parsimonious, simulation based verification of linear...

Parsimonious, Simulation Based Verification Of Linear Systems

Parasara Sridhar Duggirala Mahesh Viswanathan

Safety Verification: Motivation

Adaptive cruise control

Program controller such that v → vf while having 𝑠 > 𝑙𝑖𝑚𝑖𝑡.

CAV 2016 2

𝒔

𝐯𝐟𝐯

Safety Verification: Motivation

Adaptive cruise control

Program controller such that v → vf while having 𝑠 > 𝑙𝑖𝑚𝑖𝑡.

CAV 2016 3

𝒔

𝐯𝐟𝐯

ODE model.ሶs = vf − v;ሶv = −kav + u;

Controller designu = c1v + c2s + c3

Safety Verification: Motivation

Adaptive cruise control

Program controller such that v → vf while having 𝑠 > 𝑙𝑖𝑚𝑖𝑡.

CAV 2016 4

𝒔

𝐯𝐟𝐯

ODE model.ሶs = vf − v;ሶv = −kav + u;

Controller designu = c1v + c2s + c3

Closed loop systemሶsv

=a11 a12a21 a22

sv

+b1b2

represented asሶ𝑥 = 𝐴𝑥 + 𝐵( )

Safety Verification: Motivation

Adaptive cruise control

Program controller such that v → vf while having 𝑠 > 𝑙𝑖𝑚𝑖𝑡.

CAV 2016 5

𝒔

𝐯𝐟𝐯

ODE model.ሶs = vf − v;ሶv = −kav + u;

Controller designu = c1v + c2s + c3

Closed loop systemሶsv

=a11 a12a21 a22

sv

+b1b2

Safety verification problem for linear systems ሶ𝒙 = 𝑨𝒙 + 𝑩From initial set Θ (dis)prove that no trajectory enters the unsafe set U

represented asሶ𝑥 = 𝐴𝑥 + 𝐵( )

Solution: Reachable Set

System: ሶ𝑥 = 𝐴𝑥 + 𝐵, initial set Θ (polyhedra), unsafe set 𝑈.

CAV 2016 6

𝚯

. 𝜉 𝑥0, 𝑡 = 𝑒𝐴𝑡𝑥0 +න0

𝑡

𝑒𝐴(𝑡−𝜏)𝐵𝑑𝜏

𝑥0

Solution: Reachable Set

System: ሶ𝑥 = 𝐴𝑥 + 𝐵, initial set Θ (polyhedra), unsafe set 𝑈.

CAV 2016 7

𝚯

. 𝜉 𝑥0, 𝑡 = 𝑒𝐴𝑡𝑥0 +න0

𝑡

𝑒𝐴(𝑡−𝜏)𝐵𝑑𝜏

𝑥0

Procedure to compute reachable set1. Represent the set Θ using data structure

Data structureSpaceEx – Support FunctionsCORA – ZonotopesFlow* – Taylor Models

Solution: Reachable Set

System: ሶ𝑥 = 𝐴𝑥 + 𝐵, initial set Θ (polyhedra), unsafe set 𝑈.

CAV 2016 8

𝚯

. 𝜉 𝑥0, 𝑡 = 𝑒𝐴𝑡𝑥0 +න0

𝑡

𝑒𝐴(𝑡−𝜏)𝐵𝑑𝜏

𝑥0

Procedure to compute reachable set1. Represent the set Θ using data structure2. Select a time interval ℎ.3. Compute 𝑃𝑜𝑠𝑡(Θ, ℎ) for [0, ℎ]

Data structureSpaceEx – Support FunctionsCORA – ZonotopesFlow* – Taylor Models

Solution: Reachable Set

System: ሶ𝑥 = 𝐴𝑥 + 𝐵, initial set Θ (polyhedra), unsafe set 𝑈.

CAV 2016 9

𝚯

. 𝜉 𝑥0, 𝑡 = 𝑒𝐴𝑡𝑥0 +න0

𝑡

𝑒𝐴(𝑡−𝜏)𝐵𝑑𝜏

𝑥0

Procedure to compute reachable set1. Represent the set Θ using data structure2. Select a time interval ℎ.3. Compute 𝑃𝑜𝑠𝑡(Θ, ℎ) for [0, ℎ]4. Iterate for future intervals.

Data structureSpaceEx – Support FunctionsCORA – ZonotopesFlow* – Taylor Models

Solution: Reachable Set

System: ሶ𝑥 = 𝐴𝑥 + 𝐵, initial set Θ (polyhedra), unsafe set 𝑈.

CAV 2016 10

𝚯

. 𝜉 𝑥0, 𝑡 = 𝑒𝐴𝑡𝑥0 +න0

𝑡

𝑒𝐴(𝑡−𝜏)𝐵𝑑𝜏

𝑥0

Procedure to compute reachable set1. Represent the set Θ using data structure2. Select a time interval ℎ.3. Compute 𝑃𝑜𝑠𝑡(Θ, ℎ) for [0, ℎ]4. Iterate for future intervals.

Data structureSpaceEx – Support FunctionsCORA – ZonotopesFlow* – Taylor Models

Drawbacks1. Representation cost grows with n2. Only overapproximation3. Cannot be directly applied for

time varying linear systems

This Paper: Contributions

New simulation based verification for linear systems.

1. For 𝒏-dimensional system, 𝒏 + 𝟏 simulations suffice.

2. Works for both time invariant and time variant systems.

3. Works for non-convex and unbounded initial set.

4. Can compute over- and under-approximation.

CAV 2016 11

The How: Superposition Principle

CAV 2016 12

𝑥1

𝑥2

𝜉(𝑥1, 𝑡)

𝜉(𝑥2, 𝑡)

The How: Superposition Principle

CAV 2016 13

𝑥1

𝑥2

𝜆𝑥1 + (1 − 𝜆)𝑥2

𝜉(𝑥1, 𝑡)

𝜉(𝑥2, 𝑡)

.

The How: Superposition Principle

CAV 2016 14

𝑥1

𝑥2

𝜆𝑥1 + (1 − 𝜆)𝑥2

𝜉(𝑥1, 𝑡)

𝜉(𝑥2, 𝑡)

𝜉 𝜆𝑥1 + 1 − 𝜆 𝑥2, 𝑡=

𝜆𝜉(𝑥1, 𝑡) + 1 − 𝜆 𝜉(𝑥2, 𝑡)

.

Implications Of Superposition

CAV 2016 15

𝑥0

𝑥1

𝑥2

v2

v1

.

.

.

Implications Of Superposition

CAV 2016 16

𝜉(𝑥0, 𝑡)

𝜉(𝑥1, 𝑡)

𝜉(𝑥2, 𝑡)

.

..v1′

v2′

𝑥0

𝑥1

𝑥2

v2

v1

.

.

.

Implications Of Superposition

CAV 2016 17

𝜉(𝑥0, 𝑡)

𝜉(𝑥1, 𝑡)

𝜉(𝑥2, 𝑡)

.

..v1′

v2′

𝑥0

𝑥1

𝑥2

v2

v1

.

.

.

𝑥0 + 𝛼1v1 + 𝛼2v2

.

Implications Of Superposition

CAV 2016 18

𝜉(𝑥0, 𝑡)

𝜉(𝑥1, 𝑡)

𝜉(𝑥2, 𝑡)

𝜉(𝑥0 + 𝛼1𝑣1 + 𝛼2𝑣2, 𝑡)

.

..v1′

v2′

𝑥0

𝑥1

𝑥2

v2

v1

.

.

.

𝑥0 + 𝛼1v1 + 𝛼2v2

.

Implications Of Superposition

CAV 2016 19

𝜉(𝑥0, 𝑡)

𝜉(𝑥1, 𝑡)

𝜉(𝑥2, 𝑡)

𝜉(𝑥0 + 𝛼1𝑣1 + 𝛼2𝑣2, 𝑡)

.

..v1′

v2′

.𝛼1v1

′ + 𝛼2v2′

𝑥0

𝑥1

𝑥2

v2

v1

.

.

.

𝑥0 + 𝛼1v1 + 𝛼2v2

.

Implications Of Superposition

CAV 2016 20

𝜉(𝑥0, 𝑡)

𝜉(𝑥1, 𝑡)

𝜉(𝑥2, 𝑡)

𝜉(𝑥0 + 𝛼1𝑣1 + 𝛼2𝑣2, 𝑡)

.

..v1′

v2′

.𝛼1v1

′ + 𝛼2v2′

𝑥0

𝑥1

𝑥2

v2

v1

.

.

.

𝑥0 + 𝛼1v1 + 𝛼2v2

.

Why is this important?Given 𝜉0, 𝜉1, and 𝜉2, one can

compute any simulation startingfrom linear span of 𝑥0, 𝑣1, and 𝑣2.

Implications Of Superposition

CAV 2016 21

𝜉(𝑥0, 𝑡)

𝜉(𝑥1, 𝑡)

𝜉(𝑥2, 𝑡)

𝜉(𝑥0 + 𝛼1𝑣1 + 𝛼2𝑣2, 𝑡)

.

..v1′

v2′

.

𝑥0

𝑥1

𝑥2

v2

v1

.

.

.

𝜉(𝑥0 + 𝛼1′𝑣1 + 𝛼2

′𝑣2, 𝑡)

𝛼1′v1

′ + 𝛼2′ v2

′

Why is this important?Given 𝜉0, 𝜉1, and 𝜉2, one can

compute any simulation startingfrom linear span of 𝑥0, 𝑣1, and 𝑣2.

Implications Of Superposition

CAV 2016 22

𝜉(𝑥0, 𝑡)

𝜉(𝑥1, 𝑡)

𝜉(𝑥2, 𝑡)

𝜉(𝑥0 + 𝛼1𝑣1 + 𝛼2𝑣2, 𝑡)

.

..v1′

v2′

.

𝑥0

𝑥1

𝑥2

v2

v1

.

.

.

𝜉(𝑥0 + 𝛼1′𝑣1 + 𝛼2

′𝑣2, 𝑡)

𝛼1′v1

′ + 𝛼2′ v2

′

Why is this important?Given 𝜉0, 𝜉1, and 𝜉2, one can

compute any simulation startingfrom linear span of 𝑥0, 𝑣1, and 𝑣2.

Key Idea: Use a set representation that exploits this property

Representation: Generalized Stars

Generalized star is represented as ⟨𝑐, 𝑉, 𝑃⟩

𝑐 – center, 𝑉 – set of vectors, 𝑃 – predicate.

CAV 2016 23

𝑐, 𝑉, 𝑃 = 𝑥 ∃ ത𝛼 = (𝛼1, … , 𝛼𝑛), c + Σ𝑖𝛼𝑖𝑣𝑖 = 𝑥, 𝑃 ത𝛼 = ⊤}

𝑣1

𝑣2

𝑐1

𝑃 𝛼1, 𝛼2≜

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

𝑐1 + 𝛼1𝑣1 + 𝛼2𝑣2.

Representation: Generalized Stars

Generalized star is represented as ⟨𝑐, 𝑉, 𝑃⟩

𝑐 – center, 𝑉 – set of vectors, 𝑃 – predicate.

CAV 2016 24

𝑐, 𝑉, 𝑃 = 𝑥 ∃ ത𝛼 = (𝛼1, … , 𝛼𝑛), c + Σ𝑖𝛼𝑖𝑣𝑖 = 𝑥, 𝑃 ത𝛼 = ⊤}

𝑃 𝛼1, 𝛼2≜

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1 ∧ 𝛼1 + 𝛼2 ≤ 1.5𝑣1

𝑣2

𝑐1

Representation: Generalized Stars

Generalized star is represented as ⟨𝑐, 𝑉, 𝑃⟩

𝑐 – center, 𝑉 – set of vectors, 𝑃 – predicate.

CAV 2016 25

𝑐, 𝑉, 𝑃 = 𝑥 ∃ ത𝛼 = (𝛼1, … , 𝛼𝑛), c + Σ𝑖𝛼𝑖𝑣𝑖 = 𝑥, 𝑃 ത𝛼 = ⊤}

𝑃 𝛼1, 𝛼2≜

𝛼1 ≤ 1 − 𝛼22𝑣1

𝑣2

𝑐1

Representation: Generalized Stars

Generalized star is represented as ⟨𝑐, 𝑉, 𝑃⟩

𝑐 – center, 𝑉 – set of vectors, 𝑃 – predicate.

CAV 2016 26

𝑐, 𝑉, 𝑃 = 𝑥 ∃ ത𝛼 = (𝛼1, … , 𝛼𝑛), c + Σ𝑖𝛼𝑖𝑣𝑖 = 𝑥, 𝑃 ത𝛼 = ⊤}

𝑃 𝛼1, 𝛼2≜

𝑣1

𝑣2

𝑐1 𝟏. 𝟓*𝒔𝒒𝒓𝒕 -𝒂𝒃𝒔 𝒂𝒃𝒔 𝒙 – 𝟏 *𝒂𝒃𝒔 𝟑 – 𝒂𝒃𝒔 𝒙

𝒂𝒃𝒔 𝒙 – 𝟏 * 𝟑 – 𝒂𝒃𝒔 𝒙* 𝟏 +

𝒂𝒃𝒔 𝒂𝒃𝒔 𝒙 – 𝟑

𝒂𝒃𝒔 𝒙 - 𝟑* 𝒔𝒒𝒓𝒕 𝟏 –

𝒙

𝟕

𝟐

+

𝟒.𝟓 + 𝟎. 𝟕𝟓 * 𝒂𝒃𝒔 𝒙 – 𝟎.𝟓 + 𝒂𝒃𝒔 𝒙 + 𝟎. 𝟓 – 𝟐. 𝟕𝟓 * 𝒂𝒃𝒔 𝒙-𝟎. 𝟕𝟓 + 𝒂𝒃𝒔 𝒙 + 𝟎. 𝟕𝟓 * 𝟏 +𝒂𝒃𝒔 𝟏 – 𝒂𝒃𝒔 𝒙

𝟏 – 𝒂𝒃𝒔 𝒙,

-𝟑 *𝒔𝒒𝒓𝒕 𝟏 -𝒙

𝟕

𝟐

*𝒔𝒒𝒓𝒕𝒂𝒃𝒔 𝒂𝒃𝒔 𝒙 – 𝟒

𝒂𝒃𝒔 𝒙 -𝟒, 𝒂𝒃𝒔

𝒙

𝟐– 𝟎.𝟎𝟗𝟏𝟑𝟕𝟐𝟐 * 𝒙𝟐-𝟑 + 𝒔𝒒𝒓𝒕 𝟏 – 𝒂𝒃𝒔 𝒂𝒃𝒔 𝒙 – 𝟐 – 𝟏 𝟐 ,

(𝟐. 𝟕𝟏𝟎𝟓𝟐+ 𝟏. 𝟓 – 𝟎. 𝟓 * 𝒂𝒃𝒔(𝒙) – 𝟏. 𝟑𝟓𝟓𝟐𝟔 * 𝒔𝒒𝒓𝒕(𝟒 – (𝒂𝒃𝒔(𝒙) – 𝟏)^𝟐)) * 𝒔𝒒𝒓𝒕(𝒂𝒃𝒔(𝒂𝒃𝒔(𝒙) – 𝟏)/(𝒂𝒃𝒔(𝒙) – 𝟏))

Reachable Set Computation Using Simulations For Generalized Stars

Given Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩ to compute reachable set

CAV 2016 27

𝑐 𝑣1

𝑣2Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Reachable Set Computation Using Simulations For Generalized Stars

Given Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩ to compute reachable set1. Simulate from 𝑐2. Simulate from 𝑐 + 𝑣𝑖 for each 𝑖

CAV 2016 28

𝑐 𝑣1

𝑣2

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

Reachable Set Computation Using Simulations For Generalized Stars

Given Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩ to compute reachable set1. Simulate from 𝑐2. Simulate from 𝑐 + 𝑣𝑖 for each 𝑖

Reachable set at time 𝑡 is given by ⟨𝑐′, 𝑉′, 𝑃⟩ where1. 𝑐′ is the simulation corresponding to 𝑐2. 𝑣𝑖′ is the difference of simulations from 𝑐 + 𝑣𝑖 and from 𝑐

CAV 2016 29

𝑐 𝑣1

𝑣2

𝑐′𝑣1′

𝑣2′

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

Reachable Set Computation Using Simulations For Generalized Stars

Given Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩ to compute reachable set1. Simulate from 𝑐2. Simulate from 𝑐 + 𝑣𝑖 for each 𝑖

Reachable set at time 𝑡 is given by ⟨𝑐′, 𝑉′, 𝑃⟩ where1. 𝑐′ is the simulation corresponding to 𝑐2. 𝑣𝑖′ is the difference of simulations from 𝑐 + 𝑣𝑖 and from 𝑐

CAV 2016 30

𝑐 𝑣1

𝑣2

𝑐′𝑣1′

𝑣2′

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

Reach(Θ, t) ≜ ⟨𝑐′, 𝑉′, 𝑃⟩

Reachable Set Computation Using Simulations For Generalized Stars

Given Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩ to compute reachable set1. Simulate from 𝑐2. Simulate from 𝑐 + 𝑣𝑖 for each 𝑖

Reachable set at time 𝑡 is given by ⟨𝑐′, 𝑉′, 𝑃⟩ where1. 𝑐′ is the simulation corresponding to 𝑐2. 𝑣𝑖′ is the difference of simulations from 𝑐 + 𝑣𝑖 and from 𝑐

CAV 2016 31

𝑐 𝑣1

𝑣2

𝑐′𝑣1′

𝑣2′

Observation: 𝑹𝒆𝒂𝒄𝒉 preservesthe “shape” of the initial set.𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

Reach(Θ, t) ≜ ⟨𝑐′, 𝑉′, 𝑃⟩

Reachable Set Computation Using Simulations For Generalized Stars

Given Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩ to compute reachable set1. Simulate from 𝑐2. Simulate from 𝑐 + 𝑣𝑖 for each 𝑖

Reachable set at time 𝑡 is given by ⟨𝑐′, 𝑉′, 𝑃⟩ where1. 𝑐′ is the simulation corresponding to 𝑐2. 𝑣𝑖′ is the difference of simulations from 𝑐 + 𝑣𝑖 and from 𝑐

CAV 2016 32

𝑐 𝑣1

𝑣2

𝑐′𝑣1′

𝑣2′

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1 ∧ 𝛼1 + 𝛼2 ≤ 1.5

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1 ∧ 𝛼1 + 𝛼2 ≤ 1.5

Observation: 𝑹𝒆𝒂𝒄𝒉 preservesthe “shape” of the initial set.

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

Reach(Θ, t) ≜ ⟨𝑐′, 𝑉′, 𝑃⟩

Reachable Set Computation Using Simulations For Generalized Stars

Given Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩ to compute reachable set1. Simulate from 𝑐2. Simulate from 𝑐 + 𝑣𝑖 for each 𝑖

Reachable set at time 𝑡 is given by ⟨𝑐′, 𝑉′, 𝑃⟩ where1. 𝑐′ is the simulation corresponding to 𝑐2. 𝑣𝑖′ is the difference of simulations from 𝑐 + 𝑣𝑖 and from 𝑐

CAV 2016 33

𝑐 𝑣1

𝑣2

𝑐′𝑣1′

𝑣2′

𝛼1 ≤ 1 − 𝛼22

𝛼1 ≤ 1 − 𝛼22

Observation: 𝑹𝒆𝒂𝒄𝒉 preservesthe “shape” of the initial set.

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

Reach(Θ, t) ≜ ⟨𝑐′, 𝑉′, 𝑃⟩

Reachable Set Computation Using Simulations For Generalized Stars

Given Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩ to compute reachable set1. Simulate from 𝑐2. Simulate from 𝑐 + 𝑣𝑖 for each 𝑖

Reachable set at time 𝑡 is given by ⟨𝑐′, 𝑉′, 𝑃⟩ where1. 𝑐′ is the simulation corresponding to 𝑐2. 𝑣𝑖′ is the difference of simulations from 𝑐 + 𝑣𝑖 and from 𝑐

CAV 2016 34

𝑐 𝑣1

𝑣2

𝑐′𝑣1′

𝑣2′

Problem: Exact simulations requires computing 𝒆𝑨𝒕 and is not necessarily finitely representable

𝛼1 ≤ 1 − 𝛼22

𝛼1 ≤ 1 − 𝛼22

Observation: 𝑹𝒆𝒂𝒄𝒉 preservesthe “shape” of the initial set.

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

Reach(Θ, t) ≜ ⟨𝑐′, 𝑉′, 𝑃⟩

Validated Simulations

CAV 2016 35

𝜉 𝑥0, 𝑡

𝑥0

𝑣𝑎𝑙𝑆𝑖𝑚(𝑥0, 𝑡) returns sequence of regions such that 𝜉 𝑥0, 𝑡 ∈ 𝑅𝑙 when 𝑡 ∈ [𝑡𝑙 , 𝑡𝑙+1]

𝑑𝑖𝑎𝑚𝑒𝑡𝑒𝑟 𝑅𝑙 → 0 as |t𝑙+1 − 𝑡𝑙| → 0

.

Over- and Under-Approximations Using Validated Simulations

Problem – exact value of 𝑐, 𝑣1′ , and 𝑣2

′ is not known!

CAV 2016 36

𝑐 𝑣1

𝑣2

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

𝑅0

𝑅1

𝑅2

Over- and Under-Approximations Using Validated Simulations

Problem – exact value of 𝑐, 𝑣1′ , and 𝑣2

′ is not known!

CAV 2016 37

𝑐 𝑣1

𝑣2

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

𝑐′𝑣1′

𝑣2′

Over- and Under-Approximations Using Validated Simulations

Problem – exact value of 𝑐, 𝑣1′ , and 𝑣2

′ is not known!

CAV 2016 38

𝑐 𝑣1

𝑣2

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

Over- and Under-Approximations Using Validated Simulations

Problem – exact value of 𝑐, 𝑣1′ , and 𝑣2

′ is not known!

CAV 2016 39

𝑐 𝑣1

𝑣2

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

𝑐′ 𝑣1′

𝑣2′

Over- and Under-Approximations Using Validated Simulations

Problem – exact value of 𝑐, 𝑣1′ , and 𝑣2

′ is not known!

CAV 2016 40

𝑐 𝑣1

𝑣2

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

Over- and Under-Approximations Using Validated Simulations

Problem – exact value of 𝑐, 𝑣1′ , and 𝑣2

′ is not known!

CAV 2016 41

𝑐 𝑣1

𝑣2

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩

Over- and Under-Approximations Using Validated Simulations

Problem – exact value of 𝑐, 𝑣1′ , and 𝑣2

′ is not known!

CAV 2016 42

𝑐 𝑣1

𝑣2

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩Over–approximation is the

union of all such stars

Under–approximation is the intersection of all such stars

Over- and Under-Approximations Using Validated Simulations

Problem – exact value of 𝑐, 𝑣1′ , and 𝑣2

′ is not known!

CAV 2016 43

𝑐 𝑣1

𝑣2

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩Over–approximation is the

union of all such stars

Under–approximation is the intersection of all such stars

𝑂𝐴 = 𝑥 ∃𝑐, ∃𝑣1, ∃𝑣2 ∃ ത𝛼, 𝑥 = 𝑐 + 𝛼1𝑣1 + 𝛼2𝑣2}𝑈𝐴 = 𝑥 ∀𝑐, ∀𝑣1, ∀𝑣2 ∃ ത𝛼, 𝑥 = 𝑐 + 𝛼1𝑣1 + 𝛼2𝑣2}

Over- and Under-Approximations Using Validated Simulations

Problem – exact value of 𝑐, 𝑣1′ , and 𝑣2

′ is not known!

CAV 2016 44

𝑐 𝑣1

𝑣2

𝛼1 ≤ 1 ∧ 𝛼2 ≤ 1

Θ ≜ ⟨𝑐, 𝑉, 𝑃⟩Provided in paper:1. Computing overapproximation2. Checking safety violation without using QE for bounded initial sets

Experimental Results - I

Comparison with SpaceEx on Linear Systems

CAV 2016 45

Benchmark Vars. TH Sim.Time. Verif.Time. C2E2 SpaceEx Result

Insulin 8 10 0.157 s 0.049 s 0.20 s 8.07 s Safe

Inslin 8 10 0.166 s 0.034 s 0.2 s 7.89 s Unsafe

Platoon 10 25 0.337 s 0.019 s 0.356 s TO Safe

Platoon 10 25 0.323 s 0.019 s 0.342 s TO Unsafe

Tank–10 10 20 0.745 s 0.206 s 0.951 s 4.886 s Safe

Tank–10 10 20 0.721 s 0.19 s 0.911 s 4.992 s Unsafe

Tank–15 15 20 1.325 s 0.363 s 1.688 s 8.176 s Safe

Tank–18 18 20 1.705 s 0.569 s 2.274 s 10.466 s Safe

Helicopter 28 20 3.192 s 1.634 s 4.826 s 2m 1.66 s Safe

Experimental Results - II

Comparison with Flow* for Linear Time Varying Systems

CAV 2016 46

Benchmark Vars C2E2 Flow*

Tank–TV 2 0.132 s 1.56 s

Tank–TV 4 0.198 s 4.28 s

Tank–TV 6 0.287 s 9.41 s

Tank–TV 8 0.356 s 18.73 s

Tank–TV 10 0.484 s 33.67 s

LTV 5 0.24 s 7.51 s

LTV 7 0.31 s 12.09 s

LTV 9 0.4 s 18.18 s

Experimental Results - III

Verification of Non-convex and Unbounded Initial Sets

CAV 2016 47

Benchmark Dim. TH. Init. Set. Res. Time

ACC 3 2 Non–Convex Safe 2.185

ACC 3 2 Unbounded Safe 1.774

ACC 3 2 Non–Convex Unsafe 1.11

ACC 3 2 Unbounded Unsafe 1.01

Tank 5 1 Non–Convex Safe 2.717

Tank 5 1 Unbounded Safe 2.145

Tank 5 1 Non–Convex Unsafe 1.722

Tank 5 1 Unbounded Unsafe 1.519

Conclusions

New simulation based verification for linear systems

1. For 𝑛–dimensional system, 𝑛 + 1 simulations suffice.2. Works for both time invariant and time variant systems.3. Works for non-convex and unbounded systems4. Can compute over- and under-approximation.5. Reuse the simulations for different initial sets.

CAV 2016 48

Thank You