# Verification and Control of Hybrid Systems: A Symbolic Approach

## Abstract

Hybrid systems describe the interaction of software, modeled by finite-state systems such as finite-state machines, with the physical world, described by infinite-state systems such as differential equations. Verification and Control of Hybrid Systems provides a unique systematic exposition of several classes of hybrid systems, admitting symbolic models along with the relationships between them. The text outlines several key verification and control synthesis results for hybrid systems, guided by the concept of bisimulation, and illustrated by numerous examples. The book is divided into four parts: Part I presents basic concepts centered on a notion of system that is general enough to describe finite-state, infinite-state, and hybrid systems. Part II discusses the ways in which systems relate to other systems, such as behavioral inclusion/equivalence and simulation/bisimulation, using these relationships to study verification and control synthesis problems for finite-state systems. Part III draws inspiration from timed automata to present several classes of hybrid systems, with richer continuous dynamics, that can be related to finite-state symbolic systems. Once such relationships are established, verification and control synthesis problems for these hybrid systems can be immediately solved by resorting to the techniques described in Part II for finite-state systems. Part IV follows the same strategy by generalizing simulation/bisimulation relationships to approximate simulation/bisimulation relationships that can be used for a wider class of hybrid systems. This comprehensive treatment will appeal to researchers, engineers, computer scientists, and graduate students in the areas of formal methods, verification, model checking, and control and will undoubtedly inspire further study of the specialized literature. © Springer Science+Business Media, LLC 2009. All rights reserved.

## Chapters (11)

The word system is used in this book as a synonym for mathematical model of a dynamical phenomenon. Since different problems may require different models of the same phenomenon, we need a versatile notion of system that can be equipped with relationships explaining how different systems can be related. The purpose of this chapter is to provide one such notion and to illustrate its use in di_erent contexts.

Systems are mathematical models of dynamical phenomena that allow for rigorous analysis. In this chapter we describe the two kinds of verification problems that are considered in this book.

Formal models and techniques can be used, not only for the verification of systems, but also for its design. In this book we consider design problems for equivalence and pre-order relations.

The verification problem for a system S
a
and a model of desired behavior S
b
, asks the fundamental question of whether S
a
is either equivalent to the desired system \((S_a \cong S_b)\) or contained in the desired system \((S_a \preceq S_b)\). The answer to such questions will always depend on what we mean by system equivalence and system containment. In this chapter, we give various precise de_nitions for such relationships between two systems.

Verification problems can be formulated using behavioral and similarity relationships. We discuss both versions in this chapter and show how to convert verification problems using behavioral relationships into verification problems using similarity relationships. The later kind can be solved by computing fixed-points of conveniently defined operators.

Whenever a system S
a
fails to conform to its specification S
b
, in the sense that \(S_a \npreceq S_b\), we may ask if there exists another system S
c
, the controller, such that \(S_c \times_I S_b \preceq\) or even \(S_c \times_I S_a \cong S_b\). In this chapter we discuss these control problems in the behavioral and similarity contexts. We show how to reduce controller synthesis problems from the behavioral context to the similarity context and we solve the later by computing _xed-points of suitably de_ned operators. In addition to these general control problems we also present _xed-point solutions specialized for safety and reachability control problems that frequently arise in applications.

The evolution of physical quantities such as position, temperature, humidity, etc, is usually described by differential equations with solutions evolving on \({\mathbb R}^n\) or appropriate subsets. The infinite cardinality of \({\mathbb R}^n\) prevents a direct application of the verification methods described in Chapter 5. However, verification algorithms are still applicable whenever suitable finite-state abstractions of these infinite-state systems can be constructed. In recent years, several methods have been proposed for the construction of these abstractions based on a very interesting blend of different mathematical techniques. We present several of these methods starting with timed automata to illustrate the general principles of the abstraction process. Most of the abstraction techniques described in this chapter require linear differential equations. For this reason, we discuss as a special topic how to transform a class of nonlinear differential equations into linear di_erential equations in larger state spaces.

The prevalent role that software plays in modern complex engineering systems creates new control problems combining requirements of finite-state and of infinite-state nature. The existence of symbolic models for control systems suggests that we can use these abstractions to synthesize controllers enforcing finite-state requirements while accounting for the infinite-state dynamics. In this chapter, we discuss two classes of control systems admitting finite-state abstractions and how these can be used for control. Although the starting point is an infinite-state control system, the synthesized controllers are hybrid since they enforce finite-state and infinite-state requirements.

The similarity relationships introduced in Chapter 4 provided the framework upon which most of the abstraction techniques in Part III relied. In this chapter, we take an important conceptual step forward by abandoning the exact nature of these relationships.

The abstraction techniques presented in Chapter 7 and Chapter 8 were based on the construction of quotient systems. In generalizing exact to approximate similarity relationships, we abandon quotient based abstractions to focus on a different abstraction technique introduced in this chapter for affine dynamical systems. Similar results for nonlinear dynamical systems are presented as special topics. The results in Chapter 11 further enlarge the class of approximate symbolic models for verification by considering the effect of adversarial inputs.

This chapter continues the generalization from exact to approximate similarity, now in the context of symbolic models for control. We discuss approximate feedback composition and refinement, and show how the techniques developed in Chapter 10 can be suitably extended to control systems and switched affine systems. Nonlinear extensions of these results are presented as special topics.

... Since finite abstractions are finite, one can algorithmically solves controller synthesis problems by resorting to automata-theoretic approaches [3,4]. In general, there exist two types of finite abstractions: sound ones whose behaviors (approximately) contain those of the concrete systems and complete ones whose behaviors are (approximately) equivalent to those of the concrete systems [5]. ...

... The next result shows that the existence of an alternating simulation function for transition systems without internal inputs implies the existence of an approximate alternating simulation relation between them as defined in [5]. is anε-approximate alternating simulation relation, defined in [5], fromT (Σ) to T (Σ) withε =α −1 (ε). ...

... The next result shows that the existence of an alternating simulation function for transition systems without internal inputs implies the existence of an approximate alternating simulation relation between them as defined in [5]. is anε-approximate alternating simulation relation, defined in [5], fromT (Σ) to T (Σ) withε =α −1 (ε). ...

In this paper, we introduce a compositional method for the construction of finite abstractions of interconnected discrete-time switched systems. Particularly, we use a notion of so-called alternating simulation function as a relation between each switched subsystem and its finite abstraction. Based on some small-gain type conditions, we use those alternating simulation functions to construct compositionally an overall alternating simulation function as a relation between an interconnection of finite abstractions and that of switched subsystems. This overall alternating simulation function allows one to quantify the mismatch between the output behavior of the interconnection of switched subsystems and that of their finite abstractions. Additionally, we provide an approach to construct finite abstractions together with their corresponding alternating simulation functions for discrete-time switched subsystems under standard assumptions ensuring incremental input-to-state stability of a switched subsystem. Finally, we apply our results to a model of road traffic by constructing compositionally a finite abstraction of the network containing $50$ cells of $1000$ meters each. We use the constructed finite abstractions as substitutes to design controllers compositionally keeping the density of traffic lower than $30$ vehicles per cell.

... To achieve complex behaviors with strong guarantees, formal synthesis for control systems have been well-studied in recent years [3]- [5]. These methods use expressive formal languages such as linear temporal logic (LTL) [6] to specify complex behaviors, and apply rigorous techniques to abstract the dynamics to finite (Kripke) models. ...

... We derive an efficient and scalable procedure for the computation of the bounds in (4). Recall that the discretization procedure described above enables to write transition kernel T a as a product of error functions in (3). Hence, the optimization problems in (4) can be performed on (3), i.e., for q , q ∈ Q s to bound T a (q|x), we can optimize g(z) over z ∈ P ost(q, T , a). ...

... Define H as in Proposition 1 and construct rect(conv(H)). 3 Find grouping G(q) as described in Appendix I-C.1. 4 for g ∈ G(q) do 5 Pick an element q ref from g. 6 Find z max that upper-bounds T a (q ref |x) for x ∈ q as in Theorem 1. ...

Neural networks (NNs) are emerging as powerful tools to represent the dynamics of control systems with complicated physics or black-box components. Due to complexity of NNs, however, existing methods are unable to synthesize complex behaviors with guarantees for NN dynamic models (NNDMs). This work introduces a control synthesis framework for stochastic NNDMs with performance guarantees. The focus is on specifications expressed in linear temporal logic interpreted over finite traces (LTLf), and the approach is based on finite abstraction. Specifically, we leverage recent techniques for convex relaxation of NNs to formally abstract a NNDM into an interval Markov decision process (IMDP). Then, a strategy that maximizes the probability of satisfying a given LTLf specification is synthesized over the IMDP and mapped back to the underlying NNDM. We show that the process of abstracting NNDMs to IMDPs reduces to a set of convex optimization problems, hence guaranteeing efficiency. We also present an adaptive refinement procedure that makes the framework scalable. On several case studies, we illustrate the efficacy of the framework in providing non-trivial guarantees of correctness for NNDMs with architectures of up to 5 hidden layers and hundreds of neurons per layer.

... Despite providing very interesting insights, the results are limited to two-dimensional state spaces, and do not provide the quantitative information that we consider crucial. The second category uses symbolic abstractions [10,11], following on the extensive work on state-space partitioning and aggregation for abstractions, see [12]. In [10] and [11], the prediction of ISTs is focused on the scheduling problem: in this context, a scheduler can use finite-state traffic models to request sensor data before events are triggered in order to prevent collisions. ...

... The more general results rely on a behavioral interpretation of dynamical systems [14] and the associated abstraction methods [15,16]. The specialized results for PETC SAIST are based on a combination of quotient-based abstractions [12] and a behavioral-based analysis. Overall, our new results help consolidating the methodology proposed in [7], equipping engineers with a tool to formally estimate the benefits of ETC applications. ...

... When working with abstractions, we refer to the original system as the concrete system. In this paper, we work with finite-state abstractions using the framework of [12] and its transition systems. Later, we equip these systems with weights following [19], which allows us to derive metrics such as the SAIST. ...

Event-triggered control (ETC) is a major recent development in cyber-physical systems due to its capability of reducing resource utilization in networked devices. However, while most of the ETC literature reports simulations indicating massive reductions in the sampling required for control, no method so far has been capable of quantifying these results. In this work, we propose an approach through finite-state abstractions to do formal quantification of the traffic generated by ETC of linear systems, in particular aiming at computing its smallest average inter-sample time (SAIST). The method involves abstracting the traffic model through $l$-complete abstractions, finding the cycle of minimum average length in the graph associated to it, and verifying whether this cycle is an infinitely recurring traffic pattern. The method is proven to be robust to sufficiently small model uncertainties, which allows its application to compute the SAIST of ETC of nonlinear systems.

... A natural generalization is to consider hybrid systems that combine continuous-time and discrete-time elements [37], [38]. In fact, as seen below, some RTA mechanisms are naturally interpreted as inducing a hybrid system in closed-loop, even when the open-loop system is of the form (1). ...

... Example: Consider the system given by (38) and the constraint set where ω max ∈ R + represents the maximum allowable angular speed. It can be shown that this set is not itself forward invariant in general. ...

... with k d ≥ 0 is bounded to [−1, 1] and stabilizes system (38) to the origin. Furthermore, it can be shown that The trajectory is colored blue where u des = u act and red where the RTA mechanism is active. ...

Run Time Assurance (RTA) Systems are online verification mechanisms that filter an unverified primary controller output to ensure system safety. The primary control may come from a human operator, an advanced control approach, or an autonomous control approach that cannot be verified to the same level as simpler control systems designs. The critical feature of RTA systems is their ability to alter unsafe control inputs explicitly to assure safety. In many cases, RTA systems can functionally be described as containing a monitor that watches the state of the system and output of a primary controller, and a backup controller that replaces or modifies control input when necessary to assure safety. An important quality of an RTA system is that the assurance mechanism is constructed in a way that is entirely agnostic to the underlying structure of the primary controller. By effectively decoupling the enforcement of safety constraints from performance-related objectives, RTA offers a number of useful advantages over traditional (offline) verification. This article provides a tutorial on developing RTA systems.

... A powerful approach to control design with assurances is formal synthesis, e.g., [1]- [5]. In this approach, the system specification is expressed in a formal language such as linear temporal logic (LTL) [6], and the system evolution is abstracted to a finite model-called abstractionwith a simulation relation. ...

... With an abuse of notation, we use L(ω k x ) to denote the trace of ω k x . We use a temporal logic to express desired properties of Process (1). Classical temporal logics such as LTL specifications [6], however, are interpreted over infinite behaviors (traces), and given the high levels of uncertainty of Process (1) (unknown dynamics as well as noise), its infinite behaviors have trivial probabilities. ...

... We use interval Markov decision process (IMDPs) as the abstraction model for Process (1). IMDPs generalize Markov decision processes (MDPs) by allowing an interval of values for transition probabilities [30]. ...

Autonomous systems often have complex and possibly unknown dynamics due to, e.g., black-box components. This leads to unpredictable behaviors and makes control design with performance guarantees a major challenge. This paper presents a data-driven control synthesis framework for such systems subject to linear temporal logic on finite traces (LTLf) specifications. The framework combines a baseline (offline) controller with a novel online controller and refinement procedure that improves the baseline guarantees as new data is collected. The baseline controller is computed offline on an uncertain abstraction constructed using Gaussian process (GP) regression on a given dataset. The offline controller provides a lower bound on the probability of satisfying the LTLf specification, which may be far from optimal due to both discretization and regression errors. The synergy arises from the online controller using the offline abstraction along with the current state and new data to choose the next best action. The online controller may improve the baseline guarantees since it avoids the discretization error and reduces regression error as new data is collected. The new data are also used to refine the abstraction and offline controller using local GP regression, which significantly reduces the computation overhead. Evaluations show the efficacy of the proposed offline-online framework, especially when compared against the offline controller.

... Moreover, the terminal set is constructed by computing a contractive set [27]. We in particular apply a symbolic abstraction technique (see, e.g., [28]), which is a method to approximate or abstract behaviors of the control system with a finite transition system. The contractive set is constructed by solving a safety game as one of the algorithmic techniques from supervisory control [28]. ...

... We in particular apply a symbolic abstraction technique (see, e.g., [28]), which is a method to approximate or abstract behaviors of the control system with a finite transition system. The contractive set is constructed by solving a safety game as one of the algorithmic techniques from supervisory control [28]. The approach to finding a controlled invariant set by the symbolic abstraction for the unknown system has been recently studied in [25]. ...

... More specifically, if ( , ) ∈ ( ), every transition of Σ is approximately simulated by those of Σ according to (C.1) -(C.3) in Definition 2. Note that as for ( -)ASR is composed of the set of , i.e., = { } =1 , corresponding to a metric d (⋅, ⋅) in order to allocate the metric d (⋅, ⋅) to the kernel metric (⋅, ⋅) for all ∈ ℕ 1∶ for constructing an abstract system of the original system (4) in Section 7.2. The concept of an -ASR is useful to synthesize a controller for a concrete system by refining a controller synthesized for the abstract system with the alternating simulation relation by algorithmic techniques from discrete event systems, e.g., [28]. ...

Event-triggered control strategy is capable of significantly reducing the number of control task executions without sacrificing control performance. In this paper, we propose a novel learning-based approach towards an event-triggered model predictive control (MPC) for nonlinear control systems whose dynamics are unknown apriori. In particular, the optimal control problems (OCPs) are formulated based on predictive states learned by Gaussian process (GP) regression under a terminal constraint constructed by a symbolic abstraction. The event-triggered condition proposed in this paper is derived from the recursive feasibility so that the OCPs are solved only when an error between the predictive and the actual states exceeds a certain threshold. Based on the event-triggered condition, we analyze the stability of the closed-loop system and show that the finite-time convergence to the terminal set is achieved as the uncertainty of the GP model becomes smaller. Moreover, in order to reduce the uncertainty of the GP model and increase efficiency to find the optimal solution, we provide an overall learning-based event-triggered MPC algorithm based on an iterative task. Finally, we demonstrate the proposed approach through a tracking control problem.

... Formal synthesis of control systems has received significant attention in the past few years [1] due to increasing demand for correct-by-construction controllers in many safety-critical real-life applications, such as autonomous vehicles and unmanned aerial vehicles. These synthesis problems become more challenging while handling high-level logic properties, e.g., those expressed as linear temporal logic (LTL) formulae [2]. ...

... ( P-collection) A P-collection U is a finite collection of polytopes in R n , i.e., U = ∪ Nc a=1 P a , where N c ∈ N, and P a = {x ∈ R n |P a x ≤ p a } are polytopes, with a ∈ [1, N c ], P a ∈ R np,a×n , and p a ∈ R np,a . Additionally, for a P-collection U, we define larg(U) := max a∈ [1,Nc] numh(P a ), (2.8) and num(U) := N c , (2.9) with numh(·) as in (2.7). ...

... 27) num(pre(U 1 )) ≤ num(U 1 ), (A. 28) in which larg(·) and num(·) are defined in (2.8) and (2.9), respectively; pre(·) is as in (3.15), with exogenous disturbance set W = {0 n };g S (·) is as in (5.2), and p = max a∈ [1,Nc] numh(P a ), with U 1 = ∪ Nc a=1 (P a ). ...

In this paper, we present how to synthesize controllers to enforce $\omega$-regular properties over linear control systems affected by bounded disturbances. In particular, these controllers are synthesized based on so-called hybrid controlled invariant (HCI) sets. To compute these sets, we first construct a product system using the linear control system and the deterministic Rabin automata (DRA) modeling the negation of the desired property. Then, we compute the maximal HCI set over the state set of the product system by leveraging a set-based approach. To ensure termination of the computation of the HCI sets within a finite number of iterations, we also propose two iterative schemes to compute approximations of the maximal HCI set. Finally, we show the effectiveness of our approach on two case studies.

... Le principe de ces méthodes est de créer une abstraction purement discrète du système original que l'on représentera sous la forme d'un système de transitions fini et non-déterministe pour lequel un contrôleur est plus facile à synthétiser grâce aux méthodes du domaine du contrôle discret. Si une relation comportementale (simulation, bisimulation, leurs versions alternées et approchées ou une relation de raffinement de rétroaciii tion [Tabuada, 2009, Reissig et al., 2017) entre l'abstraction et le modèle original peut être prouvée, cela signifie que tous comportements du système original peuvent être reproduits dans l'abstraction. La relation de simulation alternée implique également qu'un contrôleur discret synthétisé sur l'abstraction peut être transformé en un contrôleur du modèle original satisfaisant les mêmes spécifications. ...

... L'idée principale des approches paresseuses pour surpasser l'algorithme de synthèse classique [Tabuada, 2009] est de restreindre les calculs à l'essentiel pour la partie synthèse [Girard et al., 2016, Hussien and Tabuada, 2018, Hsu et al., 2019, Nilson et al., 2017, Rungger and Stursberg, 2012. Dans de telles approches, les abstractions sont calculées à la volée, parallèlement à la procédure de synthèse, et la partie inexplorée du modèle symbolique reste non calculée. ...

... States contoured with colors belong to Bas(Dom(C) \ Q U ). States contoured with blue and yellow are controllable by inputs u 1 and u 2 correspondingly (i.e. belong to Q C [Tabuada, 2009], the classical fixed point algorithm with sparse abstractions [Kim et al., 2017] and the lazy algorithm from [Hussien and Tabuada, 2018], respectively. . . . . 89 5.3 Runtime comparison when varying the number of inputs. ...

This thesis focuses on the development of efficient abstraction-based controller synthesis approaches for cyber-physical systems (CPS). While abstraction-based methods for CPS design have been the subject of intensive research over the last decades, the scalability of these techniques remains an issue. This thesis focus on developing lazy synthesis algorithms for safety specifications. Safety specifications consist in maintaining the trajectory of the system inside a given safe set. This specification is of the utmost importance in many engineering problems, often prioritized over other performance requirements. Lazy approaches outperform the classical synthesis algorithm [Tabuada, 2009] by avoiding computations, which are non-essential for synthesis goals. Chapter 1 motivates the thesis and discusses the state of the art. Chapter 2 structures the existing lazy synthesis approaches and emphasizes three sources of efficiency: information about a priori controllable states, priorities on inputs, and non-reachable from initial set states. Chapter 3 proposes an algorithm, which iteratively explores states on the boundary of controllable domain while avoiding exploration of internal states, supposing that they are safely controllable a priory. A closed-loop safety controller for the original problem is then defined as follows: we use the abstract controller to push the system from a boundary state back towards the interior, while for inner states, any admissible input is valid. Chapter 4 presents an algorithm that restricts the controller synthesis computations to reachable states only while prioritizing longer-duration transitions. The original system is abstracted by a symbolic model with an adaptive grid. Moreover, a novel type of time sampling is also considered. Instead of using transitions of predetermined duration, the duration of the transitions is constrained by state intervals that must contain the reachable set. Chapter 5 is dedicated to monotone transition systems. The introduced lazy synthesis approach benefits from a monotone property of transition systems and the ordered structure of the state (input) space, and the fact that directed safety specifications are considered. The considered class of specifications is then enriched by intersections of upper and lower-closed safety requirements. Chapter 6 concludes the discussion and raises new issues for future research.

... Since the mismatch between original systems and their finite abstractions exists within a guaranteed error bound, one can ensure that original systems also fulfill the same property of interest as finite abstractions. Two different types of symbolic abstractions have been proposed in the relevant literature: (i) sound abstractions whose behavior embraces that of concrete systems and (ii) complete abstractions whose behavior is identical to that of original systems [1]. In particular, constructing complete abstractions provides a sufficient and necessary guarantee: there exists a controller satisfying a desired property of interest over symbolic abstractions if and only if there exists a controller fulfilling the same property in the concrete domain. ...

... There has been a comprehensive literature on the abstraction-based analysis of deterministic control systems. Construction of (in)finite abstractions, for different classes of deterministic models, has been broadly studied in [1], [2], [3], [4], [5], to name a few. In order to deal with the curse of dimensionality problem as the main challenge in the construction of finite abstractions, compositional abstractionbased techniques have been proposed in the past few years in [6], [7], [8], [9], [10], to name a few. ...

... is an˜ -approximate alternating bisimulation relation [1] be-tweenΥ and Υ with˜ ...

In this work, we propose a data-driven approach for the construction of finite abstractions (a.k.a., symbolic models) for discrete-time deterministic control systems with unknown dynamics. We leverage notions of so-called alternating bisimulation functions (ABF), as a relation between each unknown system and its symbolic model, to quantify the mismatch between state behaviors of two systems. Accordingly, one can employ our proposed results to perform formal verification and synthesis over symbolic models and then carry the results back over unknown original systems. In our data-driven setting, we first cast the required conditions for constructing ABF as a robust optimization program (ROP). Solving the provided ROP is not tractable due to the existence of unknown models in the constraints of ROP. To tackle this difficulty, we collect finite numbers of data from trajectories of unknown systems and propose a scenario optimization program (SOP) corresponding to the original ROP. By establishing a probabilistic relation between optimal values of SOP and ROP, we formally construct ABF between unknown systems and their symbolic models based on the number of data and a required confidence level. We verify the effectiveness of our data-driven results over two physical case studies with unknown models including (i) a DC motor and (ii) a nonlinear jet engine compressor. We construct symbolic models from data as appropriate substitutes of original systems and synthesize policies maintaining states of unknown systems in a safe set within infinite time horizons with some guaranteed confidence levels.

... Only recently, effort has been conducted to model ETC's generated traffic, which we split here into two categories. 1 The first is aimed at qualitative understanding of asymptotic properties of inter-event times of ETC [10], [11]; in both papers, the studies are dedicated to two-dimensional linear time-invariant (LTI) systems, and some conditions are given to show when traffic converges to periodic sampling or oscillatory patterns. The second aims at taming the highly variable inter-event times of ETC for scheduling purposes, and for that it relies on traffic models using finite-state abstractions under the framework of [12]: such models have been developed for continuous ETC for LTI systems in [13], [14], for PETC in [15], [16], and nonlinear systems in [17], [18], while only in [19] longer-term traffic predictions are addressed. Based on this second category, we have recently developed tools to compute the worst-case average inter-event time of an LTI system under PETC [20], [21], by using weighted automata [22] as abstractions. ...

... In this section, we shift from the nonlinear analysis tools used in Sec. IV to symbolic tools in the spirit of [12]. We focus on PETC, whose discrete-output nature facilitates the construction of finite-state models [16]. ...

... In [12], Tabuada gives a generalized notion of transition system: Definition 11 (Transition System [12]) A system S is a tuple (X , X 0 , E, Y, H) where: ...

A major recent development in control theory, event-triggered control (ETC) is claimed to provide enormous reductions in sampling frequency when compared to periodic sampling. However, little is formally known about its generated traffic. This work shows that ETC can exhibit very complex traffic, sometimes even chaotic, especially when the triggering condition is aggressive in reducing communications. First, we characterize limit traffic patterns by observing invariant lines and planes through the origin, as well as their attractivity. Then, we present methods to compute limit metrics, such as limit average and limit inferior inter-sample time (IST), with considerations to the robustness of such metrics. In particular, for periodic ETC (PETC) the methods are based on symbolic abstractions and can obtain rigorous bounds for these metrics, sometimes the exact values, as well as metrics that measure chaos in the traffic patterns. The developed analyses and techniques allow us to show that, if PETC stabilizes a periodic sampling pattern, than this pattern globally stabilizes the system; in addition, we show a case of PETC with chaotic sampling whose limit average IST is higher than what can be attained with periodic sampling, proving for the first time ETC's superiority over periodic sampling.

... The ETC traffic models built by the ETCetera tool can be encapsulated as generalized transition systems, following the definition from Tabuada in [41]: Definition 1 (Transition system). A system S is a tuple (X, X 0 , U, E, Y, ) where: ...

... The associated formal notions are, respectively, (bi)simulations and alternating (bi)simulations. See [41] for the formal definitions and associated methods. In this work, ETC systems and their sampling behaviors are abstracted by finite transition systems or timed automata; in this way, the constructed abstractions are used either to verify properties (verification) of a given ETC system's behavior or to synthesize traffic schedulers (control synthesis) that avoid packet collisions in networks shared by multiple ETC loops. ...

... Creating a controller that is able to avoid these states can be done effectively for finite transition systems by solving a safety game (c.f. Chapter 6 of [41]). In this safety game, the maximal fixed point of the operator ...

We present ETCetera, a Python library developed for the analysis and synthesis of the sampling behaviour of event triggered control (ETC) systems. In particular, the tool constructs abstractions of the sampling behaviour of given ETC systems, in the form of timed automata (TA) or finite-state transition systems (FSTSs). When the abstraction is an FSTS, ETCetera provides diverse manipulation tools for analysis of ETC's sampling performance, synthesis of communication traffic schedulers (when networks shared by multiple ETC loops are considered), and optimization of sampling strategies. Additionally, the TA models may be exported to UPPAAL for analysis and synthesis of schedulers. Several examples of the tool's application for analysis and synthesis problems with different types of dynamics and event-triggered implementations are provided.

... Supervisory control, as it is often also referred to, has many applications in e.g. automation of manufacturing plants, traffic control, scheduling and planning, and control of dynamical and hybrid systems [2,3]. The clearest advantage of using finite transition systems to model a control problem is that a large class of control problems in finite transition systems are decidable, meaning that the controller can be obtained automatically through an algorithm, or that a definitive answer that no controller can enforce the specifications is obtained. ...

... Finite LTSs represent dynamical systems that evolve in discrete state spaces upon the occurrence of actions or events in . They can represent computer programs, machines or factories, but also infinite dynamical systems through the method of abstractions, see [3]. The problem of control design in finite LTSs is to design a controller or strategy that chooses the action in at any point of the run of the system such that a given specification is satisfied. ...

... It was later simplified by Tabuada for a two-player game, where the controller chooses actions in to meet some specification against an antagonist environment that chooses the transitions. The following definition is an adaptation of Tabuada's [3]: Definition 2.1 (Alternating simulation (AS)). Consider two systems S ( , 0 , , , , ) and S = ( , 0 , , , , , ). ...

This paper studies the reduction (abstraction) of finite-state transition systems for control synthesis problems. We revisit the notion of alternating simulation equivalence (ASE), a more relaxed condition than alternating bisimulations, to relate systems and their abstractions. As with alternating bisimulations, ASE preserves the property that the existence of a controller for the abstraction is necessary and sufficient for a controller to exist for the original system. Moreover, being a less stringent condition, ASE can reduce systems further to produce smaller abstractions. We provide an algorithm that produces minimal AS equivalent abstractions. The theoretical results are then applied to obtain (un)schedulability certificates of periodic event-triggered control systems sharing a communication channel. A numerical example illustrates the results.

... Formal-methods based approach to system design [189,22] recommends rigorous requirement specification in every stage of the system development. Formal verification [17] and controller synthesis [189,22] are two leading approaches to provide correctness guarantees with respect to such requirements. ...

... Formal-methods based approach to system design [189,22] recommends rigorous requirement specification in every stage of the system development. Formal verification [17] and controller synthesis [189,22] are two leading approaches to provide correctness guarantees with respect to such requirements. While formal verification aims at providing a proof of correctness with respect to the given specifications, the goal of the controller synthesis approach is more ambitious: it takes a control system together with the specification, and produces a controller such that the resulting closed-loop satisfies the specification. ...

... While formal verification aims at providing a proof of correctness with respect to the given specifications, the goal of the controller synthesis approach is more ambitious: it takes a control system together with the specification, and produces a controller such that the resulting closed-loop satisfies the specification. The automated controller synthesis approach from formal requirements is referred to as correct-by-construction controller synthesis scheme [189,22,101]. While the controller synthesis approach has been well understood for safety, the secrecy requirements in CPS are often verified after the design of controllers. ...

Correct-by-construction synthesis is a cornerstone of the confluence of formal methods and control theory towards designing safety-critical systems. Instead of following the time-tested, albeit laborious (re)design-verify-validate loop, correct-by-construction methodology advocates the use of continual refinements of formal requirements -- connected by chains of formal proofs -- to build a system that assures the correctness by design. A remarkable progress has been made in scaling the scope of applicability of correct-by-construction synthesis -- with a focus on cyber-physical systems that tie discrete-event control with continuous environment -- to enlarge control systems by combining symbolic approaches with principled state-space reduction techniques. Unfortunately, in the security-critical control systems, the security properties are verified ex post facto the design process in a way that undermines the correct-by-construction paradigm. We posit that, to truly realize the dream of correct-by-construction synthesis for security-critical systems, security considerations must take center-stage with the safety considerations. Moreover, catalyzed by the recent progress on the opacity sub-classes of security properties and the notion of hyperproperties capable of combining security with safety properties, we believe that the time is ripe for the research community to holistically target the challenge of secure-by-construction synthesis. This paper details our vision by highlighting the recent progress and open challenges that may serve as bricks for providing a solid foundation for secure-by-construction synthesis of cyber-physical systems.

... To address the emerging challenges in dealing with modern CPSs, various approaches [2]- [4] have been developed to formally verify or synthesize certifiable controllers against rich specifications given by temporal logic formulae, such as linear temporal logics (LTL). Despite considerable development and progress in this field, when encountering large-scale CPSs, existing methods suffer severely from the curse of dimensionality, which limits their applications to systems of moderate size. ...

... Both types of The work is supported in part by the German Research Foundation (DFG) under grant ZA 873/7-1, the H2020 ERC Starting Grant AutoCPS (grant agreement No. 804639), the ERC LEAFHOUND Project, the Swedish Research Council (VR), and the Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg (KAW) Foundation. 1 Department of Electrical and Computer Engineering, Technical University of Munich, Germany. 2 Computer Science Department, LMU Munich, Germany. 3 Laboratoire des Signaux et Systèmes, CentraleSupélec, Univ. Paris Saclay, Gif sur Yvette, France. 4 Robert Bosch Center for Cyber-Physical Systems in Indian Institute of Science, Bangalore, India. ...

... Then, we show that based on our compositionality result proposed in the last section, the global STL task for the network is satisfied by applying the derived local controllers to subsystems individually. 2 Note that the decomposition of a global STL formula is out of the scope of this paper. In this paper, we use a natural decomposition of the specification, where the assumptions of a component coincide with the guarantees of its neighbours. ...

In this paper, we focus on the problem of compositional synthesis of controllers enforcing signal temporal logic (STL) tasks over a class of continuous-time nonlinear interconnected systems. By leveraging the idea of funnel-based control, we show that a fragment of STL specifications can be formulated as assume-guarantee contracts. A new concept of contract satisfaction is then defined to establish our compositionality result, which allows us to guarantee the satisfaction of a global contract by the interconnected system when all subsystems satisfy their local contracts. Based on this compositional framework, we then design closed-form continuous-time feedback controllers to enforce local contracts over subsystems in a decentralized manner. Finally, we demonstrate the effectiveness of our results on two numerical examples.

... These systems can be represented as control systems with continuous state spaces. Within these continuous spaces, it is challenging to leverage automated control synthesis methods that provide satisfaction guarantees for high-level specifications, such as those expressed in Linear Temporal Logic [2], [4], [32], [13]. ...

... A common approach to tackle the continuous nature of the state space is to use abstraction-based controller design (ABCD) schemes [32], [4], [21], [29]. The first step in the ABCD scheme is to compute a finite abstraction by discretising the state and action spaces. ...

... Finite abstractions are con-*This work is supported by the the EPSRC New Investigator Award CodeCPS (EP/V043676/1) and by the DFG project 389792660 TRR 248-CPEC. 1 School of Computing, Newcastle University, United Kingdom 2 MPI-SWS, Kaiserslautern, Germany nected to the original system via an appropriate behavioural relation such as feedback refinement relations or alternating bisimulation relations [25], [32]. Under such behavioural relations, trajectories of the abstraction are related to the ones of the original system. ...

This paper studies formal synthesis of controllers for continuous-space systems with unknown dynamics to satisfy requirements expressed as linear temporal logic formulas. Formal abstraction-based synthesis schemes rely on a precise mathematical model of the system to build a finite abstract model, which is then used to design a controller. The abstraction-based schemes are not applicable when the dynamics of the system are unknown. We propose a data-driven approach that computes the growth bound of the system using a finite number of trajectories. The growth bound together with the sampled trajectories are then used to construct the abstraction and synthesise a controller. Our approach casts the computation of the growth bound as a robust convex optimisation program (RCP). Since the unknown dynamics appear in the optimisation, we formulate a scenario convex program (SCP) corresponding to the RCP using a finite number of sampled trajectories. We establish a sample complexity result that gives a lower bound for the number of sampled trajectories to guarantee the correctness of the growth bound computed from the SCP with a given confidence. We also provide a sample complexity result for the satisfaction of the specification on the system in closed loop with the designed controller for a given confidence. Our results are founded on estimating a bound on the Lipschitz constant of the system and provide guarantees on satisfaction of both finite and infinite-horizon specifications. We show that our data-driven approach can be readily used as a model-free abstraction refinement scheme by modifying the formulation of the growth bound and providing similar sample complexity results. The performance of our approach is shown on three case studies.

... Over the last years, by leveraging formal verification methods, symbolic control techniques have provided a powerful framework for the control of complex systems under logic specifications (see the books [1] and [2] for surveys on this topic). The study of cyber-physical systems under this perspective is motivated by the increasing complexity of such dynamical systems, which intertwine more and more aspects of digital devices with real-world tasks. ...

... We define ψ(x(k)) as the index of the part that contains x(k) at instant k. For each i ∈ I p , the set of matrices (A i , B i , g i ) defines a nominal system within the i-th part whereas the set Ω i ⊂ R n , with 0 ∈ Ω i , characterizes both the exogenous input w(k) and the uncertainties generated when representing the nonlinear system (1) by the PWA system (2). As shown, for instance, in [24,Theorem 4.6], the system (2) can be built in a way that every solution to (1) is also a solution to (2). ...

... For each i ∈ I p , the set of matrices (A i , B i , g i ) defines a nominal system within the i-th part whereas the set Ω i ⊂ R n , with 0 ∈ Ω i , characterizes both the exogenous input w(k) and the uncertainties generated when representing the nonlinear system (1) by the PWA system (2). As shown, for instance, in [24,Theorem 4.6], the system (2) can be built in a way that every solution to (1) is also a solution to (2). Moreover, the methods in [24] and [25] allow the construction of (2) under either data-based or model-based approaches, i.e., when the non-linear model is unknown but some set of sampled trajectories are available or when the model is known and can be simulated offline. ...

In this manuscript, we investigate symbolic abstractions that capture the behavior of piecewise-affine systems under input constraints and bounded external noise. This is accomplished by considering local affine feedback controllers that are jointly designed with the symbolic model, which ensures that an alternating simulation relation between the system and the abstraction holds. The resulting symbolic system is called a state-feedback abstraction and we show that it can be deterministic even when the original piecewise-affine system is unstable and non-deterministic. One benefit of this approach is the fact that the input space need not be discretized and the symbolic-input space is reduced to a finite set of controllers. When ellipsoidal cells and affine controllers are considered, we present necessary and sufficient conditions written as a semi-definite program for the existence of a transition and a robust upper bound on the transition cost. Two examples illustrate particular aspects of the theory and its applicability.

... Formal-methods based approach to system design (Belta, Yordanov, & Göl, 2017;Tabuada, 2009) recommends rigorous requirement specification in every stage of the system development. Formal verification (Baier & Katoen, 2008) and controller synthesis (Belta et al., 2017;Tabuada, 2009) are two leading approaches to provide correctness guarantees with respect to such requirements. ...

... Formal-methods based approach to system design (Belta, Yordanov, & Göl, 2017;Tabuada, 2009) recommends rigorous requirement specification in every stage of the system development. Formal verification (Baier & Katoen, 2008) and controller synthesis (Belta et al., 2017;Tabuada, 2009) are two leading approaches to provide correctness guarantees with respect to such requirements. While formal verification aims at providing a proof of correctness with respect to the given specifications, the goal of the controller synthesis approach is more ambitious: it takes a control system together with the specification, and produces a controller such that the resulting closed-loop satisfies the specification. ...

... While formal verification aims at providing a proof of correctness with respect to the given specifications, the goal of the controller synthesis approach is more ambitious: it takes a control system together with the specification, and produces a controller such that the resulting closed-loop satisfies the specification. The automated controller synthesis approach from formal requirements is referred to as correct-by-construction controller synthesis scheme (Belta et al., 2017;Lee & Seshia, 2017;Tabuada, 2009). While the controller synthesis approach has been well understood for safety, the secrecy requirements in CPS are often verified after the design of controllers. ...

Correct-by-construction synthesis is a cornerstone of the confluence of formal methods and control theory towards designing safety-critical systems. Instead of following the time-tested, albeit laborious (re)design-verify-validate loop, correct-by-construction methodology advocates the use of continual refinements of formal requirements – connected by chains of formal proofs – to build a system that assures the correctness by design. A remarkable progress has been made in scaling the scope of applicability of correct-by-construction synthesis – with a focus on cyber-physical systems that tie discrete-event control with continuous environment – to enlarge control systems by combining symbolic approaches with principled state-space reduction techniques.
Unfortunately, in the security-critical control systems, the security properties are verified ex post facto the design process in a way that undermines the correct-by-construction paradigm. We posit that, to truly realize the dream of correct-by-construction synthesis for security-critical systems, security considerations must take center-stage with the safety considerations. Moreover, catalyzed by the recent progress on the opacity sub-classes of security properties and the notion of hyperproperties capable of combining security with safety properties, we believe that the time is ripe for the research community to holistically target the challenge of secure-by-construction synthesis. This paper details our vision by highlighting the recent progress and open challenges that may serve as bricks for providing a solid foundation for secure-by-construction synthesis of cyber-physical systems.

... Abstraction-based synthesis techniques have been an ongoing research area in the last decade (see e.g., [1,2] and the references therein). They consist in creating a finitestate abstraction (or a symbolic model) for a continuous or a hybrid system and refining the controller synthesized for the abstraction to a controller for the original system. ...

... Intuitively, Pre(A, V, B) contains all the states that are initially in x ∈ A and for which all the successors can be steered in B by selecting inputs from V . The Pre operator is a fundamental tool for reachability analysis, which is commonly used for controller synthesis of transition systems [1]. Let us give some characterizations for the Pre operator for LSM transition systems and lowerclosed sets. ...

... To find the maximal safety controller one can use the classical safety game [1], which consists of two steps. First, the domain of the maximal safety controller dom(C * ) is computed based on a fixed-point algorithm (see Algorithm 2). ...

... Switching linear systems are an important family of hybrid systems which often arise in Cyber-Physical systems (see [12]). Stability analysis of switching linear systems is challenging due to the hybrid behaviour caused by the switches. ...

... In Equation(12), I −1 (y; a, b) is the inversed regularized incomplete beta function (see[22]). Its ouput is x > 0 such that I(x; a, b) = y, where I is defined asI(·; a, b) : R >0 → R >0 : x → I(x; a, b) = x 0 t a−1 (1 − t) b−1 dt 1 0 t a−1 (1 − t) b−1 dt(11) ...

We present a framework based on multiple Lyapunov functions to find probabilistic data-driven guarantees on the stability of unknown constrained switching linear systems (CSLS), which are switching linear systems whose switching signal is constrained by an automaton. The stability of a CSLS is characterized by its constrained joint spectral radius (CJSR). Inspired by the scenario approach and previous work on unconstrained switching systems, we characterize the number of observations needed to find sufficient conditions on the (in-)stability of a CSLS using the notion of CJSR. More precisely, our contribution is the following: we derive a probabilistic upper bound on the CJSR of an unknown CSLS from a finite number of observations. We also derive a deterministic lower bound on the CJSR. From this we obtain a probabilistic method to characterize the stability of an unknown CSLS.

... FSMs represent the discrete behaviour of plant systems well and provide a formal structure to reason and trace the behaviour of a system, hence making them suitable to represent plant DTs. We use the definition of transition systems [10] to describe the FSM. A detailed discussion on the definition and representation of transition systems is given in the next subsection. ...

... To define a formal control system model we refer transition systems [10]. Transition systems serve as the formal theory for FSMs and provide semantics to define a machine with the desired behavior. ...

... Toward temporal logic specifications, a general approach is to construct a symbolic abstraction for the considered system such that formal methods like automata-theoretic and graph-searching methods can be applied to design a discrete controller to ensure the satisfaction of LTL specifications [3]- [6]. However, the abstraction-based control design may have huge computational complexity [7], which increases with system dimension and specification complexity, and is based on backward search techniques [8], which may be not available when time constraints are involved, e.g., in Signal Temporal Logic (STL). ...

... With the decomposition of the STL formula, we next design the controller such that the STL formula is satisfied by the system (4). The proposed controller is given below (8) where u f is the feedforward controller to generate the reference trajectory x f in the disturbance-free case, and u b is the feedback controller to track the reference trajectory in the disturbance case. The feedforward controller is related to the initial state which is bounded in certain region, and the feedback controller is related to x f due to the tracking requirement. ...

In this paper, we investigate the controller design problem for linear disturbed systems under signal temporal logic (STL) specifications imposing both spatial and temporal constraints on system behavior. We first implement zonotope-based techniques to partition the state space into finite cells, then propose an evaluation mechanism to rearrange the time constraints of the STL specification, and finally decompose the global STL formula into finite local STL formulas. In this way, each cell has a local control design problem, which is further formulated into a local optimization problem. To deal with each local optimization problem, we take advantage of the properties of zonotopes and reachability analysis to design local controller consisting of feedforward and feedback parts. By solving all local optimization problems, all local controllers are combined to guarantee the global STL specification. Finally, a numerical example is presented to illustrate the derived results.

... Abstraction-based control synthesis techniques have gained considerable attention in the past decade. These techniques provide tools for automated, correct-by-construction controller synthesis from complex specifications, typically given in the form of a Linear Temporal Logic (LTL) formulae [15]. It is then unsurprising the vast amount of developed software tools that can handle a wide variety of nonlinear control systems including Pessoa [8], CoSyMa [9], SCOTS [12], QUEST [6], FAUST [14], StocHy [3], and AMYTISS [7]. ...

... This difference (short programs versus finite-state controller) manifests itself in all the framework steps, particularly the NN training, projection, and lifting. We confine our focus on synthesizing finite-state controllers due to the extensive literature on analyzing such controllers in tandem with the controlled physical systems [15]. ...

In the last decade, abstraction-based controller synthesis techniques have gained considerable attention due to their ability to synthesize correct-by-design feedback controllers from high-level specifications. Nevertheless, a significant drawback of these techniques is the need to explore large spaces of quantized state and input spaces to find a controller that satisfies the specification. On the contrary, recent advances in machine learning, in particular imitation learning and reinforcement learning, paved the way to several techniques to design controllers (or policies) for highly nonlinear systems with large state and input spaces, albeit their lack of rigorous correctness guarantees. This motivates the question of how to use machine learning techniques to guide the synthesis of abstraction-based controllers. In this paper, we introduce NNSynth, a novel tool for abstraction-based controller synthesis. Unique to NNSynth is the use of machine learning techniques to guide the search over the space of controllers to find candidate Neural Network (NN)-based controllers. Next, these NNs are "projected" and the control actions that are close to the NN outputs are used to construct a "local" abstraction for the system. An abstraction-based controller is then synthesized from such a "local" abstract model. If a controller that satisfies the specifications is not found, then the best found controller is "lifted" to a neural network controller for additional training. Our experiments show that this neural network-guided synthesis leads to more than 50x or even 100x speedup in high dimensional systems compared to the state-of-the-art.

... It is known [14] that, there exists a maximal safety controller C * for control system Σ and safe set X containing all safety controllers, i.e., C(x) ⊆ C * (x) for all x ∈ R n . This maximal safety controller can be computed theoretically using the well-known fixed-point algorithm [15]. ...

... The method is targeted at controllable linear systems of the form of ξ(t) ∈ Aξ(t) + Bυ(t) + W with compact constraint sets X and U . The computation of outer invariant approximation is based on set iteration (13) and stopping criterion (14) as follows ...

In this work, we present a compositional safety controller synthesis approach for the class of discrete-time linear control systems. Here, we leverage a state-of-the-art result on the computation of robust controlled invariant sets. To tackle the complexity of controller synthesis over complex interconnected systems, this paper introduces a decentralized controller synthesis scheme. Rather than treating the interconnected system as a whole, we first design local safety controllers for each subsystem separately to enforce local safety properties, with polytopic state and input constraints as well as bounded disturbance set. Then, by composing the local controllers, the interconnected system is guaranteed to satisfy the overall safety specification. Finally, we provide a vehicular platooning example to illustrate the effectiveness of the proposed approach by solving the overall safety controller synthesis problem by computing less complex local safety controllers for subsystems and then composing them.

... The use of formal abstractions for PETC models has been preparatory in this sense, see e.g. [3], [4]. More recently, the work [5] provides a characterisation in terms of traffic abstractions: a finite-state automaton considering the intersample times (ISTs) sequences of a PETC system. ...

... Definition 1 (Weighted Transition System (adapted from [4], [17])): ...

We employ the scenario approach to compute probably approximately correct (PAC) bounds on the average inter-sample time (AIST) generated by an unknown PETC system, based on a finite number of samples. We extend the scenario approach to multiclass SVM algorithms in order to construct a PAC map between the concrete, unknown state-space and the inter-sample times. We then build a traffic model applying an $\ell$-complete relation and find, in the underlying graph, the cycles of minimum and maximum average weight: these provide lower and upper bounds on the AIST. Numerical benchmarks show the practical applicability of our method, which is compared against model-based state-of-the-art tools.

... Several approaches based on finite abstraction have been widely used to solve such synthesis problems. Existing techniques include policy synthesis enforcing linear temporal logic specifications for non-stochastic systems [2,3] and for stochastic ones [4,5,6]. When dealing with large systems, these approaches suffer severely from the curse of dimensionality (i.e., computational complexity grows exponentially with the dimension of the state set). ...

... We consider a nonlinear Moore-Greitzer jet engine model in no-stall mode [26] as a partially observed jumpdiffusion systems by adding noise and jump terms which is given by: [2,4], and X 3 = X \ (X 0 ∪ X 1 ∪ X 2 ). The set of atomic propositions is given by Π = {p 0 , p 1 , p 2 , p 3 } with labeling function L(x j ) = p j for all x j ∈ X j , j ∈ {0, 1, 2, 3}. ...

In this paper, we study formal synthesis of control policies for partially observed jump-diffusion systems against complex logic specifications. Given a state estimator, we utilize a discretization-free approach for formal synthesis of control policies by using a notation of control barrier functions without requiring any knowledge of the estimation accuracy. Our goal is to synthesize an offline control policy providing (potentially maximizing) a lower bound on the probability that the trajectories of the partially observed jump-diffusion system satisfy some complex specifications expressed by deterministic finite automata. Finally, we illustrate the effectiveness of the proposed results by synthesizing a policy for a jet engine example.

... However, the optimal solution to a cost-minimization problem is not always reliable and applicable in the real world, especially in safety-critical scenarios. Guaranteed-safe control actions have attracted researchers' interest, both in controller design [30], [31], and in verification [32], [33]. Control barrier functions (CBFs) have been proposed as a powerful tool to enforce safe behavior of system states by introducing extra constraints on the control inputs [34]. ...

... Once the component problem safe optimal control action is obtained, a weighted mixture on the primitives specified by (31) can be taken to achieve the composite safe optimal control action, and a further constrained optimization step according to (32) will ensure that the resulting optimal control action is safe-guaranteed. The execution trajectories of the UAV team using the composite safe control action to solve a new problem are shown in Fig. 10, where the red solid circle demonstrates an allowable error range. ...

We propose a unified framework to fast generate a safe optimal control action for a new task from existing controllers on Multi-Agent Systems (MASs). The control action composition is achieved by taking a weighted mixture of the existing controllers according to the contribution of each component task. Instead of sophisticatedly tuning the cost parameters and other hyper-parameters for safe and reliable behavior in the optimal control framework, the safety of each single task solution is guaranteed using the control barrier functions (CBFs) for high-degree stochastic systems, which constrains the system state within a known safe operation region where it originates from. Linearity of CBF constraints in control enables the control action composition. The discussed framework can immediately provide reliable solutions to new tasks by taking a weighted mixture of solved component-task actions and filtering on some CBF constraints, instead of performing an extensive sampling to achieve a new controller. Our results are verified and demonstrated on both a single UAV and two cooperative UAV teams in an environment with obstacles.

... First, the transition systems formalism is introduced to model discrete-time dynamics [32]. ...

... By (32), (33), (34), ((Ψ l (1) ...

We consider the problem of coordinating a collection of switched subsystems under both local and global constraints for safe operation of the system. Although an invariant set can be leveraged to construct a safety-guaranteed controller for this kind of problem, computing an invariant set is not scalable to high-dimensional systems. In this paper, we introduce a strategy to obtain an implicit representation of a controlled invariant set for a collection of switched subsystems, and construct a safety-guaranteed controller to coordinate the subsystems using the representation. Specifically, we incorporate the invariant set into a model predictive controller to guarantee safety and recursive feasibility. Since the amount of computations is independent of the number of subsystems, this approach scales to large collections of switched subsystems. We use our approach to safely control a collection of thermostatically controlled loads to provide grid balancing services. The problem includes constraints on each load's temperature and duration it must remain in a mode after a switch, and also on aggregate power consumption to ensure network safety. Numerical simulations show that the proposed approach outperforms benchmark strategies in terms of safety and recursive feasibility.

... GR(1) was introduced as an efficient fragment for synthesis problems in the presence of weak fairness assumptions; in particular, show a 3-nested fixpoint algorithm . Over the years, the GR(1) fragment has been extensively used as a useful logical fragment of LTL for reactive synthesis, especially in the cyber-physical and robotics domains [Alur et al. 2013;Kress-Gazit et al. 2007, 2009Maoz and Ringert 2015;Svoreňová et al. 2017]. In fact, there are several reactive synthesis tools which only support the GR(1) fragment for its tractability [Ehlers and Raman 2016;Finucane et al. 2010;Wongpiromsarn et al. 2011]. ...

... 6.2.2 Controller Synthesis for Stochastically Perturbed Dynamical Systems. Synthesizing verified symbolic controllers for continuous dynamical systems is an active area in cyber-physical systems research [Tabuada 2009]. Recently, it was shown by Majumdar et al. [2021], that the symbolic controller synthesis problem for stochastic continuous dynamical systems can be approximated using a strategy synthesis problem over a (finite) 2 1 /2-player game graph. ...

We consider fixpoint algorithms for two-player games on graphs with $\omega$-regular winning conditions, where the environment is constrained by a strong transition fairness assumption. Strong transition fairness is a widely occurring special case of strong fairness, which requires that any execution is strongly fair with respect to a specified set of live edges: whenever the source vertex of a live edge is visited infinitely often along a play, the edge itself is traversed infinitely often along the play as well. We show that, surprisingly, strong transition fairness retains the algorithmic characteristics of the fixpoint algorithms for $\omega$-regular games -- the new algorithms can be obtained simply by replacing certain occurrences of the controllable predecessor by a new almost sure predecessor operator. For Rabin games with $k$ pairs, the complexity of the new algorithm is $O(n^{k+2}k!)$ symbolic steps, which is independent of the number of live edges in the strong transition fairness assumption. Further, we show that GR(1) specifications with strong transition fairness assumptions can be solved with a 3-nested fixpoint algorithm, same as the usual algorithm. In contrast, strong fairness necessarily requires increasing the alternation depth depending on the number of fairness assumptions. We get symbolic algorithms for (generalized) Rabin, parity and GR(1) objectives under strong transition fairness assumptions as well as a direct symbolic algorithm for qualitative winning in stochastic $\omega$-regular games that runs in $O(n^{k+2}k!)$ symbolic steps, improving the state of the art. Finally, we have implemented a BDD-based synthesis engine based on our algorithm. We show on a set of synthetic and real benchmarks that our algorithm is scalable, parallelizable, and outperforms previous algorithms by orders of magnitude.

... Over the years, various attempts were made to apply the framework of model checking for finite transition systems to verify specifications for control systems with continuous (and infinite) state space. The main tools used in all of them are abstraction and simulation, which are notions connecting control systems with continuous state-spaces and finite transition systems [4], [5]. Namely, verification for a continuous control system is achieved by (1) abstracting it by a finite transition system, and (2) applying the model checking framework to this finite abstraction. ...

... where the vectors w, v depend on the matrices E, F and the sets P, R, each containing a single element. Throughout this section, we fix such a system, governed by (4). Moreover, we fix matrices {A r , G r } m r=0 and vectors a 0 , g 0 defining an LTI contract C of depth m via (3). ...

Verifying specifications for large-scale control systems is of utmost importance, but can be hard in practice as most formal verification methods can not handle high-dimensional dynamics. Contract theory has been proposed as a modular alternative to formal verification in which specifications are defined by assumptions on the inputs to a component and guarantees on its outputs. In this paper, we present linear-programming-based tools for verifying contracts for control systems. We first consider the problem of verifying contracts defined by time-invariant inequalities for unperturbed systems. We use $k$-induction to show that contract verification can be achieved by considering a collection of implications between inequalities, which are then recast as linear programs. We then move our attention to perturbed systems. We present a comparison-based framework, verifying that a perturbed system satisfies a contract by checking that the corresponding unperturbed system satisfies a robustified (and $\epsilon$-approximated) contract. In both cases, we present explicit algorithms for contract verification, proving their correctness and analyzing their complexity. We also demonstrate the verification process for two case studies, one considering a two-vehicle autonomous driving scenario, and one considering formation control of a multi-agent system.

... Based on the local symbolic abstraction, a standard algorithm can be applied to determine the control inputs such that the manipulator moves to the local specification. Here, we use the common fixed-point algorithm [62]. ...

Efficiently coordinating different types of robots is an important enabler for many commercial and industrial automation tasks. Here, we present a distributed framework that enables a team of heterogeneous robots to dynamically generate actions from a common, user-defined goal specification. In particular, we discuss the integration of various robotic capabilities into a common task allocation and planning formalism, as well as the specification of expressive, temporally-extended goals by non-expert users. Models for task allocation and execution both consider non-deterministic outcomes of actions and thus, are suitable for a wide range of real-world tasks including formally specified reactions to online observations. One main focus of our paper is to evaluate the framework and its integration of software modules through a number of experiments. These experiments comprise industry-inspired scenarios as motivated by future real-world applications. Finally, we discuss the results and learnings for motivating practically relevant, future research questions.

... For example, the cruise control system enforces the car (environment) to maintain a desired speed (desired property). In this context, classical reactive synthesis methods provide means to synthesize controllers that correctly assure a desired property expressed in formal logic [39,37,11,42,4]. In other words, the correct-by-construction controller guarantees this desired property. ...

Control systems should enforce a desired property for both expected modeled situations as well as unexpected unmodeled environmental situations. Existing methods focus on designing controllers to enforce the desired property only when the environment behaves as expected. However, these methods lack discussion on how the system behaves when the environment is perturbed. In this paper, we propose an approach for analyzing control systems with respect to their tolerance against environmental perturbations. A control system tolerates certain environmental perturbations when it remains capable of guaranteeing the desired property despite the perturbations. Each controller inherently has a level of tolerance against environmental perturbations. We formally define this notion of tolerance and describe a general technique to compute it, for any given regular property. We also present a more efficient method to compute tolerance with respect to invariance properties. Moreover, we introduce a new controller synthesis problem based on our notion of tolerance. We demonstrate the application of our framework on an autonomous surveillance example.

... We focus on the integration between the symbolic-level discrete task planner and the continuous motion planner. This top-down planning approach significantly reduces the computational complexity compared to bottom-up approaches [Liu et al. (2013); Tabuada (2009) ;Belta et al. (2017); Liu and Ozay (2016)]. The correctness of our top-down hierarchy is guaranteed via a correct-by-construction synthesis at the task planner level and a reachability control synthesis at the motion planner level. ...

Contact-based decision and planning methods are becoming increasingly important to endow higher levels of autonomy for legged robots. Formal synthesis methods derived from symbolic systems have great potential for reasoning about high-level locomotion decisions and achieving complex maneuvering behaviors with correctness guarantees. This study takes a first step toward formally devising an architecture composed of task planning and control of whole-body dynamic locomotion behaviors in constrained and dynamically changing environments. At the high level, we formulate a two-player temporal logic game between the multi-limb locomotion planner and its dynamic environment to synthesize a winning strategy that delivers symbolic locomotion actions. These locomotion actions satisfy the desired high-level task specifications expressed in a fragment of temporal logic. Those actions are sent to a robust finite transition system that synthesizes a locomotion controller that fulfills state reachability constraints. This controller is further executed via a low-level motion planner that generates feasible locomotion trajectories. We construct a set of dynamic locomotion models for legged robots to serve as a template library for handling diverse environmental events. We devise a replanning strategy that takes into consideration sudden environmental changes or large state disturbances to increase the robustness of the resulting locomotion behaviors. We formally prove the correctness of the layered locomotion framework guaranteeing a robust implementation by the motion planning layer. Simulations of reactive locomotion behaviors in diverse environments indicate that our framework has the potential to serve as a theoretical foundation for intelligent locomotion behaviors.

... [51] provides a recent surveys on the topic in the context of robotics. [52] and [53] provide further depth in verifying the software and hybrid nature of real control system implementations, respectively. ...

Learning-based methods could provide solutions to many of the long-standing challenges in control. However, the neural networks (NNs) commonly used in modern learning approaches present substantial challenges for analyzing the resulting control systems' safety properties. Fortunately, a new body of literature could provide tractable methods for analysis and verification of these high dimensional, highly nonlinear representations. This tutorial first introduces and unifies recent techniques (many of which originated in the computer vision and machine learning communities) for verifying robustness properties of NNs. The techniques are then extended to provide formal guarantees of neural feedback loops (e.g., closed-loop system with NN control policy). The provided tools are shown to enable closed-loop reachability analysis and robust deep reinforcement learning.

... Complex requirements for such real-life practical systems can be expressed as linear temporal logic formulae [1]. Modelbased approaches for satisfying such requirements have been studied extensively in the literature [2,3,4,5]. In the setting of formal approaches for stochastic systems, a number of abstraction-based methods has been developed for the verification and synthesis of dynamical systems in order to either verify the desired specifications or synthesize controllers enforcing these systems to satisfy such specifications [6,7,8,9,10]. ...

In this work, we study verification and synthesis problems for safety specifications over unknown discrete-time stochastic systems. When a model of the system is available, barrier certificates have been successfully applied for ensuring the satisfaction of safety specifications. In this work, we formulate the computation of barrier certificates as a robust convex program (RCP). Solving the acquired RCP is hard in general because the model of the system that appears in one of the constraints of the RCP is unknown. We propose a data-driven approach that replaces the uncountable number of constraints in the RCP with a finite number of constraints by taking finitely many random samples from the trajectories of the system. We thus replace the original RCP with a scenario convex program (SCP) and show how to relate their optimizers. We guarantee that the solution of the SCP is a solution of the RCP with a priori guaranteed confidence when the number of samples is larger than a pre-computed value. This provides a lower bound on the safety probability of the original unknown system together with a controller in the case of synthesis. We also discuss an extension of our verification approach to a case where the associated robust program is non-convex and show how a similar methodology can be applied. Finally, the applicability of our proposed approach is illustrated through three case studies.

... While the latter represent specifications that are typically static, e.g., static supply rates and invariant sets, the contracts in this paper are used to specify dynamic behaviour. Furthermore, the contracts in this paper express specifications directly in the continuous domain, unlike formal methods in control [5], ...

Motivated by the growing requirements on the operation of complex engineering systems, we present contracts as specifications for continuous-time linear dynamical systems with inputs and outputs. A contract is defined as a pair of assumptions and guarantees, both characterized in a behavioural framework. The assumptions encapsulate the available information about the dynamic behaviour of the environment in which the system is supposed to operate, while the guarantees express the desired dynamic behaviour of the system when interconnected with relevant environments. In addition to defining contracts, we characterize contract implementation, and we find necessary conditions for the existence of an implementation. We also characterize contract refinement, which is used to characterize contract conjunction in two special cases. These concepts are then illustrated by an example of a vehicle following system.

... In this paradigm, specifications are described by means of another transition system that encodes the specification; the original system then satisfies the specification if it is simulated by the (transition system) encoding of the specification. Importantly, it is well known that a diverse array of specifications can be captured in this context, among them LTL formula satisfaction [32] and stability. Secondly, the sample period τ constitutes an additional degree of freedom in the specification relative to the original continuous-time system (or a proscribed fixed sampleperiod embedding); this extra degree of freedom will facilitate the development of assured NN architectures. ...

In this paper, we consider the problem of automatically designing a Rectified Linear Unit (ReLU) Neural Network (NN) architecture (number of layers and number of neurons per layer) with the assurance that it is sufficiently parametrized to control a nonlinear system; i.e. control the system to satisfy a given formal specification. This is unlike current techniques, which provide no assurances on the resultant architecture. Moreover, our approach requires only limited knowledge of the underlying nonlinear system and specification. We assume only that the specification can be satisfied by a Lipschitz-continuous controller with a known bound on its Lipschitz constant; the specific controller need not be known. From this assumption, we bound the number of affine functions needed to construct a Continuous Piecewise Affine (CPWA) function that can approximate any Lipschitz-continuous controller that satisfies the specification. Then we connect this CPWA to a NN architecture using the authors' recent results on the Two-Level Lattice (TLL) NN architecture; the TLL architecture was shown to be parameterized by the number of affine functions present in the CPWA function it realizes.

... Formal verification of continuous control systems has been widely studied, e.g., [48,7,17,30,43,32,33]. These methods are typically based on model checking algorithms [15,4], Portions of this paper were presented in [26]. ...

Leveraging autonomous systems in safety-critical scenarios requires verifying their behaviors in the presence of uncertainties and black-box components that influence the system dynamics. In this article, we develop a framework for verifying partially-observable, discrete-time dynamical systems with unmodelled dynamics against temporal logic specifications from a given input-output dataset. The verification framework employs Gaussian process (GP) regression to learn the unknown dynamics from the dataset and abstract the continuous-space system as a finite-state, uncertain Markov decision process (MDP). This abstraction relies on space discretization and transition probability intervals that capture the uncertainty due to the error in GP regression by using reproducible kernel Hilbert space analysis as well as the uncertainty induced by discretization. The framework utilizes existing model checking tools for verification of the uncertain MDP abstraction against a given temporal logic specification. We establish the correctness of extending the verification results on the abstraction to the underlying partially-observable system. We show that the computational complexity of the framework is polynomial in the size of the dataset and discrete abstraction. The complexity analysis illustrates a trade-off between the quality of the verification results and the computational burden to handle larger datasets and finer abstractions. Finally, we demonstrate the efficacy of our learning and verification framework on several case studies with linear, nonlinear, and switched dynamical systems.

... Switching linear systems are an important family of hybrid systems which often arise in Cyber-Physical systems (see Tabuada (2009)). Indeed, the interaction between continuous and discrete dynamics causes hybrid behaviors which makes the stability analysis challenging. ...

We consider stability analysis of constrained switching linear systems in which the dynamics are unknown and whose switching signal is constrained by an automaton. We propose a data-driven Lyapunov framework for providing probabilistic stability guarantees based on data harvested from observations of the system. By generalizing previous results on arbitrary switching linear systems, we show that, by sampling a finite number of observations, we are able to construct an approximate Lyapunov function for the underlying system. Moreover, we show that the entropy of the language accepted by the automaton allows to bound the number of samples needed in order to reach some pre-specified accuracy.

... Formal verification of dynamical systems against complex specifications has attracted significant attention in the past few years [1]. The verification problem becomes very challenging for the continuous-time continuous-space dynamical systems with noise and discrete dynamics. ...

The paper presents a methodology for temporal logic verification of continuous-time switched stochastic systems. Our goal is to find the lower bound on the probability that a complex temporal property is satisfied over a finite time horizon. The required temporal properties of the system are expressed using a fragment of linear temporal logic, called safe-LTL with respect to finite traces. Our approach combines automata-based verification and the use of barrier certificates. It relies on decomposing the automaton associated with the negation of specification into a sequence of simpler reachability tasks and compute upper bounds for these reachability probabilities by means of common or multiple barrier certificates. Theoretical results are illustrated by applying a counter-example guided inductive synthesis framework to find barrier certificates.

... A specific type of invariant set will be considered: the positive invariant set, which is an important concept in control [5], fault detection [6], safety [7], verification [8,9], or reachability [10]. ...

In this paper, we show that a basic fixed point method used to enclose the greatest fixed point in a Kleene algebra will allow us to compute inner and outer approximations of invariant-based sets for continuous-time nonlinear dynamical systems. Our contribution is to provide the definitions and theorems that will allow us to make the link between the theory of invariant sets and the Kleene algebra. This link has never be done before and will allow us to compute rigorously sets that can be defined as a combination of positive invariant sets. Some illustrating examples show the nice properties of the approach.

... In particular, condition (3.2) ensures that S is a c-martingale process [Kus67] ensuring the probability bound in Theorem 3.4. These types of conditions are stochastic counterparts of the ones in the notions of (bi)simulation relations [Tab09]. ...

This paper is concerned with a data-driven technique for constructing finite Markov decision processes (MDPs) as finite abstractions of discrete-time stochastic control systems with unknown dynamics while providing formal closeness guarantees. The proposed scheme is based on notions of stochastic bisimulation functions (SBF) to capture the probabilistic distance between state trajectories of an unknown stochastic system and those of finite MDP. In our proposed setting, we first reformulate corresponding conditions of SBF as a robust convex program (RCP). We then propose a scenario convex program (SCP) associated to the original RCP by collecting a finite number of data from trajectories of the system. We ultimately construct an SBF between the data-driven finite MDP and the unknown stochastic system with a given confidence level by establishing a probabilistic relation between optimal values of the SCP and the RCP. We also propose two different approaches for the construction of finite MDPs from data. We illustrate the efficacy of our results over a nonlinear jet engine compressor with unknown dynamics. We construct a data-driven finite MDP as a suitable substitute of the original system to synthesize controllers maintaining the system in a safe set with some probability of satisfaction and a desirable confidence level.

So far, we have presented and discussed basic results for the modeling, verification, stability, and optimal control of hybrid systems. These results have been introduced by both the computer science and control engineering communities. The computer science community has been primarily interested in verifying the correctness of embedded codes in the face of real-time constraints and interactions with the physical world; while the control engineering community has been mainly focusing on the effects of discontinuities (such as switching of dynamics and jumping of states) caused by the use of digital processors and communication networks that are increasingly becoming ubiquitous.

The operation of large wind turbines requires an efficient control system in order to have a stable and optimal behaviour for all operational states. The control system consists, in general, of several control loops with multiple controllers, which have to be managed by a supervisor depending on the current operational state of the machine. The present chapter describes the implementation of a supervisory control system by using a hybrid automaton, whose function is to switch control loops and controllers according to the current operational state of the machine.

Modularity is a central principle throughout the design process for cyber-physical systems. Modularity reduces complexity and increases reuse of behavior. In this paper we pose and answer the following question: how can we identify independent ‘modules’ within the structure of reactive control architectures? To this end, we propose a graph-structured control architecture we call a decision structure , and show how it generalises some reactive control architectures which are popular in Artificial Intelligence (AI) and robotics, specifically Teleo-Reactive programs (TRs), Decision Trees (DTs), Behavior Trees (BTs) and Generalised Behavior Trees ( k -BTs). Inspired by the definition of a module in graph theory [16] we define modules in decision structures and show how each decision structure possesses a canonical decomposition into its modules, which can be found in polynomial time. We establish intuitive connections between our proposed modularity and modularity in structured programming. In BTs, k -BTs and DTs the modules we propose are in a one-to-one correspondence with their subtrees. We show we can naturally characterise each of the BTs, k -BTs, DTs and TRs by properties of their module decomposition. This allows us to recognise which decision structures are equivalent to each of these architectures in quadratic time. Following McCabe [26] we define a complexity measure called essential complexity on decision structures which measures the degree to which they can be decomposed into simpler modules. We characterise the k -BTs as the decision structures of unit essential complexity. Our proposed concept of modules extends to formal verification, under any verification scheme capable of verifying a decision structure. Namely, we prove that a modification to a module within a decision structure has no greater flow-on effects than a modification to an individual action within that structure. This enables verification on modules to be done locally and hierarchically, where structures can be verified and then repeatedly locally modified, with modules replaced by modules while preserving correctness. To illustrate the findings, we present an example of a solar-powered drone completing a reconnaissance-based mission using a decision structure. We use a Linear Temporal Logic-based verification scheme to verify the correctness of this structure, and then show how one can repeatedly modify modules while preserving its correctness, and this can be verified by considered only those modules which have been modified.

Smart grid control and management is a growing research area that affects the global goals of net-zero emissions, increased renewable energy generation, and efficient energy management. Active buildings are the building blocks of the smart grid of the future. Their passive role as energy consumer buildings is replaced in the new paradigm as active components, which are not only the energy consumers but also provide energy services to the net- work or neighbouring areas in time of need. This chapter puts a spotlight on the control of a community of active buildings and considers high-level smart grid control approaches that use active buildings; aggregation, frequency and voltage regulation as well as security considerations. The chapter also provides a detailed case study that considers demand-side frequency regulation, power tracking and formal control synthesis methods using energy storage systems (ESSs) and thermostatically controlled loads (TCLs).

A central theoretical question surrounding abstraction-based control of continuous nonlinear systems is whether one can decide through algorithmic procedures the existence of a controller to render the system to satisfy a given specification (e.g., safety, reachability, or more generally a temporal logic formula). Known algorithms are mostly sound but not complete in the sense that they return a correct controller upon termination, but do not offer guarantees of finding a controller if one exists. Completeness of abstraction-based nonlinear control in the general setting, therefore, remains an open question. This paper investigates this theoretical question and presents two sets of main results. First, we prove that sampled-data control of nonlinear systems with temporal logic specifications is robustly decidable in the sense that, given a continuous-time nonlinear control system and a temporal logic formula, one can algorithmically decide whether there exists a robust sampled-data control strategy to realize this specification when the right-hand side of the system is slightly perturbed by a small disturbance. Second, we show that under the assumption of local nonlinear controllability of the nominal system around an arbitrary trajectory that realizes a given specification, we can always construct a (robust) sampled-data control strategy via a sufficiently fine discrete abstraction. In a sense, this shows that temporal logic control for controllable nonlinear systems is decidable.

This paper describes several applications of locally finite and locally nilpotent derivations; we recover the main results from the theory of polynomial flows, give a new inversion formula for polynomial automorphisms, reformulate the Eulerian conjecture for ordinary systems of differential equations in terms of locally nilpotent derivations, and give an algorithm to compute the invariant ring of a ^,-action on affine /i-space (if this ring is finitely generated).

We introduce a fixedpoint algorithm for verifying safety properties of hybrid systems with differential equations whose right-hand
sides are polynomials in the state variables. In order to verify nontrivial systems without solving their differential equations
and without numerical errors, we use a continuous generalization of induction, for which our algorithm computes the required
differential invariants. As a means for combining local differential invariants into global system invariants in a sound way, our fixedpoint algorithm
works with a compositional verification logic for hybrid systems. To improve the verification power, we further introduce
a saturation procedure that refines the system dynamics successively with differential invariants until safety becomes provable. By complementing
our symbolic verification algorithm with a robust version of numerical falsification, we obtain a fast and sound verification
procedure. We verify roundabout maneuvers in air traffic management and collision avoidance in train control.

In this paper, a novel methodology for analysis of piecewise linear hybrid systems based on discrete abstractions of the continuous dynamics is presented. An important characteristic of the approach is that the available control inputs are taken into consideration in order to simplify the continuous dynamics. Control specications such as safety and reachability specications are formulated in terms of partitions of the state space of the system. The approach provides a convenient general framework not only for analysis, but also for controller synthesis of hybrid systems. The research contributions of this paper impact the areas of analysis, verication, and synthesis of piecewise linear hybrid systems.

The use of algorithmic verification and synthesis tools for hybrid systems is currently limited to systems exhibiting simple continuous dynamics such as timed automata or rectangular hybrid systems. In this paper we enlarge the class of systems amenable to algorithmic analysis and synthesis by showing decidability of model checking Linear Temporal Logic (LTL) formulas over discrete time, controllable, linear systems. This result follows from the construction of a language equivalent, finite abstraction of a control system based on a set of finite observations which correspond to the atomic propositions appearing in a given LTL formula. Furthermore, the size of this abstraction is shown to be polynomial in the dimension of the control system and the number of observations. These results open the doors for verification and synthesis of continuous and hybrid control systems from LTL specifications.

A methodology for safety verification of continuous and hybrid systems using barrier certificates has been proposed recently. Conditions that must be satisfied by a barrier certificate can be formulated as a convex program, and the feasibility of the program implies system safety in the sense that there is no trajectory starting from a given set of initial states that reaches a given unsafe region. The dual of this problem, i.e., the reachability problem, concerns proving the existence of a trajectory starting from the initial set that reaches another given set. Using insights from the linear programming duality appearing in the discrete shortest path problem, we show in this paper that reachability of continuous systems can also be verified through convex programming. Several convex programs for verifying safety and reachability, as well as other temporal properties such as eventuality, avoidance, and their combinations, are formulated. Some examples are provided to illustrate the application of the proposed methods. Finally, we exploit the convexity of our methods to derive a converse theorem for safety verification using barrier certificates.

The notion of exact bisimulation equivalence for nondeterministic discrete systems has recently resulted in notions of exact bisimulation equivalence for continuous and hybrid systems. In this paper, we establish the more robust notion of approximate bisimulation equivalence for nondeterministic nonlinear systems. This is achieved by requiring that a distance between system observations starts and remains, close, in the presence of nondeterministic system evolution. We show that approximate bisimulation relations can be characterized using a class of functions called bisimulation functions. For nondeterministic nonlinear systems, we show that conditions for the existence of bisimulation functions can be expressed in terms of Lyapunov-like inequalities, which for deterministic systems can be computed using recent sum-of-squares techniques. Our framework is illustrated on a safety verification example.

This note provides new necessary and sufficient conditions for an n-dimensional linear affine system with n-1 inputs to reach an exit facet (or set of exit facets) of a simplex. The conditions reduce the original NP-hard necessary and sufficient conditions to a set of at most n LP problems

Partial Labeled Markov Chains are simultaneously generalizations of process algebra and of traditional Markov chains. They provide a foundation for interacting discrete probabilistic systems, the interaction being synchronization on labels as in process algebra. Existing notions of process equivalence are too sensitive to the exact probabilities of various transitions. This paper addresses contextual reasoning principles for reasoning about more robust notions of "approximate" equivalence between concurrent interacting probabilistic systems. ffl We develop a family of metrics between partial labeled Markov chains to formalize the notion of distance between processes. ffl We show that processes at distance zero are bisimilar. ffl We describe a decision procedure to compute the distance between two processes. ffl We show that reasoning about approximate equivalence can be done compositionally by showing that process combinators do not increase distance. ffl We introduce an asymptoti...

In many complex control processes, the problem of determining optimal control policies can be considerably simplified from the stand-points of computation and implementation, if the mathematical model can be adequately described by a finite-state sequential system, i.e. a discrete-time system whose input (control) and state spaces are finite-state. However, in physical situations, one usually formulates the mathematical models in the form of a set of ordinary differential equations resulting from certain physical laws. Therefore, it is desirable to have systematic methods far approximating such mathematical models by finite-state systems.This paper describes a simple method for approximating a finite set of first-order ordinary differential equations by the finite-state system. The validity and application of the method are discussed and illustrated by examples. Also, the main problem associated with the implementation of control systems using finite-state models will be discussed briefly.

For a Lipschitz differential inclusion x f(x), we give a method to compute an arbitrarily close approimation of Reach
f(X0, t) — the set of states reached after time t starting from an initial set X0. For a differential inclusion x f(x), and any >0, we define a finite sample graph A
. Every trajectory of the differential inclusion x f(x) is also a trajectory in A
. And every trajectory of A
has the property that dist((t), f((t))) . Using this, we can compute the invariant sets of the differential inclusion — the sets that remain invariant under -perturbations in f.

We study the problem of synthesizing controllers for discrete event systems in a branching time framework. We use a class of labelled transition systems to model both plants and specifications. We use first simulations and later bisimulations to capture the role of a controller; the controlled behaviour of the plant should be related via a simulation (bisimulation) to the specification. For both simulations and bisimulations we show that the problem of checking if a pair of finite transition systems – one modelling the plant and the other the specification – admits a controller is decidable in polynomial time. We also show that the size of the controller, if one exists, can be bounded by a polynomial in the sizes of the plant and the specification and can be effectively constructed in polynomial time. Finally, we prove that in the case of simulations, the problem of checking for the existence of a controller is undecidable in a natural concurrent setting.

This paper is driven by a general motto: bisimulate a hybrid system by a finite symbolic dynamical system. In the case of o-minimal hybrid systems, the continuous and discrete components can be decoupled, and hence, the problem reduces in building a finite symbolic dynamical system for the continuous dynamics of each location. We show that this can be done for a quite general class of hybrid systems defined on o-minimal structures. In particular, we recover the main result of a paper by G. Lafferriere, G.J. Pappas, and S. Sastry, on o-minimal hybrid systems. We also provide an analysis and extension of results on decidability and complexity of problems and constructions related to o-minimal hybrid systems.

The objective of this paper is to solve the controller synthesis problem for bisimulation equivalence in a wide variety of scenarios including discrete-event systems, nonlinear control systems, behavioral systems, hybrid systems and many others. This will be accomplished by showing that the arguments underlying proofs of existence and the methods for the construction of controllers are extraneous to the particular class of systems being considered and thus can be presented in greater generality.

Nonlinear deterministic and stochastic systems which can be immersed into linear observable ones are identified by necessary and sufficient conditions. Those systems are shown to admit observers in the deterministic case and exact finite-dimensional filters in the stochastic case: the sufficient conditions obtained generalize earlier results in both cases.

The use of bisimilar finite abstractions of continuous and hybrid systems, greatly simplifies complex computational tasks such as verification or control synthesis. Unfortunately, because of the strong requirements of bisimulation relations, such abstractions exist only for quite restrictive classes of systems. Recently, the notion of approximate bisimulation relations has been introduced, allowing the definition of less rigid relationships between systems. This relaxed notion should certainly allow us to build approximately bisimilar finite abstractions for more general classes of continuous and hybrid systems. In this paper, we show that for the class of stable discrete-time linear systems with constrained inputs, there exists an approximately bisimilar finite state system of any desired precision. We describe an effective procedure for the construction of this abstraction, based on compositional reasoning and samples of the set of initial states and inputs. Finally, we briefly show how our finite abstractions can be used for verification or control synthesis.

This paper presents a new solution approach to the optimal control problem of fixed frequency switch-mode DC-DC converters using hybrid systems methodologies. In particular, the notion of the N -step model is introduced to capture the hybrid nature of these systems, and an optimal control problem is formulated and solved online, which allows one to easily incorporate in the controller design safety constraints such as current limiting. Simulation results are provided that demonstrate the prospect of this approach.

A necessary and sufficient condition for the reachability of a piecewise-linear hybrid system is formulated in terms of reachability of a finite-state discrete-event system and of a finite family of affine systems on a polyhedral set. As a subproblem, the reachability of an affine system on a polytope is considered, with the control objective of reaching a particular facet of the polytope. If the polytope is a simplex, necessary and sufficient conditions for the solvability of this problem by affine state feedback are described. If the polytope is a multi-dimensional rectangle, then a solution is obtained using continuous piecewise-affine state feedback.

Finite automata and regular languages have been useful in a wide variety of problems in computing, communication and control,
including formal modeling and verification. Traditional automata do not admit an explicit modeling of time, and consequently,
timed automata [2] were introduced as a formal notation to model the behavior of real-time systems. Timed automata accept timed languages consisting of sequences of events tagged with their occurrence times. Over the years, the formalism has been extensively
studied leading to many results establishing connections to circuits and logic, and much progress has been made in developing
verification algorithms, heuristics, and tools. This paper provides a survey of the theoretical results concerning decision
problems of reachability, language inclusion and language equivalence for timed automata and its variants, with some new proofs
and comparisons. We conclude with a discussion of some open problems.

We dene quantitative similarity functions between timed transition systems that measure the degree of closeness of two systems as a real, in contrast to the traditional boolean yes/no approach to timed simulation and language inclusion. Two systems are close if for each timed trace of one system, there exists a corresponding timed trace in the other system with the same sequence of events and closely corresponding event timings. We show that timed CTL is robust with respect to our quantitative version of bisimilarity, in particular, if a system satises a formula, then every close system satises a close formula. We also dene a discounted version of CTL over timed systems, which assigns to every CTL formula a real value that is obtained by discounting real time. We prove the robustness of discounted CTL by establishing that close states in the bisimilarity metric have close values for all discounted CTL formulas.

The factorisation problem is to construct the specification of a submoduleX when the specifications of the system and all submodules butX are given. It is usually described by the equation
where P and X are submodules of system Q, ¦ is a composition operator, and
is the equivalence criterion. In this paper we use a finite state machine (FSM) model consistent with CCS and study two factorisation problems:P |||P ∼Q andP |||P ≈Q, where ||| is a derived CCS composition operator, ∼ and ≈ represent strong and observational equivalences. Algorithms are presented and proved correct to find the most general specification of submoduleX forP |||P ∼Q withQ τ-deterministic and forP |||P ≈Q withQ deterministic. Conditions on the submachines of the most general solutions that remain solutions toP |||P ∼Q(P |||P ≈Q) are given. This paper extends and is based on the work of M. W. Shields.

This paper presents an approach to the control of continuous systems through the use of symbolic models describing the system behavior only at a finite number of points in the state space. These symbolic models can be seen as abstract representations of the continuous dynamics enabling the use of algorithmic controller design methods. We identify a class of linear control systems for which the loss of information incurred by working with symbolic sub-systems can be compensated by feedback. We also show how to transform symbolic controllers designed for a symbolic sub-system into controllers for the original system. The resulting controllers combine symbolic controller dynamics with continuous feedback control laws and can thus be seen as hybrid systems. Furthermore, if the symbolic controller already accounts for software/hardware requirements, the hybrid controller is guaranteed to enforce the desired specifications by construction thereby reducing the need for formal verification.

This paper describes an approach to the control of continuous systems through the use of symbolic models describing the system behavior only at a finite number of points in the state space. These symbolic models can be seen as abstract representations of the continuous dynamics enabling the use of algorithmic controller design methods. We identify a class of linear control systems for which the loss of information incurred by working with symbolic subsystems can be compensated by feedback. We also show how to transform symbolic controllers designed for a symbolic subsystem into controllers for the original system. The resulting controllers combine symbolic controller dynamics with continuous feedback control laws and can thus be seen as hybrid systems. Furthermore, if the symbolic controller already accounts for software/hardware requirements, the hybrid controller is guaranteed to enforce the desired specifications by construction thereby reducing the need for formal verification.

This paper deals with computational methods for verifying
properties of labeled infinite-state transition systems using quotient
transition system (QTS). A QTS is a conservative approximation to the
infinite-state transition system based on a finite partition of the
infinite state space. For universal specifications, positive
verification for a QTS implies the specification is true for the
infinite-state transition system. We introduce the approximate QTS or
AQTS. The paper presents a sufficient condition for an AQTS to be a
bisimulation of the infinite state transition system. An AQTS
bisimulation is essentially equivalent to the infinite-state system for
the purposes of verification. It is well known, however, that
finite-state bisimulations do not exist for most hybrid systems of
practical interest. Therefore, the use of the AQTS for verification of
universal specifications is proposed and illustrated with an example.
This approach has been implemented in a tool for computer-aided
verification of a general class of hybrid systems

A procedure for the analysis of state spaces is called symbolic if it manipulates not individual states, but sets of states that are represented by constraints. Such a procedure can be used for the analysis of infinite state spaces, provided termination is guaranteed. We present symbolic procedures, and corresponding termination criteria, for the solution of infinite-state games, which occur in the control and modular verification of infinite-state systems. To characterize the termination of symbolic procedures for solving infinite-state games, we classify these game structures into four increasingly restrictive categories:
1
Class 1 consists of infinite-state structures for which all safety and reachability games can be solved.
2
Class 2 consists of infinite-state structures for which all ω-regular games can be solved.
3
Class 3 consists of infinite-state structures for which all nested positive boolean combinations of ω-regular games can be solved.
4
Class 4 consists of infinite-state structures for which all nested boolean combinations of ω-regular games can be solved.
We give a structural characterization for each class, using equivalence relations on the state spaces of games which range from game versions of trace equivalence to a game version of bisimilarity. We provide infinite-state examples for all four classes of games from control problems for hybrid systems. We conclude by presenting symbolic algorithms for the synthesis of winning strategies (“controller synthesis”) for infinitestate games with arbitrary ω-regular objectives, and prove termination over all class-2 structures. This settles, in particular, the symbolic controller synthesis problem for rectangular hybrid systems.

In this paper, a methodology for hybrid control design is presented. The hybrid systems of interest are characterized by a feedback architecture of a continuous nonlinear plant with a discrete-event controller. The natural invariants of the continuous dynamics are used to partition the state space into regions and to synthesize simple and e#cient control laws. The paper contains a complete description of the approach including a description of the hybrid control system modeling, of the invariant based approach for the design of the partition, and of the controller synthesis methodology illustrated by examples. The implementation and optimization of the approach are also discussed. The approach presented in this paper not only describes a viable methodology to hybrid design, but also addresses fundamental issues in hybrid system theory that arise in reachability analysis and verification approaches that are based on partitions of the continuous state space. Finally, the develop...