Invariance objectives - Compositional Synthesis and Most General Controllers

η = S0,→ hS0, d(ε)i β1

,_{→ . . .},β_{→ S}n n,→ hSn, d(σ)i

be the unique partiald-play for σ ending in_Venv(cf. Lemma 5.6). By Claim 2, all vertices in

η are inW and thus Sn= µ∗(m0, σ) by Lemma 6.2. AshSn, d(σ)i ∈ W, by the definition

of the controller,d(σ)_{∈ ∆(S}n) = ∆(µ∗(m0, σ)).

It remains to show that condition (I2) holds, which requires thatd is Fair-fair. We therefore have to check, for all infinite d-schedulable observation σ = β1β2. . . ∈ Obsω, that the

fairness condition imposed byC is satisfied. Let η = S0,→ hS0, d(ε)i

β1

,_{→ S}1 ,→ hS1, d(β1)i β2

,_{→ . . .}

be thed-play for σ. Claim 2 yields that there exists a j such that Si ∈ F for all i > j. As

Si = µ∗(m0, β1. . . βi), µ∗(m0, β1. . . βi) ∈ F for all i > j. Note that then F(β1. . . βi) =

∅ for all i > j and all F ∈ Fair and thus condition (I2.1) in Definition 3.2 holds. Hence, d is in fact a plain instance of SC and thereforeSC is a most general strategy enforcing

♦F.

6.2 Invariance objectives

We now show how to construct a most general controller for invariance objectives of the form Φ = I, with I ⊆ Q for systems with an empty fairness condition Fair[A]. Let I_A# ={q, q# : q∈ I}. The safe vertices for the complete-information game G = (V, ,→)

for the game arenaA#_{are then defined as}

I =S _{∈ V}ctr : S ⊆ IA#

∪ stop(s), div(s) : s_{∈ I}_A#

We apply the standard fixed-point characterization of the set of winning regions ensuring an invariance and define

W(0) def

=I and W(i+1) def

=W(i)_{\ (Y}(i+1) ctr ∪ Y

(i+1) env )

Y_ctr(i+1) def= S_{∈ V}ctr∩ W(i) : S ,→ hS, Oi implies hS, Oi /∈ W(i)for allO ∈ Obs

Yenv(i+1)

def

= _{hS, Oi ∈ V}env∩ W(i) : hS, Oi ,→ v for some v ∈ V \ W(i)}.

The setY_ctr(i+1)contains the vertices where the first player is not able to choose anO while staying in the winning regionW(i)_{, and}_Y(i+1)

env contains the vertices where the environment

has a move that leads out of the winning regionW(i)_{. As}_{V is finite, there exists k ∈ N}

withW(0) _{⊃ W}(1) _{⊃ . . . ⊃ W}(k) ₌ _W(k+1) _{= . . .. Let Win(}_{I) denote the limit, i.e.,}

Win(I) = T

i>0W

(i) ₌_W(k)_.

If [Q0]∗ ∈ Win(I) then we extract from Win(I) a most general plain controller

C = (M, m0, ∆, µ, fair) enforcingI the same way as for reachability objectives, except

Chapter 6. Safety and co-safety objectives 6.2. Invariance objectives

Theorem 6.4 (Soundness of the constructed controller forI).

(a) If[Q0]∗ ∈ Win(I) then the strategy SC induced by the controllerC enforces ob-

jectiveI.

(b) If there exists an admissible decision functiond that enforcesI then [Q0]∗∈ Win(I) and d is an instance of SC.

Hence, ifI is enforceable, SCis a most general strategy enforcingI.

Proof.In the sequel, letW = Win(I).

ad (a). The admissibility of SC can be proven exactly as in the proof of Theorem 6.3.

Letπ be an initial SC-path in A and let πC be the corresponding initial path in C ./ A

(cf. Lemma 4.2): π = q0 α1 −→ q1 α2 −→ . . . πC = hS0, q0i α1 −→ hS1, q1i α2 −→ . . .

Asπ is an SC-path, it is ad-path for some instance of SC. Letπ# be the corresponding

execution in_A#. Then,

π#= s0 −→ sα1 1−→ . . . , where sα2 i|A= qifor alli6 |π|.

The one-to-one correspondence ofSC-paths inA and the paths in C ./ A allows us to argue

with the productC ./A. As the fairness condition of the controller is empty, all executions inC ./A are fair. We show that for all initial paths πC inC ./A we have:

πC |= W ∧ I

where we treat_{W as an atomic proposition that holds for all states hS, qi in C ./ A with} S_{∈ W and I as an atomic proposition that characterizes the states hS, qi where q ∈ I. We} prove the following stronger claim:

Claim 1. For alli6 |π|: Si ∈ W, si∈ Siandqi ∈ I.

Proof of Claim 1.AsW ⊆ I, si ∈ Si ⊆ I implies si ∈ IA# and consequentlyq_i ∈ I. So

it remains to show thatSi ∈ W and si ∈ Si for alli6 |π|. Clearly, S0 = [Q0]∗ ∈ W and

s0 = q0 ∈ Q0⊆ S0. We show thatSi+1∈ W and si+1∈ Si+1ifSi ∈ W and si ∈ Si.

• If αi ∈ Actvis, let β = obs(αi). Then β ∈ O for some O ∈ ∆(Si) and Si+1 =

µ(S, β) and there exist the edges

Si ,→ hSi, Oi β

,→ Si+1

in the gameG, with hSi, Oi ∈ W and Si+1 ∈ W. As si αi

−→# si+1, we havesi ∗β∗

=⇒ si+1and thereforesi+1∈ Si+1.

• If αi ∈ Act/ vis then Si+1 = Si ∈ W and, as si ∗

=_{⇒ s}i+1 and Si is closed under

In document Compositional Synthesis and Most General Controllers (Page 74-76)