Inner and Outer Reachability for the Verification of Control Systems

Eric Goubault, LIX, Ecole Polytechnique, CNRS, 91128 Palaiseau, France, goubault@lix.polytechnique.fr
Sylvie Putot, LIX, Ecole Polytechnique, CNRS, 91128 Palaiseau, France, putot@lix.polytechnique.fr

ABSTRACT
We investigate the information and guarantees provided by different inner and outer approximated reachability analyses for proving properties of dynamical systems. We explore the connection between these approximated sets and the maximal and minimal reachable sets of Mitchell [31], with an additional notion of robustness to disturbance. We demonstrate the practical use of a specific computation of these approximated reachable sets, and revisit in particular reach-avoid properties.

KEYWORDS
reachability analysis, inner-approximation, under-approximation, robustness, safety verification, abstractions, Taylor models

ACM Reference Format:
Eric Goubault and Sylvie Putot. 2019. Inner and Outer Reachability for the Verification of Control Systems. In 22nd ACM International Conference on Hybrid Systems: Computation and Control (HSCC '19), April 16-18, 2019, Montreal, QC, Canada. ACM, New York, NY, USA, 12 pages. https://doi.org/10.1145/3302504.3311794

1 INTRODUCTION
Verifying properties of control systems usually involves rigorously proving that a dynamical system, subject to uncertain initial conditions, parameters, and environment, will eventually reach a region of the state space while avoiding some unsafe set of states. Analytical verification of such properties is generally impossible, as is computing exact reachable sets for nonlinear systems. Different algorithms have been proposed to compute safe outer (or over-) approximations of the reachable states of the system. When the outer-approximations are tight enough, they are often sufficient to prove the property.
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only. HSCC '19, April 16-18, 2019, Montreal, QC, Canada. © 2019 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-6282-5/19/04. $15.00. https://doi.org/10.1145/3302504.3311794

However, when the property cannot be proved, we face the question of whether this is a false alarm or the property is indeed not satisfied. Computing an inner (or under-) approximation of the reachable set is a possible, though still little explored, way to prove that there exist executions of the system that are guaranteed to reach an unsafe state. For systems involving external disturbances, a stronger property is that some (unsafe) states are always reached, whatever these disturbances, for some control signal or input parameters. This is what we define as robust inner-approximations, and we propose a general algorithm to compute them for non-linear dynamical systems. This algorithm extends the approach of [19] in two ways. First, we introduce the notion of robustness to a possible disturbance. Second, we allow the input signal to be time-dependent.

Another contribution of this work is to relate the notions of inner-approximating reachable sets that we introduce to the notions of minimal and maximal reachable sets of Mitchell [31]. This constitutes a starting point to demonstrate how the combination of inner and outer approximations of reachable sets can be used to prove or falsify reach-avoid properties, where the regions to reach or avoid can be moving regions, possibly in the presence of a disturbance in the system.
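The three-way decision sketched above (outer-approximation disjoint from the unsafe set proves safety; inner-approximation meeting it proves that some execution reaches an unsafe state; anything else is inconclusive), together with the one-step robust inner-approximation under an additive disturbance, is illustrated by the following added example. It is not the paper's Taylor-model algorithm nor code from the authors' prototype: it uses a constructed one-dimensional toy map (an Euler step of x' = x - x^3), a natural interval extension for the outer-approximation, and the intermediate value theorem for the inner-approximation, with exact rational arithmetic so that no outward rounding is needed for soundness.

```python
from fractions import Fraction as F

# Toy discrete-time system constructed for this example (not from the paper):
# one explicit Euler step of x' = x - x^3 with step H, plus an additive
# disturbance w. All arithmetic is exact (Fraction), so the soundness
# arguments below do not have to account for floating-point rounding.
H = F(1, 10)


def step(x, w=F(0)):
    """Exact successor of a single state x under disturbance w."""
    return (1 + H) * x - H * x**3 + w


def outer_image(box):
    """Sound outer (over-)approximation of step([lo, hi], 0).

    Natural interval extension: each occurrence of x in (1+H)x - H x^3 is
    evaluated over the whole interval, so the two occurrences are treated as
    independent (the dependency problem). The result contains the exact
    image but is usually strictly larger than it.
    """
    lo, hi = box
    lin = ((1 + H) * lo, (1 + H) * hi)  # (1+H) > 0, so this term is monotone
    cub = (H * lo**3, H * hi**3)        # x^3 is monotone increasing, H > 0
    return (lin[0] - cub[1], lin[1] - cub[0])


def inner_image(box):
    """Sound inner (under-)approximation of step([lo, hi], 0).

    step is continuous, so by the intermediate value theorem every value
    between step(lo) and step(hi) is attained by some x in the box.
    """
    a, b = step(box[0]), step(box[1])
    return (min(a, b), max(a, b))


def robust_inner_image(box, delta):
    """States reached for EVERY disturbance w in [-delta, delta].

    If y lies in [m + delta, M - delta], then for any such w the value y - w
    lies in [m, M], which inner_image guarantees is hit by some x in the box,
    hence step(x, w) = y. Returns None when this argument yields no state.
    """
    m, M = inner_image(box)
    lo, hi = m + delta, M - delta
    return (lo, hi) if lo <= hi else None


def reach(box, k, image):
    """Iterate an image operator k times. Both operators stay sound under
    iteration: the image of a superset contains the exact image, and the
    inner image of a subset lies inside the exact image."""
    for _ in range(k):
        box = image(box)
    return box


def intersects(a, b):
    return a is not None and b is not None and a[0] <= b[1] and b[0] <= a[1]


def check_avoid(init, unsafe, k):
    """Three-valued verdict for 'no execution of length k ends in unsafe'."""
    outer = reach(init, k, outer_image)
    inner = reach(init, k, inner_image)
    if not intersects(outer, unsafe):
        return "proved"         # over-approximation misses the unsafe set
    if intersects(inner, unsafe):
        return "falsified"      # some execution is guaranteed to end in unsafe
    return "inconclusive"       # only the over-approximation touches unsafe


if __name__ == "__main__":
    init = (F(1, 2), F(1))
    for k in range(1, 4):
        print(k, reach(init, k, inner_image), reach(init, k, outer_image))
    print(robust_inner_image(init, F(1, 20)))
    for unsafe in ((F(3, 2), F(2)), (F(9, 10), F(6, 5)), (F(21, 20), F(2))):
        print(unsafe, check_avoid(init, unsafe, 1))
```

Running the script shows the gap between the inner and outer intervals widening with the horizon k, which is exactly the region where the method above can neither prove nor falsify the property; the paper's tighter Taylor-model computations aim at narrowing that gap.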
We also demonstrate that we can prove some new properties, such as the sweep-avoid property, where the target region is proved to be fully covered by executions of the system. We illustrate these contributions using our prototype implementation.

Related work. Reachability properties have been extensively studied for a wide range of system models: ODEs, DDEs, discrete systems, hybrid systems. As they are in general undecidable, numerous methods have been proposed to outer-approximate (or over-approximate) flowpipes and reachable sets. Fewer methods have been proposed for inner-approximations. These methods follow either a Lagrangian approach, which follows the flow of the system, or an Eulerian approach, which models the dynamics of a system by looking at how it flows through fixed sets.

Lagrangian methods are generally set-based and generally scalable. For linear ODEs, sub-polyhedral or ellipsoidal abstractions are generally used for outer-approximations [13, 14] and for inner-approximations [14, 26]. Several approaches exist for outer-approximations of non-linear ODEs [1, 5, 9, 33, 34]. For inner-approximations, both forward Taylor-model-based [19] and backward methods [6, 39] have recently been proposed. These methods have also been extended to Delay Differential Equations [20, 38], which appear naturally when modeling networked control systems, where delays are introduced in the feedback loop.

Eulerian methods, generally based on the Hamilton-Jacobi-Bellman equation [3], are known to be in general less tractable but more expressive, solving generalized reachability problems such as reach-avoid properties [11] and extensions to differential games such as pursuit-evasion, reach-avoid-capture, and control/path-planning synthesis [40]. For polynomial systems of ODEs, computations of inner-approximations of the region of attraction [25] and of the reachable set [37], based on their formulation as solutions to Hamilton-Jacobi partial differential equations, have been proposed. Important verification properties also include stability or controllability, and the computation of invariants or viability kernels.