Safe Reachability Verification of Nonlinear Switched Systems via a Barrier Density

We study temporal properties of dynamical systems; specifically, we seek to determine a set of initial states from which the solutions reach desired states while avoiding a predetermined unsafe set. This property, which we call safe reachability, has been studied in the literature for autonomous systems using barrier functions and Barrier densities [1]. In this paper, we generalize a sufficient condition for safe reachability of autonomous systems to switched systems under arbitrary switching signals. The condition relies upon the existence of a common Barrier density function for each subsystem. We apply the condition using the sum of squares method together with the Putinar Positivstellensatz.


I. INTRODUCTION
In many control applications, one needs to ensure that a system with a given initial state reaches a desired state (reachability) while avoiding some undesired states (safety). One of the widely used methods for the verification of safety and reachability is the application of barrier functions, which allow a system to be analyzed without knowing its solutions explicitly, as is done in the analysis with Lyapunov functions. To mention a few applications, barrier functions have been used for safety verification of an unmanned aerial system performing at high speed in an environment with multiple obstacles [2], for model invalidation, i.e., checking the inconsistency of the measured data with the model [3], for detecting the faults in a system [4], for verification of safety and reachability of nonlinear autonomous systems and systems with disturbances [1], and for the computation of the reachable sets [5] (for more applications see [1], [4], [6], [7], [8], [9], [10], [11] and the references therein). As mentioned in [1], one may not be able to find a barrier function to certify safety and reachability because the solution trajectory for some initial state in a negligible set (a set of measure zero) may enter an undesired set or may not reach a desired set. In [1], the notions of "weak safety" and "weak reachability" are defined to indicate that the safety and reachability properties are satisfied except on a set of (Lebesgue) measure zero. In the light of this, weak safe reachability can be defined as follows: there exists a time such that, for almost every initial state, the solution enters a desired region without entering an undesired region. In [1], a Barrier density is utilized to certify the weak safety of nonlinear autonomous systems. Density functions are also used for stability analysis [12], [13], [14], [15], [16], [17], [18], [19], [20], [21]. Leaning upon the results of [1], our main goal in this paper is to obtain a sufficient condition for the weak safe reachability of nonlinear switched systems under arbitrary switching.

This work has been supported by the Independent Research Fund Denmark (DeBaTe). *Corresponding author.
1 Department of Electronic Systems, Automation and Control, Aalborg University, Fredrik Bajers Vej 7 C, 9220 Aalborg East, Denmark. ayk@es.aau.dk, ozk@es.aau.dk, raf@es.aau.dk
Nonlinear switched systems appear in various applications (see, for instance, [22] and the references therein). In particular, nonlinear switched systems with time-dependent switching can be used to model switched control systems where switching is generated by an external system [23] (for more applications, see the references in [22], [23], [24]). Recently, using common and multiple Lyapunov densities, we have obtained sufficient conditions for the almost global stability of switched systems [25]. In [26], safety verification of nonlinear switched systems is studied by utilizing barrier functions and Barrier densities. In contrast to [26], here we consider the safe reachability problem of nonlinear switched systems via a common Barrier density, which can be seen as a generalization of the result of [26].
Inspired by the common Lyapunov density approach in [25] and the dual Lyapunov analysis of weak safety and reachability in [1], we analyze the safe reachability of a nonlinear switched system. Leaning upon the existence of a common Barrier density, we present a sufficient condition for weak safe reachability under arbitrary switching.
The paper is structured as follows: In Section II, we present preliminaries about nonlinear switched systems under arbitrary switching. In Section III, we define safe reachability and weak safe reachability of a system and present a sufficient condition for the weak safe reachability of nonlinear switched systems with time-varying switching. In Section IV, we present an example using the sum of squares algorithm to illustrate the theoretical part of the paper, together with a brief summary of the use of the Sum of Squares (SoS) technique with the Putinar Positivstellensatz.
Notation. The following notations will be used in the remaining part of the paper.
• $m$ denotes the Lebesgue measure on $\mathbb{R}^n$, and $\mu_\rho(A) = \int_A \cdot \, d\mu(x)$ denotes the Lebesgue integral with respect to the measure $\mu$; here the Lebesgue integral with respect to the Lebesgue measure $m$ is written as $\int \cdot \, dx$.
• For a function $f : \mathbb{R}^n \to \mathbb{R}^n$, $\nabla \cdot f$ denotes the divergence of $f$, and for a function $g : \mathbb{R}^n \to \mathbb{R}$, $\nabla g$ denotes the gradient of $g$.
• indicate that the given property is satisfied everywhere except for a set with Lebesgue measure zero.

II. PRELIMINARIES
We extend Corollary 3.11 of [1] (rewritten as Proposition 1 below) to nonlinear switched systems under arbitrary switching signals. In the next section, the conditions of the proposition will be generalized to nonlinear switched systems and reformulated. In [1], safety and reachability of the given sets are analyzed by applying a bisection algorithm on the set of initial states $X_0$ together with SoS programming, which is not computationally efficient since it requires verifying safety and reachability by solving the SoS algorithm for each partition of $X_0$. In this paper, we propose another method to verify safe reachability, which relies on searching for a common Barrier density via sum of squares (SoS) programming together with the Putinar Positivstellensatz [27]. Specifically, SoS programming is used for determining whether a polynomial can be represented as a combination of sums of squares of polynomials. SoS programming together with the Putinar Positivstellensatz is applied to determine whether a polynomial is non-negative on a compact set which is defined semi-algebraically, i.e., the set is defined via polynomial inequalities.
For the sake of the completeness, let us restate Corollary 3.11 given in [1].
where $f$ is a continuously differentiable function on $\mathbb{R}^n$. Let $X$ be a bounded subset of $\mathbb{R}^n$, and $X_0 \subseteq X$ be a set with positive Lebesgue measure. Assume that a desired set $X_r \subseteq X$ and an unsafe set $X_u \subseteq X$ are given. If there exists a continuously differentiable function $\rho(x) \in \mathbb{R}^n$ satisfying then the weak safe reachability property holds; i.e. for almost every initial state $x_0 \in X_0$, the solution $x(t)$ starting at

Consider a continuous-time nonlinear switched system of the following form $\dot{x}$ where $\sigma$ is the switching signal. The switching signal, $\sigma(t) : [0, \infty) \to \{1, 2, \ldots, N\}$, is assumed to be a right continuous piece-wise constant function. The largest set of admissible switching signals is the set of switching signals which have a finite number of discontinuities in a finite time interval; it is denoted by $S_{\mathrm{nonchatt}}$. Each system given by $\dot{x}(t) = f_p(x(t))$, $p = 1, 2, \ldots, N$, is called a subsystem of the system (2).
Assume that each subsystem $f_p : \mathbb{R}^n \to \mathbb{R}^n$, $p = 1, 2, \ldots, N$, is continuously differentiable on $\mathbb{R}^n$. Denote the constant value of the switching signal $\sigma(t)$ for $t \in [t_{i-1}, t_i)$ as $p_i$. By using these values, the switching signal can be defined as $\sigma(t) = \{(\Delta t_1, p_1), (\Delta t_2, p_2), \ldots\}$, where $\Delta t_i$ is the operation time of the subsystem $f_{p_i}$. Assume that solutions of (2) with $S_{\mathrm{nonchatt}}$ exist for all $t \in \mathbb{R}$. Denote a solution of system (2) for the switching signal $\sigma \in S_{\mathrm{nonchatt}}$ and for the initial state $x$ as $\phi^\sigma_t(x)$.

Remark 1: Since $f_p$, $p = 1, 2, \ldots, N$, are continuously differentiable and $\sigma \in S_{\mathrm{nonchatt}}$, the existence of solutions of (2) can be guaranteed under some specific conditions [25]. However, the verification of the existence and uniqueness of solutions is not the concern of this paper; for this reason, we skip the discussion on the existence and uniqueness of solutions. For more details on the existence and uniqueness of solutions of autonomous differential equations, see [28] and references therein, since once the existence and uniqueness of solutions of each subsystem of (2) are guaranteed, the existence and uniqueness of solutions of (2) are guaranteed by verifying the existence and uniqueness for each subsystem between consecutive switching instants.

III. MAIN RESULT
The idea of [1] about safety and reachability verification by means of a Barrier density is extended to nonlinear switched systems under arbitrary switching signals, and Proposition 1 is reformulated. Moreover, in the sequel, we also state under which conditions weak safe reachability results can be used to certify safe reachability of nonlinear switched systems. Now, let us define safe reachability and weak safe reachability.
Definition 1: ((Weak) safe reachability) We say that the system (2) is (weakly) safely reachable on a domain $X$ from an initial set $X_0$ to a desired set $X_r$ avoiding an unsafe set $X_u$ if, for each switching signal $\sigma \in S_{\mathrm{nonchatt}}$, there exists a $T(x) > 0$ for (almost) every initial state $x \in X_0$ such that where $\phi^\sigma_t(x)$ denotes the solution of (2) for the switching signal $\sigma \in S_{\mathrm{nonchatt}}$ and for the initial state $x$.
(Weak) safe reachability from $X_0$ to $X_r$ avoiding $X_u$ is denoted as $X_0$ $X_u$ $X_r$ (a.e.).

The following lemma is needed for the proof of Lemma 2, which is used to certify the change of volume with the change of density along the solutions of a system.
Lemma 2: [32] Assume that a set $D \subset \mathbb{R}^n$ is open, $\phi_t(x)$ is a solution of the system $\dot{x} = f(x)$ with an initial state $x$, and $f(x)$, $\rho(x)$ are continuously differentiable in $D$, and for a measurable set

Next, we will give a way for verification of safe reachability properties of nonlinear switched systems with the aid of a Barrier density which is common for each subsystem (a common Barrier density).
Theorem 1: Let $X \subset \mathbb{R}^n$ be bounded and $X_0$ be a set with positive Lebesgue measure. Assume that for the system (2), the sets $X_0 \subseteq X$, $X_u \subseteq X$ and $X_r \subseteq X$ are given and there exists a differentiable function $\rho$ in $\mathbb{R}^n$ satisfying the following properties (5c) Then, system (2) is weakly safely reachable, a.e.

Proof: Take an arbitrary switching signal $\sigma \in S_{\mathrm{nonchatt}}$. Let $\phi^\sigma_t(x)$ denote the solution of (2) for the switching signal $\sigma \in S_{\mathrm{nonchatt}}$. Let $\phi^\sigma_t(A) = \{\phi^\sigma_t(x) \mid x \in A\}$ for $t \ge 0$ be the set of solutions starting from an arbitrary set $A \subset X_0$ with positive measure. Assume that for some $T(x) > 0$, $\phi^\sigma_{T(x)}(A) \subset X_u$ and $\phi^\sigma_t(A) \subset X_r$ and $\phi^\sigma_t(A) \subset X$ for all $t \in [0, T(x)]$. Utilizing Lemma 2 between each consecutive switching instants and considering condition (5a), we obtain $\mu_\rho(\phi^\sigma_{T(x)}(A)) > \mu_\rho(A) > 0$. Therefore, there exists no set $A \subset X_0$ with positive measure such that for some for all $t > 0$. By considering Lemma 2 together with $Z \subset X_0$ from $0$ to $t$, we get $\mu_\rho(\phi^\sigma_t(Z)) > \mu_\rho(Z)$, for a fixed $t > 0$. The measure of all trajectories starting from $Z$ and lying in $X \setminus X_r$ can be computed as . Applying the condition (5b) together with Lemma 1 between each switching instants, we get $\mu_\rho(\phi^\sigma_{t_i}(Z)) > \mu_\rho(\phi^\sigma_{t_{i-1}}(Z))$, $i \in \mathbb{Z}_{>0}$. Applying this iteratively together with condition (5a), it is obtained that Combining the previous sum with (6), we get $\mu_\rho(\phi^\sigma_t(Z)) > \sum_{i=1}^{\infty} \mu_\rho(Z)$. If $\mu_\rho(Z) > 0$, we have $\mu_\rho(\phi^\sigma_t(Z)) = \infty$, which contradicts the assumption of the integrability of $\rho$ on $X$. Thus, the set $Z$ is included in a set with measure zero. Any solution which stays inside the region $X \setminus X_r$ for all $t \ge 0$ is included in a set with measure zero. For almost every initial state, the solution $\phi^\sigma_t(x)$ leaves the region $X \setminus X_r$, i.e., either it leaves the domain $X$ or it enters the region $X_r$.

From the above discussion on safety, the set of solutions whose initial states are included in a set with positive measure cannot leave $X$ since $\rho$ is negative in $X^c$, so it reaches the set $X_r$ in a finite time. To conclude, there exists a time $T(x) > 0$, for almost every initial state $x$ in the set $X_0$, such that the solution satisfies

If there exists a continuously differentiable function $\rho(x)$ on $\mathbb{R}^n$ satisfying the conditions (5a)-(5c) of Theorem 1, then we will call it a common Barrier density.
When the set of initial states and the set of undesired states satisfy certain topological properties, weak safe reachability implies safe reachability, as shown in the next corollary.
Corollary 1: Let $X \subset \mathbb{R}^n$ be bounded and $X_0$ be a set with positive Lebesgue measure. Assume that the sets $X_0$ and $X_u$ satisfy the following property: $\mathrm{Int}(X_0) = X_0$ and $\mathrm{Int}(X_u) = X_u$. If there exists a differentiable function $\rho$ in $\mathbb{R}^n$ satisfying the conditions (5a)-(5c) for a system (2) with the given sets $X_0 \subseteq X$, $X_u \subseteq X$, and $X_r \subseteq X$, then system

Proof: Recall that if a non-empty set $A$ satisfies $\mathrm{Int}(A) = A$, then for an arbitrary element $a \in A$, the intersection of any neighbourhood of $a$ with $A$ contains a non-empty open set. The conditions (5a)-(5c) of Theorem 1 are satisfied with the given sets. Thus, (2) is weakly safely reachable. Let us assume that the system is not safely reachable, namely, for an arbitrary switching signal $\sigma \in S_{\mathrm{nonchatt}}$, (2) has a solution $\phi^\sigma_t(x)$ starting with an initial state $x$ from the set $X_0$ that reaches a point $x := \phi^\sigma_{T_1(x)}(x) \in X_u$. Then, there exists a sufficiently small neighbourhood $U_x$ of $x$ and a non-empty open set $W$ such that $W \subset U_x \cap X_u$. Due to $\mathrm{Int}(X_0) = X_0$ and continuity of the flow map $\phi^\sigma_t(x)$, we can say that there exists a non-empty open set $V$ such that $V \subset (\phi^\sigma_{T_1(x)})^{-1}(W) \cap X_0$ and $\mu_\rho(V) > 0$, which contradicts the weak safety. Thus, for the given sets $X_0$ and $X_u$ the system is safe. Due to the fact that the system is weakly reachable, for almost every initial state $x$ in $X_0$ the solution of (2) reaches the set $X_r$ in a finite time. We can conclude that all solutions starting from the set $X_0$ reach the set $X_r$ due to continuous dependence of solutions on the initial state. Thus, the system is safely reachable.
Remark 2: If there is a stable fixed point of the system in $X$, it should be removed from the domain. Otherwise, $\nabla \cdot (f_p \rho) > 0$ on $X$ implies that $\rho$ is not integrable on $X$.
Remark 3: If the condition (5b) is given as $\nabla \cdot (f_p \rho) \ge 0$ for all $p = 1, 2, \ldots, N$, the safety property will still be valid: the solutions starting from $X_0$ will not reach the set $X_u$, since positivity of $\rho$ along the solutions starting in $X_0$ is still preserved. However, in this case, we cannot guarantee the reachability, since under this condition the measure of the set either increases or stays constant. To ensure reachability, one should show that the measure of a set is strictly increasing along the solutions.

IV. APPLICATION OF THE SUM OF SQUARES PROGRAMMING TO THE VERIFICATION OF SAFE REACHABILITY
In this section, we illustrate the theoretical results obtained in the previous section with the aid of an example, and we give a brief summary of SoS programming with the Putinar Positivstellensatz. The Putinar Positivstellensatz can be interpreted as follows: on a compact, semi-algebraically defined set $K = \{x \in \mathbb{R}^n \mid p_1(x) \ge 0, p_2(x) \ge 0, \ldots, p_n(x) \ge 0\}$, certifying the non-negativity of a polynomial $q$ is the same as finding a representation of $q$ in the form $q = s_0 + s_1 p_1 + s_2 p_2 + \ldots + s_n p_n$ for some sum of squares polynomials $s_0, s_1, \ldots, s_n$. Then, we can guarantee that the polynomial $q$ is non-negative on the given set. For this reason, in the example, we use SoS together with the Putinar Positivstellensatz [27] to search for a common Barrier density satisfying some non-negativity and non-positivity properties on the given sets, since the given sets are semi-algebraically defined and the vector fields are polynomials. The main advantage of using SoS with the Putinar Positivstellensatz is that it provides an algebraic formulation that is linear in the unknown SoS polynomials. In other words, certifying that a polynomial is non-negative boils down to finding a solution of a certain semi-definite programming problem.
In the example, the search of a Barrier density is done by means of SOSTOOLS, a sum of squares programming solver and SDPT3, a semi-definite programming solver.
Example 1: (Example for a common Barrier density) Let us consider a nonlinear switched system (2) with the following subsystems:

A set of initial states, a set of undesired states (unsafe set), a set of desired states (reachable set) and a domain can be defined as respectively. To ensure that almost every solution starting from $X_0$ does not leave $X$ without entering $X_r$, the following set is needed. In the sequel, it will be discussed in detail. Moreover, the set $X_d \setminus X$ can be incorporated into the conditions of Theorem 1 as a set of undesired states, i.e., by replacing the set $X^c$ in condition (5b) with $X_d \setminus X$.
Considering the above given sets, the conditions (5a)-(5c) of Theorem 1 can be converted to the following form:

The problem of finding such a function $\rho$ as a polynomial can be interpreted as looking for an SoS representation by using the Putinar Positivstellensatz on the semi-algebraically defined given sets with the polynomial vector fields.
By searching for $\rho$ as a polynomial and using the SoS algorithm together with the Putinar Positivstellensatz, we verify the safe reachability of the system by using a common Barrier density. The conditions (5a)-(5c) of Theorem 1 can be converted to an SoS algorithm with the Putinar Positivstellensatz as: where $s_i$, $i = 1, 2, \ldots, 8$, are sum of squares polynomials and $\varepsilon$ is a sufficiently small positive number. We have obtained a tenth degree polynomial $\rho$ by applying the above SoS algorithm with a tolerance $\varepsilon = 0.005$. We use such a tolerance to guarantee that the density $\rho$ is positive on $X_0$ and $\nabla \cdot (f_p \rho) > 0$ on $X \setminus X_r$. Thus, the existence of a Barrier density proves that the system is weakly safely reachable from $X_0$ to $X_r$ avoiding $X_u$. Additionally, since the given sets $X_0$ and $X_u$ satisfy the condition $\mathrm{Int}(X_0) = X_0$ and $\mathrm{Int}(X_u) = X_u$ of Corollary 1, we can say that the system is safely reachable from $X_0$ to $X_r$ avoiding $X_u$. Figure 1 is obtained by using the given subsystems with a periodic switching signal $\{(0.4, 1), (0.3, 2)\}$. The dashed curve in Figure 1 indicates where $\rho = 0$. Inside the dashed curve, where the measure of the set of solutions starting from $X_0$ is positive, the density takes positive values, and outside the curve, where the undesired states are present, the density $\rho$ takes negative values. The undesired set $X_u$ is taken as close as possible to $\rho(x) = 0$ by checking feasibility of the SoS algorithm given above.
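The Putinar representation $q = s_0 + s_1 p_1 + \ldots$ summarized at the start of this section, and the three sign conditions described above (ρ positive on $X_0$, ρ non-positive on $X_u$, $\nabla \cdot (f_p \rho) > 0$ outside $X_r$ for every subsystem), can be checked exactly once the multipliers are known. The following is an added example, not the paper's Example 1 or its SOSTOOLS code: the two subsystems, the sets, the density $1 - x^2 - y^2$ and the hand-derived constant multipliers are all constructed assumptions, and only the tolerance 0.005 is taken from the text.

```python
from fractions import Fraction as Fr

# Polynomials in (x, y) are dicts {(i, j): c}, meaning c * x**i * y**j.
def add(p, q, s=1):                                  # p + s*q, zero terms dropped
    r = dict(p)
    for k, v in q.items():
        r[k] = r.get(k, 0) + s * v
    return {k: v for k, v in r.items() if v}

def mul(p, q):
    r = {}
    for (a, b), u in p.items():
        r = add(r, {(a + c, b + d): u * v for (c, d), v in q.items()})
    return r

def diff(p, var):                                    # d/dx if var == 0, d/dy if var == 1
    d = (1, 0) if var == 0 else (0, 1)
    return {(a - d[0], b - d[1]): (a, b)[var] * u for (a, b), u in p.items() if (a, b)[var]}

def div_f_rho(f, rho):
    """Divergence of f*rho for a planar polynomial vector field f = (fx, fy)."""
    return add(diff(mul(f[0], rho), 0), diff(mul(f[1], rho), 1))

def putinar_ok(q, mults, squares):
    """Exact check that q == sum(lam_i * p_i) + sum(w_k * h_k**2) with all
    lam_i, w_k >= 0 (constant multipliers: the simplest SoS polynomials)."""
    rhs = {}
    for c, p in list(mults) + [(w, mul(h, h)) for w, h in squares]:
        if c < 0:
            return False
        rhs = add(rhs, p, c)
    return add(q, rhs, -1) == {}

def const(v):
    return {(0, 0): Fr(v)}
X, Y, ONE = {(1, 0): Fr(1)}, {(0, 1): Fr(1)}, const(1)
G = add(mul(X, X), mul(Y, Y))                        # x^2 + y^2
EPS = const("0.005")                                 # tolerance value quoted in the text
# Everything below is constructed for illustration (assumed, not from the paper).
RHO = add(ONE, G, -1)                                # candidate density 1 - x^2 - y^2
F1 = (add(Y, X, -1), add(mul(const(-1), X), Y, -1))  # f_1 = (-x + y, -x - y)
F2 = (mul(const(-1), X), mul(const(-2), Y))          # f_2 = (-x, -2y)
OUT_XR = add(G, const("0.64"), -1)                   # >= 0 outside X_r = {x^2+y^2 <= 0.64}
XC = add(X, const("0.9"), -1)                        # x - 0.9
IN_X0 = add(add(const("0.0025"), mul(XC, XC), -1), mul(Y, Y), -1)  # >= 0 on disc X_0
IN_XU = add(G, const("1.21"), -1)                    # >= 0 on X_u = {x^2+y^2 >= 1.21}

def verify_common_density():
    xm1 = add(X, ONE, -1)                            # x - 1
    d1 = add(div_f_rho(F1, RHO), EPS, -1)            # div(f_1 rho) - eps
    d2 = add(div_f_rho(F2, RHO), EPS, -1)            # div(f_2 rho) - eps
    return {
        "div_f1_pos_outside_Xr": putinar_ok(d1, [(4, OUT_XR)], [(Fr("0.555"), ONE)]),
        "div_f2_pos_outside_Xr": putinar_ok(d2, [(5, OUT_XR)], [(2, Y), (Fr("0.195"), ONE)]),
        "rho_pos_on_X0": putinar_ok(add(RHO, EPS, -1), [(10, IN_X0)],
                                    [(9, xm1), (9, Y), (Fr("0.07"), ONE)]),
        "rho_neg_on_Xu": putinar_ok(mul(const(-1), RHO), [(1, IN_XU)], [(Fr("0.21"), ONE)]),
    }
```

Because the identities are checked in rational arithmetic, a certificate returned by a numerical SDP solver can be rounded to rationals and re-validated this way, independently of solver tolerances.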

V. CONCLUSION
We have extended the idea of verification of safe reachability to switched nonlinear systems with time-dependent switching via a common Barrier density. We have shown that the safe reachability analysis can be carried out by means of SoS programming together with the Putinar Positivstellensatz.
As further work, the proposed method for the verification of the safe reachability of nonlinear switched systems can be extended to switched systems with state-dependent switching. Furthermore, the common Barrier density approach can be used for model invalidation and for detection of the faults in a nonlinear switched system.

Fig. 1. A set of solutions of the system (2) with a periodic switching signal $\{(0.4, 1), (0.3, 2)\}$, defined by the subsystems given in Example 1, which start from the boundary of the set of initial states $X_0$ and reach $X_r$ without arriving at the unsafe set $X_u$, is depicted. The conditions of Theorem 1 and Corollary 1 are satisfied. Thus, the system is safely reachable for each switching signal $\sigma \in S_{\mathrm{nonchatt}}$. In the region between the purple circle and the yellow circle, $X_d \setminus X$, $\rho$ is taken to be negative to ensure that no solution starting from $X_0$ leaves the region $X$ before entering $X_r$.