3.2 Mixed Deductive-Bounded Verification Methodology
3.2.2 Deductive-Bounded Verification of ϕ2
To verify ϕ2, we need to show that all hybrid arcs x starting in the set S2 eventually reach the attractive invariant set S1. Towards this goal, we use a mixed deductive-bounded verification approach that benefits from both the advection of sets and certificate-based deductive verification. Essentially, we use the advection of sets for HDS presented in Sec. 3.1.3 and check whether the advected sets fully submerge into the set S1 after a bounded number of iterations, as depicted in Fig. 3.6.

Figure 3.6: Deductive-Bounded Verification Methodology (plot of the sets S1 and S2 in the plane; horizontal axis from −1.5 to 1.5, vertical axis from −1 to 1)

After a bounded number of advection steps, for a set which is not a proper subset of S1, we apply the deductive Escape certificate criterion, showing that trajectories starting in this set will eventually escape and reach S1. This happens when the advection of sets is asymmetrical: the set submerges into S1 from one direction while its progression from another side is very slow. For example, in the fourth-order CP PLL we notice that the set advection is inconclusive, as the sets do not submerge fully into S1. This scenario is illustrated by the level set of the red dotted curve in Fig. 3.6. On the right side of the set S1, the advected set enclosed by the red curve is fully immersed in S1; its progression from the left-hand side (shown by the double-sided arrow), however, stops after a bounded number of advection steps. This shows that trajectories starting in the left part of the set jump to the right-hand side before reaching the set S1. For this part of the set, bounded advection is inconclusive, and we use the deductive Escape certificate criterion.
Following the deductive-bounded approach illustrated above, we verify the property ϕ2 using Alg. 2. The inputs of the algorithm are the sets S2, S1, and the HDS model of the CP PLL. The algorithm determines the truth value of ϕ2 by a combination of the deductive Escape certificate and bounded advection of the set S2. After initializing the different sets, the advection of the set S2advect is performed in Line 5. Following the advection of level sets for HDS discussed in Sec. 3.1.3, the function “Advect” in Line 5 is performed by the SOS program given after the listing of Alg. 2.

Algorithm 2 Verification of Property ϕ2
INPUT: HDS Model of CP PLL, Sets S1, S2
OUTPUT: ϕ2 Verified in Bounded Time / No answer
1: S2next ← ∅
2: S2advect ← ∅
3: S2advect ← S2
4: for j ← 1 to m do
5:   S2next ← Advect(S2advect)
6:   if S2next ⊄ S1 then
7:     S2advect ← S2next
8:   else
9:     x ⊨ ϕ2, ∀x ∈ S2
10:    break
11:  end if
12: end for
13: Try a large value of m
14: if S2next ⊄ S1 then
15:   For S2next \ S2′next (where S2′next = S1 ∩ S2next), find the Escape Certificate E
16:   if E exists then
17:     x ⊨ ϕ2, ∀x ∈ S2
18:     break
19:   else
20:     No answer about ϕ2
21:   end if
22: end if

The function “Advect” of Line 5 is computed by the following SOS program (the last constraint is truncated in the source):

$$
\begin{aligned}
&\text{minimize } \eta_i \\
&\text{s.t. } P_{next}(0) < 0,\quad \frac{\partial P_{next}}{\partial x}\cdot(v_1, v_2, \phi_D)^T > 0, \\
&s_{1i} - s_{2i}P_{Initial} + B^i_{-h}P_{next} + \eta_i + \sum_{k=1}^{m_{C_i}} s_{3ik}g_{ik} + \sum_{j=1}^{m} s_{4j}(x)a_j(u) = 0, \\
&s_{5i} + s_{6i}(P_{Initial} - \mu_i) - B^i_{-h}P_{next} + \eta_i + \sum_{k=1}^{m_{C_i}} s_{7ik}g_{ik} + \sum_{j=1}^{m} s_{8j}(x)a_j(u) = 0, \\
&s_{9i} - s_{10i}(P_{Initial} - \mu_i) + \sum_{k=1}^{m_{C_i}} s_{11ik}g_{ik} + \frac{\partial^2 P_{next}}{\partial x^2}\frac{h^2}{2} - \eta_i = 0, \\
&\sum_{k=1}^{m_{C_i}}
\end{aligned}
$$

Figure 3.7: Deductive-Bounded Verification Methodology (nested sets Z(PInitial − µ), Z(B^i_{−h}Pnext − η), Ψ_{−h}(Pnext), Z(B^i_{−h}Pnext + η), Z(PInitial), Z(Pnext), and the map B^i_{−h})
Here Pnext is of degree dr, µi > 0, ηi > 0, h > 0, u ∈ [L, U], and s1i, s2i, s3ik, s4j, s5i, s6i, s7ik, s8j, s9i, s10i, s11ik, s12i, s13i, s14ik are polynomials of degree d.
Let S2 = Z(PInitial), S1 = Z(P1) and S2next = Z(Pnext). Here PInitial, P1, and Pnext are differentiable polynomials belonging to the set C(Rn, R). Similar to the SOS program for Lyapunov certificates, the SOS program for the advection of sets utilizes the S-procedure discussed in Sec. 2.4.4. The first two constraints of this SOS program ensure that the advected level sets are closed and connected (see [102] and the references therein). The next two constraints search for a polynomial Pnext such that, when the set Z(Pnext) is backward advected by the first-order Taylor advection map $B^i_{-h}$, we obtain a set such that

$$
Z(P_{Initial}) \subset Z(B^i_{-h}P_{next} + \eta_i) \subset \Psi_{-h}(Z(P_{next})) \subset Z(B^i_{-h}P_{next} - \eta_i) \subset Z(P_{Initial} - \mu_i) \qquad (3.34)
$$

Here µi is a precision parameter determining how closely we want the set Z(PInitial) to be approximated by the set $Z(B^i_{-h}P_{next} + \|\eta_i\|)$. Constraints for Ci have been added using the SOS multipliers s3ik, s7ik and the vector inequality gik(x) ≤ 0. Furthermore, parameter constraints are added using the SOS multipliers s4j and s8j with the vector inequality aj(u) ≤ 0. This advection of zero sub-level sets is illustrated in Fig. 3.7. The last two constraints bound the truncation error of the first-order Taylor approximation such that

$$
\left\| \frac{\partial^2 P_{next}}{\partial x^2}\frac{h^2}{2} \right\|
$$
The next step in Alg. 2 is checking the inclusion of the set S2next in S1 (Line 6). To be conservative, and to use an over-approximation of the set Ψh(Z(PInitial)), the set membership is encoded as an SOS program utilizing Lemma 2.2 for the sets Z(Pnext − ηi) and S1, i.e.,

$$
s_0 - s_1(P_{next} - \eta_i) + P_1 = 0, \qquad s_0, s_1 \in S_n \qquad (3.35)
$$

If there are feasible SOS polynomials s0 and s1, then Z(Pnext − ηi) ⊂ Z(P1).

Remark 3.2. For the transformed CP PLL HDS, H′, we have identity jump maps; there is therefore no need for constraints on the level sets due to discrete jumps.
After each iteration of the advection of level sets, if the set inclusion S2next ⊂ S1 holds, then property ϕ2 is verified. Otherwise, the algorithm keeps advecting the set S2next for a user-defined bounded number of iterations (Lines 7-13). If the property ϕ2 is still not verified (this can happen when the advection of the level sets is asymmetrical and a subset of the set S2next is not fully immersed in S1), we compute the Escape certificate E for the set S2next \ S2′next, where S2′next = S1 ∩ S2next. A feasible Escape certificate on the set S2next \ S2′next shows that trajectories in this set will eventually leave it and reach S1 by Prop. 3.3 (Lines 14-18). This either results in the verification of property ϕ2 (respectively ϕ) in the set S2, or we conclude that the truth value of ϕ2 (respectively ϕ) is inconclusive. In Line 15, the Escape certificate is searched for by the following SOS program:
$$
-\frac{\partial E_i}{\partial x}(x)F_i(x,u) - s_1(x)g_2(x) + s_2(x)g_2'(x) - \sum_{j=1}^{m} s_{3j}(x)a_j(u) - \varepsilon \in S_n, \qquad (s_1, s_2, s_{3j}) \in S_n, \qquad (3.36)
$$

where S2next := {x : g2(x) ≥ 0} and S2′next := {x : g2′(x) ≥ 0}.
Proposition 3.6. If the SOS program of Eq. 3.36 is feasible, then the Escape certificate satisfies the condition in Prop. 3.2.
Proof. Since the expression in Eq. 3.36 is SOS, we have

$$
-\frac{\partial E_i}{\partial x}(x)F_i(x,u) - s_1(x)g_2(x) + s_2(x)g_2'(x) - \sum_{j=1}^{m} s_{3j}(x)a_j(u) - \varepsilon \ge 0,
$$

and every product term is positive semi-definite. Therefore

$$
\frac{\partial E_i}{\partial x}(x)F_i(x,u) \le -\varepsilon.
$$
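A worked one-dimensional instance of the SOS program (3.36), constructed here as an added illustration and not taken from the thesis: take n = 1, no parameters (m = 0), the vector field F(x) = −x, and the sets S2next = {x : g2(x) = 4 − x² ≥ 0} and S2′next = {x : g2′(x) = 1 − x² ≥ 0}, so that S2next \ S2′next = {x : 1 < |x| ≤ 2}. With the candidate certificate E(x) = x²/2, for which (∂E/∂x)(x)F(x) = −x², and the multipliers s1 = 0, s2 = 1, ε = 1/2, the left-hand side of (3.36) becomes

$$
-\frac{\partial E}{\partial x}(x)F(x) - s_1(x)g_2(x) + s_2(x)g_2'(x) - \varepsilon
= x^2 - 0 + (1 - x^2) - \tfrac{1}{2} = \tfrac{1}{2} \in S_1,
$$

so the program is feasible. Rearranging the non-negativity of this expression gives

$$
\frac{\partial E}{\partial x}(x)F(x) \le -\varepsilon - s_1(x)g_2(x) + s_2(x)g_2'(x),
$$

and on S2next \ S2′next we have g2(x) ≥ 0 and g2′(x) < 0, so both multiplier terms are non-positive there and (∂E/∂x)F ≤ −ε = −1/2; indeed −x² ≤ −1 for |x| > 1. The sign of the s2 g2′ term is what restricts the bound to the complement of S2′next = S1 ∩ S2next, which is exactly where the certificate is needed.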
If there is a feasible Escape certificate for the set S2next \ S2′next, then we conclude x ⊨ ϕ2, ∀x ∈ S2 (Line 17). If we do not find an Escape certificate of some maximum bounded degree, we declare the truth value of ϕ2 inconclusive (Line 20).
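The decision structure of Alg. 2, as an added Python example that is not the thesis's code: it runs the bounded advection loop, the inclusion check of Line 6, and the Escape-certificate fallback of Lines 14-20 on a constructed one-dimensional toy whose left part drifts only slowly while the right part contracts into S1, the asymmetric situation described above. Assumptions: sets are closed intervals, m ≥ 1, Advect is the exact one-step flow of the toy, and the Escape certificate E(x) = −x is checked by a direct piecewise bound on (∂E/∂x)·F instead of the SOS program (3.36).

```python
# Added example, not the thesis's code: Algorithm 2 on a constructed 1D toy.
# Sets are intervals (lo, hi); Advect is the exact one-step flow map; the
# Escape certificate E(x) = -x is checked by a piecewise bound on (dE/dx)*F
# in place of the SOS program (3.36). All names and values are ours.
import math
H = 0.1  # advection step h (constructed)

def flow(x, drift):
    """Toy vector field F: x' = -x for x > -1 (contracts to S1), x' = drift for x <= -1."""
    return -x if x > -1.0 else drift

def advect(s, drift):
    """One advection step of interval s. A 1D flow preserves order, so the image
    is the interval between the images of the endpoints; a left endpoint that
    would cross x = -1 is clamped to -1 (an over-approximation)."""
    def step(x):
        if x > -1.0:
            return x * math.exp(-H)      # exact flow of x' = -x over time H
        return min(x + drift * H, -1.0)  # exact flow of x' = drift over time H
    return (step(s[0]), step(s[1]))

def is_subset(a, b):
    return a[0] >= b[0] and a[1] <= b[1]

def escape_certificate_eps(s, drift):
    """Largest eps with (dE/dx)*F = -F <= -eps on the interval s, or None."""
    sup = -math.inf
    if s[0] <= -1.0:   # piece x <= -1: -F = -drift
        sup = max(sup, -drift)
    if s[1] > -1.0:    # piece x > -1: -F = x, largest at the right end
        sup = max(sup, s[1])
    return -sup if sup < 0 else None

def verify_phi2(s2, s1, m, drift):
    """('verified', j): S2next in S1 after j steps (Lines 4-12); ('verified',
    'escape'): closed by the Escape certificate (Lines 14-18); ('no answer', None)."""
    s2_advect = s2
    for j in range(1, m + 1):
        s2_next = advect(s2_advect, drift)          # Line 5
        if is_subset(s2_next, s1):                  # Line 6
            return ("verified", j)
        s2_advect = s2_next
    # Lines 14-15: S2next \ S2'next with S2'next = S1 ∩ S2next (a left/right piece)
    leftovers = []
    if s2_next[0] < s1[0]:
        leftovers.append((s2_next[0], s1[0]))
    if s2_next[1] > s1[1]:
        leftovers.append((s1[1], s2_next[1]))
    if all(escape_certificate_eps(r, drift) is not None for r in leftovers):
        return ("verified", "escape")               # Line 17
    return ("no answer", None)                      # Line 20
```

With S2 = [−2, 1.5], S1 = [−0.5, 0.5], m = 20 and drift 0.05, the right end contracts into S1 after 11 steps while the left end only reaches −1.9, so bounded advection is inconclusive and the certificate closes the gap; reversing the drift makes the certificate fail and yields "no answer".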