Fast and Guaranteed Safe Controller Synthesis for Nonlinear Vehicle Models

We address the problem of synthesizing a controller for nonlinear systems with reach-avoid requirements. Our controller consists of a reference controller and a tracking controller which drives the actual trajectory to follow the reference trajectory. We identify a type of reference trajectory such that the tracking error between the actual trajectory of the closed-loop system and the reference trajectory can be bounded. Moreover, such a bound on the tracking error is independent of the reference trajectory. Using such bounds on the tracking error, we propose a method that can find a reference trajectory by solving a satisfiability problem over linear constraints. Our overall algorithm guarantees that the resulting controller can make sure every trajectory from the initial set of the system satisfies the given reach-avoid requirement. We also implement our technique in a tool FACTEST. We show that FACTEST can find controllers for four vehicle models (3–6 dimensional state space and 2–4 dimensional input space) across eight scenarios (with up to 22 obstacles), all with running time at the sub-second range.


Introduction
Design automation and safety of autonomous systems is an important research area. Controller synthesis aims to provide correct-by-construction controllers that can guarantee that the system under control meets certain requirements. Controller synthesis is a type of program synthesis problem. The synthesized program or controller g has to meet the given requirement R, when it is run in (closed-loop) composition with a given physical process or plant A. Therefore, a synthesis algorithm has to account for the combined behavior of g and A.
Methods for designing controllers for asymptotic requirements like stability, robustness, and tracking, predate the algorithmic synthesis approaches for programs [3,16,30]. However, these classic control design methods normally do not provide formal guarantees in terms of handling bounded-horizon requirements like safety. Typical controller programs are small, well-structured, and at core, have a succinct logic ("bang-bang" control) or mathematical operations (PID control). This might suggest that controllers could be an attractive target for algorithmic synthesis for safety, temporal logic (TL), and bounded time requirements [1,9,18,34,38].
On the other hand, motion planning (MP), which is an instance of the controller synthesis for robots is notoriously difficult (see [21] Chapter 6.5). A typical MP requirement is to make a robot A track certain waypoints while meeting some constraints. A popular paradigm in MP, called sampling-based MP, gives practical, fully automatic, randomized, solutions to hard problem instances by only considering the geometry of the vehicle and the free space [14,15,20,21]. However, they do not ensure that the dynamic behavior of the vehicle will actually follow the planed path without running into obstacles. Ergo, MP continues to be a central problem in robotics 1 .
In this paper, we aim to achieve faster control synthesis with guarantees by exploiting a separation of concerns that exists in the problem: (A) how to drive a vehicle/plant to a given waypoint? and (B) Which waypoints to choose for achieving the ultimate goal? (A) can be solved using powerful control theoretic techniques-if not completely automatically, but at least in a principled fashion, with guarantees, for a broad class of A's. Given a solution for (A), we solve (B) algorithmically. A contribution of the paper is to identify characteristics of a solution of (A) that make solutions of (B) effective. Consider nonlinear control systems A : d dt x = f (x, u) and reach-avoid requirements defined by a goal set G that the trajectories should reach, and obstacles O the trajectories should avoid. The above separation leads to a two step process: (A) Find a state feedback tracking controller g trk that drives the actual trajectory of the closed-loop system ξ g to follow a reference trajectory ξ ref . (B) Design a reference controller g ref , which consists of a reference trajectory ξ ref and a reference input u ref . The distance between ξ g and ξ ref is called the tracking error e. If we can somehow know beforehand the value of e without knowing ξ ref , we can use such error to bloat O and shrink G, and then synthesize ξ ref such that it is e away from the obstacles (inside the goal set). For linear systems, this was the approach used in [7], but for nonlinear systems, the tracking error e will generally change with ξ ref , and the two steps get entangled.
For a general class of nonlinear vehicles (such as cars, drones, and underwater vehicles), the tracking controller g trk is always designed to minimize the tracking error. The convergence of the error can be proved by a Lyapunov function for certain types of ξ ref . We show how, under reasonable assumptions, we can use Lyapunov functions to bound the value of the tracking error even when the waypoints changes (Lemma 2). This error bound is independent of ξ ref so long as ξ ref satisfies the assumptions. For step (B) we introduce a SAT-based trajectory planning methods to find such ξ ref and u ref by solving a satisfiability (SAT) problem over quantifier free linear real arithmetic (Theorem 1). Moreover, the number of constraints in the SMT problem scales linearly to the increase of number of obstacles (and not with the vehicle model). Thus, our methods can scale to complex requirements and high dimensional systems.
Putting it all together, our final synthesis algorithm (Algorithm 2) guarantees that any trajectory following the synthesized reference trajectory will satisfy the reach-avoid requirements. The resulting tool FACTEST is tested with four nonlinear vehicle models and on eight different scenarios, taken from MP literature, which cover a wide range of 2D and 3D environments. Experiment results show that our tool scales very well: it can find the small covers {Θ j } j and the corresponding reference trajectories and control inputs satisfying the reach-avoid requirements most often in less than a second, even with up to 22 obstacles. We have also compared our SAT-based trajectory planner to a standard RRT planner, and the results show that our SAT-based method resoundingly outperforms RRT. To summarize, our main contributions are: 1. A method (Algorithm 2) for controller synthesis separating tracking controller g trk and search for reference controller g ref . 2. Sufficient conditions for tracking controller error performance that makes the decomposition work (Lemma 2 and Lemma 3). 3. An SMT-based effective method for synthesizing reference controller g ref . 4. The FACTEST implementation of the above and its evaluation showing very encouraging results in terms of finding controllers that make any trajectories of the closed-loop system satisfy reach-avoid requirements (Sect. 6).

Related Works. Model Predictive Control (MPC)
. MPC [4,25,45,49] has to solve a constrained, discrete-time, optimal control problem. MPC for controller synthesis typically requires model reduction for casting the optimization problem as an LP [4], QP [2,36], MILP [33,34,45]. However, when the plant model is nonlinear [8,22], it may be hard to balance speed and complex requirements as the optimization problem become nonconvex and nonlinear.
Safe Motion Planning. The idea of bounding the tracking error through precomputation has been used in several techniques: FastTrack [11] uses Hamilton-Jacobi reachability analysis to produce a "safety bubble" around planed paths.
Reachability based trajectory design for dynamical environments (RTD) [44] computes an offline forward reachable sets to guarantee that the robot is notat-fault in any collision. In [40], a technique based on convex optimization is used to compute tracking error bounds. Another technique [23,43] uses motion primitives expanded by safety funnels, which defines similar ideas of safety tubes.
Sampling Based Planning. Probabilistic Road Maps (PRM) [15], Rapidlyexploring Random Trees (RRT) [19], and fast marching tree (FMT) [12] are widely used in actual robotic platforms. They can generate feasible trajectories through known or partially known environments. Compared with the deterministic guarantees provided by our proposed method, these methods come with stochastic guarantees. Also, they are not designed to be robust to model uncertainty or disturbances. MoveIT [5] is a tool designed to implement and benchmark various motion planners on robots. The motion planners in MoveIT are from the open motion planning library (OMPL) [41], which implements motion planners abstractly.
Controlled Lyapunov Function (CLF). CLF have been used to guarantee that the overall closed-loop controlled system satisfies a reach-while-stay specification [35]. Instead of asking for a CLF for the overall closed-loop system, our method only needs a Lyapunov function for the tracking error, which is a weaker local requirement. CLF is often a difficult requirement to meet for nonlinear vehicle models.

Preliminaries and Problem Statement
Let us denote real numbers by R, non-negative real numbers by R ≥0 , and natural numbers by N. The n-dimensional Euclidean space is R n . For a vector x ∈ R n , x (i) is the i th entry of x and x 2 is the 2-norm of x. For any matrix A ∈ R n×m , A is its transpose; A (i) is the i th row of A. Given a r ≥ 0, an r-ball around x ∈ R n is defined as B r (x) = {x ∈ R n | ||x − x|| 2 ≤ r}. We call r the radius of the ball. Given a matrix H ∈ R r×n and a vector b ∈ R r , an (H, b)-polytope is denoted by P oly(H, b) = {x ∈ R n | Hx ≤ b}. Each row of the inequality  Fig. 1 for an example. Given a trajectory ξ : [0, T ] → X and a time t > 0, the time shift of ξ is a function (ξ + t) Strictly speaking, for t > 0, ξ + t is not a trajectory. The concatenation of two trajectories ξ 1 ξ 2 is a new trajectory in which ξ 1 is followed by ξ 2 . That is, for each t ∈ [0, ξ 1 .ltime+ξ 2 .ltime], (ξ 1 ξ 2 )(t) = ξ 1 (t) when t ≤ ξ 1 .ltime, and equals ξ 2 (t − ξ 1 .ltime) when t > ξ 1 .ltime. Trajectories are closed under concatenation, and many trajectories can be concatenated in the same way.

Nonlinear Control System
is the input space, and (iv) f : X × U → X is the dynamic function that is Lipschitz continuous with respect to the first argument.
A control system with no inputs (m = 0) is called a closed system.
Let us fix a time duration T > 0. An input trajectory u : [0, T ] → U, is a continuous trajectory over the input space U. We denote the set of all possible input trajectories to be U. Given an input signal u ∈ U and an initial state x 0 ∈ Θ, a solution of A is a continuous trajectory ξ u : [0, T ] → X that satisfies (i) ξ u (0) = x 0 and (ii) for any t ∈ [0, T ], the time derivative of ξ u at t satisfies the differential equation: For any x 0 ∈ Θ, u ∈ U, ξ u is a state trajectory and we call such a pair (ξ u , u) a state-input trajectory pair. A reference state trajectory (or reference trajectory for brevity) is a trajectory over X that the control system tries to follow. We denote reference trajectories by ξ ref . Similarly, a reference input trajectory (or reference input) is a trajectory over U and we denote them as u ref . Note these ξ ref and u ref are not necessarily solutions of (1). Figure 1 shows reference and actual solution trajectories.
We call a reference trajectory ξ ref and a reference input u ref together as a reference controller g ref . Given g ref , a tracking controller g trk is a function that is used to compute the inputs for A so that in the resulting closed system, the state trajectories try to follow ξ ref . At any time t, the tracking controller g trk takes in a current state of the system x, a reference trajectory state ξ ref (t), and a reference input u ref (t), and gives an input g trk (x, ξ ref (t), u ref (t)) ∈ U for A. The controller g for A is determined by both the reference controller g ref and the tracking controller g trk . The resulting trajectory ξ g of the closed control system (A closed with g ref and g trk ) satisfies: where D is the set of points in time where the second or third argument of g trk is discontinuous 2 .

Controller Synthesis Problem
are not required to be a state-input pair, but, for each initial state x 0 ∈ Θ j , the closed loop trajectory ξ g following ξ ref is a valid state trajectory with corresponding input u generated by g trk and g j,ref . In this paper, we will decompose the controller synthesis problem: Part (a) will be delivered by design engineers with knowledge of vehicle dynamics, and parts (b) and (c) will be automatically synthesized by our algorithm. The latter being the main contribution of the paper. Example 1. Consider a ground vehicle moving on a 2D workspace W ⊆ R 2 as shown in Fig. 1. This scenario is called Zigzag and it is adopted from [32]. The red polytopes are obstacles. The blue and green polytopes are the initial set Θ and the goal set G. There are also obstacles (not shown in the figure) defining the boundaries of the entire workspace. The black line is a projection of a reference trajectory to the workspace: ξ ref (t) ↓ p. This would not be a feasible state trajectory for a ground vehicle that cannot make sharp turns. The purple dashed curve is a real feasible state trajectory of the system starting from Θ with a tracking controller g trk , where g trk will be introduced in Example 2.
Consider the standard nonlinear bicycle model of a car [31]. The control system has 3 state variables: the position p x , p y , and the heading direction θ. Its motion is controlled by two inputs: linear velocity v and rotational velocity ω. The car's dynamics are given by:

Constructing Reference Trajectories from Waypoints
PWL reference trajectory. In W, a PWL curve can be determined by the endpoints of each line segment. We call such endpoints the waypoints of the PWL reference trajectory. In Fig. 1, the black points p 0 , · · · , p 6 are waypoints of Consider any vehicle on the plane 3 with state variables p x , p y , θ, v (x-position, y-position, heading direction, linear velocity) and input variables a, ω (acceleration and angular velocity). Once the waypoints andv using Algorithm 1. The semantics of ξ ref and u ref returned by Waypoints to Traj is that the reference trajectory requires the vehicle to move at a constant speedv along the lines connecting the waypoints can also be constructed using Waypoints to Traj moving v to input variables and dropping a. We

Proposition 1. Given a sequence of waypoints {p
Outline of Synthesis Approach. In this Section, we present an Algorithm Waypoints to Traj for constructing reference trajectories from arbitrary sequence of waypoints. In Sect. 4, we precisely characterize the type of vehicle tracking controller our method requires from designers. On our tool's webpage [27], we show with several extra examples that indeed developing such controllers is non-trivial, far from automatic, yet bread and butter of control engineers. In Sect. 5, we present the main synthesis algorithm, which uses the tracking error bounds from the previous section, to construct waypoints, for each initial state, which when passed through Waypoints to Traj provide the solutions to the synthesis problem.

Tracking Error and Lyapunov Functions
Given a reference controller g ref , a tracking controller g trk , and an initial state x 0 ∈ Θ, the resulting trajectory ξ g of the closed control system (A closed with g ref and g trk ) is a state trajectory that starts from x 0 and follows the ODE (2). In this setting, we define the tracking error at time t to be a continuous function: When ξ g (t) and ξ ref (t) are fixed, we also write e(t) = e(ξ g (t), ξ ref (t)) which makes it a function of time. One thing to remark here is that if ξ ref (t) is discontinuous, then e(t) is also discontinuous. In this case, the derivative of e(t) cannot be defined at the points of discontinuity. To start with, let us assume that is a valid state-input pair so ξ ref is a continuous state trajectory. Later we will see that the analysis can be extended to cases when ξ ref is discontinuous but a concatenation of continuous state trajectories. When is a valid state-input pair and e(t) satisfy an differential equation d dt e(t) = f e (e(t)), we use Lyapunov functions, which is a classic technique for proving stability of an equilibrium of an ODE, to bound the tracking error e(t). The Lie derivative ∂V ∂e f e (e) below captures the rate of change of the function V along the trajectories of e(t). [16]

Definition 4 (Lyapunov functions
, we define the tracking error in a coordinate frame fixed to the car [13]: With the reference controller function g defined as: it has been shown in [13] when .

Bounding Tracking Error Using Lyapunov Functions: Part 1
Consider a given closed control system, A with g ref and g trk , in this section, we will derive upper bounds on the tracking error e. Later in Sect. 5, we will develop techniques that take the tracking error into consideration for computing reference trajectories ξ ref .
To begin with, we consider state-input reference trajectory pairs (ξ ref , u ref ) where u ref is continuous, and therefore, ξ ref and ξ g are differentiable. Let us assume that the tracking error dynamics ( d dt e(t) = f e (e(t))) has a Lyapunov function V (e(t)). The following is a standard result that follows from the theory of Lyapunov functions for dynamical systems. From Eq. (4), it is easy to check that e 2

Bounding Tracking Error Using Lyapunov Functions: Part 2
Next, let us consider the case where ξ ref is discontinuous. Furthermore, let us assume that it is a concatenation of several continuous state trajectories ξ ref,1 · · · ξ ref,k . In this case, we call ξ ref a piece-wise reference trajectory. If we have a sequence of (ξ ref,i , u ref,i ), each is a valid state-input trajectory pair and the corresponding error e i (t) has a Lyapunov function V i (e i (t)), then we can use Lemma 1 to bound the error of e i (t) if we know the value of e i (0). However, the main challenge to glue these error bounds together is that e(t) would be discontinuous with respect to the entire piece-wise ξ ref (t).
Without loss of generality, let us assume that the Lyapunov functions V i (e i (t)) share the same format. That is, ∀i, V i (e i (t)) = V (e i (t)). Let t i be the concatenation time points when ξ ref (t) (and therefore e(t)) is discontinuous. We One insight we can get from Example 3 is that although e(t) is discontinuous at time t i s, some of the variables influencing e(t) are continuous. For example, e x (t) and e y (t) in Example 3, which represent the error of the positions, are continuous since both the actual and reference positions of the vehicle are continuous. If we can further bound the term in V (e(t)) that corresponds to the other variables, we could analyze the error bound for the entire piece-wise reference trajectory. With this in sight, let us write e(t) as [e p (t), e r (t)], where e p (t) = e(t) ↓ p is the projection to W and e r (t) is the remaining components.
Let us further assume that the Lyapunov function can be written in the form of V (e(t)) = α(e p (t)) + β(e r (t)). Indeed, on the tool's webpage [27] we show that four commonly used vehicle models (car, robot, underwater vehicle, and hovercraft) have Lyapunov functions for the tracking error e(t) of this form. If β(e r (t)) can be further bounded, then the tracking error for the entire trajectory can be bounded using the following lemma.  Proof. We prove this by induction on i. When i = 1, we know from Lemma 1 that if the initial tracking error is bounded by V (e(0)), then for any t ∈ [0, t 1 ), V (e(t)) ≤ V (e(0)) ≤ ε 0 = ε 1 , so the lemma holds. Fix Another observation we have on the four vehicle models used in this paper is that not only V (e(t)) can be written as α(e p (t)) + β(e r (t)) with β(e r (t)) being bounded, but also α(e p (t)) can be written as α(e p (t)) = ce p (t)e p (t) = c p(t) − p ref (t) 2 2 , where c ∈ R is a scalar constant; p(t) = ξ g (t) ↓ p and p ref (t) = ξ ref (t) ↓ p are the actual position and reference position of the vehicle. In this case, we can further bound the position of the vehicle p(t).

Lemma 3. In addition to the assumptions of Lemma 2, if
where ε i and b l are from Lemma 2, which implies that k2 is a Lyapunov function for each segment of the piecewise reference trajectory ξ ref (t). We also know that for any value of e θ , the term where t i are the concatenation time points, we have V (e(t)) ≤ V (e(0)) + 2(i−1) k2 Therefore, following Exam- k2 , and the position of the robot satisfies [p As seen in Fig. 2

Synthesizing the Reference Trajectories
In Sect. 4.3, we have seen that under certain conditions, the tracking error e(t) between an actual closed-loop trajectory ξ g (t) and a piece-wise reference ξ ref (t) can be bounded by a piece-wise constant value, which depends on the initial tracking error e(0) and the number of segments in ξ ref . We have also seen an example nonlinear vehicle model with PWL ξ ref for which the tracking error can be bounded.
In this section, we discuss how to utilize such bound on e(t) to help find a reference controller g ref consisting of a reference trajectory ξ ref (t) and a reference input u ref (t) such that closed-loop trajectories ξ g (t) from a neighborhood of ξ ref (0) that are trying to follow ξ ref (t) are guaranteed to satisfy the reach-avoid requirement. The idea of finding a g ref follows a classic approach in robot motion planning. The intuition is that if we know at any time t ∈ [0, ξ ref .ltime], ξ g (t) ↓ p − ξ ref (t) ↓ p 2 will be at most , then instead of requiring ξ ref (t) ↓ p to be at least away from the obstacles (inside the goal region), we will bloat the obstacles (shrink the goal set) by . Then the original problem is reduced to finding a ξ ref (t) such that ξ ref (t) ↓ p can avoid the bloated obstacles and reach the shrunk goal set. and each pair satisfies the system dynamics, is a nontrivial problem. If we were to encode the problem directly as a satisfiability or an optimization problem, the solver would have to search for over the space of continuous functions constrained by the above requirements, including the nonlinear differential constraints imposed by f . The standard tactic is to fix a reasonable template for ξ ref (t), u ref (t) and search for instantiations of this template.

Use PWL Reference Trajectories for Vehicle Models
From Example 4, we see that if ξ ref is a PWL reference trajectory constructed from waypoints in the workspace, the tracking error can be bounded using Lemma 2. A PWL reference trajectories connecting the waypoints in the workspace have the flexibility to satisfy the reach-avoid requirement. Therefore, in this section, we fix ξ ref and u ref to be the reference trajectory and reference input returned by the Waypoints to Traj(·, ·). In Sect. 5.2, we will see that the problem of finding such PWL ξ ref (t) can be reduced to a satisfiability problem over quantifier-free linear real arithmetic, which can be solved effectively by off-the-shelf SMT solvers (see Sect. 6 for empirical results). Let us start with one segment p(t) with t ∈ [t i−1 , t i ). To enforce that p(t) is i away from a polytope obstacle, a sufficient condition is to enforce both the endpoints of the line segment to lie out at least one surface of the polytope bloated by i .

Synthesizing Waypoints for a Linear Reference Trajectory
Proof. Fix any s such that (H (s) defines a convex half space. Therefore, if p i−1 ∈ S and p i ∈ S, then any point on the line segment connecting p i−1 and p i is in S. Therefore, for any t The distance between p ref (t) and the surface H Furthermore, Similarly, we can define the condition when p ref (ξ.ltime) = p k is inside the goal shrunk by k .

Lemma 5. Given a polytope goal set
Putting them all together, we want to solve the following satisfiability problem to ensure that each line segment between p i−1 and p i is at least i away from all the obstacles and p k is inside the goal set G with at least distance k to the surfaces of G. In this way, ξ g (t) starting from a neighborhood of ξ ref (0) can satisfy the reach-avoid requirement.
Notice that the constraints in φ waypoints are all linear over real arithmetic. Moreover, the number of constraints in φ waypoints is are a PWL reference trajectory and a reference input respectively constructed from the waypoints {p i } k i=0 , they satisfy Assumption (1). Moreover, V (e(ξ g (0), ξ ref (0))) ≤ ε 0 satisfies Assumption (2). Using Lemma 2 and Lemma 3, we know that for t Finally, since {p i } k i=0 satisfy the constraints in φ waypoints , using Lemma 4 and Lemma 5, we know that for any time t ∈ [0, t k ], ξ g (t) ↓ p / ∈ O and ξ g (t k ) ∈ G. Therefore the theorem holds.

Partitioning the Initial Set
Starting from the entire initial set Θ, fix ξ ref (0) ∈ Θ and an ε 0 such that ∀x ∈ Θ, V (e(x, ξ ref (0))) ≤ ε 0 , then we can use Lemma 2 and Lemma 3 to construct the error bounds { i } k i=1 for positions, and next use { i } k i=1 to solve φ waypoints and find the waypoints and construct the reference trajectory.
However, if the initial set Θ is too large, { i } k i=1 could be too conservative so φ waypoints is not satisfiable. In the first two figures on the top row of Fig. 3, we could see that if we bloat the obstacle polytopes using the largest i , then no reference trajectory is feasible. In this case, we partition the initial set Θ to several smaller covers Θ j and repeat the above steps from each smaller cover Θ j . In Lemma 2 and Lemma 3 we could see that the values of { i } k i=1 decrease if ε 0 decreases. Therefore, with the partition of Θ, we could possibly find a reference trajectory more and more easily. As shown in Fig. 3 bottom row, after several partitions, a reference trajectory for each Θ j could be found.

Overall Synthesis Algorithm
Taking partitioning into the overall algorithm, we have Algorithm 2 to solve the controller synthesis problem defined in Sect. 2.2. Algorithm 2 takes in as inputs (1) an (n, m)-dimensional control system A, (2) a tracking controller g trk , (3) Obstacles O, (4) a goal set G, (5) a Lyapunov function V (e(t)) for the tracking error e that satisfies the conditions in Lemma 2 and Lemma 3 for any PWL reference trajectory and input, (6) the maximum number of line segments allowed Seg max , (7) the maximum number of partitions allowed Part max , and (8) a constant velocityv. The algorithm returns a set RefTrajs, such that for each triple Θ j , ξ j,ref , u j,ref ∈ RefTrajs, we have ∀x 0 ∈ Θ j , the unique trajectory ξ g of the closed system (A closed with g trk (·, ξ j,ref , u j,ref )) starting from x 0 satisfies the reach-avoid requirement. The algorithm also returns Cover, None , which means that the algorithm fails to find controllers for the portion of the initial set in Cover within the maximum number of partitions Part max .
In Algorithm 2, Cover is the collection of covers in Θ that the corresponding ξ ref and u ref have not been discovered. Initially, Cover only contains Θ. The forloop from Line 2 will try to find a ξ ref and a u ref for each Θ ∈ Cover until the maximum allowed number for partitions is reached. At line 3, we fix the initial state of ξ ref (0) = ξ init to be the center of the current cover Θ. Then at Line 4, we get the initial error bounds ε 0 after fixing ξ init . Using ε 0 and the Lyapunov function V (e), we can construct the error bounds { i } k i=1 for the positions of the vehicle using Lemma 2 and Lemma 3 at Line 5. If the if condition at Line 7 holds with {p i } k i=0 being the waypoints that satisfy φ waypoints , then from Theorem 1 we know that the ξ ref , u ref constructed using {p i } k i=0 at Line 9 will be such that, the unique trajectory ξ g of the closed system (A closed with g trk (·, ξ ref , u ref )) starting from x 0 ∈ Θ satisfies the reachavoid requirement. Otherwise the algorithm will increase the number of segments k in the PWL reference trajectory (Line 15). When the maximum number of line segments allowed is reached but the algorithm still could not find ξ ref , u ref that can guarantee the satisfaction of reach-void requirement from the current cover Θ, we will partition the current Θ at Line 17 and add those partitions to Cover. At the same time, k will be reset to 1.  (1). Θ ⊆ ∪Θ j ∪Cover, and (2). for each triple Θ j , ξ j,ref , u j,ref , we have ∀x 0 ∈ Θ j , the unique trajectory ξ g of the closed system (A closed with g trk (·, ξ j,ref , u j,ref )) starting from x 0 satisfies the reach-avoid requirement.

Theorem 2 (Soundness). Suppose the inputs to Algorithm 2,
The theorem follows directly from the proof of Theorem 1.

Implementation and Evaluation
We have implemented our synthesis algorithm (Algorithm 2) in a prototype open source tool we call FACTEST 5 (FAst ConTrollEr SynThesis framework). Our implementation uses Pypoman 6 , Yices 2.2 [6], SciPy 7 and NumPy 8 libraries.
The inputs to FACTEST are the same as the inputs in Algorithm 2. FACTEST terminates in two ways. Either it finds a reference trajectory ξ j,ref and reference input u j,ref for every partition Θ j of Θ so that Theorem 2 guarantees they solved the controller synthesis problem. Otherwise, it terminates by failing to find reference trajectories for at least one subset of Θ after partitioning Θ up to the maximum specified depth.

Benchmark Scenarios: Vehicle Models and Workspaces
We will report on evaluating FACTEST in several 2D and 3D scenarios drawn from motion planning literature (see Figs. 4). Recall, the state space X dimension corresponds to the vehicle model, and is separate from the dimensionality of the workspace W. We will use four nonlinear vehicle models in these different scenarios: (a) the kinematic vehicle model (car) [31] introduced in Example 1, (b) a bijective mobile robot (robot) [13], (c) a hovering robot (hovercraft), and (d) an autonomous underwater vehicle (AUV) [29]. The dynamics and tracking controllers (g trk ) of the other three models are described on the FACTEST website [27]. Each of these controllers come with a Lyapunov function that meets the assumptions of Lemmas 2 and 3 so the tracking error bounds given by the lemmas { } k i=1 can be computed.
(a) Zigzag [32] (b) Maze [32] (c) SCOTS [38] (d) Barrier   Comparison with Other Motion Controller Synthesis Tools: A Challenge. Few controller synthesis tools for nonlinear models are available for direct comparisons. We had detailed discussions with the authors of FastTrack [11], but found it difficult to plug-in new vehicle models. RTD [44] is implemented in MatLab also for specific vehicle models. Pessoa [26] and SCOTS [38] are implemented as general purpose tools. However, they are based on construction of discrete abstractions, which requires several additional user inputs. Therefore, we were only able to compare FACTEST with SCOTS and Pessoa using the scenario SCOTS. This scenario was originally built in SCOTS and is using the same car model. The results for SCOTS and Pessoa can be found in [38]. The total runtime of SCOTS consists of the abstraction time t abs and the synthesis time t syn . The Pessoa tool has an abstraction time of t abs = 13509 s and a synthesis time of t syn = 535 s, which gives a total time of t tot = 14044 s. The SCOTS tool has a has an abstraction time of t abs = 100 s and a synthesis time of t syn = 413 s, which gives a total time of t tot = 513 s. FACTEST clearly outperforms both SCOTS and Pessoa with a total runtime of t tot = 1.541 s. This could be attributed to the fact that FACTEST does not have to perform any abstractions, but even by looking sole at t syn , FACTEST is significantly faster. However, we do note that the inputs of FACTEST and SCOTS are different. For example, SCOTS needs a growth bound function β for the dynamics but FACTEST requires Lyapunov functions for the tracking error.

RRT vs. SAT-Plan
To demonstrate the speed of our SAT-based reference trajectory synthesis algorithm (i.e. only the while-loop from Line 6 to Line 15 of Algorithm 2 which we call SAT-Plan), we compare it with Rapidly-exploring Random Trees (RRT) [20]. The running time, number of line segments, and number of iterations needed to find a path were compared. RRT was run using the Python Robotics library [39], which is not necessarily an optimized implementation. SAT-Plan was run using Yices 2.2. The scenarios are displayed in Fig. 4 and the results are in Fig. 5. Each planner was run 100 times. The colored bars represent the average runtime and average number of iterations. The error bars represent the range of minimum and maximum. The RRT path planner was given a maximum of 5000 iterations and a path resolution of 0.01. SAT-Plan was given a maximum of 100 line segments to find a path. RRT timed out for the SCOTS scenario, unable to find a trajectory within 5000 iterations. The maze scenario timed out about 10% of the time.
Overall SAT-Plan scales in time much better as the size of the unsafe set increases. Additionally, the maximum number of iterations that RRT had to perform was far greater than the average number of line segments needed to find a safe path. This means that the maximum number of iterations that RRT must go through must be sufficiently large, or else a safe path will not be found even if one exists. SAT-Plan does not have randomness and therefore will find a reference trajectory (with k segments) in the modified space (bloated obstacles and shrunk goal) if one (with k segments) exists. Various examples of solutions found by RRT and SAT-Plan can be found on the FACTEST's website [27].

Conclusion and Discussion
We introduced a technique for synthesizing correct-by-construction controllers for a nonlinear vehicle models, including ground, underwater, and aerial vehicles, for reach-avoid requirements. Our tool FACTEST implementing this technique shows very encouraging performance on various vehicle models in different 2D and 3D scenarios.
There are several directions for future investigations. (1) One could explore a broader class of reference trajectories to reduce the tracking error bounds. (2) It would also be useful to extend the technique so the synthesized controller can satisfy the actuation constraints automatically. (3) Currently we require user to provide the tracking controller g trk with the Lyapunov functions, it would be interesting to further automate this step.