TERMINATION ANALYSIS OF SAFETY VERIFICATION
FOR NON-LINEAR ROBUST HYBRID SYSTEMS
Zhikun She
LMIB and School of Mathematics and Systems Science, Beihang University, 100191 Beijing, China
Keywords:
Robust hybrid systems, Abstraction refinement, Reachability constraints, Termination analysis.
Abstract:
Safety verification of hybrid systems is in general undecidable. Due to practical applications, it is sufficient to only consider robustly safe hybrid systems in which a slight perturbation is guaranteed to result in the same desired safety property. In this paper, we provide a constraint based abstraction refinement for safety verification of nonlinear hybrid systems and prove that this refinement procedure will terminate for robustly safe nonlinear hybrid systems.
1 INTRODUCTION
Hybrid systems (Alur et al., 1995; Schaft and Schumacher, 2000; Ratschan and She, 2007) are a class of dynamical systems which, in addition to discrete events, also contain continuous behaviors that evolve according to differential equations or difference equations. Many examples of hybrid systems (Fehnker and Ivančić, 2004) are obtained when a digital system is embedded in an analog environment which, in many cases, is described by physical laws that are formulated using differential equations or difference equations. Such systems usually operate in safety-critical domains, for example, inside automobiles, aircraft, and chemical plants. Thus, an important task is to verify that a given hybrid system is safe, that is, to verify that every trajectory of the hybrid system starting from an initial state never reaches an unsafe state (i.e., a so-called "bad" state).
The safety verification problem of hybrid systems is in general undecidable (Henzinger et al., 1998) and terminating algorithms exist only for certain special cases, for example, linear hybrid automata (Henzinger et al., 1998) and o-minimal hybrid automata (Lafferriere et al., 1999).
Since hybrid systems often model a given real system in practice with perturbations, the notion of robustness (Henzinger and Raskin, 2000; Fränzle, 2001; Girard and Pappas, 2006; Damm et al., 2007; Julius et al., 2007) has been introduced to model the given real system up to perturbations. Hence, from the practical viewpoint, it is sufficient to only consider robust systems in which a slight (quantifiable) perturbation is guaranteed to result in the same desired qualitative properties (e.g., safety and stability).
In this paper, we will provide a constraint based approach for safety verification of continuous-time hybrid systems (Ratschan and She, 2007; Frehse, 2008) such that the termination of our approach is guaranteed even for a very rich class of models, which involve function symbols in $\{+, \times, \hat{}, \sin, \cos, \exp\}$. Note that unless otherwise specified, hybrid systems in this paper denote continuous-time hybrid systems.
Following our earlier works (Ratschan and She, 2007; Ratschan and She, 2006; She and Zheng, 2008), we continue to use constraints for describing hybrid systems. In addition, for describing robust hybrid systems, we use the solution sets to the corresponding constraints defined for hybrid systems with small perturbations.
For verifying the safety property of hybrid systems, we use an abstraction refinement technique. That is, for a concrete hybrid system, we first split its state space into boxes and then abstract it to a finite transition system which over-approximates the concrete system in a conservative way. During the refinement procedure, we also include more information from the concrete system into the abstract one, which is done by constructing a reachability constraint, checking whether a certain state fulfills this constraint and removing states that do not fulfill this constraint by an interval based pruning algorithm. However, the interval based abstraction refinement in some cases results in the wrapping effect (Neumaier, 1993), which will be explained in Subsection 3.1. For reducing such a wrapping effect, we propose a quantifier elimination based remedy. That is, we first construct a constraint to describe the reachable set on the boundaries of boxes such that every free variable only occurs once; then, we employ a special quantifier elimination method to get the exact solution set to this constructed constraint; finally, we use this exact solution set in the reachability constraint for further computation.
Moreover, based on our proposed remedy, we can prove that our abstraction refinement procedure will eventually terminate for robustly safe hybrid systems.

She Z. TERMINATION ANALYSIS OF SAFETY VERIFICATION FOR NON-LINEAR ROBUST HYBRID SYSTEMS. DOI: 10.5220/0003446502510261. In Proceedings of the 8th International Conference on Informatics in Control, Automation and Robotics (ICINCO-2011), pages 251-261. ISBN: 978-989-8425-74-4. Copyright © 2011 SCITEPRESS (Science and Technology Publications, Lda.)
Compared to the discrete time model in (Damm et al., 2007), there are variables for describing differentiation, which do not vary over the state space and may take unbounded values. Moreover, compared to the counter-example guided abstraction refinement (CEGAR) based approach (Klaedtke et al., 2007), we avoid solving a large reachability constraint formulating states reachable via a trajectory over a finite number of abstract states (i.e., boxes).
This paper is organized as follows. In Section 2 we formulate our basic notions on hybrid systems and robust hybrid systems. In Section 3, we introduce a constraint based abstraction refinement for safety verification of hybrid systems, associated with a remedy for reducing the wrapping effect in Subsection 3.1 and a special quantifier elimination method in Subsection 3.2. In Section 4 we analyze the termination of our abstraction refinement procedure with our proposed remedy for robustly safe hybrid systems. In Section 5 we conclude the paper.
2 ROBUST HYBRID SYSTEMS
We fix a variable $m$ ranging over a finite set of discrete modes $M = \{m_1, \ldots, m_n\}$ and variables $x_1, \ldots, x_k$ ranging over closed real intervals $I_1, \ldots, I_k$. We denote by $S$ the resulting state space $M \times I_1 \times \cdots \times I_k$ and let $X = \{x_1, \ldots, x_k\}$. For denoting the derivatives of $x_1, \ldots, x_k$ we use variables $\dot{x}_1, \ldots, \dot{x}_k$, ranging over $\mathbb{R}$ each, and let $\dot{X} = \{\dot{x}_1, \ldots, \dot{x}_k\}$. Moreover, for denoting the targets of jumps, we use variables $m', x'_1, \ldots, x'_k$ ranging over $M$ and $I_1, \ldots, I_k$ and let $X' = \{x'_1, \ldots, x'_k\}$. For simplicity, we sometimes use the vector $\vec{x}$ to denote $x_1, \ldots, x_k$, and $(m, \vec{x})$ to denote a state. Similar notations are used for $\vec{x}'$ and $\dot{\vec{x}}$.
In order to describe hybrid systems we use constraints that are arbitrary Boolean combinations of equalities and inequalities over terms. These constraints are used, on the one hand, to describe the possible flows and jumps and, on the other hand, to mark certain parts of the state space (e.g., the set of initial/unsafe states).
Definition 1.
1. An arithmetic expression is a term (in the predicate-logical sense) with function symbols in $\{+, \times, \hat{}, \sin, \cos, \exp\}$.
2. An atomic arithmetic state space constraint is of the form $e\,r\,c$, where $e$ is an arithmetic expression, $r \in \{=, <, >, \leq, \geq\}$ is a relation operator, and $c$ is a real-valued constant.
3. A mode constraint is an expression of the form $m = m_i$ or $m' = m_i$, where $m_i \in M$.
4. A state space constraint is a Boolean combination of forms $ms \to aas$, where $ms$ is a mode constraint containing only $m$, $\to$ is a Boolean implication, and $aas$ is a Boolean combination of atomic arithmetic state space constraints containing variables only in $X$.
5. A flow constraint is a Boolean combination of forms $ms \to fs$, where $ms$ is a mode constraint containing only $m$, $\to$ is a Boolean implication, and $fs$ is a Boolean combination of atomic arithmetic state space constraints containing variables only in $X \cup \dot{X}$.
6. A jump constraint is a Boolean combination of forms $js \to js'$, where $js$ is a state space constraint, $\to$ is a Boolean implication, and $js'$ is a Boolean combination of mode constraints containing only $m'$ and atomic arithmetic state space constraints containing variables only in $X \cup X'$.
Definition 2. A hybrid system over the state space $S$ is a tuple $(Flow, Jump, Init, UnSafe)$ consisting of a flow constraint $Flow$ describing the continuous dynamical evolutions, a jump constraint $Jump$ describing the set of possible discrete jumps, a state space constraint $Init$ describing the set of initial states, and a state space constraint $UnSafe$ describing the set of unsafe states.
For simplicity, we use $Flow$ for describing both the flow constraint and the subset of $S \times \mathbb{R}^k$ satisfying this flow constraint. Similar conventions are also used for $Jump$, $Init$ and $UnSafe$. Thus, a hybrid system $H$ can also be formulated as a tuple $(Flow, Jump, Init, UnSafe)$, where $Flow \subseteq S \times \mathbb{R}^k$, $Jump \subseteq S \times S$, $Init \subseteq S$, and $UnSafe \subseteq S$.
Definition 3.
1. A flow of length $l$ in a mode $m$ is a function $r : [0, l] \mapsto S$ such that
- $(r(t), \dot{r}(t)) \in Flow$, where $\dot{r}(t)$ denotes the derivative of the projection of $r$ to its continuous part, and
- for all $t \in [0, l]$, the mode of $r(t)$ is $m$.
For simplicity, for a flow $r$, we will use $len(r)$ to denote its length and $m(r)$ its mode.
2. A trajectory of $H$ is a finite sequence of flows $\sigma = r_0, r_1, \ldots, r_p$ such that:
- $len(r_i) = l_i$ for all $i = 0, \ldots, p$,
- if $i > 0$, $(r_{i-1}(l_{i-1}), r_i(0)) \in Jump$ for all $i = 1, \ldots, p$,
- if $l_i > 0$ then for all $t \in [0, l_i]$, $(m(r_i), r_i(t), \dot{r}_i(t)) \in Flow$, where $\dot{r}_i$ is the derivative of the projection of $r_i$ to its continuous part.
3. A hybrid system $H = (Flow, Jump, Init, UnSafe)$ is safe if and only if there is no trajectory $r_0, \ldots, r_p$ of $H$ such that $r_0(0)$ is in $Init$ and $r_p(l)$ is in $UnSafe$, where $l$ is the length of $r_p$.
The semantics of a hybrid system is a transition system with an uncountable set of states. Formally, the semantics of a hybrid system $H = (Flow, Jump, Init, UnSafe)$ is a transition system $M(H) = (S, S_{Init}, Steps, S_{UnSafe})$ where $S = M \times I_1 \times \cdots \times I_k$, $S_{Init} = \{s \in S : s \text{ satisfies } Init\}$, $S_{UnSafe} = \{s \in S : s \text{ satisfies } UnSafe\}$, and $Steps$ is defined as the union of two transition relations $Steps_C$ and $Steps_D$, where $Steps_C \subseteq S \times S$ corresponds to transitions due to continuous flows and is defined by:
$((m, \vec{x}), (m, \vec{x}')) \in Steps_C$ if there exists a trajectory $\sigma = r_0$ (i.e., a flow $r_0$) such that $m(r_0) = m$, $r_0(0) = \vec{x}$ and $r_0(len(r_0)) = \vec{x}'$,
and $Steps_D \subseteq S \times S$ corresponds to transitions due to discrete jumps and is defined by:
$((m, \vec{x}), (m', \vec{x}')) \in Steps_D$ if $((m, \vec{x}), (m', \vec{x}')) \in Jump$.
It is well-known that checking whether a hybrid system is safe is an undecidable problem (Henzinger et al., 1998). However, in practice we are not interested in a hybrid system whose safety changes under small perturbations. Hence, it is sufficient to have an algorithm that can prove safety for systems whose safety does not change under small perturbations.
In order to introduce the notion of perturbations, we first define a distance measure on constraints as follows.
Definition 4.
1. The distance between two atomic arithmetic constraints $e\,r\,c$ and $e'\,r'\,c'$ is defined by $d(e, r, c, e', r', c') \doteq \infty$, if $e \neq e'$ or $r \neq r'$, and $|c - c'|$, otherwise.
2. The distance between two mode constraints $m = m_1$ and $m = m_2$ is $\infty$ if $m_1 \neq m_2$ and $0$, otherwise.
3. The distance between two constraints $\phi$ and $\phi'$ is defined by $d(\phi, \phi') \doteq \infty$, if $\phi$ and $\phi'$ have a different Boolean structure or do not have mode constraints at the same place, and the maximum of the distances between two corresponding atomic (arithmetic or mode) constraints, otherwise.
Now, after denoting the distance between two vectors $\vec{x}$ and $\vec{x}'$ to be
$$d(\vec{x}, \vec{x}') = \|\vec{x} - \vec{x}'\|_\infty = \max_{1 \leq i \leq k} |x_i - x'_i|,$$
based on Definition 4, we can define the notion of an $\varepsilon$-perturbed solution set as follows.
Definition 5. A set $P$ is an $\varepsilon$-perturbed solution set of a constraint $\phi$ if and only if
1. for every $\vec{x} \in P$, there is a constraint $\phi'$ with $d(\phi, \phi') \leq \varepsilon$ and an $\vec{x}'$ with $d(\vec{x}, \vec{x}') \leq \varepsilon$ such that $\phi'(\vec{x}')$ holds.
2. for every $\vec{x} \notin P$, there is a constraint $\phi'$ with $d(\phi, \phi') \leq \varepsilon$ and an $\vec{x}'$ with $d(\vec{x}, \vec{x}') \leq \varepsilon$ such that $\phi'(\vec{x}')$ does not hold.
Example 1. Consider the constraint $\phi$ defined by $x = 0$. Clearly, $\{x : x = 0\}$ is an $\varepsilon$-perturbed solution set due to the following:
1. for $x = 0$, choosing $\phi$ as $\phi'$ and $x$ as $x'$, $d(\phi, \phi') = 0 < \varepsilon$, $d(x, x') = 0 < \varepsilon$, and $\phi'(x')$ holds.
2. for any $x \neq 0$, choosing $\phi$ as $\phi'$ and $x$ as $x'$, $d(\phi, \phi') = 0 < \varepsilon$, $d(x, x') = 0 < \varepsilon$, and $\phi'(x')$ does not hold.
Moreover, $P = \{x : x = \varepsilon\}$ with $\varepsilon > 0$ is also an $\varepsilon$-perturbed solution set due to:
1. for $x = \varepsilon$, choosing $x = \varepsilon/2$ as $\phi'$ and $x' = \varepsilon/2$, $d(\phi, \phi') = \varepsilon/2 < \varepsilon$, $d(x, x') = \varepsilon/2 < \varepsilon$, and $\phi'(x')$ holds.
2. for any $x \neq \varepsilon$, choosing $x = \varepsilon/2$ as $\phi'$ and $x' = x - \varepsilon/2$, $d(\phi, \phi') = \varepsilon/2 < \varepsilon$, $d(x, x') = \varepsilon/2 < \varepsilon$, and $\phi'(x')$ does not hold.
Example 2. Consider another constraint $\phi$ defined by $x^2 < 0$. Clearly, its solution set is empty and $\emptyset$ is an $\varepsilon$-perturbed solution set of $\phi$. Moreover, $P = \{x : x^2 < \varepsilon\}$ is also an $\varepsilon$-perturbed solution set of $\phi$ due to:
1. for every $x \in P$, choosing $x^2 < \varepsilon$ as $\phi'$ and $x' = \min\{\varepsilon + x, \varepsilon\}$, $d(\phi, \phi') = \varepsilon$, $d(x, x') \leq \varepsilon$, and $\phi'(x')$ holds.
2. for every $x$ such that $x \geq \sqrt{\varepsilon}$, choosing $x^2 < \varepsilon$ as $\phi'$ and $x' = x + \varepsilon$, $d(\phi, \phi') = \varepsilon$, $d(x, x') = \varepsilon$, and $\phi'(x')$ does not hold.
3. for every $x$ such that $x \leq -\sqrt{\varepsilon}$, choosing $x^2 < \varepsilon$ as $\phi'$ and $x' = x - \varepsilon$, $d(\phi, \phi') = \varepsilon$, $d(x, x') = \varepsilon$, and $\phi'(x')$ does not hold.
Definition 5 is extended for hybrid systems with small perturbations as follows.
Definition 6. A hybrid system $H_\varepsilon = (Flow_\varepsilon, Jump_\varepsilon, Init_\varepsilon, UnSafe_\varepsilon)$ is an $\varepsilon$-perturbed manifestation of a hybrid system $H = (Flow, Jump, Init, UnSafe)$ if and only if $Flow_\varepsilon$, $Jump_\varepsilon$, $Init_\varepsilon$ and $UnSafe_\varepsilon$ are $\varepsilon$-perturbed solution sets of $Flow$, $Jump$, $Init$ and $UnSafe$, respectively.
Definition 6 allows us to define robustness of a hybrid system with the same desired safety property as follows.
Definition 7. A hybrid system $H = (Flow, Jump, Init, UnSafe)$ is robustly safe if and only if there exists a constant $\varepsilon > 0$ such that all its $\varepsilon$-perturbed manifestations $H_\varepsilon = (Flow_\varepsilon, Jump_\varepsilon, Init_\varepsilon, UnSafe_\varepsilon)$ are safe.
Example 3. Consider the hybrid system $H = (Flow, Jump, Init, UnSafe)$, where $Flow$ is $\dot{x} = 0$, $Jump$ is $\emptyset$, $Init$ is $x = 0$, and $UnSafe$ is $x = 1$. Clearly, this hybrid system $H$ is safe. However, $H' = (\dot{x} = \varepsilon, \emptyset, x = 0, x = 1)$ with $\varepsilon > 0$ is an $\varepsilon$-perturbed manifestation of $H$ but not safe, implying that $H$ is not robustly safe.
3 CONSTRAINT BASED
ABSTRACTION REFINEMENT
In this section we describe a constraint based algorithm for safety verification of hybrid systems based on the abstraction refinement technique. That is, we abstract a hybrid system to a finite transition system (the abstraction) which is defined to be:
Definition 8. A transition system over a finite set $\Sigma$ is a tuple $(Trans, Init, Unsafe)$ where $Trans \subseteq \Sigma \times \Sigma$, $Init \subseteq \Sigma$, and $Unsafe \subseteq \Sigma$. We call the set $\Sigma$ the state space of the system.
In contrast to Definition 2, here the state space is a parameter. This will allow us to add/remove states to the state space during abstraction refinement.
Definition 9. A trajectory of a transition system $(Trans, Init, Unsafe)$ over a set $\Sigma$ is a function $r : \{0, \ldots, p\} \mapsto \Sigma$ such that for all $t \in \{1, \ldots, p\}$, $(r(t-1), r(t)) \in Trans$. The system is safe if and only if there is no trajectory from an element of $Init$ to an element of $Unsafe$.
When we use abstraction to analyze hybrid systems, the abstraction should over-approximate the concrete system in a conservative way: if the abstraction is safe, then the original system should also be safe. If the current abstraction is not yet safe, we refine the abstraction, that is, we include more information about the concrete system into it. This results in Algorithm 1.
Algorithm 1: Abstraction Refinement.
Input: a hybrid system H described by constraints
Output: “safe”, if the algorithm terminates
let A be an abstraction of the hybrid system H
while A is not safe do
refine the abstraction A
end while
In order to implement this algorithm, we need to fix the state space of the abstract system. Here we use pairs $(m, B)$, where $m$ is one of the modes $\{m_1, \ldots, m_n\}$ and $B$ is a hyper-rectangle (box), representing subsets of the concrete state space $S$. Together with an abstract state, we store the information whether it is initial or unsafe and the information from which other states it is reachable. We call such information the marks of the state. For the initial abstraction we use the state space $\{(m_i, \{\vec{x} \mid (m_i, \vec{x}) \in S\}) \mid 1 \leq i \leq n\}$, where all states are marked as initial and unsafe, and all transitions between states are possible.
For refining the abstraction, we split a box into two pieces, replace one abstract state by two, and include more information from the concrete system into the abstract one by removing unreachable elements from the boxes, removing superfluous marks from the new abstract states, and removing unreachable states from the abstraction.
To remove unreachable elements from the boxes representing the abstraction, we use a constraint that formalizes when an element of the concrete state space might be reachable, and then remove elements that do not fulfill this constraint. In order to do this, for a box $B = [\underline{x}_1, \overline{x}_1] \times \cdots \times [\underline{x}_k, \overline{x}_k]$, we let its $j$-th lower face be $[\underline{x}_1, \overline{x}_1] \times \cdots \times [\underline{x}_j, \underline{x}_j] \times \cdots \times [\underline{x}_k, \overline{x}_k]$ and its $j$-th upper face be $[\underline{x}_1, \overline{x}_1] \times \cdots \times [\overline{x}_j, \overline{x}_j] \times \cdots \times [\underline{x}_k, \overline{x}_k]$. Note that two boxes in the same mode are non-overlapping if their interiors are disjoint.
Observe that a point in a box $B$ is reachable only if it is reachable either from the initial set via a flow in $B$, from a jump via a flow in $B$, or from a neighboring box via a flow in $B$. So we can formulate constraints corresponding to each of these conditions and then remove points from boxes that do not fulfill at least one of these constraints. For this, we first give a constraint describing flows within boxes as follows, which has been described in (Ratschan and She, 2006).
Lemma 1. For a box $B \subseteq \mathbb{R}^k$ and a mode $m$, if there is a flow in $B$ and $m$ from a point $\vec{x} = (x_1, \ldots, x_k)^T \in B$ to a point $\vec{y} = (y_1, \ldots, y_k)^T \in B$ such that for every point $\vec{u}$ on the flow with its derivative $\dot{\vec{u}}$, $(m, \vec{u}, \dot{\vec{u}})$ satisfies the flow constraint $Flow(m, \vec{x}, \dot{\vec{x}})$, then
$$\exists t \in \mathbb{R}_{\geq 0}\,[\,flow_B(t, \vec{x}, \vec{y})\,], \quad (1)$$
where $flow_B(t, \vec{x}, \vec{y})$ denotes
$$\bigwedge_{1 \leq i \leq k} \exists a_1, \ldots, a_k, \dot{a}_1, \ldots, \dot{a}_k\,[\,(a_1, \ldots, a_k) \in B \wedge Flow(m, (a_1, \ldots, a_k), (\dot{a}_1, \ldots, \dot{a}_k)) \wedge y_i = x_i + \dot{a}_i \cdot t\,].$$
We denote the above constraint by $Reach_B(m, \vec{x}, \vec{y})$. Notice that in Lemma 1, the state $(m, \vec{y})$ is assumed to be reachable from $(m, \vec{x})$ via a flow in $B$. However, the information on the state $(m, \vec{x})$ is missing, which in fact is required to be reachable via a trajectory starting from the initial set. Without loss of generality, we can beforehand assume that we already have a constraint $Reachable_{\mathcal{B}}(m, \vec{x})$ describing that $(m, \vec{x})$ is reachable from the initial set. Thus, the above three possibilities for reachability allow us to formulate the following theorem:
Theorem 1. For a set of abstract states $\mathcal{B}$, a pair $(m', B') \in \mathcal{B}$ and a point $\vec{z} \in B'$, if $(m', \vec{z})$ is reachable and $\vec{z}$ is not an element of the box of any other abstract state in $\mathcal{B}$, then
$$Ifl_{B'}(m', \vec{z}) \;\vee \bigvee_{(m, B) \in \mathcal{B}} Jfl_{B, B'}(m, m', \vec{z}) \;\vee \bigvee_{(m, B) \in \mathcal{B},\; m = m',\; B \neq B'} Bfl_{B, B'}(m', \vec{z}),$$
where $Ifl_{B'}(m', \vec{z})$, $Jfl_{B, B'}(m, m', \vec{z})$, and $Bfl_{B, B'}(m', \vec{z})$ denote the following three constraints, respectively:
$$\exists \vec{x} \in B'\,[\,Init(m', \vec{x}) \wedge Reach_{B'}(m', \vec{x}, \vec{z})\,],$$
$$\exists \vec{x} \in B\; \exists \vec{x}' \in B'\,[\,Reachable_{\mathcal{B}}(m, \vec{x}) \wedge Jump(m, \vec{x}, m', \vec{x}') \wedge Reach_{B'}(m', \vec{x}', \vec{z})\,],$$
$$\exists \vec{x} \in B \cap B'\,\Big[\,Reachable_{\mathcal{B}}(m, \vec{x}) \wedge \Big[\bigvee_{\text{faces } F \text{ of } B'} [\,\vec{x} \in F \wedge in^{F}_{m', B'}(\vec{x})\,]\Big] \wedge Reach_{B'}(m', \vec{x}, \vec{z})\,\Big].$$
Here, $in^{F}_{m', B'}(\vec{x}) = \exists \dot{x}_1, \ldots, \dot{x}_k\,[\,Flow(m', \vec{x}, (\dot{x}_1, \ldots, \dot{x}_k)) \wedge \dot{x}_j \geq 0\,]$ if $F$ is the $j$-th lower face of $B'$, and $in^{F}_{m', B'}(\vec{x}) = \exists \dot{x}_1, \ldots, \dot{x}_k\,[\,Flow(m', \vec{x}, (\dot{x}_1, \ldots, \dot{x}_k)) \wedge \dot{x}_j \leq 0\,]$ if $F$ is the $j$-th upper face of $B'$.
Based on Theorem 1, if we can prove that a certain point does not fulfill the big constraint in Theorem 1, we know that it is not reachable from the set of initial states. However, the big constraint is not first-order, since it uses some defined predicates (e.g., $Reachable_{\mathcal{B}}$ and faces $F$ of $B'$). Thus, we need to eliminate the defined predicates by substituting the constraints implied by their definitions. For this, we first have to fix a certain constraint for $Reachable_{\mathcal{B}}(m, \vec{x})$.
As an over-approximation, the first and simplest choice is to define the constraint $Reachable_{\mathcal{B}}(m, \vec{x})$ as $\vec{x} \in B$ and denote the resulting constraint by $Reachable^{0}_{\mathcal{B}, B'}(m', \vec{z})$. We have studied this case with computational examples in (Ratschan and She, 2005; Ratschan and She, 2007; Ratschan and She, 2007a; Ratschan and She, 2006) by using a pruning algorithm (Ratschan, 2002) that takes a constraint and an abstract state $(m', B')$ and returns a sub-box of $B'$ that still contains all the solutions of the constraint in $B'$.
By using the pruning algorithm, we can get a new $B'$ by removing certain points that are not reachable and thus do not fulfill the constraint $Reachable^{0}_{\mathcal{B}, B'}(m', \vec{z})$. Since the constraint $Reachable^{0}_{\mathcal{B}, B'}(m', \vec{z})$ depends on all current abstract states, a change of $B'$ might allow further pruning of other abstract states. So we can repeat pruning until a fixpoint is reached. For a given set of abstract states $\mathcal{B}$, we denote the resulting fixpoint by $Prune_H(\mathcal{B})$. Moreover, since we do not need to consider unreachable parts of the state space in the abstraction, we can do the operation $\mathcal{B} \leftarrow Prune_H(\mathcal{B})$ anywhere in Algorithm 1. We do this at the beginning, and each time $\mathcal{B}$ is refined by splitting a box.
Thus, the abstraction over $Prune_H(\mathcal{B})$ for $H$ is constructed as follows:
1. mark an abstract state $(m', B')$ as initial if we cannot disprove $Ifl_{B'}(m', \vec{z})$ in Theorem 1;
2. mark an abstract state $(m', B')$ as unsafe if we cannot disprove the constraint $\exists \vec{x} \in B'\; UnSafe(m', \vec{x})$;
3. let $Trans = Trans_C \cup Trans_D$, where $Trans_C$ corresponds to the transitions due to the continuous flows, $Trans_D$ corresponds to the transitions due to the discrete jumps, and $Trans_C$ and $Trans_D$ are computed according to the following cases:
- $m = m'$ and $B = B'$: $((m, B), (m, B)) \in Trans_C$;
- $m = m'$, $B \neq B'$ and we cannot disprove the constraint $Bfl_{B, B'}(m, \vec{z})$ in Theorem 1: $((m, B), (m, B')) \in Trans_C$;
- if we cannot disprove the constraint $\exists \vec{x} \in B\; \exists \vec{x}' \in B'\; Jfl_{B, B'}(m, \vec{x}, m', \vec{x}')$ in Theorem 1: $((m, B), (m', B')) \in Trans_D$.
The above abstraction is easily computed since the set of abstract states is finite. Denoting the resulting transition system by $Abstract_H(\mathcal{B})$, we have that:
Theorem 2. (Ratschan and She, 2007) For a hybrid system $H$ and a set of abstract states $\mathcal{B}$, containing all elements of the state space reachable from the initial set, such that all boxes corresponding to the same mode are non-overlapping, the safety of $Abstract_H(\mathcal{B})$ implies the safety of the hybrid system $H$.
Based on the first choice, our second choice is to substitute $Reachable^{0}_{\mathcal{B}, B}(m, \vec{x})$ for $Reachable_{\mathcal{B}}(m, \vec{x})$ in the big constraint in Theorem 1, resulting in a constraint $Reachable^{1}_{\mathcal{B}, B'}(m', \vec{z})$.
Similarly, by recursion, we have constraints $Reachable^{i}_{\mathcal{B}, B'}(m', \vec{z})$ with $i \in \{0, 1, \ldots\}$. Clearly, all these constraints also fulfill Theorem 1.
Since $Reachable^{i}_{\mathcal{B}, B'}(m', \vec{z})$ with $i \geq 1$ is a very large constraint, we will avoid directly disproving such a constraint by computing an over-approximation of the reach set on the boundary of $B$, arriving at the following constraint that expresses a disjunction over all faces:
$$\bigvee_{F \text{ face of } B} \Big[\, \vec{x} \in F \wedge Reachable^{0}_{\mathcal{B}, B}(m', \vec{x}) \,\Big].$$
We denote it by $reachbound_{\mathcal{B}, B}(m', \vec{x})$, and for each face $F$ of $B$, we denote the corresponding disjunct by $reachbound_{\mathcal{B}, B, F}(m', \vec{x})$. Since the disjuncts only depend on one box, we have to apply the pruning algorithm only for one abstract state, and we can store the resulting faces with that abstract state and use such information in the constraint $Bfl_{B, B'}(m', \vec{z})$. Since these faces enclose the set of states where a flow might leave the abstract state, we call them the outflow-faces of the abstract state (cf. the use of faces in the analysis of rectangular automata (Preußig et al., 1998) and the use of faces for CEGAR based reachability analysis in Algorithm 4 in (Klaedtke et al., 2007)). Note that this recursive reasoning based method with computational examples has also been described in (Ratschan and She, 2008) and implemented in (Ratschan and She, 2007a).
3.1 A Remedy for Reducing the
Wrapping Effect
We have introduced a recursive reasoning based method for safety verification of hybrid systems above. However, box splitting in some cases will still lead to a worse over-approximation (Preußig et al., 1998). This phenomenon is called the wrapping effect (Neumaier, 1993), which is illustrated by the following example.
Example 4. Consider a box $[0,2] \times [0,2] \times [0,4]$ and let the initial set be $F_I = \{0 \leq x \leq 1 \wedge y = 0 \wedge t = 0\}$ and the flow constraint be $\phi = \{\dot{x} = \dot{y} = \dot{t} = 1\}$. Clearly, the exact reachable set on the face is $F_E = \{x = 2 \wedge y = t \wedge 1 \leq y \leq 2\}$.
However, after using the recursive version on the original box, we get a box $[0,2] \times [0,2] \times [0,2]$ as the over-approximative reachable set. The over-approximative reachable set on the face is $F_{R,1} = \{x = 2 \wedge 1 \leq y \leq 2 \wedge 1 \leq t \leq 2\}$.
Split $[0,2] \times [0,2] \times [0,2]$ into the following four boxes:
$B_1 = [0,1] \times [0,1] \times [0,2]$, $B_2 = [0,1] \times [1,2] \times [0,2]$, $B_3 = [1,2] \times [0,1] \times [0,2]$, $B_4 = [1,2] \times [1,2] \times [0,2]$.
Using our recursive version again, we get the following three boxes:
$B_1 = [0,1] \times [0,1] \times [0,1]$, $B_3 = [1,2] \times [0,1] \times [0,2]$, $B_4 = [1,2] \times [1,2] \times [0,2]$.
Associated with these three boxes, we have the following faces:
$F_I = \{0 \leq x \leq 1 \wedge y = 0 \wedge t = 0\}$; $F_1 = \{x = 1 \wedge 0 \leq y \leq 1 \wedge 0 \leq t \leq 1\}$; $F_2 = \{1 \leq x \leq 2 \wedge y = 1 \wedge 0 \leq t \leq 2\}$; $F_{R,2} = \{x = 2 \wedge 1 \leq y \leq 2 \wedge 0 \leq t \leq 2\}$.
Clearly, $F_E \subseteq F_{R,1} \subseteq F_{R,2}$.
So, in this subsection we provide a remedy for reducing the wrapping effect. Specifically, we improve the recursive reasoning by four complements, which are described in detail as follows:
1. For each abstract state $(m, B) \in \mathcal{B}$, we first compute the intervals for the corresponding components of the derivatives of the states in $(m, B)$. That is, we apply our pruning algorithm to the following constraint and $\mathbb{R}^k$:
$$\exists a_1, \ldots, a_k\,[\,(a_1, \ldots, a_k) \in B \wedge Flow(m, (a_1, \ldots, a_k), (\dot{a}_1, \ldots, \dot{a}_k))\,] \quad (2)$$
to obtain a box containing all the solutions on $\dot{a}_1, \ldots, \dot{a}_k$ satisfying the above constraint. We denote this resulting box by $\dot{B}$. This information has in fact been computed when we apply our pruning algorithm to the big constraint in Theorem 1 and $(m, B)$. So, we just need to store this computed information and do not need to apply our pruning algorithm once more.
2. For each $(m, B)$, letting $\dot{B} = \dot{B}_1 \times \cdots \times \dot{B}_k = [\underline{\dot{a}}_1, \overline{\dot{a}}_1] \times \cdots \times [\underline{\dot{a}}_k, \overline{\dot{a}}_k]$ in $Reach_B(m, \vec{x}, \vec{y})$, we arrive at
$$\exists t \in \mathbb{R}_{\geq 0}\; \bigwedge_{1 \leq i \leq k} \exists \dot{a}_i\,[\,\underline{\dot{a}}_i \leq \dot{a}_i \leq \overline{\dot{a}}_i \wedge y_i = x_i + \dot{a}_i \cdot t\,]. \quad (3)$$
We denote this constraint by $Reach'_B(m, \vec{x}, \vec{y})$. Then, we use $Reach'_B(m, \vec{x}, \vec{y})$ instead of $Reach_B(m, \vec{x}, \vec{y})$ in $reachbound_{\mathcal{B}, B, F}(m', \vec{x})$ to get a new constraint, which is denoted by $reachbound'_{\mathcal{B}, B, F}(m', \vec{x})$.
3. For every predicate of the form $\vec{x} \in B$ in $reachbound'_{\mathcal{B}, B, F}(m', \vec{x})$, where $B = [\underline{x}_1, \overline{x}_1] \times \cdots \times [\underline{x}_k, \overline{x}_k]$, we will replace it by $\bigwedge_{i=1}^{k} \underline{x}_i \leq x_i \leq \overline{x}_i$, arriving at the constraint $reachbound''_{\mathcal{B}, B, F}(m', \vec{x})$. Then, we apply a quantifier elimination method to $reachbound''_{\mathcal{B}, B, F}(m', \vec{x})$ to compute the reachable states on the face $F$, which will be discussed in Subsection 3.2. Note that in this way, for every face $F$, we get the exact solutions of $\vec{x}$ to the constraint $reachbound''_{\mathcal{B}, B, F}(m', \vec{x})$, which describes the reachable information on the face $F$. Moreover, note that for abstract states marked as initial or reachable with jumps, we do not need to recompute the exact solution set on the faces but directly use the over-approximations instead, which can be easily understood after the termination analysis in Section 4.
4. We use the reachable information on the faces in the constraint $Bfl_{B, B'}(m', \vec{z})$ for further computation until a fixpoint is reached.
Now, for Example 4, starting with the initial abstraction, after applying the above improvement, the over-approximative reachable set on the face is computed to be
$$F_R = \{x = 2 \wedge y = t \wedge 1 \leq y \leq 2\},$$
which is the exact reachable set $F_E$.
Clearly, except for the initial constraint and the jump constraint, every arithmetic expression in the constraint $reachbound''_{\mathcal{B}, B, F}(m', \vec{x})$ is either a linear equality or a linear inequality. Hence, the solution set to $reachbound''_{\mathcal{B}, B, F}(m', \vec{x})$ can be easily computed by quantifier elimination. Note that we do not directly apply quantifier elimination to $reachbound_{\mathcal{B}, B, F}(m', \vec{x})$ due to the fact that the flow constraint used in $Reach_B(m, \vec{x}, \vec{y})$ may be non-polynomial.
Thus, based on the above four complements, letting $Abstract'_H(\mathcal{B})$ be the resulting system, we have the following theorem, which is similar to Theorem 2.
Theorem 3. For a hybrid system $H$ and a set of abstract states $\mathcal{B}$, containing all elements of the state space reachable from the initial set, such that all boxes corresponding to the same mode are non-overlapping, the safety of $Abstract'_H(\mathcal{B})$ implies the safety of the hybrid system $H$.
3.2 Quantifier Elimination
In this subsection, we will discuss how to apply the quantifier elimination mentioned in Subsection 3.1.
We first assume that $\dot{B} = \dot{B}_1 \times \cdots \times \dot{B}_k$ is the box obtained by applying the pruning algorithm to Constraint (2) and $\mathbb{R}^k$. Let $I$ be the set $\{i : 0 \in \dot{B}_i\}$. Without loss of generality, let $I = \{i_1, \ldots, i_m\}$ and consider the following constraint:
$$\exists t \in \mathbb{R}_{\geq 0}\,\Big[\, \bigwedge_{\substack{1 \leq j \leq k \\ j \notin \{i_1, \ldots, i_m\}}} \exists \dot{a}_j\,[\,\underline{\dot{a}}_j \leq \dot{a}_j \leq \overline{\dot{a}}_j \wedge y_j = x_j + \dot{a}_j \cdot t\,] \;\wedge \bigwedge_{j \in \{i_1, \ldots, i_m\}} \exists \dot{a}_j\,[\,\underline{\dot{a}}_j \leq \dot{a}_j \leq \overline{\dot{a}}_j \wedge y_j = x_j + \dot{a}_j \cdot t\,] \,\Big]. \quad (4)$$
Clearly, $t$ in Constraint (4) can be easily eliminated. Moreover, the $x_i$ and $y_i$ satisfying the constraint lie in a polyhedron defined by a combination of linear (in)equalities over $\vec{x}$ and $\vec{y}$.
Specifically, this combination has
1. $(k - m)(k - m - 1)/2$ (in)equalities of the form
$$\frac{\underline{\dot{a}}_i}{\overline{\dot{a}}_j}\,(y_j - x_j) \leq (y_i - x_i) \leq \frac{\overline{\dot{a}}_i}{\underline{\dot{a}}_j}\,(y_j - x_j), \text{ if } \dot{a}_i \cdot \dot{a}_j > 0 \text{ (the rate intervals } \dot{B}_i \text{ and } \dot{B}_j \text{ have the same sign), or}$$
$$\frac{\underline{\dot{a}}_i}{\underline{\dot{a}}_j}\,(y_j - x_j) \leq (y_i - x_i) \leq \frac{\overline{\dot{a}}_i}{\overline{\dot{a}}_j}\,(y_j - x_j), \text{ if } \dot{a}_i \cdot \dot{a}_j < 0,$$
where $i, j \in \{1, \ldots, k\} \setminus \{i_1, \ldots, i_m\}$, $i \neq j$,
2. $(k - m)m$ (in)equalities of the form
$$\frac{\underline{\dot{a}}_i}{\underline{\dot{a}}_j}\,(y_j - x_j) \leq (y_i - x_i) \leq \frac{\overline{\dot{a}}_i}{\underline{\dot{a}}_j}\,(y_j - x_j), \text{ if } \dot{a}_j > 0, \text{ or}$$
$$\frac{\underline{\dot{a}}_i}{\overline{\dot{a}}_j}\,(y_j - x_j) \leq (y_i - x_i) \leq \frac{\overline{\dot{a}}_i}{\overline{\dot{a}}_j}\,(y_j - x_j), \text{ if } \dot{a}_j < 0,$$
where $j \in \{1, \ldots, k\} \setminus \{i_1, \ldots, i_m\}$, $i \in \{i_1, \ldots, i_m\}$, and
3. $(k - m)$ (in)equalities of the form $y_i - x_i \geq 0$ or $y_i - x_i \leq 0$, which are determined by the signs of the rate intervals.
If the solution set for $\vec{x}$ is defined by a polyhedron which is formulated by a combination of linear (in)equalities over $\vec{x}$, the solution set for $\vec{y}$ will also be formulated by a combination of linear (in)equalities over $\vec{y}$, implying that the solution set for $\vec{y}$ is also defined by a polyhedron.
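As an added illustration (not code from the paper), the following Python carries Example 4 through the elimination of this subsection: it eliminates the flow time $t$ from Constraint (3) with Fourier-Motzkin elimination (a general substitute for the explicit (in)equality listing above, my own choice), yielding the exact polyhedral reach set, and contrasts it with the per-coordinate box hull that interval reasoning keeps, which is where the wrapping effect of Subsection 3.1 comes from. Function names, the encoding of inequalities, and the constructed Example 4 data are assumptions of this example.

```python
from fractions import Fraction as Fr
from itertools import product

# A linear inequality  sum(coef[v] * v) <= rhs  is stored as (coef, rhs)
# over exact rationals; an equality is stored as two opposite inequalities.

def leq(coef, rhs):
    return ({v: Fr(a) for v, a in coef.items() if a != 0}, Fr(rhs))

def eq(coef, rhs):
    return [leq(coef, rhs), leq({v: -a for v, a in coef.items()}, -rhs)]

def fm_eliminate(ineqs, var):
    """One Fourier-Motzkin step: drop `var`, keeping the exact projection."""
    pos = [(c, r) for c, r in ineqs if c.get(var, 0) > 0]
    neg = [(c, r) for c, r in ineqs if c.get(var, 0) < 0]
    out = [(c, r) for c, r in ineqs if c.get(var, 0) == 0]
    for (cp, rp), (cn, rn) in product(pos, neg):
        ap, an = cp[var], -cn[var]          # scale so the var coefficients cancel
        coef = {}
        for v in set(cp) | set(cn):
            a = an * cp.get(v, 0) + ap * cn.get(v, 0)
            if v != var and a != 0:
                coef[v] = a
        out.append((coef, an * rp + ap * rn))
    # keep "0 <= negative" (an infeasibility witness), drop "0 <= nonnegative"
    return [(c, r) for c, r in out if c or r < 0]

def project(ineqs, keep):
    for v in sorted({v for c, _ in ineqs for v in c} - set(keep)):
        ineqs = fm_eliminate(ineqs, v)
    return ineqs

def satisfies(ineqs, point):
    return all(sum(a * Fr(point.get(v, 0)) for v, a in c.items()) <= r
               for c, r in ineqs)

def bounds(ineqs, var):
    """Tightest lo <= var <= hi implied by the polyhedron (a box-hull component)."""
    lo, hi = None, None
    for c, r in project(ineqs, [var]):
        a = c.get(var, 0)
        if a > 0:
            hi = r / a if hi is None else min(hi, r / a)
        elif a < 0:
            lo = r / a if lo is None else max(lo, r / a)
    return lo, hi

def box_hull(ineqs, names):
    """What an interval method retains: each coordinate's range, correlations lost."""
    return {v: bounds(ineqs, v) for v in names}

def reach_polyhedron(start, rates, box):
    """Constraint (3) with the flow time t eliminated: every y reachable inside
    `box` from the polyhedron `start` (over x1..xk) when each rate a_i stays in
    its interval [lo_i, hi_i].  The result is a polyhedron over y1..yk."""
    k = len(rates)
    xs, ys = [f"x{i+1}" for i in range(k)], [f"y{i+1}" for i in range(k)]
    sys_ = list(start) + [leq({"t": -1}, 0)]               # t >= 0
    for xi, yi, (lo, hi), (blo, bhi) in zip(xs, ys, rates, box):
        sys_.append(leq({yi: -1, xi: 1, "t": lo}, 0))      # lo * t <= y_i - x_i
        sys_.append(leq({yi: 1, xi: -1, "t": -hi}, 0))     # y_i - x_i <= hi * t
        sys_ += [leq({yi: -1}, -blo), leq({yi: 1}, bhi)]   # end point stays in B
    return project(sys_, ys)

def on_face(poly, var, value):
    return poly + eq({var: 1}, value)

# Constructed data of Example 4: box [0,2]x[0,2]x[0,4], flow xdot = ydot = tdot = 1,
# initial face F_I = {0 <= x <= 1, y = 0, t = 0}.  x1, x2, x3 stand for the
# paper's state variables x, y, t; the variable "t" above is the flow duration.
def example4():
    f_i = ([leq({"x1": -1}, 0), leq({"x1": 1}, 1)]
           + eq({"x2": 1}, 0) + eq({"x3": 1}, 0))
    return reach_polyhedron(f_i, [(1, 1), (1, 1), (1, 1)], [(0, 2), (0, 2), (0, 4)])

if __name__ == "__main__":
    poly = example4()
    print("box hull of reach set:", box_hull(poly, ["y1", "y2", "y3"]))
    face = on_face(poly, "y1", 2)                 # the face x = 2
    print("box hull on face (F_{R,1}):", box_hull(face, ["y2", "y3"]))
    print("(2, 1, 2) exactly reachable?", satisfies(face, {"y1": 2, "y2": 1, "y3": 2}))
```

The box hull of the reach set is the paper's $[0,2] \times [0,2] \times [0,2]$ and its restriction to the face is $F_{R,1}$, while the polyhedron itself keeps $y = t$ and so rejects points such as $(2, 1, 2)$ that the box hull admits.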
4 TERMINATION ANALYSIS FOR
SAFETY VERIFICATION
In this section, we will analyze the termination of our abstraction refinement based procedure for robustly safe hybrid systems, associated with the remedy described in Subsection 3.1. Note that we here simply assume that the continuous behaviors evolve according to differential equations, that is, we only consider deterministic continuous evolutions. The non-deterministic cases can be handled similarly.
Without loss of generality, we assume that in the flow constraint, the right side of the implication is of the form $\dot{\vec{x}} - f_m(\vec{x}) = 0$, where $f_m$ is Lipschitz on $I_1 \times \cdots \times I_k$ with the Lipschitz constant $L_m$. Let $L = \max_{m \in M} L_m$. In addition, let $d(B) = \max_{\vec{x}, \vec{x}' \in B} d(\vec{x}, \vec{x}')$ and $d(\mathcal{B}) = \max_{B \in \mathcal{B}} d(B)$. Moreover, for two sets $A$ and $B$ with $B \subseteq A$, let $d(A, B) = \sup_{\vec{x} \in A} \inf_{\vec{x}' \in B} d(\vec{x}, \vec{x}')$.
For every mode $m$ and box $B$, let $\phi(m, B)$ be the solution set of $\phi_{(m,B)}$ in $\mathbb{R}^k$ and $Prune(\phi_{(m,B)}, \mathbb{R}^k)$ be the result of applying our interval based pruning algorithm to $\phi_{(m,B)}$ and $\mathbb{R}^k$. Due to the convergence of the interval based pruning algorithm (Ratschan, 2002; Damm et al., 2007), we have:
Theorem 4. (Ratschan, 2002; Damm et al., 2007) For every mode $m$ and box $B$,
$$\lim_{d(B) \to 0} d\big(Prune(\phi_{(m,B)}, \mathbb{R}^k), \phi(m, B)\big) = 0.$$
Assume that the system $H = (\mathrm{Flow},\mathrm{Jump},\mathrm{Init},\mathrm{UnSafe})$ is robustly safe, that is, there is an $\varepsilon$ such that all its $\varepsilon$-perturbed manifestations $H_\varepsilon$ are also safe. In addition, we assume that for each refinement step, the abstraction computed by our improved procedure is $\mathrm{Abstract}_{\mathcal{B}}(H) = (\mathrm{Trans}', \mathrm{Init}', \mathrm{UnSafe}')$ with $\mathrm{Trans}' = \mathrm{Trans}'_C \cup \mathrm{Trans}'_D$, where $\mathrm{Trans}'_C$ corresponds to flows and $\mathrm{Trans}'_D$ corresponds to jumps.

Due to Theorem 4, for the given constant $\varepsilon/3$, there is a $\sigma_1$ such that when $d(B) \le \sigma_1$, $d(\mathrm{Prune}(\varphi_{(m,B)}, \mathbb{R}^k), \varphi(m,B)) \le \varepsilon/3$. Letting $\varepsilon_1 = \min\{\sigma_1, \varepsilon/3\}$, we can beforehand assume that $d(\mathcal{B}) \le \sigma = \min\{\frac{\varepsilon_1}{kL}, \varepsilon_1\}$.
Without loss of generality, let us first assume that the solution set of $\mathrm{Jump}(m,\vec{x},m',\vec{x}')$ is empty. Let $\mathrm{Init}_\varepsilon$ be the set $\{(m,\vec{x}) : d(\vec{x},\vec{x}^*) \le \varepsilon,\ \mathrm{Init}(m,\vec{x}^*)\}$. Clearly, $\mathrm{Init} \subseteq \mathrm{Init}_\varepsilon$. Moreover, $\mathrm{Init}_\varepsilon$ is an $\varepsilon$-perturbed solution set of $\mathrm{Init}$, because:

1. for every $\vec{x} \in \mathrm{Init}_\varepsilon$, choosing $\mathrm{Init}$ as $\varphi'$ and an $\vec{x}^*$ such that $d(\vec{x},\vec{x}^*) \le \varepsilon$ and $\mathrm{Init}(m,\vec{x}^*)$ as $\vec{x}'$, we have $d(\mathrm{Init},\varphi') = 0 \le \varepsilon$ and $\varphi'(m,\vec{x}')$ holds;
2. for every $\vec{x} \notin \mathrm{Init}_\varepsilon$, choosing $\mathrm{Init}$ as $\varphi'$ and $\vec{x}$ as $\vec{x}'$, we have $d(\mathrm{Init},\varphi') = 0 \le \varepsilon$, $d(\vec{x},\vec{x}') = 0 \le \varepsilon$ and $\mathrm{Init}(m,\vec{x})$ does not hold.

Similarly, let $\mathrm{UnSafe}_\varepsilon$ be the set $\{(m,\vec{x}) : d(\vec{x},\vec{x}^*) \le \varepsilon,\ \mathrm{UnSafe}(m,\vec{x}^*)\}$. Then $\mathrm{UnSafe} \subseteq \mathrm{UnSafe}_\varepsilon$ and $\mathrm{UnSafe}_\varepsilon$ is an $\varepsilon$-perturbed solution set of $\mathrm{UnSafe}$. Let $\mathrm{Flow}_\varepsilon$ be the set $\{(m,\vec{x},\dot{\vec{x}}) : d((\vec{x},\dot{\vec{x}}),(\vec{x}^*,\dot{\vec{x}}^*)) \le \varepsilon,\ \mathrm{Flow}(m,\vec{x}^*,\dot{\vec{x}}^*)\}$. Then $\mathrm{Flow} \subseteq \mathrm{Flow}_\varepsilon$ and $\mathrm{Flow}_\varepsilon$ is an $\varepsilon$-perturbed solution set of $\mathrm{Flow}$.

Now, let $H_\varepsilon = (\mathrm{Init}_\varepsilon, \mathrm{Flow}_\varepsilon, \emptyset, \mathrm{UnSafe}_\varepsilon)$.¹ Clearly, $H_\varepsilon$ is an $\varepsilon$-perturbed manifestation of $H$. Similarly, we can define $H_{\varepsilon_1}$ and $H_{\varepsilon/3}$. In addition, let $\mathrm{ReachSet}_{\varepsilon_1}$, $\mathrm{ReachSet}_{\varepsilon/3}$, and $\mathrm{ReachSet}_\varepsilon$ be the reachable sets of $H_{\varepsilon_1}$, $H_{\varepsilon/3}$, and $H_\varepsilon$, respectively. Clearly, $\mathrm{ReachSet}_{\varepsilon_1} \subseteq \mathrm{ReachSet}_{\varepsilon/3} \subseteq \mathrm{ReachSet}_\varepsilon$.
Since we are only interested in the abstract states that are reachable from $\mathrm{Init}'$, rather than those reachable only through possible loops (or cycles), it is sufficient to consider only the abstract states that are reachable from $\mathrm{Init}'$. That is, letting
$$RS = \{(m,\vec{x}) \mid (m,\vec{x}) \in (m,B),\ (m,B) \in \mathcal{B},\ \text{and } (m,B) \text{ is reachable from } \mathrm{Init}'\},$$
for the termination analysis it is sufficient to prove that $RS \subseteq \mathrm{ReachSet}_\varepsilon$.

For proving that $RS \subseteq \mathrm{ReachSet}_\varepsilon$, we first introduce some notation:

1. For each face $F'$ of $(m',B')$, let $S_{B',F'}$ be the solution set of $\mathrm{reachout}_{\mathcal{B},B',F'}(m',\vec{z})$ in $F'$, obtained by applying the quantifier elimination method introduced in Subsection 3.2.
2. For an arbitrary but fixed state $(m,\vec{x})$, let $B((m,\vec{x}),\sigma)$ be the set $\{(m,\vec{z}) : d((m,\vec{z}),(m,\vec{x})) \le \sigma\}$.
3. For an arbitrary but fixed set $(m,S)$ of states, let $B((m,S),\sigma)$ be the set $\{(m,\vec{z}) : \exists \vec{x} \in S\,[d((m,\vec{z}),(m,\vec{x})) \le \sigma]\}$.

Due to the definitions of $\mathrm{Init}_\varepsilon$ and $\mathrm{Flow}_\varepsilon$, we have the following two lemmas.
Lemma 2. For each $(m,B) \in \mathrm{Init}'$, $(m,B) \subseteq \mathrm{Init}_{\varepsilon_1} \subseteq \mathrm{Init}_\varepsilon$.

Proof. Clearly, $\mathrm{Init}_{\varepsilon_1} \subseteq \mathrm{Init}_\varepsilon$. So, for each $(m,B) \in \mathrm{Init}'$, we only need to prove that $(m,B) \subseteq \mathrm{Init}_{\varepsilon_1}$. For this, it is sufficient to prove that for each $(m,\vec{x}) \in (m,B)$, $(m,\vec{x}) \in \mathrm{Init}_{\varepsilon_1}$. Since $(m,B) \in \mathrm{Init}'$, there is an $\vec{x}^* \in B$ such that $\mathrm{Init}(m,\vec{x}^*)$ holds. Moreover, since $\vec{x},\vec{x}^* \in B$ and $d(B) \le \varepsilon_1$, we have $d(\vec{x},\vec{x}^*) \le \varepsilon_1$. Due to the definition of $\mathrm{Init}_{\varepsilon_1}$, we have proved that for each $(m,\vec{x}) \in (m,B)$, $(m,\vec{x}) \in \mathrm{Init}_{\varepsilon_1}$.
Lemma 3. For each pair $(m',B') \in \mathcal{B}$, assume that $(m',B')$ is reachable from $\mathrm{Init}'$ via finitely many transitions in $\mathrm{Trans}'_C$. Then, for each face $F'$ of $(m',B')$, $S_{B',F'} \subseteq \mathrm{ReachSet}_\varepsilon$ if $S_{B',F'} \ne \emptyset$. Moreover, $B(S_{B',F'},\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$, which implies that $(m',B') \subseteq \mathrm{ReachSet}_\varepsilon$.

¹ In $H_\varepsilon$, due to the definition of $\mathrm{Flow}_\varepsilon$, the continuous evolutions are non-deterministic.
ICINCO 2011 - 8th International Conference on Informatics in Control, Automation and Robotics
258
Proof. We prove it by induction. Letting $(m,B) \in \mathrm{Init}'$, we want to prove that for each face $F$ of $(m,B)$, $F = S_{B,F} \subseteq \mathrm{ReachSet}_\varepsilon$ and $B(F,\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$. According to Lemma 2, $(m,B) \subseteq \mathrm{Init}_{\varepsilon_1} \subseteq \mathrm{ReachSet}_\varepsilon$, which implies that for each face $F$ of $(m,B)$, $S_{B,F} \subseteq \mathrm{ReachSet}_\varepsilon$ and $B(F,\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$.

Assume that $(m,B)$ is reachable from $\mathrm{Init}'$ such that for each face $F$ of $(m,B)$, $(m,S_{B,F}) \subseteq \mathrm{ReachSet}_\varepsilon$ and $B(F,\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$ when $S_{B,F} \ne \emptyset$. First, we want to prove that if $((m,B),(m',B')) \in \mathrm{Trans}'_C$, then for each face $F'$ of $(m',B')$, $S_{B',F'} \subseteq \mathrm{ReachSet}_\varepsilon$ when $S_{B',F'} \ne \emptyset$.

According to Theorem 1 and Eq. (3), if $S_{B',F'}$ is not empty, then for each $(m,\vec{y}) \in S_{B',F'}$, there is a state $(m,\vec{x}) \in S_{B,F}$ such that $\mathrm{Reach}_B(m,\vec{x},\vec{y})$ holds. That is, the following constraint holds:
$$\exists t \in \mathbb{R}_{\ge 0}\ \bigwedge_{1 \le i \le k} \exists \dot a_i\,\big[\underline{\dot a}_i \le \dot a_i \le \overline{\dot a}_i \wedge y_i = x_i + \dot a_i \cdot t\big]. \tag{5}$$
So, it is sufficient to prove that $(m,\vec{y}) \in \mathrm{ReachSet}_\varepsilon$. Equivalently, letting $\dot x_i = \dot a_i$, it is sufficient to prove that $d((\dot a_1,\dots,\dot a_k), f(\vec{y})) \le \varepsilon$, which can be completed by combining the following arguments:

Let $\underline{A}_i = \inf\{\dot a_i : \dot a_i = f_{m,i}(\vec{a}),\ \vec{a} \in B'\}$ and $\overline{A}_i = \sup\{\dot a_i : \dot a_i = f_{m,i}(\vec{a}),\ \vec{a} \in B'\}$. Moreover, let $\vec{y}' \in B'$ be such that $\underline{A}_i = f_{m,i}(\vec{y}')$ and $\vec{x}' \in B'$ be such that $\overline{A}_i = f_{m,i}(\vec{x}')$. Since $f_m$ is Lipschitz with Lipschitz constant $L_m$, $d(\underline{A}_i,\overline{A}_i) = \|f_{m,i}(\vec{y}') - f_{m,i}(\vec{x}')\| \le L\|\vec{y}' - \vec{x}'\|_2 \le kL\,d(\vec{y}',\vec{x}') \le \varepsilon_1$ when $d(B') \le \sigma = \min\{\frac{\varepsilon_1}{kL},\varepsilon_1\}$.

Let $\dot B = [\underline{\dot a}_1,\overline{\dot a}_1] \times \cdots \times [\underline{\dot a}_k,\overline{\dot a}_k]$ be the result of applying our interval based pruning algorithm. Since $d(B') \le \sigma$, due to Theorem 4 and our assumptions, $d(\underline{\dot a}_i,\underline{A}_i) \le \varepsilon/3$ and $d(\overline{\dot a}_i,\overline{A}_i) \le \varepsilon/3$.

If $\dot a_i \in [\underline{\dot a}_i,\underline{A}_i]$, then $d(\dot a_i, f_{m,i}(\vec{y})) \le d(\dot a_i,\underline{A}_i) + d(\underline{A}_i, f_{m,i}(\vec{y})) \le \varepsilon/3 + \varepsilon_1$; if $\dot a_i \in [\overline{A}_i,\overline{\dot a}_i]$, then $d(\dot a_i, f_{m,i}(\vec{y})) \le d(\dot a_i,\overline{A}_i) + d(\overline{A}_i, f_{m,i}(\vec{y})) \le \varepsilon/3 + \varepsilon_1$; and if $\dot a_i \in [\underline{A}_i,\overline{A}_i]$, then $d(\dot a_i, f_{m,i}(\vec{y})) \le d(\underline{A}_i,\overline{A}_i) \le \varepsilon_1$.

Thus, due to the above arguments, we have proved that for each face $F'$ of $(m',B')$, $S_{B',F'} \subseteq \mathrm{ReachSet}_{3\varepsilon_1}$ when $S_{B',F'} \ne \emptyset$.
Second, we want to prove that $B(S_{B',F'},\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$. For every arbitrary but fixed state $(m',\vec{y}') \in B(S_{B',F'},\sigma)$, there exists a state $(m',\vec{y}) \in S_{B',F'}$ such that $d(\vec{y},\vec{y}') \le \sigma$. According to the definition of $S_{B',F'}$, there is a state $(m,\vec{x}) \in S_{B,F}$ such that $(m',\vec{y})$ is reachable from $(m,\vec{x})$ via a flow determined by $\dot{\vec{x}} = \dot{\vec{a}}$, where $\dot{\vec{a}}_i$, $i = 1,\dots,k$, is the same as the one occurring in Eq. (5). Clearly, $(m',\vec{y}')$ is reachable from the state $(m,\vec{x} + \vec{y}' - \vec{y})$ via the flow determined by $\dot{\vec{x}} = \dot{\vec{a}}$. Since $B(S_{B,F},\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$, $d(f_m(\vec{y}), f_m(\vec{y}')) \le kL\,d(\vec{y},\vec{y}') \le \varepsilon_1$ when $d(\mathcal{B}) \le \sigma = \min\{\frac{\varepsilon_1}{kL},\varepsilon_1\}$, and thus
$$d(\dot{\vec{a}}, f_m(\vec{y}')) \le d(\dot{\vec{a}}, f_m(\vec{y})) + d(f_m(\vec{y}), f_m(\vec{y}')) \le \varepsilon/3 + 2\varepsilon_1 \le \varepsilon,$$
implying that $(m',\vec{y}') \in \mathrm{ReachSet}_\varepsilon$. Thus, $B(S_{B',F'},\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$.

Third, since $d(\mathcal{B}) \le \sigma$, $(m',B') \subseteq B(S_{B',F'},\sigma)$, which implies that $(m',B') \subseteq \mathrm{ReachSet}_\varepsilon$.

Thus, by the above induction, we have completed the proof.
Now, consider the case that $\mathrm{Jump}(m,\vec{x},m',\vec{x}')$ is non-empty. Let
$$\mathrm{Jump}_\varepsilon = \{((m,\vec{x}),(m',\vec{x}')) : d((\vec{x},\vec{x}'),(\vec{x}^*,\vec{x}'^*)) \le \varepsilon,\ \mathrm{Jump}(m,\vec{x}^*,m',\vec{x}'^*)\}.$$
Clearly, $\mathrm{Jump} \subseteq \mathrm{Jump}_\varepsilon$. Moreover, $\mathrm{Jump}_\varepsilon$ is an $\varepsilon$-perturbed solution set of $\mathrm{Jump}$. Similarly, we can define $\mathrm{Jump}_{\varepsilon_1}$ and $\mathrm{Jump}_{2\varepsilon_1}$.

Due to the definition of $\mathrm{Jump}_\varepsilon$, we have the following lemmas.
Lemma 4. For each pair $((m,B),(m',B')) \in \mathrm{Trans}'_D$, $((m,B),(m',B')) \subseteq \mathrm{Jump}_{\varepsilon_1} \subseteq \mathrm{Jump}_\varepsilon$. Moreover, $((m,B),B((m',B'),\varepsilon_1)) \subseteq \mathrm{Jump}_{2\varepsilon_1} \subseteq \mathrm{Jump}_\varepsilon$.

Proof. Clearly, $\mathrm{Jump}_{\varepsilon_1} \subseteq \mathrm{Jump}_{2\varepsilon_1} \subseteq \mathrm{Jump}_\varepsilon$. For each pair $((m,B),(m',B')) \in \mathrm{Trans}'_D$, we first want to prove that for each $((m,\vec{x}),(m',\vec{x}')) \in ((m,B),(m',B'))$, $((m,\vec{x}),(m',\vec{x}')) \in \mathrm{Jump}_{\varepsilon_1}$. Since $((m,B),(m',B')) \in \mathrm{Trans}'_D$, there is a pair $(\vec{x}^*,\vec{x}'^*) \in (B,B')$ such that the constraint $\mathrm{Jump}(m,\vec{x}^*,m',\vec{x}'^*)$ holds. Moreover, since $\vec{x},\vec{x}^* \in B$, $\vec{x}',\vec{x}'^* \in B'$, $d(B) \le \varepsilon_1$, and $d(B') \le \varepsilon_1$, we have $d(\vec{x},\vec{x}^*) \le \varepsilon_1$ and $d(\vec{x}',\vec{x}'^*) \le \varepsilon_1$. Due to the definition of $\mathrm{Jump}_{\varepsilon_1}$, $((m,\vec{x}),(m',\vec{x}')) \in \mathrm{Jump}_{\varepsilon_1}$. Thus, $((m,B),(m',B')) \subseteq \mathrm{Jump}_{\varepsilon_1}$.

Similarly, we can prove that for each $((m,\vec{x}),(m',\vec{x}')) \in ((m,B),B((m',B'),\varepsilon_1))$, $((m,\vec{x}),(m',\vec{x}')) \in \mathrm{Jump}_{2\varepsilon_1}$. Thus, $((m,B),B((m',B'),\varepsilon_1)) \subseteq \mathrm{Jump}_{2\varepsilon_1}$.
Based on Lemma 4, we can easily extend Lemma 3 to the case that the solution set of $\mathrm{Jump}(m,\vec{x},m',\vec{x}')$ is not empty.

Lemma 5. For each $(m',B') \in \mathcal{B}$, assume that $(m',B')$ is reachable from $\mathrm{Init}'$. Then for each face $F'$ of $(m',B')$, $S_{B',F'} \subseteq \mathrm{ReachSet}_\varepsilon$ when $S_{B',F'} \ne \emptyset$. Moreover, $B(S_{B',F'},\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$, implying that $(m',B') \subseteq \mathrm{ReachSet}_\varepsilon$.
Proof. Since $(m',B')$ is reachable from $\mathrm{Init}'$, there is a trajectory $r$ such that $(m_0,B_0) \in \mathrm{Init}'$, $((m_i,B_i),(m_{i+1},B_{i+1})) \in \mathrm{Trans}'$ for $i = 0,\dots,p-1$, and $(m_p,B_p) = (m',B')$. For proving that for each face $F'$ of $(m',B')$, $S_{B',F'} \subseteq \mathrm{ReachSet}_\varepsilon$ when $S_{B',F'} \ne \emptyset$, we proceed as follows.

First, assume that there is a certain $j$ such that $((m_j,B_j),(m_{j+1},B_{j+1})) \in \mathrm{Trans}'_D$ (or possibly $((m_j,B_j),(m_j,B_j)) \in \mathrm{Trans}'_D$), and for all $l$ with $0 \le l < j$, $((m_l,B_l),(m_{l+1},B_{l+1})) \in \mathrm{Trans}'_C$, $((m_l,B_l),(m_l,B_l)) \notin \mathrm{Trans}'_D$ and $((m_l,B_l),(m_{l+1},B_{l+1})) \notin \mathrm{Trans}'_D$. By Lemma 3, $S_{B_{j-1},\,B_{j-1} \cap B_j} \subseteq \mathrm{ReachSet}_\varepsilon$ and $B(S_{B_{j-1},\,B_{j-1} \cap B_j},\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$. Since $(m_j,B_j) \subseteq B(S_{B_{j-1},\,B_{j-1} \cap B_j},\sigma)$, $(m_j,B_j) \subseteq \mathrm{ReachSet}_\varepsilon$. From Lemma 4, if $((m_j,B_j),(m_{j+1},B_{j+1})) \in \mathrm{Trans}'_D$, then $(m_{j+1},B_{j+1}) \subseteq \mathrm{ReachSet}_\varepsilon$ and also $B((m_{j+1},B_{j+1}),\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$; if $((m_j,B_j),(m_j,B_j)) \in \mathrm{Trans}'_D$, also $B((m_j,B_j),\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$.
Second, let $I$ be the set
$$\{i : 0 \le i \le p-1,\ ((m_i,B_i),(m_{i+1},B_{i+1})) \in \mathrm{Trans}'_D \text{ or } ((m_i,B_i),(m_i,B_i)) \in \mathrm{Trans}'_D\}$$
and $q$ be the number of elements in $I$. Assuming that the elements of $I$ are $l_1,\dots,l_q$ with $l_1 \le \cdots \le l_q$, we divide the trajectory into $q+1$ parts (i.e., $r_0, r_1, r_2, \dots, r_q$) such that

- for $0 \le i \le l_1$, $r_0(i) = r(i)$;
- for each $k \in \{1,2,\dots,q-1\}$: if $((m_{l_k},B_{l_k}),(m_{l_k},B_{l_k})) \in \mathrm{Trans}'_D$, then for each $0 \le i \le l_{k+1} - l_k$, $r_k(i) = r(l_k + i)$; if $((m_{l_k},B_{l_k}),(m_{l_k+1},B_{l_k+1})) \in \mathrm{Trans}'_D$, then for each $0 \le i \le l_{k+1} - l_k - 1$, $r_k(i) = r(l_k + i + 1)$;
- if $((m_{l_q},B_{l_q}),(m_{l_q},B_{l_q})) \in \mathrm{Trans}'_D$, then for each $0 \le i \le p - l_q$, $r_q(i) = r(l_q + i)$; if $((m_{l_q},B_{l_q}),(m_{l_q+1},B_{l_q+1})) \in \mathrm{Trans}'_D$, then for each $0 \le i \le p - l_q - 1$, $r_q(i) = r(l_q + i + 1)$.

Due to Lemma 3, $r_0(l_1) \subseteq \mathrm{ReachSet}_\varepsilon$. From Lemma 4, $r_1(0) \subseteq \mathrm{ReachSet}_\varepsilon$ and $B(r_1(0),\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$. Again, based on Lemmas 3 and 4, by induction and by proceeding in the same way as in the proof of Lemma 3 and in the first step above, we obtain that for each face $F'$ of $(m',B')$, $S_{B',F'} \subseteq \mathrm{ReachSet}_\varepsilon$ and $B(S_{B',F'},\sigma) \subseteq \mathrm{ReachSet}_\varepsilon$ when $S_{B',F'} \ne \emptyset$. Moreover, since $d(\mathcal{B}) \le \sigma$, $(m',B') \subseteq B(S_{B',F'},\sigma)$, which implies that $(m',B') \subseteq \mathrm{ReachSet}_\varepsilon$.
Due to the definition of $\mathrm{UnSafe}_\varepsilon$ and the similarity to Lemma 2, we have the following lemma.

Lemma 6. For each $(m,B) \in \mathrm{UnSafe}'$, $(m,B) \subseteq \mathrm{UnSafe}_{\varepsilon_1} \subseteq \mathrm{UnSafe}_\varepsilon$.

Thus, based on Lemmas 2, 5 and 6, we reach the main result of this paper:

Theorem 5. If $H_\varepsilon$ is safe, then $\mathrm{Abstract}_H(\mathcal{B})$ with $d(\mathcal{B}) \le \sigma$ is also safe, which implies that the abstraction refinement procedure terminates and returns the positive answer.

Proof. Assume that $\mathrm{Abstract}_H(\mathcal{B})$ with $d(\mathcal{B}) \le \sigma$ is unsafe. We want to deduce a contradiction. Since $H_\varepsilon$ is safe, $\mathrm{Init}' \cap \mathrm{UnSafe}' = \emptyset$ when $d(\mathcal{B}) \le \sigma$. Thus, there is a trajectory $r$ from $\mathrm{Init}'$ to $\mathrm{UnSafe}'$ such that $r(0) \in \mathrm{Init}'$, $r(p) \in \mathrm{UnSafe}'$, and for all $i \in \{1,\dots,p-1\}$, $r(i) \notin \mathrm{UnSafe}'$. Due to Lemma 5, $r(p) \subseteq \mathrm{ReachSet}_\varepsilon$. Due to Lemma 6, $r(p) \subseteq \mathrm{UnSafe}_{\varepsilon_1} \subseteq \mathrm{UnSafe}_\varepsilon$, implying that $H_\varepsilon$ is unsafe, contradicting the condition that $H_\varepsilon$ is safe. Thus, we have proved that if $H_\varepsilon$ is safe, then $\mathrm{Abstract}_H(\mathcal{B})$ with $d(\mathcal{B}) \le \sigma$ is also safe. Therefore, our abstraction refinement process terminates and returns the positive answer.

From Theorem 5, we know that for a robustly safe hybrid system, our constraint based abstraction refinement procedure with our remedy will eventually terminate.
5 CONCLUSIONS
Safety verification of hybrid systems is in general un-
decidable. Due to practical applications, it is suffi-
cient to only consider robustly safe hybrid systems in
which a slight perturbation is guaranteed to result in
the same desired safety property. In this paper, we
provide a constraint based abstraction refinement for
safety verification of nonlinear hybrid systems by re-
moving states that do not fulfill the reachability con-
straint. Moreover, we propose a remedy to reduce the
wrapping effect caused by our interval based abstrac-
tion refinement. Based on this remedy, we prove that
our refinement procedure will terminate for robustly
safe nonlinear hybrid systems.
ACKNOWLEDGEMENTS
This work was supported by NSFC-61003021 and
Beijing Nova Program. Moreover, the author thanks
Dr. Stefan Ratschan for his generous help.
REFERENCES
Alur, R. and Courcoubetis, C. and Halbwachs, N. and Hen-
zinger,T. A. and Ho,P.-H. and Nicollin, X. and Oliv-
ero, A. and Sifakis, J. and Yovine, S. 1995. The algo-
rithmic analysis of hybrid systems. Theoretical Com-
puter Science, 138: 3–34.
Damm, W. and Pinto, G. and Ratschan, S. 2007. Guaran-
teed termination in the verification of LTL properties
of non-linear robust discrete time hybrid systems. In-
ternational Journal of Foundations of Computer Sci-
ence (IJFCS), 18(1): 63–86.
Fehnker, A. and Ivančić, F. 2004. Benchmarks for hybrid
systems verification. In R. Alur and G. J. Pappas, edi-
tors, HSCC’04, LNCS, Vol. 2993, Springer.
Fränzle, M. 2001. What will be eventually true of
polynomial hybrid automata. In N. Kobayashi and
B. C. Pierce, editors, Theoretical Aspects of Computer
Software (TACS 2001), LNCS, Vol. 2215, Springer-
Verlag.
Frehse, G. 2008. Phaver: algorithmic verification of hy-
brid systems past hytech. International Journal on
Software Tools for Technology Transfer (STTT), 10(3):
263–279.
Girard, A. and Pappas, G. 2006. Verification using simula-
tion. In J. Hespanha and A. Tiwari, editors, HSCC’06,
LNCS, Vol. 3927, pp. 272–286.
Henzinger, T. A. and Kopke, P. W. and Puri, A. and Varaiya,
P. 1998. What’s decidable about hybrid automata.
Journal of Computer and System Sciences, 57: 94–
124.
Henzinger, T. A. and Raskin, J.-F. 2000. Robust undecid-
ability of timed and hybrid systems. In N. Lynch and
B. Krogh, editors, Proc. HSCC’00, LNCS, Vol. 1790,
Springer.
Julius, A. A. and Fainekos, G. E. and Anand, M. and Lee,
I. and Pappas, G. J. 2007. Robust test generation and
coverage for hybrid systems. In A. Bemporad, A. Bic-
chi, and G. Buttazzo, editors, Hybrid Systems: Com-
putation and Control, LNCS, Vol. 4416, pp. 329–242,
Springer.
Klaedtke, F. and Ratschan, S. and She, Z. 2007. Language-
based abstraction refinement for hybrid system veri-
fication. In Proceedings of the Eighth International
Conference on Verification, Model Checking and Ab-
straction Interpretation, LNCS, Vol. 4349, pp. 151–
166, Springer.
Lafferriere, G. and Pappas, G. J. and Yovine, S. 1999. A
new class of decidable hybrid systems. In HSCC, pp.
137–151.
Neumaier, A. 1993. The wrapping effect, ellipsoid arith-
metic, stability and confidence regions. Computing
Supplementum, 9: 175–190.
Preußig, J. and Kowalewski, S. and Wong-Toi, H. and Hen-
zinger, T. 1998. An algorithm for the approximative
analysis of rectangular automata. In 5th Int. School
and Symp. on Formal Techniques in Fault Tolerant and
Real Time Systems, LNCS, Vol. 1486, Springer.
Ratschan, S. 2006. Efficient solving of quantified inequality
constraints over the real numbers. ACM Transactions
on Computational Logic, 7(4): 723–748.
Ratschan, S. and She, Z. 2007a. HSOLVER.
http://hsolver.sourceforge.net. Software package.
Ratschan, S. and She, Z. 2005. Safety verification of hybrid
systems by constraint propagation based abstraction
refinement. In M. Morari and L. Thiele, editors, Hy-
brid Systems: Computation and Control, LNCS, Vol.
3414, pp. 573–589, Springer.
Ratschan, S. and She, Z., 2006. Constraints for continuous
reachability in the verification of hybrid systems. In
Proc. 8th Int. Conf. on Artif. Intell. and Symb. Comp.,
AISC’2006, LNCS, Vol. 4120, pp. 196–210, Springer.
Ratschan, S. and She, Z., 2007. Safety verification of hybrid
systems by constraint propagation-based abstraction
refinement. ACM Transactions on Embedded Com-
puting Systems, 6(1).
Ratschan, S. and She, Z., 2008. Recursive and back-
ward reasoning in the verification on hybrid systems.
In Proceedings of the Fifth International Conference
on Informatics in Control, Automaton and Robotics,
Vol. 4, INSTICC Press.
She, Z. and Zheng, Z. 2008. Tightened reachability con-
straints for the verification of linear hybrid systems.
Nonlinear Analysis: Hybrid Systems, 2(4): 1222–
1231.
Van der Schaft, A. J. and Schumacher, J. M. 2000. An In-
troduction to Hybrid Dynamical Systems. Springer.