Flexible Computational Pipelines for Robust Abstraction-Based Control Synthesis

Successfully synthesizing controllers for complex dynamical systems and specifications often requires leveraging domain knowledge as well as making difficult computational or mathematical tradeoffs. This paper presents a flexible and extensible framework for constructing robust control synthesis algorithms and applies this to the traditional abstraction-based control synthesis pipeline. It is grounded in the theory of relational interfaces and provides a principled methodology to seamlessly combine different techniques (such as dynamic precision grids, refining abstractions while synthesizing, or decomposed control predecessors) or create custom procedures to exploit an application's intrinsic structural properties. A Dubins vehicle is used as a motivating example to showcase memory and runtime improvements.


Introduction
A control synthesizer's high level goal is to automatically construct control software that enables a closed loop system to satisfy a desired specification. A vast and rich literature contains results that mathematically characterize solutions to different classes of problems and specifications, such as the Hamilton-Jacobi-Isaacs PDE for differential games [2], Lyapunov theory for stabilization [8], and fixed-points for temporal logic specifications [17] [11]. While many control synthesis problems have elegant mathematical solutions, there is often a gap between a solution's theoretical characterization and the algorithms used to compute it. What data structures are used to represent the dynamics and constraints? What operations should those data structures support? How should the control synthesis algorithm be structured? Implementing solutions to the questions above can require substantial time. This problem is especially critical for computationally challenging problems, where it is often necessary to let the user rapidly identify and exploit structure through analysis or experimentation.

Bottlenecks in Abstraction-based Control Synthesis
This paper's goal is to enable a framework to develop extensible tools for robust controller synthesis. It was inspired in part by computational bottlenecks Fig. 1: By expressing many different techniques within a common framework, users are able to rapidly develop methods to exploit system structure in controller synthesis. encountered in control synthesizers that construct finite abstractions of continuous systems, which we use as a target use case. A traditional abstraction-based control synthesis pipeline consists of three distinct stages: 1. Abstracting the continuous state system into a finite automaton whose underlying transitions faithfully mimic the original dynamics [21], [23]. 2. Synthesizing a discrete controller by leveraging data structures and symbolic reasoning algorithms to mitigate combinatorial state explosion. 3. Refining the discrete controller into a continuous one. Feasibility of this step is ensured through the abstraction step.
This pipeline appears in tools PESSOA [12] and SCOTS [19], which can exhibit acute computational bottlenecks for high dimensional and nonlinear system dynamics. A common method to mitigate these bottlenecks is to exploit a specific dynamical system's topological and algebraic properties. In MASCOT [7] and CoSyMA [14], multi-scale grids and hierarchical models capture notions of statespace locality. One could incrementally construct an abstraction of the system dynamics while performing the control synthesis step [15] [10] as implemented in tools ROCS [9] and ARCS [4]. The abstraction overhead can also be reduced by representing systems as a collection of components composed in parallel [13] [6]. These have been developed in isolation and were not previously interoperable.

Methodology
Figure 1 depicts this paper's methodology and organization. The existing control synthesis formalism does not readily lend itself to algorithmic modifications that reflect and exploit structural properties in the system and specification. We use the theory of relational interfaces [22] as a foundation and augment it to express control synthesis pipelines. Interfaces are used to represent both system models and constraints. A small collection of atomic operators manipulates interfaces and is powerful enough to reconstruct many existing control synthesis pipelines. One may also add new composite operators to encode desirable heuristics that exploit structural properties in the system and specifications. The last three sections encode the techniques for abstraction-based control synthesis from Section 1.1 within the relational interfaces framework. By deliberately deconstructing those techniques, then reconstructing them within a compositional frame-work it was possible to identify implicit or unnecessary assumptions then generalize or remove them. It also makes the aforementioned techniques interoperable amongst themselves as well as future techniques.
Interfaces come equipped with a refinement partial order that formalizes when one interface abstracts another. This paper focuses on preserving the refinement relation and sufficient conditions to refine discrete controllers back to concrete ones. Additional guarantees regarding completeness, termination, precision, or decomposability can be encoded, but impose additional requirements on the control synthesis algorithm and are beyond the scope of this paper.

Contributions
To our knowledge, the application of relational interfaces to robust abstractionbased control synthesis is new. The framework's building blocks consist of a collection of small, well understood operators that are nonetheless powerful enough to express many prior techniques. Encoding these techniques as relational interface operations forced us to simplify, formalize, or remove implicit assumptions in existing tools. The framework also exhibits numerous desirable features.
1. It enables compositional tools for control synthesis by leveraging a theoretical foundation with compositionality built into it. This paper showcases a principled methodology to seamlessly combine the methods in Section 1.1, as well as construct new techniques. 2. It enables a declarative approach to control synthesis by enforcing a strict separation between the high level algorithm from its low level implementation. We rely on the availability of an underlying data structure to encode and manipulate predicates. Low level predicate operations, while powerful, make it easy to inadvertently violate the refinement property. Conforming to the relational interface operations minimizes this danger.
This paper's first half is domain agnostic and applicable to general robust control synthesis problems. The second half applies those insights to the finite abstraction approach to control synthesis. A smaller Dubins vehicle example is used to showcase and evaluate different techniques and their computational gains, compared to the unoptimized problem. A 6D lunar lander example is included in the appendix which leverages all of the techniques in this paper collectively.

Notation
Let = be an assertion that two objects are mathematically equivalent; as a special case '≡' is used when those two objects are sets. In contrast, the operator '==' checks whether two objects are equivalent, returning true if they are and false otherwise. A special instance of '==' is logical equivalence '⇔'. Variables are denoted by lower case letters. Each variable v is associated with a domain of values D(v) that is analogous to the variable's type. A composite variable is a set of variables and is analogous to a bundle of wrapped wires. From a collection of variables v 1 , . . . , v M a composite variable v can be constructed by taking the union Note that the variables v 1 , . . . , v M above may themselves be composite. As an example if v is associated with a M -dimensional Euclidean space R M , then it is a composite variable that can be broken apart into a collection of atomic variables v 1 , . . . , v M where D(v i ) ≡ R for all i ∈ {1, . . . , M }. The technical results herein do not distinguish between composite and atomic variables.
Predicates are functions that map variable assignments to a Boolean value. Predicates that stand in for expressions/formulas are denoted with capital letters. Predicates P and Q are logically equivalent (denoted by P ⇔ Q) if and only if P ⇒ Q and Q ⇒ P are true for all variable assignments. The universal and existential quantifiers ∀ and ∃ eliminate variables and yield new predicates. Predicates ∃wP and ∀wP do not depend on w. If w is a composite variable w ≡ w 1 ∪ . . . ∪ w N then ∃wP is simply a shorthand for ∃w 1 . . . ∃w N P .

Control Synthesis for a Motivating Example
As a simple, instructive example consider a planar Dubins vehicle that is tasked with reaching a desired location. Let x = {p x , p y , θ} be the collection of state variables, u = {v, ω} be a collection input variables to be controlled, x + = {p + x , p + y , θ + } represent state variables at a subsequent time step, and L = 1.4 be a constant representing the vehicle length. The constraints , encoding that the vehicle's position must reach a square with any orientation. Let Z be a predicate that depends on variable x + that encodes a collection of states at a future time step. Equation (1) characterizes the robust controlled predecessor, which takes Z and computes the set of states from which there exists a non-blocking assignment to u that guarantees x + will satisfy Z, despite any non-determinism contained in F . The term ∃x + F prevents state-control pairs from blocking, while ∀x + (F ⇒ Z) encodes the state-control pairs that guarantee satisfaction of Z.
cpre(F, Z) = ∃u(∃x + F ∧ ∀x + (F ⇒ Z)). (1) The controlled predecessor is used to solve safety and reach games. We can solve for a region for which the target T (respectively, safe set S) can be reached (made invariant) via an iteration of an appropriate reach (safe) operator. Both iterations are given by: Safety Iter: The above iterations are not guaranteed to reach a fixed point in a finite number of iterations, except under certain technical conditions [21].  It is written in python 3.6 and uses the dd package as an interface to CUDD [20], a library in C/C++ for constructing and manipulating binary decision diagrams (BDD). All experiments were run on a single core of a 2013 Macbook Pro with 2.4GHz Intel Core i7 and 8GB of RAM.
The following section uses relational interfaces to represent the controlled predecessor cpre(·) and iterations (2) and (3) as a computational pipeline. Subsequent sections show how modifying this pipeline leads to favorable theoretical properties and computational gains.

Relational Interfaces
Relational interfaces are predicates augmented with annotations about each variable's role as an input or output 1 . They abstract away a component's internal implementation and only encode an input-output relation.
Definition 1 (Relational Interface [22]). An interface M (i, o) consists of a predicate M over a set of input variables i and output variables o.
For an interface M (i, o), we call (i, o) its input-output signature. An interface is a sink if it contains no outputs and has signature like (i, ∅), and a source if it contains no inputs like (∅, o). Sinks and source interfaces can be interpreted as sets whereas input-output interfaces are relations. Interfaces encode relations through their predicates and can capture features such as non-deterministic outputs or blocking (i.e., disallowed, error) inputs. A system blocks for an input assignment if there does not exist a corresponding output assignment that satisfies the interface relation. Blocking is a critical property used to declare requirements; sink interfaces impose constraints by modeling constrain violations as blocking inputs. Outputs on the other hand exhibit non-determinism, which is treated as an adversary. When one interface's outputs are connected to another's inputs, the outputs seek to cause blocking whenever possible.

Atomic and Composite Operators
Operators are used to manipulate interfaces by taking interfaces and variables as inputs and yielding another interface. We will show how the controlled predecessor cpre(·) in (1) can be constructed by composing operators appearing in [22] and one additional one. The first, output hiding, removes interface outputs.
Definition 2 (Output Hiding [22]). Output hiding operator ohide(w, F ) over interface F (i, o) and outputs w yields an interface with signature (i, o \ w).
Existentially quantifying out w ensures that the input-output behavior over the unhidden variables is still consistent with potential assignments to w. The operator nb(·) is a special variant of ohide(·) that hides all outputs, yielding a sink encoding all non-blocking inputs to the original interface.

Definition 3 (Nonblocking Inputs Sink). Given an interface
The interface composition operator takes multiple interfaces and "collapses" them into a single input-output interface. It can be viewed as a generalization of function composition in the special case where each interface encodes a total function (i.e., deterministic output and inputs never block).
Definition 4 (Interface Composition [22]). Let F 1 (i 1 , o 1 ) and F 2 (i 2 , o 2 ) be interfaces with disjoint output variables o 1 ∩ o 2 ≡ ∅ and i 1 ∩ o 2 ≡ ∅ which signifies that F 2 's outputs may not be fed back into F 1 's inputs. Define new composite variables Composition comp(F 1 , F 2 ) is an interface with signature (i 12 , o 12 ) and predicate Interface subscripts may be swapped if instead F 2 's outputs are fed into F 1 .
Interfaces F 1 and F 2 are composed in parallel if io 21 ≡ ∅ holds in addition to io 12 ≡ ∅. Equation (8) under parallel composition reduces to F 1 ∧ F 2 (Lemma 6.4 in [22]) and comp(·) is commutative and associative. If io 12 ≡ ∅, then they are composed in series and the composition operator is only associative. Any acyclic interconnection can be composed into a single interface by systematically applying Definition 4's binary composition operator. Non-deterministic outputs are interpreted to be adversarial. Series composition of interfaces has a built-in notion of robustness to account for F 1 's non-deterministic outputs and blocking inputs to F 2 over the shared variables io 12 . The term ∀o 12 (F 1 ⇒ nb(F 2 )) in Equation (8) is a predicate over the composition's input set i 12 . It ensures that if a potential output of F 1 may cause F 2 to block, then comp(F 1 , F 2 ) must preemptively block.
The final atomic operator is input hiding, which may only be applied to sinks. If the sink is viewed as a constraint, an input variable is "hidden" by an angelic environment that chooses an input assignment to satisfy the constraint. This operator is analogous to projecting a set into a lower dimensional space.
Definition 5 (Hiding Sink Inputs). Input hiding operator ihide(w, F ) over sink interface F (i, ∅) and inputs w yields an interface with signature (i \ w, ∅).
Unlike the composition and output hiding operators, this operator is not included in the standard theory of relational interfaces [22] and was added to encode a controller predecessor introduced subsequently in Equation (10).

Constructing Control Synthesis Pipelines
The robust controlled predecessor (1) can be expressed through operator composition.
Proposition 1. The controlled predecessor operator (10) yields a sink interface with signature (x, ∅) and predicate equivalent to the predicate in (1).
Proof. Applying the definitions of comp, ihide, and ohide yields the expression One can safely move the ∃x + inside the parenthesis because ∀x + (F ⇒ Z) is a predicate that is independent of x + , yielding To show equivalence of the above expressions with Equation (1), we simply need to show equivalence of the following two predicates that depend on x and u: It is easy to see that (13) implies (14) because ∃x + (F ∧ Z) implies ∃x + F . To show the reverse, suppose (14) is satisfied for a pair x and u. Any x + chosen to satisfy ∃x + F must also satisfy the constraint imposed by the sink Z. Otherwise, the clause ∀x + (F ⇒ Z) would be violated, contradicting satisfaction of (14). Therefore, (13) and (14) are equivalent which completes the proof.
Proposition 1 signifies that controlled predecessors can be interpreted as an instance of robust composition of interfaces, followed by variable hiding. It can be shown that safe(F, Z, S) = comp(cpre(F, Z), S) because S(x, ∅) and cpre(F, Z) would be composed in parallel. 2 Figure 3 shows a visualization of the safety game's fixed point iteration from the point of view of relational interfaces. Starting from the right-most sink interface S (equivalent to Z 0 ) the iteration (3) constructs a sequence of sink interfaces Z 1 , Z 2 , ... encoding relevant subsets of the state space. The numerous S(x, ∅) interfaces impose constraints and can be interpreted as monitors that raise errors if the safety constraint is violated.

Modifying the Control Synthesis Pipeline
Equation (10)'s definition of cpre(·) is oblivious to the domains of variables x, u, and x + . This generality is useful for describing a problem and serving as a blank template. Whenever problem structure exists, pipeline modifications refine the general algorithm into a form that reflects the specific problem instance. They also allow a user to inject implicit preferences into a problem and reduce computational bottlenecks or to refine a solution. The subsequent sections apply this philosophy to the abstraction-based control techniques from Section 1.1: -Section 4: Coarsening interfaces reduces the computational complexity of a problem by throwing away fine grain information. The synthesis result is conservative but the degree of conservatism can be modified. -Section 5: Refining interfaces decreases result conservatism. Refinement in combination with coarsening allows one to dynamically modulate the com-plexity of the problem as a function of multiple criteria such as the result granularity or minimizing computational resources. -Section 6: If the dynamics or specifications are decomposable then the control predecessor operator can be broken apart to refect that decomposition.
These sections do more than simply reconstruct existing techniques in the language of relational interfaces. They uncover some implicit assumptions in existing tools and either remove them or make them explicit. Minimizing the number of assumptions ensures applicability to a diverse collection of systems and specifications and compatibility with future algorithmic modifications.

Interface Abstraction via Quantization
A key motivator behind abstraction-based control synthesis is that computing the game iterations from Equation (2) and Equation (3) exactly is often intractable for high-dimensional nonlinear dynamics. Termination is also not guaranteed. Quantizing (or "abstracting") continuous interfaces into a finite counterpart ensures that each predicate operation of the game terminates in finite time but at the cost of the solution's precision. Finer quantization incurs a smaller loss of precision but can cause the memory and computational requirements to store and manipulate the symbolic representation to exceed machine resources. This section first introduces the notion of interface abstraction as a refinement relation. We define the notion of a quantizer and show how it is a simple generalization of many existing quantizers in the abstraction-based control literature. Finally, we show how one can inject these quantizers anywhere in the control synthesis pipeline to reduce computational bottlenecks.

Theory of Abstract Interfaces
While a controller synthesis algorithm can analyze a simpler model of the dynamics, the results have no meaning unless they can be extrapolated back to the original system dynamics. The following interface refinement condition formalizes a condition when this extrapolation can occur.
Definition 6 (Interface Refinement [22]). Let F (i, o) andF (î,ô) be interfaces.F is an abstraction of F if and only if i ≡î, o ≡ô, and are valid formulas. This relationship is denoted byF F .
Definition 6 imposes two main requirements between a concrete and abstract interface. Equation (15) encodes the condition where ifF accepts an input, then F must also accept it; that is, the abstract component is more aggressive with rejecting invalid inputs. Second, if both systems accept the input then the abstract output set is a superset of the concrete function's output set. The abstract interface is a conservative representation of the concrete interface because the abstraction accepts fewer inputs and exhibits more non-deterministic outputs. If both the interfaces are sink interfaces, thenF F reduces down toF ⊆ F when F,F are interpreted as sets. If both are source interfaces then the set containment direction is flipped andF F reduces down to F ⊆F .
The refinement relation satisfies the required reflexivity, transitivity, and antisymmetry properties to be a partial order [22] and is depicted in Figure 4. This order has a bottom element ⊥ which is a universal abstraction. Conveniently, the bottom element ⊥ signifies both boolean false and the bottom of the partial order. This interface blocks for every potential input. In contrast, Boolean plays no special role in the partial order. While exhibits totally non-deterministic outputs, it also accepts inputs. A blocking input is considered "worse" than non-deterministic outputs in the refinement order. The refinement Fig. 4: Example depiction of the refinement partial order. Each small plot on the depicts input-output pairs that satisfy an interface's predicate. Inputs (outputs) vary along the horizontal (vertical) axis. Because B blocks on some inputs but A accepts all inputs B A. Interface C exhibits more output non-determinism than A so C A. Similarly D B, D C , C, etc. Note that B and C are incomparable because C exhibits more output non-determinism and B blocks for more inputs. The false interface ⊥ is a universal abstraction, while is incomparable with B and D.
relation encodes a direction of conservatism such that any reasoning done over the abstract models is sound and can be generalized to the concrete model.
Theorem 1 (Informal Substitutability Result [22]). For any input that is allowed for the abstract model, the output behaviors exhibited by an abstract model contains the output behaviors exhibited by the concrete model.
If a property on outputs has been established for an abstract interface, then it still holds if the abstract interface is replaced with the concrete one. Informally, the abstract interface is more conservative so if a property holds with the abstraction then it must also hold for the true system. All aforementioned interface operators preserve the properties of the refinement relation of Definition 6, in the sense that they are monotone with respect to the refinement partial order.
Theorem 4 (Input Hiding Preserves Refinement). If A, B are both sink interfaces and A B, then ihide(w, A) ihide(w, B) for any variable w.
Proofs for Theorems 2 and 3 are provided in [22]. Theorem 4's proof is simple and is omitted. One can think of using interface composition and variable hiding to horizontally (with respect to the refinement order) navigate the space of all interfaces. The synthesis pipeline encodes one navigated path and monotonicity of these operators yields guarantees about the path's end point. Composite operators such as cpre(·) chain together multiple incremental steps. Furthermore since the composition of monotone operators is itself a monotone operator, any composite constructed from these parts is also monotone. In contrast, the coarsening and refinement operators introduced later in Definition 8 and 10 respectively are used to move vertically and construct abstractions. The "direction" of new composite operators can easily be established through simple reasoning about the cumulative directions of their constituent operators.

Dynamically Coarsening Interfaces
In practice, the sequence of interfaces Z i generated during synthesis grows in complexity. This occurs even if the dynamics F and the target/safe sets have compact representations (i.e., fewer nodes if using BDDs). Coarsening F and Z i combats this growth in complexity by effectively reducing the amount of information sent between iterations of the fixed point procedure.
Spatial discretization or coarsening is achieved by use of a quantizer interface that implicitly aggregates points in a space into a partition or cover.

Definition 7. A quantizer Q(i, o) is any interface that abstracts the identity interface (i == o) associated with the signature (i, o).
Quantizers decrease the complexity of the system representation and make synthesis more computationally tractable. A coarsening operator abstracts an interface by connecting it in series with a quantizer. Coarsening reduces the number of non-blocking inputs and increases the output non-determinism.   The corollary below shows that quantizers can be seamlessly integrated into the synthesis pipeline while preserving the refinement order. It readily follows from Theorem 2, Theorem 3, and the quantizer definition. (17) and (18) are monotone operations with respect to the interface refinement order .

Corollary 1. Input and output coarsening operations
It is difficult to know a priori where a specific problem instance lies along the spectrum between mathematical precision and computational efficiency. It is then desirable to coarsen dynamically in response to runtime conditions rather than statically beforehand. Coarsening heuristics for reach games include: -Downsampling with progress [7]: Initially use coarser system dynamics to rapidly identify a coarse reach basin. Finer dynamics are used to construct a more granular set whenever the coarse iteration "stalls". In [7] only the Z i are coarsened during synthesis. We enable the dynamics F to be as well. -Greedy quantization: Selectively coarsening along certain dimensions by checking at runtime which dimension, when coarsened, would cause Z i to shrink the least. This reward function can be leveraged in practice because coarsening is computationally cheaper than composition. For BDDs, the winning region can be coarsened until the number of nodes reduces below a desired threshold. Figure 6 shows this heuristic being applied to reduce memory usage at the expense of answer fidelity. A fixed point is not guaranteed as long as quantizers can be dynamically inserted into the synthesis pipeline, but is once quantizers are always inserted at a fixed precision.
The most common quantizer in the literature never blocks and only increases non-determinism (such quantizers are called "strict" in [18] [19]). If a quantizer is interpreted as a partition or cover, this requirement means that the union must be equal to an entire space. Definition 7 relaxes that requirement so the union can be a subset instead. It also hints at other variants such as interfaces that don't increase output non-determinism but instead block for more inputs.

Refining System Dynamics
Shared refinement [22] is an operation that takes two interfaces and merges them into a single interface. In contrast to coarsening, it makes interfaces more precise. Many tools construct system abstractions by starting from the universal abstraction ⊥, then iteratively refining it with a collection of smaller interfaces that represent input-output samples. This approach is especially useful if the canonical concrete system is a black box function, Simulink model, or source code file. These representations do not readily lend themselves to the predicate operations or be coarsened directly. We will describe later how other tools implement a restrictive form of refinement that introduces unnecessary dependencies.
Interfaces can be successfully merged whenever they do not contain contradictory information. The shared refinability condition below formalizes when such a contradiction does not exist.
Definition 9 (Shared Refinability [22]). Interfaces F 1 (i, o) and F 2 (i, o) with identical signatures are shared refinable if For any inputs that do not block for all interfaces, the corresponding output sets must have a non-empty intersection. If multiple shared refinable interfaces, then they can be combined into a single one that encapsulates all of their information.
Definition 10 (Shared Refinement Operation [22]). The shared refinement operation combines two shared refinable interfaces F 1 and F 2 , yielding a new identical signature interface corresponding to the predicate The left term expands the set of accepted inputs. The right term signifies that if an input was accepted by multiple interfaces, the output must be consistent with each of them. The shared refinement operation reduces to disjunction for sink interfaces and to conjunction for source interfaces. Shared refinement's effect is to move up the refinement order by combining interfaces. Given a collection of shared refinable interfaces, the shared refinement operation yields the least upper bound with respect to the refinement partial order in Definition 6. Violation of (19) can be detected if the interfaces fed into refine(·) are not abstractions of the resulting interface.

Constructing Finite Interfaces through Shared Refinement
A common method to construct finite abstractions is through simulation and overapproximation of forward reachable sets. This technique appears in tools such as PESSOA [12], SCOTS [19], MASCOT [7], ROCS [9] and ARCS [4]. By covering a sufficiently large portion of the interface input space, one can construct larger composite interfaces from smaller ones via shared refinement. F (x ∪ u, x + ). The I andÎ interfaces encode the same predicate, but play different roles as sink and source. (Right) Visualization of finite abstraction as traversing the refinement partial order. Nodes represent interfaces and edges signify data dependencies for interface manipulation operators. Multiple refine edges point to a single node because refinement combines multiple interfaces. Input-output (IO) sample and coarsening are unary operations so the resulting nodes only have one incoming edge. The concrete interface F refines all others, and the final result is an abstractionF .
Smaller interfaces are constructed by sampling regions of the input space and constructing an input-output pair. In Figure 7's left half, a sink interface I(x ∪ u, ∅) acts as a filter. The source interfaceÎ(∅, x ∪ u) composed with F (x ∪ u, x + ) prunes any information that is outside the relevant input region. The original interface refines any sampled interface. To make samples finite, interface inputs and outputs are coarsened. An individual sampled abstraction is not useful for synthesis because it is restricted to a local portion of the interface input space. After sampling many finite interfaces are merged through shared refinement. The assumptionÎ i ⇒ nb(F ) encodes that the dynamics won't raise an error when simulated and is often made implicitly. Figure 7's right half depicts the sample, coarsen, and refine operations as methods to vertically traverse the interface refinement order.
Critically, refine(·) can be called within the synthesis pipeline and does not assume that the sampled interfaces are disjoint. Figure 8 shows the results from refining the dynamics with a collection of state-control hyper-rectangles that are randomly generated via uniformly sampling their widths and offsets along each dimension. These hyper-rectangles may overlap. If the same collection of hyper-rectangles were used in MASCOT, SCOTS, ARCS, or ROCS then this would yield a much more conservative abstraction of the dynamics because their implementations are not robust to overlapping or misaligned samples. PES-SOA and SCOTS circumvent this issue altogether by enforcing disjointness with an exhaustive traversal of the state-control space, at the cost of unnecessarily coupling the refinement and sampling procedures. The lunar lander contained in Section 8.2 of the appendix embraces overlapping and uses two mis-aligned grids to construct a grid partition with p N elements with only p N ( 1 2 ) N −1 samples (where p is the number of bins along each dimension and N is the interface input dimension). This technique introduces a small degree of conservatism but its computational savings typically outweigh this cost.

Decomposed Control Predecessor
A decomposed control predecessor is available whenever the system state space consists of a Cartesian product and the dynamics are decomposed componentwise such as F x , F y , and F θ for the Dubins vehicle. This property is common for continuous control systems over Euclidean spaces. While one may construct F directly via the abstraction sampling approach, it is often intractable for larger dimensional systems. A more sophisticated approach abstracts the lower dimensional components F x , F y , and F θ individually, computes F = comp(F x , F y , F θ ), then feeds it to the monolithic cpre(·) from Proposition 1. This section's approach is to avoid computing F at all and decompose the monolithic cpre(·). It operates by breaking apart the term ohide(x + , comp(F, Z)) in such a way that it respects the decomposition structure. For the Dubins vehicle example ohide(x + , comp(F, Z)) is replaced with yielding a sink interface with inputs p x , p y , v, θ, and ω. This representation and the original ohide(x + , comp(F, Z)) are equivalent because comp(·) is associative and interfaces do not share outputs x + ≡ {p + x , p + y , θ + }. Figure 9 shows multiple variants of cpre(·) and improved runtimes when one avoids preemptively constructing the monolithic interface. The decomposed cpre(·) resembles techniques to exploit partitioned transition relations in symbolic model checking [5].
No tools from Section 1.1 natively support decomposed control predecessors. We've shown a decomposed abstraction for components composed in parallel but this can also be generalized to series composition to capture, for example, a system where multiple components have different temporal sampling periods.

Conclusion
Tackling difficult control synthesis problems will require exploiting all available structure in a system with tools that can flexibly adapt to an individual problem's idiosyncrasies. This paper lays a foundation for developing an extensible suite of interoperable techniques and demonstrates the potential computational gains in an application to controller synthesis with finite abstractions. Adhering to a simple yet powerful set of well-understood primitives also constitutes a disciplined methodology for algorithm development, which is especially necessary if one wants to develop concurrent or distributed algorithms for synthesis.

Dynamic Precision Quantization
Certain data structures like trees or binary decision diagrams are natural candidates for encoding hierarchical decompositions of spaces. A sequence of bits can be used to traverse that data structure to arrive at a subset of that space. More bits allow one to specify finer granularity sets. As an illustrative example, consider an interval [0, 1] that is to be covered. Let N represent a number of bits to construct a cover of [0, 1], and assign a unique bit sequence to identify each set in the cover. Figure 10 depicts for varying N how an interval can be covered by a collection of small intervals, while minimizing overlaps. A greater N signifies that the cover can be constructed with finer intervals. A bit vector of length N can be used to specify an interval of width 2 −N . If N = ∞, then any value in [0, 1] can be encoded via the infinite weighted sum ∞ k=1 2 −k o k . For N = 0, the interval is [0, 1] itself. Figure 10 implicitly appends don't care terms − to the end of bit vectors. This allows finite length bit vectors (intervals) to be identical to the disjunction (union) of longer bit vectors (smaller intervals) with a common prefix.
A quantizer acts by truncating a bit vector to a specified finite number of bits and outputting the result. The effect of truncating bits is to implicitly widen or coarsen that interval. A quantizer Q N (o,ô) that only retains the first N bits satisfies the following formula and is depicted in Figure 10 Q The quantizer implicitly receives and emits infinite bit sequences but only depends on the most significant bits. It ignores higher precision input bits and non-deterministically assigns values to higher precision output bits. The input and output domains have identical cardinality but the quantizer is not a function due to the non-deterministic output. It is easy to see that for two quantizers Q N , Q M with precisions N, M ∈ N ∪ {∞} and N ≤ M the relation Q N Q M holds. A collection of quantizers composed in series also yields a single quantizer with the minimum precision.
Applying the quantizer definition above to the output coarsening and input coarsening operations yield insightful results.

Example 1 (Output Quantizer). Consider an interface
The last predicate has signature (i,ô msb ) and is equivalent to the predicate ∃o lsb F after the o bit are replaced with their respectiveô bits. In other words, the output non-determinism is increased.
The input quantizer is more complicated than output quantization.
Example 2 (Input Quantizer). Consider an interface F (i, o) where i ≡ i 1 ∪i 2 ∪. . . is a composite variable representing an infinite bit vector. Let i msb = i 1 ∪ . . . i N be the most significant bits and i lsb = i N +1 ∪ . . . be the least significant bits. The input coarsening operator yields the following equivalent prediates.
The last predicate has signature (î msb , o) and is equivalent to the predicate ∃i lsb F ∧ ∀i lsb (nb(F )) after all i bits are replaced with their respectiveî bits. The ∃i lsb F term increases output non-determinism by taking a union of outputs generated by different lower significant bit assignments. Term ∀i lsb (nb(F )) imposes that if some input assignments can block, then all other input assignments with identical most significant bits are also blocked.
Remark 1. A multi-dimensional quantizer simply consists of multiple scalar quantizers. The encoding for the interval [0, 1] can be rescaled to an interval [a, b].
Additional care needs to be taken for non-powers of two, and overflow bits can be added to extend to R.

Lunar Lander
We consider the lunar lander from OpenAI gym [3], a python simulation environment for reinforcement learning research. The lander is set up within a physics simulation engine and has six continuous state dimensions and two continuous input dimensions. After some minor modifications 3 , we identified the following discrete time dynamics v + y = v y + .0359u 1 cos(θ) + .00707u 2 sin(θ) − .0267 (36) While one could construct interfaces associated with each equation (33)-(38), the positional components p + x and p + y would require finer grids than those above to capture a changing state over the short time horizon. Instead of using the one-step dynamics above, we instead use a sampled system with a period of 9 time steps. We refer to the interfaces associated with the unrolled dynamics with the names shown in Table 1. The time to construct all six interfaces was 430.5 seconds. A reach objective with a target region T is specified by which corresponds to 73 million states of the full dimensional space. We iterate a custom reach operator 20 iterations to construct a winning set with 344.6 million states. Trajectories reaching the target are depicted in Figure 11. The control synthesis runtime was 4194 seconds but a small portion of that includes applying the coarsening operation as detailed later. We applied the aforementioned decomposed predecessor and greedy coarsening heuristic and gradually increase the complexity threshhold from 10 5 BDD nodes until a cap of 10 6 nodes. For the lunar lander problem, many computers would run out of memory before the game solver reaches a fixed point. These abstraction and synthesis runtime numbers were achieved using additional techniques outlined below.
Abstraction with Heterogeneous Grids: While sampling over a longer time horizon lets us use a coarser grid, it comes at the cost of increasing the number of interface inputs. States θ and ω at time t = 0 can influence state p x at future time steps through their effect on v x . While p x can depend on θ and ω over time, its sensitivity to those values is small over short horizons. Heterogeneous grids exploit this insight and allow small perturbations of θ and ω to be ignored. Table 1 shows how interface F px allocates less bits to those variables than interfaces F θ and F ω , which are much more sensitive to the same perturbations over the same time horizon. Curiously, F px assigns zero bits to ω. This signifies that it only assumes that ω ∈ [−.6, .6] but does not otherwise care what the specific value is due to the low sensitivity.
Abstraction with Coarse Shifted Grids: Some interfaces can have up to a half million inputs with the granularity provided in Table 1. Instead of exhaustively iterating over all of them, we use the overlapping property of shared refinement to reduce the number of iterations while still inducing a grid of the desired granularity. Figure 12 depicts a simple two dimensional version of the iteration procedure where a higher granularity grid is constructed by two coarser grids that are offset from one another. This technique generally yields a more conservative abstraction than the one obtained by a full granularity traversal, but leads to a reduction in abstraction runtime. An overapproximation of a forward reachable set was represented as a hyper-rectangle. Simple interval analysis techniques could be applied for the one-step dynamics, and iterated over 9 time steps. This technique is not implemented in prior tools. Fig. 12: A 8 × 8 partition induced by overlaying a 4 × 4 partition and a 5 × 5 partition. Note that 4 2 + 5 2 < 8 2 . For grids of dimension N , this technique reduces the number of iterations by a factor of roughly 2 N −1 . An initial factor of roughly 2 N is achieved by doubling the cell width along each dimension, but iterating over two grids reduces this factor to 2 N −1 .
Example 3 illustrates the key idea behind how one can leverage overlapping input sets to implicitly create more discrete states than the number of loop iterations.
Example 3. For j ∈ {1, 2}, let I j be a sink and O j be a source. Composing these in parallel yields two input-output interfaces I 1 ∧ O 1 and I 2 ∧ O 2 . These sink and source interfaces represent the ones from Figure 7's left. The shared refinement interface outputted by refine(·) has a predicate that is logically equivalent to If I 1 and I 2 correspond to disjoint sets, then this simplifies to a disjunction because I 1 ∧ I 2 ⇔ ⊥, I 1 ⇒ ¬I 2 and I 2 ⇒ ¬I 1 . Disjointness is imposed by assumption in PESSOA and SCOTS, which iterate over a partition of the space.
If I 1 and I 2 are not disjoint, then (40) can be viewed as three reach set overapproximations O 1 ∧ O 2 , O 1 and O 2 for three respective disjoint input sets I 1 ∧ I 2 , ¬I 1 ∧ I 2 , and I 1 ∧ ¬I 2 . By leveraging overlapping input domains, refine(·) has generated three discrete states despite only being provided two interfaces I 1 ∧O 1 and I 2 ∧ O 2 .