Exact Safety Verification of Hybrid Systems Using Sums-Of-Squares Representation
Wang Lin a,b, Min Wu a, Zhengfeng Yang a, Zhenbing Zeng a

a Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai 200062, China
b College of Mathematics and Information Science, Wenzhou University, Zhejiang 325035, China
Abstract
In this paper we discuss how to generate inductive invariants for safety verification of hybrid systems. A hybrid symbolic-numeric method is presented to compute inequality inductive invariants of the given systems. A numerical invariant of the given system can be obtained by solving a parameterized polynomial optimization problem via sum-of-squares (SOS) relaxation. A method based on Gauss-Newton refinement and rational vector recovery is then deployed to obtain invariants with rational coefficients, which exactly satisfy the conditions of invariants. Several examples are given to illustrate our algorithm.

Keywords: semidefinite programming, sum-of-squares relaxation, safety verification, invariant generation
✩ This material is supported in part by the Chinese National Natural Science Foundation under Grants 91018012 (Wu, Yang, Zeng), 10801052 (Wu) and 10901055 (Yang), and the Scientific Research Project of The Graduate School of East China Normal University under Grant CX2011009.

Email addresses: [email protected] (Wang Lin), [email protected] (Min Wu), [email protected] (Zhengfeng Yang), [email protected] (Zhenbing Zeng)

Preprint submitted to Elsevier September 23, 2018

1. Introduction

Complex physical systems are systems in which the techniques of sensing, control, communication and coordination are involved and interact with each other. Among complex physical systems, many are safety-critical, such as airplanes, railway, and automotive applications. Due to their complexity, ensuring correct functioning of these systems, e.g., spatial separation, especially collision avoidance of aircraft during entire flights, is among the most challenging and most important problems in computer science, mathematics and engineering.

As a common mathematical model for complex physical systems, hybrid systems [3, 8] are dynamical systems that are governed by interacting discrete and continuous dynamics [1, 6, 8]. Continuous dynamics is specified by differential equations, which are possibly subject to domain restrictions or algebraic relations resulting from physical circumstances or the interaction of continuous dynamics with discrete control. For discrete transitions, the hybrid system changes state instantaneously and possibly discontinuously, for example, the instantaneous change of control variables like the acceleration (e.g., the changing of a by setting a := −b with braking force b >

safety, i.e., deciding whether a given property ψ holds in all the reachable states, and the dual of safety, i.e., reachability, deciding if there exists a trajectory starting from the initial set that reaches a state satisfying the given property ψ. In principle, safety verification or reachability analysis aims to show that all trajectories of the hybrid system starting from the initial set cannot enter some unsafe regions in the state space.

Safety verification or reachability analysis of hybrid systems presents a more difficult challenge, primarily due to the infinite number of possible states in a continuous state space. Some well-established techniques have been proposed. In [2, 11], quantifier elimination was used to calculate exact reachable sets for linear systems with certain eigenstructures and semialgebraic initial sets.
Tiwari [28] generalized this method to handle linear systems with almost arbitrary eigenstructures. In [5, 30, 10], level set methods, ellipsoidal techniques and flow-pipe approximations have been presented for computing approximate reachable sets of hybrid systems.

Recently, some methods [20, 21, 25, 28] based on invariant generation have been proposed for safety verification of hybrid systems. An invariant [24] of a hybrid system is a property that holds in all the reachable states of the system; in other words, it is an over-approximation of all the reachable states of the system. Invariants are useful facts about the dynamics of a given system, and are widely used in numerous approaches to analyze and verify systems. For example, if the invariants lie inside the safe regions, or their intersection with the unsafe regions is empty, then the safety of the hybrid system is verified.

The problem of generating invariants of an arbitrary form is known to be computationally hard, intractable even for the simplest classes. The usual technique for generating invariants is to produce an inductive invariant, i.e., an assertion that holds at the initial states of the system, and is preserved by all discrete and continuous state changes. There has been a considerable volume of work towards invariant generation for hybrid systems using techniques in convex optimization and semi-algebraic system solving [4, 7, 13, 15, 17, 18, 20, 24, 25, 27, 29]. However, some of these techniques are only applicable to linear systems, some are subject to numerical errors and some suffer from high complexity. By virtue of the efficiency of numerical computation and the error-free property of symbolic computation, a hybrid symbolic-numeric method via SOS relaxation and exact certificate is presented in [31] to construct inequality invariants for continuous dynamic systems given by nonlinear vector fields.

In this work, we study how to generate inequality invariants for safety verification of nonlinear hybrid systems. We present a hybrid symbolic-numeric method, based on sum-of-squares (SOS) relaxation via semidefinite programming (SDP) and exact SOS representation recovery, to generate inequality invariants of hybrid systems, which guarantee that all the reachable states never enter the given unsafe regions. The idea is as follows: (1) Given a safety property, we predetermine the templates of the invariants, and construct a semidefinite programming (SDP) system to solve the corresponding parametric polynomial optimization problem. (2) An exact invariant is obtained by recovering the exact SOS representation from the approximate solution of the associated SDP system. In the recovery step, Gauss-Newton iteration is deployed to refine the approximate solution from the SDP solver. Then the safety property of the hybrid system can be easily verified, by the exact SOS representations of the conditions of the invariants. More details will be shown in Section 3.

Unlike the numerical approaches, our method can yield exact invariants, which overcome the unsoundness in the verification of hybrid systems caused by numerical errors [19]. In comparison with some symbolic approaches to invariant generation based on quantifier elimination techniques, our approach is more efficient and practical, because the parametric polynomial optimization problem, based on the SOS relaxation method, can theoretically be solved in polynomial time.

The rest of the paper is organized as follows. In Section 2, we introduce some notions about hybrid systems and invariants. Section 3 is devoted to illustrating a symbolic-numeric approach to generate invariants for safety verification of hybrid systems. In Section 4, we present some examples of invariant generation for safety verification of hybrid systems. Section 5 concludes the paper and discusses some future work.
2. Invariants
To model hybrid systems, we recall the definition of hybrid automata [8, 25].
Definition 1 (Hybrid system). A hybrid system $H:\langle V, L, T, \Theta, D, \Psi, \ell_0\rangle$ consists of the following components:

• $V=\{x_1,\dots,x_n\}$, a set of real-valued system variables. A state is an interpretation of $V$, assigning to each $x_i\in V$ a real value. An assertion is a first-order formula over $V$. A state $s$ satisfies an assertion $\phi$, written as $s\models\phi$, if $\phi$ holds on the state $s$. We will also write $\phi_1\models\phi_2$ for two assertions $\phi_1,\phi_2$ to denote that $\phi_2$ is true at least in all the states in which $\phi_1$ is true;
• $L$, a finite set of locations;
• $T$, a set of (discrete) transitions. Each transition $\tau:\langle\ell,\ell',g_\tau,\rho_\tau\rangle\in T$ consists of a prelocation $\ell\in L$, a postlocation $\ell'\in L$, the guard condition $g_\tau$ over $V$, and an assertion $\rho_\tau$ over $V\cup V'$ representing the next-state relation, where $V'=\{x'_1,\dots,x'_n\}$ denotes the next-state variables. Note that the transition $\tau$ can take place only if $g_\tau$ holds;
• $\Theta$, an assertion specifying the initial condition;
• $D$, a map that maps each location $\ell\in L$ to a differential rule (also known as a vector field or a flow field) $D(\ell)$, of the form $\dot x_i=f_{\ell,i}(V)$ for each $x_i\in V$, written briefly as $\dot{\mathbf x}=f_\ell(\mathbf x)$. The differential rule at a location specifies how the system variables evolve in that location;
• $\Psi$, a map that maps each location $\ell\in L$ to a location condition (location invariant) $\Psi(\ell)$, an assertion over $V$;
• $\ell_0\in L$, the initial location. We assume that the initial condition satisfies the location invariant at the initial location, that is, $\Theta\models\Psi(\ell_0)$.

By a state of a hybrid system $H:\langle V, L, T, \Theta, D, \Psi, \ell_0\rangle$, we mean the tuple $(\ell,\mathbf x)\in L\times\mathbb R^n$ where $n$ is the number of program variables in $H$.

Definition 2 (Computation). [25] A computation of a hybrid system $H$ is an infinite sequence of states $\langle l_0,\mathbf x_0\rangle,\langle l_1,\mathbf x_1\rangle,\dots,\langle l_i,\mathbf x_i\rangle,\langle l_{i+1},\mathbf x_{i+1}\rangle,\dots$ such that

• [Initiation] $l_0=\ell_0$ and $\mathbf x_0\models\Theta$;

Furthermore, for each consecutive pair $\langle l_i,\mathbf x_i\rangle,\langle l_{i+1},\mathbf x_{i+1}\rangle$, one of the two consecution conditions holds:

• [Discrete Consecution] There exists a transition $\tau:\langle\ell,\ell',g_\tau,\rho_\tau\rangle$ such that $l_i=\ell$, $l_{i+1}=\ell'$ and $(\mathbf x_i,\mathbf x_{i+1})\models\rho_\tau(\mathbf x_i,\mathbf x_{i+1})$ if $g_\tau$ holds, or
• [Continuous Consecution] $l_i=l_{i+1}=\ell$, and there exists a time interval $\delta>0$ and a smooth (continuous and differentiable to all orders) function $f:[0,\delta]\to\mathbb R^n$ s.t. $f$ evolves from $\mathbf x_i$ to $\mathbf x_{i+1}$ according to the differential rule $D(\ell)$ at location $\ell$, while satisfying the location invariant $\Psi(\ell)$. Formally,
  – $f(0)=\mathbf x_i$, $f(\delta)=\mathbf x_{i+1}$ and $\forall t\in[0,\delta]$, $f(t)\models\Psi(\ell)$,
  – $\forall t\in[0,\delta)$, $(f(t),\dot f(t))\models D(\ell)$.

A state $\langle\ell,\mathbf x\rangle$ is a reachable state of a hybrid system $H$ if it appears in a computation of $H$.

Figure 1 is a graphical representation of a hybrid system with two locations $\ell_1,\ell_2$. A state of this hybrid system is denoted by $\langle\ell,\mathbf x\rangle\in\{\ell_1,\ell_2\}\times\mathbb R^n$, and the initial state set is $\ell_1\times\Theta$. During a continuous flow, the discrete location $\ell_i$ is maintained and the continuous state variables $\mathbf x$ evolve according to the differential equations $\dot{\mathbf x}=f_{\ell_i}(\mathbf x)$, with $\mathbf x$ satisfying the location invariant $\Psi(\ell_i)$. At the state $\langle\ell_i,\mathbf x\rangle$, if the guard condition $g(\ell_i,\ell_j)$ is met, the system may undergo a transition to location $\ell_j$, and $\mathbf x$ will take the new value $\mathbf x'$, which is determined by the reset map $\rho(\ell_i,\ell_j)$.

Figure 1: An example of hybrid system $H$ (two locations with flows $\dot{\mathbf x}=f(\mathbf x)$, location invariants $\Psi(\ell)$, initial condition $\Theta$, and guards $g$ and resets $\rho$ on the transitions between the locations).

Given a hybrid system with an initial set and a prespecified safe (or unsafe) region, the system is safe if, starting from any state in the initial set, the system never evolves into the given unsafe region, or equivalently always stays inside the safe region. More specifically, consider the hybrid system $H$ shown in Figure 1 and let $X_u\subset\mathbb R^n$ be an unsafe region. The system $H$ is said to be safe if all trajectories of the system starting from any state $\langle\ell_1,\mathbf x\rangle\in\ell_1\times\Theta$ cannot reach $X_u$, i.e., no state in $X_u$ is reachable.

In this work, we apply the invariant generation method to verify the safety of hybrid systems. The following definitions of invariants of hybrid systems come from [25].

Definition 3 (Invariant). An invariant of a hybrid system at location $\ell$ is an assertion $I$ such that for any reachable state $\langle\ell,\mathbf x\rangle$ of the hybrid system, $\mathbf x\models I$.

An invariant of a hybrid system is an assertion that holds in all the reachable states of the system. The problem of generating invariants of arbitrary form is known to be computationally hard, intractable even for the simplest classes. The usual technique for generating invariants is to compute inductive invariants, defined as follows.
Definition 4 (Inductive invariant). An inductive assertion map $I$ of a hybrid system $H:\langle V, L, T, \Theta, D, \Psi, \ell_0\rangle$ is a map that associates with each location $\ell\in L$ an assertion $I(\ell)$ that holds initially and is preserved by all discrete transitions and continuous flows of $H$. More formally, an inductive assertion map satisfies the following requirements:

(i) [Initial] $\Theta\models I(\ell_0)$.
(ii) [Discrete Consecution] For each discrete transition $\tau:\langle\ell,\ell',g_\tau,\rho_\tau\rangle$, starting from a state satisfying $I(\ell)$ and taking $\tau$ leads to a state satisfying $I(\ell')$. Formally, $I(\ell)\wedge g_\tau\wedge\rho_\tau\models I(\ell')'$, where $I(\ell')'$ represents the assertion $I(\ell')$ with the current state variables $x_1,\dots,x_n$ replaced by the next-state variables $x'_1,\dots,x'_n$, respectively.
(iii) [Continuous Consecution] For every location $\ell\in L$ and states $\langle\ell,\mathbf x_1\rangle$, $\langle\ell,\mathbf x_2\rangle$ such that $\mathbf x_2$ evolves from $\mathbf x_1$ according to the differential rule $D(\ell)$ at $\ell$, if $\mathbf x_1\models I(\ell)$ then $\mathbf x_2\models I(\ell)$.

Our definition of inductive invariants is slightly modified from that of Definition 4 in [25]; the only change made is taking the guard conditions into account.

For a hybrid system, a formula $I(\mathbf x)$ is called a differential invariant at location $\ell$ if $I(\mathbf x)$ satisfies conditions (i) and (iii), that is, $I(\mathbf x)$ holds initially and is preserved by the continuous flow at a single location. Several works compute differential invariants. [13] presented an approach based on computable algebraic-geometry theory to generate differential invariants. [20] computed differential invariants using a verification logic for hybrid systems. [31] suggested a hybrid symbolic-numeric method to compute inequality differential invariants.

Remark 1. Clearly, inductive invariants are over-approximations of the reachable sets of hybrid systems, since an inductive invariant is true for all the reachable states of the system.
3. Safety Verification of Hybrid Systems
The aim of this section is to translate the problem of safety verification of hybrid systems into that of generating invariants, which can be transformed further into a polynomial optimization problem with parameters. We will present a hybrid symbolic-numeric method, based on SOS relaxation, to solve this polynomial optimization problem and obtain the invariants, which can guarantee the safety property of hybrid systems.

In this paper, we are interested in hybrid systems in which the relations are given by (real) polynomials over the system variables. Then we define
Definition 5 (Polynomial hybrid system). A polynomial hybrid system is a hybrid system $H:\langle V, L, T, \Theta, D, \Psi, \ell_0\rangle$, where

• for each transition $\tau:\langle\ell,\ell',g_\tau,\rho_\tau\rangle\in T$, the guard condition $g_\tau$ (resp. the reset relation $\rho_\tau$) is a conjunction of polynomial inequalities over $V$ (resp. $V\cup V'$); also, the initial condition $\Theta$ and the location invariant $\Psi(\ell)$, for each $\ell\in L$, are conjunctions of polynomial inequalities over $V$;
• each rule $D(\ell)$ is of the form $\dot x_i=f_{\ell,i}(\mathbf x)$ for each $x_i\in V$, where $f_{\ell,i}(\mathbf x)\in\mathbb R[\mathbf x]$.

We are interested in finding invariants of the form $\varphi_\ell(\mathbf x)\ge 0$ at each location $\ell\in L$. Below is an alternative expression of Definition 4.

Theorem 1. Let $H:\langle V, L, T, \Theta, D, \Psi, \ell_0\rangle$ be a hybrid system. Suppose for each location $\ell\in L$, there exists a function $\varphi_\ell(\mathbf x)$ satisfying the following conditions:

(i) $\Theta\models\varphi_\ell(\mathbf x)\ge 0$,
(ii) $\varphi_\ell(\mathbf x)\ge 0\wedge g(\ell,\ell')\wedge\rho(\ell,\ell')\models\varphi_{\ell'}(\mathbf x')\ge 0$, for any transition $\langle\ell,\ell',g,\rho\rangle$ going out from $\ell$,
(iii) $\varphi_\ell(\mathbf x)\ge 0\wedge\Psi(\ell)\models\dot\varphi_\ell(\mathbf x)>0$, where $\dot\varphi_\ell(\mathbf x)$ denotes the Lie derivative of $\varphi_\ell$ along the vector field $D(\ell)$, i.e., $\dot\varphi_\ell(\mathbf x)=\sum_{i=1}^n\frac{\partial\varphi_\ell}{\partial x_i}\cdot f_{\ell,i}(\mathbf x)$,

then $\varphi_\ell(\mathbf x)\ge 0$ is an invariant of the hybrid system $H$ at location $\ell$.

Proof. The proof follows directly from Definition 4.

Note that if the functions $\varphi_\ell(\mathbf x)$ at all locations are identical to $\varphi(\mathbf x)$, then $\varphi(\mathbf x)$ is an inductive invariant of the given hybrid system, as described in the following theorem.

Theorem 2. Let $H$ be a hybrid system. Suppose there exists a function $\varphi(\mathbf x)$ satisfying the following conditions:

(i) $\Theta\models\varphi(\mathbf x)\ge 0$,
(ii) $\varphi(\mathbf x)\ge 0\wedge g(\ell,\ell')\wedge\rho(\ell,\ell')\models\varphi(\mathbf x')\ge 0$, for any transition $\langle\ell,\ell',g,\rho\rangle$ going out from $\ell$,
(iii) $\varphi(\mathbf x)\ge 0\wedge\Psi(\ell)\models\dot\varphi(\mathbf x)>0$,

then $\varphi(\mathbf x)\ge 0$ is an inductive invariant of the system $H$.

In the sequel, for brevity, we shall use $\varphi_\ell(\mathbf x)$ to denote both the invariant $\varphi_\ell(\mathbf x)\ge 0$ and the polynomial $\varphi_\ell(\mathbf x)$ itself. The following theorem shows that invariants can be applied to verify the safety property of hybrid systems.

Theorem 3. Let $H$ be a hybrid system, and $X_u(\ell)$ be the unsafe region at location $\ell$. Suppose there exist functions $\varphi_\ell(\mathbf x)$, for $\ell\in L$, that satisfy the conditions (i)-(iii) in Theorem 1, and moreover,

(iv) $X_u(\ell)\models\varphi_\ell(\mathbf x)<0$, $\forall\ell\in L$,

then the safety of the system $H$ is guaranteed.

Proof. Clearly, $\varphi_\ell(\mathbf x)\ge 0$ is an invariant of $H$ at location $\ell$. Then the condition (iv) implies that all reachable sets at location $\ell$ lie outside the unsafe region $X_u(\ell)$, yielding the safety of the system.

Similarly, inductive invariants can be applied to verify the safety of hybrid systems.

Theorem 4. Let $H$ be a hybrid system, and $X_u(\ell)$ be the unsafe region at location $\ell$. Suppose there exists a function $\varphi(\mathbf x)$ that satisfies the conditions (i)-(iii) in Theorem 2, and moreover,

(iv) $X_u(\ell)\models\varphi(\mathbf x)<0$, $\forall\ell\in L$,

then the safety of the system is guaranteed.

Proof. The proof is similar to that of Theorem 3.

Remark 2. Functions $\varphi_\ell(\mathbf x)$ and $\varphi(\mathbf x)$ in Theorems 3 and 4 are also known as barrier certificates in [21].

3.2. Sum of Squares Relaxation

According to Theorems 3 and 4, to verify the safety of a hybrid system $H$, it suffices to compute real polynomials $\varphi_\ell(\mathbf x)$ or $\varphi(\mathbf x)$. In the following, we only discuss how to find the invariant $\varphi_\ell(\mathbf x)$ at each location $\ell\in L$. The problem of computing the inductive invariant $\varphi(\mathbf x)$ can be handled similarly.

Our idea of computing $\varphi_\ell(\mathbf x)$ or $\varphi(\mathbf x)$, based on Sum-of-Squares (SOS) relaxation and rational vector recovery, is as follows.

Step 1:
Predetermine a template of polynomial invariants with the given degree and convert the problem of computing polynomial invariants to the associated parametric polynomial optimization problem. The SOS relaxation method is then applied to obtain a polynomial invariant with floating point coefficients.
Step 2:
Apply Gauss-Newton refinement and rational vector recovery on the approximate polynomial invariant to get polynomials with rational coefficients, which exactly satisfy the conditions of invariants of the given hybrid system.

The problem of computing the invariants $\varphi_\ell(\mathbf x)$ at each location $\ell\in L$ that satisfy the conditions in Theorem 3 can be transformed into the following problem:

$$\begin{array}{ll}\text{find} & \varphi_\ell(\mathbf x)\in\mathbb R[\mathbf x],\ \forall\ell\in L\\ \text{s.t.} & \Theta\models\varphi_\ell(\mathbf x)\ge 0,\\ & \varphi_\ell(\mathbf x)\ge 0\wedge g(\ell,\ell')\wedge\rho(\ell,\ell')\models\varphi_{\ell'}(\mathbf x')\ge 0,\\ & \varphi_\ell(\mathbf x)\ge 0\wedge\Psi(\ell)\models\dot\varphi_\ell(\mathbf x)>0,\\ & X_u(\ell)\models\varphi_\ell(\mathbf x)<0.\end{array}\qquad(1)$$

Let us first predetermine a template of polynomial invariants with the given degree $d$, that is, we assume

$$\varphi_\ell(\mathbf x)=\sum_\alpha c_\alpha\mathbf x^\alpha,\qquad(2)$$

where $\mathbf x^\alpha=x_1^{\alpha_1}\cdots x_n^{\alpha_n}$ and $c_\alpha\in\mathbb R$ are parameters, with $\alpha\in\mathbb Z^n_{\ge 0}$ and $\sum_{i=1}^n\alpha_i\le d$. One can apply quantifier elimination methods to solve the corresponding parametric semi-algebraic systems, and for the given template, quantifier elimination methods can yield the sufficient and necessary conditions for the existence of invariants. Several Maple packages, such as RAGLib [16] and DISCOVERER [32], are available to solve this problem. However, quantifier elimination methods based on cylindrical algebraic decomposition (CAD) are of high complexity.
Instead, we will explore SOS relaxation techniques based on semidefinite programming (SDP) solving to obtain polynomial invariants.

In the sequel, we suppose that

$$\Theta=\Big\{\mathbf x\in\mathbb R^n:\bigwedge_{l=1}^{q}\theta_l(\mathbf x)\ge 0\Big\},\qquad X_u(\ell)=\Big\{\mathbf x\in\mathbb R^n:\bigwedge_{j=1}^{p}\zeta_{\ell,j}(\mathbf x)\ge 0\Big\},$$
$$\Psi(\ell)=\Big\{\mathbf x\in\mathbb R^n:\bigwedge_{k=1}^{r}\psi_{\ell,k}(\mathbf x)\ge 0\Big\},\qquad g(\ell,\ell')=\Big\{\mathbf x\in\mathbb R^n:\bigwedge_{i=1}^{s}g_{\ell\ell',i}(\mathbf x)\ge 0\Big\},$$
$$\rho(\ell,\ell')(\mathbf x,\mathbf x')=\Big\{\mathbf x'\in\mathbb R^n:\bigwedge_{u=1}^{t}\rho_{\ell\ell',u}(\mathbf x,\mathbf x')\ge 0\Big\},$$

where $\ell,\ell'\in L$, and $\theta_l(\mathbf x)$, $\zeta_{\ell,j}(\mathbf x)$, $\psi_{\ell,k}(\mathbf x)$, $g_{\ell\ell',i}(\mathbf x)$ and $\rho_{\ell\ell',u}(\mathbf x,\mathbf x')$ are polynomials.

Clearly, a sufficient condition for $r(\mathbf x)\in\mathbb R[\mathbf x]$ with degree $2e$ to be positive semidefinite is that there exists an SOS representation of $r(\mathbf x)$:

$$r(\mathbf x)=\sum_i r_i(\mathbf x)^2,\quad\text{with } r_i(\mathbf x)\in\mathbb R[\mathbf x],\qquad(3)$$

or, equivalently, $r(\mathbf x)$ can be represented as $r(\mathbf x)=m(\mathbf x)^T\cdot W\cdot m(\mathbf x)$, where $W$ is a real symmetric positive semidefinite matrix, and $m(\mathbf x)$ is a vector of terms in $\mathbb R[\mathbf x]$ with degree $\le e$.

When a polynomial $r(\mathbf x)$ can be written as an SOS in $\mathbb R[\mathbf x]$, we simply call $r(\mathbf x)$ an SOS. Denote by $\Sigma_{n,2e}$ the set of all SOSes of degree $\le 2e$ in variables $x_1,\dots,x_n$, i.e.,

$$\Sigma_{n,2e}=\{r(\mathbf x)\in\mathbb R[\mathbf x]: r(\mathbf x)\text{ is an SOS},\ \deg(r(\mathbf x))\le 2e\}.$$

Based on the SOS relaxation, the constraints in (1) can be replaced by stronger ones. For instance, to find a polynomial $\varphi_\ell(\mathbf x)$ satisfying $\Theta\models\varphi_\ell(\mathbf x)\ge 0$, it suffices to find $\varphi_\ell(\mathbf x)$ such that

$$\varphi_\ell(\mathbf x)=\sigma_0(\mathbf x)+\sum_{l=1}^{q}\sigma_l(\mathbf x)\theta_l(\mathbf x),$$

where $\sigma_0,\sigma_l\in\mathbb R[\mathbf x]$ are SOSes. Therefore, the problem of computing polynomials $\varphi_\ell(\mathbf x)$ is transformed into the following SOS program:

$$\begin{array}{ll}\text{find} & \varphi_\ell(\mathbf x)\in\mathbb R[\mathbf x],\ \forall\ell\in L\\ \text{s.t.} & \varphi_\ell(\mathbf x)=\sigma_0(\mathbf x)+\sum_{l=1}^{q}\sigma_l(\mathbf x)\theta_l(\mathbf x),\\ & \varphi_{\ell'}(\mathbf x')=\lambda_{\ell\ell',0}(\mathbf x)+\sum_{i=1}^{s}\lambda_{\ell\ell',i}(\mathbf x)g_{\ell\ell',i}(\mathbf x)+\sum_{u=1}^{t}\gamma_{\ell\ell',u}(\mathbf x)\rho_{\ell\ell',u}(\mathbf x,\mathbf x')+\eta_{\ell\ell'}(\mathbf x)\varphi_\ell(\mathbf x),\\ & \dot\varphi_\ell(\mathbf x)=\phi_{\ell,0}(\mathbf x)+\sum_{k=1}^{r}\phi_{\ell,k}(\mathbf x)\psi_{\ell,k}(\mathbf x)+\nu_\ell(\mathbf x)\varphi_\ell(\mathbf x)+\epsilon_{\ell,1},\\ & -\varphi_\ell(\mathbf x)=\mu_{\ell,0}(\mathbf x)+\sum_{j=1}^{p}\mu_{\ell,j}(\mathbf x)\zeta_{\ell,j}(\mathbf x)+\epsilon_{\ell,2},\end{array}\qquad(4)$$

where $\sigma_l(\mathbf x),\lambda_{\ell\ell',i}(\mathbf x),\gamma_{\ell\ell',u}(\mathbf x),\eta_{\ell\ell'}(\mathbf x),\phi_{\ell,k}(\mathbf x),\nu_\ell(\mathbf x),\mu_{\ell,j}(\mathbf x)\in\Sigma_{n,2e}$ and $\epsilon_{\ell,1},\epsilon_{\ell,2}\in\mathbb R^+$. The decision variables are the coefficients of all polynomials appearing in (4), such as $\varphi_\ell(\mathbf x)$, $\sigma_l(\mathbf x)$, $\lambda_{\ell\ell',i}(\mathbf x)$.

Since the coefficients of $\varphi_\ell(\mathbf x)$, $\eta_{\ell\ell'}(\mathbf x)$ and $\nu_\ell(\mathbf x)$ are unknown, some nonlinear terms that are products of these coefficients occur in the second and third constraints of (4). The SOS relaxation will then lead to a non-convex bilinear matrix inequality (BMI) problem. To avoid the BMI problem, we adopt stronger conditions to compute the invariants of hybrid systems.

Theorem 5.
Under the assumptions in Theorem 1, suppose for each $\ell\in L$, $\varphi_\ell(\mathbf x)$ satisfies the following conditions:

(i) $\Theta\models\varphi_\ell(\mathbf x)\ge 0$,
(ii') $g(\ell,\ell')\wedge\rho(\ell,\ell')\models\varphi_{\ell'}(\mathbf x')\ge 0$, for any transition $\langle\ell,\ell',g,\rho\rangle$ going out from $\ell$,
(iii') $\Psi(\ell)\models\dot\varphi_\ell(\mathbf x)>0$,

then $\varphi_\ell(\mathbf x)\ge 0$ is an invariant of the hybrid system $H$ at location $\ell$. In addition, if $\varphi_\ell(\mathbf x)$ satisfies

(iv) $X_u(\ell)\models\varphi_\ell(\mathbf x)<0$, $\forall\ell\in L$,

then the safety of the system is guaranteed.

Proof. Since the conditions (ii') and (iii') are stronger than the conditions (ii) and (iii) in Theorem 1 respectively, $\varphi_\ell$ is an invariant at location $\ell$. According to Theorem 3, the condition (iv) guarantees the safety of the system.

A similar conclusion can be attained for inductive invariants, as stated in the following theorem.

Theorem 6. Under the assumptions in Theorem 2, suppose there exists a polynomial $\varphi(\mathbf x)$ satisfying the following conditions:

(i) $\Theta\models\varphi(\mathbf x)\ge 0$,
(ii') $g(\ell,\ell')\wedge\rho(\ell,\ell')\models\varphi(\mathbf x')\ge 0$, for any transition $\langle\ell,\ell',g,\rho\rangle$ going out from $\ell$,
(iii') $\Psi(\ell)\models\dot\varphi(\mathbf x)>0$, $\forall\ell\in L$,

then $\varphi(\mathbf x)\ge 0$ is an inductive invariant of the hybrid system $H$. In addition, if $\varphi(\mathbf x)$ satisfies

(iv) $X_u(\ell)\models\varphi(\mathbf x)<0$, $\forall\ell\in L$,

then the safety of the system is guaranteed.

Having Theorem 5, the program (4) can be modified into the following problem:

$$\begin{array}{ll}\text{find} & \varphi_\ell(\mathbf x)\in\mathbb R[\mathbf x],\ \forall\ell\in L\\ \text{s.t.} & \varphi_\ell(\mathbf x)=\sigma_0(\mathbf x)+\sum_{l=1}^{q}\sigma_l(\mathbf x)\theta_l(\mathbf x),\\ & \varphi_{\ell'}(\mathbf x')=\lambda_{\ell\ell',0}(\mathbf x)+\sum_{i=1}^{s}\lambda_{\ell\ell',i}(\mathbf x)g_{\ell\ell',i}(\mathbf x)+\sum_{u=1}^{t}\gamma_{\ell\ell',u}(\mathbf x)\rho_{\ell\ell',u}(\mathbf x,\mathbf x'),\\ & \dot\varphi_\ell(\mathbf x)=\phi_{\ell,0}(\mathbf x)+\sum_{k=1}^{r}\phi_{\ell,k}(\mathbf x)\psi_{\ell,k}(\mathbf x)+\epsilon_{\ell,1},\\ & -\varphi_\ell(\mathbf x)=\mu_{\ell,0}(\mathbf x)+\sum_{j=1}^{p}\mu_{\ell,j}(\mathbf x)\zeta_{\ell,j}(\mathbf x)+\epsilon_{\ell,2},\end{array}\qquad(5)$$

where $\sigma_l(\mathbf x),\lambda_{\ell\ell',i}(\mathbf x),\gamma_{\ell\ell',u}(\mathbf x),\phi_{\ell,k}(\mathbf x),\mu_{\ell,j}(\mathbf x)\in\Sigma_{n,2e}$ and $\epsilon_{\ell,1},\epsilon_{\ell,2}\in\mathbb R^+$. The program is equivalent to the following SDP problem:

$$\begin{array}{ll}\inf & \mathrm{Tr}(M,W,V,P,Q)\\ \text{s.t.} & \varphi_\ell(\mathbf x)=m_0(\mathbf x)^T\cdot M^{[0]}\cdot m_0(\mathbf x)+\sum_{l=1}^{q}m_l(\mathbf x)^T\cdot M^{[l]}\cdot m_l(\mathbf x)\,\theta_l(\mathbf x),\\ & \varphi_{\ell'}(\mathbf x')=w_{\ell\ell',0}(\mathbf x)^T\cdot W^{[\ell\ell',0]}\cdot w_{\ell\ell',0}(\mathbf x)+\sum_{i=1}^{s}w_{\ell\ell',i}(\mathbf x)^T\cdot W^{[\ell\ell',i]}\cdot w_{\ell\ell',i}(\mathbf x)\,g_{\ell\ell',i}(\mathbf x)\\ & \qquad\qquad+\sum_{u=1}^{t}v_{\ell\ell',u}(\mathbf x)^T\cdot V^{[\ell\ell',u]}\cdot v_{\ell\ell',u}(\mathbf x)\,\rho_{\ell\ell',u}(\mathbf x,\mathbf x'),\\ & \dot\varphi_\ell(\mathbf x)=p_{\ell,0}(\mathbf x)^T\cdot P^{[\ell,0]}\cdot p_{\ell,0}(\mathbf x)+\sum_{k=1}^{r}p_{\ell,k}(\mathbf x)^T\cdot P^{[\ell,k]}\cdot p_{\ell,k}(\mathbf x)\,\psi_{\ell,k}(\mathbf x)+\epsilon_{\ell,1},\\ & \varphi_\ell(\mathbf x)=-q_{\ell,0}(\mathbf x)^T\cdot Q^{[\ell,0]}\cdot q_{\ell,0}(\mathbf x)-\sum_{j=1}^{p}q_{\ell,j}(\mathbf x)^T\cdot Q^{[\ell,j]}\cdot q_{\ell,j}(\mathbf x)\,\zeta_{\ell,j}(\mathbf x)-\epsilon_{\ell,2},\end{array}\qquad(6)$$

where all the matrices $M^{[l]},W^{[\ell\ell',i]},V^{[\ell\ell',u]},P^{[\ell,k]},Q^{[\ell,j]}$ are symmetric and positive semidefinite, and the function $\mathrm{Tr}(M,W,V,P,Q)$ denotes the sum of the traces of all these matrices, which acts as a dummy objective function commonly used in SDP for optimization problems with no objective function. Many Matlab packages of SDP solvers, such as SOSTOOLS [22], YALMIP [14], and SeDuMi [26], are available to solve the problem (6) efficiently.
Since the SDP solvers in Matlab run in fixed precision, the techniques in Section 3.2 will yield numerical solutions to the associated SDP problem (6), where the numerical polynomial $\varphi_\ell(\mathbf x)$ and the numerical positive semidefinite matrices $M^{[l]},\dots,Q^{[\ell,j]}$ satisfy the constraints in (6) only approximately, for instance,

$$\varphi_\ell(\mathbf x)\approx m_0(\mathbf x)^T\cdot M^{[0]}\cdot m_0(\mathbf x)+\sum_{l=1}^{q}m_l(\mathbf x)^T\cdot M^{[l]}\cdot m_l(\mathbf x)\,\theta_l(\mathbf x),\qquad M^{[l]}\succeq 0.\qquad(7)$$

However, due to round-off errors, $\varphi_\ell(\mathbf x)\ge 0$ may fail to be an invariant at location $\ell$, because the constraints in (6) may not hold exactly; for example, (7) means that $\varphi_\ell(\mathbf x)$ may not be exactly positive semidefinite within the initial set $\Theta$. Therefore in the next step, from the numerical polynomials $\varphi_\ell(\mathbf x)$ and the numerical positive semidefinite matrices $M^{[l]},\dots,Q^{[\ell,j]}$, we will recover polynomials $\tilde\varphi_\ell(\mathbf x)$ with rational coefficients, which satisfy (6) exactly.

As described in [9], finding a polynomial with rational coefficients can be translated into the problem of rational vector recovery. In Section 3.2, a numerical vector $v^*_\ell$ denoting the coefficient (column) vector of $\varphi_\ell(\mathbf x)$ is obtained by solving the SDP system, i.e., $\varphi_\ell(\mathbf x)=v^{*T}_\ell\cdot T_\ell(\mathbf x)$, where $T_\ell(\mathbf x)$ is the column vector of all terms in $\varphi_\ell(\mathbf x)$. To obtain a rational vector $\tilde v_\ell$ near to $v^*_\ell$, we can employ the simultaneous Diophantine approximation algorithm [12], once the bound of the common denominator of $\tilde v_\ell$ is given.

The recovery of the matrices $M^{[l]},\dots,Q^{[\ell,j]}$ into rational positive semidefinite matrices is split into two steps. We first recover the matrices $\tilde M^{[l]},\dots,\tilde Q^{[\ell,j]}$ for $1\le l\le q,\dots,1\le j\le p$ and then recover $\tilde M^{[0]},\dots,\tilde Q^{[\ell,0]}$. To illustrate the idea, we only discuss how to recover $M^{[l]}$ for $1\le l\le q$; the matrices $W^{[\ell\ell',i]},V^{[\ell\ell',u]},P^{[\ell,k]},Q^{[\ell,j]}$ can be recovered similarly.

Given the numerical positive semidefinite matrices $M^{[l]}$, $1\le l\le q$, in (6), we can find nearby rational positive semidefinite matrices $\tilde M^{[l]}$ by use of the rational vector recovery technique. In practice, all the $M^{[l]}$ are numerically diagonal matrices, in other words, the off-diagonal entries are very tiny and the diagonal entries are nonnegative. Therefore, by setting the small entries of $M^{[l]}$ to zero we easily get nearby rational positive semidefinite matrices $\tilde M^{[l]}$ for $l=1,\dots,q$. The nearby rational positive semidefinite matrices $\tilde W^{[\ell\ell',i]},\tilde V^{[\ell\ell',u]},\tilde P^{[\ell,k]},\tilde Q^{[\ell,j]}$ can be recovered similarly.

Having $\tilde\varphi_\ell(\mathbf x)=\tilde v_\ell^T\cdot T_\ell(\mathbf x)$ and $\tilde M^{[l]},\dots,\tilde Q^{[\ell,j]}$ for $1\le l\le q,\dots,1\le j\le p$, the program (6) is converted to

$$\begin{array}{ll}\inf & \mathrm{Tr}(M^{[0]},W^{[\ell\ell',0]},P^{[\ell,0]},Q^{[\ell,0]})\\ \text{s.t.} & \tilde\varphi_\ell(\mathbf x)-\sum_{l=1}^{q}m_l(\mathbf x)^T\cdot\tilde M^{[l]}\cdot m_l(\mathbf x)\,\theta_l(\mathbf x)\approx m_0(\mathbf x)^T\cdot M^{[0]}\cdot m_0(\mathbf x),\\ & \tilde\varphi_{\ell'}(\mathbf x')-\sum_{i=1}^{s}w_{\ell\ell',i}(\mathbf x)^T\cdot\tilde W^{[\ell\ell',i]}\cdot w_{\ell\ell',i}(\mathbf x)\,g_{\ell\ell',i}(\mathbf x)-\sum_{u=1}^{t}v_{\ell\ell',u}(\mathbf x)^T\cdot\tilde V^{[\ell\ell',u]}\cdot v_{\ell\ell',u}(\mathbf x)\,\rho_{\ell\ell',u}(\mathbf x,\mathbf x')\\ & \qquad\qquad\approx w_{\ell\ell',0}(\mathbf x)^T\cdot W^{[\ell\ell',0]}\cdot w_{\ell\ell',0}(\mathbf x),\\ & \dot{\tilde\varphi}_\ell(\mathbf x)-\sum_{k=1}^{r}p_{\ell,k}(\mathbf x)^T\cdot\tilde P^{[\ell,k]}\cdot p_{\ell,k}(\mathbf x)\,\psi_{\ell,k}(\mathbf x)-\tilde\epsilon_{\ell,1}\approx p_{\ell,0}(\mathbf x)^T\cdot P^{[\ell,0]}\cdot p_{\ell,0}(\mathbf x),\\ & \tilde\varphi_\ell(\mathbf x)+\sum_{j=1}^{p}q_{\ell,j}(\mathbf x)^T\cdot\tilde Q^{[\ell,j]}\cdot q_{\ell,j}(\mathbf x)\,\zeta_{\ell,j}(\mathbf x)+\tilde\epsilon_{\ell,2}\approx -q_{\ell,0}(\mathbf x)^T\cdot Q^{[\ell,0]}\cdot q_{\ell,0}(\mathbf x).\end{array}\qquad(8)$$

Observing (8), the matrices $M^{[0]},\dots,Q^{[\ell,0]}$ have floating point entries, while the matrices $\tilde M^{[l]},\dots,\tilde Q^{[\ell,j]}$ are rational positive semidefinite matrices. Therefore, the remaining task is to find nearby rational positive semidefinite matrices $\tilde M^{[0]},\dots,\tilde Q^{[\ell,0]}$ such that the constraints in (8) hold exactly. To fulfil this task, we first apply Gauss-Newton iteration to refine $M^{[0]},\dots,Q^{[\ell,0]}$, and then recover the rational positive definite matrices $\tilde M^{[0]},\dots,\tilde Q^{[\ell,0]}$ respectively from the refined $M^{[0]},\dots,Q^{[\ell,0]}$, by orthogonal projection if the involved matrix is of full rank, or by the rational vector recovery method otherwise.

Finally, we check whether all the matrices $\tilde M^{[0]},\dots,\tilde Q^{[\ell,0]}$ are positive semidefinite. If so, we return $\tilde\varphi_\ell(\mathbf x)\ge 0$ as the invariant at each location $\ell\in L$; otherwise, we return "we cannot find invariants of the given degree bound".

Remark 3. The above technique based on SOS relaxation and exact polynomial recovery can be applied to computing the inductive invariants of hybrid systems, which guarantee the safety of the given hybrid system.

3.4. Algorithm
The discussion in Section 3.3 leads to an algorithm of computing the(inductive) invariants of polynomial hybrid systems. As stated above, weonly present how to compute the invariants ϕ ℓ ( x ), for ℓ ∈ L , that satisfy (6),and the case of computing the inductive invariants is similar. Algorithm Polynomial Inequality Invariant Generation
Input:
◮ H = ⟨V, L, T, Θ, D, Ψ, ℓ⟩: a polynomial hybrid system.
◮ d ∈ Z>: the degree bound of the candidate polynomial invariants.
◮ D ∈ Z>: the bound of the common denominator of the coefficient vector of the polynomial invariants.
◮ e ∈ Z≥: the degree bound 2e of the SOSes used to construct the SDP system.
◮ τ ∈ R>: the given tolerance.
Output:
◮ ϕ̃_ℓ(x) ≥ 0: the verified polynomial invariant at each location ℓ ∈ L.

1. Compute the candidates of polynomial invariants
(i) For each location ℓ ∈ L, predetermine the templates of ϕ_ℓ(x) with degree d, and construct an SDP system of the form (6), where the degree bounds of all the involved SOSes are 2e.
• If the SDP system (6) has no feasible solutions, return "we can't find polynomial invariants with degree ≤ d at each location";
• Otherwise, obtain a numerical vector v*_ℓ, numerical constants ǫ_{ℓ, }, ǫ_{ℓ, } and numerical positive semidefinite matrices M^[l], W^[ℓℓ′,i], V^[ℓℓ′,u], P^[ℓ,k], Q^[ℓ,j] for 0 ≤ l ≤ q, ≤ i ≤ s, ≤ u ≤ t, ≤ k ≤ r, ≤ j ≤ p.
(ii) For the common denominator bound D, compute from v*_ℓ a rational vector ṽ_ℓ by a Diophantine approximation algorithm, and obtain the associated rational polynomial ϕ̃_ℓ(x). Similarly, the nearby positive constants ǫ̃_{ℓ, } and ǫ̃_{ℓ, } are obtained.
(iii) Convert all the M^[l], ..., Q^[ℓ,j] into rational positive semidefinite matrices M̃^[l], ..., Q̃^[ℓ,j], for 1 ≤ l ≤ q, ..., ≤ j ≤ p.

2. Compute the exact SOS decomposition
(i) Reconstruct an SDP system of the form (8) to get approximate positive semidefinite matrices M^[0], ..., Q^[ℓ, ] satisfying (8).
(ii) Apply Gauss-Newton iteration to refine the matrices M^[0], ..., Q^[ℓ, ] obtained in Step 2 (i).
(iii) From the refined M^[0], ..., Q^[ℓ, ], compute the rational matrices M̃^[0], ..., Q̃^[ℓ, ] respectively by the orthogonal projection method if the involved matrix is of full rank, or by rational vector recovery if the matrix is singular.
(iv) Check whether all the matrices M̃^[0], ..., Q̃^[ℓ, ] are positive semidefinite.
• If so, return ϕ̃_ℓ(x) ≥ 0, ℓ ∈ L;
• Otherwise, return "we can't find polynomial invariants with degree ≤ d."

Remark 4. Our algorithm cannot guarantee that rational solutions will always be found, since the above algorithm is limited by the choice of the degree bound e and the common denominator bound D. Furthermore, it is difficult to determine in advance whether invariants with rational coefficients exist. Therefore, even if our algorithm cannot find the invariants, this does not mean that the given hybrid system has no invariants with the given degree bound d.
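To make the rational-recovery and positive-semidefiniteness steps of the algorithm concrete, here is an added example in Python with exact rational arithmetic; it is not code from the paper or its authors. The Diophantine approximation step is stood in for by a brute-force search over common denominators q ≤ D (an assumption, chosen for clarity), a symmetric rational matrix is recovered from a constructed numeric Gram matrix of the kind an SDP solver returns, and positive semidefiniteness is then decided exactly by LDL^T elimination, including the singular (zero-pivot) case that recovery of a rank-deficient matrix produces. The numeric matrix, the bound D = 1000 and all function names are assumptions.

```python
from fractions import Fraction as F


def recover_rational_vector(v, D):
    """Rational vector with one common denominator q <= D that is closest (max-norm)
    to the float vector v.  Assumption: a brute-force search over q stands in for
    the Diophantine approximation algorithm used in the paper."""
    best_err, best = None, None
    for q in range(1, D + 1):
        cand = [F(round(c * q), q) for c in v]          # Fractions reduce automatically
        err = max(abs(F(c) - r) for c, r in zip(v, cand))
        if best_err is None or err < best_err:
            best_err, best = err, cand
    return best


def recover_symmetric_matrix(M, D):
    """Recover the upper triangle with a common denominator and mirror it, so the
    result is exactly symmetric (a numeric SDP solution rarely is)."""
    n = len(M)
    idx = [(i, j) for i in range(n) for j in range(i, n)]
    vals = recover_rational_vector([M[i][j] for i, j in idx], D)
    R = [[F(0)] * n for _ in range(n)]
    for (i, j), r in zip(idx, vals):
        R[i][j] = R[j][i] = r
    return R


def is_psd_exact(A):
    """Exact PSD test on a symmetric rational matrix via LDL^T elimination.
    A negative pivot means the matrix is indefinite; a zero pivot is only
    acceptable when the rest of its row is zero, because a PSD matrix with
    A[k][k] = 0 must have a zero k-th row."""
    n = len(A)
    M = [[F(x) for x in row] for row in A]
    if any(M[i][j] != M[j][i] for i in range(n) for j in range(n)):
        return False
    for k in range(n):
        d = M[k][k]
        if d < 0:
            return False
        if d == 0:
            if any(M[k][j] != 0 for j in range(k + 1, n)):
                return False
            continue
        for i in range(k + 1, n):            # Schur complement of the pivot
            for j in range(k + 1, n):
                M[i][j] -= M[i][k] * M[k][j] / d
    return True


def certify_gram(M_num, D):
    """Steps 2 (iii)-(iv) of the algorithm for one matrix: rational recovery
    followed by the exact PSD check.  Name is an assumption."""
    R = recover_symmetric_matrix(M_num, D)
    return R, is_psd_exact(R)


if __name__ == "__main__":
    # Constructed numeric Gram matrix: rank 1 in exact arithmetic, slightly
    # perturbed the way a numeric SDP solution would be.
    G = [[1.0000002, 0.4999998], [0.4999998, 0.2500001]]
    R, ok = certify_gram(G, 1000)
    print(R, ok)   # [[1, 1/2], [1/2, 1/4]] True
```

The recovered matrix is singular, so a floating-point Cholesky factorization would be at the mercy of rounding; the exact elimination instead hits a zero pivot with a zero remaining row and accepts it, which is exactly the case Step 2 (iii) sends to rational vector recovery rather than orthogonal projection.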
4. Experiments
In this section, some examples are presented to illustrate our method for safety verification of hybrid systems.

Example 1. [23, Example CLOCK] Consider the nonlinear continuous system

[ẋ; ẏ] = [−y + y x − x],

with location invariant Ψ = {(x, y) ∈ R : 1 ≤ x ≤ ∧ ≤ y ≤ }. The problem is to verify that all trajectories of the system starting from the initial set Θ = {(x, y) ∈ R : 4 ≤ x ≤ . ∧ y = 1} never reach the unsafe set X_u = {(x, y) ∈ R : 1 ≤ x ≤ ∧ ≤ y ≤ }. The safety of the continuous system is verified if we can find a polynomial ϕ(x, y) that satisfies the conditions in Theorem 5. We rewrite Θ, X_u, Ψ as follows:

Θ = {(x, y) ∈ R : θ(x, y) ≥ ∧ θ(x, y) ≥ ∧ θ(x, y) ≥ },
Ψ = {(x, y) ∈ R : ψ(x, y) ≥ ∧ ψ(x, y) ≥ },
X_u = {(x, y) ∈ R : ζ(x, y) ≥ ∧ ζ(x, y) ≥ },

where

θ(x, y) = (4 − x)(x − .), θ(x, y) = y − , θ(x, y) = 1 − y,
ψ(x, y) = (1 − x)(x − ), ψ(x, y) = (1 − y)(y − ),
ζ(x, y) = (1 − x)(x − ), ζ(x, y) = (2 − y)(y − .).

Assume deg(ϕ(x, y)) = d for d = 1, 2, ..., and let the degree bound of all the involved SOSes in the program (5) be e = 10. Then the SOS program (5) becomes

ϕ(x, y) = σ(x, y) + σ(x, y) θ(x, y) + σ(x, y) θ(x, y) + σ(x, y) θ(x, y),
ϕ̇(x, y) = φ(x, y) + φ(x, y) ψ(x, y) + φ(x, y) ψ(x, y) + ǫ,
−ϕ(x, y) = μ(x, y) + μ(x, y) ζ(x, y) + μ(x, y) ζ(x, y) + ǫ,

where σ_i(x, y), φ_j(x, y), μ_k(x, y) ∈ Σ_{,e} and ǫ, ǫ ∈ R+. We apply the algorithm in Section 3.4 and increment d by 1 until a feasible solution of the SDP system is obtained. When d = 4, we obtain a feasible solution of the associated SDP system. Here we list just one approximate polynomial:

ϕ(x, y) = −. − . x − . y + 0. x + 0. xy + 0. y + ... + 0. × − x + 0. × − y.

Let the tolerance τ = 10^−, and the bound of the common denominator of the polynomial coefficient vector be .
By use of the rational SOS recovery technique described in Section 3.3, we obtain all the corresponding polynomials with rational coefficients, for instance

ϕ̃(x, y) = − − x − y + 879950 x + 3495 y + 738 xy − xy − x.

Furthermore, a certificate of SOS representation shows that ϕ̃(x, y) satisfies the conditions in Theorem 5 exactly. Therefore, the safety of this continuous system is proved.

Example 2. [23, Example ECO] Consider the predator-prey hybrid system depicted in Figure 2, where

f(x) = f(x) = (−x + x x x − x x).

Figure 2: Hybrid system of Example 2 (locations ℓ with dynamics ẋ = f(x), initial set Θ, guards g(1, 2), g(2, 1) and reset maps ρ(1, 2), ρ(2, 1)).
The system starts in location ℓ, with an initial state in Θ = {(x, x) ∈ R : (x − .) + (x − .) ≤ .}. Our task is to verify that the system never reaches the states in X_u(ℓ) = {(x, x) ∈ R : 0. ≤ x ≤ . ∧ . ≤ x ≤ .}. To verify the safety of this system, we need to find the corresponding invariant polynomials ϕ(x, x) and ϕ(x, x) at locations ℓ and ℓ, respectively. Similar to Example 1, we construct the associated SOS system and obtain feasible numerical solutions from the SDP solver:

ϕ = 0. − . x + 0. x + 0. x − . x x + 0.. x,
ϕ = 0. . x + 0. x + 0. x − . x x − .. x.

Let the tolerance τ = 10^−, and the bound of the common denominator of the polynomial coefficient vector be . By use of the rational SOS recovery technique, we obtain all the corresponding polynomials with rational coefficients. The invariant polynomials with rational coefficients are

ϕ̃(x, x) = 329944 − x + 17944 x − x x + 209944 x + 85472 x,
ϕ̃(x, x) = 11944 + 1217944 x + 267472 x − x x + 839944 x − x.

Furthermore, all the remaining related polynomials in (5) can be written as SOSes of polynomials, which means that ϕ̃ and ϕ̃ satisfy all the conditions in Theorem 5. So the safety of the hybrid system is proved.

Figure 3: Hybrid system of Example 3 (locations ℓ with dynamics ẋ = f(x), initial set Θ, guards g(1, 2), g(2, 1) and reset maps ρ(1, 2), ρ(2, 1)).
Example 3. Consider the hybrid system depicted in Figure 3, where

f(x) = (x + x x x − x −), f(x) = (x − x + x).

The system starts in location ℓ, with an initial state in Θ = {(x, x) ∈ R : (x − .) + x ≤ .}. Our task is to verify that the system never reaches the states in X_u(ℓ) = {(x, x) ∈ R : (x + 1) + (x + 1) ≤ .}. To prove the safety of the hybrid system, it suffices to find an inductive invariant polynomial ϕ(x, x) that satisfies all the conditions in Theorem 6. Using the same techniques as in the preceding examples, we obtain the inductive invariant polynomial with rational coefficients

ϕ̃(x, x) = − x − x + 239931 x.

Moreover, ϕ̃ satisfies the conditions in Theorem 6 exactly. Therefore, the inductive invariant guarantees the safety of the hybrid system. More details about the verification of the conditions in Theorem 6, based on SOS representations of polynomials with rational coefficients, can be found in the Appendix.
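The exact check behind Step 2 (iv) of the algorithm and the program (5) in Example 1, as an added example that is not the paper's own code: a constructed one-dimensional system ẋ = x with location invariant Ψ = {1 ≤ x ≤ 4}, initial set Θ = {2 ≤ x ≤ 3}, unsafe set X_u = {1 ≤ x ≤ 3/2}, candidate invariant ϕ = x − 7/4, and SOS multipliers derived by hand and written, as in the Appendix, as sums of squares of rational polynomials h_i. The code expands both sides of the three identities ϕ = σ0 + σ1 θ, ϕ̇ = φ0 + φ1 ψ + ǫ1 and −ϕ = μ0 + μ1 ζ + ǫ2 in rational arithmetic and accepts only exact equality with ǫ1, ǫ2 > 0, which is what makes the certificate a proof rather than a numerical approximation. The system, the certificate and all names are assumptions.

```python
from fractions import Fraction as F
from itertools import product

# Polynomials in n variables are dicts {exponent tuple: Fraction}; every
# operation below is exact, which is the point of a rational certificate.
def clean(p):
    return {e: c for e, c in p.items() if c != 0}

def add(p, q):
    r = dict(p)
    for e, c in q.items():
        r[e] = r.get(e, F(0)) + c
    return clean(r)

def scale(p, c):
    return clean({e: F(c) * v for e, v in p.items()})

def sub(p, q):
    return add(p, scale(q, -1))

def mul(p, q):
    r = {}
    for (e1, c1), (e2, c2) in product(p.items(), q.items()):
        e = tuple(a + b for a, b in zip(e1, e2))
        r[e] = r.get(e, F(0)) + c1 * c2
    return clean(r)

def deriv(p, i):
    """Partial derivative with respect to variable i."""
    r = {}
    for e, c in p.items():
        if e[i] > 0:
            e2 = e[:i] + (e[i] - 1,) + e[i + 1:]
            r[e2] = r.get(e2, F(0)) + c * e[i]
    return clean(r)

def lie_derivative(p, field):
    """phi_dot = sum_i (d phi / d x_i) * f_i along the vector field x' = f(x)."""
    r = {}
    for i, f_i in enumerate(field):
        r = add(r, mul(deriv(p, i), f_i))
    return r

def sos(hs):
    """Expand sum_i h_i^2 from the rational polynomials h_i (the Appendix's form)."""
    r = {}
    for h in hs:
        r = add(r, mul(h, h))
    return r

def const(c, n=1):
    return clean({(0,) * n: F(c)})

def identity_holds(lhs, mults, constraints, eps, n):
    """Exact test of  lhs == sos(mults[0]) + sum_k sos(mults[k+1]) * constraints[k] + eps."""
    rhs = add(sos(mults[0]), const(eps, n))
    for hs, g in zip(mults[1:], constraints):
        rhs = add(rhs, mul(sos(hs), g))
    return sub(lhs, rhs) == {}

# --- constructed 1-D instance; not from the paper ---
X = {(1,): F(1)}                                       # the variable x
ONE = const(1)
THETA = mul(sub(X, const(2)), sub(const(3), X))        # Theta: 2 <= x <= 3
PSI = mul(sub(X, const(1)), sub(const(4), X))          # Psi:   1 <= x <= 4
ZETA = mul(sub(X, const(1)), sub(const(F(3, 2)), X))   # X_u:   1 <= x <= 3/2
FIELD = [X]                                            # dynamics x' = x
PHI = sub(X, const(F(7, 4)))                           # candidate phi = x - 7/4

# Rational SOS multipliers (lists of h_i per multiplier) found by hand; the eps
# values are the strictly positive constants of the second and third identity.
CERT = {
    "init":   ([[sub(X, const(2)), const(F(1, 2))], [ONE]], [THETA], F(0)),
    "flow":   ([[sub(scale(X, F(1, 2)), const(F(1, 4))), const(F(1, 4))],
                [const(F(1, 2))]], [PSI], F(7, 8)),
    "unsafe": ([[sub(X, const(F(7, 4))), const(F(1, 4))], [ONE]], [ZETA], F(1, 8)),
}

def verify(phi=PHI, cert=CERT):
    """Verdicts for phi >= 0 on Theta, phi_dot > 0 on Psi and phi < 0 on X_u."""
    sides = (("init", phi), ("flow", lie_derivative(phi, FIELD)), ("unsafe", scale(phi, -1)))
    results = {}
    for name, lhs in sides:
        mults, cons, eps = cert[name]
        strict = name == "init" or eps > 0      # eps must be strictly positive
        results[name] = strict and identity_holds(lhs, mults, cons, eps, 1)
    return results

if __name__ == "__main__":
    print(verify())   # {'init': True, 'flow': True, 'unsafe': True}
```

Changing any coefficient of the certificate, for instance ǫ1 from 7/8 to 1, makes the corresponding identity fail exactly, whereas a floating-point comparison with a tolerance would have to decide how small a residual is small enough; that decision is what the paper's rational recovery removes.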
5. Conclusions
In this paper, we present a symbolic-numeric approach to compute in-equality invariants for safety verification of hybrid systems. Employing SOSrelaxation and rational vector recovery techniques, it can be guaranteed thatan exact invariant, rather than a numerical one, can be obtained efficientlyand practically. This approach avoids both the weakness of numerical ap-proaches to verify safety of hybrid systems and the high complexity of sym-bolic invariant generation methods based on quantifier elimination.
References

[1] Alur, R., Courcoubetis, C., Halbwachs, N., Henzinger, T., Ho, P., Nicollin, X., Olivero, A., Sifakis, J., Yovine, S., 1995. The algorithmic analysis of hybrid systems. Theoretical Computer Science 138, 3–34.
[2] Anai, H., Weispfenning, V., 2001. Reach set computations using real quantifier elimination. In: Proceedings of the 4th International Workshop on Hybrid Systems: Computation and Control. HSCC '01. Springer, London, UK, pp. 63–76.
[3] Branicky, M., 1995. General hybrid dynamical systems: modeling, analysis, and control. In: Alur, R., Henzinger, T.A., Sontag, E.D. (Eds.), Hybrid Systems, LNCS. Vol. 1066. pp. 186–200.
[4] Carbonell, E. R., Tiwari, A., 2005. Generating polynomial invariants for hybrid systems. In: HSCC, LNCS. Vol. 3414. pp. 590–605.
[5] Chutinan, A., Krogh, B. H., 2003. Computational techniques for hybrid system verification. IEEE Transactions on Automatic Control 48 (1), 64–75.
[6] Davoren, J., Nerode, A., 2000. Logics for hybrid systems. In: Proceedings of the IEEE. Vol. 88. pp. 985–1010.
[7] Gulwani, S., Tiwari, A., 2008. Constraint-based approach for analysis of hybrid systems. In: CAV, LNCS. Vol. 5123. Springer, pp. 190–203.
[8] Henzinger, T., 1996. The theory of hybrid automata. In: Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science. IEEE Computer Society, pp. 278–292.
[9] Kaltofen, E., Li, B., Yang, Z., Zhi, L., 2012. Exact certification in global polynomial optimization via sums-of-squares of rational functions with rational coefficients. Journal of Symbolic Computation 47 (1), 1–15.
[10] Kurzhanski, A. B., Varaiya, P., 2000. Ellipsoidal techniques for reachability analysis. In: Proceedings of the Third International Workshop on Hybrid Systems: Computation and Control. HSCC '00. Springer, London, UK, pp. 202–214.
[11] Lafferriere, G., Pappas, G. J., Yovine, S., 2001. Symbolic reachability computations for families of linear vector fields. J. Symbolic Computation 32 (3), 231–253.
[12] Lagarias, J. C., 1985. The computational complexity of simultaneous diophantine approximation problems. SIAM J. Comp. 14, 196–209.
[13] Liu, J., Zhan, N., Zhao, H., 2011. A complete method to polynomial differential invariant generation for hybrid systems. Arxiv preprint arXiv:1102.0705.
[14] Löfberg, J., 2004. YALMIP: A toolbox for modeling and optimization in MATLAB. In: Proceedings of the CACSD. Taipei, Taiwan, available at http://control.ee.ethz.ch/~joloef/yalmip.php.
[15] Matringe, N., Moura, A. V., Rebiha, R., 2009. Morphisms for non-trivial non-linear invariant generation for algebraic hybrid systems. In: HSCC, LNCS. Vol. 5469. pp. 445–449.
[16] Mohab, S. E. D., 2003. Raglib (real algebraic library maple package), available at .
[17] Platzer, A., 2007. Differential-algebraic dynamic logic for differential-algebraic programs. Journal of Logic and Computation 20, 309–352.
[18] Platzer, A., 2008. Differential dynamic logic for hybrid systems. Journal of Automated Reasoning 41 (2), 143–189.
[19] Platzer, A., Clarke, E. M., 2007. The image computation problem in hybrid systems model checking. In: Bemporad et al. (Eds.). Springer, pp. 473–486.
[20] Platzer, A., Clarke, E. M., August 2009. Computing differential invariants of hybrid systems as fixedpoints. Form. Methods Syst. Des. 35, 98–120.
[21] Prajna, S., 2005. Optimization-based methods for nonlinear and hybrid systems verification. Ph.D. thesis, California Institute of Technology.
[22] Prajna, S., Papachristodoulou, A., Parrilo, P., 2002. SOSTOOLS: Sum of squares optimization toolbox for MATLAB. Available at .
[23] Ratschan, S., She, Z., 2005. Safety verification of hybrid systems by constraint propagation based abstraction refinement. Hybrid Systems: Computation and Control, 573–589.
[24] Sankaranarayanan, S., 2010. Automatic invariant generation for hybrid systems using ideal fixed points. In: Proceedings of the 13th ACM International Conference on Hybrid Systems: Computation and Control. New York, NY, USA, pp. 221–230.
[25] Sankaranarayanan, S., Sipma, H., Manna, Z., 2008. Constructing invariants for hybrid systems. Formal Methods in System Design 32, 25–55.
[26] Sturm, J. F., 1999. Using SeDuMi 1.02, a MATLAB toolbox for optimization over symmetric cones. Optimization Methods and Software 11/12, 625–653.
[27] Sturm, T., Tiwari, A., 2011. Verification and synthesis using real quantifier elimination. In: Proceedings of the 36th International Symposium on Symbolic and Algebraic Computation. ACM, pp. 329–336.
[28] Tiwari, A., 2003. Approximate reachability for linear systems. In: Maler, O., Pnueli, A. (Eds.), Hybrid Systems: Computation and Control. Vol. 2623 of LNCS. Springer, pp. 514–525.
[29] Tiwari, A., Khanna, G., 2004. Nonlinear systems: Approximating reach sets. Lecture Notes in Computer Science 2993, 600–614.
[30] Tomlin, C., Mitchell, I., Bayen, A. M., Oishi, M., 2003. Computational techniques for the verification of hybrid systems. Proceedings of the IEEE 91 (7), 986–1001.
[31] Wu, M., Yang, Z., 2011. Generating invariants of hybrid systems via sums-of-squares of polynomials with rational coefficients. In: SNC'11 Proc. 2011 Internat. Workshop on Symbolic-Numeric Comput. ACM Press, New York, N. Y., pp. 104–111.
[32] Xia, B., 2007. DISCOVERER: a tool for solving semi-algebraic systems. ACM Commun. Comput. Algebra 41 (3), 102–103.
6. Appendix
Solution to Example 3: The initial state Θ, the unsafe region X_u(ℓ), the state invariant Ψ(ℓ), the guard condition g(ℓ, ℓ′) and the reset map ρ(ℓ, ℓ′) can be expressed as

Θ = {(x, x) ∈ R : θ(x, x) ≥ },
Ψ(1) = {(x, x) ∈ R : ψ_{,}(x, x) ≥ ∧ ψ_{,}(x, x) ≥ },
Ψ(2) = {(x, x) ∈ R : ψ_{,}(x, x) ≥ ∧ ψ_{,}(x, x) ≥ },
g(1, 2) = {(x, x) ∈ R : g(x, x) ≥ },
g(2, 1) = {(x, x) ∈ R : g(x, x) ≥ },
ρ(1, 2) = {(x, x) ∈ R : ρ(x, x) ≥ },
ρ(2, 1) = {(x, x) ∈ R : ρ(x, x) ≥ },
X_u(1) = {(x, x) ∈ R : ζ(x, x) ≥ },

where

θ(x, x) = 0. − (x − .) − x,
ζ(x, x) = 0. − (x + 1) − (x + 1),
ψ_{,}(x, x) = (x + 1)(2 − x), ψ_{,}(x, x) = (x + 1)(2 − x),
ψ_{,}(x, x) = (x − . − x), ψ_{,}(x, x) = (x − . − x),
g(x, x) = (x − . − x), g(x, x) = (x − . . − x),
ρ(x, x) = 0. − (x − .) − (x − .),
ρ(x, x) = 0. − (x − ) − (x − ).

Let the tolerance τ = 10^−, and the bound of the common denominator of the polynomial coefficient vector be 1000. Then we find that the inductive invariant polynomial ϕ̃(x, x) satisfies

ϕ̃(x, x) = σ̃(x, x) + σ̃(x, x) θ(x, x),
ϕ̃(x, x) = λ̃(x, x) + λ̃(x, x) g(x, x) + γ̃(x, x) ρ(x, x),
ϕ̃(x, x) = λ̃(x, x) + λ̃(x, x) g(x, x) + γ̃(x, x) ρ(x, x),
ϕ̃̇(x, x) = φ̃(x, x) + φ̃(x, x) ψ(x, x) + φ̃(x, x) ψ(x, x) + ǫ,
ϕ̃̇(x, x) = φ̃(x, x) + φ̃(x, x) ψ(x, x) + φ̃(x, x) ψ(x, x) + ǫ,
−ϕ̃(x, x) = μ̃(x, x) + μ̃(x, x) ζ(x, x) + ǫ̃,

with

ϕ̃(x, x) = − + x − x + x,
σ̃(x, x) = − x − x + x + x, σ̃ = ,
λ̃(x, x) = − x − x + x + x, λ̃ = , γ̃ = ,
λ̃(x, x) = − x − x + x + x, λ̃ = , γ̃ = ,
φ̃(x, x) = + x + x + x x + x + x, φ̃ = , φ̃ = , ǫ̃ = ,
φ̃(x, x) = − x − x + x + x x + x, φ̃ = , φ̃ = , ǫ̃ = ,
μ̃(x, x) = − x + x + x x + x + x, μ̃ = , ǫ̃ = .

The exact SOS representations of the above polynomials are as follows:

σ̃(x, x) = h + h + h,
λ̃(x, x) = h + h + h,
λ̃(x, x) = h + h + h,
φ̃(x, y) = h + h + h,
φ̃(x, y) = h + h + h,
μ̃(x, x) = h + h + h,

where

h = − x − x, h = x − x, h = x;
h = − x − x, h = x − x, h = x;
h = − x − x, h = x − x, h = x;
h = + x + x, h = x − x, h = x;
h = − x − x, h = x + x, h = x;
h = + x + x, h = x − x, h = x.