is unknown or only partially specified. The work in [ 22 ] shows how to transform a sigmoid-based neural network into an equivalent hybrid automaton, allowing state-of-the-art reachability tools to be used to verify safety properties of closed-loop systems where the controller is a neural network.

The computation of the reachable set, i.e., the set of all states that can be reached under the dynamical evolution starting from a given initial state set, is thus of particular importance in the formal verification of hybrid automata. Many approximation techniques and tools to estimate the reachable set have been proposed in the literature (see [ 28 ] for a comprehensive analysis). We recently proposed a development environment for the verification of nonlinear compositional hybrid systems, called Ariadne [ 7 ], which differs from existing tools by being based on the theory of computable analysis [ 12 ]. Such theory provides a rigorous mathematical semantics for the numerical analysis of dynamical systems, suitable for implementing formal verification algorithms. The tool has been applied mainly to the safety verification of robotic surgery tasks [ 8 ]. It also has been successfully used for dominance checking of controllers [ 6 ] and even for correct-by-construction code generation [ 9 ].

This paper discusses the ongoing work aimed at extending the dynamical model used in Ariadne to differential inclusions, based on the work of [ 33 ], in order to perform reachability analysis in the presence of noisy inputs. While the most straightforward application of differential inclusions is for modeling system uncertainty, it is worth remarking that they can be used also to support contract-based design [ 28 ]: given a complex system, we can replace the actual input of a component with an input having partially defined behaviour. The resulting decoupling of components ultimately allows to analyse subsystems in isolation, thus trading-off system complexity for precision.

Unfortunately, the introduction of differential inclusions into a nonlinear system represents a challenge in terms of controlling the quality of the computed reachable sets. Such control can be exercised using a number of precision parameters, which should be tuned dynamically for maximum effectiveness. In other words, the successful verification of a noisy system cannot disregard a thorough analysis of such precision parameters and the identification of a proper set of policies for their automated control. 2

In this Section some insight on the approach used in Ariadne is provided, in order to understand the impact of the introduction of differential inclusions. Detailed technical information on the framework can be found in [ 13 ] about functional calculus and [ 6 ] regarding the reachability routines.

Suppose we wish to verify that a safety property ϕ holds for a hybrid automaton H; i.e., that ϕ remains true for all possible executions starting from a set X0 of initial states, allowing to answer if a system operates within safe operating conditions expressed as a set. If this objective is cast as a reachability analysis problem, then it is necessary to prove that ReachSetH (X0) ⊆ Sat(ϕ), where ReachSetH (X0) is the set of states reached by H (also called the reachable set) and Sat(ϕ) is the set of states where ϕ is true. Unfortunately, the reachability problem is not decidable in general [ 3 ]. Nevertheless, formal verification methods can be applied to hybrid automata: suppose we can compute an outer approximation S¯ such that S ⊇ ReachSetH (X0). If S¯ ⊆ Sat(ϕ) holds, then also ReachSetH (X0) ⊆ Sat(ϕ) holds, i.e., the automaton ¯ H respects the property, or in other terms we proved the property. Conversely, if we can compute an inner approximation S such that S ⊆ ReachSetH (X0) that turns out to contain at least one point outside Sat(ϕ), we have proved that H does not respect the safety property ϕ, i.e., we disproved the property.

Clearly, any approximation to the reachable set is bound to the numerical precision used, hence a given quality of approximation may not allow to prove or disprove the property. Computable analysis defines the conditions to construct approximations such that if the precision is progressively increased, a sequence of approximations converging to the reachable set is obtained.

For a given precision, an approximation is obtained by identifying the reached region resulting from the evolution of the system over time. Such evolution is obtained through a sequence of continuous and discrete steps. A continuous step represents time advancement and relies on the integration of a vector field x˙ = f (x) for a chosen step size h, where f is nonlinear in general. A discrete step represents a transition, which changes the hybrid state, i.e., the pairing of the continuous state and the discrete state, without any time advancement.

Does evolution return results similar to those of simulative tools like MathWorks Simulink R ? No, because Ariadne is designed to include all the possible behaviours that result from evolving sets rather than single points. The underlying engine relies on results from interval analysis, which supports the definition of constants over intervals (among other things). Analysing a system in this case is equivalent to the simultaneous analysis of the set of singleton instances of the system, each corresponding to a distinct valuation of all constants. In particular, if a given constant represents a design parameter, parametric analysis [ 17 ] is able to identify subintervals where the constant yields optimal behaviour of the system with respect to some metrics.

Since intervals only model a set of constant behaviours, differential inclusions represent the most natural extension of the tool: by using them it is possible to analyse a system in which arbitrary variations of quantities within bounded intervals occur. The resulting over-approximation of behaviours covered by the noisy model can consequently compensate for an inaccurate system definition, which is a common problem when modelling real systems. 3

Differential inclusions (DIs) are dynamic systems of the form x˙ ∈ F (x), where F (·) is a function that gives the set of possible values for the derivatives of x. DIs generalise differential equations by having multivalued right-hand sides [ 4, 32 ]. They model systems with (bounded, non-stochastic) uncertainties. DIs can be viewed as systems with input (control or noise) in the form x˙ = f (x, v), v ∈ V ⊂ Rm, where v(·) is a measurable function [ 20 ]. If the set V of inputs is compact and separable, and f (x, V ) is continuous in x and convex for all x, the solution sets of the two systems are equivalent [ 4 ].

DIs arise in applications in engineering (e.g., robotics), physical and biological sciences in a variety of ways. They are used to model differential equations with discontinuities, by taking the closed convex hull of the right-hand side [ 15 ]. They can also be used to model systems with uncertain time-varying parameters, by replacing them with the whole set to which they could belong, as in [ 10, 30 ]. However, the most important use cases arise from the analysis of complex systems. One approach to analysis is to apply model-reduction techniques to replace a high-order system of differential equations x˙ = f (x) by a low-order system of the form z˙ = g(z) + e, where |e| ≤ represents the error introduced in simplifying the model (see [ 16 ]). Another way to analyse complex systems is to analyse separately their components. When the components depend on one another, we can decouple them by replacing an input from another component by noise varying over the range of possible values, again resulting in smaller but uncertain systems (see [ 11 ]). Note that stochastic models are not appropriate in these cases since inputs are not random.

To analyse reliably the behaviour and properties of a system, notably safety, uncertainties in the system must be taken into account when modelling, and rigorous numerical methods are necessary in order to provide guaranteed correct solutions. Designing numerical algorithms for computing solutions of DIs rigorously, efficiently and with high precision remains a point of current research. Different techniques and various types of numerical methods have been proposed in the literature. Some of the recent algorithms include ellipsoidal methods in [ 25 ], an interval Taylor-model approach in [ 26 ] and [ 10 ], Lohner-type algorithms in [ 30 ], optimal control in [ 5 ], set-based approximations to the Peano-Baker series in [ 2 ], hybrid bounding methods in [ 29 ], and a set-oriented method in [ 14 ]. However, none of these algorithms give both validated enclosures and guaranteed convergence with high-order precision for nonlinear DIs and thus are not of direct interest for comparison. We mention some closely related algorithms implemented by publicly available tools: [ 11 ] implemented within the tool Flow*, [ 31 ] implemented on top of CORA 2015, [ 21 ] implemented on top of CVODE and finally CORA 2018 (see [ 1 ]).

Our algorithm, whose initial version was presented in [ 33 ], considers a system with dynamics x˙ (t) = f (x(t), v(t)) , x(t) ∈ Rn , v(t) ∈ V ⊂ Rm (1) where f : Rn × Rm → Rn is a smooth function, V is a compact set and v(t) is a measurable function known as the disturbance input. In particular, [ 33 ] discusses how to compute the reachable set for nonlinear control systems which are input-affine, i.e., affine with respect to noisy inputs. Also, a reasonable assumption in practice is that noisy inputs are elements of a box whose vector components are intervals.

The numerical approach focuses on (a) using an auxiliary function system to account for the input during a continuous step of evolution, then (b) adding the high-order theoretical error between the given system and the auxiliary one. Such approach is formally correct since it yields an over-approximation of the reachable set. However, the higher the order desired, the greater the number of parameters for the auxiliary system required for each continuous step, which clearly affects the efficiency of the algorithm. The question remains if the auxiliary system approach yields the best trade-off between precision and efficiency for computing reachable sets. The answer is not straightforward and most likely depends on the system itself.

The work presented in [ 18 ] illustrates how we implemented the algorithm from [ 33 ] in Ariadne, by analysing a benchmark of ten systems, whose results are then compared with Flow* and CORA 2018. The paper shows the importance of higher-order methods as more accuracy was achieved with two-parameter approximations on nine out of ten systems considered. Moreover, we found that Ariadne yields tighter set bounds, as the nonlinearity increases, compared with the other tools. Although no analysis of the order of the method is given in [ 10 ], we believe that Flow* has a local error O(h2), where h is the integration step size, so the global error is intrinsically first-order. Hence a higher quality is to be expected from Ariadne, since the proposed methodology is able to achieve third-order local errors. On the other hand, our approach introduces extra parameters at each step in the representation of the evolved set, causing a growth in complexity, whereas Flow* and CORA have a fixed complexity. As a result, the computational cost increases with both the noise level and the total number of steps taken. A comparison with the state-of-the-art using a common time budget indeed suggests that Ariadne currently provides better bounds for highly nonlinear systems. 4

The presence of differential inclusions introduces additional issues and opportunities in the analysis of continuous and hybrid systems, for which we are working on several improvements and extensions to the framework: • Improve reconditioning of the set. The addition of parameters on each continuous step ultimately requires to simplify the set in order to keep the computation time reasonable. This operation necessarily introduces an additional over-approximation error which should be controlled in order to return a trajectory with acceptable quality. At the same time, adding new parameters from the uniform error allows to improve the computation of the flow set. Therefore an interesting open problem in the literature is the identification of the conditions that guarantee a given order of convergence with respect to the reconditioning policy. • Automation of accuracy parameter. A manual, fixed tuning phase at the beginning of the reachability routine has a very limited capability to identify a (sub)optimal strategy for evolution. Instead, we are exploring a reasonable approach relying on a pre-analysis of the system by point-based simulation. In this case, we drop the guarantees given by set-based evolution, in order to gain valuable local information on the system evolution in a significantly shorter verification time vs. manual refinement through multiple analyses varying the accuracy parameters. The resulting information necessarily comes with no guarantees of correctness, meaning that the obtained evolution may include spurious transitions or miss some transitions. Still, for sufficiently well-behaved dynamics this approach is able to identify reached regions where evolution is numerically critical. Given such pre-analysis of the system, preemptive policies can be enacted that tune locally numerical parameters, with the goal to trade-off precision vs. verification time. • Extension to non-input-affine inclusions and more expressive input bounds. The ability to decompose a system into several subsystems implies that we should be able to replace any variable of a differential equation with an input. Such operation may return a non-input-affine inclusion, which needs to be handled on an ad-hoc basis under our theoretical framework. Additionally, when a set of inputs represents the reachable set from another subsystem, its representation using a box introduces an excessive over-approximation. To address this issue, we are exploring the extension to polytope/zonotope bounds with nonlinear constraints.

Summarising, dealing with noisy nonlinear systems requires both local and global strategies in order to allow evolution to progress with bounded over-approximation error and reasonable efficiency of computation. Future work will focus on improving such strategies and on extending the tool to handle more general differential inclusions, with the overall objective of providing an automated way of analysing large-scale hybrid systems.