Computing Descent Direction of MTL Robustness for Non-Linear Systems

Houssam Abbas and Georgios Fainekos

Abstract: The automatic analysis of transient properties of nonlinear dynamical systems is a challenging problem. The problem is even more challenging when complex state-space and timing requirements must be satisfied by the system. Such complex requirements can be captured by Metric Temporal Logic (MTL) specifications. The problem of finding system behaviors that do not satisfy an MTL specification is referred to as MTL falsification. This paper presents an approach for improving stochastic MTL falsification methods by performing local search in the set of initial conditions. In particular, MTL robustness quantifies how correct or wrong a system trajectory is with respect to an MTL specification. Positive values indicate satisfaction of the property while negative values indicate falsification. A stochastic falsification method attempts to minimize the system's robustness with respect to the MTL property. Given some arbitrary initial state, this paper presents a method to compute a descent direction in the set of initial conditions, such that the new system trajectory gets closer to the unsafe set of behaviors. This technique can be iterated in order to converge to a local minimum of the robustness landscape. The paper demonstrates the applicability of the method on some challenging nonlinear systems from the literature.
A number of applications can only be accurately modeled using nonlinear dynamical models. Typical such applications include analog circuits [1]–[3] and biological and medical systems [4]–[7]. A common theme of all the aforementioned applications is the need to verify transient or periodic properties of the system. Such properties might involve sequencing of events, conditional reachability and invariants and real-time constraints and can be formally captured using temporal logics [4], [8].

Unfortunately, for complex nonlinear systems, these types of properties are hard if not impossible to verify algorithmically. Therefore, recent research efforts have been invested in property falsification methods [9]–[12]. In falsification, the space of operating conditions and/or inputs is searched in order to find an initial condition and/or parameter that will force the system to exhibit an unsafe behavior with respect to the formal requirement. In turn, the unsafe system trajectory can be used in order to manually or automatically modify the system to achieve the desired system behavior and performance [13], [14].
In [10], [15], the temporal logic falsification problem is converted into an optimization (minimization) problem based on the notion of robustness of temporal logics [16]. Essentially, a system trajectory with negative robustness is one that proves the existence of unsafe system behaviors. Then, a number of stochastic optimization methods can be utilized in order to solve the optimization problem and find a system trajectory that minimizes the temporal logic robustness metric.

This work was partially supported by the NSF awards CNS-1017074 and
H. Abbas and G. Fainekos are with the Schools of Engineering at Arizona State University, Tempe, AZ, E-mail: {hyabbas,fainekos}
However, in [10], [15], the system is treated as a black box. In order to improve the rate of convergence of stochastic search methods, it is desirable to have techniques that can compute local descent directions in the search space. In particular, if a test is performed starting from an initial condition $x$ with property robustness $f(x)$, then a descent vector $d$ must be computed so that starting from $x + d$ the system has robustness $f(x + d) < f(x)$. Such a process has the potential to speed up the stochastic search method by enabling gradient descent in the search space. In [17], we demonstrated that in the case of linear hybrid systems improvements in the convergence rate can be achieved.
Contributions: In this paper, we present a method for the computation of descent vectors for reducing specification robustness for continuous nonlinear dynamical systems. In particular, given an arbitrary Metric Temporal Logic (MTL) specification [18], we determine a critical point on the system trajectory which, if changed, changes the MTL robustness as well. We utilize nonsmooth optimization theory [19] in order to derive the equations that compute a descent vector in the set of initial conditions that will result in reduced MTL robustness. Finally, we demonstrate the applicability of our approach on some nonlinear models from the literature. We envision that our results can be extended to handle arbitrary temporal logic specifications over trajectories of hybrid systems.
Related Work: Combined state-space and real-time temporal logic properties have been studied in a number of different settings. MTL properties of nonlinear systems have been studied in [12] through abstractions to Linear Parameter Varying (LPV) systems. The work in [11] studies the applicability of statistical model checking methods on stochastic hybrid systems. The temporal logic falsification problem can be viewed as a dual problem to the optimal control problem under temporal logic requirements. In [20], the optimal control problem under Linear Temporal Logic (LTL) specifications is studied for mixed-logical discrete-time linear dynamical systems. However, there do not exist any optimal control problem formulations for nonlinear systems under MTL specifications.
The work that appears in [4] and [21] is the closest to the results that we present here. In particular, in [21], the authors use sensitivity analysis in order to quantify neighborhoods of trajectories with the same qualitative behavior. Then, the results of [21] are extended in [4] to estimating parameter ranges and initial conditions for which the system satisfies some real-time temporal logic specification. Even though we are also using sensitivity analysis in our problem solution, our objective is very different from the work in [4]. Our goal is to develop the local search tools needed in order to improve the performance of stochastic MTL falsification methods [10], [15]. Stochastic falsification methods avoid the state-explosion problems that occur when attempting to cover a high-dimensional set of parameters.

2013 American Control Conference (ACC), Washington, DC, USA, June 17-19, 2013. 978-1-4799-0178-4/$31.00 ©2013 AACC, p. 4405
We consider a dynamical system with state $x \in X$

$$\dot{x} = F(t, x) \qquad (1)$$

for a $C^1$ flow $F : \mathbb{R}^n \to \mathbb{R}^n$ with initial conditions $x_0 \in X_0$.

Assumption 2.1: For every $x \in X_0$ and finite time $T > 0$, there exists a unique solution $s(\cdot, x) : [0, T] \to \mathbb{R}^n$ to the differential equation (1). Also, the solution $s_x(\cdot)$ is absolutely continuous. Finally, the flow $F$ is locally bounded, that is, for all compact sets $[0, t] \times C \subseteq [0, T] \times X_0$, there exists $m > 0$ such that $F([0, T] \times C) \subseteq mB$, where $B$ is the unit ball centered at 0.
We formally capture specifications regarding the correct system behavior using Metric Temporal Logic (MTL) [18]. MTL formulas are built over a set of propositions using combinations of the traditional and temporal operators. In this work, the set of atomic propositions $AP$ labels subsets of the state space $X$. In other words, we define an observation map $O : AP \to \mathcal{P}(X)$ such that for each $\pi \in AP$ the corresponding set is $O(\pi) \subseteq X$. Here, $\mathcal{P}(S)$ denotes the powerset of a set $S$. Traditional logic operators are the conjunction ($\wedge$), disjunction ($\vee$), negation ($\neg$), implication ($\to$) and equivalence ($\leftrightarrow$). Some of the temporal operators are eventually ($\Diamond_I$), always ($\Box_I$) and until ($\mathcal{U}_I$). The subscript $I$ imposes timing constraints on the temporal operators. The interval $I$ must be non-empty ($I \neq \emptyset$). For example, MTL can capture the requirement that "all the trajectories $x(t) \in \mathbb{R}$ attain a value in the set $[10, +\infty)$" ($\Diamond p_1$ with $O(p_1) = [10, +\infty)$) or that "whenever the value of $x$ drops below 10, then it should go above 10 within 5 sec and remain above 10 for at least 10 sec" ($\Box(\neg p_1 \to \Diamond_{[0,5]} \Box_{[0,10]} p_1)$).
We can quantify how robustly a system trajectory $s_x(t) = s(t, x)$ satisfies a specification $\varphi$ in MTL [16]. Namely, we define a function $f_\varphi(x)$ that returns the radius of the largest neighborhood we can fit around $s_x$ such that any trajectory in that neighborhood satisfies the same MTL specification $\varphi$ as $s_x$. Moreover, $f_\varphi(x)$ takes positive values if $s_x$ satisfies $\varphi$ and negative values otherwise. The falsification of specification $\varphi$, i.e. detecting a system behavior that does not satisfy $\varphi$, can thus be re-cast as the problem of finding initial states $x \in X_0$ with negative $f_\varphi$-values. This can be done using stochastic search techniques [10], [15]. These can be improved by computing local descent directions for $f_\varphi$.
In this paper, our objective is to solve the following sub-problem: Let $U \subseteq X$ be a set of 'unsafe' system states; in the next section we see exactly what such a $U$ looks like. There may be many such sets. We define the robustness of a trajectory relative to $U$:

Definition 2.1 (Robustness): Let $x \in X_0$, $T > 0$ and $s_x(\cdot)$ be the unique solution of (1) starting from time 0; then the robustness of the solution $s_x$ with respect to $U$ is

$$f(x) = \min_{0 \le t \le T} d_U(s(t; x)) \qquad (2)$$

where $d_U(x) = \inf_{u \in U} \|x - u\|$ is the distance function of a point $x$ from $U$.

The function $f$ is non-differentiable, and generally non-convex. Then, our problem is:

Problem 1: Given $x \in X_0$, $T > 0$ and the unsafe set $U$, find a vector $d(x) \in \mathbb{R}^n$ such that

$$f(x + h\, d(x)) < f(x) \quad \text{for all } 0 < h < \bar{h}$$

for some $\bar{h} > 0$.

Although Problem 1 was defined for a single unsafe set, Prop. 3.1 below shows that robustness w.r.t. a general MTL formula (with several sets) equals the robustness w.r.t. one of the formula's atomic propositions (one of the sets).
Some proofs are omitted due to space constraints.
In this section, we provide an informal review of the robust semantics of MTL formulas. Formal details are available in our previous work [16].

Definition 3.1 (MTL Syntax): Let $AP$ be the set of atomic propositions and $I$ be any non-empty interval of $\mathbb{R}_{\ge 0}$. The set $MTL$ of all well-formed MTL formulas is inductively defined as $\varphi ::= \top \mid p \mid \neg\varphi \mid \varphi \vee \varphi \mid \varphi\, \mathcal{U}_I\, \varphi$, where $p \in AP$ and $\top$ is true.
The robust semantics maps an MTL formula $\varphi$ and a trajectory $s_x$ to a value drawn from $\mathbb{R} \cup \{\pm\infty\}$. The semantics for the atomic propositions evaluated for $s_x(t)$ consists of the distance between $s_x(t)$ and the set $O(p)$ labeling atomic proposition $p$. Intuitively, this distance represents how robustly the point $s_x(t)$ lies within (or is outside) the set $O(p)$. If this distance is zero, then the smallest perturbation of the point $s_x(t)$ can affect the outcome of $s_x(t) \in O(p)$. The semantics for a formula are naturally defined from the semantics for the atomic propositions. We denote the robust valuation of the formula $\varphi$ over the trajectory $s_x$ at time $t$ starting at initial condition $x$ by $[[\varphi, O]](s_x, t)$. It is easy to show [16] that if the signal satisfies the property, then its robustness is non-negative, and if the signal does not satisfy the property, then its robustness is non-positive. In [8], we presented algorithms for efficiently computing the MTL robustness of a discrete-time trajectory. The analysis can be extended to continuous-time signals under some assumptions on the system [16].
For computational reasons, we must impose additional assumptions on the sets $O(p)$:

Assumption 3.1: For each $p \in AP$, we have $O(p) = \bigcap_i \{x \in \mathbb{R}^n \mid a_i \cdot x \le b_i\}$ where $a_i \in \mathbb{R}^n$ and $b_i \in \mathbb{R}$.

Under the assumption that (1) is well-behaved, there exists at least one point in time $t$ and an atomic proposition $p$ such that the MTL robustness is equal to the distance of $s_x(t)$ from $O(p)$. The proof of the following proposition is based on the assumption that the trajectory is continuous and bounded for all time in $[0, T]$.
Proposition 3.1: Consider an MTL formula $\varphi$ and a trajectory $s_x$ of (1) starting from some $x \in X_0$ such that $[[\varphi, O]](s_x, 0) > 0$. If (1) satisfies Assumption 2.1, then there exist $t_r \in [0, T]$ and $p \in AP$ such that

$$[[\varphi, O]](s_x, 0) = \mathrm{Dist}(s_x(t_r), O(p))$$

where $\mathrm{Dist}(z, S)$ is the signed distance of $z$ from $S$: its magnitude is $d_S(z)$ and its sign is determined by whether $z \in S$. We remark that given a trajectory of (1), the sample of the trajectory that represents the critical distance can be easily computed by modifying the algorithm in [8].
In order to detect a bad system behavior with respect to an MTL specification, our goal is to reduce such critical distances. Therefore, in the following, we focus on a particular set $O(p)$ or one of its defining half-spaces which we refer to as the unsafe set $U$.

In general, $\varphi$ may have several predicates $p$ and corresponding sets $O(p)$. To falsify $\varphi$ will require finding a trajectory that visits these $O(p)$ in some order and under some timing constraints. In this paper, we derive the descent vector relative to only one $O(p)$ at a time. Different unsafe sets $O(p)$ are chosen by the stochastic falsification algorithm, which calls the local descent algorithm on the chosen unsafe
In this section we compute a descent direction using tools from nonsmooth analysis. We start by solving the unconstrained problem $X_0 = \mathbb{R}^n$ in sub-section IV-A. The constrained problem is later addressed in sub-section IV-B.
A. Descent vector
In general, two trajectories starting arbitrarily close may achieve very different robustness values, at very different points in time. The following theorem shows that for some systems that are themselves 'Lipschitz' (in the sense below), the objective function is Lipschitz:

Theorem 4.1 (Lipschitz objective): If for every $x \in X_0$, there exist $b > 0$ and $K_x > 0$ s.t. $\|s(t; x_1) - s(t; x_2)\| \le K_x \|x_1 - x_2\|$ for all $x_1, x_2 \in B_b(x)$ and all $0 \le t \le T$, then the objective function $f$ is Lipschitz.

The condition of the theorem can be shown to hold if we assume $F$ to be Lipschitz in $x$ on $[0, T] \times X$, and $X$ is open connected. Moreover, the constant $K_x$ is then independent of $x$.
Nonsmooth analysis [19] provides us with the tools to compute descent directions.

Theorem 4.2 (Thm. 5.2.5 in [19]): Let $f : \mathbb{R}^n \to \mathbb{R}$ be locally Lipschitz at $x$. The direction $d \in \mathbb{R}^n$ is a descent direction at $x$ if
where $f^o$ is the generalized directional derivative of $f$ at $x$,
$f^o(x; d) = \limsup$

Theorem 4.3 (2.1.3(i) in [19]): Let $g : \mathbb{R}^n \to \mathbb{R}$ be a convex function with a Lipschitz constant $K$ at $x$. Then, the directional derivative in each direction $v \in \mathbb{R}^n$ exists and satisfies
In this section we will work from the definition of generalized derivative to derive a descent $d$ such that $f^o(x; d) < 0$. By definition of robustness (2), we have
$f^o(x; d) = \limsup$
$= \limsup$
By definition of limit, there exist sequences $(y_i) \to x$ in $\mathbb{R}^n$ and $(h_i) \to 0$ in $\mathbb{R}^+$ and $i_0 \in \mathbb{N}$ such that, for $i > i_0$,
It is easily seen that for positive functions $g(t)$ and $k(t)$, $\min_t g(t) \;\; \min_t k(t) \;\; \min_t [k(t) \;\; g(t)]$. Identifying $g(t) = d_U(t; y_i + h_i d)$ and $k(t) = d_U(t; y_i)$, we have
$\min_{0 \le t \le T} [d_U(s(t; y_i)) \;\; d_U(s(t; y_i + h_i d))]$
$[d_U(s(t; y_i)) \;\; d_U(s(t; y_i + h_i d))]$
As $i \to \infty$, $1/i \to 0$, $h_i \to 0$, $y_i \to x$ and $s(t; y_i + h_i d) \to s(t; y_i)$ in norm by Assumption 2.1. So
$\lim_{i \to \infty} \min$
$[d_U(s(t; y_i)) \;\; d_U(s(t; y_i + h_i d))]$
$[d_U(s(t; y_i)) \;\; d_U(s(t; y_i + h_i d))]$
$\lim_{y_i \to x,\; h_i \searrow 0} \; d_U(s(t; y_i + h_i d)) \;\; d_U(s(t; y_i))]$
(We can show that the interchange of limit and min above is valid.) Linearizing $s(t; y_i + h_i d)$ in the second argument, and ignoring higher-order terms $o(h_i)$:

Assumption 4.1: We assume that the sensitivity matrix $A(t; y) = \partial s(t; y) / \partial y$ exists, is invertible, and that it is spectral norm-continuous in $y$.

We remark that $A(t; y)$ is the sensitivity of the trajectory with respect to the initial conditions and can be computed as indicated in [22], [23]. Then,
$\le -\min$
If the limit in brackets does not exist, i.e., it is $+\infty$, then $f^o(x; d) < 0$ and we are done. Otherwise, it can be shown that the limit in brackets equals $d'_U(s(t; x); A(t; x) d)$: that is, the directional derivative of $d_U$ at $s(t; x) \in \mathbb{R}^n$, in the direction $A(t; x) d$.
$f^o(x; d) \le -\min [d'_U(s(t; x); A(t; x) d)]$
$d'_U(s(t; x); A(t; x) d)$
Recall that we want $f^o(x; d) < 0$, so we seek to upper-bound the RHS, that is,
$d'_U(s(t; x); A(t; x) d) < 0,$
which is equivalent to
$d'_U(s(t; x); A(t; x) d) < 0 \quad \forall t \in [0, T]$
Fix $t$ for now. For ease of notation, we'll just write $s$ and $A$ for $s(t; x)$ and $A(t; x)$, respectively. By Theorem 4.3,
Thus, it is necessary that there exist an $h > 0$ s.t.
Let $n_{s(x)}(t) \in \mathbb{R}^n$ be the vector that gives the direction of the shortest distance between $s(t; x)$ and $U$. We'll write $n$ for short, and call it an approach vector. Then
So set $A(t; x)\, d(t) = n_{s(x)}(t)$, i.e. $d(t) = A(t; x)^{-1} n_{s(x)}(t)$, where we made explicit the dependence of the descent vector on time (different points on the trajectory will have different descent vectors). Thus, $d(t) = A(t; x)^{-1} n_{s(x)}(t)$ satisfies $d'_U(s(t; x); A(t; x) d(t)) < 0$ at every $t$. In particular at
$d'_U(s(t; x); A(t; x) d(t)),$
we still have
$d'_U(s(t; x); A(t; x) d(t)) < 0$
is a descent direction for $f$ at $x$, subject to the foregoing
It remains to compute $t^*$. We can show that $t^* = \arg\min_{0 \le t \le T} d_U(s(t; x))$, and the proof is omitted.

We conclude this section by noting that Eq. (5) can be generalized by choosing a different approach vector than $n$, conditioned on satisfying (4). The particular choice will depend on the geometry of the problem.
B. Constrained problem
We now remove Assumption (A3) and we consider the constrained problem where $X_0 \neq \mathbb{R}^n$. In other words, what if $x + d \notin X_0$?

If we use $\mu d$, $\mu < 1$, then
$d'_U(s(t_r; x); \mu \cdot n_{s(x)}(t_r)) =$
$d_U(s(t_r; x) + \mu \cdot d_{s(x)}(t)) \;\; d_U(s(t_r; x))$
by Eq. (4). So we can shrink $d$ to fit $x + d$ in $X_0$, and still have a descent. This simple approach circumvents the need to calculate or approximate the subdifferential of $f$ subject to the constraints, which is a non-trivial task given the form of $f$.
This brings up the issue of step-size: in principle, any method for computing a step-size that does not require differentiability can be used once we have a descent direction (and indeed we use backtracking in our experiments); see e.g. [19], [24], [25]. In practice, a method that does not use a line-search is preferable, since line searches require additional evaluations of the objective function, and this implies simulating the system. Such simulations might prove too costly. We will simply highlight two requirements on any step-size that transpire from the above arguments: that it be "small enough" for the $o(h)$ terms in (3) to be safely ignored, and that it be smaller than the robustness $d_U(s(t; x))$ as per (4). Additional, generic, conditions can be reviewed in standard texts, such as [19, Section II.2.1.2].
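As an added, runnable illustration of Section IV (it is not code from the paper), the following computes the descent vector of Eq. (5), $d = A(t^*; x)^{-1} n$, at the critical time $t^* = \arg\min_t d_U(s(t; x))$ and combines it with the backtracking step size discussed above, starting the step no larger than the current robustness as the page requires. The plant (a damped pendulum), the box unsafe set and the starting point are constructed for this example; the sensitivity matrix $A$ is obtained by integrating the variational equation alongside the plant with a fixed-step RK4, in place of the CVODES-style solvers of [22], [23].

```python
import math

# Constructed plant (not one of the paper's examples): a damped pendulum
#   x1' = x2,   x2' = -sin(x1) - DAMPING * x2
DAMPING = 0.2
# Constructed unsafe box U = [-0.5,-0.3] x [-1.2,-1.0]; a box is an intersection of
# half-spaces, so it meets the paper's Assumption 3.1
UNSAFE = ((-0.5, -0.3), (-1.2, -1.0))
T_HORIZON, DT = 4.0, 0.01

def vector_field(s):
    return [s[1], -math.sin(s[0]) - DAMPING * s[1]]

def jacobian(s):
    # J = dF/dx drives the variational equation A' = J(s) A, whose solution is A = ds/dx0
    return [[0.0, 1.0], [-math.cos(s[0]), -DAMPING]]

def matmul(m, n):
    return [[sum(m[i][k] * n[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def augmented_rhs(z):
    # z = [x1, x2, a11, a12, a21, a22]: plant state followed by the sensitivity matrix A
    s, a = z[:2], [[z[2], z[3]], [z[4], z[5]]]
    da = matmul(jacobian(s), a)
    return vector_field(s) + [da[0][0], da[0][1], da[1][0], da[1][1]]

def rk4_step(z, dt):
    k1 = augmented_rhs(z)
    k2 = augmented_rhs([zi + 0.5 * dt * ki for zi, ki in zip(z, k1)])
    k3 = augmented_rhs([zi + 0.5 * dt * ki for zi, ki in zip(z, k2)])
    k4 = augmented_rhs([zi + dt * ki for zi, ki in zip(z, k3)])
    return [zi + dt / 6.0 * (a + 2 * b + 2 * c + d) for zi, a, b, c, d in zip(z, k1, k2, k3, k4)]

def simulate(x0, T=T_HORIZON, dt=DT):
    """Integrate plant and sensitivity together from A(0) = I; yields (t, z) samples."""
    z = [x0[0], x0[1], 1.0, 0.0, 0.0, 1.0]
    yield 0.0, z
    for i in range(1, int(round(T / dt)) + 1):
        z = rk4_step(z, dt)
        yield i * dt, z

def dist_to_box(p, box=UNSAFE):
    """d_U(p) for a box U, together with the closest point q of U to p."""
    q = [min(max(pi, lo), hi) for pi, (lo, hi) in zip(p, box)]
    return math.hypot(q[0] - p[0], q[1] - p[1]), q

def robustness(x0, box=UNSAFE):
    """Eq. (2) on the sampled trajectory; returns (f, t*, z*) with t* the critical time."""
    best = None
    for t, z in simulate(x0):
        d, _ = dist_to_box(z[:2], box)
        if best is None or d < best[0]:
            best = (d, t, z)
    return best

def descent_vector(x0, box=UNSAFE):
    """Eq. (5): d = A(t*;x0)^{-1} n, n the unit approach vector from s(t*;x0) towards U."""
    f, _, z = robustness(x0, box)
    s = z[:2]
    if f == 0.0:
        return f, None          # trajectory already reaches U: nothing left to descend
    _, q = dist_to_box(s, box)
    n = [(q[0] - s[0]) / f, (q[1] - s[1]) / f]
    a, b, c, d = z[2], z[3], z[4], z[5]
    det = a * d - b * c
    if abs(det) < 1e-12:
        return f, None          # sensitivity not invertible: Assumption 4.1 fails here
    inv = [[d / det, -b / det], [-c / det, a / det]]
    return f, [inv[0][0] * n[0] + inv[0][1] * n[1], inv[1][0] * n[0] + inv[1][1] * n[1]]

def descent_step(x0, h0=1.0, box=UNSAFE):
    """Backtracking: start at h <= current robustness, halve until f strictly decreases."""
    f0, dvec = descent_vector(x0, box)
    if dvec is None:
        return x0, f0, 0.0
    h = min(h0, f0)
    while h > 1e-6:
        x1 = [x0[0] + h * dvec[0], x0[1] + h * dvec[1]]
        f1 = robustness(x1, box)[0]
        if f1 < f0:
            return x1, f1, h
        h *= 0.5
    return x0, f0, 0.0          # no step size descends: local minimum

def local_search(x0, iterations=10, box=UNSAFE):
    """Iterate descent steps; returns the final initial condition and the robustness history."""
    x, history = list(x0), [robustness(x0, box)[0]]
    for _ in range(iterations):
        x, f, h = descent_step(x, box=box)
        if h == 0.0:
            break
        history.append(f)
    return x, history

if __name__ == "__main__":
    x_final, hist = local_search((1.0, 0.0))
    print("robustness per iteration:", [round(v, 4) for v in hist])
    print("final initial condition:", [round(v, 4) for v in x_final])
```

Because $f(x + hd) \le d_U(s(t^*; x + hd))$ and the approach vector reduces that distance at first order, the backtracking loop always finds an accepted $h$ unless the iterate is already a local minimum.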
Example 1: Our first example is a 2-dimensional system taken from [12] (Example 4), given by
$\dot{x}(t) = 0.05\, x_1(t) \sin^2(x_2(t)) \;\; 2.5\, x_2(t)$
We present two representative experiments with this system, both using a trajectory duration of 10 time units; the specification is $\neg p_1$ with $O(p_1) = [-0.11, -0.08] \times [0, 0.01]$ and $x_0 = (0.5, 0.2)^T$. First, we consider $h = 1$. Fig. 1 shows a sequence of starting points, and corresponding trajectories, generated by computing successive descent vectors according to Eq. (5). Descents of different directions are generated, and successive trajectories get closer to the unsafe set as can be seen in Fig. 2. Ten descent vectors reduce robustness from 0.016097 to 0.011181.

Starting with $h = 0.1$, the iterations reach a local minimum after 4 descents; the $d$ computed by Eq. (5) no longer decreases the objective function value for any step-size. A small ball around the current $x_0$ was sampled to verify it is indeed a local minimum.
Example 2: Our second example is taken from [15], given by
$x_2(t) \cos(2\pi x_2(t)) \;\; x_1(t) \sin(2\pi x_1(t)) + 0.1t$
with initial condition $x(0) = x_0 \in X_0 = [-1, 1] \times [-1, 1]$, and specification $\neg p_2$ with $O(p_2) = [-1.6, -1.4] \times [0.9, 1.1]$. If the trajectory duration is 6 units, allowing the trajectories to settle, and starting from $(0, 0)^T$, a local minimum is reached in only 2 iterations. Inspection of the descent direction led us to try a start point $x_0 = (0.5, 0.5)^T$: from here, robustness was reduced from 1.9 to 1.19 in 10 iterations, decreasing at every iteration. If the trajectory duration is only 2 units, thus remaining in the transient mode, we can see more clearly the effect of choosing a descent direction: Fig. 3 shows the unsafe set relative to the initial set, and the trajectories chosen by descent.

To verify that this change in trajectory was not 'accidental' (e.g. as a result of the step-size leading to an entirely different local min), but rather was driven by a genuine descent, we plot the contour curves of the objective function (obtained by sampling it on a grid of 500 points). Fig. 4 shows a consistent descent towards levels of decreasing robustness. As further verification, we moved the unsafe set to $[1.25, 1.75] \times [-1.1, -0.9]$. Fig. 5 shows the resulting trajectories chosen by descent.

Fig. 1. Initial set (bottom right), unsafe set (red (black) box in top left) and trajectories for Example 1.

Fig. 2. Successive Example 1 trajectories descending towards the unsafe set.
In order to demonstrate the potential of the proposed approach to the MTL falsification problem, we incorporated the descent method with the Simulated Annealing (SA) falsification method of [15]. We falsified the specification
where $O(p_3)$ and $O(p_4)$ are the dark boxes in Fig. 6. Informally, the specification requires that if the system trajectory is in $O(p_3)$ at time $t_1$, then $O(p_4)$ should be avoided for all time in $[t_1, t_1 + 1]$. For the specification to be falsified, distances to both sets $O(p_3)$ and $O(p_4)$ must become zero. Note that in Fig. 6, our algorithm attempts to minimize both distances. To rigorously assess the efficiency of SA+DESCENT compared to pure SA, a thorough statistical study will be conducted in future research.
Fig. 3. Transient trajectories of Example 2. Note the qualitative change in the trajectories, from 1 to 5, as a result of descending towards the unsafe set. Circles mark the initial points, and long black arrows are $u_s(t; x)$.

Fig. 4. Contour plot of $f$ in Example 2, with initial points chosen by
Example 3: Our third example is the quorum sensing system of the luminescent marine bacterium Vibrio fischeri (VF) [5]. This is modeled as a 9-dimensional non-linear system. A simplified hybrid model of a mutant VF bacterium has 2 equilibrium points (one luminescent, the other non-luminescent) [5]. We choose the unsafe set to be disjoint from neighborhoods around these 2 equilibria. Namely, we consider the specification $\neg p_2$ with $O(p_5) = \{x \in \mathbb{R}^9 \mid 13625 \le x_3 \le 13626,\; 36330 \le x_7 \le 36331,\; 17968 \le x_8 \le 17969\}$. Starting from $x_0 = (1e5, 1, \ldots, 1)^T$, and computing trajectories of duration 5 units, 10 computations of a descent vector with step size $h = 0.1$ reduce robustness from 36327 to 14099, with robustness decreasing at each

Fig. 5. Example 2 with a different unsafe set.

Fig. 6. Example 2 with $\varphi_3$. $O(p_3)$ is the left dark square, $O(p_4)$ is the right dark square, $X_0$ is the white rectangle.
We have presented the derivation of the equations that can be used for the computation of robustness descent vectors in the set of initial conditions for nonlinear dynamical systems. These results are necessary for enabling "gray box" MTL falsification methods for dynamical systems. In the future, we will focus on extending our new approach to hybrid systems and non-autonomous systems.
[1] S. Steinhorst and L. Hedrich, "Model checking of analog systems using an analog specification language," in Proceedings of the Conference on Design, Automation and Test in Europe, ser. DATE '08. New York, NY, USA: ACM, 2008, pp. 324–329.
[2] M. H. Zaki, S. Tahar, and G. Bois, "Formal verification of analog and mixed-signal designs: A survey," Microelectronics Journal, vol. 39, pp. 1395–1404, 2008.
[3] S. Little, D. Walter, K. Jones, and C. J. Myers, "Analog/mixed-signal circuit verification using models generated from simulation traces," in Proceedings of the 5th International Symposium on Automated Technology for Verification and Analysis (ATVA), ser. LNCS, vol. 4762. Springer, 2007, pp. 114–128.
[4] A. Donze, E. Fanchon, L. M. Gattepaille, O. Maler, and P. Tracqui, "Robustness analysis and behavior discrimination in enzymatic reaction networks," PLoS ONE, vol. 6, no. 9, p. e24246, 09 2011.
[5] C. Belta, J. Schug, T. Dang, V. Kumar, G. Pappas, and H. Rubin, "Stability and reachability analysis of a hybrid model of luminescence in the marine bacterium Vibrio fischeri," in Proceedings of the 40th IEEE Conference on Decision and Control, December 2001.
[6] A. A. Julius, Á. M. Halász, M. S. Sakar, H. Rubin, V. Kumar, and G. J. Pappas, "Stochastic modeling and control of biological systems: The lactose regulation system of Escherichia coli," IEEE Trans. Automat. Contr., vol. 53, pp. 51–65, 2008.
[7] S. Sankaranarayanan and G. Fainekos, "Simulating insulin infusion pump risks by in-silico modeling of the insulin-glucose regulatory system," in International Conference on Computational Methods in Systems Biology, 2012, [To Appear].
[8] G. Fainekos, S. Sankaranarayanan, K. Ueda, and H. Yazarel, "Verification of automotive control applications using S-TaLiRo," in Proceedings of the American Control Conference, 2012.
[9] E. Plaku, L. E. Kavraki, and M. Y. Vardi, "Falsification of LTL safety properties in hybrid systems," in Proc. of the Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), ser. LNCS, vol. 5505, 2009, pp. 368–382.
[10] T. Nghiem, S. Sankaranarayanan, G. Fainekos, F. Ivancic, A. Gupta, and G. Pappas, "Monte-carlo techniques for falsification of temporal properties of non-linear hybrid systems," in Hybrid Systems: Computation and Control, 2010.
[11] P. Zuliani, A. Platzer, and E. M. Clarke, "Bayesian statistical model checking with application to Simulink/Stateflow verification," in Proceedings of the 13th ACM International Conference on Hybrid Systems: Computation and Control, 2010, pp. 243–252.
[12] G. E. Fainekos and G. J. Pappas, "MTL robust testing and verification for LPV systems," in Proceedings of the American Control Conference, 2009, pp. 3748–3753.
[13] A. Rizk, G. Batt, F. Fages, and S. Soliman, "Continuous valuations of temporal logic specifications with applications to parameter optimization and robustness measures," Theor. Comput. Sci., vol. 412, no. 26, pp. 2827–2839, 2011.
[14] A. Donze, G. Clermont, and C. J. Langmead, "Parameter synthesis in nonlinear dynamical systems: Application to systems biology," Journal of Computational Biology, vol. 17, no. 3, pp. 325–336, 2010.
[15] H. Abbas, G. E. Fainekos, S. Sankaranarayanan, F. Ivancic, A. Gupta, and G. J. Pappas, "Probabilistic temporal logic falsification of cyber-physical systems," ACM Transactions on Embedded Computing Systems, vol. (Accepted), 2011.
[16] G. Fainekos and G. Pappas, "Robustness of temporal logic specifications for continuous-time signals," Theoretical Computer Science, vol. 410, no. 42, pp. 4262–4291, September 2009.
[17] H. Abbas and G. Fainekos, "Linear hybrid system falsification through local search," in Automated Technology for Verification and Analysis, ser. LNCS, vol. 6996. Springer, 2011, pp. 503–510.
[18] R. Koymans, "Specifying real-time properties with metric temporal logic," Real-Time Systems, vol. 2, no. 4, pp. 255–299, 1990.
[19] M. M. Makela and P. Neittaanmaki, Nonsmooth Optimization. World Scientific, 1992.
[20] S. Karaman, R. Sanfelice, and E. Frazzoli, "Optimal control of mixed logical dynamical systems with linear temporal logic specifications," in IEEE Conf. on Decision and Control, 2008.
[21] A. Donze and O. Maler, "Systematic simulation using sensitivity analysis," in Hybrid Systems: Computation and Control, ser. LNCS, vol. 4416. Springer, 2007, pp. 174–189.
[22] R. Serban and A. Hindmarsh, "CVODES: the sensitivity-enabled ODE solver in SUNDIALS," in Proceedings of IDETC/CIE, 2005.
[23] I. Hiskens and M. Pai, "Trajectory sensitivity analysis of hybrid systems," IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, vol. 47, no. 2, pp. 204–220, Feb. 2000.
[24] S. Boyd and L. Vandenberghe, Convex Optimization. Cambridge University Press, 2004.
[25] J. Goffin, "On convergence rates of subgradient optimization methods," Mathematical Programming, no. 13, pp. 329–347, 1977.
... In this work, we particularly consider the cases of real-valued continuous-time signals which naturally includes the case of discrete-time signals. In other words, the state space is ⊆ R and the time domain is either T := R or T := Z. 1 For any set T we denote by T = T ∪ {±∞}, for instance, R := R ∪ {±∞} and Z := Z ∪ {±∞} are the extended real numbers and integers, respectively. Finally, we denote the set of all signals x : T → as the signal space T . ...
... Take a look at Fig. 1. The signal x := [x (1) , x (2) ] presented in Fig.1(a) is finite and discrete-time, its state at each time step = 0, . . . , 9 is := [ (1) , (2) ] ∈ R 2 . ...
... Let us next analyze under which conditions these time shifts directly correlate with time shifts in the underlying signal x. Consider a signal x : T → with its state := ( (1) . . . , ( ) ) ∈ R . ...
Full-text available
We study the temporal robustness of temporal logic specifications and show how to design temporally robust control laws for time-critical control systems. This topic is of particular interest in connected systems and interleaving processes such as multi-robot and human-robot systems where uncertainty in the behavior of individual agents and humans can induce timing uncertainty. Despite the importance of time-critical systems, temporal robustness of temporal logic specifications has not been studied, especially from a control design point of view. We define synchronous and asynchronous temporal robustness and show that these notions quantify the robustness with respect to synchronous and asynchronous time shifts in the predicates of the temporal logic specification. It is further shown that the synchronous temporal robustness upper bounds the asynchronous temporal robustness. We then study the control design problem in which we aim to design a control law that maximizes the temporal robustness of a dynamical system. Our solution consists of a Mixed-Integer Linear Programming (MILP) encoding that can be used to obtain a sequence of optimal control inputs. While asynchronous temporal robustness is arguably more nuanced than synchronous temporal robustness, we show that control design using synchronous temporal robustness is computationally more efficient. This trade-off can be exploited by the designer depending on the particular application at hand. We conclude the paper with a variety of case studies.
... ⇒ [1,5] x > 1000)) ⇒ [20,100] ...
... Thus controlling the L 2 signal reconstruction error does not always yield a control of the robustness computation error. The next result, a generalization of[1, Thm. 4.1], shows that we should control for the sup norm of the reconstruction error. ...
In multi-agent systems, robots transmit their planned trajectories to each other or to a central controller, and each receiver plans its own actions by maximizing a measure of mission satisfaction. For missions expressed in temporal logic, the robustness function plays the role of satisfaction measure. Currently, a Piece-Wise Linear (PWL) or piece-wise constant reconstruction is used at the receiver. This allows an efficient robustness computation algorithm - a.k.a. monitoring - but is not adaptive to the signal class of interest, and does not leverage the compression properties of more general representations. When communication capacity is at a premium, this is a serious bottleneck. In this paper we first show that the robustness computation is significantly affected by how the continuous-time signal is reconstructed from the received samples, which can mean the difference between a successful control and a crash. We show that monitoring general spline-based reconstructions yields a smaller robustness error, and that it can be done with the same time complexity as monitoring the simpler PWL reconstructions. Thus robustness computation can now be adapted to the signal class of interest. We further show that the monitoring error is tightly upper-bounded by the L ∞ signal reconstruction error. We present a (non-linear) L ∞ -based scheme which yields even lower monitoring error than the spline-based schemes (which have the advantage of being faster to compute), and illustrate all results on two case studies. As an application of these results, we show how time-frequency specifications can be efficiently monitored online.
... 2.2. Even more challenging is the fact that θ ϕ includes signal shifts according to (3)-(4), thus, commonly used techniques such as smooth approximators [16], [11], non-smooth optimization theory [17] or Monte-Carlo optimization techniques [18] are not applicable. In this work we instead propose a Mixed-Integer Linear Program (MILP) solution that relies on an explicit encoding of such signal shifts. ...
We present a robust control framework for time-critical systems in which satisfying real-time constraints is of utmost importance for the safety of the system. Signal Temporal Logic (STL) provides a formal means to express a variety of real-time constraints over signals and is suited for planning and control purposes as it allows us to reason about the time robustness of such constraints. The time robustness of STL particularly quantifies the extent to which timing uncertainties can be tolerated without violating real-time specifications. In this paper, we first pose a control problem in which we aim to find an optimal input sequence to a control system that maximizes the time robustness of an STL constraint. We then propose a Mixed Integer Linear Program (MILP) encoding and provide correctness guarantees and a complexity analysis of the encoding. We also show in two case studies that maximizing STL time robustness allows us to account for timing uncertainties of the underlying control system.
... STL can be thought of as Boolean logic with added temporal operators to capture temporal behavior. It allows the succinct and unambiguous specification of a wide variety of complex system behaviors over time [2], [3], [4] and has been used extensively to formalize control objectives, e.g. [4]. ...
We present a solution to the problem of fairly planning a fleet of Unmanned Aerial Vehicles (UAVs) that have different missions and operators, such that no one operator unfairly gets to finish its missions early at the expense of others - unless this was explicitly negotiated. When hundreds of UAVs share an urban airspace, the relevant authorities should allocate corridors to them such that they complete their missions, but no one vehicle is accidentally given an exceptionally fast path at the expense of another, which is thus forced to wait and waste energy. Our solution, FairFly, addresses the fair planning question for general autonomous systems, including UAV fleets, subject to complex missions typical of urban applications. FairFly formalizes each mission in temporal logic. An offline search finds the fairest paths that satisfy the missions and can be flown by the UAVs, leading to lighter online control load. It allows explicit negotiation between UAVs to enable imbalanced path durations if desired. We present three fairness notions, including one that reduces energy consumption. We validate our results in simulation, and demonstrate a lighter computational load and less UAV energy consumption as a result of flying fair trajectories.
In this work, we present an integrated Framework for Autonomous Drone Safety (FADS). The demand for safe and efficient mobility of people and goods is growing rapidly, in line with the growth in population in US urban centers. In response, new technologies to meet these urban mobility demands are also rapidly maturing in preparation for future full-scale deployment. As surface congestion increases and the technology surrounding unmanned aerial systems (UAS) matures, more people are looking to the urban airspace and Urban Air Mobility (UAM) as a piece of the puzzle to promote mobility in cities. However, the lack of coordination between UAS stakeholders, federal UAS safety regulations, and researchers developing UAS algorithms continues to be a critical barrier to widespread UAS adoption. FADS takes into account federal UAS safety requirements, UAM challenge scenarios, contingency events, as well as stakeholder-specific operational requirements. FADS formalizes these requirements, through Signal Temporal Logic (STL) representations, and a trajectory planning optimization for multi-rotor UAS fleets guarantees robust and continuous-time satisfaction of the requirements and mission objectives. The intuitive FADS user interface makes it easy to plan missions in a variety of environments; we demonstrate this through several rural and urban environment-based case studies. FADS holistically integrates high-level stakeholder objectives with low-level trajectory planning; combined with a user-friendly interface, FADS reduces the complexity of stakeholder coordination within the UAM context.
Safe autonomous operation of dynamical systems has become one of the most important research problems. Algorithms for planning and control of such systems are now finding place on production vehicles, and are fast becoming ubiquitous on the roads and air-spaces. However, most algorithms for such operations that provide guarantees either do not scale well or rely on over-simplifying abstractions that make them impractical for real-world implementations. On the other hand, the algorithms that are computationally tractable and amenable to implementation generally lack any guarantees on their behavior. In this work, we aim to bridge the gap between provable and scalable planning and control for dynamical systems. The research covered herein can be broadly categorized into: i) multi-agent planning with temporal logic specifications, and ii) robust predictive control that takes into account the performance of the perception algorithms used to process information for control. In the first part, we focus on multi-robot systems with complicated mission requirements, and develop a planning algorithm that can take into account a) spatial, b) temporal and c) reactive mission requirements across multiple robots. The algorithm not only guarantees continuous-time satisfaction of the mission requirements, but also that the generated trajectories can be followed by the robot. The other part develops a robust, predictive control algorithm to control the dynamical system to follow the trajectories generated by the first part, within some desired bounds. This relies on a contract-based framework wherein the control algorithm controls the dynamical system as well as a resource/quality trade-off in a perception-based state estimation algorithm. We show that this predictive algorithm remains feasible with respect to constraints while following a desired trajectory, and also stabilizes the dynamical system under control.
Through simulations, as well as experiments on actual robotic systems, we show that the planning method is computationally efficient and scales better than other state-of-the-art algorithms that use similar formal specifications. We also show that the robust control algorithm provides better control performance, and is also computationally more efficient than similar algorithms that do not leverage the resource/quality trade-off of the perception-based state estimator.
One way to analyze Cyber-Physical Systems is by modeling them as hybrid automata. Since reachability analysis for hybrid nonlinear automata is a very challenging and computationally expensive problem, in practice, engineers try to solve the requirements falsification problem. In one method, the falsification problem is solved by minimizing a robustness metric induced by the requirements. This optimization problem is usually a non-convex non-smooth problem that requires heuristic and analytical guidance to be solved. In this paper, functional gradient descent for hybrid systems is utilized for locally decreasing the robustness metric. The local descent method is combined with Simulated Annealing as a global optimization method to search for unsafe behaviors.
CVODES, which is part of the SUNDIALS software suite, is a stiff and nonstiff ordinary differential equation initial value problem solver with sensitivity analysis capabilities. CVODES is written in a data-independent manner, with a highly modular structure to allow incorporation of different preconditioning and/or linear solver methods. It shares with the other SUNDIALS solvers several common modules, most notably the generic kernel of vector operations and a set of generic linear solvers and preconditioners. CVODES solves the IVP by one of two methods — backward differentiation formula or Adams-Moulton — both implemented in a variable-step, variable-order form. The forward sensitivity module in CVODES implements the simultaneous corrector method, as well as two flavors of staggered corrector methods. Its adjoint sensitivity module provides a combination of checkpointing and cubic Hermite interpolation for the efficient generation of the forward solution during the adjoint system integration. We describe the current capabilities of CVODES, its design principles, and its user interface, and provide an example problem to illustrate the performance of CVODES.
We present a Monte-Carlo optimization technique for finding system behaviors that falsify a metric temporal logic (MTL) property. Our approach performs a random walk over the space of system inputs guided by a robustness metric defined by the MTL property. Robustness is guiding the search for a falsifying behavior by exploring trajectories with smaller robustness values. The resulting testing framework can be applied to a wide class of cyber-physical systems (CPS). We show through experiments on complex system models that using our framework can help automatically falsify properties with more consistency as compared to other means, such as uniform sampling.
We present a case study on the use of robustness-guided and statistical model checking approaches for simulating risks due to insulin infusion pump usage by diabetic patients. Insulin infusion pumps allow for a continuous delivery of insulin with varying rates and delivery profiles to help patients self-regulate their blood glucose levels. However, the use of infusion pumps and continuous glucose monitors can pose risks to the patient including chronically elevated blood glucose levels (hyperglycemia) or dangerously low glucose levels (hypoglycemia). In this paper, we use mathematical models of the basic insulin-glucose regulatory system in a diabetic patient, insulin infusion pumps, and the user’s interaction with these pumps defined by commonly used insulin infusion strategies for maintaining normal glucose levels. These strategies include common guidelines taught to patients by physicians and certified diabetes educators and have been implemented in commercially available insulin bolus calculators. Furthermore, we model the failures in the devices themselves along with common errors in the usage of the pump. We compose these models together and analyze them using two related techniques: (a) robustness guided state-space search to explore worst-case scenarios and (b) statistical model checking techniques to assess the probabilities of hyper- and hypoglycemia risks. Our technique can be used to identify the worst-case effects of the combination of many different kinds of failures and place high confidence bounds on their probabilities.
S-TaLiRo is a software toolbox that performs stochastic search for system trajectories that falsify real-time temporal logic specifications. S-TaLiRo is founded on the notion of robustness of temporal logic specifications. In this paper, we present a dynamic programming algorithm for computing the robustness of temporal logic specifications with respect to system trajectories. We also demonstrate that typical automotive functional requirements can be captured and falsified using temporal logics and S-TaLiRo.
Addresses the mathematical modeling and analysis of the quorum sensing system found in unicellular bacteria that exhibit bioluminescence. The luminescence is governed by the expression of genes in the cell, which in turn is controlled by the density of cells in a population. The paper illustrates the application of standard tools in control theory and some tools in hybrid systems to the quorum sensing system, and demonstrates that bioluminescence can be modeled and understood as the output of a switched dynamical system.
This paper deals with the robust metric temporal logic (MTL) testing and verification of linear systems with parametric uncertainties. This is a very general class of systems that includes not only linear time invariant (LTI) systems with unknown constant parameters, but also linear time varying (LTV) systems and certain classes of nonlinear systems through abstraction. The two main tools for the solution of this problem are the approximate bisimulation relations and a notion of robustness for temporal logic formulas.
Convex optimization problems arise frequently in many different fields. A comprehensive introduction to the subject, this book shows in detail how such problems can be solved numerically with great efficiency. The focus is on recognizing convex optimization problems and then finding the most appropriate technique for solving them. The text contains many worked examples and homework exercises and will appeal to students, researchers and practitioners in fields such as engineering, computer science, mathematics, statistics, finance, and economics.
Rates of convergence of subgradient optimization are studied. If the step size is chosen to be a geometric progression with ratio the convergence, if it occurs, is geometric with rate. For convergence to occur, it is necessary that the initial step size be large enough, and that the ratio be greater than a sustainable rate z(), which depends upon a condition number, defined for both differentiable and nondifferentiable functions. The sustainable rate z() is closely related to the rate of convergence of the steepest ascent method for differentiable functions: in fact it is identical if the function is not too well conditioned.
Analog and mixed signal (AMS) designs are an important part of embedded systems that link digital designs to the analog world. Due to challenges associated with its verification process, AMS designs require a considerable portion of the total design cycle time. In contrast to digital designs, the verification of AMS systems is a challenging task that requires lots of expertise and deep understanding of their behavior. Researchers started lately studying the applicability of formal methods for the verification of AMS systems as a way to tackle the limitations of conventional verification methods like simulation. This paper surveys research activities in the formal verification of AMS designs as well as compares the different proposed approaches.