=Paper=
{{Paper
|id=Vol-3065/paper4_149
|storemode=property
|title=Automatic Synthesis of Stabilizing Controllers for Discrete Time Linear Hybrid Systems
|pdfUrl=https://ceur-ws.org/Vol-3065/paper4_149.pdf
|volume=Vol-3065
|authors=Leonardo Picchiami
|dblpUrl=https://dblp.org/rec/conf/aiia/Picchiami21
}}
==Automatic Synthesis of Stabilizing Controllers for Discrete Time Linear Hybrid Systems==
Automatic Synthesis of Stabilizing Controllers for Discrete Time Linear Hybrid Systems Leonardo Picchiami1 1 Computer Science Dept., Sapienza University of Rome, via Salaria 113, 00198, Italy Abstract Many Cyber-Physical Systems are either mission or safety critical, thus the controllers for such systems must be provably correct. To this aim, in the last decades many methodologies have been developed which are able to automatically generate correct-by-construction controllers for Cyber-Physical Sys- tems. In this paper, we focus on one of such methodologies, implemented in the QKS tool, which is able to explicitly take into account the specification of the discretization of the state space due to analog-to- digital conversion. Controllers output by QKS are able to drive any controllable state inside the system goal. However, such controllers may allow a goal state to go outside the goal region, in order to be able to bring it back into the goal region later. QKS does not provide any means to detect such behavior. Here we propose to modify QKS in order to provide an additional feature, which only outputs stabi- lizing controllers, i.e., controllers which never allow goal states to go outside the goal region. If this is not possible for the input system, an empty controller is returned. We prove the feasibility of our approach on well-known control theory case studies, namely the multi input buck DC-DC converter and the inverted pendulum. Our experimental results show that we are able to output stabilizing controllers using limited additional resources with respect to the original QKS. Keywords Automatic Controller Synthesis, Stabilizing Controllers, CPS 1. Introduction The development of correct-by-construction software controllers for Cyber-Physical Systems (CPSs) is a strong requirement in many safety/mission-critical contexts such as, for example, avionics [1, 2, 3, 4], smart grids [5, 6, 7, 8, 9], automotive [10, 11, 12, 13] or biological systems [14, 15, 16, 17, 18, 19, 20, 21, 22, 23]. In fact, many CPSs are Software-Based Control Systems (SBCSs), which are typically subdivided into two subsystems: plant and controller. The plant is a physical system (e.g., electric devices), whereas the controller is a software component running on a microcontroller. The controller, in a closed-loop system, interacts with the plant to satisfy formal specifications, i.e., functional requirements (liveness and safety) needed for correctness of the system. In our setting, we want the controller to drive the system towards a goal region (liveness), so that only safe states are traversed (safety). To this aim, the controller implements a IPS-RCRA 2021: 9th Italian Workshop on Planning and Scheduling and 28th International Workshop on Experimental Evaluation of Algorithms for Solving Problems with Combinatorial Explosion picchiami@di.uniroma1.it (L. Picchiami) 0000-0001-5477-6419 (L. Picchiami) ยฉ 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings http://ceur-ws.org ISSN 1613-0073 CEUR Workshop Proceedings (CEUR-WS.org) control law ctrlLaw, which, by looking at the current state, decides which action must be taken to bring the system closer to the goal, while retaining safety. Such control law is guaranteed to correctly work when the current state is within its control region CtrlReg. The usual control-loop workflow is as follows: the plant sensors measure an input ๐ฅ. SBCS compute the Analog-to-Digital (AD) conversion getting a quantized value ๐ฅ ห . The controller checks if ๐ฅห belongs to the control region. If it is not in ctrlRegion, then the procedure of Fault Detection, Isolation and Recovery is triggered. Otherwise, the system carries out the Digital-to- Analog (DA) conversion and sends the command to the plant actuators. Designing a controller is an hard task [24]. In recent years, many articles have been published aiming at automatically synthesizing controllers, often basing on ideas borrowed from logics [25, 26, 27, 28, 29, 30] and model checking techniques [31, 32, 33, 34, 35, 36, 37, 38, 39, 40]. This has led to the introduction of many tools to automatically generate controllers, such as, e.g., PESSOA [41] and Synthia [42]. In this paper, we focus on the Quantized feedback Kontrol Synthesizer (QKS) tool [43]. QKS is a tool to automatically synthesize control software for an input system (plant) modeled as a Discrete-Time Linear Hybrid System (DTLHS), i.e., a system described by continuous as well as discrete variables. QKS also takes as input the liveness and safety specification, i.e., the goal region to be reached by the system, as well as how many bits ๐ are available for the AD and DA conversions. As an output, QKS returns the C code implementation of the control software, which is guaranteed to drive any system state in the control region to the goal in a finite number of steps, also taking into account the AD and DA conversion. The controller output by QKS is such that, once the system has reached the goal, it may also exit from the goal itself. If this happens, the controller is again able to bring the system back to the goal again. This may be undesired in some applications, where instead, it is required that the system stabilizes in the goal, so preventing the system from leaving it. A system is able to continuously meet properties that ensure the correctness and prevent errors as long as it remains in the goal. So, in safety/mission-critical contexts (e.g., medical devices, drugs or banking systems), we need controllers that implement the ๐-stability. Otherwise, we might obtain systems that can be dangerous, for example, for a human or a company. Note that, in this paper, we present a new notion of stabilizing controllers. In the literature, such a notion has often been used in a different unrelated setting, e.g., bounding fluctuations of controller trajectories [44, 45]. Here, instead, we focus on controllers which โtrapsโ a system on the goal, if possible. To overcome the undesired behavior outlined above, in this paper, we present an extension to QKS, which only outputs controllers which stabilize the system up ๐ โฅ 0 steps, being ๐ a further input for QKS. Other extensions of QKS have been presented in the literature with different objectives than the ones we have here. Examples are in [46] (performing an on-the-fly controller gener- ation), [47] (introducing a parallel algorithm for the controller synthesis) and [48] (aiming at reducing the size of control software implementation). To the best of our knowledge, this is the first time that an algorithm for stabilizing controllers for QKS is presented. The paper outline is as follows. We recall the mathematical notations which formalizes the synthesis of software controllers (Section 2). Then, we introduce and formalize the concept of stabilizing controllers (Section 3). Under this framework, we present a new algorithm to generate stabilizing controllers (Section 4). Finally, we report an experimental comparison between the existing algorithm of controller synthesis provided by QKS and the synthesis algorithm of stabilizing controllers (Section 5). To this end, our case studies are the well-known Multi-input Buck DC-DC converter and the Inverted Pendulum. 2. Formal Framework To make this paper self-contained, we briefly summarize all concepts needed for the formaliza- tion of stabilizing controllers. For a complete discussion, see [43]. 2.1. Linear Predicate Let [๐] = {1, . . . , ๐} be the set of positive integers less than ๐ and let ๐ = [๐ฅ1 , . . . , ๐ฅ๐ ] be a sequence of distinct variables. Every variable ๐ฅ โ ๐ is defined on either a finite (e.g., boolean variables) or infinite (e.g., discrete or continuous variables) domain, denoted by ๐๐ฅ . Boolean variables are denoted as ๐ฅ๐ , continuous variables as ๐ฅ๐ , and discrete variables as ๐ฅ๐ . Along the same lines, ๐ ๐ (resp., ๐ ๐ , ๐ ๐ ) represents the sequence of the boolean (resp, discrete and real) variables among the ones in ๐. The domain of a sequence of variables ๐ is denoted by ๐๐ = ๐ฅโ๐ ๐๐ฅ . โ๏ธ A linear expression ๐ฟ(๐) is a linear combination of variables in ๐, i.e., ๐ฅโ๐ ๐๐ฅ ๐ฅ where ๐๐ฅ โ๏ธ are rational constants. A linear constraint is an expression of the form ๐ฟ(๐) โโท ๐ where ๐ is a rational constant and โโท โ {โค, โฅ, =} . A predicate is any logical combination of OR and AND operations among linear constraints. A conjunctive predicate is predicate with AND operations only. A valuation over ๐ is a function ๐ฃ : ๐ โ ๐๐ , assigning to each variable ๐ฅ a value in the cor- responding domain ๐๐ฅ . Given a valuation ๐ฃ, we write ๐ * for the sequence [๐ฃ(๐ฅ1 ), . . . , ๐ฃ(๐ฅ๐ )] โ ๐๐ , and we call it valuation as well. A satisfying assignment to predicate ๐ (๐) is a valuation of ๐ * such that ๐ (๐) holds. If ๐ (๐ * ) holds for some ๐ * , then ๐ is feasible. Given a constraint ๐ถ(๐) and a fresh variable ๐ฆ, the guarded constraint ๐ฆ โ ๐ถ(๐) (if ๐ฆ then ๐ถ(๐)) denotes the predicate (๐ฆ = 0) โจ ๐ถ(๐). By negating the guard variable, denoted by (๐ฆยฏ โ ๐ถ(๐)), we get the predicate (๐ฆ = 1) โจ ๐ถ(๐) (if not ๐ฆ the ๐ถ(๐)). A guarded predicate is a conjunction of either constraints or guarded constraints. If all variables in ๐ are bounded (which implies that a linear expression ๐ฟ(๐) has a finite supremum), then any guarded constraint may be translated in a linear constraint as follows: ๐ฆ โ ๐ฟ(๐) โค ๐ is equivalent to (๐ ๐ข๐(๐ฟ(๐)) โ ๐)๐ฆ + ๐ฟ(๐) โค ๐ ๐ข๐(๐ฟ(๐)), while ๐ฆยฏ โ ๐ฟ(๐) โค ๐ is equivalent to (๐ โ ๐ ๐ข๐(๐ฟ(๐)))๐ง + ๐ฟ(๐) โค ๐. By recalling that ๐ฟ(๐) โฅ ๐ is equivalent to โ๐ฟ(๐) โค โ๐ and ๐ฟ(๐) = ๐ is equivalent to ๐ฟ(๐) โค ๐ โง ๐ฟ(๐) โฅ ๐, all guarded constraint may be translated to linear predicates. 2.2. Labeled Transition Systems A Labeled Transition System (LTS) is a tuple ๐ฎ = (๐, ๐ด, ๐ ) where ๐ is a (possibly infinite) set of states, ๐ด is a (possibly infinite) set of actions and, ๐ : ๐ ร ๐ด ร ๐ โ B is the transition relation of ๐ฎ. Let s โ ๐ and a โ ๐ด, ๐ด๐๐(๐ฎ, ๐ ) = {๐ โ ๐ด | โ๐ โฒ : ๐ (s, a, s โฒ )} is the set of admissible actions starting from a state ๐ , while ๐ผ๐๐(๐, ๐ , ๐) = {s โฒ โ ๐ : ๐ (s, a, s โฒ )} is the set of next states of s through the action a (non-deterministic action). A transition is a triple (s, a, s โฒ ) โ ๐ ร ๐ด ร ๐ such that ๐ (s, a, s โฒ ) holds. If s = s โฒ , then the transition (s, a, s) is a self-loop. A path for an LTS ๐ฎ is a sequence of states-actions ๐ = ๐ 0 ๐0 ๐ 1 ๐1 . . . . . . where โ๐ก โฅ 0 ๐ (๐ ๐ก , ๐๐ก , ๐ ๐ก+1 ) holds. In addition, |๐| is the length of a given path that represents the number of actions within ๐. ๐ (๐) (๐ก) denotes the (๐ก + 1)-th state within ๐ and, ๐ (๐ด) (๐ก) denotes the (๐ก + 1)-th action over ๐. 2.3. Discrete Time Hybrid System A Discrete Time Hybrid System (DTHS) โ = (๐, ๐ , ๐ , ๐ ) is a tuple defined as follows: โข ๐ = ๐ ๐ โช ๐ ๐ is a finite sequence of real as well as discrete variables (possibly including boolean variables). It models the current state. Along the same lines, ๐ โฒ denotes the next state. โข ๐ = ๐ ๐ โช ๐ ๐ is a finite sequence of input variables. โข ๐ = ๐ ๐ โช ๐ ๐ is a finite sequence of auxiliary variables typically used to model local variables. โข ๐ (๐, ๐, ๐, ๐ โฒ ) is the predicate that defines the system transition relation. An LTS can model the dynamics of a DTLHS as follows. Given a DTLHS โ = (๐, ๐, ๐, ๐ ), the LTS of โ is defined as ๐ฟ๐ ๐(โ) = (๐๐ , ๐๐ , ๐ ห ), where ๐ ห : ๐๐ฅ ร ๐๐ ร ๐๐ฅ โ B is a function such that ๐ (๐ฅ, ๐ข, ๐ฅ) โก โ๐ฆ โ ๐๐ฆ ๐ (๐ฅ, ๐ข, ๐ฆ, ๐ฅ ), i.e., it represents the transition relation ห โฒ for the dynamics of the system. In such a way, a state for โ is also a state for ๐ฟ๐ ๐(โ), and a path for โ is also a path for ๐ฟ๐ ๐(โ). 2.4. LTS control problem A controller ๐พ is a solution for a control problem of a given DTLHS โ. It restricts the set of enabled behaviors of โ by selecting only those actions that bring the system to a goal region infinitely often. In the following, we recall the main formalization for controllers and control problems. 2.4.1. Definition of controller Given a set of states ๐ and a set of actions ๐ด, a controller is a function ๐พ : ๐ ร ๐ด โ B such that, โ๐ โ ๐ and โ๐ โ ๐ด, if ๐พ(๐ , ๐) holds, then โ๐ โฒ โ ๐ such that ๐ (๐ , ๐, ๐ โฒ ) holds. If ๐พ(๐ , ๐) holds, we say that action ๐ is enabled in state ๐ by ๐พ. The set of states for which the at least one action is enabled by a given controller ๐พ is defined as ๐๐๐(๐พ) = {๐ โ ๐ | โ๐ ๐พ(๐ , ๐)}. Given a controller ๐พ on ๐ and ๐ด, the closed-loop system for an LTS ๐ฎ = (๐, ๐ด, ๐ ) is the LTS ๐ฎ (๐พ) = (๐, ๐ด, ๐ (๐พ) ) where ๐ (๐พ) (๐ , ๐, ๐ โฒ ) = ๐ (๐ , ๐, ๐ โฒ ) โง ๐พ(๐ , ๐). In addition, a controller ๐พ is also a control law if, โ๐ โ ๐, ๐พ(๐ , ๐) holds at most for one action. Given an LTS ๐ฎ, a path ๐ is a fullpath if either it is infinite or its last state (๐ (๐) (|๐|)) does not have any successor state, (i.e., ๐ด๐๐(๐ฎ, ๐ (๐) (|๐|)) = โ ). The set of fullpaths of ๐ฎ starting from a state ๐ (i.e., ๐ (๐) (0) = ๐ ) with an action ๐ (i.e., ๐ (๐ด) (0) = ๐) is denoted by ๐ ๐๐กโ(๐ฎ, ๐ , ๐). Given a fullpath ๐ and a region ๐บ โ ๐, ๐(๐ฎ, ๐, ๐บ) denotes the shortest distance to reach ๐บ through ๐, i.e., ๐(๐ฎ, ๐, ๐บ) = min{๐ | ๐ > 0 โง ๐ (๐) (๐) โ ๐บ} if ๐(๐) โ ๐บ for some ๐, otherwise ๐(๐ฎ, ๐, ๐บ) = +โ. Furthermore, let ๐ฝ(๐ฎ, ๐บ, ๐ , ๐) = sup{๐(๐ฎ, ๐, ๐บ) | ๐ โ ๐ ๐๐กโ(๐ฎ, ๐ , ๐)} be the shortest distance to ๐บ starting with state ๐ and action ๐. This allows us to define ๐ฝ * (๐ฎ, ๐บ, ๐ ) = sup{๐ฝ(๐ฎ, ๐บ, ๐ , ๐) | ๐ โ ๐ด๐๐(๐ฎ, ๐ ) for some ๐ โ ๐ด} as the worst case distance from ๐บ. 2.4.2. Definition of control problem An LTS control problem is a triple ๐ซ = (๐ฎ, ๐ผ, ๐บ), where ๐ฎ = (๐, ๐ด, ๐ ) is an LTS and ๐ผ, ๐บ โ ๐. A (strong) solution for ๐ซ is a controller ๐พ for ๐ฎ such that ๐ผ โ ๐๐๐(๐พ) and โ๐ โ ๐๐๐(๐พ), ๐ฝ * (๐ฎ (๐พ) , ๐บ, ๐ ) is finite. An optimal solution for a control problem ๐ซ is a controller ๐พ * such * that โ๐พ ๐ฝ * (๐ฎ (๐พ ) , ๐บ, ๐ ) โค ๐ฝ * (๐ฎ (๐พ) , ๐บ, ๐ ). Along the same lines, the most general optimal (m.g.o.) solution is the solution ๐พ ยฏ such that, for all optimal solutions ๐พ * to ๐ซ, โ๐ โ ๐ and โ๐ โ ๐ด, ๐พ(๐, ๐ ) โ ๐พ ยฏ (๐, ๐ ) holds, i.e., if ๐พ(๐ , ๐) holds, then ๐พ ยฏ (๐ , ๐) holds. The m.g.o. solution is unique. 2.5. Control Problem for DTLHS Since an LTS models the dynamics of a DTLHS, a control problem for a DTLHS is formally reduced to a control problem for an LTS. Thus, a control problem for a DTLHS โ = (๐, ๐, ๐, ๐ ) is denoted as (๐ฟ๐ ๐(โ), ๐ผ, ๐บ) for some ๐ผ, ๐บ โ ๐๐ . In order to manage AD and DA conversions, we define a quantization function for real interval [๐, ๐] as a non-decreasing function ๐พ : [๐, ๐] โ Z, that maps real values inside a continuous real interval in integer values. Let a DTLHS โ = (๐, ๐, ๐, ๐ ) and let ๐ = ๐ โช ๐ , a quantization ๐ฌ is a pair (๐ด, ฮ) where: โข ๐ด is a predicate over ๐ that bounds real variables in ๐ , i.e., ๐ด = โง๐คโ๐ ๐ด๐ค = โง๐คโ๐ ๐๐ค โค โ๏ธ โค ๐๐ค . ๐ด๐ค defines the admissible region for variable ๐ค. For any ๐ โ ๐ , ๐ด๐ = ๐ค ๐ฃโ๐ ๐ด๐ฃ . โข ฮ = {๐พ๐ค | ๐ค โ ๐ โง ๐พ๐ค is a quantization function for ๐ด๐ค }, i.e., ฮ is a set of quantization functions for all real variables in โ. For ๐ = [๐ค1 , . . . , ๐ค๐ ] and ๐ฃ = [๐ฃ1 , . . . , ๐ฃ๐ ], we will write ฮ(๐ฃ) for the tuple [๐พ๐ค1 (๐ฃ1 ), . . . , ๐พ๐ค๐ (๐ฃ๐ )]. A quantized feedback control solution for a DTLHS control problem ๐ซ = (โ, ๐ผ, ๐บ), given a quantization ๐ฌ = (๐ด, ฮ) for โ = (๐, ๐, ๐, ๐ ), is a ๐พ solution to ๐ซ s.t.: โข if (๐ฅ, ๐ข) โ / ๐ด๐ ร ๐ด๐ , then ๐พ(๐ฅ, ๐ข) = 0; โข otherwise, ๐พ(๐ฅ, ๐ข) = ๐พ ห (ฮ(๐ฅ), ฮ(๐ข)), being ๐พ ห : ฮ(๐ด๐ ) ร ฮ(๐ด๐ ) โ B, i.e., ๐พ works by only looking at the (integer) values coming after the AD conversion. 2.6. Automatically Generating Quantized Feedback Solutions for DTLHS Quantized Control Problems In the following, we focus on QKS (Quantized Kontrol Synthesizer, [43]), which takes as input a quantization control problem ๐ซ = (โ, ๐ผ, ๐บ) for a DTLHS โ = (๐, ๐, ๐, ๐ ) with quantization ๐ฌ = (๐ด, ฮ) and output a correct-by-construction quantized feedback control solution to ๐ซ. To this aim, QKS goes through the procedure shown in Algorithm 1. Namely, in step 1, initial region ๐ผ and goal region ๐บ are quantized. In step 2, a minimal control abstraction is computed as an LTS โฬ(ฮ(๐ด๐ ), ฮ(๐ด๐ ), ๐ ห ). In a nutshell, in the minimal control abstraction, each abstract transition in ๐ ห stems from some concrete transition in โ and viceversa, i.e., ๐ ห, ๐ หโฒ ) if and ห (๐ ห, ๐ only if there exists ๐ฆ โ ๐ s.t. ๐ (๐ , ๐, ๐ โฒ ) holds. Some special cases (self loops and actions going outside the admissible region ๐ด) are treated separately [43]. In step 3, the output quantized controller ๐พ ห is computed with its domain ๐ท ห and a boolean value ๐ which is true iff ๐ผห โ ๐๐๐(๐พ ห ), i.e., if ๐พ is able to control all states in the initial region. Note that, if ๐ is false, QKS provides ห a necessary condition (not detailed here) for controller existence. The quantized controller synthesis for DTLHSs is actually an undecidable problem [49]. Algorithm 1 QFC Synthesis Algorithm Input: DTLHS control problem (โ, ๐ผ, ๐บ), quantization ๐ฌ = (๐ด, ฮ) function: ๐๐ถ๐ก๐๐๐ฆ๐๐ก(โ, ๐ฌ, ๐ผ, ๐บ) ห โ ฮ(๐ผ), ๐บ 1: ๐ผ ห โ ฮ(๐บ) 2: โณฬ โ ๐๐๐๐ถ๐ก๐๐ด๐๐ (โ, ๐ฌ) ห,๐พ 3: (๐, ๐ท ห ) return (๐, ๐ท ห ) โ ๐ ๐ก๐๐๐๐๐ถ๐ก๐(โณฬ, ๐ผห, ๐บ ห,๐พ ห) Algorithm 2 details the computation performed in step 3 of Algorithm 1. Namely, function ๐ ๐ก๐๐๐๐๐ถ๐ก๐ starts with an empty controller (step 1). Then, a loop is performed in which, at the ๐-th iteration, the states which are at worst case distance ๐ from the goal for some action ๐ (๐น in step 3) are added to ๐พ, provided that no other actions already existed for those states (with distance ๐ < ๐, step 4). All computations are performed representing sets as OBDDs (Ordered Binary Decision Diagrams) [50, 51]. Algorithm 2 Most General Optimal Controller Synthesis Input: An LTS control problem (๐ฎ, ๐ผ, ๐บ), ๐ฎ = (๐, ๐ด, ๐ ). function: ๐ ๐ก๐๐๐๐๐ถ๐ก๐(๐ฎ, ๐ผ, ๐บ) 1: ๐พ(๐ , ๐) โ 0, ๐ท(๐ ) โ ๐บ(๐ ), ๐ท ห (๐ ) โ 0 ห 2: while ๐ท(๐ ) ฬธ= ๐ท (๐ ) do: 3: ๐น (๐ , ๐) โ โ๐ โฒ ๐ (๐ , ๐, ๐ โฒ ) โง โ๐ โฒ [๐ (๐ , ๐, ๐ โฒ ) โ ๐ท(๐ โฒ )] 4: ๐พ(๐ , ๐) โ ๐พ(๐ , ๐) โจ (๐น (๐ , ๐) โง ฬธ โ๐ ๐พ(๐ , ๐)) 5: ๐ทห (๐ ) โ ๐ท(๐ ), ๐ท(๐ ) โ ๐ท(๐ ) โจ โ๐ ๐พ(๐ , ๐) 6: return โจโ๐ [๐ผ(๐ ) โ โ๐ ๐พ(๐ , ๐)], โ๐ ๐พ(๐ , ๐), ๐พ(๐ , ๐)โฉ 3. Stabilizing Controllers The quantized controllers defined in Section 2 are designed so that to drive all controlled states inside the goal infinitely often. That is, for a DTLHS control problem ๐ซ = (โ, ๐ผ, ๐บ), if ๐ โ ๐บ, then a controller ๐พ can possibly enable an action ๐ leading to a state ๐ โฒ โ / ๐บ, i.e., ๐พ(๐ , ๐) โง โ๐ โฒ [๐ / ๐บ]. However, ๐พ will eventually bring all descendants of ๐ โฒ back ห (๐ , ๐, ๐ โฒ ) โง ๐ โฒ โ into ๐บ, i.e., if ๐ฎ = ๐ฟ๐ ๐(โ), โ๐ โ ๐ด. ๐พ(๐ โฒ , ๐) โ โ๐ โ ๐ ๐๐กโ(๐ฎ (๐พ) , ๐ โฒ , ๐). โ๐ ๐ ๐ (๐) โ ๐บ. In some safety- or mission-critical applications, this could not be enough, as it is desired that, once the goal is reached, the controller does not let any state escape from it, i.e., โ๐ โ ๐บ โฉ ๐๐๐(๐พ), if ๐พ(๐ , ๐) then โ๐ โฒ . ๐ (๐ , ๐, ๐ โฒ ) โ ๐ โฒ โ ๐บ. If a controller succeeds in doing this, then it is said to be a stabilizing controller. It is easy to see that, for a given quantized DTLHS control problem, if a stabilizing controller ๐พ exists, then QKS returns ๐พ. In fact, function ๐ ๐ก๐๐๐๐๐ถ๐ก๐ in Algorithm 2 always returns the action with the lowest (worst case) distance from the goal, thus if there exists an action ๐ which directly maintains a goal state ๐ โ ๐บ inside the goal, ๐ is enabled in ๐ by ๐พ. If another action ๐ is enabled in ๐ by ๐พ, it must not have the same distance as ๐, thus it is stabilizing as well. Unfortunately, the procedure used by QKS does not detect if the output controller is actually stabilizing or not. In this paper, we present an automatic procedure which modifies function ๐ ๐ก๐๐๐๐๐ถ๐ก๐ so that the controlled states are all stabilized in the goal for at least ๐ โฅ 0 steps, where ๐ is an additional input to both ๐ ๐ก๐๐๐๐๐ถ๐ก๐ and ๐๐ถ๐ก๐๐๐ฆ๐๐ก (Algorithm 1). That is, the output ๐พ๐ must be an ๐-stabilizing controller such that: 1. ๐พ๐ is a strong controller for the problem ๐ซ. 2. โ ๐ โ ๐๐๐(๐พ๐ ) โ ๐ โ ๐ด๐๐(๐ฎ, ๐ ) ๐พ๐ (๐ , ๐) holds if and only if โ๐ โฅ 0, ๐ โ ๐ ๐๐กโ(๐ฎ (๐พ๐ ) , ๐ , ๐). ๐ (๐) (๐) โ ๐บ โ [โ ๐ = 1, . . . , ๐ โ 1. ๐ (๐) (๐ + ๐) โ ๐บ]. 4. Synthesis of Stabilizing Controllers In order to compute the ๐-stabilizing controller for a quantized DTLHS control problem ๐ซ = (โ, ๐ผ, ๐บ) with quantization ๐ฌ, we modified function ๐๐ถ๐ก๐๐๐ฆ๐๐ก of Algorithm 1 so that: i) it takes an integer ๐ โฅ 0 as an additional input; ii) in step 3, it calls function ๐ ๐ก๐๐๐๐๐๐ก๐๐๐ถ๐ก๐ instead of function ๐ ๐ก๐๐๐๐๐ถ๐ก๐, also passing ๐ to it. Algorithm 3 Stabilizing Controller Synthesis Input: An LTS control problem (๐ฎ, ๐ผ, ๐บ), ๐ฎ = (๐, ๐ผ, ๐บ), integer ๐ โฅ 0. function: ๐ ๐ก๐๐๐๐๐๐ก๐๐๐ถ๐ก๐(๐ฎ, ๐ผ, ๐บ, ๐) 1: ๐พ๐ (๐ , ๐) โ 0, ๐ท(๐ ) โ 0, ๐ท ห (๐ ) โ 1 ห 2: while ๐ท(๐ ) ฬธ= ๐ท (๐ )) do: 3: ๐น (๐ , ๐) โ โ๐ โฒ ๐ (๐ , ๐, ๐ โฒ ) โง โ๐ โฒ [๐ (๐ , ๐, ๐ โฒ ) โ (๐ท(๐ โฒ ) โจ (๐บ(๐ โฒ ) โง 4: โง โ๐ 1 ๐1 , . . . , ๐ ๐ ๐๐ ๐ 1 = ๐ โฒ โง โ๐ = 1, . . . , ๐ [๐ (๐ ๐ , ๐๐ , ๐ ๐+1 ) โ ๐บ(๐ ๐+1 )])] 5: ๐พ๐ (๐ , ๐) โ ๐พ๐ (๐ , ๐) โจ (๐น (๐ , ๐) โง ฬธ โ๐ ๐พ๐ (๐ , ๐)) 6: ๐ทห (๐ ) โ ๐ท(๐ ), ๐ท(๐ ) โ ๐ท(๐ ) โจ โ๐ ๐พ๐ (๐ , ๐) 7: return โจโ๐ [๐ผ(๐ ) โ โ๐ ๐พ๐ (๐ , ๐)], โ๐ ๐พ๐ (๐ , ๐), ๐พ๐ (๐ , ๐)โฉ We then added function ๐ ๐ก๐๐๐๐๐๐ก๐๐๐ถ๐ก๐ to QKS, which is detailed in Algorithm 3. Functions ๐ ๐ก๐๐๐๐๐๐ก๐๐๐ถ๐ก๐ and ๐ ๐ก๐๐๐๐๐ถ๐ก๐ are similar, but with important differences. Both use a set ๐ท(๐ ) (set of controlled states) to accumulate all found controllable states in the current iteration and a set ๐ท ยฏ (๐ ) to store all controlled states up to the previous iteration. Basically, the idea is to end the computation when the procedure does not find other controllable states. Iteratively, both procedures look for new pairs state-action. After that, they update the ๐ท ยฏ (๐ ) to the previous iteration and add new controllable states to ๐ท(๐ ). The main difference is in selecting pairs state-action. The state-of-the-art condition requires that a state ๐ is controllable if, for a given action ๐, it presents at least a transition to successor state and, every successor state is inside the set of controlled states. A controlled state can be inside the goal region or belongs to a path that brings the system to the goal region. Since the set of the controlled state is initialized as the set of states within the goal region, the condition works. By contrast, stabilizing controllers are required to check also the stabilizing subpath inside ๐บ. This new condition establishes that each state is controllable if: โข it presents at least a successor state; โข every successor state either is inside the set of controlled states or belongs to the goal region along with a next stabilizing subpath of length ๐ where each state is inside the goal region. In such a way, a state can be controlled even when it belongs to a path that brings the system up to ๐บ and stabilizes it inside ๐บ. Making a comparison between these two conditions, we can see how stabilizing controllers incrementally restrict possible paths of the system, because any shortest stabilizing subpath than ๐ inside the goal region is discarded. 5. Experimental Results To establish the viability of our approach, we provided a C implementation of our algorithm inside QKS. We exploited the OBDD library as for the standard strong m.g.o. synthesis algorithm. Likewise, our algorithm will result in a controller implemented as a C function. We performed several experiments on two case studies: Multi-Buck DC-DC converter [52, 53] and Inverted Pendulum [54]. We provided experimental results on several configurations of Multi-Buck DC-DC converter in terms of switches. For the inverted pendulum, instead, we have one configuration. We used several machines on High-Performance Computing (HPC) infrastructure to synthesize the output controller. The quantization of the control problem requires specifying the number of bits for the quantization schema. We carried out several runs by using 9, 10 and 11 bits. Moreover, we incremented the size of ๐ according to obtained results. When QKS did not find a stabilizing controller for a given ๐, we terminated the experiments on that model. 5.1. Multi Buck DC-DC converter 5.1.1. Case study description Buck DC-DC converter is a mixed-mode circuit that converts DC input voltage to desired output DC output voltage. For example, it is used to scale down to typical laptop battery voltage (12-24) getting a few low voltages needed by laptop processor (e.g., [53]). Another example m +๐ฃ๐๐ข ฮธ ๐ข๐ ๐ผ๐๐ข ๐ข +๐ฃ๐โ1 ๐ท ๐ท ๐ข๐โ1+๐ฃ๐โ1 ๐โ1 ๐ข ๐ผ๐โ1 ๐๐ฟ l +๐ฃ๐๐ข +๐ฃ ๐ท ๐ข๐ ๐ ๐ท๐ ๐๐ฟ +๐ฃ๐ ๐๐ ๐ผ๐๐ข ๐ฟ ... +๐ฃ1๐ข ๐๐โ1 ๐ข1 ๐ท1 +๐ฃ๐ถ ๐ถ F ๐๐ ... ๐ผ1๐ข +๐ฃ1๐ท ๐ ๐1 ๐ท0 ๐๐ถ ๐๐ถ +๐ฃ๐ท ๐๐ท (a) Multi-input Buck DC-DC converter (b) Inverted Pendulum Figure 1: Case studies for experiments concerns to support Dynamic Voltage and Frequency Scaling (DVFS) in multicore processors (e.g., [55]). A typical software approach manages the switches ๐ข1 , ...๐ข๐ through a microcontroller. In such a model, shown in Figure 1a, we have ๐ power supplies with voltage ๐1 , ..., ๐๐ . ๐ switches with voltage ๐ฃ1๐ข , ...., ๐ฃ๐๐ข . Current values ๐ผ1๐ข , ...., ๐ผ๐๐ข . ๐ input diodes ๐ท0 , ...., ๐ท๐โ1 and current ๐๐ท0 , ...., ๐๐โ1 . The circuit state variables are ๐๐ฟ and ๐ฃ๐ . In the following we recall the ๐ท guarded predicate which model the multi-buck as a DTLHS, where coefficients ๐๐ depend on circuit parameters as follows: ๐1,1 = โ ๐๐ฟ๐ฟ , ๐1,2 = โ ๐ฟ1 , ๐1,3 = โ ๐ฟ1 , ๐2,1 = ๐๐๐ ๐๐ ๐๐ฟ +๐ [โ ๐ฟ + ๐ถ ], 1 +๐ [ ๐ฟ + ๐ถ ], ๐2,3 = โ ๐ฟ ๐๐ +๐ . For a complete discussion see [48]). ๐2,2 = ๐๐โ1 ๐๐ ๐ 1 1 ๐๐ ๐ ๐โฒ๐ฟ = (1 + ๐ ๐1,1 )๐๐ฟ + ๐ ๐1,2 ๐ฃ๐ + ๐ ๐1,3 ๐ฃ๐ท ๐ฃ๐ท = ๐ฃ๐๐ขโ๏ธ โ ๐๐ ๐0 โ (๐๐ท โฅ 0) โฒ ๐ฃ๐ = ๐ ๐โ๏ธ2,1 ๐๐ฟ + (1 + ๐ ๐2,2 )๐ฃ๐ + ๐ ๐2,3 ๐ฃ๐ท ๐๐ฟ = ๐๐ท + ๐๐=1 ๐ผ๐๐ข ยฏ๐ 0 โ (๐ฃ๐ท โค 0) ๐ โ (๐ฃ๐๐ท = ๐ on ๐ผ๐๐ข ) ๐ โ (๐ฃ๐ท = ๐ on ๐๐ท ) ยฏ๐ โ (๐ฃ๐ท = ๐ off ๐๐ท ) โ๏ธ ๐โ[๐] ๐ โ๏ธ0 โ๏ธ0 ยฏ๐ ๐ โ (๐ฃ๐๐ท = ๐ off ๐ผ๐๐ข ) ๐๐ โ (๐ผ๐๐ข โฅ 0) ยฏ๐ โ (๐ฃ ๐ท โค 0) โ๏ธ ๐โ[๐] ๐ข ๐ข โ๏ธ ๐โ[๐] ๐ข ๐ข โ๏ธ ๐โ[๐] ๐ ๐ข ๐ ๐ท ๐โ[๐โ1] ๐ข๐ โ (๐ฃ๐ = ๐ on ๐ผ๐ ) ๐โ[๐โ1] ๐ขยฏ ๐ โ (๐ฃ๐ = ๐ off ๐ผ๐ ) ๐โ[๐] ๐ฃ๐ท = ๐ฃ๐ + ๐ฃ๐ โ ๐๐ 5.1.2. Experiments evaluation We used three different configurations of the non-robust buck DC-DC converter. We carried out experiments with ๐ = 1, 2, 3 in the number of switches. For every configuration, as a baseline, we synthesized a controller also using the standard strong m.g.o. synthesis algorithm (๐ = 0). Our experimental results are shown in Table 1. Columns in Table 1 have the following meaning: ๐ is the number of power supplies in the multi-buck, Bits is the number of bits used for the quantization of the DTLHS state variables, ๐ is the value for the ๐-stabilizing controller, Nodes is the number of internal nodes of the OBDD representing the resulting ๐-stabilizing controller, Actions and States are the number of actions enabled and the number of states controlled by the resulting ๐-stabilizing controller, and finally Memory and Time provide the RAM usage in MB and the execution time in seconds, respectively. As shown in Table 1, we are able to synthesize only 0-stabilizing controllers using 9 bits. By contrast, using 10 and 11 bits, our runs result in a strong controller with stabilizing length ๐ = 1 for ๐ = 1, 2, 3 power supplies. In any case, we did not obtain a stabilizing controller for ๐ = 2. We simulated the system with ๐ = 1 power supplies and ๐ = 10 bits for the AD quantization. (a) ๐ฃ๐ simulation trajectories (b) ๐๐ฟ simulation trajectories Figure 2: Multi-Buck DC-DC simulations with n=1 and b=10 bits The starting state of the simulation is ๐ฃ๐ = 4 and ๐๐ฟ = 3. We obtained the trajectories reported in Figure 2 over a time horizon ๐ โ [0, 200] in three different settings: without a controller, control-loop with the 0-stabilizing controller, and control-loop with the 1-stabilizing controller. In Figure 2a, we can observe how both controllers drive the system toward the goal region. However, the 1-stabilizing controller stabilizes the system faster than the 0-stabilizing controller, and it provides better stability inside the goal region. Conversely, Figure 2b shows that in any case, the current value reaches the goal, but still, ๐-stabilizing controllers, incrementally in terms of ๐, lead to better stability. (a) Actions (b) 1-Stabilizing Controller Figure 3: Multi-Buck DC-DC experiment with n=1 and b=10 bits In Figure 3 we provide a visual representation for ๐ = 1 power supplies and ๐ = 10 bits for the AD quantization. Figure 3a encodes action 1 with green, 0 with purple and any action with pink. It illustrates the distribution of actions inside the control region. Figure 3b shows the distribution of actions in the control region. The synthesis of stabilizing controllers involves a higher computational cost. In fact, the size of ๐ increases the amount of memory and time needed for a single computation. In such a context, both the memory usage and execution time depend on the number of bits used for the quantization schema, the size of the model and the length of the stabilizing subpath specified by the user. Table 1 Multi Buck DC-DC converter experiments ๐ Bits ๐ Nodes Actions States Memory (MB) Time (s) 1 9 0 3246 255309 223703 218.07 2.213460e+03 1 9 1 1 0 0 298.36 2.269390e+03 1 10 0 12207 1048770 943713 552.08 9.285320e+03 1 10 1 11865 1042325 943713 876.57 2.681168e+04 1 10 2 1 0 0 1952.13 8.743820e+03 1 11 0 32597 4312433 3840526 1832.43 3.896438e+04 1 11 1 31216 4277932 3840526 3184.59 9.040446e+04 1 11 2 1 0 0 7956.45 3.257370e+04 2 9 0 8063 318057 237420 337.75 5.760150e+03 2 9 1 1 0 0 433.08 5.258140e+03 2 10 0 25977 1290474 986115 978.55 2.171697e+04 2 10 1 25145 1260858 986115 1475.83 4.703410e+04 2 10 2 1 0 0 2975.62 1.545672e+04 2 11 0 62733 5314364 3981081 3520.31 9.021701e+04 2 11 1 60308 5202979 3981081 5392.5 1.530524e+05 2 11 2 1 0 0 12096.40 6.382998e+04 3 9 0 12150 946463 240977 558.31 1.249221e+04 3 9 1 1 0 0 682.47 1.150078e+04 3 10 0 37201 3817353 997023 1829.64 4.669121e+04 3 10 1 37101 3767342 997023 2502.92 5.028375e+04 3 10 2 1 0 0 4849.4 3.937717e+04 3 11 0 91502 15715546 4022278 6855.14 1.629664e+05 3 11 1 92178 15390590 4022278 9474.27 2.455190e+05 3 11 2 1 0 0 20331.05 1.588620e+05 5.2. Inverted Pendulum 5.2.1. Case study description The controller synthesis for the Inverted Pendulum (IP) [54] is widely studied through QKS (e.g., [56, 57, 48]). The system, shown in Figure 1b, is modelled by using an angle ๐ and the angular velocity ๐ฬ as a state variables. The input variable is the torquing force that influences the torquing velocity in both directions. The input of the system is the torquing force ๐ข ยท ๐น which can influence the velocity in any direction. ๐ข is the direction and ๐น is the intensity of the force. In this problem, we try to find a discrete controller whose actions can be: โapply the force clockwiseโ (๐ข = 1), โapply the force counterclockwiseโ (๐ข = โ1) and โdo nothingโ (๐ข = 0). The behaviour of the system is based on the pendulum mass ๐, the length of the pendulum ๐ and the gravitational acceleration ๐. The motion of the system is described by the differential equation ๐ฬ = ๐๐ sin ๐ + ๐๐1 2 ๐ข๐น . In the following we recall the guarded predicate which model the inverted pendulum as a DTLHS, where ๐ฆ๐ variables are in ๐ and ๐ผ๐ for ๐ = 1, . . . , 4 represent a partition of the interval [โ๐, ๐]. For a complete discussion see [48]. ๐ 1 (๐ฅโฒ1 = ๐ฅ1 + 2๐๐ฆ๐ + ๐ ๐ฅ2 ) โง (๐ฅโฒ2 = ๐ฅ2 + ๐ ๐ฆsin + ๐ 2 ๐ข๐น ) ๐ โ๏ธ ๐๐ โง ๐โ[4] ๐ฆ๐ โ ๐๐โ (๐ฆ๐ผ ) โค ๐ฆsin โค ๐๐+ (๐ฆ๐ผ ) โง ๐โ[4] ๐ฆ๐ โ ๐ฆ๐ผ โ ๐ผ๐ โง ๐โ[4] ๐ฆ๐ โฅ 1 โ๏ธ โ๏ธ โง ๐ฅ1 = 2๐๐ฆ๐ + ๐ฆ๐ผ โง โ๐ โค ๐ฅโฒ1 โค ๐ 5.2.2. Experiments evaluation Our experimental results are shown in Table 2. Columns in Table 2 have the same meaning of the columns with the same name in Table 1. We note that, in such a case study, only 0-stabilizing controllers exist. Table 2 Inverted pendulum experiments Bits ๐ Nodes Actions States Memory (MB) Time 9 0 12238 453843 262144 324.87 7.200670e+03 9 1 1 0 0 455.29 6.550130e+03 10 0 24878 1831288 1048576 916.39 3.348904e+04 10 1 1 0 0 1495.06 3.536044e+04 11 0 51110 7335238 4194304 3229.16 1.658496e+05 11 1 1 0 0 5602.21 1.640529e+05 6. Conclusions We provided a new concept of controllers along with a specific synthesis algorithm. Ensuring the system meets liveness/safety property is a key goal in safety/mission-critical contexts. On such a basis, the development of correct-by-construction controllers increasing safety guarantees can become a challenge for many CPSs. On the other hand, the experiments showed several settings in which we can not obtain stabilizing controllers. Moreover, each performed run required more computational resources (i.e., time and memory) than the standard synthesis algorithm. However, the need for correctness of safety/mission-critical systems justifies the usage of a higher quantity of computational resources. As future works, we may go in several directions. Firstly, we plan to provide a simulation environment as a tool to observe the resulting trajectories of the input system in the closed-loop with the controller provided by QKS. Secondly, to extend the algorithm of weak controller synthesis to give the user some information about stabilizing controllers (if the strong algorithm fails). Thirdly, to perform computational evaluations to establish the computational cost in terms of user-defined input parameters. Last but not least, we plan to provide more experimental results on several case studies. Acknowledgments This work was partially supported by: Italian Ministry of University and Research under grant โDipartimenti di eccellenza 2018โ2022โ of the Department of Computer Science of Sapienza University of Rome. References [1] A. Basu, S. Bensalem, M. Bozga, B. Delahaye, A. Legay, E. Sifakis, Verification of an AFDX infrastructure using simulations and probabilities, in: RV 2010, volume 6418 of LNCS, Springer, 2010. doi:10.1007/978-3-642-16612-9_25. [2] L. Planke, Y. Lim, A. Gardi, R. Sabatini, T. K., N. Ezer, A cyber-physical-human system for one-to-many uas operations: Cognitive load analysis, Sensors 20 (2020). doi:10.3390/ s20195467. [3] Z. Wu, N. Huang, X. Zheng, X. Li, Cyber-physical avionics systems and its reliability evaluation, in: IEEE CYBER 2014, IEEE, 2014. doi:10.1109/CYBER.2014.6917502. [4] K. Sampigethaya, R. Poovendran, Aviation cyber-physical systems: Foundations for future aircraft and air transport, Proc. IEEE 101 (2013). doi:10.1109/JPROC.2012.2235131. [5] T. Mancini, F. Mari, I. Melatti, I. Salvo, E. Tronci, J. Gruber, B. Hayes, M. Prodanovic, L. Elmegaard, Demand-aware price policy synthesis and verification services for smart grids, in: SmartGridComm 2014, IEEE, 2014. doi:10.1109/SmartGridComm.2014. 7007745. [6] I. Melatti, F. Mari, T. Mancini, M. Prodanovic, E. Tronci, A two-layer near-optimal strategy for substation constraint management via home batteries, IEEE Trans. Ind. Elect. (2021). doi:10.1109/TIE.2021.3102431. [7] B. Hayes, I. Melatti, T. Mancini, M. Prodanovic, E. Tronci, Residential demand management using individualised demand aware price policies, IEEE Trans. Smart Grid 8 (2017). doi:10. 1109/TSG.2016.2596790. [8] T. Mancini, F. Mari, I. Melatti, I. Salvo, E. Tronci, J. Gruber, B. Hayes, M. Prodanovic, L. Elmegaard, User flexibility aware price policy synthesis for smart grids, in: DSD 2015, IEEE, 2015. doi:10.1109/DSD.2015.35. [9] T. Mancini, F. Mari, I. Melatti, I. Salvo, E. Tronci, J. Gruber, B. Hayes, L. Elmegaard, Parallel statistical model checking for safety verification in smart grids, in: SmartGridComm 2018, IEEE, 2018. doi:10.1109/SmartGridComm.2018.8587416. [10] D. Goswami, R. Schneider, A. Masrur, M. Lukasiewycz, S. Chakraborty, H. Voit, A. An- naswamy, Challenges in automotive cyber-physical systems design, in: SAMOS 2012, IEEE, 2012. doi:10.1109/SAMOS.2012.6404199. [11] S. Chakraborty, M. Al Faruque, W. Chang, D. Goswami, M. Wolf, Q. Zhu, Automotive cyberโphysical aystems: A tutorial introduction, IEEE Des.&Test 33 (2016). doi:10.1109/ MDAT.2016.2573598. [12] L. Zhang, Modeling automotive cyber physical systems, in: DCABES 2013, IEEE, 2013. doi:10.1109/DCABES.2013.20. [13] S. Osswald, S. Matz, M. Lienkamp, Prototyping automotive cyber-physical systems, in: Adjunct Proceedings of the 6th International Conference on Automotive User Interfaces and Interactive Vehicular Applications, 2014, pp. 1โ6. [14] M. Hengartner, T. Kruger, K. Geraedts, E. Tronci, T. Mancini, F. Ille, M. Egli, S. Roeblitz, R. Ehrig, L. Saleh, K. Spanaus, C. Schippert, Y. Zhang, B. Leeners, Negative affect is unrelated to fluctuations in hormone levels across the menstrual cycle: Evidence from a multisite observational study across two successive cycles, J. Psycho. Res. 99 (2017). doi:10.1016/j.jpsychores.2017.05.018. [15] B. Leeners, T. Kruger, K. Geraedts, E. Tronci, T. Mancini, F. Ille, M. Egli, S. Roeblitz, L. Saleh, K. Spanaus, C. Schippert, Y. Zhang, M. Hengartner, Lack of associations between female hormone levels and visuospatial working memory, divided attention and cognitive bias across two consecutive menstrual cycles, Front. Behav. Neuro. 11 (2017). doi:10.3389/ fnbeh.2017.00120. [16] B. Leeners, T. Krรผger, K. Geraedts, E. Tronci, T. Mancini, M. Egli, S. Rรถblitz, L. Saleh, K. Spanaus, C. Schippert, Y. Zhang, F. Ille, Associations between natural physiological and supraphysiological estradiol levels and stress perception, Front. Psycol. 10 (2019). doi:10.3389/fpsyg.2019.01296. [17] F. Maggioli, T. Mancini, E. Tronci, SBML2Modelica: Integrating biochemical models within open-standard simulation ecosystems, Bioinformatics 36 (2020). doi:10.1093/ bioinformatics/btz860. [18] T. Mancini, E. Tronci, I. Salvo, F. Mari, A. Massini, I. Melatti, Computing biological model parameters by parallel statistical model checking, in: IWBBIO 2015, volume 9044 of LNCS, Springer, 2015. doi:10.1007/978-3-319-16480-9_52. [19] T. Mancini, F. Mari, A. Massini, I. Melatti, I. Salvo, S. Sinisi, E. Tronci, R. Ehrig, S. Rรถblitz, B. Leeners, Computing personalised treatments through in silico clinical trials. A case study on downregulation in assisted reproduction, in: RCRA 2018, volume 2271 of CEUR W.P., CEUR, 2018. [20] E. Tronci, T. Mancini, I. Salvo, S. Sinisi, F. Mari, I. Melatti, A. Massini, F. Daviโ, T. Dierkes, R. Ehrig, S. Rรถblitz, B. Leeners, T. Krรผger, M. Egli, F. Ille, Patient-specific models from inter-patient biological models and clinical records, in: FMCAD 2014, IEEE, 2014. doi:10. 1109/FMCAD.2014.6987615. [21] S. Sinisi, V. Alimguzhin, T. Mancini, E. Tronci, B. Leeners, Complete populations of virtual patients for in silico clinical trials, Bioinformatics 36 (2020). doi:10.1093/ bioinformatics/btaa1026. [22] S. Sinisi, V. Alimguzhin, T. Mancini, E. Tronci, F. Mari, B. Leeners, Optimal personalised treatment computation through in silico clinical trials on patient digital twins, Fundam. Inform. 174 (2020). doi:10.3233/FI-2020-1943. [23] S. Sinisi, V. Alimguzhin, T. Mancini, E. Tronci, Reconciling interoperability with efficient verification and validation within open source simulation environments, Simul. Model. Pract. Theory 109 (2021). doi:10.1016/j.simpat.2021.102277. [24] W. Brogan, Modern Control Theory (3rd Ed.), Prentice H., 1991. doi:10.5555/135299. [25] M. Cadoli, T. Mancini, F. Patrizi, SAT as an effective solving technology for constraint problems, in: ISMIS 2006, volume 4203 of LNCS, Springer, 2006. [26] M. Cadoli, T. Mancini, Combining relational algebra, SQL, constraint modelling, and local search, TPLP 7 (2007). doi:10.1017/S1471068406002857. [27] T. Mancini, P. Flener, J. Pearson, Combinatorial problem solving over relational databases: View synthesis through constraint-based local search, in: SAC 2012, ACM, 2012. doi:10. 1145/2245276.2245295. [28] G. Gottlob, G. Greco, T. Mancini, Conditional constraint satisfaction: Logical foundations and complexity, in: IJCAI 2007, 2007. [29] T. Mancini, M. Cadoli, Detecting and breaking symmetries by reasoning on problem specifications, in: SARA 2005, volume 3607 of LNCS, Springer, 2005. [30] T. Mancini, M. Cadoli, D. Micaletto, F. Patrizi, Evaluating ASP and commercial solvers on the CSPLib, Constraints 13 (2008). [31] E. Clarke, O. Grumberg, D. Peled, Model Checking, MIT, 1999. [32] G. Della Penna, B. Intrigila, I. Melatti, E. Tronci, M. Venturini Zilli, Bounded probabilistic model checking with the Mur๐ verifier, in: FMCAD 2004, IEEE, 2004. [33] T. Mancini, F. Mari, A. Massini, I. Melatti, F. Merli, E. Tronci, System level formal verification via model checking driven simulation, in: CAV 2013, volume 8044 of LNCS, Springer, 2013. doi:10.1007/978-3-642-39799-8_21. [34] T. Mancini, F. Mari, A. Massini, I. Melatti, E. Tronci, System level formal verification via distributed multi-core hardware in the loop simulation, in: PDP 2014, IEEE, 2014. doi:10.1109/PDP.2014.32. [35] T. Mancini, F. Mari, A. Massini, I. Melatti, E. Tronci, Anytime system level verification via random exhaustive hardware in the loop simulation, in: DSD 2014, IEEE, 2014. doi:10. 1109/DSD.2014.91. [36] T. Mancini, F. Mari, A. Massini, I. Melatti, E. Tronci, SyLVaaS: System level formal verification as a service, in: PDP 2015, IEEE, 2015. doi:10.1109/PDP.2015.119. [37] T. Mancini, F. Mari, A. Massini, I. Melatti, E. Tronci, SyLVaaS: System level formal verification as a service, Fundam. Inform. 149 (2016). doi:10.3233/FI-2016-1444. [38] T. Mancini, F. Mari, A. Massini, I. Melatti, E. Tronci, Anytime system level verification via parallel random exhaustive hardware in the loop simulation, Microprocessors and Microsystems 41 (2016). doi:10.1016/j.micpro.2015.10.010. [39] T. Mancini, F. Mari, A. Massini, I. Melatti, I. Salvo, E. Tronci, On minimising the maximum expected verification time, Inf. Proc. Lett. 122 (2017). doi:10.1016/j.ipl.2017.02.001. [40] T. Mancini, I. Melatti, E. Tronci, Any-horizon uniform random sampling and enumeration of constrained scenarios for simulation-based formal verification, IEEE TSE (2021). doi:10. 1109/TSE.2021.3109842. [41] M. Mazo, A. Davitian, P. Tabuada, PESSOA: A tool for embedded controller synthesis, in: CAV 2010, volume 6174 of LNCS, Springer, 2010. doi:10.1007/978-3-642-14295-6_ 49. [42] H. Peter, R. Ehlers, R. Mattmรผller, Synthia: Verification and synthesis for timed automata, in: CAV 2011, volume 6806 of LNCS, Springer, 2011. doi:10.1007/978-3-642-22110-1_ 52. [43] F. Mari, I. Melatti, I. Salvo, E. Tronci, Model based synthesis of control software from system level formal specifications, ACM TOSEM 23 (2014). [44] F. Dullerud, G.E.and Paganini, Stabilizing Controllers, Springer, 2000. doi:10.1007/ 978-1-4757-3290-0_6. [45] V. M. Popov, R. Georgescu, Hyperstability of Control Systems, Springer, 1973. doi:10. 5555/578779. [46] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo, E. Tronci, On-the-fly control software synthesis, in: SPIN 2013, volume 7976 of LNCS, Springer, 2013. doi:10.1007/ 978-3-642-39176-7_5. [47] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo, E. Tronci, A map-reduce parallel approach to automatic synthesis of control software, in: SPIN 2013, volume 7976 of LNCS, Springer, 2013. doi:10.1007/978-3-642-39176-7_4. [48] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo, E. Tronci, On model based synthesis of embedded control software, in: EMSOFT 2012, ACM, 2012. doi:10.1145/2380356.2380398. [49] F. Mari, I. Melatti, I. Salvo, E. Tronci, Undecidability of quantized state feedback control for discrete time linear hybrid systems, in: ICTAC 2012, volume 7521 of LNCS, Springer, 2012. doi:10.1007/978-3-642-32943-2_19. [50] R. Bryant, Binary decision diagrams and beyond: Enabling technologies for formal verification, in: ICCAD 1995, IEEE, 1995. doi:10.1109/ICCAD.1995.480018. [51] R. Drechsler, J. Shi, G. Fey, Synthesis of fully testable circuits from BDDs, IEEE Trans. Comp.-Aided Des. Integr. Circ. & Sys. 23 (2004). doi:10.1109/TCAD.2004.823342. [52] G. Schrom, P. Hazucha, J. Hahn, D. S. Gardner, B. A. Bloechel, G. Dermer, S. G. Narendra, T. Karnik, V. De, A 480-mhz, multi-phase interleaved buck dc-dc converter with hysteretic control, in: 2004 IEEE 35th annual power electronics specialists conference (IEEE Cat. No. 04CH37551), volume 6, IEEE, 2004, pp. 4702โ4707. [53] W.-C. So, C. Tse, Y.-S. Lee, Development of a fuzzy logic controller for DC/DC converters: Design, computer simulation, and experimental evaluation, IEEE Trans. Pow. Electr. 11 (1996). [54] G. Kreisselmeier, T. Birkholzer, Numerical nonlinear regulator design, IEEE Trans. Aut. Contr. 39 (1994). [55] W. Kim, M. S. Gupta, G.-Y. Wei, D. M. Brooks, Enabling on-chip switching regulators for multi-core processors using current staggering, Proceedings of the Work. on Architectural Support for Gigascale Integration (2007). [56] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo, E. Tronci, Linearizing discrete-time hybrid systems, IEEE TAC 62 (2017). doi:10.1109/TAC.2017.2694559. [57] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo, E. Tronci, Automatic control software synthesis for quantized discrete time hybrid systems, in: CDC 2012, IEEE, 2012. doi:10.1109/CDC. 2012.6426260.