SYMBOLIC ABSTRACTIONS OF NETWORKED CONTROL SYSTEMS
arXiv:1401.6396v3 [math.OC] 16 Mar 2016
MAJID ZAMANI, MANUEL MAZO JR, AND ALESSANDRO ABATE
Abstract. The last decade has witnessed significant attention on networked control systems (NCS) due to their ubiquitous presence in industrial applications, and, in the particular case of wireless NCS, because of their architectural flexibility and low installation and maintenance costs. In wireless NCS the communication between sensors, controllers, and actuators is supported by a communication channel that is likely to introduce variable communication delays, packet losses, limited bandwidth, and other practical non-idealities leading to numerous technical challenges. Although stability properties of NCS have been investigated extensively, in the literature results for NCS under more complex and general objectives, and in particular results dealing with verification or controller synthesis for logical specifications, are much more limited. This work investigates how to address such complex objectives by constructively deriving symbolic models of NCS, while encompassing the mentioned network non-idealities. The obtained abstracted (symbolic) models can then be employed to synthesize hybrid controllers enforcing rich logical specifications over the concrete NCS models. Examples of such general specifications include properties expressed as formulae in linear temporal logic (LTL) or as automata on infinite strings. We thus provide a general synthesis framework that can be flexibly adapted to a number of NCS setups.
1. Introduction

Over the last decade the analysis and synthesis of networked control systems (NCS) have received significant attention. NCS are ubiquitous in most industrial applications due to their many advantages over traditional control systems, such as increased architectural flexibility and reduced installation and maintenance costs, particularly for wireless NCS. The numerous non-idealities of the network in an NCS introduce new challenges for the analysis of the behavior (such as the stability) of the plant, and for the synthesis of new control schemes. The various non-idealities of the network can be broadly categorized as follows: (i) quantization errors; (ii) packet dropouts; (iii) time-varying sampling/transmission intervals; (iv) time-varying communication delays; and (v) communication constraints (e.g. scheduling protocols). The limited bandwidth of the network does not require a separate classification as it is captured by a combination of quantization errors (i) and the communication delays (iv). As pointed out later in the paper, category (ii) can also be incorporated in category (iv), as long as the maximum number of subsequent dropouts over the network is bounded [14]. Recently, there have been many studies focused mostly on the stability properties of NCS: in [6] (iii)-(v) are simultaneously considered; in [10] (i), (ii), and (iv) are taken into account; [1] studies (ii) and (v); [4] focuses on (ii) and (iii); in [9, 24] (ii)-(iv) are considered; and finally in [17] (i), (iii), and (v) are taken into account. Despite all the progress on the stability analysis of NCS as reported in [6, 10, 1, 4, 9, 24, 17], there are no mature results in the literature dealing with more complex objectives, such as model verification or formal (controller) synthesis for richer properties expressed as temporal logic specifications [5].
Examples of those specifications include linear temporal logic (LTL) formulae or automata over infinite strings [5], which cannot be investigated with existing approaches for NCS. A promising direction to study these complex properties is the use of symbolic models [23]. A symbolic model is an abstract description of the original (concrete) dynamical model, where each abstract state (or symbol) corresponds to an aggregate of continuous states in the concrete model. When a finite symbolic model is obtained and is formally related to the original model (via the notions of (alternating) approximate (bi)simulations), one can leverage algorithmic machinery for controller synthesis of symbolic systems [16] to automatically synthesize hybrid controllers for the original, concrete model [23].
Related Work. To the best of our knowledge, the first and only results in the literature on the construction of symbolic models for NCS are [8, 7]: these results provide symbolic models for NCS obtained via gridding techniques (discretization of state and control sets); they simultaneously consider the network non-idealities (i), (ii), and (iv); the possibility of out-of-order packet arrivals is not considered; they exclusively consider static (i.e. memoryless) symbolic controllers; only specifications expressed in terms of specific types of nondeterministic automata can be addressed; and, furthermore, in order to apply standard algorithms for verification and synthesis to the obtained symbolic model often the given specification requires an additional reformulation over an extended state-space, which can lead to significant computation overheads. In this article we provide a general construction of symbolic models for NCS, which can directly employ available and well investigated symbolic models from the literature that are obtained exclusively for the plant (that is, without the need to encompass the presence of the network explicitly in the construction). As such, one can directly leverage existing results to obtain symbolic models for the plant, such as grid-based approaches in [13, 29], recent results in [30] that do not require state-space discretization but only input-set discretization, or formula-guided (non-grid-based) approaches in [25]. In this work we show that, having a symbolic model of the plant, one can then construct symbolic models for the overall NCS. As a consequence, as long as there exists some type of symbolic abstraction of the plant, one can always use the results provided in this article to construct symbolic models for the overall, complex NCS. 
As a relevant side result, the techniques discussed in this paper can also be used for models of stochastic plants, in view of recent literature providing symbolic models for such systems [30, 26, 27]. In this work, we explicitly consider the network non-idealities (i), (ii), and (iv) acting on the NCS simultaneously. We further consider possible out-of-order packet arrivals and message rejections, i.e. the effect of older data being neglected because more recent one is available. Let us also remark that this work is not limited to problems where the controller is static. As a result, without requiring any specific reformulation, we enable the study of large classes of logical specifications, such as those expressed as general LTL formulae or as automata on infinite strings, which are often shown to require dynamic (i.e. with memory) symbolic controllers [5]. This paper presents a detailed and mature description of the results announced in [28], including the proof of the main result, a detailed discussion on dealing with the quantized measurements, a detailed discussion on the space complexity, and case studies. Furthermore, we have added a section on related work and provided a detailed comparison with the results in [8, 7].

2. Notations and Basic Concepts

2.1. Notations. The identity map on a set $A$ is denoted by $1_A$. The symbols $\mathbb{N}$, $\mathbb{N}_0$, $\mathbb{Z}$, $\mathbb{R}$, $\mathbb{R}^+$, and $\mathbb{R}^+_0$ denote the set of natural, nonnegative integer, integer, real, positive, and nonnegative real numbers, respectively. Given a set $A$, define $A^{n+1} = A \times A^n$ for any $n \in \mathbb{N}$. Given a vector $x \in \mathbb{R}^n$, we denote by $x_i$ the $i$-th element of $x$, and by $\|x\|$ the infinity norm of $x$, namely, $\|x\| = \max\{|x_1|, |x_2|, \ldots, |x_n|\}$, where $|x_i|$ denotes the absolute value of $x_i$. Given an interval $[a, b] \subseteq \mathbb{R}$ with $a \le b$, we denote by $[a; b]$ the set $[a, b] \cap \mathbb{N}$. We denote by $[\mathbb{R}^n]_\eta = \{a \in \mathbb{R}^n \mid a_i = k_i \eta,\ k_i \in \mathbb{Z},\ i = 1, \ldots, n\}$.
Given a measurable function $f : \mathbb{R}^+_0 \to \mathbb{R}^n$, the (essential) supremum of $f$ is denoted by $\|f\|_\infty$, where $\|f\|_\infty := (\mathrm{ess})\sup\{\|f(t)\|,\ t \ge 0\}$. A continuous function $\gamma : \mathbb{R}^+_0 \to \mathbb{R}^+_0$ is said to belong to class $\mathcal{K}$ if it is strictly increasing and $\gamma(0) = 0$; $\gamma$ is said to belong to class $\mathcal{K}_\infty$ if $\gamma \in \mathcal{K}$ and $\gamma(r) \to \infty$ as $r \to \infty$. A continuous function $\beta : \mathbb{R}^+_0 \times \mathbb{R}^+_0 \to \mathbb{R}^+_0$ is said to belong to class $\mathcal{KL}$ if, for each fixed $s$, the map $\beta(r, s)$ belongs to class $\mathcal{K}$ with respect to $r$ and, for each fixed nonzero $r$, the map $\beta(r, s)$ is decreasing with respect to $s$ and $\beta(r, s) \to 0$ as $s \to \infty$. We identify a relation $R \subseteq A \times B$ with the map $R : A \to 2^B$ defined by $b \in R(a)$ iff $(a, b) \in R$. Given a relation $R \subseteq A \times B$, $R^{-1}$ denotes the inverse relation defined by $R^{-1} = \{(b, a) \in B \times A : (a, b) \in R\}$. When $R$ is an equivalence relation$^1$ on a set $A$, we denote by $[a]$ the equivalence class corresponding to the element $a \in A$, by $A/R$ the set of all equivalence classes (quotient set), and by $\pi_R : A \to A/R$ the natural projection map taking a point $a \in A$ to its equivalence class $\pi(a) = [a] \in A/R$.

$^1$An equivalence relation $R \subseteq X \times X$ is a binary relation on a set $X$ if it is reflexive, symmetric, and transitive.
2.2. Control systems. The class of control systems that we consider in this paper is formalized in the following definition.

Definition 2.1. A control system is a tuple $\Sigma = (\mathbb{R}^n, \mathsf{U}, \mathcal{U}, f)$, where:
• $\mathbb{R}^n$ is the state space;
• $\mathsf{U} \subseteq \mathbb{R}^m$ is the bounded input set;
• $\mathcal{U}$ is a subset of the set of all measurable functions of time, from intervals of the form $]a, b[ \subseteq \mathbb{R}$ to $\mathsf{U}$, with $a < 0$ and $b > 0$;
• $f : \mathbb{R}^n \times \mathsf{U} \to \mathbb{R}^n$ is a continuous map satisfying the following Lipschitz assumption: for every compact set $Q \subset \mathbb{R}^n$, there exists a constant $Z \in \mathbb{R}^+$ such that $\|f(x, u) - f(y, u)\| \le Z \|x - y\|$ for all $x, y \in Q$ and all $u \in \mathsf{U}$.

A locally absolutely continuous curve $\xi : ]a, b[ \to \mathbb{R}^n$ is said to be a trajectory of $\Sigma$ if there exists $\upsilon \in \mathcal{U}$ satisfying
$$\dot{\xi}(t) = f(\xi(t), \upsilon(t)),$$
for almost all $t \in ]a, b[$. Although we have defined trajectories over open domains, we shall as well refer to trajectories $\xi : [0, t] \to \mathbb{R}^n$ defined on closed domains $[0, t]$, $t \in \mathbb{R}^+$, with the understanding of the existence of a trajectory $\xi' : ]a, b[ \to \mathbb{R}^n$ such that $\xi = \xi'|_{[0, t]}$ with $a < 0$ and $b > t$. We also write $\xi_{x\upsilon}(t)$ to denote the point reached at time $t$ under the input $\upsilon$ from the initial condition $x = \xi_{x\upsilon}(0)$; the point $\xi_{x\upsilon}(t)$ is uniquely determined, since the assumptions on $f$ ensure existence and uniqueness of trajectories [22]. A control system $\Sigma$ is said to be forward complete if every trajectory is defined on an interval of the form $]a, \infty[$. Standard sufficient and necessary conditions for a control system to be forward complete can be found in [3].

2.3. Notions of stability and of completeness. Some of the existing results recalled in this paper require certain stability properties (or lack thereof) on $\Sigma$. First, we recall a stability property, introduced in [2], as defined next.

Definition 2.2. A control system $\Sigma$ is incrementally input-to-state stable ($\delta$-ISS) if it is forward complete and if there exist a $\mathcal{KL}$ function $\beta$ and a $\mathcal{K}_\infty$ function $\gamma$ such that for any $t \in \mathbb{R}^+_0$, any $x, x' \in \mathbb{R}^n$, and any $\upsilon, \upsilon' \in \mathcal{U}$, the following condition is satisfied:
$$\|\xi_{x\upsilon}(t) - \xi_{x'\upsilon'}(t)\| \le \beta(\|x - x'\|, t) + \gamma(\|\upsilon - \upsilon'\|_\infty). \tag{2.1}$$

Next we recall a completeness property, introduced in [29], which can be satisfied by larger classes of (even unstable) control systems.

Definition 2.3. A control system $\Sigma$ is incrementally forward complete ($\delta$-FC) if it is forward complete and there exist continuous functions $\beta : \mathbb{R}^+_0 \times \mathbb{R}^+_0 \to \mathbb{R}^+_0$ and $\gamma : \mathbb{R}^+_0 \times \mathbb{R}^+_0 \to \mathbb{R}^+_0$ such that for each fixed $s$, the functions $\beta(r, s)$ and $\gamma(r, s)$ belong to class $\mathcal{K}_\infty$ with respect to $r$, and for any $t \in \mathbb{R}^+_0$, any $x, x' \in \mathbb{R}^n$, and any $\upsilon, \upsilon' \in \mathcal{U}$, the following condition is satisfied:
$$\|\xi_{x\upsilon}(t) - \xi_{x'\upsilon'}(t)\| \le \beta(\|x - x'\|, t) + \gamma(\|\upsilon - \upsilon'\|_\infty, t). \tag{2.2}$$
As explained in [29, Remark 2.3], $\delta$-FC implies uniform continuity of the map $\phi_t : \mathbb{R}^n \times \mathcal{U} \to \mathbb{R}^n$ defined by $\phi_t(x, \upsilon) = \xi_{x\upsilon}(t)$ for any fixed $t \in \mathbb{R}^+_0$. We refer the interested readers to the results in [2] (resp. [29]) providing a characterization (resp. description) of $\delta$-ISS (resp. $\delta$-FC) in terms of the existence of so-called incremental Lyapunov functions.

3. Systems & Approximate Equivalence Notions

We now recall the notion of system, as introduced in [23], that we later use to describe NCS as well as their symbolic abstractions.
Definition 3.1. A system $S$ is a tuple $S = (X, X_0, U, \longrightarrow, Y, H)$ consisting of: a (possibly infinite) set of states $X$; a (possibly infinite) set of initial states $X_0 \subseteq X$; a (possibly infinite) set of inputs $U$; a transition relation $\longrightarrow \subseteq X \times U \times X$; a set of outputs $Y$; and an output map $H : X \to Y$.

A transition $(x, u, x') \in \longrightarrow$ is also denoted by $x \xrightarrow{u} x'$. If $x \xrightarrow{u} x'$, state $x'$ is called a $u$-successor of state $x$. We denote by $\mathrm{Post}_u(x)$ the set of all $u$-successors of a state $x$, and by $U(x)$ the set of inputs $u \in U$ for which $\mathrm{Post}_u(x)$ is nonempty. We denote by $T(U, Y)$ the set of all systems associated to a set of inputs $U$ and a set of outputs $Y$. A system $S$ is said to be:
• metric, if the output set $Y$ is equipped with a metric $d : Y \times Y \to \mathbb{R}^+_0$;
• finite (or symbolic), if $X$ and $U$ are finite sets;
• countable, if $X$ and $U$ are countable sets;
• deterministic, if for any state $x \in X$ and any input $u \in U$, $|\mathrm{Post}_u(x)| \le 1$;
• nondeterministic, if there exist a state $x \in X$ and an input $u \in U$ such that $|\mathrm{Post}_u(x)| > 1$.

Given a system $S = (X, X_0, U, \longrightarrow, Y, H)$, we denote by $|S|$ the size of $S$, defined as $|S| := |\longrightarrow|$, which is equal to the total number of transitions in $S$. Note that it is more reasonable to consider $|\longrightarrow|$ as the size of $S$ rather than $|X|$ because in practice it is the transitions of $S$ that are required to be stored rather than just the states of $S$.

We recall the notions of (alternating) approximate (bi)simulation relation, introduced in [12, 19], which are useful to relate properties of NCS to those of their symbolic models. First we recall the notion of approximate (bi)simulation relation, introduced in [12].

Definition 3.2. Let $S_a = (X_a, X_{a0}, U_a, \xrightarrow[a]{}, Y_a, H_a)$ and $S_b = (X_b, X_{b0}, U_b, \xrightarrow[b]{}, Y_b, H_b)$ be metric systems with the same output sets $Y_a = Y_b$ and metric $d$. For $\varepsilon \in \mathbb{R}^+_0$, a relation $R \subseteq X_a \times X_b$ is said to be an $\varepsilon$-approximate simulation relation from $S_a$ to $S_b$ if the following three conditions are satisfied:
(i) for every $x_{a0} \in X_{a0}$, there exists $x_{b0} \in X_{b0}$ with $(x_{a0}, x_{b0}) \in R$;
(ii) for every $(x_a, x_b) \in R$, we have $d(H_a(x_a), H_b(x_b)) \le \varepsilon$;
(iii) for every $(x_a, x_b) \in R$, the existence of $x_a \xrightarrow[a]{u_a} x'_a$ in $S_a$ implies the existence of $x_b \xrightarrow[b]{u_b} x'_b$ in $S_b$ satisfying $(x'_a, x'_b) \in R$.
A relation $R \subseteq X_a \times X_b$ is said to be an $\varepsilon$-approximate bisimulation relation between $S_a$ and $S_b$ if $R$ is an $\varepsilon$-approximate simulation relation from $S_a$ to $S_b$ and $R^{-1}$ is an $\varepsilon$-approximate simulation relation from $S_b$ to $S_a$. System $S_a$ is $\varepsilon$-approximately simulated by $S_b$, or $S_b$ $\varepsilon$-approximately simulates $S_a$, denoted by $S_a \preceq^\varepsilon_S S_b$, if there exists an $\varepsilon$-approximate simulation relation from $S_a$ to $S_b$. System $S_a$ is $\varepsilon$-approximately bisimilar to $S_b$, denoted by $S_a \cong^\varepsilon_S S_b$, if there exists an $\varepsilon$-approximate bisimulation relation between $S_a$ and $S_b$. As explained in [19], for nondeterministic systems we need to consider relationships that explicitly capture the adversarial nature of nondeterminism. Furthermore, these types of relations become crucial to enable the refinement of symbolic controllers [23].

Definition 3.3. Let $S_a = (X_a, X_{a0}, U_a, \xrightarrow[a]{}, Y_a, H_a)$ and $S_b = (X_b, X_{b0}, U_b, \xrightarrow[b]{}, Y_b, H_b)$ be metric systems with the same output sets $Y_a = Y_b$ and metric $d$. For $\varepsilon \in \mathbb{R}^+_0$, a relation $R \subseteq X_a \times X_b$ is said to be an alternating $\varepsilon$-approximate simulation relation from $S_a$ to $S_b$ if conditions (i) and (ii) in Definition 3.2, as well as the following condition, are satisfied:
(iii) for every $(x_a, x_b) \in R$ and for every $u_a \in U_a(x_a)$ there exists some $u_b \in U_b(x_b)$ such that for every $x'_b \in \mathrm{Post}_{u_b}(x_b)$ there exists $x'_a \in \mathrm{Post}_{u_a}(x_a)$ satisfying $(x'_a, x'_b) \in R$.

A relation $R \subseteq X_a \times X_b$ is said to be an alternating $\varepsilon$-approximate bisimulation relation between $S_a$ and $S_b$ if $R$ is an alternating $\varepsilon$-approximate simulation relation from $S_a$ to $S_b$ and $R^{-1}$ is an alternating $\varepsilon$-approximate simulation relation from $S_b$ to $S_a$. System $S_a$ is alternatingly $\varepsilon$-approximately simulated by $S_b$, or $S_b$ alternatingly $\varepsilon$-approximately simulates $S_a$, denoted by $S_a \preceq^\varepsilon_{AS} S_b$, if there exists an alternating $\varepsilon$-approximate simulation relation from $S_a$ to $S_b$. System $S_a$ is alternatingly $\varepsilon$-approximately bisimilar to $S_b$, denoted by $S_a \cong^\varepsilon_{AS} S_b$, if there exists an alternating $\varepsilon$-approximate bisimulation relation between $S_a$ and $S_b$. It can be readily seen that the notions of approximate (bi)simulation relation and of alternating approximate (bi)simulation relation coincide when the systems involved are deterministic, in the sense of Definition 3.1.

Figure 1. Schematics of a networked control system $\tilde{\Sigma}$. [Figure not reproduced; labels in the figure: plant $\Sigma : \dot{\xi} = f(\xi, \upsilon)$, ZOH, Sensor, Symbolic Controller, signals $u_k$, $\upsilon(t)$, $\xi(t)$, $x_k$, $\hat{x}_k$, $y_1$, $y_2$, delays $\Delta^{ca}_k$, $\Delta^{sc}_k$.]
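The following Python example is added here to make Definitions 3.2 and 3.3 concrete; it is not code from the paper. For two constructed finite metric systems it computes, by greatest-fixpoint iteration, the largest relation satisfying conditions (ii) and (iii) of Definition 3.2 (`alternating=False`) or Definition 3.3 (`alternating=True`), and then checks condition (i), which decides $S_a \preceq^\varepsilon_S S_b$ and $S_a \preceq^\varepsilon_{AS} S_b$. The systems (a saturating integer counter as the concrete system `S_TAU` and its nondeterministic quotient over cells of width 2 as the abstraction `S_Q`), the value $\varepsilon = 0.5$, and the function names are all assumptions of this example. On this pair, $S_q \preceq^\varepsilon_{AS} S_\tau$ and $S_\tau \preceq^\varepsilon_S S_q$ both hold, whereas $S_\tau \preceq^\varepsilon_{AS} S_q$ fails because the abstraction's nondeterminism is adversarial.

```python
# Constructed toy systems (not from the paper). The concrete system S_tau has integer
# states 0..5 with saturating increment/decrement inputs and output H(x) = x; the
# abstraction S_q is its quotient over cells {0,1}, {2,3}, {4,5} with output equal to the
# cell centre, so every state is within 0.5 of its cell's output and eps = 0.5 is natural.
U = ['+', '-']
X_TAU = list(range(6))


def post_tau(x, u):
    return {min(x + 1, 5)} if u == '+' else {max(x - 1, 0)}


S_TAU = {'X': X_TAU, 'X0': X_TAU, 'U': U, 'Post': post_tau, 'H': lambda x: float(x)}

CELLS = [(0, 1), (2, 3), (4, 5)]


def cell_of(x):
    return CELLS[x // 2]


def post_q(c, u):
    # cell c -u-> c' iff some concrete state in c moves under u into c' (nondeterministic)
    return {cell_of(x2) for x in c for x2 in post_tau(x, u)}


S_Q = {'X': CELLS, 'X0': CELLS, 'U': U, 'Post': post_q, 'H': lambda c: sum(c) / 2}


def d(y1, y2):
    return abs(y1 - y2)


def enabled(S, x):
    """U(x): the inputs whose Post_u(x) is nonempty."""
    return [u for u in S['U'] if S['Post'](x, u)]


def largest_relation(Sa, Sb, eps, alternating):
    """Greatest fixpoint: start from every output-close pair (condition (ii)) and drop pairs
    violating condition (iii) of Definition 3.2 (alternating=False) or Definition 3.3
    (alternating=True) until nothing changes. Every relation meeting (ii)+(iii) is a subset."""
    R = {(xa, xb) for xa in Sa['X'] for xb in Sb['X']
         if d(Sa['H'](xa), Sb['H'](xb)) <= eps}
    changed = True
    while changed:
        changed = False
        for xa, xb in list(R):
            if alternating:
                # for every u_a some u_b exists such that EVERY u_b-successor of x_b is
                # matched by SOME u_a-successor of x_a (the adversary picks the successor)
                ok = all(any(all(any((xa2, xb2) in R for xa2 in Sa['Post'](xa, ua))
                                 for xb2 in Sb['Post'](xb, ub))
                             for ub in enabled(Sb, xb))
                         for ua in enabled(Sa, xa))
            else:
                # every transition of x_a is matched by some transition of x_b
                ok = all(any((xa2, xb2) in R
                             for ub in enabled(Sb, xb) for xb2 in Sb['Post'](xb, ub))
                         for ua in enabled(Sa, xa) for xa2 in Sa['Post'](xa, ua))
            if not ok:
                R.discard((xa, xb))
                changed = True
    return R


def simulated(Sa, Sb, eps, alternating=False):
    """Decide Sa <=_S^eps Sb (alternating=False) or Sa <=_AS^eps Sb (alternating=True):
    the largest relation must additionally satisfy condition (i) on initial states."""
    R = largest_relation(Sa, Sb, eps, alternating)
    return all(any((xa0, xb0) in R for xb0 in Sb['X0']) for xa0 in Sa['X0'])


if __name__ == '__main__':
    print('S_q  <=_AS S_tau:', simulated(S_Q, S_TAU, 0.5, alternating=True))
    print('S_tau <=_S  S_q :', simulated(S_TAU, S_Q, 0.5))
    print('S_tau <=_AS S_q :', simulated(S_TAU, S_Q, 0.5, alternating=True))
```

Because the fixpoint starts from all pairs allowed by condition (ii) and only removes pairs, the relation it returns contains every relation satisfying (ii) and (iii); a simulation therefore exists exactly when that largest relation also covers the initial states.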
Let us introduce a metric system $S_\tau(\Sigma) := (X_\tau, X_{\tau 0}, U_\tau, \xrightarrow[\tau]{}, Y_\tau, H_\tau)$, which captures all the information contained in the forward complete control system $\Sigma$ at sampling times $k\tau$, $\forall k \in \mathbb{N}_0$: $X_\tau = \mathbb{R}^n$, $X_{\tau 0} = \mathbb{R}^n$, $U_\tau = \mathcal{U}$, $Y_\tau = \mathbb{R}^n / Q$ for some given equivalence relation $Q \subseteq X_\tau \times X_\tau$, $H_\tau = \pi_Q$, and
• $x_\tau \xrightarrow[\tau]{\upsilon_\tau} x'_\tau$ if there exists a trajectory $\xi_{x_\tau \upsilon_\tau} : [0, \tau] \to \mathbb{R}^n$ of $\Sigma$ satisfying $\xi_{x_\tau \upsilon_\tau}(\tau) = x'_\tau$.

Notice that the set of states and inputs of $S_\tau(\Sigma)$ are uncountable and that $S_\tau(\Sigma)$ is a deterministic system in the sense of Definition 3.1 since (cf. Subsection 2.2) the trajectory of $\Sigma$ is uniquely determined. We also assume that the output set $Y_\tau$ is equipped with a metric $d_{Y_\tau} : Y_\tau \times Y_\tau \to \mathbb{R}^+_0$. We refer the interested readers to [13, 29, 30] proposing results on the existence of symbolic abstractions $S_q(\Sigma) := (X_q, X_{q0}, U_q, \xrightarrow[q]{}, Y_q, H_q)$ for $S_\tau(\Sigma)$. In particular, the results in [13, 29] and [30] provide symbolic abstractions $S_q(\Sigma)$ for $\delta$-ISS and $\delta$-FC control systems $\Sigma$, respectively, such that $S_q(\Sigma) \cong^\varepsilon_S S_\tau(\Sigma)$ (equivalently$^2$ $S_q(\Sigma) \cong^\varepsilon_{AS} S_\tau(\Sigma)$) and $S_q(\Sigma) \preceq^\varepsilon_{AS} S_\tau(\Sigma) \preceq^\varepsilon_S S_q(\Sigma)$, respectively. The results in [13, 29] assume that $Q$ is the identity relation in the definition of $S_\tau(\Sigma)$, implying that $Y_\tau = \mathbb{R}^n$ and $\pi_Q = 1_{\mathbb{R}^n}$, $\mathcal{U}$ is the set of piecewise constant curves over intervals of length $\tau$ (cf. equation (4.3)), and the metric $d_{Y_\tau}$ is the natural infinity norm metric. While the abstraction results in [13, 29] are based on state-space discretization, the ones in [30] do not require any state-space discretization, and are potentially more efficient than those in [13, 29] when dealing with high-dimensional plants.

Remark 3.4. Consider a metric system $S_\tau(\Sigma)$ admitting an abstraction $S_q(\Sigma)$. Since the plant $\Sigma$ is forward complete, one can readily verify that given any state $x_\tau \in X_\tau$, there always exists a $\upsilon_\tau$-successor of $x_\tau$, for any $\upsilon_\tau \in U_\tau$. Hence, $U_\tau(x_\tau) = U_\tau$ for any $x_\tau \in X_\tau$. Therefore, without loss of generality, one can also assume that $U_q(x_q) = U_q$ for any $x_q \in X_q$.
4. Models of Networked Control Systems

Consider a NCS $\tilde{\Sigma}$ as depicted schematically in Figure 1, and similar to those discussed in [9, Figure 1], [24, Figure 1], and [8, Figure 1]. The NCS $\tilde{\Sigma}$ includes a plant $\Sigma$, a time-driven sampler, and an event-driven zero-order-hold (ZOH), all of which are described in more detail later. The NCS consists of a forward complete plant $\Sigma = (\mathbb{R}^n, \mathsf{U}, \mathcal{U}, f)$, which is connected to a symbolic controller, explained in more detail in the next subsection, over a communication network that induces delays ($\Delta^{sc}$ and $\Delta^{ca}$). The state measurements of the plant are sampled by a time-driven sampler at times $s_k := k\tau$, $k \in \mathbb{N}_0$, and we denote $x_k := \xi(s_k)$. The discrete-time control values computed by the symbolic controller at times $s_k$ are denoted by $u_k$. Time-varying network-induced delays, i.e. the sensor-to-controller delay ($\Delta^{sc}_k$) and the controller-to-actuator delay ($\Delta^{ca}_k$), are included in the model. Moreover, packet dropouts in both channels of the network can be incorporated in the delays $\Delta^{sc}_k$ and $\Delta^{ca}_k$ (increasing them), as long as the maximum number of subsequent dropouts over the network is bounded [14]. Finally, the time-varying computation time needed to evaluate the symbolic controller is incorporated into $\Delta^{ca}_k$. We assume that the time-varying delays are bounded and are integer multiples of the sampling time $\tau$, i.e. $\Delta^{sc}_k := N^{sc}_k \tau$, where $N^{sc}_k \in [N^{sc}_{\min}; N^{sc}_{\max}]$, and $\Delta^{ca}_k := N^{ca}_k \tau$, where $N^{ca}_k \in [N^{ca}_{\min}; N^{ca}_{\max}]$, for some $N^{sc}_{\min}, N^{sc}_{\max}, N^{ca}_{\min}, N^{ca}_{\max} \in \mathbb{N}_0$. Note that this assumption implies perfect clock synchronization in the network. Nonetheless, with current technologies this can be assumed to have a rather small effect that one could easily incorporate in the form of bounded sensor noise. Under these assumptions, there is no difference in assuming that both the controller and the actuator act in an event-driven fashion (i.e. they respond instantaneously to newly arrived data) or in a time-driven fashion (i.e. they respond to newly arrived data at the sampling instants $s_k$). Furthermore, we model the occurrence of message rejection, i.e. the effect of older data being neglected because more recent data is available before the older data arrival, as done in [9, 24].

The zero-order-hold (ZOH) function (see Figure 1) is placed before the plant $\Sigma$ to transform the discrete-time control inputs $u_k$, $k \in \mathbb{N}_0$, to a continuous-time control input $\upsilon(t) = u_{k^*(t)}$, where $k^*(t) := \max\{k \in \mathbb{N}_0 \mid s_k + \Delta^{ca}_k \le t\}$. As argued in [9, 24], within the sampling interval $[s_k, s_{k+1}[$, $\upsilon(t)$ can be explicitly described by
$$\upsilon(t) = u_{k + j^* - N^{ca}_{\max}}, \quad \text{for } t \in [s_k, s_{k+1}[, \tag{4.1}$$
where $j^* \in [0; N^{ca}_{\max} - N^{ca}_{\min}]$, the required time-indexing shift needed to determine the control input available at the ZOH, is defined as:
$$j^* = \lambda\big(\hat{N}_{N^{ca}_{\min}}, \hat{N}_{N^{ca}_{\min}+1}, \ldots, \hat{N}_{N^{ca}_{\max}}\big), \tag{4.2}$$
where $\hat{N}_k$, for $k \in [N^{ca}_{\min}; N^{ca}_{\max}]$, is the delay suffered by the control packet sent $k$ samples beforehand, namely $\hat{N}_{N^{ca}_{\max} - i} = N^{ca}_{k - N^{ca}_{\max} + i}$ for any $i \in [0; N^{ca}_{\max} - N^{ca}_{\min}]$, and
$$\lambda\big(\hat{N}_{N^{ca}_{\min}}, \ldots, \hat{N}_{N^{ca}_{\max}}\big) := \max\Big\{\arg\min_j \kappa\big(j, \hat{N}_{N^{ca}_{\min}}, \ldots, \hat{N}_{N^{ca}_{\max}}\big)\Big\},$$
where
$$\kappa\big(j, \hat{N}_{N^{ca}_{\min}}, \ldots, \hat{N}_{N^{ca}_{\max}}\big) := \min\Big\{\max\{0, \hat{N}_{N^{ca}_{\max} - j} + j - N^{ca}_{\max}\},\ \max\{0, \hat{N}_{N^{ca}_{\max} - 1 - j} + j - N^{ca}_{\max} + 1\},\ \ldots,\ \max\{0, \hat{N}_{N^{ca}_{\min}} - N^{ca}_{\min}\},\ 1\Big\},$$
with $j \in [0; N^{ca}_{\max} - N^{ca}_{\min}]$. Note that the expression for the continuous-time control input in (4.1) and (4.2) takes into account the possible out-of-order packet arrivals and message rejection. For example, in Figure 2, the time-delays in the controller-to-actuator branch of the network are allowed to take values in $\{\tau, 2\tau, 3\tau\}$, resulting in a message rejection at time $s_{k+2}$. We refer the interested readers to [9, Lemma 1] to understand how the proposed choices for $j^*$ (4.2), $\lambda$, and $\kappa$ can take care of the possible out-of-order packet arrivals and message rejections.

$^2$Recall that the notions of alternating approximate (bi)simulation and approximate (bi)simulation relation coincide when the systems involved are deterministic.
Figure 2. Time-delays in the controller-to-actuator branch of the network with $\Delta^{ca}_k \in \{\tau, 2\tau, 3\tau\}$. [Figure not reproduced; labels in the figure: packets $u_{k-1}$, $u_k$, $u_{k+1}$, $u_{k+2}$, delays $\Delta^{ca}_{k-1}$, $\Delta^{ca}_k$, $\Delta^{ca}_{k+1}$, $\Delta^{ca}_{k+2}$, sampling instants $s_{k-1}, s_k, \ldots, s_{k+4}$, and the annotation "Message rejected".]

4.1. Architecture of the symbolic controller. A symbolic controller is a finite system that takes the observed states $x_k \in \mathbb{R}^n$ as inputs and produces as outputs the actions $u_k \in \mathsf{U}$ that need to be fed into the system $\Sigma$ in order to satisfy a given complex logical specification. We refer the interested readers to [23] for the formal definition of symbolic controllers. Although for some LTL specifications (e.g. certain safety or reachability problems) it may be sufficient to consider only static controllers (i.e. without memory) [11], we do not limit our work by such an assumption. Since the network is in itself a memory system, in most NCS problems the controller requires memory to compensate for the network effects. The following approach is indeed applicable to general LTL specifications that require dynamic controllers (i.e. controllers with memory) [5]. Due to the presence of a ZOH, from now on we assume that the set $\mathcal{U}$ contains only curves that are constant over intervals of length $\tau \in \mathbb{R}^+$ and take values in $\mathsf{U}$, i.e.:
$$\mathcal{U} = \big\{\upsilon : \mathbb{R}^+_0 \to \mathsf{U} \mid \upsilon(t) = \upsilon((s-1)\tau),\ t \in [(s-1)\tau, s\tau[,\ s \in \mathbb{N}\big\}. \tag{4.3}$$
Correspondingly, one should update $U_\tau$ to $\mathcal{U}$ in (4.3) in the definition of $S_\tau(\Sigma)$ (cf. Section 3).
Similar to what was assumed at the connection between controller and plant, we also consider possible occurrences of message rejection for the measurement data sent from the sensor to the symbolic controller. The symbolic controller uses $\hat{x}_k$ as an input at the sampling times $s_k := k\tau$, where
$$\hat{x}_k = x_{k + \ell^* - N^{sc}_{\max}}, \tag{4.4}$$
where $\ell^* \in [0; N^{sc}_{\max} - N^{sc}_{\min}]$ is defined as:
$$\ell^* = \lambda\big(\tilde{N}_{N^{sc}_{\min}}, \tilde{N}_{N^{sc}_{\min}+1}, \ldots, \tilde{N}_{N^{sc}_{\max}}\big), \tag{4.5}$$
where $\tilde{N}_k$, for $k \in [N^{sc}_{\min}; N^{sc}_{\max}]$, is the delay suffered by the measurement packet sent $k$ samples ago, namely $\tilde{N}_{N^{sc}_{\max} - i} = N^{sc}_{k - N^{sc}_{\max} + i}$ for any $i \in [0; N^{sc}_{\max} - N^{sc}_{\min}]$, and $\lambda$ is the function appearing in (4.2). Note that the expression for the input of the controller in (4.4) and (4.5) takes into account the possible out-of-order packet arrivals and message rejections. We again refer the interested readers to [9, 24] for more details on the proposed choice for $\ell^*$ (4.5).
4.2. Describing NCS as metric systems. As emphasized earlier, one of the main objectives of this work is to provide symbolic models for the overall NCS using symbolic models of their plant components and of the network characteristics. Specifically, we need to define a map taking an (in)finite system describing the plant and the minimum and maximum delays suffered in both the controller-to-actuator and the sensor-to-controller branches of the network as its inputs and providing, correspondingly, an (in)finite system describing the overall NCS as its output. Consider the map
$$\mathcal{L} : T(U, Y) \times \mathbb{N}^4_0 \to T(U, Y \times Y) \tag{4.6}$$
defined as follows: $\forall \tilde{N}_{\min}, \tilde{N}_{\max} \in \mathbb{N}_0$, where $\tilde{N}_{\min} \le \tilde{N}_{\max}$, $\forall \hat{N}_{\min}, \hat{N}_{\max} \in \mathbb{N}_0$, where $\hat{N}_{\min} \le \hat{N}_{\max}$, and $\forall S_a = (X_a, X_{a0}, U_a, \xrightarrow[a]{}, Y_a, H_a) \in T(U_a, Y_a)$, we have $\mathcal{L}(S_a, \tilde{N}_{\min}, \tilde{N}_{\max}, \hat{N}_{\min}, \hat{N}_{\max}) = S_b \in T(U_a, Y_a \times Y_a)$, where $S_b = (X_b, X_{b0}, U_a, \xrightarrow[b]{}, Y_a \times Y_a, H_b)$ and
• $X_b = \{X_a \cup q\}^{\tilde{N}_{\max}} \times U_a^{\hat{N}_{\max}} \times [\tilde{N}_{\min}; \tilde{N}_{\max}]^{\tilde{N}_{\max}} \times [\hat{N}_{\min}; \hat{N}_{\max}]^{\hat{N}_{\max}}$, where $q$ is a dummy symbol;
• $X_{b0} = \{(x_0, q, \ldots, q, u_0, \ldots, u_0, \tilde{N}_{\max}, \ldots, \tilde{N}_{\max}, \hat{N}_{\max}, \ldots, \hat{N}_{\max}) \mid x_0 \in X_{a0},\ u_0 \in U_a\}$;
• $(x_1, \ldots, x_{\tilde{N}_{\max}}, u_1, \ldots, u_{\hat{N}_{\max}}, \tilde{N}_1, \ldots, \tilde{N}_{\tilde{N}_{\max}}, \hat{N}_1, \ldots, \hat{N}_{\hat{N}_{\max}}) \xrightarrow[b]{u} (x', x_1, \ldots, x_{\tilde{N}_{\max}-1}, u, u_1, \ldots, u_{\hat{N}_{\max}-1}, \tilde{N}, \tilde{N}_1, \ldots, \tilde{N}_{\tilde{N}_{\max}-1}, \hat{N}, \hat{N}_1, \ldots, \hat{N}_{\hat{N}_{\max}-1})$ for all $\tilde{N} \in [\tilde{N}_{\min}; \tilde{N}_{\max}]$ and all $\hat{N} \in [\hat{N}_{\min}; \hat{N}_{\max}]$ if there exists a transition $x_1 \xrightarrow[a]{u_{\hat{N}_{\max} - j^*}} x'$ in $S_a$, where $j^* = \lambda(\hat{N}_{\hat{N}_{\min}}, \ldots, \hat{N}_{\hat{N}_{\max}})$, as defined in (4.2);
• $H_b(x_1, \ldots, x_{\tilde{N}_{\max}}, u_1, \ldots, u_{\hat{N}_{\max}}, \tilde{N}_1, \ldots, \tilde{N}_{\tilde{N}_{\max}}, \hat{N}_1, \ldots, \hat{N}_{\hat{N}_{\max}}) = (H_a(x_1), H_a(x_{\tilde{N}_{\max} - \ell^*}))$, where $\ell^* = \lambda(\tilde{N}_{\tilde{N}_{\min}}, \ldots, \tilde{N}_{\tilde{N}_{\max}})$, defined in (4.5). With a slight abuse of notation, we assume that $H_a(q) := q$.

It can be readily seen that the system $S_b$ is (un)countable or symbolic if the system $S_a$ is (un)countable or symbolic, respectively. Although $S_a$ may be a deterministic system, $S_b$ is in general a nondeterministic system (if $\tilde{N}_{\min} < \tilde{N}_{\max}$ or $\hat{N}_{\min} < \hat{N}_{\max}$), since depending on the values of $\tilde{N}$ or $\hat{N}$, more than one $u$-successor of any state of $S_b$ may exist. We assume additionally that the output set $Y_b$ is equipped with the metric $d_{Y_b}$ induced by the metric $d_{Y_a}$, as follows: given any $x_b := (x_1, \ldots, x_{\tilde{N}_{\max}}, u_1, \ldots, u_{\hat{N}_{\max}}, \tilde{N}_1, \ldots, \tilde{N}_{\tilde{N}_{\max}}, \hat{N}_1, \ldots, \hat{N}_{\hat{N}_{\max}})$ and $x'_b := (x'_1, \ldots, x'_{\tilde{N}_{\max}}, u'_1, \ldots, u'_{\hat{N}_{\max}}, \tilde{N}'_1, \ldots, \tilde{N}'_{\tilde{N}_{\max}}, \hat{N}'_1, \ldots, \hat{N}'_{\hat{N}_{\max}})$ in $X_b$, let
$$d_{Y_b}(H_b(x_b), H_b(x'_b)) = d_{Y_b}((x_1, x_k), (x'_1, x'_k)) := \max\{d_{Y_a}(H_a(x_1), H_a(x'_1)),\ d_{Y_a}(H_a(x_k), H_a(x'_k))\}, \tag{4.7}$$
for some given $k \in [\tilde{N}_{\min}; \tilde{N}_{\max}]$, where the metric $d_{Y_a}$ is extended so that $d_{Y_a}(H_a(x), H_a(q)) = +\infty$ for any $x \in \mathbb{R}^n$ and $d_{Y_a}(H_a(q), H_a(q)) = 0$. Hence, two states of $S_b$ are $\varepsilon$-close if both the first and second entries of their outputs are $\varepsilon$-close.

We have now all the ingredients to describe the NCS $\tilde{\Sigma}$ as a metric system. Given $S_\tau(\Sigma)$ and the NCS $\tilde{\Sigma}$, consider the metric system $S(\tilde{\Sigma}) := (X, X_0, U, \longrightarrow, Y, H)$, capturing all the information contained in the NCS $\tilde{\Sigma}$, given as $S(\tilde{\Sigma}) = \mathcal{L}(S_\tau(\Sigma), N^{sc}_{\min}, N^{sc}_{\max}, N^{ca}_{\min}, N^{ca}_{\max})$.
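The following Python example is added here and is not code from the paper. It serves two passages: it implements $\kappa$ and $\lambda$ from (4.2) and uses them for the ZOH index shift $j^*$ of (4.1) and, through the same $\lambda$, for the controller-side shift $\ell^*$ of (4.4)-(4.5), cross-checking $j^*$ against the direct definition $k^*(t) = \max\{k \mid s_k + \Delta^{ca}_k \le t\}$ on a constructed delay sequence; it then builds the reachable part of $S_b = \mathcal{L}(S_a, \tilde{N}_{\min}, \tilde{N}_{\max}, \hat{N}_{\min}, \hat{N}_{\max})$ of (4.6) for a constructed three-state plant and evaluates $H_b$. The plant `PLANT`, the delay sequence `DELAYS`, all function names, and the representation of an $S_b$ state as a tuple of four tuples (newest entry first, i.e. index 0 holds $x_1$, $u_1$, $\tilde{N}_1$, $\hat{N}_1$) are assumptions of this example; delay bounds are taken with $N_{\min} \ge 1$ so that every index the formulas use is in range.

```python
from collections import deque

Q = 'q'  # the dummy symbol q of the definition of X_b


def kappa(j, nd, n_min, n_max):
    """kappa(j, N_{n_min}, ..., N_{n_max}) of Section 4; nd[i-1] holds N_i, the delay in
    samples suffered by the packet sent i samples ago (entries with i < n_min are never read)."""
    terms = [max(0, nd[n_max - j - i - 1] + j + i - n_max)
             for i in range(n_max - j - n_min + 1)]
    return min(terms + [1])


def lam(nd, n_min, n_max):
    """lambda(N_{n_min}, ..., N_{n_max}) = max{arg min_j kappa(j, ...)}, j in [0; n_max - n_min]."""
    vals = {j: kappa(j, nd, n_min, n_max) for j in range(n_max - n_min + 1)}
    best = min(vals.values())
    return max(j for j, v in vals.items() if v == best)


def applied_index(delays, k, n_min, n_max):
    """Index m such that the ZOH holds u_m on [s_k, s_{k+1}[ by (4.1)-(4.2), with
    N_hat_{n_max - i} = delays[k - n_max + i] for i in [0; n_max - n_min]. Needs k >= n_max."""
    nd = [n_max] * n_max                      # slots below n_min are never read; any value works
    for i in range(n_max - n_min + 1):
        nd[n_max - i - 1] = delays[k - n_max + i]
    return k + lam(nd, n_min, n_max) - n_max


def applied_index_direct(delays, k):
    """The same index from the defining formula k*(t) = max{m : s_m + Delta_m <= t}."""
    return max(m for m, n in enumerate(delays[:k + 1]) if m + n <= k)


def formula_matches_definition(delays, n_min, n_max):
    """True iff (4.1)-(4.2) reproduce k*(t) on every sampling interval with k >= n_max."""
    return all(applied_index(delays, k, n_min, n_max) == applied_index_direct(delays, k)
               for k in range(n_max, len(delays)))


# Constructed controller-to-actuator delays in samples (N_min = 1, N_max = 3): u_1, u_2 and
# u_3 all reach the ZOH at s_4, so u_1 and u_2 are rejected; u_5 and u_6 are still in
# flight at s_7, so the ZOH keeps holding u_4 there.
DELAYS = [1, 3, 2, 1, 1, 3, 3, 1]

# Constructed finite plant S_a: states {0,1,2}, inputs {'a','b'}, deterministic, H_a = identity.
PLANT = {'X0': [0], 'U': ['a', 'b'], 'H': lambda x: x,
         'Post': lambda x, u: {{0: 1, 1: 2, 2: 2}[x]} if u == 'a' else {{0: 0, 1: 0, 2: 1}[x]}}


def ncs_successors(Sa, state, u, nt_min, nt_max, nh_min, nh_max):
    """u-successors of an S_b state (x_1..x_Nt | u_1..u_Nh | Nt_1..Nt_Nt | Nh_1..Nh_Nh),
    newest entry first in each tuple, following the transition rule of the map L."""
    xs, us, nts, nhs = state
    j_star = lam(list(nhs), nh_min, nh_max)
    u_applied = us[nh_max - j_star - 1]          # u_{Nh_max - j*}: newest packet that reached the ZOH
    succ = set()
    for x_new in Sa['Post'](xs[0], u_applied):   # x_1 --u_applied--> x' in S_a
        for nt in range(nt_min, nt_max + 1):     # delay the new measurement will suffer
            for nh in range(nh_min, nh_max + 1): # delay the new control packet will suffer
                succ.add(((x_new,) + xs[:-1], (u,) + us[:-1],
                          (nt,) + nts[:-1], (nh,) + nhs[:-1]))
    return succ


def ncs_output(Sa, state, nt_min, nt_max):
    """H_b = (H_a(x_1), H_a(x_{Nt_max - l*})): plant output at the sensor and at the controller."""
    xs, _, nts, _ = state
    l_star = lam(list(nts), nt_min, nt_max)
    ha = lambda x: Q if x == Q else Sa['H'](x)   # H_a(q) := q
    return (ha(xs[0]), ha(xs[nt_max - l_star - 1]))


def build_ncs(Sa, nt_min, nt_max, nh_min, nh_max):
    """Reachable part of S_b = L(S_a, Nt_min, Nt_max, Nh_min, Nh_max): (initial states, transitions)."""
    init = {((x0,) + (Q,) * (nt_max - 1), (u0,) * nh_max, (nt_max,) * nt_max, (nh_max,) * nh_max)
            for x0 in Sa['X0'] for u0 in Sa['U']}
    trans, seen, todo = {}, set(init), deque(init)
    while todo:
        s = todo.popleft()
        for u in Sa['U']:
            succ = ncs_successors(Sa, s, u, nt_min, nt_max, nh_min, nh_max)
            trans[(s, u)] = succ
            for s2 in succ:
                if s2 not in seen:
                    seen.add(s2)
                    todo.append(s2)
    return init, trans


def is_deterministic(trans):
    return all(len(succ) <= 1 for succ in trans.values())


if __name__ == '__main__':
    print('(4.1)-(4.2) agree with k*(t):', formula_matches_definition(DELAYS, 1, 3))
    init, trans = build_ncs(PLANT, 1, 2, 1, 2)
    print(len({s for s, _ in trans}), 'reachable states,', sum(map(len, trans.values())), 'transitions')
```

With unit delay bounds on both channels the construction is deterministic and reduces to the plant driven by the previous input, whereas with $\tilde{N}, \hat{N} \in [1; 2]$ every input yields four successors, one per choice of the two fresh delays, which is the nondeterminism the text describes; the output of an initial state is $(H_a(x_0), q)$ until a real measurement reaches the controller.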
Note that the choice of the state space $X$ in $S(\tilde{\Sigma})$ allows us to keep track of an adequate number of measurements and control packets and the corresponding delays suffered by them, which is necessary and sufficient in order to consider out-of-order packet arrivals and message rejections as explained in detail in [9, 24]. The choice of the set of initial states $X_0$ keeps the initial input value $u_0$ in the ZOH till new control input values arrive. Moreover, assigning the maximum delay suffered by the dummy symbols ensures that those symbols will not take over an actual packet at the later iterations of the network. The transition relation of $S(\tilde{\Sigma})$ captures in a nondeterministic fashion all the possible successors of a given state of $S(\tilde{\Sigma})$, based on all the possible ordering of measurements arriving to the controller, and of inputs arriving to the ZOH. Let us also remark that the sets of states and inputs of $S(\tilde{\Sigma})$ are uncountable.

Remark 4.1. Note that the output value of any state of $S(\tilde{\Sigma})$ is a pair: the first entry is the output of the plant available at the sensors at times $s_k := k\tau$, and the second one is the output of the plant available at the controller at equal times $s_k$, taking into consideration the occurrence of message rejection (cf. Figure 1 for the pair of outputs). With the output map defined as suggested, the synthesis of controllers may use the first entry of the output pairs to attain the satisfaction of properties, as specifications are usually expressed in terms of the outputs exhibited by the plant, i.e. what is available at the sensors before the network. However, the controller refinement (and any analysis of interconnections) may use the second entry of the output pair, as those are the actual outputs received by the controller. In the present paper we do not dive further into these issues, which are left as object of future research.

5. Symbolic Models for NCS

This section contains the main contributions of the paper. We show the existence and construction of symbolic models for NCS by using an existing symbolic model for the plant $\Sigma$, namely $S_q(\Sigma) := (X_q, X_{q0}, U_q, \xrightarrow[q]{}, Y_q, H_q)$.
Figure 3. The symbol $\sim$ represents any of the following relations: $\preceq^\varepsilon_S$, $\preceq^\varepsilon_{AS}$, and $\cong^\varepsilon_{AS}$. [Figure not reproduced; labels in the figure: $S_*(\tilde{\Sigma})$, $S_q(\Sigma)$, the NCS $\tilde{\Sigma}$, the plant $\Sigma : \dot{\xi} = f(\xi, \upsilon)$, ZOH, Sensor, signals $u_k$, $\upsilon(t)$, $\xi(t)$, $x_k$, and delays $\Delta^{ca}_k$, $\Delta^{sc}_k$.]
Given the metric system $S_q(\Sigma)$, define the new metric system $S_*(\tilde{\Sigma}) := (X_*, X_{*0}, U_*, \xrightarrow[*]{}, Y_*, H_*)$ as $S_*(\tilde{\Sigma}) = \mathcal{L}(S_q(\Sigma), N^{sc}_{\min}, N^{sc}_{\max}, N^{ca}_{\min}, N^{ca}_{\max})$, where the map $\mathcal{L}$ is defined in (4.6). System $S_*(\tilde{\Sigma})$ is constructed in the same way as $S(\tilde{\Sigma})$, but replacing continuous states, inputs, and the transition relation of $S_\tau(\Sigma)$ with the corresponding ones in $S_q(\Sigma)$. We can now state the first pair of major technical results of this work, which are schematically represented in Figure 3.

Theorem 5.1. Consider a NCS $\tilde{\Sigma}$ and suppose that there exists an abstraction $S_q(\Sigma)$ such that $S_q(\Sigma) \preceq^\varepsilon_{AS} S_\tau(\Sigma) \preceq^\varepsilon_S S_q(\Sigma)$. Then we have $S_*(\tilde{\Sigma}) \preceq^\varepsilon_{AS} S(\tilde{\Sigma}) \preceq^\varepsilon_S S_*(\tilde{\Sigma})$.

The proof of Theorem 5.1 is provided in the Appendix.

Corollary 5.2. Consider a NCS $\tilde{\Sigma}$ and suppose that there exists an abstraction $S_q(\Sigma)$ such that $S_q(\Sigma) \cong^\varepsilon_{AS} S_\tau(\Sigma)$. Then we have $S_*(\tilde{\Sigma}) \cong^\varepsilon_{AS} S(\tilde{\Sigma})$.

The proof of Corollary 5.2 is provided in the Appendix.
Remark 5.3. As mentioned earlier, our results do not depend on any assumptions on the controller. Hence, the provided abstractions are amenable to any available synthesis techniques and can be obtained by related software tools, such as SCOTS [21] and SPIN [15], whether resulting in static or dynamic controllers. One can also propose a synthesis algorithm where symbolic models are computed on-the-fly during controller synthesis [18], thus allowing us to keep the number of generated symbolic states as low as possible. This approach has the potential to be more efficient for large systems and is left as object of future research.

Remark 5.4. As discussed earlier, one of the main advantages of the results proposed here in comparison with the ones in [8, 7] is that one can construct symbolic models for NCS using symbolic models obtained exclusively for the plant. Therefore, one can readily extend the proposed results to other classes of control systems for the plants, e.g. stochastic control systems, as long as there exist techniques to construct the corresponding symbolic models. For example, one can leverage the recently developed results in [27], [30] (not requiring state-space gridding), and [26] to construct symbolic models for classes of stochastic plants embedded in NCS.

5.1. Limited bandwidth. Assume that an abstraction $S_q(\Sigma)$ exists such that $S_q(\Sigma) \preceq^\varepsilon_{AS} S_\tau(\Sigma)$, equipped with the alternating $\varepsilon$-approximate simulation relation $R$. From the formal definition of symbolic controllers in [23], one can readily verify the implicit presence of a static set-valued map (a.k.a. quantizer map) $\varphi : X_\tau \to 2^{X_q}$ inside the symbolic controllers, associating to each $x_\tau \in X_\tau$ a set of symbols in $X_q$ as follows:
$$\varphi(x_\tau) = \{x_q \in X_q \mid (x_q, x_\tau) \in R\}.$$
Since the map $\varphi$ is static, one can shift this map towards the sensor in the NCS, as shown in Figure 4, without affecting any of the presented results. This means that in general a set of symbols, rather than only a single quantized one, needs to be sent over the sensor-to-controller branch of the network. Let us provide a simple example illustrating the problem that may arise if only one of the multiple possible symbols is sent instead of all of them.
Figure 4 (diagrams not reproduced in this text: two block diagrams of the NCS $\tilde\Sigma$, each with the plant $\Sigma : \dot\xi = f(\xi, \upsilon)$, sensor, ZOH, the sensor-to-controller and controller-to-actuator channels, and a symbolic controller consisting of a main block together with the maps $\varphi$ and $\psi$; in the second diagram $\varphi$ sits at the sensor side and $\psi$ at the actuator side of the network). Shifting functions $\varphi$ and $\psi$ for the symbolic controller to the other side of the communication network.
Example 5.5. Consider the pair of finite systems in Figure 5, where the initial states are shown as targets of sourceless arrows and the lower part of the states are labeled with their output values. One can readily verify that $R = \{(\bar x_1, x_1), (\bar x_2, x_2), (\bar x_3, x_2)\}$ is an alternating 0-approximate simulation relation from $\bar S$ to $S$. Therefore, $\varphi(x_1) = \{\bar x_1\}$ and $\varphi(x_2) = \{\bar x_2, \bar x_3\}$ is the associated "quantization" map resulting from the relation $R$. Let us consider the new quantization map $\tilde\varphi$ providing only one state of $\bar S$ for each state of $S$: $\tilde\varphi(x_1) = \{\bar x_1\}$ and $\tilde\varphi(x_2) = \{\bar x_3\}$. Consider the problem of synthesizing a controller enforcing the output of $S$ to reach and stay at set $\{2\}$, namely a controller for the LTL specification $\Diamond\Box\{2\}$. There are infinitely many control sequences over $S$ satisfying $\Diamond\Box\{2\}$, e.g. $u_1 u_3 u_3 \cdots$, $u_2 u_2 u_1 u_3 u_3 \cdots$, and $u_2 u_2 u_2 u_2 u_1 u_3 u_3 \cdots$. A possible "static" controller enforcing the desired property could thus be obtained by restricting the set of inputs that the controller offers at each state of the abstracted plant, e.g. a map offering at $\bar x_1$ input $\bar u_1$, at $\bar x_3$ input $\bar u_2$, and at $\bar x_2$ input $\bar u_3$. Using the new quantizer map $\tilde\varphi$, and a controller consisting solely of the map in the previous sentence, however, does not allow us to distinguish between $\bar x_2$ and $\bar x_3$, and the refined control sequences over $S$ would result in $u_1 u_2 u_1 u_2 u_1 u_2 \cdots$. Such a controller would result in the system reaching $\{2\}$ infinitely often on $S$, i.e. $\Box\Diamond\{2\}$, rather than satisfying the requested specification $\Diamond\Box\{2\}$. While this is a clearly concocted example for illustrative purposes, situations analogous to the one captured by this example arise in the construction of abstractions via notions of (alternating) approximate (bi)simulation (e.g. [29]) in which some concrete states may be associated to several abstract states. For more details on this potential problem we refer the interested readers to [20].

Remark 5.6. Unfortunately, the problem we just illustrated may arise in the constructions of [8, 7]. Based on the proposed symbolic abstractions in those works, the set-valued quantizer map $\varphi : \mathbb{R}^n \to 2^{[\mathbb{R}^n]_\eta}$ should be as follows:
$$\varphi(x) = \{x_q \in [\mathbb{R}^n]_\eta \mid \|x - x_q\| \le \varepsilon\},$$
for some given state-space quantization parameter $\eta \in \mathbb{R}^+$ and some precision $\varepsilon \in \mathbb{R}^+$, where $\eta < \varepsilon$; see [8, equation (18)] and [7, equation (5)]. However, [8, 7] use the map $\tilde\varphi : x \mapsto [x]_\eta$, where $[x]_\eta \in [\mathbb{R}^n]_\eta$ associates to every $x \in \mathbb{R}^n$ just one quantized state $[x]_\eta \in [\mathbb{R}^n]_\eta$, such that $\|x - [x]_\eta\| \le \eta/2$.
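To make the refinement failure of Example 5.5 concrete, the following Python script (an added illustration, not code from the paper) closes the loop between the concrete system $S$, the static abstract controller of the example, and either the single-valued quantizer $\tilde\varphi$ or the set-valued $\varphi$, then checks the resulting ultimately periodic output sequence against $\Diamond\Box\{2\}$ and $\Box\Diamond\{2\}$. The transitions of $S$ it uses ($x_1 \xrightarrow{u_1} x_2$, $x_2 \xrightarrow{u_2} x_1$, $x_2 \xrightarrow{u_3} x_2$) are inferred from the runs the example describes; the remaining transitions of Figure 5 are not needed and are not modelled. How a controller resolves the choice among $\{\bar x_2, \bar x_3\}$ offered by $\varphi$ is an assumption of this script: it stands in for a controller with memory that keeps following the abstract run $\bar u_1 \bar u_3 \bar u_3 \cdots$, which the paper's framework allows.

```python
"""Refining the static abstract controller of Example 5.5 through the
single-valued quantizer phi-tilde versus the set-valued phi.
Added illustration; the systems are reconstructed from the text."""

# Concrete system S: states x1 (output 1) and x2 (output 2).  Only the
# transitions used by the runs the example describes are modelled (assumption).
S_OUTPUT = {"x1": 1, "x2": 2}
S_POST = {
    ("x1", "u1"): "x2",  # u1 takes the plant to output 2
    ("x2", "u3"): "x2",  # u3 keeps it there
    ("x2", "u2"): "x1",  # u2 sends it back to output 1
}

# Static abstract controller of the example: the single input offered at each
# state of S-bar (xb1 = x-bar_1, and so on).
CONTROLLER = {"xb1": "u1", "xb3": "u2", "xb2": "u3"}

# Set-valued quantizer phi induced by R, and the single-valued phi-tilde.
PHI = {"x1": {"xb1"}, "x2": {"xb2", "xb3"}}
PHI_TILDE = {"x1": {"xb1"}, "x2": {"xb3"}}


def memoryless_pick(symbols):
    """phi-tilde offers exactly one symbol, so there is nothing to choose."""
    (symbol,) = symbols
    return symbol


def track_abstract_run(symbols):
    """Assumed resolution for the set-valued phi: a controller with memory that
    follows the abstract run xb1 -u1-> xb2 -u3-> xb2 ... picks xb2 whenever it
    is among the symbols received."""
    return "xb2" if "xb2" in symbols else memoryless_pick(symbols)


def closed_loop(quantizer, pick, start="x1"):
    """Run S under the refined controller until a state of S repeats.
    The refinement is memoryless in the state of S, so the run is ultimately
    periodic; it is returned as (prefix, cycle), lists of (input, output)."""
    seen = {start: 0}
    trace = []
    x = start
    while True:
        u = CONTROLLER[pick(quantizer[x])]
        x = S_POST[(x, u)]
        trace.append((u, S_OUTPUT[x]))
        if x in seen:
            k = seen[x]
            return trace[:k], trace[k:]
        seen[x] = len(trace)


def eventually_always(prefix, cycle, good):
    """<>[] good holds on an ultimately periodic run iff every output of the
    repeating part lies in `good`."""
    return all(out in good for _, out in cycle)


def infinitely_often(prefix, cycle, good):
    """[]<> good holds iff some output of the repeating part lies in `good`."""
    return any(out in good for _, out in cycle)


if __name__ == "__main__":
    for name, quantizer, pick in (("phi-tilde", PHI_TILDE, memoryless_pick),
                                  ("phi", PHI, track_abstract_run)):
        pre, cyc = closed_loop(quantizer, pick)
        print(name, "inputs:", [u for u, _ in pre], "then repeat", [u for u, _ in cyc],
              "| <>[]{2}:", eventually_always(pre, cyc, {2}),
              "| []<>{2}:", infinitely_often(pre, cyc, {2}))
```

With $\tilde\varphi$ the loop produces the cycle $u_1 u_2$ with outputs 2, 1, so only $\Box\Diamond\{2\}$ holds; with $\varphi$ and the tracking choice it produces $u_1$ followed by $u_3$ forever and $\Diamond\Box\{2\}$ holds. The LTL checks rely on the run being a lasso, which is why `closed_loop` stops at the first repeated state.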
Figure 5 (diagram not reproduced in this text: the finite system $\bar S$ with states $\bar x_1$, $\bar x_2$, $\bar x_3$, outputs 1, 2, 2 and inputs $\bar u_1$, $\bar u_2$, $\bar u_3$, and the finite system $S$ with states $x_1$, $x_2$, outputs 1, 2 and inputs $u_1$, $u_2$, $u_3$). Finite systems $S$ and $\bar S$.

Similarly, a quantization map $\psi : X_q \times X_\tau \times U_q \to U$ is implicitly contained in the symbolic controllers, associating to each symbol $u_q \in U_q(x_q)$ generated by the controller an input $u \in U_\tau(x_\tau)$ for some $(x_q, x_\tau) \in R$. Unfortunately, the quantization map $\psi$ requires the knowledge of the state of the plant just before the controller. Therefore, one cannot easily shift this map towards the actuator (ZOH) in the NCS scheme. In order to solve this issue, one can simply assume that the set $U$ is finite and $U_q = U$ and adjust condition (iii) in Definition 3.3 as:

(iii) for every $(x_q, x_\tau) \in R$, every $u_q \in U_q(x_q)$, and every $x'_\tau \in \mathrm{Post}_{u_q}(x_\tau)$ there exists $x'_q \in \mathrm{Post}_{u_q}(x_q)$ satisfying $(x'_q, x'_\tau) \in R$,

so that only abstractions $S_q(\Sigma)$ satisfying $S_q(\Sigma) \preceq^\varepsilon_{AS} S_\tau(\Sigma)$ with the new condition (iii) are admitted in our scheme. These modifications simply imply that for each symbolic input $u_q$ in $S_q(\Sigma)$ one should apply the same input to $S_\tau(\Sigma)$. Note that we abused notation by identifying $u_q$ with the constant input curve with domain $[0, \tau[$ and value $u_q$. With these adjustments, one has a new quantizer map $\psi = 1_{U_q}$, which is static and can be shifted towards the actuator (ZOH) in the NCS, as shown in Figure 4. Note that the proposed abstractions in [13, 29, 30, 26, 27] satisfy this new condition in Definition 3.3 by simply taking $U_q = U$ in those results. In general this is a rather natural assum ption, as in practice one usually considers a finite set of available inputs and constructs abstractions accordingly.

6. Space Complexity Analysis

We compare the results provided here with those in [8, 7] in terms of the size of the obtained symbolic models. For the sake of a fair comparison, assume that we also use a grid-based symbolic abstraction for the plant $\Sigma$, with the same sampling time and quantization parameters as the ones in [8, 7].
Note that the provided comparison may still not be complete, because we do not need any requirement on the symbolic controller, while in [8, 7] it is assumed that the symbolic controllers are static. By assuming that we are only interested in the dynamics of $\Sigma$ on a compact set $D \subset \mathbb{R}^n$, the cardinality of the set of states of the symbolic models provided in [8, 7] is:
$$|X_?| = \sum_{i \in \{1\} \cup [N_{\min}; N_{\max}]} |[D]_\eta|^i,$$
where $N_{\min} = N^{sc}_{\min} + N^{ca}_{\min}$, $N_{\max} = N^{sc}_{\max} + N^{ca}_{\max}$, and $[D]_\eta = D \cap [\mathbb{R}^n]_\eta$ for some quantization parameter $\eta \in \mathbb{R}^+$.

Meanwhile, the size of the set of states for the abstractions provided by Theorem 5.1 and Corollary 5.2 is at most:
$$|X_*| = \big(|[D]_\eta| + 1\big)^{N^{sc}_{\max}} \cdot |[U]_\mu|^{N^{ca}_{\max}} \cdot (N^{sc}_{\max} - N^{sc}_{\min} + 1)^{N^{sc}_{\max}} \cdot (N^{ca}_{\max} - N^{ca}_{\min} + 1)^{N^{ca}_{\max}},$$
where $[U]_\mu = U \cap [\mathbb{R}^m]_\mu$ for some quantization parameter $\mu \in \mathbb{R}^+$.

Figure 6 (plots not reproduced in this text; axes $\log_{10}|S_1|$ and $\log_{10}|S_2|$ against $\log_{10}|[U]_\mu|$ and $\log_{10}|[D]_\eta|$ in the upper panel, and against $\log_{10}|[U]_\mu|$ and $N^{ca}_{\max} - N^{ca}_{\min}$ (or $N^{sc}_{\max} - N^{sc}_{\min}$) in the lower panel). Upper panel: sizes of $S_?(\tilde\Sigma)$ and $S_*(\tilde\Sigma)$ for different values of $|[D]_\eta|$ and $|[U]_\mu|$, where $N^{ca}_{\max} = N^{sc}_{\max} = 6$, $N^{ca}_{\min} = N^{sc}_{\min} = 1$, and $S_1 = S_?(\tilde\Sigma)$ and $S_2 = S_*(\tilde\Sigma)$. Lower panel: sizes of $S_?(\tilde\Sigma)$ and $S_*(\tilde\Sigma)$ for different values of $|[U]_\mu|$ and of $N^{ca}_{\max} - N^{ca}_{\min}$ (or $N^{sc}_{\max} - N^{sc}_{\min}$), where $|[D]_\eta| = 10^7$.

Note that there may exist some states of $X_*$ that are not reachable from any of the initial states $x_{*0} \in X_{*0}$ due to the combination of the delays in both channels of the network and, hence, one can exclude them from the set of states $X_*$ without loss of generality. Therefore, the actual size of the state set $X_*$ may be less than the aforementioned computed ones, as in the second example in Section 7. One can easily verify that the size of the symbolic models proposed in [8, 7] is at most:
$$|S_?(\tilde\Sigma)| = K\,|X_?|\,|[U]_\mu|\,(N_{\max} - N_{\min} + 1) = K \sum_{i \in \{1\} \cup [N_{\min}; N_{\max}]} |[D]_\eta|^i\,|[U]_\mu|\,(N_{\max} - N_{\min} + 1), \qquad (6.1)$$
where $K$ is the maximum number of $u$-successors of any state of the symbolic model $S_q(\Sigma)$ for $u \in [U]_\mu$. Note that with the results proposed in [13] one has $K = 1$ because $S_q(\Sigma)$ is a deterministic system, while with the ones proposed in [29] one has $K \ge 1$ because $S_q(\Sigma)$ is a nondeterministic system and the value of $K$ depends on the functions $\beta$ and $\gamma$ in (2.2); see [29] for more details. The size of the symbolic models provided in this paper is at most:
$$|S_*(\tilde\Sigma)| = K\,|X_*|\,|[U]_\mu|\,(N^{sc}_{\max} - N^{sc}_{\min} + 1)(N^{ca}_{\max} - N^{ca}_{\min} + 1) = K \big(|[D]_\eta| + 1\big)^{N^{sc}_{\max}} \cdot |[U]_\mu|^{N^{ca}_{\max}+1} \cdot (N^{sc}_{\max} - N^{sc}_{\min} + 1)^{N^{sc}_{\max}+1} \cdot (N^{ca}_{\max} - N^{ca}_{\min} + 1)^{N^{ca}_{\max}+1}, \qquad (6.2)$$
with the same $K$ as in (6.1). The symbolic model $S_*(\tilde\Sigma)$ can have a smaller size for some large values of $N^{sc}_{\max}$ and $N^{ca}_{\max}$ and for $|[D]_\eta| \gg |[U]_\mu|$, as depicted in Figure 6 (upper panel) by fixing $N^{ca}_{\max} = N^{sc}_{\max} = 6$ and $N^{ca}_{\min} = N^{sc}_{\min} = 1$. On the other hand, the symbolic model $S_?(\tilde\Sigma)$ can have a smaller size for some large values of $|[U]_\mu|$ and of $N^{ca}_{\max} - N^{ca}_{\min}$ (or $N^{sc}_{\max} - N^{sc}_{\min}$), as depicted in Figure 6 (lower panel) by fixing $|[D]_\eta| = 10^7$.

Note that in the special case when $N^{sc}_{\max} = N^{sc}_{\min} = 1$, the dummy symbol $q$ is not necessary in the definition of $X_*$, hence:
$$|X_*| = |[D]_\eta|\,|[U]_\mu|^{N^{ca}_{\max}} \cdot (N^{ca}_{\max} - N^{ca}_{\min} + 1)^{N^{ca}_{\max}}. \qquad (6.3)$$
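The bounds (6.1), (6.2) and (6.3) are easy to evaluate mechanically, which makes the trade-off of Figure 6 and the figures quoted in the case studies of Section 7 checkable. The following Python functions are an added example (not the paper's code): `D` and `U` stand for the counts $|[D]_\eta|$ and $|[U]_\mu|$, `K` for the successor bound of (6.1), and the remaining arguments for the four delay bounds. Two arithmetic facts the code makes visible: with the Case study 1 parameters the quoted figure 8504352 is the value of the dummy-symbol form (6.2), i.e. $(6561 + 1) \cdot 3^4 \cdot 2^4$, while the form without the dummy symbol, (6.3), gives $6561 \cdot 3^4 \cdot 2^4 = 8503056$; and with the Case study 2 parameters (6.3) gives the 32 states the text quotes.

```python
"""Space-complexity bounds (6.1)-(6.3) for the two NCS abstraction schemes.
Added example; parameter names follow the paper, D = |[D]_eta|, U = |[U]_mu|."""
import math


def num_states_gridded(D, U, nsc_min, nsc_max, nca_min, nca_max):
    """|X_?| of the abstractions in [8, 7]: a state is a tuple of either 1 or
    N_min..N_max grid points, N_min/N_max being the end-to-end delay bounds."""
    n_min, n_max = nsc_min + nca_min, nsc_max + nca_max
    lengths = {1} | set(range(n_min, n_max + 1))
    return sum(D ** i for i in lengths)


def size_gridded(D, U, nsc_min, nsc_max, nca_min, nca_max, K=1):
    """|S_?(Sigma~)| per (6.1): every state has |[U]_mu| inputs, each with
    N_max - N_min + 1 delay choices and at most K plant successors."""
    n_min, n_max = nsc_min + nca_min, nsc_max + nca_max
    states = num_states_gridded(D, U, nsc_min, nsc_max, nca_min, nca_max)
    return K * states * U * (n_max - n_min + 1)


def num_states_proposed(D, U, nsc_min, nsc_max, nca_min, nca_max, dummy=True):
    """|X_*| of Theorem 5.1 / Corollary 5.2.  dummy=True is the general bound
    with the dummy symbol q; dummy=False is the special case (6.3), which the
    paper states for N^sc_max = N^sc_min = 1."""
    sc_range = nsc_max - nsc_min + 1
    ca_range = nca_max - nca_min + 1
    if dummy:
        return ((D + 1) ** nsc_max * U ** nca_max
                * sc_range ** nsc_max * ca_range ** nca_max)
    assert nsc_min == nsc_max == 1, "(6.3) assumes N^sc_max = N^sc_min = 1"
    return D * U ** nca_max * ca_range ** nca_max


def size_proposed(D, U, nsc_min, nsc_max, nca_min, nca_max, K=1, dummy=True):
    """|S_*(Sigma~)| per (6.2): |X_*| times the input and delay choices."""
    sc_range = nsc_max - nsc_min + 1
    ca_range = nca_max - nca_min + 1
    states = num_states_proposed(D, U, nsc_min, nsc_max, nca_min, nca_max, dummy)
    return K * states * U * sc_range * ca_range


def smaller_model(D, U, nsc_min, nsc_max, nca_min, nca_max, K=1):
    """Which construction gives the smaller symbolic model for these parameters."""
    gridded = size_gridded(D, U, nsc_min, nsc_max, nca_min, nca_max, K)
    proposed = size_proposed(D, U, nsc_min, nsc_max, nca_min, nca_max, K)
    return "proposed" if proposed < gridded else "gridded"


if __name__ == "__main__":
    # Case study 1: |X_q| = 6561, |[U]_1| = 3, N^sc in [1;1], N^ca in [2;3].
    print("case study 1, (6.2):", size_proposed(6561, 3, 1, 1, 2, 3))
    print("case study 1, (6.3):", size_proposed(6561, 3, 1, 1, 2, 3, dummy=False))
    grid = (8 / 0.18) ** 6  # |[D]_eta| for D = [-4, 4]^6 and eta = 0.18
    print("case study 1, [8] gridded, log10:", math.log10(size_gridded(grid, 3, 1, 1, 2, 3)))
    print("case study 1, gridded plant + (6.3), log10:",
          math.log10(size_proposed(grid, 3, 1, 1, 2, 3, dummy=False)))
    # Figure 6, upper panel setting: |[D]_eta| >> |[U]_mu| favours the proposed scheme.
    print("D=1e7, U=10, N in [1;6]:", smaller_model(10 ** 7, 10, 1, 6, 1, 6))
    # Large |[U]_mu| and a wide N^ca range favour the gridded scheme instead.
    print("D=1e7, U=1e7, N^ca in [1;10]:", smaller_model(10 ** 7, 10 ** 7, 1, 1, 1, 10))
```

Integer arguments keep the counts exact (Python integers do not overflow), and `math.log10` accepts them directly, which is convenient for the $10^{40}$-scale values of Case study 1.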
Remark 6.1. In [8, Remark 5.2] the authors suggest a more concise representation for their proposed finite abstractions of NCS, in order to reduce the space complexity. However, this representation is only applicable if the plant $\Sigma$ is $\delta$-ISS. Hence, for general classes of plants $\Sigma$ in the NCS, the approach proposed in this work can be more appropriate in terms of the size of the abstractions, particularly for large values of $N_{\max}$ and for $|[D]_\eta| \gg |[U]_\mu|$.

7. Example

Here, we provide two case studies illustrating the proposed approach. The first case study illustrates one of the main advantages of our proposed techniques in comparison with the ones in [8, 7], namely, not requiring a state-space grid-based approach to construct the symbolic models of the NCS. The second case study illustrates the construction of the symbolic model of a NCS by using the symbolic model of the plant in it.

7.1. Case study 1. Consider a linear plant $\Sigma$, a non-stochastic version of the example in [30], described by:
$$\Sigma : \dot\xi = A\xi + B\upsilon,$$
where
$$A = \begin{pmatrix} -20.73 & 0.45 & -0.77 & 0.92 & 0.68 & 0.95 \\ -22.41 & -1.73 & -0.14 & 0.47 & 0.57 & -0.74 \\ -23.57 & 0.37 & 0.58 & -0.71 & 0.07 & 1.04 \\ -21.41 & -1 & -0.95 & 0.47 & 0.96 & -1.34 \\ -23.96 & 1.72 & 0.37 & -0.21 & -0.43 & 0.89 \\ 1.28 & 0.77 & 0.57 & 0.14 & 0.11 & -22.91 \end{pmatrix}^T, \qquad B = \begin{pmatrix} 0 & 0 & 0 & 0 & 0 & 100 \end{pmatrix}^T.$$
We assume that $U = [-1, 1]$ and that $\mathcal{U}$ contains curves taking values in $[U]_1$. We consider the dynamics of $\Sigma$ over the subset $D = [-4, 4]^6$ of $\mathbb{R}^6$, a precision $\varepsilon = 1$, and a sampling time $\tau = 0.01$. Assume that the delays in different parts of the network are as follows: $N^{sc}_{\min} = 1$, $N^{sc}_{\max} = 1$, $N^{ca}_{\min} = 2$, and $N^{ca}_{\max} = 3$. Using the abstraction technique in [30], the resulting cardinality of the set of states for an $\varepsilon$-approximately bisimilar symbolic model $S_q(\Sigma)$ is $|X_q| = 3^8 = 6561$. Using the proposed results in Corollary 5.2 and equation (6.3), one obtains
$$|S_*(\tilde\Sigma)| = |X_q| \cdot |[U]_\mu|^{N^{ca}_{\max}+1} \cdot (N^{ca}_{\max} - N^{ca}_{\min} + 1)^{N^{ca}_{\max}+1} = 6561 \times 3^4 \times 2^4 = 8504352$$
for the general symbolic controller. On the other hand, employing the results in [8], one obtains the quantization parameter $\eta \le 0.18$. Therefore, the cardinality of the symbolic model provided by the results in [8] is equal to
$$|S_?(\tilde\Sigma)| = \sum_{i=1,\, i \ne 2}^{4} \left(\frac{8}{0.18}\right)^{6i} \times 3 \times 2 \approx 10^{40},$$
which is clearly much higher than the one proposed here, while considering static symbolic controllers. Note that if we also use a grid-based symbolic abstraction for the plant $\Sigma$, we obtain
$$|S_*(\tilde\Sigma)| = |[D]_\eta| \cdot |[U]_\mu|^{N^{ca}_{\max}+1} \cdot (N^{ca}_{\max} - N^{ca}_{\min} + 1)^{N^{ca}_{\max}+1} = \left(\frac{8}{0.18}\right)^6 \times 3^4 \times 2^4 \approx 10^{13},$$
which is still much lower than the size of $S_?(\tilde\Sigma)$.
7.2. Case study 2. Here we elucidate the results of the paper on the construction of the symbolic model of a NCS $\tilde\Sigma$. Assume that the plant $\Sigma$ of a NCS $\tilde\Sigma$ admits a simple $\varepsilon$-approximate bisimilar symbolic model $S_q(\Sigma)$ with only two states as depicted in Figure 7, where the initial states are shown as targets of sourceless arrows. One can readily verify that $X_q = X_{q0} = \{x, y\}$, $U_q = \{a, b\}$, $\xrightarrow[q]{} = \{(x, a, x), (x, b, y), (y, a, x), (y, b, y)\}$, $Y_q = \{Z, W\}$, $H_q(x) = Z$, and $H_q(y) = W$. Here we assume that $N^{sc}_{\min} = N^{sc}_{\max} = N^{ca}_{\min} = 1$ and $N^{ca}_{\max} = 2$. The resulting $\varepsilon$-approximate bisimilar symbolic model $S_*(\tilde\Sigma)$ of $S(\tilde\Sigma)$ is depicted in Figure 8. The initial states of $S_*(\tilde\Sigma)$ are also shown as targets of sourceless and thicker arrows in Figure 8. The output values of the states of $S_*(\tilde\Sigma)$ are $Z$ or $W$ if the first elements of the states are $x$ or $y$, respectively; these are not shown in Figure 8 for the sake of simplicity. One can readily see that the number of states of $X_*$ is 24, which is less than the computed one in (6.3) that equals 32, since states $(x, a, b, 1, 1)$, $(y, a, a, 1, 1)$, $(x, b, b, 2, 1)$, $(y, b, a, 2, 1)$, $(y, a, a, 2, 1)$, $(y, b, a, 1, 1)$, $(x, b, b, 1, 1)$, and $(x, a, b, 2, 1)$ are not reachable from the initial states.
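The construction of Case study 2 can be carried out mechanically, and doing so shows where the gap between the 32 states of (6.3) and the 24 reachable ones comes from. The Python script below is an added example, not the paper's code. Because the map $\mathcal{L}$ of (4.6) is not reproduced in this text, the transition semantics is an assumption reconstructed from the proof of Theorem 5.1 in the Appendix: a state is $(x, u_1, \ldots, u_{N^{ca}_{\max}}, \hat N_1, \ldots, \hat N_{N^{ca}_{\max}})$, where $u_i$ is the control symbol sent $i$ sampling periods ago and $\hat N_i$ its delay; the input applied to the plant over the last period is the most recent buffered symbol that had already arrived, i.e. the smallest $i$ with $\hat N_i \le i$ (older arrivals are rejected), and a transition under a new symbol $u$ shifts the buffers and picks a new delay nondeterministically in $[N^{ca}_{\min}; N^{ca}_{\max}]$. With $N^{sc}_{\min} = N^{sc}_{\max} = 1$ the sensor-side components are constant and are omitted, as in (6.3). Under this semantics the reachable set matches the 24-state description and the eight unreachable states listed above.

```python
"""Building S_*(Sigma~) for the two-state S_q(Sigma) of Case study 2 and
enumerating its reachable part.  Added example; the transition semantics is an
assumption reconstructed from the Appendix (see the lead-in)."""
from itertools import product

# S_q(Sigma) of Case study 2, exactly as given in the text.
XQ0 = XQ = ("x", "y")
UQ = ("a", "b")
POST_Q = {("x", "a"): "x", ("x", "b"): "y", ("y", "a"): "x", ("y", "b"): "y"}
HQ = {"x": "Z", "y": "W"}

NCA_MIN, NCA_MAX = 1, 2  # controller-to-actuator delay bounds of the case study

# The eight states the text reports as unreachable, for comparison.
PAPER_UNREACHABLE = {
    ("x", "a", "b", 1, 1), ("y", "a", "a", 1, 1), ("x", "b", "b", 2, 1),
    ("y", "b", "a", 2, 1), ("y", "a", "a", 2, 1), ("y", "b", "a", 1, 1),
    ("x", "b", "b", 1, 1), ("x", "a", "b", 2, 1),
}


def applied_input(delays):
    """1-based index of the newest buffered symbol that has already arrived:
    the symbol sent i periods ago with delay d has arrived iff d <= i."""
    for i, d in enumerate(delays, start=1):
        if d <= i:
            return i
    raise AssertionError("the oldest symbol always satisfies d <= N^ca_max")


def post(state, u):
    """Successors of `state` under the new controller symbol `u` (assumed
    semantics): the plant moves under the applied symbol, the buffers shift,
    and the new symbol's delay is any value in [N^ca_min; N^ca_max]."""
    x = state[0]
    inputs = state[1:1 + NCA_MAX]
    delays = state[1 + NCA_MAX:]
    x_next = POST_Q[(x, inputs[applied_input(delays) - 1])]
    return {(x_next, u) + inputs[:-1] + (nhat,) + delays[:-1]
            for nhat in range(NCA_MIN, NCA_MAX + 1)}


def initial_states():
    """(x0, u0, ..., u0, N^ca_max, ..., N^ca_max), as in the proof of Theorem 5.1."""
    return {(x0,) + (u0,) * NCA_MAX + (NCA_MAX,) * NCA_MAX
            for x0 in XQ0 for u0 in UQ}


def all_states():
    """The full state set counted by (6.3)."""
    delays = range(NCA_MIN, NCA_MAX + 1)
    return {(x,) + us + ds
            for x in XQ
            for us in product(UQ, repeat=NCA_MAX)
            for ds in product(delays, repeat=NCA_MAX)}


def reachable_states():
    """Breadth-first exploration from the initial states over all symbols."""
    frontier = list(initial_states())
    seen = set(frontier)
    while frontier:
        s = frontier.pop()
        for u in UQ:
            for t in post(s, u):
                if t not in seen:
                    seen.add(t)
                    frontier.append(t)
    return seen


def output(state):
    """H_*: the output of the first component, as the case study describes."""
    return HQ[state[0]]


if __name__ == "__main__":
    reach = reachable_states()
    print("states by (6.3):", len(all_states()), "reachable:", len(reach))
    print("unreachable:", sorted(all_states() - reach))
    print("matches the paper's list:", all_states() - reach == PAPER_UNREACHABLE)
```

The unreachable states are exactly those with $\hat N_2 = 1$ whose plant component disagrees with the symbol $u_2$: a delay of 1 on that symbol means it was applied over the last period, so the plant state must be its successor. Changing `NCA_MIN`, `NCA_MAX` or `POST_Q` regenerates the model for other two-state plants under the same assumed semantics.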
Figure 7 (diagram not reproduced in this text: two states $x$ and $y$ with self-loops under $a$ at $x$ and under $b$ at $y$, and transitions $x \xrightarrow{b} y$ and $y \xrightarrow{a} x$). Finite system describing $S_q(\Sigma)$. The lower part of the states are labeled with the outputs ($Z$ and $W$).
Figure 8 (diagram not reproduced in this text: the 24 reachable states of $S_*(\tilde\Sigma)$, written as tuples such as $(x, a, a, 2, 2)$ and $(y, b, b, 1, 1)$, with transitions labeled $a$ and $b$). The resulting bisimilar symbolic model $S_*(\tilde\Sigma)$ of the NCS $\tilde\Sigma$.

8. Relationship to Adjacent Work
Both our work and the ones in [8, 7] explicitly consider the network non-idealities (i), (ii), and (iv) acting on the NCS simultaneously. The results in [8, 7] provide symbolic models obtained via gridding techniques (discretization of state and control sets), which in practice are likely to suffer severely from the curse of dimensionality. However, in our proposed framework one can directly employ available and well-investigated symbolic models obtained exclusively for the plant, including full grid-based approaches [13, 29], newer partial grid-based ones [30] as already leveraged in Case Study 1, and non-grid-based ones [25], and then construct symbolic models for the overall NCS. While the results in [8, 7] do not consider the possibility of out-of-order packet arrivals and message rejections, i.e. the effect of older data being neglected because more recent data is available, we consider them in this work. The results in [8, 7] only consider static (i.e. memoryless) symbolic controllers, whereas general temporal logic specifications are often shown to require dynamic (i.e. with memory) symbolic controllers [5], which are indeed allowed in our framework. While the results in [8, 7] can only address specifications expressed in terms of specific types of nondeterministic automata, our results enable the study of larger classes of logical specifications, such as those expressed as general LTL formulae or as automata on infinite strings. Besides these differences, the fundamental distinguishing feature of our work with respect to the recent contributions in [8, 7] is the nature of the triggering mechanism for message transmission: [8, 7] consider an event-triggered mechanism, in which new sensor measurements are transmitted only once the actuator is updated with the control input computed using the last transmitted measurement. While preventing measurements from arriving out of order, this restricts the applicability to systems in which sensors and actuators are co-located. In our approach, on the other hand, the sensors and controllers send new measurements/control updates in a periodic fashion. This forces dealing explicitly with out-of-order messages, but in exchange it removes any restriction on the location of sensors, controllers, or actuators.
Note that additionally, our formulation still allows us to capture implementations with transmissions of measurements/control updates triggered by the satisfaction of certain conditions (i.e. event-based control), by encoding such restrictions in the plant model.

9. Discussion and Conclusions

In this paper we have provided a construction of symbolic models for NCS, subject to the following non-idealities: variable communication delays, quantization errors, packet losses, and limited bandwidth. This novel approach is practically relevant since it can leverage any existing symbolic model for the plant, and in particular is not limited to grid-based ones and is extendible to work over stochastic plants; both features are the current focus of active investigation elsewhere. Furthermore, this approach can be applied to treat any quantitative specification expressed as a formula in LTL or as an automaton on infinite strings, without requiring any additional re-formulation. Future work will concentrate on the following goals: 1) providing efficient implementations of the symbolic models, the existence of which has been shown in this work, on top of the recently developed synthesis toolbox SCOTS [21]; 2) the construction of symbolic models for NCS with explicit probabilistic structure over the transmission intervals, communication delays, and packet dropouts; 3) the construction of symbolic models for still more general NCS, by considering additional network non-idealities, in particular time-varying sampling and transmission intervals; and 4) the study of interconnections and synthesis employing the different outputs enabled by our abstractions at the sensor and controller side.

10. Acknowledgments

The authors would like to thank Matthias Rungger for fruitful technical discussions over Subsection 5.1.

References

[1] R. Alur, A. D'Innocenzo, K. H. Johansson, G. J. Pappas, and G. Weiss. Compositional modeling and analysis of multi-hop control networks. IEEE Transactions on Automatic Control, 56(10):2345–2357, 2011.
[2] D. Angeli. A Lyapunov approach to incremental stability properties. IEEE Transactions on Automatic Control, 47(3):410–421, 2002.
[3] D. Angeli and E. D. Sontag. Forward completeness, unboundedness observability, and their Lyapunov characterizations. Systems and Control Letters, 38:209–217, 1999.
[4] D. Antunes, J. P. Hespanha, and C. Silvestre. Volterra integral approach to impulsive renewal systems: Application to networked control. IEEE Transactions on Automatic Control, 57(3):607–619, March 2012.
[5] C. Baier and J. P. Katoen. Principles of model checking. The MIT Press, April 2008.
[6] N. W. Bauer, P. J. H. Maas, and W. P. M. H. Heemels. Stability analysis of networked control systems: a sum of squares approach. Automatica, 48(8):1514–1524, 2012.
[7] A. Borri, G. Pola, and M. D. Di Benedetto. Integrated symbolic design of unstable nonlinear networked control systems. In Proceedings of the 51st IEEE Conference on Decision and Control, December 2012.
[8] A. Borri, G. Pola, and M. D. Di Benedetto. A symbolic approach to the design of nonlinear networked control systems. In Proceedings of the 15th International Conference on Hybrid Systems: Computation and Control, pages 255–264, April 2012.
[9] M. B. G. Cloosterman, N. van de Wouw, W. P. M. H. Heemels, and H. Nijmeijer. Stability of networked control systems with uncertain time-varying delays. IEEE Transactions on Automatic Control, 54(7):1575–1580, July 2009.
[10] H. Gao, T. Chen, and J. Lam. A new delay system approach to network-based control. Automatica, 44(1):39–52, 2008.
[11] A. Girard. Synthesis using approximately bisimilar abstractions: state-feedback controllers for safety specifications. In Proceedings of the 13th International Conference on Hybrid Systems: Computation and Control, pages 111–120, April 2010.
[12] A. Girard and G. J. Pappas. Approximation metrics for discrete and continuous systems. IEEE Transactions on Automatic Control, 25(5):782–798, 2007.
[13] A. Girard, G. Pola, and P. Tabuada. Approximately bisimilar symbolic models for incrementally stable switched systems. IEEE Transactions on Automatic Control, 55(1):116–126, 2009.
[14] W. P. M. H. Heemels and N. van de Wouw. Stability and stabilization of networked control systems. In A. Bemporad, W. P. M. H. Heemels, and M. Johansson, editors, Networked Control Systems, volume 406 of Lecture Notes in Control and Information Sciences, pages 203–253. Springer London, 2010.
[15] G. Holzmann. The SPIN model checker: Primer and reference manual. Addison-Wesley Professional, 1st edition, 2003.
[16] O. Maler, A. Pnueli, and J. Sifakis. On the synthesis of discrete controllers for timed systems. In Proceedings of the 12th Annual Symposium on Theoretical Aspects of Computer Science, 900:229–242, 1995.
[17] D. Nesic and D. Liberzon. A unified framework for design and analysis of networked and quantized control systems. IEEE Transactions on Automatic Control, 54(4):732–747, 2009.
[18] G. Pola, A. Borri, and M. D. Di Benedetto. Integrated design of symbolic controllers for nonlinear systems. IEEE Transactions on Automatic Control, 57(2):534–539, February 2012.
[19] G. Pola and P. Tabuada. Symbolic models for nonlinear control systems: alternating approximate bisimulations. SIAM Journal on Control and Optimization, 48(2):719–733, 2009.
[20] G. Reissig, A. Weber, and M. Rungger. Feedback refinement relations for the synthesis of symbolic controllers. arXiv:1503.03715, March 2015.
[21] M. Rungger and M. Zamani. SCOTS: A tool for the synthesis of symbolic controllers. In Proceedings of the 19th International Conference on Hybrid Systems: Computation and Control. ACM New York, NY, USA, April 2016, to appear.
[22] E. D. Sontag. Mathematical control theory: Deterministic finite dimensional systems, volume 6. Springer-Verlag, New York, 2nd edition, 1998.
[23] P. Tabuada. Verification and Control of Hybrid Systems, A symbolic approach. Springer US, 2009.
[24] N. van de Wouw, D. Nesic, and W. P. M. H. Heemels. A discrete-time framework for stability analysis of nonlinear networked control systems. Automatica, 48(6):1144–1153, June 2012.
[25] B. Yordanov, J. Tumova, I. Cerna, J. Barnat, and C. Belta. Formal analysis of piecewise affine systems through formula-guided refinement. Automatica, 49(1):261–266, January 2013.
[26] M. Zamani, P. Mohajerin Esfahani, A. Abate, and J. Lygeros. Symbolic models for stochastic control systems without stability assumptions. In Proceedings of the European Control Conference, pages 4257–4262, July 2013.
[27] M. Zamani, P. Mohajerin Esfahani, R. Majumdar, A. Abate, and J. Lygeros. Symbolic control of stochastic systems via approximately bisimilar finite abstractions. IEEE Transactions on Automatic Control, Special Issue on Control of Cyber-Physical Systems, 59(12):3135–3150, December 2014.
[28] M. Zamani, M. Mazo Jr., and A. Abate. Finite abstractions of networked control systems. In Proceedings of the 53rd IEEE Conference on Decision and Control, pages 95–100, December 2014.
[29] M. Zamani, G. Pola, M. Mazo Jr., and P. Tabuada. Symbolic models for nonlinear control systems without stability assumptions. IEEE Transactions on Automatic Control, 57(7):1804–1809, July 2012.
[30] M. Zamani, I. Tkachev, and A. Abate. Bisimilar symbolic models for stochastic control systems without state-space discretization. In Proceedings of the 17th International Conference on Hybrid Systems: Computation and Control, pages 41–50. ACM New York, NY, USA, April 2014.
11. Appendix

Proof of Theorem 5.1. We start by proving $S_*(\tilde\Sigma) \preceq^\varepsilon_{AS} S(\tilde\Sigma)$. Since $S_q(\Sigma) \preceq^\varepsilon_{AS} S_\tau(\Sigma)$, there exists an alternating $\varepsilon$-approximate simulation relation $R$ from $S_q(\Sigma)$ to $S_\tau(\Sigma)$. Consider the relation $\tilde R \subseteq X_* \times X$ defined by $(x_*, x) \in \tilde R$, where
$$x_* = \big(x_{*1}, \ldots, x_{*N^{sc}_{\max}}, u_{*1}, \ldots, u_{*N^{ca}_{\max}}, \tilde N_{*1}, \ldots, \tilde N_{*N^{sc}_{\max}}, \hat N_{*1}, \ldots, \hat N_{*N^{ca}_{\max}}\big)$$
and
$$x = \big(x_1, \ldots, x_{N^{sc}_{\max}}, \upsilon_1, \ldots, \upsilon_{N^{ca}_{\max}}, \tilde N_1, \ldots, \tilde N_{N^{sc}_{\max}}, \hat N_1, \ldots, \hat N_{N^{ca}_{\max}}\big),$$
if and only if $\tilde N_{*i} = \tilde N_i$, $\forall i \in [1; N^{sc}_{\max}]$, $\hat N_{*j} = \hat N_j$, $\forall j \in [1; N^{ca}_{\max}]$, $(x_{*k}, x_k) \in R$, $\forall k \in [1; N^{sc}_{\max}]$, and for each $u_{*i}$ and the corresponding $\upsilon_i$ there exists $x'_* \in \mathrm{Post}_{u_{*i}}(x_*)$ such that $(x'_*, \xi_{x\upsilon_i}(\tau)) \in R$ for any $i \in [1; N^{ca}_{\max}]$ and any $(x_*, x) \in R$. Note that if $U_\tau = U_q$ and they are finite then the last condition of the relation $\tilde R$ is nothing more than requiring $u_{*i} = \upsilon_i$ for any $i \in [1; N^{ca}_{\max}]$.

Consider $x_{*0} := (x_{*0}, q, \ldots, q, u_{*0}, \ldots, u_{*0}, N^{sc}_{\max}, \ldots, N^{sc}_{\max}, N^{ca}_{\max}, \ldots, N^{ca}_{\max}) \in X_{*0}$. Due to the relation $R$, there exist $x_0 \in X_{\tau 0}$ such that $(x_{*0}, x_0) \in R$ and $\upsilon_0 \in U_\tau$ such that there exists $x'_* \in \mathrm{Post}_{u_{*0}}(x_*)$ satisfying $(x'_*, \xi_{x\upsilon_0}(\tau)) \in R$ for any $(x_*, x) \in R$. Hence, by choosing $x_0 := (x_0, q, \ldots, q, \upsilon_0, \ldots, \upsilon_0, N^{sc}_{\max}, \ldots, N^{sc}_{\max}, N^{ca}_{\max}, \ldots, N^{ca}_{\max}) \in X_0$, one gets $(x_{*0}, x_0) \in \tilde R$ and condition (i) in Definition 3.3 is satisfied.

Now consider any $(x_*, x) \in \tilde R$, with $x_*$ and $x$ as in the definition of $\tilde R$. Since $\tilde N_{*i} = \tilde N_i$, $\forall i \in [1; N^{sc}_{\max}]$, and $\hat N_{*j} = \hat N_j$, $\forall j \in [1; N^{ca}_{\max}]$, and using the definitions of $S_*(\tilde\Sigma)$ and $S(\tilde\Sigma)$, one obtains $H_*(x_*) = (x_{*1}, x_{*k})$ and $H(x) = (x_1, x_k)$, for some $k \in [N^{sc}_{\min}; N^{sc}_{\max}]$ (cf. Definitions $S_*(\tilde\Sigma)$ and $S(\tilde\Sigma)$). Since $(x_{*i}, x_i) \in R$, $\forall i \in [1; N^{sc}_{\max}]$, one gets $d_{Y_\tau}(H_q(x_{*i}), H_\tau(x_i)) \le \varepsilon$, $\forall i \in [1; N^{sc}_{\max}]$. Therefore, $d_Y(H_*(x_*), H(x)) = \max\{d_{Y_\tau}(H_q(x_{*1}), H_\tau(x_1)), d_{Y_\tau}(H_q(x_{*k}), H_\tau(x_k))\} \le \varepsilon$ and condition (ii) in Definition 3.3 is satisfied.

Let us now show that condition (iii) in Definition 3.3 holds. Consider any $(x_*, x) \in \tilde R$, with $x_*$ and $x$ as in the definition of $\tilde R$. Consider any $u_* \in U_*(x_*) = U_q$. Using the relation $R$, there exist $\upsilon \in U(x) = U_\tau$ and $\grave x_* \in \mathrm{Post}_{u_*}(x_*)$ such that $(\grave x_*, \xi_{x\upsilon}(\tau)) \in R$ for any $(x_*, x) \in R$. Now consider any
$$x' = \big(x', x_1, \ldots, x_{N^{sc}_{\max}-1}, \upsilon, \upsilon_1, \ldots, \upsilon_{N^{ca}_{\max}-1}, \tilde N, \tilde N_1, \ldots, \tilde N_{N^{sc}_{\max}-1}, \hat N, \hat N_1, \ldots, \hat N_{N^{ca}_{\max}-1}\big) \in \mathrm{Post}_\upsilon(x) \subseteq X$$
for some $\tilde N \in [N^{sc}_{\min}; N^{sc}_{\max}]$ and $\hat N \in [N^{ca}_{\min}; N^{ca}_{\max}]$, where $x' = \xi_{x_1\upsilon_k}(\tau)$ for some given $k \in [N^{ca}_{\min}; N^{ca}_{\max}]$ (cf. Definition $S(\tilde\Sigma)$). Because of the relation $R$, there exists $x'_* \in \mathrm{Post}_{u_{*k}}(x_{*1})$ in $S_q(\Sigma)$ such that $(x'_*, x') \in R$. Hence, due to the definition of $S_*(\tilde\Sigma)$, one can choose
$$x'_* = \big(x'_*, x_{*1}, \ldots, x_{*(N^{sc}_{\max}-1)}, u_*, u_{*1}, \ldots, u_{*(N^{ca}_{\max}-1)}, \tilde N, \tilde N_1, \ldots, \tilde N_{N^{sc}_{\max}-1}, \hat N, \hat N_1, \ldots, \hat N_{N^{ca}_{\max}-1}\big) \in \mathrm{Post}_{u_*}(x_*) \subseteq X_*.$$
Due to the relation $R$, one can verify that $d_{Y_\tau}(H_q(x'_*), H_\tau(x')) \le \varepsilon$. Since $d_{Y_\tau}(H_q(x_{*j}), H_\tau(x_j)) \le \varepsilon$, $\forall j \in [1; N^{sc}_{\max}-1]$, one gets $d_Y(H_*(x'_*), H(x')) = \max\{d_{Y_\tau}(H_q(x'_*), H_\tau(x')), d_{Y_\tau}(H_q(x_{*k}), H_\tau(x_k))\} \le \varepsilon$, for some given$^3$ $k \in [N^{sc}_{\min}-1; N^{sc}_{\max}-1]$ (cf. Definitions $S_*(\tilde\Sigma)$ and $S(\tilde\Sigma)$). Hence, $(x'_*, x') \in \tilde R$, implying that condition (iii) in Definition 3.3 holds.

Now we prove $S(\tilde\Sigma) \preceq^\varepsilon_S S_*(\tilde\Sigma)$. Since $S_\tau(\Sigma) \preceq^\varepsilon_S S_q(\Sigma)$, there exists an $\varepsilon$-approximate simulation relation $R$ from $S_\tau(\Sigma)$ to $S_q(\Sigma)$. Consider the relation $\tilde R \subseteq X \times X_*$ defined by $(x, x_*) \in \tilde R$, with $x$ and $x_*$ written as above, if and only if $\tilde N_i = \tilde N_{*i}$, $\forall i \in [1; N^{sc}_{\max}]$, $\hat N_j = \hat N_{*j}$, $\forall j \in [1; N^{ca}_{\max}]$, $(x_k, x_{*k}) \in R$, $\forall k \in [1; N^{sc}_{\max}]$, and for each $\upsilon_i$ and the corresponding $u_{*i}$ there exists a $x'_* \in \mathrm{Post}_{u_{*i}}(x_*)$ such that $(\xi_{x\upsilon_i}(\tau), x'_*) \in R$ for any $i \in [1; N^{ca}_{\max}]$ and any $(x, x_*) \in R$. Note that if $U_\tau = U_q$ and they are finite then the last condition of the relation $\tilde R$ is nothing more than requiring $u_{*i} = \upsilon_i$ for any $i \in [1; N^{ca}_{\max}]$.

Consider $x_0 := (x_0, q, \ldots, q, \upsilon_0, \ldots, \upsilon_0, N^{sc}_{\max}, \ldots, N^{sc}_{\max}, N^{ca}_{\max}, \ldots, N^{ca}_{\max}) \in X_0$. Due to the relation $R$, there exist $x_{*0} \in X_{*0}$ such that $(x_0, x_{*0}) \in R$ and $u_{*0} \in U_q$ such that there exists $x'_* \in \mathrm{Post}_{u_{*0}}(x_*)$ satisfying $(\xi_{x\upsilon_0}(\tau), x'_*) \in R$ for any $(x, x_*) \in R$. Hence, by choosing $x_{*0} := (x_{*0}, q, \ldots, q, u_{*0}, \ldots, u_{*0}, N^{sc}_{\max}, \ldots, N^{sc}_{\max}, N^{ca}_{\max}, \ldots, N^{ca}_{\max}) \in X_{*0}$, one gets $(x_0, x_{*0}) \in \tilde R$ and condition (i) in Definition 3.2 is satisfied.

Now consider any $(x, x_*) \in \tilde R$, with $x$ and $x_*$ as above. Since $\tilde N_i = \tilde N_{*i}$, $\forall i \in [1; N^{sc}_{\max}]$, and $\hat N_j = \hat N_{*j}$, $\forall j \in [1; N^{ca}_{\max}]$, and using the definitions of $S(\tilde\Sigma)$ and $S_*(\tilde\Sigma)$, one obtains $H(x) = (x_1, x_k)$ and $H_*(x_*) = (x_{*1}, x_{*k})$, for some $k \in [N^{sc}_{\min}; N^{sc}_{\max}]$ (cf. Definitions $S_*(\tilde\Sigma)$ and $S(\tilde\Sigma)$). Since $(x_i, x_{*i}) \in R$, $\forall i \in [1; N^{sc}_{\max}]$, one gets $d_{Y_\tau}(H_\tau(x_i), H_q(x_{*i})) \le \varepsilon$, $\forall i \in [1; N^{sc}_{\max}]$. Therefore, $d_Y(H(x), H_*(x_*)) = \max\{d_{Y_\tau}(H_\tau(x_1), H_q(x_{*1})), d_{Y_\tau}(H_\tau(x_k), H_q(x_{*k}))\} \le \varepsilon$ and condition (ii) in Definition 3.2 is satisfied.

Let us now show that condition (iii) in Definition 3.2 holds. Consider any $(x, x_*) \in \tilde R$, with $x$ and $x_*$ as above. Consider any $\upsilon \in U(x) = U_\tau$. Using the relation $R$, there exist $u_* \in U_*(x_*) = U_q$ and $\grave x_* \in \mathrm{Post}_{u_*}(x_*)$ such that $(\xi_{x\upsilon}(\tau), \grave x_*) \in R$ for any $(x, x_*) \in R$. Now consider any
$$x' = \big(x', x_1, \ldots, x_{N^{sc}_{\max}-1}, \upsilon, \upsilon_1, \ldots, \upsilon_{N^{ca}_{\max}-1}, \tilde N, \tilde N_1, \ldots, \tilde N_{N^{sc}_{\max}-1}, \hat N, \hat N_1, \ldots, \hat N_{N^{ca}_{\max}-1}\big) \in \mathrm{Post}_\upsilon(x) \subseteq X$$
for some $\tilde N \in [N^{sc}_{\min}; N^{sc}_{\max}]$ and $\hat N \in [N^{ca}_{\min}; N^{ca}_{\max}]$, where $x' = \xi_{x_1\upsilon_k}(\tau)$ for some given $k \in [N^{ca}_{\min}; N^{ca}_{\max}]$ (cf. Definition $S(\tilde\Sigma)$). Because of the relation $R$, there exists $x'_* \in \mathrm{Post}_{u_{*k}}(x_{*1})$ in $S_q(\Sigma)$ such that $(x', x'_*) \in R$. Hence, due to the definition of $S_*(\tilde\Sigma)$, one can choose
$$x'_* = \big(x'_*, x_{*1}, \ldots, x_{*(N^{sc}_{\max}-1)}, u_*, u_{*1}, \ldots, u_{*(N^{ca}_{\max}-1)}, \tilde N, \tilde N_1, \ldots, \tilde N_{N^{sc}_{\max}-1}, \hat N, \hat N_1, \ldots, \hat N_{N^{ca}_{\max}-1}\big) \in \mathrm{Post}_{u_*}(x_*) \subseteq X_*.$$
Because of the relation $R$, one can readily verify that $d_{Y_\tau}(H_\tau(x'), H_q(x'_*)) \le \varepsilon$. Since $d_{Y_\tau}(H_\tau(x_j), H_q(x_{*j})) \le \varepsilon$, $\forall j \in [1; N^{sc}_{\max}-1]$, one gets $d_Y(H(x'), H_*(x'_*)) = \max\{d_{Y_\tau}(H_\tau(x'), H_q(x'_*)), d_{Y_\tau}(H_\tau(x_k), H_q(x_{*k}))\} \le \varepsilon$, for some given$^3$ $k \in [N^{sc}_{\min}-1; N^{sc}_{\max}-1]$ (cf. Definitions $S_*(\tilde\Sigma)$ and $S(\tilde\Sigma)$). Hence, $(x', x'_*) \in \tilde R$, implying that condition (iii) in Definition 3.2 holds, which completes the proof.

$^3$ Note that if $N^{sc}_{\min} = 0$, then $x_{*(-1)} = x'_*$ and $x_{-1} = x'$.

Proof of Corollary 5.2. Using Theorem 5.1 one gets that $S_q(\Sigma) \preceq^\varepsilon_{AS} S_\tau(\Sigma)$ implies $S_*(\tilde\Sigma) \preceq^\varepsilon_{AS} S(\tilde\Sigma)$, equipped with the alternating $\varepsilon$-approximate simulation relation $\tilde R$ as defined in the proof of Theorem 5.1. In a similar way, one can show that $S_\tau(\Sigma) \preceq^\varepsilon_{AS} S_q(\Sigma)$ implies $S(\tilde\Sigma) \preceq^\varepsilon_{AS} S_*(\tilde\Sigma)$, equipped with the alternating $\varepsilon$-approximate simulation relation $\tilde R^{-1}$, which completes the proof.
1 Department of Electrical and Computer Engineering, Technische Universität München, D-80290 Munich, Germany. E-mail address: [email protected]. URL: http://www.hcs.ei.tum.de

2 Delft Center for Systems and Control, Delft University of Technology, 2628 CD, Delft, The Netherlands. E-mail address: [email protected]. URL: http://www.dcsc.tudelft.nl/∼mmazo

3 Department of Computer Science, University of Oxford, OX1 3QD, Oxford, United Kingdom. E-mail address: [email protected]. URL: http://www.cs.ox.ac.uk/people/alessandro.abate