HYBRID POSSIBILISTIC SYSTEMS WITH NONDETERMINISTIC CONTINUOUS EVOLUTIONS AND SWITCHINGS

We propose a new class of hybrid (discrete-continuous) dynamical system models with nondeterministic continuous evolutions and switching between discrete modes. Formally, this class is rather similar to the class of stochastic hybrid systems, but it is based on possibility theory. This approach has an advantage over stochastic models when available statistical information is not sufﬁcient for constructing a reliable stochastic model. For example, it may be useful for modeling human-machine-environment systems, because, as it has been argued in the literature, possibility theory describes many aspects of human behavior better than probability theory. In this work we present a motivating example, give a deﬁnition and semantics of our systems, consider reachability problems for large subclasses of them, and propose methods to tackle these problems.


INTRODUCTION
Hybrid systems [1][2][3] are dynamical systems with interacting continuous-time and discrete-event dynamics.Continuous-time dynamics is usually modeled by differential equations and discrete-event dynamics is usually modeled by automata.These systems have a wide range of applications including automation, process control, communication, mechatronics, transportation systems, robotics, real-time software and other fields.In many applications, a hybrid system represents a continuous plant and a discrete controller that switches between modes of the plant.As a mathematical model, a hybrid system is often considered as idealization of a real cyber-physical system.But the adequacy of such modeling may become questionable, because switching conditions and differential equations may describe dynamics imprecisely, values of some parameters may be unknown, etc.Therefore, extensions of a hybrid system model which allow uncertainties can be useful.Researchers have proposed several different ways to incorporate uncertainty into hybrid systems [2][3][4][5]: nondeterministic and stochastic hybrid systems, systems with random structure, etc.Most approaches can be classified according to the chosen place of uncertainty in a hybrid system (continuous dynamics, occurrence of discrete events, jumps in continuous states after discrete events) and the kind of an underling uncertainty theory.Many of them are based on probability theory, but this is not the only available choice.
In this paper we propose a new class of hybrid systems with uncertain switching, which is based on the possibility theory [6][7][8][9] .We argue that this class is well-suited for modeling human-machine systems, e.g. a driver-vehicle system.Also, we study basic properties and the reachability problem for large subclasses of our models.
The paper is organized in the following way: in section 2 we consider the problem of modeling driver-vehicle system and propose a possibilistic model of hybrid system for this problem (on informal level); in section 3 we recall necessary notions of possibility theory; in section 4 we for-mally define a simple subclass of possibilistic systems with uncertain switching and investigate basic properties and the reachability problem for systems of this class; in section 5 we define a more general class of hybrid possibilistic systems with uncertain switching and investigate its properties and the reachability problem.

MOTIVATING EXAMPLE
Consider the problem of modeling human behavior in a driver-vehicle-environment system [11][12][13].Interest in this problem comes from applications in safety analysis (driver behavior is known to be the dominant factor in traffic safety), intelligent driver assistance systems, etc. [13].The history of driver's behavior modeling can be traced back to theoretical studies of driving by J. Gibson, L. Crooks (1938) [14].The problem proved to be difficult, and approaches originating from different fields (psychology, control theory, etc.) and with different aims were proposed [11].But it is generally accepted that driving task can be considered at strategic, tactical and operational levels [15], and that comprehensive driving models should take into account these levels.Driver's behavior can be represented by rules which describe actions which the driver takes in response to a driving situation (collection of external factors, e.g.road and weather condition, distances to other vehicles) to achieve the purpose of the trip.The strategic behavior is responsible for the trip route, preferred travel lane, etc.The tactical behavior determines maneuvering actions, e.g.lane changing for danger avoidance.The operational behavior consists in a (mostly continuous) lateral control and longitudinal speed control (gas/break).
We consider an example of a driver's behavior model of tactical/operational level [16].Suppose that the driver of a running vehicle behaves rationally and tries to avoid crashes and keep safe distances to other vehicles.Under these assumptions [16] the driver's procedural knowledge can be modeled by a set of IF/THEN rules.Consider a simplified subset of such rules (where a safe following distance can be determined using a so-called "three seconds rule" [16]): • IF the distance to the preceding vehicle is less than the safe following distance THEN decelerate and maintain the safe following distance.
• IF the distance to the preceding vehicle is equal to the safe following distance THEN maintain distance.
• IF the preceding vehicle's braking light flashes AND distance to the preceding vehicle is equal to safe following distance THEN brake and decelerate rapidly.
• IF the preceding vehicle's braking light flashes AND the distance to the preceding vehicle is less than the safe following distance AND the vehicle behind is not too close THEN brake.
This set of rules is given for illustration only.Suppose that we want to apply such rules to construct a mathematical model of a driver-vehicle-environment system.Suppose that a vehicle-environment model is already available and it outputs a (dynamically changing) value y obs which represents elements of the vehicle-environment model which can be observed by the driver (e.g. the distance to the preceding vehicle).For the purpose of a highlevel modeling, it is reasonable to ignore details of driver's perception (like in many control-theoretic and stochastic driver behavior models).In this case we can model driver's behavior as a decision procedure based on driving rules, and accept that driver's decisions depend directly on y obs .However, the vagueness of the driving rules (e.g.meaning of the conditions like "too close") implies that decisions depend on y obs non-deterministically.We have to apply some uncertainty theory to describe them.
In the literature [10] it is argued that the possibility theory is well suited for representing subjective estimations of satisfaction and acceptability (vague threshold values), perception and quantities based on memory (e.g.travel time, distance, appearance), descriptive conditions (e.g.traffic congestion, comfort), imprecise values which are hard to measure and summarize (e.g.sight distance, reaction time).
In our case, we deal with notions of subjective perception and acceptability, so we can apply possibility theory for modeling uncertainty in driver's decisions.The proposed model of driver's behavior (Fig. 1) has a form of an oriented graph of "driving modes".Fig. 1 A model of driver's behavior The arcs ("transitions between modes") are labeled with real-valued functions ψ i, j which represent uncertain switching conditions.These conditions may depend on the time t and the vehicle's observable state y obs .For each t and y obs the meaning of ψ i, j (t, y obs ) ∈ [0, 1] is a level of (conditional) possibility of transition from the mode i to the mode j, if the current mode is i, the time is t, and the observable state is y obs .Note that if ψ i, j are constant functions, we get a model similar to possibilistic Markov chains [17][18][19].
For example, we can interpret the "Mode 1" in Fig. 1 as "Normal (constant-speed) driving', "Mode 2" as "Decelerate" and y obs as the distance to the preceding car.Then we can represent the uncertain switching condition "Preceding car is too close" as a specific function ψ 1,2 .
To define semantics of our model of driver's behavior, we have to link it with vehicle-environment model.Usually, a vehicle-environment dynamics corresponding to a given driving mode can be modeled by a system of differential equations (possibly with disturbances and uncertainties) [11].However, in this paper we do not consider disturbances and uncertainties in differential equations.The resulting driver-vehicle-environment model has a form shown in Fig. 2, where y all ∈ R d denotes the vehicle-environment state and y obs ∈ R d is the observable state (the relation between y obs and y all is given by projection-like functions g i ).We call the obtained driver-vehicle-environment model a hybrid system with uncertain switching.In some aspects it is similar to the notion of a hybrid automaton [1,2], but the mode switching is uncertain and is modeled in possibilistic framework.Now we explain informally semantics of such a system.Denote by G a labeled graph shown in Fig 2 .Let I be a finite set of modes (nodes of G).Firstly, let us ignore arc labels ψ i, j in this graph and define an execution of the system as a triple ( q, ȳall , ȳobs ) consisting of a piecewiseconstant function q : R → I (a "mode trace"), a piecewisecontinuous function ȳall : R → R d (a "state trace") and a function ȳobs : R → R d (an "observable state trace") such that ( q(0), ȳall (0)) ∈ A 0 (where 0 is the initial time moment and A 0 is a chosen set of initial modes/states), and there exists a finite or infinite sequence of pairs of time moments and modes (t 0 , q 0 ), (t 1 , q 1 ), (t 2 , q 2 ), ..., of length N ≥ 1 (N = +∞, if the sequence is infinite) such that • ( q(0), q 0 ) is an arc in G, and (q k−1 , q k ) is an arc in G for each k = 1, 2, ..., N − 1 • for each k < N the functions q, ȳall , ȳobs satisfy equations q(t) = q k , ȳall (t) = z k (t), ȳobs (t) = g q k ( ȳall (t)) on the set Note that because of the specifics of application domain (and unlike semantics of hybrid automata), this definition excludes multiple mode switchings at one time moment and Zeno-like behaviors [1].
Let Tr be the set of all executions.Semantics of a hybrid system with uncertain switching is a possibility distribution on executions, i.e. a (total) function π : Tr → [0, 1] which estimates possibility level of each execution.If we knew this distribution, we would be able to compute the following quantities: ϕ i j (t, y) = sup{π(( q, ȳall , ȳobs ))| ( q, ȳall , ȳobs ) ∈ Tr and q(t) = i, q(t+) = j, ȳobs (t) = y } for each i, j ∈ I, t ≥ 0 and y ∈ R d (where q(t+) denotes the right limit).In the possibility theory the value ϕ i j (t, y) can be interpreted as the possibility level of the event "the system switches from i to j at time t, and the observable state at time t is y".Now recall that ψ i j (t, y) (informally) means the conditional possibility of the same event, but with additional condition that the system is in the mode i at time t.Intuitively, ϕ i j (t, y) ≤ ψ i j (t, y), because to make a transition from i to j at time t, the system should reach i at time t, but this can be implausible or even impossible.
For this reason, we postulate the inequality ϕ i j (t, y) ≤ ψ i j (t, y) for all i, j,t, y and propose to use it as a defining property of π.In general case it has no unique solution (if we consider π an unknown).However, we can choose the (pointwise) maximal solution as the semantics of the system (principle of minimum specificity [7]).Informally, this solution gives the best estimate of the possibilities of executions under the chosen assumptions.
It is easy to see that the quantities ϕ i j (t, y) express important safety properties of the system, e.g.we can use them to obtain upper bounds for possibility levels of some unwanted actions (mode switchings) or states.Therefore, to be able to solve safety analysis problems, we should obtain a method for computing the values ϕ i j (t, y) from the given functions ψ i j .Note that if we (pointwise) increase π, then the values ϕ i j (t, y) also increase for each fixed i, j,t, y.Hence ϕ i j (t, y) are solutions of the following optimization problem (where π is a variable distribution): 1. ϕ i j (t, y) → max (for each i, j,t, y) 2. ϕ i j (t, y) ≤ ψ i j (t, y) for all i, j,t, y 3. ϕ i j (t, y) = sup{π(( q, ȳall , ȳobs )) | ( q, ȳall , ȳobs ) ∈ Tr and q(t) = i, q(t+) = j, ȳobs (t) = y } Then we can try to solve it using iterative approximation methods.
We have outlined the general idea of a hybrid system with uncertain switching.In the rest of the paper we will give a rigorous definition and semantics of such systems and study their properties.

Markov-like processes
We use the following framework of (quantitative) possibility theory [6][7][8][9].Let X be a space of atomic events.

Π(
for any family {A k } k of subsets of X (events), and let N : 2 X → [0, 1] be a necessity measure, i.e.
for any family {A k } k .We assume that Let T be a timeline -either a set of non-negative integers N ∪ {0} (discrete time), or a set of non-negative real numbers [0, +∞) (continuous timeline).
Let Y be a non-empty set (of states).We will use the following conventions: if pred is some predicate on X, then Π{x : pred(x)} denotes Π({x ∈ X : pred(x)}); a variable t denotes time and ranges over T .
Under our assumption of totality of measures we will use the following terminology: • a process is an arbitrary total function T × X → Y ; • a trajectory of a process p : T × X → Y is a function t → p(t, x) for an arbitrary fixed x; • the distribution of a process p : where for all q : T → Y , i.e.F p (q) is a possibility of a function q to be a trajectory of p; • The distribution F p is called binary if F p (q) ∈ {0, 1} for each q.
• an α-trajectory of p (where α ∈ [0, 1)) is a function q : T → Y such that F p (q) > α, i.e. q is a trajectory of p with possibility greater than α.
To define rigorously our possibilistic model we need a possibilistic counterpart of a (stochastic) Markov process.In the context of possibility theory Markov processes and related notions have been investigated in several works, e.g.[17][18][19][20][21].However, these notions are not well suited for our purposes, so we introduce a new notion of possibilistic Markov process, which we call a Markov-like process to avoid confusion.
Let q 1 , q 2 be trajectories of a process p such that q 1 (t * ) = q 2 (t * ).Definition 3.1.The crossover trajectories of q 1 and q 2 at t * are functions q1 , q2 : Informally, q1 and q2 are obtained by gluing together parts of q 1 and q 2 before and after t * .Definition 3.2.A process p has the Markov-like property, if for each α-trajectories q 1 , q 2 of p and t * ∈ T such that q 1 (t * ) = q 2 (t * ), the crossover trajectories of q 1 and q 2 at t * are α-trajectories of p.
The Markov-like property means that the possibility distribution on continuations of a trajectory q after a time moment t * does not depend on the values of q before t * .
But the definition of a Markov-like process does not guarantee that the possibility of a trajectory q is uniquely determined by possibilities of its finite-time prefixes (i.e.values Π{x : ∀t ≤ t * p(t, x) = q(t)} for all t * ∈ T ).Definition 3.3.A Markov-like process p is called finitary, if for each trajectory q of p: Π{x : ∀t ≤ t * p(t, x) = q(t)} Definition 3.4.A (finitary) Markov-like distribution is a distribution of some (finitary) Markov-like process.
Finitary Markov-like processes/distributions are rather closely related to state transition systems.
Let Q be a non-empty set and C Q be the class of all labeled transition systems (Q, N ∪ {0}, →), where the set of states is Q, transition labels are non-negative integers, and the transition relation is An infinite execution of T S ∈ C Q is a sequence (ω-word) q 1 q 2 q 3 ... such that q 1 → 0 q 1 → 1 q 2 → 2 .... Basically, the systems in C Q work like time-labeled transition systems: a label can be interpreted as a time moment at which the system can make a transition between the given states.
The proof can be easily obtained from definitions.This lemma shows that the binary finitary Markovlike distributions are in one-to-one correspondence with ωlanguages of transition systems T S ∈ C Q .Hence, finitary Markov-like properties generalize such ω-languages in two ways: non-binary possibility and non-discrete timeline.

Markov-like jump processes
In the rest of the article we will assume that we have a continuous timeline T = [0, +∞).We will denote the left/right limit of a function f : R → R d at a point t as f (t−) and f (t+) correspondingly (if these limits exist).Definition 3.5.A Markov-like jump process is a finitary Markov-like process p such that each trajectory of p is piecewise constant and left-continuous.Definition 3.6.An unconditional transition distribution of a Markov-like jump process p : T × X → I (where I is a non-empty state space) is an indexed family (ϕ i, j ) i, j∈I of functions defined as follows: This means that ϕ i, j (t) is the possibility of transition from i to j at time t.
The following lemma shows that a distribution of a Markov-like jump process is uniquely determined by its unconditional transition distribution: Lemma 3.2.If p is a Markov-like jump process, then F p (q) = Π{x : ∀t p(t, x) = q(t)} = inf t∈T ϕ q(t),q(t+) (t), for each piecewise constant left-continuous q : T → Y .
Proof.The "only if" part can be easily proven using Lemma 3.2.To show the "if" part, let us define a mapping F : (T → I) → [0, 1] as follows: From (1) we have sup{F(q) | q : T → I} = 1.Let X = T → I be a set of elementary events.Let us define Π : 2 X → [0, 1] as follows: Let p : T × X → I be a process such that p(t, q) = q(t).Then it is not difficult to show that p is a Markov-like jump process and (ϕ i, j ) i, j∈I is its unconditional transition distribution.
Usually (as in our motivating example), we do not have an unconditional transition distribution as a part of process specification.Instead, we have conditional possibilities i.e. a possibility of a transition from i to j at time t, if the process is in the mode i.
However, we have the following problem: there is no universally accepted formal definition of conditional possibility.Several authors have proposed different approaches to conditional possibility [8].We overcome this problem using the following observation: we are dealing with conditional possibilities of the form Π(A|B), where A⊆B.In this case most definitions of conditional possibility imply the natural inequality Π(A|B) ≥ Π(A).We take the implication A⊆B ⇒ Π(A | B) ≥ Π(A) as an axiomatic definition of conditional possibility.Note that Π(A|B) and Π(A) do not determine each other uniquely.
We propose the following specification mechanism for Markov-like jump processes.Suppose that we know (informal) conditional possibilities of transitions (ψ i, j ) i, j∈I .Our aim is to construct a Markov-like jump process distribution using this knowledge.
To do this, we try to find an unconditional transition distribution (ϕ i, j ) i, j∈I from the following conditions: 1. ϕ i, j (t) ≤ ψ i, j (t), i.e. conditional possibilities are upper bounds for unconditional possibilities; 2. (ϕ i, j ) i, j∈I is the greatest (least specific) among all unconditional transition distributions (ϕ i, j ) i, j∈I satisfying ϕ i, j (t) ≤ ψ i, j (t).
Then (ϕ i, j ) i, j∈I determines the distribution of a Markov-like jump process.
Definition 3.7.An upper transition distribution is an indexed family (ψ i, j ) i, j∈I (where ψ i, j : T → [0, 1]) such that there exists an unconditional transition distribution (ϕ i, j ) i, j∈I such that ϕ i, j (t) ≤ ψ i, j (t) for all i, j ∈ I, t ∈ T .
I.e. an upper transition distribution is an upper bound for some unconditional transition distribution.In particular, a family of conditional transition possibilities (in our axiomatic definition) forms an upper transition distribution.Lemma 3.4.A family (ψ i, j ) i, j∈I is an upper transition distribution if and only if sup { inf t∈T ψ q(t),q(t+) (t) | a function q : T → I is piecewise constant and left-continuous } = 1.
Proof.The "only if" part can be easily proven using Lemma 3.2.To show the "if" part, let us define a family of functions (ϕ i, j ) i, j∈I such that ϕ i, j (t 0 ) = sup { inf t∈T ψ q(t),q(t+) (t) | a function q : T → I is piecewise constant, left-continuous and q(t 0 ) = i, q(t 0 +) = j} for each i, j ∈ I and t 0 ∈ T .It is not difficult to check that they satisfy conditions of Lemma 3.3 and ϕ i, j (t) ≤ ψ i, j (t) for all i, j ∈ I, t ∈ T .Thus (ψ i, j ) i, j∈I is an upper transition distribution.
Corollary 3.1.(A sufficient condition for an upper transition distribution).If max j∈I ψ i, j (t) = 1 for all i ∈ I and t ∈ T , then (ψ i, j ) i, j∈I is an upper transition distribution.Definition 3.8.An unconditional transition distribution (ϕ i, j ) i, j∈I is generated by an upper transition distribution (ψ i, j ) i, j∈I , if the following conditions are satisfied: 1. ϕ i, j (t) ≤ ψ i, j (t), i, j ∈ I, t ∈ T ; 2. ϕ i, j (t) ≤ ϕ i, j (t), i, j ∈ I, t ∈ T for each unconditional transition distribution (ϕ i, j ) i, j∈I such that ϕ i, j (t) ≤ ψ i, j (t), i, j ∈ I, t ∈ T .
Proof.Let us prove that (ϕ i, j ) i, j∈I satisfies condition 2 of Lemma 3.3.It is easy to check that for each piecewiseconstant left-continuous q and t 0 ∈ T , ϕ q(t 0 ),q(t 0 +) (t 0 ) ≥ inf t∈T ψ q(t),q(t+) (t).Then sup { inf t∈T ϕ q(t),q(t+) (t) | a function q : T → I is piecewise constant, left-continuous, q(t 0 ) = i, q(t 0 +) = j} ≥ ϕ i, j (t 0 ) for each i, j.On the other hand, ϕ i, j (t 0 ) ≤ ψ i, j (t 0 ) follows from the definition of ϕ i, j (t 0 ).Because i, j,t 0 are arbitrary, inf t∈T ϕ q(t),q(t+) (t) ≤ inf t∈T ψ q(t),q(t+) (t) for each q.Then using the definition ϕ i, j , we conclude that condition 2 of Lemma 3.3 is satisfied.It is easy to see that Lemma 3.4 implies that condition 1 of Lemma 3.3 is also satisfied.Hence (ϕ i, j ) i, j∈I is an unconditional transition distribution.Moreover, ϕ i, j (t) ≤ ψ i, j (t) for all i, j ∈ I, t ∈ T .Then (ϕ i, j ) i, j∈I satisfied condition 1 of Definition 3.8.The condition 2 of this definition can be easily shown using Lemma 3.3.Thus (ϕ i, j ) i, j∈I is an unconditional transition distribution generated by (ψ i, j ) i, j∈I .
This theorem implies that one can specify any Markovlike jump process (up to distribution) in the following way: specify an upper transition distribution and find a generated unconditional transition distribution from it.
The main property of this specification mechanism is that if we fix some definition of conditional possibility (such that Π(A|B) ≥ Π(A) whenever A⊆B) and define an upper transition distribution as a family of conditional possibilities of transitions of some Markov-like jump process p, then the generated unconditional transition distribution gives an upper estimate for the unconditional transition distribution of the process p.

Computation of the generated upper transition distribution
Consider the problem of computing the generated distribution from a given upper transition distribution.We propose a solution in the case when the upper transition distribution belongs to a special class described below.This class is definitely sufficient for most practical purposes.
We call a function f : T → [0, 1] piecewise-monotone, if for each t 0 ∈ T there exists a relatively open (in T ) neighborhood O of t 0 such that f is monotone on the set O∩[0,t 0 ) (if it is non-empty) and O ∩ (t 0 , +∞).Definition 3.9.An upper transition distribution (ψ i, j ) i, j∈I is piecewise-monotone, if the set I is finite and each function ψ i, j is piecewise-monotone.
The following theorem gives a monotone iterative method for computing generated unconditional transition distributions.
Theorem 3.2.Let (ψ 0 i, j ) i, j∈I be a piecewise-monotone upper transition distribution and (ϕ i, j ) i, j∈I be the corresponding generated unconditional transition distribution.Let (ψ n i, j ) i, j∈I , n = 1, 2, 3, ... be a sequence of families of functions defined by the following equations: t+), n ≥ 0, i = j (here we assume that ψ i,i (0−) = 1; 0 is the initial time moment) where ∨ and ∧ denote binary maximum and minimum operations on the segment [0,1].
Then (ϕ i, j ) i, j∈I is piecewise-monotone, and for each i, j, the sequence ψ n i, j , n ≥ 0 converges to ϕ i, j uniformly on each bounded set A ⊆ T .
The proof of this theorem consists of three main steps: represent the sequence Ψ n = (ψ n i, j ) i, j∈I as iterations of a monotone operator on a lattice of indexed families of piecewisemonotone functions (let us denote it by R f ), show that Ψ n converges to a fixed point of R f , and show that this fixed point is the required distribution.
Let us fix a finite set I (finiteness follows from assumptions of Theorem 3.2, because (ψ 0 i, j ) i, j∈I is a piecewisemonotone).Let D be the set of all indexed families (ψ i, j ) i, j∈I of functions ψ i, j : T → [0, 1], and D m be the set of all (ψ i, j ) i, j∈I ∈ D, where each ψ i. j is piecewise-monotone.
Let ≤ be a "per-index pointwise" partial order on D, i.e. (ψ i, j ) i, j∈I ≤ (ψ i, j ) i, j∈I iff ψ i, j (t) ≤ ψ i, j (t) for all i, j,t.
It is easy to see that the poset (D, ≤) is a complete lattice.We will denote by inf D and sup D the least upper bound and the greatest lower bound of a set or a sequence of elements of D. We assume that sup D / 0 and inf D / 0 are indexed families of functions which are constantly equal to 0 and 1.
The left and right limits exist, because ψ i, j , i, j ∈ I are piecewise-monotone (by the assumption (ψ i, j ) i, j∈I ∈ D m ).
Lemma 3.5.R f maps D m it itself.
Proof.Let (ψ i, j ) i, j∈I = R f ((ψ i, j ) i, j∈I ).It is not difficult to prove that if each ψ i, j , i, j ∈ I is monotone on a nonempty interval (a, b) ⊂ T , then there exist a ∈ (a, b) and b ∈ (a, b) such that each ψ i, j , i, j ∈ I is monotone on (a , b) and (a, b ).Then it is straightforward to show that each ψ i, j is piecewise monotone.
The proof follows immediately from the definition of R f .

Denote by
We will denote as f | A the restriction of a function on a set.It is easy to see that if For any functions f , g : A → [0, 1] we will denote by f ≤ g, f ∨ g, and f ∧ g the pointwise comparison, maximum, and minimum respectively.
For each f ∈ PwM(O) denote by LC( f ) a function g such that g(t) = f (t−), if t = 0, and Denote by RC( f ) a function g such that g(t) = f (t+).The left and right limits exist, because f ∈ PwM(O).
For each F ⊆ PwM(O) let The proof can be easily obtained from the definitions.
Let F be a set of functions f : A → [0, 1], where A is a set.Let L m (F) be the (carrier of) lattice of functions (with pointwise operations ∨, ∧) generated by F ∪Cst(A), where Cst(A) is the set of all constant functions c : , because constant functions are piecewise-monotone.Lemma 3.8.( [22]) If F is finite and g 1 , g 2 , ..., g s are all elements of the set { ∧ The proof follows from distributivity of the lattice of functions (A → [0, 1], ∨, ∧).For details see [22, p. 126].The proof can be obtained using lemmas 3.8 and 3.7.
We will say that a set of functions S ⊆ T → [0, 1] is locally finitely generated, if for each t ∈ T there exists a relatively open neighborhood O ⊆ T of t and a finite set Proof.By Lemma 3.5 the sequence (ψ n i, j ) i, j∈I , n ≥ 0 is well defined.Let us fix a time moment t ∈ T .Let F T = LR({0} ∪ {ψ 0 i, j |i, j ∈ I}), where 0 is constant zero function on T , and Using lemmas 3.7, 3.8, 3.9 it is not difficult to prove by induction on n that for all i, j and n ≥ 0, where , where χ t is the characteristic function of the set {t}.This concludes the proof.Lemma 3.11.Let F be a finite set of functions A → [0, 1], and f n ∈ L m (F), n ≥ 1 be a pointwise monotone sequence.Then f n , n ≥ 1 converges uniformly on A.
Proof.The Lemma 3.8 implies that there exist g 1 , g 2 , ..., g s : which hold all real x, y, x , y , it follows that if h n , h n , n ≥ 1 are uniformly convergent (on A) sequences of real-valued functions, then h n ∨ h n and h n ∧ h n , n ≥ 1 also converge uniformly on A. Then it is easy to see that f n k , k ≥ 1 converges uniformly on A. Then f n , n ≥ 1 converges uniformly on A, because it is pointwise monotone.Lemma 3.12.A pointwise-monotone sequence f n : T → [0, 1], n ≥ 1 such that { f n |n ≥ 1} is locally finitely generated converges uniformly on each bounded set A ⊆ T .

Proof. By definition of a locally generated set, there exists a collection of open sets
Proof.For each i, j ∈ I the sequence ψ n i, j , n ≥ 1 is pointwise monotone.Let ψ i, j be its pointwise limit.Then (ψ i, j ) i, j∈I = inf D n≥1 Ψ n .Moreover, it is easy to see that {ψ n i, j |n ≥ 1} (for fixed i, j) is locally finitely generated.By Lemma 3.12, ψ n i, j , n ≥ 1 converges uniformly on each bounded set A ⊆ T .Then it is not difficult to prove that R f Proof.By Lemma 3.5, Ψ n ∈ D m for n ≥ 1.Also, Ψ n , n ≥ 1 is non-increasing by Lemma 3.6 (1).By lemmas 3.10 and 3.13, inf The proof by contradiction can be easily obtained using the definition of R f and Lemma 3.3(2).Lemma 3.16.If (ϕ i, j ) i, j∈I is an upper transition distribution and a fixed point of R f , then (ϕ i, j ) i, j∈I is an unconditional transition distribution.
Using these properties it is easy to show that the condition 2 of Lemma 3.3 is satisfied.Moreover, sup i, j∈I ϕ i, j (t) = 1 for all t ∈ T , because otherwise we have a contradiction with Lemma 3.4.Thus (ϕ i, j ) i, j∈I is an unconditional transition distribution by Lemma 3.3.Lemma 3.17.If (ϕ i, j ) i, j∈I is generated by an upper transition distribution (ψ i, j ) i, j∈I ∈ D m , then (ϕ i, j ) i, j∈I ∈ D m .
Proof.Using Theorem 3.1 it is not difficult to prove that for each non-empty interval (a, b) ⊆ T , if all functions ψ i, j , i, j ∈ I are monotone on (a, b), then all functions ϕ i, j , i, j ∈ I are monotone on (a, b).Then it is straightforward to show that (ϕ i, j ) i, j∈I ∈ D m using finiteness of I. Now we are able to prove Theorem 3.2.Let Ψ n = (ψ n i, j ) i, j∈I for each n ≥ 1.By Lemmas 3.5 and 3.6, the sequence Ψ n , n ≥ 1 is well-defined and monotone.Then for each i, j the sequence ψ n i, j , n ≥ 1 has a pointwise limit ψ i, j .Lemma 3.14 implies that Ψ = (ψ i, j ) i, j∈I is a fixed point of R f , Ψ ≤ Ψ 0 , and Ψ ≤ Ψ for each fixed point Ψ of R f such that Ψ ≤ Ψ 0 .Let Ψ = (ϕ i, j ) i, j∈I .By Lemma 3.17, Φ ∈ D m .Then by Lemma 3.15, Φ is a fixed point of R f .Moreover, Φ ≤ Ψ 0 .Hence Φ ≤ Ψ.Then Ψ is an upper transition distribution.By Lemma 3.16, Ψ is an unconditional transition distribution.Because Φ is generated by Ψ 0 and Φ ≤ Ψ ≤ Ψ 0 , we conclude that Φ = Ψ.Then Lemmas 55 and 3.12 imply that for each i, j, the sequence ψ n i, j , n ≥ 0 converges to ϕ i, j uniformly on each bounded A ⊆ T .Let I be a non-empty finite set of states, T = [0, +∞).Let f i : T ×R d → R d for i ∈ I and ψ i, j : T → [0, 1] for i, j ∈ I. Definition 4.1.A simple system with uncertain switching (SSUS) is a pair (F, Ψ) of indexed families of functions F = ( f i ) i∈I and Ψ = (ψ i, j ) i, j∈I .
Let Σ = (F, Ψ) be a SSUS, F = ( f i ) i∈I , Ψ = (ψ i, j ) i, j∈I .Definition 4.2.A SSUS Σ is well-formed, if Ψ is an upper transition distribution.Definition 4.3.A semantic model of Σ is an equation where p : T × X → I is a Markov-like jump process such that Ψ is an upper transition distribution which generates the unconditional transition distribution of p.
Hence, SSUS is well-formed iff it has a semantic model.Let us denote X + = {x ∈ X | Π{x} > 0}, i.e. the set of atomic events which have a positive possibility level.Definition 4.4.A solution of the equation ( 5) is a process y : T × X → R d such that for any fixed x ∈ X + the trajectory t → y(t, x) satisfies equation ( 5) in sense of Caratheodory, i.e. is absolutely continuous on each compact segment in T and satisfies (5) almost everywhere (with respect to Lebesgue's measure).Definition 4.5.An α-trajectory (where α ∈ [0, 1)) of SSUS Σ is an α-trajectory of some solution of some semantic model of Σ. Definition 4.6.An α-execution (where α ∈ [0, 1)) of SSUS Σ is a pair (q, ȳ) such that there exists a semantic model ẏ(t, x) = f p(t,x) (t, y(t, x)) of Σ, a solution y * : T × X → R d of this model and x * ∈ X such that Π{x * } > α and q(t) = p(t, x * ) and ȳ(t) = y * (t, x * ) for all t ∈ T .
Note that sets of α-trajectories of solutions of any two semantic models of the same SSUS coincide.Lemma 4.1.ȳ is an α-trajectory of Σ iff there exists q such that (q, ȳ) is an α-execution of Σ.
The proof follows immediately from the definitions.
An α-execution represents a dynamic behavior of SSUS (larger α corresponds to a higher possibility level).An αtrajectory represents a continuous part of this behavior.
A SSUS can be considered as a formalization of the model shown in Fig. 2 in the case when the state does not influence driver's decisions (g i are constant functions, ψ i, j depend only on time).
Consider the initial condition We say that the problem ( 5)-( 6) has a unique solution (up to trajectories of possibility zero) if every two solutions of (5) which satisfy (6) coincide on the set T × X + .
Theorem 4.1.Suppose that the following conditions are satisfied (where .denotes the Euclidean norm): (1) for each i ∈ I and t ∈ T , the function y → f i (t, y) is defined and continuous on R d , and for each y ∈ R d , the function t → f i (t, y) is measurable; (2) for each i ∈ I there exists a function h i : T → R + , which is bounded on every compact segment in R, such that for each i ∈ I there exists a function L i : T → R + (Lipschitz constant), which is bounded on every compact segment in R, such that Then for each y 0 ∈ R d the problem ( 5)-( 6) has a unique solution.
The proof reduces to Caratheodory's existence theorem [23] by taking into account that trajectories of the process p are piecewise-constant.
Let (ϕ i, j ) i, j∈I be an unconditional transition distribution of a Markov-like jump process p : T × X → I. Theorem 4.2.Suppose that conditions of Theorem 4.1 are satisfied.Then a function ȳ : T → R d is an α-trajectory of some solution of (5) if and only if there exists a piecewise constant and left-continuous function q : T → I such that inf t∈T ϕ q(t),q(t+) (t) > α and ȳ satisfies equation ẏ(t) = f q(t) (t, y(t)) on T in sense of Caratheodory.
The proof follows from Theorem 4.1 and Lemma 3.2.

Reachability analysis
One of the basic analysis problems for SSUS is the reachability problem: find states which can be reached with (at least) a given level of possibility.
Let Σ = (( f i ) i∈I , (ψ i, j ) i, j∈I ) be a well-formed SSUS such that ( f i ) i∈I satisfy conditions of Theorem 4.1 and (ψ i, j ) i, j∈I is piecewise-monotone.For any set Y 0 ⊆ R d and t ∈ T let us define a closure of an α-reachable set: is a closure of the set of points which can be reached by α-trajectories of Σ at the moment of time t from the set Y 0 .
Note that although in general case the proof of Lemma 4.2 is not constructive, for some concrete representations of piecewise-monotone transition distributions (e.g.finite collections of lattice terms) τ i can be computed effectively.
Let (ϕ i, j ) i, j∈I be a piecewise-monotone unconditional transition distribution generated by (ψ i, j ) i, j∈I (it is described in Theorem 3.2).
Also, let us define an indexed family of sets: 1. Y 0 i, j = Y 0 , if i = j and Y 0 i, j = / 0, if i = j; 2. for each i, j ∈ I and k ≥ 1: Assume that t > 0 and 0 = τ 0 < τ 1 < ... < τ n = t be a sequence of moments given in Lemma 4.2 for (ϕ i, j ) i, j∈I , α and t.The theorem given below allows one to find αreachable points of the phase space for SSUS.More specifically, it reduces the problem of computation of reachable sets for SSUS to the similar problem for ordinary (nonpossibilistic) switched systems [1] (the set reach).
with uncertain switching.For a large subclass of this class (well-formed systems with specific assumptions on flows and transition distributions) we formulated and studied the reachability problem.The results may be useful for modeling and analysis of safety of human-machine systems.
We plan to investigate new classes of hybrid possibilistic systems and new problems in forthcoming papers.

Fig. 2 A
Fig. 2 A driver-vehicle-environment model

Lemma 3 . 1 .
Let L Q be the class of all ω-languages of transition systems T S ∈ C Q .
PwM(O) the set of all piecewise monotone functions on a relatively open set O ⊆ T , i.e. functions f : O → [0, 1] such that for each t 0 ∈ O there exists a relatively open

) Lemma 3 . 7 . ( 1 )
The set PwM(O) together with pointwise operations ∨, ∧ forms a lattice (2) LC and RC are endomorphisms of this lattice (3) LR is a closure operator on the power set of PwM(O)

Lemma 3 . 9 .
Let F ⊆ PwM(O) be a finite set which includes a zero constant function.If LR(F) = F, then LR(L m (F)) = L m (F).

1 .
Definition, sematic models, solutionsBefore we consider general hybrid systems with uncertain switching, let us study a simpler notion.