IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 1

Controller synthesis for linear system withreach-avoid specifications

Chuchu Fan, Zengyi Qin, Umang Mathur, Qiang Ning, Sayan Mitra, and Mahesh Viswanathan

Abstract—We address the problem of synthesizing provablycorrect controllers for linear systems with reach-avoid specifica-tions. Discrete abstraction-based controller synthesis techniqueshave been developed for linear and nonlinear systems withvarious types of specifications. However, these methods typicallysuffer from the state space explosion problem. Our solutiondecomposes the overall synthesis problem into two smaller, andmore tractable problems: one synthesis problem for an open-loop controller which can produce a reference trajectory, and asecond for synthesizing a tracking controller, which can enforcethe other trajectories to follow the reference trajectory. As a keybuilding-block result, we show that, once a tracking controller isfixed, the reachable states from an initial neighborhood, subjectto any disturbance, can be over-approximated by a sequenceof ellipsoids, with shapes that are independent of the open-loopcontroller. Hence, the open-loop controller can be synthesizedindependently to meet the reach-avoid specification for an initialneighborhood. Moreover, we are able to reduce the problemof synthesizing open-loop controllers to satisfiability problemsover quantifier-free linear real arithmetic. The number of linearconstraints in the satisfiability problem is linear to the numberof hyperplanes as the surfaces of the polytopic obstacles andgoal sets. The overall synthesis algorithm, computes a trackingcontroller, and then iteratively covers the entire initial set to findopen-loop controllers for initial neighborhoods. The algorithm issound and, for a class of robust systems, is also complete. Weimplement this synthesis algorithm in a tool REALSYN VER 2.0and use it on several benchmarks with up to 20 dimensions.Experiment results are very promising: REALSYN VER 2.0 canfind controllers for most of the benchmarks in seconds.

Index Terms—Controller syntheis, linear system, reach-avoidspecification, disturbance

I. INTRODUCTION

THE controller synthesis question asks whether an inputcan be generated for a given system (or a plant) so that

it achieves a given specification. Algorithms for answeringthis question hold the promise of automating controller de-sign. They have the potential to yield high-assurance systemsthat are correct-by-construction, and even negative answersto the question can convey insights about unrealizability ofspecifications. This is neither a new nor a solved problem,

Chuchu Fan and Zengyi Qin are with the Department of Aeronautics andAstronautics, Massachusetts Institute of Technology, Cambridge, MA, 02139USA e-mail: chuchu, qinzy@mit.edu.

Qiang Ning is with Amazon, Inc., Boston, MA, 02111 USA e-mail:qiangning1990@gmail.com. This work was done while Qiang was at the AllenInstitute for AI.

Umang Mathur and Mahesh Viswanathan are with the Department ofComputer Science, University of Illinois at Urbana-Champaign, Champaign,IL, 61820 USA e-mail: umathur2, vmahesh@illinois.edu.

Sayan Mitra is with the Department of Electrical and Computer Engineer-ing, University of Illinois at Urbana-Champaign, Champaign, IL, 61820 USAe-mail: mitras@illinois.edu.

but there has been resurgence of interest with availabilityof powerful tools like convex optimizations and satisfiabilitymodulo theories (SMT) solvers, and compelling applicationssuch as path planning [1], motion control [2], [3], and circuitsdesign [4].

In this paper, we study the control synthesis problemfor linear, discrete-time, and time-varying plant models withbounded disturbance [5], [6]. We will consider reach-avoidspecifications which require that starting from any initial stateΘ, the controller has to drive the system to a target set G,while avoiding certain unsafe states or obstacles O. Reach-avoid specifications arise naturally in many domains suchas autonomous and assisted driving, multi-robot coordination,and spacecraft autonomy, and have been studied for linear,nonlinear, as well as stochastic models [7], [8], [9], [10], [11],[12].

Textbook control design methods address specifications likestability, disturbance rejection, and asymptotic convergence,but they do not directly provide formal guarantees about reach-avoid specifications. Receding horizon control and model pre-dictive control (MPC), have been broadly used on constrainedcontrol problems. Using MPC for reach-avoid specificationstypically solves a sequence of mixed integer linear program-ming (MILP) [13], [14] or general nonlinear optimizationproblems [15], [16]. Another approach is based on discreteabstractions, where a discrete, finite-state, abstraction of theoriginal control system is computed, and a discrete controlleris synthesized by solving a two-player game on the abstractedgame graph [17], [18]. Theoretically, these methods can beapplied to systems with nonlinear dynamics and they can syn-thesize controllers for a general class of linear temporal logic(LTL) specifications. However, in practice, the discretizationstep leads to state space explosion for higher dimensionalmodels. A detailed comparison between these methods andour proposed approach is provided in Section II.

In this paper, the synthesis algorithm follows a naturalparadigm for designing controllers. The approach is to separatethe controller into two parts: an open-loop controller and atracking controller, and synthesize them separately. An open-loop controller for a single initial state x0 ∈ Θ to meetthe reach-avoid specification. This is called the referencetrajectory. For the remaining states in the initial set, a trackingcontroller is added, that drives these other trajectories towardsthe reference trajectory that starts from x0. However, designingsuch a combined controller can be computationally expen-sive [19] because of the interdependency between the open-loop controller and the tracking controller (Section IV-A).Our approach to making this construction feasible, is to

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 2

demonstrate that the two controllers can be synthesized in adecoupled way as follows. We first design a tracking controllerusing a standard LQR (linear quadratic regulator) method [20].The crucial result (Lemma 1) that helps decouple the synthesisof the tracking and open-loop controller, is that for sucha combined controller, once the tracking controller is fixed,the set of states reached from the initial set is containedwithin a sequence of ellipsoidal sets [21] centered around thereference trajectory. The shape and size of these ellipsoidalsets are solely dependent on the tracking controller and thedisturbance, and are independent of the reference trajectoryor the open-loop controller. In fact, this is a special caseof constructing a Lyapunuv function for the error dynamicsbetween the actual trajectory of the system and the referencetrajectory [22]. Moreover, ellipsoids have been widely usedin reachability computation to solve verification [23], [24]and synthesis [25] problems. In this paper, we follow suchcontroller design paradigm and enjoy the benefit of usingellipsoidal reachable sets: The open-loop controller and theresulting reference trajectory can be chosen independent ofthe fixed tracking controller.

Based on this, the problem of synthesizing the open-loopcontroller can be completely decoupled from synthesizing thetracking controller. Our open-loop controller is synthesized byencoding the problem as an SMT problem. The straightforwardencoding of the synthesis problem is to find an open loopcontroller that can make sure all states in the reach setellipsoids satisfy the reach-avoid specification. Such encodingresults in a ∃∀ formula in the theory of linear arithmetic.Unfortunately, solving large instances of such formulas us-ing current SMT solvers is challenging. To overcome this,we exploit geometric properties of polytopes and ellipsoids,and reduce the original ∃∀-formula into the quantifier-freefragment of linear arithmetic (QF-LRA). Moreover, assumingthat the obstacles and goal set can be represented as polytopes,then the number of linear constraints in the QF-LRA formulasgrows linearly with time and the number of hyperplanes as thesurfaces in obstacles and the goal set (Lemmas 2 and 3). Inthis way, the proposed approach for synthesizing the combinedcontroller can scale to large dimensional systems.

Our overall algorithm (Algorithm 1), after computing aninitial tracking controller, iteratively synthesizes open-loopcontrollers by solving QF-LRA formulas for smaller subsetsthat cover the initial set. The algorithm will automaticallyidentify the set of initial states for which the combinedtracking+open-loop controller is guaranteed to work. Ouralgorithm is sound (Theorem 1), and for a class of robustlinear systems, it is also complete (Theorem 2).

We have implemented the new synthesis algorithm in thetool REALSYN VER 2.0, which was developed with [26]. Wecompare the performance of the new algorithm proposed inthis paper with the previous algorithm as in [26], and a state-of-the-art synthesis tool SMC [27], [28], on 10 benchmarkproblems. Here the obstacles are general polytopes insteadof only axis-aligned hyper-rectangles. In REALSYN VER 2.0,any SMT solver can be plugged in for solving the synthesisproblem. We report the results of using the Yices solver, asit outperformed other solvers in [26]. Results show that our

new approach can achieve a 2 to 150 × speedup for mostbenchmark models comparing with the previous algorithmREALSYN VER 1.0 as in [26], and a 2 to 80 × speedupcomparing with SMC. The proposed new algorithm alsoscales well for complex models — including a system with3 vehicles (12-dimensional) trying to reach a common goalwhile avoiding collision with the obstacles and each other,and another system with 10 vehicles (20 dimensional) trying tomaintain a platoon. For all the benchmark models, REALSYNVER 2.0 with the new algorithm finds a controller within 2minutes using the Yices solver, and for most benchmarks itfinds a controller within 10 seconds.

The major contributions of this paper is to explore anassembly of several techniques from control, geometry, SATsolving to develop a fast and formally guaranteed algorithmfor controller synthesis. To be more concrete: 1) We propose asynthesis algorithm to find correct-by-construction controllersfor linear time-varying systems with respect to reach-avoidspecifications. Our synthesis algorithm is sound, and is alsocomplete for a class of robust linear systems. 2) Our pro-posed algorithm achieves scalability by reducing the synthesisproblem to satisfiability over quantifier-free linear arithmeticand leveraging modern SMT solvers. We develop efficientencoding methods so that the number of constraints in theresulting SMT problem grows linearly with time and thecomplexity of the reach-avoid specification. 3) Our algorithmsignificantly improves the practical efficiency of control syn-thesis for large linear systems with disturbances. Empiricalresults show a significant improvement over state-of-the-artsynthesis methods.

II. RELATED WORKS

Controller synthesis techniques have been the center ofextensive investigation with numerous publications every yearlately. Here we briefly review related works based on differentplant models, specifications, and several major approaches.

a) Models and specifications for synthesis: In increasingorder of generality, the types of plant models that have beenconsidered for controller synthesis are double-integrator mod-els [2], linear dynamical models [29], [30], [31], [32], [33],[13], [34], piecewise affine models [8], [35], and nonlinear(possibly switched) models [36], [7], [17], [37], [16]. Thereis also a line of work on synthesis approaches for stochasticplants (see [38], and the references therein). For each of theclasses, both continuous and discrete-time models have beenaddressed with possibly different approaches.

There are several classes of specifications typically used forsynthesis: (1) stabilization for system with special properties,including positive systems [29] and systems with quantizedmeasurements [39], [40], (2) pure safety or invariance specifi-cations [17], [41], [42], (3) reach-avoid [9], [17], [41], [7], [8],and (4) general LTL, GR(1) [43], [30], [44] [31], [35], [45],Metric Temporal Logic [46], and Signal Temporal Logic [47],[14]. For each of these classes both bounded and unbounded-time variants have been considered.

In this work, we focus on linear, discrete-time, time-varyingsystems with reach-avoid specifications.

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 3

b) Model Predictive Control: MPC [48] utilizes an ex-plicit plant model to predict the plant state and computethe control input to the plant based on this prediction. Ateach control interval, an MPC algorithm attempts to solvea constrained, discrete-time, optimal control problem in anonline setting, with the objective of optimizing future plantbehavior based on current state. Without loss of generality,assume the current state of the system is x[0], MPC solves afinite horizon (N steps) optimal control problem defined by:

minu[0],...,u[N−1] Vf (x[N ]) +∑N−1i=0 `(x[i],u[i])

s.t.∧Ni=0 x[i] ∈ X,

∧N−1j=0 u[j] ∈ U,

(1)

where in the objective function Vf defines cost of the finalstate of the controlled system x[N ], ` defines the cost ofthe rest of the states and control inputs, and the controlledsystem is required to satisfy the state and control constraintsx[i] ∈ X,u[i] ∈ U , respectively. The implicit MPC law asksthat at the state x[0], the first control u[0] of the computedoptimal control sequence is applied, and the entire calculationis repeated at subsequent control intervals. When optimalcontrol problems admit an explicit offline solution, onlineoperations reduce to a simple function evaluation. Such ex-plicit MPC has been exploited in many applications includingmotion planing [33], [13], [34]. The idea of explicit MPC isto solve the optimization problem (1) offline for all x withina given set, and to make the dependence of u(t) on x(t)explicit. The resulting MPC control law is a piecewise affinefunction of the state x defined over a polyhedral partition ofthe feasible set Xf . For systems with large state and inputspaces, explicit MPC is not practical. Furthermore, it is hardto make explicit MPC handle cases where the system, costfunction, or constraints are time-varying [49].

Using MPC for controller synthesis typically requires modelreduction for casting the optimization problem (1) as a linearprogramming (LP) [33], quadratic programming (QP) [50],mixed integer linear programming (MILP) [13], [47], [14] orgeneral nonlinear optimization problems [15], [16].

In this paper, the obstacles at each step are specified bya collection of polytopes. Therefore, the safe region X , asthe complement of the obstacles, is usually non-convex. Toencode such avoidance condition x[i] ∈ X in the optimiza-tion problem (1) , one has to introduce disjunctions to theconstraints. In [16], the authors use Farkas’ lemma to changethe avoidance condition into its dual form that is compatiblefor MPC formulation. However, the extra variables introducedby Farkas’ lemma will lead to nonlinear constraints. In [13],the authors introduce extra Boolean variables to eliminate thedisjunctions, and make the original optimization problem (1)an MILP. Both the works use implicit MPC law. The maindrawback of implicit MPC is the need to solve a mathematicalprogram online or within the sampling time to compute thecontrol action. Therefore, it is hard to use on systems withlarge dimensionality [51] and when the sampling period isshort. Explicit MPC can help relieve the heavy computationload, especially when the optimization problem is a LP orQP. However, in this case, the explicit solution for nonlinearoptimization and MILP cannot be solved very efficiently in

practice [51].Compared with the above encoding for reach-avoid, our

proposed method benefits from the fact that the tracking con-troller can fix the shapes and sizes of the reach set ellipsoidsfrom an initial set. We further exploit special properties ofthe separation between ellipsoids and polytopes to make theconstraints quantifier-free over linear real arithmetics, whichcan be efficiently solved using state-of-the-art SMT solvers orMILP solvers.

The major differences between our approach and the MPC-based approaches include:

1) Our approach does not require the help of a cost function.Instead, we only need a feasible solution of the satisfia-bility problem and sacrificed optimality.

2) MPC can be used in scenarios when obstacles are con-structed dynamically when system evolves by solving theoptimization problem (1) iteratively, while our proposedapproach solves a one-shot SAT problem to find con-trollers that work for an initial set X0 when obstaclesare fixed. In Section IV-D, we discuss how to adjustour proposed encoding for the reach-avoid and inputconstraints to be used in MPC.c) Control Lyapunov and barrier functions: The idea

of control Lyapunov function (CLF) [52], [53], [54] is toassociate a Lyapunov function V (x) with its global minimumat the target state x∗ to the nonlinear system that needs to bestabilized. At each time step, find a control input u to forceV (x) to decrease to guarantee that the target state x∗ can bereached asymptotically.

Control barrier functions (CBF) [55] play a similar role toCLF in the study of liveness properties for nonlinear systems.CBF can ensure safety by enforcing invariance of a set. Thatis, CBF makes sure that that there exists a control input u suchthat the nonlinear system will not leave a safe set. In general,it is not easy to find a CLF for CBF for a given system.

d) Discrete abstractions: Controller synthesis based ondiscrete abstractions have received considerable attention [17],[41], [43], [30], [44], [30], [31], [32]. These techniquesinvolvee constructing a finite partition of the continuous statespace with respect to a set-valued map. Following thosemethods, it is possible to synthesize controllers for generalnonlinear systems to enforce complex temporal logic specifi-cations.

There is a growing set of controller synthesis tools andlibraries based on the discrete abstraction approach. Theseinclude tools like CoSyMA [56], Pessoa [4], LTLMop [57],[58], Tulip [44], [59], and SCOTS [36]. Compared with thesemethods, our proposed solution takes a different route by“designing” the shape of reach sets first with the trackingcontroller, then “placing” the reach sets using the open loopcontroller. The entire process does not involve any partitionof the state space, and therefore avoids the potential problemof exponentially growing partitions for large dimensionalsystems. Our trial with a 4-dimensional example on Tulip [44],[59] did not finish the discretization step in one hour. Recentmethods like feedback refinement [60] and multi-Layeredabstraction [61] have been introduced to address the issueof exponentially growing partitions. However, such methods

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 4

are yet to be available as synthesis tools. LTLMop [57], [58]handles GR(1) LTL specifications, which are more generalthan reach-avoid specifications considered in this paper, butit is designed for 2-dimensional robot models working inthe Euclidean plane. It generates a hybrid controller as acombination of discrete controllers and continuous controllersto meet the high-level specification under certain assumptionson the environment.

e) Sampling based path planning: Sampling based meth-ods such as Probabilistic Road Maps (PRMs) [62], Rapidly-exploring Random Trees (RRT) [63], and fast marching tree(FMT) [64] have offered the benefits of generating feasibletrajectories through known or partially known environments.Compared with the deterministic guarantees provided by syn-thesis methods discussed above, including ours, the samplingbased methods come with stochastic guarantees. Also, they arenot designed to be robust to model uncertainty or disturbances.

f) Satisfiability Modulo Convex Optimization::SMC [27], [28] solves satisfiability problems which arerepresented as Boolean combinations of convex constraintsover the real numbers. Unlike our approach that reducesthe reach-avoid problem to a pure SAT problem, SMC usesa combination of SAT solving and convex programmingto provide a satisfying assignment or determine that theformula is unsatisfiable. Therefore SMC enjoys both theefficiency of convex optimizations and the formal guaranteesof SAT solving, while our approach depends more on theefficiency of SMT solvers over quantifier-free linear realarithmetic. SMC can be used to solve robotic motion planningproblems and has been shown to be much more effective thansampling-based methods like RRT. In Section V, we compareour proposed algorithm with SMC by adapting the originalimplementation of SMC to handle our examples.

In addition to the above approaches, an alternative synthesistechnique generates mode switching sequences for switchedsystem models [65], [66], [67], [68], [69] to meet the spec-ifications. This line of work focuses on a finite input space,instead of the infinite input space we are considering in thispaper.

Abate et al. [42] use a controller template similar to theone considered in this paper for invariant specifications. Acounter-example guided inductive synthesis (CEGIS) approachis used to first find a feedback controller for stabilizing thesystem. Since this feedback controller may not be safe forall initial states of the system, a separate verification step isemployed to verify safety, or alternatively to find a counter-example. In the latter case, the process is repeated until a validcontroller is found. This is different from our approach, whereany controller found needs no further verification.

III. PRELIMINARIES AND PROBLEM STATEMENT

A. Notations

For a set S and a finite or infinite sequence σ of elementsfrom S, we denote the tth element of σ by σ[t]. In therest of the paper, we will use boldfaced letters (for example,A,B,x,d,u, etc.,) to denote a sequence of matrices orvectors. Given a vector x ∈ Rn, x(i) is the ith component

of x. Given a matrix A ∈ Rn×m, A(i) is the ith row of A.Given an invertible matrix M ∈ Rn×n and a vector x ∈ Rn,‖x‖M

∆=√x>M>Mx is called the M -norm of x.

Given a vector c ∈ Rn, an invertible matrix M , and a scalarvalue r ≥ 0, we define Er(c,M)

∆= x | ‖x − c‖M ≤ r to

be the ellipsoid centered at c with radius r and shape M .Br(c)

∆= Er(c, I) is the ball of radius r centered at c. For two

sets R,S ⊆ Rn, we define R⊕ S ∆= x+ y | x ∈ R, y ∈ S;

for a singleton set, we abuse notation and use v⊕S to denotev ⊕ S. For set S ⊆ Rn and matrix M ∈ Rn×n, we defineM ⊗S ∆

= Mx | x ∈ S. We say a set S ⊆ Rn is a polytopeif there is a matrix Ak×n and a vector b ∈ Rk such thatS = x | Ax ≤ b.

B. Discrete time linear control systems

An (n,m)-dimensional time-varying discrete-time linearsystem A is a 5-tuple 〈A,B,Θ, U,D〉, where (i) A is aninfinite sequence of Rn×n matrices, called dynamic matrices.(ii) B is an infinite sequence of Rn×m matrices, called inputmatrices, and at each time step t, the pair (A[t],B[t]) iscontrollable [6]. (iii) Θ ⊆ Rn is a set of initial states.(iv) U ⊆ Rm is the space of inputs. (v) D ⊆ Rn is thespace of disturbances.

A control sequence for an (n,m)-dimensional system Ais a (possibly infinite) sequence u = u[0],u[1], . . ., whereeach u[t] ∈ U . Similarly, a disturbance sequence for A is a(possibly infinite) sequence d = d[0],d[1], . . ., where eachd[t] ∈ D. Given control u and disturbance d, and an initialstate x[0] ∈ Θ, the execution of A is uniquely defined as the(possibly infinite) sequence of states x = x[0],x[1], . . . , wherefor each t > 0,

x[t+ 1] = A[t]x[t] + B[t]u[t] + d[t]. (2)

An open-loop control sequence (also called an open-loopcontroller) for a given single initial state x0 ∈ Θ is a controlsequence u such that the corresponding execution x withx[0] = x0 and 0 disturbance (i.e. ∀t ≥ 0,d[t] = 0) satisfiesthe reach-avoid constraints..

A (state feedback) controller for A is a function g : Θ ×Rn → Rm, that maps an intial state and a (current) state to aninput. That is, given an initial state x0 ∈ Θ and state x ∈ Rnat time t, the control input to the plant at time t is:

u[t] = g(x0, x). (3)

This controller is allowed to use the memory of some initialstate x0 (not necessarily the current execution’s initial state)for deciding the current state-dependent feedback. Thus, givenan initial state x[0], a disturbance d, and a state feedbackcontroller g, Equations (2) and (3) define a unique executionx of A. A state x is reachable at the tth-step if there exists anexecution x of A such that x[t] = x. The set of all reachablestates from some set S ⊆ Θ in exactly T steps using thecontroller g is denoted by ReachA,g(S, T ). When A and gare clear from the context, we simply write Reach(S, T ).

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 5

C. Bounded controller synthesis problem

Given an (n,m)-dimensional time-varying discrete-time lin-ear system A, a sequence O of obstacles or unsafe sets (withO[t] ⊆ Rn, for each t), a goal G ⊆ Rn, and a time bound T ,the bounded time controller synthesis problem is to find, a statefeedback controller g such that for every initial state θ ∈ Θand any disturbance sequence d ∈ DT of length T , the uniqueexecution x of A with g, starting from x[0] = θ, satisfies(i) for all t ≤ T , u[t] ∈ U , (ii) for all t ≤ T , x[t] 6∈ O[t], and(iii) x[T ] ∈ G. For the rest of the paper, we will assume thateach of the sets in O[t]t∈N, G and U are closed polytopes.

The controller synthesis problem requires one to find a statefeedback controller that ensures that the execution startingfrom any initial state in Θ will meet the reach-avoid specifica-tion. Since the set of initial states Θ will typically be an infiniteset, this requires the synthesized feedback controller g to havea finite representation. An “enumerative” representation, wherea (separate) open-loop control sequence is constructed for eachinitial state, is not feasible. We therefore need a useful templatethat will serve as the representation for the feedback controller.

Example 1. Consider a mobile robot that needs to reach thegreen area of an apartment starting from the entrance area,while avoiding the red areas (Figure 1). The robot’s dynamicsare described by a linear model (for example the navigationmodel from [70]). The obstacle sequence O (red rectanglesand outside of the figure region) here is static, that is, O[t] =O[0] for all t ≥ 0. Both Θ (light green) and G (dark green)are rectangles (which are also polytopes). Although these setsare depicted in 2D, the dynamics of the robot may involve ahigher dimensional state space.

Fig. 1. The settings for controller synthesis of a mobile robot withreach-avoid specification.

In this example, there is no disturbance, but a similarproblem can be formulated for a drone flying outdoors, inwhich case, the disturbance input could model the effect ofwind. Time-varying obstacle sets are useful for modeling safetyrequirements of multi-robot systems.

Suppose robot is asked to reach the target set in 40 steps.The dotted curves are two executions from Θ and the pinkellipsoids show the projection of the reachset on the robot’sposition with a synthesized controller.

IV. SYNTHESIS ALGORITHM

A. Algorithm overview

A natural controller design paradigm is to first find a refer-ence execution xref which uses an open-loop controller, thenadd a tracking controller which tries to force other executionsx starting from different initial states x[0] to get close to xrefby minimizing the distance between xref and x. This form ofcontroller combining open-loop control with tracking controlis also proposed in [19] for reach-avoid specifications. For thediscrete-time linear control system defined as Equation (2), thecombined controller is formally defined as follows:

Definition 1. Given a discrete-time linear system as Equa-tion (2), the combined controller g is a tuple 〈K,xref[0],uref〉such that the control input u[t] to the system is

u[t] = uref[t] + K[t](x[t]− xref[t]),with (4)

xref[t+ 1] = A[t]xref[t] + B[t]uref[t], (5)

where(1) uref is called the open-loop control sequence, which

determines the value of the reference execution xref[t] ateach time step t ∈ N once xref[0] is fixed, and

(2) K is called the tracking controller, which is a sequenceof matrices that determine the additive component of theinput based on the difference between the current stateand the reference execution.

Given the combined feedback controller g as the tuple〈K,xref[0],uref〉, we could rewrite the linear system in (4)as an augmented system x

xref

[t+ 1] =

A[t] + B[t]K[t] −B[t]K[t]

0 A[t]

x

xref

[t]

+

B[t] 0

0 B[t]

uref

uref

[t] +

d0

[t].

Observe that the above augmented system has the form

x[t+ 1] = A[t]x[t] + B[t]u[t] + d[t],

and its closed-form solution is given by

x[t] =( t−1∏i=0

A[i])x[0] +

t−1∑i=0

( t−1∏j=i+1

A[j])(B[i]u[i] + d[i]).

(6)To synthesize a controller g of this form, therefore, requiresfinding K,xref[0],uref such that the closed-form solutionmeets the reach-avoid specification. This is indeed the ap-proach followed in [19], albeit in the continuous time setting.Observe that in the closed-form solution, A[t], u, and x[0] alldepend on parameters that we need to synthesize. Therefore,solving such constraints involves polynomials whose degreesgrow with the time bound. This is very expensive, and unlikelyto scale to large dimensions and time bounds.

In this paper, to achieve scalability, we take a slightlydifferent approach than the one where K,xref[0], and uref

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 6

are simultaneously synthesized. We first synthesize a track-ing controller K, independent of xref[0] and uref, using thestandard LQR method. Once K is synthesized, we show that,no matter what xref[0] and uref are, the state of the system attime t starting from x0 is guaranteed to be contained withinan ellipsoid centered at xref[t] with shape and radius thatdepend only on K, the initial distance between x0 and xref[0],time t, and disturbance set D. Moreover, this radius is onlya linear function of the initial distance (Lemma 1). Thus, ifwe can synthesize an open-loop controller uref starting fromsome state xref[0], such that ellipsoids centered around xrefsatisfy the reach-avoid specification, we can conclude that thecombined controller will work correctly for all initial statesin some ball around the initial state xref[0]. The radius of theball around xref[0] for which the controller is guaranteed towork will depend on the radii of the ellipsoids around xref thatsatisfy the reach-avoid specification. This decoupled approachto synthesis is the first key idea in our algorithm.

Synthesizing the tracking controller K still leaves openthe problem of synthesizing an open-loop controller for aninitial state xref[0]. A straightforward encoding of the problemcould be to find an open-loop controller that works for allinitial states in some ball around xref[0]. That is, findinga satisfying solution for the formula ∃uref,∃r, such that∀x[0] ∈ Br(xref[0]),

∧Tt=0 x[t] /∈ O[t]∧x[T ] ∈ G. This results

in a ∃∀-formula in the theory of real arithmetic. Unfortunately,solving such formulas does not scale to large dimensionalsystems using current SMT solvers [71]. The next key ideain our algorithm is to simplify these constraints and make theformula quantifier free. We reduce the problem of decidingwhether an ellipsoid (the set of reachable states) is separatedfrom (or contained in) a polytope (the obstacles or the goal)to measuring the distances of the center of the ellipsoid tosurfaces of the polytopes in a linearly transformed coordinate.In this way we are able to reduce the original ∃∀-formulainto the quantifier-free fragment of linear real arithmetic (QF-LRA) [72], [73] (Section IV-D).

Putting it all together, the overall algorithm (Algorithm 1)works as follows. After computing an initial tracking con-troller K, it synthesizes open-loop controllers for differentinitial states by solving QF-LRA formulas. After each open-loop controller is synthesized, the algorithm identifies the setof initial states for which the combined tracking+open-loopcontroller is guaranteed to work, and removes this set fromΘ. In each new iteration, it picks a new initial state notcovered by previous combined controllers, and the processterminates when all of Θ is covered. Our algorithm is sound(Theorem 1)—whenever a controller is synthesized, it meetsthe specifications. Further, for robust systems (defined laterin the paper), our algorithm is guaranteed to terminate whenthe system has a combined controller for all initial states(Theorem 2).

B. Synthesizing the tracking controller K

Given any open-loop controller uref and the correspondingreference execution xref, by replacing in Equation (2) the

controller of Equation (4), we get:

x[t+ 1] = (A[t] + B[t]K[t])x[t]−B[t]K[t]xref[t]

+B[t]uref[t] + d[t].(7)

Subtracting xref[t + 1] from both sides, we have that forany execution x starting from the initial states x[0] and withdisturbance d, the distance between x and xref changes withtime as:

x[t+ 1]− xref[t+ 1] =

(A[t] + B[t]K[t]) (x[t]− xref[t]) + d[t].(8)

With Ac[t]∆= A[t] + B[t]K[t], y[t]

∆= x[t] − xref[t], Equa-

tion (8) becomes

y[t+ 1] = Ac[t]y[t] + d[t].

We want x[t] to be as close to xref[t] as possible, which meansK[t] should be designed to make |y[t]| converge. Equivalently,K[t] should be designed as a linear feedback controller suchthat the system y[t + 1] = Ac[t]y[t] is stable. Such a matrixK[t] can be computed using several methods. In this work,we compute K[t] as finding a linear state feedback controllerby solving the LQR problem [20], stated as follows.

Definition 2 (LQR). For a time-varying linear system A asdefined in Section III-B with 0 disturbance and a time boundT , the linear quadratic regulator (LQR) problem is the optimalcontrol problem of finding open loop control u[0], · · · ,u[T −1], such that the following objective function is minimized:

J(x[0],u, T )∆=

x[T ]>Q[T ]x[T ] +∑T−1t=0 (x[t]>Q[t]x[t] + u[t]>R[t]u[t]),

where Q and R are sequences of symmetric positive definitematrices.

The optimal control for LQR is given by ∀t = 0, · · · , T−1,u[t] = K[t]x[t] where

K[t]∆= −

(B[t]>P[t+ 1]B[t] + R[t]

)−1B[t]>P[t+ 1]A[t],

(9)and P[t] is computed by solving the discrete time Riccatidifference equation:

P[t] = A[t]>P[t+ 1]A[t] + Q[t]−A[t]>P[t+ 1]B[t](B[t]>P[t+ 1]B[t] + R[t])−1B[t]>P[t+ 1]A[t]

with boundary condition P[T ] = Q[T ] [74]. The matricesK in Equation (9) can be used as a tracking controller as inDefinition 1.

When T →∞ and ∀t ≥ 0,A[t] = A,B[t] = B,Q[t] = Q,and R[t] = R are all constant matrices, and K[t] computedusing Equation (9) will also become a constant matrix K.Furthermore, if the pair (A,B) is controllable (or stabilizable),the closed-loop system x[t+1] = (A+BK)x[t] is stable. Thatis, the eigenvalues of Ac = A+BK with K given by Equation(9) have magnitudes less than 1. Therefore, when T →∞, thetracking controller K computed using LQR can guarantee thatthe any execution x will converge to xref asymptotically whenthere is no disturbance.

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 7

For most of the experiments presented in Section V, wefix each Q[t] and R[t] to be identity matrices. Roughly, for agiven R, scaling up Q results in a K that makes an executionx converge faster to the reference execution xref but will alsoresult in larger values of u. In this paper, the detailed tradeoffsinvolved in the choices of Q[t] and R[t] will not be pursuedfurther.

With the synthesized K, we are able to compute the set ofreachable states for A with an arbitrary reference trajectoryxref, as shown in the following section.

C. Reachset over-approximation with tracking controller

In this section, we assume that the tracking controller, whichis a sequence of matrices K, computed as in Section IV-B, willmake A[t]+B[t]K[t] invertible for any time t. We do not needA[t] +B[t]K[t] to be stable for the analysis of the rest of thepaper. However, later on we will see that if K can make theother trajectories x converge to xref, the set of reachable stateswill also converge to its center xref, which is desirable for theoverall synthesis algorithm.

Once we fix K, we show that the reachable states ofthe system A with an open-loop controller uref (to be com-puted in Section IV-D) can be over-approximated using asequence of ellipsoids centered at the corresponding xref withshapes and radii depending on A,B,K, the initial set, andthe disturbances (Lemma 1). Moreover, for systems with 0disturbances (i.e., D = 0), Corollary 1 shows that the setof reachable states can be computed precisely (i.e., there is noover-approximation error).

Lemma 1. Consider a linear system A = 〈A,B,Θ, U,D〉with a controller defined as in Equation (4). Fix(1) a tracking controller K such that A[t] + B[t]K[t] is

invertible for each time t,(2) an open-loop controller uref with the corresponding ref-

erence execution xref, and(3) an ellipsoidal initial set S = Er[0](xref[0],M[0]) ⊆ Θ,

where r[0] and M[0] are the radius and shape of theellipsoid respectively. Then

Reach(S, t) ⊆ Er[t](xref[t],M[t]),∀ t ≤ T,where (10)

M[t] = M[0]

(t−1∏i=0

(A[i] + B[i]K[i])−1

),

r[t] = r[0] +

t−1∑i=0

δ[i], and

δ[i] is chosen such that ∀i ≥ 0, Eδ[i](0,M[i+ 1]) ⊇ D.

Proof. We prove this lemma by induction on t.Base case: When t = 0, from the condition (3)

of the Lemma we know that Reach(S, 0) = S =Er[0](xref[0],M[0]).

Induction step: Assume that at time step t we haveReach(S, t) ⊆ Er[t](xref[t],M[t]).

Let Ac[t] = A[t] + B[t]K[t]. At time step t + 1, fromEquation (8), we have that

x[t+ 1] = xref[t+ 1] + Ac[t](x[t]− xref[t]) + d[t].

∀x[t] ∈ Reach(S, t), we have x[t] − xref[t] ∈Er[t](0,M[t]). Moreover, since d[t] ∈ D, we have that

x[t+ 1] ∈ xref[t+ 1]⊕Ac[t]Er[t](0,M[t])⊕D. (11)

Recall that ⊕ is the addition of all elements of sets,and Ac[t]Er[t](0,M[t]) means multiplying each vector inEr[t](0,M[t]) with Ac[t].

The right-hand side of Equation (11) can be computed asfollows:

(1) The second item Ac[t]Er[t](0,M[t]), which contains allpossible values of Ac[t](x[t] − xref[t]), can be computedas:

Ac[t]Er[t](0,M[t]) = Ac[t]x | ‖x‖M[t] ≤ r[t]= Ac[t]x | ‖M[t]x‖2 ≤ r[t].

Letting y = Ac[t]x, then we have

Ac[t]Er[t](0,M[t]) = y | ‖M[t]A−1c [t]y‖2 ≤ r[t]= y | ‖y‖M[t]Ac[t]−1 ≤ r[t] = Er[t](0,M[t+ 1]).

(2) Then, since D ⊆ Eδ[t](0,M[t+1]), which means ∀d ∈ D,‖d‖M[t+1] ≤ δ[t]. Therefore, we have

Er[t](0,M[t+ 1])⊕D= x+ d | ‖x‖M[t+1] ≤ r[t], ‖d‖M[t+1] ≤ δ[t].

Using triangular inequality of the M [t+1] norm, we have

Er[t](0,M[t+ 1])⊕D⊆ y | ‖y‖M[t+1] ≤ r[t] + δ[t] = Er[t+1](0,M[t+ 1]).

(3) Finally, it is easy to see that

xref[t+ 1]⊕ Er[t+1](0,M[t+ 1])

= Er[t+1](xref[t+ 1],M[t+ 1]).

Therefore, we have

Reach(S, t+ 1) ⊆ Er[t+1](xref[t+ 1],M[t+ 1]).

In the above proof, the only over-approximation happenedin Step 2, as we over-approximate the disturbance D usingan ellipsoid with shape M[t+ 1]. This is because we want tokeep reach sets represented as ellipsoids all the time. If thereis no disturbance, i.e. D = 0, we do not need to conductStep 2, and Lemma 1 can give us exact reach sets:

Corollary 1. Consider a linear system A = 〈A,B,Θ, U,D =0〉 with a controller defined as in Equation (4). Fix

(1) a tracking controller K,(2) an open-loop controller uref with the corresponding ref-

erence execution xref, and(3) an ellipsoidal initial set S = Er[0](xref[0],M[0]) ⊆ Θ,

where r[0] and M[0] are the radius and shape of theellipsoid respectively. Then,

Reach(S, t) = Er[t](xref[t],M[t]),∀ t ≤ T, (12)

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 8

where M[t] = M[0](∏t−1

i=0(A[i] + B[i]K[i])−1)

.

In Lemma 1, r[0] and M[0] can be chosen arbitrarilyas long as the corresponding ellipsoid Er[0](xref[0],M[0])contains (or is equal to) the initial set S. It follows thatgiven any sequence of uref as the open-loop controller,which leads to a corresponding reference trajectory xref,the reachable states from S Reach(S, t) can be over-approximated by an ellipsoid centered at xref[t+1] with shapeM[t] = M[0]

(∏t−1i=0(A[i] + B[i]K[i])−1

)and radius r[0]

(when there is no disturbance) or r[0] plus an additive term∑t−1i=0 δ[i] which accounts for bounded disturbance. Note that

the shapes and radii of the ellipsoids are all independent ofthe open-loop controller uref and the reference trajectory xref.This is the key step to decouple the synthesis of the trackingcontroller K and rest of the parameters in the feedbackcontroller (uref, xref[0]). In the next section, we discuss a novelapproach to finding the latter two efficiently.

D. Synthesis of open-loop controller

In this section, we will discuss the synthesis of the open-loop controller uref and xref[0] in 〈K,xref[0],uref〉. From theprevious section, we know that given an initial set S, a trackingcontroller K, and an open-loop controller uref, the reachableset (under any disturbance) at time t is over-approximated byEr[t](xref[t],M[t]). Thus, once we fix K, the problem of syn-thesizing a controller reduces to the problem of synthesizingan appropriate uref and xref[0] such that the reachset over-approximations meet the reach-avoid specification. Indeed, forthe rest of the this section, we will assume fixed K.

For synthesizing uref and xref[0], we would like to formalizethe problem in terms of constraints that will allow us touse SMT solvers. As we have discussed in Section IV-A,the quantifier-free formulas are simpler than formulas withquantifier alternations [73]. In the following, we describe thedetails of how this problem can be formalized as a quantifier-free first-order formula over the theory of reals. We will thenlay out specific assumptions and/or simplifications required toreduce the problem to QF-LRA theory, which is implementedeffectively in existing state-of-the-art SMT solvers. Most SMTsolvers also provide the functionality of explicit model gener-ation, and the concrete controller values can be read-off fromthe models generated when the constraints are satisfiable.

1) Constraints for synthesizing uref: The uref synthesisproblem can be stated as finding satisfying solutions forthe formula φsynth, where the initial set of states is S =Br[0](xref[0]).

φsynth∆= ∃uref[0],uref[1], . . .uref[T−1], r[0]

∃xref[0],xref[1], . . .xref[T ],

φcontrol(uref) ∧ φexecution(uref,xref)

∧φavoid(r[0],uref,xref) ∧ φreach(r[0],uref,xref)

(13)

where φcontrol constrains the space of inputs, φexecution statesthat the sequence xref is a reference execution following

Equation (4), φavoid specifies the safety constraint, and φreachspecifies that the system reaches G:

φcontrol(uref)∆=T−1∧t=0

uref[t]⊕(K[t]⊗ Er[t](0,M[t])

)⊆ U

φexecution(uref,xref)∆=

T−1∧t=0

(xref[t+ 1] = A[t]xref[t] + B[t]uref[t])

φavoid(r[0],uref,xref)∆=

T∧t=0

Er[t](xref[t],M[t]) ∩O[t] = ∅

φreach(r[0],uref,xref)∆= Er[T ](xref[T ],M[T ]) ⊆ G.

(14)We make a few remarks about this formulation. First, each

of the formulas φcontrol, φavoid and φreach represent sufficientconditions to check for the existence of uref. Second, theconstraints stated above belong to the (decidable) theory ofreals. However, φcontrol, φavoid and φreach, and thus φsynth,are not quantifier free as they use subset and disjointnesschecks. This is because for sets S, T expressed as predicatesϕS(·) and ϕT (·), S ∩ T = ∅ corresponds to the formula∀x·¬(ϕS(x)∧ϕT (x)) and S ⊆ T (or equivalently S∩T c = ∅)corresponds to the formula ∀x · ϕS(x) =⇒ ϕT (x).

2) Reduction to QF-LRA: The central idea behind elim-inating the universal quantification in the disjointness pred-icates in φavoid, or in the inferred disjointness predicates inφreach and φcontrol, is to check whether an ellipsoid is disjointedor contained in a polytope. Lemmas 2 and 3 state that thedisjointness and containment checks can be done throughlinear constraints.

Lemma 2. For an ellipsoid Er[t](xref[t],M[t]) and a polytopex ∈ Rk | Ax ≤ b, if∨k

i=1

(A(i)xref[t] > b(i)

)∧(

A(i)xref[t]−b(i)‖A(i)‖2

> r[t] ∨ A(i)xref[t]−b(i)‖A(i)‖2

< −r[t]) (15)

where A = AM−1[t], then

Er[t](xref[t],M[t]) ∩ x | Ax ≤ b = ∅.

Proof. Take an affine coordinate transformation y = M[t]xand let xref[t] = M[t]xref[t]. Under the transformed coordi-nate, the ellipsoid Er[t](xref[t],M[t]) becomes a ball:

Er[t](M[t]xref[t], I) = Br[t](xref[t]),

and the polytope also becomes Ay ≤ b. Affine transformationpreserves the disjointness between objects. As long as theball Br[t](xref[t]) is disjointed from the polytope Ay ≤ b, theoriginal ellipsoid and polytope are disjointed.

Consider the ball Br[t](xref[t]) in the transformed coordi-nate, if the center xref[t] is outside the polytope Ay ≤ b and itsdistance to an surface of the polytope is greater than r[t], thenthe ball Br[t](xref[t]) is not intersecting with any surfaces ofthe polytope, and therefore is disjointed from the polytope (asshown in Figure 2). Equivalently, this means that there existsan i ≤ k, such that A(i)xref[t] > b(i), and the distance fromxref[t] to any surface, which is a hyperplane A(i)x = b(i), is

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 9

Fig. 2. Illustration of Br[t](xref[t]) being disjointed from the polytopey | Ay ≤ b.

greater than r[t]. Recall that A(i) and b(i) are the ith row ofA and b respectively.

The distance from xref[t] to a hyperplane A(i)x = b(i) is|A(i)xref[t]−b(i)|‖A(i)‖2

. Therefore, the ball Br[t](xref[t]) is disjointed

from the polytope y | Ay ≤ b if the following is true:

∨ki=1

(A(i)xref[t] > b(i)

)∧(

A(i)xref[t]−b(i)‖A(i)‖2

> r[t] ∨ A(i)xref[t]−b(i)‖A(i)‖2

< −r[t]),

which is equivalent to Equation (15).

In Lemma 2, to check whether an ellipsoid is disjointedfrom a polytope (obstacle) with k surfaces using Equation (15),the formula contains 3k linear inequalities with conjunctionsand disjunctions. In [26] the reach set over-approximationsare represented using hyper-rectangles. The hyber-rectangleis disjointed from the polytope if there is a surface of thepolytope such that the vertices of the hyber-rectangle lie onthe other side of the surface. Such a formula has 2nk linearinequalities, where n is the dimensionality of the state space.Compared with the methods used in [26], Lemma 2 reducesthe number of constraints in φavoid from 2nk to 3k, which isthe key fact that makes the proposed approach scale to systemswith large n. We will also see the same improvement in φreachand φcontrol.

Similar to Lemma 2, as long as the center of the ballBr[t](xref[t]) is inside the polytope Ay ≤ b, and the distancesfrom xref[t] to all surfaces of the polytope A(i)x = b(i) aregreater than the radius r[t], the ball is entirely contained inthe polytope:

Lemma 3. For any ellipsoid Er[t](xref[t],M[t]) and a poly-tope x ∈ Rk | Ax ≤ b, if∧k

i=1

(A(i)xref[t] ≤ b(i)

)∧(

A(i)xref[t]−b(i)‖A(i)‖2

≥ r[t] ∨ A(i)xref[t]−b(i)‖A(i)‖2

≤ −r[t]) (16)

where A = AM−1[t], then

Er[t](xref[t],M[t]) ⊆ x | Ax ≤ b.

With Lemma 2 and 3, we can rewrite φavoid and φreach inEquation 14 as:

φavoid(r[0],uref,xref)∆=

T∧t=0

∧x|Ax≤b∈O[t]

∨ki=1

(A(i)xref[t] > b(i)

)∧(

A(i)xref[t]−b(i)

‖A(i)‖2> r[t] ∨ A(i)xref[t]−b(i)

‖A(i)‖2< −r[t]

),

φreach(r[0],uref,xref)∆=∧k

i=1

(A

(i)G xref[T ] ≤ bG(i)

)∧(

AG(i)xref[T ]−bG(i)

‖AG(i)‖2

≥ r[T ] ∨ AG(i)xref[T ]−bG(i)

‖AG(i)‖2

≤ −r[T ]),

(17)where in φreach, the goal set G is represented as an el-lipsoid x|AGx ≤ bG. Once the tracking controller Kis fixed, the matrices A (or AG) are constants. Moreover,r[t] = r[0] +

∑t−1i=0 δ[i] and δ are also constants. There-

fore, φavoid and φreach are linear expressions of r[0],uref,xrefwith disjunctions. In the expression φcontrol of Equation 14,uref[t] ⊕

(K[t] ⊗ Er[t](0,M[t])

)is essentially also an ellip-

soid Er[t](uref[t],M[t]K−1[t]). Therefore, φcontrol can also berepresented as a linear expression of uref and r[0].

As discussed above, the constraints as in φcontrol, φexecution,φavoid, and φreach only give rise to linear constraints, donot have the ∀ quantification over states, and are soundtransformations of φsynth into QF-LRA. Moreover, the numberof linear inequality constraints in φsynth is only O(kT ), whereT is the number of time steps T , and k is the number ofsurfaces in obstacles and the goal set. In Section IV-E we willsee that as the reach sets are exact when the disturbance is 0(Corollary 1), these checks will also turn out to be sufficientto ensure that if there exists a controller, φsynth is satisfiable.

Lemma 4. If the formula φsynth is satisfiable, then there isa control sequence uref such that for every x ∈ Br[0](xref[0])and for every d ∈ DT , the unique execution x defined bythe controller 〈K,xref[0],uref〉 and d, starting at x, satisfiesx[T ] ∈ G ∧ ∀t ≤ T · x[t] 6∈ O[t].

We remark that a possible alternative for eliminating the ∀quantifier is the use of Farkas’ lemma, but this gives rise tononlinear constraints.1 Indeed, in our experimental evaluation,we observed the downside of resorting to Farkas’ lemma inthis problem.

We also remark that the SAT encoding as in Lemma 2 canbe formulated as mixed integer linear constraints using the“big-M” method to get rid of the disjunction operators ∨,by introducing extra auxiliary integer variables (see detailsin [75]). Then φsynth in Equation 13 can be solved throughsolving a MILP or MIQP problem. In this way, our encodingfor φcontrol, φexecution, and φavoid (as mixed integer linear for-mulae φ′control, φ

′execution, and φ′avoid using the “big-M” method

on the original formulae) can be used in dynamic and real-timecontrol using MPC, where the obstacles O[t] are constructeddynamically as system evolves, and Θ is a set instead of asingle point due to bounded localization errors:

1Farkas’ lemma introduces auxiliary variables that get multiplied withexisting variables xref[0], . . . ,xref[T ], leading to nonlinear constraints.

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 10

minuref[0],...uref[N−1],r[0],xref[0],...xref[N ]

Vf (xref[N ]) +∑N−1

i=0 `(xref[i],uref[i])

s.t. φ′control(uref) ∧ φ′execution(uref,xref)

∧φ′avoid(r[0],uref,xref) ∧ (xref[0] = center(Θ))

∧ (r[0] ≥ diameter(Θ)) .

(18)

We implemented both the SAT encoding as in Equation 17and the corresponding mixed integer linear encoding withthe objective function ‖xref[N ] − center(G)‖2 (using theGurobiTM solver), and observe that both the two encoding hasno major difference in terms of running time when N = T .Moreover, both SAT over QF-LRA and MIP problems areNP-hard [76].

E. Synthesis algorithm putting it all togetherSection IV-D describes how to formalize constraints to

generate a control sequence that works for S, which could bea subset of the initial set Θ. The overall synthesis procedure(Algorithm 1), first computes a tracking controller K, thengenerates open-loop control sequences and reference execu-tions in order to cover the entire set Θ.

Algorithm 1: Algorithm for Synthesizing CombinedController

input : A, T,O, G,Q,Routput : controllers =

(〈K,xref[0],uref〉, Br[0](xref[0]))initially: r∗ ← diameter(Θ)/2 ;K,M, δ ← ReachParams(A, T,Q,R) ;cover← ∅;controllers← ∅

1 while Θ 6⊆ cover do2 ψsynth ←

getConstraints(A, T,O, G,M, δ, r∗,cover) ;3 if CHECKSAT(ψsynth) = SAT then4 r[0],uref,xref ← model(ψsynth) ;5 cover← cover ∪Br[0](xref[0]);6 controllers← controllers ∪

( 〈K,xref[0],uref〉 , Br[0](xref[0]) ) ;7 else8 r∗ ← r∗/2 ;9 return controllers ;

The procedure ReachParams computes the tracking con-troller K, based on which it further computes a sequence ofshape matrices M and disturbance bounds δ using Lemma1, for the system A and time bound T with Q,R for theLQR method. Given any reference execution xref and initialset Br[0](xref[0]), the parameters computed by ReachParamscan be used to over-approximate Reach(Br[0](xref[0]), t) withthe ellipsoid Er[t](xref[t],M[t]), where r[t] = r[0]+

∑t−1i=0 δ[i].

The procedure getConstraints constructs the logical for-mula ψsynth such that whenever ψsynth holds, we can find an

initial radius r[0] that is above some threshold t∗, and centerxref[0] in the set Θ \ cover and a control sequence urefsuch that any controlled execution starting from Br[0](xref[0])satisfies the reach-avoid requirements.

ψsynth∆= φsynth ∧ xref[0] ∈ Θ ∧ xref[0] 6∈ cover ∧ r[0] > r∗

(19)Line 3 checks for the satisfiability of ψsynth. If satisfiable,

we extract the model generated to get the radius of the initialball, the control sequence uref and the reference executionxref in Line 4. The generated controller 〈K,xref[0],uref〉 isguaranteed to work for the ball Br[0](xref[0]), which can bemarked covered by adding it to the set cover. In orderto keep all the constraints linear, one can further under-approximate Br[0](xref[0]) with a hyper-cube x ∈ Rn | ∧ni=1

xref[0](i) − r[0](i)/√n ≤ x ≤ xref[0](i) + r[0](i)/

√n. If

ψsynth is unsatisfiable, then we reduce the minimum radius r∗

(Line 8) and continue to look for controllers, until we find thatΘ ⊆ cover.

The set controllers is the set of pairs(〈K,xref[0],uref〉, S), such that the controller 〈K,xref[0],uref〉drives the set S to meet the desired specification. Each time anew controller is found, it is added to the set controllerstogether with the initial set for which it works (Line 6).

The following theorem asserts the soundness of Algo-rithm 1, and it follows from Lemmas 1 and 4.

Theorem 1. If Algorithm 1 terminates, then the synthesizedcontroller is correct. That is, (a) for each x ∈ Θ, there isa (〈K,xref[0],uref〉, S) ∈ controllers, such that x ∈ S,and (b) for each (〈K,xref[0],uref〉, S) ∈ controllers, theunique controller 〈K,xref[0],uref〉 is such that for every x ∈S and for every d ∈ DT , the unique execution defined by〈K,xref[0],uref〉 and d (as in Equation (2) and (4)), startingat x, satisfies the reach-avoid specification.

Algorithm 1 ensures that, upon termination, every x ∈ Θis covered, i.e., one can construct a combined controller thatdrives x to G while avoiding O. However it may find multiplecontrollers for a point x ∈ Θ. This non-determinism can beeasily resolved by picking any controller assigned for x.

Below, we show that, under certain robustness assumptionson the system A, G and the sets O, and in the absence ofdisturbance, Algorithm 1 terminates.

Robustly controllable systems. A system A =〈A,B,Θ, U,D〉 is said to be ε-robustly controllable(ε > 0) with respect to the reach-avoid specification (O, G)and matrices K, if (a) D = 0, and (b) for every initialstate θ ∈ Θ there is an open loop-controller uref ∈ UT suchthat the unique execution starting from θ using the open-loop controller uref satisfies the reach-avoid specification.Moreover, with the controller 〈K, θ,uref〉 defined as inEquation (4), ∀x ∈ Bε(θ), the unique trajectory x defined bythe controller 〈K, θ,uref〉 starting from x also satisfies thereach avoid specification.

Theorem 2. If A is an ε-robust controllable system withrespect to the reach-avoid specification (O, G), the tracking

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 11

controller K, and an arbitrarily small ε > 0, then Algorithm 1terminates.

Proof. As seen in Corollary 1, when the system is robust,then (in the absence of any disturbance i.e., D = 0),the computed ellipsoids are exact reach sets starting fromBr[0](xref[0]). Moreover, as r∗ approaches 0, r[0] can also ap-proach 0. From Corollary 1 we know that ∀t ≥ 0, r[t] = r[0],so the radii of the reach sets ellipsoids all converge to 0. Withr[t]→ 0, Equation (15) and Equation (16) in Lemmas 2 and 3(therefore Equation (17)) also become satisfiable wheneverthere is a controller. The correctness of Theorem 2 then followsfrom the above observations.

We remark that an alternative approach to solve the boundedcontroller synthesis problem is to synthesize an open-loopcontrol sequence uref for a single initial condition xref[0] first,and then find the maximum cover such that there exists atracking controller K to make every execution starting fromthe cover also satisfy the reach-avoid specification. However,when implemented this approach, we observed that the syn-thesized reference trajectory xref always got very close to theobstacles. Therefore, the maximum initial cover for which thisreference trajectory works would be minuscule, and result ina very large number of partitions in the initial set. In contrast,Algorithm 1 asks the SMT solver to search for a referencethat works for an initial cover with the size of at least r∗ withany disturbance (and r∗ is adjusted iteratively), resulting in amuch smaller solution space.

V. REALSYN VER 2.0 IMPLEMENTATION AND EVALUATION

For experimental evaluation, we have implemented Algo-rithm 1 the tool REALSYN VER 2.0. The previous versionof the tool, REALSYN VER 1.0, appeared in our earlierpaper [26]. The key distinction in the new implementationis the encoding of the reach-avoid constraints as in Lemmas 2and 3. As a result, the final formulas for the reach-avoidconstraints (Equation (17)) for synthesizing the open-loopcontroller consist of O(k) linear constraints, with k being thenumber of hyperplanes of the obstacles and the goal set. Incontrast, in REALSYN VER 1.0, such formulas have O(2nk)linear constraints, where n is the dimensionality of the statespace.

For solving Equation (19), REALSYN VER 2.0 can useany SMT solver as a subroutine. For our results here weuse Yices [77], as it outperformed the other solvers in [26].We evaluate our approach on 10 example synthesis problems(from [26]) on a standard laptop with Intel® CoreTM i7 proces-sor, 16GB RAM. The results are reported in Table I. Overall,our results demonstrate the effectiveness of using our approachand the feasibility of scalable controller synthesis for high-dimensional systems and complex reach-avoid specifications.

Comparison with other tools: We considered other con-troller synthesis tools for possible comparison with REALSYNVER 2.0. In brief, CoSyMa [56], Pessoa [4], and SCOTS [36]do not explicitly support discrete-time sytems. LTLMop [57],[58] is designed to analyze models in the 2-dimensionalEuclidean plane, and therefore, is not suitable for most of our

examples. TuLiP [44], [59] comes closest to addressing thesame class of problems. TuLip relies on discretization of thestate space and a receding horizon approach for synthesizingcontrollers for more general GR(1) specifications. However,we found that TuLip succumbs to the state space explosionproblem when discretizing the state space, and it did not workon most of our examples. For instance, TuLiP was unable tosynthesize a controller for the 2-dimensional system ‘1-robot’(Table I), and returned unrealizable. On the benchmark‘2-robot’ (n = 4), TuLip did not return any answer within1 hour. SMC [27], [28] as discussed in Section II is theclosest to ours as in solving reach-avoid problems, and theonly one among the tools that can return comparable resultsto REALSYN VER 2.0. We adopt the implementation of SMCas in [78] to be used on our benchmarks and report results inTable I.

Benchmarks: Our benchmarks are mainly vehicle mo-tion planning problems with reach-avoid specifications. Bench-marks 1-2 model robots moving on the Euclidean plane,where each robot is a 2-dimensional system and admits a 1-dimensional input. Starting from some initial region on theplane, the robots are required to reach the common goal areawithin the given time steps, while avoiding certain obstacles.For ‘2-robot’, the robots are also required to maintain aminimum separation. Benchmarks 3-7 are discrete vehicularmodels adopted from [70]. Each vehicle is a 4-dimensional lin-ear system with 2-dimensional input. Benchmark 3 from [26]describes a mobile robot needs to accomplish a reach-avoidgoal in an apartment. Benchmark 4 describes a vehicle runningon a two-lane road, trying to overtake a vehicle in front of it.The second vehicle serves as the dynamic obstacle. Bench-marks 5-7 are similar to Benchmark 2 where the vehiclesare required to reach a common goal area while avoidingcollision with the obstacles and with each other (inspired bya merge). The velocities and accelerations of the vehicles arealso constrained in each of these benchmarks. Figure 3 showsthe setting for three vehicles trying to reach the green goal setwhile avoiding the red obstacle and maintaining a distance of> 0.5 (m) all the time. Figure 3 also shows the reachsets ofeach vehicle projected to the 2D plane of vehicles’ positions.We observe from Figure 3 that to make sure that all vehicles donot collide with each other, the synthesized controller forcesthe vehicles to arrive at the goal set at different time steps.

Benchmarks 8-10 model multiple vehicles trying to forma platoon by maintaining the safe relative distance betweenconsecutive vehicles. The models are adopted (and discretized)from [19]. Each vehicle is a 2-dimensional system with 1-dimensional input. For the 4-car platoon model, the runningtimes reported in Table I are much smaller than the time (5minutes) reported in [19]. This observation aligns with ouranalysis in Section IV-A. For the 10-car platoon case, Figure 4shows the positions of the cars along time with the synthesizedcontroller using REALSYN VER 2.0. As shown in Figure 4, allvehicles are maintaining a safe relative distance > 1(m) to itsneighbor vehicles even with disturbances.

Synthesis performance: In Table I, columns ‘n’ and ‘m’stand for the dimensions of the state space and input space.For each background solver, ‘#iter’ is the number of iterations

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 12

TABLE IRUN TIME PERFORMANCE COMPARISON OF CONTROLLER SYNTHESIS USING REALSYN VER 2.0 WITH THE ORIGINAL SYNTHESIS ALGORITHM REALSYN

VER 1.0 AS IN [26] AND SMC [27].

Model n m Algorithm 1 CAV Algorithm [26] SMC [27]#iter time(s) #iter time(s) #iter time(s)

1 1-robot 2 1 7 0.03 7 0.06 1 0.092 2-robot 4 2 1 0.04 183 2.26 1 1.693 running-example in [26] 4 2 1 104 1 319.97 1 227.864 1-car dynamic avoid 4 2 12 8.12 12 8.49 1 15.585 1-car navigation 4 2 15 1.14 17 6.73 1 5.376 2-car navigation 8 4 1 1.86 1 4.07 1 6.077 3-car navigation 12 6 1 4.70 1 741.73 1 372.488 4-car platoon 8 4 1 0.03 1 0.15 1 0.339 8-car platoon 16 8 1 0.10 1 0.62 1 0.94

10 10-car platoon 20 10 1 0.12 1 7.74 1 5.72

Fig. 3. Reachsets of three cars with synthesized controller for reach-avoid specification. Ellipsoids represent the projection of the reachseton the vehicle’s position on the 2D plane. Ellipsoids of the samecolor connected by the line of same color belong to the same vehicle.Reachsets of the same time step are connected using the black dottedline. Red polytope is the obstacle and green polytope is the goal set.Note that different vehicles arrive at the goal set at different time stepsso they do not collide with each other, although some ellipsoids (atdifferent time steps) appear to overlap.

Algorithm 1 required to synthesize a controller, and ‘time’ isthe respective running times. All benchmarks are synthesizedfor a specification with 10− 20 steps.

In general, the proposed algorithm improves the perfor-mance of REALSYN VER 2.0 with the running time 2 to150 times faster than REALSYN VER 1.0 as in [26], and 2to 80 times faster than SMC as in [78]. The only exceptionis Benchmark 4 where the running time stays almost thesame for REALSYN VER 1.0 and REALSYN VER 2.0. This isbecause in Benchmark 4, all obstacles, goal set, and reach setover-approximations in [26] were represented as axis-alignedhyper-rectangles. To check the disjointness and containment

Fig. 4. Ten cars are forming a platoon with synthesized controller.The x-axis is time and the y-axis is the position of each car.

of axis-aligned hyper-rectangles, [26] used a much simplermethod with O(n) linear inequalities, instead of enumeratingall the vertices of the hyper-rectangles, which introducesO(2n) linear inequalities. Therefore, the improvement of theproposed algorithm in this paper on Benchmark 4 is minorover REALSYN VER 1.0.

However, for the rest of the benchmarks where the ob-stacles are not axis-aligned hyper-rectangles, the proposednew algorithm can reduce the number of linear constraintsin the final SAT problem (Equation (19)) from O(2n) to O(1)with respect to the dimensionality of the system, comparingwith REALSYN VER 1.0. The results in Table I substantiateour analysis in Section IV. SMC needs to discretize thefreespace (complimentary of the obstacles) into convex regionsfor motion planning problems. Therefore the complexity ofthe SMC problem relies on the number of convex regions.We observe from Table I one that SMC performs comparableto our proposed method for lower dimensional problems andmuch slower on higher dimensional examples.

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 13

VI. CONCLUSION

In this paper, we proposed a novel technique for synthe-sizing controllers for systems with time-varying discrete-timelinear dynamics, operating under bounded disturbances, andfor reach-avoid specifications. Our approach relies on gener-ating controllers that combine an open-loop controller witha tracking controller, thereby allowing a decoupled approachfor synthesizing each component independently. Experimentalevaluation using our tool REALSYN VER 2.0 demonstrates thevalue of the approach when analyzing systems with complexdynamics and specifications.

ACKNOWLEDGMENT

The authors acknowledge support from the DARPA AssuredAutonomy under contract FA8750-19-C-0089, National Sci-ence Foundation under contracts CCF 1901069, CCF 2007428and FMITF 1918531, and Air Force Office of Scientific Re-search under contract FA9550-17-1-0236. The views, opinionsand/or findings expressed are those of the authors and shouldnot be interpreted as representing the official views or policiesof the Department of Defense or the U.S. Government.

REFERENCES

[1] G. E. Fainekos, H. Kress-Gazit, and G. J. Pappas, “Hybrid controllersfor path planning: A temporal logic approach,” in Decision and Control,2005 and 2005 European Control Conference. CDC-ECC’05. 44th IEEEConference on. IEEE, 2005, pp. 4885–4890.

[2] G. E. Fainekos, A. Girard, H. Kress-Gazit, and G. J. Pappas, “Temporallogic motion planning for dynamic robots,” Automatica, vol. 45, no. 2,pp. 343–352, 2009.

[3] H. Kress-Gazit, M. Lahijanian, and V. Raman, “Synthesis for robots:Guarantees and feedback for robot behavior,” Annual Review of Control,Robotics, and Autonomous Systems, vol. 1, no. 1, p. null, 2018.

[4] P. Roy, P. Tabuada, and R. Majumdar, “Pessoa 2.0: A controllersynthesis tool for cyber-physical systems,” in Proceedings of the 14thInternational Conference on Hybrid Systems: Computation and Control,ser. HSCC ’11. New York, NY, USA: ACM, 2011, pp. 315–316.

[5] J. P. Hespanha, Linear systems theory. Princeton university press, 2009.[6] P. J. Antsaklis and A. N. Michel, A linear systems primer. Birkhauser

Boston, 2007, vol. 1.[7] J. Ding and C. J. Tomlin, “Robust reach-avoid controller synthesis

for switched nonlinear systems,” in Proceedings of the 49th IEEEConference on Decision and Control, CDC 2010, December 15-17,2010, Atlanta, Georgia, USA, 2010, pp. 6481–6486.

[8] Z. Huang, Y. Wang, S. Mitra, G. E. Dullerud, and S. Chaudhuri,“Controller synthesis with inductive proofs for piecewise linear systems:An smt-based algorithm,” in 54th IEEE Conference on Decision andControl, CDC 2015, Osaka, Japan, December 15-18, 2015, 2015, pp.7434–7439.

[9] J. F. Fisac, M. Chen, C. J. Tomlin, and S. S. Sastry, “Reach-avoidproblems with time-varying dynamics, targets and constraints,” in Pro-ceedings of the 18th International Conference on Hybrid Systems:Computation and Control, HSCC’15, Seattle, WA, USA, April 14-16,2015, 2015, pp. 11–20.

[10] P. M. Esfahani, D. Chatterjee, and J. Lygeros, “The stochastic reach-avoid problem and set characterization for diffusions,” Automatica,vol. 70, pp. 43–56, 2016.

[11] S. L. Herbert, M. Chen, S. Han, S. Bansal, J. F. Fisac, and C. J. Tomlin,“FaSTrack: A modular framework for fast and guaranteed safe motionplanning,” in 2017 IEEE 56th Annual Conference on Decision andControl, CDC 2017, vol. 2018-Janua. IEEE, dec 2018, pp. 1517–1522.[Online]. Available: http://ieeexplore.ieee.org/document/8263867/

[12] S. Kousik, S. Vaskov, F. Bu, M. Johnson-Roberson, and R. Vasude-van, “Bridging the gap between safety and real-time performance inreceding-horizon trajectory design for mobile robots,” arXiv preprintarXiv:1809.06746, 2018.

[13] M. Vitus, V. Pradeep, G. Hoffmann, S. Waslander, and C. Tomlin,“Tunnel-milp: Path planning with sequential convex polytopes,” in AIAAguidance, navigation and control conference and exhibit, 2008, p. 7132.

[14] V. Raman, A. Donze, D. Sadigh, R. M. Murray, and S. A. Seshia, “Reac-tive synthesis from signal temporal logic specifications,” in Proceedingsof the 18th international conference on hybrid systems: Computationand control. ACM, 2015, pp. 239–248.

[15] J. M. Filho, E. Lucet, and D. Filliat, “Real-time distributed recedinghorizon motion planning and control for mobile multi-robot dynamicsystems,” in Proceedings - IEEE International Conference on Roboticsand Automation. IEEE, may 2017, pp. 657–663. [Online]. Available:http://ieeexplore.ieee.org/document/7989081/

[16] C. Liu, S. Lee, S. Varnhagen, and H. E. Tseng, “Path planning forautonomous vehicles using model predictive control,” in 2017 IEEEIntelligent Vehicles Symposium (IV). IEEE, jun 2017, pp. 174–179.[Online]. Available: http://ieeexplore.ieee.org/document/7995716/

[17] P. Tabuada, Verification and control of hybrid systems: a symbolicapproach. Springer Science & Business Media, 2009.

[18] C. Belta, B. Yordanov, and E. A. Gol, Formal methods for discrete-timedynamical systems. Springer, 2017, vol. 89.

[19] B. Schurmann and M. Althoff, “Optimal control of sets of solutionsto formally guarantee constraints of disturbed linear systems,” in 2017American Control Conference, ACC 2017, Seattle, WA, USA, May 24-26,2017, 2017, pp. 2522–2529.

[20] D. Liberzon, Calculus of variations and optimal control theory: aconcise introduction. Princeton University Press, 2011.

[21] A. A. Kurzhanskiy and P. Varaiya, “Ellipsoidal techniques for reacha-bility analysis of discrete-time linear systems,” IEEE Transactions onAutomatic Control, vol. 52, no. 1, pp. 26–38, 2007.

[22] B. Paden, M. Cap, S. Z. Yong, D. Yershov, and E. Frazzoli, “A survey ofmotion planning and control techniques for self-driving urban vehicles,”IEEE Transactions on intelligent vehicles, vol. 1, no. 1, pp. 33–55, 2016.

[23] A. A. Julius, G. E. Fainekos, M. Anand, I. Lee, and G. J. Pappas, “Robusttest generation and coverage for hybrid systems,” in InternationalWorkshop on Hybrid Systems: Computation and Control. Springer,2007, pp. 329–342.

[24] C. Fan, J. Kapinski, X. Jin, and S. Mitra, “Locally optimal reach set over-approximation for nonlinear systems,” in 2016 International Conferenceon Embedded Software (EMSOFT). IEEE, 2016, pp. 1–10.

[25] G. Pola, A. Girard, and P. Tabuada, “Approximately bisimilar symbolicmodels for nonlinear control systems,” Automatica, vol. 44, no. 10, pp.2508–2516, 2008.

[26] C. Fan, U. Mathur, S. Mitra, and M. Viswanathan, “Controllersynthesis made real: Reachavoid specifications and linear dynamics,” inComputer Aided Verification. Springer International Publishing, 2018,p. 347–366. [Online]. Available: https://link.springer.com/chapter/10.1007%2F978-3-319-96145-3 19

[27] Y. Shoukry, P. Nuzzo, A. L. Sangiovanni-Vincentelli, S. A. Seshia,G. J. Pappas, and P. Tabuada, “Smc: Satisfiability modulo convexoptimization,” in Proceedings of the 20th International Conference onHybrid Systems: Computation and Control, 2017, pp. 19–28.

[28] ——, “Smc: Satisfiability modulo convex programming,” Proceedingsof the IEEE, vol. 106, no. 9, pp. 1655–1679, 2018.

[29] M. A. Rami and F. Tadeo, “Controller synthesis for positive linearsystems with bounded controls,” IEEE Trans. on Circuits and Systems,vol. 54-II, no. 2, pp. 151–155, 2007.

[30] M. Kloetzer and C. Belta, “A fully automated framework for control oflinear systems from temporal logic specifications,” IEEE Trans. Automat.Contr., vol. 53, no. 1, pp. 287–297, 2008.

[31] T. Wongpiromsarn, U. Topcu, and R. M. Murray, “Receding horizontemporal logic planning,” IEEE Trans. Automat. Contr., vol. 57, no. 11,pp. 2817–2830, 2012.

[32] P. Tabuada and G. J. Pappas, “Linear time logic control of discrete-time linear systems,” IEEE Trans. Automat. Contr., vol. 51, no. 12, pp.1862–1877, 2006.

[33] A. Bemporad, F. Borrelli, and M. Morari, “Model predictivecontrol based on linear programming - The explicit solution,” IEEETransactions on Automatic Control, vol. 47, no. 12, pp. 1974–1985, dec2002. [Online]. Available: http://ieeexplore.ieee.org/document/1137550/

[34] M. N. Zeilinger, C. N. Jones, and M. Morari, “Real-time suboptimalmodel predictive control using a combination of explicit mpc and onlineoptimization,” IEEE Transactions on Automatic Control, vol. 56, no. 7,pp. 1524–1534, 2011.

[35] B. Yordanov, J. Tumova, I. Cerna, J. Barnat, and C. Belta, “Temporallogic control of discrete-time piecewise affine systems,” IEEE Trans.Automat. Contr., vol. 57, no. 6, pp. 1491–1504, 2012.

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 14

[36] M. Rungger and M. Zamani, “Scots: A tool for the synthesis of symboliccontrollers,” in Proceedings of the 19th International Conference onHybrid Systems: Computation and Control, ser. HSCC ’16. New York,NY, USA: ACM, 2016, pp. 99–104.

[37] J. Liu, N. Ozay, U. Topcu, and R. M. Murray, “Synthesis of reactiveswitching protocols from temporal logic specifications,” IEEE Trans.Automat. Contr., vol. 58, no. 7, pp. 1771–1785, 2013.

[38] A. Abate, S. Amin, M. Prandini, J. Lygeros, and S. Sastry, “Computa-tional approaches to reachability analysis of stochastic hybrid systems,”in Hybrid Systems: Computation and Control, 10th International Work-shop, HSCC 2007, Pisa, Italy, April 3-5, 2007, Proceedings, 2007, pp.4–17.

[39] R. W. Brockett and D. Liberzon, “Quantized feedback stabilization oflinear systems,” IEEE transactions on Automatic Control, vol. 45, no. 7,pp. 1279–1289, 2000.

[40] D. Liberzon, “Observer-based quantized output feedback control ofnonlinear systems,” IFAC Proceedings Volumes, vol. 41, no. 2, pp. 8039–8043, 2008.

[41] A. Girard, “Controller synthesis for safety and reachability via approx-imate bisimulation,” Automatica, vol. 48, no. 5, pp. 947–953, 2012.

[42] A. Abate, I. Bessa, D. Cattaruzza, L. C. Cordeiro, C. David, P. Kesseli,D. Kroening, and E. Polgreen, “Automated formal synthesis of digitalcontrollers for state-space physical plants,” in Computer Aided Verifica-tion - 29th International Conference, CAV 2017, Heidelberg, Germany,July 24-28, 2017, Proceedings, Part I, 2017, pp. 462–482.

[43] R. Majumdar, K. Mallik, and A. Schmuck, “Compositional synthesis offinite state abstractions,” CoRR, vol. abs/1612.08515, 2016.

[44] T. Wongpiromsarn, U. Topcu, N. Ozay, H. Xu, and R. M. Murray, “Tulip:A software toolbox for receding horizon temporal logic planning,” inProceedings of the 14th International Conference on Hybrid Systems:Computation and Control, ser. HSCC ’11. New York, NY, USA: ACM,2011, pp. 313–314.

[45] E. A. Gol, M. Lazar, and C. Belta, “Language-guided controller synthe-sis for linear systems,” IEEE Trans. Automat. Contr., vol. 59, no. 5, pp.1163–1176, 2014.

[46] P. Bouyer, L. Bozzelli, and F. Chevalier, “Controller synthesis for mtlspecifications,” in International Conference on Concurrency Theory.Springer, 2006, pp. 450–464.

[47] V. Raman, A. Donze, M. Maasoumy, R. M. Murray, A. Sangiovanni-Vincentelli, and S. A. Seshia, “Model predictive control with signaltemporal logic specifications,” in Decision and Control (CDC), 2014IEEE 53rd Annual Conference on. IEEE, 2014, pp. 81–87.

[48] D. Q. Mayne, “Model predictive control: Recent developments andfuture promise,” pp. 2967–2986, dec 2014. [Online]. Available:https://www.sciencedirect.com/science/article/pii/S0005109814005160

[49] Y. Wang and S. Boyd, “Fast model predictive control using onlineoptimization,” IEEE Transactions on control systems technology, vol. 18,no. 2, pp. 267–278, 2009.

[50] M. M. G. Ardakani, B. Olofsson, A. Robertsson, and R. Johansson,“Real-time trajectory generation using model predictive control,” inIEEE International Conference on Automation Science and Engineering,vol. 2015-Octob. IEEE, aug 2015, pp. 942–948. [Online]. Available:http://ieeexplore.ieee.org/document/7294220/

[51] A. Alessio and A. Bemporad, “A survey on explicit model predictivecontrol,” in Nonlinear Model Predictive Control: Towards NewChallenging Applications, vol. 384. Springer, Berlin, Heidelberg,2009, pp. 345–369. [Online]. Available: http://link.springer.com/10.1007/978-3-642-01094-1 29

[52] J. A. Primbs, V. Nevistic, and J. C. Doyle, “Nonlinear optimal control:A control lyapunov function and receding horizon perspective,” AsianJournal of Control, vol. 1, no. 1, pp. 14–24, 1999.

[53] P. Ogren, M. Egerstedt, and X. Hu, “A control lyapunov functionapproach to multi-agent coordination,” in Proceedings of the 40th IEEEConference on Decision and Control (Cat. No. 01CH37228), vol. 2.IEEE, 2001, pp. 1150–1155.

[54] R. Freeman and P. V. Kokotovic, Robust nonlinear control design: state-space and Lyapunov techniques. Springer Science & Business Media,2008.

[55] A. D. Ames, S. Coogan, M. Egerstedt, G. Notomista, K. Sreenath, andP. Tabuada, “Control barrier functions: Theory and applications,” in 201918th European Control Conference (ECC). IEEE, 2019, pp. 3420–3431.

[56] S. Mouelhi, A. Girard, and G. Gossler, “Cosyma: A tool for controllersynthesis using multi-scale abstractions,” in Proceedings of the 16thInternational Conference on Hybrid Systems: Computation and Control,ser. HSCC ’13. New York, NY, USA: ACM, 2013, pp. 83–88.

[57] K. W. Wong, C. Finucane, and H. Kress-Gazit, “Provably-correct robotcontrol with ltlmop, OMPL and ROS,” in 2013 IEEE/RSJ International

Conference on Intelligent Robots and Systems, Tokyo, Japan, November3-7, 2013, 2013, p. 2073.

[58] H. Kress-Gazit, G. E. Fainekos, and G. J. Pappas, “Temporal logic basedreactive mission and motion planning,” IEEE Transactions on Robotics,vol. 25, no. 6, p. 1370–1381, 2009.

[59] I. Filippidis, S. Dathathri, S. C. Livingston, N. Ozay, and R. M. Murray,“Control design for hybrid systems with tulip: The temporal logicplanning toolbox,” in 2016 IEEE Conference on Control Applications,CCA 2016, Buenos Aires, Argentina, September 19-22, 2016, 2016, pp.1030–1041.

[60] G. Reissig, A. Weber, and M. Rungger, “Feedback refinement relationsfor the synthesis of symbolic controllers,” IEEE Transactions on Auto-matic Control, vol. 62, no. 4, pp. 1781–1796, 2016.

[61] K. Hsu, R. Majumdar, K. Mallik, and A.-K. Schmuck, “Multi-layeredabstraction-based controller synthesis for continuous-time systems,” inProceedings of the 21st International Conference on Hybrid Systems:Computation and Control (part of CPS Week), 2018, pp. 120–129.

[62] L. Kavraki, P. Svestka, and M. H. Overmars, Probabilistic roadmapsfor path planning in high-dimensional configuration spaces. UnknownPublisher, 1994, vol. 1994.

[63] J. J. Kuffner and S. M. LaValle, “Rrt-connect: An efficient approachto single-query path planning,” in Robotics and Automation, 2000.Proceedings. ICRA’00. IEEE International Conference on, vol. 2. IEEE,2000, pp. 995–1001.

[64] L. Janson, E. Schmerling, A. Clark, and M. Pavone, “Fast marching tree:A fast marching sampling-based method for optimal motion planningin many dimensions,” The International journal of robotics research,vol. 34, no. 7, pp. 883–921, 2015.

[65] H. Ravanbakhsh and S. Sankaranarayanan, “Robust controller synthesisof switched systems using counterexample guided framework,” in Pro-ceedings of the 13th International Conference on Embedded Software,ser. EMSOFT ’16. New York, NY, USA: ACM, 2016, pp. 8:1–8:10.

[66] T. Koo, G. J. Pappas, and S. Sastry, “Mode switching synthesis for reach-ability specifications,” in Hybrid Systems: Computation and Control, 4thInternational Workshop, HSCC 2001, Rome, Italy, March 28-30, 2001,Proceedings, 2001, pp. 333–346.

[67] A. Taly, S. Gulwani, and A. Tiwari, “Synthesizing switching logic usingconstraint solving,” STTT, vol. 13, no. 6, pp. 519–535, 2011.

[68] S. Jha, S. A. Seshia, and A. Tiwari, “Synthesis of optimal switching logicfor hybrid systems,” in Proceedings of the 11th International Conferenceon Embedded Software, EMSOFT 2011, part of the Seventh EmbeddedSystems Week, ESWeek 2011, Taipei, Taiwan, October 9-14, 2011, 2011,pp. 107–116.

[69] H. Zhao, N. Zhan, and D. Kapur, “Synthesizing switching controllers forhybrid systems by generating invariants,” in Theories of Programmingand Formal Methods - Essays Dedicated to Jifeng He on the Occasionof His 70th Birthday, 2013, pp. 354–373.

[70] A. Fehnker and F. Ivancic, “Benchmarks for hybrid systems verification,”in Hybrid Systems: Computation and Control, R. Alur and G. J. Pappas,Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 326–341.

[71] T. Place and M. Zeitoun, “The tale of the quantifier alternation hierarchyof first-order logic over words,” ACM SIGLOG News, vol. 2, no. 3, pp.4–17, 2015.

[72] D. Monniaux, “A quantifier elimination algorithm for linear real arith-metic,” in International Conference on Logic for Programming ArtificialIntelligence and Reasoning. Springer, 2008, pp. 243–257.

[73] G. E. Collins and H. Hong, “Partial cylindrical algebraic decompositionfor quantifier elimination,” Journal of Symbolic Computation, vol. 12,no. 3, pp. 299–328, 1991.

[74] S. Bittanti, A. J. Laub, and J. C. Willems, The Riccati Equation.Springer Science & Business Media, 2012.

[75] A. Richards and J. How, “Mixed-integer programming for control,” inProceedings of the 2005, American Control Conference, 2005. IEEE,2005, pp. 2676–2683.

[76] C. H. Papadimitriou and M. Yannakakis, “The complexity of facets (andsome facets of complexity),” in Proceedings of the fourteenth annualACM symposium on Theory of computing, 1982, pp. 255–260.

[77] B. Dutertre, “Yices 2.2,” in Computer-Aided Verification (CAV’2014),ser. Lecture Notes in Computer Science, A. Biere and R. Bloem, Eds.,vol. 8559. Springer, July 2014, pp. 737–744.

[78] “SMC-LTL Github Repository.” [Online]. Available: https://github.com/rcpsl/SMC-LTL

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 0, NO. 0, MARCH 2020 15

Chuchu Fan is the Wilson assistant professor ofAeronautics and Astronautics at MIT. Prior to join-ing MIT in 2020, she was a postdoctoral researcherin the Department of Computing and MathematicalSciences at California Institute of Technology. Shereceived her Ph.D. in 2019 from the Department ofElectrical and Computer Engineering at the Univer-sity of Illinois at Urbana-Champaign. She receivedher Bachelor’s degree from Tsinghua University,Department of Automation in 2013. Her researchinterests are in the areas of formal methods and

control for safe autonomy. She is a recipient of multiple prestigious awardsincluding Young Researcher for Heidelberg Laureate Forum (2017), RisingStars in EECS (2016), EMSOFT’16 Best Paper finalist, and Robert BoschBest Verification Award in CPSWeek’15.

Zengyi Qin is a first year graduate student inthe Department of Aeronautics and Astronautics atMIT, advised by Prof. Chuchu Fan. He received theB.E. degree (with honor) in Electronic Engineeringat Tsinghua University, China. During his under-graduate study, he also spent 1 year at MicrosoftResearch Asia. His research interests include safetyautonomous systems and machine learning.

Umang Mathur is a fifth year Ph.D. student inthe Computer Science Department of the Universityof Illinois at Urbana-Champaign (UIUC). He iscurrently advised by Prof. Mahesh Viswanathan. Hegraduated from IIT Bombay in 2014 and spent ayear at WorldQuant Research (India) as a quantita-tive researcher prior to joining UIUC. He receivedthe 2019 Google PhD Fellowship for ProgrammingTechnology and Software Engineering. His researchinterests span Formal Methods and Logic and theirapplications to Programming Languages, Software

Engineering and Cyber-Physical Systems.

Qiang Ning is an applied scientist at Amazon.Before that, he worked as a research scientist onthe AllenNLP team at the Allen Institute for AI(AI2) from 2019 to 2020. Qiang received his Ph.D.in Dec. 2019 from the Department of Electricaland Computer Engineering at the University ofIllinois at Urbana-Champaign (UIUC). He obtainedhis master’s degree in biomedical imaging from thesame department in May 2016. Before coming tothe United States, Qiang obtained two bachelor’sdegrees from Tsinghua University in 2013, in Elec-

tronic Engineering and in Economics, respectively. His research interestsinclude natural language understanding and learning from indirect supervision.

Sayan Mitra is a Professor of Electrical and Com-puter Engineering at the University of Illinois atUrbana-Champaign. He obtained his bachelors de-gree in electrical engineering from Jadavpur Univer-sity in 1999, a master’s degree in computer sciencefrom the Indian Institute of Science in 2001, andhis doctorate from the Massachusetts Institute ofTechnology in 2007. His research interests includeformal methods, hybrid systems, and safe autonomy.His textbook on verification of cyber-physical sys-tems was published by MIT Press in 2021. He is a

recipient of National Science Foundation’s CAREER Award, Air Force Officeof Scientific Research Young Investigator Program Award, and several bestpaper awards.

Mahesh Viswanathan obtained his bachelor’s de-gree in computer science from the Indian Instituteof Technology at Kanpur in 1995, and his doctoratefrom the University of Pennsylvania in 2000. Hewas a post-doctoral fellow at DIMACS with a jointappointment at Telcordia Technologies in 2000-01.Since Fall 2001, he has been on the faculty atthe University of Illinois at Urbana-Champaign. Hisresearch interests are in the core areas of logic,automata theory, and algorithm design, with appli-cations to the algorithmic verification of systems.