6.2 Multi-scale Controller Synthesis
6.2.4 Safety Controller Synthesis on Multi-scale Abstractions
We have illustrated the use of multi-scale abstractions for synthesizing safety and sub-optimal reachability controllers in [66, 65, 217]. These problems were considered in [208, 130] on the basis of uniform discrete abstractions. We extend the synthesis algorithms to multi-scale abstractions that are computed on-the-fly, so as to provide a scalable trade-off between precision and cost, while guaranteeing, for reachability, a lower bound on the performance of the closed-loop system.
Let us consider a system T = (Q, L, →, O, H, I). For simplicity, we assume that T is deterministic. This is satisfied by the transition systems T_τ^N(Σ) and T_{τ,η}^N(Σ) defined in the previous section.
In the following, we consider deterministic static state-feedback controllers; for brevity, we just use the term controller.
Definition 6.13 A controller for T is a map S : Q → 2^L such that for all q ∈ Q, S(q) ⊆ enab(q) and ∀l ∈ S(q), S(succ_l(q)) ≠ ∅ (dead-end freedom).
The system T controlled by S is the system T/S = (Q, L, →_S, O, H, I) where the transition relation is given by q →_S^l q′ ⇐⇒ [(l ∈ S(q)) ∧ (q →^l q′)].
S(q) = ∅ means that the controller is not defined at q. Since we assumed that T is deterministic, the system T/S is deterministic as well.
Problem formulation
Definition 6.14 A state q of T is controllable with respect to a safety specification Q_S if q ∈ Q_S and there exists an infinite sequence of transitions of T starting in q and remaining in Q_S. We denote the set of controllable states by cont(Q_S).
Definition 6.15 A safety controller for T = (Q, L, →, O, H, I) with respect to a safety specification Q_S ⊆ Q is a controller S for T (see Definition 6.13) such that Q_S is invariant.
Given the set of controllable states cont(Q_S), we can define a safety controller S∗ as follows: for all q ∉ cont(Q_S), S∗(q) = ∅ and for all q ∈ cont(Q_S),
S∗(q) = {l ∈ enab(q) | succ_l(q) ∈ cont(Q_S)}.
This safety controller is maximal in the sense that any other safety controller S satisfies S(q) ⊆ S∗(q), for all q ∈ Q. The set cont(Q_S) and thus S∗ are computable for our discrete abstractions. However, the larger the number of states, the more expensive the computation. For that reason, we want to exploit multi-scale abstractions to propose a more efficient algorithm for the synthesis of safety controllers.
Let us consider that the set of labels of T is L = P × Θ_τ^N as defined in the previous section. The lazy safety synthesis problem consists in controlling a system so as to keep any trajectory starting from some initial state in I within the safe subset of states, while applying in each state a transition of the longest possible duration for which safety can be guaranteed. For that purpose we define priority relations on the set of labels giving priority to transitions of longer duration: for l, l′ ∈ L with l = (p, δ), l′ = (p′, δ′), l ⪯ l′ iff δ ≤ δ′, l ≺ l′ iff δ < δ′ and l ≅ l′ iff δ = δ′. Given a subset of labels L′ ⊆ L, we define max(L′) = {l′ ∈ L′ | ∀l ∈ L′, l ⪯ l′}.
Definition 6.16 A maximal lazy safety controller for T = (Q, L, →, O, H, I) and Q_S is a safety controller S with respect to Q_S such that for all controllable initial states q ∈ I ∩ cont(Q_S), S(q) ≠ ∅, and for all states q ∈ Q with S(q) ≠ ∅, q is reachable in T/S and the following conditions hold:
1. if l ∈ S(q), then for any l ≺ l′, succ_{l′}(q) ∉ cont(Q_S) (laziness);
2. if l ∈ S(q), then for any l ≅ l′, l′ ∈ S(q) iff succ_{l′}(q) ∈ cont(Q_S) (maximality).
The controller S represents a trade-off between maximal permissiveness and efficiency: it has the same initial states as the maximal safety controller, but in each state the enabled transitions are only those of maximal duration for which controllability is preserved.
Theorem 6.6 There exists a unique maximal lazy safety controller.
Discrete controller synthesis for multiscale abstractions
Our algorithm for synthesizing the maximal lazy safety controller is based on a depth-first search exploration of the trajectories, starting from initial states and exploring transitions of longer duration first. The multi-scale abstraction is computed on-the-fly during the synthesis algorithm.
More precisely, the maximal lazy safety controller is computed by Algorithm 1, which calls the function explore (Algorithm 2) for each initial state q ∈ I; the second argument of the function is the set of states already visited by the current trajectory. The global variables are K, U and C, for the sets of controllable and uncontrollable states and the controller, respectively. Function explore(q, V) returns whether q is controllable, where V is the set of states already visited. explore recursively explores the paths starting from q until either a controllable or an uncontrollable state is reached. If a state already visited by the current trajectory is reached, then a cycle within the set of safe states and containing q has been found, and therefore the state q is controllable. The outer loop explores transitions of decreasing duration as long as no safe successor of q has been found.
In Algorithm 1, each transition initiating from a state in Q_S is explored at most once. Hence, termination of Algorithm 1 is guaranteed if the set of labels L and the safe set Q_S are finite: this is the case for our multi-scale abstractions T_{τ,η}^N(Σ) when the safe set is given by Q_S = H^{-1}(O_S) with O_S a compact subset of R^n. In the worst case (when all states in Q_S are reachable but none is controllable), all the transitions initiating from a state in Q_S need to be explored. This gives a worst-case (time and space) complexity of |Q_S| × |L|. In practice, however, this upper bound is not reached.
Algorithm 1: Maximal lazy safety controller synthesis.
Input: transition system (Q, L, →, O, H, I), priority ⪯ ⊆ L × L, safe states Q_S ⊆ Q
Output: maximal lazy safety controller C : Q → 2^L
Data: controllable states K ⊆ Q, uncontrollable states U ⊆ Q
begin
    (K, U, C) := (∅, Q \ Q_S, ∅);
    for q ∈ I ∩ Q_S do
        explore(q, ∅);
end

Algorithm 2: explore(q, V)
Input: state q ∈ Q, visited states V ⊆ Q
Output: true iff q is controllable
Data: unexplored labels L_u ⊆ L
begin
    if q ∈ U then return false;
    if q ∈ K then return true;
    if q ∈ V then K := K ∪ {q}; return true;
    L_u := L;
    while L_u ≠ ∅ do
        foundSucc := false;
        for l ∈ max(L_u) do
            if explore(succ(q, l), V ∪ {q}) then
                C(q) := C(q) ∪ {l}; foundSucc := true;
        if foundSucc then K := K ∪ {q}; return true;
        L_u := L_u \ max(L_u);
    U := U ∪ {q};
    return false;
end
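To make Algorithms 1 and 2 concrete, and to contrast the lazy controller with the maximal safety controller S∗ and the set cont(Q_S) defined above, the following Python implementation is an added example; it is not part of the thesis or of the software behind it. It assumes a constructed one-dimensional toy abstraction (states are integers, labels are (p, δ) pairs with p ∈ {−1, +1} and δ ∈ {1, 2, 4}, Q_S = {2, …, 7}, I = {2, 3, 4}), that succ(q, l) is defined for every label (so L_u starts as the whole of L, as in Algorithm 2), and that states are sortable so that initial states are visited in a fixed order. cont(Q_S) is computed here by a plain greatest-fixpoint iteration, which is one standard way to do it and not a method the text itself spells out.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Hashable, Set, Tuple

State = Hashable
Label = Tuple[Hashable, int]   # (input p, duration δ); the priority ⪯ compares δ only

@dataclass(frozen=True)
class TransitionSystem:
    """Deterministic T = (Q, L, →, O, H, I); O and H are not needed for synthesis."""
    states: FrozenSet[State]
    labels: FrozenSet[Label]
    succ: Callable[[State, Label], State]   # assumed defined for every (q, l)
    initial: FrozenSet[State]

def max_labels(labels: Set[Label]) -> Set[Label]:
    """max(L') of the text: the labels of longest duration in L'."""
    longest = max(d for _, d in labels)
    return {l for l in labels if l[1] == longest}

def maximal_safety_controller(ts, safe):
    """cont(Q_S) as a greatest fixpoint over Q_S, and S* derived from it."""
    cont = set(safe)
    while True:
        keep = {q for q in cont if any(ts.succ(q, l) in cont for l in ts.labels)}
        if keep == cont:
            return cont, {q: {l for l in ts.labels if ts.succ(q, l) in cont} for q in cont}
        cont = keep

class LazySafetySynthesizer:
    """Algorithms 1 and 2; K, U and C are the text's global variables."""

    def __init__(self, ts, safe):
        self.ts, self.safe = ts, frozenset(safe)
        self.K: Set[State] = set()                       # controllable states
        self.U: Set[State] = set(ts.states) - self.safe  # uncontrollable states
        self.C: Dict[State, Set[Label]] = {}             # the controller
        self.explored = 0                                # transitions explored so far

    def synthesize(self):                                # Algorithm 1
        for q in sorted(self.ts.initial & self.safe):    # states assumed sortable
            self.explore(q, frozenset())
        return self.C

    def explore(self, q, visited):                       # Algorithm 2
        if q in self.U:
            return False
        if q in self.K:
            return True
        if q in visited:         # cycle inside Q_S through q: q is controllable
            self.K.add(q)
            return True
        unexplored = set(self.ts.labels)
        while unexplored:        # longest durations first
            found_succ = False
            for l in max_labels(unexplored):
                self.explored += 1
                if self.explore(self.ts.succ(q, l), visited | {q}):
                    self.C.setdefault(q, set()).add(l)
                    found_succ = True
            if found_succ:
                self.K.add(q)
                return True
            unexplored -= max_labels(unexplored)
        self.U.add(q)
        return False

def check_lazy_safety(synth) -> bool:
    """Dead-end freedom, invariance of Q_S, laziness and maximality (Defs. 6.13-6.16)."""
    ts, C = synth.ts, synth.C
    for q, labels in C.items():
        if q not in synth.safe or len({d for _, d in labels}) != 1:
            return False
        top = next(iter(labels))[1]
        if any(not C.get(ts.succ(q, l)) for l in labels):
            return False                 # a controlled successor is a dead end
        for l in ts.labels:
            nxt = ts.succ(q, l)
            if l[1] > top and nxt not in synth.U:
                return False             # laziness violated
            if l[1] == top and (l in labels) != (nxt in synth.K):
                return False             # maximality violated
    return True

def build_example():
    # Constructed toy abstraction: x ∈ Q = {-2, ..., 11}, inputs p ∈ {-1, +1},
    # durations δ ∈ {1, 2, 4}; a transition moves x by p·δ.
    labels = frozenset((p, d) for p in (-1, 1) for d in (1, 2, 4))
    return TransitionSystem(frozenset(range(-2, 12)), labels,
                            lambda x, l: x + l[0] * l[1], frozenset({2, 3, 4}))

SAFE = frozenset(range(2, 8))   # Q_S = {2, ..., 7}

def synthesize_example():
    synth = LazySafetySynthesizer(build_example(), SAFE)
    synth.synthesize()
    return synth
```

On this toy system the lazy controller keeps only the duration-4 labels at states 2, 3, 6 and 7, whereas at state 4 both duration-4 moves leave Q_S, so the synthesis falls back to the two duration-2 labels and keeps both of them (maximality at equal duration). State 5 belongs to cont(Q_S), and S∗(5) is non-empty, but it never appears in the lazy controller because it is not reachable in T/S; likewise S∗(4) also contains the duration-1 labels that laziness discards. The `explored` counter stays well below the |Q_S| × |L| bound of the text (12 transitions against a bound of 36). The recursion depth is bounded by |Q_S|, so for large abstractions one would replace the recursive explore by an explicit stack.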
Controller synthesis for reachability. In [66, 217] we have discussed the special cases of time-optimal and time-bounded reachability.