Reachability with fairness - Compositional Synthesis and Most General Controllers

ad (b). Letd be an admissible decision function d that enforcesI. We have to show that [Q0]∗ ∈ W and that SCis a most general strategy enforcingI, i.e., that d is an instance

ofSC. We will show that all the vertices ind-plays are inW. This fact will then be used to

show thatd is an instance of SC.

Claim 2. All verticesv reachable by d-plays are in_W.

Proof of Claim 2.By contradiction, assume there is a partiald-play η = v0 ,→ v1 ,→ . . . ,→ v

for some observationσ such that v /∈ W. We first consider the case that v ∈ Vterm\ W.

Asd is admissible, v _{6= fail(s). If v = stop(s) or v = div(s), then s /}_{∈ I}A#. But then

Lemma 5.8 yields initiald-paths visiting state q = s_|A, whereq /∈ I, contradicting that all

d-paths satisfyI. Likewise, if v ∈ Vctr\ W, then v /∈ I, as W ⊆ IA#. Then, there exists

s ∈ v with s /∈ IA#. By Lemma 5.6, there exists an initiald-execution π ending in state

q = S_|A, withq /∈ I. It is clear that we can extend π to a d-path π0and that thenπ0 6|= I,

leading to a contradiction with the fact thatd enforcesI.

Ifv ∈ Venv\ W, there exists a v0 ∈ (Vctr∪ Vterm)\ W with v ,→ v0, as the vertices inVenv

are non-terminal. But then the arguments for vertices from_Vctr\ W and Vterm\ W again

lead to contradictions.

Claim 3. d is an instance of SC.

Proof of Claim 3. As in the proof for reachability objectives, w.l.o.g. we assume thatd schedules only schedulable observables and show thatd is a plain instance of SC.

To show thatd is a plain instance of SC, we have to show that conditions (I1) and (I2) of

Definition 3.2 hold. Condition (I2) holds trivially, as the fairness condition is empty. Condition (I1) requires thatd(σ)∈ ∆(µ∗_(m

0, σ)) for all finite d-schedulable observations.

Letσ = β1. . . βnbe such an observation and let

η = S0,→ hS0, d(ε)i β1

,_{→ . . .},β_{→ S}n n,→ hSn, d(σ)i

be the unique partiald-play for σ that ends in Venv. By Claim 2, all vertices in η are in

W and thus Sn = µ∗(m0, σ) by Lemma 6.2. AshSn, d(σ)i ∈ W, by the definition of the

controller,d(σ)∈ ∆(Sn) = ∆(µ∗(m0, σ)).

6.3 Reachability with fairness

We will now adapt our algorithm for the construction of a most general controller for reachability objectivesΦ = ♦F for a system with an empty fairness condition Fair[A] as pre- sented in Section 6.1 to the case whereFair[A] is non-empty. Recall that we require that Fair[_{A] is history-independent (Definition 5.1).}

Chapter 6. Safety and co-safety objectives 6.3. Reachability with fairness

LetΦ = ♦F with F ⊆ Q be a reachability objective and let Fair[A] = {F1, . . . , F`} be

the fairness condition of_{A. Let G = (V, ,→) be the complete-information game for A}#_F as in Section 6.1. Applying the algorithm for reachability objectives without fairness yields the winning regionWin(♦F). Assuming that [Q0]∗is inWin(♦F), we construct the plain

controllerC = (M, m0, ∆, µ, fair∪ fair0) as in Section 6.1, with fair as in Section 6.1 and

fair0 =_{F0

1, . . . , F0`} obtained from Fair[A] as follows.

The controller first uses the fairness conditionfair for the modes not in F to eventually reach the goal vertices_{F and thus enforce Φ. Afterwards, the modes of the controller stay} in_{F. For these modes, the decision function template allows all admissible choices and the} controller ensures the fairness conditionFair[A] by replicating the fairness requirements for these modes inF. For each Fj ∈ Fair[A] the corresponding F0j ∈ fair0is given by

F0_j =(m, O) : m∈ M ∩ F and O ∈ ∆(m)

and for eachβ _{∈ O there exists O}0 _{∈ F}j(m|A) with β ∈ O0 .

Due to the powerset construction in the game,m_|A = Post∗A(σ) for some σ ∈ Obs∗ and

thusFj(m|A) is uniquely defined (cf. Corollary 5.2). We rely here on the fact that Fair[A]

respects admissibility (cf. Chapter 4) and can thus be easily ensured by a controller that schedules all admissible choices (modulo unschedulable observables). It is thus not nec- essary to separately verify thatFair[A] can indeed be ensured by a decision function or controller that is restricted to admissible choices.

Theorem 6.5 (Soundness of controller for♦F (with fairness)).

(a) If [Q0]∗ ∈ Win(♦F ) then the plain strategy SC = (D, Fair) induced by the con-

trollerC constructed above enforces♦F.

(b) If there exists an admissible decision functiond that enforces♦F then [Q0]∗∈ Win(♦F ) and d is an instance of SC.

Hence, if♦F is enforceable then SCis a most general strategy enforcing♦F.

Proof.

ad (a). By Theorem 6.3, the strategySC enforces♦F for A when ignoring the fairness

conditionFair[_A].

It remains to show thatSC is admissible for (A, Fair[A]), i.e., that for all instances d of

SC all d- andA-schedulable observations are Fair[A]-schedulable. Let σ = β1β2. . . be

such an observation. As finite observations are triviallyFair[_{A]-schedulable, let σ be in-} finite. Leti0 be the smallest index such thatµ∗(m0, β1. . . βi0) ∈ F. The existence of i0

follows from Theorem 6.3. For1 6 j 6 `, let F_Aj ∈ Fair[A] be the fairness condition ofFair[_{A], let F}0_j _{∈ fair be the corresponding (mode-based) fairness condition in fair}0 of the controller and letF00

j ∈ Fair be the corresponding induced (observation-based) fairness

condition of the strategy. Assume by contradiction that σ is not F_Aj schedulable. Then there exists some positioni1 > i0such that there are infinitely many positionsi> i1 with

In document Compositional Synthesis and Most General Controllers (Page 76-78)