Cyber-Physical Systems { Modeling and Simulation …schulzef/2015-06-12-Matthias...2015/06/12 · Cyber-Physical Systems { Modeling and Simulation of Hybrid Systems Matthias Altho

Cyber-Physical Systems – Modeling and Simulation ofHybrid Systems

Matthias Althoff

TU Munchen

05. June 2015

Matthias Althoff Modeling and Simulation of Hybrid Systems 05. June 2015 1 / 28

Overview

Overview

Hybrid Systems

Modeling as hybrid automata

Other modeling formalisms

Properties of hybrid systems

Numerical simulation of hybrid automata

Stability analysis of hybrid systems (next lecture)

Reachability analysis of hybrid systems (next lecture)

Hybrid systems are the most general class of systems considered in thiscourse. Timed automata can already be considered as hybrid systems witha simple continuous dynamics (ci = 1).


Modeling as Hybrid Automata

Why combine discrete and continuous dynamics?

In many cyber-physical systems, the continuous dynamics and the discretedynamics cannot be designed separately (see first lecture):

automated drivingsource: Carnegie Mellon University

automated farmingsource: Kesmac

human-robot collaborationsource: Rethink Robotics

surgical robotssource: daVinci

smart gridssource: Siemens

air traffic controlsource: NASA



Hybrid Automata

Hybrid automata describe the dynamics of systems that can be described by afinite set of discrete states zi and continuous state variables xi ∈ R. Starting froman initial state z(t0), initial continuous values xi (t0), a continuous input trajectoryuc(t), and a timed input sequence

u =((u(t0), t0), (u(t1), t1), (u(t2), t2), . . .

)

a finite state automaton creates a continuous output trajectory yc(t) and a timedoutput sequence

y =((y(t0), t0), (y(t1), t1), (y(t2), t2), . . .

),

where it is not required that the times ti and ti are synchronized.

u Hybridautomaton

y

uc(t) yc (t)



Syntax of Hybrid Automata

Definition

A hybrid automaton HA is a tuple (ordered set):

HA = (Z,X ,U ,Y,Uc ,Yc ,T, inv, g, h, f, z0, x0),

where z0 is the discrete initial state, x0 is the continuous initial state

Z = {z1, . . . , zn} set of discrete statesX ⊆ Rn continuous state spaceU = {u1, . . . , up} set of input symbols (input alphabet)Y = {y1, . . . , yq} set of output symbols (output alphabet)Uc ⊆ Rm continuous input spaceYc ⊆ Ro continuous output spaceT ⊆ Z × U × Z × Y set of transitionsinv : Z → P(X ) invariant functiong : T → P(X ) guard functionh : T×X → X jump functionf : Z × X × Uc → Rn flow function

There exist many variations of definitions of hybrid automata in the literature. AMatthias Althoff Modeling and Simulation of Hybrid Systems 05. June 2015 5 / 28


Semantics of Hybrid Automata

Our definition of a hybrid automaton has the following semantics:

The hybrid automaton starts at the discrete state z0 and thecontinuous state x0.

The continuous state evolves according to the flow function that isassigned to each location zi : x = f (zi , x , uc ).

As soon as the continuous state x is within a guard set g(z , u, z ′, y) ofa transition (z , u) → (z ′, y), the corresponding transition is activated.

As soon as the input event u of an activated transition occurs, thetransition is taken and the output event y is generated.

A transition is enforced if the continuous state would leave theinvariant inv(zi).

After a transition is taken, the jump function resets the continuousstate:

x ′ = h((z , u, z ′, y), x

)



Animation of Hybrid Automata

initialcontinuous

set

trajectory

guards

invariant

x1

x2z1 z2

Continuous evolution

Start at z0 and x0

x(t) is the solution of x(t) = f (z(t), x(t), uc (t))




initialcontinuous

set

trajectory

guards

jumpinvariant

x1

x2z1 z2

Activation of discrete transition

Transition (z , u, z ′, y) is activated when x(t) ∈ g(z , u, z ′, y) (z :before transition, z ′: after transition)

Transition is taken as soon as event u occurs

Transition is enforced when x(t) leaves inv(z)




initialcontinuous

set

trajectory

guards

jump

invariant

x1

x2z1 z2

Discrete transition and jump of continuous state

Location changes from z to z ′

Output event y is generated

Continuous state may jump: x ′ = h((z , u, z ′, y), x

)

(x ′: continuous state after jump)




initialcontinuous

set

trajectory

guards

jump

invariant

x1

x2z1 z2

... and so on ...



Hybrid Automaton of a Bouncing Ball

Given is a ball with dynamics s = −g , where s is the vertical position andg is the gravity constant. After impact with the ground at s = 0, thevelocity changes to v ′ = −αv (v = s) with α ∈ [0, 1].

s0

v0

g

Z = {z1}X = R+ × R (ball above ground)U = Y = {ǫ}Uc = Yc = {}T = {(z1, ǫ, z1, ǫ)}inv(z1) = {[x1, x2]T |x1 ∈ R+

0 , x2 ∈ R}g((z1, ǫ, z1, ǫ)

)= {[x1, x2]T |x1 = 0, x2 ∈ R−

0 }h((z1, ǫ, z1, ǫ), x

)=

[x1

−αx2

]

f(z1, x) =

[x2−g

]



Graphical Representation of the Bouncing Ball

A typical representation of hybrid automata is as follows:

Discrete states are represented by circles (or similar shapes).

Transitions are illustrated by arrows to which input and outputevents, guards, and jump functions are attached.

The continuous dynamics is written within the discrete states above adashed line.

The invariant is placed underneath the dashed line.

x1 = x2x2 = −g

x1 ≥ 0

x1 = 0 ∧ x2 ≤ 0

x2 := −αx2invariant

differentialequations

guard

jump function



Trajectory of the Bouncing Ball

The trajectories of the bouncing ball are plotted for s0 = 30 [m] (quitehigh, but then we can reasonably plot the result together with velocity),v0 = 0 [m/s], and α = 0.8 [-].

0 2 4 6 8 10 12 14 16 18 20−30

−20

−10

0

10

20

30

t

s(t),v(t)

s(t)

v(t)


Other Modeling Formalisms

Hybrid Statecharts

When a hybrid automata has many locations, it is useful to group themusing statecharts.

Guards: Are modeled as conditions of discrete transitions.

Flow function: Is specified after the keyword throughout(MATLAB/Stateflow: during/du) within a state.

Jump function: Is specified after the keyword exit within a state orattached to a discrete transition.

Invariant: Most work does not specify invariants for statecharts.Instead, an urgent semantics is assumed, i.e. a transition is taken assoon as a state is in a guard. Why does one not require invariants inthis case?



Hybrid Statecharts: Electric Motor (I)

We model an electric motor with several operation modes. The torqueT = km i of our motor is proportional to the applied current i . We alsomodel friction as Tf = −kf ω and denote the disturbance torque by Td sothat the overall dynamics of the angular velocity ω for the rotationalinertia J is

Jω = T = km i − kf ω + Td .

To control the speed, we use a simple P-controller i = KP(ωd − ω) so thatwe obtain

ω =kmJKP(ωd − ω)− kf ω + Td .

The motor has the following modes:

The motor is switched off.

The motor is fully accelerating with current imax until the speed ωd isreached or when the speed drops below 0.8ωd .

The motor is controlled to keep the speed ωd .



Hybrid Statecharts: Electric Motor (II)

power off

power on

acceleration const speed

during:ω = f1(ω,Td )



on

off

ω ≥ ωd

ω < 0.8ωd

f1(ω,Td ) = −kf ω + Td ,

f2(ω,Td ) =kmJimax − kf ω + Td ,

f3(ω,Td ) =kmJKP(ωd − ω)− kf ω + Td .



Hybrid Statecharts: Bouncing Ball in MATLAB/Stateflow

In a similar way, one can model hybrid statecharts inMATLAB/Stateflow.

MATLAB also assume urgent semantics, i.e. a transition is taken assoon as a state is in a guard.

The bouncing ball example in MATLAB/Stateflow:



Interaction of Discrete and Continuous Components (I)

Many engineering tools realize hybrid systems by combining discreteand continuous components.No explicit modeling formalism: Discrete states, guards, etc. areimplicitly described by the interaction of continuous and discretecomponents.

Example: Bouncing ball modeled in MATLAB/Simulink



Interaction of Discrete and Continuous Components (II)

Advantages

Intuitive modeling.

Components can be easily exchanged, which might cause changing thediscrete transition structure of many locations in a hybrid automata.

Disadvantages

The modeling formalism is not suited for formal analysis.

The modeling formalism is not formally defined. What happens whenseveral discrete components switch at the same time?


Properties of Hybrid Automata

Deadlock and Livelock

Due to bad design, the undesired event of deadlock and livelock can occur.

Deadlock

A deadlock occurs when thecontinuous state leaves the invariantand is not in any guard set. x1

x2 guard

invariant

trajectory

deadlock

Livelock

A livelock occurs when the system switches infinitely often betweendiscrete states and no time passes in between discrete transitions.

Example: A continuous statejumps in between guard setsthat cause transitions inbetween each other.

x1

x2

inv(z1) inv(z2)

g((z1, ǫ, z2, ǫ)

)g((z2, ǫ, z1, ǫ)

)



Nondeterminism

Since finite state automata are a special case of hybrid automata, it is obviousthat hybrid automata can be nondeterministic. The sources of nondeterminismare manifold:

Guard regions can overlap so that several goal locations are possible.

The jump function can be nondeterministic.

When the guard set is full-dimensional (see figure below), the switching timeis nondeterministic.

The differential equations have uncertain continuous inputs.

One can define hybrid automata with nondeterministic initial states.

x1

x2

g((z1, ǫ, z2, ǫ)

)g((z1, ǫ, z2, ǫ)

)

inv(z1)inv(z1)

deterministic non-deterministic



Zeno Behavior (I)

Zeno behavior occurs when the duration δi between the i th and the(i + 1)th transition decreases and

∑∞i=0 δi is finite. With other words, an

infinite number of transitions occurs in finite time.

Example: Bouncing Ball

Let us introduce the velocity vi and the time ti at the i th transition:

vi+1 = αvi ti+1 = ti +2α

gvi

vi = αiv0 ti = t0 +2v0g

(α− αi+1

1− α

)

vzeno = limi→∞

vi = 0 tzeno = limi→∞

ti = t0 +2v0g

(α

1− α

)

(we use∑n−1

k=0 axk = a 1−xn

1−x (x 6= 1) )



Zeno Behavior (II)

For the values v0 = 1 [m/s] (here: velocity at initial contact), α = 0.8 wehave

tzeno =2

g· 4 ≈ 0.82 [s]

The ball dynamics cannot proceed beyond 0.82 [s]. In reality, the elasticityof the ball causes the ball not take off after a certain time.

Zeno of Elea

Greek philosopher who is famous for his paradoxes, such as the one ofAchilles and the tortoise: A tortoise wants to race against Achilles and hegives it a head start. After both start running, the tortoise has alreadymoved to s1 when Achilles arrives at its initial position s0. Then Achillesruns to s1 when the tortoise is at s2. Zeno claims that by thisargumentation, Achilles can never overtake the tortoise.



Finite Escape Time

One speaks of finite escape time, when ‖x‖ → ∞ in finite time. Finiteescape time is also possible for purely continuous systems when they arenonlinear:

x = 1 + x2(t), x0 = 0

The solution of the differential equation is

x(t) = tan(t),

which has an ”explosion time” at t = π2 .


Numerical Simulation of Hybrid Automata


As for nonlinear continuous systems, for most hybrid systems modelingreal world problems, there exists no analytical solution.

Steps in hybrid system simulation

1 Simulation of the continuous dynamics within the current location(see lecture ”Modeling and Simulation of Continuous Systems”) aslong as the state is in the invariant;

2 Detection whether the current state is within a guard set and whetherit is activated by the required input event;

3 Update of the discrete state once the transition is taken and generatethe output event;

4 Update of the continuous state according to the jump function;

5 Continue with step 1.



Guard detection

Step 1 (continuous evolution) has been previously discussed and ise.g. performed via Runge-Kutta methods.

Step 3 and 4 (discrete and continuous update) are trivial.

We need to focus on step 2 (guard detection).

For simplicity we only consider deterministic guards, i.e. guards that canonly be hit at one point in time. Those guards are usually only activatedby the state: g

((z , ǫ, z ′, ǫ)

). Why?

Reminder:

x1

x2

g((z1, ǫ, z2, ǫ)

)g((z1, ǫ, z2, ǫ)

)

inv(z1)inv(z1)

deterministic non-deterministic



Modeling of Guards

We model the guard by a level set function l(x), which allows arbitraryshapes:

g((z , ǫ, z ′, ǫ)

)= {x |l(x) = 0}.

Examples:

hyperplane: l(x) = nT x − d , where n ∈ Rn is the normal vector andd ∈ R is the distance from the origin to the hyperplane.

x1

x2d

nT

hyperplane

hypersphere: l(x) = ‖x − c‖2 − r , where c ∈ Rn is the center andr ∈ R is the radius of the hypersphere.

x1

x2 c

r hypersphere



Guard Detection without Hitting Time Detection

A guard has been crossed when the level set function l(x) changes its sign:

x1

x2

guard: l(x) = 0trajectory

in z1

z1

z2

trajectory in z2without hitting time detection

x(tn)x(tn+1)

l(x) < 0

l(x) > 0

trajectory with exacthitting time detection

A simple method is to perform a discrete transition as soon as a signchange of l(x) is detected, without determining the exact switching time.This is computationally cheap, but creates larger errors.



Guard Detection with Hitting Time Detection

More accurate results are obtained when the solver iteratively searches forthe exact hitting time until the value of l(x) is in a ǫ-region: ‖l(x)‖2 ≤ ǫ.

x1

x2

guard: l(x) = 0trajectory

in z1

z1

z2

x(tn)x(tn+1)

l(x) < 0

l(x) > 0

trajectory with exacthitting time detection

1

2

3

4

An iterative method for hitting time detection is presented in the exercise.



Further Reading

A. van der Schaft and H. Schumacher: An Introduction to HybridDynamical Systems, Springer, 2000.

R. Alur, C. Coucoubetis, N. Halbwachs, T.A. Henzinger, P.H. Ho, X.Nicolin, A. Olivero, J. Sifakis, S. Yovine: The Algorithmic Analysis ofHybrid Systems, Theoretical Computer Science, 1995, 138, pages3-34.

Y. Kesten and A. Pnueli: Timed and Hybrid Statecharts and theirtextual representation, Formal Techniques in Real-Time andFault-Tolerant Systems, LNCS 571, 1991, pages 591-620.

M. Otter, H. Elmqvist, and Sven Erik Mattsson: Hybrid Modeling inModelica based on the Synchronous Data Flow Principle, Proc. ofComputer Aided Control System Design, 1999.



Conclusions

In many cyber-physical systems, the continuous dynamics and thediscrete dynamics cannot be designed separately.

Hybrid automata are an extension of finite state automata bycontinuous dynamics.

There exists a large number of alternative modeling formalisms:Hybrid statecharts, hybrid Petri nets, hybrid bond graphs, etc.

Hybrid systems can exhibit a variety of phenomena:DeadlockLivelockNondeterminismZeno behaviorFinite escape time

The main difficulty in extending numerical solvers for continuoussystems is guard detection.


Cyber-Physical Systems – Analysis of Hybrid Systems

Matthias Althoff

TU Munchen

12. June 2015

Matthias Althoff Analysis of Hybrid Systems 12. June 2015 1 / 39

Overview

Overview

Hybrid Systems

Stability analysis of hybrid systems:

Common Lyapunov functionMultiple Lyapunov function

Reachability analysis of hybrid systems

Applications


Stability Analysis of Hybrid Systems

Motivating Example (I)

Warning

Even if a hybrid system is Lyapunov stable in all locations, the hybridsystem is not necessarily stable!

Example: Hybrid automaton with two locations Z = {z1, z2}, twocontinuous state variables X = {x1, x2}, and no inputs and outputs:

T = {(z1, ǫ, z2, ǫ), (z2, ǫ, z1, ǫ)}inv(z1) = {[x1, x2]T |x1x2 ≤ 0, x1 ∈ R, x2 ∈ R}inv(z2) = {[x1, x2]T |x1x2 ≥ 0, x1 ∈ R, x2 ∈ R}g((z1, ǫ, z2, ǫ)

)= g

((z2, ǫ, z1, ǫ)

)= {[x1, x2]T |x1x2 = 0, x1 ∈ R, x2 ∈ R}

h((z1, ǫ, z2, ǫ), x

)= h

((z2, ǫ, z1, ǫ), x

)= x

f(z1, x) =

[−1 4−1 −1

]x

f(z2, x) =

[−1 1−4 −1

]x



Motivating Example (II)

The phase portraits of each subsystem are as follows:location z1:

−1 0 1

−3

−2

−1

0

1

2

3

x1

x 2

location z2:

−3 −2 −1 0 1 2 3−1.5

−1

−0.5

0

0.5

1

1.5

x1

x 2



Motivating Example (III)

It can be seen from the phase portrait, that the system is unstable(left figure).

When exchanging the flow functions, the system is stabilized (rightfigure).

Trajectory of original switchingsequence:

−90 −80 −70 −60 −50 −40 −30 −20 −10 0 10−40

−20

0

20

40

60

80

100

x1

x 2

Trajectory of modified switchingsequence:

−1 −0.8 −0.6 −0.4 −0.2 0 0.2 0.4−0.2

0

0.2

0.4

0.6

0.8

1

1.2

x1

x 2


Common Lyapunov Function


We first address the problem that we have a system of which themodes can be arbitrarily switched.

Arbitrary switching can be modeled by defining ∀i : g(Ti ) = Rn,where Ti is the i th transition. External events are used to perform theswitching.

Common Lyapunov function is sufficient (proof omitted)

If the continuous systems of all locations share a common Lyapunovfunction, the hybrid dynamics is stable.

Common Lyapunov function is necessary (proof omitted)

If a hybrid system is stable for arbitrary sequences of locations, alllocations share a common Lyapunov function.

A common Lyapunov function is necessary and sufficient.Matthias Althoff Analysis of Hybrid Systems 12. June 2015 6 / 39


Lyapunov Function for Linear Systems

Given is a linear systemx(t) = Ax(t). (1)

Lyapunov function for LTI systems

The Lyapunov function V (x) = xTPx , P > 0 proves that an LTI system isstable if

PA+ ATP < 0

Proof: Using (AB)T = BTAT , we have that

V (x) = xTPx + xTPx = xTPAx + xTATPx = xT (PA + ATP)x

so that PA+ ATP < 0 when the system is stable.

Lyapunov function is necessary (no proof)

One can show that if (1) is stable → there has to exist a P such thatPA+ ATP < 0.



Common Lyapunov Function: Switched Linear Systems

For switched linear systems

x(t) = A(i)x(t)

where i refers to the i th location, it is natural to use the quadraticLyapunov function

V (x) = xTPx , P > 0

so that PA(i) + (A(i))TP < 0 when the i th location has a stable dynamics.This problem can be written as linear matrix inequalities for whichpowerful solvers exist:

P > 0

∀i : A(i)P + PA(i) < 0



Common Lyapunov Function: Infeasibility Test

For switched linear systems there exists an infeasibility test for quadraticLyapunov functions:

Infeasibility Test (no proof)

If there exist M positive definite matrices R (i) > 0 (M: number oflocations) such that

M∑

i=1

R (i)(A(i))T + A(i)R (i) > 0

then there is no P > 0 such that

∀i ∈ {1, . . . ,M} : (A(i))TP + PA(i) < 0



Example for the Infeasibility Test

Does stability of a switched linear system imply existence of a commonquadratic Lyapunov function?

No, the system

A(1) =

[−1 −11 −1

], A(2) =

[−1 −100.1 −1

]

is stable for arbitrary switching, but does not have a common quadraticLyapunov function since

R (1) =

[0.2996 0.70480.7048 2.4704

], R (2) =

[0.2123 −0.5532−0.5532 1.9719

]

satisfy the infeasibility condition.

However, there is a common piecewise quadratic Lyapunov function.


Multiple Lyapunov Function


It is often easier to use a different Lyapunov function V (zi , x) for eachlocation zi .

Lyapunov’s stability theorem for hybrid systems

The origin is a stable equilibrium of a hybrid automata if for all zi ∈ Z andx ∈ D

1 V (zi , 0) = 0, ∀x ∈ D \ {0} : V (zi , x) > 0

2 V (zi , x) ≤ 0, ∀x ∈ D

3 For all discrete transition times ti we have that for ti > tj andz(ti) = z(tj) that V (z(ti), x(ti )) < V (z(tj), x(tj )).

One of the difficulties is that one has to know the discrete sequences inadvance and that they strongly depend on the initial state.



Possible Evolution of Lyapunov Function Values

t

V (z , t)

t0 t1 t2 t3 t4

V (z1, t)

V (z2, t)

active inactive


Reachability Analysis of Hybrid Systems

Reachability Analysis

possibletrajectory

exactreachable set

jump

steady state

initial set

x1

x2

Informal Definition

A reachable set is the set of states that can be reached by a dynamicalsystem in finite or infinite time for a

set of initial states,

uncertain inputs,

and uncertain parameters.



Verification Task

overapproximativereachable set exact

reachable setinvariant set

unsafe set

initial set

x1

x2

Verification Task

Check if a set of unsafe states is never reached.

Exact reachable set only for special classes computable→ overapproximation computed for consecutive time intervals.

Overapproximation might lead to spurious counterexamples.

Simulation cannot prove correctness.


Reachability Analysis of Hybrid Systems Linear Systems

Linear Systems: Overview of Reachable Set Computation

x(t) = Ax(t) + u(t), A ∈ Rn×n, x(t) ∈ Rn, x(0) ∈ R(0), u(t) ∈ uc ⊕ U

1 Compute reachable set H(r) = eArR(0)⊕∫ r

t=0eA(r−t)dt uc at time r neglecting

the uncertain input (C ⊕ D := {c + d |c ∈ C, d ∈ D}).2 Obtain convex hull of initial set R(0) and H(r).

3 Enlarge reachable set to account for (1) uncertain inputs, (2) curvature oftrajectories.

4 Continue with further time intervals [kr , (k + 1)r ], k ∈ N.

Known algorithm, similar to work of A. Girard at HSCC’05.

R(0)

H(r)convexhull of

R(0), H(r) R([0, r ])

➀ ➁ ➂

enlargement


Reachability Analysis of Hybrid Systems Nonlinear Systems

Nonlinear Reachability Analysis: Overall Algorithm

initial set R(0), input set U , time step k = 1

linearize system

compute reachable set Rlin without linearization error

obtain set of linearization errors L based onRlin and L (L: set of admissible linearization errors)

L ⊆ L ? enlarge L

compute reachable set Rerr due to L

R = Rlin ⊕ Rerr

k:=

k+

1

yes

no



Overall Algorithm: Animation

R(0)

linearize system




Rlin([0, r ])

compute reachable set Rlin

without linearization error




Rlin([0, r ])⊕Rerr ([0, r ])

Rerr : reachable set due to L

obtain set of linearizationerrors L based on

Rlin([0, r ]) ⊕Rerr ([0, r ])




R([0, r ]) =

Rlin([0, r ])⊕Rerr ([0, r ])

L ⊆ L ?




R([r , 2r ])

reachable set ofnext time interval




R([0, tf ])

reachable set ofthe complete time horizon tf

possibletrajectories



Scalability of the Linearization Approach

x1

xn−1

xn

u

... (more tanks)

Water tank system.

1 2 3 4

2

3

4

5

6

x1

x6

initial set

possibletrajectories

Projected reachable set(n = 6).

Complexity with respect to the number of continuous state variables n: O(n3).

Dimension n 5 10 20 50 100

CPU-time [sec] 1.19 1.73 3.11 11.59 35.78


Reachability Analysis of Hybrid Systems Hybrid Systems


Hybrid systems additionally require intersections of guard sets:

x1

x2

R(0)

Rg

R([tk , tk+1])

guard

(a) Classical approach.x1

x2

R(0)

Rg

R([tk , tk+1])

R(tη)

guard

(b) New approach.

tη: last point in time before intersecting the hyperplane.

Rg : Overapproximation of the guard set intersection.



Scalability of the Mapping-Based Approach

Jm J1 J2 JθJl

ks k1 k2 kθ

Θm

Θ1 Θ2 Θθ

Θl

gear

enginedynamics

uTm

Θs

2α

Powertrain with backlash.

−0.1 0 0.1 0.2

0

20

40

60

80

Θs −Θ1

Θref

guard set

R(0)

sampletraj.

Projected reachable set(n = 101).

Complexity with respect to the number of continuous state variables n: O(n5).

Dimension n 11 21 31 41 51 101

CPU time [sec] 8.122 14.31 23.72 31.83 53.74 1550



Comparison With SpaceEx

SpaceEx: state of the art tool for reachability analysis of hybrid systems.

Uses geometric guard intersection.

Example sensitive to overapproximation → comparison for initial set with5% of initial size and n = 7.

−0.05 0 0.05 0.1−20

0

20

40

60

80

Θs −Θ1

Tm

SpaceEx

mappingapproach

guard

R0.05(0)

−0.05 0 0.05 0.1

0

20

40

60

80

Θs −Θ1

Θref

SpaceEx

mappingapproachguard

R0.05(0)

Computational times: 10023 s (new approach: 0.133 s).


Applications

Ensuring Safety for Complete Vehicle Control

➀ occupancy prediction ➁ trajectory planning

➂ collision checking➃ trajectory tracking

controller


Applications

Consideration of Uncertainty

obstacle

reference trajectory


Applications


obstacle

reference trajectoryvehicle occupation


Applications


obstacle

reference trajectoryreachable set of the center

Robust Safety Problem

Is the planned maneuver of the autonomous vehicle still safe under

uncertain initial states,uncertain measurements,and disturbances?

Objective: Guarantee safety when bounds on uncertainties are known.


Applications


reachable set of the center vehicle occupation

possible collision

Robust Safety Problem

Is the planned maneuver of the autonomous vehicle still safe under

uncertain initial states,uncertain measurements,and disturbances?

Objective: Guarantee safety when bounds on uncertainties are known.


Applications

Online Verification Of Automated Driving

lane change

maneuver B

lane change

maneuver A

Test site Test vehicle

−20 0 20 40 60 80 100 120−5

0

5

reference trajectory

other vehicle

ego vehicle ego vehicle (braking part)

initial occupancy

final occupancyobstacle

x-position [m]

y-position[m

]


Applications

Test Drive Results

[sxsy

] Ψ

β

δ

x

y

v

sx , sy [m] x- and y-positionΨ [rad] orientationβ [rad] slip angle at center of massδ [rad] front wheel anglev [m/s] velocity

2.5 3−0.5

0

0.5

Ψ [rad]

Ψ[rad

/s]

lc B lc A−0.2 0 0.2

2.4

2.6

2.8

3

δ [rad]

Ψ[rad

]

−0.2 0 0.2−0.5

0

0.5

δ [rad]

Ψ[rad

/s]

lc A

lc B

computation time: ≈ 1.8 times faster than maneuver time (Intel i7, 1.6GHz)


Applications

Use Cases for Power Systems

Transient stability analysis(specific fault)

Transient stability analysis(region of attraction)

Stability prediction underuncertain power demandand production

final set

pre-faultset

post-faultset

x1

x2

pre-faultset

post-faultset

x1

x2

reachableset

allowedvoltage/phase

limits

time t

voltage/phase


Applications

Abstraction of the Dynamic Model

Original dynamic model (semi-explicit, index-1 DAEs)

x = f (x(t), y(t), u(t))

0 = g(x(t), y(t), u(t)),

[xT (0), yT (0)]T ∈ R(0), u(t) ∈ U ,x ∈ Rnd , y ∈ Rna : differential & algebraic states, u ∈ Rm: inputs,R(0): set of initial states, U : set of uncertain inputs

Abstraction by a linear differential inclusion

For t ∈ τk = [tk , tk+1] (k : time step):

˙x ∈ A(k)x ⊕ U(k),

x ∈ Rnd new differential states, U : new set of uncertain inputs

The algebraic states are extracted from the differential states (see later).Matthias Althoff Analysis of Hybrid Systems 12. June 2015 27 / 39

Applications

IEEE 14-Bus Benchmark System

GG

G

G

G

1

2

3

76

4

12

13

14

1110

9

58


Applications

Dynamic and Algebraic Equations

The algebraic equations are obtained from the standard equations of abus-network.

Generator/Synchronous Condenser Dynamics

The dynamics for each generator and synchronous condenser are described by thefollowing set of equations:

δi = ωi − ω1

ωi = −Di

Mi(ωi − ω1) +

1

MiTm,i −

1

MiPg ,i

Tm,i = − 1

TSV ,iRD,iωs(ωi − ωs)−

1

TSV ,iTm,i +

1

TSV ,iPc,i ,

Mi [MJ/Hz2] is the rotational inertia, Di [s/rad] the damping coefficient, TSV ,i [s]is the time constant of the governor, and 1

RD,i[-] is the proportional gain of the

governor.

Overall, the system has 14 dynamic state variables and 28 algebraic statevariables.


Applications

Reachable Set of the Dynamic Variables

Black lines: random simulations; gray area: reachable set; white box: initial set

−0.6 −0.4 −0.2374.5

375

375.5

376

376.5

377

377.5

378

δ2

ω2

−0.8 −0.6 −0.4

375.5

376

376.5

377

377.5

δ3

ω3

−0.8 −0.6 −0.4

376

376.5

377

δ4

ω4

−0.8 −0.6 −0.4375.8

376

376.2

376.4

376.6

376.8

377

δ5

ω5

374 376 378 380

2.02

2.025

2.03

2.035

2.04

2.045

ω1

Tm,1

375 376 377 378

0.425

0.43

0.435

0.44

ω2

Tm,2


Applications

Reachable Set of the Algebraic Variables

Black lines: random simulations; dark gray area: pre- and post-fault reachable set; lightgray area: fault-on reachable set

1.05 1.1 1.15

−0.7

−0.6

−0.5

−0.4

−0.3

E1

Θ1

1.1 1.12 1.14 1.16 1.18−0.7

−0.6

−0.5

−0.4

−0.3

E2

Θ2

1.02 1.04 1.06 1.08−0.8

−0.7

−0.6

−0.5

−0.4

E3

Θ3

1.08 1.09 1.1

−0.8

−0.7

−0.6

−0.5

−0.4

E4

Θ4

1.12 1.122 1.124

−0.8

−0.7

−0.6

−0.5

−0.4

E5

Θ5

1.015 1.02 1.025

−0.7

−0.6

−0.5

−0.4

V7

Θ7


Applications

Verification of a Phase-Locked Loop (PLL)

Digital phase-locked loop with charge pumps:

Ci

Cp1

CP

Rp2

Rp3

frequencydivider1/N

Cp3

vi

vp1 vpip

ii

Φref

Φv

Φoutphase

frequencydetector(PFD)

RefUP

VCO

DN


Applications

Hybrid Automaton Description of the PLL

both offUP = 0,DW = 0

up activeUP = 1,DW = 0

dw activeUP = 0,DW = 1

both activeUP = 1,DW = 1

guard: Φref == 2πreset: Φv := Φv − 2π

Φref := 0

guard: Φv == 2πreset: Φref := Φref − 2π

Φv := 0

guard: Φv == 0reset: t := 0

guard: Φref == 0reset: t := 0

guard: t == td


Applications

Hybrid Automaton Description of the PLL

both offUP = 0,DW = 0

up activeUP = 1,DW = 0

both activeUP = 1,DW = 1

guard: Φref == 2πreset: Φv := Φv − 2π

Φref := 0

guard: Φv == 0reset: t := 0

guard: t == td

IUPi

ton td

Φref

Φv

ii

t

t

t2π

2π

dw active

0

0

0


Applications

Continuous Dynamics of the PLL

x = Ax + Bu + c ,

A =

0 0 0 0 0

0 − 1Cp1

(1

Rp2+ 1

Rp3

)1

Cp1Rp30 0

0 1Cp3Rp3

− 1Cp3Rp3

0 0Ki

N 0Kp

N 0 00 0 0 0 0

,B =

1Ci

0

0 1Cp1

0 00 00 0

, c =

000

2πN f0

2πfref

Input values vary depending on the signals leaving the phase-frequency detector:

u =

[IUPi , IUP

p ], if UP = 1, DW = 0

[IDWi , IDW

p ], if UP = 0, DW = 1

[IUPi + IDW

i , IUPp + IDW

p ], if UP = 1, DW = 1

[0, 0], if UP = 0, DW = 0


Applications

Specification

Transient BehaviorGiven any initial state and any valid set of parameters, verify that thelocked condition (|Φref −Φv | < ∆Φlock) is reached in less than kcycles.

Invariant BehaviorGiven a set of states in the locked condition, show that the lockedcondition is an invariant.

0 500 1000 1500

−0.3

−0.2

−0.1

0

cycle number

ph

ase

di"

ere

nce

∆

Φ

transientpart

invariantpart

allowed∆Φ


Applications

Reachable Sets of the Phase-Locked Loop (first 200 cycles)

0.35 0.4 0.45 0.5 0.55 0.6 0.65−4

−2

0

2

4

6

8

10

vi in [V]

v p1 in

[V]

0.35 0.4 0.45 0.5 0.55 0.6 0.65−0.5

−0.4

−0.3

−0.2

−0.1

0

0.1

0.2

vi in [V]

(Φv −

Φre

f)/2Π

in [r

ad]

−4 −2 0 2 4 6 8 10−4

−2

0

2

4

6

8

10

vp1

in [V]

v p in [V

]

−4 −2 0 2 4 6 8 10−0.5

−0.4

−0.3

−0.2

−0.1

0

0.1

0.2

vp in [V]

(Φv −

Φre

f)/2Π

in [r

ad]


Applications

Computation Times

reachability analysis: avg. MATLAB simulation:∆Φ(0) total [s] 1 cycle [s] total [s] 1 cycle [s]

[−1,−0.8]π 55.0461 0.0270 48.3297 0.0237[−0.8,−0.6]π 54.4418 0.0275 47.9096 0.0242[−0.6,−0.4]π 53.4820 0.0280 46.2673 0.0242[−0.4,−0.2]π 47.8208 0.0264 44.4596 0.0245[−0.2, 0]π 42.9191 0.0260 38.5102 0.0233

Show videos...


Applications

Further Reading

Stability:

M. Johansson: Piecewise Linear Control Systems – A ComputationalApproach, Springer Lecture Notes in Control and InformationSciences no. 284, 2002.

R.A. DeCarlo, M.S. Branicky, S. Pettersson, and B. Lennartsson:Perspectives and Results on the Stability and Stabilizability of HybridSystems, Proceedings of the IEEE, Vol 88, No. 7, 2000.

Reachability:

M. Althoff: Reachability Analysis and its Application to the SafetyAssessment of Autonomous Cars, Technische Universitat Munchen,2010.

E. Asarin, T. Dang, G. Frehse, A. Girard, C. Le Guernic, O. Maler:Recent Progress in Continuous and Hybrid Reachability Analysis,Proc. of the IEEE Conference on Computer Aided Control SystemsDesign, 2006, pages 1582-1587.


Conclusions

Conclusions

Stability:

Switching between stable subsystems can destabilize a system.

A common Lyapunov function is necessary and sufficient for arbitrarilyswitched systems.

When the system is not arbitrarily switched, one often requiresmultiple Lyapunov functions to prove stability.

Reachability:

For most hybrid systems it is theoretically impossible to exactlycompute the reachable set.

Overapproximations of reachable sets can prove the correctness ofhybrid systems. This is not possible with simulation techniques.


Documents

Cyber-Physical Systems { Modeling and Simulation …schulzef/2015-06-12-Matthias...2015/06/12 · Cyber-Physical Systems { Modeling and Simulation of Hybrid Systems Matthias Altho