Hybrid Control and Switched Systems, Lecture #6: Reachability
João P. Hespanha, University of California at Santa Barbara
Summary
Review of previous lecture
Reachability
• transition systems
• reachability algorithm
• backward reachability algorithm
• invariance algorithm
• controller design based on backward reachability
Sequence properties (signals)
$X_{\rm sig}$ ≡ set of all piecewise continuous signals $x: [0,T) \to \mathbb{R}^n$, $T \in (0,\infty]$
$Q_{\rm sig}$ ≡ set of all piecewise constant signals $q: [0,T) \to Q$, $T \in (0,\infty]$
Sequence property ≡ $p: Q_{\rm sig} \times X_{\rm sig} \to \{\text{false}, \text{true}\}$
A pair of signals $(q,x) \in Q_{\rm sig} \times X_{\rm sig}$ satisfies $p$ if $p(q,x) = \text{true}$.
A hybrid automaton $H$ satisfies $p$ (write $H \models p$) if $p(q,x) = \text{true}$ for every solution $(q,x)$ of $H$.
Sequence analysis ≡ given a hybrid automaton $H$ and a sequence property $p$, show that $H \models p$. When this is not the case, find a witness $(q,x) \in Q_{\rm sig} \times X_{\rm sig}$ such that $p(q,x) = \text{false}$ (in general for solutions starting in a given set of initial states $H_0 \subset Q \times \mathbb{R}^n$).
Example #1: Bouncing ball
[figure: bouncing-ball automaton with jump condition $x_1 \le 0 \ \&\ x_2 < 0$ ? and reset $x_2 := -c\,x_2$; plot of $x_2$ against $t$]
Assuming that $x_1(0) \ge 0$, the hybrid automaton satisfies:
$\Box\{x_1 \ge 0\}$ (short for $(\Box\{x_1(t) \ge 0\})(0)$)
$\Diamond\{x_1 = 0\}$
$\Box\Diamond\{x_1 = 0\}$
$\Diamond\Box\{x_1 < 1\}$
where
$(\Box p)(t_0) \Leftrightarrow \forall t \ge t_0,\ p(t)$
$(\Diamond p)(t_0) \Leftrightarrow \exists t \ge t_0,\ p(t)$
$(\Box\Diamond p)(t_0) \Leftrightarrow \forall t_1 \ge t_0,\ \exists t \ge t_1,\ p(t)$
$(\Diamond\Box p)(t_0) \Leftrightarrow \exists t_1 \ge t_0,\ \forall t \ge t_1,\ p(t)$
Safety properties
Given a signal $x: [0,T) \to \mathbb{R}^n$, $T \in (0,\infty]$, a signal $x^*: [0,T^*) \to \mathbb{R}^n$ is called a prefix to $x$ if $T^* \le T$ and $x^*(t) = x(t)\ \forall t \in [0,T^*)$.
Safety property ≡ a sequence property $p$ that is:
1. nonempty, i.e., $\exists (q,x)$ such that $p(q,x) = \text{true}$
2. prefix closed, i.e., given signals $(q,x)$, $p(q,x) \Rightarrow p(q^*,x^*)$ for every prefix $(q^*,x^*)$ to $(q,x)$
3. limit closed, i.e., given an infinite sequence of signals $(q_1,x_1), (q_2,x_2), (q_3,x_3), \dots$, each element satisfying $p$ and such that $(q_k,x_k)$ is a prefix to $(q_{k+1},x_{k+1})$ $\forall k$, then $(q,x) = \lim_{k \to \infty} (q_k,x_k)$ also satisfies $p$
“Something bad never happens”:
1. nontrivial
2. a prefix to a good signal is always good
3. if something bad happens, it will happen in finite time
Examples
E.g., $p(q,x) = \Box\,(q(t),x(t)) \in F$, where $F \subset Q \times \mathbb{R}^n$ is a nonempty set.
[figure: two signals plotted against the set $F$; $x_1$ satisfies $p$, $x_2$ does not]
This is a safety property: nonempty, prefix closed, limit closed.
Other safety properties:
$p(q,x) = x(t) \ge 0\ \forall t$ (closed $F$)
$p(q,x) = x(t) > 0\ \forall t$ (open $F$)
Nonsafety property: $p(q,x) = \inf_t x(t) > 0$ (not of the form above; not limit closed. Why?)
Liveness properties
Given a signal $x: [0,T) \to \mathbb{R}^n$, $T \in (0,\infty]$, a signal $x^*: [0,T^*) \to \mathbb{R}^n$ is called a prefix to $x$ if $T^* \le T$ and $x^*(t) = x(t)\ \forall t \in [0,T^*)$.
Liveness property ≡ a sequence property $p$ with the property that for every finite $(q^*,x^*) \in Q_{\rm sig} \times X_{\rm sig}$ there is some $(q,x) \in Q_{\rm sig} \times X_{\rm sig}$ such that:
1. $(q^*,x^*)$ is a prefix to $(q,x)$
2. $(q,x)$ satisfies $p$
“Something good can eventually happen”: for any sequence there is a good continuation.
E.g., with $F \subset Q \times \mathbb{R}^n$ a nonempty set:
$p(q,x) = \Diamond\,(q(t),x(t)) \in F$
$p(q,x) = \Box\Diamond\,(q(t),x(t)) \in F$ (always, eventually: $\forall t_1 \ge t_0,\ \exists t \ge t_1$)
$p(q,x) = \Diamond\Box\,(q(t),x(t)) \in F$ (eventually, always: $\exists t_1 \ge t_0,\ \forall t \ge t_1$)
$p(q,x) = \exists L > 0\ \Box\,\|x\| < L$
$p(q,x) = \forall \epsilon > 0\ \Diamond\Box\,\|x\| < \epsilon$ (what does it mean?)
Very rich class, more difficult to verify.
Completeness of liveness/safety
Theorem 1: If $p$ is both a liveness and a safety property then every $(q,x) \in Q_{\rm sig} \times X_{\rm sig}$ satisfies $p$, i.e., $p$ is always true (trivial property).
Theorem 2: For every nonempty (not always false) sequence property $p$ there is a safety property $p_1$ and a liveness property $p_2$ such that $(q,x)$ satisfies $p$ if and only if $(q,x)$ satisfies both $p_1$ and $p_2$.
Thus if we are able to verify safety and liveness properties we are able to verify any sequence property.
But sequence properties are not all we may be interested in… “Ensemble properties” ≡ properties of the whole family of solutions. E.g., stability (continuity with respect to initial conditions) is not a sequence property, because by looking at each solution $(q,x)$ individually we cannot decide if the system is stable. Much more on this later… Can one find sequence properties that guarantee that the system is stable or unstable?
Reachability
Given a hybrid automaton $H$ and a set of initial states $H_0 \subset Q \times \mathbb{R}^n$:
$\text{Reach}_H(H_0)$ ≡ set of pairs $(q_f,x_f) \in Q \times \mathbb{R}^n$ for which there is a solution $(q,x)$ to $H$ that
1. starts in $H_0$: $(q(t_0),x(t_0)) \in H_0$
2. passes through $(q_f,x_f)$: $\exists t \ge t_0 : (q(t),x(t)) = (q_f,x_f)$
[figure: $H_0$ and $\text{Reach}_H(H_0)$]
Reachability (cont.)
Invariant set ≡ set $S \subset Q \times \mathbb{R}^n$ for which $\text{Reach}_H(S) = S$.
[figure: an invariant set $S$]
Reachability vs. safety
$H$ satisfies a safety property $p(q,x) = \Box\,(q(t),x(t)) \in F$, where $F \subset Q \times \mathbb{R}^n$ is a nonempty set, if and only if $\text{Reach}_H(H_0) \subset F$ (every point in every trajectory starting in $H_0$ satisfies $p$).
[figure: $H_0 \subset \text{Reach}(H_0) \subset F$]
Reachability vs. safety (cont.)
Over-approximation to the reach set ≡ any set $R_{\rm over}$ such that $\text{Reach}_H(H_0) \subset R_{\rm over}$.
To prove safety it is enough to show that $R_{\rm over} \subset F$ (every point in every trajectory starting in $H_0$ then satisfies $p$).
[figure: $H_0 \subset \text{Reach}(H_0) \subset R_{\rm over} \subset F$]
Are under-approximations useful to study reachability?
Transition system
Generalization of finite automaton, differential equations, hybrid automaton, etc.
$S$ ≡ set of states (finite or infinite)
$E$ ≡ alphabet of events (finite or infinite)
$T \subset S \times E \times S$ ≡ transition relation
Example: [figure: three-state graph with events $a$, $b$]
$S = \{1,2,3\}$, $E = \{a,b\}$, $T = \{(1,a,2), (2,b,1), (2,b,3), (3,a,1)\}$
Execution of a transition system ≡ sequence of states $\{s_0, s_1, s_2, \dots\}$ such that there exists a sequence of events $\{e_0, e_1, e_2, \dots\}$ for which $(s_i,e_i,s_{i+1}) \in T\ \forall i$.
Given a set of initial states $S_0 \subset S$:
$\text{Reach}_T(S_0)$ ≡ set of states $s \in S$ for which there is a finite execution that starts in $S_0$ and ends at $s$.
Transition systems
As far as reachability goes…
1. A finite automaton (deterministic or not) can be viewed as a transition system.
Finite automaton $M$: $Q = \{q_1, q_2, \dots, q_n\}$ ≡ finite set of states; $\Sigma = \{a, b, c, \dots\}$ ≡ finite set of input symbols (alphabet); $\Phi: Q \times \Sigma \to Q$ ≡ transition function.
Transition system $T$: $S = Q$ ≡ set of states (finite); $E = \Sigma$ ≡ alphabet of events (finite); $T = \{(s,e,\Phi(s,e)) : s \in Q,\ e \in \Sigma\}$ ≡ transition relation.
For a nondeterministic finite automaton: $T = \{(s,e,s') : s \in Q,\ e \in \Sigma,\ s' \in \Phi(s,e)\}$.
Same set of reachable states.
Transition systems (cont.)
As far as reachability goes…
2. A hybrid automaton can be viewed as a transition system.
Hybrid automaton $H$: $Q$ ≡ set of discrete states; $\mathbb{R}^n$ ≡ continuous state-space; $f: Q \times \mathbb{R}^n \to \mathbb{R}^n$ ≡ vector field; $\Phi: Q \times \mathbb{R}^n \to Q \times \mathbb{R}^n$ ≡ discrete transition (& reset map).
Transition system $T$: $S = Q \times \mathbb{R}^n$ ≡ set of states (infinite); $E = \{\tau\} \cup \{(q_i,q_j) : q_i, q_j \in Q\}$ ≡ alphabet of events, where $\tau$ is called the continuous evolution event and $(q_i,q_j)$ is called a jump event; $T \subset S \times E \times S$ ≡ transition relation, with
$((q_0,x_0), (q_0,q_f), (q_f,x_f)) \in T$ if $(q_f,x_f) = \Phi(q_0,x_0)$
$((q_0,x_0), \tau, (q_0,x_f)) \in T$ if $\exists t_f > 0$ such that there is a continuous evolution from $x_0$ to $x_f$ inside mode $q_0$ over a time interval of length $t_f$
The same $(q_0,x_0)$ and $\tau$ lead to many distinct elements in $T$ (flows modeled as nondeterminism).
Same set of reachable states.
Reachability algorithm:
initialization: $\text{Reach}_{-1} = \emptyset$, $\text{Reach}_0 = S_0$, $i = 0$
loop: while $\text{Reach}_i \ne \text{Reach}_{i-1}$ do
    $\text{Reach}_{i+1} = \text{Reach}_i \cup \{s' \in S : \exists s \in \text{Reach}_i,\ e \in E,\ (s,e,s') \in T\}$ (states one can transition to from $\text{Reach}_i$)
    $i = i+1$
Example: [figure: six-state transition system with events $a$, $b$]
$S_0 = \{3\}$: $\text{Reach}_1 = \{1,3,5,6\}$, $\text{Reach}_2 = \{1,2,3,5,6\}$, $\text{Reach}_3 = S$ (all six states), $\text{Reach}_4 = S$, so $\text{Reach}_T(\{3\}) = S$
$S_0 = \{2\}$: $\text{Reach}_1 = \{2,4,5\}$, $\text{Reach}_2 = \{2,4,5\}$, so $\text{Reach}_T(\{2\}) = \{2,4,5\}$
Theorem: If $S$ is finite then (i) the reachability algorithm finishes in a finite number of steps and (ii) upon exiting the while-loop $\text{Reach}_i = \text{Reach}_T(S_0)$.
Why?
(i) In each iteration the number of elements in $\text{Reach}_i$ increases by at least 1. Since it can have at most as many elements as $S$, there can only be as many iterations as the number of elements in $S$ (minus the number of elements in $S_0$).
(ii) $\text{Reach}_i$ ≡ the set of states that can be reached in at most $i$ steps, thus any state that can be reached in a finite number of steps must be in one of the $\text{Reach}_i$.
Reachability algorithm for hybrid automata:
initialization: $\text{Reach}_{-1} = \emptyset$, $\text{Reach}_0 = S_0$, $i = 0$
loop: while $\text{Reach}_i \ne \text{Reach}_{i-1}$ do
    $\text{Reach}_{i+1} = \text{Reach}_i \cup \{s' \in S : \exists s \in \text{Reach}_i,\ e \in E,\ (s,e,s') \in T\}$ (states one can transition to from $\text{Reach}_i$)
    $i = i+1$
Two difficulties with hybrid automata:
1. the set of states $S = Q \times \mathbb{R}^n$ is not finite (the algorithm may not terminate)
2. in the while loop, $\text{Reach}_{i+1} = \text{Reach}_i \cup S_1 \cup S_2$, where the computation of
$S_1 = \{s' \in S : \exists s \in \text{Reach}_i,\ e = (q_i,q_j) \in E,\ (s,e,s') \in T\} = \{(q_f,x_f) \in S : \exists (q_0,x_0) \in \text{Reach}_i,\ (q_f,x_f) = \Phi(q_0,x_0)\} = \Phi(\text{Reach}_i)$
is simple, but
$S_2 = \{s' \in S : \exists s \in \text{Reach}_i,\ e = \tau,\ (s,e,s') \in T\} = \{(q_0,x_f) \in S : \exists (q_0,x_0) \in \text{Reach}_i$, “there is a continuous evolution from $x_0$ to $x_f$ inside mode $q_0$”$\}$
is not (in general).
Example #5: Tank system
Goal ≡ prevent the tank from emptying or filling up.
$\lambda = 3$ ≡ pump-on inflow; $\mu = 1$ ≡ constant outflow; $\delta = .5$ ≡ delay between the time a command is sent to the pump and the time it is executed; $y$ ≡ level in the tank. [figure: tank with inflow $\lambda$, outflow $\mu$ and level $y$]
Hybrid automaton with four discrete modes and a timer $s$:
• pump off ($q = 1$) to wait to on ($q = 2$): guard $y \le 1$?, reset $s := 0$
• wait to on ($q = 2$) to pump on ($q = 3$): guard $s \ge .5$?
• pump on ($q = 3$) to wait to off ($q = 4$): guard $y \ge 2$?, reset $s := 0$
• wait to off ($q = 4$) to pump off ($q = 1$): guard $s \ge .5$?
Reachability algorithm for the tank system
Suppose $S_0 = \{(1,x) : x \in X_o\}$, with continuous state $x = (y,s)$ and $X_o$ the initial rectangle shown in the figure. [figures: reach sets drawn in the $(y,s)$ plane for each mode, one per step]
$\text{Reach}_0 = \{1\} \times X_o$
$\text{Reach}_1 = \{1\} \times X_1$ (continuous evolution event $\tau$ in mode $q = 1$)
$\text{Reach}_2 = \text{Reach}_1 \cup \{(2,(1,0))\}$ (jump event $(1,2)$)
$\text{Reach}_3 = \text{Reach}_1 \cup \{(2,(1-a,a)) : a \in [0,.5]\}$ (event $\tau$ in mode $q = 2$)
$\text{Reach}_4 = \text{Reach}_3 \cup \{(3,(.5,.5))\}$ (jump event $(2,3)$)
$\text{Reach}_5 = \text{Reach}_3 \cup \{(3,(.5,.5+a)) : a \in [0,1.5]\}$ (event $\tau$ in mode $q = 3$)
$\text{Reach}_6 = \text{Reach}_5 \cup \{(4,(2,0))\}$ (jump event $(3,4)$)
$\text{Reach}_7 = \text{Reach}_5 \cup \{(4,(2+2a,a)) : a \in [0,.5]\}$ (event $\tau$ in mode $q = 4$)
$\text{Reach}_7 = \text{Reach}_6 \cup \{(1,(3,.5))\}$ (jump event $(4,1)$)
$\text{Reach}_7 = \text{Reach}_6 \cup \{(1,(a,.5)) : a \in [1,3]\}$ (event $\tau$ in mode $q = 1$)
$\text{Reach}_8 = \text{Reach}_7$ !!! (the jump event $(1,2)$ adds nothing new, so the algorithm terminates)
[figure: the final reach set in each of the four modes, in the $(y,s)$ plane]
Initialized rectangular automaton
Rectangle ≡ set of the form $I_1 \times I_2 \times \dots \times I_n$ where each $I_k$ is an interval whose finite end-points are rational (in $\mathbb{Q}$), e.g., $[3,4] \times [5,6)$ or $(-\infty,1) \times (1,2)$ or $\mathbb{R} \times (1/2, 5/4)$, but not $([1,2] \cup [3,4]) \times [5,6]$ or $[1, 2^{1/2}] \times [3,4]$.
Hybrid automaton $H$: $Q$ ≡ set of discrete states; $\mathbb{R}^n$ ≡ continuous state-space; $f: Q \times \mathbb{R}^n \to \mathbb{R}^n$ ≡ vector field; $\phi: Q \times \mathbb{R}^n \to Q$ ≡ discrete transition; $\rho: Q \times \mathbb{R}^n \to \mathbb{R}^n$ ≡ reset map.
$H$ is an initialized rectangular automaton if:
1. the set $Q$ is finite
2. $f(q,x) = k(q) \in \mathbb{Q}^n\ \forall x \in \mathbb{R}^n$ (constant rational vector fields in each discrete mode)
3. the conditions for jumps are expressed by rectangles in $x$: each jump condition is of the form $x \in R_{ji}$, where all the $R_{ji}$ are rectangles
4. there is a function $\nu: Q \to \mathbb{Q}^n$ such that $\rho(q,x) = \nu(q)$, i.e., the resets are independent of $x$ (and rectangles for the nondeterministic case)
Example #5: Tank system (cont.)
[figure: the tank automaton of the previous slides with constant resets added on every transition]
By adding “no-effect” resets, i.e., constant resets that assign the value the state already has when the guard fires ($y := 1$, $s := 0$ on the transition from pump off to wait to on; $y := .5$, $s := .5$ from wait to on to pump on; $y := 2$, $s := 0$ from pump on to wait to off; $y := 3$, $s := .5$ from wait to off to pump off), one obtains an initialized rectangular automaton.
Decidability
$H$ is an initialized rectangular automaton if:
1. the set $Q$ is finite
2. the vector field is constant in each discrete mode
3. the jump conditions are rectangular in $x$
4. the resets are independent of $x$
(conditions 1 to 3 define a rectangular automaton; condition 4 makes it initialized)
Theorem: The reachability algorithm finishes in finite time for any initialized rectangular automaton (deterministic or not). Moreover, one can implement the reachability algorithm exactly using finite memory and finite computation.
• finite number of discrete states & constant resets ⇒ finite termination (only needs to compute a finite number of reach sets inside each mode)
• rational numbers needed for exact representation with finite memory
• constant vector fields & rectangular jump conditions make possible exact computation of reach sets inside each mode
Decidability (cont.)
Perhaps the most restrictive condition is the “initialization”, because it clears any memory regarding the previous continuous evolution (other than what was encoded in the discrete state), but without it we may not have finite termination.
[figure: counterexample without initialization, with guard $s \ge 1$? and $S_0 = \{(1,0)\} = \text{Reach}_0$; $\text{Reach}_1$, $\text{Reach}_2$, … are shown in the $(x,s)$ plane and keep growing]
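The exact reach-set computation the theorem refers to, run on the tank system of the previous slides with its constant resets, as an added example (not the lecture's own code). The single initial state $(1,(3,.5))$ and the timer dynamics $\dot s = 1$ only in the two waiting modes are assumptions; the flow rates $-\mu$ and $\lambda - \mu$ and the guards are the slide's values.

```python
"""Exact reach-set computation inside each mode for the tank system seen as an
initialized rectangular automaton: constant rational vector fields, rectangular
guards and constant resets, so every reach set is a segment computed exactly."""
from fractions import Fraction as Fr
from typing import List, Optional, Tuple

Vec = Tuple[Fr, Fr]                        # continuous state x = (y, s): level and timer
Bound = Tuple[Optional[Fr], Optional[Fr]]  # [lo, hi] of one coordinate, None = unbounded

LAM, MU, DELTA = Fr(3), Fr(1), Fr(1, 2)    # pump-on inflow, constant outflow, pump delay
ANY: Bound = (None, None)
# mode -> (constant vector field k(q), [(guard rectangle, target mode, constant reset)])
# Assumption: the timer runs (ds/dt = 1) only in the two "wait" modes.
TANK = {
    1: ((-MU, Fr(0)),      [(((None, Fr(1)), ANY), 2, (Fr(1), Fr(0)))]),    # pump off:    y <= 1 ?
    2: ((-MU, Fr(1)),      [((ANY, (DELTA, None)), 3, (Fr(1, 2), DELTA))]),  # wait to on:  s >= .5 ?
    3: ((LAM - MU, Fr(0)), [(((Fr(2), None), ANY), 4, (Fr(2), Fr(0)))]),    # pump on:     y >= 2 ?
    4: ((LAM - MU, Fr(1)), [((ANY, (DELTA, None)), 1, (Fr(3), DELTA))]),    # wait to off: s >= .5 ?
}


def hit_time(x, v, box):
    """Earliest t >= 0 with x + t*v inside the rectangle `box`, or None if never.
    Along a constant field each coordinate is inside its [lo, hi] during one time
    interval; the rectangle is entered at the first time common to all of them."""
    t_in, t_out = Fr(0), None
    for xk, vk, (lo, hi) in zip(x, v, box):
        if vk == 0:                      # coordinate frozen: must already be inside
            if (lo is not None and xk < lo) or (hi is not None and xk > hi):
                return None
            continue
        t_lo = None if lo is None else (lo - xk) / vk   # crossing times of the two bounds
        t_hi = None if hi is None else (hi - xk) / vk
        enter, leave = (t_lo, t_hi) if vk > 0 else (t_hi, t_lo)
        if enter is not None:
            t_in = max(t_in, enter)
        if leave is not None:
            t_out = leave if t_out is None else min(t_out, leave)
    return t_in if t_out is None or t_in <= t_out else None


def tank_cycle(q0=1, x0=(Fr(3), DELTA), max_jumps=20):
    """Reachability algorithm from the single initial state (q0, x0): in each mode the
    reach set is the segment from the entry point to the first guard hit, and the jump
    then lands on the constant reset.  Stops when a (mode, entry point) repeats, i.e.
    Reach_{i+1} = Reach_i.  Returns the list of (mode, segment start, segment end)."""
    segments, seen, q, x = [], set(), q0, x0
    while (q, x) not in seen and len(segments) < max_jumps:
        seen.add((q, x))
        v, edges = TANK[q]
        hits = []
        for box, target, reset in edges:
            t = hit_time(x, v, box)
            if t is not None:
                hits.append((t, target, reset))
        if not hits:
            raise RuntimeError(f"mode {q}: no guard reachable from {x}")
        t, q_next, reset = min(hits)     # earliest enabled guard fires
        segments.append((q, x, (x[0] + t * v[0], x[1] + t * v[1])))
        q, x = q_next, reset
    return segments
```

The four segments returned are exactly the per-mode reach sets of the slides, with entry points $(3,.5)$, $(1,0)$, $(.5,.5)$ and $(2,0)$; all arithmetic stays in rationals, which is what "exact representation with finite memory" means here.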
Back to safety…
Given a hybrid automaton $H$ and a set of initial states $H_0 \subset Q \times \mathbb{R}^n$: $H$ satisfies a safety property $p(q,x) = \Box\,(q(t),x(t)) \in F$, $F \subset Q \times \mathbb{R}^n$, if and only if $\text{Reach}_H(H_0) \subset F$ (every point in every trajectory starting in $H_0$ satisfies $p$). [figure: $H_0 \subset \text{Reach}(H_0) \subset F$]
Reachability algorithm (the algorithm can terminate immediately if one of the $\text{Reach}_i$ is outside of $F$):
initialization: $\text{Reach}_{-1} = \emptyset$, $\text{Reach}_0 = S_0$, $i = 0$
loop: while $\text{Reach}_i \ne \text{Reach}_{i-1}$ and $\text{Reach}_i \subset F$ do
    $\text{Reach}_{i+1} = \text{Reach}_i \cup \{s' \in S : \exists s \in \text{Reach}_i,\ e \in E,\ (s,e,s') \in T\}$
    $i = i+1$
end: if $\text{Reach}_i = \text{Reach}_{i-1}$ then $H$ satisfies $p$, else $H$ does not satisfy $p$
Backward reachability
Given a hybrid automaton $H$ and a set of final states $H_f \subset Q \times \mathbb{R}^n$:
$\text{BackReach}_H(H_f)$ ≡ set of pairs $(q_0,x_0) \in Q \times \mathbb{R}^n$ for which there is a solution $(q,x)$ to $H$ that
1. starts at $(q_0,x_0)$: $(q(t_0),x(t_0)) = (q_0,x_0)$
2. passes through $H_f$: $\exists t \ge t_0 : (q(t),x(t)) \in H_f$
[figure: $H_f$ and $\text{BackReach}_H(H_f)$]
What can you say about $\text{Reach}_H(\text{BackReach}_H(H_f))$ and $\text{BackReach}_H(\text{Reach}_H(H_0))$?
In general $\text{Reach}_H(\text{BackReach}_H(H_f)) \supset H_f$ and $\text{BackReach}_H(\text{Reach}_H(H_0)) \supset H_0$. [figures: $R(BR(H_f))$, $H_f$, $BR(H_f)$; $H_0$, $BR(R(H_0))$, $R(H_0)$]
For deterministic systems $\text{Reach}_H(\text{BackReach}_H(H_f)) = \text{Reach}_H(H_f) \supset H_f$.
For backwards-in-time deterministic systems $\text{BackReach}_H(\text{Reach}_H(H_0)) = \text{BackReach}_H(H_0) \supset H_0$.
$H$ satisfies a safety property $p(q,x) = \Box\,(q(t),x(t)) \in F$, where $F \subset Q \times \mathbb{R}^n$ is a nonempty set, if and only if $\text{BackReach}_H(\neg F) \cap H_0 = \emptyset$, where $\neg F$ means $Q \times \mathbb{R}^n \setminus F$ (every point in every trajectory starting in $H_0$ satisfies $p$). [figure: $H_0$, $\neg F$ and $\text{BackReach}(\neg F)$, with $\text{BackReach}(\neg F)$ disjoint from $H_0$]
Transition system (cont.)
Recall: $S$ ≡ set of states, $E$ ≡ alphabet of events, $T \subset S \times E \times S$ ≡ transition relation; in the three-state example $S = \{1,2,3\}$, $E = \{a,b\}$, $T = \{(1,a,2), (2,b,1), (2,b,3), (3,a,1)\}$; an execution is a sequence of states $\{s_0, s_1, s_2, \dots\}$ for which there is a sequence of events $\{e_0, e_1, e_2, \dots\}$ with $(s_i,e_i,s_{i+1}) \in T\ \forall i$.
Given a set of initial states $S_0 \subset S$: $\text{Reach}_T(S_0)$ ≡ set of states $s \in S$ for which there is a finite execution that starts in $S_0$ and ends at $s$.
Given a set of final states $S_f \subset S$: $\text{BackReach}_T(S_f)$ ≡ set of states $s \in S$ for which there is a finite execution that starts at $s$ and ends in $S_f$.
Backward reachability algorithm:
initialization: $\text{BReach}_{-1} = \emptyset$, $\text{BReach}_0 = S_f$, $i = 0$
loop: while $\text{BReach}_i \ne \text{BReach}_{i-1}$ do
    $\text{BReach}_{i+1} = \text{BReach}_i \cup \{s \in S : \exists s' \in \text{BReach}_i,\ e \in E \text{ s.t. } (s,e,s') \in T\}$ (states from where one can transition into $\text{BReach}_i$)
    $i = i+1$
Example: [figure: the six-state transition system with events $a$, $b$]
$S_f = \{5\}$: $\text{BReach}_0 = \{5\}$, $\text{BReach}_1 = \{2,3,5\}$, $\text{BReach}_2 = \{1,2,3,5\}$, $\text{BReach}_3 = \{1,2,3,5\}$, so $\text{BackReach}_T(\{5\}) = \{1,2,3,5\}$
Theorem: If $S$ is finite then (i) the backward reachability algorithm finishes in a finite number of steps and (ii) upon exiting the while-loop $\text{BReach}_i = \text{BackReach}_T(S_f)$.
Why?
(i) In each iteration the number of elements in $\text{BReach}_i$ increases by at least 1. Since it can have at most as many elements as $S$, there can only be as many iterations as the number of elements in $S$ (minus the number of elements in $S_f$).
(ii) $\text{BReach}_i$ ≡ the set of states that can reach $S_f$ in at most $i$ steps, thus any state from which $S_f$ can be reached in a finite number of steps must be in one of the $\text{BReach}_i$.
Invariant set algorithm (backward reachability working with complements):
initialization: $\text{Inv}_{-1} = S$, $\text{Inv}_0 = \neg S_f$, $i = 0$ (so that $\text{Inv}_i = \neg\text{BReach}_i$, the complement of the previous slide's set)
loop: while $\text{Inv}_i \ne \text{Inv}_{i-1}$ do
    $\text{Inv}_{i+1} = \text{Inv}_i \cap \{s \in S : \forall s' \notin \text{Inv}_i,\ e \in E,\ (s,e,s') \notin T\}$ (states for which there is no transition out of $\text{Inv}_i$; the new set is the complement of $\{s \in S : \exists s' \notin \text{Inv}_i,\ e \in E \text{ s.t. } (s,e,s') \in T\}$)
    $i = i+1$
Example: [figure: the six-state transition system with events $a$, $b$]
$F = \{1,2,3,4,6\}$ ($S_f = \neg F = \{5\}$): $\text{Inv}_0 = \{1,2,3,4,6\}$, $\text{Inv}_1 = \{1,4,6\}$, $\text{Inv}_2 = \{4,6\}$, $\text{Inv}_3 = \{4,6\}$, so $\text{Inv}_T(\neg\{5\}) = \{4,6\} = \neg\text{BackReach}_T(\{5\})$, consistent with the previous computation $\text{BackReach}_T(\{5\}) = \{1,2,3,5\}$
Theorem: If $S$ is finite then (i) the algorithm finishes in a finite number of steps and (ii) upon exiting the while-loop $\text{Inv}_i = \text{Inv}_T(\neg S_f)$ ≡ largest invariant set contained in $\neg S_f$ ($= F$).
Why?
(i) In each iteration the number of elements in $\text{Inv}_i$ decreases by at least 1. There can only be as many iterations as the number of elements in $S \setminus S_f$.
(ii) Upon exiting, $\text{Inv} \subset \{s \in S : \forall s' \notin \text{Inv},\ e \in E,\ (s,e,s') \notin T\}$, the set of states for which there is no transition out of $\text{Inv}$ ⇒ $\text{Inv}$ is an invariant set.
Invariant sets
Given a hybrid automaton $H$ and a set of final states $H_f \subset Q \times \mathbb{R}^n$: $\text{Inv}_H(H_f)$ ≡ largest invariant set contained in $H_f$. As just seen, $\text{Inv}_H(H_f) = \neg\text{BackReach}_H(\neg H_f)$.
$H$ satisfies a safety property $p(q,x) = \Box\,(q(t),x(t)) \in F$, where $F \subset Q \times \mathbb{R}^n$ is a nonempty set, if and only if $\text{BackReach}_H(\neg F) \cap H_0 = \emptyset$, or equivalently $\neg\text{Inv}_H(F) \cap H_0 = \emptyset \Leftrightarrow H_0 \subset \text{Inv}_H(F)$.
[figure: $H_0 \subset \text{Inv}(F) \subset F$]
$\text{Inv}_H(F)$ ≡ largest set of initial states for which the property is satisfied.
Back to safety (again)…
Given a hybrid automaton $H$ and a set of initial states $H_0 \subset Q \times \mathbb{R}^n$: $H$ satisfies a safety property $p(q,x) = \Box\,(q(t),x(t)) \in F$, $F \subset Q \times \mathbb{R}^n$ nonempty, if and only if $\text{BackReach}_H(\neg F) \cap H_0 = \emptyset$ (every point in every trajectory starting in $H_0$ satisfies $p$). [figure: $H_0$, $\neg F$ and $\text{BackReach}(\neg F)$]
Backward reachability algorithm (the algorithm can terminate immediately if one of the $\text{BReach}_i$ intersects $H_0$):
initialization: $\text{BReach}_{-1} = \emptyset$, $\text{BReach}_0 = S_f := \neg F$, $i = 0$
loop: while $\text{BReach}_i \ne \text{BReach}_{i-1}$ and $\text{BReach}_i \cap H_0 = \emptyset$ do
    $\text{BReach}_{i+1} = \text{BReach}_i \cup \{s \in S : \exists s' \in \text{BReach}_i,\ e \in E,\ (s,e,s') \in T\}$
    $i = i+1$
end: if $\text{BReach}_i = \text{BReach}_{i-1}$ then $H$ satisfies $p$, else $H$ does not satisfy $p$
Controller design based on backward reachability
When one obtains $\text{BReach}_{i+1} \cap H_0 \ne \emptyset$ it is because $\{s \in S : \exists s' \in \text{BReach}_i,\ e \in E,\ (s,e,s') \in T\} \cap H_0 \ne \emptyset$, i.e., $\exists s \in H_0,\ s' \in \text{BReach}_i,\ e \in E : (s,e,s') \in T$ (a transition from $H_0$ to $\text{BReach}_i$). Safety could be recovered if the transition $(s,e,s') \in T$ were removed.
Control design based on backward reachability: inhibit any transition $(s,e,s')$ for which $s' \in \text{BReach}_i$, $e \in E$, $s \in H_0$. Typically this amounts to
1. removing a discrete transition, or
2. adding a discrete transition to prevent continuous evolution.
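The forward reachability, backward reachability and invariant-set algorithms, the safety check with early exit, and the transition-inhibiting controller design above, run on the six-state transition system used in the examples; this is an added example, not the lecture's own code. Because the slides give the graph only as a figure, the transition relation below is an assumption reconstructed to reproduce the reach sets the slides compute.

```python
"""Forward reachability, backward reachability and invariant-set algorithms of the
lecture, run on its 6-state transition system (S, E, T) with E = {a, b}."""
from typing import Callable, Iterable, List, Set, Tuple

State = int
Transition = Tuple[State, str, State]

# Constructed transition relation: the slides show the graph as a figure, so this is an
# assumption reconstructed to reproduce the reach sets computed on the slides
# (Reach_T({3}) = S, Reach_T({2}) = {2,4,5}, BackReach_T({5}) = {1,2,3,5}, Inv_T(not {5}) = {4,6}).
S: Set[State] = {1, 2, 3, 4, 5, 6}
T: Set[Transition] = {(1, "a", 2), (1, "a", 3), (2, "a", 4), (2, "b", 5),
                      (3, "a", 1), (3, "a", 5), (3, "b", 6)}


def post(states: Set[State], T: Set[Transition]) -> Set[State]:
    """States one can transition to from `states` with one event."""
    return {s2 for (s, _, s2) in T if s in states}


def pre(states: Set[State], T: Set[Transition]) -> Set[State]:
    """States from which one can transition into `states` with one event."""
    return {s for (s, _, s2) in T if s2 in states}


def _fixed_point(x0: Set[State], step: Callable[[Set[State]], Set[State]]) -> List[Set[State]]:
    """Iterate X_{i+1} = step(X_i) from X_0 = x0 while X_i != X_{i-1};
    returns X_0, X_1, ..., ending with the repeated fixed point."""
    seq = [set(x0)]
    while len(seq) < 2 or seq[-1] != seq[-2]:
        seq.append(step(seq[-1]))
    return seq


def reach(S0: Iterable[State], T: Set[Transition]) -> List[Set[State]]:
    """Reach_{i+1} = Reach_i U post(Reach_i); the last element is Reach_T(S0)."""
    return _fixed_point(set(S0), lambda R: R | post(R, T))


def back_reach(Sf: Iterable[State], T: Set[Transition]) -> List[Set[State]]:
    """BReach_{i+1} = BReach_i U pre(BReach_i); the last element is BackReach_T(Sf)."""
    return _fixed_point(set(Sf), lambda B: B | pre(B, T))


def invariant(Sf: Iterable[State], S: Set[State], T: Set[Transition]) -> List[Set[State]]:
    """Inv_0 = S \\ Sf, Inv_{i+1} = Inv_i ∩ {s : no transition from s leaves Inv_i};
    the last element is Inv_T(not Sf), the largest invariant set contained in S \\ Sf."""
    return _fixed_point(set(S) - set(Sf), lambda I: {s for s in I if post({s}, T) <= I})


def safe_by_forward_reach(S0: Iterable[State], F: Set[State], T: Set[Transition]) -> bool:
    """Safety check 'always in F' with early exit: stop as soon as some Reach_i leaves F,
    otherwise run to the fixed point (the loop of the 'Back to safety' slide)."""
    seq = [set(S0)]
    while seq[-1] <= F and (len(seq) < 2 or seq[-1] != seq[-2]):
        seq.append(seq[-1] | post(seq[-1], T))
    return seq[-1] <= F


def inhibit(H0: Set[State], Sf: Iterable[State], T: Set[Transition]) -> Set[Transition]:
    """Controller design from backward reachability: remove every transition (s, e, s')
    with s in H0 and s' in BackReach_T(Sf).  Using the final backward reach set (instead
    of the BReach_i at which H0 is first hit) removes in one pass every transition through
    which an initial state could enter a state that can still reach Sf."""
    bad = back_reach(Sf, T)[-1]
    return {(s, e, s2) for (s, e, s2) in T if not (s in H0 and s2 in bad)}
```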
Next lecture…
Lyapunov stability of ODEs
• epsilon-delta and beta-function definitions
• Lyapunov's stability theorem
• LaSalle's invariance principle
Lyapunov stability of hybrid systems