Analytical Validation Tools for Safety Critical Systems

NASA NRA, 2008-11 (TM: Dr. Christine Belcastro)
Participants
  Univ of Minnesota: Gary Balas
  UC Berkeley: Andy Packard
  Barron Associates: Alec Bateman

Our Perspective
Linear analysis: provides a quick answer to a related, but different question:
  Q: How much gain and time-delay variation can be accommodated without undue performance degradation?
  A: (answers a different question) Here’s a scatter plot of margins at 1000 trim conditions throughout envelope
Why does linear analysis have impact in nonlinear problems?
  – Domain-specific expertise exists to interpret linear analysis and assess relevance
  – Speed, scalable: Fast, defensible answers on high-dimensional systems
Here’s a scatter plot of guaranteed region-of-attraction estimates, in the presence of 40% unmodeled dynamics at plant input, and 3 parametric variations, at 1000 trim conditions throughout the envelope
Extend validity of the linearized analysis
  Infinitesimal → local (with certified estimates)
  Address uncertainty

Overview
Numerical tools to quantify/certify dynamic behavior
  Locally, near equilibrium points
Analysis considered
  Region-of-attraction, input/output gain, reachability, establishing local IQCs
Methodology
  Enforce Lyapunov/Dissipation inequalities locally, on sublevel sets
  Set containments via S-procedure and SOS constraints
  Bilinear semidefinite programs “always” feasible
  Simulation aids nonconvex proof/certificate search
Address model uncertainty
  Parametric Uncertainty
    – Parameter-independent Lyapunov/Storage Fcn
    – Branch-&-Bound
  Dynamic Uncertainty
    – Local small-gain theorems

Nonlinear Analysis
Autonomous dynamics
  – equilibrium point
  – uncertain initial condition,
  – Question: do all solutions converge to
Driven dynamics
  – equilibrium point
  – uncertain inputs, ,
  – Question: how large can get?
Uncertain dynamics
  – Unknown, constant parameters,
  – Unmodeled dynamics
  – Same questions…

Region-of-Attraction and Reachability
Dynamics, equilibrium point
By choice of positive-definite V, maximize so that:
p: Analyst-defined function whose (well-understood) sublevel sets are to be in region-of-attraction
Given a differential equation and a positive definite function p, how large can get, knowing
Conditions on
Conclusion on ODE

Solution Approach
1. Sum-of-squares to (conservatively) enforce nonnegativity
2. Easy (semidefinite program) to check if a given polynomial is SOS
3. S-procedure to (conservatively) enforce set containment
4. Apply S-procedure to Analysis conditions. For (e.g.) reachability, minimize β (by choice of s_i and V) such that
5. SDP iteration: Initialize V, then
   a) Optimize objective by changing S-procedure multipliers
   b) Optimize objective by changing V
   c) Iterate on (a) and (b)
6. Initialization of V is important for the iteration to work
   a) Simulation of system dynamics yields convex constraints which contain all feasible Lyapunov function candidates. This set can be sampled to initialize V

Quantitative improvement on linearized analysis
Consider dynamics
These SOS/S-procedure formulations are always feasible using quadratic V
where matrix A is Hurwitz, and
  – function f23 consists of 2nd and 3rd degree polynomials, f23(0)=0
A nonempty region-of-attraction is certified
Consider dynamics
For some R>0,
where matrix A is Hurwitz, and
  – f2, g2, h2 quadratic, f3 cubic
  – with f2(0,0)=f3(0)=h2(0)=0, and
Consider dynamics
For some R>0,
where matrix A is Hurwitz, and
  – functions b bilinear, q quadratic

Sum-of-Squares
Sum-of-squares (SOS) decompositions (Parrilo)
  – certify nonnegativity, and
  – (with S-procedure) certify set containment conditions
A polynomial f, in n real-variables is SOS if it can be expressed as a sum-of-squares of other polys,
SDP decides SOS: For f with degree 2d
Each Mi is s×s, where

(s, q) dependence on n and 2d

   n      2d=2          2d=4           2d=6             2d=8
          s    q        s    q         s     q          s      q
   2      3    0        6    6         10    27         15     75
   3      4    0        10   20        20    126        35     465
   4      5    0        15   50        35    420        70     1990
   6      7    0        28   196       84    2646       210    19152
   8      9    0        45   540       165   10692      495    109890
   10     11   0        66   1210      286   33033      1001   457743
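The Gram-matrix view of an SOS certificate, as an added example that is not part of the original slides: a polynomial f is certified nonnegative by a symmetric positive-semidefinite Q with z^T Q z = f, where z is the vector of monomials. The closed forms used for s and q are the standard monomial counts, not quoted from the slide, and they reproduce the table entries above; all function names and the sample polynomial are constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations_with_replacement
from math import comb

def gram_sizes(n, two_d):
    """(s, q): Gram matrix side length and free parameters in the Gram family."""
    d = two_d // 2
    s = comb(n + d, d)  # number of monomials of degree <= d in n variables
    return s, s * (s + 1) // 2 - comb(n + two_d, two_d)

def monomials(n, d):
    """Exponent tuples of every monomial in n variables with degree <= d."""
    return [tuple(pick.count(i) for i in range(n))
            for deg in range(d + 1)
            for pick in combinations_with_replacement(range(n), deg)]

def expand(Q, z):
    """Coefficients of z^T Q z, keyed by exponent tuple."""
    poly = {}
    for i, zi in enumerate(z):
        for j, zj in enumerate(z):
            e = tuple(a + b for a, b in zip(zi, zj))
            poly[e] = poly.get(e, 0) + Fraction(Q[i][j])
    return {e: c for e, c in poly.items() if c != 0}

def is_psd(Q):
    """Exact PSD test over the rationals via successive Schur complements."""
    A = [[Fraction(x) for x in row] for row in Q]
    for k in range(len(A)):
        # A negative pivot, or a zero pivot with a nonzero row, rules out PSD.
        if A[k][k] < 0 or (A[k][k] == 0 and any(A[k][k + 1:])):
            return False
        if A[k][k] == 0:
            continue
        for i in range(k + 1, len(A)):
            f = A[i][k] / A[k][k]
            A[i] = A[i][:k + 1] + [a - f * b for a, b in zip(A[i][k + 1:], A[k][k + 1:])]
    return True

def verify_sos_certificate(f, Q, z):
    """True only if Q is square, symmetric, PSD, and z^T Q z equals f exactly."""
    square = len(Q) == len(z) and all(len(row) == len(z) for row in Q)
    symmetric = square and all(Q[i][j] == Q[j][i] for i in range(len(z)) for j in range(i))
    return symmetric and expand(Q, z) == f and is_psd(Q)

# Constructed sample: f = 2x^4 + 2x^3y - x^2y^2 + 5y^4 over z = (x^2, xy, y^2)
F = {(4, 0): 2, (3, 1): 2, (2, 2): -1, (0, 4): 5}
Z = monomials(2, 2)[3:]                      # f is homogeneous: degree-2 monomials only
Q_GOOD = [[2, 1, -3], [1, 5, 0], [-3, 0, 5]]  # PSD: a valid certificate
Q_BAD = [[2, 1, 0], [1, -1, 0], [0, 0, 5]]    # represents the same f, but is not PSD
```

Both matrices expand to the same polynomial; only the PSD one is a proof of nonnegativity, which is why a certificate checker must test both conditions.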

Region-of-attraction: 4-state aircraft example
Aircraft: Short period longitudinal model, pitch axis, with 1-state linear controller
Eliminate parameter uncertainty
Simple form for shape factor:
  – Quadratic (βcert=8.6)
  – Fully quartic (quadratic + cubic + quartic)
    • βcert=15.3
Other approaches have deficiencies
  – Directly use commercial BMI solver (PENBMI)
    • βcert=15.2, but…
    • 6 hours…
discover divergent trajectories
Different Lyapunov function structures
  4000 simulations: 3 minutes
  Form LP/ConvexP: 0.5 minutes
  Get a feasible point: 1 minute
  Assess answer with V: 0.5 minutes
  SDP Iterate from V: 0.5 min/iteration, 10 iters
  TOTAL: 10 minutes
[Figure: disk in 4-d state space, centered at equilibrium point; divergent initial condition; certified set of convergent initial conditions]

4-state aircraft example w/uncertainty
Aircraft: Short period longitudinal model, pitch axis, with 1-state linear controller
Not-uncertain results
Same form for shape factor:
9-processor Branch-&-Bound
  – Divide worst region into 9
  – Quadratic (βcert=8.6)
  – Fully quartic (βcert=15.3)
  – Divergent IC,

Unmodeled dynamics: Local small-gain theorem
Local induced gain constraint (≤ 1) on
[Block diagram: Δ, M]
Implies: Starting from x(0)=0, for all Δ causal, globally stable,
also satisfies DIE
This gives:

4-state aircraft example w/uncertainty
[Block diagram: Δ, .75, C, 1.25, Pδ]
Results

              Nominal        with δM, δCG
  Nominal     8.6 (15.3)     5.1 (7.5)
  with Δ      4.2 (6.7)      2.4 (4.1)

Adaptive System: reachability example analysis
Model-reference adaptive systems
[Block diagram: r, Reference model, Adaptive control, plant, e]
Quadratic vector field, marginally stable linearization
Example: 2-state P, 2-state ref. model, 3 adaptive parameters
  – Insert additional disturbance (d)
  – Bound worst-case effect of external signals (r, d) on tracking error (e)
    • Initial conditions:
Reachability analysis certifies that for all (r, d) with then for all t,
There are particular r and d satisfying causing e to achieve at some time t.
[Plot axes: E1, E2]

Wrapup/Perspective
Proofs of behavior with certificates
Extensive simulation and linearized analysis
Tools that handle (cubic, in x, vector field)
  • 15 states, 3 parameters, unmodeled dynamics, analyze with ∂(V)=2
  • 7 states, 3 parameters, unmodeled dynamics, analyze with ∂(V)=4
  • Certified answers, however, not clear that these are appropriate for design choices
Sproc/SOS/DIE more quantitative than linearization
  – Linearized analysis: quadratic storage functions, infinitesimal sublevel sets
  – SOS/S-procedure always works
Work to scale up to large, complex systems analysis (e.g., adaptive flight controls) where “certificates” are desired.