
Improving SAT Modulo ODE for Hybrid Systems Analysis by Combining Different Enclosure Methods

Andreas Eggers¹, Nacim Ramdani², Nedialko Nedialkov³, and Martin Fränzle¹

¹ Carl von Ossietzky Universität, Oldenburg, Germany, {eggers,fraenzle}@informatik.uni-oldenburg.de

² Université d'Orléans, PRISME, 63 av. de Lattre de Tassigny, 18020 Bourges, France, [email protected]

³ McMaster University, Hamilton, Ontario, Canada, [email protected]

Abstract. Aiming at automatic verification and analysis techniques for hybrid systems, we present a novel combination of enclosure methods for ordinary differential equations (ODEs) with the iSAT solver for large Boolean combinations of arithmetic constraints. Improving on our previous work, the contribution of this paper lies in combining iSAT with VNODE-LP, as a state-of-the-art enclosure method for ODEs, and with bracketing systems which exploit monotonicity properties to find enclosures for problems that VNODE-LP alone cannot enclose tightly. We apply our method to the analysis of a non-linear hybrid system by solving predicative encodings of an inductive stability argument and evaluate the impact of different methods and their combination.

1 Introduction

The formal analysis of hybrid systems usually involves steps of (ideally safely) approximating their behavior to obtain models that can be handled by available tools, since practical engineering models often incorporate elements that no verification tool can handle in combination. Each of these approximations may cause a loss of precision in the model, e.g. when capturing non-linear behavior by a linear model. At the same time, these approximations often have to be done manually, and worse, have to be repeated when the original model changes. We are therefore convinced that it is highly desirable to develop tools that can handle as rich dynamics as possible, and hence allow model checking of hybrid systems in a direct way. In this paper, we will not present a comprehensive tool that achieves this goal, but we show that our improvement of Satisfiability modulo ODE solving is a promising step in this direction, though still of academic nature in the size of problems solvable.

This work has been supported by the German Research Council DFG within SFB/TR 14 "Automatic Verification and Analysis of Complex Systems" (www.avacs.org) and by the Natural Sciences and Engineering Research Council of Canada.

G. Barthe, A. Pardo, and G. Schneider (Eds.): SEFM 2011, LNCS 7041, pp. 172–187, 2011. © Springer-Verlag Berlin Heidelberg 2011


The underlying idea of hybrid system analysis by Satisfiability (SAT) modulo ODE solving is to offer a constraint language, plus the corresponding solvers, featuring as its atomic constraints exactly the equations and inequalities arising in hybrid-system models, especially algebraic constraints between variables and non-linear ODEs. With such an expressive constraint language, predicative encoding of hybrid system dynamics becomes straightforward, rendering intricate encodings and approximations superfluous. Starting from a predicative encoding of a hybrid system, the task of the solver is to prove the absence of, or search for, a satisfying valuation of the variables, which encode snapshots of the system's state at points in time, connected by the transition relation that encodes the behavior of the system. In the case of bounded model checking (BMC), satisfying valuations represent trajectories of the modeled system, starting from an initial state, performing a bounded number of transitions (jumps and flows) and finally leading to a target state satisfying a property of interest. The basic principle of SAT modulo ODE solving is to handle ODEs directly as part of a constraint system by evaluating their consistency under the current partial assignment the solver is investigating and learning implied facts for future search.

ODE enclosures as propagation mechanisms have been applied previously in Constraint Programming [6] for conjunctive Constraint Satisfaction Problems as well as by Ishii et al. [8] in a traditional Satisfiability Modulo Theories (SMT) scheme. In contrast to such an integration (i.e., a SAT solver selecting which theory atoms shall be satisfied, interleaved with theory solvers evaluating this conjunction of atoms), the iSAT [5] algorithm performs a search by splitting intervals and hence indirectly ruling out those atoms that become inconsistent under this valuation, and thus deducing that other arithmetic constraints must be satisfied for satisfaction of the entire formula. These constraints then participate in the search by means of interval constraint propagation (ICP): as they have to be satisfied, interval valuations for their variables can be narrowed by pruning off subintervals that cannot contain a solution. Such ICP deductions are well-known for algebraic constraints and narrow the search space very effectively.

Reasoning about ODEs can be directly integrated into this framework [4] using methods for safe interval enclosures of solutions of ODEs. These methods compute an interval cover for the states reachable from an interval box of initial states. Since their effectiveness in narrowing the overall search space of the constraint solver depends on the tightness of the enclosures provided by these methods, we have reconsidered the tools used for generating such enclosures, now incorporating the ODE solver VNODE-LP [12] and combining it with a second layer of reasoning about ODEs, which is only applicable under certain side-conditions, but may yield tighter enclosures. This additional layer generates bracketing systems [16] for monotonic segments of trajectories, thus reducing the problem of computing the image of a set of initial states to one of computing bounding trajectories.

In this paper, we describe the resulting algorithm and evaluate it on a classical nonlinear hybrid system, thereby comparing different combinations of the ODE enclosure mechanisms. The evaluation covers deep unwindings of BMC problems, as traditionally covered by SMT methods, as well as a novel temporal induction scheme able to prove a form of stability of hybrid systems.

The exposition starts with an overview of the iSAT algorithm and its interplay with ODE constraints in Section 2. Section 3 describes the VNODE-LP solver, Section 4 explains the bracketing systems approach, and Section 5 discusses deducing trajectory directions. Section 6 reports experimental results obtained on benchmarks, followed by the conclusions presented in Section 7.

2 The iSAT Algorithm for SAT Modulo ODE

In this section, we briefly overview the basic iSAT algorithm (for details cf. [5]) and focus on aspects related to the integration of ODE enclosures.

Problem statement. Let Φ be a quantifier-free Boolean combination of arithmetic constraints over bounded real-, integer-, and Boolean-valued variables, simple bounds, and ODE constraints over real variables with the following properties:

– arithmetic constraints over variables x, y, and z are of the form x ∼ ◦(y, z) or x ∼ ◦(y), where ∼ is a relational operator from {<, ≤, =, ≥, >}, and ◦ is a total unary or binary operator from {+, −, ·, sin, cos, pow_N, exp, min, max};

– simple bounds are of the form x ∼ c with ∼ a relational operator as above, x a variable, and c a constant; and

– ODE constraints are time invariant and given by ẋ_i = dx_i/dt = f(x_1, …, x_n), with all occurring variables x_i themselves being defined by ODE constraints and f being a function composed of {+, −, ·, /, pow_N, exp, ln, √, sin, cos}. These ODE constraints must occur only under an even number of negations in the formula, allowing e.g. m1 → ((ẋ = sin(y)) ∧ (ẏ = −x)), but forbidding e.g. (ẋ = sin(y)) → m1, to avoid subtleties in the semantics of the formula.

Additionally, Φ and the variables therein have the structure

Φ = decl[0] ∧ ··· ∧ decl[k] ∧ init[0] ∧ trans[0, 1] ∧ ··· ∧ trans[(k − 1), k] ∧ target[k]

arising from the k-fold unwinding of the transition system, where decl[i] is the i-th instantiation of the system variables' domain bounds, init[0] is the predicative encoding of the initial state applied to the 0-th variable instance, i.e. to the beginning of the trace, trans[i, i+1] is the application of the transition predicate to the i-th and (i + 1)-th instances of the variables, e.g. instantiating a′ = a + 1 to a[3] = a[2] + 1, and target[k] is the application of the target predicate to the last variable instance. ODE constraints occur only within the transition relation since they constrain the continuous flow behavior of the system.

Example. To illustrate this input, Figure 1 shows an encoding of a model from [6]. The problem can be stated as follows: find two points A and B on a circle with radius 1 around (1, 0) and from the box [−1, 1] × [−1, 1], such that a trajectory of a harmonic oscillator around (0, 0) with fixed temporal length (here, we choose 1), starting in A, ends in a point X, forming an equilateral triangle A, B, X.


    DECL
      float [-1, 1] ax, ay, bx, by;
      float [-10, 10] x, y;
      float [0, 10] time;
      float [1, 1] delta_time;

    INIT
      -- A and B on circle around (1,0).
      (ay - 0)^2 + (ax - 1)^2 = 1^2;
      (by - 0)^2 + (bx - 1)^2 = 1^2;
      -- A and B must be distinct points.
      ax != bx or ay != by;
      -- Trajectory must start in A.
      x = ax; y = ay; time = 0;

    TRANS
      -- A and B stay the same.
      ax' = ax; ay' = ay;
      bx' = bx; by' = by;
      -- Trajectory.
      (d.x / d.time = y);
      (d.y / d.time = -x);
      time' = time + delta_time;

    TARGET
      -- Equilateral triangle: equal
      -- distances between A, B, and X.
      (ay - by)^2 + (ax - bx)^2 = (ax - x)^2 + (ay - y)^2;
      (ay - by)^2 + (ax - bx)^2 = (bx - x)^2 + (by - y)^2;

[Fig. 1 plot: the x–y plane with x from −0.5 to 1 and y from −1 to 0, showing the points A and B on the circle and the end point X of the oscillator trajectory.]

Fig. 1. Illustration of the solver input (before being automatically rewritten into the solver's internal format by its frontend) and a possible solution found by iSAT

Satisfiability. As usual, a valuation σ, which maps each variable to a point from its domain, satisfies Φ iff the constraints satisfied under σ satisfy the Boolean structure of Φ. Satisfiability is straightforward for simple bounds and arithmetic constraints, but requires some explanation in the case of ODE constraints.

As noted above, ODEs (describing the evolution of variables over continuous time) occur only in the transition relation, which constrains the pre-post relation between any two successive instances of variables in a trace. Semantically, a trace is a sequence of snapshots of a real-time trajectory of the hybrid system. Hence, ODE constraints describe the behavior of the system between two such snapshots, i.e. describe trajectories emerging from the pre-valuation, following the dynamics described by the ODE, and finally reaching the post-valuation. A valuation σ thus satisfies a definitionally closed system of ODE constraints (each occurring variable itself being defined by one of the component ODE constraints), iff there exists a solution trajectory starting with the pre-valuation and ending with the post-valuation after a duration equal to the temporal length of the flow, as provided by the value of a special variable delta_time.

More formally, given x⃗ = (x_1, …, x_n)^T and ODE constraints defining the derivative of x⃗:¹

$$\dot{\vec{x}} = \bigl(f_1(\vec{x}), \dots, f_n(\vec{x})\bigr)^T = \vec{f}(\vec{x}), \qquad (1)$$

for two BMC unwinding depths i and i + 1, the instantiations of x⃗ are given by x⃗[i] and x⃗[i + 1], and their valuations σ(x⃗[i]) and σ(x⃗[i + 1])² together with τ := σ(delta_time[i]) satisfy (1) iff there exists a solution function y⃗ : [0, τ] → dom(x⃗) such that y⃗(0) = σ(x⃗[i]), dy⃗/dt (t) = f⃗(y⃗(t)) for all t ∈ [0, τ], and y⃗(τ) = σ(x⃗[i + 1]).

¹ We use explicit vector notation only where confusion with simple variables from a formula might otherwise occur.

² For simplicity, the valuation of a vector shall be the vector of its valuations.


Flow invariants. Currently, we do not support direct encoding of mode or flow invariants, i.e. of constraints on the states traversed during a continuous evolution. Such invariants can only be formulated within the pre-post relation. If in the example in Fig. 1, y should stay ≥ c, we could add constraints like y ≥ c ∧ y′ ≥ c to the transition system. While for monotonic solutions no additional behavior would be allowed by this notation, for the example system the direction may change, and thus a trajectory may start and end above c, satisfying the added constraint but violating the flow invariant at a point of time in between. The constraint system would thus be an overapproximation of the original system, allowing spurious trajectories that cannot always be removed.

Solving. The task of the solver is to find a valuation satisfying the formula or to prove its unsatisfiability. Starting from an input formula like the one depicted in Fig. 1, a preprocessing step (see [5] for more details) introduces auxiliary variables to split complex arithmetic expressions into the format described above and to simplify the Boolean structure into a conjunction of clauses, which are themselves disjunctions of arithmetic atoms, simple bounds, and trigger variables representing ODE constraints. The latter are stored separately and are activated whenever their respective trigger variable becomes true.

Instead of point-valued valuations, the iSAT algorithm interprets the constraints over intervals. Initially, each variable receives its whole domain as an interval valuation. Akin to DPLL-based SAT solving [2,3], the three main ingredients of the solver are deduction, decision, and conflict resolution. However, constraints can not only be satisfied or unsatisfied for all valuations from the interval box; the box may also contain a mixture of points satisfying and points violating a constraint. For example, consider the constraint C : x = 2 · y under the interval valuation x ∈ [0, 10], y ∈ [3, 6]. No point with x ∈ [0, 6) or y ∈ (5, 6] satisfies C, while x ∈ [6, 10], y ∈ [3, 5] contains points (x, y) like (6, 3) satisfying and points like (6.1, 3) violating C.

Clauses (disjunctions of constraints) that contain only one constraint that is potentially satisfiable under the current valuation are called unit and give rise to unit propagation: the last satisfiable constraint in a clause otherwise containing only violated constraints must be propagated to retain a chance for satisfiability of the conjunction of all clauses. If the above example constraint C were such a last remaining atom of a clause, then interval constraint propagation would allow pruning away those ranges identified above as not containing any solutions, yielding a new valuation x ∈ [6, 10], y ∈ [3, 5] and thus a reduced search space.

When no more propagations are possible or the newly deduced bounds have negligible progress with respect to the old ones, a decision is performed by heuristically selecting a variable and splitting its interval, i.e. introducing a new upper or lower bound at its midpoint. This bound may give rise to new deductions. If all of a clause's constraints are violated under the current valuation, e.g. due to a prior propagation step, a conflict is encountered, which is resolved by analyzing the reasons that caused it and generating a conflict clause that is a disjunction of the negated reasons. This clause is added to the formula and forces at least one of the offending bounds to be chosen differently in the future, effectively removing this part of the search space for the remainder of the search.

[Fig. 2 plot: enclosure of ẋ = sin(x) over delta_time[i] ∈ [0, 10], with x from 0 to 3, the pre-valuation x[i] and the post-valuation x[i + 1] marked.]

Fig. 2. An ODE deduction which allows to propagate tighter bounds for delta_time[i]

Termination. If the solver encounters a conflict from which it cannot recover, because no undoing of decisions would resolve it, it has successfully proven unsatisfiability. Due to the safe overapproximations used in all propagations (e.g. outward rounding for arithmetic evaluations) and always pruning non-solutions only, this unsatisfiability result is safe. The solver terminates with unknown if it encounters a box whose maximum width is below a small, user-defined threshold and for which deduction cannot show inconsistency. This small box is a candidate solution box, which merits practical attention when encountered as a potential counterexample to the safety of an engineered system. As the reported candidate solution boxes are very small, interval Newton methods may be able to verify that they contain an actual solution. While our algorithm currently does not contain such a check, Ishii et al. [8] have implemented it.

Deduction for ODE constraints. Having interval valuations for the variable instances occurring in ODEs again requires lifting their original point-valued interpretation to intervals. For arithmetic constraints, we prune away only parts not containing any solutions. The very same idea applied to ODEs means that we may prune away all those points from the post-valuation that are not (forward) reachable when starting a trajectory from any point in the pre-valuation and staying on it for any duration contained in the interval valuation of the respective delta_time variable. Analogously, we can safely prune away those parts of the pre-valuation for which no trajectory can reach any point in the post-valuation with any of the possible durations (backward propagation). In addition, time points t from delta_time can be pruned when no trajectory starting from the pre-valuation reaches any point from the post-valuation at t (cf. Figure 2).

The essential ingredient in the deduction for ODE constraints is thus a method to safely enclose over a temporal interval all trajectories emerging from the pre-valuation, which is typically an interval box. While our original integration of such an ODE enclosure mechanism into the iSAT algorithm [4] was confined to embedding a relatively weak own implementation of a Taylor-series-based safe integrator, we base our current approach on VNODE-LP [12].

ODE deductions are performed in strict alternation with the other deduction mechanisms. After completing Boolean and interval constraint propagation as described above, iSAT's ODE solving layer uses the current valuation of the trigger variables for each instance of the transition system to select the active ODE constraints. This signature of activated ODEs and the current interval valuation for the occurring variables together suffice to generate an enclosure. In contrast to normal deductions, whose results are stored only temporarily until they may be undone later by a backjump when recovering from a conflict, the results of ODE deductions are stored in clauses. This technique, similar to conflict clause learning, ensures that the same deduction does not have to be repeated since its results have been added persistently to the formula. Similarly to constraint replication [19], we add copies of the learned clauses for all isomorphic variable instances arising from the k-fold unwinding of the transition relation.

Before performing an ODE deduction, the algorithm checks whether the same query has been encountered before and rejects all duplicate queries. A second level of caching holds a limited number of intermediate results, which can be reused when enclosures for a subbox of the original box are requested, since interval arithmetic's monotonicity property w.r.t. set inclusion guarantees that they are still valid (yet coarse) enclosures also for the current valuation. Using a stored solver run whenever the currently examined valuation is only slightly smaller than the original box partially avoids recomputations. Since the bounds deduced by the ODE solver are subsequently used in interval propagations, it is very likely to encounter this kind of slightly changed query, giving this caching layer a significant role in avoiding wasted computations.

Soundness. The correctness of the core algorithm has been detailed in [5]. Since our extension to deductions for ODE constraints is restricted to the pruning of non-solutions and stores all reasons involved in these deductions explicitly in the learned clauses, the same arguments hold here, too. An essential ingredient to soundness is the use of validated computations, i.e. outward rounding for interval computations, interval evaluation of remainder terms to capture truncation errors for the numerical enclosure method detailed in the following section, and detection of overflows during these computations. Technically, many of these issues are delegated to libraries, in our case the MPFR and filib++ libraries.³

3 Overview of VNODE-LP

In this section, we present an overview of VNODE-LP, Validated Numerical ODE through Literate Programming. More details can be found in [12,13].

Consider the initial-value problem, IVP (we omit the vector-arrow notation),

$$\dot{x}(t) = f(t, x), \quad x(t_0) = x_0, \quad t \in \mathbb{R},\ x \in \mathbb{R}^n, \qquad (2)$$

where f : ℝ × ℝⁿ → ℝⁿ is sufficiently smooth (as a consequence, the code list of f should not contain e.g. branches, abs, or min).

³ http://www.mpfr.org/ and http://www2.math.uni-wuppertal.de/~xsc/software/filib.html.


Denote the set of n-dimensional interval vectors by IRⁿ (interval quantities, set in boldface in the original, are written in brackets here). Given [x₀] ∈ IRⁿ and t_end ≠ t₀ (t_end ∈ ℝ), VNODE-LP tries to compute an [x_end] ∈ IRⁿ at t_end that contains the solution to (2) at t_end for all x₀ ∈ [x₀]. If VNODE-LP cannot reach t_end, for example because the bounds on the solution become too wide, bounds at some t* between t₀ and t_end are returned.

This solver proceeds in a one-step manner from t₀ to t_end, where it computes bounds at (adaptively) selected points t_j ∈ (t₀, t_end]. To explain an integration step, denote by x(t_j; t₀, x₀) the solution to (2) with an initial condition x₀ at t₀, and denote by [x_j] an enclosure of this solution at t_j. That is,

x(t_j; t₀, x₀) ∈ [x_j] for all x₀ ∈ [x₀].

On a step from t_j to t_{j+1}, VNODE-LP first computes a priori bounds [x̃_j] such that x(t; t_j, x_j) ∈ [x̃_j] for all t ∈ [t_j, t_{j+1}] and all x_j ∈ [x_j]. Then it finds tight bounds [x_{j+1}] at t_{j+1} such that x(t_{j+1}; t₀, x₀) ∈ [x_{j+1}] for all x₀ ∈ [x₀]. For an illustration of a priori and tight bounds, see Fig. 3. To compute these bounds, we use interval arithmetic, Taylor series expansion of the solution to (2) at each integration point, and various interval techniques; for more details see [12,14].

VNODE-LP is based on Taylor series and the Hermite-Obreschkoff [14] methods. It is a fixed-order, variable-stepsize solver. The stepsize is varied such that an estimate of the local excess per unit step is below a user-specified tolerance. Typically efficient values for the order lie between 20 (default) and 30 [12].

Generally, VNODE-LP is suitable for computing bounds on the solution of an IVP ODE with point initial conditions or interval initial conditions with a sufficiently small width. If the initial condition set is not small enough and/or long time integration is desired, the COSY package [1] of Berz and Makino can produce tighter bounds than VNODE-LP. Alternatively, one can subdivide the initial interval vector (box) [x₀] into smaller boxes, perform integrations with them as initial conditions, and build an enclosure of the solution at t_end.

The COSY package bounds the solution using Taylor models, which consist of a high-order Taylor polynomial in the initial conditions plus an enclosure of the remainder term. On each integration step, such polynomial representations of the bounds are propagated, thus effectively reducing the wrapping effect. In contrast, VNODE-LP expands the solution with respect to the initial condition up to first order, and propagates parallelepipeds enclosing the solution, which are generally less effective for reducing the wrapping effect. However, COSY is computationally more expensive than VNODE-LP.

On each step from t_j to t_{j+1}, iSAT uses the a priori bounds and also computes tighter bounds over selected subintervals of [t_j, t_{j+1}], in addition to the tight bounds provided by VNODE-LP at t_{j+1}, by calling VNODE-LP with initial point t_j and the interval to be refined as interval ending [t_end] ⊂ [t_j, t_{j+1}]. These bounds are not computed efficiently by VNODE-LP, as it currently does not provide a facility for evaluating a representation of the solution between integration points, that is, a facility similar to having a continuous interpolant in standard ODE solving. Such a feature is presently being implemented.


[Fig. 3: two plots of x over delta_time ∈ [0, 12], each showing the curves labelled direct a priori, direct enclosure, lower bracketing a priori, upper bracketing a priori, lower bracketing enclosure, upper bracketing enclosure, and dense. Left: x axis from −30 to 30. Right: x axis from −3 to 2.]

Fig. 3. Comparison of direct and bracketing enclosure. Left: x dimension of a harmonic oscillator ẋ = y, ẏ = −x, x(0), y(0) ∈ [1, 2]. Right: x dimension of ẋ = −p₄x − (p₁x)/(1 + p₂y) + p₃y + 0.1, ẏ = p₄x − p₃y, all ṗᵢ = 0, for x(0) ∈ [1, 1.2], y(0) ∈ [0.8, 1], p₁ ∈ [0.8, 1], p₂ ∈ [1.0, 1.2], p₃ ∈ [0.3, 0.5], and p₄ ∈ [0.20, 0.25]. Dense enclosures have been obtained by direct application of VNODE-LP with small fixed stepsize.

4 Using Bracketing Systems as Enclosures

When the starting point of the IVP (2) is a wide interval vector, the enclosures returned by VNODE-LP may diverge after a few computation steps. One way to address this shortcoming, while deriving guaranteed results, is to use the bracketing approach introduced in [16,17], which relies on the classical Müller existence theorem [11,10].

Given the IVP (2), the bracketing method analyzes the signs of the partial derivatives ∂f_i/∂x_l, evaluated over the enclosure for all t ∈ [t_j, t_{j+1}].

(i) Over each time interval [t_j, t_{j+1}] where these signs remain constant, the method builds two dynamical systems that enclose the original uncertain dynamical system and thus bound the flow pipe between a minimal solution, i.e. a flow that is always lower than the solution flow pipe, and a maximal solution that is always larger. Since this bracketing system involves no further uncertainty, VNODE-LP can be efficiently used for the guaranteed computation of the minimal and maximal solutions, which start as points instead of intervals. Hence, the solution enclosure of the actual IVP is enclosed between a minimal and a maximal solution, obtained as the solution of a new system of coupled ODEs.

(ii) Over each time interval [t_j, t_{j+1}] where the sign of at least one partial derivative changes, we merely use VNODE-LP on the original IVP.

In our implementation, the signs of the partial derivatives need not be analyzed over the enclosure set for all t ∈ [t_j, t_{j+1}], but are only analyzed over [x_j], the tight enclosure at t_j. Once the bracketing systems are built and the solution set computed over the whole time interval, these signs are then checked a posteriori: if they remain constant for all t ∈ [t_j, t_{j+1}], then it is proven that the bracketing systems are valid [16]; if not, then the bracketing systems are not valid over the whole time interval. In this case the solution is enclosed using VNODE-LP on the original IVP with interval initial conditions.

Furthermore, our implementation of the bracketing approach is novel. Indeed, the bracketing systems are built automatically on the fly inside iSAT. This is done through the FADBAD++⁴ automatic differentiation package, whereas previously they were built manually or using external symbolic algebra.

Figure 3 compares enclosures obtained using our implementation of the bracketing approach and the direct application of VNODE-LP. Clearly, both methods should be combined, as their actual performance depends on the analyzed ODE. The performance of the bracketing approach, that is how tight the computed enclosures are when used with a given system, may in fact be known a priori. For monotone dynamical systems, those whose flows preserve a suitable partial ordering on states, hence on initial conditions, the computed bracketing systems are feasible instantiations of the dynamical system under study, hence exhibit the same convergence and stability properties as the original system. If the latter is convergent and stable, then so are the bracketing systems. However, when the dynamical system is not a monotone one, the bracketing systems usually suffer from a hidden wrapping effect that causes the derived enclosures to blow up. In spite of that, both experimental and theoretical evaluation show that when the original system exhibits very strong convergence (stability) properties, the latter property can overrule the wrapping effect, making the bracketing approach effective. Finally, the bracketing approach performs badly when the system exhibits stable orbits or oscillatory behaviors. Nevertheless, we expect our implementation of bracketing systems within iSAT to simplify the thorough practical assessment of its actual performance in the future.
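To make the construction in steps (i) and (ii) concrete, the following Python block is an added example; it is not code from this paper or from the authors' iSAT implementation. It builds the Müller-style bracketing system for the two-tank dynamics of Fig. 4 in the mode x₂ > k₃ (constants from Sect. 6) from a sign pattern of the Jacobian that is worked out by hand here and passed in as an assumption, where the paper derives it with FADBAD++ and re-checks it a posteriori over the enclosure. The coupled 2n-dimensional system is integrated with a plain Runge-Kutta routine in place of VNODE-LP, so the resulting bounds are not validated; the a posteriori sign check is replaced by a sample-based containment check that is a sanity check, not a proof. Initial box, horizon and step length are chosen for the example.

```python
import itertools
import math

# Two-tank dynamics of Fig. 4 in the mode x2 > k3, with the constants of Sect. 6.
K1, K2, K3, K4 = 0.75, 1.0, 0.5, 1.0

def two_tank(x):
    x1, x2 = x
    q = K2 * math.sqrt(x1 - x2 + K3)          # flow through the connecting tube
    return [K1 - q, q - K4 * math.sqrt(x2)]

# Sign of df_i/dx_l in this mode (row i, column l), worked out by hand for the
# example (assumption): +1 means f_i increases in x_l, -1 means it decreases.
TWO_TANK_SIGNS = [[-1, +1],
                  [+1, -1]]

def bracketing_system(f, signs):
    """Mueller-style construction: returns g acting on the 2n-vector (x_low, x_up).
    For the minimal solution, coordinate i evolves with f_i evaluated at its own
    lower bound and, for every other coordinate l, at the bound that makes f_i
    smallest (lower if f_i increases in x_l, upper otherwise); symmetrically for
    the maximal solution.  Valid while the sign pattern holds on the enclosure."""
    n = len(signs)
    def g(z):
        low, up = z[:n], z[n:]
        d_low, d_up = [], []
        for i in range(n):
            z_min = [low[l] if l == i or signs[i][l] >= 0 else up[l] for l in range(n)]
            z_max = [up[l] if l == i or signs[i][l] >= 0 else low[l] for l in range(n)]
            d_low.append(f(z_min)[i])
            d_up.append(f(z_max)[i])
        return d_low + d_up
    return g

def rk4(g, z0, t_end, h=0.01):
    """Classical Runge-Kutta: a point integrator, NOT a validated one.  In iSAT
    the bracketing system is handed to VNODE-LP, which also encloses rounding
    and truncation error; this routine only illustrates the construction."""
    z, t = list(z0), 0.0
    while t < t_end - 1e-12:
        s = min(h, t_end - t)
        k1 = g(z)
        k2 = g([zi + s / 2 * ki for zi, ki in zip(z, k1)])
        k3 = g([zi + s / 2 * ki for zi, ki in zip(z, k2)])
        k4 = g([zi + s * ki for zi, ki in zip(z, k3)])
        z = [zi + s / 6 * (a + 2 * b + 2 * c + d)
             for zi, a, b, c, d in zip(z, k1, k2, k3, k4)]
        t += s
    return z

def bracket(f, signs, box_lo, box_hi, t_end):
    """Lower and upper bounding trajectories at t_end for all initial states in the box."""
    z = rk4(bracketing_system(f, signs), list(box_lo) + list(box_hi), t_end)
    n = len(box_lo)
    return z[:n], z[n:]

def contains_samples(f, signs, box_lo, box_hi, t_end, samples=5):
    """Sanity check, not a proof: point trajectories started on a grid of initial
    states must end between the two bounding trajectories."""
    lo, up = bracket(f, signs, box_lo, box_hi, t_end)
    grids = [[a + (b - a) * k / (samples - 1) for k in range(samples)]
             for a, b in zip(box_lo, box_hi)]
    for x0 in itertools.product(*grids):
        x = rk4(f, list(x0), t_end)
        if any(xi < li -
               1e-6 or xi > ui + 1e-6 for xi, li, ui in zip(x, lo, up)):
            return False
    return True
```

For this mode the off-diagonal partial derivatives are both positive, so the system is cooperative and the construction degenerates to integrating the original dynamics from the two corners of the box; the general case with mixed signs mixes lower and upper components in each right-hand side, which is what `bracketing_system` does.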

5 Deducing Trajectory Directions

In the case study shown in the following section, we encounter the problem of showing that a trajectory cannot stay at the point of its origin once at least an infinitesimal amount of time (delta time > 0) has been spent. The enclosure schemes presented so far, powerful as they are, are unable to prove this. One reason for this is that even for point-valued initial conditions x0, the very first a priori enclosure for an interval t ∈ (0, t1] must also contain x0 itself, since the solution trajectory is a continuous function.

The simple yet effective solution to this problem is to evaluate the ODEs' right-hand sides over a prefix delta time ∈ [0, tp] of the already calculated enclosure. If this evaluation yields a strictly positive result, we can safely deduce delta time ∈ (0, tp] ⇒ x′ > x, i.e. that the post-value is strictly greater than the pre-value for this prefix. Analogously, we can deduce delta time ∈ (0, tp] ⇒ x′ < x if the evaluation yields only values strictly less than zero.

A direction deduction performs an interval evaluation of the ODE's right-hand side over the first enclosure step and continues this computation for subsequent steps, as long as the calculated intervals do not contain zero. The upper bound of tp is then at the end of either the entire enclosure or the last enclosure step for which the evaluation yielded a strictly positive or negative result.

[Fig. 4 sketch: tank 1 with liquid height x1 and inflow k1, its base raised by k3 above tank 2 with liquid height x2; the connecting tube has factor k2 and the outflow of tank 2 has factor k4.]

For $x_2 > k_3$:
$$\begin{pmatrix} \dot{x}_1 \\ \dot{x}_2 \end{pmatrix} = \begin{pmatrix} k_1 - k_2\sqrt{x_1 - x_2 + k_3} \\ k_2\sqrt{x_1 - x_2 + k_3} - k_4\sqrt{x_2} \end{pmatrix}$$

For $x_2 \le k_3$:
$$\begin{pmatrix} \dot{x}_1 \\ \dot{x}_2 \end{pmatrix} = \begin{pmatrix} k_1 - k_2\sqrt{x_1} \\ k_2\sqrt{x_1} - k_4\sqrt{x_2} \end{pmatrix}$$

Fig. 4. Structure and dynamics of the two tank hybrid system (from [20])
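The deduction of Sect. 5 carried out in code, as an added example that is not code from the paper, iSAT or VNODE-LP: a minimal interval arithmetic, the two-tank right-hand side of Fig. 4 evaluated over a box (taking the hull of both modes when the box straddles the switching surface x2 = k3), and the prefix rule that yields tp over a constructed sequence of enclosure steps. The enclosure boxes, the step times and all helper names are made up for the illustration; the interval operations do not round outward, which a validated implementation must do.

```python
"""Direction deduction by interval evaluation of an ODE right-hand side.

Added example, not code from the paper, iSAT or VNODE-LP.  The interval
arithmetic below does no outward rounding (a validated tool must), and the
enclosure steps at the bottom are constructed by hand for the illustration.
"""
import math
from dataclasses import dataclass

K1, K2, K3, K4 = 0.75, 1.0, 0.5, 1.0  # constants of the two-tank model (Sect. 6)


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def __post_init__(self):
        if self.lo > self.hi:
            raise ValueError(f"empty interval [{self.lo}, {self.hi}]")

    def __add__(self, other):
        o = as_interval(other)
        return Interval(self.lo + o.lo, self.hi + o.hi)

    __radd__ = __add__

    def __sub__(self, other):
        o = as_interval(other)
        return Interval(self.lo - o.hi, self.hi - o.lo)

    def __rsub__(self, other):
        return as_interval(other) - self

    def __mul__(self, c):
        # Multiplication by a real constant is all the model needs.
        a, b = float(c) * self.lo, float(c) * self.hi
        return Interval(min(a, b), max(a, b))

    __rmul__ = __mul__

    def sqrt(self):
        # The model is only defined where the radicands are non-negative
        # (x1 >= 0, x2 >= 0, x2 <= x1 + k3); refuse boxes outside that domain.
        if self.lo < 0:
            raise ValueError("sqrt of an interval containing negative values")
        return Interval(math.sqrt(self.lo), math.sqrt(self.hi))

    def hull(self, other):
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))


def as_interval(v):
    return v if isinstance(v, Interval) else Interval(float(v), float(v))


def two_tank_rhs(x1, x2):
    """Interval evaluation of (x1', x2') from Fig. 4 over the box x1 x x2.

    If the box straddles the switching surface x2 = k3, both modes are
    possible and the hull of the two evaluations is returned (sound, since
    each mode is evaluated over a superset of the states where it applies)."""
    def high(x1, x2):  # mode x2 > k3
        flow = K2 * (x1 - x2 + K3).sqrt()
        return K1 - flow, flow - K4 * x2.sqrt()

    def low(x1, x2):   # mode x2 <= k3
        flow = K2 * x1.sqrt()
        return K1 - flow, flow - K4 * x2.sqrt()

    if x2.lo > K3:
        return high(x1, x2)
    if x2.hi <= K3:
        return low(x1, x2)
    h = high(x1, Interval(K3, x2.hi))
    l = low(x1, Interval(x2.lo, K3))
    return h[0].hull(l[0]), h[1].hull(l[1])


def direction(d):
    """+1 if the derivative is strictly positive over the box, -1 if strictly
    negative, 0 if undecided because the interval contains zero."""
    if d.lo > 0:
        return 1
    if d.hi < 0:
        return -1
    return 0


def deduce_directions(steps):
    """steps: list of (t_end, (box_x1, box_x2)), the enclosure of the
    trajectory over each consecutive time step (t_prev, t_end].

    Returns for each state variable (sign, t_p): for delta time in (0, t_p]
    the solver may deduce x' > x (sign +1) or x' < x (sign -1); t_p is the end
    of the last step on which the sign stayed decided and unchanged, and
    0.0 if it could not be decided even on the first step."""
    result = []
    for i in range(2):
        sign, t_p = 0, 0.0
        for t_end, (b1, b2) in steps:
            s = direction(two_tank_rhs(b1, b2)[i])
            if s == 0 or (sign and s != sign):
                break
            sign, t_p = s, t_end
        result.append((sign, t_p))
    return result


# Constructed enclosure steps for a trajectory starting in region D; the third
# box is deliberately wide enough to straddle the surface and lose the sign.
STEPS_FROM_D = [
    (0.1, (Interval(0.70, 0.80), Interval(0.45, 0.50))),
    (0.2, (Interval(0.68, 0.80), Interval(0.45, 0.52))),
    (0.3, (Interval(0.60, 0.80), Interval(0.45, 0.60))),
]

# A constructed box around the chattering point P = (0.5, 0.5) of Sect. 6.
BOX_AT_P = (Interval(0.50, 0.51), Interval(0.49, 0.51))

if __name__ == "__main__":
    print(deduce_directions(STEPS_FROM_D))
    d1, d2 = two_tank_rhs(*BOX_AT_P)
    print(direction(d1), direction(d2))
```

On the box around P the x1 direction is deduced as strictly increasing while the x2 direction stays undecided, because ẋ2 changes sign across the switching surface; this is exactly the situation in which, without direction deduction, the solver can only find counterexamples that chatter on the surface (Sect. 6).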

6 Experiments

To evaluate the integrated tool and the influence of the different enclosure methods, we apply our solver to the two-tank model from [20], which has frequently been used as a case study for verification tools, cf. e.g. [7,18]. This system comprises two tanks connected by a tube. The first tank has a constant inflow of k1 = 0.75 volume units per time unit, and its base is k3 = 0.5 length units above the base of the second tank. The connecting tube is characterized by a constant factor k2 = 1, which also characterizes the outflow of the system as k4 = 1.

Figure 4 illustrates this setting and formalizes the dynamic behavior of the liquid heights x1 and x2 in the two tanks. The system's behavior switches between two dynamics when x2 reaches the outlet from tank 1 and therefore exerts a counter pressure against the incoming flow. Note that the model is implicitly restricted to the case x2 ≤ x1 + k3, since it does not provide the dynamics for the inverse direction. To better understand the dynamics of this system and the proof obligations we encoded, Fig. 5 depicts simulated trajectories.
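As an added example (not the paper's or iSAT's code), the bracketing systems discussed before Sect. 5 applied to this model: the lower and upper bracketing systems are built from the sign pattern of the off-diagonal Jacobian entries, which for the two-tank dynamics are non-negative in both modes (the system is cooperative, hence monotone), and integrated with a plain RK4 stepper that only stands in for a validated integrator such as VNODE-LP and gives no rounding guarantee. The builder also handles negative off-diagonal signs, which this model does not need; the initial box (region D), step size, horizon and interior sample points are constructed here, and interior trajectories are integrated alongside to check that they stay inside the bracket.

```python
"""Bracketing systems for the two-tank model.

Added example, not code from the paper or from iSAT: the lower/upper
bracketing systems are built from the sign pattern of the off-diagonal
Jacobian entries (the construction behind the bracketing systems of [16,17])
and integrated with a plain RK4 stepper, which only stands in for a validated
integrator such as VNODE-LP and carries no rounding guarantee.
"""
import math

K1, K2, K3, K4 = 0.75, 1.0, 0.5, 1.0  # constants of Sect. 6


def two_tank(x):
    """Vector field of Fig. 4 at a point x = (x1, x2)."""
    x1, x2 = x
    flow = K2 * math.sqrt(x1 - x2 + K3) if x2 > K3 else K2 * math.sqrt(x1)
    return [K1 - flow, flow - K4 * math.sqrt(x2)]


# Sign of df_i/dx_j for i != j.  For the two-tank model both entries are
# non-negative in both modes, so the sign pattern is constant over the state
# space of interest, as the construction requires.
TWO_TANK_SIGNS = {(0, 1): +1, (1, 0): +1}


def bracketing_systems(f, signs, n):
    """Return (lower, upper): right-hand sides of the bracketing systems.

    lower_i evaluates f_i with x_j (j != i) taken from the lower bound when
    df_i/dx_j >= 0 and from the upper bound when df_i/dx_j <= 0; upper_i does
    the opposite.  The variable x_i itself always takes its own bound."""
    def pick(i, own, other):
        return [own[j] if j == i or signs[(i, j)] > 0 else other[j]
                for j in range(n)]

    def lower(lo, hi):
        return [f(pick(i, lo, hi))[i] for i in range(n)]

    def upper(lo, hi):
        return [f(pick(i, hi, lo))[i] for i in range(n)]

    return lower, upper


def rk4_step(g, y, h):
    """One classical Runge-Kutta step for y' = g(y) (non-validated)."""
    k1 = g(y)
    k2 = g([yi + 0.5 * h * ki for yi, ki in zip(y, k1)])
    k3 = g([yi + 0.5 * h * ki for yi, ki in zip(y, k2)])
    k4 = g([yi + h * ki for yi, ki in zip(y, k3)])
    return [yi + h / 6.0 * (a + 2 * b + 2 * c + d)
            for yi, a, b, c, d in zip(y, k1, k2, k3, k4)]


def bracket(f, signs, lo0, hi0, t_end, h):
    """Integrate the coupled bracketing systems from the box [lo0, hi0].

    Returns a list of (t, lo, hi); lo and hi are tuples of length n."""
    n = len(lo0)
    lower, upper = bracketing_systems(f, signs, n)

    def coupled(z):
        lo, hi = z[:n], z[n:]
        return lower(lo, hi) + upper(lo, hi)

    z = list(lo0) + list(hi0)
    out = [(0.0, tuple(lo0), tuple(hi0))]
    for k in range(1, int(round(t_end / h)) + 1):
        z = rk4_step(coupled, z, h)
        out.append((k * h, tuple(z[:n]), tuple(z[n:])))
    return out


def max_violation(f, traj, samples, h):
    """Integrate point trajectories from the sample initial states with the
    same stepper and return the largest distance by which any of them leaves
    the bracket [lo, hi] along the way (0.0 if all stay inside)."""
    worst = 0.0
    for x0 in samples:
        x = list(x0)
        for _, lo, hi in traj[1:]:
            x = rk4_step(f, x, h)
            for xi, l, u in zip(x, lo, hi):
                worst = max(worst, l - xi, xi - u)
    return worst


# Constructed scenario: region D of Sect. 6 as the initial box.
LO0, HI0 = (0.70, 0.45), (0.80, 0.50)
SAMPLES = [(0.75, 0.475), (0.72, 0.46), (0.78, 0.49)]
H, T_END = 0.001, 1.0


def run():
    traj = bracket(two_tank, TWO_TANK_SIGNS, LO0, HI0, T_END, H)
    return traj, max_violation(two_tank, traj, SAMPLES, H)


if __name__ == "__main__":
    traj, worst = run()
    t, lo, hi = traj[-1]
    print(f"t={t:.2f}  x1 in [{lo[0]:.4f}, {hi[0]:.4f}]  x2 in [{lo[1]:.4f}, {hi[1]:.4f}]")
    print(f"largest excursion outside the bracket: {worst:.2e}")
```

Because both off-diagonal signs are positive, the lower system is simply the original dynamics evaluated at the lower corner and the upper system at the upper corner, so the bracket is made of two feasible trajectories of the system and inherits its convergence toward the equilibrium in A. A system with mixed signs would evaluate each component at a mixed corner instead, which is where the hidden wrapping effect described above originates.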

Similar to the introductory example in Fig. 1, we encode this model predicatively, using the above description directly as ODE constraints (the models are available at http://www.avacs.org/fileadmin/Benchmarks/Open/iSAT_ODE_SEFM_2011_models.tar.gz).

Bounded reachability. To validate the model, we first check bounded reachability properties. As can be assumed from Fig. 5, there should not be any trajectory leading from region D = [0.70, 0.80] × [0.45, 0.50] to E = [0.45, 0.50] × [0.60, 0.65]. This property has been verified by Henzinger et al. using HyperTech [7].

We restrict the global time ≤ 100 and each step duration delta time ≤ 10. To avoid unnecessary non-determinism in the model, all steps are explicitly enforced in the transition relation to take the maximum possible duration. They may be shorter only if they reach the switching surface at x2 = k3, if time = 100, or if (x1, x2) reaches E. Our solver can prove unsatisfiability of this bounded property for up to 300 unwindings of the transition system within 3109.1 seconds.

[Fig. 5 plot: x1 on the horizontal axis and x2 on the vertical axis, both from 0 to 0.9; shown are the regions A, B, C, D and E, the inner and outer bounds dci and dco of the don't-care mode, the switching surface x2 = k3 and the excluded region x1 + k3 < x2.]

Fig. 5. Simulated trajectories for the two tanks system, inner and outer bounds of the don't care mode, and regions A - E used in the different verification conditions

Table 1 summarizes the runtimes on a 2.4 GHz AMD Opteron machine, which has been used for all runtime measurements. The solver is set to continue until it finds a solution and to keep learned clauses of previous BMC steps in the formula. The runtimes clearly indicate that the bulk of the problem lies in refuting the possibility of a trajectory with a low number of steps, while adding more unwindings of the formula does not make this problem harder to solve.

Unbounded trajectory containment. Although the formula structure is a bounded unwinding of the transition system, inductive arguments may be used to prove unbounded properties. One can easily see that region A = [0.6, 0.7] × [0.4, 0.6] contains an equilibrium point. However, the simulation also shows that there are trajectories leaving this region. We extend our model to show that trajectories can leave region A only on a bounded prefix, but thereafter stay in A forever.

First, we guess a τ > 0 (supported by looking at some simulated trajectories). With $M_l := \{\text{all trajectories of length} \ge l\}$, from showing that

$$\forall \vec{x} \in M_{2\tau} : [0, 2\tau] \to \mathbb{R}^2 : \big(\vec{x}(0) \in A \Rightarrow \forall t \in [\tau, 2\tau] : \vec{x}(t) \in A\big) \qquad (3)$$

it follows, by inductive application of (3) as facilitated by time invariance, that

$$\forall \vec{x} \in M_{\infty} : [0, \infty) \to \mathbb{R}^2 : \big(\vec{x}(0) \in A \Rightarrow \forall t \in [\tau, \infty) : \vec{x}(t) \in A\big)$$

Table 1. CPU time (seconds) for the individual unwinding depths of the bounded reachability check from region D to E

depth k    time     total
1           6.6       6.6
2         183.7     190.3
3         344.3     534.5
4         268.8     803.4
5         167.4     970.7
6          15.7     986.4
7          12.7     999.1
8          16.5    1015.6
9          10.3    1025.8
10          3.7    1029.5
...
100         3.8    1308.9
200         7.9    1955.2
300        15.0    3109.1


Table 2. Column "all" shows results and CPU times (seconds) for checking unbounded containment in A using all enclosure methods combined. In the subsequent columns, one of the methods is disabled.

depth   all               no bracketing      no direct         no direction
1       unknown,  111.9   unknown,   42.0    unknown,   61.5   unknown,  111.5
2       unknown,  467.5   unknown,  981.0    unknown,  346.3   unknown,  342.0
3       UNSAT,    674.0   UNSAT,   5011.6    UNSAT,    404.2   unknown,  478.8
4       UNSAT,    812.1   UNSAT,   1995.1    UNSAT,    499.1   unknown,  547.5
5       UNSAT,    986.0   UNSAT,   2432.0    UNSAT,    601.1   unknown,  682.4
6       UNSAT,   1126.1   UNSAT,   3303.4    UNSAT,    705.0   unknown,  834.2
7       UNSAT,   1277.2   UNSAT,   2486.8    UNSAT,    803.7   unknown,  982.5
8       UNSAT,   1451.4   UNSAT,   5273.3    UNSAT,    890.8   unknown, 1115.7
9       UNSAT,   1584.6   UNSAT,   4905.2    UNSAT,    966.5   unknown, 1235.8
10      UNSAT,   1706.6   UNSAT,   6396.1    UNSAT,   1053.2   unknown, 1356.0

Intuitively, we show that all trajectories of length 2τ stay in A for delta time ∈ [τ, 2τ] (ignoring their behavior for [0, τ)). All unbounded trajectories must have these trajectories of length 2τ as prefix. At τ, they are thus (again) in A. Due to time invariance, we can consider (x1, x2)(τ) as a new starting point. Since it lies in A, we have already proven that for [τ + τ, τ + 2τ] the trajectory will lie in A again. For the time in between, we already know that it is in A. By repeating this process ad infinitum, we know that the trajectory can never leave A again.

Note that this proof is related to the idea of region stability [15] and canbe thought of as a stabilization proof for an unknown (and maybe hard tocharacterize) sub-region Ainv ⊆ A into which all trajectories from A stabilize,and which is an invariant region for the system.

Table 2 summarizes runtimes for this proof using iSAT and the different enclosure methods. Our model encodes the above proof scheme in the following way: if a trajectory exists that is shorter than 2τ or that reaches a point outside A at a time ∈ [τ, 2τ], this trajectory satisfies the model. The proof is successful when the solver finds an unwinding depth k of the transition system at which the model becomes unsatisfiable. Here, an unwinding depth of 3 suffices to prove the desired property. Without the direction deduction presented in Sect. 5, the solver fails to prove unsatisfiability, because it always finds counterexamples that stay on the switching surface, spending there only tiny amounts of time. These trajectories satisfy the target condition of having time ≤ 2τ and do not allow proving (3). Direction deduction hence enables proving the property.

The runtimes show that on this benchmark the approach without the direct enclosure (using only bracketing enclosures and direction deductions) outperforms both the restriction to the direct usage of VNODE-LP with direction deduction and the combination of all enclosure methods together.

Introducing artificial non-determinism and hysteresis. Trying a direct inductive proof for the region B = [0.4, 0.8] × [0.4, 0.7] (i.e. showing that B cannot be left within one step of the transition system) fails with our tool, since B's corner at (0.4, 0.4) cannot be represented exactly by floating-point numbers.


Table 3. Results and CPU times (seconds) for checking unbounded containment in B

depth   all               no bracketing      no direct         no direction
1       unknown,   17.7   unknown,    9.4    unknown,   12.9   unknown,   15.4
2       unknown,  163.9   unknown,   57.9    unknown,   81.9   unknown,  157.4
3       unknown,  198.9   unknown,   71.8    unknown,  126.9   unknown,  202.4
4       unknown,  666.6   unknown,  193.6    unknown,  146.7   unknown,  206.9
5       UNSAT,   2334.2   UNSAT,   3270.3    unknown,  183.4   unknown,  283.6
6       UNSAT,   4615.6   UNSAT,   1441.2    unknown,  182.2   unknown,  122.0
7       UNSAT,   2967.1   unknown, 1934.7    unknown,  144.1   unknown,  123.9
8       UNSAT,   2559.0   UNSAT,   2953.0    unknown,  201.6   unknown,  123.6
9       UNSAT,   2184.1   UNSAT,   4121.2    unknown,  135.2   unknown,  127.2
10      UNSAT,   5541.6   UNSAT,   7717.3    unknown,  272.5   unknown,  127.6

To compensate, B is overapproximated to capture rounding errors and hence includes points that lie slightly outside B. Using the same proof scheme as above can be expected to work, as the simulated trajectories point inwards from the border of B. Yet, applying this proof scheme, the solver finds trajectories that can chatter indefinitely at P = (0.5, 0.5), since ẋ2 = 0 in P. This chattering is a valid behavior, though irrelevant for the actually intended proof of B's invariance.

We therefore identify intersections of the switching surface with ẋ2 = 0 (i.e. solutions to the constraint system $k_2\sqrt{x_1} - k_4\sqrt{x_2} = 0 \wedge x_2 = k_3$) and, finding only this one in P, add a don't-care mode around it, depicted in Fig. 5 as dci = [0.49, 0.51] × [0.49, 0.51]. Since this region lies well inside B, we allow any trajectory that reaches it to jump immediately or after an arbitrary positive amount of time to the outer border of the don't-care mode, illustrated by dco, which is ε = 0.0625 away from dci. We also forbid any trajectory to enter dci. This modification trades accuracy for non-determinism, for the benefit of an artificial hysteresis: trajectories which could formerly stutter in P can now jump to any point on the border of dco, but must then move along the system's dynamics again, consuming time.

With this modification, we can prove that B is left for less than τ = 0.0625. Table 3 shows that the proof succeeds for depths k ≥ 5 with all methods combined. Though bracketing enclosures are computed successfully, the direct method generates at least one deduction which is essential to prove unsatisfiability.

Further evaluation. We also applied the same proof scheme to region C = [0.3, 0.4] × [0.6, 0.7], again with unwinding depths 1 to 10. As expected, none of the resulting formulae was proven unsatisfiable. Runtimes ranged from 20.3 seconds for unwinding depth 1 without bracketing system usage to 617.6 seconds for unwinding depth 10 with all methods used in combination.

7 Conclusion

After exploring the feasibility of using ODE enclosures to solve SAT modulo ODE problems in [4], this paper extends and improves the abilities of the resulting solver by combining enclosure methods. We have shown that the techniques presented in this paper have complementary strengths, and that our integrated approach is capable of handling different types of proof obligations for a nonlinear hybrid system. Our improvements are orthogonal to the application of interval Newton contractors in [6,8], and could be extended in the same way to gain the ability to prove existence of solutions.

One current weakness of our method is its inability to express flow invariants directly, which constrain variables over the entire duration of a flow. The resulting formula may thus have solutions that are spurious trajectories in terms of the original model. Our experiments show that proofs can be obtained successfully in spite of this overapproximation. However, a direct handling of flow invariants would remove the need to counteract such spurious trajectories.

Ishii et al. handle this issue in [9] by selecting the "first" intersection of an enclosure with a guard condition. However, they discard an enclosure if it contains the initial value set, under the assumption that this initial point and the next intersection with the guard are distinct. It is unclear whether this suffices to guarantee that the first intersection of a trajectory (after its starting point) is chosen. One focus of our future work will be to handle flow invariants by pruning the enclosures directly.

To accelerate our tool, we plan on extending VNODE-LP to produce enclosures over intervals of time by allowing re-evaluations of the Taylor series between computed steps, which will be significantly faster than the current evaluation scheme. Little effort has so far been invested in good decision heuristics to select likely solutions earlier in the search. We will also explore ways to build the bracketing systems when off-diagonal Jacobian elements change sign.

Acknowledgment. We would like to thank Stefan Ratschan, Christian Herde, Tino Teige, Jens Oehlerking, and Corina Mitrohin for discussions on the region-stability-related proof scheme utilized for the experiments in this paper and our other colleagues from AVACS H1/2 for the joint development of the iSAT core. Additionally, we are grateful to the reviewers for their detailed comments.

References

1. Berz, M.: COSY INFINITY version 8 reference manual. Tech. Rep. MSUCL–1088, National Superconducting Cyclotron Lab., Michigan State University, USA (1997)

2. Davis, M., Logemann, G., Loveland, D.: A Machine Program for Theorem Proving. Commun. ACM 5, 394–397 (1962)

3. Davis, M., Putnam, H.: A Computing Procedure for Quantification Theory. Journal of the ACM 7(3), 201–215 (1960)

4. Eggers, A., Fränzle, M., Herde, C.: SAT modulo ODE: A direct SAT approach to hybrid systems. In: Cha, S.(S.), Choi, J.-Y., Kim, M., Lee, I., Viswanathan, M. (eds.) ATVA 2008. LNCS, vol. 5311, pp. 171–185. Springer, Heidelberg (2008)

5. Fränzle, M., Herde, C., Ratschan, S., Schubert, T., Teige, T.: Efficient solving of large non-linear arithmetic constraint systems with complex boolean structure. JSAT Special Issue on Constraint Programming and SAT 1(3-4), 209–236 (2007)

6. Goldsztejn, A., Mullier, O., Eveillard, D., Hosobe, H.: Including ordinary differential equations based constraints in the standard CP framework. In: Cohen, D. (ed.) CP 2010. LNCS, vol. 6308, pp. 221–235. Springer, Heidelberg (2010)

7. Henzinger, T., Horowitz, B., Majumdar, R., Wong-Toi, H.: Beyond HYTECH: Hybrid systems analysis using interval numerical methods. In: Lynch, N., Krogh, B. (eds.) HSCC 2000. LNCS, vol. 1790, pp. 130–144. Springer, Heidelberg (2000)

8. Ishii, D., Ueda, K., Hosobe, H.: An interval-based SAT modulo ODE solver for model checking nonlinear hybrid systems. International Journal on Software Tools for Technology Transfer (STTT), 1–13 (March 2011)

9. Ishii, D., Ueda, K., Hosobe, H., Goldsztejn, A.: Interval-based solving of hybrid constraint systems. In: Proceedings of the 3rd IFAC Conference on Analysis and Design of Hybrid Systems, pp. 144–149 (2009)

10. Kieffer, M., Walter, E., Simeonov, I.: Guaranteed nonlinear parameter estimation for continuous-time dynamical models. In: Proceedings 14th IFAC Symposium on System Identification, Newcastle, Aus, pp. 843–848 (2006)

11. Müller, M.: Über das Fundamentaltheorem in der Theorie der gewöhnlichen Differentialgleichungen. Mathematische Zeitschrift 26, 619–645 (1927)

12. Nedialkov, N.S.: VNODE-LP: a validated solver for initial value problems in ordinary differential equations. Tech. Rep. CAS-06-06-NN, Department of Computing and Software, McMaster University, Hamilton, Ontario, L8S 4K1 (2006), http://www.cas.mcmaster.ca/~nedialk/vnodelp

13. Nedialkov, N.S.: Implementing a rigorous ODE solver through literate programming. In: Rauh, A., Auer, E. (eds.) Modeling, Design, and Simulation of Systems with Uncertainties, Mathematical Engineering, vol. 3, pp. 3–19. Springer, Heidelberg (2011)

14. Nedialkov, N.S.: Computing Rigorous Bounds on the Solution of an Initial Value Problem for an Ordinary Differential Equation. Ph.D. thesis, Department of Computer Science, University of Toronto, Toronto, Canada, M5S 3G4 (February 1999)

15. Podelski, A., Wagner, S.: Region stability proofs for hybrid systems. In: Raskin, J.-F., Thiagarajan, P.S. (eds.) FORMATS 2007. LNCS, vol. 4763, pp. 320–335. Springer, Heidelberg (2007)

16. Ramdani, N., Meslem, N., Candau, Y.: A hybrid bounding method for computing an over-approximation for the reachable space of uncertain nonlinear systems. IEEE Transactions on Automatic Control 54(10), 2352–2364 (2009)

17. Ramdani, N., Meslem, N., Candau, Y.: Computing reachable sets for uncertain nonlinear monotone systems. Nonlinear Analysis: Hybrid Systems 4(2), 263–278 (2010)

18. Ratschan, S., She, Z.: Safety verification of hybrid systems by constraint propagation based abstraction refinement. ACM Transactions in Embedded Computing Systems 6(1) (2007)

19. Shtrichman, O.: Tuning SAT checkers for bounded model checking. In: Emerson, E., Sistla, A. (eds.) CAV 2000. LNCS, vol. 1855, pp. 480–494. Springer, Heidelberg (2000)

20. Stursberg, O., Kowalewski, S., Hoffmann, I., Preußig, J.: Comparing timed and hybrid automata as approximations of continuous systems. In: Antsaklis, P., Kohn, W., Nerode, A., Sastry, S. (eds.) HS 1996. LNCS, vol. 1273, pp. 361–377. Springer, Heidelberg (1997)