Suppose that we are given a dynamical system of the form , where is the state trajectory, and is a known vector field . Suppose further that we are given an initial set , and an unsafe set .
If there exists a state trajectory with initial condition such that for some , we say that the system is unsafe. An example of an unsafe system is depicted below
If there exists no state trajectory with initial condition such that for some , we say that the system is safe. Note that if , we can conclude immediately that the system is unsafe, as there exists an initial condition .
The safety verification problem can then be stated as follows:
Given a vector field , an initial set and an unsafe set , decide whether the dynamical system is safe.
To be more precise, safety is not a property of the dynamical system per se, but rather of the ordered triple .
How do we go about solving the safety verification problem? The most obvious approach would be to “propagate” the initial set forwards in time, i.e., to compute (forward) reachable sets. However, computing exact reachable sets is seldom possible, which forces us to compute approximations of reachable sets.
When performing safety verification, we are asking a binary question: is safe? Hence, computation of the reachable sets seems to provide more information than what we actually do need. This is a personal opinion, not a fact.
Probably inspired on Lyapunov stability theory , Stephen Prajna introduced a few years ago a new method for safety verification of continuous-time dynamical systems that relies on what he termed barrier certificates . A barrier certificate is a function of state that satisfies the following inequalities
Let us now introduce a function of time and fix the initial condition . Taking the derivative of with respect to time, we obtain
which follows from the non-positivity of the Lie derivative of along the flow of . From , we conclude that for all , i.e., we have that for all . Hence, the following sublevel set
is positively invariant . In other words, a solution starting in will remain in for all . Since for all , we conclude that for all . However, since for all , we can finally conclude that the safety of is guaranteed. Alternatively, one could argue that, since, by construction, , then safety is certified.
Pictorially, we start with the following level sets
and once we know that is a positively invariant set (from ), we conclude that the state trajectory must live in , which is painted in dark gray below
Please do recall that , and also note that the unsafe set is contained in the superlevel set .
So far we assumed that the initial condition was fixed. Henceforth, we shall make the initial condition free to take any values in the initial set . Let us define
so that we get an upper bound on , as follows
where we used the inequality for all to conclude that . This allows us to conclude that the sublevel set
is positively invariant. Since , safety of is guaranteed. Note that the sublevel set is the union of all possible sublevel sets, i.e.,
This new sublevel set is depicted below, painted in dark gray
Note that . Essentially, the zero level set of the barrier certificate separates an unsafe set, , from all system trajectories starting in the initial set , which are contained in , thus providing a proof of safety without requiring the computation of reachable sets. Personally, I like to think of this approach as a sophisticated generalization of the well-known separating hyperplane theorem.
At this point, you may be thinking that this framework is too good to be true. Instead of computing the flow or the reachable sets, all we need to do is find a function that satisfies three inequalities, and then (voilà!) infinite-time safety of is certified! As it usually happens, the devil is in the details…
If finding Lyapunov functions  for low-dimensional dynamical systems is often “hard”, why should we expect the hunt for barrier certificates to be an “easy” endeavor? Quel panache! Are we merely transferring the complexity of the problem from the computation of reachable sets to the satisfaction of three inequalities? Will we fail to find barrier certificates due to excessive conservativeness? Should we abandon all hope? Please be patient, dear reader, for we will address these issues and alleviate your doubts in future posts ;-)
Next installment will be devoted to an example. до скорой встречи!
 Hassan K. Khalil, Nonlinear Systems, 3rd edition, Prentice Hall.
 Stephen Prajna, Optimization-based methods for nonlinear and hybrid systems verification, Dissertation (Ph.D.), California Institute of Technology, 2005.