Abstract
We address the problem of analyzing the reachable set of a polynomial nonlinear continuous system by overapproximating the flowpipe of its dynamics. The common approach to this problem is to perform a numerical integration over a given time horizon based on Taylor expansion and interval arithmetic. However, this method turns out to be very conservative when there is a large difference in speed between trajectories as time progresses. In this paper, we propose to use combinations of barrier functions, which we call piecewise barrier tubes (PBT), to overapproximate the flowpipe. The basic idea of PBT is that for each segment of a flowpipe, a coarse box which is big enough to contain the segment is constructed using sampled simulation, and then, inside the box, we compute by linear programming a set of barrier functions (called a barrier tube, or BT for short) which work together to form a tube surrounding the flowpipe. The benefit of using PBT is that (1) a BT is independent of time and hence avoids being stretched and deformed by time; and (2) a small number of BTs can form a tight overapproximation of the flowpipe, which means that the computation required to decide whether the BTs intersect the unsafe set can be reduced significantly. We implemented a prototype called PBTS in C++. Experiments on some benchmark systems show that our approach is effective.
This research was supported by the Austrian Science Fund (FWF) under grants S11402-N23, S11405-N23 (RiSE/SHiNE) and Z211-N23 (Wittgenstein Award).
1 Introduction
Hybrid systems [17] are widely used to model dynamical systems which exhibit both discrete and continuous behaviors. The reachability analysis of hybrid systems has been a challenging problem over the last few decades. The core difficulty lies in dealing with the continuous behavior of systems that are described by ordinary differential equations (ODEs). Although there are currently several quite efficient and scalable approaches for reachability analysis of linear systems [8,9,10, 14, 16, 19, 20, 26, 34], nonlinear ODEs are much harder to handle, and the current approaches can be grouped as follows.
Invariant Generation [18, 21, 22, 27, 28, 36, 37, 39]. An invariant I for a system S is a set such that any trajectory of S originating from I never escapes from I. Therefore, finding an invariant I such that the initial set \(I_0\subseteq I\) and the unsafe set \(U\cap I=\emptyset \) indicates the safety of the system. In this way, there is no need to compute the flowpipe. The main problem with invariant generation is that it is hard to define a set of high quality constraints which can be solved efficiently.
Abstraction and Hybridization [2, 11, 24, 31, 35]. The basic idea of the abstraction-based approach is to first construct a linear model which overapproximates the original nonlinear dynamics and then apply techniques for linear systems to the abstract model. However, how to construct an abstraction with the fewest discrete states and sufficiently high accuracy is still a challenging issue.
Satisfiability Modulo Theory (SMT) Over Reals [6, 7, 23]. This approach encodes the reachability problem for nonlinear systems as first-order logic formulas over the real numbers. These formulas can be solved using, for example, \(\delta \)-complete decision procedures that overcome the theoretical limits of nonlinear theories over the reals by choosing a desired precision \(\delta \). An SMT solver implementing such procedures can return either unsat if the reachability problem is unsatisfiable or \(\delta \)-sat if the problem is satisfiable given the chosen precision. The \(\delta \)-sat verdict does not guarantee that the dynamics of the system will reach a particular region: it may happen that, by increasing the precision, the problem turns out to be unsat. In general, the limitation of this approach is that it does not provide as a result a complete and comprehensive description of the reachable set.
Bounded Time Flowpipe Computation [1, 3,4,5, 25, 32]. The common technique to compute a bounded flowpipe is based on the interval method or the Taylor model. The interval-based approach is quite efficient even for high dimensional systems [29], but it suffers from the wrapping effect of intervals and can quickly accumulate overapproximation errors. In contrast, the Taylor-model-based approach is more precise in that it uses a vector of polynomials plus a vector of small intervals to symbolically represent the flowpipe. However, for the purpose of safety verification or reachability analysis, the Taylor model has to be further overapproximated by intervals, which may bring back the wrapping effect. In particular, the wrapping effect can explode easily when the flowpipe segment over a time interval is stretched drastically due to a large difference in speed between individual trajectories. This case is demonstrated by the following example.
Example 1
(Running example). Consider the 2D system [30] described by \(\dot{x} = y\) and \(\dot{y} = x^2\). Let the initial set \( X_0 \) be the line segment \( x\in [1.0,1.0]\), \(y\in [-1.05,-0.95]\). Fig. 1a shows the simulation result for three points in \( X_0 \) over the time interval [0, 6.6]. The reachable set at \(t = 6.6\) s is a smooth curve connecting the end points of the three trajectories. As can be seen, the trajectory originating from the top is left far behind the one originating from the bottom, which means that the tiny initial line segment is being stretched into a huge curve very quickly, while the width of the flowpipe is actually converging to 0. As a result, the interval overapproximation of this huge curve can be extremely conservative even if its Taylor model representation is precise, and reducing the time step size does not help. To demonstrate this point, we computed with Flow* [3] a Taylor model series for the time horizon of 6.6 s, which consists of 13200 Taylor models. Figure 1b shows the interval approximation of the Taylor model series, which visibly starts exploding.
In this paper, we propose to use piecewise barrier tubes (PBTs) to overapproximate flowpipes of polynomial nonlinear systems, which avoids the issue caused by the excessive stretching of a flowpipe segment. The idea of PBT is inspired by barrier certificates [22, 33]. A barrier certificate \(B(\varvec{x})\) is a real-valued function such that (1) \(B(\varvec{x}) \ge 0\) for all \(\varvec{x}\) in the initial set \( X_0 \); (2) \(B(\varvec{x}) < 0\) for all \(\varvec{x}\) in the unsafe set \( X_U \); (3) no trajectory can escape from \(\{\varvec{x}\in \mathbb {R} ^n \mid B(\varvec{x}) \ge 0 \}\) through the boundary \(\{\varvec{x}\in \mathbb {R} ^n \mid B(\varvec{x}) = 0 \}\). A sufficient condition for the last constraint is that the Lie derivative of \(B(\varvec{x})\) w.r.t. the dynamics \(\dot{\varvec{x}} = \varvec{f}\) is positive all over the invariant region, i.e., \(\mathcal {L}_{\varvec{f}} B(\varvec{x}) > 0\), which means that all the trajectories must move in the increasing direction of the level sets of \(B(\varvec{x})\).
Barrier certificates can be used to verify safety properties without computing the flowpipe explicitly. The essential idea is to use the zero level set of \(B(\varvec{x})\) as a barrier to separate the flowpipe from the unsafe set. Moreover, if the unsafe set is very close to the boundary of the flowpipe, the barrier has to fit the shape of the flowpipe to make sure that all components of the constraint are satisfied. However, the zero level set of a polynomial of fixed degree may not have the power to mimic the shape of the flowpipe, which means that there may exist no solution for the above constraints even if the system is safe. This problem might be addressed using piecewise barrier certificate, i.e., cutting the flowpipe into small pieces so that every piece is straight enough to have a barrier certificate of simple form. Unfortunately, this is infeasible because we know nothing about the flowpipe locally. Therefore, we have to find another way to proceed.
Instead of computing a single barrier certificate, we propose to compute barrier tubes to piecewise overapproximate the flowpipe. Concretely, we first construct a containing box, called an enclosure, for the initial set using an interval approach [29] and simulation; then, using linear programming, we compute a group of barrier functions which work together to form a tight tube (called a barrier tube) around the flowpipe. Taking the intersection of the barrier tube and the boundary of the box as the new initial set, we repeat the previous operations to obtain successive barrier tubes step by step. The key point here is how to compute a group of tightly enclosing barriers around the flowpipe without a constraint on the unsafe set inside the box. Our basic idea is to construct a group of auxiliary state sets U around the flowpipe and then, for each \(U_i\in U\), compute a barrier certificate between \(U_i\) and the flowpipe. If a barrier certificate is found, we expand \(U_i\) towards the flowpipe iteratively until no more barrier certificate can be found; otherwise, we shrink \(U_i\) away from the flowpipe until a barrier certificate is found. Since the auxiliary sets are distributed around the flowpipe, so is the barrier tube. The benefit of such piecewise barrier tubes is that they are time independent, and hence avoid the issue of stretched flowpipe segments caused by speed differences between trajectories. Moreover, usually a small number of BTs can form a tight overapproximation of the flowpipe, which means that less computation is needed to decide whether the PBT intersects the unsafe set.
The main contributions of this paper are as follows:
1. We transform the constraint-solving problem for barrier certificates into a linear programming problem using Handelman representation [15];
2. We introduce PBT to overapproximate the flowpipe of nonlinear systems, thus dealing with flowpipes independent of time and hence avoiding the error explosion caused by stretched flowpipe segments;
3. We implement a prototype in C++ to compute PBT automatically and we show the effectiveness of our approach by providing a comparison with state-of-the-art tools for reachability analysis of polynomial nonlinear systems such as CORA [1] and Flow* [3].
The paper is organized as follows. Section 2 is devoted to the preliminaries. Section 3 shows how to compute barrier certificates using Handelman representation, while in Sect. 4 we present a method to compute Piecewise Barrier Tubes. Section 5 provides our experimental results and we conclude in Sect. 6.
2 Preliminaries
In this section, we recall some concepts used throughout the paper. We first clarify some notation conventions. If not specified otherwise, we use boldface lower case letters to denote vectors, we use \(\mathbb {R} \) for the real number field and \(\mathbb {N} \) for the set of natural numbers, and we consider multivariate polynomials in \(\mathbb {R} [\varvec{x}]\), where the components of \(\varvec{x}\) act as indeterminates. In addition, for all the polynomials \(B(\varvec{u} ,\varvec{x} )\), we denote by \(\varvec{u} \) the vector composed of all the \(u_i\) and by \(\varvec{x} \) the vector composed of all the remaining variables \(x_i\) that occur in the polynomial. We use \(\mathbb {R} _{\ge 0}\) and \(\mathbb {R} _{>0}\) to denote the sets of non-negative and positive real numbers, respectively.
Let \(P\subseteq \mathbb {R} ^n\) be a convex and compact polyhedron with nonempty interior, bounded by linear polynomials \(p_1,\cdots ,p_m \in \mathbb {R} [\varvec{x}]\). Without loss of generality, we may assume \(P=\{\varvec{x}\in \mathbb {R} ^n \mid p_i(\varvec{x})\ge 0, i=1,\cdots ,m\}\).
Next, we recall the notion of the Lie derivative, which is widely used in differential geometry. Let \(\varvec{f}: \mathbb {R}^n \rightarrow \mathbb {R}^n\) be a continuous vector field such that \(\dot{x}_i = f_i(\varvec{x})\), where \(\dot{x}_i\) is the time derivative of \(x_i(t)\).
Definition 1
(Lie derivative). For a given polynomial \(p\in \mathbb {R} [\varvec{x} ]\) over \(\varvec{x} =(x_1,\dots ,x_n)\) and a continuous system \(\dot{\varvec{x}} = \varvec{f} \), where \(\varvec{f} =(f_1,\dots ,f_n)\), the Lie derivative of \(p\in \mathbb {R} [\varvec{x} ]\) along \(\varvec{f}\) of order k is defined as follows.
Essentially, the kth order Lie derivative of p is the kth derivative of p w.r.t. time, i.e., reflects the change of p over time. We write \(\mathcal {L}_{\varvec{f}} p\) for \(\mathcal {L}_{\varvec{f}} ^{1} p\).
In this paper, we focus on semialgebraic nonlinear systems, which are defined as follows.
Definition 2
(Semialgebraic system). A semialgebraic system is a triple \(M {\mathop { = }\limits ^{\text {def}}} \langle X, \varvec{f}, X_0 , I\rangle \), where
1. \(X \subseteq \mathbb {R}^n\) is the state space of the system \(M \),
2. \(\varvec{f} \in \mathbb {R} [\varvec{x} ]^n\) is a locally Lipschitz continuous vector function,
3. \( X_0 \subseteq X\) is the initial set, which is semialgebraic [40],
4. I is the invariant of the system.
The local Lipschitz continuity guarantees the local existence and uniqueness of the solution of the differential equation \(\varvec{\dot{x}}=\varvec{f} \). A trajectory of a semialgebraic system is defined as follows.
Definition 3
(Trajectory). Given a semialgebraic system \(M \), a trajectory originating from a point \(\varvec{x} _0\in X_0 \) up to time \(T>0\) is a continuous and differentiable function \(\varvec{\zeta } (\varvec{x}_0,t):[0, T)\rightarrow \mathbb {R}^n\) such that (1) \(\varvec{\zeta } (\varvec{x}_0,0)=\varvec{x} _0\), and (2) \(\forall \tau \in [0,T)\): \(\frac{d\varvec{\zeta }}{dt}\big |_{t=\tau } = \varvec{f} (\varvec{\zeta } (\varvec{x}_0,\tau ))\). T is assumed to be within the maximal interval of existence of the solution from \(\varvec{x} _0\).
For ease of readability, we also use \(\zeta (t)\) for \(\zeta (\varvec{x}_0,t)\). In addition, we use \(Flow_{\varvec{f}}( X_0 )\) to denote the flowpipe of initial set \( X_0 \), i.e.,
Definition 4
(Safety). Given an unsafe set \( X_U \subseteq X\), a semialgebraic system \(M = \langle X, \varvec{f}, X_0 , I\rangle \) is said to be safe if no trajectory \(\varvec{\zeta } (\varvec{x}_0,t)\) of \(M \) satisfies that \(\exists \tau \in \mathbb {R}_{\ge 0}:\varvec{x} (\tau )\in X_U \), where \(\varvec{x}_0\in X_0 \).
3 Computing Barrier Certificates
Given a semialgebraic system \(M \), a barrier certificate is a real-valued function \(B(\varvec{x})\) such that (1) \(B(\varvec{x}) \ge 0\) for all \(\varvec{x}\) in the initial set; (2) \(B(\varvec{x}) < 0\) for all \(\varvec{x}\) in the unsafe set; (3) no trajectory can escape from the region \(B(\varvec{x} ) \ge 0\). Then, the hypersurface \(\{\varvec{x}\in \mathbb {R} ^n \mid B(\varvec{x}) = 0\}\) forms a barrier separating the flowpipe from the unsafe set. To compute such a barrier certificate, the most common approach is template-based constraint solving, i.e., first derive a sufficient condition for the above requirements, then set up a template polynomial \(B(\varvec{u},\varvec{x})\) of fixed degree, and finally solve the constraint on \(\varvec{u}\) derived from the sufficient condition on \(B(\varvec{u},\varvec{x})\). There are a couple of sufficient conditions available for this purpose [13, 22, 27]. In order to have an efficient constraint solving method, we adopt the following condition [33].
Theorem 1
Given a semialgebraic system \(M \), let \( X_0 \) and U be the initial set and the unsafe set, respectively. The system is guaranteed to be safe if there exists a real-valued function \(B(\varvec{x})\) such that
In Theorem 1, condition (3) means that all the trajectories of the system always point in the increasing direction of the level sets of \(B(\varvec{x})\) in the region I. Therefore, no trajectory starting from the initial set can cross the zero level set. The benefit of this condition is that it can be solved more efficiently than other existing conditions [13, 22], although it is relatively conservative. The most widely used approach is to transform the constraint-solving problem into a sum-of-squares (SOS) programming problem [33], which can be solved in polynomial time. However, a serious problem with the SOS-programming-based approach is that automatic generation of polynomial templates is very hard to perform. We now show an example to demonstrate the reason. For simplicity, we assume that the initial set, the unsafe set and the invariant are defined by the polynomial inequalities \( X_0 (\varvec{x}) \ge 0\), \( X_U (\varvec{x} ) \ge 0\) and \(I(\varvec{x} ) \ge 0\), respectively; then the SOS relaxation of Theorem 1 is that the following polynomials are all SOS
where \(\mu _i(\varvec{x}), i=1,\cdots ,3\) are SOS polynomials as well and \(\epsilon _i > 0, i=1,\cdots ,3\). Suppose the degrees of \( X_0 (\varvec{x})\), \(I(\varvec{x})\) and \( X_U (\varvec{x})\) are all odd numbers. Then, the degree of the template for \(B(\varvec{x})\) must be an odd number too. The reason is that, if deg(B) is an even number, in order for the first and third polynomials to be SOS polynomials, deg(B) must be greater than both \(deg(\mu _3 X_U )\) and \(deg(\mu _1 X_0 )\), which are odd numbers. However, since the first and third polynomials contain \(B(\varvec{x})\) and \(-B(\varvec{x})\) respectively, their leading monomials must have opposite signs, which means that they cannot both be SOS polynomials. Moreover, the degrees of the templates for the auxiliary polynomials \(\mu _1(\varvec{x}), \mu _3(\varvec{x})\) must also be chosen properly so that \(deg(\mu _1 X_0 ) = deg(\mu _3 X_U )= deg(B)\), because only in this way can the leading monomials (which have odd degree) of (5) and (7) cancel so that the resulting polynomial can be an SOS. Similarly, in order to make the second polynomial an SOS as well, one has to choose an appropriate degree for \(\mu _2(\varvec{x})\) according to the degrees of \(\mathcal {L}_f B\) and \(I(\varvec{x})\). As a result, the tangled constraints on the relevant template polynomials reduce the power of SOS programming significantly.
For this reason, and inspired by the work [38], we use Handelman representation to relax Theorem 1. We assume that the initial set \( X_0 \), the unsafe set \( X_U \) and the invariant I are all convex and compact polyhedra, i.e., \( X_0 = \{\varvec{x}\in \mathbb {R} ^n \mid p_1(\varvec{x})\ge 0,\cdots ,p_{m_1}(\varvec{x})\ge 0\}\), \(I = \{\varvec{x}\in \mathbb {R} ^n \mid q_1(\varvec{x})\ge 0,\cdots ,q_{m_2}(\varvec{x})\ge 0\}\) and \( X_U = \{\varvec{x}\in \mathbb {R} ^n \mid r_1(\varvec{x})\ge 0,\cdots ,r_{m_3}(\varvec{x})\ge 0\}\), where \(p_i(\varvec{x}),q_j(\varvec{x}),r_k(\varvec{x})\) are linear polynomials. Then, we have the following theorem.
Theorem 2
Given a semialgebraic system \(M \), let \( X_0 \), \( X_U \) and I be defined as above. The system is guaranteed to be safe if there exists a real-valued polynomial function \(B(\varvec{x})\) such that
where \(\lambda _{\varvec{\alpha }}, \lambda _{\varvec{\beta }}, \lambda _{\varvec{\gamma }}\in \mathbb {R} _{\ge 0}\), \(\epsilon _i \in \mathbb {R} _{>0}\) and \(M_i\in \mathbb {N}, i=1,\cdots ,3\).
Theorem 2 provides us with an alternative to SOS programming for finding a barrier certificate \(B(\varvec{x})\) by transforming the problem into a linear programming problem. The basic idea is that we first set up a template \(B(\varvec{u} ,\varvec{x} )\) of fixed degree as well as the appropriate \(M_i, i=1,\cdots ,3\) that make both sides of the three identities (8)–(10) have the same degree. Since (8)–(10) are identities, the coefficients of the corresponding monomials on both sides must be identical as well. Thus, we derive a system S of linear equations and inequalities over \(\varvec{u} , \lambda _{\varvec{\alpha }}, \lambda _{\varvec{\beta }}, \lambda _{\varvec{\gamma }}\). Now, finding a barrier certificate amounts to finding a feasible solution of S, which can be done by linear programming. Compared to the SOS-programming-based approach, this approach is more flexible in choosing the polynomial template as well as other parameters. We consider now a linear system to show how it works.
Example 2
Given a 2D system defined by \(\dot{x} = 2x + 3y, \dot{y} = 4x + 2y\), let \( X_0 =\{(x,y)\in \mathbb {R} ^2\mid p_1 = x + 100 \ge 0, p_2= 90 - x \ge 0, p_3 = y + 45 \ge 0, p_4 = 40 - y \ge 0\}\), \(I =\{(x,y)\in \mathbb {R} ^2\mid q_1 = x\,+\,110 \ge 0, q_2 = 80\,-\,x \ge 0, q_3 = y\,+\,45 \ge 0, q_4 = 20 - y \ge 0\}\) and \( X_U =\{(x,y)\in \mathbb {R} ^2\mid r_1 = x + 98 \ge 0, r_2 = 90 - x \ge 0, r_3 = y + 24 \ge 0, r_4 = 20 - y \ge 0\}\). Assume \(B(\varvec{u},\varvec{x}) = u_1 + u_2x + u_3y\), \(M_i = \epsilon _i = 1\) for \(i=1,\cdots ,3\), then we obtain the following polynomial identities according to Theorem 2
where \(\lambda _{ij}\ge 0\) for \(i=1,\cdots ,3\), \(j=1,\cdots ,4\). By collecting the coefficients of x, y in the above polynomials, we obtain a system S of linear polynomial equations and inequalities over \(u_i, \lambda _{jk}\). By solving S using linear programming, we obtain a feasible solution and Fig. 2a shows the computed linear barrier certificate. Note that, for the aforementioned reason, it is impossible to find a linear barrier certificate using SOS programming for this example.
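The coefficient-matching step behind Theorem 2, written out as an added example (this is not the PBTS code of the paper). It takes a polynomial template \(B(\varvec{u},\varvec{x})\), the facet polynomials of a box, and a degree bound \(M_i\), enumerates the Handelman products \(q^{\varvec{\beta }}\), and emits the linear system S over \(\varvec{u}\) and \(\lambda _{\varvec{\beta }}\) for one identity; the data used is the running example \(\dot{x} = y\), \(\dot{y} = x^2\) with the linear template of Example 2 and the enclosure E of Example 4 playing the role of I in identity (9). The LP solve itself is left to any LP solver; `satisfies` only checks a candidate assignment against the emitted equations.

```python
from fractions import Fraction
from itertools import combinations_with_replacement

# Polynomials over (x, y) are dicts {exponent tuple: Fraction coefficient}.
def p_add(a, b):
    r = dict(a)
    for m, c in b.items():
        r[m] = r.get(m, 0) + c
    return {m: c for m, c in r.items() if c != 0}

def p_mul(a, b):
    r = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            m = tuple(i + j for i, j in zip(ma, mb))
            r[m] = r.get(m, 0) + ca * cb
    return {m: c for m, c in r.items() if c != 0}

def p_diff(a, i):
    """Partial derivative of a with respect to variable i."""
    r = {}
    for m, c in a.items():
        if m[i] > 0:
            dm = m[:i] + (m[i] - 1,) + m[i + 1:]
            r[dm] = r.get(dm, 0) + c * m[i]
    return r

def lie_derivative(p, f):
    """First-order Lie derivative L_f p = sum_i (dp/dx_i) * f_i (Definition 1)."""
    r = {}
    for i, fi in enumerate(f):
        r = p_add(r, p_mul(p_diff(p, i), fi))
    return r

def handelman_products(polys, max_deg):
    """All products p_1^a_1 ... p_m^a_m with a_1 + ... + a_m <= max_deg, as (alpha, product)."""
    n = len(next(iter(polys[0])))
    out = []
    for deg in range(max_deg + 1):
        for combo in combinations_with_replacement(range(len(polys)), deg):
            alpha = tuple(combo.count(i) for i in range(len(polys)))
            prod = {(0,) * n: Fraction(1)}
            for i in combo:
                prod = p_mul(prod, polys[i])
            out.append((alpha, prod))
    return out

def lam_name(alpha):
    return "lam" + "".join(map(str, alpha))

def identity_rows(template, polys, max_deg, eps, lhs=lambda q: q):
    """Coefficient matching for one identity of Theorem 2,
         lhs(B(u, x)) - eps = sum_alpha lambda_alpha * prod_alpha(x),
    with B = sum_j u_j * template[j]; lhs is the identity map for (8) and (10)
    and the Lie derivative for (9).  Returns (rows, lambda_names): each row is
    ({unknown: coeff}, rhs), the equation for one monomial; all lambdas >= 0."""
    n = len(next(iter(polys[0])))
    cols = {}
    def put(m, var, c):
        row = cols.setdefault(m, {})
        row[var] = row.get(var, 0) + c
    for j, mono in enumerate(template):
        for m, c in lhs(mono).items():
            put(m, f"u{j}", c)
    products = handelman_products(polys, max_deg)
    for alpha, prod in products:
        for m, c in prod.items():
            put(m, lam_name(alpha), -c)
    rows = [(row, eps if m == (0,) * n else 0) for m, row in cols.items()]
    return rows, [lam_name(a) for a, _ in products]

def satisfies(rows, lam_names, values):
    """Check a candidate assignment (unlisted unknowns are 0) against the
    equations and the nonnegativity of the lambdas."""
    if any(values.get(v, 0) < 0 for v in lam_names):
        return False
    return all(sum(c * values.get(v, 0) for v, c in row.items()) == rhs
               for row, rhs in rows)

# Running example: xdot = y, ydot = x^2 over the variables (x, y).
F_RUN = [{(0, 1): Fraction(1)}, {(2, 0): Fraction(1)}]
# Enclosure box E = [0.84, 1.01] x [-1.1, -0.75] from Example 4, used as the
# invariant region I and written as facet polynomials q_k(x) >= 0.
BOX_E = [{(1, 0): Fraction(1), (0, 0): Fraction("-0.84")},
         {(1, 0): Fraction(-1), (0, 0): Fraction("1.01")},
         {(0, 1): Fraction(1), (0, 0): Fraction("1.1")},
         {(0, 1): Fraction(-1), (0, 0): Fraction("-0.75")}]
# Linear template B(u, x) = u0 + u1*x + u2*y, as in Example 2.
TEMPLATE = [{(0, 0): Fraction(1)}, {(1, 0): Fraction(1)}, {(0, 1): Fraction(1)}]
EPS = Fraction(1, 100)

def lie_rows():
    """Rows of identity (9) for the running example: L_f B - eps written as a
    Handelman combination of degree <= 2 of the facets of E."""
    return identity_rows(TEMPLATE, BOX_E, 2, EPS, lambda q: lie_derivative(q, F_RUN))

if __name__ == "__main__":
    rows, lams = lie_rows()
    print(len(rows), "equations,", len(lams), "lambdas >= 0, 3 template unknowns")
```

Every row is one linear equation over the unknowns, so the rows together with the nonnegativity of the lambdas are exactly the feasibility problem S that the paper hands to the LP solver.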
4 Piecewise Barrier Tubes
In this section, we introduce how to construct PBTs for nonlinear polynomial systems. The basic idea of constructing PBT is that, for each segment of the flowpipe, an enclosure box is first constructed and then, a BT is constructed to form a tighter overapproximation for the flowpipe segment inside the box.
4.1 Constructing an Enclosure Box
Given an initial set, the first task is to construct an enclosure box for the initial set and the following segment of the flowpipe. As pointed out in Sect. 1, one principle to construct an enclosure box is to simplify the shape of the flowpipe segment, or in other words, to approximately bound the twisting of trajectories by some \(\theta \) in the box, where the twisting of a trajectory is defined as follows.
Definition 5
(Twisting of a trajectory). Let \(M\) be a continuous system and \(\zeta (t)\) be a trajectory of \(M\). Then, \(\zeta (t)\) is said to have a twisting of \(\theta \) on the time interval \(I = [T_1, T_2]\), written as \(\xi _I(\zeta )\), if it satisfies that \(\xi _I(\zeta ) = \theta \), where \( \xi _I(\zeta ) {\mathop {=}\limits ^{\text {def}}} \sup _{t_1,t_2 \in I} \arccos \bigg (\frac{\langle \dot{\zeta }(t_1),\,\dot{\zeta }(t_2) \rangle }{\Vert \zeta (t_1)\Vert \Vert \zeta (t_2)\Vert }\bigg )\).
The basic idea to construct an enclosure box is depicted in Algorithm 1.
Remark 1
In Algorithm 1, we use interval arithmetic [29] and simulation to construct an enclosure box E for a given initial set and its following flowpipe segment. Meanwhile, we obtain a coarse range of the intersection of the flowpipe and the boundary of the enclosure, which helps to accelerate the construction of the barrier tube. For simplicity, the enclosure is constructed in such a way that the flowpipe leaves the box through a single facet. Given an initial set \( X_0 \), we first sample a set \(S_0\) of points from \( X_0 \) for simulation. Then, we select a point \(\varvec{x}_0\) from \(S_0\) and do a \((\theta ,d)\)-simulation on \(\varvec{x}_0\) to obtain a time step \(\varDelta T\). A \((\theta ,d)\)-simulation is a simulation that stops either when the twisting of the simulation reaches \(\theta \) or when the distance between \(\varvec{x}_0\) and the end point reaches d. On the one hand, by using a small \(\theta \), we aim to achieve a straight flowpipe segment. On the other hand, by specifying a maximal distance d, we make sure that the simulation stops for a long and straight flowpipe. At each iteration of the while loop in line 5, we first try to construct an enclosure box by interval arithmetic over \(\varDelta T\). If such an enclosure box is created, we then perform a simulation (see line 8) for all the points in \(S_0\) to find the plane P of the facet which intersects the most simulations. The idea behind line 9 is that, in order to better overapproximate the intersection of the flowpipe with the boundary of the box using intervals, we push the other planes outwards to make P the only plane where the flowpipe gets out of the box. Certainly, by simulation alone we cannot guarantee that the flowpipe does not intersect the other facets. Therefore, we have the following theorem for the decision.
Theorem 3
Given a semialgebraic system \(M\) and an initial set \( X_0 \), let the box E be an enclosure of \( X_0 \) and \(F_i\) a facet of E. Then, \((Flow_f( X_0 ) \cap E) \cap F_i = \emptyset \) if there exists a barrier certificate \(B_i(\varvec{x})\) for \( X_0 \) and \(F_i\) inside E.
Remark 2
According to the definition of barrier certificate, the proof of Theorem 3 is straightforward and is omitted here. Therefore, to make sure that the flowpipe does not intersect the facet \(F_i\), we only need to find a barrier certificate, which can be done using the approach presented in Sect. 3. Moreover, if no barrier certificate can be found, we further bloat the facet. Next, we use the running Example 1 to demonstrate the process of constructing an enclosure.
Example 3
(Running example). Consider the system in Example 1 and the initial set \(x = 1.0, -1.05 \le y \le -0.95\), and let the twisting bound of the simulation be \(\theta = \pi /18\); then the time step size we computed for interval evaluation is \(\varDelta T = 0.2947\). The corresponding enclosure computed by interval arithmetic is shown in Fig. 2c. Furthermore, by simulation, we know that the flowpipe can reach both the left facet and the top facet. Therefore, we have two options to bloat a facet: bloat the left facet to make the flowpipe intersect the top facet only, or bloat the top facet to make the flowpipe intersect the left facet only. In this example, we choose the latter option, and the bloated enclosure is shown in Fig. 2d. In this way, we can overapproximate the intersection of the flowpipe and the facet by intervals if we can obtain its boundary on every side. This can be achieved by finding a barrier tube.
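The \((\theta ,d)\)-simulation of Remark 1 applied to the running example, as an added example that is not part of the paper's PBTS implementation: the trajectory of \(\dot{x} = y\), \(\dot{y} = x^2\) is integrated with RK4 from a sample point of \( X_0 \) (the midpoint \((1.0,-1.0)\) of the segment is an assumption; the paper does not say which point of \(S_0\) it used) and stopped as soon as the twisting of Definition 5 reaches \(\theta \) or the distance from the start point reaches d. With \(\theta = \pi /18\) it stops after about 0.3 time units, close to the \(\varDelta T = 0.2947\) reported in Example 3.

```python
import math

def f_running(s):
    """Running example (Example 1): xdot = y, ydot = x^2."""
    x, y = s
    return (y, x * x)

def rk4_step(f, s, h):
    """One classical Runge-Kutta step of size h."""
    k1 = f(s)
    k2 = f(tuple(a + 0.5 * h * k for a, k in zip(s, k1)))
    k3 = f(tuple(a + 0.5 * h * k for a, k in zip(s, k2)))
    k4 = f(tuple(a + h * k for a, k in zip(s, k3)))
    return tuple(a + h / 6.0 * (p + 2 * q + 2 * r + w)
                 for a, p, q, r, w in zip(s, k1, k2, k3, k4))

def angle(u, v):
    """Angle in [0, pi] between two velocity vectors; the inner product is
    normalised by the velocity norms so that the ratio is a cosine."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return math.acos(max(-1.0, min(1.0, dot / norm)))

def theta_d_simulation(f, x0, theta, d, h=1e-3, max_steps=5000):
    """(theta, d)-simulation of Remark 1: integrate from x0 and stop as soon as
    the twisting of the simulated trajectory (Definition 5: the supremum of the
    angle between any two velocities seen so far) reaches theta, or the distance
    from x0 reaches d.  Returns (delta_t, twisting, reason)."""
    s, t, twist = tuple(x0), 0.0, 0.0
    velocities = [f(s)]
    for _ in range(max_steps):
        s = rk4_step(f, s, h)
        t += h
        v = f(s)
        # Only pairs involving the new velocity can raise the supremum.
        twist = max(twist, max(angle(v, w) for w in velocities))
        velocities.append(v)
        if twist >= theta:
            return t, twist, "twisting"
        if math.dist(s, x0) >= d:
            return t, twist, "distance"
    return t, twist, "max_steps"

if __name__ == "__main__":
    # Midpoint of X0 (x = 1.0, y in [-1.05, -0.95]) as the sample point (assumed).
    dt, tw, why = theta_d_simulation(f_running, (1.0, -1.0), math.pi / 18, 1.0)
    print(f"stopped by {why}: delta_T = {dt:.4f}, twisting = {math.degrees(tw):.2f} deg")
```

The pairwise supremum costs O(k) per step for k stored velocities, which is fine for the few hundred steps a small \(\theta \) allows; a large d with a nearly straight flowpipe is what `max_steps` guards against.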
4.2 Compute a Barrier Tube Inside a Box
An important fact about the flowpipe of a continuous system is that it tends to be straight if it is short enough, given that the initial set is straight as well (otherwise, we can split it). If there is a small box E around a straight flowpipe, it is easy to compute a barrier certificate for a given initial set and unsafe set inside E. A barrier tube for the flowpipe in E is a group of barrier certificates which form a tube around the flowpipe inside E. Formally,
Definition 6
(Barrier Tube). Given a semialgebraic system \(M\), a box E and an initial set \( X_0 \subseteq E\), a barrier tube is a set of real-valued functions \(BT = \{B_i(\varvec{x}), i=1,\cdots ,m\}\) such that for all \(B_i(\varvec{x})\in BT\): (1) \(\forall \varvec{x}\in X_0 : B_i(\varvec{x}) > 0\) and, (2) \(\forall \varvec{x}\in E: \mathcal {L}_f B_i > 0\).
According to Definition 6, a barrier tube BT is defined by a set of real-valued functions; each inequality \(B_i(\varvec{x})>0\) is an invariant of \(M\) in E, and so is their conjunction. The property of a barrier tube BT is formally described in the following theorem.
Theorem 4
Given a semialgebraic system \(M\), a box E and an initial set \( X_0 \subseteq E\), let \(BT = \{B_i(\varvec{x}): i=1,\cdots ,m\}\) be a barrier tube of \(M\) and \(\varOmega = \{\varvec{x}\in \mathbb {R} ^n \mid \bigwedge B_i(\varvec{x})>0, B_i \in BT\}\), then \(Flow_{\varvec{f}}( X_0 ) \cap E \subseteq \varOmega \cap E\).
Remark 3
Theorem 4 states that an arbitrary barrier tube forms an overapproximation of the flowpipe in the box E. Compared to a single barrier certificate, multiple barrier certificates can overapproximate the flowpipe more precisely. However, since there is no constraint on unsafe sets in Definition 6, a barrier tube satisfying the definition could be very conservative. In order to obtain an accurate approximation of the flowpipe, we choose to create additional auxiliary constraints.
Auxiliary Unsafe Set (AUS). To obtain an accurate barrier tube, there are two main questions to be answered: (1) How many barrier certificates are needed? and (2) How do we control their positions to make the tube well-shaped so that it overapproximates the flowpipe more tightly? The answer to the first question is quite simple: the more, the better. This will be explained later on. For the second question, the answer is to construct a group of properly distributed auxiliary state sets (AUSs). Each of the AUSs is used as an unsafe set \(U_i\) for the system, and then we compute a barrier certificate \(B_i\) for \(U_i\) according to Theorem 2. Since the zero level set of \(B_i\) serves as a barrier between the flowpipe and \(U_i\), the space where a barrier can appear is fully determined by the position of \(U_i\). Roughly speaking, when \(U_i\) is far away from the flowpipe, the space for a barrier to exist is wide as well, and correspondingly the barrier certificate found is usually located far away from the flowpipe. As \(U_i\) gets closer to the flowpipe, the space for barrier certificates contracts towards the flowpipe accordingly. Therefore, by expanding \(U_i\) towards the flowpipe, we obtain more precise overapproximations of the flowpipe.
Why Multiple AUS? Although the accuracy of the barrier certificate overapproximation can be improved by expanding the AUS towards the flowpipe, the capability of a single barrier certificate is very limited because it can erect a barrier which only matches a single profile of the flowpipe. However, if we have a set U of AUSs which are distributed evenly around the flowpipe and there is a barrier certificate \(B_i\) for each \(U_i\in U\), these barrier certificates are able to overapproximate the flowpipe from a number of profiles. Therefore, increasing the number of AUSs increases the quality of the overapproximation as well. Furthermore, if all these auxiliary sets are connected, all the barriers form a tube surrounding the flowpipe. Therefore, if we can create a series of boxes piecewise covering the flowpipe and then construct a barrier tube for every piece of the flowpipe, we obtain an overapproximation of the flowpipe by PBT.
Based on the above idea, we provide Algorithm 2 to compute a barrier tube.
Remark 4
In Algorithm 2, for an n-dimensional flowpipe segment, we aim to build a barrier tube composed of \(2(n-1)\) barrier certificates, which means we need to construct \(2(n-1)\) \(\mathtt {AUS}\)s. According to Algorithm 1, we know that the plane \(\mathtt {P}\) is the only exit of the flowpipe from the enclosure \(\mathtt {E}\) and \(\mathtt {G}\) is roughly the region where they intersect. Let \(F^G\) be the facet of \(\mathtt {E}\) that contains \(\mathtt {G}\); then for every facet \(F_{ij}^G\) of \(F^G\), we can take an \((n-1)\)-dimensional rectangle between \(F_{ij}^G\) and \(G_{ij}\) as an \(\mathtt {AUS}\), where \(G_{ij}\) is the facet of G adjacent to \(F_{ij}^G\). Therefore, enumerating all the facets of G in line 1 produces \(2(n-1)\) positions for \(\mathtt {AUS}\)s. The loop in line 3 attempts to find polynomial barrier certificates of the different degrees in D. In the while loop in line 5, we iteratively compute the best barrier certificate by adjusting the width of the \(\mathtt {AUS}\) through binary search until the difference in width between two successive \(\mathtt {AUS}\)s is less than the specified threshold \(\epsilon \).
Example 4
(Running example). Consider the initial set and the enclosure computed in Example 3; we use Algorithm 2 to compute a barrier tube. The initial set is \( X_0 = [1.0,1.0]\times [-1.05, -0.95]\) and the enclosure of \( X_0 \) is \(E = [0.84,1.01] \times [-1.1,-0.75]\), \(G = [0.84,0.84]\times [-0.91,-0.80]\), the plane P is \(x=0.84\), \(D = \{2\}\) and \(\epsilon = 0.001\). The barrier tube consists of two barrier certificates. As shown in Fig. 3, each of the barrier certificates is derived from an \(\mathtt {AUS}\) (red line segment) located on the bottom-left and top-left boundary of E, respectively.
4.3 Compute Piecewise Barrier Tube
During the computation of a barrier tube by Algorithm 2, we create a series of \(\mathtt {AUS}\)s around the flowpipe, which build up a rectangular enclosure for the intersection of the flowpipe and the facet of the enclosure box. As a result, such a rectangular enclosure can be taken as an initial set for the following flowpipe segment and then Algorithm 2 can be applied repeatedly to compute a PBT. The basic procedure to compute PBT is presented in Algorithm 3.
Remark 5
In Algorithm 3, a box that contains the initial set \(X_0\) is first constructed using Algorithm 1. The loop in line 2 consists of three major parts: (1) in lines 3–6, a barrier tube BT is computed using Algorithm 2, where the while loop keeps shrinking the box until a barrier tube is found; (2) in line 8, the initial set \( X_0 \) is updated for the next box; (3) in line 9, a new box is constructed to contain \( X_0 \), and the process is repeated.
Example 5
(Running example). Let us consider again the running example. We set the length of the PBT to 45, and the PBT we obtained is shown in Fig. 2b. Compared to the interval overapproximation of the Taylor model obtained using Flow*, the computed PBT consists of a significantly smaller number of segments and is more precise, because it is not subject to stretching.
Safety Verification Based on PBT. The idea of safety verification based on PBT is straightforward. Given an unsafe set \( X_U \), for each intermediate initial set \( X_0 \) and the corresponding enclosure box E, we first check whether \( X_U \cap E = \emptyset \). If the intersection is not empty, we further search for a barrier certificate between \( X_U \) and the flowpipe of \( X_0 \) inside E. If the intersection is empty or a barrier is found, we continue to compute a longer PBT. The PBT computation can be refined by using a smaller E and a higher degree d for the template polynomial.
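To make the safety check concrete, here is an added Python example (not PBTS code) that runs the two-stage test above over the running example's enclosure box E: a box-disjointness test first, then an interval evaluation of each barrier polynomial over \( X_U \cap E \) to certify strict positivity. The barrier polynomials, the unsafe sets and the sign convention (B ≤ 0 on the flowpipe inside E) are constructed assumptions, not the certificates PBTS computed.

```python
# Interval arithmetic on closed intervals (lo, hi): a constructed helper, not PBTS code.
def iadd(a, b):
    return (a[0] + b[0], a[1] + b[1])

def imul(a, b):
    p = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(p), max(p))

def ipow(a, k):
    r = (1.0, 1.0)
    for _ in range(k):
        r = imul(r, a)          # repeated multiplication: sound, if not the tightest bound
    return r

def poly_range(poly, box):
    """Interval extension of a polynomial over a box: a sound overapproximation
    of the set of values the polynomial takes on the box.
    poly maps exponent tuples to coefficients, e.g. {(0, 1): 1.0} is y."""
    total = (0.0, 0.0)
    for exps, c in poly.items():
        term = (c, c)
        for xi, e in zip(box, exps):
            if e:
                term = imul(term, ipow(xi, e))
        total = iadd(total, term)
    return total

def boxes_intersect(a, b):
    return all(lo1 <= hi2 and lo2 <= hi1 for (lo1, hi1), (lo2, hi2) in zip(a, b))

def check_segment(E, barriers, X_U):
    """Safety check for one PBT segment (enclosure box E with its barrier tube).
    Assumed sign convention: every barrier B satisfies B <= 0 on the flowpipe inside E,
    so the segment is safe if some B is strictly positive on all of X_U ∩ E."""
    if not boxes_intersect(E, X_U):
        return "safe"                      # X_U ∩ E = ∅: nothing more to check
    region = [(max(l1, l2), min(h1, h2)) for (l1, h1), (l2, h2) in zip(E, X_U)]
    for B in barriers:
        lo, _ = poly_range(B, region)
        if lo > 0:                         # B > 0 on X_U ∩ E: unsafe set lies outside the tube
            return "safe"
    return "refine"                        # no barrier certified: shrink E or raise degree d

def verify_pbt(pbt, X_U):
    """Check every segment of a PBT; the whole PBT is safe only if all segments are."""
    return [check_segment(E, tube, X_U) for E, tube in pbt]

# Constructed sample: the enclosure box E of the running example with two
# hypothetical degree-2 barriers (not the certificates PBTS actually computed).
E_EXAMPLE = [(0.84, 1.01), (-1.1, -0.75)]
B_TOP = {(0, 1): 1.0, (2, 0): 0.1, (0, 0): 0.68}     # y + 0.1*x^2 + 0.68
B_BOTTOM = {(0, 1): -1.0, (0, 0): -1.07}              # -y - 1.07
PBT_EXAMPLE = [(E_EXAMPLE, [B_TOP, B_BOTTOM])]
```

A "refine" verdict is not a counterexample: the interval extension may simply be too loose, which is exactly the case where the text suggests a smaller E or a higher degree d.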
5 Implementation and Experiments
We have implemented the proposed approach as a C++ prototype called Piecewise Barrier Tube Solver (PBTS), choosing Gurobi [12] as our internal linear programming solver. We have also performed experiments on a benchmark of four nonlinear polynomial dynamical systems (described in Table 1) to compare the efficiency and the effectiveness of our approach with other tools. Our experiments were performed on a desktop computer with a 3.6 GHz Intel Core i7-7700 8-core CPU and 32 GB of memory. The results are presented in Table 2.
Remark 6
There are a number of outstanding tools for flowpipe computation [1, 3,4,5]. Since our approach performs flowpipe computation for polynomial nonlinear systems, we pick two of the most relevant state-of-the-art tools for comparison: CORA [1] and Flow* [3]. Note that a big difference between our approach and the other two is that PBTS is time-independent, which means that we cannot compare PBTS with CORA or Flow* over exactly the same time horizon. To be fair, for Flow* and CORA we have used the same time horizon for the flowpipe computation, while we have computed a slightly longer flowpipe using PBTS. To guide the reader, we have also used different plotting colors to visualize the difference between the flowpipes obtained from the three tools.
Evaluation. As pointed out in Sect. 1, a common problem with the bounded-time integration based approaches is that the flowpipe segment of a dynamical system can be extremely stretched with time, so that the interval overapproximation of the flowpipe segment is very conservative and usually the solver has to stop prematurely due to error explosion. This can be seen easily in Figs. 4, 5, 6 and 7. In particular, for Controller 2D, Flow* gives quite a nice result at the beginning but starts producing an exploding flowpipe very quickly (note that Flow* offers options to produce better plots, which however are expensive and were not used for safety verification; CORA even failed to give a result after over 30 min of running). This phenomenon reappeared with both Flow* and CORA for Controller 3D. Notice that most of the time horizons used in the experiment are essentially the time limits that Flow* and CORA can reach, i.e., a slightly larger value for the time horizon would cause the solvers to fail. In comparison, our tool has no such problem and can compute a much longer flowpipe before exploding, or even without exploding, as shown in Fig. 4a.
Another important factor is efficiency. As shown in Table 2, our approach is more efficient than the other two tools on the first three examples but slower on the last one. The reason is that the degree d of the template polynomial used in the last example is higher than in the others, and increasing d increases the number of decision variables in the linear constraints. This suggests that using a smaller d on shorter flowpipe segments would be better. In addition, we can also see in Table 2 that the number of flowpipe segments produced by PBTS is much smaller than that produced by Flow* and CORA. In this respect, PBTS would be more efficient for safety verification.
6 Conclusion
We have presented PBTS, a novel approach to overapproximate flowpipes of nonlinear systems with polynomial dynamics. The benefit of using BTs is that they are time-independent and hence cannot be stretched or deformed by time. Moreover, this approach results in only a small number of BTs, which are sufficient to form a tight overapproximation of the flowpipe; hence safety verification with a PBT can be very efficient.
References
Althoff, M., Grebenyuk, D.: Implementation of interval arithmetic in CORA 2016. In: Proceedings of ARCH@CPSWeek 2016: The 3rd International Workshop on Applied Verification for Continuous and Hybrid Systems, EPiC Series in Computing, vol. 43, pp. 91–105. EasyChair (2017)
Asarin, E., Dang, T., Girard, A.: Hybridization methods for the analysis of nonlinear systems. Acta Inform. 43(7), 451–476 (2007)
Chen, X., Ábrahám, E., Sankaranarayanan, S.: Flow*: an analyzer for nonlinear hybrid systems. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 258–263. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_18
Dang, T., Le Guernic, C., Maler, O.: Computing reachable states for nonlinear biological models. In: Degano, P., Gorrieri, R. (eds.) CMSB 2009. LNCS, vol. 5688, pp. 126–141. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03845-7_9
Duggirala, P.S., Mitra, S., Viswanathan, M., Potok, M.: C2E2: a verification tool for stateflow models. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 68–82. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46681-0_5
Fränzle, M., Herde, C.: HySAT: an efficient proof engine for bounded model checking of hybrid systems. Form. Methods Syst. Des. 30(3), 179–198 (2007)
Fränzle, M., Herde, C., Teige, T., Ratschan, S., Schubert, T.: Efficient solving of large nonlinear arithmetic constraint systems with complex boolean structure. JSAT 1(3–4), 209–236 (2007)
Frehse, G., et al.: SpaceEx: scalable verification of hybrid systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 379–395. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_30
Girard, A.: Reachability of uncertain linear systems using zonotopes. In: Morari, M., Thiele, L. (eds.) HSCC 2005. LNCS, vol. 3414, pp. 291–305. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31954-2_19
Girard, A., Le Guernic, C.: Efficient reachability analysis for linear systems using support functions. In: Proceedings of IFAC World Congress, vol. 41, no. 2, pp. 8966–8971 (2008)
Grosu, R., et al.: From cardiac cells to genetic regulatory networks. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 396–411. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_31
Gu, Z., Rothberg, E., Bixby, R.: Gurobi optimizer reference manual (2017). http://www.gurobi.com/documentation/7.5/refman/refman.html
Gulwani, S., Tiwari, A.: Constraint-based approach for analysis of hybrid systems. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 190–203. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70545-1_18
Gurung, A., Ray, R., Bartocci, E., Bogomolov, S., Grosu, R.: Parallel reachability analysis of hybrid systems in XSpeed. Int. J. Softw. Tools Technol. Transf. (2018)
Handelman, D.: Representing polynomials by positive linear functions on compact convex polyhedra. Pac. J. Math. 132(1), 35–62 (1988)
Hartmanns, A., Hermanns, H.: The Modest toolset: an integrated environment for quantitative modelling and verification. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014. LNCS, vol. 8413, pp. 593–598. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54862-8_51
Henzinger, T.A.: The theory of hybrid automata. In: Proceedings of IEEE Symposium on Logic in Computer Science, pp. 278–292 (1996)
Huang, Z., Fan, C., Mereacre, A., Mitra, S., Kwiatkowska, M.: Invariant verification of nonlinear hybrid automata networks of cardiac cells. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 373–390. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08867-9_25
Jiang, Y., Yang, Y., Liu, H., Kong, H., Gu, M., Sun, J., Sha, L.: From stateflow simulation to verified implementation: a verification approach and a real-time train controller design. In: 2016 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), pp. 1–11. IEEE (2016)
Jiang, Y., Zhang, H., Li, Z., Deng, Y., Song, X., Ming, G., Sun, J.: Design and optimization of multi-clocked embedded systems using formal techniques. IEEE Trans. Ind. Electron. 62(2), 1270–1278 (2015)
Kong, H., Bogomolov, S., Schilling, C., Jiang, Y., Henzinger, T.A.: Safety verification of nonlinear hybrid systems based on invariant clusters. In: Proceedings of HSCC 2017: The 20th International Conference on Hybrid Systems: Computation and Control, pp. 163–172. ACM (2017)
Kong, H., He, F., Song, X., Hung, W.N.N., Gu, M.: Exponential-condition-based barrier certificate generation for safety verification of hybrid systems. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 242–257. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_17
Kong, S., Gao, S., Chen, W., Clarke, E.: dReach: \(\delta\)-reachability analysis for hybrid systems. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 200–205. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46681-0_15
Krilavicius, T.: Hybrid techniques for hybrid systems. Ph.D. thesis, University of Twente, Enschede, Netherlands (2006)
Lal, R., Prabhakar, P.: Bounded error flowpipe computation of parameterized linear systems. In: Proceedings of EMSOFT 2015: The International Conference on Embedded Software, pp. 237–246. IEEE (2015)
Le Guernic, C., Girard, A.: Reachability analysis of hybrid systems using support functions. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 540–554. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02658-4_40
Liu, J., Zhan, N., Zhao, H.: Computing semialgebraic invariants for polynomial dynamical systems. In: Proceedings of EMSOFT 2011: The 11th International Conference on Embedded Software, pp. 97–106. ACM (2011)
Matringe, N., Moura, A.V., Rebiha, R.: Generating invariants for nonlinear hybrid systems by linear algebraic methods. In: Cousot, R., Martel, M. (eds.) SAS 2010. LNCS, vol. 6337, pp. 373–389. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15769-1_23
Nedialkov, N.S.: Interval tools for ODEs and DAEs. In: Proceedings of SCAN 2006: The 12th GAMM-IMACS International Symposium on Scientific Computing, Computer Arithmetic and Validated Numerics, p. 4. IEEE (2006)
Neher, M., Jackson, K.R., Nedialkov, N.S.: On Taylor model based integration of ODEs. SIAM J. Numer. Anal. 45(1), 236–262 (2007)
Prabhakar, P., Soto, M.G.: Hybridization for stability analysis of switched linear systems. In: Proceedings of HSCC 2016: The 19th International Conference on Hybrid Systems: Computation and Control, pp. 71–80. ACM (2016)
Prabhakar, P., Viswanathan, M.: A dynamic algorithm for approximate flow computations. In: Proceedings of HSCC 2011: The 14th International Conference on Hybrid Systems: Computation and Control, pp. 133–142. ACM (2011)
Prajna, S., Jadbabaie, A.: Safety verification of hybrid systems using barrier certificates. In: Alur, R., Pappas, G.J. (eds.) HSCC 2004. LNCS, vol. 2993, pp. 477–492. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24743-2_32
Ray, R., et al.: XSpeed: accelerating reachability analysis on multicore processors. In: Piterman, N. (ed.) HVC 2015. LNCS, vol. 9434, pp. 3–18. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26287-1_1
Roohi, N., Prabhakar, P., Viswanathan, M.: Hybridization based CEGAR for hybrid automata with affine dynamics. In: Chechik, M., Raskin, J.-F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 752–769. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49674-9_48
Sankaranarayanan, S.: Automatic invariant generation for hybrid systems using ideal fixed points. In: Proceedings of HSCC 2010: The 13th ACM International Conference on Hybrid Systems: Computation and Control, pp. 221–230. ACM (2010)
Sankaranarayanan, S., Sipma, H.B., Manna, Z.: Constructing invariants for hybrid systems. In: Alur, R., Pappas, G.J. (eds.) HSCC 2004. LNCS, vol. 2993, pp. 539–554. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540247432_36
Sankaranarayanan, S., Chen, X., et al.: Lyapunov function synthesis using Handelman representations. In: IFAC Proceedings Volumes, vol. 46, no. 23, pp. 576–581 (2013)
Sogokon, A., Ghorbal, K., Jackson, P.B., Platzer, A.: A method for invariant generation for polynomial continuous systems. In: Jobstmann, B., Leino, K.R.M. (eds.) VMCAI 2016. LNCS, vol. 9583, pp. 268–288. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49122-5_13
Stengle, G.: A nullstellensatz and a positivstellensatz in semialgebraic geometry. Math. Ann. 207(2), 87–97 (1974)
Rights and permissions
This chapter is published under an open access license. Please check the 'Copyright Information' section either on this page or in the PDF for details of this license and what reuse is permitted. If your intended use exceeds what is permitted by the license or if you are unable to locate the licence and reuse information, please contact the Rights and Permissions team.
Copyright information
© 2018 The Author(s)
Kong, H., Bartocci, E., Henzinger, T.A. (2018). Reachable Set Over-Approximation for Nonlinear Systems Using Piecewise Barrier Tubes. In: Chockler, H., Weissenbacher, G. (eds) Computer Aided Verification. CAV 2018. Lecture Notes in Computer Science, vol 10981. Springer, Cham. https://doi.org/10.1007/978-3-319-96145-3_24
DOI: https://doi.org/10.1007/978-3-319-96145-3_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-96144-6
Online ISBN: 978-3-319-96145-3
eBook Packages: Computer Science (R0)