilon }\) to denote open \(\varepsilon \)-balls around the origin.

Definition 8

(Epsilon-Lyapunov Functions). Let be a differentiable scalar function defined for the system in (1), and let be an arbitrary value. We say V is an \(\varepsilon \)-Lyapunov function for the system, it satisfies the following conditions:

1. 1.

   Outside the \(\varepsilon \)-ball, there is some positive lower bound on the value of V. Namely, there exists such that for any \(x\in D\setminus \mathcal {B}_{\varepsilon }\), .

2. 2.

   Inside the \(\varepsilon \)-ball, there is a strictly smaller \(\varepsilon '\)-ball in which the value of V is bounded from above, to create a gap with its values outside the \(\varepsilon \)-ball. Formally, there exists \(\varepsilon '\in (0,\varepsilon )\) and \(\beta \in (0,\alpha )\) such that for all \(x\in \mathcal {B}_{\varepsilon '}\), \(V(x)\le \beta \).

3. 3.

   The Lie derivative of V is strictly negative outside of \(\mathcal {B}_{\varepsilon '}\). Formally, there exists such that for all \(x\in D\setminus \mathcal {B}_{\varepsilon '}\), the Lie derivative of V along f satisfies .

In sum, the three conditions can be expressed with the following \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\)-formula:

It is important to note that \(\varepsilon '\), \(\alpha \), \(\beta \), and \(\gamma \), are not fixed constants, but existentially quantified variables. Thus the condition can hold true for infinitely many values of these parameters, which is critical to robustness. The only free variable in the formula is \(\varepsilon \), used in \(\mathcal {B}_{\varepsilon }\) and the bound for \(\varepsilon '\). Note also that neither of \(\mathsf {LF}_{\varepsilon }(f,V)\) and the standard definition \(\mathsf {LF}(f,V)\) implies the other.

Remark 1

The logical structure of \(\mathsf {LF}_{\varepsilon }(f,V)\) is seemingly more complex than the standard Lyapunov conditions in Definition 6 because of the extra existential quantification. In Theorem 3, we show that it does not add computational complexity in checking the conditions.

The key result is that the conditions for an \(\varepsilon \)-Lyapunov function are sufficient for establishing \(\varepsilon \)-stability.

Theorem 1

If there exists an \(\varepsilon \)-Lyapunov function V for a dynamical system defined by f, then the system is \(\varepsilon \)-stable. Namely, \(\mathsf {LF}_{\varepsilon }(f,V)\rightarrow \mathsf {Stable}_{\varepsilon }(f)\).

Proof

Let be arbitrary, and let , \(\beta \in (0,\alpha )\), and \(\varepsilon '\in (0,\varepsilon )\) be as specified by the definition of \(\mathsf {LF}_{\varepsilon }(f,V)\). Let \(x_0\in \mathcal {B}_{\varepsilon '}\) be an arbitrary point. For any , let be the system state as defined in (2). We use contradiction to prove for any , inequality holds. Since \(\varepsilon '<\varepsilon \) and \(F(x_0,.)\) is continuous, we know \(t_1\) and \(t_2\) with the following conditions exists (\(\partial \mathcal {B}_{\varepsilon '}\) and \(\partial \mathcal {B}_{\varepsilon }\) are boundaries of the corresponding balls):

$$ 0\le t_1<t_2\le t \text{, }\quad x(t_1)\in \partial \mathcal {B}_{\varepsilon '} \text{, }\quad x(t_2)\in \partial \mathcal {B}_{\varepsilon } \text{, }\quad \forall ^{(t_1,t_2)} t'\Big (x(t')\in \mathcal {B}_\varepsilon \setminus \mathcal {B}_{\varepsilon '}\Big ) $$

We know \(V(x(t_1))\le \beta <\alpha \le V(x(t_2))\) and hence \(V(x(t_1))<V(x(t_2))\) are both true; however, this is in contradiction with the mean value theorem and the fact that \(\mathcal {B}_\varepsilon \subset D\) and .    \(\square \)

Remark 2

Proof of Theorem 1 shows that once state of the system enters \(\mathcal {B}_{\varepsilon '}\), it never leaves \(\mathcal {B}_{\varepsilon }\). However, it would be still possible for the state to leave \(\mathcal {B}_{\varepsilon '}\). One the other hand, since closure of \(\mathcal {B}_{\varepsilon }\setminus \mathcal {B}_{\varepsilon '}\) is bounded, and for every x in this area, V is continuous at x and , no trajectory can be trapped in the closure of \(\mathcal {B}_{\varepsilon }\setminus \mathcal {B}_{\varepsilon '}\). Therefore, even though state of the system might leave \(\mathcal {B}_{\varepsilon '}\), it will visit inside of this ball infinitely often.

Example 1

Consider the time-reversed Van der Pol system given by the following dynamics. Figure 3 shows the vector field of this system around the origin.

$$ \left[ \begin{array}{c} \dot{x}_1 \\ \dot{x}_2 \end{array}\right] = \left[ \begin{array}{c} -x_2 \\ (x_1^2-1)x_2+x_1 \end{array}\right] $$

A Lyapunov function \(z^T P z\), where \(z^T\) is , and P is the \(9\times 9\) constant matrix given in [8], is a 6-degree polynomial that can be obtained using simulation-guided techniques from [10]. Using dReal [9] with and the Euclidean norm, we are able to prove that \(z^T P z\) is a \(10^{-12}\)-Lyapunov function. Table 1 lists the parameters used for this proof.

3.4 Automated Proofs with Delta-Decisions

We now prove that unlike the conventional conditions, the new inductive proof rules are numerically robust. It follows that \(\delta \)-decision procedures provide a sound and relative-complete proof system for establishing the conditions in the following sense:

• (Soundness) A \(\delta \)-complete decision procedure is always correct when it confirms the existence of an \(\varepsilon \)-Lyapunov function.

• (Relative Completeness) For a given \(\varepsilon \)-inductive certificate, there exists \(\delta >0\) such that a \(\delta '\)-complete procedure is able to verify it, for any \(0<\delta '\le \delta \).

To prove these properties, the key fact is that the continuity of the functions in the induction conditions ensures that there is room for numerical errors in the conditions. Consequently, the formulas allow \(\delta \)-perturbations in their parameters. This is captured by Lemma 1, and the proof is given in [8].

Lemma 1

For any , there exists such that \(\mathsf {LF}_{\varepsilon }(f,V)\) is \(\delta \)-robust.

Note that if a formula \(\phi \) is \(\delta \)-robust then for every \(\delta '\in (0,\delta )\), \(\phi \) is \(\delta '\)-robust as well. The soundness and relative-completeness then follow naturally.

Theorem 2

(Soundness). If a \(\delta \)-complete decision procedure confirms that \(\mathsf {LF}_{\varepsilon }(f,V)\) is true then V is indeed an \(\varepsilon \)-Lyapunov function, and f is \(\varepsilon \)-stable.

Proof

Using Definition 4, we know \(\mathsf {LF}_{\varepsilon }(f,V)\), exactly as specified in Definition 8, is true. Therefore, V is \(\varepsilon \)-Lyapunov. Using Theorem 1, f is \(\varepsilon \)-stable.    \(\square \)

Theorem 3

(Relative Completeness). For any , if \(\mathsf {LF}_{\varepsilon }(f,V)\) is true then there exists such that any \(\delta \)-complete decision procedure must return that \(\mathsf {LF}_{\varepsilon }(f,V)\) is true.

Proof

Fix an arbitrary for which \(\mathsf {LF}_{\varepsilon }(f,V)\) is true. Let , and using Lemma 1, let be such that \(\phi \) is \(\delta \)-robust. Since \(\phi \) is true, we conclude \(\phi ^{+\delta }\) is true as well. Using Definition 4, no \(\delta \)-complete decision procedure can return \(\delta \)-\(\mathsf {false}\) for \(\phi \).    \(\square \)

We remark that the quantifier alternation used in Definition 8 can be eliminated without extra search steps. It confirms that we only need to run SMT solving to handle the universally quantified subformula. The reason is that the \(\alpha \), \(\beta \), and \(\gamma \) parameters can be found by estimating the range of V(x) and in the different neighborhoods. In fact, we can rewrite \(\mathsf {LF}_{\varepsilon }(f,V)\) in the following way to eliminate the use of \(\alpha \), \(\beta \), and \(\gamma \):

$$\begin{aligned} \mathsf {LF}_{\varepsilon }(f,V) \leftrightarrow \exists ^{(0,\varepsilon )} \varepsilon ' \bigg ( \sup _{x\in \mathcal {B}_{\varepsilon '}}V(x)< \inf _{x\in D\setminus \mathcal {B}_{\varepsilon }}V(x) \wedge \sup _{x\in D\setminus \mathcal {B}_{\varepsilon '}} \nabla _fV(x) < 0 \bigg ) \end{aligned}$$

Note that in this form the universal quantification is implicit in the \(\sup \) and \(\inf \) operators. In this way, the formula is existentially quantified on only \(\varepsilon '\), which can then be handled by binary search. This is an efficient way of checking the conditions in practice. We also remark that without this method, the original formulation with multiple parameters can be directly solved as \(\exists \forall \)-formulas as well using more expensive algorithms [13].

4 Robust Proofs for Safety

In this section, we define two types of \(\varepsilon \)-barrier functions that are robust to numerical perturbations.

Proving unbounded safety requires the use of barrier functions. The idea is that if one can find a barrier function that separates initial conditions from the set of unsafe states, such that no trajectories can cross the barrier from the safe to the unsafe side, then the system is safe. Here we use a formulation similar to the that of Prajna [21]. The standard conditions on barrier functions include constraints on the vector field of the system at the exact boundary of the barrier set, which introduces robustness problems. We show that it is possible to avoid these problems using two different formulations, which we call Type 1 and Type 2 \(\varepsilon \)-barrier functions. Type 1 \(\varepsilon \)-barrier functions strengthen the original definition and requires strict contraction of the barrier. Instead of only asking the system to be contractive exactly on the barrier’s border, we force it to be contractive when reaching any state within a small distance from the border. Type 2 \(\varepsilon \)-barrier functions allow the system to escape the barrier for a controllable distance and a limited period of time. It should then return to the interior of the safe region. Type 1 \(\varepsilon \)-barriers can be seen as a subclass of Type 2 \(\varepsilon \)-barriers. The benefit for allowing bounded escape is that the shape of the barrier no longer needs to be an invariant set, which can be particularly helpful when the shape of the system invariants cannot be determined or expressed symbolically. The downside to Type 2 \(\varepsilon \)-barriers is that checking the corresponding conditions requires integration of the dynamics, which can be expensive but can still be handled by \(\delta \)-complete decision procedures. The intuition behind the two definitions is shown in Fig. 2 and will be explained in detail in this section.

4.1 Safety and Barrier Functions

Before formally introducing robust safety and \(\varepsilon \)-barrier functions, we define the safety and barrier functions first. It is easy to see that the robustness problem with the barrier functions is similar to that of Lyapunov functions: if the boundary is exactly separating the safe and unsafe regions then the inductive conditions are not robust, since deviations in the variables by even a small amount from the barrier will make it impossible to complete the proof.

Definition 9

(Safety). Let be a scalar function defined for the system in (1). We say \(B\le 0\) defines a safe (or forward invariant) set for the system, the following formula is true:

Definition 10

(Barrier Function). Let be a differentiable scalar function defined for the system in (1). We say B is a barrier function for the system, the following formula is true:

Proposition 3

.

Fig. 2.

Type 1 and Type 2 \(\varepsilon \)-Barriers

4.2 Type 1: Strict Contraction

In the standard definition, the boundary of the barrier set is typically a manifold defined by equality, which is not numerically robust. To avoid this problem, we need the barrier boundary to be belt-shaped in the sense that there is a clear gap between the safe and unsafe regions. The idea is as shown in Fig. 2c: we need a second and stronger barrier defined by \(B=-\varepsilon \) for some reasonable \(\varepsilon \), so that the system is clearly separated from \(B=0\). The formal definition is as follows.

Definition 11

(\(\varepsilon \)-Barrier Certificates). Let be arbitrary. A differentiable scalar function is an \(\varepsilon \)-barrier function the following conditions are true:

• For all x, \(\mathsf {init}(x)\) implies \(B(x)\le -\varepsilon \).

• There exists such that for all x, \(B(x)= -\varepsilon \) implies .

Formally, the condition is defined as

It should be intuitively clear from the definition that the existence of \(\varepsilon \)-barrier functions is sufficient for establishing invariants and safety properties. The new requirement is that the system stays robustly within the barrier, by the area defined by \(-\varepsilon \le B(x)\le 0\).

Theorem 4

For any , \(\mathsf {Barrier}_{\varepsilon }(f,\mathsf {init},B)\rightarrow \mathsf {Safe}(f,\mathsf {init},B)\).

Proof

Assume \(\mathsf {Barrier}_{\varepsilon }(f,\mathsf {init},B)\) is true. It is easy to see \(\mathsf {Barrier}(f,\mathsf {init},B+\varepsilon )\), as specified in Definition 10, is also true. Therefore, using Proposition 3, we know \(\mathsf {Safe}(f,\mathsf {init},B+\epsilon )\) and hence \(\mathsf {Safe}(f,\mathsf {init},B)\) are both true.    \(\square \)

It is clear that there is room for numerically perturbing the size of the area and still obtaining a robust proof. The proof is similar to the one for Lemma 1 as shown in [8].

Theorem 5

For any , there exists such that \(\mathsf {Barrier}_{\varepsilon }(f, \mathsf {init}, B)\) is a \(\delta \)-robust formula.

Example 2

(Type 1 \(\varepsilon \)-Barrier for timed-reversed Van der Pol). Consider the time-reversed Van der Pol system introduced in Example 1. We use the same example to demonstrate the effect of numerical errors in proving barrier certificates. The level sets of the Lyapunov functions in the stable region are barrier certificates; however, for the barriers that are very close to the limiting cycle, numerical sensitivity becomes a problem. In experiments, when \(\varepsilon =10^{-5}\) and \(\delta =10^{-4}\), we can verify that the level set \(z^TPz=90\), is a Type 1 \(\varepsilon \)-barrier. Table 2 lists parameters used in this proof. Figure 3 (Left) shows the direction field for the timed-reversed Van der Pol dynamics, the border of the set \(z^TPz\le 90\), which we prove is a type 1 \(\varepsilon \)-barrier, and the boundary of set \(z^TPz\le 110\), which is clearly not a barrier, since it is outside of the limit cycle.

Fig. 3.

(Left) Van der pol example (Right) Type 2 barrier example

The conditions for \(\varepsilon \)-Lyapunov and \(\varepsilon \)-barrier functions look very similar, but there is an important difference. In the case of Lyapunov functions, we do not evaluate the Lie derivative of the balls. Thus, the balls do not define barrier sets. On the other hand, the level sets of Lyapunov functions always define barriers.

Remark 3

The \(\varepsilon \)-barrier functions can also be used as a sufficient condition for \(\varepsilon \)-stability, if a barrier can be found within the \(\varepsilon \)-ball required in \(\varepsilon \)-stability.

Remark 4

A technical requirement for proving robustness of the \(\varepsilon \)-barrier conditions is that defines a simple set that can be over-approximated, such that for every , there is such that for any point that satisfies there is an \(\varepsilon \)-close point that satisfies . A sufficient condition for this restriction is that \(\mathsf {init}\) be of the form , where are arbitrary constants, and \(\varphi \) is a quantifier-free formula with only strict inequalities [22].

4.3 Type 2: Bounded Escape

We now introduce the second set of conditions for establishing \(\varepsilon \)-invariant sets. This set of conditions can be used only when the \(\varepsilon \)-variations are considered. This notion is inspired by the notion of k-step invariants [3] for discrete-time systems. The \(\varepsilon \)-margin that we allow at the boundary of the invariants allows us to exploit more techniques. Using reachable set computation, we can directly check if all states stay within the barrier set at each step. To ensure that the conditions are inductive and useful, we need to impose the following two requirements:

• (Contraction) Similar to the strengthening in barrier certificates, we require that the system does not sit at the boundary: the dynamics at the boundary should be contracting. The difference with Type 1 \(\varepsilon \)-barriers is that, this condition is not imposed through the vector field on the boundary. Instead, it is a reachability condition: after some amount of time, all states should return to the interior of an appropriate set.

• (Bounded Escape) Before reaching back to the invariant set, we allow the system to step outside the invariant, but only up to a bounded distance from the boundary.

The intuition is depicted in Fig. 2d. In the formal definition, we parameterize the conditions with the time for contraction and the maximum deviation from the invariant set, as follows.

Definition 12

(Type 2 Barrier Functions). Let be arbitrary. We say a continuous scalar function B defines a \((T,\varepsilon )\)-elastic barrier function, the following conditions hold:

1. 1.

   For any x, \(\mathsf {init}(x)\) implies \(B(x)\le -\varepsilon \).

2. 2.

   There exists \(\varepsilon '> \varepsilon \) such that any state in \(B(x)\le -\varepsilon \) will enter \(B(x)\le -\varepsilon '\) after time T.

3. 3.

   During time [0, T], the system may step outside of \(B(x)\le -\varepsilon \) but there exists some \(\varepsilon ^*\in (0,\varepsilon ]\) such that all states stay within \(B(x)\le -\varepsilon ^*\).

In all, we define the conditions with the following formula

Theorem 6, shows that conditions in Definition 12 ensure that the system never leaves the invariant \(B\le 0\). The key is the second condition: induction works because all states come back to the interior of the set defined by \(B\le -\varepsilon \). With the third condition only, we cannot perform induction because the set may keep growing.

Theorem 6

For any , .

Proof

For the purpose of contradiction, suppose starting from \(x_0\in \mathsf {init}\), the system is unsafe. Using continuity of the barrier B and the solution function F, let be a time at which \(B(x(t))=0\), where x(t) is by definition \(F(x_0,t)\). By the 1^st property in Definition 12, we know \(B(x_0)\le -\varepsilon <0\). Using continuity of B and F, let \(t'\in [0,t)\) be the supremum of all times at which \(B(x(t'))=-\varepsilon \). By the 3^rd property in Definition 12, we know \(t-t'>T\), and by the 2^nd property in Definition 12, we know \(B(x(t'+T))\le -\varepsilon '<-\varepsilon \). Using continuity of B and F, we know there is a time \(t''\in (t'+T,t)\) at which \(B(x(t''))=-\varepsilon \). However, this is in contradiction with \(t'\) being the supremum.    \(\square \)

Theorem 7

For any , there exists such that \(\mathsf {Barrier}_{T,\varepsilon }(f, \mathsf {init}, B)\) is a \(\delta \)-robust formula.

Example 3

We use this example to show how Type 2 \(\varepsilon \)-barriers can be used to establish safety. Consider the following system.

$$ \left[ \begin{array}{c} \dot{x}_1 \\ \dot{x}_2 \end{array}\right] = \left[ \begin{array}{cc} -0.1 &{} -10 \\ 4 &{} -2 \end{array}\right] \left[ \begin{array}{c} x_1\\ x_2 \end{array}\right] $$

Let \(\mathsf {init}\) be the set \(\{ x \mid -0.1\le x_1\le 0.1, -0.1\le x_2\le 0.1 \}\), and let U, the unsafe set, be the set \(\{ x \mid -2.0\le x_1\le -1.1, -2.0\le x_2\le -1.1 \}\). The system is stable and safe with respect to the designated unsafe set. However, the safety cannot be shown using any invariant of the form , where is a constant, in the standard definition. This is because the vector field on the boundary of such sets do not satisfy the inductive conditions. Nevertheless, we can show that for \(c=1\), B(x) is a Type 2 \(\varepsilon \)-barrier. The dReal query verifies the conditions with \(\varepsilon =0.1\). Since and , we know that the system cannot reach any unsafe states. Figure 3 (Right), illustrates the example. The green set at the center represents \(\mathsf {init}\), and the red set represents unsafe set U. The \(B(x)=0\) level set is not invariant, as evidenced in the figure by the forward images at \(t=0.14\) and \(t=0.28\) leaving the set; however, as the dReal query proves, the reachable set over \(0\le t \le 10\) does not leave the \(B(x)=1.0\) level set and is completely contained in the \(B(x)=-0.1\) level set by \(t=0.4\). Since and , then the system cannot reach any state in U.

5 Experiments

In this section, we show examples of nonlinear systems that can be verified to be \(\varepsilon \)-stable or safe with \(\varepsilon \)-barriers.

Table 1. Results for the \(\varepsilon \)-Lyapunov functions. Each Lyapunov function is of the form \(z^T P z\), where z is a vector of monomials over the state variables. We report the constant values satisfying the \(\varepsilon \)-Lyapunov conditions, and the time that verification of each example takes (in seconds).

Table 2. Results for the \(\varepsilon \)-barrier functions. Each barrier function B(x) is of the form \(z^T P z - \ell \), where z is a vector of monomials over x. We indicate the highest degree of the monomials used in z, the size of the P, the level \(\ell \) used for each barrier function, and the value of \(\varepsilon \) and \(\gamma \) used to the check .

Table 1 contains parameters we use to verify requirements of Definition 8 for \(\varepsilon \)-Lyapunov functions in our examples. Table 2 contains parameters we use to verify requirements of Definition 11 for Type 1 \(\varepsilon \)-barrier functions in our examples. The \(\varepsilon \)-Lyapunov functions in these examples are of the form , where z is a vector of products of the state variables and P is a constant matrix obtained using simulation-guided techniques from [10]. All the P matrices are given in [8].

Time-Reversed Van der Pol. The time-reversed Van der Pol system has been used as an example in the previous sections. Figure 3 (Left) shows the direction field of this system around the origin. Using dReal with , we are able to establish a \(10^{-12}\)-Lyapunov function and a \(10^{-5}\)-barrier function.

Normalized Pendulum. A standard pendulum system has continuous dynamics containing a transcendental function, which causes difficulty for many techniques. Here, we consider a normalized pendulum system with the following dynamics, in which \(x_1\) and \(x_2\) represent angular position and velocity, respectively. In our experiment, using \(\delta =10^{-50}\), we can prove that function is \(\varepsilon \)-Lyapunov, where .

$$\begin{aligned} \left[ \begin{array}{c} \dot{x}_1 \\ \dot{x}_2 \end{array} \right] = \left[ \begin{array}{c} x_2 \\ -\sin (x_1)-x_2 \end{array} \right] \end{aligned}$$

(3)

Using , we are able to prove that for any value \(\ell \in [0.1,10]\), the function , with x being the system state, and P a constant matrix given in [8], is a Type 1 0.01-barrier function.

Moore-Greitzer Jet Engine. Next, we consider a simplified version of the Moore-Greitzer model for a jet engine. The system has the following dynamics, in which \(x_1\) and \(x_2\) are states related to mass flow and pressure rise.

$$\begin{aligned} \left[ \begin{array}{c} \dot{x}_1 \\ \dot{x}_2 \end{array} \right] = \left[ \begin{array}{c} -x_2-\frac{3}{2}x_1^2-\frac{1}{2}x_1^3 \\ 3x_1-x_2 \end{array} \right] \end{aligned}$$

(4)

In our experiment, using \(\delta =10^{-20}\) and , we can prove that function is \(\varepsilon \)-Lyapunov, where .

Using dReal with , we are able to prove that for any value \(\ell \in [1,10]\), the function , with x being the system state, z being the vector of monomials defined in the previous section, and P a constant matrix given in [8], is a Type 1 0.1-barrier function.

Powertrain Control System. Next, we consider a closed-loop model of a powertrain control (PTC) system for an automotive application. The system dynamics consist of four state variables, two associated with a plant and two for a controller. The plant models fuel and air dynamics of an internal combustion engine and the controller is designed to regulate the air-fuel (A/F) ratio within a given range of an optimal value, referred as stoichiometric value. Two states related to the plant represent the manifold pressure, p, and the ratio between actual A/F ratio and stoichiometric value, r. The two associated with the controller are the estimated manifold pressure, \(p_{est}\), and the internal state of the PI controller, i. The system is highly nonlinear, with the following dynamics

$$\begin{aligned} \begin{array}{lll} \dot{p} &{} = &{} \displaystyle c_1 \left( 2\hat{u_1}\sqrt{\frac{p}{c_{11}}-\left( \frac{p}{c_{11}} \right) ^2} - \left( c_3+c_4c_2p + c_5 c_2 p^2 + c_6 c_2^2 p \right) \right) \\ \dot{r} &{} = &{} \displaystyle 4\left( \frac{c_3 + c_4 c_2 p + c_5c_2 p^2 + c_6 c_2^2 p}{c_{13} (c_3 + c_4 c_2 p_{est}+ c_5 c_2 p_{est}^2 + c_6 c_2^2 p_{est})(1 + i + c_{14}(r - c_{16}))} -r \right) \\ \dot{p}_{est}&{} = &{} c_1 \left( 2 \hat{u_1}\sqrt{\frac{p}{c_{11}} - \left( \frac{p}{c_{11}}\right) ^2} - c_{13}\left( c_3 + c_4 c_2 p_{est}+ c_5 c_2 p_{est}^2 + c_6 c_2^2 p_{est}\right) \right) \\ \dot{i} &{} = &{} c_{15}(r-c_{16}) \end{array} \end{aligned}$$

which followed the detailed description of the model and the constant parameter values in [10]. We verified that there exists a function of the form \(B(x) = z^T P z - 0.01\) (z consist of 14 monomials with a maximum degree of 2), where , when \(B(x) = -\varepsilon \).

6 Conclusion

We formulated new inductive proof rules for stability and safety for dynamical systems. The rules are numerically robust, making them amenable to verification using automated reasoning tools such as those based on \(\delta \)-decision procedures. We presented several examples demonstrating the value of the new approach, including safety verification tasks for highly nonlinear systems. The examples show that the framework can be used to prove stability and safety for examples that were out of reach for existing tools. The new framework relies on the ability to generate reasonable candidate Lyapunov functions, which are analogous to ranking functions from program analysis. Future work will include improved techniques for efficiently generating the \(\varepsilon \)-Lyapunov and \(\varepsilon \)-barrier functions and related theoretical questions.