NumericallyRobust Inductive Proof Rules for Continuous Dynamical Systems
 4.1k Downloads
Abstract
We formulate numericallyrobust inductive proof rules for unbounded stability and safety properties of continuous dynamical systems. These induction rules robustify standard notions of Lyapunov functions and barrier certificates so that they can tolerate small numerical errors. In this way, numericallydriven decision procedures can establish a sound and relativecomplete proof system for unbounded properties of very general nonlinear systems. We demonstrate the effectiveness of the proposed rules for rigorously verifying unbounded properties of various nonlinear systems, including a challenging powertrain control model.
1 Introduction
Infinitetime stability and safety properties of continuous dynamical systems are typically established via inductive arguments over continuous time. For instance, proving stability of a dynamical system is similar to proving termination of a program. A system is stable at the origin in the sense of Lyapunov, if one can find a Lyapunov function (essentially a ranking function) that is everywhere positive except for reaching exactly zero at the origin, and never increases over time along the direction of the system dynamics [11]. Likewise, proving unbounded safety of a dynamical system requires one to find a barrier function (or differential invariant [19]) that separates the system’s initial state from the unsafe regions, and whenever the system states reach the barrier, the system dynamics always points towards the safe side of the barrier [21]. In both cases, once a candidate certificate (Lyapunov or barrier functions) is proposed, the verification problem is reduced to checking the validity of a universallyquantified firstorder formula over realvalued variables. The standard approaches for the validation step use symbolic quantifier elimination [4] or SumofSquares techniques [17, 18, 24]. However, these algorithms are either extremely expensive or numerically brittle. Most importantly, they can not handle systems with nonpolynomial nonlinearity, and thus fall short of a general framework for verifying practical systems of significant complexity.
The standard approach of checking invariance conditions in program analysis is to use Satisfiability Modulo Theories (SMT) solvers [16]. However, to check the inductive conditions for nonlinear dynamical systems, one has to solve nonlinear SMT problems over real numbers, which are highly intractable or undecidable [23]. Recent work on numericallydriven decision procedures provides a promising direction to bypass this difficulty [5, 6]. They have been used for many boundedtime verification and synthesis problems for highly nonlinear systems [12]. However, the fundamental challenge with using numericallydriven methods in inductive proofs is that numerical errors make it impossible to verify the induction steps in the standard sense. Take the Lyapunov analysis of stability properties as an example. A dynamical system is stable if there exists a function that vanishes exactly at the origin and its derivatives strictly decreases over time. Since any numerical error blurs the difference between strict and nonstrict inequality, one can conclude that numericallydriven methods are not suitable for verifying these strict constraints. However, proving a system is stable within an arbitrarily tiny neighborhood around the origin is all we really need in practice. Thus, there is a discrepancy between what the standard theory requires and what is needed in practice, or what can be achieved computationally. To bridge this gap, we need to rethink about the fundamental definitions.

We define \(\varepsilon \)stability and \(\varepsilon \)Lyapunov functions in Sect. 3. We prove that finding \(\varepsilon \)Lyapunov functions is sufficient for establishing \(\varepsilon \)stability.

We define two types of robust proof rules for unbounded safety in Sect. 3, which we call Type 1 and Type 2 \(\varepsilon \)barrier functions. The former relies on strict contraction, and the latter relies on reachableset computation to guarantee bounded escape.

We prove that \(\delta \)complete decision procedures provide a sound and relativecomplete proof system for the proposed numericallyrobust induction rules, in both Sects. 3 and 4.
We demonstrate the effectiveness of the proposed methods on various nonlinear systems in Sect. 5. Section 2 covers the basic definitions and Sect. 6 concludes the paper.
Related Work. Several lines of work have proposed relaxed and practical notions to capture the spirit of the stability requirements. Early work from the 1960s introduced practical stability, which defined bounds on system behaviors over finite time horizons [2, 14, 26, 27]. These methods can show whether a system leaves a safe set or enters a goal set over a finite time horizon based on Lyapunovlike functions. Stability defined in this sense is equivalent to estimating the reachable set over a finite time horizon. Thus, the shortcoming is that it may not capture the desired behavior of the system over unbounded time. Similarly, notions of boundedness and ultimate boundedness specify limits on the system behaviors [11]. Boundedness specifies whether the system remains within a given bounded region. Ultimate boundedness specifies that the system eventually returns to the given bounded region. These properties can be established based on Lyapunovlike conditions. Related notions have been generalized to switched systems [29, 30]. Also, the related notion of region stability defines systems that eventually enter and remain within a specified set [20]. We present stability concepts that unify and extend the above notions. A related relaxation of the traditional notions of stability includes almost Lyapunov functions [15], which allow the strict stability conditions to be neglected in a region near the equilibrium point. The challenge of applying this technique in practice is that the size and shape of the neglected region are not specified a priori, so a constructive technique for specifying a stability region is not straightforward. Our work is related to efforts to construct and check robust barrier certificates using Lyapunovlike functions to ensure that controllers satisfy safety constraints [28]. This work provides a framework in which to specify analytic constraints on controller behaviors. By contrast, our work focuses on providing constraints that can be checked fully automatically. Our notion of \(\varepsilon \)barrier functions is closely related to tbarrier certificates from [1], though we choose to focus on distance bounds from the barrier (\(\varepsilon \)) rather than time bounds that indicate how long it takes for behaviors to reenter the barrier once it has left (t).
2 Background
2.1 Dynamical Systems
Definition 1
(Lie Derivative). Let Open image in new window define a vector field. Write the i^{th} component of f as Open image in new window . Let Open image in new window be a differentiable scalar function. The Lie derivative of V over f is defined as Open image in new window
2.2 FirstOrder Language over the Reals \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\)
We will make extensive use of firstorder formulas over real numbers with Type 2 computable functions [25] to express and infer properties of nonlinear dynamical systems. Definition 2 introduces the syntax of these formulas.
Definition 2
We regard Open image in new window as an operation that is defined inductively as usual. For instance, Open image in new window is defined as Open image in new window , and Open image in new window is defined as Open image in new window . For any \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\) terms u and v, variable x, and \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\) predicate \(\varphi \), we write \(\exists ^{[u,v]}x\varphi \) and \(\forall ^{[u,v]}x\varphi \) to denote Open image in new window and Open image in new window , respectively, which applies to open intervals too. Next, Definition 3 introduces syntactic perturbation of formulas in \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\).
Definition 3
(\(\delta \)Strengthening and Robust Formulas [7]). Let \(\delta \in \mathbb {Q}^+\) be arbitrary. Let \(\varphi \) be an arbitrary \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\) formula. The \(\delta \)strengthening of \(\varphi \), denoted by \(\varphi ^{+\delta }\), is obtained from \(\varphi \) by replacing every atomic predicate of the form \(t(x)>0\) and Open image in new window with \(t(x)\delta >0\) and Open image in new window , respectively. We say \(\varphi \) is \(\delta \) robust Open image in new window \(\varphi ^{+\delta }\leftrightarrow \varphi \).
Definition 4

\(\mathsf {true}:\) \(\varphi \) is true.

\(\delta \)\(\mathsf {false}:\) \(\varphi ^{+\delta }\) is false.
When the two cases overlap, either decision can be returned.
It follows that if \(\varphi \) is \(\delta \)robust, then a \(\delta \)complete decision procedure can correctly determine the truth value of \(\varphi \).
3 Robust Proofs for Stability
We first focus on stability. We will define the notion of \(\varepsilon \)stability, as a relaxation of the standard Lyapunov stability, and then define \(\varepsilon \)Lyapunov functions, which are sufficient for proving \(\varepsilon \)stability in a robust way.
3.1 Stability and Lyapunov Functions
Conventionally, \(\varepsilon \) and \(\delta \) are used to best highlight the connection with \(\varepsilon \)\(\delta \) conditions for continuity. We will mostly reserve the use of \(\varepsilon \) for defining conditions that are robust under \(\varepsilon \)bounded numerical errors. Thus, we replace \(\varepsilon \) by \(\tau \) in the standard definitions to avoid confusion.
Definition 5
Definition 6
Proposition 1
For any dynamical system defined by f, if there exists a Lyapunov function V, then the system is stable. Namely, Open image in new window .
3.2 EpsilonStability
The standard definitions of stability requires a system to stabilize within arbitrarily small neighborhoods around the origin. However, very small neighborhoods are practically indistinguishable from the origin. Thus, it is practically sufficient to prove that a system is stable within some sufficiently small neighborhood. We capture this intuition by making a minor change to the standard definition, by simply putting a lower bound \(\varepsilon \) on the \(\tau \) parameter in Definition 5. As a result, the system is required to exhibit the same behavior as standard stable systems outside the \(\varepsilon \)ball, but can behave arbitrarily within the \(\varepsilon \)ball (for instance, oscillate around the origin). The formal definition is as follows:
Definition 7
Proposition 2
For any Open image in new window , \(\mathsf {Stable}(f)\rightarrow \mathsf {Stable}_{\varepsilon }(f)\).
Thus, any system that is stable in the standard definition is also \(\varepsilon \)stable for any Open image in new window . On the other hand, one can always choose small enough \(\varepsilon \) such that an \(\varepsilon \)stable system is practically indistinguishable from stable systems in the standard definition.
3.3 EpsilonLyapunov Function
We now define the corresponding notion of Lyapunov function that can be used for proving \(\varepsilon \)stability. The robustness problem in the standard definition comes from the singularity of the origin. With the relaxed notion of stability, the system may oscillate within some \(\varepsilon \)neighborhood of the origin. With the relaxation, we now have room for constructing a few nested neighborhoods that can trap the trajectories in a way that is robust under sufficiently small perturbations. To achieve this, we make use of balls of different sizes, as shown in the following definition. We write \(\mathcal {B}_{\varepsilon }\) to denote open \(\varepsilon \)balls around the origin.
Definition 8
 1.
Outside the \(\varepsilon \)ball, there is some positive lower bound on the value of V. Namely, there exists Open image in new window such that for any \(x\in D\setminus \mathcal {B}_{\varepsilon }\), Open image in new window .
 2.
Inside the \(\varepsilon \)ball, there is a strictly smaller \(\varepsilon '\)ball in which the value of V is bounded from above, to create a gap with its values outside the \(\varepsilon \)ball. Formally, there exists \(\varepsilon '\in (0,\varepsilon )\) and \(\beta \in (0,\alpha )\) such that for all \(x\in \mathcal {B}_{\varepsilon '}\), \(V(x)\le \beta \).
 3.
The Lie derivative of V is strictly negative outside of \(\mathcal {B}_{\varepsilon '}\). Formally, there exists Open image in new window such that for all \(x\in D\setminus \mathcal {B}_{\varepsilon '}\), the Lie derivative of V along f satisfies Open image in new window .
It is important to note that \(\varepsilon '\), \(\alpha \), \(\beta \), and \(\gamma \), are not fixed constants, but existentially quantified variables. Thus the condition can hold true for infinitely many values of these parameters, which is critical to robustness. The only free variable in the formula is \(\varepsilon \), used in \(\mathcal {B}_{\varepsilon }\) and the bound for \(\varepsilon '\). Note also that neither of \(\mathsf {LF}_{\varepsilon }(f,V)\) and the standard definition \(\mathsf {LF}(f,V)\) implies the other.
Remark 1
The logical structure of \(\mathsf {LF}_{\varepsilon }(f,V)\) is seemingly more complex than the standard Lyapunov conditions in Definition 6 because of the extra existential quantification. In Theorem 3, we show that it does not add computational complexity in checking the conditions.
The key result is that the conditions for an \(\varepsilon \)Lyapunov function are sufficient for establishing \(\varepsilon \)stability.
Theorem 1
If there exists an \(\varepsilon \)Lyapunov function V for a dynamical system defined by f, then the system is \(\varepsilon \)stable. Namely, \(\mathsf {LF}_{\varepsilon }(f,V)\rightarrow \mathsf {Stable}_{\varepsilon }(f)\).
Proof
Remark 2
Proof of Theorem 1 shows that once state of the system enters \(\mathcal {B}_{\varepsilon '}\), it never leaves \(\mathcal {B}_{\varepsilon }\). However, it would be still possible for the state to leave \(\mathcal {B}_{\varepsilon '}\). One the other hand, since closure of \(\mathcal {B}_{\varepsilon }\setminus \mathcal {B}_{\varepsilon '}\) is bounded, and for every x in this area, V is continuous at x and Open image in new window , no trajectory can be trapped in the closure of \(\mathcal {B}_{\varepsilon }\setminus \mathcal {B}_{\varepsilon '}\). Therefore, even though state of the system might leave \(\mathcal {B}_{\varepsilon '}\), it will visit inside of this ball infinitely often.
Example 1
3.4 Automated Proofs with DeltaDecisions

(Soundness) A \(\delta \)complete decision procedure is always correct when it confirms the existence of an \(\varepsilon \)Lyapunov function.

(Relative Completeness) For a given \(\varepsilon \)inductive certificate, there exists \(\delta >0\) such that a \(\delta '\)complete procedure is able to verify it, for any \(0<\delta '\le \delta \).
To prove these properties, the key fact is that the continuity of the functions in the induction conditions ensures that there is room for numerical errors in the conditions. Consequently, the formulas allow \(\delta \)perturbations in their parameters. This is captured by Lemma 1, and the proof is given in [8].
Lemma 1
For any Open image in new window , there exists Open image in new window such that \(\mathsf {LF}_{\varepsilon }(f,V)\) is \(\delta \)robust.
Note that if a formula \(\phi \) is \(\delta \)robust then for every \(\delta '\in (0,\delta )\), \(\phi \) is \(\delta '\)robust as well. The soundness and relativecompleteness then follow naturally.
Theorem 2
(Soundness). If a \(\delta \)complete decision procedure confirms that \(\mathsf {LF}_{\varepsilon }(f,V)\) is true then V is indeed an \(\varepsilon \)Lyapunov function, and f is \(\varepsilon \)stable.
Proof
Using Definition 4, we know \(\mathsf {LF}_{\varepsilon }(f,V)\), exactly as specified in Definition 8, is true. Therefore, V is \(\varepsilon \)Lyapunov. Using Theorem 1, f is \(\varepsilon \)stable. \(\square \)
Theorem 3
(Relative Completeness). For any Open image in new window , if \(\mathsf {LF}_{\varepsilon }(f,V)\) is true then there exists Open image in new window such that any \(\delta \)complete decision procedure must return that \(\mathsf {LF}_{\varepsilon }(f,V)\) is true.
Proof
Fix an arbitrary Open image in new window for which \(\mathsf {LF}_{\varepsilon }(f,V)\) is true. Let Open image in new window , and using Lemma 1, let Open image in new window be such that \(\phi \) is \(\delta \)robust. Since \(\phi \) is true, we conclude \(\phi ^{+\delta }\) is true as well. Using Definition 4, no \(\delta \)complete decision procedure can return \(\delta \)\(\mathsf {false}\) for \(\phi \). \(\square \)
4 Robust Proofs for Safety
In this section, we define two types of \(\varepsilon \)barrier functions that are robust to numerical perturbations.
Proving unbounded safety requires the use of barrier functions. The idea is that if one can find a barrier function that separates initial conditions from the set of unsafe states, such that no trajectories can cross the barrier from the safe to the unsafe side, then the system is safe. Here we use a formulation similar to the that of Prajna [21]. The standard conditions on barrier functions include constraints on the vector field of the system at the exact boundary of the barrier set, which introduces robustness problems. We show that it is possible to avoid these problems using two different formulations, which we call Type 1 and Type 2 \(\varepsilon \)barrier functions. Type 1 \(\varepsilon \)barrier functions strengthen the original definition and requires strict contraction of the barrier. Instead of only asking the system to be contractive exactly on the barrier’s border, we force it to be contractive when reaching any state within a small distance from the border. Type 2 \(\varepsilon \)barrier functions allow the system to escape the barrier for a controllable distance and a limited period of time. It should then return to the interior of the safe region. Type 1 \(\varepsilon \)barriers can be seen as a subclass of Type 2 \(\varepsilon \)barriers. The benefit for allowing bounded escape is that the shape of the barrier no longer needs to be an invariant set, which can be particularly helpful when the shape of the system invariants cannot be determined or expressed symbolically. The downside to Type 2 \(\varepsilon \)barriers is that checking the corresponding conditions requires integration of the dynamics, which can be expensive but can still be handled by \(\delta \)complete decision procedures. The intuition behind the two definitions is shown in Fig. 2 and will be explained in detail in this section.
4.1 Safety and Barrier Functions
Before formally introducing robust safety and \(\varepsilon \)barrier functions, we define the safety and barrier functions first. It is easy to see that the robustness problem with the barrier functions is similar to that of Lyapunov functions: if the boundary is exactly separating the safe and unsafe regions then the inductive conditions are not robust, since deviations in the variables by even a small amount from the barrier will make it impossible to complete the proof.
Definition 9
Definition 10
Proposition 3
4.2 Type 1: Strict Contraction
In the standard definition, the boundary of the barrier set is typically a manifold defined by equality, which is not numerically robust. To avoid this problem, we need the barrier boundary to be beltshaped in the sense that there is a clear gap between the safe and unsafe regions. The idea is as shown in Fig. 2c: we need a second and stronger barrier defined by \(B=\varepsilon \) for some reasonable \(\varepsilon \), so that the system is clearly separated from \(B=0\). The formal definition is as follows.
Definition 11

For all x, \(\mathsf {init}(x)\) implies \(B(x)\le \varepsilon \).

There exists Open image in new window such that for all x, \(B(x)= \varepsilon \) implies Open image in new window .
It should be intuitively clear from the definition that the existence of \(\varepsilon \)barrier functions is sufficient for establishing invariants and safety properties. The new requirement is that the system stays robustly within the barrier, by the area defined by \(\varepsilon \le B(x)\le 0\).
Theorem 4
For any Open image in new window , \(\mathsf {Barrier}_{\varepsilon }(f,\mathsf {init},B)\rightarrow \mathsf {Safe}(f,\mathsf {init},B)\).
Proof
Assume \(\mathsf {Barrier}_{\varepsilon }(f,\mathsf {init},B)\) is true. It is easy to see \(\mathsf {Barrier}(f,\mathsf {init},B+\varepsilon )\), as specified in Definition 10, is also true. Therefore, using Proposition 3, we know \(\mathsf {Safe}(f,\mathsf {init},B+\epsilon )\) and hence \(\mathsf {Safe}(f,\mathsf {init},B)\) are both true. \(\square \)
It is clear that there is room for numerically perturbing the size of the area and still obtaining a robust proof. The proof is similar to the one for Lemma 1 as shown in [8].
Theorem 5
For any Open image in new window , there exists Open image in new window such that \(\mathsf {Barrier}_{\varepsilon }(f, \mathsf {init}, B)\) is a \(\delta \)robust formula.
Example 2
(Type 1 \(\varepsilon \)Barrier for timedreversed Van der Pol). Consider the timereversed Van der Pol system introduced in Example 1. We use the same example to demonstrate the effect of numerical errors in proving barrier certificates. The level sets of the Lyapunov functions in the stable region are barrier certificates; however, for the barriers that are very close to the limiting cycle, numerical sensitivity becomes a problem. In experiments, when \(\varepsilon =10^{5}\) and \(\delta =10^{4}\), we can verify that the level set \(z^TPz=90\), is a Type 1 \(\varepsilon \)barrier. Table 2 lists parameters used in this proof. Figure 3 (Left) shows the direction field for the timedreversed Van der Pol dynamics, the border of the set \(z^TPz\le 90\), which we prove is a type 1 \(\varepsilon \)barrier, and the boundary of set \(z^TPz\le 110\), which is clearly not a barrier, since it is outside of the limit cycle.
The conditions for \(\varepsilon \)Lyapunov and \(\varepsilon \)barrier functions look very similar, but there is an important difference. In the case of Lyapunov functions, we do not evaluate the Lie derivative of the balls. Thus, the balls do not define barrier sets. On the other hand, the level sets of Lyapunov functions always define barriers.
Remark 3
The \(\varepsilon \)barrier functions can also be used as a sufficient condition for \(\varepsilon \)stability, if a barrier can be found within the \(\varepsilon \)ball required in \(\varepsilon \)stability.
Remark 4
A technical requirement for proving robustness of the \(\varepsilon \)barrier conditions is that Open image in new window defines a simple set that can be overapproximated, such that for every Open image in new window , there is Open image in new window such that for any point that satisfies Open image in new window there is an \(\varepsilon \)close point that satisfies Open image in new window . A sufficient condition for this restriction is that \(\mathsf {init}\) be of the form Open image in new window , where Open image in new window are arbitrary constants, and \(\varphi \) is a quantifierfree formula with only strict inequalities [22].
4.3 Type 2: Bounded Escape

(Contraction) Similar to the strengthening in barrier certificates, we require that the system does not sit at the boundary: the dynamics at the boundary should be contracting. The difference with Type 1 \(\varepsilon \)barriers is that, this condition is not imposed through the vector field on the boundary. Instead, it is a reachability condition: after some amount of time, all states should return to the interior of an appropriate set.

(Bounded Escape) Before reaching back to the invariant set, we allow the system to step outside the invariant, but only up to a bounded distance from the boundary.
The intuition is depicted in Fig. 2d. In the formal definition, we parameterize the conditions with the time for contraction and the maximum deviation from the invariant set, as follows.
Definition 12
 1.
For any x, \(\mathsf {init}(x)\) implies \(B(x)\le \varepsilon \).
 2.
There exists \(\varepsilon '> \varepsilon \) such that any state in \(B(x)\le \varepsilon \) will enter \(B(x)\le \varepsilon '\) after time T.
 3.
During time [0, T], the system may step outside of \(B(x)\le \varepsilon \) but there exists some \(\varepsilon ^*\in (0,\varepsilon ]\) such that all states stay within \(B(x)\le \varepsilon ^*\).
Theorem 6, shows that conditions in Definition 12 ensure that the system never leaves the invariant \(B\le 0\). The key is the second condition: induction works because all states come back to the interior of the set defined by \(B\le \varepsilon \). With the third condition only, we cannot perform induction because the set may keep growing.
Theorem 6
For any Open image in new window , Open image in new window .
Proof
For the purpose of contradiction, suppose starting from \(x_0\in \mathsf {init}\), the system is unsafe. Using continuity of the barrier B and the solution function F, let Open image in new window be a time at which \(B(x(t))=0\), where x(t) is by definition \(F(x_0,t)\). By the 1^{st} property in Definition 12, we know \(B(x_0)\le \varepsilon <0\). Using continuity of B and F, let \(t'\in [0,t)\) be the supremum of all times at which \(B(x(t'))=\varepsilon \). By the 3^{rd} property in Definition 12, we know \(tt'>T\), and by the 2^{nd} property in Definition 12, we know \(B(x(t'+T))\le \varepsilon '<\varepsilon \). Using continuity of B and F, we know there is a time \(t''\in (t'+T,t)\) at which \(B(x(t''))=\varepsilon \). However, this is in contradiction with \(t'\) being the supremum. \(\square \)
Theorem 7
For any Open image in new window , there exists Open image in new window such that \(\mathsf {Barrier}_{T,\varepsilon }(f, \mathsf {init}, B)\) is a \(\delta \)robust formula.
Example 3
5 Experiments
Results for the \(\varepsilon \)Lyapunov functions. Each Lyapunov function is of the form \(z^T P z\), where z is a vector of monomials over the state variables. We report the constant values satisfying the \(\varepsilon \)Lyapunov conditions, and the time that verification of each example takes (in seconds).
Example  \(\alpha \)  \(\beta \)  \(\gamma \)  \(\varepsilon \)  \(\varepsilon '\)  Time (s) 

T.R. Van der Pol  \({2.10\times 10^{23}}\)  \({1.70\times 10^{23}}\)  \({10^{25}}\)  \(10^{12}\)  \({5\times 10^{13}}\)  0.05 
Norm. Pend.  \({7.07\times 10^{23}}\)  \({3.97\times 10^{23}}\)  \(10^{50}\)  \(10^{12}\)  \({5\times 10^{13}}\)  0.01 
MooreGreitzer  \({2.95\times 10^{19}}\)  \({2.55\times 10^{19}}\)  \(10^{20}\)  \(10^{10}\)  \({5\times 10^{11}}\)  0.04 
Results for the \(\varepsilon \)barrier functions. Each barrier function B(x) is of the form \(z^T P z  \ell \), where z is a vector of monomials over x. We indicate the highest degree of the monomials used in z, the size of the P, the level \(\ell \) used for each barrier function, and the value of \(\varepsilon \) and \(\gamma \) used to the check Open image in new window .
Example  \(\ell \)  \(\varepsilon \)  \(\gamma \)  degree (z)  Size of P  Time (s) 

T.R. Van der Pol  90  \(10^{5}\)  \(10^{5}\)  3  \(9\times 9\)  6.47 
Norm. Pend.  \(10^{2}\)  \(10^{2}\)  1  \(2\times 2\)  0.08  
MooreGreitzer  \(10^{1}\)  \(10^{1}\)  4  \(5\times 5\)  13.80  
PTC  0.01  \(10^{5}\)  \(10^{5}\)  2  \(14\times 14\)  428.75 
Table 1 contains parameters we use to verify requirements of Definition 8 for \(\varepsilon \)Lyapunov functions in our examples. Table 2 contains parameters we use to verify requirements of Definition 11 for Type 1 \(\varepsilon \)barrier functions in our examples. The \(\varepsilon \)Lyapunov functions in these examples are of the form Open image in new window , where z is a vector of products of the state variables and P is a constant matrix obtained using simulationguided techniques from [10]. All the P matrices are given in [8].
TimeReversed Van der Pol. The timereversed Van der Pol system has been used as an example in the previous sections. Figure 3 (Left) shows the direction field of this system around the origin. Using dReal with Open image in new window , we are able to establish a \(10^{12}\)Lyapunov function and a \(10^{5}\)barrier function.
Using dReal with Open image in new window , we are able to prove that for any value \(\ell \in [1,10]\), the function Open image in new window , with x being the system state, z being the vector of monomials defined in the previous section, and P a constant matrix given in [8], is a Type 1 0.1barrier function.
6 Conclusion
We formulated new inductive proof rules for stability and safety for dynamical systems. The rules are numerically robust, making them amenable to verification using automated reasoning tools such as those based on \(\delta \)decision procedures. We presented several examples demonstrating the value of the new approach, including safety verification tasks for highly nonlinear systems. The examples show that the framework can be used to prove stability and safety for examples that were out of reach for existing tools. The new framework relies on the ability to generate reasonable candidate Lyapunov functions, which are analogous to ranking functions from program analysis. Future work will include improved techniques for efficiently generating the \(\varepsilon \)Lyapunov and \(\varepsilon \)barrier functions and related theoretical questions.
Notes
Acknowledgement
Our work is supported by the United States Air Force and DARPA under Contract No. FA875018C0092, AFOSR No. FA95501910041, and the National Science Foundation under NSF CNS No. 1830399. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Air Force and DARPA.
References
 1.Bak, S.: tBarrier certificates: a continuous analogy to kinduction. In: IFAC Conference on Analysis and Design of Hybrid Systems (2018)CrossRefGoogle Scholar
 2.Bernfeld, S.R., Lakshmikantham, V.: Practical stability and Lyapunov functions. Tohoku Math. J. (2) 32(4), 607–613 (1980)MathSciNetCrossRefGoogle Scholar
 3.Bobiti, R., Lazar, M.: A deltasampling verification theorem for discretetime, possibly discontinuous systems. In: HSCC (2015)Google Scholar
 4.Collins, G.E.: Quantifier elimination for real closed fields by cylindrical algebraic decompostion. In: Brakhage, H. (ed.) GIFachtagung 1975. LNCS, vol. 33, pp. 134–183. Springer, Heidelberg (1975). https://doi.org/10.1007/3540074074_17CrossRefGoogle Scholar
 5.Fränzle, M., Herde, C., Teige, T., Ratschan, S., Schubert, T.: Efficient solving of large nonlinear arithmetic constraint systems with complex boolean structure. JSAT 1(3–4), 209–236 (2007)zbMATHGoogle Scholar
 6.Gao, S., Avigad, J., Clarke, E.: Deltacomplete decision procedures for satisfiability over the reals. In: Proceedings of the Automated Reasoning  6th International Joint Conference, IJCAR 2012, Manchester, UK, 26–29 June 2012, pp. 286–300 (2012)Google Scholar
 7.Gao, S., Avigad, J., Clarke, E.M.: Deltadecidability over the reals. In: LICS, pp. 305–314. IEEE Computer Society (2012)Google Scholar
 8.Gao, S., et al.: Numericallyrobust inductive proof rules for continuous dynamical systems (extended version) (2019). https://dreal.github.io/CAV19/
 9.Gao, S., Kong, S., Clarke, E.M.: dReal: an SMT solver for nonlinear theories over the reals. In: Bonacina, M.P. (ed.) CADE 2013. LNCS (LNAI), vol. 7898, pp. 208–214. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642385742_14CrossRefGoogle Scholar
 10.Kapinski, J., Deshmukh, J.V., Sankaranarayanan, S., Aréchiga, N.: Simulationguided Lyapunov analysis for hybrid dynamical systems. In: Hybrid Systems: Computation and Control (2014)Google Scholar
 11.Khalil, H.K.: Nonlinear Systems. Prentice Hall, Upper Saddle River (1996)Google Scholar
 12.Kong, S., Gao, S., Chen, W., Clarke, E.: dReach: \(\delta \)reachability analysis for hybrid systems. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 200–205. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662466810_15CrossRefGoogle Scholar
 13.Kong, S., SolarLezama, A., Gao, S.: Deltadecision procedures for existsforall problems over the reals. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10982, pp. 219–235. Springer, Cham (2018). https://doi.org/10.1007/9783319961422_15CrossRefGoogle Scholar
 14.LaSalle, J.P., Lefschetz, S.: Stability by Liapunov’s Direct Method: With Applications. Mathematics in Science and Engineering. Academic Press, New York (1961)zbMATHGoogle Scholar
 15.Liberzon, D., Ying, C., Zharnitsky, V.: On almost Lyapunov functions. In: 2014 IEEE 53rd Annual Conference on Decision and Control (CDC), pp. 3083–3088, December 2014Google Scholar
 16.Monniaux, D.: A survey of satisfiability modulo theory. In: Gerdt, V.P., Koepf, W., Seiler, W.M., Vorozhtsov, E.V. (eds.) CASC 2016. LNCS, vol. 9890, pp. 401–425. Springer, Cham (2016). https://doi.org/10.1007/9783319456416_26CrossRefGoogle Scholar
 17.Papachristodoulou, A., Prajna, S.: Analysis of nonpolynomial systems using the sum of squares decomposition. In: Henrion, D., Garulli, A. (eds.) Positive Polynomials in Control. LNCIS, vol. 312, pp. 23–43. Springer, Heidelberg (2005). https://doi.org/10.1007/10997703_2CrossRefGoogle Scholar
 18.Parrilo, P.: Structured semidenite programs and semialgebraic geometry methods in robustness and optimization. Ph.D. thesis, August 2000Google Scholar
 19.Platzer, A., Clarke, E.M.: Computing differential invariants of hybrid systems as fixedpoints. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 176–189. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540705451_17CrossRefGoogle Scholar
 20.Podelski, A., Wagner, S.: Model checking of hybrid systems: from reachability towards stability. In: Hespanha, J.P., Tiwari, A. (eds.) HSCC 2006. LNCS, vol. 3927, pp. 507–521. Springer, Heidelberg (2006). https://doi.org/10.1007/11730637_38CrossRefzbMATHGoogle Scholar
 21.Prajna, S.: Optimizationbased methods for nonlinear and hybrid systems verification. Ph.D. thesis, California Institute of Technology, Pasadena, CA, USA (2005). AAI3185641Google Scholar
 22.Roohi, N., Prabhakar, P., Viswanathan, M.: Relating syntactic and semantic perturbations of hybrid automata. In: CONCUR, pp. 26:1–26:16 (2018)Google Scholar
 23.Tarski, A.: A Decision Method for Elementary Algebra and Geometry, 2nd edn. University of California Press, Berkeley (1951)zbMATHGoogle Scholar
 24.Topcu, U., Packard, A., Seiler, P.: Local stability analysis using simulations and sumofsquares programming. Automatica 44, 2669–2675 (2008)MathSciNetCrossRefGoogle Scholar
 25.Weihrauch, K.: Computable Analysis: An Introduction, 1st edn. Springer, Heidelberg (2013)zbMATHGoogle Scholar
 26.Weiss, L., Infante, E.F.: On the stability of systems defined over a finite time interval. Proc. Nat. Acad. Sci. U.S.A. 54(1), 44 (1965)MathSciNetCrossRefGoogle Scholar
 27.Weiss, L., Infante, E.F.: Finite time stability under perturbing forces and on product spaces. IEEE Trans. Autom. Control 12(1), 54–59 (1967)MathSciNetCrossRefGoogle Scholar
 28.Xu, X., Tabuada, P., Grizzle, J.W., Ames, A.D.: Robustness of control barrier functions for safety critical control. IFACPapersOnLine 48(27), 54–61 (2015)CrossRefGoogle Scholar
 29.Zhai, G., Michel, A.N.: On practical stability of switched systems. In: Proceedings of the 41st IEEE Conference on Decision and Control, vol. 3, pp. 3488–3493, December 2002Google Scholar
 30.Zhai, G., Michel, A.N.: Generalized practical stability analysis of discontinuous dynamical systems. In: Proceedings of the 42nd IEEE Conference on Decision and Control, vol. 2, pp. 1663–1668. IEEE (2003)Google Scholar
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.