Robust Controller Synthesis in Timed Büchi Automata: A Symbolic Approach



Introduction
Timed automata [1] extend finite-state automata with timing constraints, providing an automata-theoretic framework to design, model, verify and synthesise real-time systems. However, the semantics of timed automata is a mathematical idealisation: it assumes that clocks have infinite precision and instantaneous actions. Proving that a timed automaton satisfies a property does not ensure that a real implementation of it also does. This robustness issue is a challenging problem for embedded systems [12], and alternative semantics have been proposed, so as to ensure that the verified (or synthesised) behaviour remains correct in the presence of small timing perturbations.
We are interested in a fundamental controller synthesis problem in timed automata equipped with a Büchi acceptance condition: it consists in determining whether there exists an accepting infinite execution. Thus, the role of the controller is to choose transitions and delays. This problem has been studied extensively in the exact setting [28,27,19,13,15,17,14]. In the context of robustness, the controller's strategy should be tolerant to small perturbations of the delays. This discards strategies suffering from weaknesses such as Zeno behaviours, or even non-Zeno behaviours requiring infinite precision, as exhibited in [6].
More formally, the semantics we consider is defined as a game that depends on some parameter δ representing an upper bound on the amplitude of the perturbation [7]. In this game, the controller plays against an antagonistic environment that can perturb each delay using a value chosen in the interval [−δ, δ]. The case of a fixed value of δ has been shown to be decidable in [7], and also for a related model in [18]. However, these algorithms are based on regions and, as the value of δ may be very different from the constants appearing in the guards of the automaton, they do not yield practical algorithms. Moreover, the maximal perturbation is not necessarily known in advance, and could be considered as part of the design process.
The problem we are interested in is qualitative: we want to determine whether there exists a positive value of δ such that the controller wins the game. It has been proven in [25] that this problem is in PSPACE (and even PSPACE-complete), thus no harder than in the exact setting with no perturbation allowed [1]. However, the algorithm heavily relies on regions, and more precisely on an abstraction that refines the one of regions, namely folded orbit graphs. Hence, it is not at all amenable to implementation.
Our objective is to provide an efficient symbolic algorithm for solving this problem. To this end, we target the use of zones instead of regions, as they allow an on-demand partitioning of the state space. Moreover, the algorithm we develop explores the reachable state space in a forward manner. This is known to lead to better performance, as witnessed by the successful tool UPPAAL TIGA based on forward algorithms for solving controller synthesis problems [5].
Our algorithm can be understood as an adaptation to the robustness setting of the standard algorithm for Büchi acceptance in timed automata [17]. This algorithm looks for an accepting lasso using a double depth-first search. A major difficulty consists in checking whether a lasso can be robustly iterated, i.e. whether there exists δ > 0 such that the controller can follow the cycle for an infinite number of steps while being tolerant to perturbations of amplitude at most δ. The key argument of [25] was the notion of aperiodic folded orbit graph of a path in the region automaton, thus tightly connected to regions. Lifting this notion to zones seems impossible as it makes essential use of the fact that valuations in regions are time-abstract bisimilar, which is not the case for zones.
Our contributions are threefold. First, we provide a polynomial time procedure to decide, given a lasso, whether it can be robustly iterated. This symbolic algorithm relies on a computation of the greatest fixpoint of the operator describing the set of controllable predecessors of a path. In order to provide a termination argument for this computation, we resort to a new notion of branching constraint graphs, extending the approach used in [16,26] and based on constraint graphs (introduced in [8]) to check iterability of a cycle, without robustness requirements. Second, we show that when considering a lasso, not only can we decide robust iterability, but we can even compute the largest perturbation under which it is controllable. This problem was not known to be decidable before. Finally, we provide a termination criterion for the analysis of lassos. Focusing on zones is not complete: it can be the case that two cycles lead to the same zones, but one is robustly iterable while the other one is not. Robust iterability crucially depends on the real-time dynamics of the cycle and we prove that it actually only depends on the reachability relation of the path. We provide a polynomial-time algorithm for checking inclusion between reachability relations of paths in timed automata based on constraint graphs. It is worth noticing that all our procedures can be implemented using difference bound matrices, a very efficient data structure used for timed systems. These developments have been integrated into a tool, and we present a case study of a train regulation network illustrating its performance.
Integrating the robustness question in the verification of real-time systems has attracted attention in the community, and the recent works include, for instance, robust model checking for timed automata under clock drifts [23], Lipschitz robustness notions for timed systems [11], quantitative robust synthesis for timed automata [2]. Stability analysis and synthesis of stabilizing controllers in hybrid systems are a closely related topic, see e.g. [21,20].

Timed automata: reachability and robustness
Let X = {x_1, ..., x_n} be a finite set of clock variables. It is extended with a virtual clock x_0, constantly equal to 0, and we denote by X_0 the set X ∪ {x_0}. An atomic clock constraint on X is a formula x − y ≤ k or x − y < k with x ≠ y ∈ X_0 and k ∈ Q. A constraint is non-diagonal if one of the two clocks is x_0. We denote by Guards(X) (respectively, Guards_nd(X)) the set of (clock) constraints (respectively, non-diagonal clock constraints) built as conjunctions of atomic clock constraints (respectively, non-diagonal atomic clock constraints).
A clock valuation ν is an element of R_{≥0}^X. It is extended to R_{≥0}^{X_0} by letting ν(x_0) = 0. For all d ∈ R_{>0}, we let ν + d be the valuation defined by (ν + d)(x) = ν(x) + d for all clocks x ∈ X. If Y ⊆ X, we also let ν[Y ← 0] be the valuation resetting the clocks in Y to 0, without modifying the values of the other clocks. A valuation ν satisfies an atomic clock constraint x − y ≺ k (with ≺ ∈ {≤, <}) if ν(x) − ν(y) ≺ k. The satisfaction relation is then extended to clock constraints naturally: the satisfaction of a constraint g by a valuation ν is denoted by ν |= g. The set of valuations satisfying a constraint g is denoted by ⟦g⟧.
A timed automaton is a tuple A = (L, ℓ_0, E, L_t) with L a finite set of locations, ℓ_0 ∈ L an initial location, E ⊆ L × Guards_nd(X) × 2^X × L a finite set of edges, and L_t a set of accepting locations.
An example of timed automaton is depicted in Figure 1, where the reset of a clock x is denoted by x := 0. The semantics of the timed automaton A is defined as an infinite transition system ⟦A⟧ = (S, s_0, →). The set S of states of ⟦A⟧ is We call path a finite sequence of edges of the timed automaton. The reachability relation of a path ρ, denoted by Reach(ρ), is the set of pairs (ν, ν') such that there is a sequence of transitions of ⟦A⟧ starting from (ℓ, ν), ending in (ℓ', ν') and following the edges of ρ in order. A run of A is an infinite sequence of transitions of ⟦A⟧ starting from s_0. We are interested in Büchi objectives. Therefore, a run is accepting if there exists a final location ℓ_t ∈ L_t that the run visits infinitely often.
As done classically, we assume that every clock is bounded in A by a constant M, that is, we only consider the previous infinite transition system over the subset L × [0, M]^X of states.
We study the robustness problem introduced in [25], that is stated in terms of games where a controller fights against an environment. After a prefix of a run, the controller has the capability to choose delays and transitions to fire, whereas the environment perturbs the delays chosen by the controller with a small parameter δ > 0. The aim of the controller is to find a strategy so that, no matter how the environment plays, he is ensured to generate an infinite run satisfying the Büchi condition. Formally, given a timed automaton A = (L, ℓ_0, E, L_t) and δ > 0, the perturbation game is a two-player turn-based game G_δ(A) between a controller and an environment. Its state space is partitioned into S_C and S_E, where S_C = L × R_{≥0}^X belongs to the controller, and S_E = L × R_{≥0}^X × R_{>0} × E to the environment. The initial state is (ℓ_0, 0) ∈ S_C. From each state (ℓ, ν) ∈ S_C, there is a transition to (ℓ, ν, d, e) ∈ S_E with e = (ℓ, g, Y, ℓ') ∈ E whenever d > δ, and ν + d + ε |= g for all ε ∈ [−δ, δ]. Then, from each state (ℓ, ν, d, (ℓ, g, Y, ℓ')) ∈ S_E, there is a transition to (ℓ', where q_0 = (ℓ_0, 0) and t_i is a transition from state q_{i−1} to q_i, for all i > 0. It is said to be maximal if it is infinite or cannot be extended with any transition.
A strategy for the controller is a function σ_Con mapping each non-maximal play ending in some (ℓ, ν) ∈ S_C to a pair (d, e) where d > 0 and e ∈ E such that there is a transition from (ℓ, ν) to (ℓ, ν, d, e). A strategy for the environment is a function σ_Env mapping each finite play ending in (ℓ, ν, d, e) to a state (ℓ', ν') related by a transition. A play gives rise to a unique run of A by only keeping the states in S_C. For a pair of strategies (σ_Con, σ_Env), we let play^δ_A(σ_Con, σ_Env) denote the run associated with the unique maximal play of G_δ(A) that follows the strategies. The controller's strategy σ_Con is winning (with respect to the Büchi objective L_t) if for all strategies σ_Env of the environment, play^δ_A(σ_Con, σ_Env) is infinite and visits infinitely often some location of L_t. The parametrised robust controller synthesis problem asks, given a timed automaton A, whether there exists δ > 0 such that the controller has a winning strategy in G_δ(A).
Example 1. The controller has a winning strategy in G_δ(A), with A the automaton of Figure 1, for all possible values of δ < 1/2. Indeed, he can follow the cycle ℓ_0 → ℓ_3 → ℓ_0 by always picking time delay 1/2 so that, when arriving in ℓ_3 (resp. ℓ_0) after the perturbation of the environment, clock x_2 (resp. x_1) has a valuation in [1/2 − δ, 1/2 + δ]. Therefore, he can play forever following this memoryless strategy. For δ ≥ 1/2, the environment can enforce reaching ℓ_3 with a value for x_2 at least equal to 1. The guard x_2 < 2 of the next transition to ℓ_0 cannot be guaranteed, and therefore the controller cannot win G_δ(A). In [25], it is shown that the cycle around ℓ_2 does not provide a winning strategy for the controller for any value of δ > 0, since perturbations accumulate so that the controller can only play it a finite number of times in the worst case.
By [25], the parametrised robust controller synthesis problem is known to be PSPACE-complete. Their solution is based on the region automaton of A. We are seeking a more practical solution using zones. A zone Z over X is a convex subset of R_{≥0}^X defined as the set of valuations satisfying a clock constraint g, i.e. Z = ⟦g⟧. Zones can be encoded into difference-bound matrices (DBM), that are We adopt the following notation: for a DBM M, we write M = (M, ≺_M), where M is the matrix made of the first components, with elements in R ∪ {∞}, while ≺_M is the matrix of the second components, with elements in {<, ≤}. A DBM M naturally represents a zone (which we abusively write M as well), defined as the set of valuations ν such that, for all x, y ∈ X_0, ν(x) − ν(y) ≺_{M,x,y} M_{x,y} (where ν(x_0) = 0). Coefficients of a DBM are thus pairs (≺, c). As usual, these can be compared: (≺, c) is less than (≺', c') (denoted by (≺, c) < (≺', c')) whenever c < c' or (c = c', ≺ = < and ≺' = ≤). Moreover, these coefficients can be added: DBMs were introduced in [4,10] for analyzing timed automata; we refer to [3] for details. Standard operations used to explore the state space of timed automata have been defined on DBMs: intersection is written M ∩ N, Pretime_{>t}(M) is the set of valuations such that a time delay of more than t time units leads to the zone M, Unreset_R(M) is the set of valuations that end in M when the clocks in R are reset. From a robustness perspective, we also consider the operator shrink_{[−δ,δ]}(M), introduced in [24], defined as the set of valuations ν such that ν + [−δ, δ] ⊆ M. Given a DBM M and a rational number δ, all these operations can be effectively computed in time cubic in |X|.

Reachability relation of a path
Before treating the robustness issues, we start by designing a symbolic (i.e. zone-based) approach to describe and compare the reachability relations of paths in timed automata. This will be crucial subsequently to design a termination criterion in the state space exploration of our robustness-checking algorithm. Solving the inclusion of reachability relations in a symbolic manner has independent interest and can have other applications.
The reachability relation Reach(ρ) of a path ρ is a subset of R_{≥0}^{X ∪ X'}, where X' are primed versions of the clocks, such that (ν, ν') ∈ Reach(ρ) iff there is a run from valuation ν to valuation ν' following ρ. Unfortunately, reachability relations Reach(ρ) are not zones in general, that is, they cannot be represented using only difference constraints. In fact, we shall see shortly that constraints of the form x − y + z' − u' ≺ c also appear, as already observed in [22]. We thus cannot rely directly on the traditional difference bound matrices (DBMs) used to represent zones. We instead rely on the constraint graphs that were introduced in [8], and explored in [16] for the parametric case (the latter work considers enlarged constraints, and not shrunk ones as we study here). Our contribution is to use these graphs to obtain a syntactic check of inclusion of the corresponding reachability relations.
Constraint graphs. Rather than considering the values of the clocks in X, this data structure considers the date X_i of the latest reset of the clock x_i, and uses a new variable τ denoting the global timestamp. Note that the clock values can be recovered easily since X_i = τ − x_i. For the extra clock x_0, we introduce the variable X_0 equal to the global timestamp τ (since x_0 must remain equal to 0). A constraint graph defining a zone is a weighted graph whose nodes are X = {X_0, X_1, ..., X_n}. Constraints on clocks are represented by weights on edges in the graph: a constraint X − Y ≺ c is represented by an edge from X to Y weighted by (≺, c), with ≺ ∈ {≤, <} and c ∈ Q. Weights in the graph are thus pairs of the form (≺, c). Therefore, we can compute shortest weights between two vertices of a weighted graph. A cycle is said to be negative if it has weight at most (<, 0), i.e. (<, 0) or (≺, c) with c < 0.
Encoding paths. Constraint graphs can also encode tuples of valuations seen along a path. To encode a k-step computation, we make k + 1 copies of the nodes, that is, X^i = {X^i_0, X^i_1, ..., X^i_n} for i ∈ {1, ..., k + 1}. These copies are also called layers. Let us first consider an example on the path ρ consisting of the edge from ℓ_1 to ℓ_2, and the edge from ℓ_2 to ℓ_1, in the timed automaton of Figure 1. The constraint graph G_ρ is depicted in Figure 2: in our diagrams of constraint graphs, the absence of a label on an edge means (≤, 0), and an edge with arrows on both ends denotes the presence of an edge in both directions. The graph has five columns, each containing copies of the variables for that step: they represent the valuations before the first edge, after the first time elapse, after the first reset, after the second time elapse and after the second reset. In general now, each elementary operation can be described by a constraint graph with two layers (X_i) (before) and (X'_i) (after).
- The operation Pretime_{>t} is described by the constraint graph G^{>t}_time with edges X_i → X_0, X_i ↔ X'_i for i > 0, and X_0 →(<, −t) X'_0. Figure 2 contains two occurrences of G^{>0}_time: we always represent with dashed arrows the edges that are labelled by (<, c), and with plain arrows the edges that are labelled with (≤, c); the absence of an edge means that it is labelled with (<, ∞).
- The operation g ∩ Unreset_Y(•), to test a guard g and reset the clocks in Y, is described by the constraint graph G^{g,Y}_edge with edges X_0 ↔ X'_0 (meaning that the time does not elapse), X_i ↔ X'_i for i such that clock x_i ∉ Y, X'_i ↔ X'_0 for i such that clock x_i ∈ Y, and, for every clock constraint x_i − x_j ≺ c appearing in g, an edge from X_j to X_i labelled by (≺, c) (since it encodes the fact that (τ
Figure 2 (caption): On the left, the constraint graph of the path ℓ_1 On the right, its normalised version: dashed edges have weight (<, .), plain edges have weight (≤, .), black edges have weight (., 0), red edges have weight (., 2) and blue edges have weight (., −2).
Constraint graphs can be stacked one after the other to obtain the constraint graph of an edge e, and then of a path ρ, that we denote by G_ρ. In the resulting graph, there is one leftmost layer of vertices (X^l_i)_i and one rightmost one (X^r_i)_i, representing the situation before and after the firing of the path ρ. Once this graph is constructed, the intermediary levels can be eliminated after replacing each edge between the nodes of X^l ∪ X^r by the shortest path in the graph. This phase is hereafter called normalisation of the constraint graph. The normalised version of the constraint graph of Figure 2 is depicted on its right.
From constraint graphs to reachability relations. From a logical point of view, the elimination of intermediary layers reflects an elimination of quantifiers in a formula of the first-order theory of real numbers. At the end, we obtain a set of constraints of the form X^k_i − X^{k'}_j ≺ c with k, k' ∈ {l, r}. These constraints do not reflect uniquely the reachability relation Reach(ρ), in the sense that it is possible that Reach(ρ_1) = Reach(ρ_2) but the normalised versions of G_{ρ_1} and G_{ρ_2} are different. For example, if we consider the path ρ² obtained by repeating the cycle ρ between ℓ_1 and ℓ_2, the reachability relation does not change (Reach(ρ²) = Reach(ρ)), but the normalised constraint graph does (G_{ρ²} ≠ G_{ρ¹}): all labels (≤, 2) of the red dotted edges from the rightmost layer to the leftmost layer become (≤, 4), and the labels (≤, −2) of the dashed blue edges become (≤, −4).
We solve this issue by jumping back from the variables X^k_i to the clock valuations. Indeed, in terms of the clock valuations ν^l and ν^r before and after the path, the constraint , where τ^l is the global timestamp before firing ρ and τ^r the one after. When k = k', the variables τ^l and τ^r disappear, leaving a constraint of the form We therefore obtain upper and lower bounds on the value of τ^r − τ^l, allowing us to eliminate τ^r − τ^l considered as a single variable. We therefore obtain in fine a formula mixing constraints of the form Thus, γ_{a,b,c,d} is obtained as the minimum of the two constraints obtained in this manner. In other terms, in the constraint graph, this constraint is the minimal weight between the sum of the weights of the edges (X^r_d, X^l_a) and (X^l_b, X^r_c), and the sum of the weights of the edges (X^l_b, X^l_a) and (X^r_d, X^r_c). For example, in the path in Figure 2, we have γ_{0,1,0,2} = (≤, 0) since the two constraints are (≤, 0) and (<, ∞), whereas γ_{1,2,2,1} = (≤, 0) because the two constraints are (<, 2) and (≤, 0).
Let ϕ(G) be the conjunction of such constraints obtained from a constraint graph G once normalised: this is a quantifier-free formula of the additive theory of reals. We obtain the following property, whose proof mimics the one for proving the normalisation of DBMs (and can be derived from the developments of [8]).
Lemma 1. Let ρ be a path in a timed automaton. If G_ρ contains a negative cycle, then Reach(ρ) = ∅. Otherwise, Reach(ρ) is the set of pairs of valuations (ν^l, ν^r) that satisfy the formula ϕ(G_ρ).
Checking inclusion. For a path ρ, we regroup the pairs (γ^l_{a,b}), (γ^r_{a,b}) and (γ_{a,b,c,d}) above in a single vector Γ_ρ. We extend the comparison relation < to these vectors by applying it componentwise. These vectors can be used to check equality or inclusion of reachability relations in time O(|X|^4):
Theorem 1. Let ρ and ρ' be paths in a timed automaton such that Reach(ρ) and Reach(ρ') are non-empty. Then Reach(ρ) ⊆ Reach(ρ') if and only if Γ_ρ ≤ Γ_ρ'.
Notice that we do not need to check equivalence or implication of the formulas ϕ(G_ρ) and ϕ(G_ρ'), but simply compare syntactically the constants appearing in these formulas. Moreover, these constants can be stored in usual DBMs on 2 × |X_0| clocks, allowing for the reuse of classical DBM libraries. For the constraint graph in Figure 2, we have seen that
Computation of Pre and Post. By Lemma 1 and the construction of constraint graphs, one can easily compute Pre_ρ(Z) = {ν | ∃ν' ∈ Z, ((ℓ, ν), (ℓ', ν')) ∈ Reach(ρ)} for a given path ρ and zone Z (see [8,16]). In fact, consider the normalised constraint graph G_ρ on nodes X^l ∪ X^r. To compute Pre_ρ(Z), one just needs to add the constraints of Z on X^r. This is done by replacing each edge X^r_i →(w) X^r_j by X^r_i →(min(Z_{j,i}, w)) X^r_j, where Z_{j,i} = (≺, p) defines the constraint of Z on x_j − x_i. Then, the normalisation of the graph describes the reachability relation along the path ρ ending in the zone Z. Furthermore, projecting the constraints to X^l yields Pre_ρ(Z): this can be obtained by gathering all constraints on pairs of nodes of X^l. A reachability relation can thus be seen as a function assigning to each zone Z its image by ρ. One can symmetrically compute the successor Post_ρ(Z) = {ν' | ∃ν ∈ Z, ((ℓ, ν), (ℓ', ν')) ∈ Reach(ρ)} by constraining the nodes X^l and projecting to X^r.
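Added example (not code from the paper): a constraint-graph implementation of this section over constructed one-clock paths, covering the layered encoding of time elapse and guard/reset, the normalisation by shortest paths, the vector Γ_ρ read off the normalised graph, and the syntactic inclusion test of Theorem 1. It also reproduces the effect noted above: a raw cross-layer constant differs between a cycle and its repetition while Γ does not. All paths, guards and names (`ConstraintGraph`, `gamma`, `reach_subset`, `cross_weight`) are assumptions of this example, not the paper's.

```python
from itertools import product

INF = (None, True)   # weight (c, strict); c = None stands for +infinity

def w_le(a, b):
    """Order of the paper: smaller constant, or equal constant with strict (<) before (<=)."""
    if b[0] is None or a[0] is None:
        return b[0] is None
    return a[0] < b[0] or (a[0] == b[0] and (a[1] or not b[1]))

def w_add(a, b):
    return INF if a[0] is None or b[0] is None else (a[0] + b[0], a[1] or b[1])

class ConstraintGraph:
    """Layered constraint graph of a path. Node (k, i) is X^k_i: in layer k, the date of the
    last reset of x_i (i >= 1) or the global timestamp (i = 0). An edge u -> v of weight
    (c, strict) encodes u - v (<|<=) c; an absent edge has weight (<, infinity)."""
    def __init__(self, n):
        self.n, self.layers, self.w = n, 1, {}
        for i in range(1, n + 1):      # layer 0: a reset date never exceeds now (x_i >= 0)
            self.add((0, i), (0, 0), (0, False))

    def add(self, u, v, weight):
        old = self.w.get((u, v), INF)
        self.w[(u, v)] = weight if w_le(weight, old) else old

    def both(self, u, v):              # u = v: an edge with arrows on both ends in the paper
        self.add(u, v, (0, False))
        self.add(v, u, (0, False))

    def time_elapse(self, t=0):
        """G^{>t}_time: reset dates are copied, the timestamp grows by more than t."""
        p, q, self.layers = self.layers - 1, self.layers, self.layers + 1
        for i in range(1, self.n + 1):
            self.both((p, i), (q, i))
        self.add((p, 0), (q, 0), (-t, True))   # X_0 - X'_0 < -t

    def edge(self, guard, resets):
        """G^{g,Y}_edge: guard is a list of (i, j, c, strict) for x_i - x_j (<|<=) c, which in
        reset dates reads X_j - X_i (<|<=) c, hence an edge X_j -> X_i; reset clocks get X'_i = X'_0."""
        p, q, self.layers = self.layers - 1, self.layers, self.layers + 1
        for i, j, c, strict in guard:
            self.add((p, j), (p, i), (c, strict))
        self.both((p, 0), (q, 0))              # no time elapses on an edge
        for i in range(1, self.n + 1):
            self.both((q, i), (q, 0) if i in resets else (p, i))

    def normalise(self):
        """Shortest weights between all nodes (Floyd-Warshall); None if a cycle is negative."""
        nodes = [(k, i) for k in range(self.layers) for i in range(self.n + 1)]
        d = {(u, v): self.w.get((u, v), (0, False) if u == v else INF) for u in nodes for v in nodes}
        for k, u, v in product(nodes, repeat=3):
            cand = w_add(d[(u, k)], d[(k, v)])
            if w_le(cand, d[(u, v)]):
                d[(u, v)] = cand
        return None if any(not w_le((0, False), d[(u, u)]) for u in nodes) else d

def path_graph(n, edges):
    """G_rho for a path given as [(guard, resets), ...]; each edge is preceded by a delay > 0."""
    g = ConstraintGraph(n)
    for guard, resets in edges:
        g.time_elapse(0)
        g.edge(guard, resets)
    return g

def gamma(graph):
    """Vector Gamma_rho of Theorem 1: bounds on nu^l_a - nu^l_b, on nu^r_a - nu^r_b and on
    nu^l_a - nu^l_b + nu^r_c - nu^r_d, the last one being the minimum of the two edge sums
    described in the text. Returns None when Reach(rho) is empty."""
    d = graph.normalise()
    if d is None:
        return None
    L, R, X = 0, graph.layers - 1, range(graph.n + 1)
    g = {}
    for a, b in product(X, repeat=2):
        g[("l", a, b)] = d[((L, b), (L, a))]      # nu^l_a - nu^l_b = X^l_b - X^l_a
        g[("r", a, b)] = d[((R, b), (R, a))]
    for a, b, c, e in product(X, repeat=4):
        via_cross = w_add(d[((R, e), (L, a))], d[((L, b), (R, c))])
        via_own = w_add(d[((L, b), (L, a))], d[((R, e), (R, c))])
        g[(a, b, c, e)] = via_cross if w_le(via_cross, via_own) else via_own
    return g

def reach_subset(g1, g2):
    """Theorem 1: Reach(rho1) is included in Reach(rho2) iff Gamma_rho1 <= Gamma_rho2 componentwise."""
    return all(w_le(g1[k], g2[k]) for k in g1)

def cross_weight(graph, i, j):
    """Normalised weight of X^l_i -> X^r_j: a raw constant that Gamma deliberately forgets."""
    return graph.normalise()[((0, i), (graph.layers - 1, j))]

# Constructed one-clock paths (not those of Figures 1 and 2): a cycle "x1 >= 1, reset x1",
# and two single edges "x1 < 1" and "x1 < 2" without reset.
RESET_CYCLE = ([(0, 1, -1, False)], {1})   # x0 - x1 <= -1, i.e. x1 >= 1
TIGHT = ([(1, 0, 1, True)], set())
LOOSE = ([(1, 0, 2, True)], set())
```

For the reset cycle, `cross_weight(path_graph(1, [RESET_CYCLE]), 1, 0)` is (−1, ≤) while the doubled cycle gives (−2, ≤), yet `gamma` of both graphs is identical, which is exactly why Theorem 1 compares Γ rather than the normalised graphs.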

Robust iterability of a lasso
In this section, we study the perturbation game G_δ(A) between the two players (controller and environment), as defined in Section 2, when the timed automaton A is restricted to a fixed lasso ρ_1ρ_2, i.e. ρ_1 is a path from ℓ_0 to some accepting location ℓ_t, and ρ_2 a cyclic path around ℓ_t. This implies that the controller does not have the choice of the transitions, but only of the delays. We will consider different settings, in which δ is fixed or not.
Controllable predecessors and their greatest fixpoints. Consider an edge e = (ℓ, g, R, ℓ'). For any set Z ⊆ R_{≥0}^X, we define the controllable predecessors of Z as follows: is the set of valuations from which the controller can ensure reaching Z in one step, following the edge e, no matter the perturbations of amplitude at most δ of the environment. In fact, it can delay in shrink_{[−δ,δ]}(g ∩ Unreset_R(Z)) with a delay of at least δ, where under any perturbation in [−δ, δ], the valuation satisfies the guard, and it ends, after reset, in Z. Results of [24] show that this operator can be computed in cubic time with respect to the number of clocks. We extend this operator to a path ρ by composition, and denote it by CPre^δ_ρ. Note that CPre^0_ρ = Pre_ρ is the usual predecessor operator without perturbation. This operator is monotone, hence its greatest fixpoint νX.CPre^δ_ρ(X) is well-defined, equal to ⋂_{i≥0} (CPre^δ_ρ)^i(R_{≥0}^X): it corresponds to the valuations from which the controller can guarantee to loop forever along the path ρ. By definition of the game G_δ(A) where A is restricted to the lasso ρ_1ρ_2, the controller wins the game if and only if 0 ∈ CPre^δ_{ρ_1}(νX.CPre^δ_{ρ_2}(X)). As a consequence, our problem reduces to the computation of this greatest fixpoint.
Branching constraint graphs. We consider first a fixed (rational) value of the parameter δ, and are interested in the computation of the greatest fixpoint νX.CPre^δ_{ρ_2}(X). In [16], constraint graphs were used to provide a termination criterion allowing to compute the greatest fixpoint of the classical predecessor operator CPre^0_ρ. We generalize this approach to deal with the operator CPre^δ_ρ and, to this end, we need to generalize constraint graphs so as to encode it. Unfortunately, the operator shrink_{[−δ,δ]} cannot be encoded in a constraint graph. Intuitively, this comes from the fact that a constraint graph represents a relation between valuations, while there is no such relation associated with the CPre^δ_ρ operator. Instead, we introduce branching constraint graphs, that will faithfully represent the CPre^δ_ρ operator: unlike the constraint graphs introduced so far, which have a left layer and a right layer of variables, a branching constraint graph still has a single left layer but several right layers. We first define a branching constraint graph G^δ_shrink associated with the operator shrink_{[−δ,δ]} as follows. Its set of vertices is composed of three copies of {X_0, X_1, ..., X_n}, denoted by the unprimed, primed and doubly primed versions. Edges are defined so as to encode the following constraints: X'_i = X_i and X''_i = X_i for every i ≠ 0, and X'_0 = X_0 + δ and X''_0 = X_0 − δ. An instance of this graph can be found in several occurrences in Figure 3.
Proposition 1. Let Z be a zone and G^δ_shrink(Z) be the graph obtained from G^δ_shrink by adding on the primed and doubly primed vertices the constraints defining Z (as for Pre_ρ(Z) at the end of Section 3). Then the constraint on the unprimed vertices obtained from the shortest paths in
Proof. Given a zone Z and a real number d, we define The result follows from the observation that taking two distinct copies of the vertices, and considering shortest paths, allows one to encode the intersection.
Then, for all edges e = (ℓ, g, R, ℓ'), we define the branching constraint graph G^δ_e as the graph obtained by stacking (in this order) the branching constraint graphs G^{>δ}_time, G^δ_shrink and G^{g,Y}_edge. Note that two copies of the graph G^{g,Y}_edge are needed, to be connected to the two sets of vertices that are on the right of the graph G^δ_shrink. This definition is extended in the expected way to a finite path ρ, yielding the graph G^δ_ρ. In this graph, there is a single set of vertices on the left, and 2^{|ρ|} sets of vertices on the right. As a direct consequence of the previous results on the constraint graphs for time elapse, shrinking and guard/reset, one obtains:
Proposition 2. Let Z be a zone and ρ be a path. We let G^δ_ρ(Z) be the graph obtained from G^δ_ρ by adding on every set of right vertices the constraints defining Z. Then the constraint on the left layer of vertices obtained from the shortest paths in G^δ_ρ(Z) is equivalent to CPre^δ_ρ(Z).
An example of the graph G^δ_ρ(Z) for ρ = e_1e_2, the edges considered in Figure 2, is depicted in Figure 3 (on the left).
Figure 3 (caption): On the left, the branching constraint graph G^δ_{e_1e_2} encoding the operator CPre^δ_{e_1e_2}, where e_1 and e_2 refer to the edges considered in Figure 2. Dashed edges have weight (<, .), plain edges have weight (≤, .). Black edges (resp. orange edges, pink edges, red edges, blue edges) are labelled by (., 0) (resp. (., −δ), (., δ), (., 2), (., −2)). On the right, a decomposition of a path in a branching constraint graph G^δ_ρ.
We are now ready to prove the following result, a generalisation of [16, Lemma 2], that will allow us to compute the greatest fixpoint of the operator CPre^δ_ρ:
Proposition 3. Let ρ be a path and δ be a non-negative rational number. We let
Proof. Assume (CPre^δ_ρ)^{2N+1}(R_{≥0}^X) ≠ (CPre^δ_ρ)^{2N}(R_{≥0}^X) and consider the zones (CPre^δ_ρ)^{N+1}(R_{≥0}^X) (represented by the DBM M_1) and (CPre^δ_ρ)^N(R_{≥0}^X) (represented by the DBM M_2). We have M_1 ⊊ M_2, as otherwise the fixpoint would already have been reached after N steps. By Proposition 2, the zone corresponding to M_1 is associated with shortest paths between vertices on the left in the graph G^δ_{ρ^{N+1}}. In the sequel, given a path r in this graph, w(r) denotes its weight. We distinguish two cases:
Case 1: M_1 ⊊ M_2 because of the rational coefficients. Then, there exists an entry (x, y) ∈ X_0^2 such that M_1[x, y] < M_2[x, y]. The value M_1[x, y] is thus associated with a shortest path between the vertices X and Y in G^δ_{ρ^{N+1}}. We fix a shortest path of minimal length, and denote it by r. As the entry is strictly smaller than in M_2, this shortest path must reach the last copy of the graph G^δ_ρ. This path can be interpreted as a traversal of the binary tree of depth |X_0|^2 + 1, reaching at least one leaf. We can prove that this entails that there exists a pair of clocks (u, v) ∈ X_0^2 appearing at two levels i < j of this tree, and a decomposition r = r_1r_2r_3r_4r_5 of the path, such that w(r_2) + w(r_4) = (≺, d) with d < 0 (Property (†)). In addition, in this decomposition, r_3 is included in the subgraphs of levels k ≥ j, and the pair of paths (r_2, r_4) is called a return path, following the terminology of [16]. This decomposition is depicted in Figure 3 (on the right). Intuitively, property (†) follows from the fact that, as r_3 is included in the subgraphs of levels k ≥ j, and because the final zone (on the right) is the zone which adds no edges, the concatenation r' = r_1r_3r_5 is also a valid path from X to Y in G^δ_{ρ^{N+1}}, and is shorter than r. We conclude using the fact that r has been chosen as a shortest path of minimal length.
Property (†) allows us to prove that the greatest fixpoint is empty. Indeed, by considering iterations of ρ, one can repeat the return path associated with (r_2, r_4) and obtain paths from X to Y whose weights diverge towards −∞.
Case 2: M_1 ⊊ M_2 because of the ordering coefficients. We claim that this case cannot occur. Indeed, one can show that the constants will not evolve anymore after the N-th iteration of the fixpoint: the coefficients can only decrease by changing from a non-strict inequality (≤, c) to a strict one (<, c). This propagation of strict inequalities is performed in at most |X_0|^2 additional steps, thus we have (CPre^δ_ρ)^{2N+1}(R_{≥0}^X) = (CPre^δ_ρ)^{2N}(R_{≥0}^X), yielding a contradiction. Compared to the result of [16], the number of iterations needed before convergence grows from |X_0|^2 to 2|X_0|^2: this is due to the presence of strict and non-strict inequalities, not considered in [16]. With the help of branching constraint graphs, we have thus shown that the greatest fixpoint can be computed in finite time: this can then be done directly with computations on zones (and not on branching constraint graphs).
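Added example (not the paper's code): a rational DBM library with the zone operators of Section 2 (intersection, Unreset, Pretime_{>t}, shrink), the operator CPre^δ_e = Pretime_{>δ}(shrink_{[−δ,δ]}(g ∩ Unreset_R(·))) of this section, and the greatest fixpoint computed with the termination criterion of Proposition 3: no stabilisation within 2|X_0|^2 + 1 iterations means the fixpoint is empty. The two cycles are constructed toys in the spirit of Example 1 (one robustly iterable, one where perturbations accumulate); they are not the automaton of Figure 1, and all names are assumptions of this example.

```python
from fractions import Fraction as F
from itertools import product
from collections import namedtuple

INF = (None, True)   # bound (c, strict); c = None stands for +infinity

def b_le(a, b):
    """Order of the paper: smaller constant, or equal constant with strict (<) before (<=)."""
    if b[0] is None or a[0] is None:
        return b[0] is None
    return a[0] < b[0] or (a[0] == b[0] and (a[1] or not b[1]))

def b_add(a, b):
    return INF if a[0] is None or b[0] is None else (a[0] + b[0], a[1] or b[1])

def b_min(a, b):
    return a if b_le(a, b) else b

class DBM:
    """m[i][j] bounds x_i - x_j (index 0 is x_0 = 0); operations return canonical DBMs."""
    def __init__(self, n, m=None, empty=False):
        self.n, self.empty = n, empty
        self.m = m or [[(F(0), False) if i in (0, j) else INF for j in range(n + 1)]
                       for i in range(n + 1)]   # default: the top zone, x_i >= 0 only

    def __eq__(self, o):
        return self.empty == o.empty and (self.empty or self.m == o.m)

    def canonical(self):
        """Floyd-Warshall closure; a negative diagonal entry means the zone is empty."""
        r, m = range(self.n + 1), [row[:] for row in self.m]
        for k, i, j in product(r, r, r):
            m[i][j] = b_min(m[i][j], b_add(m[i][k], m[k][j]))
        neg = any(not b_le((F(0), False), m[i][i]) for i in r)
        return DBM(self.n, m, self.empty or neg)

    def intersect(self, o):
        m = [[b_min(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(self.m, o.m)]
        return DBM(self.n, m, self.empty or o.empty).canonical()

    def unreset(self, R):
        """Unreset_R: valuations landing in self once R is reset (bounds on x_r move to x_0)."""
        d, f = DBM(self.n, empty=self.empty), (lambda i: 0 if i in R else i)
        for i, j in product(range(self.n + 1), repeat=2):
            d.m[f(i)][f(j)] = b_min(d.m[f(i)][f(j)], self.m[i][j])
        return d.canonical()

    def pretime_gt(self, t):
        """Pretime_{>t}: some delay d > t enters self; upper bounds drop by t and turn strict,
        lower bounds vanish since one can always wait longer."""
        d = DBM(self.n, [row[:] for row in self.m], self.empty)
        for i in range(1, self.n + 1):
            c = d.m[i][0][0]
            d.m[i][0], d.m[0][i] = (INF if c is None else (c - t, True)), (F(0), False)
        return d.canonical()

    def shrink(self, delta):
        """shrink_[-delta,delta]: v with v + [-delta, delta] inside self. A delay shifts every
        clock by the same amount, so only bounds against x_0 tighten; x_i - x_j bounds stay."""
        d = DBM(self.n, [row[:] for row in self.m], self.empty)
        for i in range(1, self.n + 1):
            for a, b in ((i, 0), (0, i)):
                c, s = d.m[a][b]
                if c is not None:
                    d.m[a][b] = (c - delta, s)
        return d.canonical()

    def contains_origin(self):
        return not self.empty and all(b_le((F(0), False), b) for row in self.m for b in row)

Edge = namedtuple("Edge", "guard resets")   # guard: DBM, resets: set of clock indices

def guard(n, *cons):
    """Guard zone from constraints (i, j, c, strict) meaning x_i - x_j (<|<=) c."""
    g = DBM(n)
    for i, j, c, strict in cons:
        g.m[i][j] = b_min(g.m[i][j], (F(c), strict))
    return g.canonical()

def cpre_edge(e, Z, delta):
    """CPre^delta_e(Z) = Pretime_{>delta}(shrink_[-delta,delta](g ∩ Unreset_R(Z)))."""
    return e.guard.intersect(Z.unreset(e.resets)).shrink(delta).pretime_gt(delta)

def cpre_path(path, Z, delta):
    for e in reversed(path):
        Z = cpre_edge(e, Z, delta)
    return Z

def greatest_fixpoint(cycle, n, delta):
    """nu X. CPre^delta_cycle(X) from the top zone; by Proposition 3, no stabilisation within
    2|X_0|^2 + 1 steps means the constants drift forever and the fixpoint is empty."""
    Z, delta = DBM(n), F(delta)
    for _ in range(2 * (n + 1) ** 2 + 1):
        nxt = cpre_path(cycle, Z, delta)
        if nxt == Z:
            return Z
        Z = nxt
    return DBM(n, empty=True)

def controller_wins(prefix, cycle, n, delta):
    """Lasso criterion of this section: 0 in CPre^delta_prefix(nu X. CPre^delta_cycle(X))."""
    return cpre_path(prefix, greatest_fixpoint(cycle, n, delta), F(delta)).contains_origin()

# Constructed two-clock cycles (not Figure 1). ROBUST: e1 checks x1 < 2 and resets x1, e2 checks
# x2 < 2 and resets x2; delays of 1/2 tolerate any delta < 1/2. ACCUMULATING: e1 checks x1 <= 2
# and resets x1, e2 checks x2 >= 2 and resets x2; exact delays 1, 1 loop forever, but each
# perturbed round pushes the required delays apart by 4*delta, so no delta > 0 works.
ROBUST = [Edge(guard(2, (1, 0, 2, True)), {1}), Edge(guard(2, (2, 0, 2, True)), {2})]
ACCUMULATING = [Edge(guard(2, (1, 0, 2, False)), {1}), Edge(guard(2, (0, 2, -2, False)), {2})]
```

`controller_wins([], ROBUST, 2, "1/4")` stabilises after two iterations on the zone x1 < 3/2, x2 < 1, while `controller_wins([], ACCUMULATING, 2, "1/100")` never stabilises (the diagonal bound on x1 − x2 loses 4δ per round) and is declared empty by the iteration bound, even though δ = 0 yields a non-empty fixpoint.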
Proposition 4. Given a path ρ and a rational number δ, the greatest fixpoint $\nu X.\,\mathrm{CPre}^{\delta}_{\rho}(X)$ can be computed in time polynomial in $|X|$ and $|\rho|$. As a consequence, one can decide whether the controller has a strategy along a lasso.

Solving the robust controller synthesis problem for a lasso. We have shown how to decide whether the controller has a winning strategy for a fixed rational value of δ. We now aim at deciding whether there exists a positive value of δ for which the controller wins the game $G_\delta(A)$ (where A is restricted to a lasso $\rho_1\rho_2$). To this end, we will use a parametrised extension of DBMs, namely shrunk DBMs, that were introduced in [24] in order to study the parametrised state space of timed automata. Intuitively, our goal is to express shrinkings of guards, e.g. sets of states satisfying constraints of the form $g = 1 + \delta < x < 2 - \delta \wedge 2\delta < y$, where δ is a parameter to be chosen. Formally, a shrunk DBM is a pair (M, P), where M is a DBM and P is a nonnegative integer matrix called a shrinking matrix. This pair represents the set of valuations defined by the DBM $M - \delta P$, for any given δ > 0. Considering the example g, M is the guard g obtained by setting δ = 0, and P is made of the integer multipliers of δ. We adopt the following notation: when we write a statement involving a shrunk DBM (M, P), we mean that for some $\delta_0 > 0$, the statement holds for $M - \delta P$ for all $\delta \in (0, \delta_0]$. For instance, $(M, P) = \mathrm{Pretime}_{>\delta}((N, Q))$ means that $M - \delta P = \mathrm{Pretime}_{>\delta}(N - \delta Q)$ for all small enough δ > 0. Shrunk DBMs are closed under standard operations on zones, and as a consequence, the CPre operator can be computed on shrunk DBMs:

Lemma 2 ([25]). Let $e = (\ell, g, R, \ell')$ be an edge and (M, P) be a shrunk DBM. Then there exists a shrunk DBM (N, Q), which we can compute in polynomial time, such that $(N, Q) = \mathrm{CPre}^{\delta}_{e}((M, P))$.

Proposition 5. Given a path ρ, one can compute a shrunk DBM (M, P) equal to the greatest fixpoint of the operator $\mathrm{CPre}^{\delta}_{\rho}$. As a consequence, one can solve the parametrised robust controller synthesis problem for a given lasso in time polynomial in the number of clocks and in the length of the lasso.
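As an added illustration (not code from the paper or its prototype), the following Python models a shrunk DBM as the pair (M, P) described above: it instantiates M − δP at a concrete δ, tightens the result with Floyd-Warshall and tests emptiness, and intersects two shrunk DBMs using the "for all small enough δ" reading. The guard g = 1 + δ < x < 2 − δ ∧ 2δ < y from the text is encoded over the clock order (0, x, y); the bound encoding, the tie-breaking rule in `tighter_shrunk` and all function names are assumptions of this example.

```python
from fractions import Fraction
# Added example, not the paper's code. A bound (c, strict) means x_i - x_j < c
# (strict) or <= c; c = None is +infinity. A shrunk DBM (M, P) stands for M - delta*P.
INF, ZERO = (None, True), (Fraction(0), False)

def add_bound(a, b):  # bound implied by the two-edge path i -> k -> j
    return INF if a[0] is None or b[0] is None else (a[0] + b[0], a[1] or b[1])

def tighter(a, b):  # plain DBM bounds: smaller constant, then strict beats non-strict
    return a[0] is not None and (b[0] is None or (a[0], not a[1]) < (b[0], not b[1]))

def tighter_shrunk(a, p, b, q):  # for all small delta: a larger coefficient wins ties
    return a[0] is not None and (b[0] is None or (a[0], -p, not a[1]) < (b[0], -q, not b[1]))

def instantiate(M, P, delta):
    """Concrete DBM M - delta*P: each finite constant drops by delta times its coefficient."""
    return [[INF if M[i][j][0] is None else (M[i][j][0] - delta * P[i][j], M[i][j][1])
             for j in range(len(M))] for i in range(len(M))]

def canonicalize(D):
    """Floyd-Warshall tightening; a negative cycle shows up on the diagonal."""
    D, n = [row[:] for row in D], len(D)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                via = add_bound(D[i][k], D[k][j])
                if tighter(via, D[i][j]):
                    D[i][j] = via
    return D

def is_empty(D):
    """Empty iff the closure forces x_i - x_i <= c with c < 0, or x_i - x_i < 0."""
    diag = (row[i] for i, row in enumerate(canonicalize(D)))
    return any(d[0] is not None and (d[0] < 0 or (d[0] == 0 and d[1])) for d in diag)

def intersect_shrunk(M, P, N, Q):
    """Entrywise intersection of two shrunk DBMs, valid for all small enough delta > 0."""
    n = len(M)
    R, S = [[None] * n for _ in range(n)], [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            keep_m = tighter_shrunk(M[i][j], P[i][j], N[i][j], Q[i][j])
            R[i][j], S[i][j] = (M[i][j], P[i][j]) if keep_m else (N[i][j], Q[i][j])
    return R, S

# The guard g = 1 + delta < x < 2 - delta and 2*delta < y, over clock order (0, x, y):
M_g = [[ZERO, (Fraction(-1), True), (Fraction(0), True)],   # 0 - x < -1 - delta, 0 - y < -2*delta
       [(Fraction(2), True), ZERO, INF],                     # x - 0 < 2 - delta
       [INF, INF, ZERO]]
P_g = [[0, 1, 2], [1, 0, 0], [0, 0, 0]]                      # integer multipliers of delta
def guard_empty_at(delta):  # is the shrunk guard empty for this concrete delta?
    return is_empty(instantiate(M_g, P_g, Fraction(delta)))
```

For δ = 1/2 the interval for x collapses and `guard_empty_at` reports an empty zone, while for δ = 1/3 or 1/4 it is nonempty, which is exactly the "for all small enough δ" reading of the shrunk DBM (M, P).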
Proof. The bound $2|X_0|^2$ identified previously does not depend on the value of δ. Hence the algorithm for computing a shrunk DBM representing the greatest fixpoint proceeds as follows. It computes symbolically, using shrunk DBMs, the

suffices to state the Büchi condition only for one train, since its satisfaction of the condition necessarily implies that of all other trains. Let us present two representative instances and then comment on the performance of the algorithm on a set of instances. Consider a network with two trains and m stations, with $[\ell_i, u_i] = [200, 400]$ for each station i, where the objective of both trains is the interval $[250 \cdot m, 350 \cdot m]$, that is, an average travel time between stations that lies in [250, 350]. The algorithm finds an accepting lasso: intuitively, by choosing δ small enough so that mδ < 50, perturbations do not accumulate too much and the controller can always choose delays for both trains that satisfy the constraints. This case corresponds to scenario A in Figure 4.

Consider now the same network but with two different objectives: $[0, 300 \cdot m]$ and $[300 \cdot m, \infty)$. Thus, one train needs to complete each cycle in at most 300·m time units, while the other one needs at least 300·m time units. A classical Büchi emptiness check reveals the existence of an accepting lasso: it suffices to move each train in exactly 300 time units between each pair of stations. This controller can even recover from perturbations for a bounded number of cycles: for instance, if a train arrives late at a station, the next travel time can be chosen smaller than 300. However, such corrections cause the distance between the two trains to decrease, and if such perturbations happen regularly, the system will eventually enter a deadlock. Our algorithm detects that there is no robust controller for the Büchi objective. This corresponds to scenario B in Figure 4.
Figure 4 summarizes the outcome of our prototype implementation on other scenarios. The tool was run on a 3.2 GHz Intel i7 processor running Linux, with a 30-minute timeout and 2 GB of memory. The performance is sensitive to the number of clocks: on scenarios with 8 clocks the algorithm ran out of time.

Conclusion
Our case study illustrates the application of robust controller synthesis to problems of small or moderate size. Our prototype relies on DBM libraries, which we use with twice as many clocks in order to store the constraints of the normalised constraint graphs. In order to scale to larger models, we plan to study extrapolation operators and their integration in the computation of reachability relations, which seems to be a challenging task. Different strategies can also be adopted for the double forward analysis: switching between the two modes using heuristics, a parallel implementation, etc.
r}, $a \neq b$, and we define $\gamma^{k}_{a,b} = (\prec, p)$;
• $\nu(x_a) - \nu(x_b) + \nu_r(x_c) - \nu_r(x_d) \prec p$, with $a \neq b$ and $c \neq d$, and we define $\gamma_{a,b,c,d} = (\prec, p)$. This constraint can appear in two ways: either from $\nu_r(x_c) - \nu(x_b) + p_1 \prec_1 \tau_r - \tau_l \prec_2 \nu_l(x_a) - \nu_r(x_d) + p_2$ by eliminating $\tau_r - \tau_l$, or by adding the two constraints of the form ν

Figure 4: Summary of experiments with different sizes. In each scenario, we assign a different objective to a subset of trains. The answer is yes if a robust controller was found, no if none exists. TO stands for a timeout of 30 minutes.