Improving Polygonal Hybrid Systems Reachability Analysis through the use of the Phase Portrait Gordon J. Pace Dept. of Computer Science, University of Malta, Msida, Malta
Gerardo Schneider ∗ Dept. of Informatics, University of Oslo, Oslo, Norway
Abstract In this paper we deal with a subclass of planar hybrid automata, denoted by SPDI, which can be represented by piecewise constant differential inclusions. The computation of certain objects of the phase portrait of an SPDI, namely the viability, controllability, invariance kernels and semi-separatrix curves have been shown to be efficiently decidable. On the other hand, although the reachability problem for SPDIs is known to be decidable, its complexity makes it unfeasible on large systems. We present and combine recent results on the use of the SPDI phase portraits for improving reachability analysis by (i) state-space reduction and (ii) decomposition techniques of the state space, enabling compositional parallelization of the analysis. Both techniques contribute to increase the feasibility of reachability analysis on large SPDI systems. Key words: hybrid systems, polygonal differential inclusions; compositional reachability algorithm
1
Introduction
In this paper, we are concerned with systems combining discrete and continuous behavior, common in many models of various artificial and real systems based both in discrete and continuous mathematics. Due to such heterogeneous ∗ Corresponding author. Address: Dept. of Informatics, University of Oslo, P.O. Box 1080 Blindern, NO-0316 Oslo, Norway. e-mail:
[email protected]
Preprint submitted to Information and Computation
20 February 2008
nature the research community has called them hybrid systems. Such systems are widespread and occur in domains like avionics, robotics and bioinformatics. From the verification point of view, reachability analysis has been the main focus of researchers in hybrid systems, even though for most subclasses of hybrid systems few verification questions are decidable. Among the classes for which reachability is decidable we find timed [1] and initialized rectangular automata [14], hybrid automata with linear vector fields [16], piecewise constant derivative systems (PCDs) [17] and polygonal differential inclusion systems (SPDIs) [5]. Compared to reachability verification, qualitative analysis of hybrid systems is a relatively neglected area [10,11,18,24,27]. Typical qualitative questions include: ‘Are there ‘sink’ regions where a trajectory can never leave once it enters the region?’ and ‘Are there regions in which every point in the region is reachable from every other?’. We call the collection of objects in a system satisfying these and similar properties, the phase portrait of the system. Defining and constructing phase portraits of hybrid systems has been directly addressed for PCDs in [18], and for SPDIs in [6]. Given a cycle on an SPDI, the viability kernel is the largest set of points in the cycle which may loop forever within the cycle. The controllability kernel is the largest set of strongly connected points in the cycle (such that any point in the set may be reached from any other). An invariant set is a set of points such that each point must remain within the set forever, and the invariance kernel is the largest such set. Algorithms for computing these kernels have been presented in [6,26] and implemented in the tool set SPeeDI+ [20]. Given the non-compositional nature of hybrid systems, decomposing SPDIs to reduce the state space and to distribute the reachability algorithms is a challenging task. A qualitative analysis of hybrid systems does, however, provide useful information for partitioning the state-space in independent subspaces, thus helping in achieving compositional analysis. In this paper we extend and combine some recent results [22,23] we have obtained, showing how kernels can be used to improve the reachability analysis of SPDIs. The extension comprises a more detailed background, the inclusion of auxiliary results, more detailed proofs, and a discussion about complexity contrasting the original reachability algorithm with the optimized and parallel one presented in this paper. In addition we provide two more optimizations giving immediate answer based on analysis of DIE loops and cycles with identity successors. We use kernel information to (i) reduce the number of states of the SPDI graph, based on topological properties of the plane (and in particular, those of SPDIs); and (ii) partition the reachability questions in a compositional manner, dividing the problem into independent smaller ones and combining the partial results to answer the original question, hence enabling 2
e4
I’
R4
e5
e3 R3
R5
e6
e2 R2
I’
e1 R6
I
R1
I
e0
(a)
(b)
Fig. 1. (a) An SPDI and its trajectory segment; (b) Reachability analysis
parallelization with minimal communication costs.
2
Theoretical Background
In this section, we summarize the main definitions and results about SPDIs; for a more detailed description and proof of the results presented in sections 2.1–2.5 see [7]. Refer to [3] for details concerning sections 2.6 and 2.7. 2.1 Truncated Affine Multivalued Functions As usual in model checking, the reachability question is based on the computation of fix-points, by means of successors and predecessors. We present in this subsection the underlying mathematical functions on which successors and predecessors are based on. An interval is a subset S of a totally ordered set T with the property that for x, y ∈ S with x < z < y then z ∈ S. In this paper we are concerned only with intervals on the real line, i.e., T = R. We will use the notation I ∈ I nterval to denote that I is an interval of R. Definition 1 A (positive) affine function f : R → R is such that f (x) = ax+b with a > 0. An affine multivalued function (AMF) F : R → 2R , denoted F = hfl , fu i, is defined by F (x) = hfl (x), fu (x)i where fl and fu are affine and h·, ·i ∈ I nterval, denotes an interval. For notational convenience, we do not make explicit whether intervals are 3
open, closed, left-open or right-open, unless required for comprehension. For an interval I = hl, ui we have that F (hl, ui) = hfl (l), fu (u)i. Whenever l > u, we define hl, ui to be the empty interval ∅. Definition 2 The inverse of a function F : R → R is defined by F −1 (x) = {y | x ∈ F (y)}. The definition can be extended to operate on intervals of real numbers. The universal inverse of F is defined by F˜ −1 (I) = I ′ where I ′ is the greatest non-empty interval satisfying ∀x ∈ I ′ · F (x) ⊆ I. Clearly, F −1 = hfu−1 , fl−1 i and F˜ −1 = hfl−1 , fu−1 i, provided that hfl−1 , fu−1 i = 6 ∅. Definition 3 Given an AMF F and two intervals S ⊆ R+ and J ⊆ R+ , a truncated affine multivalued function (TAMF) FF,S,J : R → 2R is defined as follows: FF,S,J (x) = F (x) ∩ J if x ∈ S, otherwise FF,S,J (x) = ∅. In what follows we will write F instead of FF,S,J whenever no confusion may arise. Moreover, in the rest of the paper F will always denote an AMF and F a TAMF. For convenience we write F (x) = F ({x} ∩ S) ∩ J instead of F (x) = F (x) ∩ J if x ∈ S. The above definition can be extended to operate on intervals. Given an interval I, F (I) = F (I∩S)∩J and F −1 (I) = F −1 (I∩J)∩S. Definition 4 The universal inverse of F is defined by F˜ −1 (I) = I ′ if and only if I ′ is the greatest non-empty interval such that for all x ∈ I ′ , F (x) ⊆ I and F (x) = F (x). We say that F is normalized if S = Dom(F ) = {x | F (x) ∩ J 6= ∅} (thus, S ⊆ F −1 (J)) and J = Im(F ) = F (S). TAMFs are closed under composition. Theorem 1 The composition of TAMFs F1 (I) = F1 (I ∩S1 ) ∩J1 and F2 (I) = F2 (I ∩ S2 ) ∩ J2 , is the TAMF (F2 ◦ F1 )(I) = F (I) = F (I ∩ S) ∩ J, where F = F2 ◦ F1 , S = S1 ∩ F1−1 (J1 ∩ S2 ) and J = J2 ∩ F2 (J1 ∩ S2 ).
2.2 SPDIs An angle ∠ba on the plane, defined by two non-zero vectors a, b, is the set of all positive linear combinations x = α a + β b, with α, β ≥ 0, and α + β > 0. We will assume that b is situated in the counter-clockwise direction from a. Let P = {Ps }s∈S be a partition (of a subset) of the plane, and F = {φs }s∈S be ˆ s bs < 0. such that each φs is an angle between two vectors as and bs with a 4
A polygonal differential inclusion system 1 (SPDI) consists on a partition of (a subset of) the plane into convex polygonal regions, together with a differential inclusion associated with each region. More formally: Definition 5 A polygonal differential inclusion system (SPDI) is a pair H = (P, F). Each region Ps has dynamics x˙ ∈ φs for x ∈ Ps (given a generic region P we also use the notation φ(P )). Given an SPDI S, let E be the set of edges of S. For a region P , E(P ) ⊆ E denotes the set of edges of P . We say that e is an entry of P if for all x ∈ e and for all c ∈ φ(P ), x + cǫ ∈ P for some ǫ > 0. We say that e is an exit of P if the same condition holds for some ǫ < 0. We denote by in(P ) ⊆ E(P ) the set of all entries of P and by out(P ) ⊆ E(P ) the set of all exits of P . Assumption 1 All the edges in E(P ) are either entries or exits, but not both. An SPDI with the above assumption is said to have the goodness property, or simply to be good. In [5,7] it was proved that reachability for SPDIs is decidable provided the above assumption holds, so in the rest of the paper all the SPDIs we consider are good. Definition 6 A trajectory segment of an SPDI is a continuous function ξ : [0, T ] → R2 which is smooth everywhere except in a discrete set of points, and ˙ is defined then ξ(t) ˙ ∈ φ(P ). such that for all t ∈ [0, T ], if ξ(t) ∈ P and ξ(t) The signature of ξ, denoted Sig(ξ), is the ordered sequence of edges traversed by the trajectory segment, that is, e1 e2 . . . ek , where ξ(ti ) ∈ ei and ti < ti+1 . If T = ∞, a trajectory segment is called a trajectory. Example 1 Consider the SPDI illustrated in Fig. 1-(a). For sake of simplicity we will only show the dynamics associated to regions R1 to R6 in the picture. For each region Ri , 1 ≤ i ≤ 6, there is a pair of vectors (ai , bi ), where: a1 = (45, 100), b1 = (1, 4), a2 = b2 = (1, 10), a3 = b3 = (−2, 3), a4 = b4 = (−2, −3), a5 = b5 = (1, −15), a6 = (1, −2), b6 = (1, −1). A trajectory segment starting on interval I ⊂ e0 and finishing in interval I ′ ⊂ e4 is depicted.
A signature which repeats a certain (possible infinite) number of times is called to be a simple edge-cycle (also called simple cycle, simple loop, or cyclic signature). We will use the notation (e1 . . . en ) to denote simple cycles, making clear that it corresponds to the (possibly infinite) signature e1 . . . en e1 . . . en . . . e1 . . . en . . .. Given a signature σ we also use the notation 1
In the literature the names polygonal hybrid systems and simple planar differential inclusion have been used to describe the same class of systems.
5
σ + to stress that σ is a cyclic signature iterated an unbounded number of times. We say that a signature σ is feasible if and only if there exists a trajectory segment ξ with signature σ, i.e., Sig(ξ) = σ. From this definition, it immediately follows that extending an unfeasible signature can never make it feasible: Proposition 1 If a signature σ is not feasible, then neither is any extension of the signature — for any signatures σ ′ and σ ′′ , the signature σ ′ σσ ′′ is not feasible. Given an SPDI S, with edges E, we can define a graph GS where nodes correspond to edges of S and such that there exists an arc from one node to another if there exists a trajectory segment from the first edge to the second one without traversing any other edge. More formally: Definition 7 Given an SPDI S, the graph of S, is a graph GS = (NG , AG ), with NG = E and AG = {(e, e′ ) | ∃ξ, t . ξ(0) ∈ e ∧ ξ(t) ∈ e′ ∧ Sig(ξ) = ee′ }. We say that a sequence e0 e1 . . . ek of nodes in GS is a path whenever (ei , ei+1 ) ∈ AG for 0 ≤ i ≤ k − 1. 2.3 Successors and Predecessors Given an SPDI with a partition P, we fix a one-dimensional coordinate system on each edge to represent points lying on edges. For notational convenience, we use letter e to denote both the edge and its one-dimensional representation. Accordingly, we write x ∈ e or x ∈ e, to mean “point x in edge e with coordinate x in the one-dimensional coordinate system of e”. The same convention is applied to sets of points of e represented as intervals (e.g., x ∈ I or x ∈ I, where I ⊆ e) and to trajectories (e.g., “ξ starting in x” or “ξ starting in x”). Now, given P ∈ P, e ∈ in(P ) and e′ ∈ out(P ), we define edge-to-edge successors. Definition 8 For I ⊆ e, Succee′ (I) is the set of all points in e′ reachable from some point in I by a trajectory segment ξ : [0, t] → R2 in P (i.e., ξ(0) ∈ I ∧ ξ(t) ∈ e′ ∧ Sig(ξ) = ee′ ). Edge-to-edge successors, Succee′ , are TAMFs. Example 2 Let us consider the sequence of edges e1 . . . e6 e1 , as shown in Fig. 1-(a), where all the edges have local coordinates over [0, 10], and I = [l, u]. We assume a one-dimensional coordinate system. We show only the first and last edge-to-edge TAMF of the sequence: 6
Fe1 e2 (I) =
h
l 9 , u 4 20
Fe6 e1 (I) = [l, 2u] ,
i
h
, S1 = [0, 10] , J1 = 0, 29
i
S6 = [0, 10] , J6 = [0, 10]
with Succei ei+1 (I) = Fei ei+1 (I ∩ Si ) ∩ Ji , for 1 ≤ i ≤ 6 ; Si and Ji are computed as shown in Theorem 1. Given a sequence σ = e1 e2 . . . en , since TAMFs are closed under composition, the successor of I along σ, defined as Succσ (I) = Succen−1 en ◦ . . . ◦ Succe1 e2 (I), is a TAMF. Since the intervals S and J associated to a successor (predecessor) function depends on the signature σ under consideration (cf. Theorem 1), we will usually write Sσ and Jσ , unless understood from the context. Thus, given an edge signature σ we usually write Succσ (I) = F (I ∩ Sσ ) ∩ Jσ . Example 3 Let σ = e1 · · · e6 e1 . For I ⊆ e1 , we have that Succσ (I) = F (I ∩ 9 Sσ ) ∩ Jσ , where: F (I) = [ 4l + 31 , 10 u + 32 ], with Sσ = [0, 10] and Jσ = [ 13 , 29 ]. 3 For computing the kernels we also need the notion of predecessor. Definition 9 For I ⊆ e′ , Preee′ (I) is the set of points in e that can reach a point in I by a trajectory segment in P . g The ∀-predecessor Pre(I) is defined in a similar way to Pre(I) using the universal inverse instead of just the inverse: g ′ (I) is the set of points in e such that any Definition 10 For I ⊆ e′ , Pre ee successor of such points are in I by a trajectory segment in P .
Both definitions can be extended straightforwardly to signatures σ = e1 . . . en : g (I). Preσ (I) and Pre σ Example 4 Let σ = (e1 . . . e6 ) be a simple cycle as in Fig. 1-(a) and I = [l, u]. We have that Preei ei+1 (I) = Fe−1 (I ∩ Ji+1 ) ∩ Si , for 1 ≤ i ≤ 5, and i ei+1 −1 Pree6 e1 (I) = Fe6 e1 (I ∩ J1 ) ∩ S6 , where: Fe−1 (I) = 1 e2 Fe−1 (I) = 3 e4
h
h
h
20 l, 4u 9 2 2 l, u 3 3
i
Fe−1 (I) = [l − 1, u − 1] 2 e3
i
Fe−1 (I) = l + 23 , u + 5 e6
2 3
i
Fe−1 (I) = 4 e5 Fe−1 (I) = 6 e1
h
h
3 3 l, u 2 2 l ,u 2
i
i
.
Besides, Preσ (I) = F −1 (I∩Jσ )∩Sσ , where F −1 (I) = [ 10 l− 20 , 4u− 34 ]. Similarly, 9 27 i h g (I) = F˜ −1 (I ∩ J ) ∩ S , where F˜ −1 (I) = 4l − 4 , 10 u − 20 if we compute Pre σ σ σ 3 9 27 4l − 4 ≤ 10 u − 20 , and F˜ −1 (I) is equal to the empty interval otherwise. 3
9
27
7
From Example 3 we know that Sσ = [0, 10] and Jσ = [ 31 , 29 ]. Hence, for 3 1 3 instance by considering I = [ 2 , 4 ], we get that Preσ (I) = [0, 35 ], meaning that from any point in [0, 35 ] there is at least one segment of trajectory with g (I), which is equal signature σ with final point in I. Similarly, we compute Pre σ 2 15 to [ 3 , 162 ] ∩ [0, 10] = ∅, meaning that there are no points on e1 such that all their successor lie in I.
2.4 Qualitative Analysis of Simple Edge-Cycles Let σ = (e1 · · · ek ) be a simple edge-cycle, i.e., ei 6= ej for all 1 ≤ i 6= j ≤ k. Let Succσ (I) = F (I ∩ Sσ ) ∩ Jσ with F = hfl , fu i (we suppose that this representation is normalized). We denote by Dσ the one-dimensional discretetime dynamical system defined by Succσ , that is xn+1 ∈ Succσ (xn ). In the rest of the paper we will assume the following: Assumption 2 None of the two functions fl , fu is the identity. Without the above assumption the results are still valid but need a special treatment making the presentation more complicated. Given a cyclic signature σ, let l∗ and u∗ be the fix-points 2 of the underlying affine functions of Succσ , fl and fu , respectively, and let hL, Ui denote the interval Sσ ∩ Jσ . 3 Then σ is of one of the following types: STAY. The cycle is not abandoned neither by the leftmost 4 nor the rightmost trajectory, that is, L ≤ l∗ ≤ u∗ ≤ U. DIE. The rightmost trajectory exits the cycle through the left (consequently the leftmost one also exits) or the leftmost trajectory exits the cycle through the right (consequently the rightmost one also exits), that is, u∗ < L ∨ l∗ > U. EXIT-BOTH. The leftmost trajectory exits the cycle through the left and the rightmost one through the right, that is, l∗ < L ∧ u∗ > U. 2
The fix-point x∗ is the solution of f (x∗ ) = x∗ , where f (·) is positive affine. The existence and computation of such fix-points are detailed in [7]. 3 hL, U i = S ∩ J denotes the largest interval on the first edge of the simple cycle σ σ σ such that a trajectory can loop at least once without being obliged to leave the cycle. See [7,25] for more details. 4 The leftmost (respectively rightmost) trajectory is the trajectory induced by following vector b (respectively a) of the dynamic of all the regions traversed by the trajectory. We will give a more formal definition in section 2.6. See [7] for more details.
8
EXIT-LEFT. The leftmost trajectory exits the cycle (through the left) but the rightmost one stays inside, that is, l∗ < L ≤ u∗ ≤ U. EXIT-RIGHT. The rightmost trajectory exits the cycle (through the right) but the leftmost one stays inside, that is, L ≤ l∗ ≤ U < u∗ . Any trajectory that enters a cycle of type DIE will eventually quit it after a finite number of turns. If the cycle is of type STAY, all trajectories that happen to enter it will keep turning inside it forever. In all other cases, some trajectories will remain inside for a while and then exit, and others will remain inside forever. This information is crucial for proving decidability of the reachability problem. Example 5 Let σ = e1 · · · e6 e1 . Then, Sσ ∩ Jσ = hL, Ui = [ 31 , 29 ]. The fix3 20 29 ∗ points from Example 3 are 31 < l∗ = 11 < u = < . Thus, σ is a STAY 25 3 3 cycle.
2.5 Reachability Analysis It has been shown that reachability is decidable for SPDIs. Proof of the decidability result is constructive, giving an algorithmic procedure Reach(S, e, e′ ) based on a depth-first search algorithm [5,7]. An alternative breadth-first search algorithm which can deal with multiple edges more effectively has been presented in [21]. The DFS algorithm for deciding reachability on SPDI depends on pre-processing of trajectory segments and a qualitative analysis to guarantee that it is possible to review the behavior of all the possible signatures, by looking at only a finite set of abstract signatures. Informally, this is achieved as follows: (1) Trajectory segments are simplified — it is sufficient to look at trajectories made up of straight segments across regions, and which do not cross themselves. (2) Trajectory segments are abstracted into signatures, consisting of just the sequence of traversed edges. This result is based on the Poincar´e map [15], that relates n-dimensional continuous-time systems with (n−1)dimensional discrete-time systems. (3) It is shown that it is sufficient to look at signatures which consist only of sequences of edges with simple cycles. (4) Such signatures can be abstracted into types of signatures — signatures which do not take into account the number of times each simple cycle is iterated. The above pre-processing is mainly theoretical, proving that there is only a finite number of types of signatures, guaranteeing termination, which together 9
with the analysis of each simple cycle (cf. section 2.4) gives decidability. From the practical point of view, the above guarantees that it is enough to consider all such types of signatures in order to be exhaustive. The reachability algorithm proceeds by analyzing each type of signature (of the form r1 [s1 ]r2 [s2 ] . . . rn ) based on the fact that it is possible to compute: • The successor for each sequence of edges ri (1 ≤ i ≤ n); • The exits of every loop si (1 ≤ i < n). Each simple loop is classified as explained in section 2.4, and whenever possible, accelerated. In practice, in order to improve the analysis, SPeeDI+ [2,20] implements a number of optimizations. For instance, it considers only types of signature starting and finishing with the relevant edges corresponding to the source and destination points, and it generates all the possible simple loops first as to avoid recalculating them for each type of signature. More details about the optimizations implemented in SPeeDI+ may be found in [3]. The complexity of the above analysis is known to be at least doubly exponential [7]. In section 3 we will present further optimizations based on the analysis of kernels, semiseparatrices and other simple loops. We have then that point-to-point, edgeto-edge, and region-to-region reachability is decidable for SPDIs. Theorem 2 ([5]) The reachability problem for SPDIs is decidable. An edge interval is a pair consisting of an SPDI edge and an interval, and corresponds to the subset of the given edge determined by the given interval. For example, (e, [0, 0.5]) would correspond to the first half of normalized edge e. An edgelist I is a set of edge intervals (I ∈ 2E×I nterval ). Using the edge-to-edge decidability result, reachability between edge intervals and edgelists is decidable. Checking reachability over an edge interval can be done by splitting the edge into three — for example, given an edge e = [0, 1], to check reachability starting from interval [0.2, 0.5] on edge e, one can simply split e into edges e1 , e2 and e3 such that e1 corresponds to the interval [0, 0.2] on e, e2 corresponds to the interval [0.2, 0.5] on e, and finally e3 to the interval [0.5, 1]. Checking edgelist-to-edgelist reachability can be done by checking all possible pairs of input and output edge intervals. Although decidability applies to point-to-point, edge-to-edge, edgelist-to-edgelist and region-to-region, in the rest of this paper, we will only talk about edgelist reachability. Given edgelists I and I ′ , we denote the reachability of (some part S of) I ′ from (some part of) I as I −→ I ′ . Given an SPDI S and edgelist I, we will use the notation S \ I to denote the SPDI without the edge intervals in I. 10
Example 6 Consider the SPDI of Fig. 1-(a). Fig. 1-(b) shows part of the reach set of the interval [8, 10] ⊂ e0 , answering positively to the reachability question: Is [1, 2] ⊂ e4 reachable from [8, 10] ⊂ e0 ? Fig. 1-(b) has been automatically generated by the SPeeDI+ toolbox we have developed for reachability analysis of SPDIs [2,20].
2.6 Kernels
In this section we recall the definitions of invariance, controllability and viability kernels of an SPDI, and we show how to compute such kernels. Full proofs of the following results can be found in [6] and [26]. Given that all the kernels are defined on cyclic signatures, we need to define a subset of the SPDI determined by such signatures. We thus define the following set for a given cyclic signature σ:
Kσ =
k [
(int(Pi ) ∪ ei )
i=1
where Pi ∈ P, a region in the SPDI, is such that ei−1 ∈ in(Pi ), ei ∈ out(Pi ) and int(Pi ) is the interior of Pi . The segment of a trajectory with signature in σ + (i.e., a cyclic signature iterated an unbounded number of times) necessarily stays in Kσ . We need the following preliminary definitions. Now, let σ = (e1 . . . en ) be a simple cycle, ∠baii (1 ≤ i ≤ n) be the dynamics of the regions for which ei is an entry edge and I = [l, u] an interval on edge e1 . Remember that Succe1 e2 (I) = F (I ∩ Se1 e2 ) ∩ Je1 e2 , where F (x) = [a1 x + b1 , a2 x + b2 ]. Let l be the vector corresponding to the point on e1 with local coordinates l and l′ be the vector corresponding to the point on e2 with local coordinates F (l) (similarly, we b1 define u and u′ for F (u)). We define first Succe1 (I) = {l+α(l′ −l) | 0 < α < 1} a1 and Succe1 (I) = {u + α(u′ − u) | 0 < α < 1}. We extend these definitions in a straight way to any signature, and in particular to cyclic signatures σ = b a (e1 . . . en ), denoting them by Succσ (I) and Succσ (I), respectively. Whenever b a applied to the fix-point I ∗ = [l∗ , u∗], we denote Succσ (I ∗ ) and Succσ (I ∗ ) by ξσl and ξσu respectively. Intuitively, ξσl (respectively ξσu ) denotes the piecewise affine closed curve defined by the leftmost (respectively rightmost) fix-point l∗ (u∗ ). 5 5
For clarity of presentation, from now on, we will use the terms ‘leftmost’ and ‘rightmost’ for the corresponding trajectories, instead of the formal definition using successors.
11
2.6.1 Viability Kernel We now recall the definition of viability kernels [8]. Definition 11 A trajectory ξ is viable in a set M if ξ(t) ∈ M for all t ≥ 0. A set K is a viability domain if for every x ∈ K, there exists at least one trajectory ξ, with ξ(0) = x, which is viable in K. The viability kernel of K, denoted Viab(K), is the largest viability domain contained in K. In order to compute SPDI viability kernels we need to extend the definition of predecessor. Definition 12 Given a signature σ = e1 . . . ek , and I ⊆ ek , we define Preσ (I) to be the set of all x ∈ R2 for which there exists a trajectory segment ξ starting in x, that reaches some point in I, such that Sig(ξ) is a suffix of e1 . . . ek . It is easy to see that Preσ (I) is a polygonal subset of the plane which can be calculated using the following procedure. We start by defining Pree (I) = {x | ∃ξ : [0, t] → R2 , t > 0 . ξ(0) = x ∧ ξ(t) ∈ I ∧ Sig(ξ) = e}. Let e ∈ out(P ). In order to effectively compute Pree (I), for each e′ ∈ in(P ) we first compute I ′ = Pree′ e (I). We then obtain the quadrilateral defined by the (global coordinates of the) extremities of I and I ′ ; we call this operation ‘sweep’, Sweepe′ e (I ′ , I). Now Pree (I) is computed by taken the union of the resulting polygons calculated for all e′ ∈ in(P ). More formally: Pree (I) =
[
Sweepe′ e (Pree′ e (I), I).
e′ ∈in(P )
We then apply this operation k times:
Preσ (I) =
k [
Preei (Ii )
i=1
with I1 = I, Ik = Preek e1 (I1 ) and Ii = Preei ei+1 (Ii+1 ), for 2 ≤ i ≤ k − 1. The tool SPeeDI+ [20] uses the procedure above described to compute Preσ (·). The following result suggests a non-iterative algorithmic procedure for computing the viability kernel of Kσ on an SPDI: Theorem 3 If σ is a DIE cycle, then Viab(Kσ ) = ∅, otherwise Viab(Kσ ) = Preσ (Sσ ). 12
(a)
(b)
Fig. 2. (a) Viability kernels; (b) Controllability kernels
Example 7 Fig. 2-(a) shows all the viability kernels of the SPDI given in Example 1. There are 4 cycles with viability kernels — in the picture two of the kernels are overlapping.
2.6.2 Controllability Kernel We say that a set M ⊆ R2 is controllable if for any two points x and y in M there exists a trajectory segment ξ starting in x that reaches an arbitrarily small neighborhood of y without leaving M. 6 More formally:
Definition 13 A set M is controllable if ∀x, y ∈ M, ∀δ > 0, ∃ξ : [0, t] → R2 , t > 0 . (ξ(0) = x ∧ |ξ(t) − y| < δ ∧ ∀t′ ∈ [0, t] . ξ(t′ ) ∈ M). The controllability kernel of a set K, denoted Cntr(K), is the largest controllable subset of K.
6
In the definition of controllability kernel we require to read ‘an arbitrarily small neighborhood’ since the kernel includes the limits in some cases. We could have, however, excluded the limits from the definition and then consider an open set instead.
13
In order to compute the controllability kernel of an SPDI, we need some preliminaries. First, for a given cyclic signature σ, we define CD (σ) as follows:
CD (σ) =
hL, Ui hL, u∗ i ∗
hl , Ui hl∗ , u∗ i ∅
if σ is EXIT-BOTH if σ is EXIT-LEFT if σ is EXIT-RIGHT
(1)
if σ is STAY if σ is DIE
We then need to extend the notion of successor as we did for predecessors. Definition 14 Given a signature σ = e1 . . . ek , and I ⊆ e1 , we define Succσ (I) to be the set of all points y ∈ R2 for which there exists a trajectory segment ξ starting in some point x ∈ I, that reaches y, such that Sig(ξ) is a prefix of e1 . . . ek . The successor Succσ (I) is a polygonal subset of the plane which can be computed similarly to Preσ (I). Finally, we need the following definition: C(σ) = (Succσ ∩ Preσ )(CD (σ)). We compute the controllability kernel of Kσ as follows. Theorem 4 Cntr(Kσ ) = C(σ). Example 8 Fig. 2-(b) shows all the controllability kernels of the SPDI given in Example 1. There are 4 cycles with controllability kernels — in the picture two of the kernels are overlapping. Let Cntrl (Kσ ) be the closed curve obtained by taking the leftmost trajectory and Cntru (Kσ ) be the closed curve obtained by taking the rightmost trajectory which can remain inside the controllability kernel. In other words, Cntrl (Kσ ) and Cntru (Kσ ) are the two polygons defining the controllability kernel. A non-empty controllability kernel Cntr(Kσ ) of a given cyclic signature σ partitions the plane into three disjoint subsets: (1) the controllability kernel itself, (2) the set of points limited by Cntrl (Kσ ) (and not including Cntrl (Kσ )) and (3) the set of points limited by Cntru (Kσ ) (and not including Cntru (Kσ )). We define the inner of Cntr(Kσ ) (denoted by Cntrin (Kσ )) to be the subset defined by (2) above if the cycle is counter-clockwise or to be the subset defined by (3) if it is clockwise. The outer of Cntr(Kσ ) (denoted by Cntrout (Kσ )) is defined to 14
be the subset which is not the inner nor the controllability itself. Note that an edge in the SPDI may intersect a controllability kernel. In such cases, we can generate a different SPDI, with the same dynamics but with the edge split into parts, such that each part is completely inside, on, or outside the kernel. Although the signatures will obviously change, it is easy to prove that the behavior of the SPDI remains identical to the original. In the rest of the paper, we will assume that all edges are either completely inside, on, or completely outside the kernels. We note that in practice splitting is not necessary since we can just consider parts of edges.
2.6.3 Invariance Kernel In general, an invariant set is a set of points such that for any point in the set, every trajectory starting in such point remains in the set forever and the invariance kernel is the largest of such sets. Definition 15 A set M is said to be invariant if for any x ∈ M there exists at least one trajectory starting in it and every trajectory starting in x is viable in M. Given a set K, its largest invariant subset is called the invariance kernel of K and is denoted by Inv(K). In particular, for an SPDI, given a cyclic signature, an invariant set is a set of points which keep rotating in the cycle forever and the invariance kernel is the largest of such sets. We need some preliminary definitions before showing how to compute the kernel. The extended ∀-predecessor of an output edge e of a region R is the set of points in R such that every trajectory segment starting in such point reaches e without traversing any other edge. More formally, let R be a region and e be an edge in out(R), then the e-extended ∀-predecessor g of I, Pree (I) is defined as: g
Pree (I) = {x | ∀ξ . (ξ(0) = x ⇒ ∃t ≥ 0 . (ξ(t) ∈ I ∧ Sig(ξ[0, t]) = e))}. g
It is easy to see that Preσ (I) is a polygonal subset of the plane which can be calculated using a similar procedure as for Preσ (I). We compute the invariance kernel of Kσ as follows: g
g (J )), otherwise it is ∅. Theorem 5 If σ is STAY then Inv(Kσ ) = Preσ (Pre σ σ
Example 9 Fig. 3-(a) shows the unique invariance kernel of the SPDI given in Example 1. 15
(a)
(b)
Fig. 3. (a) Invariance kernel; (b) All the kernels
In a similar way as for the controllability kernel, we define Invl (Kσ ) and Invu (Kσ ) to be the two closed curves defining the kernel. 2.6.4 Kernel Properties The following result which relates controllability and viability kernels, states that the viability kernel of a given cycle is the local basin of attraction of the corresponding controllability kernel. Proposition 2 Any viable trajectory in Kσ converges to Cntr(Kσ ). In what follows, we will need to identify the points lying inside and outside a given kernel. Thus the following definition. Definition 16 Given a controllability kernel C (of a cycle σ — C = Cntr(Kσ )), then let C + be the related viability kernel (C + = Viab(Kσ )), Cin be the inside of the kernel, and Cout be the outside. The following proposition gives conditions for feasible trajectories traversing controllability kernels. Proposition 3 Given two edges e and e′ , one lying completely inside a controllability kernel, and the other outside or on the same controllability kernel, such that ee′ is feasible, then there exists a point on the controllability kernel, which is reachable from e and from which e′ is reachable. Proof: Let e ⊆ Cntrin (Kσ ). Let us assume that e′ ⊆ Cntr(Kσ ); since ee′ is feasible, by the Jordan curve theorem [13], the trajectory must cross Cntrl (Kσ ) 16
or Cntru (Kσ ) at least once. Assume the first holds, then there exists x ∈ Cntrl (Kσ ) such that exe′ is feasible. If e′ ⊆ Cntrout (Kσ ) the proof is conducted in a similar way as the previous case by using the definition of controllability kernel: every point inside the kernel is reachable from any other point in the kernel. 2 The above result can be generalized to the other kernels straightforwardly. The following corollary follows directly from Proposition 2. Corollary 1 Given a controllability kernel C, and related viability kernel C + , then for any e ⊆ C + , e′ ⊆ C, there exists a feasible path eσe′ . The following result relates controllability and invariance kernels. Proposition 4 If σ is STAY then Cntr(Kσ ) ⊆ Inv(Kσ ). Example 10 Fig. 3-(b) shows the viability, controllability and invariance kernels of the SPDI given in Example 1. For any point in the viability kernel of a cycle there exists a trajectory which will converge to its controllability kernel (Proposition 2). It is possible to see in the picture that Cntr(·) ⊂ Inv(.) (Proposition 4). All the above pictures has been obtained with the toolbox SPeeDI+ [20].
2.7 Semi-Separatrix Curves In this section we define the notion of separatrix curves, which are curves dissecting the plane into two mutually non-reachable subsets, and semi-separatrix curves which can only be crossed in one direction. We start by defining these notions independently of SPDIs. Definition 17 Let K ⊆ R2 . A separatrix in K is a closed curve γ partitioning K into three sets KA , KB and γ itself, such that KA , KB and γ are pairwise disjoint, K = KA ∪ KB ∪ γ and the following conditions hold: (1) For any point x0 ∈ KA and trajectory ξ, with ξ(0) = x0 , there is no t such that ξ(t) ∈ KB ; and (2) For any point x0 ∈ KB and trajectory ξ, with ξ(0) = x0 , there is no t such that ξ(t) ∈ KA . If only one of the above conditions holds then we say that the curve is a semiseparatrix. If only condition 1 holds, then we say that KA is the inner of γ (written γin ) and KB is the outer of γ (written γout ). If only condition 2 holds, KB is the inner and KA is the outer of γ. 17
Notice that, as in the case of the controllability kernel, an edge of the SPDI may be split into two by a semi-separatrix — part inside, and part outside. As before, we can split the edge into parts, such that each part is completely inside, or completely outside the semi-separatrix. The above notions are extended to SPDIs straightforwardly. The set of all the separatrices of an SPDI S is denoted by Sep(S), or simply Sep. We show now how to identify semi-separatrices for simple cycles. Theorem 6 Given an SPDI, let σ be a simple cycle, then the following hold: (1) If σ is EXIT-RIGHT then ξσl is a semi-separatrix curve (filtering trajectories from ‘left’ to ‘right’); (2) If σ is EXIT-LEFT then ξσu is a semi-separatrix curve (filtering trajectories from ‘right’ to ‘left’); (3) If σ is STAY, then the two polygons defining the invariance kernel (Invl (Kσ ) and Invu (Kσ )), are semi-separatrices. Proof: (1) By definition of EXIT-RIGHT, any trajectory is bounded to the left by ξσl , which is a piecewise affine closed curve, partitioning R2 into three disjoint sets: KB , the ‘right’ part of ξσl ; KA , the ‘left’ part of ξσl ; and ξσl itself. By Jordan theorem, any trajectory may pass from KB to KA if and only if it cross ξσl . However, by definition of EXIT-RIGHT, this is only possible from KA to KB but not vice-versa. Hence ξσl is a semi-separatrix curve. (2) Symmetric to the previous case. (3) Follows directly from the definition of invariance kernel, since any trajectory with initial point in Inv(Kσ ) ∪ Invin (Kσ ) cannot leave Inv(Kσ ). If the trajectory cycles clockwise it cannot traverse Invl (Kσ ) and if it cycles counter-clockwise it cannot traverse Invu (Kσ ). In both cases no point on Invout (Kσ ) can be reached. Symmetrically, trajectories starting in Inv(Kσ ) ∪ Invout (Kσ ) cannot reach any point on Invin (Kσ ). 2 In the case of STAY cycles, ξσl and ξσu are both also semi-separatrices. Notice that in the above result, computing a semi-separatrix depends only on one simple cycle, and the corresponding algorithm is then reduced to find simple cycles in the SPDI and checking whether it is STAY, EXIT-RIGHT or EXITLEFT. DIE cycles induce an infinite number of semi-separatrices and are not considered here. However, in section 3.3 we will show that DIE cycles can also be used for optimizing reachability. Example 11 Fig. 4 shows all the semi-separatrices of the SPDI given in Example 1, obtained as shown in Theorem 6. The small arrows traversing the 18
Fig. 4. Semi-separatrices
semi-separatrices show the inner and outer of each semi-separatrix: a trajectory may traverse the semi-separatrix following the direction of the arrow, but not vice-versa.
Proposition 5 If, for some semi-separatrix γ, e ∈ γin and e′ ∈ γout , then the signature ee′ is not feasible.
The following result relates feasible signatures and semi-separatrices.
Proposition 6 If, for some semi-separatrix γ, and signature σ (of at least length 2), then, if first(σ) ∈ γin and last(σ) ∈ γout , σ is not feasible.
Proof: The proof proceeds by induction on sequence σ. The base case, when σ is of length 2, reduces to Proposition 5. Now, assuming that the proposition is true for signatures of length n, we are required to prove that it is also true for signatures of length n + 1. Consider the signature σ ′ = ee′ σe′′ , with e ∈ γin and e′′ ∈ γout . Clearly, either e′ ∈ γin or e′ ∈ γout . Case 1: e′ ∈ γin . The signature e′ σe′′ satisfies the conditions and is of length n. Therefore, the inductive property applies, and we can conclude that e′ σe′′ is not feasible. However, since any extension of an unfeasible signature is itself unfeasible, it follows that σ ′ is not feasible. Case 2: e′ ∈ γout . The signature ee′ is unfeasible by proposition 5. Therefore, being an extension of ee′ , σ ′ is also unfeasible (Proposition 1). 2 19
3
State-Space Reduction
The different phase portrait objects can be used to reduce the search statespace of the reachability algorithm. The main idea is to use the information given by the kernels and semi-separatrices to ensure that certain parts of the SPDI underlying graph do not need to be explored during the reachability analysis. In some cases it is even possible to immediately give a positive or a negative answer without further analysis.
3.1 Reduction using Semi-Separatrices Semi-separatrices partition the state space into two parts 7 – once one crosses such a border, all states outside the region can be ignored. We present a technique, which, given an SPDI and a reachability question, enables us to discard portions of the state space based on this information. The approach is based on identifying inert states (edges in the SPDI) not playing a role in the reachability analysis. Definition 18 Given an SPDI S, a semi-separatrix γ ∈ Sep, a source edge e0 and a destination edge e1 , an edge e is said to be inert if it lies outside the semi-separatrix while e0 lies inside, or it lies inside while e1 lies outside: inertγe0 →e1 = {e : E | e0 ∈ γin ∧ e ∈ γout } ∪ {e : E | e1 ∈ γout ∧ e ∈ γin }. We can prove that these inert edges can never appear in a feasible signature: Lemma 1 Given an SPDI S, a semi-separatrix γ, a source edge e0 and a destination edge e1 , and a feasible signature e0 σe1 in S. No inert edge from inertγe0 →e1 may appear in e0 σe1 . Proof: From the definition of inert states, it follows that either both e0 and e1 are inert, or neither is. If both are inert, e0 ∈ γin and e1 ∈ γout . But if this were so, then e0 σe1 is unfeasible by Proposition 6. We can thus consider only inert edges in σ. Let e be an inert edge appearing in σ. Therefore, e0 σe1 = e0 σ1 eσ2 e1 . By definition of inert edges, e can either be inert because (i) it lies outside a semiseparatrix inside which lies e0 , or (ii) it lies inside a semi-separatrix outside which lies e1 . 7
Here, we do not consider the semi-separatrix itself.
20
In the first case, e0 ∈ γin and e ∈ γout . But by Proposition 6, e0 σ1 e is not feasible. Hence, neither is e0 σ1 eσ2 e1 . Case (ii) similarly follows. It thus follows that e0 σe1 is not feasible.
2
Given an SPDI, we can reduce the state space by discarding inert edges. Definition 19 Given an SPDI S, a semi-separatrix γ, and two edges, a source edge e0 and a destination edge e1 , we define the reduced SPDI Seγ0 →e1 to be the same as S but without the inert edges: Seγ0 →e1 = S \ inertγe0 →e1 . This notation is extended to work with a set of semi-separatrices Γ: SeΓ0 →e1 = S \
[
inertγe0 →e1 .
γ∈Γ
Clearly, the resulting SPDI after eliminating inert edges is not bigger than the original one. Proposition 7 For any SPDI S, a set of semi-separatrices Γ, and edges e0 and e1 , S does not have less edges than SeΓ0 →e1 . Finally, we prove that checking reachability on the reduced SPDI is equivalent to checking reachability on the original SPDI: Theorem 7 Given an SPDI S, a semi-separatrix γ, and edges e0 and e1 , S
Seγ
→e
0 1 then, e0 −→ e1 if and only if e0 −→ e1 .
Proof: Since every SPDI edge in Seγ0 →e1 is also in S, if immediately follows that reachability in the reduced graph implies reachability in the full one. Conversely, assume that e1 is reachable from e0 in S. By definition of reachability, there exists a feasible signature e0 σe1 in S. By Lemma 1, no inert edge may appear in e0 σe1 . Therefore, e0 σe1 is also a feasible signature in Seγ0 →e1 , 2 which in turn implies that e1 is reachable from e0 in Se0 →e1 . This result can be easily extended to work with source and destination edgelists, rather than edges. We have shown, that once semi-separatrices are identified, given a reachability question, we can reduce the size of the SPDI to be verified by removing inert edges of all the known semi-separatrices. 21
I
I’
I’
I
(a)
(b)
Fig. 5. Reduction using semi-separatrices
Example 12 The shaded areas of Fig. 5(a) and (b) are examples of subsets of the SPDI edges of the reachability graph, eliminated by the reduction presented in this section applied to all semi-separatrices, when answering reachability questions (in this case to the question: Is I ′ reachable from I?).
3.2 State-space Reduction using Kernels We have already shown that an invariant kernel is essentially defined by a pair of semi-separatrices, so we can use the results from section 2.7 to abstract an SPDI using invariance kernels. We now turn our attention to state space reduction using controllability kernels: Definition 20 Given an SPDI S, a cycle σ, a source edge e0 and a destination edge e1 , an edge e is said to be redundant if it lies on the opposite side of a controllability kernel as both e0 and e1 :
redundantσe0 →e1 = {e : E | {e0 , e1 } ⊆ Cntrin (σ) ∪ Cntr(σ) ∧ e ∈ Cntrout (σ)} ∪ {e : E | {e0 , e1 } ⊆ Cntrout (σ) ∪ Cntr(σ) ∧ e ∈ Cntrin (σ)}. We can prove that we can do without these edges to check feasibility: Lemma 2 Given an SPDI S, a cycle σ, a source edge e0 , a destination edge e1 , and a feasible signature e0 σe1 then there exists a feasible signature e0 σ ′ e1 such that σ ′ contains no redundant edge from redundantσe0 →e1 . 22
Proof: Let e0 σe1 be a feasible signature which contains some redundant edge from the set redundantσe0 →e1 . Without loss of generality, we assume that e0 , e1 ∈ Cntrout (σ) ∪ Cntr(σ). Let f0 and f1 be, respectively, the first and last redundant edges in σ. By definition of redundant edges, it follows that f0 , f1 ∈ Cntrin (σ). The path we are following is thus: e0 σ1 f0 σ2 f1 σ3 e1 . Since f0 (f1 ) is the first (last) redundant edge, it follows that the last element of σ1 (the first element of σ3 ) is inside the controllability kernel. Using Proposition 3, it follows that there exists a point p on the controllability kernel reachable from the last element of σ1 (a point q on the controllability kernel from which the first element of σ3 is reachable). Since all points on the controllability kernel are mutually reachable, it follows that q is reachable from p along some discrete path σ2′ completely within the kernel. We have thus obtained a shorter discrete path e0 σ1 σ2′ σ3 e1 which is feasible and which contains no redundant edges. 2 Given an SPDI, in a similar way as for inert edges, we can reduce the state space by discarding redundant edges. Definition 21 Given an SPDI S, a cycle σ, a source edge e0 and a destination edge e1 , we define the reduced SPDI Seσ0 →e1 to be the same as S but without redundant edges: Seσ0 →e1 = S \ redundantσe0 →e1 . This notation is extended to work with a set of cycles Σ: SeΣ0 →e1 = S \
[
redundantσe0 →e1 .
σ∈Σ
Clearly, the resulting SPDI is smaller than the original one. Proposition 8 For any SPDI S, a cycle σ, a source edge e0 and a destination edge e1 , S does not have less edges than Seσ0 →e1 . Finally, as a direct corollary of Lemma 2, we can prove that reachability on the reduced SPDI is equivalent to reachability on the original one: Theorem 8 Given an SPDI S, a cycle σ, a source edge e0 and a destination Seσ
S
→e
0 1 e1 . edge e1 , then e0 −→ e1 if and only if e0 −→
Proof: The theorem follows immediately from Lemma 2.
2
This result can be easily extended to work on edgelists, as opposed to edges. Given a cycle which has a controllability kernel, we can thus reduce the state space to explore. 23
3.3 Immediate Answers By definition of the controllability kernel, any two points inside it are mutually reachable. This can be used to answer reachability questions in which both the source and destination edge lie (possibly partially) within the same controllability kernel. Using Proposition 2, we know that any point in the viability kernel of a cycle can eventually reach the controllability kernel of the same cycle, which allows us to relax the condition about the source edge to just check whether it (partially) lies within the viability kernel. Definition 22 We extend viability and controllability kernels for a set of cycles Σ by taking the union of the kernels of the individual cycles, with Viab(KΣ ) being the union of all viability kernels of cycles in Σ, and similarly Cntr(KΣ ). We note that the union of non-disjoint controllability sets is itself a controllability set which allows us to extend the result to work for a collection of cycles whose controllability kernels form a strongly connected set. Definition 23 Two cycles σ and σ ′ are said to be compatible if their controllability kernels overlap: Cntr(Kσ ) ∩ Cntr(Kσ′ ) 6= ∅. We extend the notion of compatibility to a set of cycles Σ to mean that all cycles in the set are transitively compatible. The following theorem presents the first immediate answer, based on the fact that (unions of) viability kernels are the basins of attraction of the corresponding (unions of) controllability kernels. Theorem 9 Given an SPDI S, a source edgelist I and a destination edgelist I ′ , then if for some compatible set of cycles Σ if I ⊆ C + and I ′ ⊆ C (where C is the union of their controllability kernels and C + is the union of their viability S kernels) then I −→ I ′ . Proof: The result follows directly from the convergence property of viable trajectories established in Proposition 2. 2 Example 13 Fig. 6-(a) shows a viability and a controllability kernel of a cycle and two intervals I and I ′ . Whether I ′ is reachable from I cannot be answered immediately in this case, but Fig. 6-(b) shows the overlapping of the viability and controllability kernels depicted in Fig. 6-(a) with the kernels of an inner cycle. I ′ thus lies in a compatible controllability kernel, and we can immediately conclude (by Theorem 9) that I ′ is reachable from I. The next theorem provides an immediate answer to edges lying inside and outside invariance kernels. 24
I
I
I’
I’
(a)
(b)
Fig. 6. Answering reachability using kernels
Theorem 10 If one of the following conditions holds, then a destination edge e1 is not reachable from a source edge e0 : (1) e0 ∈ Invin (Kσ ) and e1 ∈ Inv(Kσ ) ∪ Invout (Kσ ); (2) e0 ∈ Inv(Kσ ) ∪ Invout (Kσ ) and e1 ∈ Invin (Kσ ). Proof: The proof follows directly from the definition of invariance kernels. 2 We note that, since an invariance kernel induces a pair of semi-separatrices, this theorem is a specialization of the reduction using semi-separatrix information. We proceed now by giving two more optimizations to provide immediate answers based on the dynamics (and type) of simple cycles. The following lemmas show that we can give an immediate negative answer to the reachability question in many cases whenever: (1) the cycle is DIE; and (2) the underlying affine functions of the successor function of the cycle are the identity. We start by showing that DIE cycles separate the SPDI into two regions such that one of the parts is not reachable from the other. We need some preliminaries first. We recall (see [17,7]) that any trajectory segment (without self-crossing) with a cyclic signature can only be of one of the following forms: (1) clockwise expanding spiral, (2) anti-clockwise expanding spiral, (3) clockwise contracting spiral, (4) anti-clockwise contracting spiral. We say that a DIE cycle σ is expanding if any trajectory segment with signature σ is expanding, and the DIE cycle is contracting otherwise, depending on the fix-point of the cycle and the interval Sσ ∩ Jσ = hL, Ui. 25
Given a cyclic signature σ = (e0 . . . ek ), at the beginning of section 2.6 we defined Kσ to be an open set defined by the polygons induced by the signature. We define here the closure of Kσ , with σ = (e0 . . . ek ), to be the following: Closure(Kσ ) =
[
Pi
ei ∈out(Pi )
Note that, using the Jordan curve theorem, one can partition the plane into two sets — the opposing sides of a closed curve or closed polygonal strip. The inside of the curve is defined to be the bounded set, while the outside of the curve is the unbounded set [13]. The polygonal region defined by Closure(Kσ ) partitions the plane into three disjoint subsets: (i) Closure(Kσ ) itself; (ii) the inside (and not including Closure(Kσ )); and (iii) the outside (and not including Closure(Kσ )). Whenever the cycle σ is of type DIE, we say that (ii) above is the inner of the DIE cycle (denoted by DIEin (Kσ )), and we define the outer of the DIE cycle (denoted by DIEout (Kσ )) to be the subset defined as (iii) above. Theorem 11 Given an SPDI S, a DIE cycle σ, a source edge e0 and a destination edge e1 , then e1 is not reachable from e0 if one of the following conditions hold: (1) The DIE cycle is expanding, and e0 ∈ DIEout (Kσ ) and e1 ∈ DIEin (Kσ ); (2) The DIE cycle is contracting, and e1 ∈ DIEout (Kσ ) and e0 ∈ DIEin (Kσ ). Proof: Let σ be an expanding DIE cycle, e1 ∈ DIEin (Kσ ), and x0 ∈ e0 , where e0 ∈ DIEout (Kσ ). By definition of DIE both the leftmost and rightmost trajectories exit to one of the sides of the cycle. Since we are considering an expanding DIE cycle, we have two cases: The expanding is clockwise: in which case any segment of trajectory ξ, such that ξ(0) = x0 , can not reach any point in DIEin (Kσ ), since by definition of DIE, the trajectory can not cycle even once before being forced to leave the cycle to DIEout (Kσ ) again. Thus e1 is not reachable from e0 . The expanding is anti-clockwise: Similar to the previous case. The second case, whenever the DIE cycle is contracting, is proved in a similar manner. 2 Though for clarity of presentation we have excluded the identity successor function for simple cycles (Assumption 2), the following lemma provides immediate result answers for such cycles. In a similar way as for DIE cycles, we can define Idin (Kσ ) and Idout (Kσ ) for a cycle σ where the successor is the identity function for both underlying affine functions. Recall that for a given 26
simple cycle σ, hL, Ui = Sσ ∩ Jσ , denotes the biggest interval on the first edge of the cycle such that a trajectory can loop at least once without being obliged to leave the cycle. We have then the following optimization. Proposition 9 Let S be an SPDI, σ a simple cyclic signature, I ⊆ e0 a source interval, and I ′ ⊆ e1 a destination interval. If the dynamics of σ is given by the identity function, then I ′ is not reachable from I if any of the following cases hold: (1) (2) (3) (4)
e1 e0 e0 e1
∈ Idout (Kσ ) and e0 ∈ Idin (Kσ ); ∈ Idout (Kσ ) and e1 ∈ Idin (Kσ ); ∈ σ and e1 ∈ Idin (Kσ ) ∪ Idout (Kσ ), with I ⊆ Succσ (hL, Ui); ∈ σ and e0 ∈ Idin (Kσ ) ∪ Idout (Kσ ), with I ′ ⊆ Succσ (hL, Ui).
Proof: For 1 and 2 above, the result follows immediately from the fact that any trajectory segment starting in Idin (Kσ ) (Idout (Kσ )) can only reach any edge in Idout (Kσ ) (Idin (Kσ )) only traversing Kσ , which is impossible by the hypothesis on the nature of the dynamics inside the cycle. The case 3 follows immediately since Succσ (hL, Ui) is an invariant set where all the trajectories with initial point in such set are closed curves (the corresponding successor is the identity): no trajectory can leave such set, and thus 2 I ′ is not reachable from I. Similarly for the last case 4. In practice, we propose to use the results of this section to enable answering certain reachability questions without having to explore the complete state space. It can also be used to reduce reachability questions to (possibly) simpler ones by trying to reach a viability kernel rather than a particular edge. As in the case of semi-separatrices, a preliminary analysis of an SPDI’s kernels be used in all subsequent reachability queries. SPeeDI+ [20] starts by calculating and caching all cycles in the given SPDI, and can thus easily identify maximal compatible sets of cycles. Combining this technique with the semi-separatrix reduction technique gives substantial gains. A more detailed analysis is presented in what follows.
3.4 Complexity The results presented in this section enable us to answer reachability questions on SPDIs more effectively. After the analysis of simple cycles, and in particular the identification of semi-separatrices and kernels, the results enable us to answer reachability questions either immediately (by applying the result from Theorems 9, 10, 11 and Proposition 9) or applied to a smaller state-space (applying the results given in Theorem 7 and Theorem 8). Thanks to the goodness assumption (Assumption 1) a kernel outline or semi-separatrix can 27
only split an edge into two parts, meaning that the subsystems are never more complex than those we start off with. To put the complexity analysis in perspective, it is important to note that (i) the model-checking of an SPDI always requires the identification of simple cycles, so it needs not be added to the complexity of the reduction algorithms; (ii) the complexity of the reachability algorithm is at least doubly exponential in the total number of region edges [7]; (iii) the calculation of the kernels and semi-separatrices is linear in the length of the cycle signature; (iv) the largest number of possible semi-separatrices and kernels in an SPDI corresponds to the number of possible simple cycles, which is factorial on the number of edges of regions (in practice, it is much less than this, since the length of feasible simple cycle is rarely of the same order of magnitude as the number of edges in the SPDI); and (v) checking whether an edge lies within a kernel outline or semi-separatrix can be calculated using the odd-even parity test algorithm [12] which has complexity linear in the number of sides making up the polygon representing the kernel or semi-separatrix. Let us call the number of region edges n, and consider the optimizations we propose in turn: Reduction using semi-separatrices: Given a starting edge and destination edge, and a semi-separatrix, the reduction involves checking whether, for every other edge in the SPDI (n of them), it is inert (checking whether it lies on the relevant opposite side of the semi-separatrix of either the source or destination). Checking whether one edge is inert is linear in the number of sides of the polygon representing the semi-separatrix which cannot be higher than n. The total complexity for the application of this part of the algorithm on one semi-separatrix is thus O(n2 ). This has to be done for each semi-separatrix — at worst all n! of them. The total complexity is thus O(n2 n!). This is subsumed into the doubly exponential reachability analysis. Reduction using kernels: The analysis follows in the same manner as the previous one. Immediate answers: Checking whether two kernels are compatible, requires checking whether they overlap, which, since each kernel consists of no more that n polygons, can be done in at most O(n2 ) time. This has to be done for all all pairs of kernels, resulting a worst case of O(n2 (n!)2 ). In the case of both Theorems 9 and 10, we need to check whether the source and destination edges both lie inside (or outside) a set of compatible kernels. Since the maximum length of a kernel is n, checking whether both edges lie inside is O(n). This is to be done for every possible compatible kernel set, resulting in O(n2 n!). The total complexity is thus O(n2 (n!)2 + n2 n!), which is, once again, subsumed in the doubly exponential complexity of model checking the SPDI, and which may be completely avoided should the checks succeed. 28
The complexity for the cases given by Theorem 11 and Proposition 9 is clearly lower, since in both cases there is no need to compute the compatible kernels and the analysis of simple cycles is sufficient. The worst-case analysis presented here indicates that the processing required to optimize SPDI model checking is subsumed into the complexity of the model checking itself. Furthermore, due to the doubly exponential nature of the model checking algorithm, removing even a few edges from the analysis will result in major returns. However, one has to keep in mind, that the analysis presented is overly pessimistic. For instance, we take the largest possible kernel or semi-separatrix to be of length n, which is highly unlikely to happen in an SPDI. In practice, this complexity can be less due to various constraints induced by the SPDI, including (i) the graph induced by an SPDI is asymmetric due to the constraint on the SPDI dynamics; (ii) the graph has low fan-out since edges can only go to other edges in the same region; (iii) the fact that an SPDI is planar induces a degree of proximity which carries on to the topology of the region edge graph.
4
Compositional Analysis
Some of the properties of the controllability kernels given in the previous section turn out to have other applications in the reachability algorithm, besides the optimization of the search state-space. Indeed, such kernels can be used to decompose an SPDI in independent parallel reachability questions. In this section we present lower and upper bounds for the number of such independent questions and we give a compositional parallel algorithm for reachability analysis of SPDIs.
4.1 SPDI Decomposition In this section, we propose how, given an SPDI and a reachability question, we can use a controllability kernel to decompose the reachability question into two smaller and independent reachability questions. The following theorem states that if the source and destination edgelists lie on opposite sides of a controllability kernel, then we can try (i) to reach the related viability kernel from the source edgelist, and (ii) to reach the destination from the controllability kernel. The original reachability question can be answered affirmatively if and only if both these questions are answered affirmatively. 29
Theorem 12 Given an SPDI S, two edgelists I and I ′ and a controllability S\Cout S kernel C, then if I ⊆ Cin and I ′ ⊆ Cout , then I −→ I ′ if and only if I −→ S\Cin S C + ∧ C −→ I ′ . Similarly, if I ⊆ Cout and I ′ ⊆ Cin , then I −→ I ′ if and only S\Cin S\Cout if I −→ C + ∧ C −→ I ′ . Proof: Without loss of generality, let I ⊆ Cin and I ′ ⊆ Cout . S\Cin
S\Cout
Soundness of decomposition: Let us assume that I −→ C + and C −→ S\Cin I ′ . From I −→ C + we can conclude that there are partial edges e0 ⊆ I and em ⊆ C + , and a path σ in (S \ Cout ), such that e0 σem is a feasible path. S\Cout
Similarly, from C −→ I ′ we can conclude that there are partial edges em′ ⊆ C and ef ⊆ I ′ , and a path σ ′ in (S \ Cin ), such that em′ σ ′ ef is a feasible path. However, since em′ is in a controllability kernel, and em is in the related viability kernel, then by Corollary 1, there exists a feasible path em σ ′′ em′ in S. Therefore, e0 σem σ ′′ em′ σ ′ ef is a feasible path in S. Since S e0 ⊆ I and ef ⊆ I ′ , we can conclude that I −→ I ′ . S Completeness of decomposition: Conversely, let us assume that I −→ I ′ . Then, there must be edges e0 ⊆ I and ef ⊆ I ′ such that e0 σef is feasible in S. By the Jordan curve theorem [13], the trajectory must cross Cntrl (Kσ ) or Cntru (Kσ ) at least once, meaning that there exists a partial edge em in the controllability kernel C such that e0 σ1 em σ2 ef is feasible. But every sub-path of a feasible path is itself feasible, meaning that both e0 σ1 em and em σ2 ef are S S feasible in S, implying that I −→ C + and C −→ I ′ . Consider the feasible path e0 σ1 em . Recall that I ⊆ Cin , and that e0 ⊆ I, hence e0 ⊆ Cin . Assume that σ1 contains some edges in Cout , and let f be the first such edge. The path is thus: e0 σa f σb em . Since f is the first edge inside the kernel, it follows that the last element of σa is outside the kernel. Using Proposition 3, it follows that there exists a point p on the kernel reachable from the last element of σa . We have thus obtained a shorter discrete path e0 σa p which is S\Cin feasible and no point of which lies inside the kernel. Therefore, I −→ C + . S\Cout 2 Similarly, we can prove that C −→ I ′ . 4.2 Unavoidable Kernels Unavoidable kernels are defined geometrically to be kernels which a straight line from the source interval to the destination interval ‘intersects’ an odd number of times. We call the kernel unavoidable since it can be proved that any path from the source to the destination will have to pass through the kernel. Definition 24 Given an SPDI S and two edgelists I and I ′ , we say that a 30
controllability kernel Cntr(Kσ ) is unavoidable if any segment of line with extremes on points lying on I and I ′ intersects with both the edges of Cntrl (Kσ ) and those of Cntru (Kσ ) an odd number of times (disregarding tangential intersections with vertices).
Notice that ‘intersection’ between a segment of line and the controllability kernel has a mathematical meaning, by checking the usual equation relating the segment of line and the polygon Cntrl (Kσ ) (or Cntru (Kσ )). So, the expression ‘an odd number of times’ means that a tangent is counted twice –it corresponds to a double solution. The following theorem gives a characterization of unavoidable kernels, enabling us to discover separating controllability kernels using a simple geometric test. Theorem 13 Given an SPDI S, two edgelists I and I ′ , and a controllability kernel C = Cntr(Kσ ), then C is an unavoidable kernel if and only if one of the following conditions holds (i) I ⊆ Cin and I ′ ⊆ Cout ; or (ii) I ⊆ Cout and I ′ ⊆ Cin .
Proof: This theorem is a standard geometrical technique frequently used in computer graphics [12] (referred to as the odd-even parity test). 2 The following result, relating unavoidable kernels, will be useful to prove the main theorem on the decomposition of a reachability question into independent ones. Proposition 10 Given two disjoint controllability kernels C and C ′ , both unavoidable from I to I ′ , then either C ′ is unavoidable from I to C or C ′ is unavoidable from C to I ′ , but not both.
Proof: This follows directly from definition of unavoidable kernel, the disjointness assumption and Theorem 13. 2 Intuitively, the above proposition states that two disjoint unavoidable kernels satisfying the assumption can only appear in an SPDI following one of the patterns (and the symmetric cases) shown in Fig. 7. In the picture we have abstracted away from the SPDI; the polygons depicted represent the unavoidable kernels. 31
I’ C I’ I
C
I
C’
C’
(a)
(b)
Fig. 7. Relating two unavoidable kernels (Proposition 10)
4.3 Counting Sub-Problems The following theorem bounds the number of times a reachability question may be decomposed into independent sub-questions using Theorem 12. We will consider a collection of mutually disjoint controllability kernels. S
Theorem 14 Given an SPDI S and two edgelists I and I ′ , the question I −→ I ′ can be split into no more than k reachability questions, k is the number of mutually-disjoint controllability kernels. Proof: We note that whenever we decompose an SPDI, the source and destination intervals are always within the sub-SPDI under consideration. S
Now consider a reachability question I −→ I ′ , and a controllability kernel C upon which we can branch. Without loss of generality, we assume I ⊆ Cin and S\Cin I ′ ⊆ Cout . The question is thus decomposed into two questions: I −→ C + S\Cout (question a) and C −→ I ′ (question b). Now consider another controllability kernel C ′ . We now have two possible cases: (i) C ′ ⊆ Cin ; (ii) C ′ ⊆ Cout . Note that by the Jordan curve theorem, C ′ cannot be partially in and partially out of C without intersecting C. In the first case (i), we note that since all edges in S \ Cout lie outside or inside C ′ , this new kernel cannot be used to split question (b) or any question derived from it. Therefore, C ′ can only induce a split in question (a). Case (ii), is the mirror case and the argument follows identically. Therefore, each controllability kernel can contribute at one extra process, bounding the number of reachability questions to k. 2 We now give a lower bound on the number of independent questions induced by Theorem 12 in terms of the number of mutually-disjoint unavoidable con32
I’’
I’
I’ I’’’
C3
C3
I’’
I
I C1
C1
C2
C2
(a)
(b)
Fig. 8. Unavoidable kernels and independent reachability questions
trollability kernels. S
Theorem 15 Given an SPDI S and two edgelists I and I ′ , the question I −→ I ′ can be split into at least u + 1 reachability questions, u is the number of mutually-disjoint unavoidable controllability kernels. Proof: We prove this by induction on the number of mutually-disjoint unavoidable controllability kernels. With u = 0, the number of questions is clearly at least u + 1. S
Now consider the unavoidable controllability kernel C, and the question I −→ I ′ . By Theorem 13, it follows that I and I ′ are on opposite sides of C. The S\Cin reachability question can be thus decomposed to I −→ C + (question a) and S\Cout
C −→ I ′ (question b) by Theorem 12. Also, by Proposition 10, we known that any other unavoidable controllability kernel C ′ from I to I ′ , is also an unavoidable controllability kernel from either I to C or from C to I ′ (but not both). In both cases we obtain a decomposition of the reachability question S\Cout
S\C ′
S\Cin
S\C ′
out into I −→ C and C −→ C ′ (or, I −→ C ′ and C ′ −→in C). Splitting the kernels into the relevant ones to the two questions (u1 kernels relevant to question a and u2 relevant to question b — u = u1 + u2 + 1), we can conclude that the number of questions we get is (u1 + 1) + (u2 + 1) which is u + 1. 2
We have thus given lower and upper bounds on the the number of independent questions generated by applying Theorem 12 over a number of mutually disjoint unavoidable controllability kernels. The results may be extended to work with overlapping kernels. Example 14 Let us consider again the SPDI defined in Example 1 and the 33
function ReachPar(S, I, I ′ ) = ReachParKernels (S, ControllabilityKernels(S), I, I ′ ) function ReachParKernels(S, [], I, I ′ ) = Reach(S, I, I ′ ); function ReachParKernels(S, k:ks, I, I ′ ) = if (ImmedieteAnswer(S, I, I ′ )) then True; elsif (SameSideOfKernel(S, k, I, I ′ )) then S_I := S \ EdgesOnOtherSideOf(S, k, I ′ ); ReachParKernels(S_I, ks, I, I ′ ); else S_I := S \ EdgesOnOtherSideOf(S, k, I); S_I’ := S \ EdgesOnOtherSideOf(S k, I ′ ); parbegin r1 := ReachParKernels(S_I, ks, I, viability(k)); r2 := ReachParKernels(S_I’, ks, k, I ′ ); parend; return (r1 and r2); Fig. 9. Parallel algorithm for reachability of SPDIs.
same intervals I and I ′ . In Fig. 8-(a) we show the unavoidable kernels. The segment of line from I to I ′ traverses C1 and C2 twice and C3 exactly once (an odd number of times). Thus, only C3 is an unavoidable kernel. The reachability S\C3in
question can be split into at least 2 independent questions: I −→ I ′′ and S\C3out I ′′ −→ I ′ . As another example let us consider I and I ′ as in Fig. 8-(b). The segment of line from I to I ′ traverses C1 and C3 exactly once (an odd number of times), while C2 is traversed twice. Thus, there are two unavoidable kernels, namely C1 and C3 . In this case the reachability question can be split into at least 3 S\C1out S\(C1in ∪C3in ) ′′′ S\C3out independent questions: I −→ I ′′ , I ′′ −→ I , and I ′′′ −→ I ′ .
4.4 Parallel Reachability Algorithm In Fig. 9 we give an algorithm for parallel reachability analysis of SPDIs using parallel recursive calls corresponding to independent reachability questions. The function ReachParKernels is called with the SPDI to consider, a list of kernels still to be used for reduction, and the source and destination edgelists. With no kernels to consider, the algorithm simply calls the standard sequential algorithm (Reach). Otherwise, one of the kernels is analyzed, with three 34
possible cases: (1) If the source lies (possibly partially) on the extended kernel, and the destination lies (possibly partially) on the kernel, then we can give an immediate answer (using Theorem 9). (2) If both the edgelists lie on the same side of the kernel, then we simply eliminate redundant parts of the SPDI — anything on the other side of the kernel (Theorem 8). (3) Otherwise, if the kernels both lie on opposite sides of the kernel, we can split the problem into two independent questions (reaching the kernel from the source, and the destination from the kernel) which can be run in parallel (Theorem 12). An affirmative answer from both these subquestions is equivalent to an affirmative answer to the original question. Note that the function ReachParKernels is compositional since each recursive call launches a process which operates in (most cases in) disjoint state spaces which are smaller than the original one (S). The final answer is the composition of the partial reachability questions. S
Given two edgelists I and I ′ , we define the following predicate I −→k I ′ ≡ ReachPar(S, I, I ′ ). The following theorem states that the (compositional) parallel algorithm exactly answers the reachability question, also giving a soundness and completeness proof of the algorithm: S
Theorem 16 Given an SPDI S and two intervals I ⊆ e and I ′ ⊆ e′ , I −→ I ′ S if and only if I −→k I ′ . Proof: The proof follows from Theorems 8, 9 and 12 and induction on ks. 2
4.5 Complexity As noted earlier, the complexity of the model checking algorithm is at least doubly exponential. By splitting the state space into two, except in degenerate cases, one clearly gains much in model checking the sub-graphs separately. The question is to quantify the effort required to decompose the graph into parts. Consider an SPDI with n region edges. Recall from section 3.4 that the largest number of possible semi-separatrices and kernels in an SPDI is factorial on the number of edges of regions and that checking whether an edge lies within a kernel can be calculated with complexity linear in the number of sides making up the polygon representing the kernel (which cannot exceed n). Given a source and destination edge, and a controllability kernel, we can check 35
Fig. 10. Approximating differential equations x˙ = y and y˙ = − MkyR2 − different partitions of the plane.
g sin(x) R
using
whether the kernel is unavoidable by checking whether the edges lie on opposing sides of the kernel, with a complexity of O(n). If it is an unavoidable kernel, one has to calculate on which side of the kernel each edge lies on, taking O(n2 ). Using the algorithm presented in section 2.5, we would then need to launch processes checking whether from the source edge, one can reach any of the edges of the polygon outlining the kernel, and similarly processes checking whether the outline (on the other side) of the kernel can reach the destination edge. Since the way this algorithm can handle checking edgelist source and destination is by running each instance separately, this corresponds to O(n) reachability questions (all with a smaller state space). In total, the processing of a kernel requires O(n2 ), and the resulting model-checking requiring O(n) reachability analysis instances. Another alternative is to use the algorithm presented in [21], which can analyze reachability questions with multiple source and/or destination edgelists more effectively.
5
Concluding Remarks
We have given an overview of and combined recent results on the optimization of SPDI reachability analysis. Using semi-separatrices and kernels, we presented techniques to improve reachability analysis on SPDIs. In all cases, the techniques require the identification and analysis of cycles in the SPDI. We note that most of this information is still required in reachability analysis, and thus no extra work is required to perform the optimization presented in this paper. We have also shown how answering reachability on an SPDI can be reduced to a number of smaller reachability questions. These two techniques can be combined together applying the reduction techniques globally (on the 36
whole SPDI) or locally on the decomposed SPDIs. Since all the results reduce a given reachability question into a number of simpler reachability questions, they can be applied independently of each other. Our work is obviously restricted to planar systems, which enables us to compute these kernels exactly. In higher dimensions and hybrid systems with higher complexity, calculation of kernels is not computable. Other works are thus based on calculations of approximations of these kernels (e.g., [10,9,24]). We are not aware of any work using kernels and semi-separatrices to reduce the state-space of the reachability graph as presented in this paper. The restrictions inherent in the SPDI model make it very difficult to reason about real-life examples, and the applications of SPDIs may seem rather theoretical in nature. Unfortunately, extending the model in most ways, such as allowing jumps with resets (from one edge to another remote one), increasing the number of dimensions and allowing non-linear differential inclusions make the model undecidable with respect to reachability [19,4]. However, a potentially interesting and useful application of SPDIs is the approximation and analysis of two-dimensional non-linear differential equations by splitting the plane into polygons and setting the dynamics of each polygon to be over-approximations of the non-linear differential equation (see Fig. 10). Using more, and smaller polygons enables more precise approximations. The problem with using this approach, is that for most differential equations, using a fixed partition will lead to breaking the goodness assumption since some edges of regions will lie within the differential inclusion. We are currently working on techniques to model check SPDIs without the goodness assumption. Most of the reduction and decomposition techniques presented in this paper do not depend on the goodness assumption, and would thus be directly applicable to the approximation of differential equations. The use of reduction and decomposition techniques presented in this paper will be invaluable to enable fine-grained analysis of differential equations.
References [1] R. Alur and D.L. Dill. A theory of timed automata. Theoretical Computer Science, 126:183–235, 1994. [2] E. Asarin, G. Pace, G. Schneider, and S. Yovine. SPeeDI: a verification tool for polygonal hybrid systems. In CAV’2002, volume 2404 of LNCS, 2002. [3] E. Asarin, G. Pace, G. Schneider, and S. Yovine. Algorithmic Analysis of Polygonal Hybrid Systems. Part II: Phase Portrait and Tools. Theoretical Computer Science, 390(1):1–26, January 2008.
37
[4] E. Asarin and G. Schneider. Widening the boundary between decidable and undecidable hybrid systems. In CONCUR’2002, volume 2421 of LNCS, 2002. [5] E. Asarin, G. Schneider, and S. Yovine. On the decidability of the reachability problem for planar differential inclusions. In HSCC’2001, number 2034 in LNCS, pages 89–104, 2001. [6] E. Asarin, G. Schneider, and S. Yovine. Towards computing phase portraits of polygonal differential inclusions. In HSCC’02, volume LNCS 2289, 2002. [7] E. Asarin, G. Schneider, and S. Yovine. Algorithmic Analysis of Polygonal Hybrid Systems. Part I: Reachability. Theoretical Computer Science, 379(12):231–265, 2007. [8] J.-P. Aubin. The substratum of impulse and hybrid control systems. HSCC’01, volume 2034 of LNCS, pages 105–118. Springer, 2001.
In
[9] J.-P. Aubin, J. Lygeros, M. Quincampoix, S. Sastry, and N. Seube. Towards a viability theory for hybrid systems. In European Control Conference, 2001. [10] J.-P. Aubin, J. Lygeros, M. Quincampoix, S. Sastry, and N. Seube. Viability and invariance kernels of impulse differential inclusions. In Conference on Decision and Control, volume 40 of IEEE, pages 340–345, December 2001. [11] A. Deshpande and P. Varaiya. Viable control of hybrid systems. In Hybrid Systems II, number 999 in LNCS, pages 128–147, 1995. [12] J.D. Foley, A. van Dam, S.K. Feiner, and J.F. Hughes. Computer graphics (2nd ed. in C): principles and practice. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1996. [13] M. Henle. A combinatorial introduction to topology. Dover publications, Inc., 1979. [14] T.A. Henzinger, P.W. Kopke, A. Puri, and P. Varaiya. What’s decidable about hybrid automata? In STOC’95, pages 373–382. ACM Press, 1995. [15] M.W. Hirsch and S. Smale. Differential Equations, Dynamical Systems and Linear Algebra. Academic Press Inc., 1974. [16] G. Lafferriere, G. Pappas, and S. Yovine. Symbolic reachability computation of families of linear vector fields. Journal of Symbolic Computation, 32(3):231–253, September 2001. [17] O. Maler and A. Pnueli. Reachability analysis of planar multi-linear systems. In CAV’93, pages 194–209. LNCS 697, Springer Verlag, July 1993. [18] A. Matveev and A. Savkin. Qualitative theory of hybrid dynamical systems. Birkh¨auser Boston, 2000. [19] V. Mysore and A. Pnueli. Refining the undecidability frontier of hybrid automata. In FSTTCS, volume 3821 of LNCS. Springer-Verlag, 2005. [20] G. Pace and G. Schneider. SPeeDI+ . http:\\www.cs.um.edu.mt\speedi.
38
[21] G. Pace and G. Schneider. Model checking polygonal differential inclusions using invariance kernels. In VMCAI’04, number 2937 in LNCS, pages 110–121. Springer Verlag, December 2003. [22] G. Pace and G. Schneider. Compositional algorithm for parallel model checking of polygonal hybrid systems. In 3rd International Colloquium on Theoretical Aspects of Computing (ICTAC’06), volume 4281 of LNCS. Springer-Verlag, 2006. [23] G. Pace and G. Schneider. Static analysis for state-space reduction of polygonal hybrid systems. In Formal Modelling and Analysis of Timed Systems (FORMATS’06), volume 4202 of LNCS. Springer-Verlag, 2006. [24] P. Saint-Pierre. Hybrid kernels and capture basins for impulse constrained systems. In HSCC’02, volume 2289 of LNCS. Springer-Verlag, 2002. [25] G. Schneider. Algorithmic Analysis of Polygonal Hybrid Systems. PhD thesis, VERIMAG – UJF, Grenoble, France, July 2002. [26] G. Schneider. Computing invariance kernels of polygonal hybrid systems. Nordic Journal of Computing, 11(2):194–210, 2004. [27] S. Simi´c, K. Johansson, S. Sastry, and J. Lygeros. Towards a geometric theory of hybrid systems. In HSCC’00, number 1790 in LNCS, 2000.
39