Automatic Generation of Communication Requirements for Enforcing Multi-Agent Safety
Eric S. Kim, Murat Arcak, Sanjit A. Seshia, BaekGyu Kim, Shinichi Shiraishi
M. Gleirscher, S. Kugele, S. Linker (Eds.): 2nd International Workshop on Safe Control of Autonomous Vehicles (SCAV 2018), EPTCS 269, 2018, pp. 3–16, doi:10.4204/EPTCS.269.2
© E. Kim, M. Arcak, S. Seshia, B. Kim & S. Shiraishi. This work is licensed under the Creative Commons Attribution License.
Eric S. Kim, Murat Arcak, Sanjit A. Seshia: Department of Electrical Engineering and Computer Sciences, UC Berkeley, Berkeley, CA, {eskim, arcak, sseshia}@eecs.berkeley.edu
BaekGyu Kim, Shinichi Shiraishi: Toyota InfoTechnology Center, U.S.A., Mountain View, CA, {bkim, sshiraishi}@us.toyota-itc.com

Distributed controllers are often necessary for a multi-agent system to satisfy safety properties such as collision avoidance. Communication and coordination are key requirements in the implementation of a distributed control protocol, but maintaining an all-to-all communication topology is unreasonable and not always necessary. Given a safety objective and a controller implementation, we consider the problem of identifying when agents need to communicate with one another and coordinate their actions to satisfy the safety constraint. We define a coordination-free controllable predecessor operator that is used to derive a subset of the state space that allows agents to act independently, without consulting other agents to double check that the action is safe. Applications are shown for identifying an upper bound on connection delays and a self-triggered coordination scheme. Examples are provided which showcase the potential for designers to visually interpret a system's ability to tolerate delays when initializing a network connection.
Interaction amongst agents can come in various forms such as coupled dynamics, coupling constraints, or a joint optimization objective. A common facet of multi-agent systems is the use of a distributed control architecture, where each agent has authority over different sets of actuators, and an accompanying communication network for agents to coordinate their actions. Communication and collective decision making facilitate complex interactions amongst agents and enable them to reliably achieve collective behaviors that would otherwise be difficult to accomplish without some coordination protocol.

In this paper, we consider the problem of satisfying a safety objective with a controller that is distributed over multiple agents. We say that these agents are coordinating within a given time step if they communicate and collectively agree upon actions to execute. As a motivating example, consider two fully autonomous vehicles equipped with vehicle-to-vehicle (V2V) communication and tasked with avoiding a collision. At one extreme are scenarios where no communication is necessary due to a sufficiently large distance between the vehicles, while at the other extreme are near miss scenarios where collisions are only avoided through precise timing, actuation, or luck. Preemptive cooperation enabled by V2V communication is designed to help the vehicles avoid these danger scenarios and to let vehicles negotiate collision-free trajectories.

How can one distinguish between these extremes and determine when multi-system coordination is and is not necessary to maintain a safety objective? We present a method that takes a closed loop control system and a safety requirement, then identifies a subset of the state space that is robustly safe against temporary communication losses. This subset naturally shrinks with time as the duration of the communication loss increases.
At its core, our method iterates an appropriate operator which propagates a coordination-free region and resembles fixed point algorithms in the literature on symbolic system verification. This operator is defined such that it incorporates information about the system dynamics and the controller architecture. These results are first used to consider a scenario when multiple agents want to cooperate, but can only do so after some delay. We then develop a self-triggered coordination scheme where agents can preemptively schedule when they would like to communicate, while still maintaining safety guarantees.

This paper tackles a new problem that has not, to the best of our knowledge, been addressed within the control theory literature and is motivated by applications to autonomous vehicle safety. Compared to other work, we do not assume a decomposition of the state space as in [5, 4], nor is the objective assumed to be decomposable [4]. Instead we only consider a decomposition of the input space and can thus accommodate instances where there are complex coupling dynamics that are best handled monolithically. This work leverages compositional tools and techniques developed for formal controller synthesis. These may involve constructing abstractions compositionally [13], decomposing the controller synthesis procedure [9, 10], or decomposing the controller itself [15]. Assume-guarantee reasoning has also been used for compositional synthesis with multiple agents by abstracting out internal information that is irrelevant to reasoning about system interactions [11]. Our self-triggering communication scheme may be compared to similar schemes in the self-triggered control literature [8], where often the objective is to minimize the energy expended by sensors and actuators subject to a stability constraint [2, 6]. Our work instead seeks to minimize the communication overhead incurred as multiple agents negotiate safe actions.

∗ This work was supported in part by NSF grant CNS-1545116, co-funded by the DOT.
Given two sets A and B, let |A|, 2^A, and A × B respectively represent A's cardinality, A's power set (set of all subsets), and the Cartesian product between A and B. Let ℝ, ℤ represent the real and integer numbers respectively, while ℝ_{≥0} and ℤ_{≥0} = ℕ are their non-negative counterparts. With an appropriate universal set Ω, A's complement A^C is defined as Ω \ A. Given a Cartesian product of M sets ∏_{i=1}^M A_i and a subset L ⊆ ∏_{i=1}^M A_i, the projection operation π_{A_j}: ∏_{i=1}^M A_i → A_j retains the coordinates associated with A_j and is defined as:

\pi_{A_j}(L) = \{ a_j \in A_j : \exists (a_1, \ldots, a_{j-1}, a_{j+1}, \ldots, a_M) \text{ such that } (a_1, \ldots, a_M) \in L \}.   (1)

An interval [a, b] where a, b ∈ ℤ includes both end points. Let [a, b) = [a, b − 1] and [a] = [a, a]. Given a space P, the space of trajectories evolving in P is P[·]. A trajectory p[·] over time interval I is a map p[·]: I → P. Let X and U represent a system's state and input spaces respectively. Sets X[·] and U[·] are referred to as state and input trajectory sets. This paper deals with systems where the input space U consists of N components so that U = ∏_{i=1}^N U_i. Each of these N components is thought of as an individual agent.¹ The system's discrete-time dynamics are given by a relation f ⊆ X × U × X, which can also be viewed as a set-valued function f: X × U → 2^X. Let U(x) = {u ∈ U : f(x, u) ≠ ∅} denote the set of non-blocking control inputs at x.

A memoryless controller for system f is a relation C ⊆ X × U. The set of states B = {x ∈ X : (x, u) ∉ C for all u ∈ U} is the set of blocking states under controller C. A controller may also be viewed as a set-valued map C: X → 2^U that maps states to sets of admissible inputs (states with no corresponding control input map to an empty set).

¹ Some U_i may be multi-dimensional, so N is not necessarily the dimension of U.
A controller C and system f can be interconnected into a closed loop system denoted as f ∘ C: X → 2^X.² The next state x[k+1] satisfies x[k+1] ∈ f ∘ C(x[k]) if and only if there exists a u[k] ∈ C(x[k]) such that x[k+1] ∈ f(x[k], u[k]). All sequences x[·] that satisfy the aforementioned condition and x[0] ∈ L are said to be generated by the closed loop system f ∘ C with initial state set L ⊆ X.

Safety is a common requirement for cyber-physical systems. We encapsulate this notion of safety as a region of the state space S ⊆ X that should never be exited. For a vehicle, set S could represent a collision-free zone and a speed limit, while for a medical device S could represent safe blood sugar levels.

Definition 1. Let S ⊆ X be a set of safe states. A control policy C: X → 2^U and initial set L ⊆ S are said to satisfy safety constraint S if all trajectories generated by the closed loop system f ∘ C with any initial state x[0] ∈ L never exit S.

At each state x, there is a set of admissible control inputs C(x) ⊆ U. A controller is deterministic if |C(x)| = 1 for all x ∈ X. Although determinism simplifies analysis of a closed loop system, deterministic controllers may be too restrictive if the system needs to satisfy additional requirements on top of safety. For instance, if two vehicles want to avoid a collision, then a safe controller can simply enforce that both vehicles have zero velocity, but this prevents the vehicles from reaching a desired location.

More permissive controllers can act as supervisors that restrict control actions only enough to ensure safety. They are useful because they can be combined with other controllers that seek to achieve other objectives such as reaching a region. When a distributed controller is deployed on multiple systems without an underlying communication scheme, the non-determinism contained in permissive controllers can lead to safety violations.

If U = ∏_{i=1}^N U_i is decomposed into N inputs that are each under the control of a different agent, then each must concurrently select a single input u_i such that

(u_1, \ldots, u_N) \in C(x).   (2)

It is this step, where multiple agents concurrently select an input, that leads to coordination hazards. Whenever |C(x)| > 1

Example 1 (Illustrative Example). Consider the scenario depicted in Figure 1 where two vehicles are facing one another and a collision is imminent. Both vehicles can choose between staying in their lane or switching to the other lane, and a collision is avoided only when one vehicle switches. Clearly it is possible for a collision to be avoided as long as the two vehicles are able to communicate and negotiate which one changes lanes.
On the other hand, suppose that these vehicles are not equipped with V2V communications. If a collision does occur it is not possible to assign fault to solely one vehicle, because from both vehicles' points of view its action was safe as long as the other vehicle responded with the appropriate action. Instead one can only attribute the fault to both agents' failure to negotiate.

² This notation was inspired by ∘'s usage as a function composition operator. However, it is not a composition in the strictest sense where f(g(x)) = (f ∘ g)(x).

Figure 1: Motivating Example

                       Right Vehicle: Change   Right Vehicle: Stay
Left Vehicle: Change   Collision               No Collision
Left Vehicle: Stay     No Collision            Collision

Figure 2: For some fixed x ∈ X, the original safe control set C(x) (patterned region) is projected onto the axes U_1 and U_2 of U = U_1 × U_2 and yields π_{U_1}(C(x)) and π_{U_2}(C(x)) (thick lines). Combining the projections gives the coordination-free counterpart IND_C(x) (darker regions) defined in Section 3.

To formalize the notion of coordination, we first define a minimal independent controller IND_C associated with C. The set of possible controller actions at x is IND_C(x) and is depicted in Figure 2.

\mathrm{IND}_C(x) := \prod_{i=1}^{N} \pi_{U_i} C(x).   (3)

The projection π_{U_i} C(x) of this controller onto each agent i's individual component U_i yields the set of all control inputs permitted at state x without any information about how other agents behave. Any input u_i ∉ π_{U_i} C(x) indicates that agent i is either reckless or malicious. If all agents pick a u_i ∈ π_{U_i} C(x) then they have all reasonably attempted to satisfy the safety condition by selecting a point (u_1, …, u_N) ∈ IND_C(x), but the joint condition (u_1, …, u_N) ∈ C(x) is not necessarily satisfied because C(x) ⊆ IND_C(x).

The independent controller IND_C may also be viewed as the set of possible control actions that are reasonable in the undesirable situation where each agent believes itself to be the leader and relies on the other agents to be followers that respond to the leader's choice. The set IND_C(x) ⊆ U is the minimal independent set that contains C(x).

Throughout the rest of this paper, we analyze properties of the new closed loop system f ∘ IND_C, which is derived from f ∘ C but exhibits additional behaviors due to the absence of coordination. Note that the set of trajectories exhibited under f ∘ C is a subset of those exhibited under f ∘ IND_C. Thus, even though the original system f ∘ C may be safe, f ∘ IND_C may exhibit unsafe trajectories.

Problem 1.
Given a set of dynamics f, a distributed controller IND_C, a safe region S, and a coordination-free interval I = [a, b), identify a subset of the state space L such that all behaviors of f ∘ IND_C with initial state x[a] ∈ L remain in S within the interval I.

V2V technology also enables the creation of ad hoc vehicular mesh networks, which enable applications in cooperative cruise control, vehicular platoons, and congestion mitigation. Suppose each agent is represented by a vertex in an undirected graph and two agents with a V2V link have their corresponding vertices connected by an edge. Such a graph can be grouped into equivalence classes corresponding to its connected components. We assume that agents in the same class can communicate instantly even if they are separated by more than one edge.
Assumption 1. Each agent in an equivalence class can coordinate with all other agents in that class within each time step k.
In practice, Assumption 1 is a requirement that the time scale over which messages are passed in the network is effectively instantaneous relative to the time scale of the physical dynamics. The independence definition of Equation (3) was stated under the assumption that each U_i corresponds to one agent and that no agents cooperate. If agent cooperation occurs over a mesh network with P connected components, then the independence condition corresponds to the connected components of the graph. For each of the l = 1, …, P equivalence classes, let Û_l be the Cartesian product of the coordinates U_i that belong to that class.

\mathrm{IND}_C(x) := \prod_{l=1}^{P} \pi_{\hat{U}_l} C(x).   (4)

This formulation allows a platoon to be treated as a single agent instead of a collection of vehicles. For notational simplicity, we assume that the decomposition into equivalence classes is given and use Equation (3) throughout the rest of this paper.

Given some controller C ⊆ X × U, we use the associated minimally restrictive independent controller from Equation (3) as a formal characterization of all the possible actions of a distributed implementation of C in the absence of coordination. The set of predecessor states which enforce membership within a region Z ⊆ X without coordination is computed with the operator

\mathrm{IPRE}(Z) = \{ x : x \in \pi_X(\mathrm{IND}_C) \} \cap \{ x : \emptyset \neq f(x, u) \subseteq Z \text{ for all } u \in \mathrm{IND}_C(x) \}.   (5)

The first set ensures that there is always a valid input, because π_X(IND_C) is the state domain over which the controller produces admissible inputs. The second set takes into account the system dynamics and ensures that all next states are in Z. A state in IPRE(Z) is robust in the sense that all possible next states f(x, u) are contained in Z despite uncertainty about which u ∈ IND_C(x) is chosen. Operator SIPRE_S below identifies states that can stay in Z and remain safely in S without coordination:

\mathrm{SIPRE}_S(Z) = Z \cap \mathrm{IPRE}(Z) \cap S.   (6)

Iterating SIPRE_S k times, we can identify a region of the state space that remains in S for k time steps despite communication losses. Both operators are simple modifications of standard controllable predecessor operators [16].

Set intersection, union, negation, and projection are the main operations required to compute Equation (5) and Equation (6) exactly. In a continuous domain, support for these algebraic operations may only be possible to encode for a specific set of system dynamics and constraints (consider for instance linear system dynamics and constraints given as unions of polyhedra). However, in the scenario where state and input spaces are finite, binary decision diagrams (BDDs) [3] are an efficient data structure that supports all of the aforementioned operations. Instead of imposing constraints on the system dynamics and safety region, we opt for the finite case by using a grid to approximate a continuous domain. Moreover, there exists a rich theoretical literature on abstraction methods [16, 12] and accompanying software tools such as [14] which construct approximately similar finite systems such that Assumption 2 is satisfied, even if the state and input spaces of system f are dense, continuous subsets of Euclidean space.

Assumption 2. Both X and U are finite sets.

We consider two applications. One is to characterize latency requirements for a wireless communication system and the other is a design for a self-triggered coordination scheme.
Our first application involves N agents that seek to establish a wireless communication channel subject to a maximum connection delay D ∈ ℕ. Once a connection is established, it is assumed to be maintained as in the left of Figure 3 where D = 5. If all agents attempt to initiate a connection starting at time k, then they are able to jointly choose a control input starting at time k + D.

Definition 2. A system in state x[k_0] at time k_0 is robustly safe to connection initialization delays of length D if x[k_0, ∞) ∈ S for all trajectories x[k_0, ∞) generated by the time varying closed loop system

x[k+1] \in f \circ \mathrm{IND}_C(x[k]) \quad \text{if } k \in [k_0, k_0 + D),   (7)
x[k+1] \in f \circ C(x[k]) \quad \text{if } k \in [k_0 + D, \infty),   (8)

where we adopt the convention [k_0, k_0 + D) = ∅ if D = 0.

The procedure for a given delay D is as follows. We first identify an invariance set K where the system f ∘ C remains in S along an infinite horizon [k_0 + D, ∞) once x[k_0 + D] ∈ K. Invariance set K is distinct from safe set S because a state x[k] ∈ S \ K satisfies the safety condition at time k but is not guaranteed to do so along an infinite horizon. With set K, we then iterate SIPRE_S(K) D times to identify the states that are guaranteed to reach K at time k_0 + D without exiting S within [k_0, k_0 + D).

To identify K, we define operators that are analogous to IPRE and SIPRE, except that IND_C is replaced with C:

\mathrm{PRE}(Z) = \{ x : x \in \pi_X(C) \} \cap \{ x : \emptyset \neq f(x, u) \subseteq Z \text{ for all } u \in C(x) \},   (9)
\mathrm{SPRE}_S(Z) = Z \cap \mathrm{PRE}(Z) \cap S.   (10)

Lemma 1. Let K := lim_{i→∞} SPRE_S^i(X). Then all trajectories x[k_0 + D, ∞) such that x[k_0 + D] ∈ K will never intersect the unsafe set S^C.

Proof. The Tarski fixed point theorem [17] ensures that the limit on the right hand side exists and is unique if X is a finite set and SPRE_S is a monotone operator. Assumption 2 ensures that X is finite, and monotonicity of SPRE_S with respect to the set containment ordering can easily be verified. Note that S = SPRE_S(X). Membership of state x[k] in set SPRE_S^{i+1}(X) ensures that both x[k], x[k+1] ∈ K. By induction, given x[k_0 + D] ∈ SPRE_S^i(X) and i > 0, trajectories from system f ∘ C will remain in S along the interval [k_0 + D, k_0 + D + i). Because the limit set exists, lim_{i→∞} SPRE_S^i(X) is the set of points that are safe along the interval [k_0 + D, ∞).

Building on the previous lemma, iterating SIPRE_S D times yields a region where all trajectories of length D are safe without coordination. The closed loop system under IND_C must never exit S within the interval [k_0, k_0 + D), and must also terminate at x[k_0 + D] ∈ K so that the system under C can ensure safety along the infinite horizon [k_0 + D, ∞).

Proposition 1.
Let K := lim_{i→∞} SPRE_S^i(K). Then SIPRE_S^k(K) is the set of states that are safe under IND_C for k − 1 time steps.

Proof. Suppose x[0] ∈ SIPRE_S^k(K). The set of possible states for x[1] under controller IND_C is uniquely defined as SIPRE_S^{k−1}(K) and is non-empty. By induction, a sequence x[·] = x[0] … x[k] generated by the closed loop system f ∘ IND_C must satisfy x[j] ∈ SIPRE_S^{k−j}(K) for all j ∈ [0, k]. By definition SIPRE_S^0(K) = K.

It is also possible to design a scheduler for triggering communication amongst agents. Each agent maintains a countdown for the latest time communications can be initiated. As the system executes, this time is updated to provide a constantly changing upper bound on the latest time the agents need to communicate. For clarity, we assume that the connection initialization delay D from the previous section takes a fixed value, and define T: [0, F] → 2^X such that

T(k) = \begin{cases} \mathrm{SIPRE}_S^{k}(K) \setminus \mathrm{SIPRE}_S^{k+1}(K) & \text{if } k < F \\ \mathrm{SIPRE}_S^{k}(K) & \text{if } k = F \end{cases}   (11)

where F ∈ ℕ is the first value at which the sequence reaches a fixed point:

F = \operatorname{argmin}_{i \in \mathbb{N}} \left[ \mathrm{SIPRE}_S^{i+1}(K) = \mathrm{SIPRE}_S^{i}(K) \right].   (12)

A modified inverse function T̂^{−1}: X → [0, F] is given by:

\hat{T}^{-1}(x) = \{ i \in [0, F] : x \in T(i) \}.   (13)

Because the collection T(0), …, T(F) consists of disjoint sets, T̂^{−1}(x) is well defined (i.e. a singleton set) for each x ∈ K. Because each agent has access to T̂ and the state x, they can independently determine the unique value of i such that x ∈ T(i). A countdown with initial value i is then initialized for each agent. When that value reaches i = 0

Definition 3. The system with a self-triggered communication architecture satisfies the following dynamics.

x[k+1] = \begin{cases} f \circ \mathrm{IND}_C(x[k]) & \text{if } i[k] > 0 \\ f \circ C(x[k]) & \text{if } i[k] = 0 \end{cases}   (14)
i[k+1] = \begin{cases} i[k] - 1 & \text{if } i[k] > 0 \\ \hat{T}^{-1}(x[k+1]) & \text{if } i[k] = 0 \end{cases}   (15)

Note that when i[k] = 0, the counter is reset to T̂^{−1}(x[k+1]) after the state transition from Equation (14) occurs.

Proposition 2.
If x[k] ∈ K, then all trajectories x[k, ∞) under the self-triggered communication system from Definition 3 will remain inside S.

In each of our examples, we use a modified version of the SCOTS symbolic controller synthesis toolbox [14], which takes a continuous control system and creates a finite state machine that serves as an abstract representation over which a controller is synthesized. In addition to modifications to compute Equation (4) and Equation (6), we exploit internal system dependencies to reduce the computation time of the abstraction [7]. Creating the discrete abstraction depends on parameters such as the grid size and granularity. Consider a set P = ∏_{i=1}^N P_i and a discretization parameter η ∈ ℝ^N_{>0}. Its corresponding discretization grid is [P]_η := ∏_{i=1}^N [P_i]_{η_i}, where [P_i]_{η_i} := {a ∈ P_i : a = kη_i with k ∈ ℤ} is a grid over a single dimension. A full introduction to the underlying theory appears in [16] and is beyond the scope of this paper.

Two agents each have control over different axes and both need to remain within a circular region:

\dot{x}_1 = u_1, \quad \dot{x}_2 = u_2.   (16)

Figure 4: Individual dots represent the synthesized safe control set from SCOTS under C(x) at point x = (x_1, x_2) = (−., −.) in U = U_x × U_y. Without discretization, the true safe action space would be the shaded region in red. The dashed box shows the possible coordination-free actions IND_C(x), which is not contained in the safe action space. Importantly, the synthesized safe inputs are a subset of the true set. Note that ‖x‖ ≈ . S.

Let X = U = [−, ] × [−, ]. Although the dynamics are independent, the safety region is a circle with a radius 0., S = {(x_1, x_2) : x_1² + x_2² ≤ .}, so both agents must coordinate with one another to avoid exiting S near the boundary.
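As an added illustration (not the paper's SCOTS-based code), the following Python script builds a hand-constructed finite version of this two-axis example: each agent moves one coordinate of a grid point by −1, 0 or 1 per step and S is a disc of radius 3. It implements IND_C from Equation (3), IPRE and SIPRE_S from Equations (5) and (6), the invariant set K of Lemma 1, the layers T(i) and countdown T̂^{-1} of Equations (11)–(13), and exhaustively checks Proposition 2 on this instance; the grid, radius and dynamics are constructed values, not the paper's.

```python
"""Finite toy instance of the two-axis example: constructed here, not taken
from the paper. Agent 1 controls x1 and agent 2 controls x2 on an integer
grid; the safe set S is the disc of radius RADIUS around the origin."""
from itertools import product

RADIUS = 3
X = frozenset(product(range(-4, 5), repeat=2))       # finite state space
U = tuple(product((-1, 0, 1), repeat=2))              # U = U1 x U2
S = frozenset(x for x in X if x[0] ** 2 + x[1] ** 2 <= RADIUS ** 2)


def f(x, u):
    """Set-valued dynamics f(x, u): the single successor x + u, or the empty
    set when that successor leaves the grid (a blocking input)."""
    nxt = (x[0] + u[0], x[1] + u[1])
    return {nxt} if nxt in X else set()


def C(x):
    """Maximally permissive safety controller: every input whose successor
    exists and lies in S."""
    return {u for u in U if f(x, u) and f(x, u) <= S}


def ind_c(x):
    """Equation (3): product of the per-agent projections of C(x)."""
    cx = C(x)
    return set(product({u[0] for u in cx}, {u[1] for u in cx}))


def pre(Z, ctrl):
    """Equations (5) and (9): states where ctrl is non-empty and every
    admissible input has a non-empty successor set contained in Z."""
    return frozenset(x for x in X if ctrl(x)
                     and all(f(x, u) and f(x, u) <= Z for u in ctrl(x)))


def safe_pre(Z, ctrl):
    """Equations (6) and (10): Z intersected with PRE(Z) and S."""
    return Z & pre(Z, ctrl) & S


def invariant_set():
    """Lemma 1: iterate SPRE_S from X until the fixed point K is reached."""
    Z = X
    while True:
        nxt = safe_pre(Z, C)
        if nxt == Z:
            return Z
        Z = nxt


def sipre_layers(K):
    """Return [SIPRE_S^0(K), ..., SIPRE_S^F(K)] where F is the first index at
    which the sequence stops changing (Equation (12))."""
    seq = [K]
    while True:
        nxt = safe_pre(seq[-1], ind_c)
        if nxt == seq[-1]:
            return seq
        seq.append(nxt)


def countdown_table(seq):
    """Equations (11) and (13): T(i) = SIPRE^i minus SIPRE^(i+1) for i < F
    and T(F) = SIPRE^F; map each x in K to its unique layer index."""
    F = len(seq) - 1
    table = {}
    for i in range(F + 1):
        layer = seq[i] - seq[i + 1] if i < F else seq[i]
        for x in layer:
            table[x] = i
    return table


def self_triggered_safe(K, t_inv):
    """Exhaustive check of Proposition 2 on this instance: explore every
    (state, counter) pair reachable under Definition 3 and confirm the state
    never leaves S. With counter > 0 the agents act independently (IND_C);
    at 0 they coordinate (C) and the counter is reset from the next state."""
    frontier = [(x, t_inv[x]) for x in K]
    seen = set(frontier)
    while frontier:
        x, i = frontier.pop()
        if x not in S:
            return False
        for u in (ind_c(x) if i > 0 else C(x)):
            for nxt in f(x, u):
                pair = (nxt, i - 1) if i > 0 else (nxt, t_inv[nxt])
                if pair not in seen:
                    seen.add(pair)
                    frontier.append(pair)
    return True


K = invariant_set()
SEQ = sipre_layers(K)
T_INV = countdown_table(SEQ)

if __name__ == "__main__":
    print("|K| =", len(K), " layer sizes:", [len(z) for z in SEQ])
    print("countdown at origin:", T_INV[(0, 0)], " at (3,0):", T_INV[(3, 0)])
    print("Proposition 2 holds:", self_triggered_safe(K, T_INV))
```

On this grid the boundary state (3, 0) shows the coordination hazard of Figure 4: its projections admit (0, ±1), which C(x) does not, so it sits in K but not in SIPRE_S(K) and must coordinate immediately.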
It is clear that the system can always enforce safety within S simply by picking the control input (u_1, u_2) := −(x_1, x_2). A discretization of the system dynamics is constructed with a sampling period of t = 0.01. The state space grid [X]_η is constructed with η = [., .] and the input space grid is [U]_ε with ε = [., .]. Figure 4 depicts all safe control inputs at (x_1, x_2) = (−., .), which is near the boundary of S. The staircase shape of the boundary between the safe and unsafe inputs is due to the discretization of the dynamics. Inputs towards the upper right move the state to the interior of S, while safe inputs at the lower left hug the boundary between S and S^C. If both systems jointly pick low values for u_1 and u_2 then a violation occurs; however, both agents can pick u_1, u_2 = −
SIPRE operator in Section 3. Figure 5 shows that a system beginning at the origin can experience an uncoordinated collision after 29 discrete time steps, which under sampling period t = 0.01 corresponds to an interval of length 0.29 in continuous time. However, for the continuous system the worst case time step is roughly twice as much, ./√2 ≈ ., for u_1, u_2 ∈ {−, } maintaining constant values over time. This is mainly due to the discretization errors that arise when abstracting the continuous system to a discrete one. Note that the discretization error does not jeopardize the safety guarantee. Rather, the discrete case underestimates how much time is available for agents to avoid communication, thus providing a more conservative guarantee.

Consider two vehicles that are approaching an intersection with no stop sign or traffic signal. They are controlled independently, but each is equipped with a V2V radio and may communicate with one another. They are also equipped with enough sensors to identify the position and velocity of all vehicles.
Figure 5: Multiple snapshots at i = ., ., 29 as the region K \ SPRE_S^i(K) grows. One can alternatively visualize SPRE_S^i(K) as a shrinking interior white region as the length of the communication-free interval grows. Red regions represent areas where the system will imminently exit S unless the two agents coordinate their actions, while blue regions in the interior are only unsafe if the agents do not coordinate for a prolonged period. A fixed point was reached at i = .

\dot{p}_i = v_i,   (17)
\dot{v}_i = u_i - K v_i,   (18)

with some constant K = 0.2. A higher value for K signifies higher air drag. Let P_1, P_2 = [−, ] and V_1, V_2 = [, ]. The state space is X := ∏_{i=1}^2 (P_i × V_i) and U := ∏_{i=1}^2 [−, ]. The invariant region is the region where at least one vehicle is outside the intersection and no collision has occurred, and is succinctly encoded as the set

S := \{ x : (|p_1| \ge .) \vee (|p_2| \ge .) \}.   (19)

We use the SCOTS toolbox to synthesize a supervisory controller C and compute its corresponding invariance region K with the procedure in Section 4.1. The system dynamics discretization used a sampling period of t = 0.2, state space grid [X]_η parameter η = [., ., ., .] and input space grid [U]_ε parameter ε = [., .].

After synthesizing controller C, its decomposed counterpart IND_C is analyzed. Within K^C even a centralized controller is unable to guarantee that a collision will not occur. This unsafe region is to be avoided and communication is necessary to avoid it. Section 5.2 depicts the 3D projection of K^C and the evolution of the unsafe region (SIPRE_S^D(K))^C with no communication.

Let there be N = 2 agents, i = 1, 2, with dynamics

\dot{x}_i = u_i.   (20)

Figure 7: (Left) Three dimensional projection of the four dimensional unsafe region K^C for centralized controller C with v_2 = .. The regions (SIPRE_S^D(K))^C for the system f ∘ IND_C(x) expand as communication delay D increases.

The sets X_i = [−., .] × [−., .] and U_i = [−, ] × [−, ] for both i = 1, 2. A collision has occurred between both agents in the region

S^C = \{ (x_1, x_2) \in X_1 \times X_2 : \max(|x_{1,1} - x_{2,1}|, |x_{1,2} - x_{2,2}|) < . \}.   (21)

SCOTS is again used to synthesize a centralized controller for the system. The discrete abstraction was constructed with sampling period τ = 0.01, state space grid [X]_η with parameter η = [., ., ., .], and input space grid [U]_ε with parameter ε = [., ., ., .]. Figure 8 shows the trajectory of the system with the self-triggering implementation and how T̂^{−1}(x[k]) as defined in Equation (13) varies with respect to time.

We have presented a method to analyze when communication is necessary in order for a distributed controller to satisfy a safety requirement. While the current implementation deals with memoryless controllers, future work will look into control policies with memory, time varying connectivity, and an application to richer specifications including those expressible in temporal logic.
Figure 8: T̂^{−1}(x[k]), which underapproximates the actual time until a collision is inevitable (K^C). Because Equation (20) is fully actuated, the safe set K and the invariance region S are identical.

References
[1] Federal Aviation Administration (2017): Code of Federal Regulations, Title 14.
[2] Florian D. Brunner, T.M.P. Gommans, W.P.M.H. Heemels & Frank Allgöwer (2015): Communication Scheduling in Robust Self-Triggered MPC for Linear Discrete-Time Systems. IFAC-PapersOnLine.
[3] Randal E. Bryant (1992): Symbolic Boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys (CSUR).
[4] A general system decomposition method for computing reachable sets and tubes. IEEE Transactions on Automatic Control, doi:10.1109/TAC.2018.2797194.
[5] Eric Dallal & Paulo Tabuada: Decomposing Controller Synthesis for Safety Specifications. In: CDC 2016, doi:10.1109/CDC.2016.7799148.
[6] T.M.P. Gommans & W.P.M.H. Heemels (2015): Resource-aware MPC for constrained nonlinear systems: A self-triggered control approach. Systems and Control Letters 79, pp. 59–67, doi:10.1016/j.sysconle.2015.03.003.
[7] Felix Gruber, Eric S. Kim & Murat Arcak (2017): Sparsity-Aware Finite Abstraction. In: CDC 2017, doi:10.1109/CDC.2017.8263995.
[8] W.P.M.H. Heemels, Karl Henrik Johansson & Paulo Tabuada (2012): An introduction to event-triggered and self-triggered control. In: Decision and Control (CDC), 2012 IEEE 51st Annual Conference on, IEEE, pp. 3270–3285, doi:10.1109/CDC.2012.6425820.
[9] Eric S. Kim, Murat Arcak & Sanjit A. Seshia (2015): Compositional controller synthesis for vehicular traffic networks. In: Decision and Control (CDC), 2015 IEEE 54th Annual Conference on, IEEE, pp. 6165–6171, doi:10.1109/CDC.2015.7403189.
[10] Pierre-Jean Meyer, Antoine Girard & Emmanuel Witrant (2017): Compositional abstraction and safety synthesis using overlapping symbolic models. IEEE Transactions on Automatic Control, doi:10.1109/TAC.2017.2753039.
[11] Pierluigi Nuzzo, Alberto L. Sangiovanni-Vincentelli, Davide Bresolin, Luca Geretti & Tiziano Villa (2015): A platform-based design methodology with contracts and related tools for the design of cyber-physical systems. Proceedings of the IEEE.
[12] Feedback refinement relations for the synthesis of symbolic controllers. IEEE Transactions on Automatic Control.
[13] Matthias Rungger & Majid Zamani (2016): Compositional Construction of Approximate Abstractions of Interconnected Control Systems. IEEE Transactions on Control of Network Systems, doi:10.1109/TCNS.2016.2583063.
[14] Matthias Rungger & Majid Zamani (2016): SCOTS: A tool for the synthesis of symbolic controllers. In: Proceedings of the 19th International Conference on Hybrid Systems: Computation and Control, ACM, pp. 99–104, doi:10.1145/2883817.2883834.
[15] Sadra Sadraddini, János Rudan & Calin Belta (2017): Formal synthesis of distributed optimal traffic control policies. In: Proceedings of the 8th International Conference on Cyber-Physical Systems, ACM, pp. 15–24, doi:10.1145/3055004.3055011.
[16] Paulo Tabuada (2009): Verification and control of hybrid systems: a symbolic approach. Springer Science & Business Media, doi:10.1007/978-1-4419-0224-5.
[17] Alfred Tarski (1955):