
Constraints for Continuous Reachability in the Verification of Hybrid Systems ⋆

Stefan Ratschan and Zhikun She

Max-Planck-Institut für Informatik, Saarbrücken, Germany
{stefan.ratschan,zhikun.she}@mpi-sb.mpg.de

Abstract. We describe two new ways of efficiently deriving continuous reach set information for hybrid systems. In both cases, we over-approximate the differential equations to constraints that are then solved using a solver for first-order predicate logical formulae over the reals. We prove some properties about the amount of introduced over-approximation. Moreover, we embed the results in our earlier method for verification of hybrid systems using abstraction refinement and provide some timings that document the resulting improvement.

1 Introduction

The computation of the reach set of differential equations has traditionally used two main methodologies: either to directly handle the differential equations [5, 7, 10], or to rewrite the problem to a decidable constraint solving problem [14]. The first case is usually more efficient, but requires a large implementation effort. The second case can reuse existing constraint solving technology, but the huge complexity of the corresponding constraint solving algorithms [9] makes this approach infeasible for all but small problems.

In this paper we use a new, alternative approach: we do rewrite the reach set computation problem to a constraint solving problem, but do not require the resulting constraint to fall into a decidable class. Instead, we want to be able to efficiently over-approximate its solutions. Moreover, in order to decrease the amount of over-approximation, we include the method in an abstraction refinement process [20, 19].

The advantages of this approach are: it allows the use of a rich language of constraints that includes function symbols such as sin, cos, exp that naturally arise as solutions of linear differential equations; and, since it does not try to compute exact solutions to these constraints, but uses over-approximation instead, it is efficient.

More specifically, in this paper we study two types of constraints that model the reachability problem: one, for linear differential equations, is related to the explicit solution of such equations; and the second, for general differential constraints, is based on the mean-value theorem. Both constraints are quite simple to derive and similar ones have been used before in the literature. However, here we study in detail how they behave when using interval based constraint propagation techniques for solving them, and how this behavior reflects in our method of verification of hybrid systems using constraint propagation based abstraction refinement [20].

⋆ This work was partly supported by the German Research Council (DFG) as part of the Transregional Collaborative Research Center “Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS). See www.avacs.org for more information.

We will provide a version of our verification software HSolver [19] that will allow the user to experiment with these, and additional, user-defined, constraints.

Regarding additional related work, the approach by Hickey and Wittenberg [11] puts the level of modelling even higher, by employing a constraint logic programming language [12] that can directly deal with differential equations. Internally it solves constraints by transforming them into polynomial constraints using Taylor expansion, and then solves these using a solver similar to ours. The approach does not provide a comparison of different formulations of these constraints, and does not employ abstraction refinement to concentrate on refining the part of the solution which is relevant for a given safety verification problem.

Tiwari [23] derives simple polynomial constraints from linear differential equations by manually doing an over-approximating quantifier elimination on a constraint similar to one of the constraints employed here. In contrast to that, since our solver can handle function symbols such as sin, cos, and exp, we can directly work on the original constraint, and, using an abstraction refinement scheme, approximate it arbitrarily closely.

Anai and Weispfenning [1] provide a classification of when the time variable can be symbolically eliminated from the solution of linear differential equations (which may contain transcendental function symbols).

Constraints similar to the ones employed here, based on the mean-value theorem or Taylor expansion, are ubiquitous in the integration of ODEs.

The content of the paper is as follows: In Section 2 we discuss eigenvalue and eigenvector based constraints for modeling reachability of linear differential equations; in Section 3 we discuss constraints based on the mean-value theorem; in Section 4 we discuss how we solve these constraints; in Section 5 we compare the constraints theoretically; in Section 6 we review our method of verification using abstraction refinement; in Section 7 we study empirically how the constraints behave within that method; and in Section 8 we conclude the paper.

2 Constraints Based on Eigenvalues and Eigenvectors

Assume a differential equation of the form $\dot{x} = Ax$, where $A \in \mathbb{Q}^{k \times k}$. Differential equations of the form $\dot{x} = Ax + B$ can be reduced to that form by shifting the equilibrium, provided that the equation $Ax + B = 0$ has solutions. Given an initial set $Init$, we have the exact solution $x(t) = e^{At} x_0$, where $x_0 \in Init$ and $e^{At}$ is defined by $\sum_{k=0}^{\infty} \frac{t^k}{k!} A^k$. Thus, if $x$ is reachable, then

$$\exists t \in \mathbb{R}_{\geq 0}\, \exists x_0 \in \mathbb{R}^k\, [x_0 \in Init \wedge x = e^{At} x_0].$$

Since the matrix $A$ appears in an exponent, it is difficult to directly solve this constraint. We use another constraint introduced by Tiwari [23], that over-approximates the reach set, that can be easily computed from the matrix $A$, and that does not contain matrix exponentiation.

For this we re-express the real eigenvalues and the complex eigenvalues of $A^T$ using the following two sets:

$$\Lambda_1 = \{\lambda \in \mathbb{R} \mid \exists c \in \mathbb{R}^k [c \neq 0 \wedge A^T c = \lambda c]\};$$

$$\Lambda_2 = \{(a, b) \in \mathbb{R} \times \mathbb{R}_{>0} \mid \exists c \in \mathbb{R}^k [c \neq 0 \wedge ((A^T)^2 - 2aA^T + (a^2 + b^2)I)c = 0]\}.$$

For every $\lambda \in \Lambda_1$, let $c(1, \lambda)$ be an orthonormal basis of $\{c : A^T c = \lambda c\}$; for every $(a, b) \in \Lambda_2$, let $c(2, (a, b))$ be an orthonormal basis of $\{c : ((A^T)^2 - 2aA^T + (a^2 + b^2)I)c = 0\}$.

Then we can describe an over-approximation of the set of reachable states as follows.

Lemma 1. For a differential equation $\dot{x} = Ax$ and a hyper-rectangle (box) $B \subseteq \mathbb{R}^k$, if there is a trajectory in $B$ from a point $x = (x_1, \ldots, x_k)^T \in B$ to a point $y = (y_1, \ldots, y_k)^T \in B$ on which $\dot{x} = Ax$ holds, then

$$\exists t \in \mathbb{R}_{\geq 0} [eigen^*_{A,B}(t, x, y)], \tag{1}$$

where $eigen^*_{A,B}(t, x, y)$ denotes

$$\bigwedge_{\lambda \in \Lambda_1} \bigwedge_{c \in c(1,\lambda)} c^T y = c^T x\, e^{\lambda t} \;\wedge\; \bigwedge_{(a,b) \in \Lambda_2} \exists \dot{x} \in \mathbb{R}^k \Big[ \dot{x} = Ax \wedge \bigwedge_{c \in c(2,(a,b))} c^T y = e^{at} c^T \Big( x \cos(bt) + \frac{\dot{x} - xa}{b} \sin(bt) \Big) \Big]$$

Note that this expression is a formula in the first-order predicate language over the real numbers: it does not contain higher-order expressions such as derivatives ($\dot{x}$ does not denote the derivative of $x$ but simply a new variable). However, this restriction to the first-order theory of the reals is still undecidable, since it contains function symbols like sin (this allows encoding of the integers). However, there are over-approximating constraint solvers that can be used (see Section 4).

We denote the above Constraint 1 by $eigen_{A,B}(x, y)$. Note that if $A$ has $k$ different real eigenvalues and $B = \mathbb{R}^k$, then this constraint describes the exact solution of the differential equation.

3 Constraints Based on the Mean-Value Theorem

In this section, we will produce a constraint describing the reachability not only for linear differential equations, but for much more general descriptions of continuous evolution. We assume that the continuous dynamics is defined by a differential constraint $D(x, \dot{x})$ (or short, $D$) which can be an arbitrary first-order formula in the theory of the reals over the tuples of variables $x$ and $\dot{x}$. This includes explicit and implicit differential equations and inequalities, and even differential-algebraic equations and inequalities.

Earlier [20] we used a constraint $flow_{D,B}(x, y)$ describing the reachability in boxes as follows:

Lemma 2. For a differential constraint $D(x, \dot{x})$ and a box $B \subseteq \mathbb{R}^k$, if there is a trajectory in $B$ from a point $x = (x_1, \ldots, x_k)^T \in B$ to a point $y = (y_1, \ldots, y_k)^T \in B$ such that for every point $u$ on the trajectory and its derivative $\dot{u}$, the pair $(u, \dot{u})$ satisfies $D(x, \dot{x})$, then

$$\bigwedge_{1 \leq m < n \leq k} \exists a_1, \ldots, a_k, \dot{a}_1, \ldots, \dot{a}_k \big[ (a_1, \ldots, a_k) \in B \wedge D((a_1, \ldots, a_k), (\dot{a}_1, \ldots, \dot{a}_k)) \wedge \dot{a}_n \cdot (y_m - x_m) = \dot{a}_m \cdot (y_n - x_n) \big]$$

Observe that whenever a given pair of points $(x, y)$ fulfills the above constraint $flow_{D,B}(x, y)$ (indicating that there is a possible flow from $x$ to $y$) then also the flipped pair $(y, x)$ fulfills the constraint. That is, the constraint does not distinguish time flowing forward and time flowing backward. In order to avoid this loss of information we use the mean value theorem to formulate the following constraint:

Lemma 3. For a differential constraint $D(x, \dot{x})$ and a box $B \subseteq \mathbb{R}^k$, if there is a trajectory in $B$ from a point $x = (x_1, \ldots, x_k)^T \in B$ to a point $y = (y_1, \ldots, y_k)^T \in B$ such that for every point $u$ on the trajectory and its derivative $\dot{u}$, the pair $(u, \dot{u})$ satisfies $D(x, \dot{x})$, then

$$\exists t \in \mathbb{R}_{\geq 0} [flow^*_{D,B}(t, x, y)], \tag{2}$$

where $flow^*_{D,B}(t, x, y)$ denotes

$$\bigwedge_{1 \leq i \leq k} \exists a_1, \ldots, a_k, \dot{a}_1, \ldots, \dot{a}_k \big[ (a_1, \ldots, a_k) \in B \wedge D((a_1, \ldots, a_k), (\dot{a}_1, \ldots, \dot{a}_k)) \wedge y_i = x_i + \dot{a}_i \cdot t \big]$$

We denote the above Constraint 2 by $flow'_{D,B}(x, y)$. Although both the constraint $flow_{D,B}(x, y)$ and the constraint $flow'_{D,B}(x, y)$ are quite simple, it is not at all clear whether $flow'_{D,B}(x, y)$ really allows us to derive tighter reach set information than $flow_{D,B}(x, y)$.

4 Solving the Constraints

We solve the constraints using our constraint solver RSolver [17], which implements interval constraint propagation techniques [8, 3, 13, 18]. These techniques can, for a given constraint and intervals for all its variables, contract these intervals to smaller ones, without losing any solutions. We illustrate the idea on an example: Given the constraint $x^2 - 1 \leq 0$, and the interval $[-2, 2]$ for $x$, the method first decomposes this constraint into a conjunction of so-called primitive constraints, arriving at $x^2 = t_0 \wedge t_0 - 1 = t_1 \wedge t_1 \leq 0$. Here $t_0$ and $t_1$ are new, auxiliary variables. Then it takes the interval $[-\infty, +\infty]$ for all auxiliary variables and tries to contract all intervals wrt. the primitive constraints: using $x^2 = t_0$ we can contract the interval $[-\infty, \infty]$ for $t_0$ to $[0, 4]$, using $t_0 - 1 = t_1$ contract $[-\infty, \infty]$ for $t_1$ to $[-1, 3]$, using $t_1 \leq 0$ contract $[-1, 3]$ for $t_1$ to $[-1, 0]$, using $t_0 - 1 = t_1$ contract $[0, 4]$ for $t_0$ to $[0, 1]$, and using $x^2 = t_0$ contract $[-2, 2]$ for $x$ to $[-1, 1]$. This process continues until a fixpoint is reached, which will always happen eventually, due to the finiteness of floating point numbers. We call the resulting algorithm a pruning function and, given a constraint $\phi$ and a box $B$, we denote the result of applying this function to $\phi$ and $B$ by $Prune(\phi, B)$.

Definition 1. Given a constraint $\phi$, pruning is optimal for $\phi$ iff for all boxes $B$, $Prune(\phi, B)$ is the smallest floating-point box containing all solutions of $\phi$ in $B$.

Property 1. For every constraint $\phi$ that contains every variable just once, pruning is optimal.

There are special techniques for handling disjunctions and quantifiers [18]. Moreover, there are various optimizations and extensions of the techniques discussed above. Most of them spend additional time to deal with the problem that pruning is in general not optimal if some variables occur more than once. Since our constraints usually only have few occurrences of the same variables, and since in our abstraction refinement approach (see Section 6) we will do thousands of prunings, it does not seem promising to use such optimizations here.
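As an added illustration of the pruning function (written for this page; it is neither RSolver's code nor code from the paper), the following Python propagator decomposes $x^2 - 1 \leq 0$ into the three primitive constraints named above and contracts the box to a fixpoint. The contraction order differs from the narrated one, but the fixpoint is the same, and since $x$ occurs only once, Property 1 says the result $[-1, 1]$ is optimal; the primitive encoding (`sq`, `sub`, `le0`) and the function names are my own.

```python
import math

INF = math.inf

def meet(a, b):
    """Intersect two closed intervals; None signals an empty (infeasible) box."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def square(a):
    """Interval hull of {v*v : v in a} (the forward step of v*v = w)."""
    lo, hi = a
    if lo >= 0:
        return (lo * lo, hi * hi)
    if hi <= 0:
        return (hi * hi, lo * lo)
    return (0.0, max(lo * lo, hi * hi))

def square_inverse(a, w):
    """Backward step of v*v = w: contract a to the hull of +-sqrt(w) inside a."""
    if w[1] < 0:
        return None
    r = (math.sqrt(max(w[0], 0.0)), math.sqrt(w[1]))
    pos, neg = meet(a, r), meet(a, (-r[1], -r[0]))
    if pos and neg:                       # both signs survive: take the hull
        return (neg[0], pos[1])
    return pos or neg

def contract(prim, box):
    """Apply one primitive constraint to the box in place.

    Supported primitives (an encoding constructed for this example):
      ("sq", u, v)      v = u^2
      ("sub", u, c, v)  v = u - c
      ("le0", u)        u <= 0
    Returns False if the box became empty, True otherwise."""
    kind = prim[0]
    if kind == "sq":
        _, u, v = prim
        new_v = meet(box[v], square(box[u]))
        if new_v is None:
            return False
        new_u = square_inverse(box[u], new_v)
        if new_u is None:
            return False
        box[u], box[v] = new_u, new_v
    elif kind == "sub":
        _, u, c, v = prim
        new_v = meet(box[v], (box[u][0] - c, box[u][1] - c))
        if new_v is None:
            return False
        box[u], box[v] = meet(box[u], (new_v[0] + c, new_v[1] + c)), new_v
    elif kind == "le0":
        _, u = prim
        new_u = meet(box[u], (-INF, 0.0))
        if new_u is None:
            return False
        box[u] = new_u
    return True

def prune(prims, box, max_rounds=1000):
    """Prune(phi, B): iterate all primitives until the box stops changing.
    Returns the contracted box, or None if phi has no solution in the box."""
    box = dict(box)
    for _ in range(max_rounds):
        before = dict(box)
        for p in prims:
            if not contract(p, box):
                return None
        if box == before:
            break
    return box

# x^2 - 1 <= 0 decomposed as x^2 = t0, t0 - 1 = t1, t1 <= 0 (constructed input)
PRIMS = [("sq", "x", "t0"), ("sub", "t0", 1.0, "t1"), ("le0", "t1")]

def prune_example(x_interval):
    """Start from a given interval for x and [-inf, inf] for the auxiliaries."""
    return prune(PRIMS, {"x": x_interval, "t0": (-INF, INF), "t1": (-INF, INF)})

if __name__ == "__main__":
    print(prune_example((-2.0, 2.0)))   # x contracts to [-1, 1]
    print(prune_example((2.0, 3.0)))    # None: no solution in [2, 3]
```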

5 Theoretical Evaluation of the Constraints

In this section we will do a theoretical comparison of the constraints $flow_{D,B}(x, y)$, $flow'_{D,B}(x, y)$ and $eigen_{A,B}(x, y)$. Moreover, based on the gained insight, we will introduce a new constraint that combines their advantages.

We start with comparing $flow'_{D,B}(x, y)$ with $flow_{D,B}(x, y)$. Let us first discuss the size of the produced constraints. For $k$ dimensions, $flow_{D,B}(x, y)$ has $k(k-1)/2$ conjuncts, whereas $flow'_{D,B}(x, y)$ has just $k$. So, for dimensions larger than 2, $flow'_{D,B}(x, y)$ is smaller, and its size increases only linearly instead of quadratically. Hence pruning will take less time on $flow'_{D,B}(x, y)$, especially for high dimensions.

Let us now compare the effectiveness of the two constraints. For the one-dimensional case, $flow_{D,B}(x, y)$ reduces to a conjunction with zero conjuncts, that is, to a constraint that is trivially true. So in that case, $flow'_{D,B}(x, y)$ is definitely better. For higher dimensions, the relationship between the two constraints is more complicated. Therefore, we will first study the relationship between $flow_{D,B}(x, y)$ and $flow'_{D,B}(x, y)$ themselves, and then between the results of applying the pruning function to them.

Here we will use the following notation: Given two constraints $\phi_{S,B}(x, y)$ and $\psi_{S,B}(x, y)$, where $S$ is a differential constraint $D$ or a matrix $A$, and $B$ is a box, we will write $\phi_{S,B} \preceq \psi_{S,B}$ ($\phi_{S,B} \equiv \psi_{S,B}$) iff for all $S$ and all $B$, the solution set of $\phi_{S,B}$ in $B \times B$ is a subset of (equal to) the solution set of $\psi_{S,B}$ in $B \times B$. Analogously, we will write $\phi_{S,B} \preceq_P \psi_{S,B}$ ($\phi_{S,B} \equiv_P \psi_{S,B}$) iff for all $S$, all $B$ and all $B_0$, where $B_0$ is a sub-box of $B$, $Prune(\phi_{S,B}, B_0 \times B)$ is a subset of (equal to) $Prune(\psi_{S,B}, B_0 \times B)$. Note that here we restrict $B_0$ to be a subset of $B$ because we always use the constraints in such a context.

There is no clearcut relationship between $flow_{D,B}(x, y)$ and $flow'_{D,B}(x, y)$:

Property 2. Neither $flow_{D,B} \preceq flow'_{D,B}$ nor $flow'_{D,B} \preceq flow_{D,B}$.

Proof. For showing the first part, we use a differential constraint $\dot{x}_1 = 0 \wedge \dot{x}_2 = 0$ and a box $B = [0, 2] \times [0, 2]$. Obviously, $((1, 1), (2, 2)) \in \{(x, y) : flow_{D,B}(x, y)\}$, but $((1, 1), (2, 2)) \notin \{(x, y) : flow'_{D,B}(x, y)\}$. The reason lies in the fact that the derivatives are zero for this example, and in such a case, the equality in $flow_{D,B}(x, y)$ reduces to the trivial equality $0 = 0$ that is true for all $x, y$.

For showing the second part, we use a differential constraint $\dot{x}_1 = x_1 + x_2 + 1 \wedge \dot{x}_2 = x_1 + x_2 + 1$ and a box $B = [0, 2] \times [0, 2]$. Obviously, $((0, 0), (1, \frac{1}{5})) \in \{(x, y) : flow'_{D,B}(x, y)\}$, but $((0, 0), (1, \frac{1}{5})) \notin \{(x, y) : flow_{D,B}(x, y)\}$. This is because we need $\dot{a}_m$ and $\dot{a}_n$ to be the derivatives of $a_m$ and $a_n$ at the same point in $flow_{D,B}(x, y)$, but in $flow'_{D,B}(x, y)$, $\dot{a}_i$ can be the derivative at a different point for every $i$. ⊓⊔

However, in our method, instead of computing exact solutions to these constraints, we only use over-approximations computed by the pruning algorithm, and a tighter constraint does not necessarily give rise to a tighter pruning result.

So let us compare these over-approximations. Throughout the analysis we assume that the resulting intervals enclose the solutions exactly without rounding outwards to the next floating point number. We want to discuss the relation between $Prune(flow_{D,B}(x, y), B_0 \times B)$ and $Prune(flow'_{D,B}(x, y), B_0 \times B)$.

Theorem 1. $flow'_{D,B} \preceq_P flow_{D,B}$.

Proof. We transform the constraints into a conjunction without existential quantifiers as follows: Rename the variables $a_1, \ldots, a_k$ and $\dot{a}_1, \ldots, \dot{a}_k$ to a different tuple of variables in each branch, and then drop all corresponding existential quantifiers. As a result, in addition to $x$ and $y$, $flow'_{D,B}$ has $2k^2 + 1$ free variables and $flow_{D,B}$ has $k^2(k - 1)$ free variables.

Given a set of variables $V$ and a box $B$ for which each component corresponds to a certain variable, we denote by $\pi_V(B)$ the projection of $B$ to the components corresponding to the variables in $V$. Obviously, we now have to prove

$$\pi_{x,y}(Prune(flow'_{D,B}(x, y), B_0 \times B \times \mathbb{R}_{\geq 0} \times \mathbb{R}^{2k^2})) \subseteq \pi_{x,y}(Prune(flow_{D,B}(x, y), B_0 \times B \times \mathbb{R}^{k^2(k-1)})).$$

Now let $\phi'_B \doteq \bigwedge_{1 \leq i \leq k} y_i = x_i + \dot{a}_i t$, and $\phi_B \doteq \bigwedge_{1 \leq m < n \leq k} \dot{a}_n (y_m - x_m) = \dot{a}_m (y_n - x_n)$. Since $(a_1, \ldots, a_k) \in B \wedge D((a_1, \ldots, a_k), (\dot{a}_1, \ldots, \dot{a}_k))$ is shared by both $flow'_{D,B}(x, y)$ and $flow_{D,B}(x, y)$, it suffices to prove that for an arbitrary, but fixed $k$-dimensional box $A$,

$$\pi_{x,y}(Prune(\phi'_B(x, y), B_0 \times B \times \mathbb{R}_{\geq 0} \times A)) \subseteq \pi_{x,y}(Prune(\phi_B(x, y), B_0 \times B \times A)).$$

Now let $P = Prune(\phi'_B, B_0 \times B \times \mathbb{R}_{\geq 0} \times A)$. Let $(x, y) \in \pi_{x,y}(P)$. We will prove that $(x, y)$ is in $\pi_{x,y}(Prune(\phi_B, B_0 \times B \times A))$. Since each conjunct of $\phi'_B$ contains each variable just once, we know that for all $t \in \pi_t(P)$ there are $\dot{a}_1, \ldots, \dot{a}_k \in \pi_{\dot{a}_1, \ldots, \dot{a}_k}(P)$ such that these values satisfy the conjunct. So we also know that there are $(t, \dot{a}_1, \ldots, \dot{a}_k) \in \pi_{t, \dot{a}_1, \ldots, \dot{a}_k}(P)$ such that $(x, y, t, \dot{a}_1, \ldots, \dot{a}_k)$ satisfies the whole constraint $\phi'_B$. Choose a $t^*, \dot{a}^*_1, \ldots, \dot{a}^*_k$ with that property.

Since pruning must not remove solutions of $\phi_B$ within $B_0 \times B \times A$, it suffices to prove that there are $(\dot{a}_1, \ldots, \dot{a}_k) \in A$ such that $(x, y, \dot{a}_1, \ldots, \dot{a}_k)$ satisfies $\phi_B$. Choose $\dot{a}_1, \ldots, \dot{a}_k$ as $\dot{a}^*_1, \ldots, \dot{a}^*_k$. For proving that $(x, y, \dot{a}^*_1, \ldots, \dot{a}^*_k)$ satisfies $\bigwedge_{1 \leq m < n \leq k} \dot{a}^*_n (y_m - x_m) = \dot{a}^*_m (y_n - x_n)$, let $m, n$ be arbitrary, but fixed, such that $1 \leq m < n \leq k$. We prove that $(x, y, \dot{a}^*_1, \ldots, \dot{a}^*_k)$ is in the solution set of the corresponding conjunct. Here we have three cases:

– $\dot{a}^*_m \neq 0$, $\dot{a}^*_n \neq 0$: Then $\frac{y_m - x_m}{\dot{a}^*_m} = t^*$ and $\frac{y_n - x_n}{\dot{a}^*_n} = t^*$, so $\frac{y_m - x_m}{\dot{a}^*_m} = \frac{y_n - x_n}{\dot{a}^*_n}$, and hence $\dot{a}^*_n (y_m - x_m) = \dot{a}^*_m (y_n - x_n)$;
– $\dot{a}^*_m = 0$: then $x_m = y_m$, and both sides of the equality $\dot{a}^*_n (y_m - x_m) = \dot{a}^*_m (y_n - x_n)$ are zero;
– $\dot{a}^*_n = 0$: analogous to the previous case. ⊓⊔

So, we can prune at least as tightly using $flow'_{D,B}(x, y)$ as using $flow_{D,B}(x, y)$. In fact, we can prune strictly tighter!

Property 3. Not $flow'_{D,B} \equiv_P flow_{D,B}$.

Proof. Take a differential constraint $\dot{x}_1 = 1 \wedge \dot{x}_2 = 1$ and a box $B = [0, 2] \times [0, 2]$. Let $B_0 = \{(1, 1)\}$; then $Prune(flow'_{D,B}(x, y), B_0 \times B) = B_0 \times [1, 2] \times [1, 2]$ and $Prune(flow_{D,B}(x, y), B_0 \times B) = B_0 \times B$. ⊓⊔

To sum up, the theoretical evaluation shows that although neither of the two constraints always has a smaller solution set than the other, $flow'_{D,B}(x, y)$ has a definite advantage in size and in pruning power. Hence we only use the latter from now on.

Next, we will compare $flow'_{\dot{x}=Ax,B}(x, y)$ (or short: $flow'_{A,B}(x, y)$) with the constraint $eigen_{A,B}(x, y)$ for linear differential equations $\dot{x} = Ax$.

If $A$ has $k$ different real eigenvalues and $B = \mathbb{R}^k$, then $eigen_{A,B}(x, y)$ describes the exact solutions of the differential equations. But $flow'_{A,B}(x, y)$ employs the first-order Taylor expansion to over-approximate the exact solutions. Thus, $eigen_{A,B} \preceq flow'_{A,B}$? No! Only in cases where all trajectories leave the box and do not enter it again. Otherwise, $eigen_{A,B}(x, y)$ also includes the part of the trajectory that enters the box again, but $flow'_{A,B}(x, y)$ does not necessarily.

Now we compare the two constraints wrt. pruning. For linear differential equations, pruning is optimal for $flow'_{D,B}$. This follows from an analysis of the proof of Theorem 1, and the fact that the differential equation constrains each derivative $\dot{x}$ using a constraint $\dot{x} = Ax$, where each equation of this constraint contains only one component of $\dot{x}$, and contains each component of $x$ only once. However, this is in general not the case for $eigen_{A,B}$ due to multiple occurrences of variables.

There is no clearcut relationship between $Prune(flow'_{A,B}(x, y), B_0 \times B)$ and $Prune(eigen_{A,B}(x, y), B_0 \times B)$:

Property 4. Neither $flow'_{A,B} \preceq_P eigen_{A,B}$ nor $eigen_{A,B} \preceq_P flow'_{A,B}$.

Proof. This can be directly proven using only one example with a differential equation $(\dot{x}_1, \dot{x}_2) = (-x_1 - x_2, x_1 - x_2)$ and a box $B = [0, 4] \times [0, 4]$. If we set $B_0 = [2.5, 3] \times [0, 0]$, then $Prune(flow'_{A,B}, B_0 \times B) = B_0 \times [0, 3] \times [0, 4]$ and $Prune(eigen_{A,B}, B_0 \times B) = B_0 \times [0, 3.5] \times [0, 3]$. ⊓⊔

Moreover, there are even some cases where pruning $flow'_{A,B}$ returns a strict subset of pruning $eigen_{A,B}$, and vice versa: The former happens for a differential equation $(\dot{x}_1, \dot{x}_2) = (x_1 - x_2, x_1 + x_2)$ and a box $B = [0, 2] \times [0, 4]$. If we set $B_0 = [2, 2] \times [2, 4]$, then $Prune(flow'_{A,B}, B_0 \times B) = B_0 \times [0, 2] \times [2, 4]$ and $Prune(eigen_{A,B}, B_0 \times B) = B_0 \times B$. This is because the left-hand side of $eigen_{A,B}$, $c^T y$, evaluates to zero on some element in $B$. Hence every solution of $x \cos(bt) + \frac{\dot{x} - xa}{b} \sin(bt) = 0$ fulfills the constraint. There is such a solution, and since sin and cos are periodic, the solution set is not bounded for $t$, and the interval $[0, +\infty]$ for $t$ will not be pruned. Since $a$ is positive, the interval derived for the term $e^{at}$ will also stay unbounded, and no intervals will be pruned. But $t \in [0, 1]$ in $flow'_{A,B}$, which does provide some pruning.

The latter happens for a differential equation $(\dot{x}_1, \dot{x}_2) = (x_1, x_2)$ and a box $B = [0, 2] \times [0, 2]$. If we set $B_0 = \{(0, 0)\}$, $Prune(flow'_{A,B}, B_0 \times B) = B_0 \times B$ and $Prune(eigen_{A,B}, B_0 \times B) = B_0 \times B_0$. This is because $eigen_{A,B}$ here describes the exact solution starting from the initial point. But, since $\dot{x}_1$ and $\dot{x}_2$ can be zero, pruning $flow'_{A,B}$ results in $t \in [0, \infty]$. Thus, also the intervals for $y_1$ and $y_2$ cannot be pruned.
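The following Python code is an added example for this page (not RSolver or HSolver code): it runs interval propagation on $flow'_{D,B}$ and $flow_{D,B}$ for differential constraints of the form $\dot{a} = Aa + c$ with $a \in B$, enclosing the derivatives by interval evaluation over the whole box $B$ (an assumption of this example, coarser than what a solver sees in the full conjunct), and it reproduces the $flow'$ pruning results stated in Property 3, Property 4 and the two examples above, as well as the $flow$ result of Property 3. The function names and the constructed inputs are mine; the inputs are the boxes and equations quoted in the text.

```python
import math
from itertools import combinations

INF = math.inf

def meet(a, b):
    """Intersect two intervals; None means the box became empty."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def add(a, b):
    return (a[0] + b[0], a[1] + b[1])

def sub(a, b):
    return (a[0] - b[1], a[1] - b[0])

def _times(u, v):
    # 0 * inf is 0 in interval arithmetic (Python would give nan)
    return 0.0 if u == 0 or v == 0 else u * v

def mul(a, b):
    ps = [_times(u, v) for u in a for v in b]
    return (min(ps), max(ps))

def div(a, b):
    """Extended division: a divisor containing 0 yields no information."""
    if b[0] <= 0 <= b[1]:
        return (-INF, INF)
    qs = [u / v for u in a for v in b]
    return (min(qs), max(qs))

def deriv_enclosure(A, c, box):
    """Interval evaluation of A a + c over a in box: one interval per a_dot_i.
    This is how D((a), (a_dot)) is approximated here (assumption of this example)."""
    rows = []
    for i, row in enumerate(A):
        acc = (c[i], c[i])
        for j, coeff in enumerate(row):
            acc = add(acc, mul((coeff, coeff), box[j]))
        rows.append(acc)
    return rows

def prune_flow_prime(A, c, B, B0):
    """Prune(flow'_{D,B}, B0 x B): propagate y_i = x_i + a_dot_i * t with a
    shared t in [0, inf]. Returns (y_box, t_interval) or None if empty."""
    adot = deriv_enclosure(A, c, B)
    x, y, t = list(B0), list(B), (0.0, INF)
    for _ in range(1000):                                   # fixpoint loop
        changed = False
        for i in range(len(B)):
            yi = meet(y[i], add(x[i], mul(adot[i], t)))     # forward to y_i
            if yi is None:
                return None
            ti = meet(t, div(sub(yi, x[i]), adot[i]))       # backward to t
            if ti is None:
                return None
            if yi != y[i] or ti != t:
                changed = True
            y[i], t = yi, ti
        if not changed:
            break
    return y, t

def prune_flow(A, c, B, B0):
    """Prune(flow_{D,B}, B0 x B): propagate a_dot_n (y_m - x_m) = a_dot_m (y_n - x_n)
    for every pair m < n (no time variable). Returns y_box or None if empty."""
    adot = deriv_enclosure(A, c, B)
    x, y = list(B0), list(B)
    for _ in range(1000):
        changed = False
        for m, n in combinations(range(len(B)), 2):
            lhs = mul(adot[n], sub(y[m], x[m]))
            rhs = mul(adot[m], sub(y[n], x[n]))
            both = meet(lhs, rhs)                            # both sides must agree
            if both is None:
                return None
            ym = meet(y[m], add(x[m], div(both, adot[n])))   # backward to y_m
            yn = meet(y[n], add(x[n], div(both, adot[m])))   # backward to y_n
            if ym is None or yn is None:
                return None
            if ym != y[m] or yn != y[n]:
                changed = True
            y[m], y[n] = ym, yn
        if not changed:
            break
    return y

# Constructed inputs taken from the examples in the text.
ZERO2 = [[0, 0], [0, 0]]                 # with c = (1, 1): (x1_dot, x2_dot) = (1, 1)
ROT = [[-1, -1], [1, -1]]                # (x1_dot, x2_dot) = (-x1 - x2, x1 - x2)

if __name__ == "__main__":
    print(prune_flow_prime(ZERO2, (1, 1), [(0, 2), (0, 2)], [(1, 1), (1, 1)]))
    print(prune_flow(ZERO2, (1, 1), [(0, 2), (0, 2)], [(1, 1), (1, 1)]))
```

With this whole-box enclosure the shared $t$ is narrowed only when the derivative enclosure excludes zero, so the $t \in [0, 1]$ mentioned for the second example is not recovered here, although the $y$ intervals are.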

Since there is no clearcut relationship between $Prune(flow'_{A,B}, B_0 \times B)$ and $Prune(eigen_{A,B}, B_0 \times B)$, we strengthen both constraints by combining them. Thus, by sharing the same time variable we allow timing information to be propagated between them as follows:

Lemma 4. For a linear differential equation $\dot{x} = Ax$ and a box $B$, if there is a trajectory in $B$ from a point $x = (x_1, \ldots, x_k)^T \in B$ to a point $y = (y_1, \ldots, y_k)^T \in B$ on which $\dot{x} = Ax$ holds, then

$$\exists t \in \mathbb{R}_{\geq 0} [flow^*_{A,B}(t, x, y) \wedge eigen^*_{A,B}(t, x, y)] \tag{3}$$

We denote the above new Constraint 3 by $comb_{A,B}(x, y)$. Clearly, this constraint implies $flow'_{A,B}(x, y)$, and also implies $eigen_{A,B}(x, y)$. That is, $comb_{A,B} \preceq flow'_{A,B}$ and $comb_{A,B} \preceq eigen_{A,B}$. Moreover, we have:

Theorem 2. $comb_{A,B} \preceq_P flow'_{A,B}$ and $comb_{A,B} \preceq_P eigen_{A,B}$.

So, the combination constraint is at least as good as $flow'_{A,B}(x, y)$ and $eigen_{A,B}(x, y)$. But, in fact, it is better!

Property 5. Neither $comb_{A,B} \equiv_P flow'_{A,B}$ nor $comb_{A,B} \equiv_P eigen_{A,B}$.

Proof. This can be seen on an example with a differential equation $(\dot{x}_1, \dot{x}_2) = (-x_1 - x_2, x_1 - x_2)$ and a box $B = [0, 4] \times [0, 4]$. If we set $B_0 = [2.5, 3] \times [0, 0]$, then $Prune(flow'_{A,B}, B_0 \times B) = B_0 \times [0, 3] \times [0, 4]$, $Prune(eigen_{A,B}, B_0 \times B) = B_0 \times [0, 3.5] \times [0, 3]$ and $Prune(comb_{A,B}, B_0 \times B) = B_0 \times [0, 3] \times [0, 3]$. ⊓⊔

However, the combination constraint is bigger than both $flow'_{A,B}(x, y)$ and $eigen_{A,B}(x, y)$. Thus, pruning will take more time on it.

6 Constraint Propagation Based Abstraction Refinement

In order to reduce the amount of over-approximation introduced (both by using over-approximating constraints and an over-approximating constraint solver), we put the introduced constraints into an abstraction refinement approach [20].

Our technique assumes a bounded state space, and decomposes it into finitely many boxes. For each pair of boxes, it sets an abstract transition only if it cannot prove the absence of trajectories between them. Also, it marks boxes as initial (unsafe) if it cannot prove the absence of an initial (unsafe) element in the box. If the resulting finite abstraction is safe, we know that the concrete hybrid system is safe. If it is not safe, we refine the abstraction by splitting boxes into pieces and recomputing the affected information in the abstraction. Note that when the longest side-length of all boxes goes to zero, our constraint solver eventually will over-approximate the exact solution of all constraints arbitrar

ily closely.

Moreover, we have a mechanism for removing unreachable elements from boxes. For this observe that a point in a box $B$ is reachable only if it is reachable either from the initial set via a flow in $B$, from a jump via a flow in $B$, or from a neighboring box via a flow in $B$. So we formulate constraints corresponding to each of these conditions and then remove points from boxes that do not fulfill at least one of these constraints.

The approach can be used with any constraint describing that $y$ can be reachable from $x$ via a flow in $B$ and mode $s$, for example the ones introduced in this paper. We denote the used constraint by $Reachable_B(s, x, y)$.

Assume that a hybrid system has a flow constraint $Flow(s, x, \dot{x})$, a jump constraint $Jump(s, x, s', x')$, an initial constraint $Init(s, x)$ and an unsafety constraint $UnSafe(s, x)$. We have the following theorem:

Theorem 3. For a set of abstract states $\mathcal{B}$ such that all boxes corresponding to the same mode are non-overlapping, a pair $(s', B') \in \mathcal{B}$ and a point $z \in B'$, if $(s', z)$ is reachable, then

$$initflow_{B'}(s', z) \;\vee\; \bigvee_{(s,B) \in \mathcal{B}} jumpflow_{B,B'}(s, s', z) \;\vee\; \bigvee_{(s,B) \in \mathcal{B},\, s = s',\, B \neq B'} boundaryflow_{B,B'}(s', z)$$

where $initflow_{B'}(s', z)$, $jumpflow_{B,B'}(s, s', z)$ and $boundaryflow_{B,B'}(s', z)$ denote the following three constraints, respectively:

– $\exists y \in B' [Init(s', y) \wedge Reachable_{B'}(s', y, z)]$,
– $\exists x \in B\, \exists x' \in B' [Jump(s, x, s', x') \wedge Reachable_{B'}(s', x', z)]$,
– $\exists a \in B \cap B' \big[ [\forall \text{faces } F \text{ of } B\, [a \in F \Rightarrow out^F_{s',B,B'}(a)]] \wedge Reachable_{B'}(s', a, z) \big]$.

Here, $out^F_{s',B,B'}(a)$ is one of the following constraints:

– $\exists \dot{a}_j [Flow(s', a, (\dot{a}_1, \ldots, \dot{a}_k)) \wedge \dot{a}_j \leq 0]$, if $F$ is the $j$-th lower face of $B$, and
– $\exists \dot{a}_j [Flow(s', a, (\dot{a}_1, \ldots, \dot{a}_k)) \wedge \dot{a}_j \geq 0]$, if $F$ is the $j$-th upper face of $B$.

We denote the main constraint (i.e., the disjunction) by $reachable_{B'}(s', z)$. If we can prove that a certain point does not fulfill this constraint, we know that it is not reachable. In Section 4 we have a pruning algorithm that takes such a constraint and an abstract state $(s', B')$, and returns a sub-box of $B'$ that still contains all the solutions of the constraint in $B'$.

We remove the initial mark from an abstract state $(s', B')$ if we can disprove $initflow_{B'}(s', z)$ in Theorem 3, and we remove the unsafe mark of an abstract state $(s', B')$ if we can disprove the constraint $\exists x \in B'\, UnSafe(s', x)$. Moreover, we remove a transition from $(s, B)$ to $(s', B')$ if we can disprove both $boundaryflow_{B,B'}(s', z')$ and $jumpflow_{B,B'}(s, s', z')$ from Theorem 3.

7 Empirical Evaluation

In this section we evaluate the constraints by using them in the verification method introduced in the previous section. That is, we replace all occurrences of $Reachable_B(s, x, y)$ introduced in Theorem 3 by $flow_{D,B}$ (or, $flow_{A,B}$), $flow'_{D,B}$ (or, $flow'_{A,B}$), $eigen_{A,B}$ and $comb_{A,B}$, respectively. We illustrate the behavior of our implementation on a few benchmark problems. Note that in the literature on the verification of hybrid systems the habit prevails to test new methods only on 2-3, or even fewer, examples. We do not follow this tradition and do more extensive benchmarking. We will publish the corresponding HSolver input files on its web-page [19].

Note that we used the following splitting strategies here: we split several boxes at a time, bisecting one box per mode, choosing a box with widest side-length for each mode, and employing the usual round-robin strategy for choosing a certain variable within a box. The computations were performed on a Pentium IV, 2.60GHz with 1 GB RAM, and they were canceled when computation did not terminate before 5 hours of computation time.

We used the following benchmark problems for comparing $flow_{D,B}$ and $flow'_{D,B}$, with computation results shown in Table 1:

Example 1:

Flow: $(\dot{x}_1, \dot{x}_2) = (-x_1 - x_2, x_1 - x_2)$, empty jump relation
Init: $2.5 \leq x_1 \leq 3 \wedge x_2 = 0$, Unsafe: $x_1 > 3 \vee x_2 > 3$
The state space: $[0, 4] \times [0, 4]$

Example 2:
Flow: $(\dot{x}_1, \dot{x}_2) = (x_1 - x_2, x_1 + x_2)$, empty jump relation
Init: $2.5 \leq x_1 \leq 3 \wedge x_2 = 0$, Unsafe: $x_1 \leq 2$
The state space: $[0, 4] \times [0, 4]$

Example 3: The flow constraints are constructed by setting all the parameters in the two tanks problem [22] to 1.
Flow: $\big( s = 1 \rightarrow (\dot{x}_1, \dot{x}_2) = (1 - \sqrt{x_1},\; \sqrt{x_1} - \sqrt{x_2}) \big) \wedge \big( s = 2 \rightarrow (\dot{x}_1, \dot{x}_2) = (1 - \sqrt{x_1 - x_2 + 1},\; \sqrt{x_1 - x_2 + 1} - \sqrt{x_2}) \big)$
Jump: $(s = 1 \wedge 0.99 \leq x_2 \leq 1) \rightarrow (s' = 2 \wedge x'_1 = x_1 \wedge x'_2 = 1)$
Init: $s = 1 \wedge (x_1 - 5.5)^2 + (x_2 - 0.25)^2 \leq 0.0625$
Unsafe: $s = 1 \wedge (x_1 - 4.25)^2 + (x_2 - 0.25)^2 < 0.0625$
The state space: $(1, [4, 6] \times [0, 1]) \cup (2, [4, 6] \times [1, 2])$

Example 4: This is a predator-prey example.
Flow: $\big( s = 1 \rightarrow (\dot{x}_1, \dot{x}_2) = (-x_1 + x_1 x_2,\; x_2 - x_1 x_2) \big) \wedge \big( s = 2 \rightarrow (\dot{x}_1, \dot{x}_2) = (-x_1 + x_1 x_2,\; x_2 - x_1 x_2) \big)$
Jump: $\big( (s = 1 \wedge 0.875 \leq x_2 \leq 0.9) \rightarrow (s' = 2 \wedge (x'_1 - 1.2)^2 + (x'_2 - 1.8)^2 \leq 0.01) \big) \vee \big( (s = 2 \wedge 1.1 \leq x_2 \leq 1.125) \rightarrow (s' = 1 \wedge (x'_1 - 0.7)^2 + (x'_2 - 0.7)^2 \leq 0.01) \big)$
Init: $s = 1 \wedge (x_1 - 0.8)^2 + (x_2 - 0.2)^2 \leq 0.01$
Unsafe: $s = 1 \wedge x_1 > 0.8 \wedge x_2 > 0.8 \wedge x_1 \leq 0.9 \wedge x_2 \leq 0.9$
State space: $(1, [0.1, 0.9] \times [0.1, 0.9]) \cup (2, [1.1, 1.9] \times [1.1, 1.9])$

Example 5: This is a simple example with a clock variable.
Flow: $(\dot{x}, \dot{y}, \dot{t}) = (-5.5y + y^2,\; 6x - x^2,\; 1)$, empty jump relation
Init: $4 \leq x \leq 4.5 \wedge y = 1 \wedge t = 0$
Unsafe: $1 \leq x < 2 \wedge 2 < y < 3 \wedge 2 \leq t \leq 4$
The state space: $[1, 5] \times [1, 5] \times [0, 4]$

Example 6: A three-dimensional and nonlinear example about a simple controller that steers a car along a straight road [6].

The three continuous variables are the position x, the heading angle γ andthe internal timer c. Since we cannot prove the safety property described in theoriginal paper, in this paper the unsafe space is reset to be x ≤ −4.Example 7: A linear collision avoidance example from a part of the car convoicontrol from a paper by A. Puri and P. Varaiya [16].

Let gap, vr, vl and ar respectively represent the distance between the twocars (di−1 − di in the original paper), the velocity of the rear car (di), thevelocity of the leading car (di−1) and the acceleration of the rear car (di). Byusing these variables and restricting vl by −2 ≤ vl ≤ −0.5 we transformedthe original higher-order differential equation into a four-dimensional differential(in)equation of order one.

12 Stefan Ratschan and Zhikun She

We set the state space to [0, 4] × [0, 2] × [0, 2] × [−2, −0.5], and we want to verify that gap > 0 when starting from gap = 1, vr = 2, vl = 2 and ar = −0.5.

Example 8: A four-dimensional and nonlinear example about a mixing-tank-system from a paper by O. Stursberg, S. Kowalewski and S. Engell [21].

In the original paper, the system is simplified to a two-dimensional system. In this paper, we keep the differential equations (V̇1, V̇2) = (0.008, 0.015) in the flow constraint, where V1 and V2 are two inlet streams. Then, initially, V1(0) = 1, V2(0) = 1, and (h(0), c(0)) ∈ [1.32, 1.5] × [1.2, 1.32], where h is liquid height and c is concentration. We want to verify that the state {(V1, V2, h, c) : h ∈ [1.1, 1.3] ∧ c ∈ [1.68, 1.80]} is unreachable.

Example 9: A two-dimensional and nonlinear example about a tunnel-diode oscillator circuit [10]. It models the voltage drop V and the current I.

The original problem was to prove that all trajectories eventually reach a certain set and stay there. We transformed it to a reachability problem, using the state space [−0.1, 0.6] × [−0.002, 0.002] and the unsafety constraint V < −0.04 ∨ V > 0.54 ∨ I < −0.0015 ∨ I > 0.00175.

Example 10: A linear, three-dimensional model of a mutant of V. fischeri [2].

Let x1, x2 and x3 respectively represent the protein LuxI, the autoinducer Ai and the complex Co described in the original paper. The model has two modes with dynamics in the form $\dot{x} = Ax + b_i$, $i = 1, 2$, where $x = (x_1, x_2, x_3)^T$ and
$$
A = \begin{pmatrix}
-1/3600 & 0 & 0\\
7.5\mathrm{e}{-5} & -(1/36000 + 7.5\mathrm{e}{-9}) & 1.5\mathrm{e}{-9}\\
0 & 0.005 & -1/3600 - 0.01
\end{pmatrix}
$$
and $b_1 = (0.00375, 0, 0)^T$ and $b_2 = (3.75375, 0, 0)^T$.

We set the state space to be [0, 30000] × [0, 60000] × [0, 30000] and the switches occur when the plane x3 = 1000 is reachable and x2 ∈ [1000, 45000]. We want to verify that x1 ≥ 27500 ∨ x2 ≥ 50000 ∨ x3 ≥ 25000 cannot be reachable when starting from [17500, 20000] × [40000, 45000] × [5000, 7500] in mode 1.

Table 1. Computation results for flow_{D,B} and flow′_{D,B}

          flow_{D,B}                                      flow′_{D,B}
Example   CPU time   Splitting steps   Pruning number     CPU time   Splitting steps   Pruning number
1         0.041s     6                 79                 0.020s     2                 30
2         0.34s      71                1572               0.38s      58                1203
3         0.18s      11                397                0.24s      11                397
4         0.57s      43                2250               0.66s      42                1884
5         2.59s      93                3552               1.69s      81                2929
6         0.35s      1                 88                 0.14s      0                 41
7         187.96s    369               69158              105.55s    367               68675
8         7.68s      54                3138               43.95s     294               39281
9         13.209s    165               12215              3.653s     57                4655
10        1876s      1889              366681             686s       1417              270078

Reachability Constraints 13

The results show that the new constraint improves the number of pruning steps for all examples except for Example 8, which we will discuss below. As expected, this also decreases the run-time of the method except for 2-dimensional examples, where the new constraint has more conjuncts than the old one.

We analyzed the anomaly in the behavior on Example 8 in more detail. After applying the pruning algorithm for the first time to reachable_{B′}(s′, z), using flow′_{D,B} we can prune the box [0, 2] × [0, 2] × [0.5, 1.5] × [1.2, 1.8] to a new box [1, 1.53333333333] × [1, 2] × [1.22034017148, 1.5] × [1.2, 1.8]; but, after we apply the pruning algorithm to reachable_{B′}(s′, z) using flow_{D,B}, we can only prune the box [0, 2] × [0, 2] × [0.5, 1.5] × [1.2, 1.8] to a new box [0.466666666667, 1.53333333333] × [0, 2] × [1.22034017148, 1.5] × [1.2, 1.8]. So, in fact, the new method is better at the beginning! However, it seems that this improvement at the beginning turns out to be bad luck later, since our method is very sensitive to splitting heuristics, and the improved pruning results in different choices of boxes for splitting during the algorithm. This suggests that a detailed study of splitting heuristics will be able to significantly improve the method further.

In addition to the linear examples from above (Examples 1, 2 and 10), we used the following benchmarks for comparing flow′_{A,B}, eigen_{A,B} and comb_{A,B}, with results shown in Table 2:

Example 11: A linear, three-dimensional example.

Flow: (ẋ1, ẋ2, ẋ3) = (0.80x2 + 0.6x3 − 1.8, 0.8x1 + 0.7x3 − 15.2, 0.6x1 + 0.7x2 − 1.8);

Empty jump relation; Init: 19 ≤ x1 ≤ 20 ∧ 19 ≤ x2 ≤ 20 ∧ 19 ≤ x3 ≤ 20;

Unsafe: x1 ≤ 21 ∧ x2 ≤ 20 ∧ x3 ≥ 22.5;

The state space: [15, 24] × [15, 24] × [15, 24].

Example 12: A linear collision avoidance example similar to Example 6.

We restrict vl by vl = 0, and reset the state space to be [0, 10] × [0, 30] × [0, 30] × [−2, 5] and the initial set to be −0.8522vr − 0.1478vl − 0.3177ar + gap > 10.

Example 13: A linear, four-dimensional navigation benchmark proposed in [10].

The map and the dynamics of the 4-dimensional state vector are given by
$$
\begin{pmatrix} B & 2 & 4\\ 2 & 2 & 4\\ 1 & 1 & A \end{pmatrix}
\quad\text{and}\quad
\begin{pmatrix}\dot{x}\\ \dot{v}\end{pmatrix}
= \begin{pmatrix} 0 & I\\ 0 & M \end{pmatrix}\begin{pmatrix} x\\ v \end{pmatrix}
- \begin{pmatrix} 0 & 0\\ 0 & M \end{pmatrix}\begin{pmatrix} 0\\ v_d(i) \end{pmatrix}
\quad\text{with } M = \begin{pmatrix} -1.2 & 0.1\\ 0.1 & -1.2 \end{pmatrix},
$$
where i are the integers given in the map and $v_d(i) = (\sin(i\pi/4), \cos(i\pi/4))^T$. The state space for v is chosen to be [−0.5, 0.5] × [−0.5, 0.5]. Additionally, the initial states for this instance are defined by x0 ∈ [2, 3] × [1, 2] and v0 ∈ [−0.2, 0.2] × [−0.15, 0.05]. We want to verify that B cannot be reachable.

The results show that the combination decreases the size of the abstraction and the number of calls to the constraint solver. However, as expected, this will for some cases increase the run-time of the method, due to the bigger size of this constraint. This phenomenon is reflected by Examples 1, 2, 12 and 13. But, for hard (and thus realistic) problems (e.g., Example 10), the improvement due to the first phenomenon will always dominate: in such cases the time spent on constraint solving will always be dominated by computations on the abstraction, and hence it is essential to keep the abstraction small.


Table 2. Computation results for flow′_{A,B}, eigen_{A,B} and comb_{A,B}

          flow′_{A,B}                      eigen_{A,B}                      comb_{A,B}
Example   CPU      Splitting  Pruning      CPU      Splitting  Pruning      CPU      Splitting  Pruning
          time     steps      number       time     steps      number       time     steps      number
1         0.020s   2          30           unknown  –          –            0.038s   0          3
2         0.38s    58         1203         unknown  –          –            5.362s   58         1203
10        686s     1417       270078       12534s   3279       560082       122s     235        46540
11        unknown  –          –            unknown  –          –            0.319s   5          61
12        unknown  –          –            0.465s   0          3            0.756s   0          3
13        unknown  –          –            1.005s   1          47           1.254s   1          43

For some cases, the safety property cannot be verified using eigen_{A,B} in our method. For Examples 1 and 2 this can be explained using an observation already discussed in Section 5: the eigenvalues are complex with non-zero imaginary parts, and in such a case, since t occurs several times in the term $c^T\bigl(x\cos(bt) + \frac{x - ax}{b}\sin(bt)\bigr)$, we will get an over-approximating interval for this term.
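As an added illustration (not code from the paper and not part of the HSolver package [19]), the following Python block shows in miniature the two effects discussed above: the box pruning of the Example 8 analysis, here in an assumed, simplified mean-value-theorem form x ∈ (x0 + [0, T]·f(B)) ∩ B run on the flow, initial set and unsafe set of Example 2, and the over-approximation of the term c^T(x cos(bt) + ((x − ax)/b) sin(bt)) that arises because interval arithmetic encloses cos(bt) and sin(bt) independently although both depend on the same t. The interval class, all function names, the one-dimensional stand-in for the c^T term and the sample values (c = x = b = 1, a = 0.5, t ∈ [0, π/2], the sub-box [2, 4] × [0, 2]) are constructed for this example and are not from the paper.

```python
"""Interval over-approximation of reachability: constructed illustration, not HSolver code."""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Interval:
    """Closed interval [lo, hi] with the arithmetic needed below (no outward rounding)."""
    lo: float
    hi: float

    def __add__(self, o):
        o = _iv(o)
        return Interval(self.lo + o.lo, self.hi + o.hi)

    __radd__ = __add__

    def __sub__(self, o):
        o = _iv(o)
        return Interval(self.lo - o.hi, self.hi - o.lo)

    def __mul__(self, o):
        o = _iv(o)
        p = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval(min(p), max(p))

    __rmul__ = __mul__

    def meet(self, o: "Interval") -> Optional["Interval"]:
        lo, hi = max(self.lo, o.lo), min(self.hi, o.hi)
        return Interval(lo, hi) if lo <= hi else None


def _iv(v) -> Interval:
    return v if isinstance(v, Interval) else Interval(float(v), float(v))


Box = List[Interval]


def mvt_reach_box(init: Box, box: Box, flow: Callable[[Box], Box], T: float) -> Optional[Box]:
    """ASSUMED simplified mean-value-theorem propagation: a trajectory that stays in `box` for
    time t in [0, T] satisfies x = x0 + t*f(xi) with xi in box, so x is in (x0 + [0,T]*f(box)) ∩ box.
    Returns the pruned box, or None when it is empty."""
    deriv = flow(box)  # interval enclosure of the vector field over the whole box
    tspan = Interval(0.0, T)
    pruned: Box = []
    for x0, d, b in zip(init, deriv, box):
        r = (x0 + tspan * d).meet(b)
        if r is None:
            return None
        pruned.append(r)
    return pruned


def may_reach_unsafe(init: Box, unsafe: Box, box: Box, flow, T: float) -> bool:
    """False proves: no trajectory from `init` reaches `unsafe` within [0, T] without leaving `box`."""
    reach = mvt_reach_box(init, box, flow, T)
    return reach is not None and all(r.meet(u) is not None for r, u in zip(reach, unsafe))


# Example 2 of the paper: x1' = x1 - x2, x2' = x1 + x2; Init 2.5 <= x1 <= 3, x2 = 0; Unsafe x1 <= 2.
def example2_flow(x: Box) -> Box:
    return [x[0] - x[1], x[0] + x[1]]


EX2_INIT: Box = [Interval(2.5, 3.0), Interval(0.0, 0.0)]
EX2_UNSAFE: Box = [Interval(0.0, 2.0), Interval(0.0, 4.0)]  # x1 <= 2 inside the state space [0,4]^2


def interval_sin(a: Interval) -> Interval:
    """Range of sin over [a.lo, a.hi]: endpoint values plus +-1 at every interior extremum pi/2 + k*pi."""
    vals = [math.sin(a.lo), math.sin(a.hi)]
    k_lo = math.ceil((a.lo - math.pi / 2) / math.pi)
    k_hi = math.floor((a.hi - math.pi / 2) / math.pi)
    vals += [1.0 if k % 2 == 0 else -1.0 for k in range(k_lo, k_hi + 1)]
    return Interval(min(vals), max(vals))


def interval_cos(a: Interval) -> Interval:
    return interval_sin(a + math.pi / 2)


def eigen_term_naive(c: float, x: float, a: float, b: float, t: Interval) -> Interval:
    """Interval evaluation of c*(x cos(bt) + (x - a x)/b * sin(bt)) for scalar c, x, a, b (constructed
    one-dimensional stand-in for the c^T term). cos(bt) and sin(bt) are enclosed independently
    although both depend on the same t: this dependency is what widens the result."""
    return c * (x * interval_cos(b * t) + ((x - a * x) / b) * interval_sin(b * t))


def eigen_term_sampled(c: float, x: float, a: float, b: float, t: Interval, n: int = 10000) -> Interval:
    """Reference range of the same scalar function, obtained by sampling t on a fine grid."""
    vals = [c * (x * math.cos(b * ti) + (x - a * x) / b * math.sin(b * ti))
            for ti in (t.lo + (t.hi - t.lo) * i / n for i in range(n + 1))]
    return Interval(min(vals), max(vals))


if __name__ == "__main__":
    whole = [Interval(0, 4), Interval(0, 4)]  # the full state space of Example 2: inconclusive
    sub = [Interval(2, 4), Interval(0, 2)]    # one box after a split: unsafe set excluded
    print("whole box, unsafe possible:", may_reach_unsafe(EX2_INIT, EX2_UNSAFE, whole, example2_flow, 1.0))
    print("sub box, unsafe possible:  ", may_reach_unsafe(EX2_INIT, EX2_UNSAFE, sub, example2_flow, 1.0))
    t = Interval(0.0, math.pi / 2)            # constructed values: c = x = b = 1, a = 0.5
    print("naive interval:", eigen_term_naive(1.0, 1.0, 0.5, 1.0, t))
    print("sampled range: ", eigen_term_sampled(1.0, 1.0, 0.5, 1.0, t))
```

On the whole state space of Example 2 the propagated box still meets x1 ≤ 2, so nothing is proven; on the sub-box [2, 4] × [0, 2] the enclosure of the flow gives ẋ1 ∈ [0, 4], the propagated x1-range [2.5, 4] misses the unsafe set, and the box is pruned the way the Example 8 discussion describes. For the eigen term the naive interval is [0, 1.5] while the function's actual range on t ∈ [0, π/2] is about [0.5, 1.118]; that gap is the over-approximation the paragraph above attributes to t occurring several times in the term.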

On Examples 10 and 11 it can be seen nicely that the combined constraint can be stronger than either flow′_{A,B} or eigen_{A,B} in isolation.

Note that we did not use Examples 11, 12 and 13 in Table 1 because their safety properties cannot be verified using either flow_{A,B} or flow′_{A,B}.

8 Conclusion

We have provided a detailed study of two types of constraints in the verification of hybrid systems. The overall approach, to formulate reach set computation as a constraint solving problem, and to apply an efficiently over-approximating constraint solver to it, can be extended to various new types of constraints. Specifically we will study the use of higher order Taylor approximations instead of the constraint based on the mean value theorem. Our software is publicly available [19], and we will include an interface that allows the incorporation of and experimentation with new, user-defined constraints. Based on the gained experience and user feedback, we will optimize the constraint solver especially for the most useful ones.

References

1. H. Anai and V. Weispfenning. Reach set computation using real quantifier elimination. In Proceedings of 4th International Workshop on Hybrid Systems: Computation and Control (HSCC2001), volume 2034 of LNCS, pages 63–76. Springer, 2001.

2. C. Belta, J. Schug, T. Dang, V. Kumar, G. Pappas, H. Rubin, and P. Dunlap. Stability and reachability analysis of a hybrid model of luminescence in the marine bacterium vibrio fisheri. In CDC’01 - Conference on Decision and Control. Florida, USA, 2001.


3. F. Benhamou and W. J. Older. Applying interval arithmetic to real, integer and Boolean constraints. Journal of Logic Programming, 32(1):1–24, 1997.

4. B. F. Caviness and J. R. Johnson, editors. Quantifier Elimination and Cylindrical Algebraic Decomposition. Springer, Wien, 1998.

5. A. Chutinan and B. H. Krogh. Verification of polyhedral-invariant hybrid automata using polygonal flow pipe approximations. In F. Vaandrager and J. van Schuppen, editors, HSCC’99, number 1569 in LNCS, pages 76–90. Springer, 1999.

6. E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement for symbolic model checking. Journal of the ACM, 50(5):752–794, 2003.

7. T. Dang and O. Maler. Reachability analysis via face lifting. In T. A. Henzinger and S. Sastry, editors, Hybrid Systems: Computation and Control (HSCC), number 1386 in LNCS, pages 96–109. Springer, 1998.

8. E. Davis. Constraint propagation with interval labels. Artificial Intelligence, 32(3):281–331, 1987.

9. M. J. Fischer and M. O. Rabin. Super-exponential complexity of Presburger arithmetic. SIAM-AMS Proceedings, 7:27–41, 1974. Also in [4].

10. G. Frehse. PHAVer: Algorithmic verification of hybrid systems past HyTech. In Morari and Thiele [15].

11. T. Hickey and D. Wittenberg. Rigorous modeling of hybrid systems using interval arithmetic constraints. In R. Alur and G. J. Pappas, editors, Hybrid Systems: Computation and Control, number 2993 in LNCS. Springer, 2004.

12. T. J. Hickey. Analytic constraint solving and interval arithmetic. In Proceedings of the 27th Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, 2000.

13. T. J. Hickey. Metalevel interval arithmetic and verifiable constraint solving. Journal of Functional and Logic Programming, 2001(7), October 2001.

14. G. Lafferriere, G. J. Pappas, and S. Yovine. Symbolic reachability computation for families of linear vector fields. Journal of Symbolic Computation, 32(3):231–253, 2001.

15. M. Morari and L. Thiele, editors. Hybrid Systems: Computation and Control, volume 3414 of LNCS. Springer, 2005.

16. A. Puri and P. Varaiya. Driving safely in smart cars. In Proc. of the 1995 American Control Conference, pages 3597–3599, 1995.

17. S. Ratschan. Rsolver. http://rsolver.sourceforge.net, 2004. Software package.

18. S. Ratschan. Efficient solving of quantified inequality constraints over the real numbers. ACM Transactions on Computational Logic, 2005. To appear.

19. S. Ratschan and Z. She. Hsolver. http://www.mpi-sb.mpg.de/~ratschan/hsolver, 2004. Software package.

20. S. Ratschan and Z. She. Safety verification of hybrid systems by constraint propagation based abstraction refinement. In Morari and Thiele [15].

21. O. Stursberg, S. Kowalewski, and S. Engell. On the generation of timed discrete approximations for continuous systems. Mathematical and Computer Models of Dynamical Systems, 6:51–70, 2000.

22. O. Stursberg, S. Kowalewski, I. Hoffmann, and J. Preußig. Comparing timed and hybrid automata as approximations of continuous systems. In P. J. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, editors, Hybrid Systems, number 1273 in LNCS, pages 361–377. Springer, 1997.

23. A. Tiwari. Approximate reachability for linear systems. In O. Maler and A. Pnueli, editors, Hybrid Systems: Computation and Control (HSCC), number 2623 in LNCS. Springer, 2003.