Automated and Formal Synthesis of Neural Barrier Certificates for Dynamical Models
Andrea Peruffo, Daniele Ahmed, Alessandro Abate
Department of Computer Science, University of Oxford, Parks Road, OX1 3QD
{name.surname}@cs.ox.ac.uk
Amazon Inc., London, UK
Abstract.
We introduce an automated, formal, counterexample-based approach to synthesise Barrier Certificates (BC) for the safety verification of continuous and hybrid dynamical models. The approach is underpinned by an inductive framework: this is structured as a sequential loop between a learner, which manipulates a candidate BC as a neural network, and a sound verifier, which either certifies the candidate's validity through algorithmic proofs or generates counter-examples to further guide the learner. We compare the approach against state-of-the-art techniques, over polynomial and non-polynomial dynamical models: the outcomes show that we can synthesise sound BCs up to two orders of magnitude faster, with in particular a stark speedup on the verification engine (up to five orders less), whilst needing a far smaller data set (up to three orders less) for the learning part. Beyond the state of the art, we further challenge the (verification side of the) approach on a hybrid dynamical model.
Barrier Certificates (BC) are an effective and powerful technique to prove safety properties on models of continuous and hybrid dynamical systems [19,20]. Whenever one exists, a BC partitions the state space of the model into two parts, ensuring that all trajectories starting from a given initial set, located within one side of the BC, cannot reach a given set of states (deemed to be unsafe), located on the other side. A successful synthesis of a BC (usually not a unique object) thus represents a formal proof of safety for the dynamical model. This work addresses the safety of systems modelled by non-linear differential equations (ODE), and presents a novel method for the automated and formal synthesis of BC. Our new approach leverages Satisfiability Modulo Theory (SMT) and inductive reasoning (CEGIS, Figure 1, introduced later) to guarantee the formal correctness of the synthesis procedure: this soundness prevents algorithmic or numerical errors related to BC synthesis [9].

Background

A few techniques have been developed to synthesise BC. For polynomial models, sum-of-squares (SOS) and semi-definite programming relaxations [9,13,15,26] convert the BC synthesis problem into constraints expressed as linear or bilinear matrix inequalities, which are however solved numerically and unsoundly. To increase scalability and to enhance expressiveness, numerous barrier formats have been considered: BC based on exponential conditions are presented in [13]; BC based on Darboux polynomials are outlined in [30]; [27] newly introduces a multi-dimensional generalisation of BC, thus broadening their scope and applicability. BC can also be used to verify the safety of uncertain (e.g. parametric) models [18].
BC find various applications spanning robotics, multi-agent systems, and biology [6,29]. Model invariants (namely, regions that provably contain the model trajectories) can be employed as BC, though their synthesis is less general, as it does not comprise the unsafe set: [17] introduces a fixpoint algorithm to find algebraic-differential invariants for hybrid models; invariants can be characterised analytically [3] or synthesised computationally [7]. Invariants can alternatively be studied via Lyapunov theory [4], which provides stability guarantees for dynamical models, and can thus characterise invariants (and barriers) as side products. Whilst Lyapunov theory is classically approached either analytically (explicit synthesis) or numerically (with unsound techniques), relevant to the automated and sound results of this work, Lyapunov function synthesis has recently been studied via SMT. In [25], Lyapunov functions are soundly found within a parametric framework, by constructing a system of linear inequality constraints over unknown coefficients. Similarly, [21,22,23] employ a counterexample-based approach to synthesise Lyapunov functions.
Fig. 1.
Schematic representation of the CEGIS loop.
Contributions
We introduce a method that efficiently exploits machine learning, whilst guaranteeing formal proofs of correctness via SMT. We follow a CounterExample-Guided Inductive Synthesis (CEGIS) procedure [28], which is structured as an inductive loop between a learner and a verifier (cf. Fig. 1). The learner numerically trains a neural network (NN) to fit the conditions for a BC, expressed as a loss function; a verifier, through an SMT solver, then either formally proves the candidate's validity or provides a counter-example, where the barrier conditions are violated, that is passed back to the learner. Our synthesis method for neural BC is formally sound and fully automatic, and is shown to be much faster, and to require evidently less data, than state-of-the-art cognate results.
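The loop just described can be illustrated end-to-end on a toy one-dimensional system. Everything below is our simplification for exposition, not the paper's implementation: the "learner" tunes a single parameter of a quadratic template (rather than training a NN), and the "verifier" is a grid falsifier standing in for a sound SMT solver.

```python
# Toy CEGIS loop for x' = -x on X = [-3, 3], with X0 = [-0.5, 0.5] and
# Xu = {|x| >= 2}. The candidate barrier template is B(x) = x^2 - r.
def f(x):          # system dynamics
    return -x

def make_B(r):
    B    = lambda x: x * x - r
    Bdot = lambda x: 2 * x * f(x)   # Lie derivative: dB/dx * f(x)
    return B, Bdot

def verifier(B, Bdot, n=601):
    """Grid falsifier over X (an unsound stand-in for an SMT solver)."""
    for i in range(n):
        x = -3 + 6 * i / (n - 1)
        if abs(x) <= 0.5 and B(x) > 0:          # x in X0: B must be <= 0
            return x
        if abs(x) >= 2 and B(x) <= 0:           # x in Xu: B must be > 0
            return x
        if abs(B(x)) < 1e-3 and Bdot(x) > 0:    # near B = 0: Bdot <= 0
            return x
    return None                                  # no counter-example found

def cegis(r0=0.0, max_iters=50):
    r = r0
    for _ in range(max_iters):
        B, Bdot = make_B(r)
        cex = verifier(B, Bdot)
        if cex is None:
            return r                             # candidate certified
        # crude "learning" step: nudge r to repair the violation at cex
        if abs(cex) <= 0.5:
            r = cex * cex + 0.1                  # push B(cex) below zero
        else:
            r = cex * cex - 0.1                  # push B(cex) above zero
    return None

r = cegis()
print(r is not None and 0.25 <= r < 4)  # True
```

Any r in [0.25, 4) yields a valid barrier for this system, and the loop terminates after a single counter-example; the paper's learner and verifier are of course far richer, but the exchange of candidates and counter-examples is exactly this.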
Beyond the State of the Art
Cognate work [31] presents a method to compute BC using neural networks and to verify their correctness a-posteriori: as such, it does not generate counter-examples within an inductive loop, as in this work. [31] considers large sample sets that are randomly divided into batches and fed to a feed-forward NN; the verification at the end of the (rather long) training either validates the candidate, or invalidates it, whereupon the training starts anew on the same dataset. In Section 4 the method in [31] is shown to be slower (both in the training and in the verification), and to require more data, than the CEGIS-based approach underpinning this work, which furthermore introduces numerous bespoke optimisations, as outlined in Section 3: our CEGIS-based technique exploits fast learning, fast verification, and an enhanced communication between these two components.

Related to the work on BC is the synthesis of Lyapunov functions, mentioned above. The construction of Lyapunov Neural Networks (LNNs) has been studied with approaches based on simulations and numerical optimisation, which are formally unsound [24]. Formal methods for Lyapunov synthesis are introduced in [4], together with a counterexample-based approach using polynomial candidates. The work is later extended in [1], which employs NN as candidates. The generation of control Lyapunov functions using counterexample-based NN is similarly considered in [8], however by means of differing architectural details and with a different SMT solver.
We address the safety verification of continuous-time dynamical models by designing barrier certificates (BC) over the continuous state space X of the model. We consider n-dimensional dynamical models described by

    ẋ(t) = dx/dt = f(x),   x(0) = x_0 ∈ X_0 ⊂ X,    (1)

where f : X → R^n is a continuous vector field, X ⊆ R^n is an open set defining the state space of the system, and X_0 represents the set of initial states. Given model (1) and an unsafe set X_u ⊂ X, the safety verification problem concerns checking whether or not trajectories of the model originating from X_0 can reach the unsafe region X_u. BC offer a sufficient condition asserting the safety of the model.

Definition 1. The Lie derivative of a continuously differentiable scalar function B : X → R, with respect to a vector field f, is defined as

    Ḃ(x) = ∇B(x) · f(x) = Σ_{i=1}^n (∂B/∂x_i)(dx_i/dt) = Σ_{i=1}^n (∂B/∂x_i) f_i(x).    (2)

Intuitively, this derivative denotes the rate of change of the function B along the model trajectories.

Proposition 1 (Barrier Certificate for Safety Verification, [19]). Let the model in (1) and the sets X, X_0 and X_u be given. Suppose there exists a function B : X → R that is differentiable with respect to its argument and satisfies the following conditions:

    B(x) ≤ 0   ∀ x ∈ X_0,
    B(x) > 0   ∀ x ∈ X_u,
    Ḃ(x) ≤ 0   ∀ x ∈ X s.t. B(x) = 0;    (3)

then the safety of the model is guaranteed. That is, there exists no trajectory of the model contained in X, starting from an initial state in X_0, that ever enters the set X_u.

Consider a trajectory x(t) starting at x(0) ∈ X_0, and the evolution of B(x(t)) along this trajectory. Whilst the first of the three conditions guarantees that B(x(0)) ≤ 0, the last condition asserts that the value of B(x(t)) along a trajectory x(t) cannot become positive. Hence such a trajectory x(t) cannot enter the set X_u, where B(x) > 0 (second condition), thus ensuring the safety of the model.

We introduce an automated and formal approach for the construction of barrier certificates (BC) that are expressed as feed-forward neural networks (NN). The procedure leverages CEGIS (see Fig. 1) [28], an automated and sound procedure for solving second-order logic synthesis problems, which comprises two interacting parts. The first component is a learner, which provides candidate BC functions by training a NN over a finite set of sample inputs. The candidate is passed to the second component, a verifier, which acts as an oracle: either it proves that the solution is valid, or it finds one (or more) instances (called counter-examples) where the candidate BC does not comply with the required conditions.
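As a concrete instance of Proposition 1, consider a hypothetical 2-dimensional system ẋ = −x with candidate B(x) = |x|² − 1: the Lie derivative of Eq. (2) is Ḃ(x) = ∇B · f = 2x · (−x) = −2|x|², never positive, and the three conditions can be spot-checked numerically (the sets and sample counts below are our illustrative choices):

```python
# Hypothetical example of Proposition 1: f(x) = -x, B(x) = |x|^2 - 1,
# with X0 = {|x| <= 0.5} and Xu = {|x| >= 1.5}.
import math, random

def B(x):
    return x[0] ** 2 + x[1] ** 2 - 1.0

def Bdot(x):
    # grad B = (2*x1, 2*x2); f(x) = (-x1, -x2)  =>  Bdot = -2*|x|^2
    return 2 * x[0] * (-x[0]) + 2 * x[1] * (-x[1])

random.seed(0)
ok = True
for _ in range(10_000):
    x = (random.uniform(-2, 2), random.uniform(-2, 2))
    r = math.hypot(x[0], x[1])
    if r <= 0.5 and not B(x) <= 0:                 # condition on X0
        ok = False
    if r >= 1.5 and not B(x) > 0:                  # condition on Xu
        ok = False
    if abs(B(x)) < 1e-6 and not Bdot(x) <= 0:      # condition on B(x) = 0
        ok = False
print(ok)  # True
```

Here all three conditions in fact hold over the whole domain (B = r² − 1 ≤ −0.75 on X_0, B ≥ 1.25 on X_u, Ḃ ≤ 0 everywhere), so B is a valid barrier certificate for this toy system; sampling of course only illustrates this, it does not prove it.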
The verifier consists of an SMT solver [14], namely an algorithmic decision procedure that extends Boolean SAT problems to richer, more expressive theories, such as linear and non-linear arithmetic.

More precisely, the learner trains a NN composed of n input neurons (this matches the dimension of the model f), k hidden layers, and one output neuron (recall that B(x) is a scalar function): this NN candidate B is required to closely match the conditions in Eq. (3) over a discrete set of samples S, which is initialised randomly. The verifier checks whether the candidate B violates any of the conditions in Eq. (3) over the entire set X and, if so, produces one (or more) counter-examples c. We add c to the sample set S as the loop restarts, hence forcing the NN to be trained also over the generated counter-examples c. This loop repeats until the SMT verifier proves that no counter-examples exist, or until a timeout is reached. CEGIS offers a scalable and flexible alternative for BC synthesis: on the one hand, the learner does not require soundness, and ensures rapid synthesis by exploiting the training of NN architectures; on the other, the algorithm is sound, i.e. a valid output from the SMT-based verifier is provably correct. Of course we cannot claim any completeness, since CEGIS might in general not terminate with a solution, because it operates over a continuous model and its domain X.

The performance of the CEGIS algorithm in practice hinges on the effective exchange of information between the learner and the verifier [2]. A core contribution of this work is to tailor the CEGIS architecture to the problem of BC synthesis: we devise several improvements to NN training, such as a bespoke loss function and a multi-layer NN architecture, together with an informative counter-example generation by the SMT verifier that is adapted to the candidate BC and to the underlying dynamical model. These tailored architectural details yield in practice a rapid and efficient CEGIS loop, which is shown in this work to clearly outperform state-of-the-art methods.

The learner instantiates the candidate BC using the hyper-parameters k and h (depth and width of the NN), trains it over the N samples in the set S, and later refines its training whenever the verifier adds counter-examples to the set S. The class of candidate BC comprises multi-layered, feed-forward NN with polynomial activation functions. Unlike most learning applications, the choice of polynomial activations comes from the need for interpretable outputs from the NN, whose analytical expression must be readily processed by the verifier. Whilst this work emphasises the novel use of polynomial activation functions, we remark that alternatives are possible: in particular, as displayed in one case study, tanh activations are well-suited to our objective, being universal function approximators. The order γ of the polynomial activations is a hyper-parameter fed at the start of the CEGIS procedure. Specifically, we split the i-th hidden layer into γ portions and apply polynomial activations of order j to the neurons of the j-th portion, as shown next.

Example 1 (Polynomial Activations).
Assume a NN composed of one input x, 5 hidden neurons and 1 activation-free output, with γ-th order polynomial activations, γ = 5. We split the hidden layer into γ sub-vectors, each containing one neuron. The hidden layer after the activation results in

    z = [ W^(1)_1 x + b_1,  (W^(1)_2 x + b_2)^2,  (W^(1)_3 x + b_3)^3,  (W^(1)_4 x + b_4)^4,  (W^(1)_5 x + b_5)^5 ]^T,

where W^(1)_i is the i-th row of the first-layer weight matrix, and the b_i form the bias vector.

The learning process updates the NN parameters to improve the satisfaction of the BC conditions in (3): B(x) ≤ 0 for x ∈ X_0, B(x) > 0 for x ∈ X_u, and a negative Lie derivative Ḃ (Eq. (2)) over the set implicitly defined by B(x) = 0. The training minimises a loss comprising three terms, namely

    L = L_0 + L_u + L_d = (1/N) Σ_i [ max{τ_0, B(s_i)} (s_i ∈ X_0) + max{τ_u, −B(s_i)} (s_i ∈ X_u) + max{τ_d, Ḃ(s_i)} (s_i : B(s_i) = 0) ],    (4)

where s_i, i = 1, ..., N, are the samples taken from the set S. The constants τ_0, τ_u, τ_d are offsets, added to improve the numerical stability of the training. Notably, B(x) = 0 is a measure-zero set, thus it is highly unlikely that a single sample s will satisfy B(s) = 0. We then relax this last condition and consider a belt ℬ around B(s) = 0, namely ℬ = {x : |B(x)| ≤ β}, which depends on the hyper-parameter β. Note that we must use continuously differentiable activations throughout, as we require the existence of Lie derivatives (cf. Eq. (2)), and thus cannot leverage simple ReLUs.

Enhanced Loss Functions
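For reference, the split activation of Example 1 and the baseline loss of Eq. (4) can be written out directly; this is a plain-Python sketch with names of our own choosing, not the paper's PyTorch implementation:

```python
# Sketch of Example 1's split polynomial activation and the loss of Eq. (4).
def poly_hidden_layer(x, W, b, gamma=5):
    # the j-th portion of the hidden layer is activated by z -> z**j,
    # for j = 1, ..., gamma (here: one neuron per portion)
    return [(W[j] * x + b[j]) ** (j + 1) for j in range(gamma)]

def loss(B, Bdot, S0, Su, Sbelt, tau0=0.0, tauu=0.0, taud=0.0):
    # L = L0 + Lu + Ld, cf. Eq. (4); belt samples stand in for B(x) = 0
    L0 = sum(max(tau0, B(s)) for s in S0)
    Lu = sum(max(tauu, -B(s)) for s in Su)
    Ld = sum(max(taud, Bdot(s)) for s in Sbelt)
    N = len(S0) + len(Su) + len(Sbelt)
    return (L0 + Lu + Ld) / N

# a candidate that already satisfies the conditions on these few samples
B_ = lambda x: x * x - 1.0            # barrier candidate
Bdot_ = lambda x: 2.0 * x * (-x)      # its Lie derivative for f(x) = -x
print(loss(B_, Bdot_, S0=[0.0, 0.3], Su=[2.0], Sbelt=[1.0]))  # 0.0
```

A zero loss only means the conditions hold on the finite sample set; certifying them over the whole of X is the verifier's job.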
The loss function in Eq. (4) experimentally exhibits possible drawbacks, which suggest a few ameliorations. Terms L_0 and L_u solely penalise samples with an incorrect value of B(x), without rewarding samples with a correct value. The NN thus stops learning as soon as the samples return correct values of B(x), without further increasing the positivity of B over X_u or its negativity over X_0. As such, the training often returns a candidate B(x) with values just below τ_0 in X_0, or just above τ_u in X_u. These candidates are easily falsified, thus potentially leading to a large number of CEGIS iterations.

We improve the learning by adopting a (saturated) Leaky ReLU, hence rewarding samples that evaluate to a correct value of B(x). Noting that

    LeakyReLU(α, x) = ReLU(x) − α ReLU(−x),    (5)

where α is a small positive constant, we rewrite term L_0 as

    L_0 = (1/N) Σ_{s_i ∈ X_0} [ ReLU(B(s_i) − τ_0) − α · satReLU(−B(s_i) + τ_0) ],    (6)

where satReLU is the saturated ReLU function. The term L_u is similarly modified. In view of the composite nature of our training objective, incorrect samples account for the major contribution to the loss function, leading the NN to correct those first. At a second stage, the network finds a direction of improvement by following the leaky portion of the loss function. This portion is saturated to prevent the training from following only one of these directions, without improving the other loss terms.

Another possible drawback of the loss function in (4) derives from the term L_d: it solely accounts for a penalisation of the sample points within ℬ. To quickly and myopically improve the loss function, the training can generate a candidate BC for which no samples are within ℬ; we experimentally find that this behaviour persists, regardless of the value of β. Similarly to L_0 and L_u, we reward the points within the belt that fulfil the BC condition: namely, we solely apply the satReLU function to reward samples s with a negative Ḃ(s), whilst not penalising values Ḃ(s) ≥ 0. The training is thus driven to include more samples in ℬ, guiding towards a negative Ḃ(s), and finally enhancing learning. The expression of L_d results in

    L_d = −(1/N) Σ_{s ∈ ℬ} satReLU(−Ḃ(s) + τ_d).    (7)

Finally, we choose an asymmetric belt ℬ = {x : −β_1 ≤ B(x) ≤ β_2}, with β_2 > β_1 > 0, to both ensure a wider sample set and a stronger safety certificate.

Multi-layer Networks
Polynomial activation functions generate interpretable barrier certificates, with analytical expressions that are readily verifiable by an SMT solver. However, when considering polynomial networks, the use of multi-layer architectures quickly increases the order of the barrier function: a k-layer network with γ-th order activations returns a polynomial of degree γ^k. We have experienced that deep NN provide numerical robustness to our method, although the verification complexity increases with the order of the polynomial activation functions used and with the depth of the NN. As a consequence, our procedure leverages a deep architecture whilst maintaining a low-order polynomial, by interleaving linear and polynomial activations over adjacent layers. Linear activations positively affect the training, providing the robustness needed for the synthesis of BC, without increasing the order through new polynomial terms.

Learning in Separate Batches
The structure of the conditions in (3) and the learning loss in (4) naturally suggests a separate, parallel approach to training. We thus split the dataset S into three batches S_0, S_u and S_x, each including samples belonging to X_0, to X_u and to the complement X \ (X_0 ∪ X_u), respectively. For training, we compute the loss function in a parallel fashion. Similarly, for the verifier, generated counter-examples are added to the relevant batch.

Every candidate BC function B(x) which the learner generates requires to be certified by the verifier. Equivalently, in practice the SMT-based verifier aims at finding states that violate the barrier conditions in (3) over the continuous domain X. To this end, we express the negation of such requirements, and formulate a nonlinear constrained problem over the reals, as

    (x ∈ X_0 ∧ B(x) > 0) ∨ (x ∈ X_u ∧ B(x) ≤ 0) ∨ (B(x) = 0 ∧ Ḃ(x) > 0).    (8)

The verifier searches for solutions of the constraints in Eq. (8): this requires manipulating non-convex functions, in view of our choice of activations. In particular, tanh activations result in a more complex task: whilst still decidable, non-polynomial clauses render the computation NP-hard [14]. On the one hand, the soundness of our CEGIS procedure heavily relies on the correctness of SMT solving: an SMT solver never fails to assert the absence of solutions for (8). As a result, when it states that formula (8) is unsatisfiable, i.e. it returns unsat, B(x) is formally guaranteed to fulfil the BC conditions in Eq. (3). On the other hand, the CEGIS algorithm offers flexibility in the choice of the verifier, hence we implement and discuss two SMT solvers: dReal [12] and Z3 [10]. dReal is a δ-complete solver, namely its unsat decisions are correct [11], whereas when a solution for (8) is found, it comes with a δ-error bound. The value of δ characterises the precision of the procedure.
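The search for a solution of Eq. (8) can be mimicked, purely for illustration, by a naive grid falsifier: unlike the SMT solvers employed in this work, sampling can falsify a candidate but can never soundly conclude unsat. All names and the deliberately broken candidate below are ours.

```python
# Naive numeric falsifier for the negated BC conditions of Eq. (8)
# (illustrative only; a real verifier uses dReal/Z3 to soundly cover
# the whole continuous domain).
def falsify(B, Bdot, in_X0, in_Xu, grid, eps=1e-3):
    """Return a state violating a BC condition, or None if none is found."""
    for x in grid:
        if in_X0(x) and B(x) > 0:               # x in X0  and  B(x) > 0
            return ('init', x)
        if in_Xu(x) and B(x) <= 0:              # x in Xu  and  B(x) <= 0
            return ('unsafe', x)
        if abs(B(x)) < eps and Bdot(x) > 0:     # B(x) = 0 and Bdot(x) > 0
            return ('derivative', x)
    return None

# A broken candidate for x' = -x: B(x) = x^2 - 5 is not positive over
# the whole unsafe set Xu = {|x| >= 2}, so a counter-example appears.
grid = [i / 100 for i in range(-300, 301)]
cex = falsify(lambda x: x * x - 5, lambda x: -2 * x * x,
              in_X0=lambda x: abs(x) <= 0.5, in_Xu=lambda x: abs(x) >= 2,
              grid=grid)
print(cex)  # ('unsafe', -2.23)
```

Such a counter-example is exactly what gets added back to the sample set S in the CEGIS loop; a valid candidate (e.g. B(x) = x² − 1 here) makes the search return None.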
In our setting, it is then possible to obtain spurious counter-examples: nevertheless, these are then used as additional samples and do not invalidate the sound outcomes of the procedure, but rather help synthesising a more robust barrier candidate. dReal is capable of handling non-polynomial terms, such as the exponential or trigonometric vector fields f of some of the models considered in Section 4. Z3 is a powerful, sound and complete SMT solver, namely its conclusions are provably correct both when it determines the validity of a BC candidate and when it provides counter-examples. The shortcoming of Z3 is that it is unable to fully handle non-polynomial formulae.

Prioritisation and Relaxation of Constraints
The effectiveness of the CEGIS framework is underpinned by rapid exchanges between the learner and the verifier, as well as by quick NN training and SMT verification procedures. We have experienced that the bottleneck resides in the handling of the constraint η_d = (B(x) = 0 ∧ Ḃ(x) > 0) by the SMT solver, since the formula contains the high-order expression Ḃ(x) and is defined over the thin region of the state space implicitly characterised by B(x) = 0. As a consequence, we prioritise the constraints η_0 = (x ∈ X_0 ∧ B(x) > 0) and η_u = (x ∈ X_u ∧ B(x) ≤ 0): that is, if either clause is satisfied, i.e. a counter-example is found for at least one of them, the verifier omits testing η_d, whilst the obtained counter-examples are passed to the learner. The constraint η_d is thus checked solely if η_0 and η_u are both deemed unsat. Whenever this occurs and the verification of η_d times out, the solver searches for a solution of the relaxed constraint (|B(x)| < τ_v ∧ Ḃ(x) > 0), similarly to the improved learning conditions discussed in Eq. (7). Whilst this constraint is arguably easier to solve in general, it may generate spurious counter-examples, namely samples x̄ that satisfy the relaxed constraint but such that B(x̄) ≠ 0. The generation of these samples does not contradict the soundness of the procedure, and they are indeed shown to improve the robustness of the next candidate BC; this of course comes at the cost of increasing the number of CEGIS iterations.

Increased Information from Counter-examples
The verification task encompasses an SMT solver attempting to generate a counter-example, namely a (single) instance satisfying Eq. (8). However, a lone sample might not always provide insightful information for the learner to process. Naïvely asking the SMT solver to generate more than one counter-example is generally expensive, as it is done sequentially: the verifier solves Eq. (8) to find a first counter-example x̄; then, to find any additional sample, we add the clause (x ≠ x̄) and solve the resulting formula again. We are instead interested in finding numerous points invalidating the BC conditions and feeding them to the learner as a batch, or alternatively in increasing the information generated by the verifier by finding a sample that maximises the violation of the BC conditions. To this end, we randomly generate a cloud of points around the generated counter-example: in view of the continuity of the candidate function B, samples around a counter-example are also likely to invalidate the BC conditions. Secondly, for all points in the cloud, we compute the gradient of B (or of Ḃ) and follow the direction that maximises the violation of the BC constraints. As such, we follow the maximisation of B (resp. Ḃ) when considering x ∈ X_0 (resp. x s.t. |B(x)| < τ_v), and vice versa when x ∈ X_u. This gradient computation is extremely fast, as it exploits the neural architecture, and it provides more informative samples for further use by the learner.

Algorithm 1
Synthesis of Neural Barrier Certificate

function Learner(S, f)
    repeat
        B(S) ← NN(S)
        Ḃ(S) ← ∇B(S) · f(S)
        compute loss L, update NN
    until convergence
    return NN
end function

function Verifier(B, Ḃ)
    encode conditions in (8)
    Cex or unsat ← SMTcheck(B, Ḃ)
    return Cex or unsat
end function

function CEGIS(f)
    initialise NN, S
    repeat
        NN ← Learner(S, f)
        B(x), Ḃ(x) ← Translate(NN, f)
        Cex or unsat ← Verifier(B, Ḃ)
        S ← S ∪ Cex
    until unsat
    return B(x), Ḃ(x)
end function

We have implemented the discussed new procedure using the PyTorch library. Corroborating the flexibility and scalability of the approach, all experiments are performed on an unassuming laptop workstation, running Ubuntu 18.04 with 8 GB RAM. We demonstrate that the proposed method finds provably correct BCs on benchmarks from the literature comprising both polynomial and non-polynomial dynamics (vector fields f), and we newly tackle a hybrid model (a model with two different operating modes and associated dynamics) that is challenging for the verification engine. To confirm the flexibility of our architecture in accepting different SMT solvers, we verify the generated candidate BCs using dReal in the first four benchmarks, whereas we study the hybrid model using the Z3 tool. In all the examples, we use a learning rate of 0.1 for the NN and the loss function described in Section 3.1, with a small leak constant α and small positive offsets τ_0 = τ_u = τ_d. The belt in Eq. (7) is limited below by a small β_1, whilst β_2 = ∞; we further set a verification parameter τ_v (cf. Sec. 3.2) and a verification precision δ for dReal.

Table 1 summarises the outcomes. For the first four benchmarks, we compare our procedure, denoted as CEGIS, with the results from [31], which however does not handle the hybrid model in the last benchmark. We have run the algorithm in [31] and reported the cumulative synthesis time under the 'Learn' column; however, the verification (we emphasise this is done only once, a-posteriori, in [31]) is not included in the repeatability package, hence we report the results from [31] (these are generated with much more powerful hardware).
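The counter-example enrichment of Section 3.2 (a random cloud around the counter-example, plus gradient steps that maximise the violation) can be sketched as follows; the finite-difference gradient and all parameter values are our illustrative choices, whereas the actual procedure computes gradients directly through the neural architecture:

```python
import random

def enrich(cex, B, step=0.05, n_cloud=10, ascent_steps=5, h=1e-6, seed=0):
    """Turn a single counter-example into an informative batch: a random
    cloud around it, then points obtained by following dB/dx so as to
    increase the violation (here: maximising B, as for a counter-example
    inside X0, where B should be non-positive)."""
    rng = random.Random(seed)
    batch = [cex + rng.uniform(-step, step) for _ in range(n_cloud)]
    x = cex
    for _ in range(ascent_steps):
        grad = (B(x + h) - B(x - h)) / (2 * h)   # finite-difference dB/dx
        x += step if grad > 0 else -step         # move towards larger B
        batch.append(x)
    return batch

B = lambda x: x * x - 0.1    # candidate wrongly positive at cex = 0.4 in X0
batch = enrich(0.4, B)
print(len(batch), max(B(x) for x in batch) > B(0.4))  # 15 True
```

The whole batch is then fed back to the learner at once, rather than iterating the SMT solver for one counter-example at a time.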
The outcomes suggest that we obtain much faster synthesis and verification times (up to five orders of magnitude), whilst requiring as little as 0.02% of the training data (see the Obstacle Avoidance problem): [31] performs a uniform sampling of the space X, hence it suffers especially in the 3-d case, where our learning runs two orders of magnitude faster. It is instructive to notice that all the case studies are solved with a small number of iterations (up to 8) of the CEGIS loop, which is thus promising to tackle synthesis problems over more complex models. The analytical expressions of the models under study, together with a detailed analysis of the CEGIS iterations, are reported in the Supplementary Material.

Benchmark            |  CEGIS (this work)                 |  BC from [31]
                     |  Learn   Verify   Samples  Iters   |  Learn    Verify   Samples
Darboux Model        |  27.2    0.04     0.5      1       |  54.9     20.8     65
Exponential Model    |  13.9    0.01     0.5      1       |  234.0    11.3     653
Obstacle Avoidance   |  19.6    0.01     0.5      1       |  165.3    1003.3   2097
Polynomial Model     |  64.3    0.02     1        2       |  1731.0   635.3    65
Hybrid Model         |  8.97    15.51    0.5      8       |  –        –        –
Table 1.
Outcomes of the case studies: cumulative times for the Learning and Verification steps are given in seconds; 'Samples' indicates the size of the input data for the Learner (in thousands); 'Iters' is the number of iterations of the CEGIS loop (specific to our work). The 'Hybrid Model' benchmark is new.
Darboux Model
This 2-dimensional model is approached using a polynomial BC. The initial and unsafe sets are depicted in green and red, respectively, whereas the level set B(x) = 0 is outlined in black. The work [30] reports that LMI-based methods fail to verify this model using polynomial templates of degree 6. Our approach generates the BC shown in Fig. 2 (left) in less than 30 seconds, roughly half as much as in [31], and using only 500 initial samples versus more than 65000. The BC is derived from a 3-layer architecture of 10 nodes each, with linear, polynomial (γ = 3), and linear activations, respectively.

Fig. 2. The BC for the Darboux (top left), Exponential (middle left), and Obstacle Avoidance (the 3-d study, bottom left) models, with the corresponding vector fields (right column). Initial and unsafe sets are represented in green and red, respectively; the black line outlines the level curve B(x) = 0.

Exponential Model
This model from [16] shows that our approach extends to non-polynomial systems encompassing exponential and trigonometric functions. Our algorithm provides a valid BC in 14 seconds, around 5% of the time reported in [31], again using solely 500 initial samples. The BC, depicted in Fig. 2 (centre), results from a single-layer neural architecture of 10 nodes, with polynomial activation functions with γ = 3.

Obstacle Avoidance Problem
This 3-dimensional model, originally presented in [5], describes a robotic application: the control of the angular velocity of a two-dimensional airplane, aimed at avoiding a still obstacle. The BC is obtained from a single-layer NN comprising 10 neurons, using polynomial activations with γ = 2. Fig. 2 (right) plots the vector field on the plane z = 0. Our procedure takes 0.6% of the computational time in [31], providing a valid BC within 1 iteration, starting from an initial dataset of 500 samples.

Polynomial Model
This model describes a polynomial system [20] and presents initial and unsafe sets with complex, non-convex shapes [31]. Approaches from the literature, such as (unsound) SOS-based procedures [15,26], have required high-order polynomial templates, which suggests the use of alternative activation functions. The BC, shown in Fig. 3, is generated using a 10-layer NN with tanh activations. Needing just around 1 minute and only 1000 initial samples, the overall procedure is 30 times faster than that in [31].
Fig. 3.
The BC for the polynomial model (top left) and the hybrid model (top right), with the respective vector fields (below).
Hybrid Model
We finally challenge our procedure with a 2-dimensional hybrid model, which extends beyond the capability of the results in [31]. This hybrid framework partitions the set X into two non-overlapping subsets, X_1 and X_2. Each subset is associated with different model dynamics, respectively f_1 and f_2. In other words, the model trajectories evolve according to the f_1 dynamics when in X_1, and according to f_2 when in X_2. The structure of this model represents a non-trivial task for the verification engine, for which we employ the Z3 SMT solver: notice the considerably larger computation times, whereas the learning phase has instead been quite fast. The BC (Fig. 3) is obtained from a single-layer NN comprising 3 neurons, using polynomial activations with γ = 2, overall in less than 30 seconds, starting from an initial dataset of 500 samples.

We have presented a new inductive, formal, automated technique to synthesise neural-based barrier certificates for polynomial and non-polynomial, continuous and hybrid dynamical models. Thanks to a number of architectural choices in the new procedure, our method requires less training data, and thus displays faster learning, as well as quicker verification times, than state-of-the-art techniques. Beyond improving the scalability of the approach, future work includes the development of an automatic selection of activation functions tailored to the dynamical models of interest.
References
1. Alessandro Abate, Daniele Ahmed, Mirco Giacobbe, and Andrea Peruffo. Automated Formal Synthesis of Lyapunov Neural Networks. arXiv preprint arXiv:2003.08910, 2020.
2. Alessandro Abate, Cristina David, Pascal Kesseli, Daniel Kroening, and Elizabeth Polgreen. Counterexample Guided Inductive Synthesis Modulo Theories. In Proceedings of CAV, LNCS 10981, pages 270–288, 2018.
3. Alessandro Abate, Ashish Tiwari, and Shankar Sastry. Box Invariance in Biologically-inspired Dynamical Systems. Automatica, 45(7):1601–1610, 2009.
4. Daniele Ahmed, Andrea Peruffo, and Alessandro Abate. Automated and Sound Synthesis of Lyapunov Functions with SMT Solvers. In TACAS (1), volume 12078 of LNCS, pages 97–114. Springer, 2020.
5. Andrew J Barry, Anirudha Majumdar, and Russ Tedrake. Safety Verification of Reactive Controllers for UAV Flight in Cluttered Environments using Barrier Certificates. In IEEE International Conference on Robotics and Automation (ICRA), pages 484–490. IEEE, 2012.
6. Urs Borrmann, Li Wang, Aaron D Ames, and Magnus Egerstedt. Control Barrier Certificates for Safe Swarm Behavior. IFAC-PapersOnLine, 48(27):68–73, 2015.
7. Dario Cattaruzza, Alessandro Abate, Peter Schrammel, and Daniel Kroening. Unbounded-Time Safety Verification of Guarded LTI Models with Inputs by Abstract Acceleration. Journal of Automated Reasoning, 2020.
8. Ya-Chien Chang, Nima Roohi, and Sicun Gao. Neural Lyapunov Control. In NeurIPS, pages 3240–3249, 2019.
9. Liyun Dai, Ting Gan, Bican Xia, and Naijun Zhan. Barrier Certificates Revisited. Journal of Symbolic Computation, 80:62–86, 2017.
10. Leonardo de Moura and Nikolaj Bjørner. Z3: An Efficient SMT Solver. In TACAS, volume 4963 of LNCS, pages 337–340. Springer, 2008.
11. Sicun Gao, Jeremy Avigad, and Edmund M Clarke. δ-complete Decision Procedures for Satisfiability over the Reals. In International Joint Conference on Automated Reasoning, pages 286–300. Springer, 2012.
12. Sicun Gao, Soonho Kong, and Edmund M Clarke. dReal: An SMT Solver for Nonlinear Theories over the Reals. In International Conference on Automated Deduction, pages 208–214. Springer, 2013.
13. Hui Kong, Fei He, Xiaoyu Song, William NN Hung, and Ming Gu. Exponential-condition-based Barrier Certificate Generation for Safety Verification of Hybrid Systems. In International Conference on Computer Aided Verification, pages 242–257. Springer, 2013.
14. Daniel Kroening and Ofer Strichman. Decision Procedures - An Algorithmic Point of View. Springer Verlag, 2016.
15. Benoît Legat, Paulo Tabuada, and Raphaël M Jungers. Sum-of-Squares Methods for Controlled Invariant Sets with Applications to Model-predictive Control. Nonlinear Analysis: Hybrid Systems, 36:100858, 2020.
16. Jiang Liu, Naijun Zhan, Hengjun Zhao, and Liang Zou. Abstraction of Elementary Hybrid Systems by Variable Transformation. In International Symposium on Formal Methods, pages 360–377. Springer, 2015.
17. André Platzer and Edmund M Clarke. Computing Differential Invariants of Hybrid Systems as Fixedpoints. In International Conference on Computer Aided Verification, pages 176–189. Springer, 2008.
18. Stephen Prajna. Barrier Certificates for Nonlinear Model Validation. Automatica, 42(1):117–126, 2006.
19. Stephen Prajna and Ali Jadbabaie. Safety Verification of Hybrid Systems Using Barrier Certificates. In International Workshop on Hybrid Systems: Computation and Control, pages 477–492. Springer, 2004.
20. Stephen Prajna, Ali Jadbabaie, and George J Pappas. A Framework for Worst-case and Stochastic Safety Verification Using Barrier Certificates. IEEE Transactions on Automatic Control, 52(8):1415–1428, 2007.
21. Hadi Ravanbakhsh and Sriram Sankaranarayanan. Counter-example Guided Synthesis of Control Lyapunov Functions for Switched Systems. In IEEE Conference on Decision and Control (CDC), pages 4232–4239, 2015.
22. Hadi Ravanbakhsh and Sriram Sankaranarayanan. Robust Controller Synthesis of Switched Systems Using Counterexample Guided Framework. In ACM/IEEE Conference on Embedded Software (EMSOFT), pages 8:1–8:10, 2016.
23. Hadi Ravanbakhsh and Sriram Sankaranarayanan. Learning Control Lyapunov Functions from Counterexamples and Demonstrations. Autonomous Robots, pages 1–33, 2018.
24. Spencer M. Richards, Felix Berkenkamp, and Andreas Krause. The Lyapunov Neural Network: Adaptive Stability Certification for Safe Learning of Dynamical Systems. In CoRL, volume 87 of Proceedings of Machine Learning Research, pages 466–476. PMLR, 2018.
25. Sriram Sankaranarayanan, Xin Chen, and Erika Abraham. Lyapunov Function Synthesis using Handelman Representations. IFAC Proceedings Volumes, 46(23):576–581, 2013.
26. Christoffer Sloth, George J Pappas, and Rafael Wisniewski. Compositional Safety Analysis using Barrier Certificates. In Proceedings of the 15th ACM International Conference on Hybrid Systems: Computation and Control, pages 15–24, 2012.
27. Andrew Sogokon, Khalil Ghorbal, Yong Kiam Tan, and André Platzer. Vector Barrier Certificates and Comparison Systems. In International Symposium on Formal Methods, pages 418–437. Springer, 2018.
28. Armando Solar-Lezama, Liviu Tancau, Rastislav Bodik, Sanjit Seshia, and Vijay Saraswat. Combinatorial Sketching for Finite Programs. In Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 404–415, 2006.
29. Li Wang, Aaron D Ames, and Magnus Egerstedt. Safety Barrier Certificates for Collisions-free Multirobot Systems. IEEE Transactions on Robotics, 33(3):661–674, 2017.
30. Xia Zeng, Wang Lin, Zhengfeng Yang, Xin Chen, and Lilei Wang. Darboux-type Barrier Certificates for Safety Verification of Nonlinear Hybrid Systems. In Proceedings of the 13th International Conference on Embedded Software, pages 1–10, 2016.
31. Hengjun Zhao, Xia Zeng, Taolue Chen, and Zhiming Liu. Synthesizing Barrier Certificates Using Neural Networks. In Proceedings of the 23rd International Conference on Hybrid Systems: Computation and Control, HSCC '20, New York, NY, USA, 2020. Association for Computing Machinery.

Supplementary Material

Model Dynamics
We report below the full expressions of the dynamics, of the feedback control architectures, and of the spatial domain X (as a set of constraints), the set of initial conditions X_0 ⊂ X and the unsafe set X_u ⊂ X, for the five case studies.

Darboux Model

ẋ = y + 2xy
ẏ = −x + 2x² − y²

X = {−2 ≤ x, y ≤ 2},
X_0 = {0 ≤ x ≤ 1, 1 ≤ y ≤ 2},
X_u = {x + y² ≤ 0}

Exponential Model

ẋ = e^(−x) + y − 1
ẏ = −sin²(x)

X = {−2 ≤ x, y ≤ 2}
X_0 = {(x + 0.5)² + (y − 0.5)² ≤ 0.16}
X_u = {(x − 0.7)² + (y + 0.7)² ≤ 0.09}

Obstacle Avoidance Problem

ẋ = v sin ϕ
ẏ = v cos ϕ
ϕ̇ = u,

where u = −sin ϕ + 3 · (x sin ϕ + y cos ϕ) / (0.5 + x² + y²).

X = {−2 ≤ x, y ≤ 2, −π/2 < ϕ < π/2}
X_0 = {−0.1 ≤ x ≤ 0.1, −2 ≤ y ≤ −1.8, −π/2 < ϕ < π/2}
X_u = {x² + y² ≤ 0.04}

Polynomial Model

ẋ = y
ẏ = −x + (1/3)x³ − y

X = {−3.5 ≤ x ≤ 2, −2 ≤ y ≤ 1}
X_0 = {(x − 1.5)² + y² ≤ 0.25
  ∨ (x ≥ −1.8 ∧ x ≤ −1.2 ∧ y ≥ −0.1 ∧ y ≤ 0.1)
  ∨ (x ≥ −1.4 ∧ x ≤ −1.2 ∧ y ≥ −0.5 ∧ y ≤ 0.1)}
X_u = {(x + 1)² + (y + 1)² ≤ 0.16
  ∨ (x ≥ 0.4 ∧ x ≤ 0.6 ∧ y ≥ 0.1 ∧ y ≤ 0.5)
  ∨ (x ≥ 0.4 ∧ x ≤ 0.8 ∧ y ≥ 0.1 ∧ y ≤ 0.3)}

Hybrid Model

f_1: ẋ = y, ẏ = −x − 0.5x³
f_2: ẋ = y, ẏ = x − 0.5y

Domain for f_1 = {(x, y) : x < 0}
Domain for f_2 = {(x, y) : x ≥ 0}
X = {x² + y² ≤ 4}
X_0 = {(x + 1)² + (y + 1)² ≤ 0.25}
X_u = {(x − 1)² + (y − 1)² ≤ 0.25}

Experimental Repeatability and Codebase Robustness

Our algorithm uses pseudo-random number generators in three instances: the initial samples set, the initialisation of the NN, and the generation of counterexamples. Whilst we manually seed the initialisation of the NN for repeatability (with the prime number 167), we leave the other two instances seed-less. The results shown in the article are obtained after a single run of our algorithm: we now outline a statistical analysis of the results. To test the performance of the algorithm, we report learning time, verification time and number of iterations, over 100 runs, in Table 2.
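The seeding policy above can be sketched as follows: fixing the NN-initialisation seed makes the initial weights, and hence the learner's starting point, identical across runs. This is a minimal illustration (the function name and the Gaussian initialisation are our assumptions, not the paper's implementation); only the seed value 167 is taken from the text.

```python
import random

def init_weights(n, seed=167):
    # Seeded NN initialisation (the article seeds with the prime 167);
    # the initial dataset and counterexample generation stay seed-less.
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]

# Two independent runs with the same seed start from identical weights.
assert init_weights(6) == init_weights(6)
```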
The obtained statistics include the average running times and the average number of iterations, along with the minimum and maximum values over the 100 runs. Note that the reported times are the average runtimes of single calls of the learning and verification engines, i.e. per iteration of the CEGIS procedure. In the main article we have instead reported the learning and verification times summed over all iterations of the CEGIS procedure.
Table 2. Average [min, max] learning and verification times (in seconds) and number of CEGIS iterations, over 100 runs.

Benchmark            Learner              Verifier               Iters
Darboux Model        27.47 [26.9, 27.9]   0.024 [0.021, 0.028]   1 [1, 1]
Exponential Model    12.51 [8.1, 21.5]    0.002 [0.001, 0.003]   2 [2, 2]
Obstacle Avoidance   22.07 [17.9, 27.5]   0.005 [0.004, 0.007]   1 [1, 1]
Polynomial Model     29.63 [26.5, 33.8]   0.01 [0.006, 0.017]    2 [2, 2]
Hybrid Model         0.55 [0.5, 0.8]      2.50 [2.0, 2.9]        1.9 [1, 10]
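Entries of the form "average [min, max]" can be reproduced from per-run logs as in the following sketch; the sample values below are illustrative, not the actual experimental logs.

```python
# Hypothetical per-run learner times (seconds) for one benchmark.
times = [27.1, 27.5, 26.9, 27.9, 27.6]

# Aggregate into the "average [min, max]" format used in the table.
avg = sum(times) / len(times)
entry = f"{avg:.2f} [{min(times)}, {max(times)}]"
print(entry)  # -> "27.40 [26.9, 27.9]"
```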