Switched Systems as Hybrid Programs

Yong Kiam Tan, André Platzer
Computer Science Department, Carnegie Mellon University, Pittsburgh, USA (e-mail: {yongkiat,aplatzer}@cs.cmu.edu)

arXiv:2101.06195v2 [cs.LO] 29 Apr 2021

Abstract: Real world systems of interest often feature interactions between discrete and continuous dynamics. Various hybrid system formalisms have been used to model and analyze this combination of dynamics, ranging from mathematical descriptions, e.g., using impulsive differential equations and switching, to automata-theoretic and language-based approaches. This paper bridges two such formalisms by showing how various classes of switched systems can be modeled using the language of hybrid programs from differential dynamic logic (dL). The resulting models enable the formal specification and verification of switched systems using dL and its existing deductive verification tools such as KeYmaera X. Switched systems also provide a natural avenue for the generalization of dL's deductive proof theory for differential equations. The completeness results for switched system invariants proved in this paper enable effective safety verification of those systems in dL.

Keywords: Hybrid and switched systems modeling · reachability analysis, verification and abstraction of hybrid systems · hybrid programs · differential dynamic logic

1. INTRODUCTION

The study of hybrid systems, i.e., mathematical models that combine discrete and continuous dynamics, is motivated by the need to understand the hybrid dynamics present in many real world systems (Liberzon, 2003; Platzer, 2018). Various formalisms can be used to describe hybrid systems, for example, impulsive differential equations (Haddad et al., 2006); switched systems (Liberzon, 2003; Sun and Ge, 2011); hybrid time combinations of discrete and continuous dynamics (Goebel et al., 2009, 2012); hybrid automata (Henzinger, 1996); and language-based models (Rönkkö et al., 2003; Liu et al., 2010; Platzer, 2010, 2018). These formalisms differ in their generality and in how the discrete-continuous dynamical combination is modeled, e.g., ranging from differential equations with discontinuous right-hand sides, to combinators that piece together discrete and continuous programs. Consequently, different formalisms may be better suited for different hybrid system applications and it is worthwhile to explore connections between different formalisms in order to exploit their various strengths for a given application.

A switched system consists of a family of continuous ordinary differential equations (ODEs) together with a discrete switching signal that prescribes the active ODE the system follows at each time. These models are commonly found in control designs where appropriately designed switching can be used to achieve control goals that cannot be achieved by purely continuous means (Liberzon, 2003).

Differential dynamic logic (dL) (Platzer, 2010, 2018) provides the language of hybrid programs, whose hybrid dynamics arise from combining discrete programming constructs with continuous ODEs. This combination yields a rich and flexible language for describing hybrid systems, e.g., with event- or time-triggered design paradigms.

This paper shows how various classes of switched systems can be fruitfully modeled in the language of hybrid programs. The contributions are as follows:

(1) Important classes of switched systems are modeled as hybrid programs in Sections 3–4. Subtleties associated with those models are investigated, along with methods for detecting and avoiding those pitfalls.
(2) Completeness results for differential equation invariants in dL (Platzer and Tan, 2020) are extended to invariants of switched systems, yielding an effective technique for proving switched system safety.

These contributions enable sound deductive verification of switched systems in dL and they lay the groundwork for further development of proof automation for switched systems, such as in the KeYmaera X (Fulton et al., 2015) hybrid systems prover based on dL. To demonstrate the versatility of the proposed hybrid program models, Section 5 uses KeYmaera X to formally verify stability for several switched system examples using standard Lyapunov function techniques (Liberzon, 2003). All proofs are available in Appendix A.

⋆ This research was sponsored by the AFOSR under grant number FA9550-16-1-0288. The first author was also supported by A*STAR, Singapore. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity.
© 2021 the authors. This work has been accepted to IFAC for publication under a Creative Commons Licence CC-BY-NC-ND.

2. BACKGROUND

This section informally recalls differential dynamic logic (dL) and the language of hybrid programs used to model switched systems in Sections 3 and 4. Formal presentations of dL are available elsewhere (Platzer, 2010, 2017, 2018).
2.1 Hybrid Programs

The language of hybrid programs is generated by the following grammar, where x is a variable, e is a dL term, e.g., a polynomial over x, and Q is a dL formula.

$$\alpha, \beta ::= x := e \mid ?Q \mid x' = f(x) \,\&\, Q \mid \alpha; \beta \mid \alpha \cup \beta \mid \alpha^*$$

Discrete assignment x := e sets the value of variable x to that of term e in the current state. Test ?Q checks that formula Q is true in the current state and aborts the run otherwise. The continuous program x' = f(x) & Q continuously evolves the system state by following the ODE x' = f(x) for a nondeterministically chosen duration t ≥ 0, as long as the system remains in the domain constraint Q for all times 0 ≤ τ ≤ t. The sequence program α; β runs program β after α, the choice program α ∪ β nondeterministically chooses to run either α or β, and the loop program α* repeats α for n ∈ ℕ iterations where n is chosen nondeterministically. The nondeterminism inherent in hybrid programs is useful for abstractly modeling real world behaviors (Platzer, 2018). The evolution of various hybrid programs is illustrated in parts A–C and G of Fig. 1.

[Fig. 1: illustration of hybrid program evolutions; panels A–G are described in the caption below.]

Fig. 1. The green initial state evolving according to a hybrid program featuring (clockwise from top):
A a discrete assignment (dashed line) followed sequentially by continuous ODE evolution (solid line),
B a choice between two ODEs (Section 3.1),
C a test that aborts (red ×) system evolutions leaving Q,
D switching when the system state crosses the thick blue switching surface (Section 3.2),
E switching after time t ≥ τ has elapsed (Section 4.1),
F switching control that is designed to drive the system state close to its initial position (Section 4.2), and
G a loop that repeats system evolution (in lighter colors).

Notationally, x = (x1, …, xn) are the state variables of an n-dimensional system, so x' = f(x) & Q is an autonomous n-dimensional system of ordinary differential equations over x; the ODE is written as x' = f(x) when there is no domain constraint, i.e., Q ≡ true. For simplicity, all ODEs have polynomial right-hand sides, dL terms e are polynomial over x, and P, Q are formulas of first-order real arithmetic over x; extensions of the term language to Noetherian functions are described in Platzer and Tan (2020). The single-sided conditional if is defined as if(P){α} ≡ (?P; α) ∪ (?¬P). Nondeterministic choice over a finite family of hybrid programs αp for p ∈ 𝒫, 𝒫 ≡ {1, …, m} is denoted $\bigcup_{p \in \mathcal{P}} \alpha_p \equiv \alpha_1 \cup \alpha_2 \cup \ldots \cup \alpha_m$.

The formula language of dL extends first-order logic formulas with dynamic modalities for specifying properties of a hybrid program α (Platzer, 2017, 2018). The box modality formula [α]P says that formula P is true for all states reachable by following the nondeterministic evolutions of hybrid program α, while the diamond modality formula ⟨α⟩P says that formula P is true for some reachable state of α. This paper focuses on using box modality formulas for specifying safety properties of hybrid programs. For example, formula R → [α*]P says that initial states satisfying precondition R remain in the safe region P after any number of runs of the loop α*. A key technique for proving safety properties of such a loop is to identify an invariant I of α such that formula I → [α]I is valid, i.e., true in all states (Platzer, 2018). To enable effective proofs of safety, invariance, and various other properties of interest, dL provides compositional reasoning principles for hybrid programs (Platzer, 2017, 2018) and a complete axiomatization for ODE invariants (Platzer and Tan, 2020).

2.2 Switched Systems

A switched system is described by the following data:

(1) an open, connected set D ⊆ ℝⁿ which is the state space of interest for the system,
(2) a finite (non-empty) family 𝒫 of ODEs x' = fp(x) for p ∈ 𝒫, and,
(3) for each initial state ω ∈ D, a set of switching signals σ : [0, ∞) → 𝒫 prescribing the ODE x' = fσ(t)(x) to follow at time t for the system's evolution from ω.¹

Switching phenomena can either be described explicitly as a function of time, or implicitly, e.g., as a state predicate, depending on the real world switching mechanism being modeled. Several standard classes of switching mechanisms are studied in Sections 3 and 4, following the nomenclature from Liberzon (2003). These switching mechanisms are illustrated in parts D–F of Fig. 1.

For simplicity, this paper assumes that the state space is D = ℝⁿ. More general definitions of switched systems are possible but are left out of scope, see Liberzon (2003). For example, 𝒫 can more generally be an (uncountably) infinite family and some switched systems may have impulse effects where the system state is allowed to make instantaneous, discontinuous jumps during the system's evolution, such as the dashed jump in part A of Fig. 1.

¹ A more precise definition is given in Appendix A, where the switching signals σ are also required to be well-defined (Liberzon, 2003; Sun and Ge, 2011) so that they model physically realizable switching.

3. ARBITRARY AND STATE-DEPENDENT SWITCHING

3.1 Arbitrary Switching

Real world systems can exhibit switching mechanisms that are uncontrolled, a priori unknown, or too complicated to describe succinctly in a model. For example, a driving vehicle may encounter several different road conditions depending on the time of day, weather, and other unpredictable factors; given the multitude of combinations to consider, it is desirable to have a single model that exhibits and switches between all of those road conditions.
[Fig. 2: plot of x against t.]

Fig. 2. Evolution of αarb for x' = x (solid blue), x' = 1 (dotted black), and x' = −x (dashed red) from the initial state (black circle). Switching steps are marked by green circles and faded colors illustrate progression in loop iterations for the loop operator in αarb.

Arbitrary switching is a useful paradigm for such systems because it considers all possible switching signals and their corresponding system evolutions. The arbitrary switching mechanism is modeled by the following hybrid program and illustrated in Fig. 2.

$$\alpha_{arb} \equiv \Big(\bigcup_{p \in \mathcal{P}} x' = f_p(x)\Big)^*$$

Observe that i) the system nondeterministically chooses which ODE to follow at each loop iteration; ii) it follows the chosen ODE for a nondeterministic duration; iii) each loop iteration corresponds to a switching step and the loop repeats for a finite, nondeterministically chosen number of iterations. Two subtle behaviors are illustrated by the bottom trajectory in Fig. 2: αarb can switch to the same ODE across a loop iteration or it can chatter by making several discrete switches without continuously evolving its state between those switches (Sogokon et al., 2017). These behaviors are harmless for safety verification because they do not change the set of reachable states of the switched system. Formally, the adequacy of αarb as a model of arbitrary switching is shown in the following proposition.

Proposition 1. A state is reachable by hybrid program αarb iff it is reachable in finite time by a switched system x' = fp(x) for p ∈ 𝒫 following a switching signal σ.

By Proposition 1, the dL formula [αarb]P specifies safety for arbitrary switching, i.e., for any switching signal σ, the system states reached at all times by switching according to σ satisfy the safety postcondition P.

3.2 State-Dependent Switching

Arbitrary switching can be constrained by enabling switching to the ODE x' = fp(x) only when the system state belongs to a corresponding domain specified by formula Qp. This yields the state-dependent switching paradigm, which is useful for modeling real systems that are either known or designed to have particular switching surfaces. For the finite family of ODEs with domains x' = fp(x) & Qp, p ∈ 𝒫, state-dependent switching is modeled as follows:

$$\alpha_{state} \equiv \Big(\bigcup_{p \in \mathcal{P}} x' = f_p(x) \,\&\, Q_p\Big)^*$$

Operationally, if the system is currently evolving in domain Qi and is about to leave the domain, it must switch to another ODE with domain Qj that is true in the current state to continue its evolution. Arbitrary switching αarb is the special case of αstate with no domain restrictions. The following result generalizes Proposition 1 to consider only states reached while obeying the specified domains.

Proposition 2. A state is reachable by hybrid program αstate iff it is reachable in finite time by a switched system x' = fp(x) for p ∈ 𝒫 following a switching signal σ while obeying the domains Qp.

The next two results are syntactically provable in dL and they provide sound and complete invariance reasoning principles for state-dependent (and arbitrary) switching. Formula φ is computable from a set of inputs iff there is an algorithm that outputs φ when given those inputs.

Lemma 3. Formula I is an invariant for αstate iff I is invariant for all constituent ODEs x' = fp(x) & Qp, p ∈ 𝒫.

Theorem 4. From input ODEs x' = fp(x) & Qp, p ∈ 𝒫 and formula I, there is a computable formula of real arithmetic φ such that formula I is invariant for αstate iff φ is valid. In particular, invariance for αstate is decidable.

Lemma 3 shows that when searching for an invariant of αstate, it suffices to search for a common invariant of every constituent ODE. Theorem 4 enables sound and complete invariance proofs for systems with state-dependent switching in dL, relying on dL's complete axiomatization for ODE invariance and decidability of first-order real arithmetic over polynomial terms (Tarski, 1951). These results also extend to Noetherian functions, e.g., exponentials and trigonometric functions, at the cost of losing decidability of the resulting arithmetic (Platzer and Tan, 2020).

3.3 Modeling Subtleties

The model αstate as defined above makes no a priori assumptions about how the ODEs and their domains x' = fp(x) & Qp are designed, so results like Theorem 4 apply generally to all state-dependent switching designs. However, state-dependent switching can exhibit some well-known subtleties (Liberzon, 2003; Sogokon et al., 2017) and it becomes the onus of modelers to appropriately account for these subtleties. This section examines various subtleties that can arise in αstate and prescribes sufficient arithmetical criteria for avoiding them; like Theorem 4, these arithmetical criteria are decidable for systems with polynomial terms (Tarski, 1951). As a running example, let the line x1 = x2 be a switching surface, i.e., the example systems described below are intended to exhibit switching when their system state reaches this line.

Well-defined switching. First, observe that the domains Qp must cover the entire state space; otherwise, there would be system states of interest where no continuous dynamics is active. This can be formally guaranteed by deciding validity of the formula ①: $\bigvee_{p \in \mathcal{P}} Q_p$. Next, consider the following ODEs:

$$x_1' = 0,\ x_2' = 1 \,\&\, x_1 \geq x_2 \qquad (x' = f_A(x) \,\&\, Q_A)$$
$$x_1' = -1,\ x_2' = 0 \,\&\, x_1 < x_2 \qquad (x' = f_B(x) \,\&\, Q_B)$$
Consider the system evolution starting in QA ≡ x1 ≥ x2 illustrated above on the right. When the system reaches x1 = x2 (the illustration is offset for clarity), it is about to locally progress into QB ≡ x1 < x2 by switching to ODE x' = fB(x) but it gets stuck because it cannot make the infinitesimal jump from QA to enter QB; augmenting domain QB to x1 ≤ x2 enables the switch. More generally, to avoid the need for infinitesimal jumps, domains Qp should be augmented to include states that locally progress into Qp under the ODE x' = fp(x) and, symmetrically, states that locally exit Qp (Sogokon et al., 2017). Local progress (and exit) for ODEs is characterized as follows.

Theorem 5. (Platzer and Tan (2020)). From input ODE x' = f(x) & Q, there are computable formulas of real arithmetic $\dot{(Q)}^{(*)}_{f}$, $\dot{(Q)}^{(*)}_{-f}$ that respectively characterize the states from which x' = f(x) locally progresses into Q and those from which it locally exits Q.

By Theorem 5, to avoid the stuck states exemplified above for ODEs x' = fp(x) & Qp, p ∈ 𝒫 in αstate, it suffices to decide validity of the formula ②: $\dot{(Q_p)}^{(*)}_{f_p} \lor \dot{(Q_p)}^{(*)}_{-f_p} \to Q_p$ for each p ∈ 𝒫. Condition ② is syntactically significantly simpler but equivalent to the domain augmentation presented in Sogokon et al. (2017) for piecewise continuous models, a form of state-dependent switching.

Sliding modes. The preceding subtlety arose from incomplete domain constraint specifications. Another subtlety that can arise because of incomplete specification of ODE dynamics is exemplified by the following ODEs:

$$x_1' = 0,\ x_2' = 1 \,\&\, x_1 \geq x_2 \qquad (x' = f_A(x) \,\&\, Q_A)$$
$$x_1' = 1,\ x_2' = 0 \,\&\, x_1 \leq x_2 \qquad (x' = f_B(x) \,\&\, Q_B)$$

[Illustration: the domains x1 ≤ x2 and x1 ≥ x2 in the (x1, x2) plane, with trajectories from both sides driven onto the line x1 = x2.]

Systems starting in QA ≡ x1 ≥ x2 or QB ≡ x1 ≤ x2 eventually reach the line x1 = x2 but they then get stuck because the ODEs on either side of x1 = x2 drive system evolution onto the line. Mathematically, the system enters a sliding mode (Liberzon, 2003) along x1 = x2; as illustrated above, this can be thought of as infinitely fast switching between the ODEs that results in a new sliding dynamics along the switching surface x1 = x2.

When the sliding dynamics can be calculated exactly, it suffices to add those dynamics to the switched system, e.g., adding the sliding dynamics $x_1' = \tfrac{1}{2},\ x_2' = \tfrac{1}{2} \,\&\, x_1 = x_2$ to the example above allows stuck system states on x1 = x2 to continuously progress along the line (illustrated below, left). An alternative is hysteresis switching (Liberzon, 2003) which enlarges domains adjacent to the sliding mode so that a system that reaches the sliding surface is allowed to briefly continue following its current dynamics before switching. For example, for a fixed ε > 0, the enlarged domains QA ≡ x1 ≥ x2 − ε and QB ≡ x1 ≤ x2 + ε allow the stuck states to evolve off the line for a short distance. This yields arbitrary switching in the overlapped part of both domains (illustrated below, right). For a family of domains Qp, p ∈ 𝒫 meeting conditions ① and ②, hysteresis switching can be introduced by replacing each Qp with its closed ε-neighborhood for some chosen ε > 0.

[Illustration: left, the sliding dynamics added along x1 = x2 between the domains x1 ≤ x2 and x1 ≥ x2; right, hysteresis switching with the enlarged domains x1 ≤ x2 + 1 and x1 ≥ x2 − 1 (ε = 1) overlapping around the line.]

To guarantee the absence of stuck states, by Theorem 5, it suffices to decide validity of the formula ③: $\bigvee_{p \in \mathcal{P}} \dot{(Q_p)}^{(*)}_{f_p}$, i.e., every point in the state space can switch to an ODE which locally progresses in its associated domain. Models meeting conditions ② and ③ also meet condition ①.

Zeno behavior. Hybrid and switched system models can also exhibit Zeno behavior, where the model makes infinitely many discrete transitions in a finite time interval (Zhang et al., 2001). Such behaviors are an artifact of the model and are not reflective of the real world. Zeno traces are typically excluded when reasoning about hybrid system models (Zhang et al., 2001), e.g., Proposition 2 specifies safety for all finite (thus non-Zeno) executions of state-dependent switching. The detection of Zeno behavior in switched systems is left out of scope for this paper.

4. TIME-DEPENDENT AND CONTROLLED SWITCHING

4.1 Time-Dependent Switching

The time-dependent switching paradigm imposes timing constraints on switching signals. To specify such constraints syntactically, each ODE in the family p ∈ 𝒫 is extended with a common, fresh clock variable t with t' = 1 yielding ODEs of the form x' = fp(x), t' = 1, and a fresh (discrete) flag variable u is used to select and track the ODE to follow at each time. One form of timing constraint is slow switching, where the system switches arbitrarily between ODEs but must spend a minimum dwell time τ > 0 between each switch. Sufficiently large dwell times can be used to stabilize some systems (see Section 5). Slow switching is modeled by the following hybrid program:

$$\alpha_{slow} \equiv \alpha_r;\ \Big(\text{if}(t \geq \tau)\{\alpha_r\};\ \bigcup_{p \in \mathcal{P}} ?u = p;\ x' = f_p(x),\ t' = 1\Big)^*$$
$$\alpha_r \equiv t := 0;\ \bigcup_{p \in \mathcal{P}} u := p$$

The program αr resets the clock t to 0 and nondeterministically chooses a new value for the flag u. For each loop iteration of αslow, the guard t ≥ τ checks if the current ODE has executed for at least time τ before running αr to pick a new value for u. The subsequent choice selects the ODE to follow based on the value of flag u.

Proposition 6. A state is reachable by hybrid program αslow iff it is reachable in finite time by a switched system x' = fp(x) for p ∈ 𝒫 following a switching signal σ that spends at least time τ between its switching times.
Theorem 7. From input ODEs x' = f_p(x), p ∈ P and formula I, there is a computable formula of real arithmetic φ such that formula I is invariant for αslow iff φ is valid. In particular, invariance for αslow is decidable.

4.2 Controlled Switching

The discrete fragment of hybrid programs can be used to flexibly model (computable) controlled switching mechanisms, e.g., those that combine state-dependent and time-dependent switching constraints, or make complex switching decisions based on the state of the system. An abstract controlled switching model is shown below, where program αi initializes the system state (e.g., of the clock or flag) and αu models a controller that assigns a decision u := p.

$$
\alpha_{\mathrm{ctrl}} \equiv \alpha_i;\ \Big(\alpha_u;\ \bigcup_{p \in P} \big(?u = p;\ x' = f_p(x),\ t' = 1 \,\&\, Q_p\big)\Big)^*
$$

Hybrid program αctrl resembles the shape of standard models of event-triggered and time-triggered systems in dL (Platzer, 2018) but is adapted for controlled switching. The controller program αu inspects the current state variables x and the clock t. It can modify the clock, e.g., by resetting it with t := 0, but αu must not discretely change the state variables x. The subsequent choice selects the ODE to follow based on the value of flag u assigned in αu.

The slow switching model αslow is an instance of αctrl where the controller program switches only after the dwell time is exceeded. Another example is periodic switching, where the controller periodically cycles through a family of ODEs. Switching with sufficiently fast period can be used to stabilize a family of unstable ODEs, e.g., for linear ODEs whose system matrices have a stable convex combination (Tokarzewski, 1987). Without loss of generality, assume that P ≡ {1, ..., m}, the desired switching order is 1, ..., m, and the periodic signal is required to follow the i-th ODE for exactly time ζi > 0. Periodic fast switching is modeled as an instance of αctrl as follows: αfast ≡ αctrl where αi ≡ t := 0; u := 1, Qp ≡ t ≤ ζp, and

$$
\alpha_u \equiv \bigcup_{p \in P} \mathrm{if}(u = p \land t = \zeta_p)\,\{\,t := 0;\ u := u + 1;\ \mathrm{if}(u > m)\,\{u := 1\}\,\}
$$

The system is initialized with t = 0, u = 1 at the start of the cycle. The controller program αu then deterministically cycles through u = 1, ..., m by discretely incrementing the flag variable whenever the time limit ζp for the currently chosen ODE is reached. The domain constraints Qp respectively limit each ODE to run for at most time ζp as prescribed for the switched system.

Proposition 8. A state is reachable by hybrid program αfast iff it is reachable in finite time by a switched system x' = f_p(x) for p ∈ {1, ..., m} following the switching signal σ that periodically switches in the order 1, ..., m according to the times ζ1, ζ2, ..., ζm respectively.

A subtlety occurs in αfast and Proposition 8 when one of the constituent ODEs exhibits finite time blowup before reaching its switching time, e.g., consider switching between ODEs x' = 1 and x' = x² with times ζ1 = ζ2 = 1 starting from a state where x = 0; the latter ODE blows up in the first cycle. Mathematically, the switching signal σ is simply ignored after the blowup time, but such blowup phenomena may not accurately reflect real world behavior. Global existence of solutions for all ODEs in the switched system can be verified in dL (Tan and Platzer, 2021).

5. STABILITY VERIFICATION IN KEYMAERA X

This section shows how stability can be formally verified in dL using the KeYmaera X theorem prover² (Fulton et al., 2015) for the switched systems modeled by α ∈ {αarb, αstate, αslow}. For these systems, the origin 0 ∈ Rⁿ is stable iff the following formula is valid:

$$
\forall \varepsilon > 0\ \exists \delta > 0\ \forall x\ \big(\|x\|^2 < \delta^2 \to [\alpha]\,\|x\|^2 < \varepsilon^2\big)
$$

This formula expresses that, for initial states sufficiently close to the origin (‖x‖² < δ² for δ > 0), all states reached by hybrid program α from those states remain close to the origin (‖x‖² < ε² for ε > 0). By Propositions 1, 2, and 6, the formula specifies stability for the switched systems modeled by α ∈ {αarb, αstate, αslow} uniformly in their respective sets of switching signals (Liberzon, 2003).

² All examples are formalized in KeYmaera X 4.9.2 at: https://github.com/LS-Lab/KeYmaeraX-projects/blob/master/stability/switchedsystems.kyx

Unlike invariance, a switched system can be stable (resp. unstable) even if all of its constituent ODEs are unstable (resp. stable), depending on the switching mechanism (Liberzon, 2003). Stability verification for such systems is important because it provides formal guarantees that specific switching designs correctly eliminate potential instabilities in systems of interest. An important technique for proving stability for ODEs and switched systems is to design an appropriate Lyapunov function, i.e., an auxiliary energy measure that is non-increasing along all system trajectories (Liapounoff, 1907; Liberzon, 2003).

Example 9. Consider arbitrary switching αarb with ODEs:

$$
x_1' = -x_1 + x_2^3,\quad x_2' = -x_1 - x_2
$$
$$
x_1' = -x_1,\quad x_2' = -x_2
$$

Both ODEs are stable and share the common Lyapunov function v = x1²/2 + x2⁴/4. To prove stability for this example, the key idea is to show that v < k ∧ x1² + x2² < ε is a loop invariant of αarb, where k is an upper bound on the initial value of v close to the origin.

Example 10. The following ODEs A and B are individually stable (Liberzon, 2003, Example 3.1). However, as illustrated below on the right, there is a switching signal that causes the system to diverge from the origin, i.e., these ODEs are not stable under arbitrary switching.

$$
A:\quad x_1' = -\tfrac{x_1}{8} - x_2,\quad x_2' = 2x_1 - \tfrac{x_2}{8} \qquad \text{(solid blue)}
$$
$$
B:\quad x_1' = -\tfrac{x_1}{8} - 2x_2,\quad x_2' = x_1 - \tfrac{x_2}{8} \qquad \text{(dashed red)}
$$

[Figure (right): trajectory plot in the (x1, x2) plane; A drawn solid blue, B dashed red.]

Stability can be achieved by a state-dependent switching design with domains: A on x1 x2 ≤ 0 and B on x1 x2 ≥ 0.
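The following Python script is an added example; it is not code from the paper or from the KeYmaera X formalization it cites, and its function names and the initial state (1, 0) are this example's own choices. It runs Example 10 numerically (classical Runge-Kutta, step 0.005) under three switching mechanisms: a state-dependent rule that follows A where x1 x2 ≥ 0 and B where x1 x2 ≤ 0, which is one concrete signal of the kind the paper says exists and makes the norm grow by more than an order of magnitude in 20 time units; the paper's stabilizing design (A where x1 x2 ≤ 0, B where x1 x2 ≥ 0); and time-triggered alternation with dwell time τ between switches, i.e. a signal admitted by αslow of Proposition 6, using τ = 3 from Example 11 below. It also checks on a grid that the derivative of v = x1² + x2² along A and B is non-positive on their respective domains but not on the whole plane (the arithmetic side condition the dL proof discharges per domain), that v = x1²/2 + x2⁴/4 of Example 9 is non-increasing along both of its ODEs everywhere, and it evaluates the worst-case per-switch contraction factor 2·e^(−τ/4) of the dwell-time argument. The constants 2 and 1/4 follow from Example 11's functions 2x1² + x2² and x1² + 2x2² (each decays exactly as e^(−t/4) along its own ODE, and neither exceeds twice the other); that computation is mine, not the paper's. A simulation is evidence rather than a proof; the guarantee in the paper comes from the KeYmaera X proofs.

```python
"""Numerical companion to Examples 9, 10 and 11 (added example, not from the paper).

Constructed inputs: the ODEs of Examples 9 and 10 and the initial state (1, 0).
All function names are this example's own, not KeYmaera X's.
"""
import math

# ODEs A and B of Example 10 (Liberzon, 2003, Example 3.1) and the two ODEs of Example 9.
def f_A(x):
    return (-x[0] / 8 - x[1], 2 * x[0] - x[1] / 8)

def f_B(x):
    return (-x[0] / 8 - 2 * x[1], x[0] - x[1] / 8)

def f_9a(x):
    return (-x[0] + x[1] ** 3, -x[0] - x[1])

def f_9b(x):
    return (-x[0], -x[1])

ODES = {"A": f_A, "B": f_B}

def rk4_step(f, x, dt):
    """One classical Runge-Kutta step of x' = f(x)."""
    k1 = f(x)
    k2 = f(tuple(xi + dt / 2 * ki for xi, ki in zip(x, k1)))
    k3 = f(tuple(xi + dt / 2 * ki for xi, ki in zip(x, k2)))
    k4 = f(tuple(xi + dt * ki for xi, ki in zip(x, k3)))
    return tuple(xi + dt / 6 * (a + 2 * b + 2 * c + d)
                 for xi, a, b, c, d in zip(x, k1, k2, k3, k4))

def simulate(select, x0, horizon, dt=0.005):
    """Follow x' = f_p(x) with p = select(t, x) re-chosen at every step.

    `select` is the switching mechanism: it may read the clock t (time-dependent
    switching) or the state x (state-dependent switching). Returns x(horizon)."""
    x, t = x0, 0.0
    while t < horizon:
        x = rk4_step(ODES[select(t, x)], x, dt)
        t += dt
    return x

def growth(select, horizon=20.0, x0=(1.0, 0.0)):
    """||x(horizon)|| / ||x0|| under the given switching mechanism."""
    xt = simulate(select, x0, horizon)
    return math.hypot(xt[0], xt[1]) / math.hypot(x0[0], x0[1])

def diverging_rule(t, x):
    """A where x1*x2 >= 0, B where x1*x2 <= 0: each ODE is stable, the switched system is not."""
    return "A" if x[0] * x[1] >= 0 else "B"

def stabilizing_rule(t, x):
    """The paper's state-dependent design: A where x1*x2 <= 0, B where x1*x2 >= 0."""
    return "A" if x[0] * x[1] <= 0 else "B"

def dwell_rule(tau):
    """Time-triggered alternation A, B, A, ... with exactly tau between switches."""
    return lambda t, x: "A" if int(t // tau) % 2 == 0 else "B"

# Lyapunov side condition checked by the dL proofs: v' = grad v . f must be <= 0
# along each ODE, but only on that ODE's own domain Q_p.
def lie_derivative(grad_v, f, x):
    return sum(g * fi for g, fi in zip(grad_v(x), f(x)))

def v_nonincreasing_on(grad_v, f, in_domain, points=41, span=2.0):
    """Sample the grid of [-span, span]^2 and check v' <= 0 wherever in_domain holds."""
    grid = [-span + 2 * span * i / (points - 1) for i in range(points)]
    return all(lie_derivative(grad_v, f, (a, b)) <= 1e-12
               for a in grid for b in grid if in_domain((a, b)))

def grad_v10(x):  # v = x1^2 + x2^2, common Lyapunov function of Example 10
    return (2 * x[0], 2 * x[1])

def grad_v9(x):  # v = x1^2/2 + x2^4/4, common Lyapunov function of Example 9
    return (x[0], x[1] ** 3)

# Dwell-time argument of Example 11 with v_A = 2x1^2 + x2^2 and v_B = x1^2 + 2x2^2:
# v_A' = -v_A/4 along A, v_B' = -v_B/4 along B, and each function is at most twice
# the other, so one dwell period plus one switch scales the value by at most 2e^(-tau/4).
def dwell_contraction(tau, decay=0.25, ratio=2.0):
    return ratio * math.exp(-decay * tau)

def min_dwell_time(decay=0.25, ratio=2.0):
    """Smallest tau making dwell_contraction(tau) < 1, i.e. ln(ratio) / decay."""
    return math.log(ratio) / decay

if __name__ == "__main__":
    print("diverging rule, t=20  :", growth(diverging_rule))
    print("stabilizing rule, t=20:", growth(stabilizing_rule))
    print("dwell 3, t=90         :", growth(dwell_rule(3.0), horizon=90.0))
    print("A on x1*x2<=0 / plane :", v_nonincreasing_on(grad_v10, f_A, lambda x: x[0] * x[1] <= 0),
          v_nonincreasing_on(grad_v10, f_A, lambda x: True))
    print("tau=3 factor / min tau:", dwell_contraction(3.0), min_dwell_time())
```

Running the script prints the norm ratios and the domain checks. The derivative of v = x1² + x2² along A is −(x1² + x2²)/4 + 2x1x2, which is non-positive exactly where x1x2 ≤ 0 (symmetrically −(x1² + x2²)/4 − 2x1x2 for B), which is why the grid check passes on the design's domains and fails on the whole plane. The dwell-time factor is about 0.94 for τ = 3 and crosses 1 at τ = 4 ln 2 ≈ 2.77, so with these two Lyapunov functions the same argument works for any τ above that bound, in line with the remark in Example 11 that τ = 3 is not optimal.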
The resulting system modeled by αstate has the common Lyapunov function v = x1² + x2². The proof uses a loop invariant similar to Example 9 and, crucially, checks the arithmetical Lyapunov function conditions for the derivative of v only on the respective domains for each ODE.

Example 11. The example ODEs A, B can also be stabilized by sufficiently slow switching in αslow with minimum dwell time τ = 3 (the value of τ can be further optimized). Here, two different Lyapunov functions are used: 2x1² + x2² for A and x1² + 2x2² for B. The key proof idea is to bound both Lyapunov functions by decaying exponentials, and show that the dwell time τ is sufficiently large to ensure that both Lyapunov functions have decayed by an appropriate fraction when a switch occurs at time t ≥ τ.

The minimum dwell time principle can be used more generally to stabilize any family of stable linear ODEs (Liberzon, 2003). For example, the ODE C: x1' = −x1, x2' = −x2 is also stable and has the Lyapunov function x1² + x2². All three ODEs A, B, C can be stabilized with the same dwell time τ = 3. The KeYmaera X proof required minimal changes, e.g., the loop invariants were updated to account for the new ODE C and its Lyapunov function.

6. RELATED WORK

There are numerous hybrid system formalisms in the literature (Haddad et al., 2006; Liberzon, 2003; Sun and Ge, 2011; Goebel et al., 2009, 2012; Henzinger, 1996; Rönkkö et al., 2003; Liu et al., 2010; Platzer, 2010, 2018); see the cited articles and textbooks for further references.

Connections between several formalisms have been examined in prior work. Platzer (2010) shows how hybrid automata can be embedded into hybrid programs for their safety verification; the book also generalizes dL with (disjunctive) differential-algebraic constraints that can be used to model and verify continuous dynamics with state-dependent switching (Platzer, 2010, Chapter 3). This paper instead models switching with discrete program operators, which enables compositional reasoning for the hybrid dynamics in switched systems. Sogokon et al. (2017) study hybrid automata models for ODEs with piecewise continuous right-hand sides and highlight various subtleties in the resulting models; similar subtleties for state-dependent switching models are presented in Section 3.3. Goebel et al. (2009, 2012) show how impulsive differential equations, hybrid automata, and switched systems can all be understood as hybrid time models, and derive their properties using this connection; in this paper, Theorems 4 and 7 are instead proved for switched systems using their hybrid program models.

7. CONCLUSION

This paper provides a blueprint for developing and verifying hybrid program models of switched systems. These contributions enable several future directions, including: i) formalizing asymptotic stability for switched systems (Liberzon, 2003; Sun and Ge, 2011), i.e., the systems are stable (Section 5) and their trajectories tend to the origin over time; ii) modeling switched systems under more general continuous dynamics, e.g., differential inclusions (Goebel et al., 2012) or differential-algebraic constraints (Platzer, 2010); iii) developing practical proof automation for switched systems in KeYmaera X, e.g., automated synthesis and verification of invariants and Lyapunov functions for various switching mechanisms.

Acknowledgments. We thank the ADHS’21 anonymous reviewers for their helpful feedback on this paper.

REFERENCES

Chicone, C. (2006). Ordinary Differential Equations with Applications. Springer, New York, second edition. doi:10.1007/0-387-35794-7.
Fulton, N., Mitsch, S., Quesel, J., Völp, M., and Platzer, A. (2015). KeYmaera X: an axiomatic tactical theorem prover for hybrid systems. In A.P. Felty and A. Middeldorp (eds.), CADE, volume 9195 of LNCS, 527–538. Springer, Cham. doi:10.1007/978-3-319-21401-6_36.
Goebel, R., Sanfelice, R.G., and Teel, A.R. (2009). Hybrid dynamical systems. IEEE Control Systems Magazine, 29(2), 28–93. doi:10.1109/MCS.2008.931718.
Goebel, R., Sanfelice, R.G., and Teel, A.R. (2012). Hybrid Dynamical Systems: Modeling, Stability, and Robustness. Princeton University Press.
Haddad, W.M., Chellaboina, V., and Nersesov, S.G. (2006). Impulsive and Hybrid Dynamical Systems: Stability, Dissipativity, and Control. Princeton University Press.
Henzinger, T.A. (1996). The theory of hybrid automata. In LICS, 278–292. IEEE Computer Society. doi:10.1109/LICS.1996.561342.
Liapounoff, A. (1907). Problème général de la stabilité du mouvement. Annales de la Faculté des sciences de Toulouse : Mathématiques, 9, 203–474.
Liberzon, D. (2003). Switching in Systems and Control. Systems & Control: Foundations & Applications. Birkhäuser. doi:10.1007/978-1-4612-0017-8.
Liu, J., Lv, J., Quan, Z., Zhan, N., Zhao, H., Zhou, C., and Zou, L. (2010). A calculus for hybrid CSP. In K. Ueda (ed.), APLAS, volume 6461 of LNCS, 1–15. Springer. doi:10.1007/978-3-642-17164-2_1.
Platzer, A. (2010). Logical Analysis of Hybrid Systems - Proving Theorems for Complex Dynamics. Springer. doi:10.1007/978-3-642-14509-4.
Platzer, A. (2017). A complete uniform substitution calculus for differential dynamic logic. J. Autom. Reasoning, 59(2), 219–265. doi:10.1007/s10817-016-9385-1.
Platzer, A. (2018). Logical Foundations of Cyber-Physical Systems. Springer. doi:10.1007/978-3-319-63588-0.
Platzer, A. and Tan, Y.K. (2020). Differential equation invariance axiomatization. J. ACM, 67(1), 6:1–6:66. doi:10.1145/3380825.
Rönkkö, M., Ravn, A.P., and Sere, K. (2003). Hybrid action systems. Theor. Comput. Sci., 290(1), 937–973. doi:10.1016/S0304-3975(02)00547-9.
Sogokon, A., Ghorbal, K., and Johnson, T.T. (2017). Operational models for piecewise-smooth systems. ACM Trans. Embed. Comput. Syst., 16(5s), 185:1–185:19. doi:10.1145/3126506.
Sun, Z. and Ge, S.S. (2011). Stability Theory of Switched Dynamical Systems. Communications and Control Engineering. Springer. doi:10.1007/978-0-85729-256-8.
Tan, Y.K. and Platzer, A. (2021). An axiomatic approach to existence and liveness for differential equations. Formal Aspects Comput. doi:10.1007/s00165-020-00525-0.
Tarski, A. (1951). A Decision Method for Elementary Algebra and Geometry. RAND Corporation, Santa Monica, CA. Prepared for publication with the assistance of J.C.C. McKinsey.
Tokarzewski, J. (1987). Stability of periodically switched linear systems and the switching frequency. International Journal of Systems Science, 18(4), 697–726. doi:10.1080/00207728708964001.
Zhang, J., Johansson, K.H., Lygeros, J., and Sastry, S. (2001). Zeno hybrid systems. Int. J. Robust Nonlinear Control, 11(5), 435–451. doi:10.1002/rnc.592.

Appendix A. PROOFS

This appendix provides full definitions and proofs for the results presented in the main paper. Additional background material elided from Section 2 is provided below for use in the proofs.

A dL state ω : V → R assigns a real value to each variable in V. The set of all variables V consists of the variables x = (x1, ..., xn) used to model the continuously evolving state of a switched system, and additional variables V \ {x} used as program auxiliaries in models, e.g., variables u and t in αctrl. This paper focuses on the projection of dL states on the variables x, so the (projected) dL states ω are equivalently treated as points in Rⁿ. Accordingly, the set of states where formula Q is true is the set [[Q]] ⊆ Rⁿ, and the transition relation for hybrid program α is [[α]] ⊆ Rⁿ × Rⁿ, where (ω, ν) ∈ [[α]] iff state ν ∈ Rⁿ is reachable from state ω ∈ Rⁿ by following α. The semantics of program auxiliaries is as usual (Platzer, 2018).

Switching signals σ : [0, ∞) → P are assumed to be well-defined, i.e., σ has finitely many discontinuities on each finite time interval in its domain [0, ∞). For finite P, this means σ is a piecewise constant function with finitely many pieces on each finite time interval; intuitively, σ prescribes a switching choice p ∈ P on each piece. For simplicity, σ is also assumed to be right-continuous (Goebel et al., 2012). With these assumptions, switching signals are equivalently defined by a sequence of switching times 0 = τ0 < τ1 < τ2 < ... with τi → ∞ and a sequence p1, p2, ... ∈ P which specifies the values taken by σ on each time interval:

$$
\sigma(t) = \begin{cases}
p_1 & \text{if } \tau_0 \le t < \tau_1 \\
p_2 & \text{if } \tau_1 \le t < \tau_2 \\
\ \ \cdots \\
p_i & \text{if } \tau_{i-1} \le t < \tau_i \\
\ \ \cdots
\end{cases}
\qquad (\mathrm{A.1})
$$

For a switching signal σ and initial state ω ∈ Rⁿ, the solution ϕ of the switched system is the function generated inductively on the sequences τi and pi as follows. Define ϕ(0) = ω. For switching time τi with i ≥ 1, if ϕ is defined at time τi−1, then the definition of ϕ is extended by considering the unique, right-maximal solution to the ODE x' = f_{pi}(x) starting from ϕ(τi−1) (Chicone, 2006), i.e., ψi : [0, ζi) → Rⁿ with ψi(0) = ϕ(τi−1), dψi(t)/dt = f_{pi}(ψi(t)), and 0 < ζi ≤ ∞. If ζi ≤ τi − τi−1, then the system blows up before reaching the next switching time τi, so define ϕ(τi−1 + t) = ψi(t) on the bounded time interval t ∈ [0, ζi). Otherwise, ζi > τi − τi−1, then define ϕ(τi−1 + t) = ψi(t) on the time interval t ∈ [0, τi − τi−1]. This inductive construction uniquely defines a solution ϕ : [0, ζ) → Rⁿ associated with ω and σ for (right-maximal) time ζ > 0.

The switched system reaches ϕ(t) at time t ∈ [0, ζ). When the system is associated with a family of domains Qp, p ∈ P, the switched system reaches ϕ(t) while obeying the domains iff for all i ≥ 1 and time γ ∈ [τi−1, τi] ∩ [0, t], the state ϕ(γ) satisfies Q_{pi}.

The dL proof calculus used in the proofs of Lemma 3 and Theorem 7 is briefly recalled here; a more comprehensive introduction is available elsewhere (Platzer, 2017, 2018). All derivations are presented in a classical sequent calculus with the usual rules for manipulating logical connectives and sequents such as ∧L, ∀R. The semantics of sequent Γ ⊢ φ is equivalent to the formula (⋀_{ψ∈Γ} ψ) → φ, and a sequent is valid iff its corresponding formula is valid. Completed branches in a sequent proof are marked with ∗. An axiom (schema) is sound iff all of its instances are valid. A proof rule is sound iff validity of all premises (above the rule bar) entails validity of the conclusion (below the rule bar). Axioms and proof rules are derivable if they can be deduced from sound dL axioms and proof rules. Soundness of the dL axiomatization ensures that derived axioms and proof rules are sound (Platzer, 2017, 2018). The following axioms and proof rules of dL are used in the proofs.

$$
\begin{array}{ll}
{[:=]} & [x := e]P(x) \leftrightarrow P(e) \quad (e \text{ free for } x \text{ in } P) \\
{[?]} & [?Q]P \leftrightarrow (Q \to P) \\
{[\cup]} & [\alpha \cup \beta]P \leftrightarrow [\alpha]P \land [\beta]P \\
{[;]} & [\alpha;\beta]P \leftrightarrow [\alpha][\beta]P \\
{[*]} & [\alpha^*]P \leftrightarrow P \land [\alpha][\alpha^*]P \\[4pt]
\mathrm{loop} & \dfrac{P \vdash [\alpha]P}{P \vdash [\alpha^*]P} \qquad
\mathrm{G}\ \ \dfrac{\vdash P}{\Gamma \vdash [\alpha]P} \qquad
\mathrm{M}[\cdot]\ \ \dfrac{R \vdash P \qquad \Gamma \vdash [\alpha]R}{\Gamma \vdash [\alpha]P} \\[8pt]
\mathrm{DG}_t & [x' = f(x) \,\&\, Q(x)]P(x) \leftrightarrow [x' = f(x),\ t' = 1 \,\&\, Q(x)]P(x)
\end{array}
$$

Axioms [:=], [?], [;], [∪], [∗] unfold box modalities of their respective hybrid programs according to their semantics. Rule loop is the loop induction rule, rule G is Gödel generalization, and rule M[·] is the derived monotonicity rule for box modality postconditions; antecedents that have no free variables bound in α are soundly kept across uses of rules loop, G, M[·] (Platzer, 2017, 2018). Axiom DGt is an instance of the more general differential ghosts axiom of dL, which adds (or removes) a fresh linear system of ODEs to an ODE x' = f(x) for the sake of the proof.

Proof of Proposition 1. This follows from Proposition 2 with Qp ≡ true for all p ∈ P. □

Proof of Proposition 2. Both directions of the proposition are proved separately for an initial state ω ∈ Rⁿ.

“⇒”. Suppose (ω, ν) ∈ [[αstate]]. By the semantics of dL loops, there is a sequence of states ω = ω0, ω1, ..., ωn = ν for some n ≥ 0 and, for each 1 ≤ i ≤ n, the states transition according to (ωi−1, ωi) ∈ [[⋃_{p∈P} x' = f_p(x) & Qp]]. In particular, for each 1 ≤ i ≤ n, there is a choice pi where state ωi−1 reaches ωi by evolving according to the ODE x' = f_{pi}(x) for some time ζi ≥ 0 and staying within the domain Q_{pi} for all times 0 ≤ t ≤ ζi during its evolution.
The finite sequences (ω0, ω1, ..., ωn), (ζ1, ..., ζn) and (p1, ..., pn) correspond to a well-defined switching signal as follows. First, remove from all sequences the indexes 1 ≤ i ≤ n with ζi = 0. This yields new sequences (ω̃0, ω̃1, ..., ω̃m), (ζ̃1, ..., ζ̃m), and (p̃1, ..., p̃m) where ζ̃i > 0. Consider the switching signal σ with switching times τi = Σ_{j=1}^{i} ζ̃j for 1 ≤ i < m and τi = τi−1 + 1 for i ≥ m, so τ1 < τ2 < ... and τi → ∞. Furthermore, extend the sequence of switching choices with p̃i = p̃m for i > m. By construction using Equation A.1, σ is well-defined and the solution ϕ associated with σ from ω reaches ν at time Σ_{j=1}^{m} ζ̃j and obeys the domains Q_{p̃i} until that time.

“⇐”. Let σ be a switching signal and ϕ : [0, ζ) → Rⁿ be the associated switched system solution from ω. Suppose that the switched system reaches ϕ(t) for t ∈ [0, ζ) while obeying the domains Qp. To show (ω, ϕ(t)) ∈ [[αstate]], by the semantics of dL loops, it suffices to construct a sequence of states ω = ω0, ω1, ..., ωn for some finite n, with ωn = ϕ(t), and (ωi−1, ωi) ∈ [[⋃_{p∈P} x' = f_p(x) & Qp]] for 1 ≤ i ≤ n.

By Equation A.1, σ is equivalently defined by a sequence of switching times τ0 < τ1 < τ2 < ... and a sequence of switching choices p1, p2, ..., where pi ∈ P. Let τn be the first switching time such that t ≤ τn; the index n exists since τi → ∞. Define the state sequence ωi = ϕ(τi) for 0 ≤ i < n and ωn = ϕ(t). Note that ω0 = ω by definition of ϕ(0). It suffices to show (ωi−1, ωi) ∈ [[x' = f_{pi}(x) & Q_{pi}]] for 1 ≤ i ≤ n, but this follows by construction of ϕ because ωi is reached from ωi−1 by following the solution to ODE x' = f_{pi}(x), and, by assumption, ϕ(γ) satisfies Q_{pi} for γ ∈ [τi−1, τi] ∩ [0, t]. □

Proof of Lemma 3. The following axiom is syntactically derived in dL. It syntactically expresses that invariance for αstate (left-hand side) is equivalent to invariance for all of its constituent ODEs (right-hand side).

$$
\mathrm{Inv}_{\mathrm{state}}\qquad \forall x\,(I \to [\alpha_{\mathrm{state}}]I) \;\leftrightarrow\; \bigwedge_{p \in P} \forall x\,(I \to [x' = f_p(x) \,\&\, Q_p]I)
$$

Both directions of axiom Invstate are derived separately. In the sequent derivations below, each row is obtained from the row above it by the rule(s) named at its left, and ∗ marks a closed branch.

“←” The (easier) “←” direction uses rule loop to prove that I is a loop invariant of αstate. The antecedent is abbreviated Γ ≡ ⋀_{p∈P} ∀x (I → [x' = f_p(x) & Qp]I); Γ is constant for αstate, so it is soundly kept across the use of rule loop. The subsequent [∪], ∧R step unfolds the nondeterministic choice in αstate’s loop body, yielding a premise for each ODE in P. These premises are indexed by p ∈ P below and are all proved propositionally from Γ.

$$
\begin{array}{ll}
 & * \\
\land L, \forall L, \to L & \Gamma, I \vdash [x' = f_p(x) \,\&\, Q_p]I \\
{[\cup]}, \land R & \Gamma, I \vdash [\bigcup_{p \in P} x' = f_p(x) \,\&\, Q_p]I \\
\mathrm{loop} & \Gamma, I \vdash [\alpha_{\mathrm{state}}]I \\
\forall R, \to R & \Gamma \vdash \forall x\,(I \to [\alpha_{\mathrm{state}}]I)
\end{array}
$$

“→” The “→” direction shows that a run of ODE x' = f_p(x) & Qp, p ∈ P must also be a run of αstate, so if formula I is true for all runs of αstate, it must also be true for all runs of the constituent ODEs. The derivation starts by logical unfolding, with abbreviated antecedent Γ ≡ ∀x (I → [αstate]I); the resulting premises are indexed by p ∈ P below.

$$
\begin{array}{ll}
 & [\alpha_{\mathrm{state}}]I \vdash [x' = f_p(x) \,\&\, Q_p]I \\
\forall L, \to L & \Gamma, I \vdash [x' = f_p(x) \,\&\, Q_p]I \\
\land R, \forall R, \to R & \Gamma \vdash \bigwedge_{p \in P} \forall x\,(I \to [x' = f_p(x) \,\&\, Q_p]I)
\end{array}
$$

Next, axiom [∗] unfolds the loop in the antecedent before axiom [∪] chooses the branch corresponding to p ∈ P in the loop body. The loop body in αstate is abbreviated αl ≡ ⋃_{p∈P} x' = f_p(x) & Qp below.

$$
\begin{array}{ll}
 & * \\
{[*]}, \land L & [\alpha_{\mathrm{state}}]I \vdash I \\
\mathrm{M}[\cdot] & [x' = f_p(x) \,\&\, Q_p][\alpha_{\mathrm{state}}]I \vdash [x' = f_p(x) \,\&\, Q_p]I \\
{[\cup]}, \land L & [\alpha_l][\alpha_{\mathrm{state}}]I \vdash [x' = f_p(x) \,\&\, Q_p]I \\
{[*]}, \land L & [\alpha_{\mathrm{state}}]I \vdash [x' = f_p(x) \,\&\, Q_p]I
\end{array}
$$

The derivation is completed using rule M[·] to monotonically strengthen the postcondition, then unfolding the resulting antecedent with axiom [∗]. □

Proof of Theorem 4. Recall that for input ODE x' = f(x) and formula of real arithmetic Q, there is a computable formula of real arithmetic $\dot{(Q)}^{(*)}_{f}$ characterizing the states from which x' = f(x) locally progresses into Q (similarly, formula $\dot{(Q)}^{(*)}_{-f}$ characterizes local exit from Q). Unlike the earlier presentation (Platzer and Tan, 2020), this paper explicitly indicates the ODE dependency in formula $\dot{(Q)}^{(*)}_{f}$ for notational clarity when considering switched systems involving multiple different ODEs.

By Platzer and Tan (2020, Theorem B.5), the following axiom is derivable in dL for polynomial ODEs x' = f(x) and real arithmetic formulas P, Q.

$$
\mathrm{SAI}_{\&}\qquad \forall x\,(P \to [x' = f(x) \,\&\, Q]P) \;\leftrightarrow\; \Big(\forall x\,\big(P \land Q \land \dot{(Q)}^{(*)}_{f} \to \dot{(P)}^{(*)}_{f}\big) \;\land\; \forall x\,\big(\neg P \land Q \land \dot{(Q)}^{(*)}_{-f} \to \dot{(\neg P)}^{(*)}_{-f}\big)\Big)
$$

Chaining the equivalence Invstate from Lemma 3 and SAI& syntactically derives the following equivalence in dL:

$$
\mathrm{SAI}_{\mathrm{state}}\qquad \forall x\,(I \to [\alpha_{\mathrm{state}}]I) \;\leftrightarrow\; \bigwedge_{p \in P}\Big(\forall x\,\big(I \land Q_p \land \dot{(Q_p)}^{(*)}_{f_p} \to \dot{(I)}^{(*)}_{f_p}\big) \;\land\; \forall x\,\big(\neg I \land Q_p \land \dot{(Q_p)}^{(*)}_{-f_p} \to \dot{(\neg I)}^{(*)}_{-f_p}\big)\Big)
$$

Derived axiom SAIstate equivalently characterizes invariance of formula I for αstate by a decidable formula of first-order real arithmetic (Tarski, 1951) on its right-hand side. Therefore, invariance for state-dependent switched systems is decidable. □

Proof of Theorem 5. Local progress is specified using dL in Platzer and Tan (2020, Section 5) and characterized by a provably equivalent formula of real arithmetic in Platzer and Tan (2020, Theorem 6.6). □

Proof of Proposition 6. The proof is similar to Proposition 2 but with fresh auxiliary variables t, u used to control the switching signal. Let τ > 0 be the dwell time
constraint of the system. Both directions of the proposition                           iom Invstate but with   S additional steps to unfold the pro-
are proved separately for an initial state ω ∈ Rn .                                    gram αr ≡ t := 0; p∈P u := p and to handle the fresh
“⇒”. Suppose (ω, ν) ∈ [[αslow ]]. The program αr resets                                variables u, t it uses. S
                                                                                                               The loop body in αslow is abbreviated
                                                                                       αl ≡ if(t ≥ τ ){αr }; p∈P ?u = p; x0 = fp (x), t0 = 1 .
                                                                                                                                              
the clock t to 0 and sets the value of flag u to p ∈
P, but leaves the state variables x unchanged. By the                                  “←” The (easier) “←” direction uses rule loop to prove
semantics of dL programs, there is a sequence of states ω =                               that I is a loop invariant     of αslow . The antecedent
ω0 , ω1 , . . . , ωn = ν for some n ≥ 0 and for each 1 ≤ i ≤ n,                           is abbreviated Γ ≡ p∈P ∀x (I → [x0 = fp (x)]I). The
                                                                                                                  V
there is a choice pi where state ωi−1 reaches ωi by following                             derivation is identical to the “←” direction of Invstate
the ODE x0 = fpi (x) for some time ζi ≥ 0. Extract                                        except the use of axiom [;] and rule G to soundly
compacted sequences from (ω0 , ω1 , . . . , ωn ), (ζ1 , . . . , ζn )                      skip over the discrete programs that set variables
and (p1 , . . . , pn ) as follows: while there is an index i ≥ 1                          u, t. Intuitively, [;] and G are used because invariance
such that pi = pi+1 , replace ζi with ζi + ζi+1 , ωi with ωi+1                            for αslow is independent of which (nondeterministic)
and delete the index i + 1 from all sequences. Intuitively,                               choice of ODE is followed. The antecedents Γ, I are
this compaction repeatedly combines adjacent runs of the                                  soundly kept across uses of rule G because they do
loop body of αslow from the same ODE, yielding the                                        not mention variables u, t. In the penultimate step,
sequences (ω̃0 , ω̃1 , . . . , ω̃m ), (ζ̃1 , . . . , ζ̃m ), and (p̃1 , . . . , p̃m )      axiom DGt removes the clock ODE t0 = 1 and the
where ω̃0 = ω, ω̃m = ωn = ν and for i ≥ 1, ω̃i−1 reaches                                  derivation is completed with ∧L, ∀L, →L. Premises
ω̃i following the ODE x0 = fp̃i (x) by uniqueness of ODE                                  are indexed by p ∈ P after the [∪], ∧R step.
solutions (Chicone, 2006). Furthermore, p̃i 6= p̃i−1 for i ≥ 1
                                                                                                                  ∗
and ζ̃i ≥ τ > 0 for 1 ≤ i < m because the guard t ≥ τ                                        ∧L, ∀L, →L
in the loop body of αslow allows switching only when the                                                   Γ, I   `   [x0 = fp (x)]I
dwell time τ has elapsed.
                                                                                                 DGt
                                                                                                           Γ, I   `   [x0 = fp (x), t0 = 1]I
                                                                                                 [;], G                          0           0
                                                                                                           Γ, I   `   [?u
                                                                                                                        [= p; x = fp (x), t = 1]I 
Consider the switching signal σ with switching times τi =                                       [∪], ∧R
Pi                                                                                                         Γ, I   `   [     ?u = p; x = fp (x), t0 = 1 ]I
                                                                                                                                       0
   j=1 ζ̃j for 1 ≤ i < m and τi = τi−1 + τ for i ≥ m, so
                                                                                                                      p∈P
τi → ∞. Note τi − τi−1 = ζ̃i ≥ τ for i ≥ 1. Furthermore,                                         [;], G
                                                                                                       Γ, I ` [αl ]I
extend the sequence of switching choices with p̃i = p̃m
for i > m. By construction using Equation A.1, σ is well-
                                                                                                 loop
                                                                                                       Γ, I ` [αl∗ ]I
                                                                                                [;], G
defined, spends at least time τ between its switching times,                                           Γ, I ` [αslow ]I
                                                                                              ∀R, →R
and the
      Pmsolution ϕ associated with σ from ω reaches ν at                                                 Γ ` ∀x (I → [αslow ]I)
time j=1 ζ̃j .                                                                         “→” The “→” direction shows that a run of ODE
                                                                                          x0 = fp (x), p ∈ P must also be a run of αslow , so
“⇐”. Let σ be a switching signal that spends at least time
                                                                                          if formula I is true for all runs of αslow , it must also
τ between its switching times and ϕ : [0, ζ) → Rn be
                                                                                          be true for all runs of the constituent ODEs. The
the associated switched system solution from ω. Suppose
                                                                                          derivation starts by logical unfolding, with abbrevi-
the switched system reaches ϕ(t) for t ∈ [0, ζ). To show
                                                                                          ated antecedent Γ ≡ ∀x (I → [αslow ]I). Premises are
(ω, ϕ(t)) ∈ [[αslow ]], by the semantics of dL programs, it
                                                                                          indexed by p ∈ P.
suffices to construct a sequence of states ω = ω0 , ω1 , . . . , ωn
for some finite n, with ωn = ϕ(t) and ωi−1 reaches ωi by                                                 [αslow ]I ` [x0 = fp (x)]I
following the loop body of αslow for 1 ≤ i ≤ n.                                                  ∀L, →L                0
                                                                                                             Γ, I ` [x^ = fp (x)]I
                                                                                               ∧R, ∀R, →R
By Equation A.1, σ is equivalently defined by a sequence                                                         Γ`      ∀x (I → [x0 = fp (x)]I)
of switching times τ0 , τ1 , . . . with τi − τi−1 ≥ τ > 0 for                                                               p∈P
i ≥ 1 and a sequence of switching choices p1 , p2 , . . . , where                           Next, axioms [;], [:=], [∪] unfolds program αr in αslow ,
pi ∈ P. Let τn be the first switching time such that t ≤ τn ;                               setting t = 0 and choosing p for the value of flag u.
the index n exists since τi → ∞. Define the state sequence                                  Axiom [∗ ] unfolds the loop in the antecedents and
ωi = ϕ(τi ) for 0 ≤ i < n and ωn = ϕ(t). Note that ω0 = ω                                   the if program in αl is skipped using axioms [∪], [?]
by definition of ϕ(0). By construction of ϕ, ωi is reached                                  because its guard formula t ≥ τ contradicts the
from ωi−1 by following the solution to ODE x0 = fpi (x).                                    antecedent
Moreover, since the switching times satisfy τi − τi−1 ≥ τ                                          S t = 0. This leaves the choice abbreviated
                                                                                            αc ≡ p∈P ?u = p; x0 = fp (x), t0 = 1, which is un-
for 1 ≤ i < n, the guard t ≥ τ is satisfied for each run of                                 folded with axioms [∪], [;], [?] according to the chosen
the loop body of αslow .                                       2                            value of flag u. Axiom DGt then removes the clock
Proof of Theorem 7. Similar to Lemma 3, the following                                       ODE t0 = 1 from the antecedent box modality.
axiom will be syntactically derived in dL, assuming the                                                                                       ∗
dwell time τ > 0 is a positive constant.                                                        [∗ ], ∧L
                                                                                                                                   [αl ∗ ]I   `   I
                                                                                                    M[·]
                                                                                                                     [x = fp (x)][αl ∗ ]I
                                                                                                                       0
                                                                                                                                                  [x0
                               ^
 Invslow ∀x (I → [αslow ]I) ↔     ∀x (I → [x0 = fp (x)]I)                                                                                     `         = fp (x)]I
                                           p∈P
                                                                                                    DGt
                                                                                                             [x0 = fp (x), t0 = 1][αl ∗ ]I    `   [x0   = fp (x)]I
                                                                                               [∪], [;], [?]
                                                                                                                       u = p, [αc ][αl ∗ ]I   `   [x0   = fp (x)]I
Axiom Invslow says that invariance of formula I for a slow                                        [∪], [?]
                                                                                                                t = 0, u = p, [αl ][αl ∗ ]I   `   [x0   = fp (x)]I
switching system is equivalent to invariance of I for each of                                      ∗
                                                                                                 [ ], ∧L
its constituent ODEs. The two directions of axiom Invslow                                                          t = 0, u = p, [αl ∗ ]I     `   [x0   = fp (x)]I
are derived separately similar to the derivation of ax-                                       [;], [:=], [∪]
                                                                                                                                [αslow ]I     `   [x0   = fp (x)]I
The derivation is completed using rule M[·] to mono-
       tonically strengthen the postcondition, then unfold-
       ing the resulting antecedent with axiom [∗ ].
Chaining the equivalence Invslow and SAI& (with formula
Q ≡ true) derives the following equivalence in dL:
                                              .
                               ^ ∀x I → (I)(∗) ∧
                                                         !
                                                fp
SAIslow ∀x (I → [αslow ]I) ↔                     .
                                                    (∗) 
                              p∈P  ∀x ¬I → (¬I)−fp
Derived axiom SAIslow characterizes invariance for slow
switching by a decidable formula of first-order real arith-
metic (Tarski, 1951). Thus, invariance for slow switching
systems is decidable.                                    2
Proof of Proposition 8. The proof is similar to Propositions 2 and 6 with auxiliary fresh variables $t, u$ used to control the switching signal. Let $P \equiv \{1, \ldots, m\}$ with the switching order $1, \ldots, m$, and where the periodic signal is required to follow the $i$-th ODE for exactly time $\zeta_i > 0$ for $i = 1, \ldots, m$. Abbreviate $[i]_m = ((i - 1) \bmod m) + 1$ for $i \geq 1$. Both directions of the proposition are proved separately for an initial state $\omega \in \mathbb{R}^n$.

“⇒”. Suppose $(\omega, \nu) \in [\![\alpha_{fast}]\!]$. Like the proof of Proposition 6, by dL semantics, there are compacted sequences $(\tilde\omega_0, \tilde\omega_1, \ldots, \tilde\omega_n)$, $(\tilde\zeta_1, \ldots, \tilde\zeta_n)$, and $(\tilde p_1, \ldots, \tilde p_n)$ such that $\tilde\omega_0 = \omega$, $\tilde\omega_n = \nu$, and $\tilde\omega_{i-1}$ reaches $\tilde\omega_i$ following the ODE $x' = f_{\tilde p_i}(x)$ for $i \geq 1$. Furthermore, $\tilde p_i \neq \tilde p_{i-1}$ for $i \geq 1$. By definition of the controller $\alpha_u$ and domain constraints in $\alpha_{fast}$, $\tilde p_i = [i]_m$ for $i \geq 1$, $\tilde\zeta_i = \zeta_{[i]_m}$ for $1 \leq i < n$, and $\tilde\zeta_n \leq \zeta_{[n]_m}$. Consider the periodic switching signal $\sigma$ with switching times $\tau_i = \sum_{j=1}^{i} \zeta_{[j]_m}$ and the sequence of switching choices $p_i = [i]_m$ for $i \geq 1$. By construction using Equation A.1, $\sigma$ is well-defined with the specified periodic switching times, and the solution $\varphi$ associated with $\sigma$ from $\omega$ reaches $\nu$ at time $\sum_{j=1}^{n} \tilde\zeta_j$.

“⇐”. Let $\sigma$ be the periodic switching signal with switching times $\tau_i = \sum_{j=1}^{i} \zeta_{[j]_m}$ and the sequence of switching choices $p_i = [i]_m$ for $i \geq 1$, and $\varphi : [0, \zeta) \to \mathbb{R}^n$ be the associated switched system solution from $\omega$. Suppose the switched system reaches $\varphi(t)$ for $t \in [0, \zeta)$. Let $\tau_n$ be the first switching time such that $t \leq \tau_n$; the index $n$ exists since $\tau_i \to \infty$. Define the state sequence $\omega_i = \varphi(\tau_i)$ for $0 \leq i < n$ and $\omega_n = \varphi(t)$. Note that $\omega_0 = \omega$ by definition of $\varphi(0)$. By construction of $\varphi$, $\omega_i$ is reached from $\omega_{i-1}$ by following the solution to ODE $x' = f_{p_i}(x)$ for exactly time $\zeta_{[i]_m}$ for $1 \leq i < n$, so switching is allowed by the controller $\alpha_u$ and domain constraints in $\alpha_{fast}$. □
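The sequence compaction and the switching-signal constructions used in the proofs of Propositions 6 and 8, as an added example in Python (not from the paper; the function names, the run encoding as (choice, duration) pairs, and the sample runs are constructed here):

```python
import math
from itertools import accumulate
from typing import List, Tuple

# A run of the loop body of alpha_slow / alpha_fast: (ODE choice p_i, time zeta_i).
# This encoding and all inputs below are constructed for illustration.
Run = List[Tuple[int, float]]


def compact(run: Run) -> Run:
    """Compaction step of the proofs: while p_i == p_{i+1}, replace zeta_i by
    zeta_i + zeta_{i+1} and delete index i+1, so that no two adjacent
    segments follow the same ODE (p~_i != p~_{i-1})."""
    out: Run = []
    for p, zeta in run:
        if out and out[-1][0] == p:
            out[-1] = (p, out[-1][1] + zeta)   # merge with the previous segment
        else:
            out.append((p, zeta))
    return out


def respects_dwell_time(run: Run, tau: float) -> bool:
    """Guard t >= tau of alpha_slow: every compacted segment except the last
    must last at least tau (zeta~_i >= tau for 1 <= i < m)."""
    return all(zeta >= tau for _, zeta in compact(run)[:-1])


def switching_times(run: Run, tau: float, tail: int) -> List[float]:
    """Switching times of the signal built in the "=>" direction of
    Proposition 6: tau_i = sum_{j<=i} zeta~_j for 1 <= i < m, then
    tau_i = tau_{i-1} + tau for i >= m (only `tail` of those are listed)."""
    times = list(accumulate(zeta for _, zeta in compact(run)[:-1]))
    last = times[-1] if times else 0.0
    for _ in range(tail):
        last += tau
        times.append(last)
    return times


def follows_periodic_schedule(run: Run, zetas: List[float]) -> bool:
    """Controller alpha_u of alpha_fast (Proposition 8), assuming m >= 2:
    segment i follows ODE [i]_m = ((i-1) mod m) + 1 for exactly zeta_{[i]_m},
    except the final segment, which may stop early (zeta~_n <= zeta_{[n]_m})."""
    m, c = len(zetas), compact(run)
    for i, (p, zeta) in enumerate(c, start=1):
        idx = ((i - 1) % m) + 1
        if p != idx:
            return False
        expected = zetas[idx - 1]
        if i < len(c) and not math.isclose(zeta, expected):
            return False
        if i == len(c) and zeta > expected:
            return False
    return True
```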