
Compositionality of Lyapunov functions via assume-guarantee reasoning

Published 3 Apr 2026 in cs.LO, math.CT, and math.DS | (2604.03017v1)

Abstract: Assume-guarantee reasoning is a technique for compositional model checking in which system specifications are checked under certain assumptions on system parameters or inputs, and provide guarantees on observations of system state. We present a categorical framework for assume-guarantee reasoning for safety problems by viewing systems as lenses, following our earlier work on the compositionality of generalized Moore machines. Generalized Moore machines include ordinary Moore machines, partially observable Markov (decision) processes, and systems of parameterized ODEs (control systems); our framework gives assume-guarantee reasoning specially adapted to each of these cases. In particular, we give a novel formulation of assume-guarantee reasoning for (local) input-to-state stability ((L)ISS) Lyapunov functions on systems of parameterized ODEs. Our framework is categorically natural and straightforwardly compositional. A flavor of generalized Moore machine is determined by a tangency: a fibration with a section. We show that symmetric monoidal loose right modules of assume-guarantee certified generalized Moore machines over symmetric monoidal double categories of certified wiring diagrams can be constructed 2-functorially from fibrations internal to the 2-category of tangencies.

Summary

  • The paper establishes a category-theoretic framework using lenses and double categories for compositional assume-guarantee reasoning in system stability verification.
  • It formalizes Lyapunov functions to capture both qualitative and quantitative properties, extending classical ISS and LISS conditions through certified lenses.
  • The framework supports modular verification across diverse systems—including ODEs, Moore machines, and POMDPs—while ensuring compositional certification.

Compositional Reasoning of Lyapunov Functions via Category-Theoretic Lenses

Overview and Motivation

This paper establishes a category-theoretic foundation for assume-guarantee reasoning in compositional model checking, with a particular focus on Lyapunov functions for system stability. Utilizing the formalism of lenses and double categories, it generalizes verification techniques to a broad class of dynamical systems—including ordinary and generalized Moore machines, parameterized ODEs, and partially observable Markov (decision) processes (POMDP/MDPs).

The principal achievement is the construction of a compositional, categorical algebra for reasoning about system safety and stability, applicable to both qualitative (predicate-based) and quantitative (Lyapunov/stability) specifications. It systematically extends the semantics of modular verification to complex interconnected systems, supporting both synchronous and interactive couplings.

Categorical Framework for Assume-Guarantee Reasoning

The paper models dynamical systems as generalized Moore machines represented categorically as lenses. Interfaces are abstracted as pairs $\lens{A_o}{o:O}$, where $A_o$ is a set (or bundle) of available actions conditioned on observations $o$ from $O$. The evolution and observation maps, $u$ and $v$, respectively, define the state-transition and output mechanisms.

Certification of systems—i.e., proofs of safety properties—is formalized via predicates on states, actions, and outputs. Assume-guarantee constructs are cast as predicates $\alpha$ (inputs), $\varphi$ (state), and $\gamma$ (outputs), and verification conditions involve compositional implications:

  • If a state satisfies $\varphi$ and an action satisfies $\alpha$, then the post-transition state also satisfies $\varphi$.
  • If a state satisfies $\varphi$, the output satisfies $\gamma$.

These conditions are captured via morphisms in categories of sets with predicates, and via certified lenses in double categories, enabling the encoding of compositional and modular verification rules.

A key categorical insight is that the compositional structure of wiring diagrams (and corresponding system connectives) can be synthesized as lenses, and that the algebraic properties of their composition ensure preservation and propagation of certifications. The paper proves that certified systems and certified wiring diagrams form a symmetric monoidal loose right module (a 2-algebra), and that these modules are fibered over their uncertified analogues.
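The two verification conditions and their propagation through a wiring can be checked by brute force on finite deterministic Moore machines. The following is an added example, not code from the paper: the two machines, their bounds, the restriction to a series wiring, and the names `certified`, `wire_ok`, `series` and `check` are all assumptions made for illustration.

```python
def certified(states, inputs, update, readout, alpha, phi, gamma):
    """True iff (alpha, phi, gamma) satisfy both assume-guarantee conditions."""
    # Condition 1: phi(s) and alpha(a)  =>  phi(update(s, a))
    step_ok = all(phi(update(s, a))
                  for s in states for a in inputs if phi(s) and alpha(a))
    # Condition 2: phi(s)  =>  gamma(readout(s))
    out_ok = all(gamma(readout(s)) for s in states if phi(s))
    return step_ok and out_ok

def wire_ok(values, gamma_up, alpha_down):
    """Series wiring condition: upstream guarantee implies downstream assumption."""
    return all(alpha_down(o) for o in values if gamma_up(o))

def series(m1, m2):
    """Feed m1's output into m2's input and return the composite machine."""
    (S1, I1, u1, v1), (S2, _, u2, v2) = m1, m2
    states = [(s1, s2) for s1 in S1 for s2 in S2]
    update = lambda s, a: (u1(s[0], a), u2(s[1], v1(s[0])))
    readout = lambda s: v2(s[1])
    return states, I1, update, readout

# Constructed machines, each given as (states, inputs, update, readout).
M1 = (range(10), range(10), lambda s, a: (s + a) // 2, lambda s: s)  # averaging filter
M2 = (range(21), range(10), lambda s, a: s // 2 + a, lambda s: s)    # leaky accumulator

def le(k):
    """Predicate 'value <= k'."""
    return lambda x: x <= k

def check(bound_in2, bound_state2):
    """Certify the parts, the wire, and the composite for the given M2 bounds."""
    a1, p1, g1 = le(4), le(4), le(4)
    a2, p2, g2 = le(bound_in2), le(bound_state2), le(bound_state2)
    parts = certified(*M1, a1, p1, g1) and certified(*M2, a2, p2, g2)
    wire = wire_ok(range(10), g1, a2)
    # Composite certificate: assume a1, invariant p1 AND p2, guarantee g2.
    whole = certified(*series(M1, M2), a1,
                      lambda s: p1(s[0]) and p2(s[1]), g2)
    return parts, wire, whole

if __name__ == "__main__":
    print(check(4, 8))   # parts certified, wire holds, composite certified
    print(check(3, 6))   # parts certified, wire fails, composite not certified
```

In the second call each machine is certified on its own, but the upstream guarantee no longer implies the downstream assumption, and the brute-force check of the composite fails accordingly.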

Tangencies, Fibrations, and Generalized Moore Machines

A central construct is the notion of a tangency, defined as a fibration with a section over a base category of state spaces. The general framework models interfaces, actions, and possible state changes as objects in fibered categories, and upgrades generalized Moore machines to objects internal to a chosen tangency.

This categorical layering facilitates a 2-functorial translation between frameworks for different system models (e.g., deterministic, nondeterministic, stochastic, continuous) and their certifications. The categorical machinery ensures that proofs and verification procedures are preserved under system composition and abstraction (i.e., simulations and coarse grainings).

Certified Lyapunov Methods for (L)ISS Open ODEs

A substantial portion of the paper is devoted to quantitative verification of stability for open systems of ODEs using Lyapunov functions. It provides a categorical interpretation of input-to-state stability (ISS/LISS), showing how standard Lyapunov certificates (local storage functions, AoA_o4 functions) can be encoded as exercises of certified lenses and predicates.

  • The local ISS (LISS) property, which ensures trajectories starting near an equilibrium do not stray far and eventually return, is precisely characterized using local storage functions and comparison functions (AoA_o5, AoA_o6).
  • The Lyapunov condition—existence of a differentiable storage function AoA_o7 and comparison functions AoA_o8 such that AoA_o9 for all oo0—is reconstructed as a certification condition in the double category of certified lenses.

The categorical formalization captures both the classical implication rules for Lyapunov proof (dissipative characterization) and the propagation of stability certificates through system interconnections by leveraging the functorial and fibered structure of the certified module.

A novel aspect is the quantitative version of certified lenses, where compositional rules not only require implication but allow for quantitative slacks via oo1 functions, making the framework robust in the presence of system perturbations and parameter variations.

Numerical and Formal Guarantees

The implications of the framework include:

  • Closure under Composition and Substitution: The compositional algebra ensures that assume-guarantee certificates are preserved under system interconnection (via wiring diagrams) and under abstraction (simulation/coarse-graining maps).
  • Fibrancy for Interfaces: The fibered nature of the categorical structures guarantees that guarantees/assumptions are stable under interface morphisms, e.g., change of variables or abstraction/refinement of system interfaces.
  • Quantitative Control of Certification Slack: In quantitative settings (e.g., for Lyapunov certificates), the system tracks and bounds cumulative "slack" in compositional reasoning through explicit addition of oo2 functions, ensuring that stability conditions remain valid.

The formal algebraic conditions are shown to reproduce known compositional stability results for ISS systems (see, e.g., compositional ISS in [sontagInputStateStability2008]) and can accommodate both local and global properties.

Theoretical and Practical Implications

The paper's categorical approach abstracts away from specifics of implementation and provides a blueprint for systematic, modular construction of correct-by-construction verification tools for complex systems. The techniques are applicable to:

  • Modular and hierarchical system verification, especially where open, interacting subsystems are prevalent.
  • Automatic synthesis of Lyapunov functions in compositional verification pipelines.
  • Extension to probabilistic/stochastic domains (POMDPs, MDPs) and other hybrid systems via adjustment of the base tangency and endofunctorial structure.

It sets the stage for further generalizations—such as handling $\omega$-regular and trace-based properties using supermartingale certificates, and integration with automata-theoretic verification via compositional coupling with Büchi or Streett automata.

Future Directions

The authors indicate plans to:

  • Develop practical model-checking implementations leveraging the compositional algebraic framework.
  • Expand the theoretical treatment to supermartingale certificates for quantitative $\omega$-regular properties, thus addressing non-safety specifications in a compositional style.
  • Integrate more advanced state-predicate and trace-specification techniques for probabilistic and hybrid system models.

Conclusion

This paper presents a comprehensive, category-theoretic methodology for compositional assume-guarantee reasoning, particularly as it pertains to Lyapunov-based verification of dynamical and control systems. By abstracting system composition, certification, and verification into the language of lenses, double categories, and fibered modules, it captures both qualitative and quantitative verification procedures within a robust algebraic structure. The framework's implications are considerable for the theory and practice of formal verification, especially as system complexity and heterogeneity increase.
