promise to revolutionize the construction of high-confidence software. However, approaches based on explicit state-machine models are subject to extreme state-space explosion and the accompanying scale limitations. In this paper, we describe how to exploit an implicit, transition-based, representation of timed automata in controller synthesis. The CIRCA Controller Synthesis Module (CSM) automatically synthesizes hard real-time, reactive controllers using a transition-based implicit representation of the state space. By exploiting this implicit representation in search for a controller and in a customized model checking verifier, the CSM is able to efficiently build controllers for problems with very large state spaces. We provide experimental results that show substantial speed-up and orders-of-magnitude reductions in the state spaces explored. These results can be applied to other verification problems, both in the context of controller synthesis and in more traditional verification problems.
Introduction
This paper describes techniques for exploiting implicit representations in timed automaton controller synthesis. We show how reachability search exploits the implicit representation to substantially improve its efficiency. We have developed and implemented a system, the CIRCA Controller Synthesis Module (CSM), for automatic synthesis and execution of hard real-time discrete controllers. Unlike previous, game-theoretic algorithms [2, 8], the CSM derives its controller "on-the-fly" [14]. The CSM exploits a feature- and transition-based implicit representation of its state space, both in searching for the controller and in checking its correctness. Finally, the CSM generates memoryless and clockless controllers. These design elements substantially decrease the number of states that must be explored in the synthesis process.
The CSM is a component of the CIRCA architecture for intelligent control of mission-critical real-time autonomous systems [10, 11]. To permit on-line reconfiguration, CIRCA has concurrently-operating controller synthesis (planning) and control (plan-execution) subsystems. The CSM uses models of the world (plant and environment) to automatically synthesize hard real-time safety-preserving controllers (plans). Concurrently, a separate Real-Time Subsystem (RTS) executes the controllers, enforcing response time guarantees. The concurrent operation means that the computationally expensive methods used by the CSM will not violate the tight timing requirements of the controllers.
This paper discusses how the CSM's controller synthesis algorithm interacts with a model-checking reachability search algorithm that exploits the implicit representation. This technique substantially improves verification efficiency, by two orders of magnitude for large examples. We start by introducing the CIRCA CSM and its transition- and feature-based representation. Then we outline the forward search algorithm that the CSM uses to synthesize controllers, pointing out the role played by timed automaton verification. Next we explain how to formulate the execution semantics of the CIRCA model as a construction of sets of timed automata. The timed automaton model provides the semantics, but does not provide a practical approach for verification. We describe methods for model-checking that exploit CIRCA's implicit, transition-based, state space representation. We conclude with a comparison to related work in controller synthesis and AI planning.
The Controller Synthesis Module
CIRCA's CSM automatically synthesizes real-time reactive discrete controllers that guarantee system safety when run on CIRCA's Real-Time Subsystem (RTS). The CSM takes in a description of the processes in the system's environment, represented as a set of time-constrained transitions that modify world features. Discrete states of the system are modeled as sets of feature-value assignments. Thus the transition descriptions, together with specifications of initial states, implicitly define the set of possible system states.
For example, Fig. 1 shows several transitions taken from a problem where CIRCA is to control the Cassini spacecraft in Saturn Orbital Insertion [4, 12]. This figure also includes the initial state description.
The CSM reasons about transitions of three types:
Action transitions represent actions performed by the RTS. These parallel the operators of a conventional planning system. Associated with each action is a worst case execution time, an upper bound on the delay before the action occurs.
Temporal transitions represent uncontrollable processes, some of which may need to be preempted. See Sect. 2.1 for the definition of "preemption" in this context. Associated with each temporal transition is a lower bound on its delay. Transitions whose lower bound is zero are referred to as "events," and are handled specially for efficiency reasons.

Reliable temporal transitions represent continuous processes that may need to be employed by the CIRCA agent. Reliable temporal transitions have both upper and lower bounds on their delays.

While in the worst case an implicit representation is not superior to explicit state space enumeration, in practice there are substantial advantages. In many problems, vast sub-spaces of the state space are unreachable, either because of the control regime, or because of consistency constraints. The use of an implicit representation, together with a constructive search algorithm, allows us to avoid enumerating the full state space. The transition-centered representation allows us to conveniently represent processes that extend over multiple states. For example, a single transition (e.g., warming up a piece of equipment) may be extended over multiple discrete states. A similar representational convenience is often achieved by multiplying together many automata, but expanding the product construction restores the state explosion. Finally, in this paper we show how the transition-based implicit representation can be exploited in a verifier.
CSM Algorithm
Given problem representations as above, the controller synthesis (planning) problem can be posed as choosing a control action for each reachable discrete state (feature-value assignment) of the system. Note that this controller synthesis problem is simpler than the general problem of synthesizing controllers for timed automata. In particular, CIRCA's controllers are memoryless and cannot reference clocks. This restriction has two advantages: first, it makes the synthesis problem easier and second, it allows us to ensure that the controllers we generate are actually realizable in the RTS.
Since the CSM focuses on generating safe controllers, a critical issue is making failure states unreachable. In controller synthesis, this is done by the process we refer to as preemption. A transition $t$ is preempted in a state $s$ iff some other transition $t'$ from $s$ must occur before $t$ could possibly occur. The CSM achieves preemption by choosing a control action that is fast enough that it is guaranteed to occur before the transition to be preempted. During the course of the search algorithm, the CSM will use the verifier module after each assignment of a control action (see step 4). This means that the verifier will be invoked before the controller is complete. At such points we use the verifier as a conservative heuristic by treating all unplanned states as if they are "safe havens." Unplanned states are treated as absorbing states of the system, and any verification traces that enter these states are regarded as successful. Note that this process converges to a sound and complete verification when the controller synthesis process is complete. When the verifier indicates that a controller is unsafe, the CSM will query it for a path to the distinguished failure state. The set of states along that path provides a set of candidate decisions to revise.
For those familiar with designs for game-theoretic synthesis of controllers for timed systems [2, 8], the CSM algorithm is the same in its purpose. One difference is that the CSM algorithm works starting from an initial state and building forward by search. The game-theoretic algorithms, on the other hand, typically use a fixpoint operation to find a controllable subspace, starting from unsafe states (or other synthesis failures). Another difference is that the CSM algorithm heavily exploits its implicit state space representation. Because of these features, for many problems, the CSM algorithm is able to find a controller without visiting large portions of the state space.
Two further remarks are worth making. The first is that the search described here is not made blindly. We use a domain-independent heuristic, providing limited lookahead, to direct the search. We do not have space to describe that heuristic here; it is based on one developed for AI planning [9]. Without heuristic direction, even small synthesis problems can be too challenging. The second is that we have developed an alternative method of search that works by divide-and-conquer rather than reasoning forward [6]. For many problems, this supplies a substantial speed-up. Again, we do not have space to discuss this approach in depth here.
Modeling for Verification
The CSM algorithm described above operates entirely in the discrete domain of the timed problem. This ensures that the controllers may be easily implemented automatically. However, a path-dependent computation is required to determine how much time remains on a transition's delay when it applies to two or more states on a path. The CSM uses a timed automaton verification system to ensure that the controllers the CSM builds are safe. In this section, we discuss a formal model of the RTS, expressed in terms of timed automata. The following section describes how to reason about this model efficiently.
Execution Semantics
The controllers of the CIRCA RTS are not arbitrary pieces of software; they are intentionally very limited in their computational power. These limitations serve to make controller synthesis computationally efficient and make it simpler to build an RTS that provides timing guarantees. The controller generated by the CSM is compiled into a set of Test-Action Pairs (TAPs) to be run by the RTS. Each TAP has a boolean test expression that distinguishes between states where a particular action is and is not to be executed. Note that these test expressions do not have access to any clocks. A sample TAP for the Saturn Orbit Insertion domain is given in Fig. 2.
The set of TAPs that make up a controller are assembled into a loop and scheduled to meet all the TAP deadlines. Note that in order to meet deadlines, this loop may contain multiple copies of a single TAP. The deadlines are computed from the delays of the transitions that the control actions must preempt.
Timed Automata
Now that we have a sense of the execution semantics of CIRCA's RTS, we briefly review the modeling formalism, timed automata, before presenting the model itself. It often simplifies the representation of a complex system to treat it as a product of some number of simpler automata. The labels $L$ are used to synchronize edges in different automata when creating their product. We give the semantics of CSM models in terms of sets of interacting timed automata (see Fig. 3). Using multiple automata allows us to accurately capture the interaction of multiple, simultaneously operating processes. The starting point of the translation is the CIRCA plan-graph, constructed by the CIRCA CSM:

6. $I \subseteq S$ is a distinguished subset of initial states.
Definition 2 (Product Automaton).
7. $T = U \cup A$ is the set of transitions, made up of an uncontrollable ($U$) subset, the temporals and reliable temporals, and a controllable ($A$) subset, the actions. Each transition $t$ has an associated delay with lower and upper bounds $lb(t)$ and $ub(t)$. For temporals $ub(t) = \infty$; for events $lb(t) = 0$ and $ub(t) = \infty$.
8. An interpretation of the edges: a function $E \to T$.
9. A function $S \to 2^T$, the enabled relationship: the set of transitions enabled in a particular state.
10. $p : S \to A$ (extended with a distinguished "action" of doing nothing) is the set of actions that the CSM has planned. Note that $p$ will generally be a partial function.
11. A function $S \to 2^U$ giving the set of preemptions the CSM expects.
For every CIRCA plan graph $P$, we construct a timed automaton model of $P$, which is the product of a number of individual automata. There is one automaton, which we call the base model, that models the feature structure of the domain. There is an RTS model that models the actions of the CIRCA agent. Finally, for every uncontrollable transition, there is a separate timed automaton modeling that process. Proper synchronization ensures that the base machine state reflects the effect of the transitions and that the states of the other automata accurately indicate whether or not a given process will (or may) be underway.
Definition 4 (Translation of CIRCA Plan Graph).
The timed automaton model of $P$ is the product

$$(\text{base model of } P) \times (\text{RTS model of } P) \times \prod_{u \in U(P)} (\text{automaton of } u)$$

where the base model of $P$ is given as Definition 5, the RTS model of $P$ models the actions of the CIRCA agent, and the automaton of $u$ models the process that corresponds to uncontrollable transition $u$.
Definition 5 (Base model). The base model of $P$ is a timed automaton with the following components:

1. its locations, derived from the discrete state set $S$;
2. its label set, given as Definition 6;
3. $E(P)$, the edge set of the base model, given as Definition 7.
Note that there are no clocks in the base machine; all timing constraints will be handled by other automata in the composite model. Thus, the invariant for each state in this model is simply $\top$. We have notated this vacuous invariant as $I_\top$. Similarly, all of the edges have a vacuous guard. The labels of the translation model ensure that the other component automata synchronize correctly.
Definition 6 (Label set for the base model of $P$). The label set of the base model of $P$ is

$$\underbrace{\{\, e_u, d_u, f_u \mid u \in U \,\}}_{(1)} \;\cup\; \underbrace{\{\, f_a \mid a \in A \,\}}_{(2)} \;\cup\; \{ r_a \}$$
The symbols in (1) are used to synchronize the automata for uncontrollable transitions with the base model. The symbols in (2)

Edge set (1) is merely a set of initialization edges, that carry the base model from its distinguished single initial location to the image of each of the initial states of $P$. (2) takes the base model to its distinguished failure location, $l_F$, when a preemption fails. (3) captures the effects of the uncontrollable transitions the CSM didn't preempt. (4) synchronizes with the RTS transitions that capture the RTS committing to execute a particular action (i.e., the test part of the TAP). (5) captures the effects of a successfully-executed action. (6) captures a failure due to a race condition. Event sets $(t, s)$ are used to capture the effects on the various processes of going to $s$ by means of $t$.
Definition 8. The event set for a transition $t$ and successor state $s$ is

$$(t, s) = \{\, e_u \mid u \in \mathrm{enabled}(s) \,\} \;\cup\; \{\, d_u \mid u \neq t \wedge u \notin \mathrm{enabled}(s) \,\} \;\cup\; \{ r_a \}$$

where $\mathrm{enabled}(s)$ is the enabled relationship of item 9, the set of transitions enabled in $s$. The symbol set $(t, s)$ contains an enable symbol for each $u$ enabled in $s$, and a disable symbol for each $u$ not enabled in $s$. The addition of the symbol $r_a$ ensures that the RTS machine will "notice" the state transition.
There will be one automaton for every uncontrollable transition $u$. Each such model will have two states, enabled, $e_u$, and disabled, $d_u$, and transitions for enabling, disabling, and firing: $e_u$, $d_u$, and $f_u$, respectively (see Fig. 3). It will also have a clock, $c_u$, and the guards and invariants will be derived from the timing constraints on $u$:
Definition 9 (Uncontrollable Transition Automata).

There are two classes of safety violations the verifier must detect. The first is a failure to successfully preempt some nonvolitional transition. This case is caught by transitions (2) of Definition 7. The second is a race condition: here the failure is to plan $a$ for state $s$ but not complete it before an uncontrolled process brings the world to another state, $s'$, that does not satisfy the preconditions of $a$. The latter case is caught by transitions (6) of Definition 7.
Exploiting the Model in Verification
A direct implementation of the above model will suffer a state space explosion. To overcome this, we have built a CIRCA-specific verifier (CSV) able to exploit CIRCA's implicit state-space representation. The CSV constructs its timed automata, both the individual automata and their product, in the process of computing reachability. This on-the-fly computation relies on the factored representation of the discrete state space and on the limitations of CIRCA's RTS.
The efficiency gains from our factored state representation come in the computation of successor states. A naive implementation of the search would compute all of the locations (distinct discrete states) of the timed automaton up front, but many of those might be unreachable. We compute the product automaton lazily, rather than before doing the reachability search, thus constructing only reachable states.
The individual automata, as well as their product, are computed on-the-fly. The timed automaton formalism permits multiple automata to synchronize in arbitrary ways. However, CIRCA automata synchronize in only limited ways. There will be only one "primary transition" that occurs in any state of the CIRCA product automaton: either a controlled transition that is part of the RTS automaton, or a single uncontrolled transition. Thus we may dispense with component transitions and their labels.
The transitions that synchronize with the primary transition are of three types:

1. updates to the world automaton, recording the effect (the postconditions) of the primary jump on the discrete state of the world;
2. enabling and disabling jumps that set the state of uncontrolled transitions in the environment;
3. a jump that has the effect of activating the control action planned for the new state.

Accordingly, we can very efficiently implement a lazy successor generation for a set of states $S = \langle s, C \rangle$, where $s$ is a discrete state and $C$ is a symbolic representation of a class of clock valuations, in our case a difference-bound matrix. When one needs to compute the successor locations for the location $s$, one need only compute a single outgoing edge for the RTS transition and make one outgoing edge for each uncontrollable transition. Making the outgoing edges is a matter of (again lazily) building the successor locations and determining the clock resets for the edge. The clocks that must be reset are:

(a) for each uncontrolled transition that is enabled in the successor location, but not enabled in the source location $s$, add a clock reset for the corresponding transition;
(b) if the action planned for the successor location is different from the action planned for the source location, reset the action clock.

These computations are quite simple to make and much easier than computing the general product construction.
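To make the lazy successor generation above and the preemption condition of the CSM algorithm concrete, the following Python sketch is an added example, not code from the CIRCA CSM or the CSV: discrete states are feature-value assignments, transitions carry preconditions, postconditions and delay bounds, and the successors of a location are generated with the clock-reset rules (a) and (b). The sample domain, all names, and the treatment of a fired transition that stays enabled as "newly enabled" are constructed assumptions.

```python
from dataclasses import dataclass

INF = float("inf")

@dataclass(frozen=True)
class Transition:
    name: str
    pre: tuple                   # ((feature, value), ...) preconditions
    post: tuple                  # ((feature, value), ...) postconditions
    lb: float = 0.0              # lower bound on delay
    ub: float = INF              # upper bound (INF for temporals and events)
    controllable: bool = False   # True for actions (A), False for U

def key(state):
    """Hashable form of a feature-value assignment (a discrete state)."""
    return frozenset(state.items())

def enabled(state, transitions):
    """The enabled relationship (item 9): transitions whose preconditions hold."""
    return [t for t in transitions if all(state.get(f) == v for f, v in t.pre)]

def apply(state, t):
    """Successor discrete state; features not mentioned in post are kept."""
    nxt = dict(state)
    nxt.update(t.post)
    return nxt

def preempted(t, by):
    """t is preempted by `by` iff `by` must occur before t possibly can,
    i.e. the worst-case delay of `by` is below the earliest delay of t."""
    return by.ub < t.lb

def successors(loc, uncontrolled, plan):
    """Lazy successor generation for loc = (state key, planned action).
    One primary transition per edge: the planned action (assumed enabled),
    plus one edge per enabled uncontrolled transition.  Returns a list of
    (transition name, successor location, clocks to reset)."""
    state_key, cur_action = loc
    state = dict(state_key)
    src_enabled = {u.name for u in enabled(state, uncontrolled)}
    primaries = enabled(state, uncontrolled)
    if cur_action is not None:
        primaries = primaries + [cur_action]
    out = []
    for t in primaries:
        nxt = apply(state, t)
        nxt_action = plan.get(key(nxt))      # p is a partial function
        resets = set()
        # (a) reset the clock of each uncontrolled transition enabled in the
        #     successor but not in the source; the fired transition restarting
        #     its own process is treated the same way (an assumption here)
        for u in enabled(nxt, uncontrolled):
            if u.name not in src_enabled or u is t:
                resets.add("c_" + u.name)
        # (b) reset the action clock when the planned action changes
        if nxt_action is not cur_action:
            resets.add("c_action")
        out.append((t.name, (key(nxt), nxt_action), frozenset(resets)))
    return out

# Constructed sample domain (not the paper's Saturn Orbit Insertion problem).
OVERHEAT = Transition("overheat", (("heater", "on"), ("cooling", "off")),
                      (("status", "failed"),), lb=30.0)            # temporal
WARMUP_DONE = Transition("warmup_done", (("heater", "on"),),
                         (("temp", "warm"),), lb=10.0, ub=20.0)   # reliable temporal
START_COOLING = Transition("start_cooling", (("heater", "on"),),
                           (("cooling", "on"),), ub=5.0, controllable=True)
UNCONTROLLED = [OVERHEAT, WARMUP_DONE]
S0 = {"heater": "on", "cooling": "off", "temp": "cold", "status": "ok"}
# The plan (a partial function): act in the initial and the warmed-up state.
PLAN = {key(S0): START_COOLING, key(apply(S0, WARMUP_DONE)): START_COOLING}
```

Successor locations whose state has no planned action come back with `None` as the action, which is exactly where the search treats the state as a "safe haven" until a control action is assigned.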
Our experimental results show that the CSV substantially improves performance over Kronos [15] and also over a conventional model checker (denoted "RTA") that we built into CIRCA before developing the CSV. Table 1 contains comparison data between the conventional verifiers and the CSV, for two different search strategies.⁴ The columns marked "forward" correspond to the algorithm described in this paper. The columns marked "DAP" correspond to the divide-and-conquer alternative [6]. The times, given in milliseconds, are for runs of the CSM on a Sun UltraSparc 10, SPARC v. 9 processor, 440 MHz, with 1 gigabyte of RAM. An $\infty$ indicates a failure to find an automaton within a 20 minute (i.e., $t > 1{,}200{,}000$) time limit.

⁴ The problems are available at: http://www.htc.honeywell.com/projects/ants/
To give a sense of the raw size of the problems, the "Size" column presents a worst-case bound on the number of discrete states for the final verification problem of each scenario. This value is computed by multiplying the number of possible CSM world model states (for the base model) times the number of transition model states ($2^{|U|}$) times the number of RTS model states ($|A| + 1$).
Using the forward search strategy, the CSV is faster on 16 out of 20 scenarios. Using DAP, the CSV is faster on all 20 trials. The probability of these occurring, if the CSV and the conventional verifier were equally likely to win on any given trial, is .0046 and .000019, respectively. Table 1 indicates a speed-up of two orders of magnitude on the larger scenarios, numbers 9-11, using DAP. Table 2 shows the state space reductions achieved by exploiting the implicit representation. This table compares the total number of states visited by each verifier in the course of controller synthesis.
A few facts should be noted. A verifier will be run many times in the course of synthesizing a controller. To minimize this, a number of cheaper tests filter controller synthesis choices in advance of verification, in order to avoid verification search whenever possible. The comparison is only with Kronos used as a component of the CSM, not Kronos as a general verification tool. Finally, the computations done by Kronos and RTA are of a special-purpose product model that is slightly simpler and less accurate than the CSV's model.
Related Work
Asarin, Maler, Pnueli and Sifakis (AMPS) [2, 8] independently developed a game-theoretic method of synthesizing real-time controllers. This work stopped at the design of the algorithm and derivation of complexity bounds; to our knowledge it was not implemented. The AMPS approach has been implemented for the special case of automatically synthesizing schedulers [1]. The "planning as model checking" [5] approach is similar to work on game-theoretic controller synthesis, but limited to purely discrete systems. Kabanza's SimPlan [7] is very similar to our CSM. However, SimPlan adopts a discrete time model and uses domain-specific heuristics.
Tripakis and Altisen (TA) [14] have independently developed a controller synthesis algorithm for discrete and timed systems, that also uses forward search with on-the-fly generation of the state space. Note that on-the-fly synthesis has been part of the CIRCA system since its conception in the early 1990s [10, 11]. TA's on-line synthesis has some different features from ours. They allow for multiple control actions in a single state, and they allow the controller to consult clocks. TA's implicit representation of the state space is based on composition of automata, as opposed to our feature and transition approach. We hope to compare performance of CIRCA and a recent implementation of the TA algorithm [13].

Table 2. Comparison of state spaces explored with different search strategies (Forward and DAP), timed automaton verifier (RTA) versus CIRCA-specific verifier (CSV). Units are verifier state objects, i.e., a location together with a difference-bound matrix.
Scenario Forward RTA Forward CSV DAP RTA DAP CSV
