
In this chapter, we addressed the problem of synthesizing robust control strategies for continuous two-player games using the CEGIS framework. We studied the shortcomings of the existing practical implementations of the CEGIS algorithm, and introduced two algorithms based on SMT which overcome these. Finally, we concluded the chapter with theoretical analysis and empirical results which show the scalability of our framework.

Chapter 4
Specification Synthesis for Controller Synthesis

4.1 Introduction

In Chapter 3 we studied how we can instantiate the CEGIS framework to synthesize robust control strategies that satisfy high-level safety specifications. A key challenge that arises during the design of safety-critical robotic systems is quantifying or defining what one means by safety. Often a designer starts with a specification built from prior knowledge, and then refines it during subsequent cycles of the design process.

Techniques for automatic synthesis of controllers for safety-critical robotic systems from high-level specification languages promise to raise the level of abstraction for the designer while ensuring correctness of the resulting controller. In particular, several controller synthesis methods have been proposed for expressive temporal logics and a variety of system dynamics. However, a major challenge to the adoption of these methods in practice is the difficulty of writing or specifying the requisite formal specifications. Specifications that are poorly stated, incomplete, or inconsistent can produce synthesis problems that are unrealizable (no controller exists for the provided specification), intractable (synthesis is computationally too hard), or lead to solutions that fail to capture the designer’s intent. In this chapter, we present an algorithmic approach to reduce the specification burden for controller synthesis from temporal logic specifications, focusing on the case where the original specification is unrealizable.

4.1.1 Diagnosis and Repair for Synthesis from Temporal Logic

Logical specifications can be provided in multiple ways. One approach is to provide monolithic specifications, combining within a single formula constraints on the environment with desired properties of the system under control. In many cases, a system specification can be conveniently provided as a contract, to distinguish the responsibilities of the system under control (guarantees) from the assumptions on the external, possibly adversarial environ-

tion is unrealizable, it could be either because the environment assumptions are too weak, or the requirements are too strong, or a combination of both. Finding the “problem” with the specification manually can be a tedious and time-consuming process, nullifying the benefits of automatic synthesis. Further, in the reactive setting, when the environment is adversarial, finding the right assumptions a priori can be difficult. Thus, given an unrealizable logical specification, there is a need for tools that localize the cause of unrealizability to (hopefully small) parts of the formula, and provide suggestions for repairing the formula in an “optimal” manner.

The problem of diagnosing and repairing formal requirements has received its share of attention in the formal methods community. The authors in [53] perform diagnosis on faulty executions of systems with specifications expressed in Linear Temporal Logic (LTL) and Metric Temporal Logic (MTL). They identify the cause of unsatisfiability of these properties in the form of prime implicants, which are conjunctions of literals, and map the failure of a specification to the failure of these prime implicants. Similar syntax-tree based definitions of unsatisfiable cores for LTL were presented in [133]. In the context of synthesis from LTL specifications, [126] addresses the problem of categorizing the causes of unrealizability, and how to detect them in high-level robot control specifications. The use of counter-strategies to debug unrealizable cores in a set of specifications or derive new environment assumptions for synthesis has also been explored [97, 89, 4, 98]. When an LTL specification is unrealizable, controller synthesis reduces to finding the path through an automaton composed of the system and the specification that maximizes some reward function ([152, 93]). For automata, repair reduces to finding the specification automaton closest to the original automaton ([86], [122]). However, these approaches suffer from computational blow-up as the number of states increases. In [24] the authors use a sampling-based technique to find a discrete-state approximation of a continuous system and define LTL properties of the system. They allow for controller synthesis in non-adversarial environments by maximizing a reward function. We provide corrections instead of finding the next best control in an adversarial environment.

In [88] and [81] the authors learn STL specifications from data collected from black-box systems, choosing the specification that best describes the system. We consider white-box systems where the dynamics are well known, and provide corrections for controller synthesis.

Our approach, based on exploiting information already available from off-the-shelf optimization solvers, is similar to the one adopted in [117] to extract unsatisfiable cores for Satisfiability Modulo Theories (SMT) solving.

In this chapter, we address the problem of diagnosing and repairing specifications formalized in Signal Temporal Logic (STL) [104], a specification language that is well-suited for hybrid systems. Our work is conducted in the setting of automated synthesis from STL using optimization methods in a Model Predictive Control (MPC) framework [127, 128]. In this approach to synthesis, both the system dynamics and the STL requirements are encoded as mixed integer constraints on variables modeling the dynamics of the system and its environment. Controller synthesis is then formulated as an optimization problem to be solved subject to these constraints [127]. In the reactive setting, this approach proceeds by iteratively solving a combination of optimization problems using a Counterexample-Guided Inductive Synthesis (CEGIS) scheme [128]. In this context, an unrealizable STL specification leads to an infeasible optimization problem. We leverage the ability of existing Mixed Integer Linear Programming (MILP) solvers to localize the cause of infeasibility to so-called Irreducibly Inconsistent Systems (IIS). Our algorithms use the IIS to localize the cause of unrealizability to the relevant parts of the STL specification. Additionally, we give a method for generating a minimal set of repairs to the STL specification such that, after applying those repairs, the resulting specification is realizable. The set of repairs is drawn from a suitably defined space that ensures that we rule out vacuous and other unreasonable adjustments to the specification. Specifically, in this paper, we focus on the numerical parameters in a formula, since their specification is often the most tedious and error-prone part. Our algorithms are sound and complete, i.e., they provide a correct diagnosis, and always terminate with a reasonable specification that is realizable using the chosen synthesis method, when such a repair exists in the space of possible repairs.

The problem of infeasibility in constrained predictive control schemes has also been widely addressed in the literature, e.g., by adopting robust MPC approaches, soft constraints, and penalty functions [85, 134, 15]. Rather than tackling general infeasibility issues in MPC, our focus is on providing tools to help debug the controller specification at design time. However, the deployment of robust or soft-constrained MPC approaches can also benefit from our techniques. Our use of MILP does not restrict our method to linear dynamical systems; indeed, we can handle constrained linear and piecewise affine systems, Mixed Logical Dynamical (MLD) systems [14], and certain differentially flat systems. The results in this chapter are adapted from [64].

4.2 Preliminaries

We consider discrete time hybrid dynamical systems defined by (2.2) in Section 2.2. Refer to Section 2.2 for the definition of system trajectories ξS(t; x0, u, e). In this chapter, the safety specification is expressed in STL, as defined in Section 2.4.1.

4.2.1 Model Predictive Control

We have already covered Model Predictive Control (MPC) and Receding Horizon Control (RHC) in Section 3.2.1. In this chapter, we use STL to express temporal constraints on the environment and system runs for MPC. We then translate an STL specification into a set of mixed integer linear constraints, as further detailed below [127, 128]. Given an STL formula ϕ to be satisfied over a finite horizon H, the associated optimization problem has the form

$$\max_{u} \ \rho^{\varphi}(\xi_S(\cdot; x_0, u)) \quad \text{subject to} \quad \rho^{\varphi}(\xi_S(\cdot; x_0, u)) > 0 \qquad (4.1)$$

which extracts a finite horizon control strategy u that maximizes the satisfaction of the specification ϕ, ρϕ(ξS(·; x0, u)), over the finite-horizon trajectory ξS(·; x0, u), while satisfying the STL formula ϕ at time step 0. In a closed-loop setting, we compute a fresh u at every time step i ∈ N, replacing x0 with xi in (4.1) [127, 128].

While (4.1) applies to systems without disturbance inputs, a more general formulation can be provided to account for an uncontrolled disturbance input e that can act, in general, adversarially. To provide this formulation, we assume that the specification is given in the form of an STL assume-guarantee (A/G) contract [118, 116] C = (V, ϕe, ϕ ≡ ϕe → ϕs), where V is the set of variables, ϕe captures the assumptions (admitted behaviors) over the (uncontrolled) environment inputs e, and ϕs describes the guarantees (promised behaviors) over all the system variables. A game-theoretic formulation of the controller synthesis problem [128] can then be represented as a minimax optimization problem:

$$\max_{u} \ \min_{e \in E_e} \ \rho^{\varphi}(\xi_S(\cdot; x_0, u)) \quad \text{subject to} \quad \forall e \in E_e \;\; \rho^{\varphi}(\xi_S(\cdot; x_0, u)) > 0, \qquad (4.2)$$

where we aim to find a strategy u that maximizes the worst-case satisfaction of ρϕ(ξS(·; x0, u)) over the finite horizon trajectory, under the assumption that the disturbance signal e acts adversarially. We use Ee in (4.2) to denote the set of disturbances that satisfy the environment specification ϕe, i.e., Ee = {e ∈ E | e ⊨ ϕe} ⊆ E.

4.2.2 Mixed Integer Linear Program Formulation

To solve the control problems in (4.1) and (4.2), the STL formula ϕ can be translated into a set of mixed integer constraints, thus reducing the optimization problem to a Mixed Integer Program (MIP), as long as the system dynamics can also be translated into mixed integer constraints. Specifically, in this paper, we consider control problems that can be encoded as Mixed Integer Linear Programs (MILP). These problems encompass, for instance, Mixed Logical Dynamic (MLD) systems [14] with STL specifications that only include piecewise linear or affine predicates.

The MILP constraints are constructed recursively on the structure of the STL specification as in [127, 128], and express the robust satisfaction value of the specification. A first set of variables and constraints capture the robust satisfaction of the atomic predicates of the formula. To generate the remaining constraints, we traverse the parse tree of ϕ from the leaves (associated with the atomic predicates) to the root node (corresponding to the robustness satisfaction value of the overall formula ρϕ), adding variables and constraints that

Figure 4.1. Vehicles crossing an intersection. The red car is the ego vehicle, while the black car is part of the environment.

Recall from Section 2.4.1 that the robustness value of subformulae with temporal and Boolean operators is expressed as the min or max of the robustness values of the operands over time. We discuss here the encoding of the min operator as an example. To encode p = min(ρϕ1, . . . , ρϕn), we introduce Boolean variables zϕi for i ∈ {1, . . . , n} and the MILP constraints

$$p \le \rho^{\varphi_i}, \qquad \sum_{i=1}^{n} z^{\varphi_i} \ge 1, \qquad \rho^{\varphi_i} - (1 - z^{\varphi_i})\,M \le p \le \rho^{\varphi_i} + (1 - z^{\varphi_i})\,M,$$

for all i ∈ {1, . . . , n}, where M is a sufficiently large constant (big-M).
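As an added example (not code from the chapter or its authors), the following Python checks the big-M encoding of p = min(ρϕ1, ..., ρϕn) by brute force over the Boolean variables instead of calling a MILP solver, using the robustness of a constructed trace against G_[a,b](x > 0) as the operands. It also shows the caveat a practitioner needs before trusting an IIS: if M is smaller than max(ρ) − min(ρ), the encoding itself becomes infeasible, which a diagnosis step would wrongly attribute to the specification. All function and variable names are my own.

```python
from itertools import product

def always_robustness(trace, a, b):
    """Robustness of G_[a,b](x > 0) at time 0 over a discrete-time trace:
    the min over the window [a, b] of the predicate robustness, which for
    x > 0 is simply x(t')."""
    return min(trace[a:b + 1])

def satisfies_min_encoding(rhos, p, z, M):
    """True iff (p, z) satisfies the MILP encoding of p = min(rho_1..rho_n):
    p <= rho_i, sum_i z_i >= 1, rho_i - (1 - z_i) M <= p <= rho_i + (1 - z_i) M."""
    if any(p > r for r in rhos) or sum(z) < 1:
        return False
    return all(r - (1 - zi) * M <= p <= r + (1 - zi) * M
               for r, zi in zip(rhos, z))

def feasible_p_values(rhos, M, candidates):
    """Enumerate every Boolean assignment z (brute force, no solver) and
    return the set of candidate p values admitted by the encoding."""
    return {p for z in product((0, 1), repeat=len(rhos)) for p in candidates
            if satisfies_min_encoding(rhos, p, z, M)}

def required_big_M(rhos):
    """Smallest M for which the encoding admits exactly p = min(rhos):
    the selected row (z_i = 1) forces p >= rho_i, so every unselected row
    needs rho_j - M <= min(rhos), i.e. M >= max(rhos) - min(rhos)."""
    return max(rhos) - min(rhos)

if __name__ == "__main__":
    # Constructed sample trace of x(t); G_[1,3](x > 0) has robustness -1.
    trace = [5, 3, -1, 2, 4]
    rhos = trace[1:4]             # operands of the min: [3, -1, 2]
    candidates = range(-6, 7)     # integer p values to test
    print(always_robustness(trace, 1, 3))            # -1
    print(feasible_p_values(rhos, 100, candidates))  # {-1}: encoding is exact
    print(feasible_p_values(rhos, 3, candidates))    # set(): M too small
    print(required_big_M(rhos))                      # 4
```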
