figure a

1 Introduction

Two-player \(\omega \)-regular games on finite graphs are an established modeling and solution formalism for many challenging problems in the context of correct-by-construction cyber-physical system (CPS) design [2, 7, 39]. Here, control software actuating a technical system “plays” against the physical environment. The winning strategy of the system player in this two-player game results in software which ensures that the controlled technical system fulfills a given temporal specification for any (possible) event or input sequence generated by the environment. Examples include warehouse robot coordination [36], reconfigurable manufacturing systems [26], and adaptive cruise control [33]. In these applications, the technical system under control, as well as its requirements, are developing and changing during the design process. It is therefore desirable to allow for maintainable and adaptable control software. This, in turn, requires solution algorithms for two-player \(\omega \)-regular games which allow for this adaptability.

This paper addresses this challenge by providing a new algorithm to efficiently compute permissive winning strategy templates in parity games which enable rich strategy adaptations. Given a game graph \(G=(V,E)\) and an objective \(\varPhi \) a winning strategy template \(\varPsi \) characterizes the winning region \(\mathcal {W}\subseteq V\) along with three types of local edge conditions – a safety, a co-live, and a live-group template. The conjunction of these basic templates allows us to capture infinitely many winning strategies over G w.r.t. \(\varPhi \) in a simple data structure that is both (i) easy to obtain during synthesis, and (ii) easy to adapt and compose.

We showcase the usefulness of permissive winning strategy templates in the context of CPS design by two application scenarios: (i) incremental synthesis, where strategies need to be adapted to newly arriving additional \(\omega \)-regular objectives \(\varPhi '\), and (ii) fault-tolerant control, where strategies need to be adapted to the occasional or persistent unavailability of actuators, i.e., system player edges.

We have implemented our algorithms in a prototype tool PeSTel and run it on more than 1400 benchmarks adapted from the SYNTCOMP benchmark suite [21]. These experiments show that our class of templates effectively avoids re-computations for the required strategy adaptations. For incremental synthesis, our experimental results are previewed in Fig. 1, where we compare PeSTel against the state-of-the-art solver GenZiel  [16] for generalized parity objectives, i.e., finite conjunction of parity objectives. We see that PeSTel is as efficient as GenZiel whenever all conjuncts of the objective are given up-front (Fig. 1(left)) - even outperforming it in more than 90% of the instances. Whenever conjuncts of the objective arrive one at a time, PeSTel outperforms the existing approaches significantly if the number of objectives increases (Fig. 1(right)). This shows the potential of PeSTel towards more adaptable and maintainable control software for CPS.

Fig. 1.
figure 1

Experimental results over 1400 generalized parity games comparing the performance of our tool PeSTel against the state-of-the-art generalized parity solver GenZiel [16]. Data points give the average execution time (in ms) over all instances with the same number of parity objectives. Left: all objectives are given upfront. Right: objectives are added one-by-one. See Sect. 6 for more details on those experiments.

Full size image

Illustrative Example. To appreciate the simplicity and easy adaptability of our strategy templates, consider the game graph in Fig. 2(left). The first winning condition \(\varPhi _1\) requires vertex f to never be seen along a play. This can be enforced by \(\text {Player}~0\) from vertices \(\mathcal {W}_0=\{a,b,c,d\}\) called the winning region. The safety template \(\varPsi _1\) ensures that the game always stays in \(\mathcal {W}_0\) by forcing the edge \(e_{de}\) to never be taken. It is easy to see that every \(\text {Player}~0\) strategy that follows this rule results in plays which are winning if they start in \(\mathcal {W}_0\). Now consider the second winning condition \(\varPhi _2\) which requires vertex c or d to be seen infinitely often. This induces the live-group template \(\varPsi _2\) which requires that whenever vertex a is seen infinitely often, either edge \(e_{ac}\) or edge \(e_{ad}\) needs to be taken infinitely often. It is easy to see that any strategy that complies with this edge-condition is winning for \(\text {Player}~0\) from every vertex and there are infinitely many such compliant winning strategies. Finally, we consider condition \(\varPhi _3\) requiring vertex b to be seen only finitely often. This induces the strategy template \(\varPsi _3\) which is a co-liveness template requiring that all edges from \(\text {Player}~0\) vertices which unavoidably lead to b (i.e., \(e_{ab}\), \(e_{bd}\), and \(e_{de}\)) are taken only finitely often. We can now combine all templates into a new template \(\varPsi '=\varPsi _1\wedge \varPsi _2\wedge \varPsi _3\) and observe that all strategies compliant with \(\varPsi '\) are winning for \(\varPhi '=\varPhi _1\wedge \varPhi _2\wedge \varPhi _3\).

Fig. 2.
figure 2

A two-player game graph with \(\text {Player}~1\) (squares) and \(\text {Player}~0\) (circles) vertices, different winning conditions \(\varPhi _i\), and corresponding winning strategy templates \(\varPsi _i\).

Full size image

In addition to their compositionality, strategy templates also allow for local strategy adaptations in case of edge unavailability faults. Consider again the game in Fig. 2 with the objective \( \varPhi _2 \). Suppose that \( \text {Player}~0\) follows the strategy \( \pi \): \( a\mapsto d \) and \( d\mapsto a \), which is compliant with \( \varPsi _2 \). If the edge \( e_{ad} \) becomes unavailable, we would need to re-solve the game for the modified game graph \(G'=(V,E\setminus \{e_{ad}\})\). However, given the strategy template \( \varPsi _2 \) we see that the strategy \( \pi ' \): \( a\mapsto c \) and \( d\mapsto a \) is actually compliant with \(\varPsi _2\) over \(G'\). This allows us to obtain a new strategy without re-solving the game.

While these examples demonstrate the potential of templates for strategy adaptation, there exist scenarios where conflicts between templates or graph modifications arise, which require re-computations. Our empirical results, however, show that such conflicts rarely appear in practical benchmarks. This suggests that our technique can handle a large problem class efficiently in practice.

Related Work. The class of templates we use was introduced in [4] and utilized to represent environment assumptions that enable a system to fulfill its specifications in a cooperative setting. Contrary to [4], this paper uses the same class of templates to represent the system’s winning strategies in a zero-sum setting.

While the computation of permissive strategies for the control of CPS is an established concept in the field of supervisory controlFootnote 1 [14, 42], it has also been addressed in reactive synthesis where the considered specification class is typically more expressive, e.g., Bernet et al. [8] introduce permissive strategies that encompass all the behaviors of positional strategies and Neider et al. [31] introduce permissiveness to subsume strategies that visit losing loops at most twice. Finally, Bouyer et al. [11] take a quantitative approach to measure the permissiveness of strategies, by minimizing the penalty of not being permissive. However, all these approaches are not optimized towards strategy adaptation and thereby typically fail to preserve enough behaviors to be able to effectively satisfy subsequent objectives. A notable exception is a work by Baier et al. [23]. While their strategy templates are more complicated and more costly to compute than ours, they are maximally permissive (i.e., capture all winning strategies in the game). However, when composing multiple objectives, they restrict templates substantially which eliminates many compositional solutions that our method retains. This results in higher computation times and lower result quality for incremental synthesis compared to our approach. As no implementation of their method is available, we could not compare both approaches empirically.

Even without the incremental aspect, synthesizing winning strategies for conjunctions of \( \omega \)-regular objectives is known to be a hard problem – Chatterjee et al. [16] prove that the conjunction of even two parity objectives makes the problem NP-complete. They provide a generalization of Zielonka’s algorithm, called GenZiel for generalized parity objectives (i.e., finite conjunction of parity objectives) which is compared to our tool PeSTel in Fig. 1. While PeSTel is (in contrast to GenZiel) not complete—i.e., there exist realizable synthesis problems for which PeSTel returns no solution—our prototype implementation returns the full winning region in all 1400 benchmark instances.

Fault-tolerant control is a well-established topic in control engineering [9], with recent emphasis on the logical control layer [19, 30]. While most of this work is conducted in the context of supervisory control, there are also some approaches in reactive synthesis. While [29, 32] considers the addition of “disturbance edges” and synthesizes a strategy that tolerates as many of them as possible, we look at the complementary problem, where edges, in particular system-player edges, disappear. To the best of our knowledge, the only algorithm that is able to tackle this problem without re-computation considers Büchi games [15]. In contrast, our method is applicable to the more expressive class of Parity games.

2 Preliminaries

Notation. We use \(\mathbb {N}\) to denote the set of natural numbers including zero. Given two natural numbers \(a,b\in \mathbb {N}\) with \(a<b\), we use [ab] to denote the set \(\left\{ n\in \mathbb {N} \mid a\le n\le b\right\} \). For any given set [ab], we write \(i\in _{\textrm{even}}[a;b]\) and \(i\in _{\textrm{odd}}[a;b]\) as shorthand for \(i\in [a;b]\cap \left\{ 0,2,4,\ldots \right\} \) and \(i\in [a;b]\cap \left\{ 1,3,5,\ldots \right\} \) respectively. Given two sets A and B, a relation \(R\subseteq A\times B\), and an element \(a\in A\), we write R(a) to denote the set \(\left\{ b\in B\mid (a,b)\in R\right\} \).

Languages. Let \(\varSigma \) be a finite alphabet. The notation \(\varSigma ^*\) and \(\varSigma ^\omega \) respectively denote the set of finite and infinite words over \(\varSigma \), and \(\varSigma ^\infty \) is equal to \(\varSigma ^*\cup \varSigma ^\omega \). For any word \(w\in \varSigma ^\infty \), \(w_i\) denotes the i-th symbol in w. Given two words \(u\in \varSigma ^*\) and \(v\in \varSigma ^\infty \), the concatenation of u and v is written as the word uv.

Game Graphs. A game graph is a tuple where (VE) is a finite directed graph with vertices V and edges E, and \( V^0, V^1\subseteq V\) form a partition of V. Without loss of generality, we assume that for every \(v\in V\) there exists \(v'\in V\) s.t. \((v,v')\in E\). A play originating at a vertex \(v_0\) is a finite or infinite sequence of vertices \(\rho =v_0v_1\ldots \in V^\infty \).

Winning Conditions/Objectives. Given a game graph \(G\), we consider winning conditions/objectives specified using a formula \(\varPhi \) in linear temporal logic (LTL) over the vertex set V, that is, we consider LTL formulas whose atomic propositions are sets of vertices V. In this case the set of desired infinite plays is given by the semantics of \(\varPhi \) which is an \(\omega \)-regular language \(\mathcal {L}(\varPhi )\subseteq V^\omega \). Every game graph with an arbitrary \(\omega \)-regular set of desired infinite plays can be reduced to a game graph (possibly with a different set of vertices) with an LTL winning condition, as above. The standard definitions of \(\omega \)-regular languages and LTL are omitted for brevity and can be found in standard textbooks [6]. To simplify notation we use \( e=(u,v) \) in LTL formulas as syntactic sugar for \( u\wedge \bigcirc v \), with \( \bigcirc \) as the LTL next operator. We further use a set of edges \(E' = \left\{ e_i\right\} _{i\in [0;k]}\) as atomic proposition to denote \(\bigvee _{i\in [0;k]} e_i\).

Games and Strategies. A two-player (turn-based) game is a pair \(\mathcal {G}=\left( G,\varPhi \right) \) where G is a game graph and \( \varPhi \) is a winning condition over \(G\). A strategy of \(\text {Player}~i,~i\in \{0,1\}\), is a function \(\pi ^i:V^*V^i\rightarrow V\) such that for every \(\rho v \in V^*V^i\) holds that \(\pi ^i(\rho v)\in E(v)\). Given a strategy \(\pi ^i\), we say that the play \(\rho =v_0v_1\ldots \) is compliant with \(\pi ^i\) if \(v_{k-1}\in V^i\) implies \(v_{k} = \pi ^i(v_0\ldots v_{k-1})\) for all k. We refer to a play compliant with \(\pi ^i\) and a play compliant with both \(\pi ^0\) and \(\pi ^1\) as a \( \pi ^i\)-play and a \( \pi ^0\pi ^1\)-play, respectively. We collect all plays originating in a set S and compliant with \(\pi ^i\), (and compliant with both \(\pi ^0\) and \(\pi ^1\)) in the sets \(\mathcal {L}(S,\pi ^i)\) (and \(\mathcal {L}(S,\pi ^0\pi ^1)\), respectively). When \( S=V \), we drop the mention of the set in the previous notation, and when S is singleton \( \{v\} \), we simply write \( \mathcal {L}(v,\pi ^i) \) (and \( \mathcal {L}(v,\pi ^0\pi ^1) \), respectively).

Winning. Given a game \(\mathcal {G}=(G,\varPhi )\), a play \( \rho \) in \( \mathcal {G}\) is winning for \( \text {Player}~0 \), if \( \rho \in \mathcal {L}(\varPhi ) \), and it is winning for \( \text {Player}~1 \), otherwise. A strategy \(\pi ^i\) for \(\text {Player}~i\) is winning from a vertex \( v\in V \) if all plays compliant with \( \pi ^i\) and originating from v are winning for \( \text {Player}~i \). We say that a vertex \(v\in V\) is winning for \(\text {Player}~i\), if there exists a winning strategy \(\pi ^i\) from v. We collect all winning vertices of \(\text {Player}~i\) in the \(\text {Player}~i\) winning region \(\mathcal {W}_i\subseteq V\). We always interpret winning w.r.t. \(\text {Player}~0\) if not stated otherwise.

Strategy Templates. Let \( \pi ^0\) be a \( \text {Player}~0 \) strategy and \( \varPhi \) be an LTL formula. Then we say \( \pi ^0\) follows \( \varPhi \), denoted \( \pi ^0\Vdash \varPhi \), if for all \( \pi ^0\)-plays \( \rho \), \( \rho \) belongs to \(\mathcal {L}(\varPhi ) \), i.e. \( \mathcal {L}(\pi ^0)\subseteq \mathcal {L}(\varPhi ) \). We refer to a set \( \varPsi =\left\{ \varPsi _1,\ldots , \varPsi _k\right\} \) of LTL formulas as strategy templates representing the set of strategies that follows \( \varPsi _1\wedge \ldots \wedge \varPsi _k \). We say a strategy template \(\varPsi \) is winning from a vertex v for a game \((G, \varPhi )\) if every \(\text {Player}~0\) strategy following the template \(\varPsi \) is winning from v. Moreover, we say a strategy template \(\varPsi \) is winning if it is winning from every vertex in \(\mathcal {W}_0\). In addition, we call \(\varPsi \) maximally permissive for \(\mathcal {G}\), if every \(\text {Player}~0\) strategy \(\pi \) which is winning in \(\mathcal {G}\) also follows \(\varPsi \). With slight abuse of notation, we use \( \varPsi \) for the set of formulas \( \left\{ \varPsi _1,\ldots , \varPsi _k\right\} \), and the formula \( \varPsi _1\wedge \ldots \wedge \varPsi _k \), interchangeably.

Set Transformers. Let be a game graph, \( U\subseteq V \) be a subset of vertices, and \( a\in \{0,1\} \) be the player index. Then

$$\begin{aligned} \textsf {upre}_{G}(U) =&\{v\in V\mid \forall (v,u)\in E.~u\in U \}\end{aligned}$$
(1)
$$\begin{aligned} \textsf {cpre}^a_{G}(U) =&\{v\in V^a\mid \exists (v,u)\in E.~u\in U \}\cup \{v\in V^{1-a}\mid u\in \textsf {upre}_{G}(U) \} \end{aligned}$$
(2)

The universal predecessor operator \( \textsf {upre}_{G}(U) \) computes the set of vertices with all the successors in U and the controllable predecessor operator \( \textsf {cpre}^a_{G}(U) \) the vertices from which \(\text {Player}~a \) can force visiting U in exactly one step. In the following, we introduce two types of attractor operators: \( \textsf {attr}^a_{G}(U) \) that computes the set of vertices from which \( \text {Player}~a\) can force at least a single visit to U in finitely many steps, and the universal attractor \( \textsf {uattr}_{G}(U) \) that computes the set of vertices from which both players are forced to visit U. For the following, let \( \textsf{pre}\in \{\textsf{upre}, \textsf{cpre}^a \} \)

$$\begin{aligned} \textsf{pre}_{G}^{1}{(U)} =&~\textsf {pre}_{G}(U)\cup U&\textsf{pre}_{G}^{i}{(U)}=&~\textsf{pre}_{G}{(\textsf{pre}_{G}^{i-1}{(U)})} \cup \textsf{pre}_{G}^{i-1}{(U)}\end{aligned}$$
(3)
$$\begin{aligned} \textsf {attr}^a_{G}(U) =&\cup _{i\ge 1}\textsf {cpre}^{a,i}_{G}(U)&\textsf {uattr}_{G}(U) =&\cup _{i\ge 1}\textsf{upre}_{G}^{i}{(U)} \end{aligned}$$
(4)

3 Computation of Winning Strategy Templates

Given a 2-player game \( \mathcal {G}\) with an objective \(\varPhi \), the goal of this section is to compute a strategy template that characterizes a large class of winning strategies of \( \text {Player}~0 \) from a set of vertices \( U\subseteq V \) in a local, permissive, and computationally efficient way. These templates are then utilized in Sect. 5.1 for computational synthesis. In particular, this section introduces three distinct template classes—safety templates (Sect. 3.1), live-group-templates (Sect. 3.2), and co-live-templates (Sect. 3.3) along with algorithms for their computation via safety, Büchi, and co-Büchi games, respectively. We then turn to general parity objectives which can be thought of as a sophisticated combination of Büchi and co-Büchi games. We show in Sect. 3.4 how the three introduced templates can be derived for a general parity objective by a suitable combination of the previously introduced algorithms for single templates. All presented algorithms have the same worst-case computation time as the standard algorithms solving the respective game. This shows that extracting strategy templates instead of ’normal’ strategies does not incur an additional computational cost. We prove the soundness of the algorithms and discuss the complexities in the full version [5, Appendix A].

3.1 Safety Templates

We start the construction of strategy templates by restricting ourselves to games with a safety objective—i.e., \(\mathcal {G}=(G,\varPhi )\) with \(\varPhi {:}{=}\square U\) for some \(U\subseteq V\). A winning play in a safety game never leaves \(U\subseteq V\). It is well known that such games allow capturing all winning strategies by a simple local template which essentially only allows \(\text {Player}~0\) moves from winning vertices to other winning vertices. This is formalized in our notation as a safety template as follows,

Theorem 1

([8, Fact 7]). Let \(\mathcal {G}=(G,\square U)\) be a safety game with winning region \(\mathcal {W}_0\) and \( S= \left.{(u,v)\in E\mid \left( u\in V^0\cap \mathcal {W}_0\right) \wedge \left( v \notin \mathcal {W}_0\right) }\right.\). Then

$$\begin{aligned} \textstyle \varPsi _{\textsc {unsafe}}(S) {:}{=}\square \bigwedge _{e\in S} \lnot e, \end{aligned}$$
(5)

is a winning strategy template for the game \(\mathcal {G}\) which is also maximally permissive.

It is easy to see that the computation of the safety template \(\varPsi _{\textsc {unsafe}}(S)\) reduces to computing the winning region \(\mathcal {W}_0\) in the safety game \((G,\square U)\) and extracting \(S\). We refer to the edges in \(S\) as unsafe edges and we call this algorithm computing the set \(S\) as \(\textsc {SafetyTemplate}(G,U)\). Note that it runs in \( \mathcal {O}(m) \) time, where \( m = |E| \), as safety games are solvable in \( \mathcal {O}(m) \) time.

3.2 Live-Group Templates

As the next step, we now move to simple liveness objectives which require a particular vertex set \(I\subseteq V\) to be seen infinitely often. Here, winning strategies need to stay in the winning region (as before) but in addition always eventually need to make progress towards the vertex set I. We capture this required progress by live-group templates—given a group of edges \(H\subseteq E\), we require that whenever a source vertex v of an edge in H is seen infinitely often, an edge \(e\in H\) (not necessarily starting at v) also needs to be taken infinitely often. This template ensures that compliant strategies always eventually make progress towards I, as illustrated by the following example.

Example 1

Consider the game graph in Fig. 2 where we require visiting \( \{c,d\} \) infinitely often. To satisfy this objective from vertex a, \( \text {Player}~0\) needs to not get stuck at a, and should not visit b always (since \( \text {Player}~1\) can force visiting a again, and stop \( \text {Player}~0\) from satisfying the objective). Hence, \( \text {Player}~0\) has to always eventually leave a and go to \( \{c,d\} \). This can be captured by the live-group \( \{e_{ac},e_{ad}\} \). Now if the play comes to a infinitely often, \( \text {Player}~0\) will go to either c or d infinitely often, hence satisfying the objective.

Formally, such games are called Büchi games, denoted by \(\mathcal {G}=(G=(V,E),\varPhi )\) with \(\varPhi {:}{=}\square \lozenge I\), for some \( I\subseteq V \). In addition, a live-group \(H= \left.{e_j}\right._{j\ge 0}\) is a set of edges \(e_j = (s_j,t_j)\) with source vertices \( src (H):=\left.{s_j}\right._{j\ge 0}\). Given a set of live-groups \(\mathcal {H}=\left\{ H_i\right\} _{i\ge 0}\) we define a live-group template as

$$\begin{aligned} \varPsi _{\textsc {live}}(\mathcal {H}) {:}{=}\bigwedge _{i\ge 0}\square \lozenge src(H_i)\implies \square \lozenge H_i. \end{aligned}$$
(6)

The live-group template says that if some vertex from the source of a live-group is visited infinitely often, then some edge from this group should be taken infinitely often by the following strategy.

Intuitively, winning strategy templates for Büchi games consist of a safety template conjuncted with a live-group template. While the former enforces all strategies to stay within the winning region \(\mathcal {W}\), the latter enforces progress w.r.t. the goal set I within \(\mathcal {W}\). Therefore, the computation of a winning strategy template for Büchi games reduces to the computation of the unsafe set S to define \(\varPsi _{\textsc {unsafe}}(S)\) in (5) and the live-group \(\mathcal {H}\) to define \(\varPsi _{\textsc {live}}(\mathcal {H})\) in (6). We denote by the algorithm computing the above as detailed in Algorithm 1. The algorithm uses some new notations that we define here. Here, the function Büchi solves a Büchi game and returns the winning region (e.g., using the standard algorithm from [17]), \( \textsc {Edges}(X, Y)= \{(u,v)\in E\mid u\in X, v\in Y\} \), is the set of edges between two subsets of vertices X and Y. s.t. \(U^0 {:}{=}V^0\cap U\), \(U^1 {:}{=}V^1\cap U\), and \(E'{:}{=}E\cap (U\times U)\) denotes the restriction of a game graph to a subset of its vertices \(U\subseteq V\). We have the following formal result.

Theorem 2

Given a Büchi game \(\mathcal {G}=(G, \square \lozenge I)\) for some \( I\subseteq V \), if then \(\varPsi =\left\{ \varPsi _{\textsc {unsafe}}(S), \varPsi _{\textsc {live}}(\mathcal {H})\right\} \) is a winning strategy template for the game \(\mathcal {G}\), computable in time \( \mathcal {O}(nm) \), where \( n=|V| \) and \( m=|E| \).

figure h

While live-group templates capture infinitely many winning strategies in Büchi games, they are not maximally permissive, as exemplified next.

Example 2

Consider the game graph in Fig. 2 restricted to the vertex set \( \{a,b,d\} \) with the Büchi objective \( \square \lozenge d \). Our algorithm outputs the live-group template \( \varPsi =\varPsi _{\textsc {live}}(\{e_{ad}\}) \). Now consider the winning strategy with memory that takes edge \( e_{da} \) from d, and takes \( e_{ab} \) for play suffix bda and \( e_{ad} \) for play suffix aba. This strategy does not follow the template—the play \( (abd)^{\omega } \) is in \( \mathcal {L}(\pi ^0) \) but not in \( \mathcal {L}(\varPsi ) \).

3.3 Co-live Templates

We now turn to yet another objective which is the dual of the one discussed before. The objective requires that eventually, only a particular subset of vertices I is seen. A winning strategy for this objective would try to restrict staying or going away from I after a finite amount of time. It is easy to notice that live-group templates can not ensure this, but it can be captured by co-live templates: given a set of edges, eventually these edges are not taken anymore. Intuitively, these are the edges that take or keep a play away from I.

Example 3

Consider the game graph in Fig. 2 where we require eventually stop visiting b, i.e. staying in \( I=\{a,c,d\} \). To satisfy this objective from vertex a, \( \text {Player}~0\) needs to stop getting out of I eventually. Hence, \( \text {Player}~0\) has to stop taking the edges \( \{e_{ab}, e_{db}, e_{de}\} \), which can be ensured by marking both edges co-live. Now since no edges are leading to b, the play eventually stays in I, satisfying the objective. We note that this can not be captured by live-groups \( \{e_{aa},e_{ac},e_{ad}\} \) and \(\{e_{da}\}\), since now the strategy that visits c and b alternatively from \(\text {Player}~0\)’s vertices, does not satisfy the objective, but follows the live-group.

Formally, a co-Büchi game is a game \(\mathcal {G}=(G,\varPhi )\) with co-Büchi winning condition \(\varPhi {:}{=}\lozenge \square I\), for some goal vertices \( I\subseteq V \). A play is winning for \( \text {Player}~0\) in such a co-Büchi game if it eventually stays in I forever. The co-live template is defined by a set of co-live edges \( D\) as follows,

$$\begin{aligned} \varPsi _{\textsc {colive}}(D) {:}{=}\bigwedge _{e\in D}\lozenge \square \lnot e. \end{aligned}$$

The intuition behind the winning template is that it forces staying in the winning region using the safety template, and ensures that the play does not go away from the vertex set I infinitely often using the co-live template. We provide the procedure in Algorithm 2 and its correctness in the following theorem. Here, is a standard algorithm solving the co-Büchi game with the goal vertices I, and outputs the winning regions for both players [17]. We also use the standard algorithm \( \textsc {Safety}(G, I) \) that solves the safety game with the objective to stay in A forever.

figure j

Theorem 3

Given a co-Büchi game \(\mathcal {G}=(G,\lozenge \square I)\) for some \( I\subseteq V \), if then \(\varPsi =\left\{ \varPsi _{\textsc {unsafe}}(S), \varPsi _{\textsc {colive}}(D)\right\} \) is a winning strategy template for \( \text {Player}~0\), computable in time \( \mathcal {O}(nm) \) with \( n=|V| \) and \( m=|E| \).

3.4 Parity Games

We now consider a more complex but canonical class of \( \omega \)-regular objectives. Parity objectives are of central importance in the study of synthesis problems as they are general enough to model a huge class of qualitative requirements of cyber-physical systems, while enjoying the properties like positional determinacy.

A parity game is a game \(\mathcal {G}=(G,\varPhi )\) with parity winning condition \(\varPhi = Parity (\mathbb {P})\), where

$$\begin{aligned} \textstyle Parity (\mathbb {P}){:}{=}\bigwedge _{i\in _{\textrm{odd}}[0;k]} \left( \square \lozenge P_i \implies \bigvee _{j\in _{\textrm{even}}[i+1;k]} \square \lozenge P_j\right) , \end{aligned}$$
(7)

with \( P_i=\{q\in Q\mid \mathbb {P}(q)=i \} \) for some priority function \( \mathbb {P}: V\rightarrow [0;d] \) that assigns each vertex a priority. A play is winning for \( \text {Player}~0\) in such a game if the maximum of priorities seen infinitely often is even.

Although parity objectives subsume previously described objectives, we can construct strategy templates for parity games using the combinations of previously defined templates. To this end, we give the following algorithm.

figure l

Theorem 4

Given a parity game \(\mathcal {G}=(G, Parity (\mathbb {P}))\) with priority function \( \mathbb {P}:V\rightarrow [0;d] \), if \(((\mathcal {W}_0, \mathcal {W}_1), \mathcal {H},D)=\textsc {ParityTemplate}(G, \mathbb {P})\), then \( \varPsi =\) \(\left\{ \varPsi _{\textsc {unsafe}}(S), \varPsi _{\textsc {live}}(\mathcal {H}), \varPsi _{\textsc {colive}}(D)\right\} \) is a winning strategy template for the game \(\mathcal {G}\), where \( S= \textsc {Edges}(\mathcal {W}_0,\mathcal {W}_1) \). Moreover, the algorithm terminates in time \( \mathcal {O}(n^{d+\mathcal {O}(1)}) \), which is same as that of Zielonka’s algorithm.

Fig. 3.
figure 3

A parity game, where a vertex with priority i has label \( p_i \). The dotted edge in is a co-live edge, while the dashed edges in are singleton live-groups. (Color figure online)

Full size image

We refer the readers to the full version [5, Appendix A.3] for the complete proofs, and here we provide the intuition behind the algorithm and the computation of the algorithm on the parity game in Fig. 3. The algorithm follows the divide-and-conquer approach of Zeilonka’s algorithm. Since the highest priority occurring is 6 which is even, we first find the vertices \( A=\{d,h\} \) from which \( \text {Player}~0\) can force visiting \( \{d\} \) (vertices with priority 6) in line 14. Then since \( A\not =V \), we find the winning strategy template in the rest of the graph \( G_1=G|_{V\backslash A} \). Then the highest priority 5 is odd, hence we compute the region \( \{c\} \) from which \( \text {Player}~1\) can ensure visiting 5. We again restrict our graph to \( G_2 =G|_{\{a,b,e,f,g\}} \). Again, the highest priority is even. We further compute the region \( A_2=\{a,b\} \) from which \( \text {Player}~0\) can ensure visiting the priority 4, giving us \( G_3=G|_{\{e,f,g\}} \). In \( G_3 \), \( \text {Player}~0\) can ensure visiting the highest priority 2, hence satisfying the condition in line 15. Then since in this small graph, \( \text {Player}~0\) needs to keep visiting priority 2 infinitely often, which gives us the live-groups \( \{e_{gf}\} \) and \( \{e_{ff}\} \) in line 15. Coming one recursive step back to \( G_2 \), since \( G_3 \) doesn’t have a winning vertex for \( \text {Player}~1\), the if condition in the line 18 is satisfied. Hence, for the vertices in \( A_2 \), it suffices to keep visiting priority 4 to win, which is ensured by the live-group \( \{e_{ab}\} \) added in the line 18. Now, again going one recursive step back to \( G_1 \), we have \( \mathcal {W}_0=\{a,b,e,f,g\} \). If \( \text {Player}~0\) can ensure reaching and staying in \( \mathcal {W}_0\) from the rest of the graph \( G_1 \), it can satisfy the parity condition. Since from the vertex c, \( \mathcal {W}_0\) will anyway be reached, we get a co-live edge \( e_{bc} \) in line 9 to eventually keep the play in \( \mathcal {W}_0\). Coming back to the initial recursive call, since now again \( G_1 \) was winning for \( \text {Player}~0\), they only need to be able to visit the priority 6 from every vertex in A, giving another live-group \( \{e_{hd}\} \).

4 Extracting Strategies from Strategy Templates

This section discusses how a strategy that follows a computed winning strategy template can be extracted from the template. As our templates are just particular LTL formulas, one can of course use automata-theoretic techniques for this. However, as the types of templates we presented put some local restrictions on strategies, we can extract a strategy much more efficiently. For instance, the game in Fig. 2 with strategy template \(\varPsi = \varPsi _{\textsc {live}}(\{e_{ac},e_{ad}\})\) allows the strategy that simply uses the edges \(e_{ac}\) and \(e_{ad}\) alternatively from vertex a.

However, strategy extraction is not as straightforward for every template, even if it only conjuncts the three template types we introduced in Sect. 3. For instance, consider again the game graph from Fig. 2 with a strategy template \(\varPsi =\left\{ \varPsi _{\textsc {unsafe}}(e_{ac}, e_{ad}), \varPsi _{\textsc {colive}}(e_{aa}, e_{ab})\right\} \). Here, non of the four choices of \(\text {Player}~0\) (i.e., outgoing edges) from vertex a can be taken infinitely often, and, hence, the only way a play satisfies \(\varPsi \) is to not visit vertex a infinitely often. On the other hand, given strategy template \(\varPsi ' =\{ \varPsi _{\textsc {colive}}(e_{ab}, e_{db}), \varPsi _{\textsc {live}}(\{e_{ab},e_{ac},e_{db}\})\}\), edge \(e_{db}\) is both live and co-live, which raises a conflict for vertex d. Hence, the only way a strategy can follow \(\varPsi '\) is again to ensure that d is not visited infinitely often. We call such situations conflicts. Interestingly, the methods we presented in Sect. 3 never create such conflicts and the computed templates are therefore conflict-free, as formalized next and proven in the full version [5, Appendix A.4].

Definition 1

A strategy template \(\varPsi = \left\{ \varPsi _{\textsc {unsafe}}(S), \varPsi _{\textsc {colive}}(D), \varPsi _{\textsc {live}}(\mathcal {H})\right\} \) in a game graph \(G= (V,E)\) is conflict-free if the following are true:

  1. (i)

    or every vertex v, there is an outgoing edge that is neither co-live nor unsafe, i.e., \(v\times E(v) \not \subseteq D \cup S\), and

  2. (ii)

    for every source vertex v in a live-group \(H\in \mathcal {H}\), there exists an outgoing edge in \(H\) which is neither co-live nor unsafe, i.e., \(v\times H(v) \not \subseteq D \cup S\).

Proposition 1

Algorithms 1, 2, and 3 always return conflict-free templates.

Due to the given conflict-freeness, winning strategies are indeed easy to extract from winning strategy templates, as formalized next.

Proposition 2

Given a game graph \(G= (V,E)\) with conflict-free winning strategy template \(\varPsi = \left\{ \varPsi _{\textsc {unsafe}}(S), \varPsi _{\textsc {colive}}(D), \varPsi _{\textsc {live}}(\mathcal {H})\right\} \), a winning strategy \(\pi _0\) that follows \(\varPsi \) can be extracted in time \( \mathcal {O}(m) \), where m is the number of edges.

The proof is straightforward by constructing the winning strategy as follows. We first remove all unsafe and co-live edges from G and then construct a strategy \(\pi _0\) that alternates between all remaining edges from every vertex in \(\mathcal {W}_0\). This strategy is well defined as condition (i) in Definition 1 ensures that after removing all the unsafe and co-live edges a choice from every vertex remains. Moreover, if the vertex is a source of a live-group edge, condition (ii) in Definition 1 ensures that there are outgoing edges satisfying every live-group. It is easy to see that the constructed strategy indeed follows \(\varPsi \) and is hence winning from vertices in \(\mathcal {W}_0\), as \(\varPsi \) was a winning strategy template. We call this procedure of strategy extraction \( \textsc {ExtractStrategy}(G, \varPsi ) \).

5 Applications of Strategy Templates

This section considers two concrete applications of strategy templates which utilize their structural simplicity and easy adaptability.

In the context of CPS control design problems, it is well known that the game graph of the resulting parity game used for strategy synthesis typically has a physical interpretation and results from behavioral constraints on the existing technical system that is subject to control. In particular, following the well-established paradigm of abstraction-based control design (ABCD) [2, 7, 39], an underlying (stochastic) disturbed non-linear dynamical system can be automatically abstracted into a two-player game graph using standard abstraction tools, e.g. SCOTS [35], ARCS [13], MASCOT [20], P-FACES [22], or ROCS [27].

In contrast to classical problems in reactive synthesis, it is very natural in this context to think about the game graph and the specification as two different objects. Here, specifications are naturally expressed via propositions that are defined over sets of states of this underlying game graph, without changing its structure. This separation is for example also present in the known LTL fragment GR(1) [10]. Arguably, this feature has contributed to the success of GR(1)-based synthesis for CPS applications, e.g. [1, 3, 24, 25, 38, 40, 41].

Given this insight, it is natural to define the incremental synthesis problem such that the game graph stays unchanged, while newly arriving specifications are modeled as new parity conditions over the same game graph. Formally, this results in a generalized parity game where the different objectives arrive one at a time. We show an incremental algorithm for synthesizing winning strategies for such games in Sect. 5.1. Similarly, fault-tolerant control requires the controller to adapt to unavailable actuators within the technical system under control. This naturally translates to the removal of \(\text {Player}~0\) edges within the game graph given its physical interpretation. We show how strategy templates can be used to adapt winning strategies to these game graph modifications in Sect. 5.2.

5.1 Incremental Synthesis via Strategy Templates

In this section we consider a 2-player game \(\mathcal {G}\) with a conjunction \(\varPhi =\bigwedge _{i=1}^k\varPhi _i\) of multiple parity objectives \(\varPhi _i\), also called a generalized parity objective. However, in comparison to existing work [12, 16], we consider the case that different objectives \(\varPhi _i\) might not arrive all at the same time. The intuition of our algorithm is to solve each parity game \((G,\varPhi _i)\) separately and then combine the resulting strategy templates \(\varPsi _i\) to a global template \(\varPsi =\bigwedge _{i=1}^k\varPsi _i\). This allows to easily incorporate newly arriving objectives \(\varPhi _{k+1}\). We only need to solve the parity game \((G,\varPhi _{k+1})\) and then combine the resulting template \(\varPsi _{k+1}\) with \(\varPsi \).

While Proposition 1 ensures that every individual template \(\varPsi _i\) is conflict-free, this does unfortunately not imply that their conjunction is also conflict-free. Intuitively, combinations of strategy templates can cause the condition (i) and (ii) in Definition 1 to not hold anymore, resulting in a conflict. As already discussed in Sect. 4, this requires source vertices \(U\subseteq V\) with such conflicts to eventually not be visited anymore. We therefore resolve such conflicts by adding the specification \(\lozenge \square \lnot U\) to every objective and recomputing the templates.

To efficiently formalize this objective change, we note that a parity objective \( Parity (\mathbb {P})\) with an additional specification \(\lozenge \square \lnot U\) for some \(U\subseteq V\) is equivalent to another parity objective \(Parity(\mathbb {P}')\), where priority function \(\mathbb {P}'\) can be obtained from \(\mathbb {P}:V\rightarrow [0;2d+1]\) just by modifying the priorities of vertices in U to \(2d+1\). Let us denote such a priority function by \(\mathbb {P}[U\rightarrow 2d+1]\). In particular, we have the following result:

Lemma 1

Given a game graph \(G\) and two parity objectives \(\varPhi = Parity (\mathbb {P})\), \(\varPhi ' = Parity(\mathbb {P}')\) such that \(\mathbb {P}:V\rightarrow [0;2d+1]\) and \(\mathbb {P}' = \mathbb {P}[U\rightarrow 2d+1]\) for some vertex set \(U\subseteq V\), it holds that \(\mathcal {L}(\varPhi ') = \mathcal {L}(\varPhi \wedge \lozenge \square \lnot U)\). Moreover, if a strategy template is winning from some vertex u in the game \(\mathcal {G}' = (G, \varPhi ')\), then it is also winning from u in the game \(\mathcal {G}= (G, \varPhi )\).

figure o

Using the above ideas, we present Algorithm 4 to solve generalized parity games (possibly incrementally). If no partial solution to the synthesis problem exists so far we have \(\ell =0\), otherwise the game \((G, \bigwedge _{i<\ell }\varPhi _i)\) was already solved and the respective winning region and templates are known. In both cases, the algorithm starts with computing a winning strategy template for each game \((G,\varPhi _i)\) for \(i\in \{\ell +1,k\}\) (line 1) and conjuncts them with the already computed ones (line 2). Then the algorithm checks for conflicts (line 3–4). If there is some conflict the algorithm modifies the objectives to ensure that the conflicted vertices are eventually not visited anymore (line 8), and then re-computes the templates in the game graph restricted to the intersection of winning regions for all objectives (line 9). If there is no conflict, then the algorithm returns the conjunction of the templates which is conflict-free, and hence, is winning from the intersection of winning regions for every objective (line 6). The latter is formalized in the following theorem. The proof can be found in the full version [5, Appendix B.2].

Theorem 5

Given a generalized parity game \(\mathcal {G}= (G, \bigwedge _{i\le k}\varPhi _i)\) with \(\varPhi _i = Parity (\mathbb {P}_i)\) and priority functions \(\mathbb {P}_i: V \rightarrow [0;2d_i+1]\), if \((\mathcal {W}_0, \mathcal {H}, D, (\varPhi '_i)_{i\le k}) = \textsc {ComposeTemplate}(G, \emptyset , (V, \emptyset , \emptyset ), (\varPhi _i)_{i\le k})\), then \(\varPsi =\{\varPsi _{\textsc {unsafe}}(S),\varPsi _{\textsc {live}}(\mathcal {H}), \varPsi _{\textsc {colive}}(D)\} \) is an conflict-free strategy template that is winning from \(\mathcal {W}_0\) in the game \(\mathcal {G}\), where \( S= \textsc {Edges}(\mathcal {W}_0,V\setminus \mathcal {W}_0). \) Further, \(\varPsi \) is computable in time \(\mathcal {O}(kn^{2d+3})\) time, where \(n = \left|V \right|\) and \(d = \max _{i\le k} d_i\).

Due to the conflict checks carried out within Algorithm 4 the returned modified objectives \(\varPhi '_i\) ensure that the conjunction \(\varPsi :=\bigwedge _{i=1}^k\varPsi '_i\) of winning strategy templates \(\varPsi '_i\) for the games \((G,\varPhi '_i)\) is indeed conflict-free. In particular, the conjuncted template \(\varPsi \) is actually returned by the algorithm. Hence, incrementally running Algorithm 4 is actually sound. This is an immediate consequence of Theorem 5 and stated as a corollary next.

Corollary 1

Given a generalized parity game \(\mathcal {G}= (G, \bigwedge _{i\le k}\varPhi _i)\) with \(\varPhi _i = Parity (\mathbb {P}_i)\) and priority functions \(\mathbb {P}_i: V \rightarrow [0;2d_i+1]\), s.t.

$$\begin{aligned} (\mathcal {W}_0', \mathcal {H}', D', (\varPhi '_i)_{i<\ell })&:= \textsc {ComposeTemplate}(G, (V, \emptyset , \emptyset , \emptyset ), (\varPhi _i)_{i<\ell }), \text { and}\\ (\mathcal {W}_0, \mathcal {H}, D, (\varPhi ''_i)_{i\le k})&:= \textsc {ComposeTemplate}(G, (\mathcal {W}_0', \mathcal {H}', D', (\varPhi '_i)_{i<\ell }), (\varPhi _i)_{\ell \le i\le k}) \end{aligned}$$

then \(\varPsi =\left\{ \varPsi _{\textsc {unsafe}}(S), \varPsi _{\textsc {live}}(\mathcal {H}), \varPsi _{\textsc {colive}}(D)\right\} \) is an conflict-free strategy template that is winning from \(\mathcal {W}_0\) in the game \(\mathcal {G}\), where \( S= \textsc {Edges}(\mathcal {W}_0,V\setminus \mathcal {W}_0). \) Further, \(\varPsi \) is computable in time \(\mathcal {O}(kn^{2d+3})\), where \(n = \left|V \right|\) and \(d = \max _{i\le k} d_i\).

We note that the generalized Zielonka algorithm [16] for solving generalized parity games has time complexity \(\mathcal {O}(mn^{\sum 2d_i}) {\sum {d_i} \atopwithdelims ()d_1,d_2,\ldots ,d_k}\) for a game with n vertices, m edges and k priority functions: \(\mathbb {P}_i\) with \(2d_i\) priorities for each i. Clearly, Algorithm 4 has a much better time complexity. However, it is not complete, i.e., it does not always return the complete winning region. This is due to templates being not maximally permissive and hence potentially raising conflicts which result in additional specifications that are not actually required. The next example shows such an incomplete instance for illustration. We however note that Algorithm 4 returned the full winning region on all benchmarks considered during evaluation, suggesting that such instances rarely occur in practice.

Example 4

Consider the game in Fig. 2 with objectives \(\varPhi _3 \wedge \varPhi _4\) with \(\varPhi _4 = Parity (\mathbb {P})\), where \(\mathbb {P}\) maps vertices abcdef to 0, 2, 1, 1, 1, 1, respectively. The winning strategy templates computed by \(\textsc {ParityTemplate}\) for objectives \(\varPhi _3\) and \(\varPhi _4\) are \(\varPsi _3 = \varPsi _{\textsc {colive}}(e_{ab},e_{db},e_{de})\) and \(\varPsi _4 = \varPsi _{\textsc {live}}(\{e_{ab},e_{db},e_{de}\})\), respectively. The conjunction of both templates marks all outgoing edges of vertex a and d in the live-group co-live. Hence, the algorithm would ensure that these conflicted vertices a and d are eventually not visited anymore. However, the only way to satisfy \(\varPhi _3\wedge \varPhi _4\) is by eventually looping on vertex a. But this solution was skipped by the strategy template \(\varPsi _4\) by putting edge \(e_{ab}\) in a live-group. Therefore, the algorithm returns the empty set as the winning region, whereas the actual winning region is the whole vertex set.

5.2 Fault-Tolerant Strategy Adaptation

figure p

In this section we consider a 2-player parity game \( \mathcal {G}=(G, Parity (\mathbb {P})) \) and a set of faulty \(\text {Player}~0\) edges \( F\subseteq E\cap (V^0\times V) \) which might become unavailable during runtime. Given a strategy template \(\varPsi \) for \(\mathcal {G}\), we can use \(\varPsi ' = \left\{ \varPsi , \varPsi _{\textsc {unsafe}}(F)\right\} \) for the (linear-time) extraction of a new strategy for the game, if \(\varPsi '\) is conflict-free for \(G\). In this case, no re-computation is needed. If \(\varPsi '\) is not conflict-free for \(G\), then we can remove the edges in \(F\) and compute a new winning strategy template using Algorithm 3. This is formalized in Algorithm 5, where we slightly abuse notation and assume that \( \textsc {ParityTemplate}\) only outputs strategy templates. The correctness of Algorithm 5 follows directly from Theorem 4.

Corollary 2

Given a 2-player parity game \( \mathcal {G}=(G, Parity (\mathbb {P})) \) with a strategy template \(\varPsi = \textsc {ParityTemplate}(G, \mathbb {P}) \) and faulty edge set \( F\subseteq E\cap (V^0\times V) \) it holds that \(\varPsi '\) obtained from Algorithm 5 is a winning strategy template for \( \mathcal {G}|_{E\setminus F} \).

Faulty edges introduce an additional safety specification for which our templates are maximally permissive. This implies that Algorithm 5 is sound and complete – if there exists a winning strategy for \((G|_{E\setminus F}, Parity (\mathbb {P}))\) Algorithm 5 finds one.

Let us now assume that \(F\) collects all edges controlling vulnerable actuators that might become unavailable. In this scenario, Algorithm 5 returns a conservative strategy that never uses vulnerable actuators. It might however be desirable to use actuators as long as they are available to obtain better performance. Formally, this application scenario can be defined via a time-dependent graph who’s edges change over time, i.e., \( E_t \) with \( E_0=E \) are the edges available at time \(t\in \mathbb {N}\) and \( F:=\{e\in E\mid e\not \in E_i, \text { for some } i\} \). Given the original parity game \( \mathcal {G}=(G, Parity (\mathbb {P})) \) with a winning strategy template \(\varPsi \) we can easily modify \(\textsc {ExtractStrategy}(\mathcal {G},\varPsi )\) to obtain a time-dependent strategy \( \pi _g \) which reacts to the unavailability of edges, i.e., at time t, \( \pi _g \) takes an edge \( e\in E_t\backslash (S\cup D) \) for all vertices without any live-group, and for the ones with live-groups, it alternates between the edges satisfying the live-groups whenever they are available, and an edge \( e\in E_t\backslash (S\cup D) \) when no live-group edge is available.

The online strategy \(\pi _g\) can be implemented even without knowing when edges are availableFootnote 2, i.e., without knowing the time dependent edge sequence \(\left\{ E_t\right\} _{t\in \mathbb {N}}\) up front. In this case \( \pi _g \) is obviously winning in \( \mathcal {G}=(G, Parity (\mathbb {P})) \) if \(\varPsi \) is conflict-free for \(\mathcal {G}|_{E\setminus F}\). If this is not the case, one needs to ensure that edges that cause conflicts are always eventually available again, as formalized next.

Definition 2

Given a parity game \( \mathcal {G}=(G, Parity (\mathbb {P})) \) we call the dynamic edge set \(\left\{ E_i\right\} _{i\ge 0}\) a guaranteed availability fault (GAF) if \( \forall \) plays \( \rho =v_0v_1\ldots \), \( \forall v\in V \), if \( v\in inf(\rho ) \), then \( \forall e=(v,w)\in F\), \(\exists \) infinitely many times \( t_0,t_1\ldots \) such that \( v_{t_j}=v \) and \( e\in E_{t_j} \), \( \forall j\ge 0 \).

Intuitively, guaranteed availability faults (GAF) ensure that a faulty edge is always eventually available when a play is in its source vertex. Under this fault, the following fault-correction result holds, which is proven in the full version [5, Appendix B.3].

Proposition 3

Given a game graph \(G\) with a parity objective \( \varPhi \), a strategy template \(\varPsi = \left\{ \varPsi _{\textsc {unsafe}}(S), \varPsi _{\textsc {live}}(\mathcal {H}), \varPsi _{\textsc {colive}}(D)\right\} \) computed by Algorithm 3 and a set \( F= \{e\in E\mid e\not \in E_i, \text { for some } i\} \) of faulty edges, the game with the objective is realizable under GAF if for every vertex \( v\in V^0 \), there is an outgoing edge which is not in \( S\cup D\cup F\).

This proposition allows a simple linear-time algorithm to check if the templates computed by Algorithm 3 are GAF-tolerant: check if every vertex in the winning region has an outgoing edge which is not in \( S\cup D\cup F\). If this is not the case, the recomputation is non-trivial and is out of scope of this paper. We can however collect the vertices which do not satisfy the above property and alert the system engineer that these vulnerable actuators require additional maintenance or protective hardware. Our experimental results in Sect. 6 show that conflicts arising from actuator faults are rare and very local. Our strategy templates allow to easily localize them, which supports their use for CPS applications.

6 Empirical Evaluation

We have developed a C++-based prototype tool PeSTelFootnote 3 (computing Pe rmissive S trategy Te mp l ates) that implements Algorithms 1–5. We have used PeSTel to show its superior performance on the two applications considered in Sect. 5, suggesting its practical relevance. All our experiments were performed on a computer equipped with Apple M1 Pro 8-core CPU and 16 GB RAM.

Incremental Synthesis. We used PeSTel to solve generalized parity games both in one shot and incremental. We compare our algorithm with existing algorithms, i.e., GenZiel from [16] and three partial solversFootnote 4 from [12], by executing them on a large set of benchmarks. We have generated two types of benchmarks from the games used for the Reactive Synthesis Competition (SYNTCOMP) [21]. Benchmark A was generated by converting parity games into Street games using standard methods, and as each Streett pair can be represented by a \(\{0,1,2\}\)-priority parity game, we represented the complete Streett objective as a conjunction of multiple \(\{0,1,2\}\)-priority parity objectives, resulting in a generalized parity game. Benchmark B was generated by adding randomlyFootnote 5 generated parity objectives to given parity games. We considered 200 examples in Benchmark A and more than 1400 examples in Benchmark B.

Table 1. Aggregated experimental results on generalize parity game benchmarks with objectives given up-front (top) and one-by-one (bottom). Subrows: 1st row (mean time) – average computation time (in ms); 2nd row (incomplete) – number of examples where the corresponding tool failed to compute the complete winning region; 3rd row (faster than) – number of examples where PeSTel is faster than the respective tool; 4th row (timeouts) – number of examples where the respective tool timed out (10000 ms).
Full size table

We summarize the complete set of results of the experiments inFootnote 6 Table 1 and Fig. 1. We performed two kinds of experiments. First, we solved every generalized parity game in Benchmark A and B in one shot using the different methods. The results are shown in Table 1(top) and Fig. 1(left). Although the average time taken by PeSTel is higher than GenZiel and one partial solver, it is fastest in more than 90% of the games in both benchmarks. Thus, it shows that PeSTel is as efficient as the other methods in most cases. Moreover, for every game in both benchmarks, PeSTel succeeded to compute the complete winning region, whereas the partial solvers failed to do so in some casesFootnote 7. We note that the instances which are hard for PeSTel are those where the winning region becomes empty, which is quickly detected by GenZiel but only seen by PeSTel after most objectives are (separately) considered.

Second, we solved the examples in Benchmark B by adding the objectives one-by-one, i.e., we solved the game with one objective, then we added one more objective and solved it again, and so on. The results are shown in Table 1(bottom) and Fig. 1(right). As PeSTel can use the pre-computed strategy templates if we add a new objective to a game, it outperforms all the other solvers significantly as they need to re-solve the game from scratch every time.

Fault-Tolerant Control. As discussed in Sect. 5.2, strategy templates can be used to implement a fault tolerant time-dependent strategy, if the set of faulty edges F does not cause conflicts with the strategy template. We have used PeSTel on over 200 examples of parity games from SYNTCOMP [21] to evaluate the relevance of such conflicts in practice. For this, we randomly selected different percentages of edges to be faulty and checked for conflicts with the given template. The results are summarized in Fig. 4. The left plot shows the number of instances for which a conflict occurs if a certain percentage of randomly selected edges is faulty. We see that the majority of the instances never faces a conflict even when \(30\%\) of the edges are faulty. Looking more closely into the instances with conflicts, Fig. 4(right) shows the average number of conflicting vertices in these benchmarks. Here we see that conflicts occur very locally at a very small number of vertices. Our strategy templates allow for a linear-time algorithm to localize them, allowing to mitigate them in practice by additional hardware.

Fig. 4.
figure 4

Experimental results for parity games with faulty edges. Left: percentage of instances with conflicts given a certain percentage of faulty edges. Right: average percentage of vertices that created conflicts given a certain percentage of faulty edges.

Full size image

Remark 1

We remark again that our results are directly applicable to CPS with continuous dynamics via the paradigm of abstraction-based control design (ABCD). In particular, standard abstraction tools such as SCOTS [35], ARCS [13], MASCOT [20], P-FACES [20], or ROCS [27] automatically compute a game graph from the (stochastic) continuous dynamics that can directly be used as an input to PeSTel. The winning strategy computed by PeSTel can further be refined into a correct-by-construction continuous feedback controller for the original dynamical system using standard methods from ABCD. We leave these tool integrations to future work.