Safety Control with Preview Automaton

This paper considers the problem of safety controller synthesis for systems equipped with sensor modalities that can provide preview information. We consider switched systems where switching mode is an external signal for which preview information is…

Authors: Zexiang Liu, Necmiye Ozay

Abstract — This paper considers the problem of safety controller synthesis for systems equipped with sensor modalities that can provide preview information. We consider switched systems where the switching mode is an external signal for which preview information is available. In particular, it is assumed that the sensors can notify the controller about an upcoming mode switch before the switch occurs. We propose the preview automaton, a mathematical construct that captures both the preview information and the possible constraints on switching signals. Then, we study the safety control synthesis problem with preview information. An algorithm that computes the maximal invariant set in a given mode-dependent safe set is developed. These ideas are demonstrated on two case studies from the autonomous driving domain.

I. INTRODUCTION

Modern autonomous systems, like self-driving cars, unmanned aerial vehicles, or robots, are equipped with sensors like cameras, radars, or GPS that can provide information about what lies ahead. Incorporating such preview information in control and decision-making is an appealing idea to improve system performance. For instance, a considerable amount of work has been done on designing closed-form optimal control strategies with limited preview of a future reference signal [2]–[5], with applications in vehicle control [6], [7]. Preview information or forecasts of external factors can also be easily incorporated in a model predictive control framework [8], [9]. However, similar ideas are less explored in the context of improving a system's safety assurances.
For the aforementioned methods on optimal control with preview information, extra constraints need to be introduced into the optimal control problem to obtain safety guarantees, and the closed-form optimal solution then cannot be derived easily in general. In the model predictive control framework, the online optimization is only tractable over a finite receding horizon, and thus it is difficult to give assurances on safety, for which the constraints need to be satisfied over an infinite horizon.

The goal of this paper is to develop a framework that enables the incorporation of preview information in correct-by-construction control. Specifically, we consider discrete-time switched systems where the mode signal is controlled by external factors. We assume the system is equipped with sensors that provide preview information on the mode signal (i.e., some future values of the mode signal can be sensed/predicted at run-time). To capture how the mode signal evolves and how it is sensed/predicted at run-time, we introduce the preview automaton.

Zexiang Liu and Necmiye Ozay are with the Dept. of Electrical Engineering and Computer Science, Univ. of Michigan, Ann Arbor, MI 48109, USA. {zexiang,necmiye}@umich.edu. This work was supported by ONR grant N00014-18-1-2501, NSF grant ECCS-1553873, and an Early Career Faculty grant from NASA's Space Technology Research Grants Program. A poster abstract on our preliminary results was presented at HSCC [1].

Fig. 1: A simple example on autonomous vehicle cruise control. The road grade alternates between three ranges $r_1, r_2, r_3$, modeled by a switched system $\Sigma$ with three modes. The blue shadows indicate the regions where the vehicle's sensors are able to look ahead; upon the detection of the upcoming change, a preview input is released.
Then, we focus on safety specifications defined in terms of a safe set within each mode, and develop an algorithm that computes the maximal invariant set inside these safe sets while incorporating the preview information. A simple example where such information can be relevant is depicted in Fig. 1, where an autonomous vehicle can use its forward-looking sensors or GPS and map information to predict when the road grade will change. The proposed framework provides a means to leverage such information to compute provably-safe controllers that are less conservative compared to their preview-agnostic counterparts.

Our work is related to [10]–[12], where synthesis from linear temporal logic or general omega-regular specifications is considered for discrete-state systems. In [10], it is assumed that a fixed-horizon lookahead is available; whereas in our work, the preview or lookahead time is non-deterministic, and the preview automaton can be composed with both discrete-state and continuous-state systems. While we restrict our attention to safety control synthesis, extensions to other logic specifications are also possible. Another main difference from [10] is that we use the preview automaton also to capture constraints on mode switching. The idea of using automata or temporal logics to capture assumptions on mode switching is used in [13] and [14]. In particular, the structure of the controlled invariant sets we compute is similar to the invariant sets (for systems without control) in [13]. However, neither [13] nor [14] takes preview information into account.

The remainder of this paper is organized as follows. After briefly introducing the basic notation next, in Section II we describe the problem setup, define the preview automaton and formally state the safety control problem.
An algorithm to solve the safety control problem with preview is proposed and analyzed in Section III. In Section IV, we demonstrate the proposed algorithm on two case studies, one on vehicle cruise control and another on lane keeping, before we conclude the paper in Section V.

Notation: We use the convention that the set $\mathbb{N}$ of natural numbers contains 0. Denote the extended natural numbers as $\overline{\mathbb{N}} = \mathbb{N} \cup \{\infty\}$. Denote the power set of a set $X$ as $2^X$.

II. PROBLEM SETUP

In this paper, we consider switched systems $\Sigma$ of the form
$$x(t+1) \in f_{\sigma(t)}(x(t), u(t)), \qquad (1)$$
where $\sigma(t) \in \{1, \ldots, s\}$ is the mode of the system, $x(t) \in X$ is the state and $u(t) \in U$ is the control input. We assume that the switching is uncontrolled (i.e., the mode $\sigma(t)$ is determined by the external environment); however, $\sigma(t)$ is known when choosing $u(t)$ at time $t$. By defining each $f_i : X \times U \to 2^X$ to be set-valued, we capture potential disturbances and uncertainties in the system dynamics that are not directly measured at run-time but that affect the system's evolution.

We are particularly interested in scenarios where some preview information about the mode signal is available at run-time. That is, the system has the ability to look ahead and get notified of the value of the mode signal before the mode signal switches value. More specifically, we assume that for each pair of modes $(i, j)$, if the switching from $i$ to $j$ takes place next, a sensor can detect this switching $\tau_{ij}$ time steps ahead of the switching time, where $\tau_{ij} \geq 0$ is called the preview time and belongs to a time interval $T_{ij}$. Mathematically, if $\sigma(t + \tau_{ij} - 1) = i$ and $\sigma(t + \tau_{ij}) = j$, then the value $\sigma(t + \tau_{ij})$ is available before choosing $u(t)$ at time $t$, for some $\tau_{ij} \in T_{ij}$.

In many applications, switching is not arbitrarily fast.
That is, there is a minimal holding time (or dwell time) between two consecutive switches. For each mode $i$ of the switched system, we associate a least holding time $H_i \geq 1$ such that if the system switches to mode $i$ at time $t$, the environment cannot switch to another mode at any time between $t$ and $t + H_i - 1$. Note that $H_i = 1$ for all $i$ is the trivial case where the system does not have any constraint on the least holding time. Moreover, there could be constraints on which modes can switch to which other modes. The following example illustrates some of the concepts above.

Example 1. In Figure 1, a vehicle runs on a highway where the road grade can switch between the ranges $r_1 = [-30.5, -29.5]$ and $r_2 = [-0.5, 0.5]$, and between $r_2$ and $r_3 = [29.5, 30.5]$ (no direct switching between $r_1$ and $r_3$). We use a switched system $\Sigma$ with 3 modes to model the three ranges $r_1$, $r_2$ and $r_3$. Thanks to the perception system on the vehicle, the switching from mode $i$ to mode $j$ can be detected $\tau_{ij} \in T_{ij}$ steps ahead, where $T_{ij}$ is a known interval of feasible preview times for $(i, j) \in \{(1,2), (2,1), (2,3), (3,2)\}$. Also, the least number of time steps the vehicle spends in range $r_i$ is $H_i$ for $i = 1, 2, 3$.

For simplicity, in the rest of the paper we will assume that the least holding time of mode $i$ is greater than or equal to the least feasible preview time among all modes that the system can switch to from mode $i$, i.e., $H_i \geq \min(\cup_j T_{ij})$ for any mode $i$. This assumption is justified in many applications where switching is "slow" compared to the worst-case sensor range. For instance, the road curvature or road grade does not change too frequently.
The main contribution of this paper is twofold:
• to provide a new modeling mechanism for switched systems that can capture both the constraints on the switching and the preview information;
• to develop algorithms that can compute controllers that guarantee safety with preview information in a way that is less conservative compared to their preview-agnostic counterparts.

A. Preview Automaton

Given the prior knowledge of the preview time intervals $T_{ij}$ and the least holding times $H_i$, we model the allowable switching sequences of a switched system with preview with a mathematical construct we call the preview automaton.

Definition 1 (Preview Automaton). A preview automaton $G$ corresponding to a switched system $\Sigma$ with $s$ modes is a tuple $G = \{Q, E, T, H\}$, where
• $Q = \{1, 2, \cdots, s\}$ is a set of nodes (discrete states), where node $q \in Q$ corresponds to mode $q$ in $\Sigma$;
• $E \subseteq Q \times Q$ is a set of transitions;
• $T : E \to \{[t_1, t_2] : 0 \leq t_1 \leq t_2,\ t_1 \in \mathbb{N},\ t_2 \in \overline{\mathbb{N}}\}$ labels each transition with the time interval of possible preview times corresponding to that transition;
• $H : Q \to (\mathbb{N} \setminus \{0\}) \cup \{\infty\}$ labels each node $q \in Q$ with the least holding time corresponding to that node.

We make a few remarks. First, we do not allow any self-loops, i.e., $(q, q) \notin E$ for all $q \in Q$. Second, the preview time set $T(q_1, q_2)$ for any $(q_1, q_2) \in E$ takes one of three forms: a singleton set $\{t_1\}$ (the interval $[t_1, t_1]$), a finite interval $[t_1, t_2]$ with $t_1 < t_2$, or an infinite interval $[t_1, \infty)$. Finally, if there is a state $q$ with no outgoing edges, that is $\{(q, p) \in E : p \in Q\} = \emptyset$, we set $H(q) = \infty$ to indicate that once the system visits $q$, it remains in $q$ indefinitely, so that deadlocks are not allowed. We call such a state a sink state. The set of sink states and the set of non-sink states in $Q$ are denoted by $Q_s$ and $Q_{ns}$, respectively.
In Definition 1, the nodes of the preview automaton are chosen to be the modes of the switched system for simplicity. It is easy to extend the definition to allow multiple nodes in the preview automaton to correspond to the same mode. Alternatively, redefining the switched system by replicating certain modes and keeping the current definition can serve the same purpose.

Fig. 2: This preview automaton corresponds to the switched system in Example 1.

Example 2. The preview automaton for the switched system in Example 1 has nodes $Q = \{1, 2, 3\}$ with the transitions shown in Figure 2. The least holding mapping is $H(q) = H_q$ for all $q \in Q$, and $T(q_1, q_2) = T_{q_1 q_2}$ for $(q_1, q_2) \in \{(1,2), (2,1), (2,3), (3,2)\}$.

Any transition in the preview automaton is associated with an input in the form of the preview of the switching mode. We assume that there is at most one preview between any two consecutive switches. During the execution of the preview automaton, if a preview takes place at time $t$, there is a corresponding preview input of the preview automaton, consisting of the timestamp $t$ of the occurrence of the preview, the destination state $d \in Q$ of the next transition, and the remaining number of time steps (the preview time) $\tau$ from the current time $t$ up to the next transition. If no preview takes place before the next switching time¹, the preview input corresponding to that switch is trivially $(t, 0, q)$, where $t$ and $q$ are the time instant and the destination of the next transition. Note that $t + \tau$ is the time at which the system transits from the last mode to the mode $d$.

Definition 2.
Given a preview automaton $G = \{Q, E, T, H\}$ and an initial state $q_0 \in Q$, a sequence of tuples $\{(t_k, \tau_k, d_k)\}_{k=1}^N$ ($N < \infty$ when the system remains in $d_N$ for $t \geq t_N + \tau_N$) is a valid preview input sequence of $G$ if, for all $1 \leq k \leq N$, the sequence satisfies (with $t_0 = 0$, $\tau_0 = 0$, $d_0 = q_0$):
(1) $\tau_{k-1} \geq 0$ and $t_{k-1} + \tau_{k-1} \leq t_k$;
(2) $(d_{k-1}, d_k) \in E$ and $\tau_k \in T(d_{k-1}, d_k)$;
(3) $(t_k + \tau_k) - (t_{k-1} + \tau_{k-1}) \geq H(d_{k-1})$.

In the above definition, conditions (1), (2) and (3) guarantee, respectively, that only one preview input is received between two consecutive switches, that the mode switch constraints and preview time constraints are met, and that the holding time constraint is met (the system enters mode $d_{k-1}$ at time $t_{k-1} + \tau_{k-1}$ and leaves it at time $t_k + \tau_k$, so it spends at least $H(d_{k-1})$ steps there). Once a valid input sequence is given, we can uniquely identify the transitions of the preview automaton over time, that is, the execution of the preview automaton with respect to that input sequence. In the rest of the paper, we only consider valid preview input sequences and drop the word valid when it is clear from the context.

Definition 3. Given a preview automaton $G = \{Q, E, T, H\}$ and a preview input sequence $\{(t_k, \tau_k, d_k)\}_{k=1}^N$, the execution of $G$ with respect to the preview input sequence is a sequence of tuples $\{(I_k, q_k)\}_{k=0}^N$, where (1) $I_0 = [0,\ t_1 + \tau_1 - 1]$ and $I_k = [t_k + \tau_k,\ t_{k+1} + \tau_{k+1} - 1]$ for all $k \geq 1$, and (2) $q_0$ is the initial state and $q_k = d_k$ for all $k \geq 1$. Note that two different valid preview input sequences may have the same execution. According to Definitions 2 and 3, the set of possible executions of a preview automaton is determined by the set of valid preview input sequences of the preview automaton.

¹ This is possible when the lower bound of the time interval of possible preview times is 0.
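As an added illustration of Definitions 2 and 3 (this is example code, not from the paper), the following Python encodes a preview automaton as plain dictionaries, checks the three conditions of Definition 2 on a candidate preview input sequence, and builds the execution of Definition 3. The automaton has the shape of Example 1 / Fig. 2, but the numerical preview intervals, holding times and the input sequences are assumptions made for this example, since the page gives no numbers. Condition (3) is implemented as the dwell-time requirement of Section II: at least $H(d_{k-1})$ steps in mode $d_{k-1}$ before the next switch.

```python
import math

# Preview automaton G = {Q, E, T, H} of Definition 1 as plain dictionaries.
# The shape follows Example 1 / Fig. 2 (three road-grade modes, no 1<->3
# edge); the intervals and holding times are constructed for this example,
# the page gives no numbers.  T[(i, j)] = (t1, t2) with t2 possibly math.inf.
Q = {1, 2, 3}
E = {(1, 2), (2, 1), (2, 3), (3, 2)}
T = {(1, 2): (1, 3), (2, 1): (1, 3), (2, 3): (2, math.inf), (3, 2): (2, math.inf)}
H = {1: 4, 2: 4, 3: 4}   # satisfies H_i >= min(union_j T_ij) for every mode


def check_preview_sequence(q0, seq, Q=Q, E=E, T=T, H=H):
    """Definition 2: is `seq` (a list of (t_k, tau_k, d_k)) a valid preview
    input sequence from initial node q0?  Returns (True, None) on success or
    (False, reason) naming the first violated condition."""
    if q0 not in Q:
        return False, "q0 is not a node of G"
    t_prev, tau_prev, d_prev = 0, 0, q0            # (t_0, tau_0, d_0)
    for k, (t, tau, d) in enumerate(seq, start=1):
        # (1) at most one preview per switch: the previous switch, at time
        #     t_{k-1} + tau_{k-1}, has happened by the time the k-th preview arrives
        if tau_prev < 0 or t_prev + tau_prev > t:
            return False, f"k={k}: condition (1) violated"
        # (2) the transition exists and its preview time lies in T(d_{k-1}, d_k)
        if (d_prev, d) not in E:
            return False, f"k={k}: ({d_prev}, {d}) is not a transition"
        lo, hi = T[(d_prev, d)]
        if not lo <= tau <= hi:
            return False, f"k={k}: tau={tau} outside T({d_prev}, {d})"
        # (3) dwell time: mode d_{k-1} is active on [t_{k-1}+tau_{k-1}, t_k+tau_k-1],
        #     which must be at least H(d_{k-1}) steps long
        if (t + tau) - (t_prev + tau_prev) < H[d_prev]:
            return False, f"k={k}: condition (3) violated"
        t_prev, tau_prev, d_prev = t, tau, d
    return True, None


def execution(q0, seq, **G):
    """Definition 3: the execution {(I_k, q_k)} of G for a valid sequence.
    Intervals are closed [a, b]; the last one is unbounded because the
    system stays in d_N after t_N + tau_N."""
    ok, why = check_preview_sequence(q0, seq, **G)
    if not ok:
        raise ValueError(why)
    switch_times = [t + tau for (t, tau, _) in seq]
    starts = [0] + switch_times
    ends = [s - 1 for s in switch_times] + [math.inf]
    modes = [q0] + [d for (_, _, d) in seq]
    return [((a, b), q) for a, b, q in zip(starts, ends, modes)]


def mode_at(exe, t):
    """The active mode sigma(t) read off an execution."""
    for (a, b), q in exe:
        if a <= t <= b:
            return q
    raise ValueError("time lies before the first interval")


if __name__ == "__main__":
    seq = [(2, 2, 2), (8, 2, 3), (20, 5, 2)]            # constructed input
    print(check_preview_sequence(1, seq))                # (True, None)
    print(execution(1, seq))                             # four (I_k, q_k) pairs
    print(check_preview_sequence(1, [(2, 2, 2), (5, 1, 1)]))  # dwell too short
```

The second sample sequence previews a return to mode 1 only 2 steps after entering mode 2, which violates the holding time $H_2 = 4$; a controller that trusted such an input would be relying on switching behaviour the automaton rules out, so the check belongs at the boundary where preview inputs enter the controller.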
Once we have the preview automaton $G$ corresponding to a switched system $\Sigma$, we have a model of the allowable switching sequences for $\Sigma$, given by the executions of $G$. Therefore we can define the runs of a switched system with respect to a preview automaton.

Definition 4. A sequence $\{(q(t), x(t))\}_{t=0}^\infty$ is a run of the switched system $\Sigma$ with $s$ modes and preview automaton $G$ under the control inputs $\{u(t)\}_{t=0}^\infty$ if (1) $\{q(t)\}_{t=0}^\infty$ is an execution of $G$ for some preview input sequence, and (2) $x(t+1) \in f_{q(t)}(x(t), u(t))$ for all $t \geq 0$.

B. Problem Statement

Though the preview automaton can be useful in the presence of more general specifications, we focus only on safety specifications in this work. Suppose that each mode $k$ is associated with a safe set $S_k \subseteq X$, that is, the set of states within which we require the switched system to stay when the system's active mode is $k$. We call the collection of safe sets $\{S_i\}_{i \in Q}$ a safety specification for the switched system $\Sigma$. Then, given a safety specification $\{S_i\}_{i \in Q}$, a run $\{(q(t), x(t))\}_{t=0}^\infty$ is safe if $(q(t), x(t)) \in \cup_{i \in Q} (\{i\} \times S_i)$ for all $t \geq 0$. Otherwise, the run is unsafe.

A controller is usually assumed to know the partial run of the system up to the current time before making a control decision at each time instant. In our case, since the system can look ahead and see the next transition, reflected by the preview input signal, the controller for a switched system equipped with a preview automaton is assumed to have access to the preview inputs of the preview automaton up to the current time.

Definition 5. Denote by $\{(p(t), x(t))\}_{t=0}^{t^*}$ and $\{(t_k, \tau_k, d_k)\}_{k=0}^{k^*}$ the partial run and the preview inputs of the switched system up to time $t^*$ ($k^*$ refers to the latest preview up to $t^*$, i.e., $k^* = \max\{k : t_k \leq t^*\}$).
A controller $U$ of the switched system $\Sigma$ with preview automaton $G$ is a function that maps the partial run $\{(p(t), x(t))\}_{t=0}^{t^*}$ and the preview inputs $\{(t_k, \tau_k, d_k)\}_{k=0}^{k^*}$ to a control input $u(t^*)$ of the switched system, for any $t^* \geq 0$.

Definition 6. Given a switched system $\Sigma$ and a safety specification $\{S_i\}_{i \in Q}$, a subset $W_i$ of the state space of $\Sigma$ is a single winning set with respect to mode $i$ if there exists a controller $U$ such that any run of the closed-loop switched system with initial state in $\{i\} \times W_i$ is safe. A winning set $W_i$ is the maximal winning set with respect to mode $i$ if, for any $x \notin W_i$ and any controller $U$, there exists an unsafe run with initial state $(i, x)$. A winning set with respect to the switched system $\Sigma$ is the collection $\{W_i\}_{i \in Q}$ of single winning sets for all modes, which is called a winning set for short.

Fig. 3: A switched finite transition system with 2 modes $f_1$ and $f_2$. The safe set (blue) is $\{s_1, s_2\}$ for each mode.

We note that, by definition, an arbitrary union of winning sets with respect to one mode is still a winning set, and therefore the maximal winning set is unique under mild conditions [15] and contains all the winning sets with respect to that mode. Now, we are ready to state the problem of interest.

Problem 1. Given a switched system $\Sigma$ with corresponding preview automaton and safety specification $\{S_i\}_{i \in Q}$, find the maximal winning set $\{W_i\}_{i \in Q}$.

Before an algorithm that computes the maximal winning set is introduced, we first study the following toy example to demonstrate the usefulness of preview information.

Example 3. A switched transition system with two modes is shown in Figure 3. The state space and input space of the switched system are $\{s_1, s_2, s_3\}$ and $\{u_1, u_2\}$, respectively. The safety specification is $S_1 = S_2 = \{s_1, s_2\}$.
To satisfy this safety specification, the system state has to be $s_1$ when $f_1$ is active and $s_2$ when $f_2$ is active. Thus, by inspection, when there is no preview the winning sets are empty, and when there is a preview of at least one step ahead before each transition there is a non-empty winning set $W_1 = \{s_1\}$ and $W_2 = \{s_2\}$.

Example 3 shows that a winning set is not the same as a controlled invariant set of the switched system. When the preview information is ignored or unavailable, they coincide, and therefore Problem 1 can be solved by computing the controlled invariant sets within the safe sets. However, if a preview is available, the controlled invariant sets can be conservative, since their computation does not take advantage of the online preview information. Therefore, in Example 3, the maximal controlled invariant set is empty, but the winning set is non-empty.

III. MAXIMAL WINNING SET COMPUTATION WITH PREVIEW INFORMATION

In this section, we propose an algorithm to solve Problem 1. Recall that in Definition 1, the feasible preview time interval given by $T$ can be unbounded from the right, which is difficult to deal with in general because it essentially corresponds to a potentially unbounded clock. However, the following theorem reveals an important property of the preview automaton, which allows us to replace the preview time interval with its lower bound in the computation of winning sets.

Theorem 1. Let $G = \{Q, E, T, H\}$ and $\widehat{G} = \{Q, E, \widehat{T}, H\}$ be two preview automata of the switched system $\Sigma$ with $s$ modes, where $\widehat{T}(q_1, q_2) = \min(T(q_1, q_2))$ for any $(q_1, q_2) \in E$. Then, given a safety specification $\{S_i\}_{i \in Q}$, $\{W_i\}_{i \in Q}$ is a winning set with respect to $G$ if and only if $\{W_i\}_{i \in Q}$ is a winning set with respect to $\widehat{G}$.

Proof.
Note that $G$ and $\widehat{G}$ are the same except for the feasible preview time interval $T$. For each transition $(q_1, q_2) \in E$, $\widehat{T}(q_1, q_2)$ is equal to the lower bound of $T(q_1, q_2)$.

To show the "only if" direction, suppose that $W_i$ is a winning set with respect to $G$ for mode $i$. Then by Definition 6, there exists a controller $U$ such that any run of the closed-loop system with initial state in $\{i\} \times W_i$ with respect to any valid preview input sequence of $G$ is safe. By Definitions 2 and 3, any preview input sequence of $\widehat{G}$ and its corresponding execution are also a valid preview input sequence and execution of $G$. Therefore, using the same controller $U$, any run of the closed-loop system with initial state in $\{i\} \times W_i$ with respect to any valid preview input sequence of $\widehat{G}$ is safe. Hence we conclude that each $W_i$, for $i \in Q$, is a winning set with respect to $\widehat{G}$ for mode $i$.

To show the "if" direction, suppose that $W_i$ is a winning set with respect to $\widehat{G}$ for mode $i$, and that $U$ is a controller such that any run of the closed-loop system with initial state in $\{i\} \times W_i$ with respect to any valid preview input sequence for $\widehat{G}$ is safe. Note that any execution of $G$ is also an execution of $\widehat{G}$, but the corresponding preview input sequences of $G$ and $\widehat{G}$ can be different. Suppose that $\{(t_k, \tau_k, q_k)\}_{k=1}^N$ and $\{(t'_k, \tau'_k, q_k)\}_{k=1}^N$ are two preview input sequences of $G$ and $\widehat{G}$ corresponding to the same execution $\pi = \{(I_k, q_k)\}_{k=0}^N$. Then by Definition 2, for all $k \geq 1$, $\tau'_k = \widehat{T}(q_{k-1}, q_k) = \min(T(q_{k-1}, q_k))$, $\tau_k \in T(q_{k-1}, q_k)$ and $t'_k + \tau'_k = t_k + \tau_k = \min(I_k)$. Hence $\tau'_k \leq \tau_k$ and $t'_k \geq t_k$ for all $k \geq 1$, which implies that for any transition in $\pi$, a controller of $G$ learns the next mode from the preview input of $G$ no later than a controller of $\widehat{G}$ does.
Since the preview input of the next transition arrives in $G$ no later than in $\widehat{G}$, given an execution $\pi = \{(I_k, q_k)\}_{k=0}^N$, for any $k \geq 1$, $U$ can always infer² the $k$-th preview input of $\widehat{G}$ from the $k$-th input of $G$ before time $t'_k$. We force the controller $U$ to generate control inputs for the switched system $\Sigma$ with preview automaton $G$ based on the inferred inputs of $\widehat{G}$. Then any run of $\Sigma$ when closing the loop with the customized $U$ and $G$ is a run of the closed-loop system with respect to $\Sigma$, $U$ and $\widehat{G}$, which is safe if the initial state is in $\{i\} \times W_i$. Hence $W_i$ is a winning set of $G$ for all $i \in Q$. □

Thanks to Theorem 1, for the purpose of maximal winning set computation it is enough to consider a preview automaton whose preview time interval is a singleton set for every transition, without introducing any conservatism. This property can reduce computation cost and simplify the algorithms. Therefore, whenever there is a preview automaton $G$, we first convert $G$ into the form of $\widehat{G}$ in Theorem 1. Algorithm 1 is designed to compute the maximal winning set for a preview automaton in the form of $\widehat{G}$, and its result is equal to the maximal winning set of $G$.

We note that $\widehat{G}$ can be expanded to a non-deterministic finite transition system with $\sum_i \big(H_i - \min_j T_{ij} + \sum_j T_{ij}\big)$ states. Taking the product of this finite transition system with the switched system, the problem can be reduced to an invariance computation (with measurable and unmeasurable non-determinism) on the product system. However, the algorithms we propose avoid the product construction and directly define fixed-point operations on the switched system's state space.

² Given the $k$-th preview input $(t_k, \tau_k, q_k)$ of $G$, the $k$-th preview input of $\widehat{G}$ is $(t_k + \tau_k - \tau'_k,\ \tau'_k,\ q_k)$ with $\tau'_k = \widehat{T}(q_{k-1}, q_k)$.
In Algorithm 1, lines 4-6 compute the maximal winning set for each sink state in $G$. Lines 7-12 compute the winning sets of the non-sink states iteratively, with updates given by Algorithm 2. The main operators used in these algorithms are as follows. First, given a mode $i$ of the switched system with state space $X$ and action space $U$, and a subset $V$ of $X$, the one-step controlled predecessor of $V$ with respect to the dynamics $f_i$ is defined as
$$\mathrm{Pre}_{f_i}(V) = \{x \in X : \exists u \in U,\ f_i(x, u) \subseteq V\}, \qquad (2)$$
that is, the set of states that can be guaranteed to reach the set $V$ in one time step by some control input in $U$. Second, given a safe set $S_i \subset X$, the one-step constrained controlled predecessor $\mathrm{PreInt}(\cdot)$ of an arbitrary set $V$ with respect to the dynamics $f_i$ is
$$\mathrm{PreInt}_{f_i}(V, S_i) = \mathrm{Pre}_{f_i}(V) \cap S_i. \qquad (3)$$
Now define $V_0 = S_i$ and update $V_k$ recursively for $k \geq 0$ by
$$V_{k+1} = \mathrm{PreInt}_{f_i}(V_k, S_i). \qquad (4)$$
Note that $\{V_k\}_{k=0}^\infty$ in (4) is a monotonically non-increasing sequence of sets, and its fixed point (reached when $V_{k+1} = V_k$) is the maximal controlled invariant set within the safe set $S_i$ with respect to the dynamics $f_i$, denoted $\mathrm{Inv}_{f_i}(S_i)$. Finally, given the preview automaton $G = \{Q, E, T, H\}$, the successors of a node $i \in Q$ are defined as $\mathrm{Post}_G(i) = \{j : (i, j) \in E\}$.

Some properties of these operators and of the $\mathrm{InvPre}$ operator defined by Algorithm 2 are analyzed next. These properties are used later to prove the correctness of the main algorithm. In what follows we use $\{\widehat{W}_i\}_{i \in Q} \subseteq \{W_i\}_{i \in Q}$ to denote the element-wise set inclusion $\widehat{W}_i \subseteq W_i$ for all $i \in Q$. When we talk about maximality, it is in the (element-wise) set inclusion sense.

Lemma 1. Consider two collections of subsets $\widehat{W} = \{\widehat{W}_i\}_{i \in Q}$ and $W = \{W_i\}_{i \in Q}$ of $X$.
If $\widehat{W} \subseteq W \subseteq S$, then $\widehat{W}$ and $W$ satisfy
$$\mathrm{InvPre}_{f_i}(G, \widehat{W}, S) \subseteq \mathrm{InvPre}_{f_i}(G, W, S) \subseteq S_i \qquad (5)$$
for any non-sink state $i \in Q_{ns}$.

Algorithm 1 Winning Set for Problem 1
1: function ConInv($\Sigma$, $S = \{S_i\}_{i \in Q}$, $G$)
2:   initialize $\{W_i\}_{i \in Q}$ with $W_i = S_i$, $\forall i \in Q$
3:   initialize $\{V_i\}_{i \in Q}$ with $V_i = \emptyset$
4:   for $i \in Q$ such that $H(i) = \infty$ (sink states) do
5:     $W_i \leftarrow \mathrm{Inv}_{f_i}(S_i)$
6:   end for
7:   while $\exists i \in Q$ such that $W_i \neq V_i$ do
8:     $V_i \leftarrow W_i$, $\forall i \in Q$
9:     for $i \in Q$ such that $H(i) < \infty$ do
10:      $W_i \leftarrow \mathrm{InvPre}_{f_i}(G, \{W_j\}_{j \in \mathrm{Post}(i)}, S)$
11:    end for
12:  end while
13:  return $\{W_i\}_{i \in Q}$
14: end function

Algorithm 2 InvPre operator for Algorithm 1
1: function InvPre$_{f_i}$($G$, $W$, $S$)
2:   for $j$ in $\mathrm{Post}_G(i)$ do
3:     $C_{0,j} = W_j$ and $T_{ij} = T(i, j)$
4:     for $l = 1, 2, 3, \ldots, T_{ij}$ do
5:       $C_{l,j} = \mathrm{PreInt}_{f_i}(C_{l-1,j}, S_i)$
6:     end for
7:   end for
8:   $T_{\min} = \min_{j \in \mathrm{Post}_G(i)} T(i, j)$
9:   $C_{T_{\min}} = \mathrm{Inv}_{f_i}\big(\bigcap_{j \in \mathrm{Post}_G(i)} C_{T_{ij}, j}\big)$
10:  $H_i = H(i)$
11:  for $k = T_{\min} + 1, \cdots, H_i$ do
12:    $C_k = \mathrm{PreInt}_{f_i}(C_{k-1}, S_i)$
13:    if $J_k = \{j \in \mathrm{Post}_G(i) : T_{ij} \geq k\} \neq \emptyset$ then
14:      $C_k = C_k \cap \big(\bigcap_{j \in J_k} C_{T_{ij}, j}\big)$
15:    end if
16:  end for
17:  return $C_{H_i}$
18: end function

Lemma 2. $W = \{W_i\}_{i \in Q}$ is the maximal winning set with respect to the safe set $S = \{S_i\}_{i \in Q}$ if and only if $\{W_i\}_{i \in Q_{ns}}$ is the maximal solution of the following equations:
$$W_i = \mathrm{InvPre}_{f_i}(G, W, S), \quad \forall i \in Q_{ns}, \qquad (6)$$
where the components of the winning set $W$ for sink states are chosen according to $W_j = \mathrm{Inv}_{f_j}(S_j)$ for all $j \in Q_s$.

The proofs of Lemmas 1 and 2 are given in the appendix. Let us illustrate how Algorithm 1 works, using the switched system shown in Fig. 3 with the preview automaton in Fig. 4, before proving that the proposed algorithm indeed computes the maximal winning set.

Example 4.
Since there are no sink nodes in the preview automaton in Fig. 4, lines 4-6 in Algorithm 1 are skipped. We use the pair $(k, l)$ to indicate the $k$-th iteration of the while loop (line 7) and the $l$-th iteration of the for loop (line 9) in Algorithm 1, and use $W_i^{k,l}$ to refer to the value of $W_i$ after the $(k, l)$ iteration. Note that at iteration $(k, l)$, only $W_l$ is updated and the other $W_i$ remain unchanged for $i \neq l$. Initially $W_1^{0,0} = W_2^{0,0} = \{s_1, s_2\}$. In iteration $(0, 1)$, $W_1^{0,1} = \mathrm{InvPre}_{f_1}(G, \{W_1^{0,0}, W_2^{0,0}\}, S) = \{s_1\}$ and $W_2^{0,1} = W_2^{0,0}$. In iteration $(0, 2)$, $W_2^{0,2} = \mathrm{InvPre}_{f_2}(G, \{W_1^{0,1}, W_2^{0,1}\}, S) = \{s_2\}$ and $W_1^{0,2} = W_1^{0,1}$. In the following iterations $(1, 1)$ and $(1, 2)$, $W^{1,1}$ and $W^{1,2}$ are unchanged. Therefore, the termination condition in line 7 is satisfied and the output of Algorithm 1 for this example is $W_1 = \{s_1\}$ and $W_2 = \{s_2\}$. It is easy to verify that $W_1 = \{s_1\}$ and $W_2 = \{s_2\}$ form the maximal winning set for this problem.

Fig. 4: The preview automaton corresponding to the switched system in Fig. 3. $H_1 = H_2 = 3$ is the least holding time for both modes, and $T_{12} = T_{21} = 1$ is the preview time for the transitions $(1, 2)$ and $(2, 1)$.

The main completeness result is provided next.

Theorem 2. If Algorithm 1 terminates, the tuple of sets $\{W_i\}_{i \in Q}$ it returns is the maximal winning set within the safe set $S = \{S_i\}_{i \in Q}$ of the switched system $\Sigma$ with the preview automaton $G$.

Proof. Suppose that $\{W_i^*\}_{i \in Q}$ is the maximal winning set we are looking for. Let us partition the discrete state space $Q$ into the set of sink states $Q_s = \{q \in Q : H(q) = \infty\}$ and the set of non-sink states $Q_{ns} = Q \setminus Q_s = \{q \in Q : H(q) < \infty\}$. If $q$ is a sink state, once the system enters mode $q$, the system remains in mode $q$ without any future switching.
Therefore, the maximal winning set $W_q$ is trivially the maximal controlled invariant set within the safe set $S_q$ with respect to the dynamics of mode $q$, that is, $W_q^* = \mathrm{Inv}_{f_q}(S_q)$. In lines 4-6 of Algorithm 1, we compute the maximal winning sets for all the sink states. Having solved for $W_i^*$ for each sink state $i \in Q_s$, let us consider the maximal winning sets for the non-sink states. We want to show that $W$, as updated by lines 7-12 of Algorithm 1, converges to $W^*$.

Without loss of generality, assume that $Q_{ns} = \{1, 2, \ldots, s_{ns}\}$ and let the "for" loop in line 9 iterate over the indices $1, 2, \ldots, s_{ns}$ in the natural order. We use $W^{k,l}$ to indicate the updated value of $W$ after the $k$-th iteration of the "while" loop (line 7) and the $l$-th iteration of the "for" loop (line 9). Then the initial value of $W$ is $W^{0,0} = \{W_i^{0,0}\}_{i \in Q}$, where $W_i^{0,0} = S_i$ for all $i \in Q_{ns}$ and $W_j^{0,0} = W_j^*$ for all $j \in Q_s$. According to lines 9-10, for all $k \geq 0$ and $0 \leq l \leq s_{ns} - 1$, $W_i^{k,l+1} = \mathrm{InvPre}_{f_i}(G, W^{k,l}, S)$ for $i = l+1$, $W_j^{k,l+1} = W_j^{k,l}$ for all $j \neq l+1$, and $W^{k+1,0} = W^{k, s_{ns}}$.

Now we want to prove by induction that if $W^* \subseteq W^{k,0} \subseteq S$ for some $k \geq 0$, then $W^* \subseteq W^{k,l} \subseteq S$ for any $l \in \{1, 2, \ldots, s_{ns}\}$.

(Base case 1) Since we have $W^* \subseteq W^{k,0} \subseteq S$, by Lemmas 1 and 2 we have $W_i^* = \mathrm{InvPre}_{f_i}(G, W^*, S) \subseteq \mathrm{InvPre}_{f_i}(G, W^{k,0}, S) = W_i^{k,1} \subseteq S_i$ for $i = 1$. Since $W^* \subseteq W^{k,0}$ and $W_j^{k,1} = W_j^{k,0}$ for all $j \neq 1$, we have $W^* \subseteq W^{k,1} \subseteq S$.

(Induction hypothesis 1) Suppose that $W^* \subseteq W^{k,l} \subseteq S$ for some $0 \leq l \leq s_{ns} - 1$. Again, by Lemmas 1 and 2, $W^* \subseteq W^{k,l+1} \subseteq S$. Finally, by induction, if $W^* \subseteq W^{k,0} \subseteq S$ then $W^* \subseteq W^{k,l} \subseteq S$ for all $l \in \{1, 2, \ldots, s_{ns}\}$.

Next we want to prove by induction that $W^* \subseteq W^{k,0} \subseteq S$ for all $k \geq 0$.

(Base case 2) $W^* \subseteq W^{0,0} \subseteq S$ by construction.
(Induction hypothesis 2) Suppose $W^* \subseteq W^{k,0} \subseteq S$ for some $k \ge 0$. Then, by the argument above, $W^* \subseteq W^{k,s_{ns}} = W^{k+1,0} \subseteq S$. Therefore, by induction, $W^* \subseteq W^{k,0} \subseteq S$ for any $k \ge 0$.

The two induction arguments above prove that $W^* \subseteq W^{k,l}$ for any $k \ge 0$ and $0 \le l \le s_{ns}$. Now let us show that $W^{0,0}, W^{0,1}, W^{0,2}, \ldots, W^{k,0}, W^{k,1}, \ldots$ is a non-expanding sequence. Since $W^{k,s_{ns}} = W^{k+1,0}$ for all $k \ge 0$, it suffices to show $W^{k,l+1} \subseteq W^{k,l}$ for any $k \ge 0$ and $0 \le l \le s_{ns} - 1$.

(Base case 3) Note that $\mathrm{InvPre}_{f_i}(G, V, S) \subseteq S_i$ for arbitrary $V \subseteq X$ and $i \in Q$. Thus, by definition, $W_i^{0,1} = \mathrm{InvPre}_{f_i}(G, W^{0,0}, S) \subseteq S_i = W_i^{0,0}$ for $i = 1$. Since $W_j^{0,1} = W_j^{0,0}$ for all $j \neq 1$, we get $W^{0,1} \subseteq W^{0,0}$. Now consider $W^{0,2}$. Note that $W_j^{0,2} = W_j^{0,1}$ for all $j \neq 2$. For $i = 2$, $W_i^{0,2} = \mathrm{InvPre}_{f_i}(G, W^{0,1}, S) \subseteq S_i = W_i^{0,1}$. Thus $W^{0,2} \subseteq W^{0,1}$. Similarly, $W^{0,s_{ns}} \subseteq \ldots \subseteq W^{0,1} \subseteq W^{0,0}$.

(Induction hypothesis 3) Suppose $W^{k,s_{ns}} \subseteq \ldots \subseteq W^{k,1} \subseteq W^{k,0}$ for some $k \ge 0$. To show that $W^{k+1,l+1} \subseteq W^{k+1,l}$ for all $l$, we need another induction argument.

(Base case 4) We know $W^{k+1,0} = W^{k,s_{ns}}$, and $W_j^{k+1,1} = W_j^{k+1,0}$ for $j \neq 1$. For $i = 1$, $W_i^{k+1,0} = W_i^{k,s_{ns}} = W_i^{k,1} = \mathrm{InvPre}_{f_i}(G, W^{k,0}, S)$. By induction hypothesis 3, $W^{k,s_{ns}} \subseteq W^{k,0}$, and thus by Lemmas 1 and 2, $W_i^{k+1,1} = \mathrm{InvPre}_{f_i}(G, W^{k+1,0}, S) \subseteq \mathrm{InvPre}_{f_i}(G, W^{k,0}, S) = W_i^{k+1,0}$ for $i = 1$; therefore $W^{k+1,1} \subseteq W^{k+1,0}$.

(Induction hypothesis 4) Suppose that $W^{k+1,l} \subseteq W^{k+1,l-1} \subseteq \ldots \subseteq W^{k+1,0}$. By definition, $W_j^{k+1,l+1} = W_j^{k+1,l}$ for all $j \neq l+1$. Also, for $i = l+1$, $W_i^{k+1,l} = W_i^{k,l+1} = \mathrm{InvPre}_{f_i}(G, W^{k,l}, S)$.
By induction hypotheses 3 and 4, $W^{k+1,l} \subseteq W^{k,l}$, and thus by Lemmas 1 and 2 again, for $i = l+1$, $W_i^{k+1,l+1} = \mathrm{InvPre}_{f_i}(G, W^{k+1,l}, S) \subseteq \mathrm{InvPre}_{f_i}(G, W^{k,l}, S) = W_i^{k+1,l}$; therefore $W^{k+1,l+1} \subseteq W^{k+1,l}$. By induction 4 we then have $W^{k+1,s_{ns}} \subseteq \ldots \subseteq W^{k+1,1} \subseteq W^{k+1,0}$, and by induction 3 the sequence $W^{0,0}, \ldots, W^{k,0}, W^{k,1}, \ldots$ is non-expanding.

So far we have shown that
$$W^{0,0} \supseteq W^{0,1} \supseteq \ldots \supseteq W^{k,0} \supseteq W^{k,1} \supseteq \ldots$$
is a monotonic non-expanding sequence within $S$, which implies that the limit of this sequence $W^{\infty,0}$ (the output of Algorithm 1) exists and is contained in $S$, hence safe. By lines 7-12 of Algorithm 1, $W^{\infty,0}$ is a solution of the equations in (6). Also, since $W^* \subseteq W^{k,l}$ for any $k$ and $l$, and $W^*$ is the maximal solution of the equations in (6), we have $W^{\infty,0} = W^*$.

Note that the above proof also guarantees termination if the switched system under consideration has finitely many states. For switched systems with continuous state spaces, the non-expanding property of the computed sets guarantees convergence, but termination in a finite number of steps is not guaranteed in general. For linear switched systems, termination can still be guaranteed using the algorithms from [16], [17] by slightly sacrificing maximality (see also [18]).

Once the maximal winning set (or a winning set) $W^* = \{W_i^*\}_{i \in Q}$ is obtained, a controller can be extracted roughly as follows. For a sink node $i \in Q_s$, the allowable control inputs for each state in the controlled invariant set $W_i^*$ can be obtained by applying the Pre operator to $W_i^*$.
For a non-sink node $j \in Q_{ns}$, we need an "invariance" controller that keeps the system state in $W_j^*$ before a preview happens, and a "reachability" controller for each transition $(j,k) \in E$ and each possible preview time $\tau_{jk} \in T(j,k)$, such that from the moment a preview is received by the controller the system state is guaranteed to reach $W_k$ in $\tau_{jk}$ steps; the allowable control input for each step is obtained by applying PreInt recursively $\tau_{jk}$ times. For the "invariance" controller, we also need to make sure that the system state reaches certain parts of the maximal winning set, depending on the holding time (time steps elapsed since the last transition), so that once a preview occurs the system state is within the domain of the corresponding "reachability" controller. Computing the "reachability" controllers corresponds to lines 2-7 of Algorithm 2, and computing the "invariance" controller corresponds to lines 9 and 12-14, when the preview automaton has singleton preview time intervals. The process generalizes to general preview time intervals from Algorithm 2 based on the description above.

IV. CASE STUDIES

In the following case studies we apply the proposed algorithms to switched affine systems, where the state space and safe set are polytopes. In this case the Pre and PreInv operators reduce to polytopic operations, which we implement using the MPT3 toolbox [19].

A. Vehicle Cruise Control

Our first example is a cruise control problem for the scenario shown in Example 1.
The longitudinal dynamics of a vehicle on a road with grade is given by
$$\dot v = -\frac{f_0}{m} - \frac{f_1}{m} v + \frac{F_w}{m} - g \sin\theta, \tag{7}$$
where $v$ is the longitudinal speed, $m$ is the vehicle mass, $f_0$ and $f_1$ are friction-related coefficients, $F_w$ is the wheel force, $g$ is the gravitational acceleration and $\theta$ is the road grade. We choose $F_w$ as the control input and $\theta$ as a disturbance. We discretize (7) with time step $\Delta t = 0.1\,\mathrm{s}$. The discrete-time dynamics with disturbance ranges $r_1$, $r_2$ and $r_3$ constitute modes 1, 2, 3 of the switched system defined in Example 1. The safety specification is to keep the longitudinal speed within $X = [31.95, 32]\,\mathrm{m/s}$. The speed range is intentionally picked small enough that the change the road grade induces on the dynamics makes the specification hard to satisfy. The parameters are chosen as $m = 1650\,\mathrm{kg}$, $f_0 = 0.1\,\mathrm{N}$, $f_1 = 5\,\mathrm{N \cdot s/m}$, $g = 10\,\mathrm{m/s^2}$. The control input range is $F_w \in [-0.65\,mg, 0.66\,mg]$. For the preview automaton shown in Fig. 2, the holding time for each mode is 2 and the preview time for each transition is 1.

For comparison, we compute the maximal controlled invariant set for the dynamics discretized from (7) with the disturbance in $[-30.5^\circ, 30.5^\circ]$ (the convex hull of $r_1$, $r_2$, $r_3$). If such an invariant set exists, it is a feasible winning set for our problem. However, the resulting controlled invariant set is empty, which shows that the problem is infeasible if the disturbance can vary arbitrarily in $[-30.5^\circ, 30.5^\circ]$. In contrast, the winning set obtained from Algorithm 1 is $\{W_i\}_{i=1}^3$ with $W_1 = W_2 = W_3 = X$. Therefore the preview automaton is crucial in this case study for the existence of a safety controller.

B. Vehicle Lane Keeping Control

In the second example we apply the proposed method to synthesize a lane-keeping controller, which controls the steering to keep the lateral displacement of the vehicle within the lane boundaries. The lateral dynamics we use are from a linearized bicycle model [18]. The four states of the model are the lateral displacement $y$, lateral velocity $v$, yaw angle $\Delta\Psi$ and yaw rate $r$. The vehicle is controlled by the steering input $\delta_f$ in the range $[-\pi/2, \pi/2]$. We assume that the longitudinal velocity $u$ of the vehicle is constant and equal to $30\,\mathrm{m/s}$. The disturbance $r_d$ is a function of the road curvature, which is what we assume to have preview information on at run-time. The maximal recommended range of $r_d$ on Michigan highways [20] with respect to $u = 30\,\mathrm{m/s}$ is about $[-0.06, 0.06]$. We divide $[-0.06, 0.06]$ evenly into 5 intervals $d_1 = [-0.06, -0.036]$, $d_2 = [-0.036, -0.012]$, $\ldots$, $d_5 = [0.036, 0.06]$ and construct a switched system with 5 modes, where each mode $i \in Q = \{1, 2, 3, 4, 5\}$ corresponds to the lateral dynamics with $r_d$ bounded in $d_i$, denoted by $f_i$. The corresponding preview automaton is shown in Fig. 5, where transitions are only between modes with adjacent $r_d$ intervals. For simplicity, the preview time interval is $T(i,j) = \tau_c$ for all $(i,j) \in E$ and the least holding time is $H(i) = \tau_d$ for all $i \in Q$, for some constants $\tau_c$ and $\tau_d$. The safe set is given by the constraints $|y| \le 0.9$, $|v| \le 1.2$, $|\Delta\Psi| \le 0.05$, $|r| \le 0.3$ for all modes.

TABLE I: Computation costs for different $(\tau_c, \tau_d)$

  $(\tau_c, \tau_d)$   #iterations   time (min)
  (1, 2)               4             18.9
  (2, 2)               4             18.0
  (1, 1)               5             20.3
  (5, 5)               3             16.8

We apply Algorithm 1 to compute the maximal winning sets for various $\tau_c$ and $\tau_d$.
The values of $(\tau_c, \tau_d)$ with the corresponding numbers of iterations at termination and running times are listed in Table I. Denote the maximal winning set with respect to mode 2 for each pair $(\tau_c, \tau_d)$ in Table I by $W_{2,(\tau_c,\tau_d)}$. As a comparison, we compute the maximal controlled invariant set for the lateral dynamics with $r_d \in [-0.06, 0.06]$, denoted by $W_{inv}$. The projections of $W_{2,(\tau_c,\tau_d)}$ and $W_{inv}$ onto 3-dimensional subspaces are shown in Figs. 6 and 7.

Fig. 5: Preview automaton for the lane-keeping case study.

Fig. 6: Projections of $W_{inv}$, $W_{2,(1,2)}$, $W_{2,(2,2)}$ onto two subspaces: (a) onto $(y, v, \Delta\Psi)$; (b) onto $(y, v, r)$. The red, blue and green regions are the projection of $W_{inv}$, the difference of the projections of $W_{2,(1,2)}$ and $W_{inv}$, and the difference of the projections of $W_{2,(2,2)}$ and $W_{2,(1,2)}$.

Fig. 6 compares $W_{inv}$, $W_{2,(1,2)}$ and $W_{2,(2,2)}$, where the holding time $\tau_d$ is fixed and the preview time $\tau_c$ is varied to show the effect of the preview time on the winning set. In theory, $W_{inv} \subseteq W_{(\tau_c,\tau_d)} \subseteq W_{(\tau_c',\tau_d')}$ for any $\tau_c \le \tau_c'$ and $\tau_d \le \tau_d'$, which is confirmed by the numerical result $W_{inv} \subseteq W_{2,(1,2)} \subseteq W_{2,(2,2)}$. The blue region in Fig. 6 shows the difference of $W_{2,(1,2)}$ and $W_{inv}$, indicating how much we gain from the preview information with $(\tau_c, \tau_d) = (1,2)$ compared to no preview. The green region in Fig. 6 shows the difference of $W_{2,(2,2)}$ and $W_{2,(1,2)}$, which indicates how much the maximal winning set grows as the preview time $\tau_c$ increases from 1 to 2 while the least holding time $\tau_d = 2$ is fixed. As revealed by the size of the green region in Fig. 6, the growth of the maximal winning set diminishes as the preview time becomes one step longer.
Understanding the conditions under which a longer preview does or does not help the growth of the maximal winning set is the subject of our future work.

Fig. 7 compares $W_{inv}$, $W_{2,(1,1)}$ and $W_{2,(1,5)}$, where we fix the preview time $\tau_c$ and change the least holding time $\tau_d$. The blue and green regions show the difference of $W_{2,(1,1)}$ and $W_{inv}$ and the difference of $W_{2,(1,5)}$ and $W_{2,(1,1)}$, respectively. The size of the green region therefore indicates how much the winning set grows as we increase the least holding time $\tau_d$ from 1 to 5. Compared to Fig. 6, the winning set is more sensitive to the change of the least holding time $\tau_d$ than to the change of the preview time $\tau_c$.

Fig. 7: Projections of $W_{inv}$, $W_{2,(1,1)}$, $W_{2,(1,5)}$ onto two subspaces: (a) onto $(y, v, \Delta\Psi)$; (b) onto $(y, v, r)$. The red, blue and green regions are the projection of $W_{inv}$, the difference of the projections of $W_{2,(1,1)}$ and $W_{inv}$, and the difference of the projections of $W_{2,(1,5)}$ and $W_{2,(1,1)}$.

Finally, $W_{inv}$, $W_{2,(1,1)}$ and $W_{2,(5,5)}$ are compared in Fig. 7, where we increase $\tau_c$ and $\tau_d$ simultaneously. $W_{2,(5,5)}$ is numerically equal to $W_{2,(1,5)}$, and thus its projections are the same as the projections of $W_{2,(1,5)}$ shown in Fig. 7. In fact, the winning sets with respect to modes 2, 3, 4 for $\tau_c = 1, \tau_d = 5$ and for $\tau_c = 5, \tau_d = 5$ are numerically equal; the winning sets with respect to modes 1 and 5 grow slightly when $(\tau_c, \tau_d)$ changes from $(1,5)$ to $(5,5)$, but the growth is too small to visualize. The observations in Figs. 6 and 7 suggest one theoretical conjecture: if the preview time and the least holding time are large enough, a longer preview time and/or a longer holding time will not increase the size of the maximal winning set.
That is, the size of the maximal winning set converges as the preview time and the least holding time increase. Verifying this conjecture is part of our future work.

V. CONCLUSIONS AND FUTURE WORK

In this paper we introduced the preview automaton and provided an algorithm for safety control synthesis in the presence of preview information. The proposed algorithm is shown to compute the maximal winning set upon termination. These ideas are demonstrated with two examples from the autonomous driving domain. As shown in these examples, incorporating preview information in control synthesis leads to less conservative safety guarantees compared to standard controlled-invariant-set based approaches. In the future we will investigate the use of the preview automaton for synthesizing controllers from more general specifications. We also have ongoing work investigating the connections of the preview automaton with discrete-time I/O hybrid automata with clock variables representing preview and holding times.

REFERENCES

[1] Z. Liu and N. Ozay, "Safety control with preview automaton," in Proceedings of the 22nd ACM International Conference on Hybrid Systems: Computation and Control. ACM, 2019, pp. 280-281.
[2] T. B. Sheridan, "Three models of preview control," IEEE Transactions on Human Factors in Electronics, no. 2, pp. 91-102, 1966.
[3] M. Tomizuka and D. Whitney, "Optimal discrete finite preview problems (why and how is future information important?)," Journal of Dynamic Systems, Measurement, and Control, vol. 97, no. 4, pp. 319-325, 1975.
[4] T. Katayama, T. Ohki, T. Inoue, and T. Kato, "Design of an optimal controller for a discrete-time system subject to previewable demand," International Journal of Control, vol. 41, no. 3, pp. 677-699, 1985.
[5] A. Hazell, "Discrete-time optimal preview control," Ph.D. dissertation, Imperial College London, 2008.
[6] H. Peng and M. Tomizuka, "Preview control for vehicle lateral guidance in highway automation," Journal of Dynamic Systems, Measurement, and Control, vol. 115, no. 4, pp. 679-686, 1993.
[7] S. Xu and H. Peng, "Design, analysis, and experiments of preview path tracking control for autonomous vehicles," IEEE Transactions on Intelligent Transportation Systems, 2019.
[8] C. E. Garcia, D. M. Prett, and M. Morari, "Model predictive control: theory and practice - a survey," Automatica, vol. 25, no. 3, pp. 335-348, 1989.
[9] J. Laks, L. Pao, E. Simley, A. Wright, N. Kelley, and B. Jonkman, "Model predictive control using preview measurements from lidar," in 49th AIAA Aerospace Sciences Meeting including the New Horizons Forum and Aerospace Exposition, 2011, p. 813.
[10] O. Kupferman, D. Sadigh, and S. A. Seshia, "Synthesis with clairvoyance," in Haifa Verification Conference. Springer, 2011, pp. 5-19.
[11] M. Holtmann, Ł. Kaiser, and W. Thomas, "Degrees of lookahead in regular infinite games," in International Conference on Foundations of Software Science and Computational Structures. Springer, 2010, pp. 252-266.
[12] M. Zimmermann, "Finite-state strategies in delay games," arXiv preprint arXiv:1709.03539, 2017.
[13] N. Athanasopoulos, K. Smpoukis, and R. M. Jungers, "Safety and invariance for constrained switching systems," in 2016 IEEE 55th Conference on Decision and Control (CDC). IEEE, 2016, pp. 6362-6367.
[14] P. Nilsson, N. Ozay, U. Topcu, and R. M. Murray, "Temporal logic control of switched affine systems with an application in fuel balancing," in 2012 American Control Conference (ACC). IEEE, 2012, pp. 5302-5309.
[15] D. Bertsekas, "Infinite time reachability of state-space regions by using feedback control," IEEE Transactions on Automatic Control, vol. 17, no. 5, pp. 604-613, 1972.
[16] E. De Santis, M. D. Di Benedetto, and L. Berardi, "Computation of maximal safe sets for switching systems," IEEE Transactions on Automatic Control, vol. 49, no. 2, pp. 184-195, 2004.
[17] M. Rungger and P. Tabuada, "Computing robust controlled invariant sets of linear systems," IEEE Transactions on Automatic Control, vol. 62, no. 7, pp. 3665-3670, 2017.
[18] S. W. Smith, P. Nilsson, and N. Ozay, "Interdependence quantification for compositional control synthesis with an application in vehicle safety systems," in 2016 IEEE 55th Conference on Decision and Control (CDC). IEEE, 2016, pp. 5700-5707.
[19] M. Herceg, M. Kvasnica, C. Jones, and M. Morari, "Multi-Parametric Toolbox 3.0," in Proc. of the European Control Conference, Zürich, Switzerland, July 17-19, 2013, pp. 502-510, http://control.ee.ethz.ch/~mpt.
[20] Road Design Manual. Michigan Department of Transportation.

APPENDIX

Proof of Lemma 1. By the definition of Pre, for any sets $W_1 \subseteq W_2 \subseteq S$, $\mathrm{Pre}_{f_i}(W_1) \subseteq \mathrm{Pre}_{f_i}(W_2)$ for any $i \in Q$. Therefore $\mathrm{PreInt}_{f_i}(W_1, S_i) \subseteq \mathrm{PreInt}_{f_i}(W_2, S_i) \subseteq S_i$, and furthermore $\mathrm{Inv}_{f_i}(W_1) \subseteq \mathrm{Inv}_{f_i}(W_2) \subseteq S_i$ for any $i \in Q$. According to line 2 of Algorithm 1, the input $W$ of InvPre is always a subset of $S$. Note that all the intermediate variables $C_{l,j}$, $C_{T_{\min}}$, $C_k$ are computed recursively by PreInt and Inv. By the monotonicity of PreInt and Inv, we can check step by step that the values of the intermediate variables $C_{l,j}$, $C_{T_{\min}}$, $C_k$ of InvPre with respect to the input $W_1$ are contained in the values of those variables with respect to the input $W_2$. Therefore $\mathrm{InvPre}_{f_i}(G, W_1, S) \subseteq \mathrm{InvPre}_{f_i}(G, W_2, S) \subseteq S_i$.

Proof of Lemma 2.
First note that $\mathrm{InvPre}_{f_i}(G, W, S)$ only depends on $G$, $\{W_j\}_{j \in \mathrm{Post}_G(i)}$ and $S$, although we use the whole $W$ instead of $\{W_j\}_{j \in \mathrm{Post}_G(i)}$ as the input of Algorithm 2 for brevity. In this proof we change the notation to $\mathrm{InvPre}_{f_i}(G, \{W_j\}_{j \in \mathrm{Post}_G(i)}, S)$ to make this point clear. The key observation in this proof is the following: if the system switches from node $i$ to node $j$ at some time $t$ with state $x(t)$, then for the purpose of synthesizing future control strategies this is equivalent to the system starting initially from the state $(j, x(t))$; therefore a controller guaranteeing safety for the rest of the run exists if and only if $x(t) \in W_j^*$.

Denote the maximal winning set by $\{W_i^*\}_{i \in Q}$. By Proposition 2, $W_j^* = \mathrm{Inv}_{f_j}(S_j)$ for all sink states $j \in Q_s$. Let $i \in Q_{ns}$ and suppose that we know the maximal winning sets $W_k^*$ for all $k \in Q_{ns}$ except $i$. We want to show that $W_i^*$ can be computed as $\mathrm{InvPre}_{f_i}(G, \{W_j^*\}_{j \in \mathrm{Post}(i)}, S)$. Note that $i \notin \mathrm{Post}(i)$, since we do not allow self-loops in the preview automaton. Denote the minimum preview time among all feasible transitions by $T_{\min} = \min_{j \in \mathrm{Post}_G(i)} T(i,j)$.

Let us first consider the case where no preview happens during the time interval $[0, t-1]$ with $t \ge H(i) - T_{\min}$. In this case the least holding time constraint will be satisfied whatever the next transition is. Consider the maximal set of states $C_{T_{\min}}$ such that if $x(t)$ is within $C_{T_{\min}}$, there exists a controller that makes the closed-loop system satisfy the safety specification. Suppose that a preview happens at $t$ with destination state $j \in \mathrm{Post}_G(i)$ and remaining time $T_{ij} = T(i,j)$.
To guarantee that the safety specification is satisfied in the future, $x(t')$ has to be within $S_i$ for every $t \le t' < t + T_{ij}$, and $x(t + T_{ij})$ has to be within $W_j^*$ at time $t + T_{ij}$. The maximal subset of $S_i$ that can reach $W_j^*$ in one step is $\mathrm{PreInv}_{f_i}(W_j^*, S_i)$. Applying PreInv $T_{ij}$ times, we obtain the maximal subset of states in $S_i$ that can stay within $S_i$ until reaching $W_j^*$ at $t + T_{ij}$, which is $C_{T_{ij}, j}$ in lines 2-7 of Algorithm 2. The intersection $\bigcap_{j \in \mathrm{Post}_G(i)} C_{T_{ij}, j}$ is the maximal set of values of $x(t)$ that guarantees the safety specification under the condition that a preview takes place at $t$. If there is no preview at $t, t+1, \ldots$, the system needs to stay within $\bigcap_{j \in \mathrm{Post}_G(i)} C_{T_{ij}, j}$ for safety at times $t+1, t+2, \ldots$. Therefore
$$C_{T_{\min}} = \mathrm{Inv}_{f_i}\Big(\bigcap_{j \in \mathrm{Post}_G(i)} C_{T_{ij}, j}\Big) \quad \text{(line 9)}.$$

Now consider the case where no preview takes place in $[0, t-1]$ with $t = H(i) - T_{\min} - 1$. Denote by $C_{T_{\min}+1}$ the maximal subset of $S_i$ such that if $x(t) \in C_{T_{\min}+1}$ there exists a controller guaranteeing the safety specification, and otherwise no such controller exists. If there is no preview at time $t$, all we need for safety is $x(t+1) \in C_{T_{\min}}$, and $\mathrm{PreInv}_{f_i}(C_{T_{\min}})$ is the maximal set of values of $x(t)$ for which there exists a control input ensuring $x(t+1) \in C_{T_{\min}}$. Otherwise, if there is a preview at $t$ with destination state $j$, all we need is $x(t) \in C_{T_{ij}, j}$ by the previous discussion. The set of all feasible destination states for which a preview can occur at $t$ is $J_{T_{\min}+1} = \{j \in \mathrm{Post}_G(i) : T_{ij} \ge T_{\min} + 1\}$. Therefore, depending on whether $J_{T_{\min}+1}$ is empty or not, $C_{T_{\min}+1}$ equals $\mathrm{PreInv}_{f_i}(C_{T_{\min}})$ or $\mathrm{PreInv}_{f_i}(C_{T_{\min}}) \cap \big(\bigcap_{j \in J_{T_{\min}+1}} C_{T_{ij}, j}\big)$ (lines 12 and 14), which is guaranteed to admit a safety controller in every situation.
The same discussion can be repeated for $t = H(i) - T_{\min} - k$ up to $k = H(i) - T_{\min}$, resulting in
$$C_{T_{\min}+k} = \mathrm{PreInv}_{f_i}(C_{T_{\min}+k-1}) \cap \bigcap_{j \in J_{T_{\min}+k}} C_{T_{ij}, j}, \qquad J_{T_{\min}+k} = \{j \in \mathrm{Post}_G(i) : T_{ij} \ge T_{\min} + k\}.$$
For $k = H(i) - T_{\min}$ we have $t = 0$, and $C_{H(i)}$ is the maximal set of values of $x(0)$ such that if $x(0) \in C_{H(i)}$ there exists a controller that makes the closed-loop system satisfy the safety specification, which is the maximal winning set with respect to $i$. Therefore $W_i^* = C_{H(i)} = \mathrm{InvPre}_{f_i}(G, \{W_j^*\}_{j \in \mathrm{Post}_G(i)}, S)$ (line 14), and $\{W_j^*\}_{j \in Q_{ns}}$ is a solution of the equations in (6).

We have proved that the maximal winning set must satisfy the equations in (6). On the other hand, by the construction of InvPre, it can be verified that any solution $\{W_i\}_{i \in Q_{ns}}$ with $W_j \subseteq S_j$ for $j \in Q_{ns}$ of the equations in (6) with respect to $\{W_k^*\}_{k \in Q_s}$ is a winning set (not necessarily maximal). Also, since by definition the union of winning sets is still a winning set, the maximal winning set must be unique and contain all winning sets. Therefore $\{W_i^*\}_{i \in Q_{ns}}$ must be the maximal solution of the equations in (6) with respect to $\{W_k^*\}_{k \in Q_s}$.
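The iterate-by-iterate computation for Fig. 4 in Section III and the $C_{T_{ij},j}, C_{T_{\min}}, \ldots, C_{H(i)}$ construction of Lemma 2 above can both be executed directly on a finite-state switched system. The Python below is an added example and not the authors' implementation (theirs operates on polytopes with MPT3). The three-state mode dynamics, the control labels `a`/`b` and the unsafe absorbing state `s3` are constructed assumptions, chosen so that the fixed point reproduces the values reported for Fig. 4 ($H_1 = H_2 = 3$, $T_{12} = T_{21} = 1$, $W_1 = \{s_1\}$, $W_2 = \{s_2\}$); the function `no_preview_invariant_set` is an added baseline in the spirit of the cruise-control comparison in Section IV-A (a single control input must work for every mode treated as a disturbance), and it comes out empty for this toy, mirroring that comparison. The code assumes singleton preview times and $H(i) \ge \min_j T(i,j)$; a mode with no outgoing preview edge and $H(i) = \infty$ is treated as a sink.

```python
"""Finite-state instance of Algorithm 1 (winning-set fixed point) and of the
InvPre operator of Algorithm 2 / Lemma 2. Added example, not the authors' code.
The dynamics below are a constructed toy reproducing the Fig. 4 iterates."""
from functools import reduce
import math

SINK = math.inf  # H(i) = infinity marks a sink mode

# Mode dynamics: state -> {control: set of successors over all disturbances}.
# Constructed assumption: s3 is an unsafe absorbing state; in mode 1 the state
# s2 is losing (only leads to s3), in mode 2 the state s1 is losing.
ABSORB = {"a": {"s3"}, "b": {"s3"}}
MODES = {
    1: {"s1": {"a": {"s1"}, "b": {"s2"}}, "s2": ABSORB, "s3": ABSORB},
    2: {"s2": {"a": {"s2"}, "b": {"s1"}}, "s1": ABSORB, "s3": ABSORB},
}
SAFE = {1: {"s1", "s2"}, 2: {"s1", "s2"}}   # S_i (s3 is unsafe in both modes)
HOLD = {1: 3, 2: 3}                          # least holding times H(i)
PREVIEW = {(1, 2): 1, (2, 1): 1}             # singleton preview times T(i, j)


def pre(f, W):
    """Pre_f(W): states with a control that lands in W for every disturbance."""
    return {x for x, ctrls in f.items() if any(succ <= W for succ in ctrls.values())}


def pre_int(f, W, S):
    """PreInt / PreInv: one step towards W while staying inside S."""
    return pre(f, W) & S


def inv(f, V):
    """Inv_f(V): maximal controlled invariant subset of V (greatest fixed point)."""
    C = set(V)
    while True:
        nxt = pre_int(f, C, C)
        if nxt == C:
            return C
        C = nxt


def inv_pre(i, W, modes, safe, hold, preview):
    """InvPre_{f_i}(G, W, S) built from C_{T_ij,j}, C_{T_min}, ..., C_{H(i)}."""
    f, S_i = modes[i], safe[i]
    post = [j for (a, j) in preview if a == i]
    if not post:                      # sink mode: plain controlled invariant set
        return inv(f, S_i)
    T_min = min(preview[(i, j)] for j in post)
    if hold[i] < T_min:
        raise ValueError("example assumes H(i) >= min_j T(i, j)")
    # lines 2-7: C_{T_ij,j} = states of S_i that reach W_j in exactly T_ij steps
    C_reach = {}
    for j in post:
        C = set(W[j])
        for _ in range(preview[(i, j)]):
            C = pre_int(f, C, S_i)
        C_reach[j] = C
    # line 9: holding time already satisfied, a preview may arrive at any step
    C = inv(f, reduce(set.__and__, C_reach.values()))
    # lines 12-14: step back in time; only previews with T_ij >= T_min + k fit
    for k in range(1, hold[i] - T_min + 1):
        C = pre_int(f, C, S_i)
        for j in post:
            if preview[(i, j)] >= T_min + k:
                C &= C_reach[j]
    return C


def maximal_winning_set(modes, safe, hold, preview):
    """Algorithm 1: sinks get Inv(S_i); non-sinks iterate InvPre until stable.
    Returns the tuple of sets and the number of 'while' passes (last pass
    confirms no change)."""
    W = {i: inv(modes[i], safe[i]) if hold[i] == SINK else set(safe[i]) for i in modes}
    non_sink = [i for i in modes if hold[i] != SINK]
    passes = 0
    while True:
        passes += 1
        old = {i: set(W[i]) for i in W}
        for i in non_sink:
            W[i] = inv_pre(i, W, modes, safe, hold, preview)
        if W == old:
            return W, passes


def no_preview_invariant_set(modes, safe):
    """Baseline without preview: the active mode acts as a disturbance, so one
    control must keep the state safe under every mode's dynamics."""
    any_mode = next(iter(modes))   # assumes all modes share control labels
    C = reduce(set.__and__, safe.values())
    while True:
        nxt = {x for x in C
               if any(all(modes[i][x][u] <= C for i in modes) for u in modes[any_mode][x])}
        if nxt == C:
            return C
        C = nxt


if __name__ == "__main__":
    print(maximal_winning_set(MODES, SAFE, HOLD, PREVIEW))   # ({1: {'s1'}, 2: {'s2'}}, 2)
    print(no_preview_invariant_set(MODES, SAFE))             # set()
```

Running it yields $W_1 = \{s_1\}$, $W_2 = \{s_2\}$ after one changing pass and one confirming pass, matching the hand computation for Fig. 4, while the no-preview baseline is empty: without knowing which mode comes next, no single input keeps both modes safe, which is the finite-state analogue of the empty controlled invariant set in the cruise-control study. Passing `HOLD = {1: 3, 2: SINK}` with `PREVIEW = {(1, 2): 1}` exercises the sink branch (lines 4-6 of Algorithm 1) and gives the same two sets.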
