Safe Schedulability of Bounded-Rate Multi-Mode Systems
Rajeev Alur, Vojtech Forejt, Salar Moarref, Ashutosh Trivedi
Rajeev Alur, University of Pennsylvania, Philadelphia, USA
Vojtěch Forejt, Dept. of Computer Science, University of Oxford, UK
Salar Moarref, University of Pennsylvania, Philadelphia, USA
Ashutosh Trivedi, Indian Institute of Technology, Bombay
ABSTRACT
Bounded-rate multi-mode systems (BMS) are hybrid systems that can switch freely among a finite set of modes, and whose dynamics is specified by a finite number of real-valued variables with mode-dependent rates that can vary within given bounded sets. The schedulability problem for BMS is defined as an infinite-round game between two players—the scheduler and the environment—where in each round the scheduler proposes a time and a mode while the environment chooses an allowable rate for that mode, and the state of the system changes linearly in the direction of the rate vector. The goal of the scheduler is to keep the state of the system within a pre-specified safe set using a non-Zeno schedule, while the goal of the environment is the opposite. Green scheduling under uncertainty is a paradigmatic example of BMS where a winning strategy of the scheduler corresponds to a robust energy-optimal policy. We present an algorithm to decide whether the scheduler has a winning strategy from an arbitrary starting state, and give an algorithm to compute such a winning strategy, if it exists. We show that the schedulability problem for BMS is co-NP complete in general, but for two variables it is in PTIME. We also study the discrete schedulability problem where the environment has only finitely many choices of rate vectors in each mode and the scheduler can make decisions only at multiples of a given clock period, and show it to be EXPTIME-complete.
Categories and Subject Descriptors
I.2.8 [Problem Solving, Control Methods, and Search]: Scheduling; B.5.2 [Design Aids]: Verification, Optimization; D.4.7 [Organization and Design]: Real-time systems and embedded systems
General Terms
Theory, Verification
Keywords
Multi-Mode Systems, Hybrid Automata, Game Theory, Green Scheduling, Cyber-Physical Systems
1. INTRODUCTION
There is a growing trend towards multi-mode compositional design frameworks [8, 13, 9] for the synthesis of cyber-physical systems where the desired system is built by composing various modes, subsystems, or motion primitives—with well-understood performance characteristics—so as to satisfy certain higher level control objectives. A notable example of such an approach is green scheduling proposed by Nghiem et al. [11, 12] where the goal is to compose different modes of heating, ventilation, and air-conditioning (HVAC) installations in a building so as to keep the temperature surrounding each installation in a given comfort zone while keeping the peak energy consumption under a given budget. Under the assumption that the state of the system grows linearly in each mode, Nghiem et al. gave a polynomial algorithm to decide the green schedulability problem. Alur, Trivedi, and Wojtczak [1] studied general constant-rate multi-mode systems and showed, among others, that the result of Nghiem et al. holds for arbitrary multi-mode systems with constant rate dynamics as long as the scheduler can switch freely among the finite set of modes.
In this paper we present bounded-rate multi-mode systems that generalize constant-rate multi-mode systems by allowing non-constant mode-dependent rates that are given as bounded polytopes. Our motivations to study bounded-rate multi-mode schedulability are twofold. First, it allows one to model a conservative approximation of the green schedulability problem in the presence of more complex inter-mode dynamics. The second motivation is theoretical and stems from the desire to characterize decidable problems in the context of design and analysis of cyber-physical systems. In particular, we view a bounded-rate multi-mode system as a two-player extension of a constant-rate multi-mode system, and show the decidability of the schedulability game for such systems.
Before discussing bounded-rate multi-mode systems (BMS) in any further detail, let us review the definition, relevant results, and limitations of constant-rate multi-mode systems (CMS). A CMS is specified as a finite set of variables whose dynamics in a finite set of modes is given as a mode-dependent constant rate vector. The schedulability problem for a CMS and a bounded convex safety set of states is to decide whether there exists an infinite sequence (schedule) of modes and time durations such that choosing modes for corresponding time durations in that sequence keeps the system within the safety set forever. Moreover such a schedule is also required to be physically implementable, i.e. the sum of time durations must diverge (the standard non-Zeno requirement [6]). Alur et al. [1] showed that, for the starting states in the interior of the safety set, the necessary and sufficient condition for safe schedulability is the existence of an assignment of dwell times to modes such that the sum of rate vectors of various modes scaled by corresponding dwell time is zero. Intuitively, if it is possible using the modes to loop back to the starting state, i.e. to go to some state other than the starting state and then to return to the starting state, then the same schedule can be scaled appropriately and repeated forever to form a periodic schedule that keeps the system inside the interior of any convex safety set while ensuring time divergence. On the other hand, if no such assignment exists then Farkas' lemma implies the existence of a vector such that choosing any mode the system makes a positive progress in the direction of that vector, and hence for any non-Zeno schedule the system will leave any bounded safety set in a finite amount of time. Also, due to constant-rate dynamics such a condition can be modeled as a linear program feasibility problem, yielding a polynomial-time algorithm.
[Figure 1: Multi-mode systems with uncertain rates]
Example Consider the 2-dimensional CMS shown in Figure 1 (left) with two modes m and m with rates of the variables as ~r = (0 , in mode m and ~r = (0 , − in mode m . It is easy to see that the system is schedulable for any starting state ( x , y ) in the interior of any bounded convex set S as ~r + ~r = (0 , . The safe schedule consists of the periodic schedule ( m , t ) , ( m , t ) for a carefully selected t ∈ R > such that ( x , y ) + ~r t stays inside S .
However, the schedules constructed in this manner are not robust as an arbitrarily small change in the rate can make the schedule unsafe as shown in the following example.
Example Consider a multi-mode system where some environment related fluctuations [6] cause the rate vectors in modes m and m to differ from those in Example 1 by an arbitrarily small ε > as shown in Figure 1 (middle). Here, m can have rate-vectors from {(0+δ, 1) : −ε ≤ δ ≤ ε}, while rate-vectors of m are from {(0+δ, −1) : −ε ≤ δ ≤ ε}. First we show that the periodic schedule ( m , t ) , ( m , t ) proposed in Example 1 is not safe for any t . Consider the case when the rate vector in modes m and m are fixed to ( ε, and ( ε, − . Starting from the state ( x , y ) and following the periodic schedule ( m , t ) , ( m , t ) for k steps the state of the system will be ( x + ktε, y ) after k steps. Hence it is easy to see that for any bounded safety set the state of the system will leave the safety set after finitely many steps. In fact, for this choice of rate vectors no non-Zeno safe schedule exists at all, since by choosing any mode for a positive time the system makes a positive progress along the X axis.
We formalize modeling of such multi-mode systems under uncertainty as bounded-rate multi-mode systems (BMS). BMSs can also approximate [3] the effect of more complex non-linear, and even time-varying, mode dynamics over a bounded safety set. Formally, a BMS is specified as a finite set of variables whose dynamics in a finite set of modes is given as mode-dependent bounded convex polytopes of rate vectors. We present the schedulability problem on BMS as an infinite-round zero-sum game between two players, the scheduler and the environment; at each round scheduler chooses a mode and a time duration, the environment chooses a rate vector from the allowable set of rates for that mode, and the state of the system is evolved accordingly. The recipe for selecting their choices, or moves, is formalized in the form of a strategy that is a function of the history of the game so far to a move of the player. A strategy is called positional if it is a function only of the current state. We say that the scheduler wins the schedulability game, or has a winning strategy, from a given starting state if there is a scheduler strategy such that irrespective of the strategies of the environment the state of the system stays within the safety set and time does not converge to any real number. Similarly, we say that the environment has a winning strategy if she has a strategy such that for any strategy of the scheduler the system leaves the safety set in a finite amount of time, or the time converges to some real number. One of the central results of this paper is that the schedulability games on BMS are determined, i.e. for each starting state exactly one of the players has a winning strategy. Note that the determinacy of these games could be proved using more general results on determinacy, e.g. [10], however our proof is direct and shows the existence of positional winning strategies.
We distinguish between two kinds of strategies of scheduler: the static strategies, where scheduler can not observe the decisions of the environment, and the dynamic strategies, where scheduler can observe the decisions of the environment so far before choosing a mode and a time. Static strategies correspond precisely to schedules, and we often use these two terms interchangeably. A key challenge in the schedulability analysis of BMS is that static strategies are not sufficient as is clear from the following example.
Example Consider the BMS of Figure 1 (right) where the rates in mode m and m lie in { (0 , δ ) : 0 ≤ δ ≤ ε } and { (0 , − (1 + δ )) : 0 ≤ δ ≤ ε } , respectively. We hint that there is no static winning strategy of scheduler in this BMS (the formal conditions on where the static winning strategy exists will be analyzed later in the paper). Let us assume, for example, that σ = ( m , t ) , ( m , t ) , . . . is a static non-Zeno winning strategy of the scheduler. Moreover consider two strategies π and π′ of the environment that differ only in mode m where they propose rates (1 , and (1+ ε, respectively. Let ϱ and ϱ′ be the sequences of system states and player's choices—what we subsequently refer to as runs—as the game progresses from a starting state ( x , y ) where the environment uses strategy π and π′, respectively, against scheduler's strategy σ. Let T ( i ) and T ( i ) be the time spent in mode m and m , resp., till the i-th round in runs ϱ and ϱ′, while T and T be total time spent in mode m and m , resp. The state of the system in the runs ϱ and ϱ′ after i rounds will be ( x , y + T ( i ) − T ( i )) and ( x , y + T ( i ) − T ( i ) + T ( i ) ε ) . Hence the distance T ( i ) ε between states reached after i rounds in runs ϱ and ϱ′ tends to T ε as i tends to ∞. It is easy to see that if σ is a winning strategy then T = ∞ ; since if T < ∞ and T = ∞ then the system will move in the direction of rates of mode m , while if both T and T are finite then the strategy is not non-Zeno. Hence system will eventually leave any bounded safety set, contradicting our assumption on σ being a winning strategy.
The techniques used for schedulability analysis and schedule construction for CMS cannot be generalized to BMS since in a BMS, the scheduler may not have a strategy to loop back to the starting state. In fact, in general scheduler does not have a strategy to revisit any state as is clear from Figure 1 (right)—here the environment can always choose a rate vector in both mode m and m to avoid any previously visited state. However, from our results on BMS it follows that if the scheduler has a winning strategy then he has a strategy to restrict the future states of the system to a ball of arbitrary diameter centered around the starting state.
In order to solve schedulability game for BMS we exploit the following observation: the scheduler has a winning strategy, from all the starting states in the interior of the safety set $S$, if and only if there is a polytope $P \subseteq S$, such that for every vertex $v$ of $P$ there is a mode $m(v)$ and time $t(v)$ such that choosing mode $m(v)$ for time $t(v)$ from the vertex $v$, the line $v + \vec{r}\,t(v)$ stays within polytope $P$ for all allowable rates $\vec{r}$ of $m(v)$. In other words, for any vertex of $P$ there is a mode and a time duration such that if the system evolves with any rate vector of that mode for such amount of time, the system stays in $P$. For a BMS $H$ we call such a polytope $H$-closed. The $H$-closed polytope is similar to controlled invariant set in control theory literature (see [2] for a comprehensive review). We show how such a polytope can be constructed for a BMS based on its characteristics. We also analyze the complexity of such a construction. The existence of an $H$-closed polytope immediately provides a non-Zeno safe dynamic strategy for the scheduler for any starting state in $P$: find the convex coefficient $(\lambda_1, \lambda_2, \ldots, \lambda_k)$ of the current state $x$ with respect to the finite set of vertices $(x_1, x_2, \ldots, x_k)$ of $P$ and choose the mode $m(x_i)$ for time $t(x_i)\lambda_i$ that maximizes $t(x_i)\lambda_i$. Then, for some choice $\vec{r}$ of the environment for $m(x_i)$ the system will progress to $x' = x + t(x_i)\lambda_i\vec{r}$. One can repeat this dynamic strategy from the next state $x'$ as the current state. We prove that such strategy is both non-Zeno and safe.
An extreme-rate CMS of a BMS $H$ is obtained by preserving the set of modes, and for each mode assigning a rate which is a vertex of the available rate-set of that mode. The main result of the paper is that an $H$-closed polytope exists for a BMS $H$ iff all extreme-rate CMSs of $H$ are schedulable. The "only if" direction of the above characterization is immediate as if some extreme-rate CMS is not schedulable then the environment can fix those rate vectors and win the schedulability game in the BMS. We show the "if" direction by explicitly constructing the $H$-closed polytope.
Example Consider the BMS H from Figure 1 (right) with ε = 0 . . The safety set is given as a shaded area in Figure 2 (left) and x̄ = ( − , − . is the initial state. Observe that all extreme-rate combinations are schedulable and hence we show a winning strategy. An H-closed polytope for this BMS is the line-segment between the points (0 , . and (0 , − . (we explain the construction of such polytope in Section 3). After translating this line-segment to x and scaling it to fit inside the safety set, we will get the line-segment connecting x̄ = ( − , to x̄ = ( − , − , as shown in Figure 2 (left). At vertices x̄ and x̄ modes m and m , respectively, can be used for time unit. A winning strategy of scheduler is to keep the system's state along the line segment. Our strategy observes the current state x and finds the mode to choose by computing convex coefficient λ ∈ [0 , s.t. x = λx +(1 − λ ) x . For instance, at state x̄ = x̄ + x̄ the scheduler can choose any of the modes for time units. Assume that it chooses m . Based on environment's choice the state of system after time units will be in the set {− , . δ : 0 ≤ δ ≤ . } . The scheduler observes this new state after time-unit, and chooses mode and time accordingly. For example, if the environment chooses (0 , . and so the next state is x̄ = ( − , . 75) = x̄ + x̄ , scheduler can choose mode m for time units. In Figure 2 (right) we show first two rounds of the game. Since, for any point on our line segment scheduler can choose a mode for at least . time unit and stay on the line segment, such strategy is both safe and non-Zeno.
[Figure 2: H-closed polytope and dynamic strategy]
We also extend the above result to decide the winner starting from arbitrary states, i.e. including those states that lie on the boundary of the safety set. Here we show that the existence of a safe scheduler implies the existence of a safe scheduler which only allows to move from lower-dimensional faces to higher-dimensional ones and not the other way around; this allows us to use an algorithm which traverses the face lattice of the safety set and analyses each face one by one. We also prove co-NP completeness of the schedulability problem, showing the hardness by giving a reduction from 3-SAT to the non-schedulability problem. On a positive note, we show that if the number of variables is two, then the schedulability game can be decided in polynomial time. This is because in such a case we can prove that there are only polynomially many candidates for falsifiers we need to consider, and hence we can check each of them one by one. Finally, we study a discrete version of schedulability games where scheduler can choose time delays only at multiples of a given clock period, while the environment can choose rate vectors from a finite set. We show that discrete schedulability games on BMS are EXPTIME-complete, and that the maximal clock period for which scheduler has a winning strategy can be computed in exponential time. If the system is a CMS, we get a PSPACE algorithm, improving the result of [1] where only an approximation of the maximal clock period for CMS was studied.
We refer to [12, 11] and [1] for a review of related work on CMS and green scheduling. Heymann et al. [6] considered scheduling problem on BMS where rate-vectors are given as upper and lower rate matrices and the safety set as the entire non-negative orthant. They showed that the scheduler wins if he wins in the CMS of the lower rate matrix, and wins only if he wins in the CMS of the upper rate matrix. We study more general BMS and safety sets, and characterize necessary and sufficient condition for schedulability. To complete the picture, we remark that games on hybrid automata [5, 4], that corresponds to BMS with local invariants and guards, have undecidable schedulability problem.
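The dynamic strategy built from an H-closed polytope, next to the drift that defeats a static schedule (the argument of the Figure 1 (right) example), as an added example that is not code from the paper. The margin ε = 1/2, the segment [−3/4, 3/4], the unit dwell time at both vertices, the static period 1/4 and the three environment policies are constructed values; only the y-coordinate is modelled because both modes are assumed to have zero rate in x.

```python
from fractions import Fraction as F

EPS = F(1, 2)                          # constructed uncertainty margin
BOT, TOP = F(-3, 4), F(3, 4)           # vertices of the closed segment, length 1 + EPS
DWELL = F(1)                           # t(v) = 1 at both vertices (assumption)
RATES = {"up": (F(1), 1 + EPS),        # mode assigned to BOT: dy/dt in [1, 1 + EPS]
         "down": (-(1 + EPS), F(-1))}  # mode assigned to TOP: dy/dt in [-(1 + EPS), -1]


def dynamic(y, _rnd):
    """Positional strategy: scale each vertex's move by its convex coefficient
    and play the vertex whose scaled dwell time is largest."""
    lam_top = (y - BOT) / (TOP - BOT)  # y = lam_top * TOP + lam_bot * BOT
    lam_bot = 1 - lam_top
    if lam_top >= lam_bot:
        return "down", DWELL * lam_top
    return "up", DWELL * lam_bot


def static(_y, rnd):
    """Periodic schedule (up, 1/4), (down, 1/4) that never looks at the state."""
    return ("up" if rnd % 2 == 0 else "down"), F(1, 4)


def drift(mode, _rnd):
    """Environment: largest allowed rate value (fast up, slow down)."""
    return RATES[mode][1]


def sink(mode, _rnd):
    """Environment: smallest allowed rate value (slow up, fast down)."""
    return RATES[mode][0]


def alternate(mode, rnd):
    """Environment: switch between the two extreme rates every round."""
    return RATES[mode][rnd % 2]


def play(strategy, env, y0, rounds):
    """Run the game; return the visited states and the total elapsed time."""
    y, elapsed, states = y0, F(0), [y0]
    for rnd in range(rounds):
        mode, t = strategy(y, rnd)
        rate = env(mode, rnd)
        lo, hi = RATES[mode]
        if not (t > 0 and lo <= rate <= hi):
            raise ValueError("illegal move")
        y += t * rate                  # linear evolution x' = x + t * r
        elapsed += t
        states.append(y)
    return states, elapsed


def first_exit(states):
    """Index of the first state outside the segment, or None if all are safe.
    Checking round endpoints is enough because the safety set is convex."""
    return next((i for i, y in enumerate(states) if not BOT <= y <= TOP), None)


if __name__ == "__main__":
    for env in (drift, sink, alternate):
        states, elapsed = play(dynamic, env, F(0), 200)
        print(env.__name__, "dynamic exit:", first_exit(states), "time:", float(elapsed))
    states, _ = play(static, drift, F(0), 200)
    print("static schedule leaves the segment at round", first_exit(states))
```

Every dynamic move lasts at least half a time unit because the larger of the two convex coefficients is at least 1/2, which is what keeps the schedule non-Zeno.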
2. PROBLEM DEFINITION
Points and Vectors. Let $\mathbb{R}$ be the set of real numbers. We represent the states in our system as points in $\mathbb{R}^n$ that is equipped with the standard Euclidean norm $\|\cdot\|$. We denote points in this state space by $x, y$, vectors by $\vec{r}, \vec{v}$, and the $i$-th coordinate of point $x$ and vector $\vec{r}$ by $x(i)$ and $\vec{r}(i)$, respectively. We write ~ $\|x, y\|$ between points $x$ and $y$ is defined as $\|x - y\|$. For two vectors ~v , ~v ∈ R n , we write ~v · ~v to denote their dot product defined as P ni =1 ~v ( i ) · ~v ( i ).
Boundedness and Interior. We denote a closed ball of radius $d \in \mathbb{R}_{\geq 0}$ centered at $x$ as $B_d(x) = \{y \in \mathbb{R}^n : \|x, y\| \leq d\}$. We say that a set $S \subseteq \mathbb{R}^n$ is bounded if there exists $d \in \mathbb{R}_{\geq 0}$ such that for all $x, y \in S$ we have $\|x, y\| \leq d$. The interior of a set $S$, int($S$), is the set of all points $x \in S$ for which there exists d > B d ( x ) ⊆ S .
Convexity. A point $x$ is a convex combination of a finite set of points $X = \{x_1, x_2, \ldots, x_k\}$ if there are $\lambda_1, \lambda_2, \ldots, \lambda_k \in [0, 1]$ such that $\sum_{i=1}^{k} \lambda_i = 1$ and $x = \sum_{i=1}^{k} \lambda_i \cdot x_i$. The convex hull of $X$ is then the set of all points that are convex combinations of points in $X$. We say that $S \subseteq \mathbb{R}^n$ is convex iff for all $x, y \in S$ and all $\lambda \in [0, 1]$ we have $\lambda x + (1 - \lambda) y \in S$ and moreover, $S$ is a convex polytope if it is bounded and there exists $k \in \mathbb{N}$, a matrix $A$ of size $k \times n$ and a vector $\vec{b} \in \mathbb{R}^k$ such that $x \in S$ iff $Ax \leq \vec{b}$. We write rows($M$) for the number of rows in a matrix $M$, here rows($A$) = $k$.
A point $x$ is a vertex of a convex polytope $P$ if it is not a convex combination of two distinct (other than $x$) points in $P$. For a convex polytope $P$ we write vert($P$) for the finite set of points that correspond to the vertices of $P$. Each point in $P$ can be written as a convex combination of the points in vert($P$), or in other words, $P$ is the convex hull of vert($P$). From standard properties of polytopes, it follows that for every convex polytope $P$ and every vertex $c$ of $P$, there exists a vector $\vec{v}$ such that $\vec{v} \cdot c = d$ and $\vec{v} \cdot x > d$ for all $x \in P \setminus \{c\}$ for some $d$. We call such a vector $\vec{v}$ a supporting hyperplane of the polytope $P$ at $c$.
A multi-mode system is a hybrid system equipped with finitely many modes and finitely many real-valued variables. A configuration is described by values of the variables, which change, as the time elapses, at the rates determined by the modes being used. The choice of rates is nondeterministic, which introduces a notion of adversarial behavior. Formally,
Definition 1 (Multi-Mode Systems). A multi-mode system is a tuple $H = (M, n, R)$ where: $M$ is the finite nonempty set of modes, $n$ is the number of continuous variables, and R : M → R n is the rate-set function that, for each mode $m \in M$, gives a set of vectors.
We often write $\vec{r} \in m$ for $\vec{r} \in R(m)$ when $R$ is clear from the context. A finite run of a multi-mode system $H$ is a finite sequence of states, timed moves and rate vector choices $\varrho = \langle x_0, (m_1, t_1), \vec{r}_1, x_1, \ldots, (m_k, t_k), \vec{r}_k, x_k \rangle$ s.t. for all $1 \leq i \leq k$ we have $\vec{r}_i \in R(m_i)$ and $x_i = x_{i-1} + t_i \cdot \vec{r}_i$. For such a run $\varrho$ we say that $x_0$ is the starting state, while $x_k$ is its last state. An infinite run is defined in a similar manner. We write Runs and FRuns for the set of infinite and finite runs of $H$, while Runs($x$) and FRuns($x$) for the set of infinite and finite runs starting from $x$.
An infinite run $\langle x_0, (m_1, t_1), \vec{r}_1, x_1, (m_2, t_2), \vec{r}_2, \ldots \rangle$ is Zeno if $\sum_{i=1}^{\infty} t_i < \infty$. Given a set $S \subseteq \mathbb{R}^n$ of safe states, we say that a run $\langle x_0, (m_1, t_1), \vec{r}_1, x_1, (m_2, t_2), \vec{r}_2, \ldots \rangle$ is $S$-safe if for all i ≥ $x_i \in S$ and $x_i + t \cdot \vec{r}_{i+1} \in S$ for all $t \in [0, t_{i+1}]$, assuming t = 0. Notice that if $S$ is a convex set and $x_i \in S$ for all $i \geq 0$, then for all i ≥ $t \in [0, t_{i+1}]$ we have that $x_i + t \cdot \vec{r}_{i+1} \in S$. The concept of $S$-safety for finite runs is defined in a similar manner. Sometimes we simply call a run safe when the safety set and the starting state is clear from the context.
We formally give the semantics of a multi-mode system $H$ as a turn-based two-player game between the players, scheduler and environment, who choose their moves to construct a run of the system. The system starts in a given starting state x ∈ R n and at each turn scheduler chooses a timed move, a pair $(m, t) \in M \times \mathbb{R}_{>0}$ consisting of a mode and a time duration, and the environment chooses a rate vector $\vec{r} \in R(m)$ and as a result the system changes its state from x to the state x = x + t · ~r in $t$ time units following the linear trajectory according to the rate vector $\vec{r}$. From the next state x the scheduler again chooses a timed move and the environment an allowable rate vector, and the game continues forever in this fashion. The focus of this paper is on safe-schedulability game, where the goal of the scheduler is to keep the states of the system within a given safety set $S$, while ensuring that the time diverges (non-Zenoness requirement). The goal of the environment is the opposite, i.e. to visit a state out of the safety set or make the time converge to some finite number.
Given a bounded and convex safety set $S$, we define (safe) schedulability objective $W^S_{\mathrm{Safe}}$ as the set of $S$-safe and non-Zeno runs of $H$. In a schedulability game the winning objective of the scheduler is to make sure that the constructed run of a system belongs to $W^S_{\mathrm{Safe}}$, while the goal of the environment is the opposite. The choice selection mechanism of the players is typically defined as strategies. A strategy $\sigma$ of scheduler is a function $\sigma : \mathrm{FRuns} \to M \times \mathbb{R}_{\geq 0}$ that gives a timed move for every history of the game.
A strategy $\pi$ of the environment is a function $\pi : \mathrm{FRuns} \times (M \times \mathbb{R}_{\geq 0}) \to \mathbb{R}^n$ that chooses an allowable rate for a given history of the game and choice of the scheduler. We say that a strategy is positional if it suggests the same action for all runs with common last state. We write $\Sigma$ and $\Pi$ for the set of strategies of the scheduler and the environment, respectively.
Given a starting state $x_0$ and a strategy pair $(\sigma, \pi) \in \Sigma \times \Pi$ we define the unique run $\mathrm{Run}(x_0, \sigma, \pi)$ starting from $x_0$ as $\mathrm{Run}(x_0, \sigma, \pi) = \langle x_0, (m_1, t_1), \vec{r}_1, x_1, (m_2, t_2), \vec{r}_2, \ldots \rangle$ where for all $i \geq 1$, $(m_i, t_i) = \sigma(\langle x_0, (m_1, t_1), \vec{r}_1, x_1, \ldots, x_{i-1} \rangle)$ and $\vec{r}_i = \pi(\langle x_0, (m_1, t_1), \vec{r}_1, x_1, \ldots, x_{i-1}, m_i, t_i \rangle)$ and $x_i = x_{i-1} + t_i \cdot \vec{r}_i$. The scheduler wins the game if there is $\sigma \in \Sigma$ such that for all $\pi \in \Pi$ we get $\mathrm{Run}(x_0, \sigma, \pi) \in W^S_{\mathrm{Safe}}$. Such a strategy $\sigma$ is winning. Similarly, the environment wins the game if there is $\pi \in \Pi$ such that for all $\sigma \in \Sigma$ we have $\mathrm{Run}(x_0, \sigma, \pi) \notin W^S_{\mathrm{Safe}}$. Again, $\pi$ is called winning in this case. If a winning strategy for scheduler exists, we say that $H$ is schedulable for $S$ and $x_0$ (or simply schedulable if $S$ and $x_0$ are clear from the context). The following is the main algorithmic problem studied in this paper.
Definition 2 (Schedulability). Given a multi-mode system $H$, a safety set $S$, and a starting state $x_0 \in S$, the (safe) schedulability problem is to decide whether there exists a winning strategy of the scheduler.
To algorithmically decide schedulability problem, we need to restrict the range of $R$ and the domain of safety set $S$ in a schedulability game on a multi-mode system. The most general model that we consider is the bounded-rate multi-mode systems (BMS) that are multi-mode systems $(M, n, R)$ such that $R(m)$ is a convex polytope for every $m \in M$. We also assume that the safety set $S$ is specified as a convex polytope. In our proofs we often refer to another variant of multi-mode systems in which there are only a fixed number of different rates in each mode (i.e. $R(m)$ is finite for all $m \in M$). We call such a multi-mode system multi-rate multi-mode systems (MMS). Finally, a special form of MMS are constant-rate multi-mode systems (CMS) [1] in which $R(m)$ is a singleton for all $m \in M$. We sometimes use $R(m)$ to refer to the unique element of the set $R(m)$ in a CMS. The concepts for the schedulability games for BMS and MMS are already defined for multi-mode systems. Similar concepts also hold for CMS but note that the environment has no real choice in this case. For this reason, we can refer to a schedulability game on CMS as a one-player game.
The prime [1] practical motivation for studying CMS was to generalize results on green scheduling problem by Nghiem et al. [12]. We argue that BMS are a suitable abstraction to study green scheduling problem when various rates of temperature change are either uncertain or follow a complex and time-varying dynamics, as shown in the following example.
Example 5 (Green Scheduling). Consider a building with two rooms A and B. HVAC units in each zone can be in one of the two modes (OFF) and (ON). We write the mode of the combined system as m i,j to represent the fact that rooms A and B are in mode i ∈ { , } and j ∈ { , } , respectively. The rate of temperature change and the energy usage for each room is given below.
Zones                            ON     OFF
A (temp. change rate / usage)    -2/2   2/1
B (temp. change / usage)         -2/2   2/1
Following [1] we assume that the energy cost is equal to energy usage if peak energy usage at any given point in time is less than or equal to units, otherwise energy cost is times of that standard rate. It follows that to minimize energy cost the peak usage, if possible, must not be higher than units at any given time. We can model the system as a CMS with modes m , , m , , and m , , because these are the only ones that have peak usage at most . The variables of the CMS are the temperature of the rooms, while the safety set is the constraint that temperature of both zones should be between o F to o F . The existence of a winning strategy in CMS implies the existence of a switching schedule with energy peak demand less than or equal to units. In Figure 3.(a) we show a graphical representation of such CMS with three modes m , , m , and m , and two variables (corresponding to the two axes). The rate of the variables in mode m , is (2 , , in mode m , is (2 , − , and in mode m , is ( − , .
Now assume that the rate of temperature change in a mode is not constant and can vary within a given margin ε > . Schedulability problem for such system can best be modeled as a BMS as shown in Figure 3.(b) where the polytope of possible rate vectors is shown as a shaded region. In Figure 3.(c) we show a MMS where variables can only change with the extreme rates of the BMS in Figure 3.(b).
[Figure 3: Restricted Multi-mode Systems. Panels: (a) Constant-Rate, (b) Bounded-Rate, (c) Multi-Rate]
We say that a CMS H = ( M, n, R ) is an instance of a multi-mode system H = ( M, n, R ) if for every m ∈ M we have that R ( m ) ∈ R ( m ). For example, the CMS shown in Figure 3.(a) is an instance of BMS in Figure 3.(b). We denote the set of instances of a multi-mode system H by ⟦H⟧. Notice that for a BMS H the set ⟦H⟧ of its instances is uncountably infinite, while for a MMS H the set ⟦H⟧ is finite whose size is exponential in the size of H. We say that a MMS (M, n, R′) is the extreme-rate MMS of a BMS (M, n, R) if R′(m) = vert(R(m)). The MMS in Figure 3.(c) is the extreme-rate MMS for the BMS in Figure 3.(b). We write Ext(H) for the extreme-rate MMS of the BMS H.
Notice that for every starting state and winning objective at most one player can have a winning strategy. We say that a game is not determined if no player has a winning strategy for some starting state. In the next section we give an algorithm to decide the winner in a schedulability game for an arbitrary starting state. Since for every starting state we can decide the winner, it gives a direct proof of determinacy of schedulability games on BMS. Moreover, it follows from our results that whenever a player has a winning strategy, he has a positional such strategy. These two results together yield the first key results of this paper.
Theorem 1 (Determinacy). Schedulability games on BMS with convex safety polytopes are positionally determined.
In Section 4 we analyze the complexity of deciding the winner in a schedulability game. Using a reduction from SAT problem to non-schedulability for a MMS, we prove the following main contribution of the paper.
Theorem Schedulability problems for BMS and MMS are co-NP complete.
On a positive note, we also show that schedulability games can be solved in polynomial time for BMS and MMS with two variables.
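A direct check of the characterization stated in the introduction, for starting states in the interior of the safety set: a CMS is safe when dwell times summing to 1 cancel its rate vectors, and a BMS passes when every instance of its extreme-rate MMS is safe. This is an added example, not code from the paper; it replaces the linear program by exact enumeration over at most n+1 modes (Carathéodory's theorem), and the function names, ε = 1/10, the reading of the first Figure 1 (right) rate set as (0, 1+δ), and the three green-scheduling rate vectors taken from the table are assumptions.

```python
from fractions import Fraction
from itertools import combinations, product


def _solve_unique(cols, rhs):
    """Solve sum_j x[j] * cols[j] = rhs exactly; return x only if it is unique."""
    k, rows = len(cols), len(rhs)
    M = [[Fraction(cols[j][i]) for j in range(k)] + [Fraction(rhs[i])]
         for i in range(rows)]
    r = 0
    for c in range(k):
        piv = next((i for i in range(r, rows) if M[i][c] != 0), None)
        if piv is None:
            return None                      # dependent columns: no unique solution
        M[r], M[piv] = M[piv], M[r]
        M[r] = [v / M[r][c] for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c] != 0:
                f = M[i][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        r += 1
    if any(M[i][k] != 0 for i in range(r, rows)):
        return None                          # inconsistent system
    return [M[i][k] for i in range(k)]


def dwell_times(rates):
    """Return t >= 0 with sum(t) = 1 and sum_i t[i] * rates[i] = 0, or None."""
    n = len(rates[0])
    cols = [list(r) + [1] for r in rates]    # extra row encodes sum(t) = 1
    rhs = [0] * n + [1]
    for size in range(1, n + 2):             # Caratheodory: n + 1 modes suffice
        for idx in combinations(range(len(rates)), size):
            sol = _solve_unique([cols[i] for i in idx], rhs)
            if sol is not None and all(s >= 0 for s in sol):
                t = [Fraction(0)] * len(rates)
                for i, s in zip(idx, sol):
                    t[i] = s
                return t
    return None


def unsafe_instance(bms):
    """bms maps mode -> vertices of R(m). Return one unsafe extreme-rate CMS
    (a rate choice the environment can fix to win), or None if all are safe."""
    modes = sorted(bms)
    for choice in product(*(bms[m] for m in modes)):
        if dwell_times(list(choice)) is None:
            return dict(zip(modes, choice))
    return None


# Constructed sample systems (mode names m1, m2 are labels chosen here).
EPS = Fraction(1, 10)
EXAMPLE_1 = [(0, 1), (0, -1)]                     # the delta = 0 case of Example 2
EXAMPLE_2 = {"m1": [(-EPS, 1), (EPS, 1)],         # {(0+d, 1) : -EPS <= d <= EPS}
             "m2": [(-EPS, -1), (EPS, -1)]}       # {(0+d, -1) : -EPS <= d <= EPS}
FIG_1_RIGHT = {"m1": [(0, 1), (0, 1 + EPS)],      # assumed reading: (0, 1+d)
               "m2": [(0, -1), (0, -(1 + EPS))]}  # (0, -(1+d)), 0 <= d <= EPS
GREEN_CMS = [(2, 2), (2, -2), (-2, 2)]            # table rates, at most one unit ON

if __name__ == "__main__":
    print("Example 1 dwell times:", dwell_times(EXAMPLE_1))
    print("Example 2 unsafe instance:", unsafe_instance(EXAMPLE_2))
    print("Figure 1 (right) unsafe instance:", unsafe_instance(FIG_1_RIGHT))
    print("Green scheduling dwell times:", dwell_times(GREEN_CMS))
```

The instance loop visits every combination of rate-polytope vertices, so its running time grows exponentially with the number of modes, in line with the size of the instance set noted above.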
3. SOLVING SCHEDULABILITY GAMES
In this section we discuss the decidability of the schedulability problem for BMS. We first present a solution for the case when the starting state is in the interior of a safety set, and generalize it to arbitrary starting states in Section 3.2.
Alur et al. [1] presented a polynomial-time algorithm todecide if the scheduler has a winning strategy in a schedu-lability game on a
CMS for an arbitrary starting state. Inarticular, for starting states in the interior of the safety set,they characterized a necessary and sufficient condition.
Theorem 3 ([1]). The scheduler has a winning strategy in a CMS $(M, n, R)$, with convex safety set $S$ and starting state $x$ in the interior of $S$, iff there is $\vec{t} \in \mathbb{R}^{|M|}_{\ge 0}$ satisfying:

$$\sum_{i=1}^{|M|} R(i)(j) \cdot \vec{t}(i) = 0 \ \text{ for } 1 \le j \le n \quad \text{and} \quad \sum_{i=1}^{|M|} \vec{t}(i) = 1. \tag{1}$$

We call a CMS safe if it satisfies (1) and we call $H$ unsafe otherwise. The intuition behind Theorem 3 is that the scheduler has a winning strategy if and only if it is possible to return to the starting state in strictly positive time units. From the results of [1] it also follows that whenever a winning strategy exists, there is a strategy which does not look at a history or even the current state, but only uses a bounded counter of size ℓ ≤ | M | − k makes a decision only based on the number k modulo ℓ . Such strategies are called periodic.

It is natural to ask whether the approach of [1] can be generalized to BMS. Unfortunately, Example 3 shows that in a BMS, although a winning strategy may exist, it may not be possible to return to the initial state, or indeed visit any state twice. Another natural question to ask is whether a suitable generalization of periodic strategies suffices for BMS. Static strategies are the BMS analog of periodic strategies that behave in the same manner irrespective of the choices of the environment, i.e. for a static strategy $\sigma$ we have that $\sigma(\rho) = \sigma(\rho')$ for all runs $\rho = \langle x_0, (m_1, t_1), \vec{r}_1, x_1, \ldots, (m_k, t_k), \vec{r}_k, x_k \rangle$ and $\rho' = \langle x_0, (m_1, t_1), \vec{r}\,'_1, x'_1, \ldots, (m_k, t_k), \vec{r}\,'_k, x'_k \rangle$. Static strategies are often desirable in settings where the scheduler cannot observe the state of the system. However, as we show in Appendix A, except for the degenerate cases when the BMS contains a subset of modes which induce a safe CMS, the scheduler can never win a game on a BMS using static strategies. We saw an example of this phenomenon in the introductory section as Figure 1.(c).

These negative observations imply that to solve the schedulability games for BMS one needs to take a different approach. In the rest of this section, we define the notion of an $H$-closed polytope and show that if such a polytope exists, then for any convex set $S$ we can construct a winning dynamic strategy which takes its decisions only based on the last state. We also extend the notion of safety of a CMS to BMS. We say that a BMS $H$ is safe if all instances of its extreme-rate MMS $\mathrm{Ext}(H)$ are safe, i.e. all $H \in [\![\mathrm{Ext}(H)]\!]$ satisfy (1). Finally, we connect (Lemmas 5 and 6) the existence of an $H$-closed polytope with the safety of the BMS.

Dynamic Scheduling Algorithm.
For a BMS $H$ we call a convex polytope $P$ $H$-closed if for every vertex of $P$ there exists a mode $m$ such that all the rate vectors of $m$ keep the system in $P$, i.e. for all $c \in \mathrm{vert}(P)$ there exists $m \in M$ and $\tau \in \mathbb{R}_{>0}$ such that for all $\vec{r} \in R(m)$ we have that $c + \vec{r} \cdot t \in P$ for all $t \in [0, \tau]$. An example of an $H$-closed polytope is given in Example 4.

Assume that for any $\gamma > 0$ and $x$ we are able to compute an $H$-closed polytope which is fully contained in $B_\gamma(x)$ and contains $x$. If this is the case, we can use Algorithm 1 to compute a dynamic scheduling strategy. The idea of the algorithm is to build an $H$-closed polytope which contains the initial state and is fully contained within $S$, and then construct the strategy based on the modes safe at the vertices of the polytope. The correctness of the algorithm is established by the following proposition.

Algorithm 1: Dynamic scheduling algorithm
Input: BMMS $H$, starting state $x$
Output: non-terminating scheduling algorithm
 1  $\gamma$ := the shortest distance of $x$ from borders of $S$;
 2  $P$ := $H$-closed polytope s.t. $P \subseteq B_\gamma(x)$ and $x \in P$;
 3  foreach $c \in \mathrm{vert}(P)$ do
 4      foreach mode $m \in M$ do
 5          foreach extreme rate vector $\vec{r} \in m$ do
 6              $t_{\vec{r}} = \max\{t : c + \vec{r} \cdot t \in P\}$;
 7          $\delta_m = \min_{\vec{r} \in m} t_{\vec{r}}$;
 8      $m^* = \arg\max_{m \in M} \delta_m$; $\Delta_c = \delta_{m^*}$; $m_c = m^*$;
 9  while true do
10      Store current state as $x$;
11      Find $(\lambda_c \ge 0)_{c \in \mathrm{vert}(P)}$ where $x = \sum_{c \in \mathrm{vert}(P)} \lambda_c \cdot c$;
12      Find $c^* = \arg\max_{c \in \mathrm{vert}(P)} \lambda_c \cdot \Delta_c$;
13      Schedule mode $m_{c^*}$ for $\lambda_{c^*} \cdot \Delta_{c^*}$;

Proposition. If there exists an $H$-closed polytope and it can be effectively computed then Algorithm 1 implements a winning dynamic strategy for the scheduler.

Proof.
Assume that there exists an $H$-closed polytope and we have an algorithm to compute it. Observe that the strategy is non-Zeno, because $\lambda_{c^*} \cdot \Delta_{c^*}$ on line 13 is bounded from below by $\frac{1}{|\mathrm{vert}(P)|} \cdot \min_{c \in \mathrm{vert}(P)} \Delta_c$ for any point of $P$, and the $\Delta_c$ are positive by their construction and the definition of the $H$-closed polytope. Next, we need to show that under the computed strategy we never leave the convex polytope $P$. For a state $x$ which is of the form $\sum_{c \in \mathrm{vert}(P)} \lambda_c \cdot c$, the successor state will be $x' = (\sum_{c \in \mathrm{vert}(P)} \lambda_c \cdot c) + \lambda_{c^*} \cdot \Delta_{c^*} \cdot \vec{r}$ where $\vec{r}$ is the rate picked by the environment. We can rewrite $x'$ as $(\sum_{c \in \mathrm{vert}(P) \setminus \{c^*\}} \lambda_c \cdot c) + \lambda_{c^*} \cdot (c^* + \vec{r} \cdot \Delta_{c^*})$. Since $c^* + \vec{r} \cdot \Delta_{c^*} \in P$, we get that $x'$ is a convex combination of points in $P$ and hence lies in $P$.

Constructing H-Closed Polytope. We will next show how to implement line 2 of Algorithm 1. We give necessary and sufficient conditions for existence of $H$-closed polytopes in the following two lemmas. The first lemma shows that an $H$-closed polytope exists if and only if for any hyperplane (given by its normal vector $\vec{v}$) there exists a mode $m$ such that all its rates stay at one side of the hyperplane.

Lemma. For a BMS $H$, a state $x$ and $\gamma > 0$, there is an $H$-closed polytope $P \subseteq B_\gamma(x)$ with $x \in P$ if and only if for every $\vec{v}$ there is a mode $m$ such that $\vec{v} \cdot \vec{r} \ge 0$ for all $\vec{r} \in m$.

Proof.
Let us fix a BMS $H = (M, n, R)$. The proof is in two parts. For $\Rightarrow$, assume that the system is schedulable but there exists a vector $\vec{v}$ such that for all modes $m \in M$ there is a rate $\vec{r}_m \in m$ where $\vec{v} \cdot \vec{r}_m < 0$. It implies that if the adversary fixes the rates $\vec{r}_m$ whenever the scheduler chooses $m$, then the system moves in the direction of vector $-\vec{v}$ (i.e. for all $d$ a state $x$ will be reached such that $\vec{v} \cdot x < d$), and hence for any bounded safety set and non-Zeno strategy the system will leave the safety set. This contradicts the existence of an $H$-closed polytope, which implies a winning scheduler strategy.

To prove the other direction, let $R = \{\vec{r}_1, \ldots, \vec{r}_N\}$ be the set of rates occurring in modes of the extreme-rate MMS of $H$, i.e. $R = \{R'(m) : (M, n, R') \in [\![\mathrm{Ext}(H)]\!], m \in M\}$. We claim the following to be the $H$-closed polytope:

$$P := \Big\{ x + D \cdot \sum_{i=1}^{N} \vec{r}_i \cdot p_i \;\Big|\; p_i \in [0, 1] \Big\}, \tag{2}$$

where $D = \gamma / \sum_{i=1}^{N} \|\vec{r}_i\|$. Notice that $P$ is a convex polytope since it is a convex hull of points $x + D \cdot \sum_{i=1}^{N} \vec{r}_i \cdot p_i$ where $p_i \in \{0, 1\}$. Also, due to our choice of $D$, $P \subseteq B_\gamma(x)$, and $x \in P$. For the sake of contradiction we assume that for every $\vec{v}$ there is a mode $m$ such that all rates $\vec{r}$ of $m$ satisfy $\vec{v} \cdot \vec{r} \ge 0$, but at least one corner $c$ of $P$ does not satisfy the defining condition of $H$-closed polytope, i.e. for all modes $i$ there is a rate vector $\vec{r}_i$ satisfying

$$c + t \cdot \vec{r}_i \notin P \ \text{ for all } t > 0. \tag{3}$$

By the supporting hyperplane theorem there is a vector $\vec{v}$ such that, for some $d$:

$$\vec{v} \cdot c = d \tag{4}$$
$$\vec{v} \cdot x > d, \ \text{ for all } x \in P \setminus \{c\} \tag{5}$$

i.e. $\vec{v}$ is supporting $P$ on $c$. Let us fix some mode $m$ such that for all rates $\vec{r}$ of $m$ we have $\vec{v} \cdot \vec{r} \ge 0$. Notice that this exists by the assumption. Let $\vec{r}_i$ be a rate of $m$ satisfying (3).

By the definition of $P$ the point $c$, a corner of $P$, is of the form $x + D \cdot \sum_{j=1}^{N} \vec{r}_j \cdot p_j$ for some $p_j \in [0, 1]$ where $1 \le j \le N$ and $\vec{r}_j \in R$. We necessarily have $p_i = 1$, because if $p_i = 1 - \delta$ for some $\delta > 0$, then $c + D \cdot \varepsilon \cdot \vec{r}_i \in P$ for any $\varepsilon \le \delta$ and that will contradict (3). Notice that for all $k \in [0, 1]$ the points $y_k = x + D \cdot \sum_{j=1}^{N} p^k_j \cdot \vec{r}_j$, where $p^k_j = p_j$ if $j \ne i$ and $p^k_j = k$ otherwise, are all in $P$. Also notice that point $y_1 = c$ and for each $k \in [0, 1]$ we have that $y_k = y_0 + D \cdot k \cdot \vec{r}_i$. In particular, $c = y_1 = y_0 + D \cdot \vec{r}_i$. It follows that $c - D \cdot \vec{r}_i = y_0 \in P$. W.l.o.g. we assume ~r i = ~ ~v · ( c − D · ~r i ) > d . By rearranging we get $\vec{v} \cdot c - D \cdot \vec{v} \cdot \vec{r}_i > d$, and because $\vec{v} \cdot c = d$, we get D · ~v · ~r i < ~v · ~r i ≥ H -closed polytope from (2) for the BMS in Figure 4.(a), while Figure 4.(d) shows that for every corner of the constructed polytope there is a mode that keeps the system inside the polytope.

Figure 4: Constructing closed convex polytope (panels (a) to (d)).

The following lemma finally gives an algorithmically checkable characterization of existence of an $H$-closed polytope.

Lemma. Let $H = (M, n, R)$ be a BMS. We have that for every $\vec{v}$ there is a mode $m$ such that $\vec{v} \cdot \vec{r} \ge 0$ for all $\vec{r} \in m$ if and only if $H$ is safe.

Proof.
In one direction, let us assume that $(M, n, R) \in [\![\mathrm{Ext}(H)]\!]$ is not safe, and let $Q = \{R(m) \mid m \in M\}$. Then ~ Q , and so by supporting hyperplane theorem applied to ~ Q there is ~v and d > ~v · R ( m ) ≥ d for all $m \in M$. Since $R(m) \in R(m)$, this direction of the proof is finished. In the other direction, let $\vec{v}$ be such that there is $\vec{r} \in R(m)$ for all $m \in M$ such that $\vec{v} \cdot \vec{r} < 0$. Then by convexity of $R(m)$ there is $\vec{r}_m \in \mathrm{vert}(R(m))$ with the same properties, and we can create a CMS $(M, n, R) \in [\![\mathrm{Ext}(H)]\!]$ by putting $R(m) = \vec{r}_m$. This CMS is not safe, because for any strategy, for a sufficiently large time bound a point $x$ will be reached such that $(-\vec{v}) \cdot x$ is arbitrarily large, and hence any convex polytope will be left eventually.

Combining Proposition 4 with Lemmas 5 and 6 we get the following main result.

Theorem. For every BMS $H$ and the starting state in the interior of a convex and bounded safety set we have that the scheduler has a winning strategy if and only if $H$ is safe.

Theorem 7 allows us to devise Algorithm 2 and at the same time gives its correctness. The reader may have noticed that Theorem 7 bears a striking resemblance to Theorem 3 for CMS, since the former boils down to checking safety of exponentially many CMS instances. Note, however, that the proof here is much more delicate. While in the case of CMS satisfiability of (1) gives immediately a periodic winning strategy, for BMS this is not the case: even when every instance in $[\![\mathrm{Ext}(H)]\!]$ is safe, we cannot immediately see which modes should be used by the winning strategy; this requires the introduction of $H$-closed polytopes.

Algorithm 2: Schedulability Problem for Interior Starting States.
Input: BMS $H$, $x \in \mathbb{R}^n$ and $\gamma > 0$
Output: $H$-closed polytope $P$ contained in $B_\gamma(x)$ s.t. $x \in P$; No if there is no $H$-closed polytope.
    foreach CMS $H = (M, n, R)$ of $[\![\mathrm{Ext}(H)]\!]$ do
        Check if there is a satisfying assignment for:
            $\sum_{m \in M} R(m) \cdot t_m = \vec{0}$
            $\sum_{m \in M} t_m = 1$                    (6)
            $t_m \ge 0$ for all $m \in M$.
        if no satisfying assignment exists then return NO
    $R := \{\vec{r}_1, \vec{r}_2, \ldots, \vec{r}_N\}$ be the set of rate vectors of $[\![\mathrm{Ext}(H)]\!]$;
    return the polytope given as convex hull of the points $x + \frac{\gamma}{\sum_{i=1}^{N} \|\vec{r}_i\|} \cdot \sum_{i=1}^{N} p_i \vec{r}_i$ where $p_i \in \{0, 1\}$;

Algorithm 3: Schedulability Problem For Arbitrary Starting State
Input: BMS $H$, a safety set $S$ given by inequalities $A\vec{x} \le \vec{b}$, and a starting state $x$.
Output: Yes, if the scheduler wins, No otherwise.
    Compute the sequence $\mathcal{I} = \langle I_1, I_2, \ldots, I_\ell \rangle$;
    Schedulable = $\emptyset$, UnSchedulable = $\emptyset$;
    foreach $I$ in $\mathcal{I}$ do
        if $I' \subseteq I$ and $I' \in$ UnSchedulable then
            UnSchedulable := UnSchedulable $\cup \{I\}$;
        if $\exists m \in M$ with only internal rates then
            Schedulable := Schedulable $\cup \{(I, \bot)\}$;
        else
            Construct $H_I$;
            if $H_I$ is safe and $P_I$ is $H_I$-closed polytope then
                Schedulable := Schedulable $\cup \{(I, P_I)\}$;
            else UnSchedulable := UnSchedulable $\cup \{I\}$;
    if $\exists I \in$ Schedulable and $x \models S|_I$ then return Yes;
    else return No;

In this section we present Algorithm 3 that analyses schedulability of arbitrary starting states in $S$. Notice that a starting state on the boundary of the safety polytope may lie on various faces (planes, edges etc.) of different dimensions. The scheduler may have a winning strategy using modes that let the system stay on some lower dimension face, or there may exist a winning strategy where the scheduler first reaches a face of higher dimension where it may have a winning strategy. Before we describe the steps of our algorithm, we need to formalize a notion of (open) faces of a convex polytope, a concept critical in Algorithm 3.

Let $Ax \le b$ be the linear constraints specifying a convex polytope $S$. We specify a face of $S$ by a set $I \subseteq \{1, \ldots, \mathrm{rows}(A)\}$. We write $x \models S|_I$, and we say that $x$ satisfies $S|_I$, if and only if $A_{1,j} x(1) + \cdots + A_{n,j} x(n) = b_j$ for all $j \in I$, and $A_{1,j} x(1) + \cdots + A_{n,j} x(n) < b_j$ for all $j \notin I$, i.e. exactly the inequalities indexed by numbers from $I$ are satisfied tightly. Note that every point of $S$ satisfies $S|_I$ for exactly one $I$. Although there are potentially uncountably many states in every face of $S$, the following lemma implies that it is sufficient to analyze only one state in every face.

Lemma. For a BMS, a convex polytope $S$, and for all faces $I$ of $S$, either none or all states satisfying $S|_I$ are schedulable. Moreover, if $I' \subseteq I$ and no point satisfying $S|_{I'}$ is schedulable, then no point satisfying $S|_I$ is schedulable.

Let $\mathcal{I} = \langle I_1, I_2, \ldots \rangle$ be the sequence of all faces such that $S|_{I_i}$ is satisfied by some state, ordered such that if $I_i \subseteq I_j$, then $i \le j$. We call a mode $m$ unusable for $I$ if there is $x \models S|_I$ and $\vec{r} \in R(m)$ such that $x + \vec{r} \cdot \delta \notin S$ for all $\delta > 0$. A rate $\vec{r}$ satisfying this condition is called external. A rate $\vec{r}$ is called internal if for any $x$ such that $x \models S|_I$ there is $\delta > 0$ and $j$ such that $I_j \subseteq I$ and $x + \vec{r} \cdot \varepsilon \models S|_{I_j}$ for all $0 < \varepsilon \le \delta$. For a BMS $H$ and face $I$ we define a BMS $H_I = (M', n, R')$ where $M'$ contains all modes of $M$ which are not unusable for $I$, and $R'(m)$ is the set of non-internal rates of $R(m)$.

Theorem. For every BMS $H$, a convex polytope safety set $S$, and a starting state $x \in S$, Algorithm 3 decides the schedulability problem for $H$. Moreover, one can construct a dynamic winning strategy using the set Schedulable.

Proof. (Sketch.) Let $\langle I_1, I_2, \ldots \rangle$ be all sets such that $S|_{I_i}$ is satisfied by some state, ordered such that if $I_i \subseteq I_j$, then $i \le j$. Algorithm 3 analyzes the sets $I_i$, determining whether the points satisfying $S|_{I_i}$ are schedulable (in which case we call $I_i$ schedulable), or not. Let us assume that $I$ is the first element of the sequence $\langle I_1, I_2, \ldots \rangle$ which has not been analyzed yet. If there is $I'$ such that $I' \subseteq I$ and $I'$ is already marked as not schedulable, then by Lemma 8 one can immediately mark $I$ as non-schedulable. If all modes are unusable, then no point $x$ satisfying $S|_I$ is schedulable. Notice that if there exists an internal rate to face $I_j$ then it must necessarily be the case that $I_j$ is schedulable. If there is a mode $m$ which only has internal rates, there is a winning strategy $\sigma$ for the scheduler which starts by picking $m$ and a sufficiently small time interval $t$. This will make sure that after one step a point is reached which is already known to be schedulable and the scheduler has a winning strategy.

If none of the previous cases match, the algorithm creates a BMS $H_I$ and applies Theorem 7 to the system $H_I$. If there is an $H_I$-closed polyhedron $P$, we know that $I$ is schedulable and give a winning scheduler's strategy $\sigma_x$ for any point $x \models S|_I$ as follows. Let $d > 0$ be such that for all $y \models I_j$ where $j > i$ we have $\|x, y\| > d$, i.e. $d$ is chosen so that all points of $S$ contained in $B_d(y)$ satisfy $S|_{I'}$ for $I' \subseteq I$ (this follows from the properties of the sequence $I_1, I_2, \ldots$ and because $S$ is a convex polytope). The strategy $\sigma_x$ works as follows. If all points in the history satisfy $S|_I$, $\sigma_x$ mimics $\sigma_{H_I, x, d}$. Otherwise, once a point $y \not\models S|_I$ is reached, the strategy $\sigma_x$ starts mimicking $\sigma_y$. Note that the strategy $\sigma_y$ is indeed defined by our choice of $d$ and the polytopes stored in the Schedulable set. Although the strategy we obtain in this way may potentially be non-positional, it is a mere technicality to turn it into a positional one.

If $H_I$ is not schedulable for any set and any point, then it is easy to see that for no point satisfying $S|_I$ there is a schedulable strategy. Indeed, for any strategy $\sigma$, as long as $\sigma$ picks the modes from $M'$, the environment can play a counter-strategy showing that $H_I$ is not schedulable. When any mode $m \in M \setminus M'$ is used by $\sigma$, we have that $m$ is unusable and so the environment can pick a rate witnessing $m$'s unusability: this will ensure reaching a point outside $S$. Hence, we can mark $I$ as unschedulable.
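The polytope of equation (2) and the $H$-closedness test from Section 3, carried out exactly in two dimensions. This is an added example, not code from the paper: the function names and the two sample systems are constructed here, the rates are assumed to be integer vectors spanning the plane, and $D$ uses the 1-norm of each rate instead of the Euclidean norm (this gives a smaller $D$, so $P \subseteq B_\gamma(x)$ still holds).

```python
from fractions import Fraction
from itertools import product


def cross(a, b):
    return a[0] * b[1] - a[1] * b[0]


def sub(a, b):
    return (a[0] - b[0], a[1] - b[1])


def convex_hull(points):
    """Andrew's monotone chain: hull vertices in counter-clockwise order."""
    pts = sorted(set(points))

    def half(seq):
        chain = []
        for p in seq:
            while len(chain) >= 2 and cross(sub(chain[-1], chain[-2]),
                                            sub(p, chain[-1])) <= 0:
                chain.pop()
            chain.append(p)
        return chain[:-1]

    return half(pts) + half(reversed(pts))


def closed_polytope(modes, x, gamma):
    """Vertices of P = { x + D * sum_i p_i r_i : p_i in [0, 1] } from (2)."""
    rates = sorted({r for rs in modes.values() for r in rs})
    # Assumption of this example: 1-norm in place of the Euclidean norm.
    d = Fraction(gamma) / sum(abs(r[0]) + abs(r[1]) for r in rates)
    corners = []
    for bits in product((0, 1), repeat=len(rates)):
        corners.append((x[0] + d * sum(b * r[0] for b, r in zip(bits, rates)),
                        x[1] + d * sum(b * r[1] for b, r in zip(bits, rates))))
    return convex_hull(corners)


def safe_mode_at(vertices, k, modes):
    """A mode all of whose extreme rates point into P at vertex k, or None.

    A rate stays in P for a short time iff it lies on the inner side of both
    edges meeting at the vertex; checking extreme rates is enough because
    that cone is convex.
    """
    c = vertices[k]
    prev_edge = sub(c, vertices[k - 1])
    next_edge = sub(vertices[(k + 1) % len(vertices)], c)
    for name, rates in modes.items():
        if all(cross(prev_edge, r) >= 0 and cross(next_edge, r) >= 0
               for r in rates):
            return name
    return None


def vertex_modes(modes, x, gamma):
    """P and, per vertex, the mode Algorithm 1 could schedule there."""
    poly = closed_polytope(modes, x, gamma)
    return poly, [safe_mode_at(poly, k, modes) for k in range(len(poly))]


# Constructed sample systems: mode name -> extreme rate vectors.
SAFE_BMS = {"m1": [(3, 1), (3, -1)],
            "m2": [(-2, 3), (-1, 3)],
            "m3": [(-2, -3), (-1, -3)]}
UNSAFE_BMS = {"m1": [(3, 1), (3, -1)],
              "m2": [(-2, 3), (2, 3)],
              "m3": [(-2, -3), (-1, -3)]}

if __name__ == "__main__":
    for label, system in (("safe", SAFE_BMS), ("unsafe", UNSAFE_BMS)):
        poly, chosen = vertex_modes(system, (0, 0), 1)
        print(label, len(poly), "vertices, modes per vertex:", chosen)
```

For the safe system every vertex gets a mode, so $P$ is $H$-closed; for the unsafe one at least one vertex has none.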
4. COMPLEXITY
In this section we analyze the complexity of the schedulability problem for BMS. We begin by showing that in general it is co-NP-complete; however, it can be solved in polynomial time if the system has only two variables.
Proposition. The schedulability problem for BMS and convex polytope safety sets is in co-NP.

Proof (Sketch). We show that when the answer to the problem of schedulability of a point $x$ is No, there is a falsifier that consists of two components:
− a set $I \subseteq \{1, \ldots, \mathrm{rows}(A)\}$ s.t. $x \models S|_{I'}$ for $I' \supseteq I$, and
− a rate combination $(\vec{r}_m)_{m \in M}$ such that there is a set of modes External $\subseteq M$ where every $\vec{r}_m$ for $m \in$ External is external for $I$; and the rates $\vec{r}_m$ for $m \notin$ External are neither external, nor internal, and there is a vector $\vec{v}$ such that $\vec{v} \cdot \vec{r}_m > 0$ for all $m \notin$ External.

Figure 5: An example from proof of Proposition 11

Let us first show that the existence of this falsifier implies that the answer to the problem is No. Indeed, as long as a strategy of a scheduler keeps using modes $m \notin$ External, the environment can pick the rates $\vec{r}_m$, and a point outside of $S$ will be reached under any non-Zeno strategy, because $S$ is bounded. If the strategy of a scheduler picks any mode $m \in$ External, the environment can win immediately by picking the external rate $\vec{r}_m$ and getting outside of $S$.

On the other hand, let us suppose that the answer to the problem is No, and let $I'$ be such that $x \models S|_{I'}$. Then consider any minimal non-schedulable $I \subseteq I'$. We put to External all modes which are unusable, and for every such mode, we pick a rate that witnesses it. Further, there is not any mode with only internal modes and the BMS $H_I$ must be non-schedulable (otherwise $I$ would be schedulable, or would not be minimal non-schedulable). By Proposition 7 there is an unsafe instance $H = (M', n, R) \in [\![\mathrm{Ext}(H_I)]\!]$. Since $M'$ contains all the modes whose indices are not in External, we can pick the rate from this unsafe instance and we are finished.
Proposition 11 (co-NP hardness). The schedulability problem for MMS is co-NP hard.
Proof (Sketch). The proof for co-NP hardness uses a reduction from the classical NP-complete problem 3-SAT. For a SAT instance $\varphi$ we construct an MMS $H_\varphi$ such that $\varphi$ is satisfiable if and only if $H_\varphi$ is not schedulable for any starting state and bounded convex safety set. We only sketch the construction of $H_\varphi$ here and formally prove the correctness of the construction in Appendix B.2. Consider a SAT instance $\varphi$ with $k$ clauses and $n$ variables denoted as $x_1, \ldots, x_n$. The corresponding MMS $H_\varphi = (M, n, R)$ is such that its set of modes $M = \{m_1, \ldots, m_k\}$ corresponds to the clauses in $\varphi$, and variables are such that variable $i$ corresponds to variable $x_i$ of $\varphi$. For each variable $x_i$ we define vectors $\vec{p}_i$ and $\vec{n}_i$ such that $\vec{p}_i(i) = 1$, $\vec{n}_i(i) = -1$, and $\vec{p}_i(j) = \vec{n}_i(j) = 0$ if $i \ne j$. The rate-vector function $R$ is defined such that for each mode $m_j$ and for each SAT variable $x_i$ we have that $\vec{p}_i \in R(m_j)$ if $x_i$ occurs positively in clause $j$, and $\vec{n}_i \in R(m_j)$ if the variable $x_i$ occurs negatively in clause $j$. The crucial property here is that there is no vector that can have a positive dot product with both $\vec{p}_i$ and $\vec{n}_i$, which allows us to map unsafe rate combinations to satisfying valuations and vice versa.

Figure 5 shows an example of the reduction for two different formulas. On the left, we have a satisfiable formula ( x ∨ x ∨ x ) ∧ ( ¬ x ∨ ¬ x ∨ ¬ x ) which gives rise to an MMS with two modes: { ~p , ~p , ~p } ∈ m and { ~n , ~n , ~n } ∈ m . The system has unsafe combination ~p , ~n . In Figure 5 (right) an unsatisfiable formula ( x ∨ x ∨ x ) ∧ ( ¬ x ∨ ¬ x ∨ ¬ x ) ∧ ( x ∨ x ∨ x ) is reduced to an MMS with three modes: { ~p } ∈ m , { ~n } ∈ m , and { ~p , ~p , ~p } ∈ m . All combinations are safe.

Algorithm 4: Decide if a two dimension BMS is safe.
Input: BMS $H$ with two variables.
Output: Return Yes, if $H$ is safe and No otherwise.
    Set $R$ to the set of extreme rate vectors of $H$;
    foreach $\vec{r}_\perp \in R$ do
        Set $\vec{u}$ to be a perpendicular vector to $\vec{r}_\perp$;
        foreach $\vec{v} \in \{\vec{u}, -\vec{u}\}$ do
            if for each $m \in M$ there is $\vec{r} \in m$ s.t. $\vec{v} \cdot \vec{r} > 0$ or there is $p > 0$ s.t. $\vec{r} = p\,\vec{r}_\perp$ then
                return No;
    return Yes

The proof of the following easy corollary is postponed to Appendix B.3.

Corollary 12 (co-NP hardness result for BMS). The schedulability problem for BMS is co-NP hard.
For a special case of
BMS which only have two variables,we show the following result.
Theorem
Schedulability problems for
BMS with con-vex polytope safety sets are in P for systems with variables. The rest of the section is devoted to the proof of this the-orem. The following lemma shows that to check whether aset of rate vectors R = { ~r , ..., ~r k } is unsafe it is sufficient tocheck properties of vectors ~u perpendicular to some vectorof R . This observation yields a polynomial time algorithm. Lemma
Let R be a set of vectors. There is ~v suchthat ~v · ~r > for all ~r ∈ R if and only if there are ~u and ~r ⊥ ∈ R satisfying ~u · ~r ⊥ = 0 and for all ~r ∈ R either ~u · ~r > or ~r = p · ~r ⊥ for some p > . Proof (Sketch).
To obtain ~v we keep changing ~v untilit becomes perpendicular to some vector in R . On the otherhand, ~v is obtained from ~u by making a sufficiently smallchange to ~u . A formal proof is given in Appendix B.4.Consider an unsafe set of rate vectors R = { ~r , ~r , ~r , ~r } shown in Figure 6 (left). All the rate vectors are on theright side of line y = 0 and vector ~v has strictly positive dotproduct with all of them. As it can be seen in the figure,all the rate vectors are on right-hand side of the line passingthrough ~r and there exists ~u perpendicular to ~r such that ~v ′ · ~r i ≥ ~r i ∈ R . Observe that adding a rate vector ~r = − ~r to R makes this set of rate vectors safe, and none ~r ~r ~v ~u~r ~r ~r ~r ~r Figure 6: Examples for Lemma 14 f rate vectors would satisfy the conditions of Lemma 14.Figure 6 (right) shows a safe set of rate vectors. As one cansee none of rate vectors has the others on one side of itself.The following corollary implies that we can use Lemma 14to check the safety of a
BMS . Corollary A BMS H with two variables is not safeif and only if there exists a rate vector ~r ⊥ in one of the modesof system and vector ~v perpendicular to it, such that for allmodes m ∈ H : (i) there exists ~r ∈ m such that ~v · ~r > ; or(ii) ~v · ~r = 0 and ~r = p · ~r ⊥ for some p > . Algorithm 4 checks whether all the combinations are safein polynomial time; it chooses a rate vector ~r ⊥ at each stepand tries to find an unsafe combination using the resultof Corollary 15. Note that for any non-zero vector ~r ⊥ intwo dimensions there are only two vectors which we need tocheck. Although there are infinitely many vectors ~v whichmight satisfy conditions of Corollary 15, the conditions weare checking are preserved if we multiply ~v by a positivescalar.
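Algorithm 4 written out with exact integer arithmetic, as an added example rather than the authors' code. Besides the Yes/No answer it returns the environment's unsafe rate choice and turns it into a strictly separating vector, which is the "sufficiently small change to $\vec{u}$" from the proof sketch of Lemma 14 scaled to integers; the function names and the sample systems are constructed here, and rates are assumed to be integer pairs.

```python
def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]


def cross(a, b):
    return a[0] * b[1] - a[1] * b[0]


def is_positive_multiple(r, r_perp):
    """True when r = p * r_perp for some p > 0."""
    return cross(r, r_perp) == 0 and dot(r, r_perp) > 0


def find_unsafe_combination(modes):
    """Algorithm 4 over `modes`: mode name -> list of extreme rate vectors.

    Returns None when the BMS is safe. Otherwise returns (choice, u, r_perp):
    one rate per mode, the perpendicular direction u that was tested, and the
    rate r_perp it is perpendicular to.
    """
    all_rates = [r for rates in modes.values() for r in rates]
    for r_perp in all_rates:
        if r_perp == (0, 0):
            continue  # the zero rate can never be part of an unsafe combination
        perp = (-r_perp[1], r_perp[0])
        for u in (perp, (-perp[0], -perp[1])):
            choice = {}
            for name, rates in modes.items():
                hit = next((r for r in rates
                            if dot(u, r) > 0 or is_positive_multiple(r, r_perp)),
                           None)
                if hit is None:
                    break            # this mode has no rate on the open side
                choice[name] = hit
            else:
                return choice, u, r_perp
    return None


def separating_vector(choice, u, r_perp):
    """v = K*u + r_perp with v . r > 0 for every chosen rate r.

    Rates with u . r >= 1 stay positive because K exceeds |r_perp . r|;
    rates parallel to r_perp gain the positive term r_perp . r.
    """
    k = 1 + max(abs(dot(r_perp, r)) for r in choice.values())
    return (k * u[0] + r_perp[0], k * u[1] + r_perp[1])


def is_safe(modes):
    return find_unsafe_combination(modes) is None


# Constructed sample systems: mode name -> extreme rate vectors.
SAFE_BMS = {"m1": [(3, 1), (3, -1)],
            "m2": [(-2, 3), (-1, 3)],
            "m3": [(-2, -3), (-1, -3)]}
UNSAFE_BMS = {"m1": [(3, 1), (3, -1)],
              "m2": [(-2, 3), (2, 3)],
              "m3": [(-2, -3), (-1, -3)]}

if __name__ == "__main__":
    print("safe system:", is_safe(SAFE_BMS))
    choice, u, r_perp = find_unsafe_combination(UNSAFE_BMS)
    v = separating_vector(choice, u, r_perp)
    print("environment's rates:", choice)
    print("separating vector:", v, [dot(v, r) for r in choice.values()])
```

A returned combination is exactly the fixed environment strategy from the proof of Lemma 5: playing those rates pushes the state in one direction until any bounded safety set is left.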
5. DISCRETE SCHEDULABILITY
In this section we discuss the discrete schedulability problem, in which a scheduler can only make decisions at integer multiples of a specified clock period $\Delta$ and the environment has finitely many choices of rates. Formally, given an MMS $H$, a closed convex polytope $S$ as safety set, and an initial state $x \in S$, the discrete schedulability problem is to decide if there exists a winning strategy of the scheduler where the time delays are multiples of $\Delta$.

Theorem. Discrete schedulability problem is EXPTIME-complete.

Proof. EXPTIME-membership of the problem is shown via discretization of the state space of $H$. Since the set $S$ is given as a bounded polytope, the size of the discretization can be shown to be at most exponential in the size of $H$ and $\Delta$, and since the safety games on a finite graph can be solved in P, EXPTIME membership follows. The hardness can be proved by a reduction from the countdown games [7]. For space constraints we give the proof in Appendix B.5.

We turn the discrete schedulability problem into an optimization problem, by asking to find the supremum of all $\Delta$ for which the answer to the discrete schedulability problem is yes. We prove the following, which also improves a result of [1] where only an approximation algorithm was given.

Theorem. Given an MMS $H$, a closed convex polytope $S$ and an initial state $x$, there is an exponential time algorithm which outputs the maximal $\Delta$ for which the answer to the discrete schedulability problem is Yes. For a CMS the algorithm can be made to run in polynomial space.

Proof (Sketch). We exploit the fact that as the clock period $\Delta$ increases, all the points of the discretization move continuously towards infinity, except for the initial point. This further implies that for $\Delta$ to be maximal, there must be a point of the discretization which lies on the boundary of $S$, since otherwise we could increase $\Delta$ by some small number, while preserving the existence of a safe scheduler. By using a lower bound on $\Delta$ from Section 3 (obtained as a by-product of the construction of a dynamic strategy), there are only exponentially many candidates for such points, which gives us exponentially many candidates for maximal $\Delta$ to consider, and we can check each one by Theorem 16. For the PSPACE bound we don't enumerate the points, but guess them nondeterministically in polynomial space, and utilize [1, Theorem 10] instead of Theorem 16. Full details of the proof are given in Appendix B.6.
6. CONCLUSION
We investigated systems that comprise finitely many real-valued variables whose values evolve linearly based on a rate vector determined by strategies of the scheduler and the environment. We studied an important schedulability problem for these systems, with application to energy scheduling, that asks whether the scheduler can make sure that the values of the variables never leave a given safety set. We showed that when the safety set is a closed convex polytope, existence of a non-Zeno winning strategy for the scheduler is decidable for any arbitrary starting state. We also showed how to construct such a winning strategy. On the complexity side, we showed that the schedulability problem is co-NP complete in general, but for the special case where the system has only two variables, the problem can be decided in polynomial time. Directions for future research include investigation of the schedulability problem with respect to more expressive higher-level control objectives including temporal-logic based specification and bounded-rate multi-mode systems with reward functions.
7. REFERENCES
[1] R. Alur, A. Trivedi, and D. Wojtczak. Optimal scheduling for constant-rate multi-mode systems. In HSCC, 2012.
[2] F. Blanchini. Set invariance in control. Automatica, 35(11):1747-1767, 1999.
[3] T. A. Henzinger. The theory of hybrid automata. In LICS 96, 1996.
[4] T. A. Henzinger, B. Horowitz, and R. Majumdar. Rectangular hybrid games. In CONCUR 99, pages 320-335. Springer, 1999.
[5] T. A. Henzinger and P. W. Kopke. Discrete-time control for rectangular hybrid automata. TCS, 221(1-2):369-392, 1999.
[6] M. Heymann, L. Feng, G. Meyer, and S. Resmerita. Analysis of zeno behaviors in a class of hybrid systems. IEEE Trans. on Auto. Ctrl., 50:376-383, 2005.
[7] M. Jurdziński, J. Sproston, and F. Laroussinie. Model checking probabilistic timed automata with one or two clocks. LMCS, 4(3):12, 2008.
[8] J. Le Ny and G. J. Pappas. Sequential composition of robust controller specifications. In ICRA, 2012.
[9] J. Liu, N. Ozay, U. Topcu, and R. Murray. Switching protocol synthesis for temporal logic specifications. In American Control Conference, 2012.
[10] A. Maitra and W. Sudderth. Finitely additive stochastic games with borel measurable payoffs. International Journal of Game Theory, 27(2), 1998.
[11] T. X. Nghiem, M. Behl, R. Mangharam, and G. J. Pappas. Green scheduling of control systems for peak demand reduction. In IEEE CDC, December 2011.
[12] T. X. Nghiem, M. Behl, G. J. Pappas, and R. Mangharam. Green scheduling: Scheduling of control systems for peak power reduction. , July 2011.
[13] L. T. X. Phan, I. Lee, and O. Sokolsky. Compositional analysis of multi-mode systems. In ECRTS, 2010.
APPENDIX
A. ABSENCE OF STATIC STRATEGIES
Proposition. For a given starting state in the interior of the safety set $S$, the scheduler has a static winning strategy in a BMS $H = (M, n, R)$ iff there is $M' \subseteq M$ such that $|R(m)| = 1$ for all $m \in M'$, and the CMS $H = (M', n, R)$ is safe, where $R(m)$ is the unique rate of $R(m)$.

Proof. The "if" direction is trivial. To show the "only if" direction we show that if there is no CMS subsystem of $H$ for which there is a safe and non-Zeno schedule, then there is no static winning schedule for the schedulability objective. Let $\sigma = (m_1, t_1), (m_2, t_2), \ldots$ be a static scheduler.

Assume there is $m \in M$ with two different rates $\vec{r}_a$ and $\vec{r}_b$ such that $\sum_{i : m_i = m} t_i = \infty$. We then define two strategies for the environment, $\pi_a$ and $\pi_b$, which for a mode $m$ always pick a rate $\vec{r}_a$ and $\vec{r}_b$, respectively. After the first $k$ steps, the point reached under $\sigma_b$ is equal to

$$x_b = x_a + (\vec{r}_b - \vec{r}_a) \cdot \sum_{i \le k : m_i = m} t_i$$

Hence, the points $x_a$ and $x_b$ will be arbitrarily far apart for large enough $k$; since the safety set is bounded, one of the strategies $\pi_a$ and $\pi_b$ must ensure that a point outside is left eventually.

On the other hand, assume all modes $m$ which have two different rates satisfy that $\sum_{i : m_i = m} t_i$ is finite. Let $M'$ be all such modes, and let $d := \|\vec{r}\| \cdot \sum_{i : m_i \in M'} t_i \le \infty$ where $\vec{r}$ is the rate with the maximal Euclidean norm which occurs in $H$. Intuitively, $d$ is the upper bound on the change of the values of variables caused by using the modes of $M'$. Let $d$ be the diameter of $S$, and let $p$ be the Euclidean distance of the initial point $x$ from the boundary of $S$. We define a strategy σ ′ = ( m ′ , t ′ · pd + d ) , ( m ′ , t ′ pd + d ) , . . . where ( m ′ , t ′ ) , ( m ′ , t ) , . . . is the sequence ( m , t ) , ( m , t ) . . . from which we omit all the tuples which have a mode from $M'$ in the first component. The strategy $\sigma'$ is safe for $S$ and further shows that there is a safe CMS subsystem, which is a contradiction.
B. OMITTED PROOFSB.1 Proof of Lemma 8
Let $x$ and $y$ be points satisfying $S|I$. Assume $x$ is safe with a strategy $\sigma$, and let $\sigma_d$ be a strategy for a controller defined as follows. Let $\varrho = \langle y, (m, t), \vec{r}, y, \ldots y_k \rangle$, where $y_i = y + y'_i$ for some $y'_i$, be a history, and let $(\vec{r}, t)$ be a decision of $\sigma$ on $(x, m, t', \vec{r}, x, \ldots x_k)$, where $x_i = x + y'_i \cdot d$ and $t'_i = t_i \cdot d$. The strategy $\sigma_d$ chooses $(\vec{r}, t/d)$ in $\pi$. Intuitively, $\sigma_d$ mimics the decision of $\sigma$, but it assumes the starting point is $y$ rather than $x$, and it scales the time intervals down by $d$, hence making sure that only points closer to $y$ can be reached. For this reason it suffices to take large enough $d$ to make sure that $\sigma_d$ is safe. For example, we can put $d = (\sup_{x' \models S|I} \|x, x'\|) / (\inf_{y' \models S|I',\, I \subseteq I'} \|y, y'\|)$.

Similar arguments can be made for the second part of the lemma, i.e. any strategy safe for a point satisfying $S|I'$ can be scaled to a strategy safe for a point satisfying $S|I'$.

B.2 Proof of Proposition 11 (correctness of construction)

We show that the construction proposed in the proof of Proposition 11 in the main body is correct. We show that there is a satisfying assignment for $\phi$ iff there exists an unsafe instance of $H_\phi$.

− Now let us suppose that there is an unsafe combination $\{\vec{r}_i \mid \vec{r}_i \in m_i, 1 \le i \le |M|\}$. Then for every rate $\vec{r}_i$ which contains 1 at the $i$-th position assign true to the variable $x_i$, and for every rate $\vec{r}_i$ which contains −1 at the $i$-th position assign false to the variable $x_i$. Note that no variable would be assigned both true and false, since if two vectors $\vec{r}'$ and $\vec{r}''$ are chosen which go in opposite directions, then every $\vec{v}$ which satisfies $\vec{v} \cdot \vec{r}' > 0$ has $\vec{v} \cdot \vec{r}'' < 0$, and vice versa, which means that the combination is not unsafe. Further, observe that the assignment is satisfying, because for every clause $c_j$ we have that if $\vec{r}_j$ contains 1 at the $i$-th position, then $c_j$ contains the literal $x_i$ which is satisfied, and if $\vec{r}_j$ contains −1 at the $i$-th position, then $c_j$ contains the literal $\neg x_i$ which is satisfied. Hence there is at least one true literal in each clause and thus the formula $\phi$ is satisfiable.

− To prove the other direction, assume that there is a satisfying assignment to $\phi$, then choose one true literal from each clause and consider the corresponding rate vector for each mode. Note that there would be no two vectors along one axis with different directions since $\neg x_i$ and $x_i$ cannot be true at the same time. Therefore we have $k$ vectors along $1 \le d \le n$ axes where each two vectors are either the same or perpendicular. This set of rate vectors will be unsafe since there exists a $\vec{v}$ with strictly positive dot product with all of them: We build vector $\vec{v}$ such that each $i$-th entry of vector $\vec{v}$ is 1 (resp. − i -th entry is 1 (resp. − v with any vector from the combination is equal to 1, and hence greater than zero.

B.3 Proof of Corollary 12
To prove this corollary we show that if there is an unsafe instance of BMS $H$ then there is an unsafe instance of the corresponding extreme-rate MMS $\mathit{Ext}(H)$. With this observation, the corollary then follows from Proposition 11. Assume $m$ is a mode in the bounded-rate multi-mode system $H$ with extreme rate vectors $\{r^*_1, \ldots, r^*_k\}$. First we show that if there is a rate vector $r \in m$ and a rate vector $v$ such that their dot product is positive, i.e. $v \cdot r > 0$, then there exists at least one extreme rate vector $r^*_i$ which makes an angle less than 90° with $v$, i.e. $v \cdot r^*_i > 0$. We can write $r = \sum \lambda_i r^*_i$ where $\sum \lambda_i = 1$. Assume vector $v$ has positive dot product with $r$, $v \cdot r > 0$. Assume for the purpose of contradiction that $\forall i\; v \cdot r^*_i \le 0$, which is a contradiction because then we have $v \cdot \lambda_i r^*_i \le 0 \rightarrow \sum v \cdot \lambda_i r^*_i \le 0 \rightarrow v \cdot \sum \lambda_i r^*_i = v \cdot r \le 0$. Thus if there is an unsafe instance of BMS, for each mode we can choose an extreme rate such that the corresponding extreme-rate instance is unsafe.
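The correspondence from the proof of Proposition 11, which the corollary above builds on, in runnable form; this is an added example, not the authors' code. Clauses are lists of DIMACS-style integer literals (an assumed encoding), entries of the witness vector on unused axes are set to 0 (also an assumption), and both sample formulas are constructed.

```python
from itertools import product

def modes_from_cnf(clauses, n):
    """One mode per clause; literal x_i gives rate e_i, literal not-x_i gives -e_i."""
    unit = lambda lit: tuple((1 if lit > 0 else -1) if j == abs(lit) - 1 else 0
                             for j in range(n))
    return [[unit(lit) for lit in clause] for clause in clauses]

def witness(combo):
    """Direction v with v.r = 1 for every chosen rate, or None if two chosen
    rates are opposite (then no v has a positive dot product with both)."""
    v = [0] * len(combo[0])
    for r in combo:
        i = next(j for j, c in enumerate(r) if c)   # the single non-zero axis of r
        if v[i] == -r[i]:
            return None
        v[i] = r[i]
    return v

def unsafe_combination(modes):
    """Search one rate per mode for a combination that admits a witness v."""
    for combo in product(*modes):
        v = witness(combo)
        if v is not None:
            return combo, v
    return None

def assignment(combo):
    """Read the truth assignment off an unsafe combination, as in the proof."""
    return {i + 1: c > 0 for r in combo for i, c in enumerate(r) if c}

def satisfies(clauses, a):
    """Evaluate the CNF; variables missing from the assignment count as False."""
    return all(any(a.get(abs(l), False) == (l > 0) for l in c) for c in clauses)

# Constructed sample formulas: 2 means x_2, -2 means not x_2.
SAT_PHI = [[1, 2], [-1, 3], [-2, -3]]
UNSAT_PHI = [[1], [-1, 2], [-2]]
```

For `SAT_PHI` the search returns a combination whose assignment satisfies the formula; for `UNSAT_PHI` every combination contains a pair of opposite rates, so no unsafe combination exists.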
B.4 Proof of Lemma 14

If $|R| \le 1$, then the claim is immediate. Assume $R$ contains at least two rates.

Let us start with $\Rightarrow$. Intuitively, we keep changing $\vec{v}$ until it becomes perpendicular to some vector in $R$, and then we show that the vector obtained in this way satisfies the desired properties. Formally, pick a vector $\vec{w}$ such that $\vec{w} \cdot \vec{r} = 0$. Find a maximal $\alpha \in [0, 1)$ such that for the vector $\vec{v}_\alpha := \alpha \cdot \vec{v} + (1 - \alpha) \cdot \vec{w}$ there is a vector in $R$ perpendicular to $\vec{v}_\alpha$. Such $\alpha$ must exist, since at least for $\vec{v} = \vec{w}$ we have $\vec{r}$ perpendicular. We claim $\vec{v}_\alpha$ is our vector $\vec{u}$, and we let $\vec{r}_\perp$ be any vector of $R$ perpendicular to it. First, observe that there is no $\vec{r} \in R$ such that $\vec{u} \cdot \vec{r} < 0$. If this was the case, then $\alpha \cdot \vec{v} \cdot \vec{r} + (1 - \alpha) \cdot \vec{w} \cdot \vec{r} < 0$; since $\vec{v} \cdot \vec{r}$ is positive, we could have picked $\alpha' > \alpha$ for which $\vec{v}_{\alpha'} \cdot \vec{r} = \alpha' \cdot \vec{v} \cdot \vec{r} + (1 - \alpha') \cdot \vec{w} \cdot \vec{r} = 0$ (for the same $\vec{r}$ as before), contradicting the maximality of $\alpha$. Now for any vector $\vec{r} \in R$ such that $\vec{u} \cdot \vec{r} = 0$, if $\vec{r} \ne p \vec{r}_\perp$ for any $p > 0$, then $\vec{r} = p \vec{r}_\perp$ for some $p < 0$. But since $\vec{r}_\perp \cdot \vec{v} > 0$, $\vec{r} \cdot \vec{v} = p \cdot (\vec{r}_\perp \cdot \vec{v}) < 0$, which is a contradiction with properties of $\vec{v}$.

In the other direction, if there are no $\vec{r} \in R$ such that $\vec{u} \cdot \vec{r} > 0$, we can just put $\vec{v}$ to be an arbitrary element of $R$. Otherwise, we show that we can obtain $\vec{v}$ if we make a small enough change to $\vec{u}$. Fix some $\vec{r}_\perp$ where $\vec{u} \cdot \vec{r}_\perp = 0$. Let $\tau := \min_{\vec{r} \in R : \vec{u} \cdot \vec{r} > 0} \vec{u} \cdot \vec{r}$ be the minimal positive dot product of $\vec{u}$ with vectors of $R$, and let $\kappa := \min_{\vec{r} \in R} \vec{r}_\perp \cdot \vec{r}$ be the minimal (possibly negative) dot product of $\vec{r}_\perp$ with vectors of $R$. Set $\vec{v} = \vec{u} + \tau \cdot (|\kappa| + 1)^{-1} \vec{r}_\perp$. For every $\vec{r} \in R$, we have $\vec{v} \cdot \vec{r} = \vec{u} \cdot \vec{r} + \tau \cdot (|\kappa| + 1)^{-1} \vec{r}_\perp \cdot \vec{r}$ which is positive, because: (i) if the left summand is 0, then the right summand is positive because $\vec{r}_\perp \cdot \vec{r} > 0$, and (ii) if the left summand is positive, then it is at least $\tau$ and the right summand is at least $\tau \cdot (|\kappa| + 1)^{-1} \kappa \ge -\tau$, and so the sum is positive.

B.5 Proof of Theorem 16 (the hardness part)
A countdown game is a tuple $G = (N, T, n, B)$ where
− $N = \{n, n, \ldots, n_d\}$ is a finite set of nodes;
− $T \subseteq N \times \mathbb{N}_{>0} \times N$ is a set of transitions; and
− $(n, B) \in N \times \mathbb{N}_{>0}$ is the initial configuration.

From any configuration $(n, B) \in N \times \mathbb{N}_{>0}$, first player 1 chooses a number $k \in \mathbb{N}_{>0}$, such that $k \le B$ and there exists some $(n, k, n') \in T$, and then player 2 chooses a transition $(n, k, n'') \in T$ labeled with that number. Note that there can be more than one such transition. The new configuration then transitions to $(n'', B - k)$. Player 1 wins a play of the game when a configuration $(n, 0)$ is reached, and loses (i.e., player 2 wins) when a configuration $(n, B)$ is reached in which player 1 is stuck, i.e., for all transitions $(n, k, n') \in T$, we have $k > B$.

For a countdown game $(N, T, n, B)$ we define a BMS $H$, a safety set $S$ and an initial state $x$ such that there is a safe scheduler in $\Sigma_\Delta$ for $\Delta = 1$ iff player 1 has a winning strategy in the countdown game. W.l.o.g. we assume that when $(n, k, n') \in T$, then $n \ne n'$, and also we assume that the initial state is $(n, B)$ and there is no node $n$ and $k$ such that $(n, k, n) \in T$.

The BMS $H$ has $d + 1$ variables. The intuition is that the value of the first variable corresponds to the value of the counter, while the $(i + 1)$th variable is equal to 1 if the game is in node $n_i$, and 0 otherwise.

For all $n, k \in N \times \mathbb{N}_{>0}$ such that there is $(n, k, n') \in T$ for some $n'$, we add a mode $(n, k)$ to $H$. For all $(n_i, k, n_j) \in T$, we add the rate $r$ to the mode $(n_i, k)$ such that the first component of $r$ is $-k$, the $(i + 1)$th component is −1, and the $(j + 1)$th component is 1. All other components of $r$ are zero. We further add modes $m_i$ for $3 \le i \le d + 1$ which contain the unique rate with $B$ in the first component, 1 in the second component, and −1 in the $i$-th component. All other components of this rate are zero.

The safety set $S$ is defined so that the only points with integer values are exactly $(i, \ldots, i_{d+1})$, where $0 \le i \le B$, and exactly one of $i, \ldots, i_{d+1}$ is 1, while the others are 0. Such a safety set can be defined using equations x ≤ B P d +1 i =2 x i ≤ x i ≥ ≤ i ≤ d + 1

Now we claim that the system is schedulable from the point ( B , , , , . . . , 0) iff player 1 has a winning strategy in the countdown game. The intuition is that the winning strategy for player 1 in the countdown game directly gives a strategy for the scheduler in $H$ such that a point is reached which has zero in the first component, and zeros everywhere else except for some $i$-th component. Then the scheduler uses the mode $m_i$, which leads back to the initial state and then he can repeat the same strategy. On the other hand, if player 2 has a winning strategy in the countdown game, this strategy can be used to get to a state from which the scheduler has no chance but to leave the safety set (which corresponds to not having any choices in the countdown game).

B.6 Proof of Theorem 17
In this section we show how to solve the following problem: given a MMS $H = (M, n, R)$, a convex polytope $S$ and an initial state $x \in S$, find the maximal number $\Delta_{\max}$ such that there is a winning strategy for the scheduler which only takes decisions at times $i \cdot \Delta_{\max}$ where $i \in \mathbb{N}$. Formally, let $\Sigma_\Delta$ denote the set of strategies for the scheduler which schedule in multiples of $\Delta$. Then we wish to find a supremum, over all $\Delta$, such that there is a safe scheduler in $\Sigma_\Delta$.

Let $R$ be the set of all possible rate vectors of $H$. Note that since $H$ is a MMS, the set $R$ is finite.

Let $\mathit{discr}(\Delta)$ be the points reachable from $x$ when using a scheduler from $\Sigma_\Delta$. All such points are equal to $x + \sum_{\vec{r} \in R} i_{\vec{r}} \cdot \Delta \cdot \vec{r}$ for some $i_{\vec{r}} \in \mathbb{N}$. This implies that the set $\mathit{discr}(\Delta) \cap S$ is finite.

The intuition of our algorithm is the following. Every strategy from $\Sigma_\Delta$ can be seen as a function which rather than observing and choosing time delays observes and chooses the number of time periods (multiples of $\Delta$) elapsed. Using this abstracted view of strategies, every strategy in $\Sigma_\Delta$ corresponds to a strategy in $\Sigma_{\Delta'}$ which differs only in the length of the time period. It can be shown that there is a correspondence of points reachable under these two strategies. Seeing the points of $\mathit{discr}(\Delta)$ as a “grid”, the points of $\mathit{discr}(\Delta')$ are obtained by stretching (if $\Delta' > \Delta$) or squeezing (if $\Delta' < \Delta$) this grid. It follows that for a $\Delta$ to be maximal, there must be a point in $\mathit{discr}(\Delta)$ which lies on the boundary of $S$, since otherwise the grid $\mathit{discr}(\Delta)$ can be stretched to some $\mathit{discr}(\Delta')$ where $\Delta' > \Delta$, preserving the existence of a safe scheduler. Exploiting this property together with the fact that we already know a lower bound on $\Delta_{\max}$, we get only finitely many candidates for maximal $\Delta$, and we can check in each of them whether a safe scheduler exists using Theorem 16. Our algorithm is presented as Algorithm 5.

Let us now prove the correctness of the algorithm.
Clearly the algorithm terminates in exponential time since the “foreach” loop is executed only exponentially many times at most, and each of the respective lines can be executed in exponential time. Hence, we only need to show that the result returned by the algorithm is correct.

Algorithm 5: algorithm computing $\Delta_{\max}$
  Input: schedulable $H$, safety set $S$ given as $Ax \le b$, point $x \in S$
  Output: $\Delta_{\max}$
  Let $\Gamma$ be the lower bound on $\Delta_{\max}$;
  Compute $\mathit{discr}(\Gamma) \cap S$;
  $\Delta_{\max} := \Gamma$;
  foreach $y = x + \sum_{\vec{r} \in R} i_{\vec{r}} \Delta \cdot \vec{r} \in \mathit{discr}(\Gamma) \cap S$ do
    maximise $\Delta$ subject to $A \cdot (x + \sum_{\vec{r} \in R} i_{\vec{r}} \Delta \cdot \vec{r}) \le b$
    if $\Sigma_\Delta$ contains a safe scheduler and $\Delta > \Delta_{\max}$ then
      $\Delta_{\max} := \Delta$
  return $\Delta_{\max}$

We first introduce some technical notation to capture the intuition of correspondence between points of different discretisations. Define a bijection $g_{\Delta,\Delta'}$ between $\mathit{discr}(\Delta)$ and $\mathit{discr}(\Delta')$ that to a point $x + \Delta \cdot \sum_{\vec{r} \in R} i_{\vec{r}} \cdot \vec{r}$ where $i_{\vec{r}} \in \mathbb{N}$ assigns the point $x + \Delta' \cdot \sum_{\vec{r} \in R} i_{\vec{r}} \cdot \vec{r}$. Intuitively, this function pairs the corresponding points on the “grids” given by $\mathit{discr}(\Delta)$ and $\mathit{discr}(\Delta')$. Note that $g_{\Delta,\Delta'}$ is well defined and does not depend on the choice of $i_{\vec{r}} \in \mathbb{N}$ which represent the point and can be non-unique. Indeed, if

$$x + \Delta \cdot \sum_{\vec{r} \in R} i_{\vec{r}} \cdot \vec{r} = x + \Delta \cdot \sum_{\vec{r} \in R} i'_{\vec{r}} \cdot \vec{r}$$

for some $i_{\vec{r}}, i'_{\vec{r}} \in \mathbb{N}$, then $\sum_{\vec{r} \in R} i_{\vec{r}} \cdot \vec{r} = \sum_{\vec{r} \in R} i'_{\vec{r}} \cdot \vec{r}$ and hence also $x + \Delta' \cdot \sum_{\vec{r} \in R} i_{\vec{r}} \cdot \vec{r} = x + \Delta' \cdot \sum_{\vec{r} \in R} i'_{\vec{r}} \cdot \vec{r}$.

The following lemma essentially says that when we enlarge the length of a time period, the set of points on the corresponding grid that are within $S$ can only get smaller.

Lemma 19. Let $\Delta \ge \Delta'$. Then $g_{\Delta',\Delta}(\mathit{discr}(\Delta') \cap S) \supseteq \mathit{discr}(\Delta) \cap S$.

Proof. Follows because $S$ is closed, convex and contains $x$.

The following lemma intuitively says when we can increase the time period while preserving the existence of a safe scheduler.

Lemma 20. Let $\Delta \ge \Delta'$ be such that $\mathit{discr}(\Delta) \cap S = g_{\Delta',\Delta}(\mathit{discr}(\Delta') \cap S)$ and assume that there is a safe scheduler in $\Sigma_{\Delta'}$. Then there is a safe scheduler in $\Sigma_\Delta$.

Proof. Using $g_{\Delta',\Delta}$, we can define a function $h_{\Delta',\Delta}$ from $\Sigma_{\Delta'}$ to $\Sigma_\Delta$ to capture our intuition of strategies that differ only on the length of a time period as follows. Given $\sigma \in \Sigma_{\Delta'}$ and a history $\langle x, (m, i \cdot \Delta'), r, \ldots x_k \rangle$ we put

$$h_{\Delta',\Delta}(\sigma)(\langle g_{\Delta',\Delta}(x), (m, i \cdot \Delta), r, \ldots g_{\Delta',\Delta}(x_k) \rangle) = \sigma(\langle x, (m, i \cdot \Delta'), r, \ldots x_k \rangle)$$

Now it is easy to prove by induction that if the set of points that are reachable under $\sigma \in \Sigma_{\Delta'}$ is $X$, then the set of points reachable by $h_{\Delta',\Delta}(\sigma) \in \Sigma_\Delta$ is equal to $g_{\Delta',\Delta}(X)$.

Now we are ready to proceed with the proof of the correctness of the algorithm. Let $\Delta_{\max}$ be the actual solution, and let $\bar{\Delta}_{\max}$ be the returned number. We know that $\bar{\Delta}_{\max} \le \Delta_{\max}$, since the algorithm ensures that there is a safe scheduler in $\Sigma_{\bar{\Delta}_{\max}}$. To prove $\bar{\Delta}_{\max} \ge \Delta_{\max}$, it suffices to show that there is a safe scheduler in $\Sigma_{\Delta_{\max}}$, and that $\Delta_{\max}$ is found for some $y$ at line 4 of Algorithm 5.

To show that there is a safe scheduler in $\Sigma_{\Delta_{\max}}$, let

$$X := \bigcap_{\Delta < \Delta_{\max}} g_{\Delta,\Delta_{\max}}(\mathit{discr}(\Delta) \cap S).$$

We have $X = \mathit{discr}(\Delta_{\max}) \cap S$. The inclusion $\supseteq$ follows by Lemma 19; the inclusion $\subseteq$ follows by the fact that $S$ is closed and the fact that as $\Delta$ gets arbitrarily close to $\Delta_{\max}$, the points $y \in \mathit{discr}(\Delta)$ get arbitrarily close to $g_{\Delta,\Delta_{\max}}(y)$. By Lemma 19 and because $\mathit{discr}(\Delta) \cap S$ is finite for all $\Gamma \le \Delta < \Delta_{\max}$, there is $\Delta < \Delta_{\max}$ such that $g_{\Delta,\Delta_{\max}}(\mathit{discr}(\Delta) \cap S) = X$, and by definition of $\Delta_{\max}$ there is a safe scheduler in $\Sigma_\Delta$. Finally by Lemma 20 there must be a safe scheduler $\sigma \in \Sigma_{\Delta_{\max}}$.

Now suppose that $\Delta_{\max}$ is not a solution to any of the linear programs executed on line 4. For each $y \in \mathit{discr}(\Gamma) \cap S$, let $\Delta_y$ be the solution to the linear program for $y$. Let $P$ be the set of all $y \in \mathit{discr}(\Gamma) \cap S$ satisfying $g_{\Gamma,\Delta_{\max}}(y) \in \mathit{discr}(\Delta_{\max}) \cap S$. Define $\Delta = \min_{y \in P} \Delta_y$.
We have $\Delta > \Delta_{\max}$, since if $\Delta = \Delta_{\max}$ then $\Delta_{\max}$ would be the solution to the linear program for the point $y$ which realises the minimum, and if $\Delta < \Delta_{\max}$ then $g_{\Gamma,\Delta_{\max}}(y) \notin \mathit{discr}(\Delta_{\max}) \cap S$. In addition, $g_{\Delta_{\max},\Delta}(\mathit{discr}(\Delta_{\max}) \cap S) = \mathit{discr}(\Delta) \cap S$ which by Lemma 20 implies that there is a safe scheduler in $\Sigma_\Delta$, contradicting the maximality of $\Delta_{\max}$.
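Algorithm 5 run on a constructed one-variable system, as an added example that is not the authors' code: each linear program reduces to a ratio test in ∆, and the test for a safe scheduler in Σ_∆, which the paper delegates to Theorem 16, is replaced here by a greatest-fixed-point computation on the grid. The lower bound `gamma`, the cap `tmax` on the number of periods per decision and both sample systems are assumptions; discr(Γ) ∩ S is enumerated by search through S, which is exhaustive for this sample.

```python
from fractions import Fraction as F

def inside(A, b, x0, delta, w):
    """True if the grid point x0 + delta*w satisfies A x <= b."""
    return all(sum(a * (p + delta * c) for a, p, c in zip(row, x0, w)) <= bj
               for row, bj in zip(A, b))

def offsets(modes, A, b, x0, delta):
    """Integer offsets w = sum_r i_r * r with x0 + delta*w in discr(delta) ∩ S."""
    seen, todo = set(), [(0,) * len(x0)]
    while todo:
        w = todo.pop()
        if w not in seen and inside(A, b, x0, delta, w):
            seen.add(w)
            todo += [tuple(c + ri for c, ri in zip(w, r))
                     for R in modes.values() for r in R]
    return seen

def has_safe_scheduler(modes, A, b, x0, delta, tmax):
    """Safety game on the grid: repeatedly drop points with no safe decision."""
    win = offsets(modes, A, b, x0, delta)
    while True:
        keep = {w for w in win
                if any(all(tuple(c + t * ri for c, ri in zip(w, r)) in win for r in R)
                       for R in modes.values() for t in range(1, tmax + 1))}
        if keep == win:
            return (0,) * len(x0) in win
        win = keep

def delta_max(modes, A, b, x0, gamma, tmax):
    """Algorithm 5: stretch the grid until a point of discr(gamma) ∩ S hits the boundary."""
    slack = [bj - sum(a * p for a, p in zip(row, x0)) for row, bj in zip(A, b)]
    best = gamma
    for w in offsets(modes, A, b, x0, gamma):
        Aw = [sum(a * c for a, c in zip(row, w)) for row in A]
        bounds = [F(s) / aw for s, aw in zip(slack, Aw) if aw > 0]
        if not bounds:
            continue                      # this point never reaches the boundary
        d = min(bounds)                   # maximise delta s.t. A (x0 + delta*w) <= b
        if d > best and has_safe_scheduler(modes, A, b, x0, d, tmax):
            best = d
    return best

# Constructed sample: one variable, S = [-1, 2] written as A x <= b, start x0 = 0.
A, b, x0 = [(1,), (-1,)], [2, 1], (0,)
FIXED = {"up": [(1,)], "down": [(-1,)]}                   # one rate per mode
UNCERTAIN = {"up": [(1,), (2,)], "down": [(-1,), (-2,)]}  # environment picks the rate
```

With `gamma = F(1, 2)` the result is 2 for `FIXED` and 1 for `UNCERTAIN`: letting the environment double the rate halves the longest period the scheduler can safely commit to.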