Safe & Robust Reachability Analysis of Hybrid Systems

Hybrid systems—more precisely, their mathematical models—can exhibit behaviors, like Zeno behaviors, that are absent in purely discrete or purely continuous systems. First, we observe that, in this context, the usual definition of reachability—namely, the reflexive and transitive closure of a transition relation—can be unsafe, ie, it may compute a proper subset of the set of states reachable in finite time from a set of initial states. Therefore, we propose safe reachability, which always computes a superset of the set of reachable states. Second, in safety analysis of hybrid and continuous systems, it is important to ensure that a reachability analysis is also robust wrt small perturbations to the set of initial states and to the system itself, since discrepancies between a system and its mathematical models are unavoidable. We show that, under certain conditions, the best Scott continuous approximation of an analysis A is also its best robust approximation. Finally, we exemplify the gap between the set of reachable states and the supersets computed by safe reachability and its best robust approximation.


Introduction
In a transition system, ie, a binary relation → on a set of states, reachability is a clearly defined notion, namely, the reflexive and transitive closure →* of →. Reachability analysis plays an important role in computer-assisted verification and analysis [ACH + 95], since safety (a key system requirement) is usually formalized in terms of reachability, namely: state s is safe ⇐⇒ it is not possible to reach a bad state from s. For a hybrid system one can define a transition relation → on a continuous and uncountable state space, but →* captures only the states reachable in finitely many transitions, and they can be a proper subset of those reachable in finite time! Hybrid systems with Zeno behaviors, where infinitely many events occur in finite time, are among the systems in which the two notions of reachability differ. Zeno behaviors arise naturally when modeling rigid body dynamics with impacts, as illustrated by the system consisting of a bouncing ball (Example 2.8), whose Zeno behavior is due to the modeling of impacts as discrete events.

Footnotes:
1 Research partially supported by the Swedish Knowledge Foundation.
2 Work done while the author was a PhD student at Halmstad University.
3 Research partially supported by US NSF award #1736754 "A CPS Approach to Robot Design" and the Swedish Knowledge Foundation project "AstaMoCA: Model-based Communications Architecture for the AstaZero Automotive Safety Facility".

Contributions
The first contribution of this paper is the notion of safe reachability (Def 3.6), which gives an over-approximation, ie, a superset, of the states reachable in finite time, including the case where the hybrid system has Zeno behaviors. Mathematical models are always simplifications, through abstractions and approximations, of real systems. Simplifications are essential to making analyses manageable. In safety analysis, over-approximations are acceptable, since they can only lead to false negatives, ie, the analysis may wrongly conclude that (a state s of) the system is unsafe, because the over-approximation includes some unreachable bad states.
The second contribution is to show, under certain assumptions, that the best Scott continuous approximation of safe reachability coincides with its best robust approximation. In safety analysis robust over-approximations are important, because inaccuracies in the modeling of a cyber-physical system (as well as in its building and testing) are unavoidable, as convincingly argued in [Frä99].

Related Work
Reachability maps are arrows in the category of complete lattices and monotonic maps, which is the standard setting for defining and comparing abstract interpretations [CC92]. We build directly on the following papers.
• [GST09] is an excellent tutorial on hybrid systems, from which we borrow the definition of hybrid system (Def 2.1), but avoid the use of hybrid arcs, since they cannot reach nor go beyond Zeno points.
• [Eda95] is one among several papers, where Edalat recasts mainstream mathematics in Domain Theory, and shows what is gained by doing so. In this context Domain Theory becomes particularly relevant when the Scott and Upper Vietoris topologies on certain hyperspaces coincide.
• [Frä99,GKC13] show that proving δ-safety, ie, safety of a hybrid system subject to some noise bounded by δ, can make the verification task easier, besides excluding systems that are safe only under unrealistic assumptions.

Summary
The rest of the paper is organized as follows:
• Sec 2 recalls the definition of a hybrid system from [GST09], defines the corresponding transition relation (Def 2.3), and gives some examples.
• Sec 3 introduces two reachability maps Rf and Rs (Def 3.1 and 3.6, respectively), establishes their properties and how they relate to each other.
• Sec 4 uses the poset-enriched category of complete lattices and monotonic maps (see Def 4.4) as a framework to discuss approximations and relate reachability maps defined on different complete lattices. We also give a systematic way to turn a monotonic map f between complete lattices into a Scott continuous map f ✷ (see Prop 4.14).
• Sec 5 introduces the notion of robustness (see Def 5.1) and says when robustness and Scott continuity coincide (see Thm 5.7).
• Sec 6 analyses (with the aid of pictures) the differences between the under-approximation Rf and several over-approximations (from Rs to Rs ✷ ) of sets of reachable states, for the hybrid systems introduced in Sec 2.
Appendix A contains some proofs that were too long to inline into the text.

Mathematical preliminaries
We assume familiarity with the notions of Banach, metric, and topological spaces, and the definitions of open, closed, and compact subsets of a topological space (see, eg, [Con90,Kel75]). The three notions of space are related as follows:
• Every Banach space is a Cauchy complete metric space whose distance is d(x, y) ≜ |y − x|, where |x| is the norm of x;
• Every metric space is a topological space whose open subsets are given by unions of open balls B(x, δ).
Throughout the paper, for the sake of simplicity, one may replace Banach spaces with Euclidean spaces R^n. For membership we may write x:X instead of x ∈ X, and we use the following notations:
• R is the Euclidean space of the real numbers;
• N and ω denote the natural numbers with the usual linear order;
• P(S) is the set of subsets of a set S (we use the same notation also when S is a set with additional structure, eg, a Banach or topological space);
• O(S) is the set of open subsets of a topological space S, and C(S) is the set of closed subsets (we use the same notation also when S is a set with additional structure that induces a topology, eg, a Banach or metric space);
• Set is the category of sets and (total) maps;
• Set_p is the category of sets and partial maps;
• Top is the category of topological spaces and continuous maps.
Finally, we recall some definitions and their basic properties: The limits of a sequence form a closed subset of S. In a metric space a sequence has at most one limit. The accumulation points of a sequence form a closed subset of S, every limit is also an accumulation point, and every accumulation point is a limit of a sub-sequence (x f (n) |n:ω) for some strictly increasing f :Set(ω, ω), ie, ∀n.f (n) < f (n + 1). In a metric space, if a sequence has a limit, then the limit is the only accumulation point.
• The derivative ḟ:Set_p(R, S) of a partial map f : is included in the domain of f, and for any sequence (x_n | n:ω) in B(x, δ) − {x}, if x is the limit of (x_n | n:ω) in R, then v is the limit of ((f(x_n) − f(x))/(x_n − x) | n:ω) in S.
If ḟ(x) is defined, then f must be continuous at x. A stronger requirement is that ḟ is defined and continuous in B(x, δ); in this case f is called continuously differentiable in B(x, δ).

Hybrid Systems and Topological Transition Systems
In this section, we define what is a hybrid system (cf. [GST09]), namely, a mathematical model suitable for describing cyber-physical systems; what is a topological timed transition system (cf. [CR04]), namely, an abstraction of hybrid systems useful for defining various reachability maps; and, finally, we introduce some example hybrid systems that will be used throughout the paper. • the derivative ḟ of f is defined and continuous in (0, d); In this case we say that f realizes the transition.
Remark 2.4. The Banach space structure is just what is needed to define derivatives. Hybrid arcs (cf. [GST09]) could be defined in terms of a transition relation where the labels d > 0 are replaced by their realizer maps f. In [GST09] the requirements on f are more relaxed than ours, namely: f must be absolutely continuous (which, in our case, is implied by the continuity of ḟ), and the flow relation must hold almost everywhere in (0, d). However, the safe evolution and safe reachability maps (see Def 3.6) are insensitive to these changes. Thus, we have adopted the requirements on f that are mathematically simpler to express.
In [Dur16] the requirements on f are stricter than ours, namely: ḟ must extend continuously to [0, d], and the flow relation must hold also at the endpoints. For instance, the map f(t) = √t is continuous in [0, d], its derivative ḟ(t) = 1/(2√t) is continuous in (0, d), but it cannot be extended continuously to 0. The main rationale for the stricter requirements is that a transition s d ✲ s′ with d > 0 can only start from a state in the domain of the flow relation F. Notation 2.5. Given a first-order language with an interpretation in a Banach space S, a HS on S can be described by two formulas, a flow formula F(x, ẋ) and a jump formula G(x, x⁺), with two free variables each: x denotes the current state, ẋ denotes the derivative of a trajectory flowing through x, and x⁺ denotes a state reachable from x with one jump.
Similarly, given a two sorted language, with one sort interpreted in R and the other in a topological space S, a timed transition relation can be described by a formula T (x, d, x ′ ) with three free variables: x denotes the starting state, d:R the duration of the transition, and x ′ the final state.
We introduce some hybrid systems, and give explicit descriptions of their timed transition relations (see also the Figures in Sec 6). Example 2.6 (Expand). H E is a HS on R describing the expansion of a quantity m until it reaches a threshold M > 0. The flow and jump relations are: It has two kinds of trajectories depending on the start state m 0 (see Fig 1).
It has two kinds of trajectories, depending on the start state m 0 (see Example 2.8 (Bouncing ball). The hybrid system H B on R 2 describes a bouncing ball with height h ≥ 0 and velocity v, which is kicked when it stops, ie, when h = v = 0. We assume the force of gravity to be −1 (for the sake of simplicity), a coefficient of restitution b (we do not restrict its value, but b:[−1, 0] would be the obvious restriction), and a velocity V > 0 given to the ball when it is kicked. Formally: It has seven kinds of trajectories starting from (h = 0, v > 0), depending on the value of b (see Fig 3).
1. When b < −1, the ball never stops (its energy increases at each bounce).
2. When b = −1, the ball never stops (its energy remains constant).
3. When b:(−1, 0), the ball stops in finite time, but after infinitely many bounces (this is a Zeno behavior), then it is kicked, ie, (h = 0, v = V).
4. When b = 0, the ball stops as it hits the ground, then it is kicked.
5. When b:(0, 1), as the ball hits the ground, it stops after infinitely many instantaneous slowdowns 0 > b^n · v → 0 (this is a chattering Zeno behavior), then it is kicked.
6. When b = 1, as the ball hits the ground, the trajectory cannot progress further in time.
7. When b > 1, as the ball hits the ground, its velocity drifts to −∞ after an infinite sequence of instantaneous accelerations 0 > b^n · v → −∞, and the trajectory cannot progress further in time.
The following construction adds a clock to a HS to record the passing of time.
Definition 2.9. Given a HS H = (F, G) on S, the derived HS t(H) = (F ′ , G ′ ) on R × S adds a clock to H, namely: Proof. Only the case d > 0 is non-trivial.
, and moreover this f

Evolution and Reachability
Transition systems (TS for short) provide the main formalism for modeling discrete systems. The formalism does not mention time explicitly, but it assumes that time is discrete, and each transition takes one time unit (or alternatively, it abstracts from time and describes only the order of discrete state changes).
Given a TS (S, →), ie, a binary relation → on a set S (aka a directed graph), we identify the discrete time line with the set N of natural numbers and define the following notions related to the TS.
• A trajectory is a map f :Set([0, n], S) such that ∀i < n.f (i) → f (i + 1) for some n:N, or equivalently, a path f :S + in the graph. The length of f is n and f (0) is its starting state.
• The evolution map Ef : or equivalently the union of (the graphs of) all trajectories starting from the set I of initial states. Therefore, Ef (I) says at what time a state is reached, but forgets the trajectories used to reach it. However, when → is deterministic, there is at most one trajectory of length n from s to s ′ , which can be recovered from Ef ({s}).
• The reachability map Rf : Therefore, Rf (I) says whether a state is reachable from I, but forgets at which time instances it is reached.
For TTTS (and HS) one would like to reuse as much as possible the theory available for TS. The main point of this section is that naive reuse can result in under-approximating what is reachable in finite time. To address this problem, we present a solution that computes an over-approximation (see Sec 3.1). This solution exploits the topological structure of the state space S and the continuous time line T.
We choose to cast analyses (eg reachability) as monotonic maps (like Rf ) rather than as relations (like → * ). This becomes essential in Def 3.6 and for defining approximability (Sec 4) and robustness (Sec 5) of an analysis.
Definition 3.1. The evolution map Ef :P(S) → P(T×S) and the reachability map Rf :P(S) → P(S) for a TTTS (S, ✲ ) are: We denote with Ef H and Rf H the evolution and reachability maps for the TTTS induced by the HS H.
Remark 3.2. The "f" in Ef and Rf stands for "finite", because these maps consider only states that are reachable in finitely many transitions. There is an important difference between discrete systems and continuous/hybrid systems. In a discrete (time) system the transition relation suffices to define trajectories, the evolution, and the reachability maps. In a continuous (time) system: to define trajectories, the structure of a HS is needed; to define the evolution map, the timed transition relation suffices; and to define the reachability map, the transition relation suffices.

If H is a HS on S, then ∀I:P(S).Ef
(t n |n:ω) is a strictly increasing sequence with t 0 = 0 and sup n:ω t n = d.
The accumulation points of (s n |n:ω) in the topological space S are called the Zeno points, and d is called the Zeno time, since it is the time needed to reach a Zeno point from s 0 .
H B of Example 2.8 is the classical case of a HS with Zeno behavior. When b is in the interval (−1, 0), the stop state s = (0, 0) is reached in finite time from s 0 = (0, v) with v < 0, but after infinitely many bounces (see Fig 3 in Sec 6). When b is in the interval (0, 1), H B has a chattering Zeno behavior, ie, the stop state is reached after infinitely many instantaneous slowdowns. On the other hand, Prop 3.5 shows that the stop state is not in Rf HB ({s 0 }) when b = 0.
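The bouncing ball H B of Example 2.8 and the Zeno discussion above can be made concrete with a small simulation. This is an added example, not code from the paper: it enumerates the timed states that finitely many transitions reach from s 0 = (0, v 0 ) and computes the Zeno time, showing that for b:(−1, 0) the stop state (0, 0) is the accumulation point of the bounce sequence but never one of its members. The model assumes gravity −1, the jump v⁺ = b·v at h = 0 for v < 0, and a kick to velocity V when the ball is at rest, as in the text; the function names are this example's own.

```python
"""Bouncing ball H_B: finitely many transitions versus the Zeno point.

Constructed example. State is (h, v); with gravity -1 a flight launched from
h = 0 with v > 0 has h(t) = v*t - t**2/2 and lands after time 2*v with
velocity -v.  Jumps happen at h = 0: a falling ball is reflected with
restitution b, a resting ball is kicked with velocity V.
"""
from typing import List, Tuple

State = Tuple[float, float]            # (height h, velocity v)
TimedState = Tuple[float, State]       # (time t, state) as in Ef({s0})


def flight_time(v: float) -> float:
    """Duration of the flow transition from (0, v), v > 0, back to h = 0."""
    return 2.0 * v


def jump(v: float, b: float, V: float) -> float:
    """Jump relation G at h = 0: reflect a falling ball, kick a resting one."""
    if v < 0:
        return b * v
    if v == 0:
        return V
    return v                           # rising ball at h = 0: only the flow applies


def finite_evolution(v0: float, b: float, V: float, n: int) -> List[TimedState]:
    """Timed states at the bounce instants after at most n bounces.

    Each bounce is one flow transition (if the ball is rising) followed by one
    jump transition, so this enumerates part of Ef({(0, v0)}): only states
    reached in finitely many transitions.  For b in (-1, 0) every velocity in
    the trace is positive, ie the stop state (0, 0) never appears.
    """
    t, v = 0.0, v0
    trace: List[TimedState] = [(t, (0.0, v))]
    for _ in range(n):
        if v > 0:                      # flow until the ball lands with velocity -v
            t += flight_time(v)
            v = -v
        v = jump(v, b, V)              # discrete transition at h = 0
        trace.append((t, (0.0, v)))
        if v == V and v0 != V:         # ball came to rest and was kicked: chain ends
            break
    return trace


def zeno_time(v0: float, b: float) -> float:
    """Zeno time for b in (-1, 0).

    The k-th flight starts with velocity v0*|b|**k and lasts 2*v0*|b|**k, so
    the bounce instants are partial sums of a geometric series converging to
    2*v0/(1-|b|).  Their accumulation point in T x S is (zeno_time, (0, 0)),
    which belongs to the closure Es but to no finite trace.
    """
    if not (-1.0 < b < 0.0):
        raise ValueError("Zeno behaviour requires -1 < b < 0")
    return 2.0 * v0 / (1.0 - abs(b))


def regime(b: float) -> int:
    """Which of the seven trajectory kinds of Example 2.8 the value of b gives."""
    if b < -1.0:
        return 1
    if b == -1.0:
        return 2
    if b < 0.0:
        return 3
    if b == 0.0:
        return 4
    if b < 1.0:
        return 5
    if b == 1.0:
        return 6
    return 7


if __name__ == "__main__":
    # Constructed sample: v0 = 1, b = -1/2, kick velocity V = 2.
    for t, (h, v) in finite_evolution(1.0, -0.5, 2.0, 8):
        print(f"t = {t:.4f}  h = {h}  v = {v}")
    print("Zeno time:", zeno_time(1.0, -0.5))
```

The chattering case b:(0, 1) is covered by the same loop: after landing the velocity stays negative, so the ball jumps repeatedly at the same instant with velocities b^n · v → 0.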
Proof. We prove that S is closed wrt the transition relation HB ✲ by case analysis. There are three cases:
We propose a key change to Def 3.1 that exploits the topology on S and T by considering reachable also a state that is arbitrarily close to reachable states. We denote with Es H and Rs H the safe evolution and safe reachability maps for the TTTS induced by the HS H, respectively.
In fact, the sequence (s n |n:ω) is included in S, and all its accumulation points must be in S, because S is closed. The set S also includes asymptotically reachable points, ie, accumulation points of a sequence (s n |n:ω) such that ∀n.s n dn H ✲ s n+1 and n:ω d n = +∞, that may not be reachable in finite time.
The safe maps include other points that should be considered reachable in finite time, but are not reachable in a finite number of transitions. For instance, consider a HS H = (F, ∅) on R^n that can only flow, thus, it cannot have Zeno behaviors, and a continuous map f :Top([0, d), R^n) such that:
• the derivative ḟ of f is defined and continuous in (0, d),
• there is no way to extend f to a continuous map on [0, d].
If f (0):I, then Es H (I) includes {(t, f (t))|t < d} and also the pairs (d, There is an analogue of Thm 3.3 for the safe maps, but with weaker properties, mainly because the set of closed subsets is closed only wrt finite unions.
Theorem 3.8. The following properties hold: 1. Es is monotonic and preserves finite unions. 2. Rs is monotonic, preserves finite unions, is a closure, and π(Es(I)) ⊆ Rs(I). Here, S:C(S) is the closure of S:P(S), ie, the smallest S ′ :C(S) such that S ⊆ S ′ .
Proof. See Appendix A.

Summary of inclusion relations
We provide a summary of the inclusion relations among the sets computed by the four maps defined in this section. Given a hybrid system H on S and a subset I:P(S) of initial states, there are two subsets E:P(T × S) and R:P(S) informally defined as:
• E: the set of (t, s) such that s is reached at time t, ie, there is a trajectory of H starting from a state in I and reaching s at time t.
• R: the set of states reachable (from I) in finite time, ie, R = π(E).
The monotonic maps in Def 3.1 and 3.6 allow one to define four subsets:
• Ef H (I): the set of (t, s) such that s is reached at time t in finitely many transitions.
• Rf H (I): the set of states reachable in finitely many transitions, ie, π(Ef H (I)).
• Es H (I):C(T × S), a closed over-approximation of E.
• Rs H (I):C(S), a closed over-approximation of R.
When I:C(S), the inclusion relations among these six subsets are:

A Framework for Approximability
All maps introduced in Sec 3 (see Def 3.1 and 3.6) are monotonic maps between complete lattices. Thus, they live in the poset-enriched category Po of complete lattices (more generally of posets) and monotonic maps. In fact, one can stay within Po, by defining a complete lattice of hybrid systems on S (this can be done also for timed transition relations), by exploiting its cartesian closed structure, and by using the order relation to express when something is an over- or under-approximation of something else. Po is also the natural setting for defining and comparing abstract interpretations [CC92], with adjunctions giving a systematic way to relate more concrete to more abstract interpretations.
Therefore, Po will be used as a framework in which to place and compare the reachability (and evolution) maps introduced so far, as well as their variants.
Definition 4.1. A poset-enriched category A (see [Kel82]) consists of: • a class of objects, notation X:A; • a poset A(X, Y ) of arrows from X to Y , notation X f ✲ Y and f 1 ≤ f 2 ; • identities X idX ✲ X and composition X g•f ✲ Z of composable arrows X f ✲ Y g ✲ Z satisfying the usual equations and monotonicity, ie, If A has a terminal object 1 and h:A(X, X), then: Any notion in A has a dual notion in A op and a co-notion in A co , in particular: The following facts are instances of more general results valid in 2-categories. 1. If f ⊣ g, then g is uniquely determined by f , and when g exists it is denoted by f R , and called the right adjoint to f . 2. If f :X → Y is an isomorphism, then f ⊣ f −1 .
Definition 4.4. The poset-enriched category Po is defined as follows: • Objects X:Po are complete lattices, ie, posets (|X|, ≤ X ) such that every subset S of |X| has a sup, denoted as S. In particular, ∅ is the least element ⊥ X of X.
Remark 4.5. Po is cartesian closed in the enriched sense, ie, it has a terminal object and the following poset isomorphisms natural in Z: , where X × Y is the cartesian product of the complete lattices X and Y .
Moreover, f ⊣ g in Po exactly when f and g form a Galois connection, ie: Restricting the objects of Po to complete lattices allows one to characterize the arrows f :Po(X, Y ) that have right adjoints, and implies that every h:Po(X, X) has an initial algebra and a final co-algebra (the proofs of Thm 3.3 and 3.8 make systematic use of the universal property of initial algebras).
Proposition 4.6. Given a map f :Po(X, Y ) the following are equivalent: For a HS on S, the complete lattices X of interest should have as underlying set a subset of P(S), but there are two choices for ≤ X : inclusion ⊆; and reverse inclusion ⊇. When ≤ X is an information order, the correct choice is reverse inclusion, since a smaller over-approximation is more informative. Given a complete lattice X and x:|X|, the complete lattice X ↑ x is the set {x ′ |x ≤ X x ′ } ordered by ≤ X . When X is one of the complete lattices from Def 4.7, instead of X ↑ x, we write x in place of S, eg, P(S) stands for P(S) ↑ S when S:P(S), and H(H) stands for H(S) ↑ H when H:H(S).
Given C:C(S), equivalently, a closed subspace of S, (1) below is a commuting diagram in Po of sup-preserving maps, and (2) is the commuting diagram of right adjoints to the maps in (1), where g(U ) = U ∩ C, and f R (U ) = U .
Proof. By definition of sum S = i:I.S i of topological spaces, a subset A of S is closed exactly when each A i = {a|(i, a):A} is a closed subset of S i .
The set C(S) of closed subsets of a topological space S is closed wrt intersections computed in P(S), thus the inclusion f preserves sups. Since C is closed, g(U ) = U ∩ C is closed when U is closed. ✷
Definition 4.9. Given a Banach space S, we define the following maps in Po:

Proof. See Appendix A.
Given an adjunction Y f ✲ ⊥ ✛ g X in Po such that g • f = id Y , one can identify Y with its image in X. Then, the right adjoint g maps every x:X to its best approximation in Y , ie, ∀y:Y.y ≤ x ⇐⇒ y ≤ g(x). Clearly a smaller Y means that the g(x) are less accurate. In static analysis it is customary to take as Y a finite lattice, in order to get decidability. In the case of safe reachability we take Y = C(S) in place of X = P(S). Also in this case there is a reduction in cardinality: when S is a Banach space with the cardinality of the continuum, C(S) has the cardinality of the continuum, while P(S) has a bigger cardinality.
It is quite easy to establish the following basic properties.
Requirements can be combined, eg, by defining the strict D-continuous maps.
Proposition 4.14. The best D-continuous approximation f ✷ of f satisfies the properties: id Proof. Like any best approximation ✷ F (−) on Po(X, Y ), − ✷ is monotonic and satisfies (f ✷ ) ✷ = f ✷ ≤ f . The D-continuous maps form a sub-category of Po, ie, they include identities and are closed wrt composition, thus id ✷

Best Approximations on Continuous Lattices
Thm 4.20 gives a simple way to compute f ✷ of f :Po(X, Y ) when X is a continuous lattice. Moreover, all continuous lattices for which we want to compute f ✷ have a countable base, which implies that D-and ω-continuous maps over these lattices coincide. Remark 4.15. [Eda95] advocates the use of Domain Theory for the study of dynamical systems. In this context, the complete lattice C(S) becomes relevant when S is a compact metric space. In fact, under this assumption, C(S) is a continuous lattice with a countable base (see [Eda95,Prop 3.4]). 4 Thus, one can address computability issues, and the Scott topology coincides with the Upper topology (see [Eda95,Prop 3.2 and 3.3]).
We recall some basic notions and facts on continuous lattices. For more details, the reader is referred to [GHK + 03,AJ94].
Definition 4.16. Given two complete lattices X and Y , define: • the way-below relation: Proposition 4.17. For any complete lattices X and Y , the following hold: Proposition 4.19. Given a continuous lattice X and a complete lattice Y : Proof. The following theorem says that f ✷ :Po(X, Y ) is the sup of step maps when X is a continuous lattice, and more specifically,

Footnote:
4 There are some minor differences between our work and that of [Eda95], namely, in [Eda95], U X is a hyperspace on the set of non-empty compact subsets of X, while our C(S) is a complete lattice on the closed subsets of S. However, for compact Hausdorff spaces, the only difference is given by the empty subset.

Proof. As X is a continuous lattice, the maps [b, f (b)] and f ′
] are D-continuous. We prove that for any given D-continuous map g ≤ f , we have g ≤ f ′ ≤ f . For x:X, the subset B(x) △ = B∩↓ ↓ x is directed and x = B(x). Therefore:

Robustness
The safe reachability maps introduced in Def 3.6 and 4.9 are of the form A:Po(C(S 1 ), C(S 2 )), with S 1 and S 2 metric spaces. We say that such an A is robust at C when small extensions to C cause small extensions to A(C). For discrete systems, robustness is not an issue (when the metric space S 1 is discrete every monotonic map is robust), while robustness of safe reachability Rs H :Po(C(S), C(S)) for a HS H on S is very sensitive to the HS, and restricting to purely continuous systems does not help either (see Example 5.9).

Definition 5.1 (Robustness). Given two metric spaces (S
The main result of this section is that robustness and D-continuity coincide when the S i are compact metric spaces. In this case, an analysis A becomes robust when replaced by its best D-continuous approximation. Remarkable instances of A, for which the main result applies, are safe reachability maps Rs:Po(H c (H 0 ) × C(S 0 ), C(S 0 )), where H 0 is a compact HS on S with support S 0 and H c (H 0 ) is the complete lattice of closed hybrid systems that refine H 0 , ie, H ≥ H 0 :H c (S).
In order to relate different properties of monotonic maps in Po(X, Y ), it is conceptually useful to move to the category Top of topological spaces, by considering suitable topologies on the underlying sets |X| and |Y |. For a complete lattice X, one can define two topologies on |X|: Alexandrov topology O A (X), and Scott topology O S (X) ⊆ O A (X). The partial order ≤ X can be recovered as the specialization order of the two topologies. Thus, topologies are more informative than partial orders: the Alexandrov continuous maps, ie, the maps in Top(O A (X), O A (Y )), are the monotonic maps from X to Y , while the Scott continuous maps Top(O S (X), O S (Y )) are the D-continuous maps from X to Y . Furthermore, for robustness one can identify a suitable topology on C(S). Proof. We exploit the following facts, which are valid in any metric space: Since O n ⊆ C n :U and U is upward closed, then ↑ O n ⊆ U . Theorem 5.4. Given two metric spaces (S i , d i ), and a map A:Set(C(S 1 ), C(S 2 )), the following properties are equivalent:

1. A is monotonic and robust in the sense of Def 5.1.
2. A is continuous wrt the Robust topologies.
Proof. See Appendix A.
Lemma 5.5. We have the following inclusions among topologies on C(S): 1. The Upper topology is included in the Scott topology, when S is compact.
2. The Alexandrov topology is included in the Robust topology, when S is a discrete metric space (eg, d(x, y) = 1 when x ≠ y).
Proof. When S is a compact topological space, any closed subset of S is compact.
closed subsets whose intersection is ∅. Since compact subsets (therefore, also the closed subsets) have the finite intersection property and D ′ is directed, some K ′ i must be ∅, or equivalently, K i : ↑ O.
If ( In finite dimensional Banach spaces like R^n, the compact subsets are exactly the closed subsets C that are bounded, ie, C ⊂ B(0, δ) for some δ > 0. On the contrary, in infinite dimensional Banach spaces (under the strong topology) they form a proper subset of the closed bounded ones. For instance, neither the closure nor the boundary of a ball B(0, δ) is compact.
Theorem 5.7. Given a map A:Po(C(S 1 ), C(S 2 )), with S 1 and S 2 metric spaces: To define S r one must restrict Rs H to a map in Po(C(S 0 ), C(S 0 )), where S 0 is a sufficiently large compact subset of S. When H is compact, the canonical choice for S 0 is S(H). • red -S r − S s , there is no analogue for a trajectory starting from s 0 .

Expand
H E of Example 2.6 is a compact deterministic HS on R, whose behavior is depicted in Fig 1. The canonical choice for S 0 is the interval [0, M ]. For H 0 we take F 0 = S 0 × [−M, M ] and G 0 = ∅, whose support is still S 0 .
We now explain why making the set of reachable states robust wrt perturbations to H does not make a difference in the case 0 < m 0 ≤ M . To approximate S R we take a small δ > 0 and define I δ ≪ I in C(S 0 ) and H δ ≪ H in H c (H 0 ). Let

Decay
H D of Example 2.7 is a deterministic HS on R, whose behavior is depicted in Fig 2. Its closure is compact but it is no longer deterministic. The canonical choice for S 0 is the interval S s = S r = S R = S 0 , because S s = S 0 and these subsets cannot be bigger than the support of H 0 . This result does not change, when H 0 is replaced with a HS with a bigger support, but the proof is not as simple (see Sec 6.1).

Bouncing Ball
H B of Example 2.8 is a deterministic HS on R^2; its behavior depends on the coefficient of restitution b (see Fig 3). The closure of H B is not compact and its support is the closed subset {(h, v)|0 ≥ h}. However, compactness is irrelevant to define and compare S f and S s . Let s 0 = (0, v 0 ) with 0 < v 0 < V and S(u) 2 is exactly E(0, u), then the sets S f and S s are (see Fig 4): To make H B compact, the simplest is to put an upper bound to the energy of the system, say E 0 = E(0, V 0 ) with V 0 > V , and allow only b such that |b| ≤ 1, so that the energy cannot increase when the ball bounces. So we replace H B with the following compact HS H, whose support is To define S R we fix a compact HS H 0 with support S 0 . The simplest choice is to take F 0 = F and replace G with a G 0 independent from b, namely The relations among S s , S r and S R , when |b| ≤ 1 and 0 < v 0 < V < V 0 , are There is an informal explanation for S R in the case b = −1 (elastic bounce).
After each bounce the ball may lose a bit of energy, thus after sufficiently many bounces it may stop (minimum energy). After a kick the energy will reach the maximum value allowed, and then it may decrease again after each bounce. Thus any level of energy in [0, E(0, V )] is reachable, assuming 0 < v 0 < V .
More formally we define H δ ≪ H in H c (H 0 ) such that H δ → H when δ → 0. Since H 0 allows only perturbations in G, we define G δ (for δ > 0) as has the same support of H 0 , but H ′ 0 < H 0 , because after a bounce the ball can increase its energy as far as it stays below the upper bound E(0, V 0 ). This change results in a bigger subset S R when |b| = 1, namely ie, any state in the support of H is reachable because of the more permissive perturbations.

Conclusions and Future Work
The main contributions of this paper concern reachability analysis in the context of hybrid (and continuous) systems.
Firstly, we have proposed safe reachability Rs H (I), which computes an over-approximation of the set of states reachable in finite time from the set I of initial states by the hybrid system H, and compared it with the more naive reachability Rf H (I), which computes only an under-approximation.
Secondly, and more importantly, we have addressed the issue of robustness of an analysis A cast as a monotonic map A:Po(X, Y ) between complete lattices X and Y of a particular form (ie, hyperspaces of metric spaces). Robustness of A means that A(x δ ) → A(x) as δ → 0, where x δ is a small perturbation of x depending on a δ > 0, which measures the level of inaccuracy. In some cases (ie, when the metric spaces are compact) robustness amounts to Scott continuity, and one can exploit the following facts: • Every monotonic map A:Po(X, Y ) between complete lattices has a best Scott continuous approximation A ✷ ≤ A:Po(X, Y ).
• When X is a continuous lattice, A ✷ (x) is the sup of {A(b)|b ≪ X x}, ie, it is computed by applying A to way-below approximations of x.
While the importance of safe/sound analyses is widely recognized, the issue of robustness is mostly overlooked (one reason being that for discrete systems it is not an issue). In our view, robustness has at least two immediate implications: Modeling languages. There should be syntactic support to distinguish between hard and soft constraints on a hybrid system H. Hard constraints must be satisfied also by small perturbations H δ . Thus, they identify the complete lattice (hyperspace) X where H is placed, while soft constraints provide the additional information to identify H uniquely within X. The distinction would be needed by tools that implement a robust analysis and can be ignored by other tools. In [GKC13] there is no explicit annotation for soft constraints, instead there is a re-interpretation of logical formula, which injects δ-noise in specific sub-formulas.
Finite model checking. Counterexample-guided Abstraction & Refinement (CEGAR) is a general way of analyzing a system H with an infinite state space by leveraging finite model checking tools (see [CGJ + 00, CFH + 03]).
In the setting of abstract interpretation, CEGAR amounts to approximating an analysis A:Po(X, X) with finite analyses A ′ :Po(X f , X f ), ie: Whenever X f is fixed, there is a best approximation A f :Po(X f , X f ) of A given by A f If H is a HS on S = R n and its support is included in a compact subset K, then there are three reachability analyses Rs ✷ H ≤ Rs H ≤ Rf H :Po(X, X), where X = C(K) is a continuous lattice with a countable base, but uncountably many elements (unless K is finite). One may wonder whether replacing X with a finite sub-lattice X f would make the three analyses indistinguishable: the answer is no (counterexamples can be given using H E and H D in Examples 2.6 and 2.7).
However, there is a way to turn a finite approximation A ′ :Po(X f , X f ) of A:Po(X, X) into a finite approximation A ′′ of A ✷ , provided that X is a continuous lattice, namely, A ′′ (x) As future work we plan to address computability issues. More specifically, given a compact HS H 0 on S with support S 0 , is Rs ✷ :Po(H c (H 0 )×C(S 0 ), C(S 0 )) computable? When S has a countable dense subset, all continuous lattices involved have a countable base, and the question can be formulated in a well-established setting. In [EP07] the authors study computability of the evolution map for a compact and continuous flow automaton (ccFA for short). In our setting, a ccFA is a tuple (C, f, G, I), with C a compact subset of R^n called invariant, f :Top(C, R^n) the flow function, G:C(C × C) the jump relation, and I:C(C) the set of initial states. The graph of f is the flow relation f :C(C × V ), with V = f (C). Therefore, (f, G) is a compact HS on R^n with support included in the compact subset K = C ∪ V .
Most of the steps in defining the denotational semantics of a ccFA use Scott continuous maps, but for the lack of a continuous lattice/domain of ccFA. It would be interesting to see if their denotational semantics extends to compact HS, giving a Scott continuous computable map [[−]]:Po(H c (H 0 ) × C(S 0 ), C(S 0 )), and then compare it with the map Rs ✷ between the same lattices.