Content uploaded by Houssam Abbas
Author content
All content in this area was uploaded by Houssam Abbas on Apr 02, 2017
Content may be subject to copyright.
Functional Gradient Descent Method for Metric Temporal Logic
Specifications
Houssam Abbas, Andrew Winn, Georgios Fainekos and A. Agung Julius
Abstract— Metric Temporal Logic (MTL) specifications can
capture complex state and timing requirements. Given a nonlin-
ear dynamical system and an MTL specification for that system,
our goal is to find a trajectory that violates or satisfies the
specification. This trajectory can be used as a concrete feedback
to the system designer in the case of violation or as a trajectory
to be tracked in the case of satisfaction. The search for such
a trajectory is conducted over the space of initial conditions,
system parameters and input signals. We convert the trajectory
search problem into an optimization problem through MTL
robust semantics. Robustness quantifies how close the trajectory
is to violating or satisfying a specification. Starting from some
arbitrary initial condition and parameter and given an input
signal, we compute a descent direction in the search space,
which leads to a trajectory that optimizes the MTL robustness.
This process can be iterated to reach local optima (min or max).
We demonstrate the method on examples from the literature.
I. INTRODUCTION
The development of control laws for nonlinear systems
still remains a formidable challenge despite the wealth of re-
sults on nonlinear control. Many practitioners and researchers
still prefer to use classic optimal control [1] and Proportional-
Integral-Derivative (PID) control [2]. There are a number
of reasons for such a choice. The most important one is
that such methods are automatic or almost automatic and,
especially in industry, the control engineers might desire
to avoid complex mathematical derivations. In other cases,
PID control is sufficient to achieve the desired results [3] or
accurate mathematical models might not be available.
Usually, Model-Based Development (MBD) software
tools, like Simulink Design OptimizationTM, can search over
system parameters so that the system output satisfies certain
time and frequency domain specifications. S-TALIRO [4]
and BREACH [5] can be used for both falsification and
open loop control design for temporal logic specifications.
In particular, Metric Temporal Logic (MTL) [6] can capture
requirements on the correct sequencing of events, conditional
reachability, safety requirements and real-time constraints
between various events. In the MTL falsification problem
you are given a formal requirement in MTL and the goal
is to find system operating conditions and parameters that
generate behaviors which do not satisfy the requirements. In
[7], the robustness value of an MTL formula [8] with respect
This work was partially supported by the NSF awards CNS-1116136,
CNS-1218109, CNS-1319560 and by the Department of Defense SMART
Scholarship.
H. Abbas and G. Fainekos are with the Schools of Engineering at Arizona
State University, Tempe, AZ, E-mail: {hyabbas,fainekos}@asu.edu
A. Winn and A. A. Julius are with the Department of Electrical,
Computer, and Systems Engineering at Rensselaer Polytechnic Institute,
Troy, NY, E-mail: winna@rpi.edu, agung@ecse.rpi.edu
to a system simulation is considered as the cost function
for an optimization problem. By minimizing the robustness
value over the system simulations one can discover incorrect
or non-robust system behaviors, and by maximizing the
robustness value one can synthesize robust optimal control
trajectories with respect to the MTL specification, all within
the same framework.
All the aforementioned tools treat the system as a black-
box in order to handle systems of arbitrary complexity. They
need an accurate system simulator and, usually, as the fidelity
of the model increases so does the simulation time. Thus, the
total number of simulations needed before simulation-based
tools can provide an answer becomes critical.
In [9], the first steps were taken towards addressing the
problem of reducing the number of simulations for the MTL
falsification problem. That work dealt with deterministic
autonomous nonlinear systems where the search space was
the set of initial conditions (and any parameters) x0of
the system. If f(x0)denotes the MTL robustness value of
the trajectory starting from x0, then the goal of [9] was
to compute a vector dsuch that f(x0+d)< f(x0). In
this paper, the search space consists of the set of initial
conditions x0in RNand the set of square-integrable input
signals of duration T > 0. If a trajectory is computed starting
from an initial condition x0and under a given input signal
u(·)yields property robustness f(x0, u), then a descent
element (dx0, du)should be computed so that starting from
x0+dx0and under input u+du, the trajectory has robustness
f(x0+dx0, u +du)< f (x0, u).
Our solution combines the previous works in [9], [10]. In
brief, the work in [10] deals with the problem of optimizing
a differentiable integral cost function over the output trajec-
tories of the system starting from a given input signal. The
method is based on the calculus of variations, but it uses a
gradient descent based approach to solve the optimization
problem without formulating the optimality conditions given
by the Minimum Principle.
Contributions: In this paper, we present a method for the
computation of descent directions for reducing specification
robustness for nonlinear dynamical systems. In particular,
given an arbitrary MTL specification, we determine a crit-
ical point on the system trajectory which if changed, then
the MTL robustness will be changed as well. We derive
the equations which, given (x, u), will give a descent di-
rection (dx, du)that provably reduces robustness. Finally,
we demonstrate the applicability of our approach on some
nonlinear models from the literature.
2014 American Control Conference (ACC)
June 4-6, 2014. Portland, Oregon, USA
978-1-4799-3274-0/$31.00 ©2014 AACC 2312
II. PROB LEM FORMULATION
We consider a dynamical system with state x∈X⊂Rn
˙x=F(t, x, u)(1)
for a C1flow F:R×Rn×Rm→Rnwith initial conditions
x0∈X0, and control input signal u∈L2[0, T ]which takes
values in a bounded subset Uof Rm:u(t)∈U∀t.Tis
the trajectory duration, and is fixed throughout this paper, so
we may write L2without ambiguity. As explained earlier,
x0can include any system parameters (which are assumed
constant throughout a simulation). The letter wwill denote
an element w= (x0, u)of X0×L2. Standard assumptions
apply - see [9], [10].
Assumption 2.1: For every w= (x, u)∈X0×L2, there
exists a unique solution sw(·) :7→ Rnto the ODE (1). The
solution swis absolutely continuous. The flow Fis locally
bounded, that is, for all compact subsets S⊂[0, T ]×X0×U,
there exists m > 0such that F(S)⊂mB, where Bis the
unit ball centered at 0.
We formally capture specifications regarding the correct
system behavior using Metric Temporal Logic (MTL) for-
mulae [6]. An MTL formula is a formal logical statement
expressing some property that the system must satisfy. It is
built by combining atomic propositions using logical and
temporal operators. Logical operators are the conjunction
(∧), disjunction (∨), negation (¬), and implication (→).
The temporal operators include eventually (3I),always
(2I)and until (UI). For example, MTL can capture the
requirement that “all the trajectories swattain a value in the
set [10,+∞)” (3[0,∞)sw(t)≥10), or that “whenever the
value of swexceeds 10, then it should go below 7 within
5 sec and remain there for at least 10 sec” (2(sw(t)≥10 →
3[0,5]2[0,10] sw(t)≤7)).
If we associate a set O(p)with each atomic proposition
p∈AP such that pis true of the states in O(p), then the
above properties can be written as 3[0,∞)p1with O(p1) =
[10,+∞), and 2(¬p1→3[0,5]2[0,10] p2)with O(p2) =
(−∞,7]. We can quantify how robustly a system trajectory
sxsatisfies a specification φin MTL [8]. Namely, we define
a function of the trajectory, ρφ(sw), which takes positive
values if swsatisfies φand negative values otherwise.
Its magnitude |ρφ|quantifies how well the specification is
satisfied or falsified. The process of falsifying a specification
φ, i.e. detecting a system behavior that does not satisfy φ,
can thus be re-cast as the problem of finding trajectories
with negative ρφ-values. On the other hand, the optimal
control can be posed as the problem of maximizing the
positive robustness. Since the solutions to (1) are assumed
unique, the search can be performed over the initial states
x∈X0(including any system parameters) and control
signals u∈L2, and can be improved by computing local
descent directions for ρφ.
Problem 1: Given x∈X0,u∈L2, and a formula φ, find
a vector dx ∈Rnand signal du ∈L2such that there exists
an h > 0for which
ρφ(x+h·dx, u +h·du)< ρφ(x, u)∀h∈(0,h)
A general MTL formula will involve multiple propositions
piand their sets O(pi). The following proposition simplifies
our task:
Proposition 2.1: Consider an MTL formula φand a tra-
jectory swof (1) such that [[φ, O]](sw,0) >0. If assumption
2.1 holds, and for each p∈AP ,O(p)is a closed half-
space, then there exist a critical time tr∈[0, T ]and a
critical proposition p∈AP which appears in φsuch that
ρφ(w) = infz∈O(p)ksw(tr)−zk.
In this paper, we derive the descent vector relative to only one
O(p)at a time; this is the content of Problem 2. The choice of
which O(p)to descend towards at any given time is decided
by the following heuristic: the current target set is always
the set O(p)where pis the critical proposition defined in
Proposition 2.1. Other heuristics are possible. By focusing
on one O(p), the problem is reduced to falsification of a
safety formula, of the form: φ=(¬p)where O(p) = Uis
the set of ‘unsafe’ system states.
The robustness then reduces to:
ρφ(x, u) = f(x, u),min
0≤t≤TdU(s(x,u)(t)) (2)
where dU(y),infz∈U ky−zkis the distance of a point y
from U.
The function fis non-differentiable, and generally non-
convex. The special problem is then:
Problem 2: Given x∈X0,u∈L2,U ⊂ Rn, and f
defined in (2), find dx ∈Rnand du ∈L2such that there
exists an h > 0for which
f(x+h·dx, u +h·du)< f (x, u)∀h∈(0,h)
If we treat H,X×L2as a Hilbert space, then it can be
seen that dw = (dx, du)∈His a descent direction in H.
III. COMPUTING A DES CE N T DIRECTION
Recall that H=X0×L2is the Hilbert search space, and
let w∈Hbe an element of that space. For convenience we
define sw(t) = sx0(t;u).
Before continuing we will prove a result that will allow
us to calculate our descent direction using a convex differ-
entiable manifold.
Theorem 3.1: Let w1∈Hwith critical time tr,1as
defined in Proposition 2.1. Define
z(t;w) = argminz∈U k¯s(t;w)−zk,(3)
and
J(w) = k¯s(tr,1;w)−z(tr,1;w1)k.(4)
Suppose that there exists w2∈Hwith critical time tr,2such
that J(w2)< J(w1). Then the robustness of the trajectory
sw2(·)is smaller than that of sw1(·):f(w2)< f(w1).
Proof: By (2) we see that
f(w2) = min
0≤t≤Tinf
z∈Uksw2(t)−zk,
≤J(w2)< J(w1) = f(w1)
2313
Our goal is to minimize the robustness. To do so we
generate a sequence (wi)∈Hsuch that f(wi+1)< f (wi)
as follows: first, w0is given. Then, we iteratively generate
wi+1 from wiby identifying a critical time tr,i and the
corresponding closest unsafe point z(tr,i, wi). We define the
function
Ji(w),G(sw(tr,i)) ,kz(tr,i, wi)−sw(tr,i )k(5)
We then calculate a descent direction ˆw∈Hand set
wi+1 =wi+hˆw, where his the step-size. The step-size
is adapted on-line: increased if a descent is obtained, and
reduced if no descent is achieved. Note that with respect to
sw(tr,i)(5) is differentiable everywhere except for the origin,
at which point the trajectory has reached the unsafe set and
falsification has been shown.
We now adapt the results presented in [10] to find an
update direction ˆwfor wthat locally decreases Ji(w), which
in turn will decrease the robustness, as per Thm.3.1.
Let dJi(w; ˆw)be the Fr´
echet derivative of Ji(w)in the
direction ˆw, and let ˆx0and ˆube the projections of ˆwonto
X0and L2. This derivative can be written as a scalar valued
linear functional of ˆwas follows:
dJi(w; ˆw),hq, ˆwi,ZT
0
qu(τ)ˆu(τ) dτ+qT
x0ˆx0,(6)
where qx0and quare the projections of q∈Honto X0and
U. For brevity we shall use the following notations
∂G
∂x ,∂G
∂x
s(tr,i;x0,u)
∈R1×n,
∂F (t)
∂x ,∂F
∂x
(t,s(t;x0,u),u)
∈Rn×n,
∂F (t)
∂u ,∂F
∂u
(t,s(t;x0,u),u)
∈Rn×m.
Let dsw(t; ˆw)represent the functional derivative of sw(t)
in the direction ˆw. Using the Taylor series based approach
in [10] we see that
dJi(w, ˆw) = ∂G
∂x sw(tr,i ; ˆw),(7)
dsw(t; ˆw) =
Zt
0∂F (τ)
∂x dsw(τ; ˆw) + ∂F (τ)
∂u ˆu(τ)dτ (8)
Now suppose that
dsw(t; ˆw) = hp(t),ˆwi
=Zt
0
pu(t, τ )ˆu(τ)dτ +px0(t)Tˆx0.(9)
Plugging this equation into the right hand side of (8),
rearranging terms and swapping the order of integration and
equating terms with (9) yields
pu(t, τ ) = Zt
τ
∂F (ξ)
∂x pu(ξ , τ)dξ +∂ F (τ)
∂u
px0(t) = Zt
0
∂F (τ)
∂x px0(τ)dτ
We can solve for pu(t, τ )and px0(t)by solving the initial
value problem
d
dt pu(·, τ ) = ∂ F (t)
∂x pu(t, τ ),(10)
d
dt px0=∂F (t)
∂x px0(t),
pu(τ, τ ) = ∂F (τ)
∂u ,
px0(0) = In×n
By combining (7) with (9) and comparing to (6), we find
that
qu(τ) = ∂G
∂x pu(tr,i , τ )
qx0=∂G
∂x px0(tr,i )
Thus, to find a dJi(w; ˆw)that is negative, we can set ˆwin
the inner product (6) to be −q, that is
ˆu(τ) = −∂G
∂x pu(tr,i , τ ),(11)
ˆx0=−∂G
∂x px0(tr,i ).(12)
In order to calculate the update direction for a continuous
input on a digital computer, we represent the input function
by a linear combination of finitely many basis functions. In
each example presented in Section IV, we consider a basis of
either rectangular or triangular pulses that are evenly spaced
through time. Then we can calculate an exact update to the
input parameters using, for example, the sensitivity analysis
tools provided by SundialsTB toolbox [11].
Our approach is a local descent optimization; it can
easily be used within a multi-start scheme (where a local
optimization is performed from several initial points in the
search space), as illustrated in Example 3.
IV. EXP E RI MEN TS
Example 1: Our first example is a linear 81-dimensional
RLC circuit. The equations are given by
˙x(t) = Ax(t) + bu(t)
where Aand bhave appropriate dimensions. The sensitivity
ODE is then itself linear [9]. The safety specification requires
the output voltage to always be less than 1.5V:
φRLC =(x41 ≤1.5)
Starting from x0= [0,0] and a constant input of 0, the
descent converges to a falsifying trajectory with a near-step
input. 4
Example 2: This example is adapted from [7], given by
˙x(t) = x1(t)−x2(t) + u(t)
x2(t) cos(2πx2(t)) −x1(t) sin(2πx1(t)) + u(t)
with initial condition x0∈X0= [−1,1]×[−1,1], and spec-
ification 2¬p2with O(p2) = [−1.6,−1.4] ×[−0.9,−1.1].
2314
0 0.5 1 1.5 2 2.5
0.09
0.092
0.094
0.096
0.098
0.1
0.102
0.104
t
ufinal
Fig. 1: Example 2. Final input found by descent.
Starting from x0= [0,0] and a constant input of 0.1,
the descent converges to a falsifying trajectory.The falsifying
input is shown in Fig.1. 4
Example 3: The following example is 3-dimensional sys-
tem modeling the variation of glucose and insulin levels
in the blood, following a meal intake [12]. The model
was developed to help design insulin infusion schedules for
diabetes patients, e.g. as done in [13]. It is given by
˙x(t) =
−p1x1(t)−x2(t)(x1(t) + Gb) + Be−kt
−p2x2(t) + p3x3(t)
−n(x3(t) + Ib) + 1000
60VIu(t)
State x1represents the level of glucose in the blood
plasma above a given basal value Gb,x2is proportional
to the level of insulin that is effective in controlling blood
glucose level, and x3represents the level of insulin above
a given basal value Ib. The search space for [x1, x2, x3]is
[6,10] ×[0.05,0.1] ×[−0.1,0.1]. The input u(t)represents a
direct infusion of insulin meant to control the glucose level.
u(t)is therefore also referred to as an ‘infusion schedule’.
The pi,n,Band kare model parameters. We fix duration
T= 200. Consider first the following specification:
φ1=[0,20]x1∈[−2,10] ∧[20,200] x1∈[−1,1]
φ1specifies that glucose level should remain in the range
[−2,10] for the first 20 seconds, and should remain in the
range [−1,1] for the last 180 seconds. Our goal is to design
an infusion schedule such that the glucose level satisfies φ1.
This can be posed as the problem of falsifying ¬φ1. We
decided to search over the initial values of the ODE (1), the
input u, and the parameter p3:p3varies between diabetes
patients, and its estimated value for normal subjects is 1.3e-
5 [12]. Larger p3values imply that the insulin injection u(t)
will have a greater effect on the plasma glucose level x1(t).
The search range for p3is therefore fixed to [1e-5,1e-3]. Thus
the outcome of the optimization is a set of initial conditions
(patient’s state at meal time), a continuous infusion schedule,
and a class of patients (as described by the parameter p3) for
which the schedule is appropriate.
Starting from a constant input signal at 0.1, and
[x0, p3] =[8, 0.08, 0, 1.3e-5], the initial robustness is 1.5399.
0 50 100 150 200 250
−9
−8
−7
−6
−5
−4
−3
−2
−1
0
1
t
u(t)
Fig. 2: Example 3 (Insulin). Final input u(t)found by descent
algorithm, scaled to highlight the initial impulse.
0 20 40 60 80 100 120 140 160 180 200
0
0.5
1
1.5
2
2.5
3
t
(a) Final input obtained by descent.
0 20 40 60 80 100 120 140 160 180 200
−5
0
5
10
t
(b) Final trajectory returned by descent.
Fig. 3: Example 3 (Insulin). A profile obtained by multi-start.
The optimization returned a decision wwith robustness 0.678
in 12 iterations. The final p3value is 2.03e-5. It is interesting
to note that the final input shows an injection at the beginning
of time, followed by a constant infusion (Fig. 2). This is
the type of infusion schedule advocated as being optimal in
[12, Section III], under the nominal p3value and the cost
function C(u) = RT
0x2
1(t)dt. Our descent method produced
this schedule with relatively little computational effort, and
provides more information on the classes of patients for
which it is appropriate.
Consider next the following specification
φ2=(phg ∧X¬phg →3[0,10]([0,20] ¬phg ))
with O(phg) = {x|x1≥9.44}.φ2expresses that if
the glucose level rises above 9.44 mmol/L (meaning hyper-
glycemia), it should dip below 9.44 within 10secs and stay
there for at least 20secs. Starting from [6,0.05,0.1,0.0001],
the descent keeps the initial value of x1, since one way to
satisfy φ2is to never go above the dangerous level of 9.44. To
see how the schedule might need to be adapted for different
values of p3, we ran a random multi-start simulation, were
we uniformly sample the search space (we used 50 samples),
and from each sample we run a local descent. Fig.3a shows
a falsifying input profile significantly different from the one
in Fig.2, with p3=8e-4. Whether the shown input schedule
is practicable with today’s technology is not assessed, but
the point is that different classes of patients (and different
2315
initial states) might require different schedules. The resulting
glucose trajectory is shown in Fig.3b, demonstrating a quick
decrease towards safer levels of glucose. 4
Example 4: This example is a 6-dimensional system that
models a quadrotor moving through a vertical plane [10].
The system dynamics are given by:
¨
X=µ(wX−˙
X)−u1
msin θ
¨
Y=µ(wY−˙
Y)−g+u1
mcos θ
¨
θ=u2
Here mdenotes the object’s mass, gdenotes gravitational
acceleration, µis the coefficient of friction with the air, w·
is the wind velocity along each axis, and uiis the control
input. We define the XY coordinate of the object’s center of
mass as the system’s output.
For this example, we consider the task of verifying the
safety of controllers that drive the quadrotor from one side
of a hill over to the other side without hitting the hill or the
ground. On the other side is a desired goal region, which
the quadrotor must reach within 12 seconds and stay there
afterwards. This requirement can be represented by the MTL
specification,
φ=[12,∞]p1∧[0,12]¬p2∧[0,12] ¬p3,
Here, p1represents the goal set, p2represents the ground,
and p3represents the hill. The sets O(p1),O(p2),O(p3)used
in our experiments are shown graphically in Figure 4.
First, we designed a reference tracking feedback controller
by linearizing the system around a hovering operating point.
The system is assumed to be initially hovering at location
[x, y] = [−8,2] and that there is no wind during the sim-
ulation. Although this controller works well in the nominal
case, it is prudent to consider what happens if the system
does not begin at the expected initial state, or if there is any
wind disturbance. To this end, we treat the wind velocity
as an input to the system bounded by ±2m/s. We use the
algorithm presented in this paper to search over bounded sets
of initial conditions and horizonal wind profiles.
When the optimization was first run, the system was
falsified mainly by shifting the intial xposition to the left
and by having the wind blow the quadrotor to the left. The
updated initial condition and wind disturbance thus caused
the quadrotor to fly into the ground in a way that is not
expected for the nominal performance. This algorithm was
able to quickly find this major design flaw, as shown in
Figure 4.
After fixing the reference signal to maintain a height
of 2 for all points to the left of the starting location, the
optimization was rerun. After running for 7 iterations, the
algorithm found that the initial conditions [x, y, θ, ˙x, ˙y, ˙
θ] =
[0,0,0.005,0,0,0.098] and the wind profile shown in Fig-
ure 5 was able to falsify φ, specifically by slowing the
horizontal progression of the quadrotor so that it was not
in the goal set at time t= 12.
V. REL ATED WOR K
The work that appears in [14], [15] is the closest to the
results that we present here in terms of methods utilized. In
[15], sensitivity analysis is used to compute neighborhoods
of trajectories that always remain close enough and, thus,
perform coverage of the initial conditions. These results were
later extended in [14] to estimating parameter ranges and
initial conditions for the satisfaction of STL properties. Even
though our solution leads to sensitivity calculations, our ob-
jective is very different from the work in [14]. Our goal is to
develop the local search tools needed in order to improve the
performance of stochastic MTL falsification/optimal control
methods [7], [16]. Moreover, we can search simultaneously
over the initial conditions, parameters and the input sig-
nals. Finally, stochastic falsification methods avoid the state-
explosion problems that occur when attempting to cover a
high-dimensional set of parameters.
Different versions of the optimal control problem under
Linear Temporal Logic (LTL) specifications are presented
in [17], [18]. The authors in [17] take a mathematical
programming approach, while [18] develops an automata
based approach. Unlike MTL, LTL does not allow the speci-
fication of timing intervals for the Until operator UI(and by
extension, the Always and Eventually operators). This timing
interval is necessary for expressing real-time constraints on
the succession of events, which is important in many control
applications. The problem of optimal control for vehicle
routing for MTL specifications is addressed in [19]. However,
the results in [19] apply to specifications without nested
temporal operators and finite transition systems.
Our work in this paper can also be viewed as an optimal
control problem over hybrid systems. Since in our imple-
mentation we parameterize the input signals with a finite
number of parameters at specific points in time, we can
view the system as a parametric hybrid automaton where the
mode switches occur at specific time instants. Then the goal
is to compute the system parameters and initial conditions
such that the MTL robustness is minimized. However, we
Fig. 4: Falsification of Quadrotor with poor reference signal
2316
Fig. 5: Falsifying Wind Profile for Quadrotor System
remark that our theoretical results do not require the finite
parameterization of the input function space.
In terms of optimal control over hybrid systems, [20]
calculates numerically a descent direction for a class of
switched systems. First, we remark that our original cost
function is non-differentiable so it does not satisfy the
assumptions in [20]. In our current numerical implementation
each subproblem that we solve, i.e., descent to a specific set,
satisfies the assumptions in [20]. Thus, our solution could be
utilizing the results in [20] to solve more general problems
in the future. Similar remarks hold for the optimal control
problem formulated in [21]. Finally, in [22], we demonstrated
that in the case of linear hybrid systems improvements in
the convergence rate of stochastic search algorithms can be
achieved by adding a local search step.
VI. CONCLUSIONS
We have presented the derivation of the equations that
can be used for the computation of Metric Temporal Logic
(MTL) robustness descent vectors in the set of initial condi-
tions, parameter space and input function space for nonlinear
dynamical systems. These results are necessary for enabling
“gray box” MTL falsification and open loop control methods
for dynamical systems. One important advantage of the
proposed approach is that our framework can be readily used
for MTL falsification and/or optimal control methods within
any Model Based Development (MBD) tool that supports
sensitivity analysis. For instance, Simulink can provide such
functionality [23]. In the future, we will focus on extending
our new approach to hybrid systems using, for instance, the
decomposition method proposed in [24]. Also of interest is
the interplay between stochastic search methods [22] and
local gradient descent [25].
REFERENCES
[1] D. P. Bertsekas, Dynamic Programming and Optimal Control, Two
Volume Set, 2nd ed. Athena Scientific, 2000.
[2] K. Ogata, Modern Control Engineering, 4th ed. Prentice Hall, 2001.
[3] N. Michael, D. Mellinger, Q. Lindsey, and V. Kumar, “The GRASP
multiple micro uav testbed,” IEEE Robotics and Automation Magazine,
vol. 17, no. 3, pp. 56–65, 2010.
[4] Y. S. R. Annapureddy, C. Liu, G. E. Fainekos, and S. Sankara-
narayanan, “S-taliro: A tool for temporal logic falsification for hybrid
systems,” in Tools and algorithms for the construction and analysis
of systems, ser. LNCS, vol. 6605. Springer, 2011, pp. 254–257.
[5] A. Donze, “Breach, a toolbox for verification and parameter synthesis
of hybrid systems,” in Computer Aided Verification, ser. LNCS.
Springer, 2010, vol. 6174, pp. 167–170.
[6] R. Koymans, “Specifying real-time properties with metric temporal
logic.” Real-Time Systems, vol. 2, no. 4, pp. 255–299, 1990.
[7] H. Abbas, G. E. Fainekos, S. Sankaranarayanan, F. Ivancic, and
A. Gupta, “Probabilistic temporal logic falsification of cyber-physical
systems,” ACM Transactions on Embedded Computing Systems,
vol. 12, no. s2, May 2013.
[8] G. Fainekos and G. Pappas, “Robustness of temporal logic specifica-
tions for continuous-time signals,” Theoretical Computer Science, vol.
410, no. 42, pp. 4262–4291, September 2009.
[9] H. Abbas and G. Fainekos, “Computing descent direction of mtl
robustness for non-linear systems,” in American Control Conference,
2013.
[10] A. K. Winn and A. Julius, “Optimization of human generated trajecto-
ries for safety controller synthesis,” in American Control Conference
(ACC), 2013, 2013, pp. 4374–4379.
[11] R. Serban and A. Hindmarsh, “Cvodes: the sensitivity-enabled ode
solver in sundials,” in Proceedings of IDETC/CIE, 2005.
[12] M. Fisher, “A semiclosed-loop algorithm for the control of blood glu-
cose levels in diabetics,” Biomedical Engineering, IEEE Transactions
on, vol. 38, no. 1, pp. 57–61, 1991.
[13] S. Sankaranarayanan and G. Fainekos, “Falsification of temporal
properties of hybrid systems using the cross-entropy method,” in
ACM International Conference on Hybrid Systems: Computation and
Control, 2012.
[14] A. Donze, E. Fanchon, L. M. Gattepaille, O. Maler, and P. Tracqui,
“Robustness analysis and behavior discrimination in enzymatic reac-
tion networks,” PLoS ONE, vol. 6, no. 9, p. e24246, 09 2011.
[15] A. Donze and O. Maler, “Systematic simulation using sensitivity
analysis,” in Hybrid Systems: Computation and Control, ser. LNCS,
vol. 4416. Springer, 2007, pp. 174–189.
[16] T. Nghiem, S. Sankaranarayanan, G. Fainekos, F. Ivancic, A. Gupta,
and G. Pappas, “Monte-carlo techniques for falsification of temporal
properties of non-linear hybrid systems,” in Hybrid Systems: Compu-
tation and Control, 2010.
[17] S. Karaman, R. Sanfelice, and E. Frazzoli, “Optimal control of mixed
logical dynamical systems with linear temporal logic specifications,”
in IEEE Conf. on Decision and Control, 2008.
[18] E. A. Gol and C. Belta, “Time-constrained temporal logic control of
multi-affine systems,” Nonlinear Analysis: Hybrid Systems, vol. 10,
pp. 21–33, 2013.
[19] S. Karaman and E. Frazzoli, “Vehicle routing problem with metric
temporal logic specifications,” in IEEE Conference on Decision and
Control, Dec. 2008, pp. 3953 –3958.
[20] H. Gonzalez, R. Vasudevan, M. Kamgarpour, S. S. Sastry, R. Bajcsy,
and C. J. Tomlin, “A descent algorithm for the optimal control of con-
strained nonlinear switched dynamical systems,” in Proceedings of the
13th ACM international conference on Hybrid systems: computation
and control, ser. HSCC ’10. ACM, 2010, pp. 51–60.
[21] H. Axelsson, Y. Wardi, M. Egerstedt, and E. Verriest, “Gradient
descent approach to optimal mode scheduling in hybrid dynamical
systems,” Journal of Optimization Theory and Applications, vol. 136,
no. 2, pp. 167–186, 2008.
[22] H. Abbas and G. Fainekos, “Linear hybrid system falsification through
local search,” in Automated Technology for Verification and Analysis,
ser. LNCS, vol. 6996. Springer, 2011, pp. 503–510.
[23] Z. Han and P. J. Mosterman, “Towards sensitivity analysis of hybrid
systems using simulink,” in Proceedings of the 16th international
conference on Hybrid systems: computation and control. ACM, 2013,
pp. 95–100.
[24] A. Zutshi, S. Sankaranarayanan, J. V. Deshmukh, and J. Kapinski,
“A trajectory splicing approach to concretizing counterexamples for
hybrid systems,” in IEEE Conference on Decision and Control, 2013.
[25] D. Hristu and K. Morgansen, “Limited communication control,” Sys-
tems & Control Letters, vol. 37, pp. 193–205, 1999.
2317
