Safety-Guarantee Controller Synthesis for Cyber-Physical Systems
The verification and validation of cyber-physical systems is known to be a difficult problem due to the different modeling abstractions used for control components and for software components. A recent trend to address this difficulty is to reduce the need for verification by adopting correct-by-design methodologies. According to the correct-by-design paradigm, one seeks to automatically synthesize a controller that can be refined into code and that enforces temporal specifications on the cyber-physical system. In this paper we consider an instance of this problem where the specifications are given by a fragment of Linear Temporal Logic (LTL) and the physical environment is described by a smooth differential equation. The contribution of this paper is to show that synthesis for cyber-physical systems is viable by considering a fragment of LTL that is expressive enough to describe interesting properties but simple enough to avoid Safra’s construction. We report on two examples illustrating a preliminary implementation of these techniques on the tool PESSOALTL.
💡 Research Summary
The paper tackles a long-standing difficulty in verifying cyber-physical systems (CPS): the mismatch between continuous physical dynamics and discrete software specifications. Rather than relying on heavyweight post-hoc verification, the authors adopt a correct-by-design paradigm: they automatically synthesize a controller that can be refined into executable code while guaranteeing a set of temporal properties. The key technical contribution is the identification of a restricted fragment of Linear Temporal Logic (LTL) that is expressive enough to capture realistic safety and liveness requirements yet simple enough to avoid Safra's determinization construction, the costly Büchi-automaton determinization step that synthesis for full LTL requires. By limiting nesting and the use of the until operator, the fragment admits a direct translation of specifications into deterministic automata without that blow-up.
The physical plant is modeled by smooth differential equations. To bridge the continuous-discrete gap, the authors employ a reachability-based abstraction: the state space is partitioned into finitely many cells, and a transition graph is built that over-approximates the possible evolutions of each cell under the admissible control inputs. This abstraction yields a finite-state game between the controller (the protagonist, who picks the input) and the environment (the antagonist, who picks which of the possible successor cells is actually reached). The synthesis algorithm proceeds in two stages. First, a safety game is solved to compute a controllable invariant: the set of states from which the controller can forever avoid the unsafe regions. Second, a liveness game is solved on this reduced state space to enforce the remaining specification, using fixed-point computations that stay tractable because of the fragment's limited expressive power.
The authors formalize the approach with two theorems: (1) a specification in the chosen fragment is realizable if and only if the corresponding safety and liveness games admit winning strategies, and (2) the synthesized controller, once refined back to the continuous domain, guarantees that the closed-loop trajectories of the original differential equation never enter the unsafe set and satisfy the temporal objectives. A prototype tool, PESSOALTL, implements the full pipeline: parsing of the LTL fragment, abstraction generation, game solving, and controller code generation.
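As an added illustration of the two-stage game solving and the refinement step described in the two paragraphs above (this is example code written for this summary, not PESSOALTL's implementation or the paper's own case study), the following Python script abstracts an assumed toy plant, a double-integrator "vehicle" on a lane segment with bang-bang acceleration, into a grid of half-open cells, solves the safety game for the maximal controllable invariant, then solves the reachability game inside it, and finally refines the result into a lookup-table controller on the concrete state. Every parameter (lane length, speed limit, cell widths, disturbance bound, target region) is an assumption chosen for the example.

```python
"""Added example (not PESSOALTL or the paper's code): two-stage game synthesis
on a grid abstraction of an assumed toy plant.

Plant: x' = x + TAU*v,  v' = v + TAU*u + w,  u in {-1,0,1},  |w| <= W_MAX.
The state space is cut into half-open grid cells; a cell's successors under an
input are all cells its interval image touches, so the environment (antagonist)
chooses which successor is actually reached.
"""
from itertools import product

TAU = 1.0
W_MAX = 0.0   # disturbance bound; > 0 enlarges Post(), so the invariant can only shrink
X_MIN, X_MAX, X_CELLS = 0.0, 10.0, 10   # lane: x in [0,10), ten cells of width 1
V_MIN, V_MAX, V_CELLS = -3.0, 3.0, 6    # speed limit: v in [-3,3), six cells of width 1
INPUTS = (-1.0, 0.0, 1.0)
OUT = "OUT"   # sink state: the plant left the domain (unsafe by definition)
DX = (X_MAX - X_MIN) / X_CELLS
DV = (V_MAX - V_MIN) / V_CELLS
ALL_CELLS = frozenset(product(range(X_CELLS), range(V_CELLS)))


def cells_hit(lo, hi, amin, amax, n):
    """Indices of the n half-open cells of [amin,amax) intersecting the
    half-open image interval [lo,hi); None if the image leaves the domain."""
    if lo < amin or hi > amax:
        return None
    d = (amax - amin) / n
    return [j for j in range(n) if lo < amin + (j + 1) * d and hi > amin + j * d]


def post(cell, u):
    """Over-approximate successor set of grid cell (i,k) under input u.
    Interval arithmetic is exact here because the map is affine and monotone
    in (x, v); the image of a half-open box is again a half-open box."""
    i, k = cell
    xlo, xhi = X_MIN + i * DX, X_MIN + (i + 1) * DX
    vlo, vhi = V_MIN + k * DV, V_MIN + (k + 1) * DV
    xs = cells_hit(xlo + TAU * vlo, xhi + TAU * vhi, X_MIN, X_MAX, X_CELLS)
    vs = cells_hit(vlo + TAU * u - W_MAX, vhi + TAU * u + W_MAX, V_MIN, V_MAX, V_CELLS)
    if xs is None or vs is None:
        return {OUT}
    return {(j, m) for j in xs for m in vs}


def controllable_invariant(safe):
    """Stage 1 (safety game): greatest fixed point W = {q in safe : exists u,
    Post(q,u) subset of W}.  Returns (W, strategy) with strategy[q] = such a u."""
    W = set(safe)
    while True:
        keep = {}
        for q in W:
            for u in INPUTS:
                if post(q, u) <= W:
                    keep[q] = u
                    break
        if len(keep) == len(W):
            return W, keep
        W = set(keep)          # drop cells with no safe input and re-check


def attractor(target, inv):
    """Stage 2 (reachability game on the invariant): least fixed point of
    A = (target & inv) | {q in inv : exists u, Post(q,u) subset of A}.
    Returns rank[q] = worst-case number of steps to enter target from q, and
    the input to apply in each non-target cell of the attractor."""
    rank = {q: 0 for q in target & inv}
    strat, n = {}, 0
    while True:
        n += 1
        done, new = set(rank), {}
        for q in inv - done:
            for u in INPUTS:
                if post(q, u) <= done:
                    new[q] = u
                    break
        if not new:
            return rank, strat
        for q, u in new.items():
            rank[q], strat[q] = n, u


# Specification: G(x in [0,10) and v in [-3,3))  and  F(x in [3,7) and v in [-1,1)).
SAFE = ALL_CELLS
TARGET = frozenset((i, k) for i in range(3, 7) for k in (2, 3))
INV, SAFE_STRAT = controllable_invariant(SAFE)
RANK, REACH_STRAT = attractor(TARGET, INV)


def controller(x, v):
    """Refined controller on the concrete state: quantize, then look up the
    reach input (outside the target) or the safe input (inside it).
    Returns None where the synthesized controller offers no guarantee."""
    if not (X_MIN <= x < X_MAX and V_MIN <= v < V_MAX):
        return None
    q = (int((x - X_MIN) // DX), int((v - V_MIN) // DV))
    if q not in RANK:          # not in the attractor: no winning strategy from here
        return None
    return SAFE_STRAT[q] if q in TARGET else REACH_STRAT[q]


if __name__ == "__main__":
    print(f"controllable invariant: {len(INV)} of {len(ALL_CELLS)} cells")
    print(f"attractor: {len(RANK)} cells, worst-case {max(RANK.values())} steps to target")
    print("x in [5,6) moving left at v in [-3,-2) is uncontrollable:", (5, 0) not in INV)
```

Running the script shows the safety stage pruning the cells where the braking distance exceeds the remaining lane: from x in [5,6) with v in [-3,-2), unit deceleration can consume 3+2+1 = 6 units of lane before the vehicle stops, so that cell is outside the invariant, while the same speed at x in [9,10) is fine. The rank returned by the reachability stage is the worst-case number of steps to the target, which is exactly the kind of deadline bound a specification such as "reach the set point within N steps" needs. Note that the game is adversarial even with W_MAX = 0, because quantization alone lets the environment choose among the successor cells; raising W_MAX enlarges every Post() set and therefore can only shrink both winning regions, which is the abstraction-precision trade-off. The controller here realizes "always safe and eventually in the target"; a recurrence objective (return to the target infinitely often) would rerun the reach computation from the target instead of switching to the pure safety strategy.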
Two case studies illustrate the methodology. The first is an autonomous-vehicle lane-keeping system: the controller must ensure that the vehicle never leaves its lane (a safety property) and eventually reaches a designated waypoint (a liveness property). The second is a temperature regulation system in which the temperature must stay within prescribed bounds while reaching a target temperature within a deadline. In both scenarios the synthesized controllers handled model uncertainties and external disturbances in simulation, supporting the practical viability of the approach.
Overall, the paper shows that by carefully choosing an LTL fragment and applying game-theoretic synthesis on a reachability-based abstraction, one can obtain correct-by-design controllers for CPS without resorting to Safra's construction. The work opens avenues for extending the fragment, improving abstraction precision, and deploying the technique on real-time embedded platforms.