Controller synthesis techniques based on symbolic abstractions appeal by producing correct-by-design controllers, under intricate behavioural constraints. Yet, being relations between abstract states and inputs, such controllers are immense in size, which makes them futile for embedded platforms. Control-synthesis tools such as PESSOA, SCOTS, and CoSyMA tackle the problem by storing controllers as binary decision diagrams (BDDs). However, due to redundantly keeping multiple inputs per-state, the resulting controllers are still too large. In this work, we first show that choosing an optimal controller determinization is an NPcomplete problem. Further, we consider the previously known controller determinization technique and discuss its weaknesses. We suggest several new approaches to the problem, based on greedy algorithms, symbolic regression, and (muli-terminal) BDDs. Finally, we empirically compare the techniques and show that some of the new algorithms can produce up to ≈ 85% smaller controllers than those obtained with the previous technique.
Introduction
Controller synthesis techniques based on symbolic models, such as e.g. [28, 23, 17] , are becoming increasingly popular. One of the key advantages of these techniques is that they allow for synthesising correct-by-construction controllers of general nonlinear systems under intricate behavioural requirements. However, the downside of the synthesised controllers is their size as, in essence, they are huge tables mapping abstract state-space elements into input-signal values. Even for toy examples, the produced controllers can reach a size of several megabytes. In real-life applications however, they can be several orders of magnitude larger. The latter prohibits them from being used on embedded microcontrollers which typically have very limited memory resources. In general, this state-space explosion is the consequence of: (1) the number of abstract system states and inputs which are exponential in the number of dimensions and inverse-polynomial in the discretisation values; and (2) storing multiple valid input signals per abstract state.
There are numerous tools, implementing or incorporating control synthesis, such as PESSOA, SCOTS, CoSyMA, LTLMoP, TuLiP, see [18] , [24] , [19] , [7] , and [32] correspondingly. Internally, they either use an explicit control law representation in a table form or employ Reduced Ordered Binary Decision Diagrams, introduced by [4] and called RO-BDDs or simply BDDs, in an attempt to optimise the memory needed to store the synthesised control law. RO-BDDs are canonical, efficiently manipulable, and in many cases allow for compact data representation. However, their size is strongly dependent on the variables' ordering and the problem of finding an optimal one is known to be NP-complete, as shown by [3] . To fight that issue, tools such as SCOTS and Pessoa use the state of the art RO-BDD library CUDD, see [26] , which implements numerous efficient variable ordering optimisation heuristics. Yet, even when using BDDs, controllers synthesised for practical applications can easily reach hundreds of megabytes.
To our knowledge, there have been just a few attempts made to find compact but practical representations of (symbolically produced) control laws. Except for using BDDs, we are only aware of another two approaches. The first one, suggested by [27] , uses piece-wise linear functions, also known as linear in segments (LIS) functions, to approximate control functions of the form g : R → R. The approximation is considered for scalar control functions of one argument only. The main motivation for LIS is to reduce the memory footprint of implementing controllers at the cost of some on-line computations, which nonetheless are fast to perform. However, this approach does not directly scale to multiple dimensions or allows to resolve multiple-input's non-determinism.
Another technique to reduce the control-law size, we shall refer to as LA (Local Algorithm), was proposed by [9] . It borrows ideas from algebraic decision diagrams (ADDs), see [1] , for compact function representation and exploits the non-determinism inherent to safety controllers. The considered controllers are multi-valued maps g : R n ⇒ N. The suggested approach attempts to optimise the controller size determinizing the control law by choosing one of the possible control signals for each of the state-space points. In the selection of such unique inputs, LA maximizes the size of state-space neighbourhoods employing the same input with the expected outcome of minimizing an ADD representation of the resulting control function. However, the minimality of the ADD representation cannot be guaranteed in general by this approach, which leads us to investigate if better compression approaches may be viable.
In this paper, we first prove that the problem of choosing a size-optimal controller determinization is NP-complete. We do that assuming the BDD controller representation, but the result can be easily generalised. Next, we suggest two new determinization approaches : GA (Global Algorithm) -based on a greedy algorithm for the minimum set-cover selection problem, see [12, 5] ; SR -a hybrid of ADD-based and symbolic regression techniques, powered by genetic programming, see [14, 31] . GA attempts to minimise the BDD size by maximising the number of controller states having the same input signal. It differs from LA in that, when choosing a common input for a set of states, it looks at the state-space globally, without considering the actual state positions. SR (Symbolic Regression) aims at bridging the intrinsic limitations of LA and GA by using "arbitrary" (polynomial and sigmoid in our case) functions as controller representations. This way we realise the Kolmogorov's [16] view on data compression 1 . Further, we combine LA and GA into a hybrid approach called LGA (Local-Global Algorithm). The idea here is that the determinization is done as in LA but, if multiple common inputs are possible, the preference is given to the one suggested by GA. In addition, we consider B-prefixed version of LGA (BLGA) which attempts for a better compression by using BDD variable reordering to produce abstract state indexes.
We perform an empirical evaluation on a number of examples from the literature. Our results show that compression-wise 2 there is no absolute best approach. However, LGA seems, on most cases, to be providing the best compression. The SR approach, while only providing better compressions in few examples, may be most promising when looking at actual embedded deployments, if it could be pushed to remove any use of BDDs, and their overhead on actual implementations.
Symbolic regression
Symbolic regression is a type of regression analysis that searches for analytical expressions best fitting a given dataset of numerical data, both in terms of accuracy and simplicity. We apply this technique in order to find the smallest analytical expressions best fitting symbolic-model-based control-law functions, ensuring for the smallest control law representation. One of the most popular means for symbolic regression is genetic programming, see [13] (GP). In this work, similar to [30] , we employ grammar guided genetic programming algorithms (GGGP) to find multi-dimensional analytical expressions fitting the controller's data. In fact, the genetic process follows [29] except for that the realvalue parameter tuning is done with CMA-ES [10] . To speed up the CMA-ES procedure, we use sep-CMA-ES which has a linear time and space complexity [21] .
Binary Decision Diagrams
Binary Decision Diagrams (BDDs), represented with rooted directed acyclic graphs were introduced by [4] , as a compact representation for boolean functions F : {0, 1} n → {0, 1}. Given F with a list of arguments {v i } n i=0 , also called BDD variables or just variables, the BDD of F results from the Shannon expansion thereof. The order of arguments in the signature of F has clearly no impact on F itself, but it has a drastic impact on the size of the resulting BDD. Finding a size-optimal BDD variable ordering was shown, in [3] , to be NP-complete. Yet, there are multiple polynomial heuristics, [25] , that can find a semi-optimal variable ordering. One of the most popular thereof is sifting, [22] , and its variants. Multi Terminal BDDs (MTBDDs) extend BDDs in that tree's terminal nodes allow for arbitrary labels, thus useful to encode functions of the form F : {0, 1} n → U , with |U | < ∞. The BDD reduction algorithm is naturally extendable towards MTBDD which thus have the canonical RO-MTBDD form. For an (MT)BDD M , we define R (.) as a reduction function producing the RO-(MT)BDD R (M ). Algebraic Decision Diagrams (ADDs), introduced by [1] , are a synonym of MTBDDs. The current state of the art implementation for RO-(MT)BDDs is provided by the CUDD package [26] .
SCOTS v2.0
SCOTS is an open source software that implements construction of symbolic models, also known as discrete abstractions, of possibly perturbed, nonlinear control systems. The tool natively supports invariance and reachability specifications as well as several control synthesis algorithms. The control laws can be stored in BDD. SCOTS comes in a form of a header-only C++ library that can be easily included in any C/C++ code but also has a MATLAB interface. We base our algorithms on the interfaces provided by the UniformGrid and SymbolicSet classes of the tool.
Problem statement
Consider a (possibly non-linear) discrete time control system of the form:
Symbolic approaches, see e.g. [28] , automatically synthesize controllers in the form of discrete state transition systems. Furthermore, the resulting controllers can often be reduced to a look-up table, see [20] , prescribing for each point of the state-space a set of applicable inputs guaranteeing that the control specification is satisfied. Such synthesized controllers usually take the form of the combination of a (finite) set-valued map g : S ⇒ V, and quantization maps q x : X → S, q u : U → V reducing the originally infinite state and input sets to finite sets (usually defining a grid), i.e. S ⊂ X , S ⊂ X , |S| < ∞, |V| < ∞. Moreover, the usual approach is to quantize each dimension of X and U independently, i.e. q x (x) = (q
, where each of the q i x : X i ⊂ R → S i , such that S = S 1 × . . . × S n , and similarly for the input quantizer. This results in controller implementations selecting at each time step u(k) ∈ g (q x (x(k))), see for details of such controllers [20] . Most often, the controllers synthesized do not provide a valid input for some subset S ∅ ⊂ S. We define the set S c := S \ S ∅ . We may assume that there is some element nc ∈ V denoting a "no-input", and thus we can define S ∅ := g −1 (nc). A symbolic controller g ⊆ S×V, by indexing the countable sets S i and V i , can alternatively be interpreted as a relation g ⊂ Z ≥0 × Z ≥0 . Consider B := {0, 1}, and let us define a fixed-length base-2 bit encoding for non-negative integers bits :
, mapping the bit vector (bits (k 1 ) , bits (k 2 )) to a boolean 1 defines a BDD encoding of g. Similarly, one can construct an MTBDD encoding of g by mapping bits (k 1 ) to k 2 .
Relating elements of S or V with Z ≥0 can be done with an indexing function, typically defined as:
Here, N j :=|S j | for j∈1, n, and N j :=|V j | for j∈n+1, n+m; |bits (N j ) | is the data-type size needed to enumerate intervals in j. Equations 2 and 1 are both used in SCOTSv2.0. The former is employed in its interface classes (UniformGrid and SymbolicSet), as it delivers smaller indexes. The latter is used for BDD encoding as it avoids bit sharing between distinct dimension interval indices.
In the present we consider the following minimisation problem aimed at finding the smallest controller determinization of a given controller g:
where In theoretical derivations, as in [15] , we define |.| to be the number of (MT)BDD nodes. In practice, |.| is the number of bits used to store the (MT)BDD by the CUDD package in the best-found, variable reordering.
4 LA on MTBDDs [9] suggests a controller-size minimisation technique, which we call LA, that uses ideas from MTBDDs to represent the controller function in the form of a binary tree. The approach does dimension-wise binary splitting of the controller's state-space bounding box. The areas with no-inputs are considered to allow for any input. For the areas with common inputs possible a single input is selected non-deterministically. A branch in the tree represents a state-space area with all states having common inputs (stored in terminal nodes). The determinization aims at choosing single inputs in a way minimising the depth of the tree branches. The latter is equivalent to reductions as in steps (1) and (2) of the RO-BDD construction (c.f. Section 2.3), but not (3). [9] showed that LA can lead to drastic size reductions, e.g., for "the simple thermal model of a two-room building" example the original controller required 1.000.000 data units, whereas in the tree format it went down to 27. Yet, in its original form this approach: (i) does not preserve the controller's domain -neglecting basic
Figure 1: An example MTBDD data of safe initial states; (ii) employs a fixed state-space splitting algorithmnot using controller's structural features; (iii) uses simple binary trees which are less efficient than MTBDDs, due to the latter compression abilities by variable reordering and their canonical reduced form. This motivates extending the approach towards MTBDDs. LA can be adapted to quantised state-spaces, since:
(i) For dimension i∈1, n and s i ∈S i , the bit sequence bits (s i ), defines a binarytree path to s i in S i .
(ii) For s∈S, the alternating bit sequence obtained from bits (s 1 ) , . . . , bits (s n ) defines a binary-tree path to s in S.
The latter, using bounded-length bit sequences as in Section 3, allows to encode the LA's binary tree as an MTBDD. The size reductions obtained for the original LA are then a subset of those we get using MTBDDs 4 , as we can: (i) obtain RO-MTBDDs, utilising all the reduction steps (ii) find a more efficient variable ordering. Let us now show that, however good, LA does not allow to utilise the full power of the MTBDD reductions due to its pure spacial orientation.
Consider an MTBDD encoding of some LA's binary tree, in its original variable ordering, see Figure 1 . LA traverses an MTBDD trying to find common inputs, stored in terminal nodes, for all of its sub-trees. A sub-tree with a common input can then be trivially reduced to a single terminal node. In this case however, there are no non-trivial sub-trees with common inputs, so LA has to non-deterministically choose one (arbitrary) input value per terminal node. This results in 16 possible determinization variants, most of which would not be reducible, see e.g. Figure 2 , but a few would allow for reductions; the best one is in Figure 3 .
In this paper, we suggest alternatives and hybrid approaches to overcome this potential shortcoming of LA, see Section 6. Furthermore, to preserve information on safe initial states, we shall consider a modification of LA which forbids assignment of "any input" to "no-input" grid cells.
NP-completeness of determinization
Theorem 5.1. The OD problem is NP-complete (NP-C).
Figure 2: A non-reducible determinization
(a) After determinization Here, val (.) is terminals' labelling function; the low terminals encode the MSC sets; and the high terminals prevent all but low-terminals' reductions. The resulting binary tree T is a polynomial-space encoding of MSC as 7 : |T | = 4×
5 I.e. it has a non-deterministic step which always makes a "proper" (relative to the algorithm's goal) guess, see e.g. [2] . 6 All the missed auxiliary operations, e.g.: counting node inputs, removing the non-chosen inputs, and etc. are also polynomial time.
7 Remember that we have 2 × N terminal nodes.
Algorithm 1: NP algorithm for selection OD N − 1. Also, this is a polynomial-time encoding, as is realisable by Algorithm 2, of time complexity O (N ). To convert this binary tree into an MTBDD M , we shall interpret its non-terminal nodes as decision nodes, and its terminal nodes t as value nodes, labeled with val (t). This trivial conversion can also be done in polynomial time and space. b) Solving OD for M solves MSC : For the given M encoding of MSC, R (M ), in Algorithm 1, can only re-combine low terminals of M as high-terminal and thus non-terminal node reductions are prevented by the distinct high terminal node idexes. The high and non-terminals will stay intact and Algorithm 1 will effectively minimise the number of low terminals. The set I of low-terminal labels of M then yields the solution for MSC as: (a) I defines a sub-cover of S; (b) |I| is minimal. The former is clear as each x i of X is related to a low-terminal. The latter can be proved by contradiction. First, fix low-terminal node values of M to those of I to get an MTBDD M I for which |R (M I ) | = 3 × N − 1 + |I|. Let us assume that I is not a solution of MSC then there exists a sub-cover I , such that |I | < |I|. Similarly, for M I we have |R (M I ) | = 3 × N − 1 + |I |, and thus R (M I ) < R (M I ). The latter contradicts the fact that Algorithm 1 solves OD. c) Decoding MSC solution from OD solution: Decoding of the MSC solution from M is straightforward: one needs to go through all of the low-terminal nodes and collect their labels. This requires linear time and space algorithm.
Finally, since MSC is NP-C, (i)&(ii), imply that OD is NP-C.
Determinization algorithms
The newly suggested determinization algorithms have various underlying ideas: GA tries to maximise the number of states with the same input, and minimise the number of different inputs as a whole, both in an attempt to maximise the chances for (MT)BDD reductions;
LGA combines complementary ideas of LA and GA to reduce the number of non-deterministic choices to be taken in the former one; SR attempts to find an analytical expression fitting the controller points on the largest part of its domain to reduce the number of distinct control mode
Algorithm 2: Encode MSC as OD areas to be stored;
Global Approach
The GA approach is summarised in Algorithm 3, where:
(i) inputs to states (.) creates C -the set of domain state indexes, I -the set of input indexes, and {C j } j∈I -the sets of states for the given inputs;
(ii) get min set cover(.) implements the MSC solution algorithm for unit set weights 8 , see Section 2.1;
(iii) determinize (.) iterates over I * and for each state with the input removes all other inputs.
Algorithm 3: The GA approach GA differs from LA by looking at the state-space globally regardless of its' elements location. It maximizes the number of terminal nodes with identical labels, generally leading to a reduction in the number of used labels, which should facilitate MTBDD reductions.
Local-Global Approach
Recall the MTBDD-based LA algorithm discussed in Section 4. We showed that such determinization procedure can suffer from sub-optimal non-deterministic resolutions when multiple input choices are available in some regions.
LGA combines LA with GA in an attempt to improve the resulting reductions by minimising this uncertainty. In essence, the LGA approach proceeds as LA up to the moment a non-trivial set of inputs, common for a grid area, is found; then the input is chosen according to the priority-descending order of inputs, as pre-computed by the get min set cover (.) function, see Algorithm 3.
BDD-index based Local-Global Approach
RO-(MT)BDDs achieve significant size reductions only if a "good" variable ordering is found, see Section 2. form of cell re-indexing. Figure 4 shows the effects thereof on the g ⊂ Z ≥0 ×Z ≥0 function for an LGA-determinized BDD controller of the DC motor case study, see Section 7.1. The horizontal and vertical axes of the plots correspond to the state-and input-space element indexes respectively. The distinct vertical lines on Figures 4a and 4b are the 1.000 point marks. According to Section 3, the BDD's range of S indexes is wider than that of SCOTSv2.0. Comparing g (.) in RO-BDD and SCOTSv2.0 indexes, the former exhibits better data clustering. To use this to our benefit, we suggest a version of LGA, called BLGA, using the RO-BDD indexes.
Symbolic Regression
For the SR algorithm, a set of candidate controllers is evolved using a combination of GGGP and sep-CMA-ES, c.f. references in Section 2.2, using i max individuals (i.e. candidate solutions) for N generations. GGGP is used to evolve the functional structure of the controller based on a grammar and sep-CMA-ES to optimize the parameters. Given a candidate controller g SR : R n → R m , the fitness function F with respect to a finite set S is defined as:
In order to reduce the computation time, the set of states S c is down-sampled to a set with a maximum of λ elements. The reproduction involves selecting individuals based on tournament selection and the genetic operators crossover and mutation, in which parts of the individuals are exchanged or randomly altered respectively. More in depth descriptions of the used GGGP and sep-CMA-ES algorithms can be found in [29] and [21] respectively. After a maximum amount of generations the individual with the highest fitness is selected. For the resulting controller, it is verified for which states s ∈ S c it holds that q u (g SR (s)) ∈ g(s). For the remaining states the inputs are determinized using GA, LA or LGA. Finally, all states and corresponding new input indexes are again stored in a BDD.
9 Swapping bits affects all indexes; bits can not change value.
For our experiments we used the parameters in Table 1 . Table 2 shows the grammar employed to determine in which space analytical expressions to fit the controllers were selected. Here sgn denotes the signum function and Random Real ∈ [−1, 1] creates a random real within the specified interval. The used starting symbol is strt . 7 Empirical evaluation
Case studies
All of the considered case-studies, but the last one, are taken from the standard distribution of SCOTSv2.0: Aircraft -a DC9-30 aircraft landing maneuver, see [20] ; Vehicle -a path planning problem for an autonomous vehicle, see [33] and [20] ; DCDC -a boost DC-DC converter with a reach-and-stay voltage specification, see [8] ; DCDC rec 1/2 -the same as DCDC but enforces a recurrence specification for two targets; DCM -a DC motor with a reach-and-stay velocity specification, see [18] .The symbolic BDD controller sizes were varied by modifying the models' input-/state-space discretisation parameters.
Software details
For the evaluation, we have realised the following software:
• A C++11 based LibLink library 10 for Mathematica 11, see [11] , allowing to load and store BDD-based symbolic controllers of SCOTSv2.0.
• A C++11 based application implementing LA, GA, LGA, and BLGA. Our code is single-threaded as constrained by CUDD.
• A Mathematica 11 package implementing the SR approach. This realisation is natively multi-threaded and allows for a best utilisation of the CPU cores.
Experimental setup
We have measured: (i) determinization run-time in seconds as reported by the tools; (ii) size of the determinized controllers in bytes, when stored to the file system. SR is probabilistic and therefore each of its experiments was repeated 5 times. All other approaches are deterministic and thus their experiments were repeated only once. Overall, we have considered the algorithms on various size models, varying the discretization parameters, and thus changing: Given, a significant difference in software realization (Mathematica v.s. C++11, multi v.s. single threaded), running SR on faster multicore machine, and that controllers' determinization is an offline job, our run-time data: (i) is only dedicated to show the approaches' feasibility; (ii) can only hint the actual performance differences between SR and others. This is why also the run-time for LA, GA, LGA, and BLGA is not averaged over multiple re-runs. Table 3 presents the core experimental data for models obtained by varying the number of inputs. Here, column: "SCOTS" lists information for the original controllers; "Time" is the algorithm's run-time in seconds; "A-SR" and "M-SR"stand for the average and maximum SR values over 5 repetitions; and "Fit %" is the fitness percentage of the SR controller's symbolic part. To compare the compressing power of the approaches, for an algorithm ω and a case study ν we define size compression as: C LGA 12 . The plot features mean compressions and the standard deviation thereof. We conclude the next compression ranking of the algorithms: 1.
Results
LGA, 2. BLGA, 3. LA, 4. GA, 5. M-SR 6. A-SR. Figure 6 summarises the execution times for the set-up of Table 3 . Relative to LA, on average: GA is ≈ 0.8 times faster; LGA is comparable; BLGA is ≈ 1.1 times slower; A-SR is ≈ 180 times slower but has a huge deviation of ≈ 174. The latter is due to probabilistic nature of SR. Note that, A-SR is multi-threaded and was run on a faster machine than the single-threaded LA. So the actual performance difference between the algorithms is more significant.
Additionally, we compared GA, LGA, BLGA and LA on up to 52 Mb size BDD controllers, obtained by varying the number of system states. These experiments only strengthened the algorithms' ranking conclusions implied by Figure 5 . We omit further detail on that, to save space.
To conclude, we present Figure 7 summarising the compression of LGA relative to LA on all of the 67 considered BDD controllers. Per case-study ν the compression is computed as: C Figure 7 shows the discretized distribution of C ν
LGA, LA , the plot on the right shows its mean and standard deviation. Notice that, on average, LGA produces ≈ 14% smaller controllers than LA, in the best case LGA was capable of delivering up to ≈ 85% smaller controllers.
Conclusions
In this work, we have considered the problem of size-optimal BDD controllers determinisation (OD), which we show to be NP-complete. Up until now, the only heuristic approach to solve OD was proposed by [9] and was based on representing the controller function as a binary tree. We have shown how that such an approach, which we call LA, can be extended to use the more size-efficient RO-(MT)BDDs data structure. In addition, we have identified examples where LA LGA, LA distribution, deviation and average is sub-optimal due to only considering controller's local properties. A global approach (GA), based on the minimum set cover problem solution algorithm, was proposed to remedy this. Further, a hybrid of GA and LA, called LGA, was suggested to incorporate the strengths of both approaches. To exploit the clustering of internal BDD indexes, we have come up with a BDD-index based version of LGA, called BLGA. Finally, we made an attempt of substituting the BDD-based control-law representations by functions generated using the symbolic regression (genetic-algorithm powered) approach, we refer to as SR.
All of the devised approaches were compared in compressing power and runtime by means of an extended empirical evaluation. The compression ranking of the algorithms turns out to be: 1.
LGA, 2. BLGA, 3. LA, 4. GA, 5. SR. The run times of LA, GA, LGA, and BLGA are of the same order but SR is at least one to two orders of magnitude slower.
In principle, SR could allow us to eliminate BDDs completely, leading to potentially smaller functional expressions and prevent using BDD-data accessing code that, as for CUDD, is difficult (and size expensive) to port to embedded hardware. We did not manage to achieve that due to: (i) our SR realization not being powerful enough, see low fitness values in Table 3 ; (ii) using BDDs for storing the controller's support, due to a decision to preserve controller's domain. For now, we shall note that SR still looks promising for getting small and practical controllers. However, symbolic controllers seem to have structure that is not easy for SR to achieve a 100% fitness on. So more research is needed to be done in this direction.
