SCOTS (0.

2) – USER MANUAL

MATTHIAS RUNGGER
MARCH 29, 2017

CONTENTS
1. About SCOTS v0.2 2
2. Quickstart 2
2.1. Invariance and Reachability 2
2.2. Customized Synthesis 2
2.3. A Priori Enclosure and Growth Bound 2
3. Installation Notes 3
3.1. Additional software 3

Part 1. THEORY BASICS 5

4. The Symbolic Approach 5
4.1. Control Problems 5
4.2. Supported Specifications 5
4.3. Auxiliary Control Problems 6
4.4. Closed Loop 6
5. Construction of Symbolic Models 7
5.1. Growth Bound and A Priori Enclosure 7
5.2. The Transition Function 8
6. Controller Synthesis 8
6.1. Invariance 9
6.2. Reachability 9
6.3. Reach-Avoid 10

Part 2. USAGE 11
7. Computation of Symbolic Models 11
8. Controller Synthesis 13
9. Controller Implementation 15
10. Binary Decision Diagrams 16

Part 3. CASE STUDIES 17

11. An Aircraft Landing Maneuver 17
12. A Vehicle in a Maze 17
13. A DC-DC Boost Converter 18

1
2 MATTHIAS RUNGGER MARCH 29, 2017

1. ABOUT SCOTS V0.2

SCOTS is an open source software tool (available at http://www.hcs.ei.tum.de) published
under the 3-Clause BSD License. It provides a basic implementation of the construction of symbolic
models, also known as discrete abstractions, of possibly perturbed, nonlinear control systems according
to [1] together with the implementation of two algorithms for the synthesis of symbolic controllers. It is
mainly implemented in C++ , but also provides a small MATLAB interface to access atomic propositions
and the synthesized controllers from the MATLAB workspace.
SCOTS natively supports invariance and reachability specifications. It can also be used in combi-
nation with the synthesis tool slugs [2] to account for general reactivity one (GR(1)) specifications.
Moreover, expert users have the possibility to write customized synthesis algorithms.
SCOTS is mainly intended to be used (and possibly extended) by researchers and lecturers in the area
of formal methods for cyber-physical systems. The implementation does not use validated numerics
or similar methods for rigorous implementations and such is prone to ODE solver inaccuracies and
rounding errors.
This manual gives an overview of SCOTS and contains installation notes, usage details and a brief
theoretical background. For implementation details please see the doxygen documentation in ./doc.
Although, there are no compelling reasons, why SCOTS should not work under Windows, we de-
veloped and tested the code only under Linux and macOS environments. As a result, the installation
notes apply to Linux/macOS systems only.
Bug reports and feature requests should be mailed to [email protected].

2. QUICKSTART
The best way to try SCOTS is to clone the source code from https://gitlab.lrz.de/matthias/
SCOTSv0.2 and run one of the examples. Each of the example directories contains a readme file that
provides some background information on the example itself and explains the compilation process.
Optionally, some examples contain an m-file for the simulation of the closed loop in MATLAB. See
http://www.mathworks.com for installation instructions.
2.1. Invariance and Reachability. The three most easy-to-compile examples are found in
./examples/dcdc /* invariance problem for a DCDC boost converter */
./examples/vehicle /* reach-avoid problem for a vehicle */
./examples/aircraft /* landing maneuver of an aircraft (requires 32GB memory) */
The examples can be run without any additional software and require only a C++ compiler with C++
11 support. See also the case studies in PART 3
2.2. Customized Synthesis. In the examples in
./examples/dcdc_bdd /* reach-and-stay spec for a DCDC boost converter */
./examples/vehicle_bdd /* currently reachability only (more complex spec is planned) */
we use customized controller synthesis algorithms to enforce more complex specifications. Customized
synthesis algorithms are supported only using binary decision diagrams (BDDs) as underlying data
structure. In order to run the examples, an installation of the CUDD library is required, see Section 3.1.
2.3. A Priori Enclosure and Growth Bound. The directory
./examples/aircraft/helper
contains various programs that use the interval-arithmetic based ODE solver vnode-lp to obtain: a)
an a priori enclosure and b) a growth bound.
 SCOTS (0.2) – USER MANUAL 3

3. INSTALLATION NOTES
SCOTS is implemented in “header-only” style and only a working C++ developer environment with
C++ 11 support is needed. In the basic variant it is possible to
(1) compute abstractions
(2) synthesize controllers with respect to invariance and reachability specifications
(3) simulate the closed loop in C++
For various reasons, one might consider to use additional software in combination with SCOTS.

3.1. Additional software.

(1) MATLAB: for closed loop simulation and visualization options.
See http://www.mathworks.com for installation instructions.
To access the controllers produced by SCOTS from the MATLAB workspace the mex file
mexStaticController.mex needs to be compiled:
(a) setup the mex compiler with the MATLAB command
>> mex -setup C++
(b) In a terminal, navigate to ./mfiles/mexfiles:
• edit the makefile and adjust the MATLABPATH
• run make sparse
To access the BDD files produced by SCOTS from the MATLAB workspace the mex file
mexSymbolicSet.mex needs to be compiled:
(a) install the CUDD library (see item 2)
(b) setup the mex compiler with the MATLAB command
>> mex -setup C++
(c) In a terminal, navigate to ./mfiles/mexfiles:
• edit the makefile and adjust the MATLABPATH and CUDDPATH
• run make bdd
(2) CUDD: a) to combine SCOTS with slugs, b) to save atomic propositions and transition rela-
tions as BDD to file and c) to write customized synthesis algorithms.
SCOTS uses CUDD with the following configuration options:
• the C++ object-oriented wrapper
• the dddmp library and
• the shared library
The package (available at http://vlsi.colorado.edu/~fabio/) follows the usual in-
stallation routine of configure, make and make install. We use cudd-3.0.0, with the con-
figuration
./configure --enable-shared --enable-obj --enable-dddmp --prefix=CUDDPATH
where CUDDPATH is the desired installation directory, e.g., ./external/cudd.
On some linux machines we experienced that the header files util.h and config.h were
missing in CUDDPATH and we manually copied them to CUDDPATH/include.
NOTE: The dddmp module of CUDD, which is used to store BDDs to file, is erroneous and
the following changes should be applied in CUDDROOT/dddmp/dddmpNodeBdd.c
232: + f->next = (DdNode *)(ptruint)(((ptruint)(f->next))|01ul);
232: - f->next = (DdNode *)(ptruint)((int)((ptruint)(f->next))|01);
256: + f->next = (DdNode *)(ptruint)(((ptruint)(f->next)) & (~01ul));
256: - f->next = (DdNode *)(ptruint)((int)((ptruint)(f->next)) & (~01));
409: + DddmpClearVisitedBdd (f);
409: - /*DddmpClearVisitedBdd (f);*/
410: + /*f->next = NULL;*/
410: - f->next = NULL;
4 MATTHIAS RUNGGER MARCH 29, 2017

(3) boost: to use advance ode solvers.

For Linux boost is usually distributed via the package management system. On macOS
MacPorts https://www.macports.org/ or Homebrew http://brew.sh/ provide an
easy way to install boost.
(4) vnode-lp: to compute a priori enclosures and growth bounds.
vnode-lp is an open source software tool to compute validated solutions of initial value
problems based on interval arithmetic. It is available at .
 SCOTS (0.2) – USER MANUAL 5

Part 1. THEORY BASICS

4. THE SYMBOLIC APPROACH
A detailed description of the symbolic approach to controller synthesis that is implemented in SCOTS
is presented in [1]. The article [1] contains also a detailed explanation of the notation that we use in
the following text.

4.1. Control Problems. SCOTS supports the computation of controllers for nonlinear control systems
of the form
ξ̇(t) ∈ f (ξ(t), u) + J−w, wK (1)
where f is given by f : R × U → R and U ⊆ R . The vector w = [w1 , . . . , w n ] ∈
n n m
R+n
is a perturbation
bound and J−w, wK denotes the hyper-interval [−w1 , w1 ]×. . .×[−w n , w n ]. Given a time horizon τ > 0,
we define a solution of (1) on [0, τ] under (constant) input u ∈ U as an absolutely continuous function
ξ: [0, τ] → Rn that satisfies (1) for almost every (a.e.) t ∈ [0, τ].
The desired behavior of the closed loop is defined with respect to the τ-sampled behavior of the
continuous-time systems (1). To this end, the sampled behavior of (1) is casted as simple system (with
initial states)
S1 := (X 1 , X 1,0 , U1 , F1 ) (2)
n
with the state alphabet X 1 := R , the set of initial states, the input alphabet U1 := U and the transition
function F1 : X 1 × U1 ⇒ X 1 defined by
F1 (x, u) := {x 0 | ∃ξ is a solution of (1) on [0, τ] under u : ξ(0) = x ∧ ξ(τ) = x 0 }. (3)
A specification Σ1 for a simple system (2) is simply a set
(U1 × X 1 )[0;T [
[
Σ1 ⊆ (U1 × X 1 )∞ := (4)
T ∈Z≥0 ∪{∞}

of possibly finite and infinite input-state sequences. A simple system S1 together with a specification
Σ1 constitute an control problem (S1 , Σ1 ).
The solution of a control problem (S1 , Σ1 ) is a system C = (X c , X c,0 , Uc , Vc , Yc , Fc , H c ) which is feedback
composable with S1 , see [1, Def. III.3], and satisfies
B(C × S1 ) ⊆ Σ1 .
In this context C and C × S1 are usually referred to as controller, respectively, closed loop. The symbol
B(C × S1 ) denotes the behavior of the closed loop C × S1 , see [1, Def. V.1]. We say that a control
problem (S1 , Σ1 ) is solvable iff there exists a system C that solves (S1 , Σ1 ).
A block diagram of the feedback composition of a controller synthesized with SCOTS and the system
S1 is illustrated in Fig. 1.

4.2. Supported Specifications. SCOTS natively supports

• invariance (often referred to as safety) specifications;
• reachability specifications;
• reach-avoid specifications.
An invariance specification for (2) associated with Z1 ⊆ X 1 is defined by
Σ1 := {(u, x) ∈ (U1 × X 1 )[0;∞[ | ∀ t∈[0;∞[ : x(t) ∈ Z1 }.
A reachability specification for (2) associated with Z1 ⊆ X 1 is defined by
Σ1 := {(u, x) ∈ (U1 × X 1 )∞ | ∃ t∈[0;∞[ : x(t) ∈ Z1 }.
A reach-avoid specification for (2) associated with A1 ⊆ X 1 and Z1 ⊆ X 1 is defined by
Σ1 := (u, x) ∈ (U1 × X 1 )∞ | ∃ t∈[0;∞[ : x(t) ∈ Z1 ∧ ∀ t 0 ∈[0;t[ : x(t 0 ) 6∈ A1 .


In the context of Linear Temporal Logic, the sets A1 and Z1 are often identified with atomic propositions.
In this sense, SCOTS allows to define arbitrary sets as atomic propositions.
6 MATTHIAS RUNGGER MARCH 29, 2017

4.3. Auxiliary Control Problems. Given a simple system (2) representing the τ-sampled behavior
of (1) and a specification Σ1 for (2), the control problem (S1 , Σ1 ) is not solved directly, but an auxiliary,
finite control problem (S2 , Σ2 ) is used in the synthesis process. Here,
S2 = (X 2 , X 2,0 , U2 , F2 ) (5)
is referred to as symbolic model or (discrete) abstraction of S1 and Σ2 is an abstract specification.
The state alphabet of X 2 is a cover of X 1 and the input alphabet U2 is a subset of U1 . The set X 2
contains a subset X̄ 2 , representing the “real” quantizer symbols, while the remaining symbols X 2 r X̄ 2
are interpreted as “overflow” symbols. The set of real quantizer symbols X̄ 2 are given by congruent
hyper-rectangles aligned on a uniform grid
ηZn = {c ∈ Rn | ∃k∈Zn ∀i∈[1;n] ci = ki ηi } (6)
with grid parameter η ∈ (R+ r {0}) . The elements of ηZ are called grid points. The real quantizer
n n

symbols are further parameterized by two vectors a, b ∈ Rn representing the lower-left and upper-right
corners of the hyper-interval Ja, bK confining the set X̄ 2 :
X̄ 2 := {x 2 | ∃c∈(ηZn ∩Ja,bK) x 2 = c + J−η/2, η/2K}. (7)
The elements of the real quantizer symbols are also referred to as cells. Each cell x 2 = c + J−η/2, η/2K
is associated with a center c ∈ Rn (which is also a grid point c ∈ ηZn ) and a radius r ∈ R≥0
n
. The initial
state alphabet X 2,0 is defined by the cells that are needed to cover X 1,0 , i.e.,
X 2,0 := {x 2 ∈ X 2 | x 2 ∩ X 1,0 6= ∅}. (8)
SCOTS computes symbolic models that are related via feedback refinement relations with the plant.
A feedback refinement relation from S1 to S2 is a strict relation Q ⊆ X 1 × X 2 that satisfies for all (x 1 , x 2 ) ∈
Q and u ∈ U2 the conditions
(1) x 1 ∈ X 1,0 implies x 2 ∈ X 2,0
(2) F2 (x 2 , u) 6= ∅ implies F1 (x 1 , u) 6= ∅ and Q(F1 (x 1 , u)) ⊆ F2 (x 2 , u).
In SCOTS, the feedback refinement relation Q is given by the set-membership relation
Q := {(x 1 , x 2 ) | x 1 ∈ x 2 }. (9)
Given an invariance (reachability) specification Σ1 for (2) associated with Z1 , then an abstract spec-
ification associated with S1 , S2 and Q is given by the invariance (reachability) specification for S2 =
(X 2 , X 2,0 , U2 , F2 ) associated with
Z2 = {x 2 ∈ X 2 | x 2 ⊆ Z1 }. (10)
An abstract reach-avoid specification from A1 , Z1 for S2 follows by
A2 = {x 2 ∈ X 2 | x 2 ∩ A1 6= ∅} (11)
and Z2 as defined in (10). The algorithms to solve the control problems (S2 , Σ2 ) implemented in SCOTS
are outlined in Section 6.
4.4. Closed Loop. The main statement facilitating the use of an auxiliary control problem reads as
follows [1, Thm. VI.3]:
Consider two control problems (Si , Σi ), i ∈ {1, 2}. Suppose that Q is a feedback refinement relation
from S1 to S2 and Σ2 is an abstract specification of Σ1 . If C solves the control problem (S2 , Σ2 ), then C ◦Q
solves the control problem (S1 , Σ1 ).
The controller C ◦ Q for S1 is given by the serial composition of the quantizer Q : X 1 ⇒ X 2 with
the controller C. The closed loop resulting from a simple system Σ1 which represents the τ-sampled
behavior of (1) and a controller C ◦ Q is illustrated in Fig. 1. At each k ∈ Z≥0 sampling time τ > 0,
the plant state x 1 = ξ(kτ) is measured and fed to the quantizer Q, which is used to determine a cell
x 2 ∈ X 2 that contains x 1 ∈ x 2 . Then x 2 is fed to the controller C to pick the input u ∈ U2 ⊆ U1 which
is applied to (1).
Additionally to the perturbations on the right-hand-side of (1), it is possible to account for measure-
ment errors modeled by a set-valued map P : Rn ⇒ Rn given by
P(x) := x + J−z, z K with z ∈ R+n . (12)
 SCOTS (0.2) – USER MANUAL 7

τ
ξ̇(t) ∈ f (ξ(t), u) + J−w, wK x1

ZOH Q

u x1 ∈ x2
C

FIGURE 1. Sample-and-hold implementation of a controller synthesized with SCOTS.

Please see [1, Sec. VI.B] and [3] for some background theory. The closed loop with measurement errors
is illustrated in Fig. 2.

τ x1
ξ̇ ∈ f (ξ, u) + J−w, wK P

x 10
ZOH
Q

u x 10 ∈ x 2
C

FIGURE 2. Closed loop with measurement errors modeled by the set-valued map x 10 ∈ P(x 1 ).

5. CONSTRUCTION OF SYMBOLIC MODELS

5.1. Growth Bound and A Priori Enclosure. The construction of a symbolic model S2 of S1 is based
on the over-approximation of attainable sets. In SCOTS, the over-approximation of the attainable sets
requires a so-called growth bound [1]. A growth bound of (1) is a function β : R+n × U 0 → R+n , which
is defined with respect to a sampling time τ > 0, a set K ⊆ Rn and a set U 0 ⊆ U. Basically, it provides
an upper bound on the deviation of solutions ξ of (1) from nominal solutions1 ϕ of (1), i.e., for every
solution ξ of (1) on [0, τ] with input u ∈ U 0 and ξ(0), p ∈ K we have
|ξ(τ) − ϕ(τ, p, u)| ≤ β(|ξ(0) − p|, u). (13)
n
Here, |x| for x ∈ R , denotes the component-wise absolute value. Essentially, a growth bound can be
obtained by bounding the Jacobian of f . Let L : U 0 → Rn×n satisfy
¨
D j f i (x, u) if i = j,
L i, j (u) ≥ (14)
|D j f i (x, u)| otherwise
for all x ∈ K 0 ⊆ Rn and u ∈ U 0 ⊆ U. Then
Z τ
β(r, u) = e L(u)τ
r+ e L(u)s w ds, (15)
0
is a growth bound on [0, τ], K, U 0 associated with (1). The set K 0 on which (14) needs to hold, is a
so-called a priori enclosure, i.e., K 0 is assumed to be convex and contain any solution ξ on [0, τ] of (1)
with u ∈ U 0 and ξ(0) ∈ K, see [1, Thm. VIII.5].
In order to use SCOTS, the user needs to provide a growth bound, which for nonlinear control
systems can be provided in terms of the parameterized matrix L(u) whose entries satisfy (14). A priori
enclosures as well as growth bounds can be computed automatically using interval arithmetic based
ODE solvers. See Section 7 for more details on how to automatically obtain a priori enclosures and
growth bounds.
1A nominal solution ϕ(·, p, u) of (1) is defined as solution of the initial value problem ẋ = f (x, u), x(0) = p.
8 MATTHIAS RUNGGER MARCH 29, 2017

5.2. The Transition Function. Recall that the state alphabet X 2 of the symbolic model (5) is composed
of the real quantizer symbols X̄ 2 , which are cells aligned on a uniform grid, and the overflow symbols
X 2 r X̄ 2 . For x 2 ∈ X 2 r X̄ 2 the transition function is defined for all u ∈ U2 by

F2 (x 2 , u) := ∅. (16)

In order to determine the successors x 20 ∈ F2 (x 2 , u) for x 2 = c + J−η/2, η/2K ∈ X̄ 2 and u ∈ U2 , we first

compute the hyper-interval

R := ϕ(τ, c, u) + J−β(η/2, u), β(η/2, u)K (17)

which is an over-approximation of the attainable set of (1) with respect to the set c + J−η/2, η/2K and
input u. If P is not covered by the real quantizer symbols, i.e., R 6⊆ ∪ x 2 ∈X̄ 2 x 2 , then we define

F2 (x 2 , u) := ∅. (18)

Otherwise, we define the successor cells function by

x 20 ∈ F2 (x 2 , u) : ⇐⇒ x 20 ∩ R 6= ∅. (19)

Using similar arguments as in [1, Thm. VIII.4], it is straightforward to show that Q is a feedback
refinement relation from S1 to S2 . Note that F2 satisfies

F2 (x 2 , u) ⊆ X̄ 2 . (20)

If we need to be robust against measurement errors P(x) = x + J−z, z K, we slightly modify the
computation of R to

R := ϕ(τ, c, u) + J−β(η/2 + z, u), β(η/2 + z, u)K (21)

and define the transition function to (instead of (19))

x 20 ∈ F2 (x 2 , u) : ⇐⇒ (x 20 + J−z, z K) ∩ R 6= ∅. (22)

As a result we obtain that Q ◦ P is a feedback refinement relation from S1 to S2 , see [4, Thm. III.5],
which enables the correct controller refinement under measurement errors [1, Sec. VI.B]. The use of
n
the perturbation parameter z ∈ R>0 in SCOTS is explained in detail in Section 7.
In the implementation of the computation of F2 in Abstraction.hh, we use a numerical ODE
solver to compute an approximation of ϕ(τ, c, u) as well as β(η/2, u).

6. CONTROLLER SYNTHESIS
In this section, we discuss the algorithms that are implemented in SCOTS to solve synthesis problems
for the finite symbolic model (5). Usually, synthesis algorithms are developed in the context of two-
player games on graphs. The player associated with the controller tries to enforce the specification
while the player associated with disturbances tries to violate the specification, e.g. [5].
Given a control problem (S2 , Σ2 ) with S2 given in (5), the construction of a controller to enforce a
specification Σ2 proceeds in two steps. First, a subset Y∞ of the state alphabet X 2 is computed, which
characterizes the largest set of initial states so that the control problem is solvable, i.e., (S2 , Σ2 ) is
solvable if and only if X 2,0 ⊆ Y∞ . The set Y∞ is referred to as winning domain (or set of winning states)
associated with (S2 , Σ2 ). In a second step, the controller C is derived form the set Y∞ and some other
information available in synthesis algorithm.
We use the following notation. The set of admissible inputs at x 2 ∈ X 2 is denoted by

US2 (x 2 ) := {u ∈ U2 | F2 (x 2 , u) 6= ∅}. (23)

We use the Weierstrass symbol ℘ to denote the power set and define pre : ℘(X 2 ) → ℘(X 2 ) by

pre(Y ) := {x 2 ∈ X 2 | ∃u∈US (x 2 ) : F2 (x 2 , u) ⊆ Y }. (24)

2
 SCOTS (0.2) – USER MANUAL 9

Algorithm 1 Controller synthesis for invariance specs associated Z2

Input: Z2 , S2 = (X 2 , U2 , F2 )
Require: F2 (X 2 , U2 ) ⊆ X̄ 2 and Z2 ⊆ X̄ 2
1: Q := ∅ . FIFO queue of bad states
2: E := ∅ . bookkeeping of the bad states
3: D := ∅ . valid state-input pairs
4: for all x 2 ∈ X̄ 2 do
5: if x 2 6∈ Z2 or U2 (x 2 ) = ∅ then . mark all states outside Z2 or blocking states as bad
6: Q := Q ∪ {x 2 }
7: else
8: D := D ∪ ({x 2 } × U2 (x 2 ))
9: E := Q
10: while Q 6= ∅ do
11: x 20 :∈ Q . remove oldest element
12: Q := Q r {x 20 }
13: for all (x 2 , u) ∈ F2−1 (x 20 ) do
14: D := D r {(x 2 , u)} . remove state-input pairs that lead to bad states
15: if x 2 6∈ D−1 (U2 ) and x 2 6∈ E then . no valid input left and not already marked bad
16: Q := Q ∪ {x 2 } . add to queue of bad states
17: E := E ∪ {x 2 }
Output: D

6.1. Invariance. Let Σ2 be an invariance specification associated with Z2 . We use Alg. 1, which is
implemented in the function solve_invariance_game in the file GameSolver.hh, to synthesize a
controller that solves the control problem (S2 , Σ2 ). Alg. 1 runs in O(m) time, where m is the number
of transitions, i.e., the number of triples (x 2 , u, x 20 ) with x 20 ∈ F2 (x 2 , u), since each state is added to the
queue of bad states Q at most once.
Let D ⊆ X 2 × U2 be the set of state-input pairs computed in Alg. 1. One can show that D−1 (U2 ) is
the maximal fixed point of the map G : ℘(X 2 ) → ℘(X 2 ) defined by
G(Y ) := Z2 ∩ pre(Y ). (25)
The maximal fixed point of (25) corresponds to the winning domain of (S2 , Σ2 ) and it follows that the
synthesis problem (S2 , Σ2 ) is solvable if and only if X 2,0 ⊆ D−1 (U2 ).
Suppose that X 2,0 ⊆ D−1 (U2 ) holds, then we obtain a controller C = ({q}, {q}, X 2 , X 2 , U2 , Fc , H c ) that
solves (S2 , Σ2 ) by
¨
D(x 2 ) × {x 2 } if x 2 ∈ D−1 (U2 )
H c (q, x 2 ) =
U2 × {x 2 } otherwise
¨ (26)
{q} if x 2 ∈ D (U2 )
−1
Fc (q, x 2 ) =
∅ otherwise.
The refined controller that solves (S1 , Σ1 ) is given by C ◦ Q. Note that the definition of the initial state
alphabet X 2,0 in (8) and the condition X 2,0 ⊆ D−1 (U2 ) imply that the initial state alphabet of S1 satisfies
X 1,0 ⊆ ∪ x 2 ∈D−1 (U2 ) x 2 . (27)
The controller C ◦ Q is implemented in SCOTS in the StaticController class. The details are
explained in Section 9.

6.2. Reachability. Let Σ2 be a reachability specification associated with Z2 ⊆ X̄ 2 . We use Alg. 2,

which is implemented in the function solve_reachability_game in the file GameSolver.hh, to
synthesize a controller that solves the control problem (S2 , Σ2 ). The algorithm is a variant of Dijkstra’s
shortest path algorithm for hyper-graphs taken from [6]. It runs in O(m) time, where m is the number
of transitions, i.e., the number of elements in X 2 × U2 × X 2 that satisfy x 20 ∈ F2 (x 2 , u).
10 MATTHIAS RUNGGER MARCH 29, 2017

Algorithm 2 Controller synthesis for reachability specs associated with Z2

Input: Z2 , S2 = (X 2 , U2 , F2 ), u0 ∈ U2
Require: Z2 ⊆ X̄ 2
1: Q := Z2 . FIFO queue
2: V := ∞ . value function
3: M := 0 . intermediate values
4: E := ∅ . bookkeeping of processed states
5: for all x 2 ∈ X̄ 2 do
6: D(x 2 ) := ∅ . keep track of optimal input
7: if x 2 ∈ Z2 then
8: V (x 2 ) := 0 . cost at target are zero
9: D(x 2 ) := {u0 }
10: while Q 6= ∅ do
11: x 20 :∈ Q . remove oldest element
12: Q := Q r {x 20 }
13: E := E ∪ {x 20 }
14: for all (x 2 , u) ∈ F2−1 (x 20 ) do
15: M (x 2 , u) := max{M (x 2 , u), V (x 20 )}
16: if F2 (x 2 , u) ⊆ E and V (x 2 ) > 1 + M (x 2 , u) then . if u leads to better cost update input
17: V (x 2 ) := 1 + M (x 2 , u)
18: Q := Q ∪ {x 2 }
19: D(x 2 ) := {u}
Output: D, V

Let D be the output of Alg. 2. The set D−1 (U2 ) is the minimal fixed point of the map G : ℘(X 2 ) →
℘(X 2 ) defined by
G(Y ) := Z2 ∪ pre(Y ). (28)
The minimal fixed point of (28) corresponds to the winning domain of (S2 , Σ2 ) and it follows that the
synthesis problem (S2 , Σ2 ) is solvable if and only if X 2,0 ⊆ D−1 (U2 ).
Given that X 2,0 ⊆ D−1 (U2 ) holds, a controller C = ({q}, {q}, X 2 , X 2 , U2 , Fc , H c ) that solves (S2 , Σ2 ) is
identical to the controller that solves the invariance problem, i.e., Fc and H c are given by (26).
Again, the refined controller C ◦ Q that is feedback composed with S1 is implemented in SCOTS in
the StaticController class. The details are explained in Section 9.
6.3. Reach-Avoid. Let Σ2 be a reach-avoid specification associated with A2 , Z2 ⊆ X̄ 2 . SCOTS provides
two alternatives to synthesize controllers to enforce reach-avoid specifications. In the first method, the
avoid set A2 is accounted for in the transition function, i.e.,
∀ x 2 ∈A2 : F2 (x 2 , u) := ∅. (29)
In this way we can reduce a reach-avoid problem to a reachability problem. Given that the transition
function satisfies (29), any controller that solves the control problem (S2 , Σ02 ), where Σ02 is the reach-
ability specification associated with Z2 , also solves the control problem (S2 , Σ2 ). In order to enforce
the equation (29) in the computation of the transition function F2 the user can optionally supply the
avoid set to the function Abstraction::compute_gb, see Section 7.
For the second method, the computation of the transition function is left unchanged, but Alg. 2 is
modified to account for the avoid set. To this end the condition in line 16 in Alg. 2 is modified to
F2 (x 2 , u) ⊆ E and V (x 2 ) > 1 + M (x 2 , u) and x 2 6∈ A2 . (30)
Again the user can optionally supply the avoid set to the function solve_reachability_game, see
Section 8.
 SCOTS (0.2) – USER MANUAL 11

Part 2. USAGE
7. COMPUTATION OF SYMBOLIC MODELS
Let S1 be a simple system that represents the τ-sampled behavior of the continuous-time system (1)
as defined in (2). In order to compute the transition function F2 of a symbolic model (5) of S1 in
SCOTS, the following ingredients are needed.
(1) The solution ϕ(τ, x, u) of the IVP ξ̇ = f (ξ, u), ξ(0) = x at time τ, which is provided in terms
of a lambda expression of the form
[](state_type& x, const input_type& u) -> void {}

The state solution of the IVP at time τ, i.e., ϕ(τ, x, u) is expected to be stored in the vari-
able x. The state_type and input_type are aliases for std::array<double,dim> in the
appropriate dimension.
(2) A growth bound β(r, u), which is provided by a lambda expression of the form
[](state_type& r, const state_type& c, const input_type& u) -> void {}

Again, the value of the growth bound r 0 = β(r, u) is assumed to be stored in the variable r. In
the implementation, the growth bound is allowed to depend the center of the cell c. See [4]
for details.
(3) The set of real quantizer symbols X̄ 2 as defined in (7), which is defined as instantiation of the
class with constructor
template<class grid_point_t>
scots::UniformGrid(const int dim,
const grid_point_t& lb,
const grid_point_t& ub,
const grid_point_t& eta)

where the variables dim, lb, ub and eta represent the state space dimension, the lower and
upper bound of the hyper-interval confining the set X̄ 2 , and the grid parameter, respectively.
Internally, each cell x 2 = c + J−η/2, η/2K ∈ X̄ 2 is represented as an unsigned integer of
type abs_type. In the default setting, abs_type is an alias set in UniformGrid.hh to
using abs_type=std::uint32_t;

which limits the size of X̄ 2 to 232 − 1. The template member functions

template<class grid_point_t>
scots::UniformGrid::itox(abs_type id, state_type& x)
template<class grid_point_t>
scots::UniformGrid::abs_type xtoi(const grid_point_t& x) const

are useful in mapping an abstract state c + J−η/2, η/2K ∈ X̄ 2 , represented by its unsinged
integer ID id, to its center c ∈ Rn aligned on the uniform grid (6). Similarly, xtoi can be
used to map a state x ∈ Rn to the id of the cell x 2 ∈ X̄ 2 containing it, i.e., x ∈ x 2 .
(4) The input alphabet U2 , which is again represented by an instance of a UniformGrid.
(5) Optionally, it is possible to provide a measurement error bound to account for measurement
errors as defined in (12) using the member function
scots::Abstraction::set_measurement_error_bound(const state_type& z)

We demonstrate the usage of SCOTS to compute a symbolic model of the sampled dynamics of
an aircraft used in [1, Sec. IX.B]. The system consists of three states x 1 , x 2 , x 3 , which respectively
correspond to the velocity, the flight path angle and the altitude of the aircraft. The input alphabet
is given by U = 0, 160 · 10 × [0 , 10◦ ] and represents the thrust of the engines (in Newton) and
3 ◦

the angle of attack. Additionally, we use the disturbance vectors w = (0.108, 0.002, 0)> in (1) and
z = (0.0125, 0.0025◦ , 0.05)> in (12) to model possible input disturbances, respectively, measurement
errors.
12 MATTHIAS RUNGGER MARCH 29, 2017

For the computation of the transition function, we begin with the aliases for the state_type and
input_type by
const int state_dim=3; /* state space dim */
const int input_dim=2; /* input space dim */
using state_type = std::array<double,state_dim>;
using input_type = std::array<double,input_dim>;

Afterwards, we define the lambda for the solution of the IVP for a sampling time of τ = 0.25 by
auto aircraft_post = [](state_type &x, const input_type &u) {
/* the ode describing the aircraft */
auto rhs = [](state_type& xx, const state_type &x, const input_type &u) {
double mg = 60000.0*9.81;
double mi = 1.0/60000;
double c=(1.25+4.2*u[1]);
xx[0] = mi*(u[0]*std::cos(u[1])-(2.7+3.08*c*c)*x[0]*x[0]-mg*std::sin(x[1]));
xx[1] = (mi/x[0])*(u[0]*std::sin(u[1])+68.6*c*x[0]*x[0]-mg*std::cos(x[1]));
xx[2] = x[0]*std::sin(x[1]);
};
/* use 10 intermediate steps */
scots::runge_kutta_fixed4(rhs,x,u,state_dim,tau,10);
};

where we use the fixed step-size ODE solver scots::runge_kutta_fixed4 that ships with SCOTS.
An implementation that uses a more advanced ODE solver like the adaptive step-size solvers with error
control implemented in boost can be found in ./examples/aircraft_boost.
We continue with the definition of the growth bound, for which we determine the matrix L(u)
in (14). First, we compute an a priori enclosure K 0 of (1) with respect to τ = 0.25, U 0 = U and the
hyper-interval P(K) where K = [58, 83]×[−3◦ , 0]×[0, 56] is the hyper-interval that confines the set of
real quantizer symbols. To this end, we employ the interval arithmetic based ODE solver implemented
in vnode-lp to obtain
K 0 = [57.55, 83.23] × [−4.29◦ , 1.22◦ ] × [−1.38, 56.28].
The implementation of the computation of the a priori enclosure can be found in the example directory
./examples/aircraft/helper/a_priori_enclosure. To obtain the matrix L(u), we maximize
the partial derivatives of f (·, u) over the set K 0 . The solution of the linear IVP ṙ(t) = L(u)r(t) + w,
r(0) = r0 , at time τ provides the growth bound (15) that we access through the lambda
auto radius_post = [](state_type &r, const state_type &, const input_type &u) {
/* the ode for the growth bound */
auto rhs =[](state_type& rr, const state_type &r, const input_type &) {
/* lipschitz matrix */
double L[3][2];
L[0][0]=-0.001919*(2.7+3.08*(1.25+4.2*u[1])*(1.25+4.2*u[1]));
L[0][1]=9.81;
L[1][0]=0.002933+0.004802*u[1];
L[1][1]=0.00361225;
L[2][0]=0.07483;
L[2][1]=83.22;
/* to account for input disturbances */
state_type w={{0.108,0.002,0}};
rr[0] = L[0][0]*r[0]+L[0][1]*r[1]+w[0];
rr[1] = L[1][0]*r[0]+L[1][1]*r[1]+w[1];
rr[2] = L[2][0]*r[0]+L[2][1]*r[1]+w[2];
};
/* use 10 intermediate steps */
scots::runge_kutta_fixed4(rhs,r,u,state_dim,tau,10);
};
 SCOTS (0.2) – USER MANUAL 13

The real quantizer symbols X̄ 2 and the input alphabet U2 are introduced as instances of the class
UniformGrid by
state_type s_lb={{58,-3*M_PI/180,0}};
state_type s_ub={{83,0,56}};
state_type s_eta={{25.0/362,3*M_PI/180/66,56.0/334}};
scots::UniformGrid ss(state_dim,s_lb,s_ub,s_eta);

input_type i_lb={{0,0}};
input_type i_ub={{32000,8*M_PI/180}};
input_type i_eta={{32000,8.0/9.0*M_PI/180}};
scots::UniformGrid is(input_dim,i_lb,i_ub,i_eta);

The grid parameter s_eta for the real quantizer symbols X̄ 2 has been determined according to the
optimization procedure in [4].
For the computation of the symbolic transition function F2 we instantiate the class Abstraction
and set the measurement error bound to z
scots::Abstraction<state_type,input_type> abs(ss,is);
state_type z={{0.0125,0.0025/180*M_PI,0.05}};
abs.set_measurement_error_bound(z);

The computation of F2 itself is invoked by

abs.compute_gb(tf,aircraft_post,radius_post);

Note that, due to the numerical errors in the computation of the solution of the IVP ϕ(τ, x, u) it
is possible that the computed transition function F2 does not satisfies the requirements in Sectin 5.2.
Similarly, the computation of the growth bound β(r, u) might be erroneous. Therefore, it is crucial to
pick adequate ODE solver parameters to obtain high confidence in the correctness of the computation.
We list the runtimes of the computation of F2 for two different solvers for various parameters in
Table 7. The implementations can be found in the directories ./exampels/aircraft_boost and
./examples/aircraft.

adaptive step size runge_kutta_dopri5 fixed step size runge_kutta_4

abs_tol/rel_tol # intermediate steps
10−10 /10−10 10−12 /10−12 10−16 /10−16 5 10
252 sec 370 sec 1036 sec 233 sec 335 sec
TABLE 1. Runtimes to compute a symbolic transition function of the aircraft dynamics
with varying ODE solvers and solver parameters. All computations resulted in an
identical transition function with 5.86 · 109 transitions.

8. CONTROLLER SYNTHESIS
Let Σ2 be an invariance or reachability specification associated with Z2 ⊆ X̄ 2 for (5). The algorithms
Alg. 1 and Alg. 2 to compute the winning domain D−1 (U2 ) associated with the control problem (S2 , Σ2 )
are implemented in the following functions.
(1) Alg. 1 is implemented solve_invariance_game with signature
template<class F>
WinningDomain solve_reachability_game(const TransitionFunction& tf, F& ap)

where the set Z2 is defined as lambda expression ap of the form

[](const scots::abs_type& abs_state) -> bool {}

ap(abs_state) returns true if and only if the abstract state x 2 ∈ X̄ 2 , represented by the ID
abs_state, is an element of the safe set Z2 .
14 MATTHIAS RUNGGER MARCH 29, 2017

(2) Alg. 2 is implemented in solve_reachability_game with signature

template<class F>
WinningDomain solve_reachability_game(const TransitionFunction& tf, F& ap)

where the target set Z2 is defined as lambda expression ap of the form

[](const scots::abs_type& abs_state) -> bool {}

ap(abs_state) returns true if and only if the abstract state x 2 ∈ X̄ 2 , represented by the ID
abs_state, is an element of the safe set Z2 . Additionally, a lambda expression as above can
be supplemented to solve_reachability_game to define the avoid set A2 .
(3) Optionally, the IDs of the cells contained in the set Z2 together with the uniform grid informa-
tion can be stored to a file using the function
template<class F>
bool write_to_file(const UniformGrid& g, F& ap, const std::string& filename)

The grid points associated with the stored IDs are accessible from the MATLAB workspace
using the command
>> p = GridPoints(’filename’);

In order to use this MATLAB command, the mex-file GridPoints.mex needs to be compiled.
Please see the installation notes for details.
We illustrate the usage of those functions again by the aircraft example studied in the previous
section. Let (2) represent the τ-sampled behavior of the aircraft dynamics and consider the reachability
specification Σ1 for S1 associated with the set
Z1 := ([63, 75] × [−3◦ , 0◦ ] × [0, 2.5]) ∩ {x ∈ R3 |x 1 sin x 2 ≥ −0.91}.
Consider the system (5), the quantizer (9) and the perturbation map (12). As outlined in Section 4.3,
an abstract specification associated with S1 , S2 and Q◦ P 2 is a reachability specification for S2 associated
with Z2 , where Z2 is required to be a subset of {x 2 ∈ X 2 | P(x 2 ) ⊆ Z1 }. We represent Z2 as lambda
target as follows
/* define target set */
state_type t_lb = {{63,-3*M_PI/180,0}};
state_type t_ub = {{75,0,2.5}};
state_type c_lb;
state_type c_ub;
state_type x;
auto target = [&](const scots::abs_type abs_state) {
/* compute the center of cell associated with abs_state */
ss.itox(abs_state,x);
/* hyper-interval of the quantizer symbol with perturbation */
for(int i=0; i<state_dim; i++) {
c_lb[i] = x[i]-s_eta[i]/2.0-z[i];
c_ub[i] = x[i]+s_eta[i]/2.0+z[i];
}
if( t_lb[0]<=c_lb[0] && c_ub[0]<=t_ub[0] &&
t_lb[1]<=c_lb[1] && c_ub[1]<=t_ub[1] &&
t_lb[2]<=c_lb[2] && c_ub[2]<=t_ub[2]) {
if(-0.91<=(x[0]*std::sin(x[1])-
s_eta[0]/2.0-z[0]-(c_ub[0])*(s_eta[1]/2.0-z[1]))) {
return true;
}
}
return false;
2In the computation of the abstraction specification, we replace Q with Q ◦ P to account for the measurement errors, see [1,
Sec. VI.B].
 SCOTS (0.2) – USER MANUAL 15

};
Once we have the lambda target representing the target set, we compute the winning domain of
(S2 , Σ2 ) by
WinningDomain win=solve_reachability_game(tf,target);
The number of states in the winning domain and the winning domain itself is obtainable by
abs_type domain = win.get_size();
std::vector<abs_type> domain = win.get_winning_domain();
It is possible to store the result as StaticController to a file. The syntax for storing the controller
to the file controller.scs is given by
write_to_file(StaticController(ss,is,std::move(win)),"controller");
For various reasons it might be helpful to visualize the target set. To this end, we write the IDs of the
grid points in the target set together with the uniform grid information to a file
write_to_file(ss,target,"target");
Subsequently, we access and plot the grid points in the MATLAB workspace by
>> p = GridPoints(’target’);
>> plot3(p(:,1),p(:,2),p(:,3),’.’);

9. CONTROLLER IMPLEMENTATION
Let C be the static controller defined in (26) that solves (S2 , Σ2 ). For the implementation of the
refined controller C ◦Q illustrated in Fig. 1 (or Fig. 2), SCOTS provides the class StaticController.
The class can be instantiated with two UniformGrids and a WinningDomain according to the con-
structor
scots::StaticController(const UniformGrid& state_grid,
const UniformGrid& input_grid,
WinningDomain&& winning_domain)
Alternatively, it is possible to instantiate the StaticController class with the default constructor
and subsequently read the content of the controller from file by
inline bool read_from_file(StaticController& sc, const std::string& filename)
To extract the control inputs associated with a state x ∈ X 1 SCOTS provides the member function
template<class state_type, class input_type>
std::vector<input_type> scots::StaticController::get_control(const state_type &x)
Internally, the mapping Q in Fig. 1 is implemented by the member function UniformGrid::xtoi,
which maps x to the ID abs_state of the nearest grid point c ∈ Rn . The cell that is associated with
that grid point c contains x, i.e., x ∈ c + J−η/2, η/2K. If x is not an element of the winning domain
∪ x 2 ∈D−1 (U2 ) x 2 , then Fc (q, Q(x)) = ∅ and no progress is possible. This is indicated by the error message
scots::StaticController: state <x> is out of winning domain: no progress possible.
For the aircraft example, we implemented a closed loop simulation in the file ./aircraft/simulate.cc.
We read the controller from file and simulate the system until the target is reached
/* read controller from file */
scots::StaticController con;
if(!read_from_file(con,"controller")) {
std::cout << "Could not read controller from controller.scs\n";
return 0;
}
/* initial state */
16 MATTHIAS RUNGGER MARCH 29, 2017

state_type x={{81, -1*M_PI/180, 55}};

while(1) {
std::vector<input_type> u = con.get_control<state_type,input_type>(x);
std::cout << x[0] << " " << x[1] << " " << x[2] << "\n";
aircraft_post(x,u[0]);
if(target(x))
break;
}
return 0;
In order to access the StaticController from the MATLAB workspace SCOTS provides the MAT-
LAB class StaticController. The data can be loaded by
>> con = StaticController(’controller’)

The inputs associated with a state x ∈ Rn and the center of cells in the winning domain D−1 (U2 ) are
accessed by
>> u = con.control(x);
>> Y = con.domain;
In order to be able to use those commands, you need to add the directory ./mfiles to your MATLAB
path. A demonstration of the usage of the StaticController from the MATLAB workspace can be
found in the various m-files in the example directories.

10. BINARY DECISION DIAGRAMS

SCOTS provides a number of classes and functions to obtain a binary decision diagram (BDD) rep-
resentation of symbolic models, controllers and atomic propositions.
Useful to
(1) save memory;
(2) use SCOTS in combination with other tools, such as slugs and SENSE;
(3) compactly save atomic propositions and controllers to a file;
(4) write customized synthesis algorithms;
For usage details have look in the examples
./examples/dcdc_bdd /* reach-and-stay */
./examples/vehicle_bdd /* reachability */
./examples/aircraft_bdd /* reachability */
and have a look in the class documentation in ./doc/html/ of
scots::SymbolicSet
scots::SymbolicModel
and the companion functions read_from_file and write_to_file.
 SCOTS (0.2) – USER MANUAL 17

Part 3. CASE STUDIES

11. AN AIRCRAFT LANDING MANEUVER
We consider an aircraft DC9-30. The dynamics (1) according to [7] are given by
1
ξ̇1 = m (u1 cos u2 − D(u2 , ξ1 ) − mg sin ξ2 )
1
ξ̇2 = mx 1 (u1 sin u2 + L(u2 , ξ1 ) − mg cos ξ2 )

ξ̇3 = ξ1 sin ξ2

where D(u2 , x 1 ) = (2.7 + 3.08 · (1.25 + 4.2 · u2 )2 ) · x 12 , L(u2 , x 1 ) = (68.6 · (1.25 + 4.2 · u2 )) · x 12 and
mg = 60 · 103 · 9.81 account for the drag, lift and gravity, respectively [7]. The state variables x 1 ,
x 2 and x 3 correspond ot the
 velocity, the flight path angle and the altitude of the aircraft. The input
alphabet is given by U = 0, 32 · 103 × [0◦ , 8◦ ] and represents the thrust of the engines (in Newton)
and the angle of attack. Following [1], we consider certain input disturbance, which we model in (1)
1
by w = (0.108, 0.002, 0)> and measurement errors of the form (12) with z = 20 (0.25, 0.05, 1)> .
The objective is to control the aircraft from a certain hight close to the ground. We cast this controller
problem as a reachability problem for which the target set is given by
Z1 := ([63, 75] × [−3◦ , 0◦ ] × [0, 2.5]) ∩ {x ∈ R3 | x 1 sin x 2 ≥ −0.91}.
For the computation of the symbolic model, we fix a sampling time of τ = 0.25 sec and restrict the
problem domain to Ja, bK with
a = (58, −3◦ , 0)> and b = (83, 0◦ , 56)>
and set η = (25.0/362, 3◦ /66, 56.0/334)> . The real quantizer symbols X̄ 2 are determined according
to (7). The set of inputs is given by the grid points U2 := µZ2 ∩ U with µ = (32 · 103 , (8/9)◦ )> . The
choice of discretization parameter leads to a successful solution of the reachability problem. The hight
of the controlled aircraft over time is illustrated in Fig. 3.

60

50

40
altitude

30

20

10

0
0 5 10 15 20
t [sec]

FIGURE 3. Trajectory of the controlled aircraft landing maneuver.

The configuration files for the computation in SCOTS can be found in ./examples/aircraft.

12. A VEHICLE IN A MAZE

In this case study we consider the vehicle illustrated in Fig. 4. We follow [8] and use the bicycle
dynamics to model the vehicle and obtain
ξ̇1 = u1 cos(α + ξ3 ) cos(α)−1
ξ̇2 = u1 sin(α + ξ3 ) cos(α)−1
ξ̇3 = u1 tan(u2 )
18 MATTHIAS RUNGGER MARCH 29, 2017

u1
δ

FIGURE 4. Vehicle illustration taken from [8].

where α = arctan(tan(u2 )/2). The states (x 1 , x 2 ) and x 3 correspond to the position, respectively,
orientation of the vehicle in the 2-dimensional plane. The inputs are given by the velocity u1 ∈ [−1, 1]
and the rate u2 ∈ [−1, 1] of the steering angle δ.
The specification is illustrated in Fig. 5. The goal is to synthesize a controller that steers the vehicle
through the maze, without hitting the blue obstacles until the target set (red box) is reached. The
synthesis problem is casted as a reach-avoid problem.

10

0 2 4 6 8 10

FIGURE 5. Trajectory of the controlled aircraft landing maneuver.

For the computation of the symbolic model, we fix the sampling time to τ = 0.3 sec and limit the
problem domain to Ja, bK with

a = (0, 0, −3.5)> and b = (10, 10, 3.5)>

and set η = (0.2, 0.2, 0.2)> . The real quantizer symbols X̄ 2 are determined according to (7). The set
of inputs is given by the grid points U2 := µZ2 ∩ U with µ = (0.3, 0.3)> . A trajectory of the closed loop
resulting from the controller synthesized with those choices of parameters is illustrated in Fig. 5.
The configuration files for the computation in SCOTS using the sparse matrix implementation and
the BDD based implementation can be found in ./examples/vehicle and ./examples/vehicle_bdd,
respectively.

13. A DC-DC B OOST CONVERTER

A DC-DC boost converter (illustrated in Fig. 6) is a step-up converter which is used to generate a
higher voltage on the load side compared to the source voltage. The converter operates in two modes.
When the switch is closed, electrical energy is stored in terms of a magnetic field in the inductor. When
the switch is open, the inductor acts as a second source and its voltage adds up to the source voltage
on the load side. DC-DC boost converters have been extensively studied in the literature, often from a
hybrid control perspective, and also in the context of abstraction-based controller design [9–11].
 5 Symbolic models for the boost DC-DC converter

In this section, we use our methodology to compute symbolic models of a concrete

switched system: the boost DC-DC converter (see Figure 1). This is an example
of electrical power convertor that has been studied from the point of view of
hybrid control in [12–15]. SCOTS (0.2) – USER MANUAL 19

rl xl il s2
s1
rc
vs r0 v0

vc xc

Fig. 1. boost DC-DC converter.

FIGURE 6. The DC-DC boost converter.

The state of the system is given by x(t) = [il (t), vc (t)]> where il (t) and vc (t) denote the current
The boost converter has two operation modes depending on the position of the
through the inductor and the voltage across the capacitor at time t, respectively. The dynamical be-
switch. The state of the system is x(t) = [il (t) vc (t)]T where il (t) is the inductor
havior is described by the switched linear system
current and vc (t) the capacitor voltage. The dynamics associated with both
modes are affine of the followingẋ(t) = A g(t) x(t) + b
form
with Ai ∈ R2×2 , i ∈ [1; 2] and b given by
 rl ẋ(t)
 = Apx(t)1 + b, prc= 1, 2
r r0 
− x l (rl + rc +r00 ) − x1l r0 +r
 vs 
− xl 0
with A1 = 0 , A2 = , b = xl .
c
1 r0
− x1c r0 +r
1
c x r +r − x
1
r
1
+r . 0
c 0 c c 0 c
 rl  1 
First, we synthesize
xl 0
a controller + rr00+r
(rl safety
to enforcexlthe
rc
specification
r0 rc
) x1l (rl + associated
r0 +rc ) with vxsl
A1 = 1 1 , A 2 = 1 r0
c
1 1 , b = .
0 xc r0 +rc Z1 := [1.15, 1.55]
xc r0 +r ×c [5.45, 5.85]. xc r0 +rc 0

In theItcomputation
is clear thatofthe
the boost
abstraction,
DC-DC weconverter
fix the sampling time to τof= switched
is an example 0.5 sec and pick a grid point
system.
distanceIn η = following,
of the (5·10−4 , 5·10 )
−4 >
. The winning domain together with a trajectory of
we use the numerical values from [13], that is, in the per unitthe closed loop is
illustrated
system xc = 70 p.u., xl = 3 p.u., rc = 0.005 p.u., rl = 0.05 p.u., r0 = 1 p.u. and the sparse
in Fig. 7. The implementation details are provided in ./examples/dcdc using
matrix representation.
vs = 1 p.u.. The goal of the boost DC-DC converter is to regulate the output
voltage across the load r0 . This control problem is usually reformulated as a
current reference5.85 scheme. Then, the goal is to keep the inductor current il (t)

around a reference5.8 value iref

l . This can be done, for instance, by synthesizing
a controller that keeps the state of the switched system in an invariant set I
5.75
centered around the reference value.
It can be shown
5.7 by solving a set of 2 linear matrix inequalities that the
subsystems associated
5.65 with the two operation modes are both incrementally
stable and that 5.6they share a common -GAS Lyapunov function of the form
q
5.55
V (x, y) = (x y)T M (x y),
5.5

5.45

1.15 1.2 1.25 1.3 1.35 1.4 1.45 1.5 1.55

FIGURE 7. The domain of the invariance controller together with a closed loop trajectory.

We continue with a demonstration on how to use the BDD representation together with the CUDD
Library to operate directly on the transition function and atomic propositions in order to create cus-
tomized synthesis algorithms. In particular, let us consider the reach-and-stay specification Σ1 associ-
ated with with Z1 ⊆ X 1 given by
Σ1 := (u, x) ∈ (U1 × X 1 )∞ | ∃ t∈[0;∞[ ∀ t 0 ∈[t;∞[ : x(t 0 ) ∈ Z1 .


The associated abstract specification Σ2 for the symbolic model S2 is given by the reach-and-stay spec-
ification associated with
Z2 := {x 2 ∈ X 2 | x 2 ⊆ Z1 }.
20 MATTHIAS RUNGGER MARCH 29, 2017

We can solve the control problem (S2 , Σ2 ) by the nested fixed point algorithm
µȲ .νY.(pre(Y ) ∩ Z2 ) ∪ pre(Ȳ ).
We implemented the fixed point computation in ./examples/bdd/dcdc_bdd by using the enforcible
predecessor computed in the class scots::Enf_Pre according to
/* set up enf_pre computation */
scots::EnfPre enf_pre(manager,TF,sym_model);
/* outer fp*/
BDD Z=manager.bddOne();
BDD ZZ=manager.bddZero();
/* inner fp*/
BDD Y=manager.bddZero();
BDD YY=manager.bddOne();
/* the controller */
BDD C=manager.bddZero();
/* helper */
BDD U=ss_input.get_cube(manager);
/* as long as not converged */
for(size_t i=1; ZZ != Z; i++) {
Z=ZZ;
BDD preZ=enf_pre(Z);
/* init inner fp */
YY = manager.bddOne();
for(size_t j=1; YY != Y; j++) {
Y=YY;
YY = ( enf_pre(Y) & S ) | preZ;
}
ZZ=YY;

/* only add (state/input) pairs whose state is not already in the * controller */
BDD N = ZZ & (!(C.ExistAbstract(U)));
C=C | N;
}

The resulting controller is stored in the BDD C. A closed loop trajectory of the system is illustrated
in Fig. 8. The trajectory is obtained by running the MATLAB file dcdc.m in the example directory
./examples/bdd/dcdc_bdd.

5.8

5.6

5.4

5.2

0.6 0.8 1 1.2 1.4 1.6

FIGURE 8. Closed loop trajectory of the DC-DC boost converter satisfying the reach-
and-stay specification associated with the red rectangle.
 REFERENCES 21

REFERENCES
[1] G. Reißig, A. Weber, and M. Rungger. “Feedback Refinement Relations for the Synthesis of Sym-
bolic Controllers”. In: IEEE Transactions on Automatic Control (2015). DOI: 10.1109/TAC.
2016.2593947.
[2] R. Ehlers and V. Raman. “Slugs: extensible GR(1) synthesis”. In: International Conference on
Computer Aided Verification. Springer. 2016, pp. 333–339.
[3] M. Rungger and M. Zamani. “SCOTS: A Tool for the Synthesis of Symbolic Controllers”. In:
HSCC. ACM, 2016.
[4] A. Weber, M. Rungger, and G. Reissig. “Optimized State Space Grids for Abstractions”. In: IEEE
Transactions on Automatic Control (2017). DOI: 10.1109/TAC.2016.2642794.
[5] R. Bloem et al. “Synthesis of reactive (1) designs”. In: Journal of Computer and System Sciences
78.3 (2012), pp. 911–938.
[6] G. Gallo et al. “Directed hypergraphs and applications”. In: Discrete Applied Mathematics 42
(1993), pp. 177–201.
[7] I. Mitchell, A. M. Bayen, and C. J. Tomlin. “Validating a Hamilton-Jacobi Approximation to
Hybrid System Reachable Sets”. In: Proc. 4th Intl. Conf. on Hybrid Systems: Computation and
Control. Springer, 2001, pp. 418–432.
[8] K. J. Aström and R. M. Murray. Feedback systems: an introduction for scientists and engineers.
Princeton University Press, 2010.
[9] A. Girard, G. Pola, and P. Tabuada. “Approximately bisimilar symbolic models for incrementally
stable switched systems”. In: IEEE TAC 55.1 (2010), pp. 116–126.
[10] A. Girard. “Controller synthesis for safety and reachability via approximate bisimulation”. In:
Automatica 48.5 (2012), pp. 947–953.
[11] G. Reißig and M. Rungger. “Abstraction-based Solution of Optimal Stopping Problems under
Uncertainty”. In: Proc. of the 52nd IEEE Conf. on Decision and Control. 2013, pp. 3190–3196.
DOI : 10.1109/CDC.2013.6760370.