Restructuring Dynamical Systems for Inductive Verification

Inductive approaches to deductive verification has gained widespread adoption in the control and verification of safety-critical dynamical systems. The practical success of barrier certificates attests to their effectiveness and ongoing theoretical and practical refinement. However, when verification conditions are non-inductive, various strategies are employed to address this issue. One strategy is to strengthen the property until they arrive at an inductive proof. However, it is not always obvious how one must strengthen a property. Notions of strenghtening are particularly non-obvious when the properties of interest are more expressive than safety or reachability. An alternative technique is to instead consider structural changes. These structural changes may either be to consider novel notions of induction such as $k$-induction, or to encode additional information similar to dimension lifting. We posit that reformulating or restructuring of the system is fundamental to inductive approaches. This position article provides an overview of barrier certificate based verification approaches and their connection to system restructuring. We discuss the opportunities, challenges, and open problems in this emerging field, paving the way for future research in the verification of safety-critical dynamical systems. The framework of restructuring of a system holds promise for advancing deductive verification, enhancing system safety, and promoting design insights.


I. INTRODUCTION
Advancements in both control theory and computational algorithms have empowered cyber-physical systems (CPS) with substantial autonomy and decision-making capabilities. However, given their critical roles in safety-critical areas, a failure of these systems can have catastrophic consequences, including loss of life. Therefore, there is an escalating need to provide formal guarantees of correctness for CPS. Ensuring their reliability and safety through rigorous verification and validation is paramount to build trust in their operation.
Deductive verification approaches aimed at establishing inductive invariants [1] have found widespread adoption in the control and verification of CPS. Examples of practical success include techniques such as barrier and Lyapunov certificates. There are some common strategies for verification when a property is not trivially inductive. One such strategy is to strengthen the conditions, seeking to transform them into inductive ones. This is analogous to selecting a higher-degree barrier certificates when a lower-degree one fails to establish the desired property. Another strategy involves applying alternative forms of induction, such as k-induction or double induction, to establish the invariant. Recent explorations of t-barrier [2] and k-barrier certificates [3], [4] fall within this proof strategy. Sometimes, control theorists and computer scientists need to invent entirely new induction principles to prove complex properties. For practical applications of deductive verification, we argue that the search for novel induction principles must be automated.
To motivate the idea of restructuring a system, consider an alternative viewpoint on the relationship between mathematical induction and natural numbers. Peano's axioms precisely define the natural numbers by axiomatizing the principle of induction. Bertrand Russell captures this viewpoint in Principia Mathematica [5] by stating, "we define the natural numbers as those to which proofs by mathematical induction can be applied, i.e., as those that possess all inductive properties." With this perspective, we propose that when traditional induction does not serve our purpose, an equally viable choice can be to redefine the set of natural numbers, or in our case, restructure the dynamical system. We emphasise that by restructuring we mean restructuring the dynamical model and not that of the physical system itself. Some examples of such changes may be coordinate transformation or dimension lifting. By restructuring the system model without changing its functional properties, we can make it more amenable to classical barrier certificates, potentially using lower-degree certificates. When properties are not inductive on an original system, it may be the case that these properties are inductive on a restructured system.
There are several reasons why system restructuring may be preferable to other proof strategies. Restructuring the system can simplify the barrier templates required for verification compared to the original system, making the verification process more efficient. Moreover, an inductive proof of correctness may exist for the original system, it may lack interpretability. However, proofs in the restructured system may be more easily understood and explained. This grants program or control designers greater freedom in comprehending the proof of correctness, leading to improved design insights. By automating the search for novel induction principles, we can advance the field of deductive verification and enhance the safety of dynamical systems.
While arguments considering reformulation have been explored in program verification [6], [7], their broader application in the context of system restructuring and more general dynamical systems remains an open area. We present an overview of barrier certificate-based verification approaches and highlights their connection to system restructuring. We discuss the opportunities, challenges, and open problems in this promising field, setting the stage for future research in the verification of dynamical systems.

A. RELATED WORKS
The formal study and proofs of correctness of hybrid systems have been a key area of study since the 1990s [8], [9], [10]. Existing approaches that tackle these questions can broadly be classified into two categories: they either adopt a discretization-based or a discretization-free approach. Discretization-based approaches typically rely on building sound finite-state abstractions of the systems under study and then make use of model checking techniques on these finite-state abstractions to provide guarantees of correctness [11], [12], [13]. These approaches have also been adopted to synthesize or automatically design controllers to satisfy high-level specifications such as safety, reachability, or more general logic-based properties [14], [15], [16], [17]. To build a finite-state abstraction, we first partitioning the state, and input set into finitely many cover elements [15]. Then we computes overapproximations of reachable cover elements from each other using techniques such as growth bounds [18]. As the system is now a finite-state one, we can makes use of existing model checking techniques [12], [13] to verify it against properties such as safety or reachability. Unfortunately, all discretization-based approaches suffer from the curse of dimensionality-the size of the finite state abstraction of a system grows exponentially with respect to its dimension. Furthermore, while abstraction techniques preserve some logic-based properties such as those specified in linear temporal logic (LTL) [19], one cannot carry over the same guarantees for properties specified in computational tree logic (CTL) [20] or security properties [21] such as opacity [22]. Instead of constructing a sound finite-state abstraction, it becomes necessary to depend on the creation of bisimilar finite-state abstractions [22], [23] in order to establish formal guarantees. Regrettably, the process of developing bisimilar finite abstractions demands certain stability properties concerning the original control systems, specifically their incremental stability.
While discretization-free approaches hold promise in this regard, one must consider ways to address outstanding challenges. One of the existing techniques to verify reachability or safety is to overapproximate the set of reachable states [24], [25], [26]. These techniques are quite successful for linear systems, as well as some nonlinear systems, however, their computation is often expensive or provide coarse overapproximations. Deductive approaches, in particular, have seen widespread adoption to find scalable and automatic verification techniques for programs [27]. The promise of deductive approaches is that they rely on shallow reachability analysis based on the underlying transition structure, rather than the need for deep reachability analysis. These approaches find broad applicability in proving important temporal properties such as safety and liveness as illustrated in [28]: "Proving that a program satisfies a safety property involves an invariance argument while proving that a program satisfies a liveness property involves a well-foundedness argument." Indeed, a prominent approach for the verification of dynamical systems is to make use of barrier certificates [29], [30] as guarantees of invariance. Similarly, notions of liveness have been used in program termination via Lyapunov (or ranking) functions [31], [32]. Automatic approaches to find these functions rely on optimization techniques such as sum-of-squares (SOS) [33], or on satisfiability modulo theory (SMT) solvers [34], [35].
Though the principle of induction [1] forms the backbone for deductive verification, it is often the case that a property of interest may not be inductive. In such a case, one is often required to change the property under consideration until one successfully finds an inductive guarantee. Thus, one must rely on incremental modifications to strengthen a property till one arrives at a valid inductive argument [1], [36], [37].

II. MOTIVATING EXAMPLE
Let us define the set of natural numbers, including zero and denoted N, following Peano's axioms using the constant 0, and the successor function +1 : N → N as follows: To prove a property P parameterized over natural numbers, we are required to show that P is true for the two cases of constructing such a number. That is, we first show P(0) is true, and then show that P(n + 1) is true if P(n) is true. This is the well-known case of mathematical induction and one typically makes use of such arguments to show for example that n i=0 i = n(n+1) 2 . Consider S 1 (n) = n i=0 (−1) n , and suppose that we wish to show that S 1 (n) ≤ 1 for all n ∈ N. Observe that the base case holds, that is for n = 0, we have S 1 (0) = 1 ≤ 1. Now we wish to show that this holds for n + 1, given that it holds for n. If n is even, then n + 1 is odd, and so we have S 1 (n + 1) = S 1 (n) + (−1) ≤ 1. Instead consider n to be odd, and assume S 1 (n) ≤ 1. Then we have S 1 (n + 1) ≤ S 1 (n) + 1 ≤ 1, but rather S 1 (n + 1) ≤ 2. Thus, we failed to prove this property to be true via standard induction.
To prove this property, let us instead define the set of natural numbers N as follows: We shall now try to prove the previous property, i.e., S 1 (n) ≤ 1, on this new definition of N. First, observe that this holds for 0, and (0 + 1) trivially. Now, let us try to show that this is true for (n + 1) + 1, assuming it is true for (n + 1) and n. We have S 1 ((n + 1) + 1) = S 1 (n) + ((−1) n + (−1) n+1 )). Thus, S 1 ((n + 1) + 1) = S 1 (n) + (−1) n (1 − 1) = S 1 (n). As we assumed S 1 (n) ≤ 1, we infer that S 1 ((n + 1) + 1) = S 1 (n) ≤ 1 and, hence, we have proved the property for all n ∈ N. Observe that while we failed to prove the property via a direct inductive argument over N, we were able to prove it by changing the inductive definition of N. In other words, the restructuring of the set N allowed us to more easily form an inductive argument to prove the property. In light of this observation, can we find new ways of restructuring dynamical systems to lend themselves to inductive proofs?

III. NOTATION
We use N and R to denote the set of natural (including zero), and real numbers respectively. Given a real number a ∈ R, we use R ≥a to denote the interval [a, ∞), and R >a to denote the interval ]a, ∞). Similarly, we use N ≥a for all natural numbers greater than or equal to the number a ∈ N. For set A, and a function f : A → 2 A , we usef to extend its use to a set of values, i.e., we considerf : 2 A → 2 A , asf ({a 0 , . . . , a n }) = 0≤i≤n f (a i ). Given f : A → 2 A , and n ∈ N, we define f n (a) recursively as f 0 (a) = {a}, and f n (a) =f ( f n−1 (a)). We say f : A → R is bounded if there exist l, u ∈ R such that l ≤ f (a) and f (a) ≤ u for all a ∈ A. We use ∧, ∨, and ⇒ for logical conjunction, disjunction and implication, respectively.
Given a set A, we denote the set of all finite sequences of elements in A as the set A * . An element of A * is a finite sequence (a 0 , a 1 , . . . , a n ) ∈ A * , where a i ∈ A for all 0 ≤ i ≤ n and for some n ∈ N. Similarly, we use A ω to denote the set of all countably-infinite sequences of elements in A, and denote an infinite sequence as a 0 , a 1 , . . . , ∈ A ω .

IV. SYSTEM MODELLING
We focus our attention on discrete-time dynamical systems and the properties of interest to be temporal in nature.
A discrete-time dynamical system (simply, a system) S is a tuple (X , X 0 , f ), where X denotes a set of states, X 0 ⊆ X a set of initial states, and f : X → 2 X a transition relation. A state sequence of the system is an infinite se- Such systems may also be equipped with an output set Y, as well as an output function h : X → Y, such that given a state x ∈ X , an external observer may observe the value h(x). Thus, given a state sequence x 0 , x 1 . . . , ∈ X ω , an external observer observes the sequence h(x 0 ), h(x 1 ), . . . , ∈ Y ω . These are particularly important when reasoning about security properties such as opacity [38]. To reason about high-level specifications, we often make use of a labeling function L : X → , that maps each state of the system to a letter σ ∈ from a finite alphabet set .
Our key verification objective is to determine whether a system satisfies the property of safety or not. We say that a system S = (X , X 0 , f ) is safe with respect to a set of unsafe states X u , if there exists no state sequence x 0 , x 1 , . . . , such that x i ∈ X u for all i ∈ N. Similarly, we say that a system S reaches a set of target states X R , if for all state sequences x 0 , x 1 , . . . , , there exists some state x i ∈ X R for some i ∈ N. While we do not explicitly provide descriptions of richer specifications, such as those specified in LTL, or by automata, many of the existing questions raised in our article also find applicability in these contexts.

V. BARRIER CERTIFICATES AS INDUCTIVE INVARIANTS
Similar to how standard induction applies to natural numbers, one may make use of a structural induction argument to prove properties about a system. An example of such an inductive argument is that of barrier certificates [29] that act as proofs of safety. These are analogous to notions of inductive invariants used in safety verification of programs.
Definition 5.1 (Barrier Certificates): A function B : X → R is a barrier certificate for a system S = (X , X 0 , f ) with respect to a set of unsafe states X u if: Theorem 1 (Barriers imply safety [29]): Consider a system S = (X , X 0 , f ), with a set of unsafe states X u . The existence of a function B : X → R satisfying conditions (1)-(3) implies that the system is safe.
Observe that barrier certificates act as inductive proofs of safety. First, as a base case we have B(x) ≤ 0 for all x ∈ X 0 from condition (1). Second, as the inductive case, assuming B(x) ≤ 0, for some x ∈ X , we have B(x ) ≤ 0 for all x ∈ f (x) from condition (3). Hence, it holds inductively that for all reachable states x ∈ X , we have B(x) ≤ 0.
The benefit of barrier certificate based approaches are that they provide an automatic technique in proving the safety of a system. Fixing the template of the function B allows one to make use of optimization techniques such as sumof-squares [30], [33] or satisfiability modulo theory solvers (SMT) [39] to automatically search for such a function. However, these approaches are sound: the existence of a barrier certificate of a certain template is not necessary for safety. Thus, the question arises as to what one should do when one fails to find barrier certificates of a given template. Secondly, while barrier certificate approaches provide significant utility for safety or reachability verification [40], how does one make use of similar inductive techniques for more complex temporal properties?

VI. RESTRUCTURING FOR BARRIER CERTIFICATES
We explore some key modifications to the structure, enabling the utilization of inductive proofs for broader sets of specifications. Additionally, these structural changes permit functions to serve as innovative forms of inductive proofs in cases where conventional inductive proofs are inadequate.

A. k-INDUCTIVE BARRIER CERTIFICATES
Observe that barrier certificates are a structural induction approach for safety verification. Similar to the case of software verification, one may instead make use of k-induction [6] to allow for larger class of functions to act as proofs of safety or reachability. The notion of k-induction considers a restructuring of the system in the following way: we consider as a base case, all the states that are reachable from the initial state in k-steps as a base case. If a k-length sequence of states are reachable in that order, then we consider the consequent state to also be reachable as the inductive case. These approaches have been used in [2], [3], [4] to show how one may use barriers of lower complexity (polynomials of lower degrees) to arrive at guarantees of safety.
To illustrate this idea, consider the finite state system S = (X , X 0 , f ) in Fig. 1, with the set of states X = {1, 4, 5, 6, 7}, the initial set of states X 0 = {2}, and the transition relation f as shown by the edges in the graph. Let the set of unsafe states X u = {6}. Observe that this system is trivially safe. To prove this system is safe, let us try to find a linear barrier certificate, i.e., B(x) = ax + b. To satisfy condition (3), we must have B (3) ≤ B(2), and B(1) ≤ B(3). This results in the following inequalities a ≤ 0, and 2a ≥ 0. The only way to satisfy both is to set a = 0, however doing so, would mean that B(x) = b FIGURE 1. A finite state system S with the initial state in green and unsafe state in red. While we cannot find a linear barrier certificate to demonstrate safety, we are able to find a linear k-inductive barrier certificate.
is a constant function and so we cannot satisfy conditions (1) and (2).
The standard approach to strengthen the invariant, is to consider a more expressive template, for example a polynomial of a higher degree. However, this change to a more expressive template often causes computational overhead [33], [41], [42]. Instead of changing the template, let us rethink our notion of induction in an analogous fashion to k-induction. In particular, let us try to find a linear k-inductive barrier certificate as in [3, Definition 3.1], whose definition is repeated here for completeness.

Definition 6.1 (k-inductive barrier certificates):
We say that B : X → R is a k-inductive barrier certificate for the system S = (X , X 0 , f ) with respect to a set of unsafe states X u ⊆ X , if there exist k ∈ N ≥1 , and values ∈ R ≥0 , and d > k such that following conditions hold: Theorem 2 (k-inductive barriers imply safety [3]): Consider a system S = (X , X 0 , f ), with a set of unsafe states X u . The existence of a function B : X → R satisfying conditions (4)-(7) implies that the system is safe.
Returning to the finite state system from Fig. 1, let us consider a k-inductive barrier certificate B(x) = x − 2, with k = 2, and values = 1, d = 3. We observe that such a function satisfies conditions (4)- (7) and, hence, acts as a k-inductive barrier certificate. Instead of having to change the template of the barrier function, we instead chose to change the inductive definition by considering transitions in terms of k-steps. A key question for future work, would be to determine other notions of induction that hold promise to find simpler templates of barrier certificates.

B. BARRIER CERTIFICATES OVER TRANSITIONS
Similar to how barrier certificates act as inductive proofs over the states of the system, one can instead make use of closure certificates [43] that act as inductive proofs over the transitions of the system. The idea of forming an inductive argument over transitions rather than states was initially studied in [44], VOLUME 2, 2023 203 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply. with the goal of verifying program termination. This idea also finds applicability in broader contexts of verifying safety, or proving more general properties.
To illustrate why inductive arguments over transitions are sometimes preferable to those over the states of the system, we consider the following example. Consider a finite state system S = (X , X 0 , f ) in Fig. 2, with the set of states X = {0, 1, 2, 3, 4, 5}, the initial set of states X 0 = {1, 3, 5}, and unsafe set of states X u = {2, 4}. This system has no barrier certificate of degree 2. We refer the interested reader to [43, Theorem 3] for more details. We now show form an inductive argument on the transitions. This allows us to find a linear closure certificate as in [43,Definition 2]. We include the definition here for completeness: Definition 6.2 (Closure Certificates): A bounded function T : X ×X →R is a Closure Certificate (CC) for a system S = (X , X 0 , f ) with set of unsafe states X u if there exists a value δ ∈ R >0 such that: for all x ∈ X , x ∈ f (x), and (9) T (x 0 , x u ) ≤ −δ, for all x 0 ∈ X 0 , and x u ∈ X u . (10) Theorem 3 (Closure certificate imply safety [43]): Consider a system S = (X , X 0 , f ) with a set of unsafe states X u . The existence of a function T : X × X → R that satisfies conditions (8)-(10) implies that the system is safe.
Returning to the finite state system in Fig. 2, consider the closure certificate T (x, y) = −y. Observe that this function satisfies conditions (8)-(10) and thus demonstrates the system to be safe. We should add that one may also make use of closure certificates to verify systems against more complex properties such as those specified in LTL. We refer the interested readers to [43, Section III-C].

C. BARRIER CERTIFICATES FOR OPACITY
In the previous subsections, we showed how to find barrier certificates of simpler templates by considering different structures of the system. We now show how one may adopt barrier certificate-based approaches for more general properties such as opacity [38].
To reason about the opacity of a system, we additionally consider a system S to be equipped with an output function h : X → Y that maps every state x ∈ X to some output value in an output set Y. We say that a system is opaque with respect to a set of secret states X s , if for every state sequence x 0 , x 1 , . . . , , starting from a secret state x 0 ∈ X 0 ∩ X s , there exists some state sequence x 0 , x 1 , . . . , starting from a non- Weaker notions such as approximate opacity have also been considered [45]. An inductive approach to verify opacity is to consider a barrier certificate over pairs of system states rather than just the state set of the system itself [45]. The existence of such an augmented barrier certificate acts as a proof that the system is opaque. We define this notion of augmented barrier certificate next.

Definition 6.3 (Augmented Barrier Certificate):
We say that B : X × X → R is an augmented barrier certificate for a system S = (X , X 0 , f ), with a set of secret states X s , if: for all x ∈ f (x), and there exists z ∈ f (z). (13) Theorem 4 (Augmented Barriers imply opacity [45]): Consider a system S = (X , X 0 , f ), with output set Y, secret set X s , and output function h : X → Y. The existence of a function B : X × X → R that satisfies conditions (11)- (13) implies that the system is opaque.

VII. OPEN PROBLEMS
The previous section described three main types of structural changes. The first adopts new notions of induction to allow for simpler templates to act as proofs, while the second uses an inductive argument over the structure of the transitions of the system. Lastly, we considered an inductive argument on the product of the system with itself to provide guarantees for more complex properties. In all cases, structural changes (or restructuring the system) allowed for natural inductive proofs to act as guarantees of complex properties or aid in finding simpler proofs. Following this direction, we consider some open problems as natural questions that arise when thinking of restructuring systems.

A. AUTOMATIC RESTRUCTURING FOR INDUCTIVE GUARANTEES
One of the key questions we would like to consider is to determine whether there exist automatic ways to find novel restructuring of systems which lend themselves to induction when one fails to show that a property is inductive.
In Section VI, we considered different structural modifications when one failed to show a property to be inductive. When one fails to find barrier certificates of a given template, we considered different notions of induction, either in the form of k-induction or induction over the transitions. Similarly, when trying to verify LTL properties, we may consider inductive notions on the transitions of the system as illustrated in [43], [44]. Lastly, for the case of security properties like opacity, we considered barrier certificates over pairs of systems states. All of the above changes to structure lent themselves to proving different properties. Observe that the instances of restructuring in Section VI are all manual. Discovering these relied on the ingenuity of the users to find new notions of structural changes based on the property that needed to be verified as well as the template considered.
In order to develop automatic techniques for property verification, there is a need to mechanize the search for such restructurings guided by the properties of interest. A well studied paradigm of automatic restructuring-instantiated by, among others, the kernel trick paradigm [46]-is to add a set of auxiliary state variables to the system. These variables can be considered as linear combinations of some user-defined basis functions of the state variables. Such a system may allow for simpler templates of barrier certificates to act as guarantees of safety, even if they were not sufficient for the original system. Another promising paradigm for system restructuring can be adapted from approaches to strengthening inductive properties [36], [37]. In these techniques, one may learn new inductive invariants starting from the weakest (the assumption that everything except the unsafe states are inductively safe) in a property guided manner. These approaches hold promise for improved scalability and automation in the search for barrier certificates or Lyapunov functions. For finite state systems the above approaches [36], [37] for simple properties are complete, i.e., the above search procedure is guaranteed to terminate. An important foundational question is to explore sub-classes of dynamical systems for which such guarantees can be obtained.

B. VERIFYING RICHER PROPERTIES
While inductive approaches have seen use in verifying more complex properties such as those in LTL [43], [47], [48], there is still an open question as to how one applies them to more expresive logics. In particular, while finite-state abstractions and discretization approaches are useful for verifying properties specified in LTL, abstractions alone are not enough to preserve properties specified by more complex logics such as Computation Tree Logic (CTL) [20].
To illustrate why this is the case, let us consider a finite system S = (X , X 0 , f ) in Fig. 3(a), where the set of states X = {1, 2, 3}, the initial state set X 0 = {1}, and the transition relation is depicted by the edges in Fig. 3(a) and a finite alphabet = {a, b}. We assign a labeling function L : X → , such that L(x) = a for all states x ∈ X . We then consider the FIGURE 3. A finite state system S in Fig. 3(a) followed by system S in Fig. 3(b), with the initial states in green. System S is an abstraction of system S.
property which asks if "there exists some path where b is always true". This can be specified in CTL [12]. Observe that no state sequence of the system satisfies this property. Instead, let us consider the System S = (X , X 0 , f ) in Fig. 3(b), where the set of states X = {1, 2, 3, 4}, the initial set of states X 0 = {1, 4}, and the transition relation f is specifed by the edges in the graph. We consider a labeling function L : X → such that L(x) = b if x = 4, and L(x) = a, otherwise. This system S is a sound abstraction of system S, i.e., there is a simulation relation from S to S [13]. However, if we consider the same CTL property, we observe that this is true for system S as the state sequence 4, 4, . . . , satisfies this property.
To preserve CTL properties one must instead make use of bisimulation relations and bisimilar abstractions [12], [13]. However, existing work [23], [49] that deals with constructing bisimilar abstractions require the dynamical systems under study to be incrementally-stable. This unfortunately restricts their application to systems that are incrementally stable. We believe that one must adopt inductive approaches similar to the case of program verification [50] to serve as a discretization-free approach for verifying CTL properties as well as for properties in more expressive logics.
Similar issues arise when reasoning about properties specified in Hyperlogics [21], [51]. While there exists work on reasoning about these hyperproperties for dynamical systems [52], this area of research is still relatively unexplored.

VIII. CONCLUSION
Notions of induction and proofs built on them are fundamental to the verification of dynamical systems. As important properties of interest do not lend themselves to a simple inductive proofs, it is imperative to consider new techniques or changes to verification that allow for scalable analysis of these systems. We believe that exploring novel notions of restructuring lend themselves not just in terms of scalability but also in the verification of broader properties of interest. As such we contend that the broad investigation of fundamental theory that can shed new light on the automatic restructuring of systems for inductive verification of their properties.