Petter Nilsson

Incremental synthesis of switching protocols via abstraction refinement

We consider the problem of synthesizing switching protocols that regulate the modes of a switched system in order to guarantee that the trajectories of the system satisfy certain high-level specifications. In particular, we develop a computational framework for incremental synthesis of switching protocols. Augmented finite transition systems are used as abstract representations of continuous dynamics. Inspired by counter-example guided abstraction refinement procedures for hybrid system verification, we start with a coarse abstraction and gradually refine it according to preorder relations on augmented finite transition systems. At each iteration, the proposed procedure can produce either a switching protocol that ensures the satisfaction of the specification, a certificate for nonexistence of such a protocol, or a refinement suggestion together with a partial solution to be used in the next iteration. Although the procedure is not guaranteed to terminate in general, we illustrate its practical applicability with two simple examples.

Preliminary results on correct-by-construction control software synthesis for adaptive cruise control

A plethora of driver convenience and safety automation systems are being introduced into production vehicles, such as electronic stability control, adaptive cruise control, lane keeping, and obstacle avoidance. Assuring the seamless and safe integration of each new automation function with existing control functions is a major challenge for vehicle manufacturers. This challenge is compounded by having different suppliers providing software modules for different control functionalities. In this paper, we report on our preliminary steps to address this problem through a fresh perspective combining formal methods, control theory, and correct-by-construction software synthesis. In particular, we begin the process of synthesizing the control software module for adaptive cruise control from formal specifications given in Linear Temporal Logic. In the longer run, we will endow each interacting software module with an assume-guarantee specification stating under which environment assumptions the module is guaranteed to meet its specifications. These assume-guarantee specifications will then be used to formally prove correctness of the cyber-physical system obtained when the integrated modules interact with the physical dynamics.

Correct-by-Construction Adaptive Cruise Control: Two Approaches

Motivated by the challenge of developing control software provably meeting specifications for real-world problems, this paper applies formal methods to adaptive cruise control (ACC). Starting from a linear temporal logic specification for ACC, obtained by interpreting relevant ACC standards, we discuss in this paper two different control software synthesis methods. Each method produces a controller that is correct-by-construction, meaning that trajectories of the closed-loop systems provably meet the specification. Both methods rely on fixed-point computations of certain set-valued mappings. However, one of the methods performs these computations on the continuous state space whereas the other method operates on a finite-state abstraction. While controller synthesis is based on a low-dimensional model, each controller is tested on CarSim, an industry-standard vehicle simulator. Our results demonstrate several advantages over classical control design techniques. First, a formal approach to control design removes potential ambiguity in textual specifications by translating them into precise mathematical requirements. Second, because the resulting closed-loop system is known a priori to satisfy the specification, testing can then focus on the validity of the models used in control design and whether the specification captures the intended requirements. Finally, the set from where the specification (e.g., safety) can be enforced is explicitly computed and thus conditions for passing control to an emergency controller are clearly defined.

Synthesis of separable controlled invariant sets for modular local control design

Many correct-by-construction control synthesis methods suffer from the curse of dimensionality. Motivated by this challenge, we seek to reduce a correct-by-construction control synthesis problem to subproblems of more modest dimension. As a step towards this goal, in this paper we consider the problem of synthesizing decoupled robustly controlled invariant sets for dynamically coupled linear subsystems with state and input constraints. Our approach, which gives sufficient conditions for decoupled invariance, is based on optimization over linear matrix inequalities which are obtained using slack variable identities. We illustrate the applicability of our method on several examples, including one where we solve local control synthesis problems in a compositional manner.

Control Synthesis for Large Collections of Systems with Mode-Counting Constraints

Given a large homogeneous collection of switched systems, we consider a novel class of safety constraints, called mode-counting constraints, that impose restrictions on the number of systems that are in a particular mode. We propose an approach for synthesizing correct-by-construction switching protocols to enforce such constraints over time. Our approach starts by constructing an approximately bisimilar abstraction of the individual system model. Then, we show that the aggregate behavior of the collection can be represented by a linear system, whose system matrices are induced by the transition graph of the abstraction. Finally, the control synthesis problem with mode-counting constraints is reduced to a cycle assignment problem on the transition graph. One salient feature of the proposed approach is its scalability; the computational complexity is independent of the number of systems involved. We illustrate this approach on the problem of coordinating a large collection of thermostatically controlled loads while ensuring a bound on the number of loads that are extracting power from the electricity grid at any given time.

Temporal logic control of switched affine systems with an application in fuel balancing

We consider the problem of synthesizing hierarchical controllers for discrete-time switched affine systems subject to exogenous disturbances that guarantee that the trajectories of the system satisfy a high-level specification expressed as a linear temporal logic formula. Our method builds upon recent results on temporal logic planning and embedded controller synthesis. First, the control problem is lifted to a discrete level by constructing a finite transition system that abstracts the behavior of the underlying switched system. At the discrete level, we recast the problem as a two player temporal logic game by treating the environment driven switches as adversaries. The solution strategy for the game (i.e. the discrete plan) is then implemented at the continuous level by solving finite-horizon optimal control problems that establish reachability between discrete states and that compensate the effects of continuous disturbances. We also extend the earlier work by making efficient use of propositions in the temporal logic formula to drive the abstraction procedure and to facilitate the computation of continuous input at implementation time. An aircraft fuel system example is formulated; and solved using the proposed method. This sample problem demonstrates the applicability of the abstraction procedure and correct-by-construction controllers to regulate the fuel levels in multiple tanks during interesting operations like aerial refueling.

Invariant sets of defocused switched systems

We consider affine switched systems as perturbations of linear ones, the equilibria playing the role of perturbation parameters. We study the stability properties of an affine switched system under arbitrary switching, assuming that the corresponding linear system is uniformly exponentially stable. It turns out that the affine system admits a minimal invariant set Ω, whose properties we investigate. In the two-dimensional bi-switched case when both subsystems have non-real eigenvalues we are able to characterize Ω completely and to prove that all trajectories of the system converge to Ω. We also explore the behavior of minimal-time trajectories in Ω by constructing optimal syntheses.

On a Class of Maximal Invariance Inducing Control Strategies for Large Collections of Switched Systems

Modern control synthesis methods that are capable of delivering safety guarantees typically rely on finding invariant sets. Computing and/or representing such sets becomes intractable for high-dimensional systems and often constitutes the main bottleneck of computational procedures. In this paper we instead analytically study a particular high-dimensional system and propose a control strategy that we prove renders a set invariant whenever it is possible to do so. The control problem---the mode-counting problem with two modes in one dimension---is inspired by scheduling of thermostatically controlled loads (TCLs) and exhibits a trade-off between local safety constraints and a global counting constraint. We improve upon a control strategy from the literature to handle heterogeneity and derive sufficient conditions for the strategy to solve the problem at hand. In addition, we show that the conditions are also necessary for the problem to have a solution, which implies a type of optimality of the proposed control strategy. We outline more general problem instances where the same control strategy can be implemented and we give sufficient (but not necessary) conditions for the closed-loop system to satisfy its specification. We illustrate our results on a TCL scheduling example.

Provably-correct coordination of large collections of agents with counting temporal logic constraints

In this paper, we consider the problem of coordinating a large collection of homogeneous agents subject to a novel class of constraints: counting temporal logic constraints. Counting constraints arise naturally in many multi-agent planning problems where the identity of the agents is not important for the task to be completed. We introduce a formal language to capture such tasks and present an optimization-based technique to synthesize plans for large collections of agents in a way to guarantee the satisfaction of tasks specified in this formalism.

Augmented finite transition systems as abstractions for control synthesis

This work is motivated by the problem of synthesizing switching protocols for continuous switched systems described by differential or difference equations, in a way that guarantees that the resulting closed-loop trajectories satisfy certain high-level specifications expressed in linear temporal logic. We introduce augmented finite transition systems as an abstract representation of the continuous dynamics; the augmentation consists in encodings of liveness properties that can be used to enforce progress in accordance with the underlying continuous dynamics. Abstraction and refinement relations that induce a preorder on this class of finite transition systems are established, and, by construction, this preorder respects the feasibility (i.e., realizability) of the synthesis problem. Hence, existence of a discrete strategy for one of these abstract finite transition systems guarantees the existence of a switching protocol for the continuous system that enforces the specification for all resulting trajectories. We show how abstractions and refinements can be computed for different classes of continuous systems through an incremental synthesis procedure that starts with a coarse abstraction and gradually refines it according to the established preorder relations. Finally, the incremental synthesis procedure is tailored to a class of temporal logic formulas by utilizing specific fixed point structures to enable localized updates in the refinement steps. The procedure is not guaranteed to terminate in general but we illustrate its practical applicability on numerical examples.