Formal Models for Stability Analysis of Hybrid Systems: Verifying Average Dwell Time*
Sayan Mitra, MIT CSAIL, mitras@csail.mit.edu
Research Qualifying Exam, 20th December 2004
Joint work with Daniel Liberzon (UIUC) and Nancy Lynch (MIT)
1. Background (Macro): Hybrid Systems
Control theory: dynamical system + boolean variables
• Stability
• Controllability
• Controller design
Computer science: state transition systems + continuous dynamics
• Safety verification
• Model checking
• Theorem proving
HIOA framework [Lynch, Segala, Vaandrager]
• Expressive: few constraints on continuous and discrete behavior
• Compositional: analyze complex systems by looking at their parts
• Structured: inductive verification
Background (Micro)
• Develop a rich theory for mobile systems
• The usual: time, communication and space complexities
• Analysis of mobile algorithms from a control-theoretic point of view
  • Plant: nodes with continuous motion
  • Controller: algorithm maintaining some structure (routing, leader, MST, etc.)
  • Controlled motion of some mobile robots
  • Noise, disturbance, uncertainty
  • Stability and robustness w.r.t. mobility
• Probabilistic extensions of HIOA
Outline
• Background
• Stability under slow switching: average dwell time (ADT)
• Formal model for hybrid systems
• Verifying ADT by proving invariants
• Verifying ADT by solving optimization problems
• Conclusions
Switching and Stability
[Figure: individually stable subsystems M1, M2 (and M3); switching between them yields an unstable switched system.]
2. Stability Under Slow Switching
[Figure: a system with dwell time τa vs. a system with average dwell time τa.]
N(t2, t1) ≤ N0 + (t2 – t1) / τa   --- (1)
N(t2, t1): number of switches in the interval [t1, t2]
(t2 – t1) / τa: number of "allowed" switches
τa: average dwell time (ADT)
If all executions satisfy (1) for all t2, t1, then the system is said to have ADT τa.
Stability with ADT
[Figure: Lyapunov function values form a decreasing sequence over time t.]
Theorem [Hespanha]: assuming Lyapunov functions for the individual modes exist, global asymptotic stability is guaranteed if τa is large enough.
• Q: What are the Lyapunov functions? (This also determines the τa that guarantees stability.)
• Q: Given a hybrid system A, does it have ADT τa? Or, what is the largest τa that is an ADT for A?
3. Formal Definitions: Hybrid Automata [Lynch, Segala, Vaandrager]
• V: set of variables, with types, valuations val(V), and dtypes
• Q: set of states, Q ⊆ val(V)
• Θ: set of start states, Θ ⊆ Q
• A: set of actions
• D ⊆ Q × A × Q: discrete transitions; (v, a, v') ∈ D is written in short as v →a v'
• T: set of trajectories for V, functions describing continuous evolution; a trajectory is a function τ: J → val(V) on a time interval J
T is closed under prefix, suffix, and concatenation.
Definitions: Structured HA (SHA)
• V = Vc ∪ Vd (continuous and discrete variables)
• A set F of state models for the continuous variables Vc
• A state model is a locally Lipschitz function f such that the solutions of the system of differential equations dv/dt = f(v) lie in the dtypes of the corresponding continuous variables.
• A mode switching function
• So only continuous variables change over trajectories, and mode switches change the state models.
Definitions: Executions and Invariants
• Execution (fragment): a sequence τ0 a1 τ1 a2 τ2 …, where
  • each τi ∈ T (finite if i is not the last index), and
  • each (τi.lstate, ai, τi+1.fstate) ∈ D
• An invariant I(v) is proved by
  base case: for all v ∈ Θ, I(v)
  induction, discrete: for all v →a v' ∈ D, I(v) ⇒ I(v')
  induction, continuous: for all τ ∈ T, I(τ.fstate) ⇒ I(τ.lstate)
• Proving abstractions…
• Language and supporting software tools [Kaynar, Lynch, Mitra]
4. Average Dwell Time: Invariant Approach
An SHA A has ADT τa > 0 if there exists N0 such that for all executions α:
N(α) ≤ N0 + α.ltime / τa
α.ltime: duration of the execution α
• Quantification over all executions: ADT is a property of the executions of the automaton.
Invariant approach:
• Transform the automaton A → A' so that the ADT property of A becomes an invariant property of A'.
• Then use theorem proving or model checking tools to prove the invariant(s).
Qτa(α) = N(α) – α.ltime / τa: number of extra switches w.r.t. τa
Transformation A → A' for Stability
• Uniform stability preserving transformation, adding:
  • a counter Q for the number of extra mode switches
  • a (reset) timer t
  • Qmin for the smallest value of Q so far
Theorem: A has average dwell time τa iff Q – Qmin ≤ N0 in all reachable states of A' (an invariant property).
Proof
[Figure: Q over time, with Qmin attained at tmin, and the interval [t0, t1].]
If part: we want to show N(t1, t0) ≤ N0 + (t1 – t0)/τa. Since N(t1, t0) = N(t1, 0) – N(t0, 0) and Q(t) = N(t, 0) – t/τa, this is
  Q(t1) + t1/τa – Q(t0) – t0/τa ≤ N0 + (t1 – t0)/τa, i.e. Q(t1) – Q(t0) ≤ N0.
Case 1: Q(t1) – Q(t0) = Q(t1, tmin) – Q(t0, tmin) ≤ Q(t1, tmin) = Q(t1) – Qmin(t1) ≤ N0 [from the invariant].
Case 2: similar.
Only if part: consider a state s' = α'(t) of A' and suppose α'(t0) attains Qmin, so Qmin(t) = Qmin(t0). The ADT property gives
  N(t, t0) ≤ N0 + (t – t0)/τa, i.e. Q(t) + t/τa – Q(t0) – t0/τa ≤ N0 + (t – t0)/τa, hence Q(t) – Qmin(t) ≤ N0.
Case Study: Hysteresis Switch
[Figure: flowchart of the hysteresis switch with inputs: Initialize, Find, yes/no branches.]
• Used in switching (supervisory) control of uncertain systems
• Under suitable conditions (compatible with bounded noise and no unmodeled dynamics), ADT can be proved. See the CDC paper for details [Mitra, Liberzon].
5. Average Dwell Time: Optimization Approach
An SHA A has ADT τa if there exists N0 such that for all executions α: N(α) ≤ N0 + α.ltime / τa.
An SHA A does not have ADT τa if for all N0 there is an execution α such that N(α) > N0 + α.ltime / τa, i.e. Sτa(α) = N(α) – α.ltime / τa (the number of extra switches in α w.r.t. τa) is unbounded over the executions of A.
OPT1: maximize Sτa(α) over all executions α of A.
• In general solving OPT1 is hard
• Finiteness of solution
• Completeness
Looking at Cyclic Counterexamples
A simple sufficient condition for violating ADT: cyclic execution fragments.
Lemma 3: If there is a cyclic execution fragment α of A with extra switches w.r.t. τa, then A does not have ADT τa.
Proof sketch: α.α.α.… has an unbounded number of extra switches.
Q: Is this also a necessary condition?
A: For a useful class of SHA it is: finitely initialized SHA, where v →a v' implies v' ∈ Ia and each Ia is finite.
Lemma 4: If an SHA A does not have ADT τa and it is finitely initialized, then it has a cyclic execution fragment with extra switches.
Now we can solve OPT2: α* = arg max { Sτa(α) | α ∈ cycle(A) }.
For linear finitely initialized SHA, OPT2 can be formulated as a mixed integer linear program!
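As an added example (not from the slides or the authors' tools), the two characterizations of ADT above are run over one finite switching sequence: the transformed automaton A' with its counter Q and Qmin, the direct check of bound (1), the largest τa for a fixed N0, and Lemma 3's repetition of a cyclic fragment. The switch times and N0 are constructed, and N counts switches over closed intervals so that it matches Q's jump at the switch instant.

```python
from fractions import Fraction

def run_transformed(switch_times, tau_a):
    """Run the transformed automaton A' over one finite execution alpha.
    switch_times: increasing times (> 0) of the mode switches in alpha.
    Q = N - t/tau_a counts extra switches: +1 at every switch, decreasing at
    rate 1/tau_a along trajectories. Qmin is the smallest Q reached so far,
    including the value just before each jump (last state of a trajectory).
    Returns the (Q, Qmin) pairs reached right after each switch."""
    tau_a, qmin, states = Fraction(tau_a), Fraction(0), []
    for n, t in enumerate(switch_times, start=1):
        q = n - 1 - Fraction(t) / tau_a      # Q at the end of the n-th trajectory
        qmin = min(qmin, q)                  # Q only decreases along a trajectory
        states.append((q + 1, qmin))         # discrete step: one more switch
    return states

def invariant_holds(switch_times, tau_a, n0):
    """Theorem: A has ADT tau_a iff Q - Qmin <= N0 in all reachable states of A'.
    Between switches Q - Qmin can only shrink, so post-switch states suffice."""
    return all(q - qmin <= n0 for q, qmin in run_transformed(switch_times, tau_a))

def direct_check(switch_times, tau_a, n0):
    """Definition (1) checked directly: N(t2,t1) <= N0 + (t2-t1)/tau_a for all
    t1 <= t2, with N counting switches in [t1,t2]. N is piecewise constant, so
    only endpoints in {0} and the switch times need to be examined."""
    tau_a = Fraction(tau_a)
    pts = [Fraction(0)] + [Fraction(t) for t in switch_times]
    return all(sum(1 for s in pts[1:] if t1 <= s <= t2) <= n0 + (t2 - t1) / tau_a
               for i, t1 in enumerate(pts) for t2 in pts[i:])

def largest_adt(switch_times, n0):
    """Largest tau_a that is an ADT for this execution with the given N0: a window
    holding k > N0 switches forces tau_a <= duration / (k - N0). None if unconstrained."""
    pts = [Fraction(t) for t in switch_times]
    bounds = [(pts[j] - pts[i]) / (j - i + 1 - n0) for i in range(len(pts))
              for j in range(i, len(pts)) if j - i + 1 > n0]
    return min(bounds) if bounds else None

def repeat_cycle(offsets, period, copies):
    """Lemma 3: concatenate copies of a cyclic fragment whose switches sit at the
    given offsets inside each period."""
    return [Fraction(k) * Fraction(period) + Fraction(s) for k in range(copies) for s in offsets]

if __name__ == "__main__":
    # Constructed sample: three quick switches, a quiet spell, three more switches.
    alpha = [1, 2, 3, 10, 11, 12]
    print(invariant_holds(alpha, 2, 2), direct_check(alpha, 2, 2), largest_adt(alpha, 2))
    # 3 switches per period of 2 give 3 - 2/2 = 2 extra switches per cycle at tau_a = 2,
    # so repeating the cycle eventually violates any fixed N0 (here N0 = 4).
    print([invariant_holds(repeat_cycle([0.5, 1, 1.5], 2, m), 2, 4) for m in (1, 2, 3)])
```

The invariant check and the direct check of (1) agree on every input, which is the content of the theorem; the cyclic fragment passes for one copy and fails from two copies on, as Lemma 3 predicts.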
Extending to Non-initialized SHA
• Suppose there is a subset of variables Z ⊆ V such that whenever x.Z = y.Z:
  • x ∈ Θ implies y ∈ Θ
  • F(x) = F(y)
  • x →a x' implies there exists y' such that y →a y' and x'.Z = y'.Z
  • x reaches x' by a trajectory τ implies there exists y' such that y reaches y' by a trajectory of the same length and x'.Z = y'.Z
• Then Z induces a congruence relation and partitions the state space of A into equivalence classes.
• We can find a region automaton Rz(A) corresponding to A such that any τa > 0 is an ADT for A iff it is also an ADT for Rz(A).
• It is sufficient for Rz(A) to be finitely initialized (and not A itself) for the optimization approach to work.
Case Study: Gas Burner from [Alur, Henzinger, et al.]
[Figure: the gas burner SHA, its region automaton, and the MILP solution.]
6. Conclusions
Summary:
• SHA and SHIOA models, stability definitions
• Verification of the ADT property:
  • Invariant approach --- general but not automatic
  • MILP approach --- restrictive, but can be fully automated
• ADT preserving abstractions
Future work:
• Characterize the class of SHA for which the MILP approach works
• Performance (stability) of mobile algorithms subject to node movement
• Probabilistic HIOA and stability of stochastic switched systems
References
Mitra, Liberzon, "Verifying average dwell time: an invariant based approach", IEEE CDC, December 2004.
Mitra, Liberzon, Lynch, "Verifying average dwell time", 2004, submitted for review, special issue of IEEE Trans. on Automatic Control. http://theory.lcs.mit.edu/~mitras
Kaynar, Lynch, Mitra, "Specification and verification of timed systems using TIOA tools", IEEE RTSS WIP, 2004.
Mitra, Archer, "Reusable proof strategies for proving abstraction relations", STRATEGIES, July 2004.
Liberzon, "Switching in Systems and Control: Foundations and Applications", Birkhauser, Boston, June 2003.
Branicky, "Multiple Lyapunov functions and other analysis tools for switched and hybrid systems", IEEE Trans. Automatic Control, 1998.
Hespanha, Morse, "Stability of switched systems with average dwell time", IEEE CDC, 1999.
Lynch, Segala, Vaandrager, "Hybrid I/O automata", Information and Computation, 185(1), August 2003.
Kaynar, Lynch, Segala, Vaandrager, "Theory of timed I/O automata", MIT/LCS/TR-917a, 2004.