We investigate the problem of synthesizing robust controllers that ensure that the closed loop satisfies an input reach-while-stay specification, wherein all trajectories starting from some initial set I, eventually reach a specified goal set G, while staying inside a safe set S. Our plant model consists of a continuous-time switched system controlled by an external switching signal and plant disturbance inputs. The controller uses a state feedback law to control the switching signal in order to ensure that the desired correctness properties hold, regardless of the disturbance actions.
INTRODUCTION
The problem of correct-by-construction controller design seeks a feedback control law that controls a given plant model to satisfy a property specification. In this paper, we examine the problem of designing controllers that robustly control a switched system, which is subject to external disturbance inputs lying inside a set D and to a controlled switching mode from a finite set Q. The property specification is a reach-while-stay (RWS) property that states that all traces of the resulting closed loop starting from a set I remain inside a safe set S until they eventually reach a goal set G.
The approach is to use a robust control Lyapunov-like function (RCLF) V (x) defined over the plant states. For any state, we require that there be a switching mode q which can be chosen to strictly decrease the value of V , as long as the state remains in the set S \ G. Additionally, we require that the value of V be negative inside the initial set I and positive at the boundary of the safe set S. These conditions together naturally guarantee the existence of a controller that can switch between appropriate control modes to satisfy the RWS property. Furthermore, we prove that such a controller will naturally satisfy a minimum dwell time property under the assumption that the sets I, S and G are all compact.
Next, we present an approach that automatically discovers an RCLF. This is posed as a constraint feasibility problem wherein the form of the function V is specified as a polynomial with unknown coefficients c. However, we require the solution to a set of nonlinear quantified constraints. It is well known that these constraints are hard to solve even for small systems. We provide an extension of a now well-known idea called counter-example guided inductive synthesis (CEGIS) [25, 26]. CEGIS was originally proposed as a program synthesis technique that can solve ∃∀ constraints to synthesize values for missing constants in program sketches so that the resulting program satisfies a set of assertions. Recently, we showed the applicability of the CEGIS approach to control synthesis, but in the absence of disturbance inputs [22]. In this paper, we extend the approach to solve problems with disturbances. In theory, the presence of disturbances requires us to consider an extra quantifier alternation, yielding ∃∀∃∀ constraints. As a result, it is computationally challenging to naively extend the CEGIS approach designed for ∃∀ constraints. We show that an extension that modifies the structure of the witnesses in the CEGIS procedure can be applied to naturally handle this quantifier elimination.
We implement our approach using a combination of the SMT solver Z3 [7] and an off-the-shelf linear matrix inequality (LMI) solver to synthesize RCLFs for benchmark examples. We compare our work with a default approach that ignores disturbances by setting them to a nominal fixed value. We show that the certificates thus obtained are not robust to disturbances in many situations. In contrast, our approach succeeds in finding a robust CLF.
Finally, we turn our attention to the problem of synthesizing the controller implementation from the RCLF. This problem is not considered in [22] , and is shown to be nontrivial, especially when the worst case execution times of the various components need to be taken into account to guarantee that the mode switches happen at the appropriate time instants. We design a time triggered implementation and illustrate it on two benchmark examples.
Related Work
Fundamentally, there are two types of approaches to solving control synthesis problems. The first is based on a combination of abstraction to a finite game graph and solving this finite game using fixed-point algorithms. One advantage of this approach is the ability to easily handle complex temporal specifications [16]. In this technique, the system is usually abstracted using a simulation relation. The abstraction guarantees that a solution (switching strategy) for the abstract system is also a solution for the original system. In the next step, a solution for the abstract system is calculated using fixed-point computation. Most of these techniques do not consider disturbances because of computational difficulties in solving two-player games [17, 3, 21]. However, the uncertainties can be easily modeled in the abstraction, and this makes it easy to consider disturbances as well [30, 16].
Another methodology is based on solving constraints. In the first phase, the problem is reduced to finding a control certificate (e.g., a control Lyapunov function). A control certificate provides a control strategy and a certificate which guarantees the specification. Dimitrova and Majumdar provide a proof system for ATL * properties using a combination of control Lyapunov-like functions [8]. However, for the most part it has proven hard to manually generate such certificates. As a result, the approach in this paper focuses on a smaller class of constraints while providing automated approaches for the controller synthesis problem. As mentioned earlier, we directly extend our previous work [22] in two ways: (a) we handle disturbance inputs and the attendant quantifier alternation involved, and (b) we provide a solution to the control implementation synthesis from the certificates.
In this paper, we use a control Lyapunov-like function (CLF) to guarantee the specification. The idea of using CLFs was originally proposed by Artstein [2] and Sontag [27] showed how to design a controller from a given CLF. Later, the concept of robust CLFs (RCLF) was introduced [24, 9] . Battilotti [4, 5] showed how one can design robust controls using RCLFs. In most of these methods, the control input has a fixed form. This fixed form can be a polynomial (in state variables) which yields a static feedback controller [29, 12] or a control table [14] .
The approach of Taly et al. synthesizes the missing parts of a skeleton switching logic that allows the overall system to satisfy some control objectives [28] . The similarities with our method include the use of constraint solvers to encode the presence of Lyapunov and barrier functions to guarantee reachability and safety properties. In this work, no such skeleton is specified and furthermore, we are able to deal with disturbances.
As mentioned earlier, this work extends the so-called counterexample guided inductive synthesis (CEGIS) procedure. The CEGIS procedure has been primarily used for parameter synthesis in programming languages (e.g., [25, 1]) and hybrid systems [10, 31]. More recently, a similar procedure was used for finding Lyapunov functions by Kapinski et al. [15], and control Lyapunov functions [22], solving ∃∀ formulae. In this work we use the CEGIS procedure to solve ∃∀∃∀ formulae when searching for RCLFs. We compare our approach to the "default" strategy that synthesizes a controller by nominally fixing a disturbance value and then verifying the robustness of the resulting controller.
BACKGROUND
In this section, we discuss the model used for the switched system along with reach-while-stay objectives. We then discuss proof rules for enforcing the specification in the absence of disturbances.
We use R to denote the real numbers. For a set X ⊆ R n , we denote its interior as int(X). 
System Model
The system model is a switched system consisting of a plant and a controller. The plant has n continuous state variables written as x ∈ X ⊆ R n . The inputs to the plant are (i) the (controllable) mode of the plant which belongs to finite set Q and (ii) the (un-
The state of the plant updates according to the dynamics for the current mode of the system.
and (iv) a map from inputs and state to vector field f :
For simplicity, we write fq(
The control input signal q(.) : R + → Q is a piecewise constant function which maps time t to the control mode q(t). The state x(.) : R + → X is a function that satisfies .
The controller is memoryless, and has two parts: (i) the sensor which measures (estimates) the state of the plant x and (ii) the mode selector. The sensor has inputs (a) the plant state x and (b) the (uncontrollable) control disturbance d C , modeling the measurement error. The sensor then provides x (measured state) as output. The mode selector receives the measured state x and the current mode. The mode for the next time instant is its output. A schematic view of the closed loop system is shown in Figure 1 .
DEFINITION 2 (CONTROLLER). The controller is defined over a state space X, set of modes Q, compact control disturbance space D C , sensor function e : X × D C → X which maps plant state and control disturbance to measured plant state, and mode selector function switch : Q × X → Q which decides the new control mode for the system, given measured state and current mode. Formally, let κ(X, Q, D C , e, switch) denote a controller.
Similar to the plant disturbance, the control disturbance is uncontrollable and d C (.) : R + → D C is any function describing the control disturbance for all times.
REMARK 1. It is feasible to extend the control model to consider (a) state estimation error wherein the state is estimated from an output through a filter, (b) delays in computing the control mode from a given state and (c) delays in a commanded state from taking effect. For instance, (a) and (b) are handled using an appropriate control disturbance and (c) through a plant disturbance input.
In short, the memoryless controller is a function, and the trace of the mode satisfies the condition below:
Notice that given x(0), q(0), d P (.) and d C (.), the trace of the system is unique. The control synthesis problem is to design the function switch s.t. the closed loop system satisfies the specification.
Control Synthesis Problem
A specification ϕ is described over the trace of state x(.). The specification in this article is reach-while-stay w.r.t. compact regions S (⊆ X), I (⊆ int(S)), G (⊆ I) as safe, initial and goal sets, respectively.
DEFINITION 3 (REACH-WHILE-STAY). RW S(S, I, G, x(.))
is a specification that guarantees a trace, starting from region I, reaches G, while staying in S. RW S(S, I, G, x(.)) is defined as
DEFINITION 4 (SYNTHESIS PROBLEM).
The problem of controller synthesis is to find switch function such that a specification RW S(S, I, G, x(.)) is guaranteed: Find switch s.t.
(1) Figure 2 shows different regions for reach-while-stay along with some traces which respect the specification.
Proof Rules
The specification RW S(S, I, G, x(.)) combines liveness and safety aspects that require the trace to eventually reach G, while staying within the set S. Proof rules involving Lyapunov-like functions for RWS properties are well-known [8, 22] . We recall a proof rule that does not involve disturbance inputs:
A Lyapunov-like function guarantees that RW S(S, I, G, x(.)) holds in the absence of inputs. It enforces that the value of the function is negative initially and is positive whenever the system reaches the boundary of S. Furthermore, the derivative of V is negative inside S \ G. Together, these premises guarantee that (a) G must be eventually reached and (b) the boundary of S will never be reached by a trace starting from I. In fact, the set {x | V (x) = 0} ∩ S forms a barrier that ensures that the boundary of S is never reached. The dashed line in Fig. 2 marks the places in S where V (x) = 0; the value of V decreases as time passes.
We will now define a Lyapunov-like function V in the presence of control inputs. The first two constraints in Eq. (2) will be the same when the plant has a control input q.
Figure 2 : Reach-while-stay Specification w.r.t. safe set S, initial set I and goal set G.
DEFINITION 6 (CONTROL LYAPUNOV-LIKE FUNCTION).
Comparing with Def. 5, we notice that the only change occurs in the last rule. Rather than requiring that ∇V.f is negative, we now require that at each state x, a mode q is available to enforce decrease of V (∇V.fq is negative).
However, neither Def. 5 nor Def. 6 considers disturbance inputs. The presence of disturbances (plant disturbance and control disturbance) adds one more level of difficulty to the problem, involving a quantifier alternation. We now present strategies to synthesize in the presence of disturbances.
HANDLING DISTURBANCES
In this section, we discuss the handling of disturbances for robust implementation of controllers. For simplicity, let d be a vector describing the joint plant disturbance d P and control disturbance
, assuming e is a polynomial. The idea is to find a control mode q such that the value of V decreases under all possible values of disturbances. We modify Def. 6 to incorporate disturbances for the property RW S(S, I, G, x(.)).
DEFINITION 7 (ROBUST CLF). A robust CLF (RCLF) is a polynomial function V with the following properties:
When compared to Eq. (3), the third condition for the RCLF is more complicated because of the extra (∀d) quantifier. We use the counter-example guided synthesis (CEGIS) framework in Section 4 to handle this quantifier alternation.
Let us define a function condq(x) over a state x and mode q as
From Eq. (4), we note that the goal of a controller is to find a mode q that guarantees that condq(x) < − . For a given mode q and state x the controller performs the following actions: (a) Evaluate condq(x) and check whether condq(x) < − s for a switching threshold value s (0 < s < ) supplied by the user. (b) If this check fails, the controller finds a new mode q' ∈ Q such that condq'(x) < − ; otherwise, the mode remains q. The control function switch can be defined succinctly as
Now, we show that, given an RCLF V , the switching law of Eq. (6) gives a controller that does not switch too fast. Assume that the sets S, G in the specification and the disturbance set D are all compact. Let V and f D q be bounded for each mode q. Let x(t) be a time trajectory of the closed loop system with corresponding switching function q(t), using the switching law in Eq. (6).
LEMMA 1. There exists a minimum dwell time δ > 0 such that for any time T , if for all t ∈ [T, T + δ]
1.
PROOF. Let q = q(T ). We are given that
and let τ > 0 be any time such that
Note that condq is a continuous and piecewise differentiable function of x. As a result, there is a Lipschitz constant Aq such that
) and furthermore the state space is compact. As a result, there exists a constant Bq such that
Let Λ = maxq∈Q Λq. Let us choose a δ such that
The above arguments show that for all t ∈ [T, T + δ],
Therefore, using that condq(x(T )) < − , we obtain for all t ∈ [T, T + δ], condq(x(T + t)) ≤ − s.
As a direct corollary, we can establish the following lemma.
LEMMA 2. Let 0 ≤ t1 < t2 be any time interval such that the trajectory
The controller respects the minimum dwell time property.
PROOF. Assume that (∇V
Let q(τ ) = q. Let τ0 < τ be a switch time instant such that ∀t ∈ (τ0, τ ], q(t) = q. By Eq. (6), we note that condq(x + (τ0)) < − < − s. Because condq is a continuous function, there must be a time τ1 such that τ0 < τ1 < τ and condq(x(τ1)) = − s. We note by assumption that x(τ1) ∈ S \ G. As a result, by Eq. (6), we note that q + (τ1) ≠ q(τ1), or in other words, a mode switch must happen at τ1 < τ . This contradicts our assumption that q(t) = q for all t ∈ (τ0, τ ] and hence, ∇V.f
By Lemma 1, there exists a δ > 0 defined purely in terms of V , the dynamics at each mode and the set S such that whenever condq(x(t)) < − , we have that condq(x(t + δ)) ≤ − s. As a result, we conclude that the time between two switches is at least δ.
THEOREM 1. Given compact sets G, I and S (I ⊆ int(S)) and a polynomial RCLF V satisfying Equation (4), there is a control strategy guaranteeing the minimum dwell time property s.t. I =⇒ S U G.
PROOF. We show that there exists a set W s.t.
Having Equation (4), according to Lemma 2, there exists a controller which respects the min dwell time property. Also, the controller guarantees ∇V.f
Now we show that I =⇒ W U G. Assuming otherwise for the sake of contradiction, we conclude that either the trace must remain in W forever or exit W without reaching G. Since W ⊆ S is a compact set, the trace cannot remain in W \ G forever: otherwise, V would have to decrease forever, but V is a continuous function that is lower bounded inside W \ G. Therefore, the only remaining possibility is that the trace exits W without reaching G. By the continuity of the trajectory, it must reach ∂W . Let T ≥ 0 be the first time instance s.t.
Therefore, the state trace cannot stay forever in W \ G and cannot exit W before entering G. While x ∈ (W \ G), by the construction of the controller, we can conclude that time diverges (because the controller respects the minimum dwell time property). We conclude that the RWS property holds.
COUNTEREXAMPLE GUIDED SYNTHESIS
So far, the problem of controller synthesis has been reduced to the problem of finding an RCLF V that satisfies Eq. (4). In this article, we restrict the search to polynomial RCLFs, which, in turn, leads to incompleteness of our method. Nevertheless, polynomial CLFs exist for many interesting problems [22]. Searching for a function V considers a parameterized function (a template) V (c, x) : Σ_α c_α x^α , where c_α is a real-valued unknown coefficient and x^α is a monomial in x. The goal is to find parameters c * ∈ C s.t. V (c * , x) satisfies Eq. (4). Formally, we seek to solve a quantified problem:
(∃c ∈ C) (∀x ∈ X)(* Conditions from eq. (4) *) .
In this article we use a counterexample guided inductive synthesis (CEGIS) approach to solve our problem. The CEGIS approach has been used widely in program synthesis for safety [25] . The key idea is to solve ∃∀ formulae (such as in Eq. (8) above) by solving simpler unquantified problems, iteratively. We now explain the general structure of the CEGIS framework for solving a constraint of the form (∃c ∈ C)(∀x ∈ X) Ψ(c, x) . Figure 3 illustrates the iterative process. At each iteration, we maintain two sets: (a) A subset Cn ⊆ C of the candidate space that is implicitly maintained as the set of solutions to an assertion ψn[c] and (b) A finite subset Xn : {x1, . . . , xn} of witnesses, such that xi ∈ X.
Initially, ψ0 represents the entire candidate space C, and X0 is the empty set. At each iteration, we perform three steps:
1. Candidate Generation: We generate a candidate point cn ∈ Cn by solving the formula ψn and finding a satisfying assignment for it. Failure to obtain such a solution means that Cn = ∅ and we have thus run out of candidates.
2. Witness Generation: We check whether the candidate c = cn represents a valid candidate by checking:
More precisely, we check its negation ¬Ψ(cn, x) as a formula involving only x. If the negation is UNSAT, then we conclude that the current candidate cn is a valid solution and stop. Otherwise, we add a witness xn+1.
3. Refining Candidate Space: Finally, we compute a new formula ψn+1 that incorporates the witness as ψn+1 :
In other words, ψn+1 forces future candidates c to be valid for all witnesses including xn+1.
For a more detailed discussion of CEGIS, its decidability and complexity, please refer to [23, 22]. When CEGIS terminates, it either gives a solution c, or gives a set of witnesses Xn for which no candidate exists. As such, the CEGIS approach cannot be used directly for the formulae arising from Eq. (8), since they involve additional quantifier alternations of the form (∃c) (∀x) (∃q) (∀d).
CEGIS for RCLF
We will now extend the original CEGIS framework to handle these further quantifier alternations. The idea is conceptually simple: we extend the witness structure. Rather than witnesses which are simply points xi ∈ X, we now allow witnesses of the form (xi, (Q → D)), i.e., a combination of a state xi ∈ X and a map from each mode to a disturbance vector. Since Q is finite, this map is explicitly stored as (xi, (q1, d1) , . . . , (qm, dm)).
First, we note that the RCLF requirements yield formulae of the form
but Ψ itself is a quantified formula with the following structure:
A first solution consists of applying CEGIS for ∃∀ as described previously. However, doing so yields quantified constraints for the candidate and witness generation steps. Since our objective was to avoid these quantified constraints in the first place, we modify the witness structure.
Witness Structure: As mentioned earlier, a witness to the violation of a given RCLF candidate c ∈ C includes a state x ∈ X at which the violation happens along with, for each mode qj that can be selected, a disturbance witness dj ∈ D that violates the formula. With disturbances, each witness then has the following structure:
With this witness structure, the overall CEGIS procedure extends naturally.
Candidate Generation: Let Yn : {y1, . . . , yn} be the set of witnesses at the n-th iteration, starting from Y0 : ∅. The candidate is generated by solving the formula:
wherein inst(Ψ, yi) substitutes the witness from Eq. (10) for the variables x, q, d in Eq. (9).
inst(Ψ, yi) :
We now use an SMT solver to decide whether the unquantified formula ψn from Eq. (11) is satisfiable.
Witness Generation: Once a candidate c = cn is generated by solving ψn, we evaluate whether it is a true RCLF. This involves substituting cn for c in the formula Ψ in Eq. (9) and checking if ¬Ψ is satisfiable. Since Ψ itself is the conjunction of r > 0 conditions, its negation is a disjunction, and we can check each disjunct separately for satisfiability. Each disjunct has the following form:
We can remove the existential quantifier over d equivalently through m = |Q| fresh sets of variables d1, . . . , dm. The new disjunct is written:
If satisfiable, we obtain a witness (xn+1, (q1, d
). Otherwise, we conclude that cn represents a valid RCLF.
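As an added illustration of the extended CEGIS loop described in this section (example code, not the paper's implementation), the following Python script runs candidate and witness generation for a constructed one-dimensional plant with two modes, a quadratic template V(c, x) = c2 x² + c0 and a box disturbance. Where the paper calls an SMT solver for candidate generation and an LMI solver for witness generation, the script enumerates a finite coefficient grid and a finite sample of S and D instead, so the result is a certificate on those grids only; the plant, every set size and both grids are assumptions made for the example. The witnesses carry the structure (x, (q1, d1), . . . , (qm, dm)) introduced above, and inst_psi plays the role of inst(Ψ, y) from Eq. (11).

```python
# Added example (not the paper's code): a miniature CEGIS loop with the extended
# witness structure (x, {q -> d_q}) for a constructed 1-D two-mode plant.
# Both "solvers" are replaced by exhaustive search over finite grids, so no SMT/LMI
# solver is needed; the candidate grid, the plant and all set sizes are assumptions.

EPS = 0.1                      # required decrease margin: cond_q(x) < -EPS
MODES = (1, 2)                 # finite mode set Q
D_GRID = (-0.5, 0.0, 0.5)      # finite sample of the disturbance box D = [-0.5, 0.5]
S, I, G = (-2.0, 2.0), (-1.0, 1.0), (-0.25, 0.25)   # safe, initial, goal intervals
X_GRID = [k / 20 for k in range(-40, 41)]           # finite sample of S (step 0.05)
# candidate space C: template V(c, x) = c2 * x^2 + c0 with (c2, c0) on a grid
CANDIDATES = [(j / 2, k / 2) for j in range(-4, 5) for k in range(-8, 9)]

def f(q, x, d):
    """Constructed plant: mode 1 pushes left, mode 2 pushes right, plus disturbance d."""
    return (-1.0 if q == 1 else 1.0) + d

def V(c, x):
    return c[0] * x * x + c[1]

def grad_V(c, x):
    return 2.0 * c[0] * x

def in_I(x):
    return I[0] <= x <= I[1]

def on_boundary_S(x):
    return x == S[0] or x == S[1]

def in_S_minus_G(x):
    return S[0] <= x <= S[1] and not (G[0] <= x <= G[1])

def inst_psi(c, y):
    """inst(Psi, y): the three RCLF conditions with witness y = (x, dmap) substituted.
    Once x and the per-mode disturbances are fixed, every condition is unquantified,
    which is what makes candidate generation a linear-arithmetic problem in c."""
    x, dmap = y
    if in_I(x) and not V(c, x) < 0:
        return False
    if on_boundary_S(x) and not V(c, x) > 0:
        return False
    if in_S_minus_G(x):
        # (exists q) evaluated with the witness disturbance d_q stored for that q
        return any(grad_V(c, x) * f(q, x, dmap[q]) < -EPS for q in MODES)
    return True

def find_candidate(witnesses):
    """Candidate generation: first grid point consistent with all witnesses so far."""
    for c in CANDIDATES:
        if all(inst_psi(c, y) for y in witnesses):
            return c
    return None

def find_witness(c):
    """Witness generation: search for an x refuting the candidate; for the decrease
    condition the negation is (for all q)(exists d_q) grad_V . f_q >= -EPS, so one bad
    d_q per mode is collected. None means c is valid on the grids."""
    zero = {q: 0.0 for q in MODES}
    for x in X_GRID:
        if in_I(x) and not V(c, x) < 0:
            return (x, zero)
        if on_boundary_S(x) and not V(c, x) > 0:
            return (x, zero)
        if in_S_minus_G(x):
            dmap = {}
            for q in MODES:
                bad = [d for d in D_GRID if grad_V(c, x) * f(q, x, d) >= -EPS]
                if not bad:
                    break          # this mode decreases V for every sampled d
                dmap[q] = bad[0]
            else:
                return (x, dmap)   # every mode has a bad disturbance: a witness
    return None

def cegis(max_iter=500):
    """Alternate candidate and witness generation until a valid c is found or C is exhausted."""
    witnesses = []
    for _ in range(max_iter):
        c = find_candidate(witnesses)
        if c is None:
            return None, witnesses
        y = find_witness(c)
        if y is None:
            return c, witnesses
        witnesses.append(y)
    raise RuntimeError("iteration budget exhausted")

if __name__ == "__main__":
    c, ws = cegis()
    print("RCLF coefficients:", c, "after", len(ws), "witnesses")
```

Running the script yields c = (0.5, −1.5), i.e. V(x) = 0.5x² − 1.5, once the loop has refuted every candidate with c2 ≤ 0 (no such V can be negative on I and positive on ∂S at the same time) and the candidates with c2 = 0.5 and c0 ≤ −2. The decrease-condition witnesses are the ones with a non-trivial mode-to-disturbance map; they are exactly what the ∃q∀d alternation needs and what a plain point witness x could not express.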
Solving Constraints
Finally, we consider the constraints that are solved during the process of CEGIS for generating RCLFs. We note that the template V (c, x) is a linear function over c but in general a polynomial over x. As a result, when x and d are instantiated, each candidate generation problem ψn is a formula that involves Boolean combination of linear inequalities. Such a formula can be solved by efficient linear arithmetic SMT solvers such as Z3 [7] .
The difficulty arises in evaluating whether the witness generation formula obtained by instantiating c = cn is satisfiable. This involves a conjunction of polynomial inequalities. SMT solvers such as dReal [11] and Z3 [7] can in principle support the solution of these constraints, but the process is prohibitively expensive, especially since it involves constraints over |x| + |Q||d| variables.
In this regard, an idea previously proposed by the authors can be used to extend this approach to larger systems [22]. This idea introduces fresh variables corresponding to monomials z_α := x^α . Each polynomial p(x) is then written as a quadratic form z^T P z, where z collects the fresh variables corresponding to the monomials. Following this approach, we reduce Eq. (13) into a system of linear matrix inequalities (LMI) that can be solved efficiently using LMI solvers. Since LMIs are convex optimization problems, we can provide solutions to problems that have larger state and disturbance spaces.
Evaluation
We implemented the CEGIS framework using Z3 SMT solver [7] for candidate generation and Gloptipoly [13] as the LMI solver for finding witnesses. Gloptipoly is configured to use Mosek [18] as the SDP solver.
We compare the robust synthesis (RS) approach presented in this paper with a simple Synthesize and Verify Robustness (SVR) approach that uses a nominal disturbance value (e.g., d = 0) and checks whether the resulting controller is robust, as a last step. Specifically, the disturbance-free case uses Eq. (2) for synthesis. In doing so, we also check whether adding a "margin" by increasing the value of during controller synthesis necessarily makes the resulting design more robust to disturbances. For comparison, several examples are considered and all the experiments are carried out on a laptop with a 2.9 GHz Intel Core i7 processor and 16GB of memory. The time limit is set to 5 hours.
The examples below use plant disturbances D P : [−rD, rD] n , with varying values of rD. However, no control disturbances are added. The safe set S is [−rS, rS] n . Likewise the goal set G and initial set I are spheres of radius rG and rI , respectively, around specified center points. For all examples, we use the template V (c, x) = ( Σ_{i≤j} c_{i,j} x_i x_j ) − 1.
EXAMPLE 1. This problem instance is taken from [17] with two variables and a control input u ∈ [−1, 1]. The results of the RS method are shown in Table 1 . To evaluate the effect of disturbances on the CEGIS procedure, we use different disturbance sizes. As the results suggest, bigger disturbances impose harder restrictions on the RCLF, and many more iterations are needed as the size of the disturbance gets bigger.
On the other hand, using the SVR technique, a CLF is first found with preferably higher values for . The most robust controller is obtained using = 0.03, and it is verified that this controller can handle disturbances for rD = 0.2 . The results are shown in Table 2. These results suggest that the RS method can provide provably robust controllers where the SVR approach fails to synthesize a controller for larger values of and fails to verify for larger disturbance values.
EXAMPLE 2. We adopt this example from [20]. The plant consists of two variables x1 and x2 and three modes with the following dynamics
The goal is to reach a region around (−0.75, 1.75) (G :
First, we change the basis and set (−0.75, 1.75) as the new origin. The other parameters are rI = 1 and rS = 2.25.
For each method, we check for the biggest disturbance for which the problem can be solved. Using the RS method, we were able to solve the problem when rD = 0.5 using = 0.01. For the SVR method, the most robust controller (obtained by setting = 0.2) is verified to decrease V when rD = 0.03. Detailed results are shown in Table 3 . Again, these results suggest that the RS method yields provably more robust controllers.
EXAMPLE 3.
The following example is taken from [6]. The system has 3 continuous variables with 4 different modes as follows: The problem is instantiated for the following parameters: rG = 0.1, rI = 0.5, rS = 1.0. Again, the goal is to find the most robust controller. The RS method can find an RCLF with disturbance rD = 0.1 when = 0.01 is used. The SVR method failed to synthesize a controller for = 0.3 and, using = 0.2, it failed to verify the controller for rD = 0.009. The controller could guarantee robustness for rD = 0.008.
EXAMPLE 4. This benchmark, which includes 5 problem instances, is adopted from [19, 22]. The goal is to keep different rooms of an apartment warm using a small number of active heaters. The reader can refer to the mentioned articles for a detailed description of these systems. While these examples do not have disturbances, we incorporate disturbances of the form
where fq are the original vector fields described in these references. We use these problem instances to demonstrate scalability. The results for both methods are shown in Table 4 . These results demonstrate that our method is scalable to larger problems while dealing with robustness. Notice that both methods fail for the last problem instance, as the verification of such a big problem is expensive even using the LMI relaxation.
CONTROLLER SYNTHESIS
Thus far, we have discussed the RCLF certificates and their synthesis using the CEGIS procedure. We present the control implementation in this section. Given an RCLF, the controller is designed according to the feedback law from Eq. (6). Also, according to Lemma 2, we define a minimum dwell time δ between two mode changes triggered by the feedback law above. We consider a periodic (time-triggered) scheme in this section and analyze conditions on the period τ of the feedback law. The scheme involves a series of offline computations to determine the key parameters of the controller. Once these computations are performed, the controller performs a series of online computations for each cycle. We start with the online computations needed and discuss the constraints on the periodicity of the feedback law computation.
Rapid Estimation of condq: Note that condq(x) is defined in Eq. (5) and recalled below:
Since V is computed offline, we may also compute the expression ∇V (x), and f D q (x, d) for each mode q ∈ Q. The measured value of x is used and we are required to now compute max d∈D gq(x, d). This is an instance of a polynomial optimization problem and is very hard to solve precisely in real time. One solution is to compute the feedback function offline [9, 5]. We provide another solution: rather than precisely computing condq, we estimate an over-approximation. As an offline step, we choose a nominal disturbance value d * and approximate f D q (x, d) ≈ f D q (x, d * ) + d̂, where d̂ ∈ D̂ measures the maximum approximation error possible. Doing so abstracts the plant model, and it is possible to run the CEGIS procedure and synthesize an RCLF for this simpler abstract model.
Formally, the error set D̂ ensures that
This can be computed/checked offline for a given V and d * .
Now we redefine condq(x) as
The maximization then involves only a linear combination of d over a box D̂. This is computed online by selecting, for each coordinate, either its lower bound or its upper bound according to the sign of (∇V (x))i.
The approximation error can be reduced arbitrarily (if needed) by subdividing S into multiple regions and choosing a different nominal point d * for each region.
Mode Selection: Mode selection considers each possible mode qi ∈ Q in turn, optionally according to a prioritized list selected by the optimizer. For each mode it calculates condqi(x) and selects the first mode for which condqi(x) < − .
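The following Python script is an added example, not the paper's implementation. It combines the switching law of Eq. (6) with the two user-supplied thresholds (written EPS for the decrease margin and EPS_S for the switching threshold), the online evaluation of condq(x) by maximising the linear disturbance term over a box through sign selection as described under Rapid Estimation of condq, the first-fit mode selection just described, and a Lemma 1 style minimum dwell-time bound. The planar four-mode plant, the box sizes, the RCLF V(x) = |x|² − 1.5 and the Lipschitz-type constant LAMBDA are all constructed assumptions; because this plant is affine in d, the sign-selected maximum is exact rather than an over-approximation. The simulation applies, at every step, the disturbance that increases V the most, and reports what one would check on a real design: whether G is reached, whether V is monotone and the smallest observed time between switches.

```python
# Added example (not the paper's code): Eq. (6) switching law with hysteresis, online
# cond_q(x) by sign selection over a disturbance box, and a Lemma 1 style dwell-time
# bound, on a constructed planar plant. All constants and the plant are assumptions.
import math

R_D = 0.1                        # plant disturbance box D = [-R_D, R_D]^2
EPS, EPS_S = 0.2, 0.1            # decrease margin and switching threshold, 0 < EPS_S < EPS
R_G, R_S = 0.25, 2.0             # goal ball radius; S is the box [-R_S, R_S]^2, I the unit ball
# modes: the controlled part of f_q is a unit push along one axis, f_q(x, d) = U[q] + d
U = {0: (-1.0, 0.0), 1: (1.0, 0.0), 2: (0.0, -1.0), 3: (0.0, 1.0)}
MODES = (0, 1, 2, 3)             # order used by first-fit mode selection

def f(q, x, d):
    return (U[q][0] + d[0], U[q][1] + d[1])

def V(x):
    """Assumed RCLF: negative on the unit ball I, positive on the boundary of S."""
    return x[0] * x[0] + x[1] * x[1] - 1.5

def grad_V(x):
    return (2.0 * x[0], 2.0 * x[1])

def in_G(x):
    return math.hypot(x[0], x[1]) <= R_G

def cond(q, x):
    """cond_q(x) = max over d in D of grad_V(x) . f_q(x, d). Since f_q is affine in d,
    the maximum of the linear term grad_V(x) . d over the box is attained by taking each
    d_i at the bound whose sign matches (grad_V(x))_i, so no optimisation is run online."""
    g = grad_V(x)
    d_worst = tuple(R_D if gi >= 0 else -R_D for gi in g)
    fx = f(q, x, d_worst)
    return g[0] * fx[0] + g[1] * fx[1]

def switch(q, x):
    """Feedback law of Eq. (6): keep q while cond_q(x) < -EPS_S, otherwise take the
    first mode whose cond is below -EPS (the stricter margin)."""
    if q is not None and cond(q, x) < -EPS_S:
        return q
    for cand in MODES:
        if cond(cand, x) < -EPS:
            return cand
    raise RuntimeError("no mode decreases V: V is not an RCLF for this plant")

# Offline constant (constructed, derived by hand for this plant): along any trajectory
# |d/dt cond_q(x(t))| <= |x'| * (2|U[q]| + 2*R_D*sqrt(2)) and |x'| <= 1 + R_D*sqrt(2).
LAMBDA = (1 + R_D * math.sqrt(2)) * (2 + 2 * R_D * math.sqrt(2))

def dwell_time_bound():
    """Lemma 1 style bound: right after a switch cond < -EPS, and cond cannot climb to
    -EPS_S faster than LAMBDA per unit time, so switches are at least this far apart."""
    return (EPS - EPS_S) / LAMBDA

def simulate(x0=(0.8, -0.5), dt=1e-3, t_max=20.0):
    """Euler simulation under the worst-case disturbance for V (constructed start x0 in I)."""
    x, q, t = x0, None, 0.0
    switch_times, v_prev, monotone = [], V(x0), True
    while not in_G(x) and t < t_max:
        new_q = switch(q, x)
        if new_q != q:
            switch_times.append(t)
            q = new_q
        # adversarial disturbance: push V up as hard as the box allows
        d = tuple(R_D if xi >= 0 else -R_D for xi in x)
        fx = f(q, x, d)
        x = (x[0] + dt * fx[0], x[1] + dt * fx[1])
        t += dt
        monotone = monotone and V(x) <= v_prev
        v_prev = V(x)
    gaps = [b - a for a, b in zip(switch_times, switch_times[1:])]
    return {"reached_goal": in_G(x), "time": t, "switches": len(switch_times),
            "min_dwell": min(gaps) if gaps else None, "V_monotone": monotone}

if __name__ == "__main__":
    print("dwell-time bound:", dwell_time_bound())
    print(simulate())
```

From x0 = (0.8, −0.5) the controller first selects the mode pushing x1 toward zero, holds it until its cond rises to −EPS_S (the hysteresis keeps it from chattering between the two margins), then switches once to the mode pushing x2 toward zero and enters G. The observed gap between those two selections is well above dwell_time_bound(), which is what the lemma promises; the simulate function returns these quantities so they can be checked rather than read off a plot.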
Task Schedule: We now analyze the task schedule. Our analysis assumes that the worst case execution times for various components are known. In particular, let we and wms be the worst case times for the ESTIMATION and MODE SELECTION, respectively. We will assume for simplicity that (a) the states x are measured/estimated in parallel to provide a new update each time the feedback task is invoked, and (b) the command for changing mode takes effect within at most wc time after the command is issued.
(Figure residue: task schedule of one period τ ≤ δ, showing the ESTIMATION, MODE SELECTION and changeMode tasks.)
In the worst case, we require that the time period τ be large enough so that the ESTIMATION, MODE SELECTION and changeMode all run in a single period, i.e., τ > we + wms + wc. Also, we require that if the event condq(x) ≥ − happens just after a feedback computation has commenced, then in the worst case, the time taken to notice the change and react to it be shorter than the minimum dwell time δ, i.e., τ + we + wc + wms ≤ δ. Combining, we obtain the constraints we + wms + wc < τ ≤ δ − we − wc − wms .
Note that under situations where the controller does not switch, there is idle time. This time could presumably be used to run optional computations such as that of the optimizer, which selects an appropriate sequence of prioritized modes.
Finally, our design requires the feedback law to be computed periodically, once every τ. It is, in fact, possible to defer the computation of the feedback law based on the current state x. From the proof of Lemma 1, we derive a bound
wherein Λ_q is computed offline as a function of the safe set S and the RCLF V. Suppose we have an estimate of cond_q(x(T)) at time T and it is less than −ε. We can then conservatively estimate a future time T + t at which cond_q(x(T + t)) ≥ −ε_s as
$$ t = \frac{-\epsilon_s - \mathrm{cond}_q(x(T))}{\Lambda_q} , $$
which is positive as long as cond_q(x(T)) < −ε_s. In practice, it may be the case that t ≫ τ, which allows us to avoid unnecessary recomputation of the feedback law.
Offline Computations: We now summarize the offline calculations needed to design a controller. First, a template for V is chosen. Then the modules in Figure 4 are synthesized and a WCET estimation tool is used to predict their WCETs statically, yielding w_ms, w_e and w_c. This allows us to design the period τ. Only then is the control disturbance calculated, to model the delays caused by the WCETs. Then we require an estimate of D̂ for a disturbance model around a nominal point, which allows us to
* ) + d̂. This model is input to an RCLF synthesis tool to generate the coefficients of V. After acquiring V, further offline computations are needed to compute the minimum dwell time δ and to check Equations (14) and (15).
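The online pieces described above, namely the coordinate-wise maximization over the box D̂, the prioritized mode-selection loop, the feasibility test on the period τ, and the deferral bound, as an added Python example that is not code from the paper. The plant (four constant-velocity modes on the plane), the RCLF V, the disturbance bound W, the thresholds ε and ε_s, the WCET figures and the bound Λ are all constructed for this toy and are not the paper's case studies; Λ is derived for the toy in a comment, and the closed loop is simulated against the disturbance that maximizes ∇V · d at every step.

```python
"""Added example (not the paper's code): RCLF mode selection with a box disturbance,
the task-schedule period constraint, the deferral bound, and an adversarial simulation.

Constructed toy plant: x' = v_q + d on R^2 with four constant-velocity modes,
d in D = [-W, W]^2, nominal d* = 0 (so the approximation box Dhat equals D),
V(x) = x1^2 + x2^2, safe set S = {V <= 4}, goal set G = {V <= 0.01}.
"""

W = 0.1                                            # plant disturbance bound (constructed)
MODES = {0: (-1.0, 0.0), 1: (1.0, 0.0), 2: (0.0, -1.0), 3: (0.0, 1.0)}
DHAT = [(-W, W), (-W, W)]                          # box of approximation errors dhat
D_STAR = (0.0, 0.0)                                # nominal disturbance d*
EPS = 0.05                                         # margin epsilon used by mode selection
EPS_S = 0.02                                       # looser threshold epsilon_s for deferral
V_GOAL = 0.01
V_SAFE = 4.0

def V(x):
    return x[0] ** 2 + x[1] ** 2

def grad_V(x):
    return (2.0 * x[0], 2.0 * x[1])

def f(q, x, d):
    """Toy mode dynamics x' = v_q + d (x is unused; kept for the general f_q(x, d) shape)."""
    vx, vy = MODES[q]
    return (vx + d[0], vy + d[1])

def worst_case_box(grad, box):
    """max over dhat in box of grad . dhat, taken coordinate-wise by the sign of grad_i."""
    return sum(g * (hi if g >= 0 else lo) for g, (lo, hi) in zip(grad, box))

def cond(q, x):
    """cond_q(x) = grad V(x) . f_q(x, d*) + max_{dhat in Dhat} grad V(x) . dhat."""
    g = grad_V(x)
    nominal = sum(gi * fi for gi, fi in zip(g, f(q, x, D_STAR)))
    return nominal + worst_case_box(g, DHAT)

def select_mode(x, priority=None):
    """First mode, in priority order, with cond_q(x) < -EPS; None if no mode qualifies."""
    for q in (priority if priority is not None else sorted(MODES)):
        if cond(q, x) < -EPS:
            return q
    return None

def feasible_period(w_e, w_ms, w_c, delta):
    """(lo, hi) with lo < tau <= hi from w_e+w_ms+w_c < tau <= delta-(w_e+w_ms+w_c); None if empty."""
    lo = w_e + w_ms + w_c
    hi = delta - lo
    return (lo, hi) if lo < hi else None

# Offline bound Lambda with |d/dt cond_q(x(t))| <= Lambda, derived for the toy plant:
# d/dt of 2 x.v_q is 2 (v_q + d).v_q <= 2(1 + W), and d/dt of 2W(|x1| + |x2|) is at most
# 2W(|x1'| + |x2'|) <= 2W(1 + 2W). The bound holds on all of S, not only near the goal.
LAMBDA = 2.0 * (1.0 + W) + 2.0 * W * (1.0 + 2.0 * W)

def deferral_time(q, x, lam=LAMBDA):
    """Conservative time until cond_q could first reach -EPS_S; 0 if it is already there."""
    c = cond(q, x)
    return 0.0 if c >= -EPS_S else (-EPS_S - c) / lam

def adversarial_d(x):
    """Disturbance in D that maximizes grad V . d, i.e. the one that fights the controller hardest."""
    return tuple(W if g >= 0 else -W for g in grad_V(x))

def simulate(x0, tau=0.01, max_steps=5000):
    """Forward-Euler closed loop with period tau.
    Returns (reached_goal, steps, switches, stayed_safe, v_strictly_decreasing)."""
    x, q_prev = tuple(x0), None
    switches, stayed_safe, v_monotone = 0, True, True
    for step in range(max_steps):
        if V(x) <= V_GOAL:
            return True, step, switches, stayed_safe, v_monotone
        q = select_mode(x)
        if q is None:                      # cannot happen for this toy outside G
            return False, step, switches, stayed_safe, v_monotone
        switches += int(q_prev is not None and q != q_prev)
        q_prev = q
        dx = f(q, x, adversarial_d(x))
        x_next = (x[0] + tau * dx[0], x[1] + tau * dx[1])
        v_monotone &= V(x_next) < V(x)
        stayed_safe &= V(x_next) <= V_SAFE
        x = x_next
    return False, max_steps, switches, stayed_safe, v_monotone
```

Running simulate((1.0, 0.5)) drives the toy plant into G against the adversarial disturbance with V strictly decreasing at every Euler step and at least one switch along the way; feasible_period shows that once w_e + w_ms + w_c exceeds δ/2 no period satisfies both schedule constraints, which is the first thing to check once the WCETs are known.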
Two Case Studies
Inverted Pendulum: For the first case study, a classical inverted pendulum is considered. The system has two state variables θ and ω with the following dynamics
where u is the control input belonging to the set U : [−30, 30]. The region of interest is S :
The set U is discretized to U : {−30, 30} to yield a switched system. Notice that the control implementation can always choose a larger set of modes; for example, the controller can allow any u such that
The calculated δ is 2 µs (using ε_s = 0.002). Equations (14) and (15) were also checked. We implemented the plant and controller in Matlab(tm) using the Simulink(tm) design environment. Some traces of the system are shown in Fig. 5 for three different initial states (in three different colors) with uniformly random control disturbances. Fig. 5 shows the values of the states, the RCLF V and the control input over time. Each simulation is stopped when G is reached. As shown in the figure, the minimum switching time in the simulation is 0.005, far larger than the calculated δ.
Room Heating: The second case study is the first problem instance from Example 4. The goal is to control the temperature of three rooms (T1, T2 and T3) and keep them around 21 °C. There are four modes: either the heater is off, or the heater is on in at most one of the rooms. The dynamics are described below
In this example, the worst-case execution times are w_wd = w_e = 0.004 and w_c = 0.005. We assume the state estimate has the form x + d_C, where the control disturbance d_C ∈ [−0.01, 0.01]^3 models both measurement error and the delay caused by execution time. We also assume the plant has disturbance [−0.01, 0.01]^3, meaning that the temperature of each room can change due to the disturbance at a rate of 1 °C per 100 seconds. To use the estimated disturbance model, we choose D̂ : [−0.04, 0.04]^3. The RCLF (calculated in Example 4 with ε = 0.001) is used, and δ is set to 0.02. Next, it is confirmed that D̂ and δ are large enough by checking Equations (14) and (15).
The optimizer uses an MPC paradigm to prioritize modes for selection according to their costs. The cost function considers (a) switching cost, (b) operating cost and (c) terminal cost. The switching cost is 1 if a switch is needed, and the operating cost of mode q is 1 if a heater is on in mode q. The terminal cost for mode q with optimized time T*_q is
$$ \frac{V(x_q(T^*_q))}{T^*_q} , $$
where x_q(·) is the trajectory of x under the dynamics of mode q.
The plant and controller are implemented in the Simulink(tm) design environment. Some traces for different initial states are shown in Fig. 6. T_i is the temperature of room i, and the simulations are stopped once the set G is reached.
CONCLUSIONS
In this paper, robust controller synthesis using RCLFs is considered. RCLFs guarantee that a switching strategy exists even in the presence of disturbances. We provided a CEGIS framework to generate RCLFs automatically. We demonstrated that using RCLFs to synthesize controllers gives provably more robust controllers compared to cases where only some parameters are tuned to increase robustness. Next, we showed that under certain disturbance models the controller can implement the switching strategy efficiently.
For future work, we wish to investigate the problem of synthesizing output feedback controllers and to address a larger class of temporal properties.
ACKNOWLEDGMENTS
This work was supported by the US National Science Foundation (NSF) under CNS-0953941 and CCF-1527075. All opinions expressed are those of the authors and not necessarily of the NSF.
