Compositional abstraction and safety synthesis using overlapping symbolic models
Pierre-Jean Meyer, Antoine Girard, Emmanuel Witrant

TL;DR
This paper introduces a compositional method for abstraction and safety synthesis of nonlinear systems using overlapping symbolic models, reducing complexity and conservatism compared to existing approaches.
Contribution
It develops a novel compositional safety synthesis technique leveraging overlapping symbolic subsystems for nonlinear systems.
Findings
Significant reduction in computational complexity.
Reduced conservatism compared to non-overlapping approaches.
Effective safety guarantees for complex nonlinear systems.
Abstract
In this paper, we develop a compositional approach to abstraction and safety synthesis for a general class of discrete time nonlinear systems. Our approach makes it possible to define a symbolic abstraction by composing a set of symbolic subsystems that are overlapping in the sense that they can share some common state variables. We develop compositional safety synthesis techniques using such overlapping symbolic subsystems. Comparisons, in terms of conservativeness and of computational complexity, between abstractions and controllers obtained from different system decompositions are provided. Numerical experiments show that the proposed approach for symbolic control synthesis enables a significant complexity reduction with respect to the centralized approach, while reducing the conservatism with respect to compositional approaches using non-overlapping subsystems.
Click any figure to enlarge with its caption.
Figure 1
Figure 2Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Compositional abstraction and safety synthesis
using overlapping symbolic models
Pierre-Jean Meyer, Antoine Girard, and Emmanuel Witrant P.-J. Meyer is with KTH Royal Institute of Technology, Department of Automatic Control, 10044 Stockholm, Sweden (email: [email protected]).A. Girard is with Laboratoire des signaux et systèmes (L2S), CNRS, CentraleSupélec, Université Paris-Sud, Université Paris-Saclay, 3, rue Joliot-Curie, 91192 Gif-sur-Yvette, cedex, France (email: [email protected]). His work was partially supported by the laboratory of excellence DigiCosme (CODECSYS project). E. Witrant is with Univ. Grenoble Alpes/CNRS, GIPSA-Lab, F-38000 Grenoble, France (email: [email protected]).
Abstract
In this paper, we develop a compositional approach to abstraction and safety synthesis for a general class of discrete time nonlinear systems. Our approach makes it possible to define a symbolic abstraction by composing a set of symbolic subsystems that are overlapping in the sense that they can share some common state variables. We develop compositional safety synthesis techniques using such overlapping symbolic subsystems. Comparisons, in terms of conservativeness and of computational complexity, between abstractions and controllers obtained from different system decompositions are provided. Numerical experiments show that the proposed approach for symbolic control synthesis enables a significant complexity reduction with respect to the centralized approach, while reducing the conservatism with respect to compositional approaches using non-overlapping subsystems.
I Introduction
Symbolic control deals with the use of discrete synthesis techniques for controlling complex continuous or hybrid systems [5, 26]. In such approaches, one relies on symbolic abstractions of the orignal system; i.e. dynamical systems with finitely many state and input values, each of which symbolizes sets of states and inputs of the concrete system [2]. This enables the use of discrete controller synthesis techniques, such as supervisory control [9] or algorithmic game theory [7], which allows us to address high-level specifications such as safety, reachability or more general properties specified by automata or temporal logic formula [4]. When the behaviors of the concrete system and of its abstraction are related by some formal inclusion relationship (such as alternating simulation [26] or feedback refinement relations [25]), the discrete controller of the abstraction can be refined to control the concrete system, with guarantees of correctness.
Several approaches exist for computing symbolic abstractions for a wide range of dynamical systems (see e.g. [27, 21, 31, 30, 10, 25]), based on partitions or discretizations of the state and input spaces. The numbers of symbolic states and inputs are then typically exponential in the dimension of the concrete state and input spaces, respectively. This limits the application of these approaches to low-dimensional systems. Several works have been done for improving the scalability of symbolic control. In [17, 29], an approach, which does not require state space discretization, has been presented for computing symbolic abstractions of incrementally stable systems. In [20, 13], algorithms combining discrete controller synthesis with on-the-fly computation of symbolic abstractions have been developed. Compositional approaches have also been explored in several papers [28, 24, 19, 8, 15, 11, 23, 22]. In such approaches, a system with a control specification is decomposed into subsystems with local control specifications. Then, for each subsystem, a symbolic abstraction can be computed and a local controller is synthesized while assuming that the other subsystems meet their local specifications. This approach, called assume-guarantee reasoning [14], enables the use of symbolic control techniques for higher dimensional systems.
In this paper, we develop a novel compositional approach for symbolic control synthesis for a general class of discrete time nonlinear systems. Our approach clearly differs from the previously mentioned works (and particularly from our previous work [19]) by the possibility for subsystems to share common state variables through the definition for each subsystem of locally modeled but uncontrolled variables, which are accessible to the local controller. Hence, this makes it possible for local controllers to share information on some of the states of the system. In this setting, we develop compositional approaches for computing symbolic abstractions and synthesizing controllers that maintain the state of the system in some specified safe set.
The paper is organized as follows. Section II introduces the class of systems, safety controllers and the abstraction framework considered in the paper. Section III presents a compositional approach for computing abstractions from symbolic subsystems with overlapping sets of states. Compositional controller synthesis is addressed in Section IV. Section V provides results to compare abstractions and controllers obtained from different system decompositions, and a discussion on the computational complexity of the approach. Numerical experiments are then reported in Section VI.
II Preliminaries
II-A System description
We consider a class of discrete time nonlinear control systems modeled by the difference inclusion:
[TABLE]
where , , denote the state and the control input, respectively, and the set-valued map . System (1) is discrete time; however, it encompasses sampled versions of continuous time systems, possibly subject to disturbances (see e.g. [19, 25]).
Throughout the paper, we assume, for simplicity, that for all , , . For a subset of states and inputs we denote
[TABLE]
Exact computation of may not always be possible, especially when (1) corresponds to the sampled dynamics of a continuous time system. Therefore, we will assume throughout the paper that we are able to compute, for all sets of states and of inputs , a set verifying
[TABLE]
Several methods exist for computing such over-approximations for linear [12, 16, 18] and nonlinear [6, 1, 10, 25] systems.
II-B Transition systems and safety controllers
A transition system is defined as a triple consisting of:
- •
a set of states ;
- •
a set of inputs ;
- •
a transition map .
A transition means that can evolve from state to state under input . denotes the set of enabled inputs at state : i.e. if and only if . A trajectory of is a finite or infinite sequence of transitions such that , for
In the following, we consider a safety synthesis problem for transition system : let be a subset of safe states, a safety controller for system and safe set is a map such that:
- •
for all , ;
- •
its domain ;
- •
for all and , .
Essentially, a safety controller makes it possible to generate infinite trajectories of , such that , for all as follows: , and , for all . It is known (see e.g. [26]) that there exists a maximal safety controller for system and safe sate such that for all safety controllers , for all , it holds .
II-C Feedback refinement relations
Complex transition systems motivate the use of abstractions, since finding a control strategy for an abstraction is generally simpler than for the original system. However, to derive a controller for the original system from that of the abstraction, the systems must satisfy a formal behavioral relationship such as alternating simulation [26]. In this paper, we will rely on the notion of feedback refinement relations [25], which form a special case of alternating simulation relations:
Definition 1** (Feedback refinement).**
Given two transition systems and , with , a map defines a feedback refinement relation from to if for all :
- •
;
- •
for all ,
We denote .
In the previous definition, represents a complex concrete system while is a simpler abstraction. From Definition 1, it follows that all abstract inputs of can also be used in such that all concrete transitions in are matched by an abstract transition in . As a result, controllers synthesized using the abstraction can be interfaced with the map to obtain a controller for the concrete system (see [25]). In particular, if is a safety controller for transition system and safe set , then , given by for all , is a safety controller for transition system and safe set .
III Compositional abstraction
System (1) can be described as a transition system where, , and ; let be a subset of states of interest. In this section, we present a compositional approach for computing symbolic abstractions of transition system .
In order to allow for system decomposition, we will make the following assumption on the structure of the state and input sets and :
Assumption 1**.**
The following equalities hold:
[TABLE]
States and inputs can thus be seen as vectors of elementary components: with for , and with for .
For , let be a finite partition of the set , then let be the finite partition of the safe set obtained from the partitions as follows:
[TABLE]
Similarly, for , let be a finite subset of , then let be the finite subset of given by the Cartesian product of the sets :
[TABLE]
III-A System decomposition
Let , with , let , the symbolic abstraction of is obtained by composition of symbolic subsystems , .
In the following, we use two types of indices:
- •
Latin letters , , refer to and the components of the state and input and of system .
- •
Greek letters refer to the -th symbolic subsystem, and denote the state and input of system respectively.
We will use and to denote the projections over components and , with , , respectively. For and , we denote and . Similarly, for subset of indices , , and denote the projections over the set of components and , respectively; we use the notation , , and .
For , subsystem can be described using the following sets of indices:
- •
, with , denotes the state components to be controlled in , is a partition of the state indices ;
- •
, with , denotes the state components modeled in ;
- •
, with , denotes the state components that are modeled but not controlled in ;
- •
, with , denotes the remaining state components that are unmodeled in ;
- •
, with , denotes the control input components modeled in , is a partition of the control input indices ;
- •
with , denotes the remaining control input components that are unmodeled in .
It is important to note that the subsystems may share common modeled state components (i.e. the sets of indices may overlap), though the sets of controlled state components and modeled control input components are necessarily disjoints. Intuitively, will be used to control state components using input components ; other state components will be controlled in other subsystems using input components . Though state components will be controlled in other subsystems, they are modeled in and thus information on their dynamics is available for the control of .
Let us remark that the sets of indices and may possibly be empty if and , respectively. If , there is only one subsystem and we encompass the usual centralized abstraction approach (see e.g. [26, 31, 10, 25]).
Remark 1**.**
In theory, the choice of the sets of indices can be made arbitrarily. However, if the considered system has some structure, i.e. if it consists of interconnected components, a natural decomposition is to associate to each component one subsystem where: the controlled states and the modeled control input are the states and control inputs of and the modeled but uncontrolled states are the states of other components that have the strongest interactions with .
III-B Symbolic subsystems
Let , the symbolic subsystem is an abstraction of , which models only state and input components and respectively. Formally, subsystem is defined as a transition system where:
- •
the set of states is a finite partition of , given by where and
[TABLE]
is a finite partition of ;
- •
the set of inputs is a finite subset of given by
[TABLE]
To define the transition relation of , let us first define the following map: given and , we define the set as follows:
[TABLE]
The set is therefore an over-approximation of successors of states with , for control inputs with . Then, we define the transition relation of as follows:
- •
for all ,
[TABLE]
- •
for all ,
[TABLE]
Remark 2**.**
The first condition in (5) holds if and only if there does not exist any transition defined by (4), because is a partition of . As a consequence, it follows that for all , and thus .
Remark 3**.**
According to (5), a transition to exists if is entirely outside (first condition and Figure 1.a); or if is not contained in (second condition and Figure 1.b). It should be noted that in the case where the reachable set is contained in but is not contained in as in Figure 1.c, no transition is created towards . Finally, if , (5) becomes equivalent to
[TABLE]
which is the condition used in [19], for compositional abstractions where the set of modeled state components do not overlap (i.e. , for all ).
III-C Composition
In this section, we show how the previous subsystems , with , can be composed in order to define a symbolic abstraction of the original system . The main result of the section is Theorem 3, which shows that there exists a feedback refinement relation from to .
The composition of the subsystems , , is given by the transition system where:
- •
the set of states is a finite partition of , given by where and is a finite partition of ;
- •
the set of inputs is a finite subset of .
Let us remark that by definition of and , we have that for all , its projection . Similarly, for all , its projection . The transition relation of can therefore be defined as follows:
- •
for all ,
[TABLE]
- •
for all ,
[TABLE]
Remark 4**.**
Because the sets of modeled state components are allowed to overlap, the transition relation of cannot simply be obtained as the Cartesian product of the transition relations of the subsystems , as in [19]. Indeed, for , it is possible that for all , there exists , such that . However, a transition to will exist in if and only if there exists such that , for all .
In view of the previous remark, it is legitimate to ask if the composition of the subsystems can lead to couples of states and inputs without a successor. The following proposition shows that this is not the case:
Proposition 2**.**
Under Assumption 1, for all we have , i.e. , for all .
Proof.
Let and . Then for all , , and by construction, (see Remark 2). If there exists a subsystem such that , then by definition of we have . Otherwise, we have that for all , which from the second condition of (5) implies that
[TABLE]
Remarking that and , the following inclusion follows from (2) and (3):
[TABLE]
Therefore, from (8) and (9) it follows
[TABLE]
This, together with Assumption 1 and the fact that is a partition of , implies that . Since is a partition of , there exists such that . Then, (9) gives , for all . Thus, for all , . It follows from (4) that for all , which gives, by (6), . ∎
We can now state the main result of the section:
Theorem 3**.**
Let the map be given by if and only if . Then, under Assumption 1, defines a feedback refinement relation from to : .
Proof.
Let , , , and . Since , we have . Then, let us consider the two possible cases:
- •
– We have by (9), , for all . Since , then , it follows from that , for all . Then, for all , and . From (4), , for all and by (6) we have .
- •
– Then, . Then, from Assumption 1 and the fact that is a partition of , it follows that there exists such that . From (9), we have . Then, from (5), , and from (7), . Since , .
The case trivially satisfies Definition 1 since by definition of . ∎
Note that the composed abstraction is only created in this section to prove the feedback refinement relationship but one should avoid computing it in practice since it would defeat the purpose of the compositional approach. We end the section by stating an instrumental result, which will be used in Section V when comparing abstractions obtained from different system decompositions.
Lemma 4**.**
Under Assumption 1, for all and , if and only if there exists such that .
Proof.
Sufficiency is straightforward from (5) and (7). As for necessity, if , then there exists a subsystem such that . From (5), either (in which case the property holds), or and . Then, by Assumption 1 and since , it follows that . Then, by (9), . Thus, it follows that . From Assumption 1, there exists , such that . Then, let such that , then . By (9), it follows that and the property holds. ∎
IV Compositional safety synthesis
In this section, we consider the problem of synthesizing a safety controller for transition system and safe set . Because of the feedback refinement relation from to , this can be done by solving the safety synthesis problem for transition system and safe set . We propose a compositional approach, which works on the symbolic subsystems and does not require computing the composed abstraction .
For , let be the maximal safety controller for transition system and safe set . Since has only finitely many states and inputs, can be computed in finite time using a fixed point algorithm [26]. Now, let the controller be defined by and
[TABLE]
Theorem 5**.**
Under Assumption 1, is a safety controller for transition system and safe set .
Proof.
From Proposition 2 and since , it is clear that for all , we have . also gives . Then, let , and . If , then and from (7), there exists , such that , which contradicts the fact that with safety controller for transition system and safe set . Hence, we necessarily have , and from (6), it follows that , for all . Moreover, gives that . Then for all , let . Since is a partition of , there exists such that for all . Then, by (10), and thus . It follows that is a safety controller for transition system and safe set . ∎
Remark 5**.**
Since the sets of modeled state components may overlap, it is in principle possible that while , for all . The reason is that an element of is obtained from states in , which coincide on their common modeled states, as shown in (10).
IV-A Particular case: non-overlapping state sets
Though is a maximal safety controller for all , the safety controller is generally not maximal. Maximality can be obtained when the set of modeled states , do not overlap (or equivalently when for all , ). In that case, the following result holds:
Proposition 6**.**
Under Assumption 1, let , for all . Then, is the maximal safety controller for transition system and safe set .
Proof.
Let be a safety controller for transition system and safe set . For , let the controllers be defined by and for all ,
[TABLE]
Let us show that is a safety controller for system and safe set . Following Remark 2, and since , it is clear that for all , we have . also gives . Then, let , and , let us prove that . By (11), there exists and such that and . Since is a safety controller, . Moreover, since the sets are not overlapping, it follows from (6) that there exists such that . Then, and (11) give that . Hence is a safety controller for system and safe set . Then, by maximality of , it follows that for all , . Finally, let and , then by (11), for all . By (10), , which shows the maximality of . ∎
V Comparisons
In this section, we provide theoretical comparisons between abstractions and controllers given by the previous approach using two different system decompositions.
In addition to the set of state and input indices defined in Section III-A, let us consider partitions and of the state and input indices and subsets of state indices with , for all . We define the same objects as before (i.e. subsystems, abstraction, controllers, etc.) for this system decomposition and denote them with hatted notations. We make the following assumption on the two system decompositions under consideration.
Assumption 2**.**
There exists a surjective map such that, for all and ,
[TABLE]
From the previous assumption, and since and are partitions of the state and input indices, we have that
[TABLE]
In addition, we will make the following mild assumption on the over-approximations of the reachable sets:
Assumption 3**.**
For all , , the following inclusion holds
[TABLE]
This assumption can be shown to be satisfied by most existing techniques for over-approximating the reachable set, and in particular by those mentioned in Section II-A. In addition, under Assumptions 2 and 3, it follows from (3), that for all and ,
[TABLE]
V-A Abstractions
We start by comparing the compositional abstractions and resulting from the two different decompositions:
Theorem 7**.**
Under Assumptions 1, 2 and 3, the identity map is a feedback refinement relation from to : .
Proof.
Let us first remark that , and . Then, from Proposition 2, for all , . Since , Definition 1 holds if , for all , .
Hence, let , and , then let us consider the two possible cases:
- •
[TABLE]
Then, from (13), follows that
[TABLE]
By Assumption 2, , for all and . Thus it follows that
[TABLE]
Then, from (4) and (6), we have .
- •
– From Lemma 4, we know that there exists , such that . Then, from Assumption 1, there exists such that . From (12), there exists , such that and . From (13), it follows that and . Then, from (5) and (7), we have .
∎
Note that the conditions in the previous Theorem are only sufficient conditions, since depending on the dynamics of the system, a feedback refinement relation could also exist between two unrelated decompositions (in terms of index set inclusion).
Remark 6**.**
Theorem 7 gives an indication on how one should modify the sets of indices to reduce the conservatism of the compositional symbolic abstraction. Firstly, one can keep the same number of subsystems and the same controlled states and modeled control input , while considering additional modeled but uncontrolled states in . Secondly, one can merge two or more subsystems by merging their controlled states, modeled control inputs and modeled but uncontrolled states.
V-B Controllers
We now compare the controllers obtained by the approach described in Section IV. The comparison of controllers is more delicate than the comparison of abstractions and we shall need the additional assumption that the sets of indices do not overlap (note that the sets may still overlap).
Corollary 8**.**
Under Assumptions 1, 2 and 3, let , for all . Then, for all , .
Proof.
From Theorem 5, is a safety controller for system and safe set . From Theorem 7, it follows that is also a safety controller for system and safe set . Then, by Proposition 6, the maximality of gives us for all , . ∎
Let us remark that the assumption that the sets of indices do not overlap is instrumental in the proof since it uses Proposition 6. The question whether similar results hold in the absence of such assumption is an open question, which is left as future research.
V-C Complexity
In this section, we discuss the computational complexity of the approach and show the advantage of using a compositional approach rather than a centralized one. Let denote the cardinality of a set.
The computation of symbolic subsystem requires a number of reachable set approximations equal to , each creating up to successors. This results in an overall time and space complexity of computing all symbolic subsystems , :
[TABLE]
The computation of the safety controller by a fixed point algorithm requires a number of iteration which is bounded by the number of states in the safe set : . The complexity order of computing an iteration can be bounded by the number of transitions in . This results in an overall time and space complexity of computing all safety controllers , :
[TABLE]
To illustrate the advantage of using a compositional approach, let us consider two extremal cases in the particular case where the number of state and input component are equal . The centralized case corresponds to , with . In that case the complexity of the overall approach is of order \mathcal{O}\Big{(}\prod_{i\in I}|\mathcal{P}_{i}|^{3}\times|\mathcal{V}_{i}|\Big{)}. The fully decentralized case corresponds to , with for all . In that case the complexity of the overall approach is of order \mathcal{O}\Big{(}\sum_{i\in I}|\mathcal{P}_{i}|^{3}\times|\mathcal{V}_{i}|\Big{)}. Hence, one can see that while the complexity of the centralized approach is exponential in the number of state and input components , it becomes linear with the fully decentralized approach. Intermediate decompositions enable to balance the computational complexity and the conservativeness of the approach, in view of the discussions in Sections V-A and V-B.
VI Numerical illustration
In this section, we illustrate the results of this paper on the temperature regulation in a circular building of rooms, each equipped with a heater. For each room , the variations of the temperature are described by the discrete-time model adapted from [22]:
[TABLE]
where and are the temperature of the neighbor rooms (with and ), is the outside temperature, is the heater temperature, is the control input for room and the conduction factors are given by , and . This model can be proved to be monotone as defined in [3], which allows us to use efficient algorithms for over-approximating the reachable sets [19, 10]. Moreover, the over-approximation scheme satisfies Assumption 3.
The safe set is given by a -dimensional interval (specified later) which is uniformly partitioned into intervals per component (for a total of symbols in ) and the control set is uniformly discretized into values per component (for a total of values in ). We consider possible system decompositions, which provides us with different abstractions:
- •
, the centralized case (i.e. ), with a single subsystem containing all states and controls, with ;
- •
, a general case from Section III with subsystems, and for all ;
- •
, a case with subsystems and non-overlapping state sets as in Section IV-A, with for all .
Both and have one subsystem per room, but subsystems of only focus on the state and control of the considered room, while subsystems of also model (but do not control) the temperatures of both neighbor rooms.
Since Assumption 2 holds for both pairs and , Theorem 7 immediately gives the feedback refinements . Corollary 8 also holds for the pair since , but it is not guaranteed to hold for the pair since . In the following, we report numerical results in two different conditions. The numerical implementation has been done using Matlab on a laptop with a GHz CPU and GB of RAM.
Case 1: , .
The abstractions and syntheses are generated in the cases corresponding to state partitions with and input discretizations with . Table I reports the cardinalities of the state partition , and of the domain of the safety controllers for each abstraction , and . Table II reports the computation times (in seconds) required to create the abstractions and synthesize safety controllers on all subsystems of , and .
We check numerically that Theorem 7 and Corollary 8 hold. In particular, in these conditions, the safety inclusion for all trivially holds due to , although Corollary 8 could not provide theoretical guarantees in this case.
Two main conclusions on the proposed compositional approach can be obtained from Tables I and II. Firstly, while the compositional case without state overlap (as in , Section IV-A and [19]) fails to synthesize safety controllers, the general case allowing state overlaps (as in and Section III) provides significantly better safety results for a relatively small addition to the computation time. Secondly, the compositional approach with state overlaps requires a negligible computation time compared to the large computational cost of the centralized approach (e.g. in the last row of Table II, we need less than seconds for and more than hours for ), while still obtaining similar safety results as long as the state partition is not too coarse.
In addition to having more information in each subsystem of compared to those in the non-overlapping case , the better safety results in can also be explained by the shapes that can be taken by the domain of the safety controllers with each approach. On the one hand, the safety domain in the non-overlapping case can only take the form of a hyper-rectangle in since it is obtained by the Cartesian product of the one-dimensional safety domains of its subsystems. On the other hand, the general case with state overlaps is more permissive since its subsystems have a three-dimensional state space, thus allowing more complicated shapes of their safety domains as displayed in Figure 2 for subsystem . thus has more chances finding a safety domain compatible with the considered system dynamics and control objective.
Case 2: , , , .
A second example is proposed to demonstrate the scalability of the compositional approach in a -room building. Note that the safe set is only chosen homogeneous in all rooms for convenience of notation, and the proposed approach is still applicable for other safe sets. Since this case is clearly out of reach from the centralized approach of , we focus on the compositional abstractions and with and without state overlaps, respectively.
For the non-overlapping case of , the total computation time is second and the resulting safety controller is empty (). For the case with state overlaps of , the total computation time is seconds and the resulting safety controller covers the whole safe set (). Therefore, in addition to the scalability of both these compositional approaches, this simulation also confirms the conclusions of the previous example that the method with state overlaps provides significantly better safety results at a reduced computational cost. We also obtain similarly low computation times while not having to rely on the homogeneity of the specifications as it is the case in [22].
VII Conclusion
In this paper, we presented a new compositional approach for symbolic controller synthesis. The dynamics are decomposed into subsystems that give a partial description of the global model. It is remarkable that the sets of states of subsystems can overlap. Symbolic abstractions can be computed for each subsystem, and a local safety controller can be synthesized such that the composition of the obtained controllers is proved to realize the global safety specification. Numerical experiments demonstrate the significant complexity reduction compared to centralized approaches and the advantages obtained from the introduction of state overlaps in the subsystems.
Future work will focus on extending the approach to other types of specifications such as reachability or more general properties specified by automata or temporal logic formula.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] M. Althoff and B. H. Krogh. Reachability analysis of nonlinear differential-algebraic systems. IEEE Transactions on Automatic Control , 59(2):371–383, 2014.
- 2[2] R. Alur, T. A. Henzinger, G. Lafferriere, and G. J. Pappas. Discrete abstractions of hybrid systems. Proceedings of the IEEE , 88(7):971–984, 2000.
- 3[3] D. Angeli and E. D. Sontag. Monotone control systems. IEEE Transactions on Automatic Control , 48(10):1684–1698, 2003.
- 4[4] C. Baier, J.-P. Katoen, and K. G. Larsen. Principles of model checking . MIT press, 2008.
- 5[5] C. Belta, A. Bicchi, M. Egerstedt, E. Frazzoli, E. Klavins, and G. J. Pappas. Symbolic planning and control of robot motion [grand challenges of robotics]. IEEE Robotics & Automation Magazine , 14(1):61–70, 2007.
- 6[6] M. A. Ben Sassi, R. Testylier, T. Dang, and A. Girard. Reachability analysis of polynomial systems using linear programming relaxations. In Automated Technology for Verification and Analysis , pages 137–151. 2012.
- 7[7] R. Bloem, B. Jobstmann, N. Piterman, A. Pnueli, and Y. Sa’ar. Synthesis of reactive (1) designs. Journal of Computer and System Sciences , 78(3):911–938, 2012.
- 8[8] D. Boskos and D. V. Dimarogonas. Decentralized abstractions for feedback interconnected multi-agent systems. In IEEE Conference on Decision and Control , pages 282–287, 2015.
