Augmented finite transition systems as abstractions for control synthesis

Abstract

This work is motivated by the problem of synthesizing switching protocols for continuous switched systems described by differential or difference equations, in a way that guarantees that the resulting closed-loop trajectories satisfy certain high-level specifications expressed in linear temporal logic. We introduce augmented finite transition systems as an abstract representation of the continuous dynamics; the augmentation consists in encodings of liveness properties that can be used to enforce progress in accordance with the underlying continuous dynamics. Abstraction and refinement relations that induce a preorder on this class of finite transition systems are established, and, by construction, this preorder respects the feasibility (i.e., realizability) of the synthesis problem. Hence, existence of a discrete strategy for one of these abstract finite transition systems guarantees the existence of a switching protocol for the continuous system that enforces the specification for all resulting trajectories. We show how abstractions and refinements can be computed for different classes of continuous systems through an incremental synthesis procedure that starts with a coarse abstraction and gradually refines it according to the established preorder relations. Finally, the incremental synthesis procedure is tailored to a class of temporal logic formulas by utilizing specific fixed point structures to enable localized updates in the refinement steps. The procedure is not guaranteed to terminate in general but we illustrate its practical applicability on numerical examples.

Appendices

Appendix A: Synthesis-related proofs

Lemma 1

Algorithm (12) is sound and complete.

Proof

For soundness, we first show that a trajectory starting in q ∈ X _k+1 ∖ X _k can be steered to X _k in finite time while remaining in B. There are two cases. First, if \(q \in B \cap \text {Pre}_{\sharp , \forall }^{\mathcal T}(X_{k}) \setminus X_{k}\), then X _k can be reached in one time step by definition of \(\text {Pre}_{\sharp , \forall }^{\mathcal T}\). Secondly, if q ∈PGPre _♯,∀(X _k ,B) ∖ X _k then there exists (G,U) with \(G \in \mathcal G(U)\) such that X _k can be reached by keeping the state inside of \(G \cap B\) using actions in U until a transition to X _k occurs due to the progress property (if ♯ = ∀, then \(U = \mathcal U\) which enables progress for uncontrollable modes). This shows that \(X_{k+1} \subset \text {Win}_{\sharp , \forall }^{\mathcal T} (B \hspace {1mm} \textbf {U} \hspace {1mm} X_{k})\). By induction the soundness of the algorithm follows.

For completeness, we show that if a state q is not in \(X_{\infty }\), it is not in the (♯,∀)-winning set of B U Z. Assume by contradiction that q is in the (♯,∀)-winning set of B U Z; that is, from q there exists a control strategy such that Z is reached in finitely many steps during which B holds. This can happen in two different ways. First, there exists a bound K on the number of steps within which Z is guaranteed to be reached. In this case, q is in \(\tilde X_{K}\) for \(\tilde X_{0} = Z\), \(\tilde X_{k+1} = B \cap \text {Pre}_{\sharp , \forall }^{\mathcal T}(\tilde X_{k})\), which contradicts to the fact that \(X_{\infty }\) is a fixed point that does not contain q due to the \(B \cap \text {Pre}_{\sharp , \forall }^{\mathcal T}(X_{k})\) term in Eq. 12. Secondly, Z is guaranteed to be reached from q while remaining in B but no control strategy can guarantee a bound on the number of steps. In this case, the controlled trajectories are not guaranteed to avoid a progress group. Without loss of generality we can take q to be in the last progress group G for some action set U before reaching \(X_{\infty }\) as otherwise the prefix part can be handled by the arguments in the first case and inductively applying the arguments for the second case. But then \(q\in \text {Inv}^{U,G}_{\sharp , \forall } (X_{\infty },B) \subset \text {PGPre}_{\sharp , \forall }^{\mathcal G}\left (X_{\infty }, B \right )\), which again contradicts to the fact that \(X_{\infty }\) is a fixed point. □

Lemma 2

Algorithm (14) is sound and complete.

Proof

The following two LTL identities will be used below:

$$\begin{array}{@{}rcl@{}} \square \left(\psi_{1} \land \left(\bigwedge_{i \in I} \lozenge {\psi_{2}^{i}} \right) \right) &=& \square \psi_{1} \land \left(\bigwedge_{i \in I} \square \left(\texttt{True} \hspace{1mm} \textbf{U} \hspace{1mm} {\psi_{2}^{i}} \right) \right) \\&=& \square \left[ \bigwedge_{i \in I} \left[ \psi_{1} \hspace{1mm} \textbf{U} \hspace{1mm} \left(\psi_{1} \land {\psi_{2}^{i}} \right) \right] \right], \\ \left(\psi_{3} \hspace{1mm} \textbf{U} \hspace{1mm} \psi_{1} \right) \lor \left(\psi_{3} \hspace{1mm} \textbf{U} \hspace{1mm} \psi_{2} \right) &=& \psi_{3} \hspace{1mm} \textbf{U} \hspace{1mm} (\psi_{1} \lor \psi_{2}). \end{array} $$

(24) (25)

Denote the specification by φ ₁, i.e., \(\varphi _{1} := \left (B \hspace {1mm} \textbf {U} \hspace {1mm} Z \right ) \lor \square \left (B \land \left (\bigwedge _{i \in I} \lozenge C^{i} \right ) \right )\). We call a specification ψ ₁ stronger than ψ ₂ if for any word w, w⊧ψ ₁ ⇒ w⊧ψ ₂. If ψ ₁ is stronger than ψ ₂, then \(\text {Win}(\psi _{1}) \subset \text {Win}(\psi _{2})\).

To prove soundness, we remark that any fixed point \(\overline W\) of Eq. 14 satisfies

$$\overline W = \bigcap_{i \in I} \text{Win}_{\sharp, \forall}^{\mathcal T} \left(B \hspace{1mm} \textbf{U} \hspace{1mm} \left(Z \cup \left(B \cap C^{i} \cap \text{Pre}_{\sharp, \forall}^{\mathcal T} \left(\overline W \right) \right) \right) \right). $$

Consider \(q \in \overline W\), a trajectory starting in q can for each i be controlled to reach either Z or \(B \cap C^{i} \cap \text {Pre}_{\sharp , \forall }^{\mathcal T} \left (\overline W \right )\) while remaining in B. If the former occurs, B U Z, and thus φ ₁, is evidently satisfied by the trajectory. If the latter occurs, the set \(B \cap C^{i} \cap \text {Pre}_{\sharp , \forall }^{\mathcal T} \left (\overline W \right )\) is eventually reached. Because of the \(\text {Pre}_{\sharp , \forall }^{\mathcal T} \left (\overline W \right )\) term, the argument repeats which shows that either B U Z or \(\square \left (B \hspace {1mm} \textbf {U} \hspace {1mm} \left (B \cap C^{i} \cap \text {Pre}_{\sharp , \forall }^{\mathcal T} \left (\overline W \right ) \right ) \right ) = \square \left (B \land \lozenge \left (C^{i} \cap \text {Pre}_{\sharp , \forall }^{\mathcal T}(\overline W) \right ) \right )\) is satisfied by the trajectory (the equality follows from Eq. 24). This holds for any i, which is a stronger condition than φ ₁. Thus the algorithm is sound.

We prove completeness, which amounts to showing that \(\text {Win} \left (\varphi _{1} \right ) \subset W_{\infty }\). Consider the specification

$$\varphi_{2} := \bigwedge_{i \in I} \left[ B \hspace{1mm} \textbf{U} \hspace{1mm} \left(Z \cup \left(B \cap C^{i} \cap \text{Pre}_{\sharp, \forall}^{\mathcal T} \left(\text{Win}_{\sharp, \forall}^{\mathcal T} \left(\varphi_{1} \right) \right) \right) \right) \right]. $$

Since φ ₁ is a liveness specification, a trajectory satisfying φ ₁ must remain in \(\text {Win}_{\sharp , \forall }^{\mathcal T}(\varphi _{1})\). Therefore the winning set of φ ₁ is equal to the winning set of the specification

$$\left(B \hspace{1mm} \textbf{U} \hspace{1mm} Z \right) \lor \square \left(B \land \left(\bigwedge_{i \in I} \lozenge \left(C^{i} \cap \text{Win}_{\sharp, \forall}^{\mathcal T} \left(\varphi_{1} \right) \right) \right) \right). $$

Using Eq. 24 above, this is in turn equal to

$$\left(B \hspace{1mm} \textbf{U} \hspace{1mm} Z \right) \lor \square \left(\bigwedge_{i \in I} \left[ B \hspace{1mm} \textbf{U} \hspace{1mm} \left(B \cap C^{i} \cap \text{Win}_{\sharp, \forall}^{\mathcal T} \left(\varphi_{1} \right) \right) \right] \right), $$

which is stronger than

$$\begin{array}{lllll} \left(B \hspace{1mm} \textbf{U} \hspace{1mm} Z \right) & \lor \left(\bigwedge_{i \in I} \left[ B \hspace{1mm} \textbf{U} \hspace{1mm} \left(B \cap C^{i} \cap \text{Win}_{\sharp, \forall}^{\mathcal T} \left(\varphi_{1} \right) \right) \right] \right) \\ & = \bigwedge_{i \in I} \left[ \left(B \hspace{1mm} \textbf{U} \hspace{1mm} Z \right) \lor \left(B \hspace{1mm} \textbf{U} \hspace{1mm} \left(B \cap C^{i} \cap \text{Win}_{\sharp, \forall}^{\mathcal T} \left(\varphi_{1} \right) \right) \right) \right]. \end{array} $$

By Eq. 25 and since \(B \cap \text {Pre}_{\sharp , \forall }^{\mathcal T} \left (\text {Win}_{\sharp , \forall }^{\mathcal T}(\varphi _{1}) \right ) = B \cap \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{1} \right )\), this is stronger than φ ₂. Thus \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{1} \right ) \subset \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{2} \right )\).

Take any set K such that \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{1} \right ) \subset K\). The specification φ ₂ is stronger than the specification

$$\varphi_{K} := \bigwedge_{i \in I} \left[ B \hspace{1mm} \textbf{U} \hspace{1mm} \left(Z \cup \left(B \cap C^{i} \cap \text{Pre}_{\sharp, \forall}^{\mathcal T} \left(K \right) \right) \right) \right], $$

which implies that \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{2} \right ) \subset \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{K} \right )\). Furthermore, in general \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi _{1} \land \psi _{2} \right ) \subset \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi _{1} \right ) \cap \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi _{2} \right )\), which implies

$$\text{Win}_{\sharp, \forall}^{\mathcal T} \left(\varphi_{K} \right) \subset T_{K} :=\bigcap_{i \in I} \text{Win}_{\sharp, \forall}^{\mathcal T} \left(B \hspace{1mm} \textbf{U} \hspace{1mm} \left(Z \cup \left(B \cap C^{i} \cap \text{Pre}_{\sharp, \forall}^{\mathcal T} \left(K \right) \right) \right) \right). $$

We recognize the right-hand side from Eq. 14 and conclude that if \(q \in \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{1} \right )\), then the inclusions \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{1} \right ) \subset \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{2} \right ) \subset \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{K} \right )\) imply that q is never excluded during the algorithm (14) since it consists of iterating the mapping K↦T _K . Thus, \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\varphi _{1} \right ) \subset W_{\infty }\), which proves completeness. □

Lemma 3

Algorithm (15) is sound and complete.

Proof

We first prove soundness and completeness for \(\square A = \texttt {True}\). Thus let \(\psi := \lozenge \square B \land \left (\bigwedge _{i \in I} \square \lozenge C^{i} \right )\). We first show that the algorithm is sound. The specification \(\square \left (B \land \left (\bigwedge _{i \in I} \lozenge C^{i} \right ) \right )\) is stronger than ψ, therefore it follows that \(V_{1} \subset \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi \right )\). Consider V _k for k > 1. Starting anywhere in V _k , the state can either be controlled to satisfy \(B \hspace {1mm} \textbf {U} \hspace {1mm} \text {Pre}_{\sharp , \forall }^{\mathcal T, \mathcal U}(V_{k-1})\) or \(\square \left (B \land \left (\bigwedge _{i \in I} \lozenge C^{i} \right ) \right )\). If the former happens, the state can be controlled to V _k−1 and an induction argument over k completes the soundness proof.

For completeness, consider the set \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi \right ) \setminus V_{\infty }\), where \(V_{\infty }\) is the smallest fixed point of Eq. 15. From any \(q_{1} \in \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi \right ) \setminus V_{\infty }\), the state can not be controlled to \(V_{\infty }\), otherwise q ₁ would have been included in \(V_{\infty }\) by an argument analogous to the completeness proof of Lemma 1. By repeating the argument, we conclude that an infinite trajectory in \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi \right ) \setminus V_{\infty }\) can be generated that satisfies the specification ψ. By considering an appropriate suffix of such a trajectory, this implies the existence of \(q_{2} \in \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi \right ) \setminus V_{\infty }\) from where the specification \(\square \left (B \land \left (\bigwedge _{i \in I} \lozenge C^{i} \right ) \right )\) can be enforced. But this is a contradiction since such a q ₂ is in V ₁ and hence in \(V_{\infty }\).

We finally incorporate the \(\square A\) term and show necessity and sufficiency of the restriction to V _{i n v} . As established above, the algorithm is sound and complete for ψ. All fixed points are ultimately defined in terms of the winning set of B U Z, so amending \(\square A\) to the top level specification ψ propagates that term down to the “until” level. It is therefore necessary and sufficient to replace each computation of \(\text {Win}_{\sharp , \forall }^{\mathcal T}\left (B \hspace {1mm} \textbf {U} \hspace {1mm} Z \right )\) with \(\text {Win}_{\sharp , \forall }^{\mathcal T}\left (\square A \land (B \hspace {1mm} \textbf {U} \hspace {1mm} Z) \right )\). Since \(V_{inv} = \text {Win}_{\sharp , \forall }^{\mathcal T}(\square A)\), it follows that \(\text {Win}_{\sharp , \forall }^{\mathcal T}\left (\square A \land \left (B \hspace {1mm} \textbf {U} \hspace {1mm} Z \right ) \right ) = \text {Win}_{\sharp , \forall }^{\mathcal T}\left ((B \cap V_{inv}) \hspace {1mm} \textbf {U} \hspace {1mm} (Z \cap V_{inv}) \right )\) which shows the correctness of the restriction technique. □

Lemma 4

Algorithm (16) is sound and complete.

Proof

For soundness, consider a set of fixed points \(\overline X^{J}\) for J ∈ 2^I that satisfy

$$\overline X^{J} = Z \cup \left(\left(\bigcap_{i \in J} B^{i} \right) \cap \text{Pre}_{\sharp, \forall}^{\mathcal T, \mathcal U} \left(\bigcup_{K \in 2^{J}} \overline X^{K} \right) \right). $$

Let \(q \in \overline X^{J}\). If q ∈ Z the specification is evidently satisfied. Otherwise, \(q \in \left (\bigcap _{i \in J} B^{i} \right ) \cap \text {Pre}_{\sharp , \forall }^{\mathcal T, \mathcal U} \left (\bigcup _{K \in 2^{J}} \overline X^{K} \right )\) which implies that q can be controlled to \(\overline X^{K_{1}}\) for some \(K_{1} \subset J\). If Z is not reached, an induction argument results in a chain \(J \supset K_{1} \subset K_{2} \supset \ldots \) which necessarily converges to some non-empty subset \(K_{\infty }\) of J. Thus there is a strategy that eventually enforces \(\square B^{i}\) for some i ∈ J.

For completeness, remark that \(X_{1}^{\{ i \}} = Z \cup B^{i}\). We show that if \(q_{0} \not \in X_{k_{0}+1}^{J}\) but \(q_{0} \in X_{k_{0}}^{J}\), then nondeterminism can force a trajectory starting in q ₀ to avoid \(X_{1}^{\{ i \}}\) for all i ∈ I while also avoiding Z. To this end, assume that \(q_{0} \in X_{k_{0}}^{J} \setminus X_{k_{0}+1}^{J}\). Evidently, q ₀∉Z, which implies that \(q_{0} \in \bigcap _{i \in J} B^{i}\) and \(q_{0} \not \in \text {Pre}_{\sharp , \forall }^{\mathcal T, \mathcal U} \left (\bigcup _{K \in 2^{J}} X_{k_{0}}^{K} \right )\). The latter means that nondeterminism can prevent a transition to \(X_{k_{0}}^{K}\) for any \(K \subset J\). Assume a transition to q ₁ occurs and that q ₁ was excluded from \(\{ {X_{k}^{K}} \}\) for k = k ₁. Induction over time and set inclusion results in a strictly decreasing sequence k ₀ k ₁,… and a trajectory q ₀ q ₁… where \(q_{t} \not \in \bigcup _{K \in 2^{J}} X_{k_{t}}^{K}\). In particular, q _t ∉Z and there exists a finite T s.t. q _T ∉B ⁱ for any i ∈ J, which shows completeness of the algorithm. □

Lemma 5

Algorithm (17) is sound and complete.

Proof

For soundness, we remark that \(W_{1} = \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\bigvee _{i \in I} \left [ \left (B^{i} \hspace {1mm} \textbf {U} \hspace {1mm} Z \right ) \lor \square B^{i} \right ] \right )\) which is contained in \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\lozenge Z \lor \left (\bigvee _{i \in I} \lozenge \square B^{i} \right ) \right )\). Starting in W _k for k > 1, a strategy exists that either results in \(\square B^{i}\) being fulfilled for some i, or such that W _k can be reached. An induction argument completes the soundness proof.

For completeness, assume that \(q \in \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\lozenge Z \lor \left (\bigvee _{i \in I} \lozenge \square B^{i} \right ) \right ) \setminus W_{\infty }\) where \(W_{\infty }\) is the smallest fixed point of Eq. 17. Since \(\text {Pre}_{\sharp , \forall }^{\mathcal T} \left (W_{\infty } \right ) \cup \text {PGPre}_{\sharp , \forall }^{\mathcal T} \left (W_{\infty }, Q \right ) \subset W_{\infty }\), it follows by the completeness argument in the proof of Lemma 1 that a transition to \(W_{\infty }\) can never be enforced for a trajectory starting in q. Since \(Z \subset W_{\infty }\), it follows that nondeterminism can generate a trajectory that never enters \(W_{\infty }\) and which satisfies \(\lozenge \square B^{i}\) for some i. Taking a suffix of such a trajectory, it follows that there exists \(\tilde q \in \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\lozenge Z \lor \left (\bigvee _{i \in I} \lozenge \square B^{i} \right ) \right ) \setminus W_{\infty }\) from where \(\bigvee _{i \in I} \square B^{i}\) can be enforced. But then \(\tilde q \in W_{1} \subset W_{\infty }\) which is a contradiction. Thus (17) is complete. □

Lemma 6

Algorithm (18) is sound and complete.

Proof

Let \(\psi := \lozenge A \lor \left (\bigvee _{i \in I} \lozenge \square B^{i} \right ) \lor \square \lozenge C\). For soundness, consider a fixed point \(\overline V\) of (18). It has the property

$$\overline V = \text{Win}_{\sharp, \forall} \left(\lozenge \left(A \cup \left(C \cap \text{Pre}_{\sharp,\forall}^{\mathcal T} \left(\overline V \right) \right) \right) \lor \left(\bigvee_{i \in I} \lozenge \square B^{i} \right) \right). $$

Starting in \(\overline V\), there is a strategy to ensure one of \(\psi _{1}: = \lozenge A\), \(\psi _{2}:= \bigvee _{i \in I} \lozenge \square B^{i}\), or \(\psi _{3}:=\lozenge \left (C \cap \text {Pre}_{\sharp , \forall }^{\mathcal T} \left (\overline V \right ) \right )\). If ψ ₁ or ψ ₂ occur, ψ is evidently satisfied. If ψ ₃ occurs, an induction argument shows that \(\psi _{1} \lor \psi _{2} \lor \square \psi _{3} = \psi \) holds.

For completeness, remark that any trajectory that enforces ψ must remain in \(\text {Win}_{\sharp , \forall }^{\mathcal T}(\psi )\) due to ψ being a liveness property. Furthermore, \(\text {Pre}_{\sharp , \forall }^{\mathcal T, \mathcal U} \left (\text {Win}_{\sharp , \forall }^{\mathcal T}(\psi ) \right ) = \text {Win}_{\sharp , \forall }^{\mathcal T}(\psi )\) since ψ can be enforced from its pre-image. Therefore,

$$\begin{array}{@{}rcl@{}} \text{Win}_{\sharp, \forall}^{\mathcal T} \left(\psi \right) &=& \text{Win}_{\sharp, \forall}^{\mathcal T} \left(\tilde \psi \right), \quad\text{for} \quad \tilde \psi := \lozenge A \lor \left(\bigvee_{i \in I} \lozenge \square B^{i} \right) \lor \square \lozenge\\&&\times \left(C \cap \text{Pre}_{\sharp, \forall}^{\mathcal T, \mathcal U} \left(\text{Win}_{\sharp, \forall}^{\mathcal T} \left(\psi \right) \right) \right). \end{array} $$

Take any \(K \supset \text {Win}_{\sharp , \forall }^{\mathcal T}(\psi )\) and let \(\psi _{K} := \lozenge A \lor \left (\bigvee _{i \in I} \lozenge \square B^{i} \right ) \lor \lozenge \left (C \cap \text {Pre}_{\sharp , \forall }^{\mathcal T, \mathcal U} \left (K \right ) \right )\). It can be seen that \(\tilde \psi \) is stronger than ψ _K , which implies the inclusion \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi \right ) \subset \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi _{K} \right )\). This shows that elements in \(\text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi \right )\) are never excluded in Eq. 18, which consist of iterations of the mapping \(K \mapsto \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\psi _{K} \right )\). □

Appendix : B: Candidate set derivation

Let us call an algorithm expanding or contracting if the sequence {V _k } _k≥1 of intermediate sets it computes is enlarging or shrinking, respectively. All fixed point algorithms considered in this paper are either contracting or expanding. Moreover, their output is monotone with respect to initial conditions (i.e., a larger initial set gives a larger fixed point w.r.t. set inclusion). We consider sets of type \(\text {Win}_{\sharp , \forall }^{\mathcal T}(\cdot )\) computed as the fixed point \(V_{\infty }\) of a sequence {V _k } _k≥1 and determine a candidate set C recursively according to the following rules:

• For an expanding algorithm with input V ₁ and fixed point \(V_{\infty }\):

  Addition::

  add \(\text {Pre}_{\sharp , \exists } \left (V_{\infty } \right ) \setminus V_{\infty }\) to the candidate set C.

  Recursion::

  if V ₁ is an output of another fixed point algorithm, add its candidate set to C.

• For a contracting algorithm with input V ₁ and fixed point \(V_{\infty }\):

  Addition::

  add \(V_{1} \setminus V_{\infty }\) to the candidate set C.

  Recursion::

  if V ₁ is an output of another fixed point algorithm, add its candidate set to C.

The rationales behind these rules are as follows. Firstly, the fixed point may always be enlarged by starting with a larger initial set, thus we pursue this objective in both cases. For an expanding algorithm, we also add states adjacent to its fixed point \(V_{\infty }\) in the hope that a refinement may reveal states that can enlarge it further. There is no need to consider smaller sets V _i since these are all contained in \(V_{\infty }\). For a contracting algorithm we add \(V_{1} \setminus V_{\infty }\) in the hope that refinement may reveal control options that allow the fixed point \(V_{\infty }\) to be enlarged.

There are ways to further tune the candidate sets that may be suitable for certain problems. Firstly, the progress group reachability operator PGPre is computed with a contracting algorithm whose candidate set could be added to the overall candidate set. Below we disregard this potential addition in the interest of keeping the notation relatively simple; the best way to implement candidate set computation algorithmically is to follow the recursive rules above. Secondly, it may be possible to exclude parts of the candidate set of a contracting algorithm in case there are states that will for sure be excluded by the algorithm even after refinement.

We now apply the rules above to the computation of the winning set (15) to obtain a candidate set of a specification of type \(\square A \land \lozenge \square B \land \left (\bigwedge _{i \in I} \square \lozenge C^{i} \right )\). The algorithm is expanding and produces an increasing set sequence {V _k } _k≥1. We therefore do the following:

• 1A Addition: add \(\text {Pre}_{\sharp , \exists }^{\mathcal T, \mathcal U} \left (V_{\infty } \right ) \setminus V_{\infty }\) to the candidate set,

• 1R Recursion: add candidate set of \(V_{1} = \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\square \left (B \land \left (\bigwedge _{i \in I} \lozenge C^{i} \right ) \right ) \right )\) to the candidate set.

We recursively consider V ₁ which is computed from algorithm (14) as the stable point \(W_{\infty }\) of a contracting set sequence {W _k } _k≥1. Therefore we do the following

• 2A. Addition: add \(W_{1} \setminus W_{\infty } = W_{1} \setminus V_{1}\) to the candidate set,

• 2R. Recursion: add candidate set of \(W_{1} = \bigcap _{i \in I} W_{1,i}\) for \(W_{1,i} := \text {Win}_{\sharp , \forall }^{\mathcal T} \left (B \hspace {1mm} \textbf {U} \hspace {1mm} \left (B \cap C^{i} \right ) \right )\) to the candidate set.

Next we turn to the different W _1,i ’s which are each computed from Eq. 12 through an expanding set sequence {X _k,i } _k≥1. Since \(X_{1,i} = B \cap C^{i}\) is not itself a fixed point, the recursion stops here and we arrive at:

• 3A. Addition: add \(B \cap \left (\bigcup _{i \in I} \text {Pre}_{\sharp , \exists }^{\mathcal T, \mathcal U} \left (W_{1,i} \right ) \setminus W_{1,i} \right )\) to the candidate set. Here we have intersected with B since states in B ^C can not be candidates to \(B \hspace {1mm} \textbf {U} \hspace {1mm} (B \cap C^{i})\).

However, there is one final part of the overall candidate set, since the winning set computation is restricted to \(V_{inv} = \text {Win}_{\sharp , \forall }^{\mathcal T}(\square A)\). This set is computed using Eq. 14 as the convergence value of a contracting set sequence \(\{ \tilde W_{k} \}_{k \geq 1}\) with \(\tilde W_{1} = \text {Win}_{\sharp , \forall }^{\mathcal T} \left (A \hspace {1mm} \textbf {U} \hspace {1mm} A\right ) = A\). Therefore we make a final addition to the candidate set:

• 4A. Addition: add A ∖ V _{i n v} to the candidate set.

Collecting the different pieces from above, we arrive at the following candidate set:

$$ \begin{array}{llll} C_{\sharp, \forall} & \left(\square A \land \lozenge \square B \land \left(\bigwedge_{i \in I} \square \lozenge C^{i} \right) \right) = \left(\text{Pre}_{\sharp, \exists}^{\mathcal T, \mathcal U} \left(V_{\infty} \right) \setminus V_{\infty} \right) \cup \left(W_{1} \setminus V_{1} \right) \\ & \hspace{19mm} \cup \left(B \cap \left(\bigcup_{i \in I} \text{Pre}_{\sharp, \exists}^{\mathcal T, \mathcal U} \left(W_{1,i} \right) \setminus W_{1,i} \right) \right) \cup \left(A \setminus V_{inv} \right). \end{array} $$

(26)

A candidate set for the dual algorithm (18) can be derived in a similar way. Let {V _k } _k≥1 be the contracting set sequence generated by Eq. 18.

• 1A. Addition: add \(V_{1} \setminus V_{\infty }\) to the candidate set,

• 1R. Recursion: add candidate set of \(V_{1} = \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\lozenge \left (A \cup C \right ) \lor \left (\bigvee _{i \in I} \lozenge \square B^{i} \right ) \right )\) to the candidate set.

Proceeding with V ₁, it is equal to the fixed point value \(W_{\infty }\) of an expanding sequence {W _k } _k≥1 generated by Eq. 17.

• 2A. Addition: add \(\text {Pre}_{\sharp , \exists }^{\mathcal T, \mathcal U} \left (W_{\infty } \right ) \setminus W_{\infty } = \text {Pre}_{\sharp , \exists }^{\mathcal T, \mathcal U} \left (V_{1} \right ) \setminus V_{1}\) to the candidate set,

• 2R. Recursion: add candidate set of \(W_{1} = \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\bigvee _{i \in I} \left [ \square B_{i} \lor \left (B_{i} \hspace {1mm} \textbf {U} \hspace {1mm} (A \cup C) \right ) \right ] \right )\) to the candidate set.

Finally, W ₁ is equal to the union over the set of fixed points \(X_{\infty }^{J}\) of the contracting algorithm (16). At the first iteration, \({X_{1}^{J}} = A \cup C \cup \left (\bigcap _{i \in J} B^{j} \right )\). We therefore get one final addition to the candidate set as:

• 2A. Addition: add \(\bigcup _{J \in 2^{I}} A \cup C \cup \left (\bigcap _{i \in J} B^{i} \right ) \setminus W_{1}\) to the candidate set. However, it holds that \(\bigcup _{J \in 2^{I}} \bigcap _{i \in J} B^{i} = \bigcup _{i \in I} B^{i}\) and furthermore \(A \cup C \in W_{1}\). Therefore the additional set simplifies to \(\bigcup _{i \in I} B^{i} \setminus W_{1}\).

Combined, we arrive at the following candidate set:

$$ \begin{array}{llll} C_{\sharp, \forall} \left(\lozenge A \bigvee_{i \in I} \lozenge \square B^{i} \lor \square \lozenge C \right) = \left(V_{1} \setminus V_{\infty} \right) \cup \left(\text{Pre}_{\sharp, \exists}^{\mathcal T, \mathcal U} \left(V_{1} \right) \setminus V_{1} \right) \cup \left(\bigcup_{i} B^{i} \setminus W_{1} \right). \end{array} $$

(27)

For illustration purposes, we consider two notable special cases of Eq. 26. First, for a specification of the form \(\lozenge \square B\), the expression simplifies to

$$ C_{\sharp, \forall} \left(\lozenge \square B \right) = \left(\text{Pre}_{\sharp, \exists}^{\mathcal T, \mathcal U} \left(V_{\infty} \right) \setminus V_{\infty} \right) \cup \left(B \setminus V_{1} \right), $$

(28)

for \(V_{\infty } = \text {Win}_{\sharp , \forall }^{\mathcal T}(\lozenge \square B)\) and \(V_{1} = \text {Win}_{\sharp , \forall }^{\mathcal T} (\square B)\). The same expression can also be obtained from Eq. 27.

Secondly, for a specification of the form \(\bigwedge _{i \in I} \square \lozenge C^{i}\), we obtain from Eq. 26 that

$$\begin{array}{@{}rcl@{}} C_{\sharp, \forall} \left(\bigwedge_{i \in I} \square \lozenge C^{i} \right) &=& \left(\text{Pre}_{\sharp, \exists}^{\mathcal T, \mathcal U} \left(V_{\infty} \right) \setminus V_{\infty} \right) \cup \left(\bigcap_{i \in I} W_{1,i} \setminus V_{\infty} \right) \cup\\&&\times \left(\bigcup_{i \in I} \text{Pre}_{\sharp, \exists}^{\mathcal T, \mathcal U} \left(W_{1,i} \right) \setminus W_{1,i} \right), \end{array} $$

where \(V_{\infty } = \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\bigwedge _{i \in I} \square \lozenge C^{i} \right )\) and \(W_{1,i} = \text {Win}_{\sharp , \forall }^{\mathcal T} \left (\lozenge C^{i} \right )\). However, the expression can be simplified further since the first term is contained in the union of the last two:¹³

$$ C_{\sharp, \forall} \left(\bigwedge_{i \in I} \square \lozenge C^{i} \right) = \left(\bigcap_{i \in I} W_{1,i} \setminus V_{\infty} \right) \cup \left(\bigcup_{i \in I} \text{Pre}_{\sharp, \exists}^{\mathcal T, \mathcal U} \left(W_{1,i} \right) \setminus W_{1,i} \right). $$

(29)

Again, the same expression can be obtained from Eq. 27 for the special case I = {1}.