Safety Verification of Interconnected Hybrid Systems Using Barrier Certificates

1 Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai 200062, China
2 National Trustworthy Embedded Software Engineering Technology Research Center, East China Normal University, Shanghai 200062, China
3 School of Informatics and Electronics, Zhejiang Sci-Tech University, Hangzhou 310018, China
4 School of Software Engineering, Tongji University, Shanghai 201804, China


Introduction
The problem of safety verification of hybrid dynamical systems has always been a fundamental issue within the systems, control, and computer communities. In principle, safety verification of a hybrid dynamical system aims to determine that no trajectory starting from the admissible initial states can evolve into the unsafe region of the state space [1]. Numerous methods have been developed over the past two decades [2], and a variety of dynamical characteristics have been researched. In particular, we concentrate on safety verification of a special kind of nonlinear hybrid dynamical system called the polynomial hybrid system. Polynomial hybrid systems are hybrid systems in which both the description of the dynamical behavior and the state constraints are given in terms of polynomial nonlinearities. A wide range of applications can be modeled as, transformed into, or approximated by polynomial hybrid systems, for example, in power systems [3] and process control [4]. In [5-7], computational verification methods based on symbolic computation have been proposed; those methods rest mainly on the theory of ideals over polynomial rings together with techniques such as abstract interpretation. On the other hand, computational verification methods based on numerical computation, which originated from [8], have also been well developed. One of the typical methods, called the barrier certificate, generalizes these numerical verification methods and rests its theoretical foundation on linear matrix inequalities (LMI), semidefinite programming (SDP), sum-of-squares (SOS) programming, and bilinear SOS programming.
Generally speaking, a barrier certificate is a function of the states whose zero level set separates an unsafe region from all system trajectories starting from an admissible set of initial states. The existence of a barrier certificate is sufficient for safety of a dynamical system, which is analogous to the sufficiency of the existence of a Lyapunov function for asymptotic stability of a dynamical system. As an important numerical method for safety verification of dynamical systems, barrier certificates have been well developed under the frameworks of general nonlinear systems [9], time-delayed systems [10, 11], stochastic systems [12], interconnected continuous systems [13, 14], and hybrid systems [1, 15]. Besides, a converse theorem for barrier certificates was discussed recently in [16].
Hybrid systems are dynamical systems exhibiting both continuous and discrete dynamic behaviors, and interconnected hybrid systems are an interconnection of several hybrid systems consisting of assignments relating the inputs and outputs of the individual hybrid systems. Therefore, safety of an interconnected hybrid system relies on both the safety of the individual subsystems and their interconnections. In this paper, we propose compositional barrier certificates for safety verification of interconnected hybrid systems. As we know, many networked embedded systems, particularly the recently proposed Internet-of-Things and Cyber-Physical Systems [17], are characterized by interconnected hybrid systems; however, safety verification for interconnected hybrid systems has not been well developed. Thus, there is a need to study safety verification methods for interconnected hybrid systems. Motivated by the above-mentioned reasons and the practical background, we consider the issue of developing compositional barrier certificates of interconnected hybrid systems for their safety verification. To the best of our knowledge, safety verification has been discussed only for interconnected continuous systems [13, 18-20], but not yet for interconnected hybrid systems, which also motivated our research.
Due to the new features deriving from interconnected hybrid systems, finding a compositional barrier certificate for safety verification presents more technical challenges. Considering that the existence of a barrier certificate for each individual hybrid subsystem is not sufficient for safety of the interconnected hybrid system, additional dissipation-inequality-like constraints are required to be imposed on the interconnections. The compositional barrier certificates in our paper impose additional dissipation-inequality-like coupling constraints on a set of individual barrier certificates, one for each subsystem. Furthermore, constructing compositional barrier certificates satisfying dissipation-inequality-like constraints is intractable in general; however, by applying SOS relaxation and the generalized S-procedure, some conservative compositional barrier certificates can be derived through numerical computation. Once these compositional barrier certificates, composed of individual barrier certificates and coupling constraints, are feasible, bilinear SOS programming can be applied to construct them through purely numerical computation. Numerical SOS programming solvers such as SOSTOOLS [21] and SOSOPT [22] have been developed for such computations. With this methodology, we are able to verify safety of interconnected hybrid systems without resorting to exhaustive simulations.
The paper is organized as follows. Section 2 introduces the notations as well as some preliminary definitions. Section 3 adopts the compositional hybrid I/O automata framework to describe interconnected hybrid systems and presents the formal definition of safety. Section 4 explains how to formulate the verification problem by incorporating interconnections satisfying the diagonal stability property with individual barrier certificates. Section 5 shows how to construct the compositional barrier certificates by solving a feasibility problem in bilinear SOS programming. Section 6 presents a numerical example to show the validity of the proposed method, and Section 7 comprises the conclusions.

Mathematical Preliminaries
Notations. Let R denote the field of real numbers, and R  stand for the -dimensional real vector space. R >0 and N >0 refer to the sets of positive real numbers and positive natural numbers, respectively. Lower case letters such as , , , , ,  represent scalar variables, while symbols such as ⃗ , ⃗ , ⃗  are vectorial variables. ‖ ⋅ ‖ refers to the Euclidean vector norm. For matrices or vectors, the superscript denotes matrix transposition.  × is the identity matrix, ⃗ 0 denotes the zero vector, 0 is the scalar zero, and 0 × is an  ×  zero matrix. The notation diag{⋅} indicates a square diagonal matrix with the arguments along the diagonal. −1 is the inverse of the matrix .

Formal Models of Interconnected Systems
Throughout this paper, we adopt the compositional hybrid I/O automata framework discussed in [23]. For each state (  , ⃗   ) ∈ Q  × X  , F  incorporates a differential constraint on the continuous evolution according to the differential equation: where activates and produces a discrete output according to simultaneously. For a compositional hybrid I/O automaton H, ⃗  ∈ X evolves continuously when all trajectories of the H  s evolve continuously, while switchings occur once there exists a discrete consecution among the H  s.
Based on the concept of trajectories of H, safety of H can be formalized as follows.
Definition 10 (safety of H). Let an interconnected hybrid I/O automaton H = {I, ⋃ ∈I {H  }, N  , N  , K} be given. Take (, ⃗  0 , ⃗ , ⃗   , ⃗   , ⃗   , ⃗   ) as the trajectory of H; then H is unsafe if there exists an instant holds. Furthermore, H is safe when none of the trajectories of H starting from admissible initial states intersects the unsafe states X  of H.

Compositional Barrier Certificates
In this section, we present a brief introduction to the barrier certificate method and propose the compositional barrier certificate for safety verification of a compositional hybrid I/O automaton.

Intuitive Interpretation of Barrier Certificates.
To address safety verification, we need to determine whether a trajectory starting from admissible initial states can reach the set of unsafe states. The barrier certificate methodology certifies safety of a dynamical system by constructing a function called a barrier certificate. Generally speaking, a barrier certificate  : ⃗  → R ( ⃗  denotes the state space) is a function of the states satisfying a set of constraints on both the function itself and on the evolution of the states along trajectories, and the states ⃗  ∈ ⃗  satisfying ( ⃗ ) = 0 form a barrier separating all unsafe states from possible system trajectories. ( ⃗ ) takes values of different sign on different regions: for each ⃗  ∈   (  denotes the unsafe region) it satisfies ( ⃗ ) > 0, while for each ⃗  ∈   (  denotes the region of states reachable by trajectories) ( ⃗ ) ≤ 0 holds. Note that separation of the two sets alone is not enough; the constraint along the trajectories is what prevents a trajectory from crossing the zero level set. Thus, system safety can be certified by the existence of a barrier certificate. An intuitive illustration of a barrier certificate is presented in Figure 1. As shown in the figure, the unsafe region is separated from the states of the trajectories by the barrier certificate.

Compositional Barrier Certificates.
In the following, we present two lemmas to show sufficiency of the existence of barrier certificates for safety of an individual hybrid I/O automaton and discuss how to impose inequality constraints on the interconnections to construct compositional barrier certificates.

Lemma 11 (conservative barrier certificates for H 𝑖 ). Let an interconnected individual hybrid I/O automaton
where, for the case in (20)
Remark 12. Intuitively, the value of   ( ⃗   ) is nonincreasing along both continuous flows and switchings; since   ( ⃗  0  ) < 0 on the initial states,   stays negative on every state of every trajectory of H  , so the reachable states cannot intersect the unsafe region, where   is positive. It should be admitted that   ( ⃗   ) as derived in Lemma 11 is conservative, because the decrease is required on the whole state space rather than only near the zero level set; however, for the safety of the interconnected hybrid system H, this conservatism is justified.
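The following is an added example, not code from the paper, that makes the conditions of Section 4.1 and Remark 12 concrete on a small constructed two-mode hybrid system. The system, its initial set, unsafe set, guard, reset map and the two candidate certificates are all assumed for illustration. The check samples the four conditions (nonpositive on the initial set, positive on the unsafe set, Lie derivative nonpositive in every mode, nonincreasing across the reset) on a grid; the paper replaces this sampling with an exact SOS feasibility problem, but the logic of what is being certified is the same. A second candidate that merely separates the two sets is included to show why the trajectory constraint is needed.

```python
"""Sampled check of barrier-certificate conditions for a constructed
two-mode hybrid system (added example, not from the paper).

Assumed system:
  mode 1: x1' = x2,  x2' = -x1 - x2      (damped oscillator)
  mode 2: x1' = -x1, x2' = -x2           (pure contraction)
  switching mode 1 -> mode 2 on the guard x1 <= -1, with reset x := 0.5 x
  initial set X0: x1^2 + x2^2 <= 1
  unsafe set  Xu: x1 >= 2
Candidate certificate: B(x) = x1^2 + x2^2 - 2, whose zero level set
(the circle of radius sqrt(2)) lies strictly between X0 and Xu.
"""

BOX = 3.0     # sampling box [-BOX, BOX]^2 (assumed bounded state space)
STEP = 0.1    # grid spacing
TOL = 1e-9    # numerical tolerance for the sign tests


def flow(mode, x):
    """Vector field of the active mode."""
    x1, x2 = x
    if mode == 1:
        return (x2, -x1 - x2)
    return (-x1, -x2)


def in_initial(x):
    return x[0] ** 2 + x[1] ** 2 <= 1.0


def in_unsafe(x):
    return x[0] >= 2.0


def in_guard(x):
    return x[0] <= -1.0


def reset(x):
    return (0.5 * x[0], 0.5 * x[1])


def barrier(x):
    return x[0] ** 2 + x[1] ** 2 - 2.0


def barrier_grad(x):
    return (2.0 * x[0], 2.0 * x[1])


def bad_barrier(x):
    """Separates X0 from Xu by a vertical line but ignores the dynamics."""
    return x[0] - 1.5


def bad_barrier_grad(x):
    return (1.0, 0.0)


def lie_derivative(grad, mode, x):
    """Directional derivative of B along the flow of the given mode."""
    g = grad(x)
    f = flow(mode, x)
    return g[0] * f[0] + g[1] * f[1]


def grid():
    n = int(round(2 * BOX / STEP))
    for i in range(n + 1):
        for j in range(n + 1):
            yield (-BOX + i * STEP, -BOX + j * STEP)


def check_conditions(B, gradB):
    """Return which of the four barrier conditions hold on the sample grid."""
    ok = {"init": True, "unsafe": True, "flow": True, "jump": True}
    for x in grid():
        if in_initial(x) and B(x) > TOL:
            ok["init"] = False                 # must be <= 0 on X0
        if in_unsafe(x) and B(x) <= TOL:
            ok["unsafe"] = False               # must be > 0 on Xu
        for mode in (1, 2):
            if lie_derivative(gradB, mode, x) > TOL:
                ok["flow"] = False             # nonincreasing along flows
        if in_guard(x) and B(reset(x)) > B(x) + TOL:
            ok["jump"] = False                 # nonincreasing across switchings
    return ok


def simulate_max_barrier(x0, dt=0.005, steps=4000):
    """Largest value of B seen along an Euler-simulated hybrid trajectory.

    This is the exhaustive-simulation route the certificate makes
    unnecessary; it is here only to illustrate the separation."""
    mode, x, worst = 1, x0, barrier(x0)
    for _ in range(steps):
        if mode == 1 and in_guard(x):
            x, mode = reset(x), 2
        f = flow(mode, x)
        x = (x[0] + dt * f[0], x[1] + dt * f[1])
        worst = max(worst, barrier(x))
    return worst


if __name__ == "__main__":
    print("B  :", check_conditions(barrier, barrier_grad))
    print("bad:", check_conditions(bad_barrier, bad_barrier_grad))
    print("max B along trajectory from (-1, 0):", simulate_max_barrier((-1.0, 0.0)))
```

For the candidate B all four conditions hold, so every trajectory starting in X0 keeps B ≤ 0 and can never enter Xu, where B ≥ 2. The line x1 = 1.5 also separates the sets, but its Lie derivative in mode 1 equals x2, which is positive in half of the plane, and the reset on the guard increases it, so it is not a certificate; a grid check of this kind is a cheap sanity test, not a proof, which is why the paper discharges the conditions with SOS programming instead.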

Computation of Barrier Certificates
In this section, we discuss how to construct compositional barrier certificates from the conditions set up in Section 4. Bilinear SOS programming is applied to support the computation of barrier certificates for H. H is defined on semialgebraic sets, and all vector fields are restricted to be polynomial, with the sets described by polynomial equalities and inequalities. Here, we parameterize the barrier certificates   ( ⃗   ) as polynomials and require the state space and the initial, unsafe, and guard sets to be given by polynomial equality or inequality constraints. By applying the generalized S-procedure, constraints in the form of semialgebraic sets can be incorporated into constraints (17)-(20); Lemma 11 is then formulated as a bilinear SOS program (a feasibility problem). With the help of numerical solvers such as SOSTOOLS [21] and SOSOPT [22], those barrier certificates can be computed automatically.

Computation of Individual Barrier Certificates for H  s.
To compute the individual barrier certificates, all the sets of states in (17)-(20) should be transformed into semialgebraic sets. Let , where those inequalities are satisfied entry-wise. For example, when X is defined as The generalized S-procedure is then introduced to incorporate those semialgebraic set constraints into (17)-(20), and Lemma 11 is formulated as a bilinear SOS program.

Theorem 18 (barrier certificates as a bilinear SOS program). Let an interconnected hybrid I/O automaton H , X   } be given, and let X  , X 0  , X   , G  have been transformed into semialgebraic sets. The polynomial barrier certificate   ( ⃗   ) can be computed by solving the following bilinear SOS program:

Remark 19. Loosely speaking, the generalized S-procedure is a tool for establishing an inequality constraint  0 ( ⃗ ) ≥ 0 on the set where other inequality constraints  1 ( ⃗ ) ≥ 0, . . .,   ( ⃗ ) ≥ 0 are fulfilled. By applying the generalized S-procedure, the above theorem formulates inequalities (30)-(33) together as a bilinear SOS program that is computationally tractable for checking the feasibility of barrier certificates constrained by (17)-(20).
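As an added illustration of Remark 19 (not part of the paper, and not a reproduction of (30)-(33)), here is the generalized S-procedure worked through on the barrier conditions of Section 4.1 in the usual SOS form. The symbols $g_0$, $g_u$, $g$, $\sigma_0$, $\sigma_u$, $\sigma$, $\varepsilon$ and the mode dynamics $f$ are assumed for this illustration; $\Sigma[x]$ denotes the cone of SOS polynomials in $x$.

Suppose the initial set, the unsafe set and the state space are given as semialgebraic sets
$$
X_0 = \{x : g_0(x) \ge 0\}, \qquad X_u = \{x : g_u(x) \ge 0\}, \qquad X = \{x : g(x) \ge 0\},
$$
with $g_0, g_u, g$ polynomials. The implication "$g_u(x) \ge 0 \Rightarrow B(x) > 0$" is replaced by the sufficient SOS condition
$$
B(x) - \varepsilon - \sigma_u(x)\, g_u(x) \in \Sigma[x], \qquad \sigma_u \in \Sigma[x], \qquad \varepsilon > 0,
$$
since for any $x \in X_u$ this gives $B(x) \ge \varepsilon + \sigma_u(x) g_u(x) \ge \varepsilon > 0$. In the same way, "$g_0(x) \ge 0 \Rightarrow B(x) \le 0$" is implied by
$$
-B(x) - \sigma_0(x)\, g_0(x) \in \Sigma[x], \qquad \sigma_0 \in \Sigma[x],
$$
and the flow condition "$g(x) \ge 0 \Rightarrow \nabla B(x) \cdot f(x) \le 0$" by
$$
-\nabla B(x) \cdot f(x) - \sigma(x)\, g(x) \in \Sigma[x], \qquad \sigma \in \Sigma[x].
$$
When $B$ is parameterized with unknown coefficients and the multipliers $\sigma_0, \sigma_u, \sigma$ are also unknown, each of the three conditions above is linear in the unknowns, so together they form an ordinary SOS program. A bilinear SOS program arises when two unknown polynomials are multiplied, for instance when a condition of the form $\nabla B(x) \cdot f(x) \le \lambda(x) B(x)$ is used with both $\lambda$ and $B$ unknown; the product $\lambda(x) B(x)$ is bilinear in the coefficients, which is the kind of structure the bilinear solvers cited in the paper are designed for. Which constraints in (30)-(33) carry such a product is determined by the paper's own formulation and is not restated here.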

Computation of Compositional Barrier Certificate for H.
In order to derive the compositional barrier certificate for H, Γ should be estimated first by solving the following optimization problem: The above optimization is a linear programming problem which can be solved with the help of standard linear programming solvers. With the derived Γ, compositional barrier certificates for H can then be computed directly by solving a bilinear SOS program.
In conclusion, the derived ( ⃗ ) satisfies Theorem 15, and ( ⃗ ) is the compositional barrier certificate for H; thus, H is safe.
Remark 21. Since ( ⃗ ) is coupled with , the above programming problem satisfying (36)-(39) is a bilinear SOS program. Theorem 20 thus formulates the construction of a compositional barrier certificate as a feasibility problem in bilinear SOS programming. It should be noted that compositional barrier certificates derived by Theorem 20 are more conservative than those by Theorem 15; however, Theorem 20 provides a computationally tractable method to construct compositional barrier certificates. Numerical solvers such as SOSTOOLS or SOSOPT for MATLAB can be used to solve bilinear SOS programs automatically. Further details on the numerical computation are omitted; we strongly suggest that readers refer to [21] or [22].

Example
In this example, we consider the following interconnected hybrid system H consisting of two coupled hybrid systems H 1 and H 2 :