Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Trends in Formal Analysis and Synthesis ofTime-Delayed Systems
Indecision and Delay Are the Parents of Failure— Towards a theory of networked hybrid systems —
Naijun Zhan
State Key Laboratory of Computer Science, Institute of Software, CAS, Beijing, China
Real-Time Scheduling Open Problems Seminar 2019, Paris, July 24, 2019
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 1 / 25
Hybrid Systems
Plant
ControlAnalogswitch
Continuouscontrollers
D/A
Discretesupervisor
A/D
Plant
observablestate
environmentalinfluence
disturbances ("noise")
control
selection
setpoints
active control law
setpointspart ofobservablestate
task selection
Loads ofcontinuouscomputations
interleavedwith discretedecisions
Plant
ControlAnalogswitch
Continuouscontrollers
D/A
Discretesupervisor
A/D
Plant
observablestate
environmentalinfluence
disturbances ("noise")
control
selection
setpoints
active control law
setpointspart ofobservablestate
task selection
Crucial question:• How do the controller and the plant interact?
Traditional answer:• Coupling assumed to be (or at least modeled as) delay-free.⇒ Mode dynamics is covered by the conjunction of the individual ODEs.⇒ Switching btw. modes is an immediate reaction to environmental conditions.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 2 / 25
Hybrid Systems
Loads ofcontinuouscomputations
interleavedwith discretedecisions
Plant
ControlAnalogswitch
Continuouscontrollers
D/A
Discretesupervisor
A/D
Plant
observablestate
environmentalinfluence
disturbances ("noise")
control
selection
setpoints
active control law
setpointspart ofobservablestate
task selection
Loads ofcontinuouscomputations
interleavedwith discretedecisions
Plant
ControlAnalogswitch
Continuouscontrollers
D/A
Discretesupervisor
A/D
Plant
observablestate
environmentalinfluence
disturbances ("noise")
control
selection
setpoints
active control law
setpointspart ofobservablestate
task selection
Crucial question:• How do the controller and the plant interact?
Traditional answer:• Coupling assumed to be (or at least modeled as) delay-free.⇒ Mode dynamics is covered by the conjunction of the individual ODEs.⇒ Switching btw. modes is an immediate reaction to environmental conditions.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 2 / 25
Hybrid Systems
Loads ofcontinuouscomputations
interleavedwith discretedecisions
Plant
ControlAnalogswitch
Continuouscontrollers
D/A
Discretesupervisor
A/D
Plant
observablestate
environmentalinfluence
disturbances ("noise")
control
selection
setpoints
active control law
setpointspart ofobservablestate
task selection
Crucial question:• How do the controller and the plant interact?
Traditional answer:• Coupling assumed to be (or at least modeled as) delay-free.⇒ Mode dynamics is covered by the conjunction of the individual ODEs.⇒ Switching btw. modes is an immediate reaction to environmental conditions.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 2 / 25
Is Instantaneous Coupling Realistic?Digital control needs A/D and D/A conversion,which induces latency in signal forwarding.
Digital signal processing, especially in complexsensors like CV, needs processing time, addingsignal delays.
Networked control introduces communicationlatency into the feedback control loop.
Harvesting, fusing, and forwarding datathrough sensor networks enlarge the latter byorders of magnitude.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 3 / 25
Is Instantaneous Coupling Realistic? No.Digital control needs A/D and D/A conversion,which induces latency in signal forwarding.
Digital signal processing, especially in complexsensors like CV, needs processing time, addingsignal delays.
Networked control introduces communicationlatency into the feedback control loop.
Harvesting, fusing, and forwarding datathrough sensor networks enlarge the latter byorders of magnitude.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 3 / 25
Do Delays Have Observable Effect?ddtx(t) = −x(t)x(0) = 1
0 5 10 15−0.5
0
0.5
1
t
x
ddtx(t) = −x(t−1)x([−1, 0]) ≡ 1
0 5 10 15−0.5
0
0.5
1
t
x
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 4 / 25
Do Delays Have Observable Effect? Yes, they have.ddtx(t) = −x(t)x(0) = 1
0 5 10 15−0.5
0
0.5
1
t
x
ddtx(t) = −x(t−1)x([−1, 0]) ≡ 1
0 5 10 15−0.5
0
0.5
1
t
x
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 4 / 25
May the Effects be Harmful?• Delayed logistic equation [G. Hutchinson, 1948]:
d
dtN(t) = N(t)[1−N(t− r)]
0 50 1000
0.2
0.4
0.6
0.8
1
1.2
1.4
1.6
1.8
2r=0.25
t
N
0 50 1000
0.2
0.4
0.6
0.8
1
1.2
1.4
1.6
1.8
2r=1.52
t
N
0 50 1000
0.2
0.4
0.6
0.8
1
1.2
1.4
1.6
1.8
2r=1.65
t
N
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 5 / 25
May the Effects be Harmful? Yes, delays may well annihilate
control performance.
• Delayed logistic equation [G. Hutchinson, 1948]:d
dtN(t) = N(t)[1−N(t− r)]
0 50 1000
0.2
0.4
0.6
0.8
1
1.2
1.4
1.6
1.8
2r=0.25
t
N
0 50 1000
0.2
0.4
0.6
0.8
1
1.2
1.4
1.6
1.8
2r=1.52
t
N
0 50 1000
0.2
0.4
0.6
0.8
1
1.2
1.4
1.6
1.8
2r=1.65
t
N
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 5 / 25
Consequences• Delays in feedback control loops are ubiquitous.• They may well invalidate the safety/stability/. . . certificates obtained
by verifying delay-free abstractions of the feedback control system.Automatic verification/synthesis methods addressing feedbackdelays in hybrid systems should therefore abound!
Surprisingly, they don’t:1 S. Prajna, A. Jadbabaie: Meth. f. safety verification of time-delay syst. (CDC’05)2 L. Zou, M. Fränzle, ZNJ, P.N. Mosaad: Autom. verific. of stabil. and safety (CAV ’15)3 H. Trinh, P.T. Nam, P.N. Pathirana, H.P. Le: On bwd.s and fwd.s reachable sets
bounding for perturbed time-delay systems. (Appl. Math. & Comput. 269, ’15)4 Z. Huang, C. Fan, S. Mitra: Bounded invariant verification for time-delayed nonlinear
networked dynamical systems (NAHS ’16)5 P.N. Mosaad, M. Fränzle, B. Xue: Temporal logic verification for DDE (ICTAC ’16)6 M. Chen, M. Fränzle, Y. Li, P.N. Mosaad, ZNJ: Validat. simul.-based verific. (FM ’16)7 B. Xue, P. Mosaad, M. Fränzle, M. Chen, Y. Li and ZNJ: Safe over- and
under-approximation of reachable sets for delay differential equations (FORMATS ’17)8 E. Goubault, S. Putot, and L. Sahlmann: Inner and outer approximating flowpipes for
delay differential equations (CAV ’18)9 M. Chen, M. Fränzle, Y. Li, P. Mosad and ZNJ: What’s to come is still unsure:
Synthesizing synthesizers resilient to delayed reaction (ATVA ’18)10 S. Feng, M. Chen, ZNJ et al.: Taming delays in dynamical systems: Unbounded
verification of DDEs (CAV ’19)
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 6 / 25
Consequences• Delays in feedback control loops are ubiquitous.• They may well invalidate the safety/stability/. . . certificates obtained
by verifying delay-free abstractions of the feedback control system.Automatic verification/synthesis methods addressing feedbackdelays in hybrid systems should therefore abound!
Surprisingly, they don’t:1 S. Prajna, A. Jadbabaie: Meth. f. safety verification of time-delay syst. (CDC’05)2 L. Zou, M. Fränzle, ZNJ, P.N. Mosaad: Autom. verific. of stabil. and safety (CAV ’15)3 H. Trinh, P.T. Nam, P.N. Pathirana, H.P. Le: On bwd.s and fwd.s reachable sets
bounding for perturbed time-delay systems. (Appl. Math. & Comput. 269, ’15)4 Z. Huang, C. Fan, S. Mitra: Bounded invariant verification for time-delayed nonlinear
networked dynamical systems (NAHS ’16)5 P.N. Mosaad, M. Fränzle, B. Xue: Temporal logic verification for DDE (ICTAC ’16)6 M. Chen, M. Fränzle, Y. Li, P.N. Mosaad, ZNJ: Validat. simul.-based verific. (FM ’16)7 B. Xue, P. Mosaad, M. Fränzle, M. Chen, Y. Li and ZNJ: Safe over- and
under-approximation of reachable sets for delay differential equations (FORMATS ’17)8 E. Goubault, S. Putot, and L. Sahlmann: Inner and outer approximating flowpipes for
delay differential equations (CAV ’18)9 M. Chen, M. Fränzle, Y. Li, P. Mosad and ZNJ: What’s to come is still unsure:
Synthesizing synthesizers resilient to delayed reaction (ATVA ’18)10 S. Feng, M. Chen, ZNJ et al.: Taming delays in dynamical systems: Unbounded
verification of DDEs (CAV ’19)RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 6 / 25
The Agenda
1 Controller synthesis for time-delayed systems• Controller synthesis by reduction to playing safety games in the setting
of discrete time• Trends and challenges in controller synthesis for more complicated
time-delayed systems
2 Stability analysis and verification of delay differential equations• Bounded reachability analysis• Unbounded verification• Trends and challenges in analysis and verification of more complicated
time-delayed systems3 Other potential directions
• Weakly hard scheduling• · · ·
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 7 / 25
Discrete Safety Games
Staying safe and reaching an objectivewhen observation & actuation is confined by delays
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 8 / 25
A Trivial Safety GameA Trivial Safety Game
a
b u
u
u
b
a
a
b
u
u
v
v
e3
a3
a4
e2
a
a1
e1
2
a5
Goal: Avoid a5 by appropriateactions of player e.
Strategy: May always play "a"except in e3:
e1, e2 7→ ae3 7→ b
PKU MAVeLoS Workshop, Beijing, Oct. 8, 2017 · Martin Fränzle: Indecision and Delay · 13 / 39
Goal: Avoid a5 by appropriateactions of player e.
Strategy: May always play "a" exceptin e3:
e1, e2 7→ ae3 7→ b
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 9 / 25
A Trivial Safety GameA Trivial Safety Game
a
b u
u
u
b
a
a
b
u
u
v
v
e3
a3
a4
e2
a
a1
e1
2
a5
Goal: Avoid a5 by appropriateactions of player e.
Strategy: May always play "a"except in e3:
e1, e2 7→ ae3 7→ b
PKU MAVeLoS Workshop, Beijing, Oct. 8, 2017 · Martin Fränzle: Indecision and Delay · 13 / 39
Goal: Avoid a5 by appropriateactions of player e.
Strategy: May always play "a" exceptin e3:
e1, e2 7→ ae3 7→ b
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 9 / 25
Playing Safety Game Subject to Discrete DelayPlaying Subject to Discrete Delay
Shift registersGame state AdversaryEgo player
Observation: It doesn’t make an observable difference for the joint dynamicswhether delay occurs in perception, actuation, or both.
Consequence: There is an1 obvious reduction to a safety game of perfectinformation.
1
In fact, two different ones: To mimic opacity of the shift registers, delay has to bemoved to actuation/sensing for ego/adversary, resp. The two thus play different games!
PKU MAVeLoS Workshop, Beijing, Oct. 8, 2017 · Martin Fränzle: Indecision and Delay · 14 / 39
Observation: It doesn’t make an observable difference for the jointdynamics whether delay occurs in perception, actuation, or both.
Consequence: There is an1obvious reduction to a safety game of perfectinformation.
1In fact, two different ones: To mimic opacity of the shift registers, delay has to bemoved to actuation/sensing for ego/adversary, resp. The two thus play different games!
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 10 / 25
Playing Safety Game Subject to Discrete DelayPlaying Subject to Discrete Delay
Shift registersGame state AdversaryEgo player
Observation: It doesn’t make an observable difference for the joint dynamicswhether delay occurs in perception, actuation, or both.
Consequence: There is an1 obvious reduction to a safety game of perfectinformation.
1
In fact, two different ones: To mimic opacity of the shift registers, delay has to bemoved to actuation/sensing for ego/adversary, resp. The two thus play different games!
PKU MAVeLoS Workshop, Beijing, Oct. 8, 2017 · Martin Fränzle: Indecision and Delay · 14 / 39
Observation: It doesn’t make an observable difference for the jointdynamics whether delay occurs in perception, actuation, or both.
Consequence: There is an1obvious reduction to a safety game of perfectinformation.
1In fact, two different ones: To mimic opacity of the shift registers, delay has to bemoved to actuation/sensing for ego/adversary, resp. The two thus play different games!
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 10 / 25
Reduction to Delay-Free Gamesfrom Ego-Player Perspective
The Reductionfrom Ego-Player Perspective
Egoinput Σ
Shift register
Σ / Ego inp. Adv. inp.
Safe / unsafe
Gam
e g
raph
Σ
Safety games w. delay can be solved algorithmically.
Game graph incurs blow-up by factor |Alphabet(ego)|delay.
PKU MAVeLoS Workshop, Beijing, Oct. 8, 2017 · Martin Fränzle: Indecision and Delay · 15 / 39
Safety games w. delay can be solved algorithmically ([M. Zimmermann.LICS’18, GandALF’17], [F. Klein & M. Zimmermann. ICALP’15, CSL’15]).Game graph incurs blow-up by factor |Alphabet(ego)|delay.A more efficient algorithm is presented in [Chen et al., ATVA’18](distinguished paper awards)
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 11 / 25
Reduction to Delay-Free Gamesfrom Ego-Player Perspective
The Reductionfrom Ego-Player Perspective
Egoinput Σ
Shift register
Σ / Ego inp. Adv. inp.
Safe / unsafe
Gam
e g
raph
Σ
Safety games w. delay can be solved algorithmically.
Game graph incurs blow-up by factor |Alphabet(ego)|delay.
PKU MAVeLoS Workshop, Beijing, Oct. 8, 2017 · Martin Fränzle: Indecision and Delay · 15 / 39
Safety games w. delay can be solved algorithmically ([M. Zimmermann.LICS’18, GandALF’17], [F. Klein & M. Zimmermann. ICALP’15, CSL’15]).Game graph incurs blow-up by factor |Alphabet(ego)|delay.A more efficient algorithm is presented in [Chen et al., ATVA’18](distinguished paper awards)
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 11 / 25
Towards Incremental Synthesis of Delay-TolerantStrategiesObservation: A winning strategy for delay k′ > k can always be utilized
for a safe win under delay k.Consequence: That a position is winning for delay k is a necessary
condition for it being winning under delay k′ > k.
Idea: Incrementally filter out loss states &incrementally synthesize winning strategy for the remaining:
1 Synthesize winning strategy for underlying delay-free safetygame.
2 For each winning state, lift strategy from delay k to k + 1.3 Remove states where this does not succeed.4 Repeat from 2 until either delay-resilience suffices or initial
state turns lossy.
M. Chen, M. Fraenzle, Y. Li, P. Mosad and N. Zhan: Whats to come is stillunsure: Synthesizing synthesizers resilient to delayed reaction. ATVA ’18.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 12 / 25
Towards Incremental Synthesis of Delay-TolerantStrategiesObservation: A winning strategy for delay k′ > k can always be utilized
for a safe win under delay k.Consequence: That a position is winning for delay k is a necessary
condition for it being winning under delay k′ > k.
Idea: Incrementally filter out loss states &incrementally synthesize winning strategy for the remaining:
1 Synthesize winning strategy for underlying delay-free safetygame.
2 For each winning state, lift strategy from delay k to k + 1.3 Remove states where this does not succeed.4 Repeat from 2 until either delay-resilience suffices or initial
state turns lossy.
M. Chen, M. Fraenzle, Y. Li, P. Mosad and N. Zhan: Whats to come is stillunsure: Synthesizing synthesizers resilient to delayed reaction. ATVA ’18.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 12 / 25
Arriving Out of Order (Acta Informatica 2019)
Observations may arrive out-of-order:Maximum delay 5
Out of order!
60
57
65
62
59
56
61
58
62
61
63
60
64
59Sample #
t
But this may only reduce effective delay, improving controllability:
More recent
state information
available earlier
Effective
delay 2
Maximum delay 5
Factual delay 3
61
58
60
57
65
62
64
59
62
61
63
60Sample #
t !
W.r.t. qualitative controllability, the worst-case of out-of-order delivery isequivalent to order-preserving delay k.Stochastically expected controllability even better than for strict delay k.
M. Chen, M. Fraenzle, Y. Li, P. Mosad and N. Zhan: In decision and delays arethe parents of failure – Taming them algorithmically by synthesizing delay-resilientcontrol. Acta Informatica, 2019.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 13 / 25
Arriving Out of Order (Acta Informatica 2019)
Observations may arrive out-of-order:Maximum delay 5
Out of order!
60
57
65
62
59
56
61
58
62
61
63
60
64
59Sample #
t
But this may only reduce effective delay, improving controllability:
More recent
state information
available earlier
Effective
delay 2
Maximum delay 5
Factual delay 3
61
58
60
57
65
62
64
59
62
61
63
60Sample #
t !
W.r.t. qualitative controllability, the worst-case of out-of-order delivery isequivalent to order-preserving delay k.Stochastically expected controllability even better than for strict delay k.
M. Chen, M. Fraenzle, Y. Li, P. Mosad and N. Zhan: In decision and delays arethe parents of failure – Taming them algorithmically by synthesizing delay-resilientcontrol. Acta Informatica, 2019.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 13 / 25
Arriving Out of Order (Acta Informatica 2019)
Observations may arrive out-of-order:Maximum delay 5
Out of order!
60
57
65
62
59
56
61
58
62
61
63
60
64
59Sample #
t
But this may only reduce effective delay, improving controllability:
More recent
state information
available earlier
Effective
delay 2
Maximum delay 5
Factual delay 3
61
58
60
57
65
62
64
59
62
61
63
60Sample #
t !
W.r.t. qualitative controllability, the worst-case of out-of-order delivery isequivalent to order-preserving delay k.Stochastically expected controllability even better than for strict delay k.
M. Chen, M. Fraenzle, Y. Li, P. Mosad and N. Zhan: In decision and delays arethe parents of failure – Taming them algorithmically by synthesizing delay-resilientcontrol. Acta Informatica, 2019.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 13 / 25
Future Directions
• Integrate stochastic models of message delays into safety synthesisprocesses
• Distributions on delays can be modeled• and leveraged in synthesis against quantitative safety targets.
• Let synthesis constructively leverage the advantages of (partial)control on out-of-order delivery
• Many network technologies permit influence on message delay (QoSfeatures, differentiated message classes like emergency messages, . . . )
• These do not strictly control, yet have significant impact on messagedelivery sequence.
• Could thus be exploited in control synthesis.
• Model delays by delay differential equations, and synthesizecontrollers for delay hybrid systems
• Multiple players, non-zero sum game, e.g., unmanned vehicle
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 14 / 25
Future Directions
• Integrate stochastic models of message delays into safety synthesisprocesses
• Distributions on delays can be modeled• and leveraged in synthesis against quantitative safety targets.
• Let synthesis constructively leverage the advantages of (partial)control on out-of-order delivery
• Many network technologies permit influence on message delay (QoSfeatures, differentiated message classes like emergency messages, . . . )
• These do not strictly control, yet have significant impact on messagedelivery sequence.
• Could thus be exploited in control synthesis.
• Model delays by delay differential equations, and synthesizecontrollers for delay hybrid systems
• Multiple players, non-zero sum game, e.g., unmanned vehicle
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 14 / 25
Future Directions
• Integrate stochastic models of message delays into safety synthesisprocesses
• Distributions on delays can be modeled• and leveraged in synthesis against quantitative safety targets.
• Let synthesis constructively leverage the advantages of (partial)control on out-of-order delivery
• Many network technologies permit influence on message delay (QoSfeatures, differentiated message classes like emergency messages, . . . )
• These do not strictly control, yet have significant impact on messagedelivery sequence.
• Could thus be exploited in control synthesis.
• Model delays by delay differential equations, and synthesizecontrollers for delay hybrid systems
• Multiple players, non-zero sum game, e.g., unmanned vehicle
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 14 / 25
Future Directions
• Integrate stochastic models of message delays into safety synthesisprocesses
• Distributions on delays can be modeled• and leveraged in synthesis against quantitative safety targets.
• Let synthesis constructively leverage the advantages of (partial)control on out-of-order delivery
• Many network technologies permit influence on message delay (QoSfeatures, differentiated message classes like emergency messages, . . . )
• These do not strictly control, yet have significant impact on messagedelivery sequence.
• Could thus be exploited in control synthesis.
• Model delays by delay differential equations, and synthesizecontrollers for delay hybrid systems
• Multiple players, non-zero sum game, e.g., unmanned vehicle
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 14 / 25
Solving Delay Differential Equations (DDE)
A formal model of delayed feedback control
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 15 / 25
DDE — The HistoryHistorical motivation (predating digital control):
“Despite [...] very satisfactory state of affairs as far as [ordinary]differential equations are concerned, we are nevertheless forced to turnto the study of more complex equations. Detailed studies of the realworld impel us, albeit reluctantly, to take account of the fact that therate of change of physical systems depends not only on their presentstate, but also on their past history.”
[Richard Bellman and Kenneth L. Cooke, 1963]
Mathematical form:d
dtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn)), with δn > . . . > δ1 > 0,
Simplest instance (which we will mostly concentrate on in the remainder):
d
dtx(t) = f(x(t− δ))
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 16 / 25
DDE — The HistoryHistorical motivation (predating digital control):
“Despite [...] very satisfactory state of affairs as far as [ordinary]differential equations are concerned, we are nevertheless forced to turnto the study of more complex equations. Detailed studies of the realworld impel us, albeit reluctantly, to take account of the fact that therate of change of physical systems depends not only on their presentstate, but also on their past history.”
[Richard Bellman and Kenneth L. Cooke, 1963]
Mathematical form:d
dtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn)), with δn > . . . > δ1 > 0,
Simplest instance (which we will mostly concentrate on in the remainder):
d
dtx(t) = f(x(t− δ))
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 16 / 25
DDE — The HistoryHistorical motivation (predating digital control):
“Despite [...] very satisfactory state of affairs as far as [ordinary]differential equations are concerned, we are nevertheless forced to turnto the study of more complex equations. Detailed studies of the realworld impel us, albeit reluctantly, to take account of the fact that therate of change of physical systems depends not only on their presentstate, but also on their past history.”
[Richard Bellman and Kenneth L. Cooke, 1963]
Mathematical form:d
dtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn)), with δn > . . . > δ1 > 0,
Simplest instance (which we will mostly concentrate on in the remainder):
d
dtx(t) = f(x(t− δ))
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 16 / 25
DDE — Why They are Hard(er)x = f0
ddtx = −f0
d3
dtx = −f0
d2
dtx = f0
d10
dtx = f0
ddtx(t) = −x(t− 1)
DDE constitute a model of system dy-namics beyond “state snapshots”:• They feature “functional state”
instead of state in the Rn.• Thus providing rather infallible,
infinite-dimensional memory ofthe past.
N.B.: More complex transformations may beapplied to the initial segment f0 according tothe DDE’s right-hand side. f0 will neverthe-less hardly ever vanish from the state space.
Try only if
to you!infinite state no longer is scary enough
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 17 / 25
DDE — Why They are Hard(er)x = f0
ddtx = −f0
d3
dtx = −f0
d2
dtx = f0
d10
dtx = f0
ddtx(t) = −x(t− 1)
DDE constitute a model of system dy-namics beyond “state snapshots”:• They feature “functional state”
instead of state in the Rn.• Thus providing rather infallible,
infinite-dimensional memory ofthe past.
N.B.: More complex transformations may beapplied to the initial segment f0 according tothe DDE’s right-hand side. f0 will neverthe-less hardly ever vanish from the state space.
Try only if
to you!infinite state no longer is scary enough
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 17 / 25
Formal Verification for DDE: An OverviewBounded-time verification:• Verification goal: given a time-bound τ show that the solutions to the
DDE on time interval [0, τ ] satisfy a given invariance property.
• Means:1 Simulation-based verification:
• do numerical simulation on a (sufficiently dense) sample of initialstates,
• add (pessimistic) error analysis and sensitivity analysis,• “bloat” the resulting trajectories accordingly.• See [Z. Huang, C. Fan, S. Mitra, NAHS 2016];
[M. Chen, M. Fränzle, Y. Li, P. Mosaad, ZNJ, FM’16].
2 Reachability analysis + homeomorphism:• over- and under-approximate reachable sets symbolically,• compute the largest time-delay term such that any delay smaller than
the bound, the reachable set computation for the next step can bereduced to compute the boundaries of the over- and under-approximatereachable sets of previous segment by exploiting homeomorphism.
• See ([B. Xue, M. Fränzle, ZNJ, FORMATS ’17 ])([B. Xue, ZNJ, Q. Wang, S. Feng, IEEE TAC 2019 ])
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 18 / 25
Formal Verification for DDE: An OverviewBounded-time verification:• Verification goal: given a time-bound τ show that the solutions to the
DDE on time interval [0, τ ] satisfy a given invariance property.• Means:
1 Simulation-based verification:• do numerical simulation on a (sufficiently dense) sample of initial
states,• add (pessimistic) error analysis and sensitivity analysis,• “bloat” the resulting trajectories accordingly.• See [Z. Huang, C. Fan, S. Mitra, NAHS 2016];
[M. Chen, M. Fränzle, Y. Li, P. Mosaad, ZNJ, FM’16].
x
y
t
2 Reachability analysis + homeomorphism:• over- and under-approximate reachable sets symbolically,• compute the largest time-delay term such that any delay smaller than
the bound, the reachable set computation for the next step can bereduced to compute the boundaries of the over- and under-approximatereachable sets of previous segment by exploiting homeomorphism.
• See ([B. Xue, M. Fränzle, ZNJ, FORMATS ’17 ])([B. Xue, ZNJ, Q. Wang, S. Feng, IEEE TAC 2019 ])
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 18 / 25
Formal Verification for DDE: An OverviewBounded-time verification:• Verification goal: given a time-bound τ show that the solutions to the
DDE on time interval [0, τ ] satisfy a given invariance property.• Means:
1 Simulation-based verification:• do numerical simulation on a (sufficiently dense) sample of initial
states,• add (pessimistic) error analysis and sensitivity analysis,• “bloat” the resulting trajectories accordingly.• See [Z. Huang, C. Fan, S. Mitra, NAHS 2016];
[M. Chen, M. Fränzle, Y. Li, P. Mosaad, ZNJ, FM’16].
x
y
t
2 Reachability analysis + homeomorphism:• over- and under-approximate reachable sets symbolically,• compute the largest time-delay term such that any delay smaller than
the bound, the reachable set computation for the next step can bereduced to compute the boundaries of the over- and under-approximatereachable sets of previous segment by exploiting homeomorphism.
• See ([B. Xue, M. Fränzle, ZNJ, FORMATS ’17 ])([B. Xue, ZNJ, Q. Wang, S. Feng, IEEE TAC 2019 ])
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 18 / 25
Formal Verification for DDE: An OverviewBounded-time verification:• Verification goal: given a time-bound τ show that the solutions to the
DDE on time interval [0, τ ] satisfy a given invariance property.• Means:
1 Simulation-based verification:• do numerical simulation on a (sufficiently dense) sample of initial
states,• add (pessimistic) error analysis and sensitivity analysis,• “bloat” the resulting trajectories accordingly.• See [Z. Huang, C. Fan, S. Mitra, NAHS 2016];
[M. Chen, M. Fränzle, Y. Li, P. Mosaad, ZNJ, FM’16].
x
y
t
2 Reachability analysis + homeomorphism:• over- and under-approximate reachable sets symbolically,• compute the largest time-delay term such that any delay smaller than
the bound, the reachable set computation for the next step can bereduced to compute the boundaries of the over- and under-approximatereachable sets of previous segment by exploiting homeomorphism.
• See ([B. Xue, M. Fränzle, ZNJ, FORMATS ’17 ])([B. Xue, ZNJ, Q. Wang, S. Feng, IEEE TAC 2019 ])
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 18 / 25
Formal Verification for DDE: An OverviewBounded-time verification:• Verification goal: given a time-bound τ show that the solutions to the
DDE on time interval [0, τ ] satisfy a given invariance property.• Means:
1 Simulation-based verification:• do numerical simulation on a (sufficiently dense) sample of initial
states,• add (pessimistic) error analysis and sensitivity analysis,• “bloat” the resulting trajectories accordingly.• See [Z. Huang, C. Fan, S. Mitra, NAHS 2016];
[M. Chen, M. Fränzle, Y. Li, P. Mosaad, ZNJ, FM’16].
2 Reachability analysis + homeomorphism:• over- and under-approximate reachable sets symbolically,• compute the largest time-delay term such that any delay smaller than
the bound, the reachable set computation for the next step can bereduced to compute the boundaries of the over- and under-approximatereachable sets of previous segment by exploiting homeomorphism.
• See ([B. Xue, M. Fränzle, ZNJ, FORMATS ’17 ])([B. Xue, ZNJ, Q. Wang, S. Feng, IEEE TAC 2019 ])
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 18 / 25
Formal Verification for DDE: An Overview (cont’d)Unbounded verification:• Verification goal: show that the solutions to the DDE satisfy a given
invariance property (the trajectory could be infinite).
• Means:1 interval Taylor model + stability analysis (only for simplest DDEs):
• predefine a parametric interval polynomial containing all possiblesolutions of the DDE on the given segment,
• derive an operator between the paramenters of the solution on theprevious segment and the ones on the next segment, forming atime-invariant discrete dynamical system
• exploting the stability analysis of the resulted time-invariant dynamicalsystem, reduce the safety verification and stability analysis to boundedcases.
• See ([L. Zou, P. Mosaad, M. Fränzle, X. Bai, ZNJ, CAV ’15]).2 Liearization + spectral analysis (for general DDEs):
• linearise a non-linear DDE,• exploiting spectral analysis, obtain the stability of the linear part,• reduce unbounded verification and analysis to bounded case.• See ([S. Feng, M. Chen, ZNJ, M. Fränzle, X. Bai, CAV ’19]).
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 19 / 25
Formal Verification for DDE: An Overview (cont’d)Unbounded verification:• Verification goal: show that the solutions to the DDE satisfy a given
invariance property (the trajectory could be infinite).• Means:
1 interval Taylor model + stability analysis (only for simplest DDEs):• predefine a parametric interval polynomial containing all possible
solutions of the DDE on the given segment,• derive an operator between the paramenters of the solution on the
previous segment and the ones on the next segment, forming atime-invariant discrete dynamical system
• exploting the stability analysis of the resulted time-invariant dynamicalsystem, reduce the safety verification and stability analysis to boundedcases.
• See ([L. Zou, P. Mosaad, M. Fränzle, X. Bai, ZNJ, CAV ’15]).
2 Liearization + spectral analysis (for general DDEs):• linearise a non-linear DDE,• exploiting spectral analysis, obtain the stability of the linear part,• reduce unbounded verification and analysis to bounded case.• See ([S. Feng, M. Chen, ZNJ, M. Fränzle, X. Bai, CAV ’19]).
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 19 / 25
Formal Verification for DDE: An Overview (cont’d)Unbounded verification:• Verification goal: show that the solutions to the DDE satisfy a given
invariance property (the trajectory could be infinite).• Means:
1 interval Taylor model + stability analysis (only for simplest DDEs):• predefine a parametric interval polynomial containing all possible
solutions of the DDE on the given segment,• derive an operator between the paramenters of the solution on the
previous segment and the ones on the next segment, forming atime-invariant discrete dynamical system
• exploting the stability analysis of the resulted time-invariant dynamicalsystem, reduce the safety verification and stability analysis to boundedcases.
• See ([L. Zou, P. Mosaad, M. Fränzle, X. Bai, ZNJ, CAV ’15]).2 Liearization + spectral analysis (for general DDEs):
• linearise a non-linear DDE,• exploiting spectral analysis, obtain the stability of the linear part,• reduce unbounded verification and analysis to bounded case.• See ([S. Feng, M. Chen, ZNJ, M. Fränzle, X. Bai, CAV ’19]).
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 19 / 25
Unbounded Analysis for ddtx(t) = f(x(t− δ))
Main Ingredients
1 Generate the Taylor series for the segment x |[nδ,(n+1)δ] by integratingf(x) |[(n−1)δ,nδ].
Degree of Taylor series grows indefinitely (and rapidly so i.g.).Computationally intractable.Lacking means for analysing unbounded behaviour.
2 Overapproximate segments by interval Taylor series of fixed degreeTractable (if degree low enough).Thus permits bounded model checking.Still no immediate means for unbounded analysis.
3 Extract operator computing next ITS from current one;analyse its properties
Unbounded safety and stability analysis become feasible.
L. Zou, M. Fraenzle, N. Zhan and P. Mosaad: Automatic stability and safetyverification for delay differential equations. CAV ’15.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 20 / 25
Unbounded Analysis for ddtx(t) = f(x(t− δ))
Main Ingredients
1 Generate the Taylor series for the segment x |[nδ,(n+1)δ] by integratingf(x) |[(n−1)δ,nδ].
Degree of Taylor series grows indefinitely (and rapidly so i.g.).Computationally intractable.Lacking means for analysing unbounded behaviour.
2 Overapproximate segments by interval Taylor series of fixed degreeTractable (if degree low enough).Thus permits bounded model checking.Still no immediate means for unbounded analysis.
3 Extract operator computing next ITS from current one;analyse its properties
Unbounded safety and stability analysis become feasible.
L. Zou, M. Fraenzle, N. Zhan and P. Mosaad: Automatic stability and safetyverification for delay differential equations. CAV ’15.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 20 / 25
Unbounded Analysis for ddtx(t) = f(x(t− δ))
Main Ingredients
1 Generate the Taylor series for the segment x |[nδ,(n+1)δ] by integratingf(x) |[(n−1)δ,nδ].
Degree of Taylor series grows indefinitely (and rapidly so i.g.).Computationally intractable.Lacking means for analysing unbounded behaviour.
2 Overapproximate segments by interval Taylor series of fixed degreeTractable (if degree low enough).Thus permits bounded model checking.Still no immediate means for unbounded analysis.
3 Extract operator computing next ITS from current one;analyse its properties
Unbounded safety and stability analysis become feasible.
L. Zou, M. Fraenzle, N. Zhan and P. Mosaad: Automatic stability and safetyverification for delay differential equations. CAV ’15.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 20 / 25
Unb. Ana. for ddtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn))
Stability of Linear Dynamics by Spectral Analysis
For linear DDEs:
d
dtx (t) = Ax (t) +Bx (t− r)
The characteristic equation:
det (λI −A−) = 0
Globally exponentially stable if ∀λ : R(λ) < 0, i.e.,
∃K > 0. ∃α < 0: ‖ξϕ(t)‖ ≤ K ‖ϕ‖ eαt, ∀t ≥ 0, ∀ϕ ∈ Cr
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 21 / 25
Unb. Ana. for ddtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn))
Stability of Linear Dynamics by Spectral Analysis
For linear DDEs:
d
dtx (t) = Ax (t) +Bx (t− r)
The characteristic equation:
det(λI −A−Be−rλ
)= 0
Globally exponentially stable if ∀λ : R(λ) < 0, i.e.,
∃K > 0. ∃α < 0: ‖ξϕ(t)‖ ≤ K ‖ϕ‖ eαt, ∀t ≥ 0, ∀ϕ ∈ Cr
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 21 / 25
Unb. Ana. for ddtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn))
Stability of Linear Dynamics by Spectral Analysis
For linear DDEs:
d
dtx (t) = Ax (t) +Bx (t− r)
The characteristic equation:
det(λI −A−Be−rλ
)= 0
Globally exponentially stable if ∀λ : R(λ) < 0, i.e.,
∃K > 0. ∃α < 0: ‖ξϕ(t)‖ ≤ K ‖ϕ‖ eαt, ∀t ≥ 0, ∀ϕ ∈ Cr
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 21 / 25
Unb. Ana. for ddtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn))
Stability of Linear Dynamics by Spectral Analysis
For linear DDEs:
d
dtx (t) = Ax (t) +Bx (t− r)
The characteristic equation:
det(λI −A−Be−rλ
)= 0
-5 -4 -3 -2 -1 0
-150
-100
-50
0
50
100
150
R(λ)
I(λ
)
Globally exponentially stable if ∀λ : R(λ) < 0, i.e.,
∃K > 0. ∃α < 0: ‖ξϕ(t)‖ ≤ K ‖ϕ‖ eαt, ∀t ≥ 0, ∀ϕ ∈ Cr
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 21 / 25
Unb. Ana. for ddtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn))
Stability of Linear Dynamics by Spectral Analysis
For linear DDEs:
d
dtx (t) = Ax (t) +Bx (t− r)
The characteristic equation:
det(λI −A−Be−rλ
)= 0
-5 -4 -3 -2 -1 0α-150
-100
-50
0
50
100
150
R(λ)
I(λ
)
Globally exponentially stable if ∀λ : R(λ) < 0, i.e.,
∃K > 0. ∃α < 0: ‖ξϕ(t)‖ ≤ K ‖ϕ‖ eαt, ∀t ≥ 0, ∀ϕ ∈ Cr
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 21 / 25
Unb. Ana. for ddtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn))
Stability of Linear Dynamics by Spectral Analysis
For linear DDEs:
d
dtx (t) = Ax (t) +Bx (t− r)
The characteristic equation:
det(λI −A−Be−rλ
)= 0
-5 -4 -3 -2 -1 0α-150
-100
-50
0
50
100
150
R(λ)
I(λ
)
Globally exponentially stable if ∀λ : R(λ) < 0, i.e.,
∃K > 0. ∃α < 0: ‖ξϕ(t)‖ ≤ K ‖ϕ‖ eαt, ∀t ≥ 0, ∀ϕ ∈ Cr
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 21 / 25
Unb. Ana. for ddtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn))
Reducing Unbounded Verification to Bounded One
1 Identify the rightmost eigenvalue (and hence α), then construct Kand δ.
2 Compute T ∗, as well as T ′ (by bounded verifiers) s.t. ‖Ω‖ < δ withinT ′.
3 Reduce to bounded verifi., i.e., ∀T > T ′ + T ∗, ∞-safe ⇐⇒ T -safe.4
-5 -4 -3 -2 -1 0α-150
-100
-50
0
50
100
150
R (λ)
I( λ
)
(a)
0 40 60 80 100T′ + T*
-0.4
-0.2
0.0
0.2
0.4
t
u(t)
(b)
4.2 (a) h(z) 计
maxλ∈σ R (λ) < α < 0 α = −0.5 (b) Taylor
[91]所 (4.20) T >
(T ′ + T ∗) = 15.5s ∞- T-
Figure 4.2 Ubounded safety verification of the population dynamics. (a) The identified right-
most eigenvalues of h(z) and an upper bound α = −0.5 such that maxλ∈σ R (λ) < α < 0;
(b) Overapproximation of the reachable set of the system (4.20) produced by the method
in [91] using Taylor models for bounded verification. Together with this overapproxi-
mation we prove the equivalence of ∞-safety and T-safety of the system, for any T >
(T ′ + T ∗) = 15.5s.
[−1, 15.5] 与 U (4.20)
DDEs: 所 单 理论
指 计 理 (2.1)
DDEs 别 ∥B∥ e−rα∑ki=1 ∥Ai∥ e−riα ∥B∥ ∑k
i=1 ∥Ai∥ 中 Ai 中 x(t − ri)
Jacobian
[8]中 理 1.2 中 所
4.3
所 Wolfram
M [152]中 DDE-BIFTOOL6 计
6http://ddebiftool.sourceforge.net/
59
δ = minδϵ, δϵ/
(Ke−rα
(1 + ∥B∥
∫ r0
e−ατ dτ))
δϵ = Ke−rα(1 + ∥B∥
∫ r0
e−ατ dτ)∥ϕ∥ eϵKe−rαt+αt
ϵ ≤ −α/(2Ke−rα)
S. Feng, M. Chen, N. Zhan, M. Fränzle, B. Xue: Taming delays in dyn. syst.:Unbounded verif. of DDEs. CAV ’19.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 22 / 25
Unb. Ana. for ddtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn))
Reducing Unbounded Verification to Bounded One
1 Identify the rightmost eigenvalue (and hence α), then construct Kand δ.
2 Compute T ∗, as well as T ′ (by bounded verifiers) s.t. ‖Ω‖ < δ withinT ′.
3 Reduce to bounded verifi., i.e., ∀T > T ′ + T ∗, ∞-safe ⇐⇒ T -safe.4
-5 -4 -3 -2 -1 0α-150
-100
-50
0
50
100
150
R (λ)
I( λ
)
(a)
0 40 60 80 100T′ + T*
-0.4
-0.2
0.0
0.2
0.4
t
u(t)
(b)
4.2 (a) h(z) 计
maxλ∈σ R (λ) < α < 0 α = −0.5 (b) Taylor
[91]所 (4.20) T >
(T ′ + T ∗) = 15.5s ∞- T-
Figure 4.2 Ubounded safety verification of the population dynamics. (a) The identified right-
most eigenvalues of h(z) and an upper bound α = −0.5 such that maxλ∈σ R (λ) < α < 0;
(b) Overapproximation of the reachable set of the system (4.20) produced by the method
in [91] using Taylor models for bounded verification. Together with this overapproxi-
mation we prove the equivalence of ∞-safety and T-safety of the system, for any T >
(T ′ + T ∗) = 15.5s.
[−1, 15.5] 与 U (4.20)
DDEs: 所 单 理论
指 计 理 (2.1)
DDEs 别 ∥B∥ e−rα∑ki=1 ∥Ai∥ e−riα ∥B∥ ∑k
i=1 ∥Ai∥ 中 Ai 中 x(t − ri)
Jacobian
[8]中 理 1.2 中 所
4.3
所 Wolfram
M [152]中 DDE-BIFTOOL6 计
6http://ddebiftool.sourceforge.net/
59
4
-5 -4 -3 -2 -1 0α-150
-100
-50
0
50
100
150
R (λ)
I( λ
)
(a)
0 40 60 80 100T′ + T*
-0.4
-0.2
0.0
0.2
0.4
t
u(t)
(b)
4.2 (a) h(z) 计
maxλ∈σ R (λ) < α < 0 α = −0.5 (b) Taylor
[91]所 (4.20) T >
(T ′ + T ∗) = 15.5s ∞- T-
Figure 4.2 Ubounded safety verification of the population dynamics. (a) The identified right-
most eigenvalues of h(z) and an upper bound α = −0.5 such that maxλ∈σ R (λ) < α < 0;
(b) Overapproximation of the reachable set of the system (4.20) produced by the method
in [91] using Taylor models for bounded verification. Together with this overapproxi-
mation we prove the equivalence of ∞-safety and T-safety of the system, for any T >
(T ′ + T ∗) = 15.5s.
[−1, 15.5] 与 U (4.20)
DDEs: 所 单 理论
指 计 理 (2.1)
DDEs 别 ∥B∥ e−rα∑ki=1 ∥Ai∥ e−riα ∥B∥ ∑k
i=1 ∥Ai∥ 中 Ai 中 x(t − ri)
Jacobian
[8]中 理 1.2 中 所
4.3
所 Wolfram
M [152]中 DDE-BIFTOOL6 计
6http://ddebiftool.sourceforge.net/
59
S. Feng, M. Chen, N. Zhan, M. Fränzle, B. Xue: Taming delays in dyn. syst.:Unbounded verif. of DDEs. CAV ’19.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 22 / 25
Unb. Ana. for ddtx(t) = f(x(t),x(t− δ1), . . . ,x(t− δn))
Reducing Unbounded Verification to Bounded One
1 Identify the rightmost eigenvalue (and hence α), then construct Kand δ.
2 Compute T ∗, as well as T ′ (by bounded verifiers) s.t. ‖Ω‖ < δ withinT ′.
3 Reduce to bounded verifi., i.e., ∀T > T ′ + T ∗, ∞-safe ⇐⇒ T -safe.4
-5 -4 -3 -2 -1 0α-150
-100
-50
0
50
100
150
R (λ)
I( λ
)
(a)
0 40 60 80 100T′ + T*
-0.4
-0.2
0.0
0.2
0.4
t
u(t)
(b)
4.2 (a) h(z) 计
maxλ∈σ R (λ) < α < 0 α = −0.5 (b) Taylor
[91]所 (4.20) T >
(T ′ + T ∗) = 15.5s ∞- T-
Figure 4.2 Ubounded safety verification of the population dynamics. (a) The identified right-
most eigenvalues of h(z) and an upper bound α = −0.5 such that maxλ∈σ R (λ) < α < 0;
(b) Overapproximation of the reachable set of the system (4.20) produced by the method
in [91] using Taylor models for bounded verification. Together with this overapproxi-
mation we prove the equivalence of ∞-safety and T-safety of the system, for any T >
(T ′ + T ∗) = 15.5s.
[−1, 15.5] 与 U (4.20)
DDEs: 所 单 理论
指 计 理 (2.1)
DDEs 别 ∥B∥ e−rα∑ki=1 ∥Ai∥ e−riα ∥B∥ ∑k
i=1 ∥Ai∥ 中 Ai 中 x(t − ri)
Jacobian
[8]中 理 1.2 中 所
4.3
所 Wolfram
M [152]中 DDE-BIFTOOL6 计
6http://ddebiftool.sourceforge.net/
59
4
-5 -4 -3 -2 -1 0α-150
-100
-50
0
50
100
150
R (λ)
I( λ
)
(a)
0 40 60 80 100T′ + T*
-0.4
-0.2
0.0
0.2
0.4
t
u(t)
(b)
4.2 (a) h(z) 计
maxλ∈σ R (λ) < α < 0 α = −0.5 (b) Taylor
[91]所 (4.20) T >
(T ′ + T ∗) = 15.5s ∞- T-
Figure 4.2 Ubounded safety verification of the population dynamics. (a) The identified right-
most eigenvalues of h(z) and an upper bound α = −0.5 such that maxλ∈σ R (λ) < α < 0;
(b) Overapproximation of the reachable set of the system (4.20) produced by the method
in [91] using Taylor models for bounded verification. Together with this overapproxi-
mation we prove the equivalence of ∞-safety and T-safety of the system, for any T >
(T ′ + T ∗) = 15.5s.
[−1, 15.5] 与 U (4.20)
DDEs: 所 单 理论
指 计 理 (2.1)
DDEs 别 ∥B∥ e−rα∑ki=1 ∥Ai∥ e−riα ∥B∥ ∑k
i=1 ∥Ai∥ 中 Ai 中 x(t − ri)
Jacobian
[8]中 理 1.2 中 所
4.3
所 Wolfram
M [152]中 DDE-BIFTOOL6 计
6http://ddebiftool.sourceforge.net/
59
S. Feng, M. Chen, N. Zhan, M. Fränzle, B. Xue: Taming delays in dyn. syst.:Unbounded verif. of DDEs. CAV ’19.
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 22 / 25
Future DirectionsExtend the method to more general forms of DDE:• DDE also featuring immediate state feedback and disturbance, as
suggested by ODE models of the plant dynamics,(partially addressed in [B. Xue, M. Fränzle, P. Mosaad, CDC ’17];
[B. Xue, Q. Wang, S. Feng, ZNJ, HSCC’19])• DDE covering multiple different, constant feedback delays (on-going),• DDE exhibiting state-dependent delay (on-going),• DDE featuring randomly distributed delay,• stochastic DDE.
Extend the method to delayed hybrid-state dynamics:• Hybrid automata comprising DDE instead of ODE.• Hybrid automata additionally featuring latency in their discrete
reactive behaviour.Invariant generation for time-delayed systems. (on-going)• Some first try was done by Prajna&Jadbabaie [ CDC’05].
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 23 / 25
Potential Directions
Related to Weakly Hard Systems
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 24 / 25
Weakly Hard System Courtesy by Dr. Chao Huang
Sample 𝑥 1 Compute 𝑢2
1
Sample 𝑥 𝑇 Allow occasional deadline misses
0
𝑥 = 𝑓 𝑥 + 𝑔 𝑥 𝑢
𝑢 = 𝑢0 = 0
𝑡
0
𝑊 Deadline
Sample 𝑥 0 Compute 𝑢1
𝑢 = 𝑢1
𝑇
Sampling period
2𝑇 +𝑊
2𝑇 3𝑇
𝑢 = 𝑢3
Sample 𝑥 2 Compute 𝑢2
𝑇 +𝑊
𝑢 = 𝑢1
Is an 𝒎,𝑲 weakly-hard system safe?
𝑚,𝐾 constraint: at most 𝑚 deadline misses among any 𝐾 consecutive periods[G. Bernat et al., 2001]
Timing disturbance Communication delay, sensing failure…
RTSOPS 2019, Paris, July. 24, 2019 · Naijun Zhan: Indecision and Delay · 25 / 25