Inner and Outer Approximating Flowpipes for Delay Diﬀerential Equations

. Delay diﬀerential equations are fundamental for modeling networked control systems where the underlying network induces delay for retrieving values from sensors or delivering orders to actuators. They are notoriously diﬃcult to integrate as these are actually functional equations, the initial state being a function. We propose a scheme to compute inner and outer-approximating ﬂowpipes for such equations with uncertain initial states and parameters. Inner-approximating ﬂowpipes are guaranteed to contain only reachable states, while outer-approximating ﬂowpipes enclose all reachable states. We also introduce a notion of robust inner-approximation, which we believe opens promising perspectives for veriﬁcation, beyond property falsiﬁcation. The eﬃciency of our approach relies on the combination of Taylor models in time, with an abstraction or parameterization in space based on aﬃne forms, or zono-topes. It also relies on an extension of the mean-value theorem, which allows us to deduce inner-approximating ﬂowpipes, from ﬂowpipes outer-approximating the solution of the DDE and its Jacobian with respect to constant but uncertain parameters and initial conditions. We present some experimental results obtained with our C++ implementation.


Introduction
Nowadays, many systems are composed of networks of control systems.These systems are highly critical, and formal verification is an essential element for their social acceptability.When the components of the system to model are distributed, delays are naturally introduced in the feedback loop.They may significantly alter the dynamics, and impact safety properties that we want to ensure for the system.The natural model for dynamical systems with such delays is Delay Differential Equations (DDE), in which time derivatives not only depend on the current state, but also on past states.Reachability analysis, which involves computing the set of states reached by the dynamics, is a fundamental tool for the verification of such systems.As the reachable sets are not exactly computable, approximations are used.In particular, outer (also called over)-approximating flowpipes are used to prove that error states will never be reached, whereas inner (also called under)-approximating flowpipes are used to prove that desired states will actually be reached, or to falsify properties.We propose in this article a method to compute both outer-and inner-approximating flowpipes for DDEs.
We concentrate on systems that can be modeled as parametric fixed-delay systems of DDEs, where both the initial condition and right-hand side of the system depend on uncertain parameters, but with a unique constant and exactly known delay: where the continuous vector of variables z belongs to a state-space domain D ⊆ R n , the (constant) vector of parameters β belongs to the domain B ⊆ R m , and f : D × D × B → D is C ∞ and such that Eq. ( 1) admits a unique solution 1 on the time interval [t 0 , T ].The initial condition is defined on t ∈ [t 0 , t 0 + τ ] by a function z 0 : R + × B → D. The method introduced here also applies in the case when the set of initial states is given as the solution of an uncertain system of ODEs instead of being defined by a function.Only the initialization of the algorithm will differ.When several constant delays occur in the system, the description of the method is more complicated, but the same method applies.

Contributions and Outline.
In this work, we extend the method introduced by Goubault and Putot [16] for ODEs, to the computation of inner and outer flowpipes of systems of DDEs.We claim, and experimentally demonstrate with our prototype implementation, that the method we propose here for DDEs is both simple and efficient.Relying on outer-approximations and generalized interval computations, all computations can be safely rounded, so that the results are guaranteed to be sound.Finally, we can compute inner-approximating flowpipes combining existentially and universally quantified parameters, which offers some strong potential for property verification, beyond falsification.
In Sect.2, we first define the notions of inner and outer-approximating flowpipes, as well as robust inner-approximations, and state some preliminaries on generalized interval computations, which are instrumental in our inner flowpipes computations.We then present in Sect. 3 our method for outer-approximating solutions to DDEs.It is based on the combination of Taylor models in time with a space abstraction relying on zonotopes.Section 4 relies on this approach to compute outer-approximations of the Jacobian of the solution of the DDE with respect to the uncertain parameters, using variational equations.Innerapproximating tubes are obtained from these using a generalized mean-value theorem introduced in Sect. 2. We finally demonstrate our method in Sect.5, using our C++ prototype implementation, and show its superiority in terms of accuracy and efficiency compared to the state of the art.Related Work.Reachability analysis for systems described by ordinary differential equations, and their extension to hybrid systems, has been an active topic of research in the last decades.Outer-approximations have been dealt with ellipsoidal [20], sub-polyhedral techniques, such as zonotopes or support functions, and Taylor model based methods, for both linear and nonlinear systems [2,[4][5][6]10,14,17,26].A number of corresponding implementations exist [1,3,7,13,22,25,29].Much less methods have been proposed, that answer the more difficult problem of inner-approximation.The existing approaches use ellipsoids [21] or non-linear approximations [8,16,19,31], but they are often computationally costly and imprecise.Recently, an interval-based method [24] was introduced for bracketing the positive invariant set of a system without relying on integration.However, it relies on space discretization and has only been applied successfully, as far as we know, to low dimensional systems.
Taylor methods for outer-approximating reachable sets of DDEs have been used only recently, in [28,32].We will demonstrate that our approach improves the efficiency and accuracy over these interval-based Taylor methods.
The only previous work we know of for computing inner-approximations of solutions to DDEs, is the method of Xue et al. [30], extending the approach proposed for ODEs in [31].Their method is based on a topological condition and a careful inspection of what happens at the boundary of the initial condition.We provide in the section dedicated to experiments a comparison to the few experimental results given in [30].

Preliminaries on Outer and Inner Approximations
Notations and Definitions.Let us introduce some notations that we will use throughout the paper.Set valued quantities, scalar or vector valued, corresponding to uncertain inputs or parameters, are noted with bold letters, e.g x.When an approximation is introduced by computation, we add brackets: outerapproximating enclosures are noted in bold and enclosed within inward facing brackets, e.g.[x], and inner-approximations are noted in bold and enclosed within outward facing brackets, e.g.]x[.

An outer-approximating extension of a function
. Dually, inner-approximations determine a set of values proved to belong to the range of the function over some input set.An inner-approximating extension of f is a function ]f [: P(R m ) → P(R n ), such that for all x in P(R m ), ]f [(x) ⊆ range(f, x).Inner and outer approximations can be interpreted as quantified propositions: range(f, x) ⊆ [z] can be written Let ϕ(t, β) for time t ≥ t 0 denote the time trajectory of the dynamical system (1) for a parameter value β, and z(t, β) = {ϕ(t, β), β ∈ β} the set of states reachable at time t for the set of parameter values β.We extend the notion of outer and inner-approximations to the case where the function is the solution ϕ(t, β) of system (1) over the set β.An outer-approximating flowpipe is given by an outer-approximation of the set of reachable states, for all t in a time interval: Definition 1 (Outer-approximation).Given a vector of uncertain (constant) parameters or inputs β ∈ β, an outer-approximation at time t of the reachable set of states, is

Definition 2 (Inner-approximation). Given a vector of uncertain (constant) parameters or inputs β ∈ β, an inner-approximation at time t of the reachable set, is
In words, any point of the inner flowpipe is the solution at time t of system (1), for some value of β ∈ β.If the outer and inner approximations are computed accurately, they approximate with arbitrary precision the exact reachable set.
Our method will also solve the more general robust inner-approximation problem of finding an inner-approximation of the reachable set, robust to uncertainty on an uncontrollable subset β A of the vector of parameters β:

Definition 3 (Robust inner-approximation). Given a vector of uncertain (constant) parameters or inputs β = (β A , β E ) ∈ β, an inner-approximation of the reachable set z(t, β) at time t, robust with respect to β
Outer and Inner Interval Approximations.Classical intervals are used in many situations to rigorously compute with interval domains instead of reals, usually leading to outer-approximations of function ranges over boxes.We denote the set of classical intervals by Intervals are non-relational abstractions, in the sense that they rigorously approximate independently each component of a vector function f .We thus consider in this section a function f : R m → R. The natural interval extension consists in replacing real operations by their interval counterparts in the expression of the function.A generally more accurate extension relies on a linearization by the mean-value theorem.Suppose f is differentiable over the interval x.Then, the mean-value theorem implies that (∀x If we can bound the range of the gradient of f over x, by [f ](x), then we can derive the following interval enclosure, usually called the mean-value extension: for any Modal Intervals and Kaucher Arithmetic.The results introduced in this section are mostly based on the work of Goldsztejn et al. [15] on modal intervals.Let us first introduce generalized intervals, i.e., intervals whose bounds are not ordered, and the Kaucher arithmetic [18] on these intervals.
The set of generalized intervals is denoted by

Definition 4 ([15]
).Let f : R m → R be a continuous function and x ∈ IK m , which we can decompose in x A ∈ IR p and x E ∈ (dual IR) where When all intervals in (2) are proper, we retrieve the interpretation of classical interval computation, which gives an outer-approximation of range(f, x), or Kaucher arithmetic [18] provides a computation on generalized intervals that returns intervals that are interpretable as inner-approximations in some simple cases.Kaucher addition extends addition on classical intervals by x + y = [x + y, x + y] and x − y = [x − y, x − y].For multiplication, let us decompose IK in x 0 x}, and dual Z = {x = [x, x], x 0 x}.When restricted to proper intervals, the Kaucher multiplication coincides with the classical interval multiplication.Kaucher multiplication xy extends the classical multiplication to all possible combinations of x and y belonging to these sets.We refer to [18] for more details.

function, given by an arithmetic expression where each variable appears syntactically only once (and with degree 1). Then for
In some cases, Kaucher arithmetic can thus be used to compute an innerapproximation of range(f, x).But the restriction to functions f with single occurrences of variables, that is with no dependency, prevents a wide use.A generalized interval mean-value extension allows us to overcome this limitation: Theorem 1.Let f : R m → R be differentiable, and x ∈ IK m which we can decompose in x A ∈ IR p and x E ∈ (dual IR) q with p + q = m.Suppose that for each i ∈ {1, . . ., m}, we can compute Then, for any x ∈ pro x, the following interval, evaluated with Kaucher arithmetic, is (f, x)-interpretable: When using (4) for inner-approximation, we can only get the following subset of all possible cases in the Kaucher multiplication table : and (x ∈ Z) × (y ∈ dual Z) = 0. Indeed, for an improper x, and x ∈ pro x, it holds that (x − x) is in dual Z.The outer-approximation [Δ i ] of the Jacobian is a proper interval, thus in P, −P or Z, and we can deduce from the multiplication rules that the inner-approximation is non empty only if [Δ i ] does not contain 0.
In Sect.4, we will use Theorem 1 with f being each component (for a ndimensional system) of the solution of the uncertain dynamical system (1): we need an outer enclosure of the solution of the system, and of its Jacobian with respect to the uncertain parameters.This is the objective of the next sections.

Taylor Method for Outer Flowpipes of DDEs
We now introduce a Taylor method to compute outer enclosures of the solution of system (1).The principle is to extend a Taylor method for the solution of ODEs to the case of DDEs, in a similar spirit to the existing work [28,32].This can be done by building a Taylor model version of the method of steps [27], a technique for solving DDEs that reduces these to a sequence of ODEs.

The Method of Steps for Solving DDEs
The principle of the method of steps is that on each time interval [t 0 +iτ, t 0 +(i+ 1)τ ], for i ≥ 1, the function z(t−τ ) is a known history function, already computed as the solution of the DDE on the previous time interval [t 0 + (i − 1)τ, t 0 + iτ ].Plugging the solution of the previous ODE into the DDE yields a new ODE on the next tile interval: we thus have an initial value problem for an ODE with z(t 0 + iτ ) defined by the previous ODE.This process is initialized with z 0 (t) on the first time interval [t 0 , t 0 + τ ].The solution of the DDE can thus be obtained by solving a sequence of IVPs for ODEs.Generally, there is a discontinuity in the first derivative of the solution at t 0 + τ .If this is the case, then because of the term z(t − τ ) in the DDE, a discontinuity will also appear at each t 0 + iτ .
with initial value x(0) = x 0 (0, β) = 1.It admits the analytical solution The solution of the DDE on the time interval [τ, 2τ ] is the solution of the ODE with initial value x(τ ) given by ( 5).An analytical solution can be computed, using the transcendantal lower γ function.

Finite Representation of Functions as Taylor Models
A sufficiently smooth function g (e.g.C ∞ ), can be represented on a time interval [t 0 , t 0 + h] by a Taylor expansion with ξ ∈ [t 0 , t 0 + h], and using the notation g [i] (t) := g (i) (t) i! .We will use such Taylor expansions to represent the solution z(t) of the DDE on each time interval [t 0 + iτ, t 0 + (i + 1)τ ], starting with the initial condition z 0 (t, β) on [t 0 , t 0 + τ ].For more accuracy, we actually define these expansions piecewise on a finer time grid of fixed time step h.The function z 0 (t, β) on time interval [t 0 , t 0 + τ ] is thus represented by p = τ /h Taylor expansions.The l th such Taylor expansion, valid on the time interval [t 0 + lh, t 0 + (l + 1)h] with l ∈ {0, . . ., p − 1}, is for a ξ l ∈ [t 0 + lh, t 0 + (l + 1)h].

An Abstract Taylor Model Representation
In a rigorous version of the expansion (7), the z [i] (t 0 +lh, β) as well as g [k+1] (ξ l , β) are set-valued, as the vector of parameters β is set valued.The simplest way to account for these uncertainties is to use intervals.However, this approach suffers heavily from the wrapping effect, as these uncertainties accumulate with integration time.A more accurate alternative is to use a Taylor form in the parameters β for each z [i] (t 0 + lh, β).This is however very costly.We choose in this work to use a sub-polyhedric abstraction to parameterize Taylor coefficients, expressing some sensitivity of the model to the uncertain parameters: we rely on affine forms [9].The result can be seen as Taylor models of arbitrary order in time, and order close to 1 in the parameters space.
The vector of uncertain parameters or inputs β ∈ β is thus defined as a vector of affine forms over m symbolic variables where the coefficients α i are vectors of real numbers.This abstraction describes the set of values of the parameters as given within a zonotope.In the sequel, we will use for zonotopes the same bold letter notation as for intervals, that account for set valued quantities.
Example 5.In Example 1, β = [ 1  3 , 1] can be represented by the centered form The set of initial conditions x 0 (t, β) is abstracted as a function of the noise symbol ε 1 .For example, at The abstraction of affine arithmetic operators is computed componentwise on the noise symbols ε i , and does not introduce any over-approximation.The abstraction of non affine operations is conservative: an affine approximation of the result is computed, and a new noise term is added, that accounts for the approximation error.Here, using ε 2  1 ∈ [0, 1], affine arithmetic [9] will yield . We are now using notation [x 0 ], denoting an outer-approximation.Indeed, the abstraction is conservative: [x 0 ](−1, β) takes its values in 1  9 [−1, 4], while the exact range of Now, we can represent the initial solution for t ∈ [t 0 , t 0 + τ ] of the DDE (1) as a Taylor model in time with zonotopic coefficients, by evaluating in affine arithmetic the coefficients of its Taylor model (7).Noting r 0j = [t 0 + jh, t 0 + (j + 1)h], we write, for all j = 0, . . ., p − 1, where the Taylor coefficients can be computed by differentiating the initial solution with respect to t ([z 0 ] (l) denotes the l-th time derivative), and evaluating the result in affine arithmetic.We also need [x 00 ] [1] and [x 00 ] [2] .We compute [x 00 ] We evaluate these coefficients with affine arithmetic, similarly to Example 5.

Constructing Flowpipes
The abstract Taylor models (8) introduced in Sect.3.3, define piecewise outerapproximating flowpipes of the solution on [t 0 , t 0 +τ ].Using the method of steps, and plugging into (1) the solution computed on [t 0 +(i−1)τ, t 0 +iτ ], the solution of (1) can be computed by solving the sequence of ODEs where the initial condition z(t 0 + iτ ), and z(t − τ ) for t in [t 0 + iτ, t 0 + (i + 1)τ ], are fully defined by ( 8) when i = 1, and by the solution of (10) at previous step when i is greater than 1.
Let the set of the solutions of (10) at time t and for the initial conditions z(t ) ∈ z at some initial time t ≥ t 0 be denoted by z(t, t , z ).Using a Taylor method for ODEs, we can compute flowpipes that are guaranteed to contain the reachable set of the solutions z(t, t 0 + τ, [z](t 0 + τ )) of ( 10), for all times t in [t 0 + τ, t 0 + 2τ ], with [z](t 0 + τ ) given by the evaluation of the Taylor model ( 8).This can be iterated for further steps of length τ , solving (10) for i = 1, . . ., T/τ, with an initial condition given by the evaluation of the Taylor model for (10) at the previous step.
We now detail the algorithm that results from this principle.Flowpipes are built using two levels of grids.At each step on the coarser grid with step size τ , we define a new ODE.We build the Taylor models for the solution of this ODE on the finer grid of integration step size h = τ /p.We note t i = t 0 + iτ the points of the coarser grid, and t ij = t 0 + iτ + jh the points of the finer grid.In order to compute the flowpipes in a piecewise manner on this grid, the Taylor method relies on Algorithm 1.All Taylor coefficients, as well as Taylor expansion evaluations, are computed in affine arithmetic.
Step 2: Building the Taylor Model.A Taylor expansion of order k of the solution at t ij which is valid on the time interval The Taylor coefficients are defined inductively, and can be computed by automatic differentiation, as follows: (13) The Taylor coefficients for the remainder term are computed in a similar way, evaluating [f ] over the a priori enclosure of the solution on ).The derivatives can be discontinuous at t i0 : the [f i0 ] [l] coefficients correspond to the right-handed limit, at time t + i0 .Let us detail the computation of the coefficients ( 12), ( 13) and ( 14).Let z(t) be the solution of (10).By definition, dz dt (t) = f (z(t), z(t−τ ), β) = f [1] (z(t), z(t− τ ), β) from which we deduce the set valued version (12).We can prove ( 14) by induction on l.Let us denote ∂z the partial derivative with respect to z(t), and ∂z τ with respect to the delayed function z(t − τ ).We have ∂z τ for i between 1 and n, j between 1 and m.Differentiating (1), we obtain that the coefficients of the Jacobian matrix of the flow satisfy with initial condition Example 8.The Jacobian matrix for Example 1 is a scalar since the DDE is real-valued and the parameter is scalar.We easily get J11 (t Equation ( 15) is a DDE of the same form as (1).We can thus use the method introduced in Sect.3.4, and use Taylor models to compute outer-approximating flowpipes for the coefficients of the Jacobian matrix.
Computing Inner-Approximating Flowpipes.Similarly as for ODEs [16], the algorithm that computes inner-approximating flowpipes, first uses Algorithm 1 to compute outer-approximations, on each time interval [t ij , t i(j+1) ], of 1. the solution z(t, β) of the system starting from the initialization function z 0 (t, β) defined by a given β ∈ β 2. the Jacobian J(t, β) of the solution, for all β ∈ β Then, we can deduce inner-approximating flowpipes by using Theorem 1.Let as in Definition 3 β = (β A , β E ) and note J A the matrix obtained by extracting the columns of the Jacobian corresponding to the partial derivatives with respect to β A .Denote by J E the remaining columns.If the quantity defined by Eq. ( 16) ) is an inner-approximation of the reachable set z(t, β) valid on the time interval [t ij , t i(j+1) ], which is robust with respect to the parameters β A , in the sense of Definition 3. Otherwise the innerapproximation is empty.If all parameters are existentially quantified, that is if the subset β A is empty, we obtain the classical inner-approximation of Definition 2. Note that a unique computation of the center solution [z] and the Jacobian matrix [J ] can be used to infer different interpretations as inner-approximations or robust inner-approximations.With this computation, the robust inner flowpipes will always be included in the classical inner flowpipes.The computation of the inner-approximations fully relies on the outerapproximations at each time step.A consequence is that we can soundly implement most of our approach using classical interval-based methods: outward rounding should be used for the outer approximations of flows and Jacobians.Only the final computation by Kaucher arithmetic of improper intervals should be done with inward rounding in order to get a sound computation of the innerapproximation.
Also, the wider the outer-approximation in Taylor models for the center and the Jacobian, the tighter and thus the less accurate is the inner-approximation.This can lead to an empty inner-approximation if the result of Eq. ( 16) in Kaucher arithmetic is not an improper interval.This can occur in two way.Firstly, the Kaucher multiplication [J ] E (dual β E − βE ) in ( 16), yields a nonzero improper interval only if the Jacobian coefficients do not contain 0. Secondly, suppose that the Kaucher multiplication yields an improper interval.It is added to the proper interval ) can be tightly estimated, but the term [J ] A (β A − βA ) that measures robustness with respect to the β A parameters can lead to a wide enclosure.If this sum is wider than the improper interval resulting from the Kaucher multiplication, then the resulting Kaucher sum will be proper and the inner-approximation empty.

Implementation and Experiments
We have implemented our method using the FILIB++ C++ library [23] for interval computations, the FADBAD++2 package for automatic differentiation, and (a slightly modified version of) the aaflib3 library for affine arithmetic.
Let us first consider the running example, with order 2 Taylor models, and an integration step size of 0.05. Figure 1 left presents the results until t = 2 (obtained in 0.03 s) compared to the analytical solution (dashed lines): the solid external lines represent the outer-approximating flowpipe, the filled region represents the inner-approximating flowpipe.Until time t = 0, the DDE is in its initialization phase, and the conservativeness of the outer-approximation is due to the abstraction in affine arithmetic of the set of initialization functions.Using higher-order Taylor models, or refining the time step improves the accuracy.However, for the inner-approximation, there is a specific difficulty: the Jacobian contains 0 at t = −1, so that the inner-approximation is reduced to a point.This case corresponds to the parameter value β = 1.To address this problem, we split the initial parameter set in two sub-intervals of equal width, compute independently the inner and outer flowpipes for these two parameters ranges, and then join the results to obtain Fig. 1 center.It is somehow counter intuitive that we can get this way a larger, thus better quality, inner-approximating set, as the inner-approximation corresponds to the property that there exist a value of β in the parameter set such that a point of the tube is definitely reached.Taking a larger β parameter set would intuitively lead to a larger such inner tube.However, this is in particular due to the fact that we avoid here the zero in the Jacobian.More such a subdivision yields a tighter outer-approximation of the Jacobian, and thus better accuracy when using the mean-value theorem.In order to obtain an inner-approximation without holes, we can use a subdivision of the parameters with some covering.This is the case for instance using 10 subdivisions, with 10% of covering.Results are now much tighter: Fig. 1 right represents a measure γ(x, t) of the quality of the approximations (computed in 45 s) for a time horizon T = 15, with Taylor Model of order 3, a step size of 0.02.This accuracy measure γ(x, t) is defined by γ(x, t) = γu(x) γo(x) where γ u (x) and γ o (x) measure respectively the width of the inner-approximation and outer-approximation, for state variable x.Intuitively, the larger the ratio (bounded by 1), the better the approximation.Here, γ(x, t) almost stabilizes after some time, to a high accuracy of 0.975.We noted that in this example, the order of the Taylor model, the step size and the number of initial subdivisions all have a notable impact on the stabilized value of γ, that can here be decreased arbitrarily.
Example 9. Consider a basic PD-controller for a self-driving car, controlling the car's position x and velocity v by adjusting its acceleration depending on the current distance to a reference position p r , chosen here as p r = 1.We consider a delay τ to transfer the input data to the controller, due to sensing, computation or transmission times.This leads, for t ≥ 0, to: Choosing K p = 2 and K d = 3 guarantees the asymptotic stability of the controlled system when there is no delay.The system is initialized to a constant function ( This example demonstrates that even small delays can have a huge impact on the dynamics.We represent in the left subplot of Fig. 2 the inner and outer approximating flowpipes for the velocity and position, with delay τ = 0.35, until time T = 10.They are obtained in 0.32 s, using Taylor models of order 3 and a time step of 0.03.The parameters were chosen such that the inner-approximation always remains non-empty.We now study the robustness of the behavior of the system to the parameters: K p and K d are time invariant, but now uncertain and known to be bounded by (K p , K d ) ∈ [1.95, 2.05] × [2.95, 3.05].The Jacobian matrix is now of dimension 2 × 4. We choose a delay τ = 0.2, sufficiently small to not induce oscillations.Thanks to the outer-approximation, we prove that the velocity never becomes negative, in contrast to the case of τ = 0.35 where it is proved to oscillate.In Fig. 2 center, we represent, along with the overapproximation, the inner-approximation and a robust inner-approximation.The inner-approximation, in the sense of Definition 2, contains only states for which it is proved that there exists an initialization of the state variables We now demonstrate the efficiency of our approach and its good scaling behavior with respect to the dimension of the state space, by comparing our results with the results of [30] on their seven-dimensional Example 3: We compute outer and inner approximations of the reachable sets of the DDE until time t = 0.1, and compare the quality measure γ(x 1 ), . . ., γ(x 7 ) for the projection of the approximations over each variable x 1 to x 7 , of our method with respect to [30].We obtain for our work the measures 0.998, 0.996, 0.978, 0.964, 0.97, 0.9997, 0.961, to be compared to 0.575, 0.525, 0.527, 0.543, 0.477, 0.366, 0.523 for [30].The results, computed with order 2 Taylor models, are obtained in 0.13 s with our method, and 505 s with [30].Our implementation is thus both much faster and much more accurate.However, this comparison should only be taken as a rough indication, as it is unfair to [30] to compare their inner boxes to our projections on each component.
Example 11.Consider now the model, adapted from [11], of a platoon of n autonomous vehicles.Vehicle C i+1 is just after C i , for i = 1 to n − 1. Vehicle C 1 is the leading vehicle.Sensors of C i+1 measure its current speed v i+1 as well as the speed v i of the vehicle just in front of it.There respective positions are x i+1 and x i .We take a simple model where each vehicle C i+1 accelerates so that to catch up with C i if it measures that v i > v i+1 and acts on its brakes if v i < v i+1 .Because of communication, accelerations are delayed by some time constant τ : We add an equation defining the way the leading car drives.We suppose it adapts its speed between 1 and 3, following a polynomial curve.This needs to adapt the acceleration of vehicle C 2 : ẋ1 (t) = 2 + (x 1 (t)/5 − 1)(x 1 (t)/5 − 2)(x 1 (t)/5 − 3)/6 v2 (t) = α(2 + (x 1 (t)/5 − 1)(x 1 (t)/5 − 2)(x 1 (t)/5 − 3)/6 − v 2 (t − τ )) We choose τ = 0.3 and α = 2.5.The initial position before time 0 of car C i is slightly uncertain, taken to −(i − 1) + [−0.2, 0.2], and its speed is in [1.99,2.01].We represent in the right subplot of Fig. 2 the inner and outer approximations of the position of the vehicles in a 5 vehicles platoon (9-dimensional system) until time T = 10, with a time step of 0.1, and order 3 Taylor models, computed in 2.13 s.As the inner-approximations of different vehicles intersect, there are some unsafe initial conditions, such that the vehicules will collide.This example allows us to demonstrate the good scaling of our method: for 10 vehicles (19-dim system) and with the same parameters, results are obtained in 6.5 s.

Conclusion
We have shown how to compute, efficiently and accurately, outer and inner flowpipes for DDEs with constant delay, using Taylor models combined with an efficient space abstraction.We have also introduced a notion of robust innerapproximation, that can be computed by the same method.We would like to extend this work for fully general DDEs, including variable delay, as well as study further the use of such computations for property verification on networked control systems.Indeed, while testing is a weaker alternative to inner-approximation for property falsification, we believe that robust inner-approximation provides new tools towards robust property verification or control synthesis.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/),which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material.If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Example 4 .
Consider the DDE defined in Example 1.On t ∈ [0, τ] the solution of the DDE is solution of the ODE

Fig. 2 .
Fig. 2. Left and center: velocity and position of controlled car (left τ = 0.35, center τ = 0.2); Right: vehicles position in the platoon example x and v in [−0.1, 0.1] × [0, 0.1] and a value of K p and K d in [1.95, 2.05] × [2.95, 3.05], such that these states are solutions of the DDE.The inner-approximation which is robust with respect to the uncertainty in K p and K d , in the sense of Definition 3, contains only states for which it is proved that, whatever the values of K p and K d in [1.95, 2.05] × [2.95, 3.05], there exist an initialization of x and v in [−0.1, 0.1]×[0, 0.1], such that these states are solutions of the DDE.These results are obtained in 0.24 s, with order 3 Taylor models and a time step of 0.04.The robust inner-approximation is naturally included in the inner-approximation.