Contract-Based Model Predictive Control

We adopt a distributed model predictive control (MPC) approach to solve the controller syn- thesis problem with temporal logic constraints, as solving the MPC problem for the entire network N in real time is computationally intractable. A distributed controller synthesis approach is enabled by having each sub-network concurrently compute an optimal control trajectory independently. Each sub-network is unaware of adjacent network states during this computation, yet they interact via sending and receiving vehicles to and from adja- cent networks. Coordination is enforced by introducing assume-guarantee contracts between networks into each sub-network’s MPC problem, ensuring that a sub-network does not in- advertently violate an adjacent sub-network’s assumptions and that the distributed control synthesis procedure is sound.

Optimization Objective and Constraints

The MPC algorithm executes at each time step t, and aims to minimize the total delay over a horizon T :

J = T +t−1 X τ =t X l∈L xl[τ ] − fl[τ ]
(7.11)

by computing a control sequence u[t, t + T ) given the current state x[t]. Above, xl_{[τ ] − f}l_{[τ ]} is the number of vehicles that are forced to remain in l at time τ . Cost (7.11) is a monotone function with respect to state if the evolution is restricted to the congestion-free region [82]. Both the network dynamics and MTL specification φi _{can be encoded as mixed integer} constraints. The piecewise affine dynamics are encoded using the scheme by Mayne and Rakovi´c [59] where integer variables are used to detect membership within a set of state space polytopes. Boolean variables that capture predicate satisfaction at different moments in time [91, 74] allow one to encode satisfaction of bounded specification φi with a finite number of mixed integer constraints, given a sufficiently long MPC horizon.

Assumption 1. Each sub-network Ni _{has a common MPC horizon T that is greater than} the longest specification horizon. That is, T > maxih(φi).

Specification φ requires that φi _{be satisfied infinitely often. Unlike the optimization} procedure which executes with a receding horizon, the constraint φi can be enforced period- ically at times kT where k ∈ N. Periodic enforcement of φi _{for every kT translates to sets} of constraints over disjoint intervals [kT, kT + h(φi_{)) each associated with a k ∈ N. A MPC} iteration executing at kT will plan a trajectory over [k, (k + 1)T ], k ∈ N that satisfies φi. A subsequent MPC iteration executing within that time interval t ∈ [kT + 1, (k + 1)T ) takes into account a state trajectory over [kT, t] and input trajectories over [kT, t) and can main- tain satisfaction of φi at time kT simply by either i) Executing the input trajectory proposed by the iteration at time kT ii) Computing at time t an input trajectory with lower cost that still satisfies φi _{at time kT . While the first option is sufficient to enforce the specification,} computing a lower cost trajectory at time t permits the MPC controller to react to incoming vehicles from adjacent sub-networks.

Interconnections and Contracts

The distributed MPC scheme contains a circular dependency because each sub-network is unaware of neighboring networks’ planned actions. Each sub-network needs to promise neighboring sub-networks that they will satisfy each other’s assumptions, but the feasibility of such a promise depends on the actions of one’s neighbors. Assume-guarantee contracts are MPC constraints that break this dependency.

Definition 29 (Assume-Guarantee Contract (for distributed traffic control)). Network Ni’s assume-guarantee contract Ci _{along time interval [kT, (k + 1)T ] consists of}

• Assumption φi

a(xi∗[kT ], di∗[kT, (k + 1)T )) on the incoming demand and vehicles initially in the network:

^ l∈Li xl[(k + 1)T ] ≤ xl_∗[(k + 1)T ]
(7.14) ∧ (k+1)T ^ t=kT ^ l∈Li out yl[t] ≤ y_∗l[t]
 (7.15)

The contract Ci _{is characterized by a set of parameters: the initial state x}

∗[kT ], external demand d∗[kT, (k + 1)T ), terminal state x∗[(k + 1)T ], and output trajectory y∗[kT, (k + 1)T ]) over output links. Sub-network Ni’s assumption component states conditions over local and incoming links Li _{and L}i

in. The output guarantee is viewed as a signal y∗[kT + 1, (k + 1)T ]) that upper bounds output trajectories of y[kT + 1, (k + 1)T ]) on links in Li

out.

Definition 30 (Contract Satisfaction). A sub-network satisfies an assume-guarantee con- tract at time kT if for all x[kT ] and d[kT, (k + 1)T ) satisfying eq. (7.12) and eq. (7.13) respectively, a control sequence u[kT, (k + 1)T ) exists such that Ni remains in the local freeflow region ψi_{, and both the guarantee φ}i

g and MTL requirement φi are satisfied at kT . Contract satisfaction for all assumption satisfying scenarios x[kT ] and d[kT, (k + 1)T ) is difficult to certify for general non-linear dynamics. However, within the congestion free region ψ the dynamics exhibit a monotonicity property, where a partial ordering with respect to state trajectories is preserved, and the initial state x∗[kT ] and demand di∗[kT, (k + 1)T ) jointly yield the most adversarial environment. An environment that satisfies φi

a cannot violate the guarantee if x∗[kT ] and di∗[kT, (k +1)T ) do not violate the assumption [50]. Thus, synthesizing a satisfying control sequence ui

∗[kT, (k + 1)T ) for environmental scenario x∗[kT ] and d∗[kT, (k+1)T ) such that the system satisfies the guarantees and remains congestion free also ensures that the control sequence will be satisfactory under more benign scenarios [81]. A set of contracts is consistent if all sub-network assumptions are implied by the guarantees. Definition 31 (Assume-Guarantee Parameter Consistency). A set of contracts C1_{, . . . , C}4 are consistent if if for all Ni_{, input links l ∈ L}i

in and times t ∈ [kT, (k + 1)T ) X

k∈Ll up

x[·]

d[·]

y[·]

u[·]

t =

0

1

2

3

4

5

6

k =

0

1

Figure 7.2: Three rows show different signals of the MPC algorithm over two MPC horizons where T = 3. Arrow indicate the flow of dependencies amongst signals over time. The shaded regions correspond to a network’s assumptions about its initial state (red) and incoming demand (blue). The green patterned region is the guarantee over an output trajectory (recall that output y is a function of state and input) and a terminal state. At time t = 3, the assume-guarantee contract is reset, and the overlap at x[3] between the initial state assumption and the state trajectory guaratee ensures that recursive feasibility is maintained.

Recursive Feasibility with Fixed Contracts

Recursive feasibility can be viewed as a network making a promise to its future self that all future constraints will remain feasible. Recursive feasibility has two components, corre- sponding to the specification φi_g constraint and the contract constraint eq. (7.15). Feasibility of the φi

g constraint at the kT -th time step has already been established via the initial state condition eq. (7.12).

Let contract Ci is be periodically every T steps with fixed parameters. Consider two different MPC executions at times kT and (k + 1)T . The guarantee constraint φi

g along the interval [(k + 1)T, (k + 2)T ) is feasible when eq. (7.12) is satisfied at time (k + 1)T . The MPC algorithm executing at time kT imposes the terminal state guarantee x[(k + 1)T ] ≤ x∗[(k + 1)T ], which implies that the initial state assumption at (k + 1)T with identical contract Ci _{is satisfied if:}

^

l∈Li

xl_∗[(k + 1)T ] ≤ xl_∗[(k + 1)T ]. (7.17)

If Ci _{satisfies eq. (7.17) then it is said to be a recursively feasible contract. The final MPC} problem for each sub-network requires enforcing the following constraints.

Dynamics constraint eq. (7.4) Assumption φi_a is encoded in the constraint eq. (7.4).

Proposition 8 (Infinite Horizon Spec. Satisfaction). If each network Nisatisfies its assume- guarantee contract, each assume-guarantee contract Ci _{is recursively feasible, and the global} initial state x[0] satisfies each initial state eq. (7.12) assumption, then the distributed MPC algorithm satisfies the global specification eq. (7.9).