We present a method to design controllers for safety specifications in hybrid systems. The hybrid system combines discrete event dynamics with nonlinear continuous dynamics: the discrete event dynamics model linguistic and qualitative information and naturally accommodate mode switching logic, and the continuous dynamics model the physical processes themselves, such as the continuous response of an aircraft to the forces of aileron and throttle. Input variables model both continuous and discrete control and disturbance parameters. We translate safety specifications into restrictions on the system’s reachable sets of states. Then, using analysis based on optimal control and game theory for automata and continuous dynamical systems, we derive Hamilton–Jacobi equations whose solutions describe the boundaries of reachable sets. These equations are the heart of our general controller synthesis technique for hybrid systems, in which we calculate feedback control laws for

. Motivated by an example from aircraft conflict resolution we seek a methodology for synthesizing controllers for nonlinear hybrid automata. We first show how game theoretic methodologies developed for this purpose for finite automata and continuous systems can be cast in a unified framework. We then present a conceptual algorithm for extending them to the hybrid setting. We conclude with a discussion of computational issues. 1 Introduction In the first part of this paper we show that verification of the safety of continuous nonlinear systems using the Hamilton-Jacobi equation may be considered as the continuous analog of infinite games on finite automata. In the second part we present a conceptual algorithm for calculating maximal controlled invariant sets for nonlinear hybrid systems and we present a motivating example: we describe an iteration process to calculate the maximal set of safe initial conditions for a two-aircraft maneuver. We conclude with a brief discussion of computa...

Abstract. We consider the problem of synthesizing digital designs from their LTL specification. In spite of the theoretical double exponential lower bound for the general case, we show that for many expressive specifications of hardware designs the problem can be solved in time N 3, where N is the size of the state space of the design. We describe the context of the problem, as part of the Prosyd European Project which aims to provide a property-based development flow for hardware designs. Within this project, synthesis plays an important role, first in order to check whether a given specification is realizable, and then for synthesizing part of the developed system. The class of LTL formulas considered is that of Generalized Reactivity(1) (generalized Streett(1)) formulas, i.e., formulas of the form: ( p1 ∧ · · · ∧ pm) → ( q1 ∧ · · · ∧ qn) where each pi, qi is a boolean combination of atomic propositions. We also consider the more general case in which each pi, qi is an arbitrary past LTL formula over atomic propositions. For this class of formulas, we present an N 3-time algorithm which checks whether such a formula is realizable, i.e., there exists a circuit which satisfies the formula under any set of inputs provided by the environment. In the case that the specification is realizable, the algorithm proceeds to construct an automaton which represents one of the possible implementing circuits. The automaton is computed and presented symbolically. 1

We introduce a new notion of decentralized observability for discrete-event systems, which we call joint observability. We prove that checking joint observability of a regular language w.r.t. one observer is decidable, whereas for two (or more) observers the problem becomes undecidable. Based on this result, we show that a related decentralized control problem is also undecidable. We finally provide an extensive study relating our work to existing work in the literature.

Mosel is a new tool-set for the analysis and verification in Monadic Second-order Logic. In this paper we concentrate on the system's design: Mosel is a tool-set to include a flexible set of decision procedures for several theories of the logic complemented byavariety of support components for input format translations, visualization, and interfaces to other logics and tools. The main distinguishing features of Mosel are its layered approach to the logic, based on a formal semantics for a minimal subset, its modular design, and its integration in a heterogeneous analysis and verification environment.

Knowing that a program has a bug is good, knowing its location is better, but a fix is best. We present a method to automatically locate and correct faults in a finite state system, either at the gate level or at the source level. We assume that the specification is given in Linear Temporal Logic, and state the correction problem as a game, in which the protagonist selects a faulty component and suggests alternative behavior. The basic approach is complete but as complex as synthesis. It also suffers from problems of readability: the correction may add state and logic to the system. We present two heuristics. The first avoids the doubly exponential blowup associated with synthesis by using nondeterministic automata. The second heuristic finds a memoryless strategy, which we show is an NP-complete problem. A memoryless strategy corresponds to a simple, local correction that does not add any state. The drawback of the two heuristics is that they are not complete unless the specification is an invariant. Our approach is general: the user can define what constitutes a component, and the suggested correction can be an arbitrary combinational function of the current state and the inputs. We show experimental results supporting the applicability of our approach.

We study the problem of synthesizing controllers for discrete event systems in a branching time framework. We use a class of labelled transition systems to model both plants and specifications. We use first simulations and later bisimulations to capture the role of a controller; the controlled behaviour of the plant should be related via a simulation (bisimulation) to the specification. For both simulations and bisimulations we show that the problem of checking if a pair of nite transition systems – one modelling the plant and the other the specification – admits a controller is decidable in polynomial time. We also show that the size of the controller, if one exists, can be bounded by a polynomial in the sizes of the plant and the specification and can be effectively constructed in polynomial time. Finally, we prove that in the case of simulations, the problem of checking for the existence of a controller is undecidable in a natural concurrent setting.

. We study the problem of synthesising controllers for discrete event systems. Traditionally this problem is tackled in a linear time setting. Moreover, the desired subset of the computations of the uncontrolled system (often called a plant) is specified by automata theoretic means. Here we formulate the problem in a branching time framework. We use a class of labelled transition systems to model both the plant and the specification. We deploy behaviour preserving morphisms to capture the role of a controller; the controlled behaviour of the plant should be related via a behaviour preserving morphism to the specification at the level of unfoldings. One must go over to unfoldings in order to let the controller use memory of the past to carry out its function. We show that the problem of checking if a pair of finite transition systems -- one modelling the plant and the other the specification -- admits a controller is decidable in polynomial time. We also show the size of the finite cont...

Hybrid system theory lies at the intersection of the fields of engineering control theory and computer science verification. It is defined as the modeling, analysis, and control of systems which involve the interaction of both discrete state systems, represented by finite automata, and continuous state dynamics, represented by differential equations. The embedded autopilot of a modern commercial jet is a prime example of a hybrid system: the autopilot modes correspond to the application of different control laws, and the logic of mode switching is determined by the continuous state dynamics of the aircraft, as well as through interaction with the pilot. Embedded

A problem of great interest in the control of hybrid systems is the design of least restrictive controllers for reachability specifications.