Abstraction of Dynamical Systems by Timed Automata

Rafael Wisniewski (Section of Automation & Control, Aalborg University, Denmark, raf@es.aau.dk) and Christoffer Sloth (Department of Computer Science, Aalborg University, Denmark, csloth@cs.aau.dk)

Published in: Modeling, Identification and Control (Online Edition). DOI: 10.4173/mic.2011.2.3. Publication date: 2011. Document version: early version, also known as pre-print.

Citation for published version (APA): Wisniewski, R., & Sloth, C. (2011). Abstraction of Dynamical Systems by Timed Automata. Modeling, Identification and Control (Online Edition), 32(2), 79-90. 10.4173/mic.2011.2.3


Introduction
Verifying that a dynamical system satisfies a specification is a complicated but inevitable part of designing a system. Frequently, the verification cannot be conducted by simulation, since an exhaustive simulation of all initial conditions, disturbances, etc., is not possible. However, formal verification methods can be applied to a dynamical system if a finite combinatorial abstraction can be devised. Apart from automating the verification process, formal verification methods provide answers to entirely new types of questions in control engineering. A few examples are:
• Do all solutions of the dynamical system, initialized in a subset X_0 of the state space, reach the set of goal states X_goal?
• Do all solutions of the dynamical system, initialized in X_0, reach X_goal within 5 s?
• Does there exist a solution of the dynamical system, initialized in X_0, that passes through the unsafe states X_unsafe?
In particular, the verification of system properties such as safety is based on reachability calculation or its approximation. The exact reachable sets of continuous and hybrid systems are in general incomputable, Asarin et al. (2006). Therefore, much research effort has been made on the approximation of reachable sets, especially for continuous systems, Guéguen et al. (2009). Yet, reachability is decidable for system models given by automata and timed automata; consequently, there exists a rich set of tools aimed at verifying properties of such systems, e.g., Uppaal, see Behrmann et al. (2004).
There are essentially two methods for verifying dynamical and hybrid systems, Guéguen et al. (2009). The first method is to over-approximate the reachable states of a system by sets such as ellipsoids, cubes, and simplexes. This is accomplished in Kurzhanski and Vályi (1997) using ellipsoids, in Girard (2005) using zonotopes, and in Mitchell et al. (2005) using level sets of the Hamilton-Jacobi-Isaacs partial differential equation. The other method is to abstract a system by a model of reduced complexity which preserves crucial dynamical properties of the original system. This is accomplished in Maler and Batt (2008) for continuous systems, and in Tiwari (2008) for hybrid systems. Both methods rely on explicit calculation of reachable sets of the continuous dynamics, which is the main source of complexity in the verification procedure, Guéguen et al. (2009).
In this paper, we provide a method for abstracting dynamical systems by timed automata. This method is based on partitioning the state space using level sets of Lyapunov functions; hence, the partitioning is conducted according to the dynamics of the system, as in Tiwari (2008); Prajna (2006). This allows the resulting combinatorial model to be relatively small. Contrary to Tiwari (2008); Prajna (2006), we generate a timed model, which enables the verification of timed temporal-logic specifications, Alur et al. (1990). Additionally, in contrast to Frehse (2005), the proposed abstraction procedure does not use solutions to the system equations or any kind of simulation. Furthermore, the proposed method permits a parallel composition, which is vital for the verification of high-dimensional systems.
This paper is organized as follows. Section 2 recalls definitions from dynamical systems. Section 3 presents the notion of a timed automaton, its definition, and its properties. Section 4 presents the proposed abstraction procedure along with its properties. An example in Section 5 demonstrates this procedure. Finally, Section 6 comprises the conclusions.

Dynamical Systems
Let E denote the Euclidean space R^n with the standard scalar product ⟨x, y⟩ = x^T y. Occasionally, we will indicate the dimension of E by writing E^n. We address the verification problem of an autonomous dynamical system Γ = (X, ξ), where X ⊂ E is a state space, which will be specified later in this article, and ξ : E → E is a continuous, locally Lipschitz vector field. We denote the set of critical points of ξ by Cr(ξ) ≡ {x ∈ E | ξ(x) = 0}. For an ordinary differential equation (1), the flow Φ_Γ(t, x) is defined for all t ∈ [0, ]. In other words, Φ_Γ(t, x) is the solution of (1) from an initial state x in a set of initial states X_0 ⊆ X and for time t ∈ [0, ]. Given a system Γ = (X, ξ), a set R ⊆ X is said to be positively invariant if for all x ∈ R and for all t ∈ R_+ (the set of nonnegative reals)
In particular, the above definition implies that Φ_Γ is defined for all x ∈ R and for all nonnegative time t.
In this article, we will often use the following notation.
For a map f : A → B, and a subset C
Invariant sets play a crucial role in this work. Indeed, we will use the observation that if the set of initial conditions and the goal set are subsets of a positively invariant set, and the unsafe states are in its complement, then the system is safe; that is, no trajectory enters the unsafe set. This situation is illustrated in Figure 1.

Figure 1: The set of initial states and the goal set are subsets of a positively invariant set, whereas the unsafe states are in its complement.
Besides invariant sets, reachable sets are also instrumental for verification.
Definition 1 (Reachable Set of Dynamical System) The reachable states of a system Γ from a set of initial states X_0 ⊆ X on the time interval [t_1, t_2] are defined as
Thus, the reachable set of X_0 on the time interval [t_1, t_2] consists of all those points p for which there exists a flow line (a trajectory) connecting the set X_0 with p in a time t in the interval [t_1, t_2].

Timed Automata
In the sequel, we will abstract dynamical systems by timed automata. A timed automaton consists of discrete locations, transitions between locations, which are labeled by actions, and clocks, which may be reset to zero whenever a transition takes place. A timed automaton is illustrated in Figure 2. The locations are denoted by p and q, where the initial location is p; there are two clocks denoted by c and d, and actions designated by α, β, and γ. The transition between locations p and q may take place whenever the clock d < 4 and must take place before the clock c ≥ 8. Once this transition occurs, the clock c resets to 0.

Figure 2: The transition between the locations p and q with the label α may take place whenever the clock d < 4 and must take place before the clock c ≥ 8. Once this transition occurs, the clock c resets to 0.

We follow Alur and Dill (1994) and define a timed automaton as follows. A set of diagonal-free clock constraints Ψ(C) for the set C of clocks contains all invariants and guards of the timed automaton. Consequently, it is described by the following grammar
where c ∈ C, k ∈ R_+, and the comparison operator is one of {≤, <, =, >, ≥}.
Note that the clock constant k should usually be a rational number, but in this paper no effort is made to convert the clock constraints into rational numbers. However, any real number can be approximated by a rational number with an arbitrarily small error.
Definition 2 (Timed Automaton) A timed automaton A is a tuple (E, E_0, C, Σ, I, ∆), where
• E is a finite set of locations, and E_0 ⊆ E is the set of initial locations.
• C is a finite set of clocks.
• Σ is the input alphabet.
• I : E → Ψ(C) assigns invariants to locations, where Ψ(C) is the set of all clock constraints in (5).
• ∆ ⊆ E × Ψ(C) × Σ × 2^C × E is a finite set of transition relations. A transition relation is a tuple (e, G_{e→e'}, σ, R_{e→e'}, e') which assigns an edge between two locations, where e is the source location, e' is the destination location, G_{e→e'} ∈ Ψ(C) is the guard set, σ is a symbol in the alphabet Σ, and R_{e→e'} ⊆ C is a subset of clocks (those reset when the transition is taken).
To define the semantics of a timed automaton, we adopt the notion of clock valuation Fahrenberg et al. (2010).
Definition 3 (Clock Valuation) A clock valuation on a set of clocks C is a mapping v : C → R_+. The initial valuation v_0 is given by v_0(c) = 0 for all c ∈ C. For a valuation v, d ∈ R_+, and R ⊆ C, the valuations v + d and v[R] are defined as
We shall denote the set of maps v : C → R_+ by R_+^C. This notation indicates that we identify a valuation v with C-tuples of nonnegative reals in R_+^{#C}, where #C is the number of elements in C. Notice also that this notation is consistent with 2^C denoting the set of subsets of C. Indeed, if 2 denotes the set consisting of two elements, say {0, 1}, then e ∈ 2^C is identified with e^{-1}(1) ⊆ C.

Definition 4 (Semantics of Clock Constraint)
For convenience we denote v ∈ ψ by v |= ψ.

Definition 5 (Semantics of Timed Automaton)
The semantics of a timed automaton A = (E, E_0, C, Σ, I, ∆) is
and T_s ∪ T_d is the union of the following sets of transitions
Hence, the semantics of a timed automaton is a transition system that comprises an infinite number of states, the product of E and R_+^C, and two types of transitions: the transition set T_s between discrete states, with possibly a reset of the clocks belonging to a subset R_{e→e'}, and the transition set T_d, which corresponds to time passing within the invariant I(e).
The analog to the solution (2) of an autonomous differential equation (1) is a run of a timed automaton, which is defined below.
Definition 6 (Run of Timed Automaton) A run of a timed automaton A (with semantics A) is a possibly infinite sequence of alternations between time steps and discrete steps of the following form
where d_i ∈ R_+ and σ_i ∈ Σ.
In Definition 6, by forcing the alternation of time and discrete steps, the time step d_i is the maximal time step between the discrete steps σ_{i−1} and σ_i.
Example 1 This example clarifies the semantics of an automaton. A timed automaton with two locations and two clocks is illustrated in Figure 2. All runs of the timed automaton start in the location p, and the initial valuation of all clocks is zero. Furthermore, the time between an action α (a transition decorated by the label α) and an action β is 5 time units. There are infinitely many different runs of the timed automaton, and a few examples are
A vital object for studying the behavior of any dynamical system is its trajectory. For this purpose, we have already defined a run of A in Definition 6; however, a trajectory, see Definition 7, is more convenient for the study of the continuous behavior of a timed automaton. At the outset, we bring in the concept of a time domain.
In the following, we denote sets of the form {a, ..., k}
corresponding to a time domain will be called a switching sequence.
We define two projections π_1 :
• γ : T_k → S is continuous and satisfies:
We define a discrete counterpart of the flow map.

Definition 8 (Flow Map of Timed Automaton)
The flow map of a timed automaton A (with semantics A) is a multivalued map
It will be instrumental to define a discrete flow map which forgets the valuation of the clocks.

Example 2 (Continuation of Example 1) In this example, the time domain T_k and the trajectory of Run 1 in Example 1 are elucidated. The time domain is
From the time domain it is seen that there are three discrete switches and the total time of the run is 6 time units. The trajectory of the run is shown in Figure 3. To visualize the trajectory, the valuation of the clock c is illustrated by a blue line and the valuation of the clock d by a red dashed line. Furthermore, the location which the system is in at a given time is indicated by its name.
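An added example, not code from the paper, that replays runs through the semantics of Definitions 3 to 6 and computes the switching times underlying the time domain of Definition 7. The automaton is built in the shape of Figure 2 (locations p and q, clocks c and d, the α edge with guard d < 4, invariant c ≤ 8 in p and reset of c); the β and γ edges and the invariant of q are assumptions chosen so that α and β are 5 time units apart, as in Example 1.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Valuation = Dict[str, float]                # v : C -> R+  (Definition 3)
Constraint = Callable[[Valuation], bool]    # psi in Psi(C); v |= psi means psi(v) is True

def advance(v: Valuation, d: float) -> Valuation:
    """v + d: every clock advances by the delay d."""
    return {c: x + d for c, x in v.items()}

def reset(v: Valuation, clocks: FrozenSet[str]) -> Valuation:
    """v[R]: the clocks in R are set to zero, the others keep their value."""
    return {c: (0.0 if c in clocks else x) for c, x in v.items()}

@dataclass(frozen=True)
class Edge:                      # (e, G_{e->e'}, sigma, R_{e->e'}, e') of Definition 2
    src: str
    guard: Constraint
    label: str
    resets: FrozenSet[str]
    dst: str

@dataclass
class TimedAutomaton:
    initial: str                            # a single initial location
    clocks: Tuple[str, ...]
    invariant: Dict[str, Constraint]        # I : E -> Psi(C)
    edges: Tuple[Edge, ...]                 # the transition relations Delta

Run = List[Tuple[float, str]]   # (d_0, sigma_0), (d_1, sigma_1), ... as in Definition 6

def run_is_valid(ta: TimedAutomaton, run: Run) -> bool:
    """Replay a run from (initial location, v_0) through the semantics of Definition 5.

    A time step d_i is a transition in T_d: the invariant of the current location has
    to hold during the whole delay.  A constraint from grammar (5) is a conjunction of
    bounds on single clocks, so its set of valuations is convex and checking the two
    end points v and v + d_i suffices.  A discrete step sigma_i is a transition in T_s:
    an edge with that label must leave the current location, its guard must hold, and
    after the reset the invariant of the target location must hold.
    """
    loc, v = ta.initial, {c: 0.0 for c in ta.clocks}
    for delay, label in run:
        if delay < 0 or not ta.invariant[loc](v):
            return False
        v = advance(v, delay)
        if not ta.invariant[loc](v):
            return False
        for e in ta.edges:
            if e.src == loc and e.label == label and e.guard(v):
                after = reset(v, e.resets)
                if ta.invariant[e.dst](after):
                    loc, v = e.dst, after
                    break
        else:
            return False
    return True

def switch_times(run: Run) -> List[float]:
    """Absolute times t_1 <= t_2 <= ... of the discrete switches of a run, i.e. the
    switching sequence underlying the time domain of Definition 7."""
    times, t = [], 0.0
    for delay, _ in run:
        t += delay
        times.append(t)
    return times

# Constructed automaton in the shape of Figure 2.  From the text: p is initial, the
# alpha edge p -> q is enabled while d < 4, p has invariant c <= 8 and alpha resets c.
# Assumed: q has invariant c <= 5 and beta (q -> p) is guarded by c >= 5, so beta
# happens exactly 5 time units after alpha as in Example 1; gamma is a self-loop on p.
FIG2 = TimedAutomaton(
    initial="p",
    clocks=("c", "d"),
    invariant={"p": lambda v: v["c"] <= 8, "q": lambda v: v["c"] <= 5},
    edges=(
        Edge("p", lambda v: v["d"] < 4, "alpha", frozenset({"c"}), "q"),
        Edge("q", lambda v: v["c"] >= 5, "beta", frozenset({"c"}), "p"),
        Edge("p", lambda v: v["d"] >= 4, "gamma", frozenset({"d"}), "p"),
    ),
)

if __name__ == "__main__":
    run = [(1.0, "alpha"), (5.0, "beta"), (0.0, "gamma")]
    print(run_is_valid(FIG2, run), switch_times(run))   # True [1.0, 6.0, 6.0]
```

The rejected runs in the test below show the two ways a run of Figure 2 can fail: a guard that does not hold when the action is attempted, and an invariant that is left by waiting too long.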
As for a dynamical system, equipped with the notion of the discrete flow map, we define a reachable set.
Definition 9 (Reachable Set of Timed Automaton) The reachable locations of a system A from a set of initial locations E_0 ⊆ E on the time interval [t_1, t_2] are defined as
Thus far, we have avoided any explanation of the role of labels in a timed automaton. In fact, the meaning of labeling first becomes apparent in a network of agents, where each agent is modeled as a timed automaton. Then the transitions of two automata with the same labels can be synchronized. We adopt the definition of the product of timed automata from Alur (1999).
• ∆ ⊆ E × Ψ(C) × Σ × 2^C × E is defined by
1. For every σ ∈ Σ_1 ∪ Σ_2, for every (e_1, G_1, σ, R_1, f_1) ∈ ∆_1 and for every (e_2, G_2, σ, R_2, f_2) ∈ ∆_2, ((e_1, e_2), G_1 ∧ G_2, σ, R_1 ∪ R_2, (f_1, f_2)) ∈ ∆.
In Section 4, we will use the notion of an isomorphism of timed automata. We say that two automata are isomorphic if they differ merely by the names of their states. Our final remark concerns the reachability problem of timed automata. For a given timed automaton A, a set of terminal locations F, and a time interval [t_1, t_2], we ask whether Φ_A([t_1, t_2], E_0) ∩ F is nonempty. Nonetheless, to study reachability by combinatorial methods such as formal verification methods, the set of states of the semantics of A must be finite. At the same time, the choice of clock constraints indicates that it is only possible to determine whether the clocks are equal to, less than, or greater than each other. Consequently, Alur (1999) introduces the concept of a region automaton. In this work, we explain this abstraction geometrically. In short, the set R_+^C is partitioned by a complex K consisting of all the faces of the
Figure 4 illustrates the partitioning for two clocks.

Abstractions of Dynamical Systems
In this section, we develop the concept of an abstraction of the dynamical system Γ. It consists of a finite number
To the partitioning E, we associate an abstraction function, which to each point in the state space associates the cells that this point belongs to.
Definition 12 (Abstraction Function) Let E ≡ {e_λ | λ ∈ Λ} be a finite partition of the state space X ⊆ E. An abstraction function for E is the multivalued function defined by
At last, we are able to formulate the objectives of this work rigorously. For a given dynamical system Γ, we want to simultaneously devise a partitioning E of the state space X and create a timed automaton A with locations E such that
1. The abstraction is sound on an interval [t_1, t_2]:
2. The abstraction is complete on an interval [t_1, t_2]:
Figure 5 illustrates the reachable set of a dynamical system, along with the reachable sets of a sound abstraction (left) and a complete abstraction (right).

Partitioning the State Space
This subsection presents the proposed partitioning. The cells of the partition are generated by intersections of sublevel sets of functions. To generate sound and complete abstractions, we use functions whose sublevel sets are positively invariant. We call such functions partitioning functions.

Figure 5: Reachable set of a dynamical system (shaded area), and reachable sets of automata (cells within bold lines). In the left figure, the reachable set of the automaton includes more cells than the ones reached by the dynamical system, i.e., the abstraction is sound. In the right figure, the reachable set of the automaton includes only the cells that are reached by the dynamical system, i.e., the abstraction is complete.

To this end, we define a slice as the set difference of invariant sets.

Definition 13 (Slice) A nonempty set S is a slice if there exist two open sets A_1 and A_2 such that
1. A_1 and A_2 are positively invariant,
2. A_1 is a proper subset of A_2, and
3. S = cl(A_2 \ A_1).
Since A_1 and A_2 are positively invariant sets, a trajectory initialized in S can propagate to A_1, but a solution initialized in A_1 cannot propagate to S. This implies that, via these invariants, we can to some extent study the possible trajectories of a dynamical system. We adopt the convention that ∅ is a positively invariant set of any dynamical system.

Example 3 Consider two second order dynamical systems
Hence, A 1 and A 2 are positively invariant sets for Γ 1 . Therefore, S = cl(A 2 \A 1 ) = cl(D) is a slice. For Γ 2 , let A 1 = E\cl(D) and A 2 = E. In like fashion, A 1 and A 2 are positively invariant sets for Γ 2 , and S = cl(A 2 \A 1 ) = cl(D) is a slice.
To devise a partition of a state space, we need to define finite collections of slices. These collections are called slice-families.

Definition 14 (Slice-Family) Let A_0 ⊂ A_1 ⊂ ··· ⊂ A_k be a collection of positively invariant sets of a dynamical system Γ = (X, ξ) with X ⊆ A_k. We say that the collection is a slice-family generated by the sets {A_i | i = 1, ..., k}, or just a slice-family.
We associate a function to each slice-family S to provide a simple way of describing the boundary of a slice. Such a function is called a partitioning function.
Definition 15 (Partitioning Function) Let S be a slice-family generated by the sets {A_i | i = 1, ..., k}. Then a continuous function ϕ : E → R, smooth on E \ Cr(ξ), is a partitioning function for S if there is a sequence
We remark that, by the regular level set theorem, for a_i ∈ R the boundary ϕ^{-1}(a_i) of A_i is an embedded smooth submanifold of E of co-dimension 1, Tu (2008).
As stated in the beginning of the section, we will create cells that cover the entire state space. They are obtained by intersecting slices. To ensure robustness of the partition, it is important that the slices intersect transversally. The robustness of a transversal intersection is readily seen from the definition of transversal intersection Hirsch (1976).

Definition 16 (Transversal Intersection)
Suppose that N_1 and N_2 are embedded submanifolds of M. We say that N_1 intersects N_2 transversally if, whenever p ∈ N_1 ∩ N_2, we have T_p(N_1) + T_p(N_2) = T_p(M). (The sum is not direct, just the set of sums of vectors, one from each of the two subspaces of the tangent space T_p(M).)
The left subplot of Figure 6 illustrates level sets of two partitioning functions (hence two embedded submanifolds of E^2). They intersect at the point p, and their tangents (black lines) are identical. This implies that their tangent vectors only span one dimension at p, i.e., T_p(N_1) + T_p(N_2) ≠ T_p(M). Therefore, this intersection is not transversal. Note that with an arbitrarily small perturbation, the intersection of the two level sets will be empty (this perturbation is given by a smooth map, see Theorem 2.1 in Hirsch (1976)). Therefore, this partition is not robust. In the right subplot of Figure 6, two level sets intersecting at the point p are illustrated. Their tangent vectors (black lines) span E^2, i.e., the level sets intersect transversally. Note that two manifolds that do not intersect are also transversal.

Figure 6: The left subplot shows an intersection that is not transversal, whereas the right subplot shows a transversal intersection of two level sets.
We define a transversal intersection of slices as follows.

Definition 17 (Transversal Intersection of Slices)
We say that the slices S 1 and S 2 intersect each other transversally and write if their boundaries, bd(S 1 ) and bd(S 2 ), intersect each other transversally.
Cells are generated via intersecting slices. We denote cardinality (number of elements) of a finite set S by |S|.
Definition 18 (Extended Cell) Let S = {S^i | i ∈ {1, ..., k}} be a collection of k slice-families and let G(S) ≡ {1, ..., |S^1|} × ··· × {1, ..., |S^k|} ⊂ N^k. Denote the j-th slice in S^i by S^i_j and let g ∈ G(S). Then
where g_i is the i-th component of the vector g. Any nonempty set e_{ex,g} is called an extended cell of S.
The cells in (13) are called extended cells, since the transversal intersection of slices may form multiple disjoint sets in the state space. It is desirable to have cells which are connected. Therefore, the following is defined.
Definition 19 (Cell) A cell of S is a connected component of an extended cell of S:
⋃_h e_(g,h) = e_{ex,g},

where e_(g,h) ∩ e_(g,h') = ∅ for all h ≠ h'. (14b)
Example 4 This example illustrates the concepts of extended cells and cells. Figure 7 shows a partition of a two-dimensional state space generated by two slice-families. The intersection of a slice from each slice-family is an extended cell. The shaded area indicates an extended cell that consists of four connected components. Each connected component is a cell. The extended cell is generated by intersecting slices from two slice-families. The red lines are the boundaries of the slice from the first slice-family; accordingly, the green lines are the boundaries of the slice from the second slice-family.
A finite partition based on the transversal intersection of slices is defined in the following.
Definition 20 (Finite Partition) Let S be a collection of slice-families, S = {S i |i ∈ {1, . . . , k}}. We define a finite partition E(S) by if and only if e is a cell of S.
We propose to use Lyapunov functions as partitioning functions to obtain robustness of the partition. The robustness is secured since the vector field is transversal to the boundaries of the cells. This implies that there exists an arbitrarily small perturbation of the vector field such that it is still transversal to the boundaries of the cells. The following definition of a Lyapunov function originates from Meyer (1968).
Definition 21 (Lyapunov Function) Let X be an open connected subset of E^n. Suppose ξ : X → E^n is continuous, and recall that Cr(ξ) denotes the set of critical points of ξ. Then a real, non-degenerate (see (Matsumoto, 2002, p. 1)), differentiable function ϕ : X → R is said to be a Lyapunov function for ξ if p is a critical point of ξ ⇔ p is a critical point of ϕ, and there exist α > 0 and an open neighborhood of each critical point p ∈ Cr(ξ) where
Notice that we only require the vector field to be transversal to the level curves of a Lyapunov function ϕ, i.e., ϕ̇(x) = ⟨∇ϕ(x), ξ(x)⟩ < 0 for all x ∈ X \ Cr(ξ); we do not use Lyapunov functions in the usual sense, where the existence of a Lyapunov function implies stability, but the more general notion from Meyer (1968). Assume that a Lyapunov function ϕ(x) is positive definite; then its sublevel sets are positively invariant. A partitioning function ϕ^i for a slice-family S^i that is Lyapunov will be called a Lyapunov function for S^i.

Generation of Abstraction
This subsection explains how a timed automaton A is generated from a finite partition E(S) of the state space of a system Γ = (X, ξ).
This means that a location e_(g,h) is identified with the cell e_(g,h) = α^{-1}_{E(S)}({e_(g,h)}) of the partition E(S), see Definition 12.
• Invariants: In each location e_(g,h), we impose an invariant
• Transition relations: If a pair of locations e_(g,h) and e_(g',h') satisfies the following two conditions
1. e_(g,h) and e_(g',h') are adjacent, that is e_(g,h) ∩ e_(g',h') ≠ ∅, and
2. g'_i ≤ g_i for all i ∈ {1, ..., k},
then there is a transition relation
Note that g_i − g'_i = 1 whenever a transition labeled σ_i is taken.
The semantics of (t̲^i_{g_i}, t̄^i_{g_i}) ∈ T is the pair of a lower and an upper bound on the time for any trajectory to traverse the slice S^i_{g_i}. If the set S is a singleton, i.e., S = {S^1}, then by slightly abusing the notation we write A(S^1, (t̲, t̄)) instead of A({S^1}, {(t̲, t̄)}).
Definition 23 A timed automaton A_ex(S, T) has locations given by
where a location e_{ex,g} ∈ E_ex(S) is associated with the extended cell e_{ex,g} generated by the slice-family S; hence, e_{ex,g} = α^{-1}_{E_ex(S)}({e_{ex,g}}).

Properties of the Abstraction
In this subsection, we present some compositionality results, which enable verification of high-dimensional systems. Furthermore, sufficient conditions for soundness and completeness are presented. Proofs of the propositions presented in this subsection can be found in Sloth and Wisniewski (2011).
For a collection S = {S^i | i ∈ {1, ..., k}} of slice-families, a product of the timed automata A(S^i) for i ∈ {1, ..., k} is similar to the intersection of slices in the slice-families S^i. Therefore, the intersection of slices should be nonempty for the locations of the timed automaton A_ex(S) to be such a product, as stated in Proposition 1.
Then A_ex(S, T) is isomorphic to the product of k timed automata,
The property that A_ex(S, T) is isomorphic to the product of k timed automata is of paramount importance for computations, since it allows parallel verification of the k timed automata, each with only one clock. Furthermore, it makes it possible to sequentially add slice-families to the abstraction, and to replace and refine slice-families to improve the accuracy of the abstraction.
The product of timed automata also allows the sequential verification of the abstraction. We show this in terms of safety in the following.
Corollary 1 Suppose the premises of Proposition 1 hold. If the timed automaton
is safe for some j ∈ {1, ..., k}, then A_ex(S, T) is also safe.
Sufficient conditions for soundness and completeness of an abstraction are formulated in the following.
where ϕ̇^i(x) is defined as in (16a). Then the timed automaton A(S, T) is a sound abstraction of the system Γ = (X, ξ).
The sufficient condition states that the abstraction is sound if t̲^i_{g_i} is less than or equal to the time it takes to traverse S^i_{g_i} while maintaining a constant speed equal to the largest possible speed within S^i_{g_i}. Similarly, t̄^i_{g_i} must be greater than or equal to the time it takes to traverse S^i_{g_i} while maintaining a constant speed equal to the smallest possible speed within S^i_{g_i}.
Proposition 3 (Suff. Cond. for Completeness) Let S = {S^i | i ∈ {1, ..., k}} be a collection of slice-families, and let
If the following two conditions are satisfied
1. for any g ∈ G(S) (recall the definition of G(S) from Definition 18) with g_i ≥ 2 there exists a time t^i_{g_i} such that for all
and
, ..., k}, g_i ∈ {1, ..., |S^i|}} is a complete abstraction of Γ.
Equation (25) states that it takes the time t^i_{g_i} for all trajectories of Γ to propagate from (ϕ^i)^{-1}(a^i_{g_i}) to (ϕ^i)^{-1}(a^i_{g_i−1}) (i.e., t^i_{g_i} is the time to traverse the slice S^i_{g_i}). If, in addition, the time bounds for both the invariant and the guard conditions are the same (i.e., t̲^i_{g_i} = t̄^i_{g_i} = t^i_{g_i}), then the abstraction is complete. Recall that t̄ is used for invariants, while t̲ is used for guard conditions. Proposition 3 is difficult to use for generating partitioning functions. Therefore, the following proposition gives a sufficient condition for satisfying (25), based on the partitioning functions themselves.
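As an added example (not code from the paper), the construction of Definition 22 and the soundness condition of Proposition 2 carried out for one slice-family, together with the reachability question of Definition 9 on the resulting one-clock automaton. The system is a constructed decoupled linear system ẋ_j = −λ_j x_j on E^2 with the quadratic Lyapunov function ϕ(x) = x^T x; since the inequalities of Proposition 2 are not reproduced on the page, the bounds are computed as the level difference divided by the largest or smallest speed |ϕ̇| in the slice, which is the reading of the condition given in the text above.

```python
import math
from typing import Dict, List, Tuple

# Constructed system: x_j' = -lam_j x_j on E^2 with partitioning function phi(x) = x^T x.
# Along the flow phi_dot(x) = <grad phi(x), xi(x)> = -2 sum_j lam_j x_j^2, so the rate
# -phi_dot/phi lies in [2 min lam, 2 max lam] everywhere, which gives closed-form speeds.
RATES = (1.0, 2.0)
# Levels a_0 < a_1 < ... < a_k; A_g = {x | phi(x) < a_g} and slice S_g = cl(A_g \ A_{g-1}).
LEVELS = (0.0, 1.0, 4.0, 16.0)

Bounds = Dict[int, Tuple[float, float]]   # slice index g -> (t_lower_g, t_upper_g)

def speed_bounds(rates, a_lo: float, a_hi: float) -> Tuple[float, float]:
    """Smallest and largest |phi_dot| on the slice {a_lo <= phi <= a_hi} of this system."""
    return 2 * min(rates) * a_lo, 2 * max(rates) * a_hi

def time_bounds(rates, levels) -> Bounds:
    """The set T of Definition 22: bounds on the time a trajectory needs to cross a slice.
    Lower bound = level difference / largest speed in the slice, upper bound = level
    difference / smallest speed (the reading of Proposition 2 given in the text).  The
    innermost slice contains the equilibrium (smallest speed 0), so it gets no finite
    upper bound: its location carries no invariant and trajectories may stay forever."""
    out = {}
    for g in range(1, len(levels)):
        diff = levels[g] - levels[g - 1]
        s_min, s_max = speed_bounds(rates, levels[g - 1], levels[g])
        out[g] = (diff / s_max, diff / s_min if s_min > 0 else math.inf)
    return out

def build_automaton(levels, T: Bounds):
    """Definition 22 for one slice-family: one location per slice and one clock c.
    Location g has invariant c <= t_upper_g; the edge g -> g-1 is labelled sigma, is
    guarded by c >= t_lower_g and resets c (phi decreases, so g' <= g and g - g' = 1)."""
    locations = list(range(1, len(levels)))
    invariant = {g: ("c<=", T[g][1]) for g in locations}
    edges = [(g, ("c>=", T[g][0]), "sigma", frozenset({"c"}), g - 1)
             for g in locations if g >= 2]
    return locations, invariant, edges

def reachable_locations(T: Bounds, g0: int, t1: float, t2: float) -> List[int]:
    """Phi_A([t1, t2], {g0}) of Definition 9 on the chain built above.  Every switch
    resets the only clock, so a run spends between t_lower_g and t_upper_g time units
    in location g.  Walking inward from g0, a run enters g no earlier than the sum of
    the lower bounds of the slices above it and leaves g no later than the sum of the
    upper bounds of g and the slices above it; g is reached on [t1, t2] if the two
    intervals overlap."""
    reached, earliest_entry, latest_exit = [], 0.0, 0.0
    for g in range(g0, 0, -1):
        latest_exit += T[g][1]
        if earliest_entry <= t2 and latest_exit >= t1:
            reached.append(g)
        earliest_entry += T[g][0]
    return reached

def slices_of(levels, value: float) -> List[int]:
    """Abstraction function of Definition 12 for one slice-family: the (closed) slices
    containing a point with phi(x) = value; a boundary point belongs to two slices."""
    return [g for g in range(1, len(levels)) if levels[g - 1] <= value <= levels[g]]

def exact_traversal_time(lam: float, a_lo: float, a_hi: float) -> float:
    """On the j-th axis phi(t) = phi(0) exp(-2 lam t), so the time from level a_hi down
    to level a_lo is ln(a_hi / a_lo) / (2 lam)."""
    return math.log(a_hi / a_lo) / (2 * lam)

def sound_on_axis_trajectories(rates, levels, T: Bounds) -> bool:
    """Check the conclusion of Proposition 2 on the axis trajectories: every exact
    crossing time of a slice g >= 2 must lie inside [t_lower_g, t_upper_g]."""
    for g in range(2, len(levels)):
        for lam in rates:
            t = exact_traversal_time(lam, levels[g - 1], levels[g])
            if not (T[g][0] <= t <= T[g][1]):
                return False
    return True

if __name__ == "__main__":
    T = time_bounds(RATES, LEVELS)
    print(build_automaton(LEVELS, T))
    print(reachable_locations(T, 3, 2.0, 3.0))   # [2, 1]: the outer slice is left by t = 2
```

The last call answers a question of the kind posed in the introduction (which cells can still be occupied 2 to 3 time units after starting in the outer slice) by reading the timed automaton alone, without solving the differential equation.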

Illustrative Example
To illustrate the use of the developed abstraction method, an example is provided. It demonstrates what type of questions can be answered using the proposed abstraction.
In the example, we consider a simple dynamical system but a quite complicated specification. The system is given by the following third-order differential equation ẋ
Subsequently, we check whether the system satisfies the following specification, illustrated in Figure 8: Do all trajectories of the system (28) initialized in X_0 (blue box)
• avoid the unsafe region (red box), and
• reach the goal set (green box) within 10 s and stay there?
To verify this specification, we partition the state space using three quadratic Lyapunov functions ϕ^i(x) = x^T P_i x, for i ∈ {1, 2, 3}, and
The figure does not show the partition, but both the requirements and some trajectories of (28) are depicted. The analysis of the resulting timed automaton has shown that the specification is satisfied, as no trajectories reach the red box, and all trajectories reach the green box after 7.7 s. This also agrees with the simulated trajectories shown in Figure 8.

Conclusions
We have presented a method for abstracting autonomous dynamical systems by timed automata. The method is based on partitioning the state space using positively invariant sets, which are generated by sublevel sets of a family of Lyapunov functions. The proposed method enables formal verification of reachability and timing requirements of a dynamical system. This is done by model checking of the generated timed automaton. The abstraction method is compositional, in the sense that an abstraction of a high-dimensional system can be generated as a product of timed automata, each having one clock. This improves the scalability of the method. Furthermore, sufficient conditions for sound and complete abstractions have been presented. These conditions indicate how well the behavior of the abstraction resembles the dynamical system. Finally, an example has been provided to illustrate a specification that can be verified using the proposed abstraction method.

Figure 8: The blue box illustrates the initial states of the system, the red box illustrates the unsafe states, and the green box illustrates the goal states. A set of system trajectories is drawn with black lines.