
Symbolic Control Design of Nonlinear Networked Control Systems

2014

arXiv:1404.0237v2 [cs.SY] 22 Aug 2014

Alessandro Borri, Giordano Pola and Maria Domenica Di Benedetto

∗ The research leading to these results has been partially supported by the Center of Excellence DEWS and received funding from the European Union Seventh Framework Programme [FP7/2007-2013] under grant agreement n. 257462 HYCON2 NoE.
† Alessandro Borri is with the Istituto di Analisi dei Sistemi ed Informatica "A. Ruberti", Consiglio Nazionale delle Ricerche (IASI-CNR), 00185 Rome, Italy, alessandro.borri@iasi.cnr.it.
‡ Giordano Pola and Maria Domenica Di Benedetto are with the Department of Information Engineering, Computer Science and Mathematics, Center of Excellence for Research DEWS, University of L'Aquila, 67100, L'Aquila, Italy, {giordano.pola,mariadomenica.dibenedetto}@univaq.it.

Abstract

Networked Control Systems (NCS) are distributed systems where plants, sensors, actuators and controllers communicate over shared networks. Non-ideal behaviors of the communication network include variable sampling/transmission intervals and communication delays, packet losses, communication constraints and quantization errors. NCS have been the object of intensive study in the last few years. However, due to the inherent complexity of NCS, current literature focuses on only a subset of these non-idealities and mostly considers stability and stabilizability problems. Recent technology advances indeed demand that different and more complex control objectives are considered. In this paper we first present a general model of NCS, including all the non-idealities of the communication network; then, we propose a symbolic model approach to the control design with objectives expressed in terms of non-deterministic transition systems. The presented results are based on recent advances in symbolic control design of hybrid and continuous control systems. An example in the context of robot motion planning with remote control is included, showing the effectiveness of the approach taken.

1 Introduction

Networked Control Systems (NCS) are complex, heterogeneous, spatially distributed systems where physical processes interact with distributed computing units through non-ideal communication networks. In the past, NCS were limited in the number of computing units and in the complexity of the interconnection network so that it was possible to obtain reasonable performance by aggregating subsystems that were locally designed and optimized. However, the growth of complexity of the physical systems to control, together with the continuous increase in functions that these systems must perform, today requires the adoption of a unified design approach where different disciplines (e.g. control systems engineering, computer science, software engineering and communication engineering) come together to reach new levels of performance. The heterogeneity of the subsystems that are to be connected in a NCS makes the control of these systems a hard but challenging task. NCS have been the focus of much recent research in the control community: Murray et al. in [1] presented control over networks as one of the important future directions for control. Following [2], the most important non-idealities considered in the study of NCS are: (i) variable sampling/transmission intervals; (ii) variable communication delays; (iii) packet dropouts caused by the unreliability of the network; (iv) communication constraints (scheduling protocols) managing the possibly simultaneous transmissions over the shared channel; (v) quantization errors in the digital transmission with finite bandwidth.
There are two approaches to manage such non-idealities: the deterministic approach, which assumes worst-case (deterministic) bounds on the aforementioned imperfections, and the stochastic approach, which provides a stochastic description of the non-ideal communication network. We focus our attention on the deterministic methods, which can be further distinguished according to the modeling assumptions and the controller synthesis for NCS: a) the discrete-time approach (see e.g. [3], [4]) considers discrete-time controllers and plants; b) the sampled-data approach (see e.g. [5], [6]) assumes discrete-time controllers and continuous-time (sampled-data) plants; c) the continuous-time (emulation) approach (see e.g. [7], [8]) focuses on continuous-time controllers and continuous-time (sampled-data) plants. In the deterministic approach, results obtained during the past few years are mostly about stability and stabilizability problems, see e.g. [9, 2, 10], with results that depend on the method considered and the assumptions on the non-ideal communication infrastructure. In addition, current approaches in the literature take into account only a subset of these non-idealities. As reviewed in [2], for example, [11] studies imperfections of type (i), (iv), (v), [3], [12], [6] consider simultaneously (i), (ii), (iii), [8] focuses on (i), (iii), (iv), while [5] manages (ii), (iii) and (v). Three types of non-idealities, namely (i), (ii), (iv), are considered for example in [13], [14], [7]. In [15], the five non-idealities are dealt with but small delay and other restrictive assumptions are considered. Finally, novel results in the stability analysis of NCS can be found in [16], [17], [18], [19]. However, existing results do not address control design of NCS with complex specifications, as for example safety and liveness properties, obstacle avoidance, fairness constraints, language and logic specifications. 
This paper follows the deterministic approach and constitutes a first step towards a unified theory for NCS control design where the most relevant non-idealities of the communication and computing infrastructures can be dealt with. The approach taken is based on the use of discrete abstractions of continuous and hybrid systems [20, 21]. This approach is a sound paradigm to solve control problems where software and hardware interact with the physical world and, to address a wealth of novel specifications, which are difficult to enforce by means of conventional control design methods. Examples of such specifications include logic specifications expressed in linear temporal logic or automata. Central to this approach is the construction of symbolic models, which are abstract descriptions of complex systems where a symbol corresponds to an “aggregate” of continuous states and a symbolic control label to an “aggregate” of continuous control inputs. Several classes of dynamical and control systems that admit equivalent symbolic models have been identified in the literature. Within the class of hybrid automata we recall timed automata [22], rectangular hybrid automata [23], and o-minimal hybrid systems [24, 25]. Early results for classes of control systems were based on dynamical consistency properties [26], natural invariants of the control system [27], l-complete approximations [28], and quantized inputs and states [29, 30]. Recent results include work on controllable discrete-time linear systems [31], piecewise-affine and multi-affine systems [32, 33], set-oriented discretization approach for discrete-time nonlinear optimal control problems [34], abstractions based on convexity of reachable sets [35], incrementally stable and incrementally forward complete nonlinear control systems with and without disturbances [36, 37, 38, 39], switched systems [40] and time-delay systems [41, 42]. 
The interested reader is referred to [43, 21] for an overview on recent advances in this domain.

In this paper we address the control design of a fairly general model of NCS with complex specifications. The main contributions of this paper are:

• A general model of NCS. We consider NCS where the plant is a continuous-time nonlinear control system, the computing units are modelled by finite state transition systems, and the communication network non-idealities are quantization errors, time-varying delay in accessing the network, time-varying delay in delivering messages through the network, limited bandwidth and packet dropouts. The proposed model covers non-idealities (i)-(v) in NCS and, due to its flexibility, can embed specific communication protocols, data compression and encryption in the message delivery, and scheduling rules in the communication network and computing units.

• A symbolic model approach to the control design of NCS. We propose symbolic models that approximate NCS in the sense of alternating approximate (bi)simulation with arbitrarily good accuracy. More specifically, under the assumption of existence of an incremental forward complete Lyapunov function for the plant of the NCS, we derive symbolic models approximating the NCS in the sense of alternating approximate simulation; for incrementally stable plants we derive symbolic models that approximate the NCS in the sense of alternating approximate bisimulation. The first result is important because it does not require the stability of the open-loop NCS while the second result is important because it provides a completeness property in the control design: if a solution does not exist for the given control problem (with desired accuracy) for the symbolic model, no control strategy exists for the original NCS. Building upon these symbolic models, we address the NCS control design where specifications are expressed in terms of transition systems.
Given a NCS and a specification, a symbolic controller is derived such that the controlled system meets the specification in the presence of the considered non-idealities in the communication network.

This paper follows the approach proposed in [36, 37] based on the construction of symbolic models for nonlinear control systems. It provides an extended version of the preliminary results published in [44, 45], including a comprehensive NCS modeling, extensions and full proofs of the technical results and an example in the context of robot motion planning with remote control. Moreover, while in [44, 45] controllers are assumed to be static, we consider here the general class of dynamic controllers. The paper is organized as follows. In Section 2 the notation is introduced. In Section 3 a model is proposed for a general class of nonlinear NCS. In Section 4 symbolic models approximating NCS are derived. In Section 5 symbolic control design is addressed. An example of application of the proposed results is included in Section 6. Finally, Section 7 offers some concluding remarks and outlook for future work. The Appendix recalls some technical notions that are instrumental in the paper.

2 Notation and preliminary definitions

Notation. The symbols $\mathbb{N}$, $\mathbb{N}_0$, $\mathbb{Z}$, $\mathbb{R}$, $\mathbb{R}^-$, $\mathbb{R}^+$ and $\mathbb{R}_0^+$ denote the set of natural, nonnegative integer, integer, real, negative real, positive real, and nonnegative real numbers, respectively. The cardinality of a set $A$ is denoted by $|A|$. Given a set $A$ we denote $A^2 = A \times A$ and $A^{n+1} = A \times A^n$ for any $n \in \mathbb{N}$. Given a pair of sets $A$ and $B$ and a relation $R \subseteq A \times B$, the symbol $R^{-1}$ denotes the inverse relation of $R$, i.e. $R^{-1} = \{(b, a) \in B \times A : (a, b) \in R\}$. Given an interval $[a, b] \subseteq \mathbb{R}_0^+$, we denote by $[a; b]$ the set $[a, b] \cap \mathbb{N}$, if $a \le b$, and the empty set $\emptyset$ otherwise. We denote the ceiling of a real number $x$ by $\lceil x \rceil = \min\{n \in \mathbb{Z} \mid n \ge x\}$. Given a vector $x \in \mathbb{R}^n$ we denote by $\|x\|$ the infinity norm and by $\|x\|_2$ the Euclidean norm of $x$.

Preliminary definitions. A continuous function $\gamma : \mathbb{R}_0^+ \to \mathbb{R}_0^+$ is said to belong to class $\mathcal{K}$ if it is strictly increasing and $\gamma(0) = 0$; a function $\gamma$ is said to belong to class $\mathcal{K}_\infty$ if $\gamma \in \mathcal{K}$ and $\gamma(r) \to \infty$ as $r \to \infty$. Given $\mu \in \mathbb{R}^+$ and $A \subseteq \mathbb{R}^n$, we set $[A]_\mu = \mu\mathbb{Z}^n \cap A$; if $B = \bigcup_{i \in [1;N]} A^i$ then $[B]_\mu = \bigcup_{i \in [1;N]} ([A]_\mu)^i$. Consider a set $A$ given as a finite union of hyperrectangles, i.e. $A = \bigcup_{j \in [1;J]} A_j$, for some $J \in \mathbb{N}$, where $A_j = \prod_{i \in [1;n]} [a_i^j, b_i^j] \subseteq \mathbb{R}^n$ with $a_i^j < b_i^j$, and define $\hat\mu_A = \min_{j \in [1;J]} \mu_{A_j}$, where $\mu_{A_j} = \min\{|b_1^j - a_1^j|, \dots, |b_n^j - a_n^j|\}$. Following [37], for any $\mu \le \hat\mu_A$ and any $a \in A$ there exists $b \in [A]_\mu$ such that $\|a - b\| \le \mu$. Given any $a \in A$ and $\mu \le \hat\mu_A$, in the sequel we denote by $[a]_\mu \in [A]_\mu$ a vector such that $\|a - [a]_\mu\| \le \mu$.

[Figure 1: Networked Control System. A detailed description of the sub-systems depicted in this figure is reported in Section 3.]

3 Networked Control Systems

The class of NCS that we consider is depicted in Fig. 1. It consists of a nonlinear control system (the plant $P$), whose control loop is closed over a non-ideal communication network, taking into account the most important non-idealities commonly considered in the literature, including finite time-varying network delays, finite bandwidth, signal quantization, communications constraints due to shared access to the network, transmission overhead, finite computational resources and packet losses. A non-ideal network is placed both in the plant-to-controller branch and in the controller-to-plant branch of the loop. The analog-to-digital (sensor and quantizer) and digital-to-analog (ZoH) interfaces of the continuous plant allow the transmission of sensing and control digital samples over a channel with finite bandwidth. The symbolic controller provides quantized control samples depending on the value of the measured output. Our framework is inspired by the models reviewed in [2].
The sub-systems composing the NCS are described hereafter in more detail.

Plant. The direct branch of the network includes the plant $P$ that is a nonlinear control system in the form of:

\[
\begin{cases}
\dot{x}(t) = f(x(t), u(t)), \quad t \in \mathbb{R}_0^+, \\
x \in X \subseteq \mathbb{R}^n, \quad x(0) \in X_0 \subseteq X, \quad u(\cdot) \in \mathcal{U},
\end{cases}
\tag{1}
\]

where $x(t)$ and $u(t)$ are the state and the control input at time $t \in \mathbb{R}_0^+$, $X$ is the state space, $X_0$ is the set of initial states and $\mathcal{U}$ is the set of control inputs that are supposed to be piecewise-constant functions of time from intervals of the form $]a, b[ \subseteq \mathbb{R}$ to a finite non-empty set $U \subset [\mathbb{R}^m]_{\mu_U}$ for some $\mu_U \in \mathbb{R}^+$. We suppose that the set $X$ is in the form of a finite union of hyperrectangles. The function $f : X \times U \to \mathbb{R}^n$ is assumed to be Lipschitz on compact sets with respect to the first argument. In the sequel we denote by $x(t, x_0, u)$ the state reached by (1) at time $t$ under the control input $u$ from the initial state $x_0$; this point is uniquely determined, since the assumption on $f$ ensures existence and uniqueness of trajectories. We assume that the control system $P$ is forward complete, namely that every trajectory $x(\cdot, x_0, u)$ of $P$ is defined on an interval of the form $]a, \infty[$. Sufficient and necessary conditions for a control system to be forward complete can be found in [46]. In the remainder of the paper, we abuse notation by denoting the constant control input $u(t) = u$ in the compact domain $[0, \tau]$ (for some $\tau \in \mathbb{R}^+$) by $u$.

Sensor. On the right-hand side of the plant $P$ in Fig. 1, a sensor is placed. We assume that:

(A.1) The sensor is synchronized with the plant and updates its output value at times that are integer multiples of $\tau \in \mathbb{R}^+$, i.e. $\tilde y_s = x(s\tau, x_0, u)$, for some $x_0 \in X_0$ and $u \in \mathcal{U}$, and any $s \in \mathbb{N}_0$, where $s$ is the index identifying the sampling interval (starting from 0).

The above synchronization assumption is not restrictive since the sensor is physically connected to the plant.

Quantizer. A quantizer follows the sensor.
For simplicity, we assume that the quantizer is uniform, with accuracy $\mu_X \in ]0, \hat\mu_X[$. The role of the quantizer is: i) to discretize the continuous-valued sensor measurement sequence $\{\tilde y_s\}_{s \in \mathbb{N}_0}$ to get the quantized sequence $\{y_s\}_{s \in \mathbb{N}_0}$, with $y_s = [\tilde y_s]_{\mu_X}$; ii) to encode the signals into digital messages of length $\lceil \log_2 |[X]_{\mu_X}| \rceil$ and to add overhead bits, resulting in the sequence of digital messages $\{\bar y_s\}_{s \in \mathbb{N}_0}$. The transmission overhead takes into account the communication protocol, the packet headers, source and channel coding as well as data compression and encryption. We assume a fixed average relative overhead $N_{pc}^+$ on each data bit; since data compression may be considered, the relative overhead $N_{pc}^+$ may be negative. More precisely:

(A.2) $N_{pc}^+$ bits are added per each bit of the digital signal encoding $y_s$, i.e. the number of bits of message $\bar y_s$ is $(1 + N_{pc}^+)\lceil \log_2 |[X]_{\mu_X}| \rceil$, for all $s \in \mathbb{N}_0$.

Network. In the following, the index $k \in \mathbb{N}$ denotes the current iteration in the feedback loop. Due to the non-idealities of the network, not all the output samples can be transmitted through the network. We assume that only one output sample per iteration is sent. In particular, $\{M_k\}_{k \in \mathbb{N}} \subseteq \mathbb{N}$ denotes the subsequence of the sampling intervals when the output samples are sent through the network, i.e. at time $M_k\tau$ the digital message $\bar y_{M_k}$ encodes the output sample $y_{M_k} = [x(M_k\tau)]_{\mu_X}$ and is sent (iteration $k$). We set $M_1 = 0$. The communication network is characterized by the following features:

(Time-varying access to the network) The digital message $\bar y_{M_k}$ cannot be sent instantaneously to the network, because the communication channel is assumed to be a resource which is shared with other nodes or processes in the network. The policy by which a signal of a node is sent before or after a message of another node is managed by the network scheduling protocol selected.
We assume that:

(A.3) The sequence $\{\Delta_k^{\mathrm{req,pc}}\}_{k \in \mathbb{N}}$ of network waiting times in the plant-to-controller branch of the feedback loop is bounded, i.e. $\Delta_k^{\mathrm{req,pc}} \in [\Delta_{\min}^{\mathrm{req}}, \Delta_{\max}^{\mathrm{req}}]$, for all $k \in \mathbb{N}$, for some $\Delta_{\min}^{\mathrm{req}}, \Delta_{\max}^{\mathrm{req}} \in \mathbb{R}_0^+$.

At time $t_k^{pc} := M_k\tau + \Delta_k^{\mathrm{req,pc}}$, the message $\bar w_k := \bar y_{M_k}$ is sent through the network.

(Limited bandwidth) In real applications, the capacity of the digital communication channel is limited and time-varying. We denote by $B_{\min}, B_{\max} \in \mathbb{R}^+$ the minimum and maximum capacities of the channel (expressed in bits per second, bps). In view of the binary coding and the transmission overhead (see Assumption (A.2)), we assume that:

(A.4) At iteration $k$, a delay $\Delta_k^{B,pc} \in [\Delta_{\min}^{B,pc}, \Delta_{\max}^{B,pc}]$ due to the limited bandwidth is introduced in the plant-to-controller branch of the feedback loop, with $\Delta_{\min}^{B,pc} = (1 + N_{pc}^+)\lceil \log_2 |[X]_{\mu_X}| \rceil / B_{\max}$ and $\Delta_{\max}^{B,pc} = (1 + N_{pc}^+)\lceil \log_2 |[X]_{\mu_X}| \rceil / B_{\min}$.

(Time-varying delivery of messages) The delivery of message $\bar w_k$ may be subject to further delays, due to congestion phenomena in the network, etc. We assume that:

(A.5) The sequence $\{\Delta_k^{\mathrm{net,pc}}\}_{k \in \mathbb{N}}$ of network communication delays in the plant-to-controller branch of the feedback loop is bounded, i.e. $\Delta_k^{\mathrm{net,pc}} \in [\Delta_{\min}^{\mathrm{net}}, \Delta_{\max}^{\mathrm{net}}]$, for all $k \in \mathbb{N}$, for some $\Delta_{\min}^{\mathrm{net}}, \Delta_{\max}^{\mathrm{net}} \in \mathbb{R}_0^+$.

(Packet dropout) In real applications, one or more messages can be lost during the transmission, because of the unreliability of the communication channel. We assume that:

(A.6) The maximum number of successive packet dropouts is $N_{pd}$.

Symbolic controller. Unless message $\bar w_k$ is lost, it is decoded into the quantized sensor measurement $w_k$ and reaches the controller. The symbolic controller $C$ is dynamic, remote and asynchronous with respect to the plant and is expressed as a Mealy machine:

\[
C: \begin{cases}
\xi_{k+1} \in f_C(\xi_k, w_k), \\
v_k = h_C(\xi_k, w_k),
\end{cases}
\tag{2}
\]

where $\Xi$ is the state space of the controller and $\mathrm{Dom}_C \subseteq \Xi \times [X]_{\mu_X}$ is the domain of the functions $f_C : \mathrm{Dom}_C \to 2^{\Xi}$ and $h_C : \mathrm{Dom}_C \to U$.
At each iteration $k$, the controller takes as input the measurement sample $w_k \in [X]_{\mu_X}$ and returns as output the control sample $v_k = h_C(\xi_k, w_k) \in U$, which is synthesized by a computing unit that may be employed to execute several tasks. Note that, when $\Xi$ is a singleton set, $C$ becomes static. The policy by which a computation is executed before or after another computation depends on the scheduling protocol adopted. We assume that:

(A.7) The computation time $\Delta_k^{\mathrm{ctrl}}$ for the symbolic controller to return its output value $v_k$ is bounded, i.e. $\Delta_k^{\mathrm{ctrl}} \in [\Delta_{\min}^{\mathrm{ctrl}}, \Delta_{\max}^{\mathrm{ctrl}}]$, for all $k \in \mathbb{N}$, for some $\Delta_{\min}^{\mathrm{ctrl}}, \Delta_{\max}^{\mathrm{ctrl}} \in \mathbb{R}_0^+$.

The control sample $v_k$ is encoded into a digital signal of length $\lceil \log_2 |U| \rceil$, and some overhead information is added to take into account the communication protocol, the packet headers, source and channel coding as well as data compression and encryption. The resulting message is denoted by $\bar v_k$. We assume a fixed average relative overhead $N_{cp}^+$ on each data bit, which may also be negative due to possible data compression. The following Assumptions (A.8) to (A.11), describing the non-idealities in the controller-to-plant branch of the network, correspond exactly to Assumptions (A.2) to (A.5), previously given for the plant-to-controller branch:

(A.8) $N_{cp}^+$ bits are added per each bit of $v_k$, i.e. the number of bits of $\bar v_k$ is $(1 + N_{cp}^+)\lceil \log_2 |U| \rceil$.

(A.9) The sequence $\{\Delta_k^{\mathrm{req,cp}}\}_{k \in \mathbb{N}}$ of network waiting times in the controller-to-plant branch of the feedback loop is bounded, i.e. $\Delta_k^{\mathrm{req,cp}} \in [\Delta_{\min}^{\mathrm{req}}, \Delta_{\max}^{\mathrm{req}}]$, for all $k \in \mathbb{N}$.

At time $t_k^{cp} := M_k\tau + \Delta_k^{\mathrm{req,pc}} + \Delta_k^{B,pc} + \Delta_k^{\mathrm{net,pc}} + \Delta_k^{\mathrm{ctrl}} + \Delta_k^{\mathrm{req,cp}}$, the message $\bar v_k$ is sent.

(A.10) At iteration $k$, a delay $\Delta_k^{B,cp} \in [\Delta_{\min}^{B,cp}, \Delta_{\max}^{B,cp}]$ due to the limited bandwidth is introduced in the controller-to-plant branch of the feedback loop, with $\Delta_{\min}^{B,cp} = (1 + N_{cp}^+)\lceil \log_2 |U| \rceil / B_{\max}$ and $\Delta_{\max}^{B,cp} = (1 + N_{cp}^+)\lceil \log_2 |U| \rceil / B_{\min}$.
(A.11) The sequence $\{\Delta_k^{\mathrm{net,cp}}\}_{k \in \mathbb{N}}$ of network communication delays in the controller-to-plant branch of the feedback loop is bounded, i.e. $\Delta_k^{\mathrm{net,cp}} \in [\Delta_{\min}^{\mathrm{net}}, \Delta_{\max}^{\mathrm{net}}]$, for all $k \in \mathbb{N}$.

The resulting total delay induced by network and computing unit at iteration $k$ is

\[
\Delta_k := \Delta_k^{\mathrm{req,pc}} + \Delta_k^{B,pc} + \Delta_k^{\mathrm{net,pc}} + \Delta_k^{\mathrm{ctrl}} + \Delta_k^{\mathrm{req,cp}} + \Delta_k^{B,cp} + \Delta_k^{\mathrm{net,cp}}.
\]

In the absence of packet dropouts, one has $\Delta_k \in [\bar\Delta_{\min}, \bar\Delta_{\max}]$, where $\bar\Delta_{\min}, \bar\Delta_{\max} \in \mathbb{R}^+$ are the minimum and maximum delays computed according to the previous assumptions (excluding (A.6)), as

\[
\bar\Delta_{\min} := \Delta_{\min}^{B,pc} + \Delta_{\min}^{\mathrm{ctrl}} + \Delta_{\min}^{B,cp} + 2\Delta_{\min}^{\mathrm{req}} + 2\Delta_{\min}^{\mathrm{net}}, \qquad
\bar\Delta_{\max} := \Delta_{\max}^{B,pc} + \Delta_{\max}^{\mathrm{ctrl}} + \Delta_{\max}^{B,cp} + 2\Delta_{\max}^{\mathrm{req}} + 2\Delta_{\max}^{\mathrm{net}}.
\]

We can finally define $N_k := \lceil \Delta_k / \tau \rceil$ as the discrete delay induced by iteration $k$, expressed in terms of number of sampling intervals of duration $\tau$.

ZoH. Unless message $\bar v_k$ is lost, it is decoded into the control input $v_k$ and reaches the Zero-order-Holder (ZoH) at time $M_k\tau + \Delta_k$. From the definitions of $M_k$ and $N_k$, we get $M_{k+1} = M_k + N_k$. Note that, since we assumed finite bandwidth $B_{\max} \in \mathbb{R}^+$, one has $N_k \ge 1$ for all $k$. The ZoH is updated to the new value $v_k$ at time $M_{k+1}\tau$. The ZoH input sequence is indicated as $\{\tilde u_s\}_{s \in \mathbb{N}_0}$ and is so defined by $\tilde u_s = v_k$ for $M_{k+1} \le s < M_{k+2}$, meaning that the value $v_k$ is held exactly for one iteration. The ZoH is placed on the left-hand side of the plant $P$ in Fig. 1. We assume that:

(A.12) The ZoH is synchronized with the plant and updates its output value at times that are integer multiples of $\tau$, i.e. $u(s\tau + t) = u(s\tau) = \tilde u_s$, for $t \in [0, \tau[$ and $s \in \mathbb{N}_0$, where $s$ is the index identifying the sampling interval (starting from 0).

The above synchronization assumption is not restrictive since the sub-system ZoH is physically connected to the plant. The ZoH holds a sample until a new one shows up. At time $t = 0$ a reference control input $\tilde u_0 \in U$ is held by the ZoH. So far we have not considered packet dropouts.
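The dropout-free delay budget and ZoH hold schedule described above, as an added example that is not part of the original paper: it computes the nominal bounds on the loop delay from Assumptions (A.2)-(A.11), then maps one realization of the total delays to the discrete delays N_k, the sending instants M_k and the ZoH input sequence. The names `Branch`, `Network`, `nominal_delay_bounds`, `discrete_delay` and `hold_schedule`, and all numeric parameters, are constructed for illustration.

```python
import math
from dataclasses import dataclass
from fractions import Fraction as F  # exact arithmetic: float division can push a ceiling off by one


@dataclass(frozen=True)
class Branch:
    """One branch of the loop: plant-to-controller (pc) or controller-to-plant (cp)."""
    n_symbols: int  # |[X]_muX| for the pc branch, |U| for the cp branch
    overhead: F     # relative overhead N+ per data bit (negative if compression dominates)

    def message_bits(self):
        # (A.2)/(A.8): (1 + N+) * ceil(log2(n_symbols)); bit_length() avoids a float log2
        return (1 + self.overhead) * (self.n_symbols - 1).bit_length()


@dataclass(frozen=True)
class Network:
    b_min: int    # minimum channel capacity, bit/s
    b_max: int    # maximum channel capacity, bit/s
    req: tuple    # (min, max) network waiting time in seconds, (A.3)/(A.9)
    net: tuple    # (min, max) delivery delay in seconds, (A.5)/(A.11)
    ctrl: tuple   # (min, max) controller computation time in seconds, (A.7)


def nominal_delay_bounds(pc, cp, nw):
    """Bounds on the total loop delay Delta_k when no packet is dropped."""
    bits = pc.message_bits() + cp.message_bits()
    # Bandwidth delays (A.4)/(A.10): shortest at B_max, longest at B_min.
    d_min = bits / nw.b_max + nw.ctrl[0] + 2 * nw.req[0] + 2 * nw.net[0]
    d_max = bits / nw.b_min + nw.ctrl[1] + 2 * nw.req[1] + 2 * nw.net[1]
    return d_min, d_max


def discrete_delay(delta, tau):
    """N_k = ceil(Delta_k / tau): loop delay in sampling intervals."""
    return math.ceil(delta / tau)


def hold_schedule(delays, controls, u0, tau, bounds):
    """Map realized delays Delta_1, Delta_2, ... and controls v_1, v_2, ...
    to the sending instants M_k and the ZoH input sequence u~_s."""
    d_min, d_max = bounds
    M = [0]  # M_1 = 0
    for k, d in enumerate(delays, start=1):
        if not d_min <= d <= d_max:
            raise ValueError(f"Delta_{k} = {d} is outside [{d_min}, {d_max}]")
        M.append(M[-1] + discrete_delay(d, tau))  # M_{k+1} = M_k + N_k
    if len(controls) >= len(delays):
        raise ValueError("v_k is held until M_{k+2}: one more delay than controls is needed")
    u = [u0] * M[len(controls) + 1]  # the reference input u~_0 is held until v_1 arrives
    for j, v in enumerate(controls):          # controls[j] is v_{j+1}
        for s in range(M[j + 1], M[j + 2]):   # v_k is held for M_{k+1} <= s < M_{k+2}
            u[s] = v
    return M, u


# Constructed parameters (not taken from the paper).
PC = Branch(n_symbols=1000, overhead=F(1, 2))  # 10 data bits -> 15 bits sent
CP = Branch(n_symbols=9, overhead=F(1, 2))     # 4 data bits  -> 6 bits sent
NW = Network(b_min=1000, b_max=2000,
             req=(F("0.005"), F("0.02")),
             net=(F("0.01"), F("0.05")),
             ctrl=(F("0.01"), F("0.02")))
TAU = F("0.05")

if __name__ == "__main__":
    bounds = nominal_delay_bounds(PC, CP, NW)
    print("delay bounds [s]:", [float(b) for b in bounds])
    print("N_k range:", [discrete_delay(b, TAU) for b in bounds])
    M, u = hold_schedule([F("0.06"), F("0.181"), F("0.1")], ["v1", "v2"], "u0", TAU, bounds)
    print("M_k:", M)
    print("ZoH input sequence:", u)
```
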
Under Assumption (A.6) and following the so-called emulation approach, reformulating packet dropouts in terms of additional delays, see e.g. [2], it is readily seen that iteration $k$ introduces a time-varying delay $\Delta_k \in [\Delta_{\min}, \Delta_{\max}]$, with $\Delta_{\min} = \bar\Delta_{\min}$ and $\Delta_{\max} = (1 + N_{pd})\bar\Delta_{\max}$, where $N_{pd}$ is the maximum number of subsequent packet dropouts. From the previous assumptions, we conclude that iteration $k$ introduces a discrete delay of $N_k \in [N_{\min}; N_{\max}]$ sampling intervals, where the bounds are given by:

\[
N_{\min} = \left\lceil \frac{\Delta_{\min}}{\tau} \right\rceil, \qquad N_{\max} = \left\lceil \frac{\Delta_{\max}}{\tau} \right\rceil. \tag{3}
\]

The semantics of the NCS described above is formally specified by the following equations:

\[
\Sigma: \begin{cases}
\text{Iteration delay:} & N_k = \lceil \Delta_k / \tau \rceil, \quad k \in \mathbb{N}, \\
\text{Sampling/holding time sequence:} & M_{k+1} = M_k + N_k, \quad k \in \mathbb{N}, \qquad M_1 = 0, \\
\text{Input sequence:} & \tilde u_s = \begin{cases} v_{k-1}, & s \ge N_1 \wedge s \in [M_k; M_{k+1}[, \\ \tilde u_0, & \text{otherwise}, \end{cases} \\
\text{ZoH:} & u(t) = \sum_{s=0}^{\infty} \tilde u_s \mathbf{1}_{[s\tau,(s+1)\tau[}(t), \quad t \in \mathbb{R}_0^+, \qquad u(0) = \tilde u_0, \\
\text{Plant:} & \dot x(t) = f(x(t), u(t)), \quad t \in \mathbb{R}_0^+, \qquad x(0) = x_0, \\
\text{Sensor:} & \tilde y_s = x(s\tau, x_0, u), \quad s \in \mathbb{N}_0, \\
\text{Quantizer:} & y_s = [\tilde y_s]_{\mu_X}, \quad s \in \mathbb{N}_0, \\
\text{Switch:} & w_k = y_s, \quad s = M_k, \ k \in \mathbb{N}, \\
\text{Controller:} & \xi_{k+1} \in f_C(\xi_k, w_k), \quad v_k = h_C(\xi_k, w_k), \quad k \in \mathbb{N}.
\end{cases}
\tag{4}
\]

Due to possible different realizations of non-idealities, the model of NCS considered is non-deterministic. In the sequel we refer to the above NCS as $\Sigma$. Note that the definition of NCS given in this section allows taking into account different scheduling protocols and communication constraints: any protocol or set of protocols satisfying Assumptions (A.2)-(A.5), (A.6) and (A.8)-(A.11) can be used. For example, communication protocols designed for safety-critical control systems, such as Controller Area Network (CAN) [47] and Time Triggered Protocol (TTP) [48] used in vehicular and industrial applications, satisfy the assumptions above.

4 Symbolic Models for NCS

In this section we propose symbolic models that approximate NCS with arbitrarily good accuracy.
The approximation scheme employed is based on the notions of alternating approximate simulation and bisimulation [38] that are formally recalled in the Appendix. In Subsection 4.1, we provide a representation of NCS in terms of systems [21]; this first step is instrumental in deriving symbolic models. In Subsection 4.2, we propose symbolic models that approximate NCS with plant $P$ admitting incremental forward complete Lyapunov functions, in the sense of alternating approximate simulation; finally, in Subsection 4.3 we show that the proposed symbolic models approximate the NCS in the sense of alternating approximate bisimulation when the plant $P$ enjoys the property of incremental stability.

4.1 NCS as systems

NCS are characterized by heterogeneous dynamics; while the plant is described by a differential equation, the controller can be easily represented as a finite state automaton. In order to deal with this heterogeneity, we use the notion of systems as a unified mathematical framework to describe control systems as well as symbolic controllers.

Definition 1 [21] A system is a sextuple $S = (X, X_0, U, \longrightarrow, Y, H)$ consisting of a set of states $X$, a set of initial states $X_0 \subseteq X$, a set of inputs $U$, a transition relation $\longrightarrow \subseteq X \times U \times X$, a set of outputs $Y$ and an output function $H : X \to Y$. A transition $(x, u, x') \in \longrightarrow$ of $S$ is denoted by $x \xrightarrow{u} x'$. For such a transition, state $x'$ is called a $u$-successor or simply a successor of state $x$. We denote by $\mathrm{Post}_u(x)$ the set of $u$-successors of a state $x$ and by $U(x)$ the set of inputs $u \in U$ for which $\mathrm{Post}_u(x)$ is nonempty. System $S$ is said to be symbolic (or finite), if $X$ and $U$ are finite sets; metric, if the output set $Y$ is equipped with a metric $d : Y \times Y \to \mathbb{R}_0^+$; deterministic, if for any $x \in X$ and $u \in U$ there exists at most one state $x' \in X$ such that $x \xrightarrow{u} x'$ for some $u \in U$; non-blocking, if $U(x) \ne \emptyset$ for any $x \in X$.

The evolution of systems is captured by the notions of state and output runs.
A state run of $S$ is a (possibly infinite) sequence $\{x_i\}_{i \in \mathbb{N}_0}$ such that for any $i \in \mathbb{N}_0$ there exists $u_i \in U$ for which $x_i \xrightarrow{u_i} x_{i+1}$. An output run is a (possibly infinite) sequence $\{y_i\}_{i \in \mathbb{N}_0}$ such that there exists a state run $\{x_i\}_{i \in \mathbb{N}_0}$ with $y_i = H(x_i)$ for any $i \in \mathbb{N}_0$.

In order to give a representation of NCS in terms of systems, we first need to provide an equivalent formulation of NCS. We start by defining a sequence of discrete time-varying delays $\{R_s\}_{s \in \mathbb{N}_0}$, where $R_s = N_k$ for all $s \in \mathbb{N}_0$ satisfying $M_k \le s < M_{k+1}$. This sequence takes into account all delays introduced by the computing unit and the communication channel in the NCS $\Sigma$. Given the NCS $\Sigma$, define the system $\Sigma_d$, which includes a single delay block taking into account all the delays in the NCS $\Sigma$, in particular the delay $\Delta_k^{\mathrm{net,pc}}$ (before the symbolic controller block) and the delay $\Delta_k^{\mathrm{net,cp}}$ (after the symbolic controller block) in Fig. 1. System $\Sigma_d$ is depicted in Fig. 2 and its semantics is formally specified by the following equations:

\[
\Sigma_d: \begin{cases}
\bar\Sigma_d: \begin{cases}
\text{Iteration delay:} & N_k \in [N_{\min}; N_{\max}], \quad k \in \mathbb{N}, \\
\text{Sampling/holding time sequence:} & M_{k+1} = M_k + N_k, \quad k \in \mathbb{N}, \qquad M_1 = 0, \\
\text{Switch:} & \tilde v_s = v_k, \quad s \in [M_k; M_{k+1}[, \\
\text{Discrete delay block:} & R_s = N_k, \quad s \in [M_k; M_{k+1}[, \\
\text{Delayed input:} & \tilde u_s = \begin{cases} \tilde v_{s - R_s}, & s \ge N_1, \\ \tilde u_0, & \text{otherwise}, \end{cases} \\
\text{Sampled-data control system:} & P_d: \begin{cases} z_{s+1} = \bar f(z_s, \tilde u_s), \\ \tilde y_s = z_s, \end{cases} \quad s \in \mathbb{N}_0,
\end{cases} \\
\text{Quantizer:} \quad y_s = [\tilde y_s]_{\mu_X}, \quad s \in \mathbb{N}_0, \\
\text{Switch:} \quad w_k = y_s, \quad s = M_k, \ k \in \mathbb{N}, \\
\text{Controller:} \quad \xi_{k+1} \in f_C(\xi_k, w_k), \quad v_k = h_C(\xi_k, w_k), \quad k \in \mathbb{N}.
\end{cases}
\tag{5}
\]

In equations (5), we abstracted the interconnection of blocks ZoH, Plant and Sensor into a nonlinear sampled-data control system $P_d$ which is the time discretization of the plant $P$ with sampling time $\tau$, namely $z_{s+1} = \bar f(z_s, \tilde u_s) := x(\tau, z_s, \tilde u_s)$ for all $s \in \mathbb{N}_0$.
A sequence $\{z_s\}_{s \in \mathbb{N}_0}$ is called a trajectory of the sampled-data control system $P_d$ if it satisfies the above equation for some $\tilde u_s$, for all $s \in \mathbb{N}_0$. Note that, since the symbolic controller $C$ in (2) is event-driven and not time-varying, and the discrete delay block in (5) introduces a cumulative delay equal to the iteration delay $N_k$ in $\Sigma$, the sequence of inputs $\{\tilde u_s\}_{s \in \mathbb{N}_0}$ turns out to be the same in (4) and (5). As a consequence, for any initial condition and controller given, the corresponding sequences of states measured at the sensors of systems $\Sigma$ and $\Sigma_d$ coincide. We now have all the ingredients to provide a system representation of the control system $\bar\Sigma_d$ in (5). To this purpose, we preliminarily define:

\[
X_e = \bigcup_{N \in [N_{\min}; N_{\max}]} X^N.
\]

Definition 2 Given $\bar\Sigma_d$, define the system $S(\bar\Sigma_d) = (X_\tau, X_{0,\tau}, U, \xrightarrow[\tau]{}, Y_\tau, H_\tau)$, where

• $X_\tau = (X_0 \times U) \cup \{(x_1, \dots, x_N, \bar u) \in X_e \times U : \exists u \in U \text{ s.t. } x_{i+1} = \bar f(x_i, u) \ \forall i \in [1; N-1]\}$,

• $X_{0,\tau} = X_0 \times U$,

• $x^1 = (x^1_1, x^1_2, \dots, x^1_{N_1}, \bar u^1) \xrightarrow[\tau]{u} x^2 = (x^2_1, x^2_2, \dots, x^2_{N_2}, \bar u^2)$, if $\bar u^2 = u$ and

\[
x^2_{i+1} = \begin{cases}
\bar f(x^1_{N_1}, \bar u^1), & \text{if } i = 0, \\
\bar f(x^2_i, \bar u^1), & \text{if } i \in [1; N_2 - 1],
\end{cases}
\tag{6}
\]

• $Y_\tau = X_0 \cup X_e$ and $H_\tau(x_1, x_2, \dots, x_N, \bar u) = (x_1, x_2, \dots, x_N)$, for all $(x_1, x_2, \dots, x_N, \bar u) \in X_\tau$.

[Figure 2: Illustration of $\Sigma_d$, which is formally described by the equations in (5). The sequence $\{\tilde y_s\}_{s \in \mathbb{N}_0}$ includes all output samples of the sampled-data control system $P_d$. At each iteration $k$, the quantized output $w_k = y_s = [\tilde y_s]_{\mu_X}$ for $s = M_k$ reaches the controller and a control input value $v_k$ is computed. Block Delay takes into account the total delay $N_k$ of the NCS loop at iteration $k$, after which the control input $v_k$ reaches $P_d$.]

Note that $S(\bar\Sigma_d)$ is non-deterministic because, depending on the values of $N_2$ in the transition relation, more than one $u$-successor of $x^1$ may exist.
System $S(\bar\Sigma_d)$ can be regarded as a metric system with the metric $d_{Y_\tau}$ on $Y_\tau$ naturally induced by the metric $d_X(x_1, x_2) = \|x_1 - x_2\|$ on $X$, as follows. Given any $x^i = (x^i_1, x^i_2, \dots, x^i_{N_i}, \bar u^i)$, $i = 1, 2$, we set $d_{Y_\tau}(x^1, x^2) = \max_{i \in [1;N]} \|x^1_i - x^2_i\|$ if $N_1 = N_2 = N$, and $d_{Y_\tau}(x^1, x^2) = +\infty$, otherwise. Since the state vectors of $S(\bar\Sigma_d)$ are built from the trajectories of $P_d$ in $\bar\Sigma_d$, it is readily seen that:

Theorem 1 For any trajectory $\{z_s\}_{s \in \mathbb{N}_0}$ of the sampled-data control system $P_d$ in $\bar\Sigma_d$, there exists a state run

\[
\underbrace{(x_0, \tilde u_0)}_{x^0} \xrightarrow{u_1} \underbrace{(\bar x^1, u_1)}_{x^1} \xrightarrow{u_2} \underbrace{(\bar x^2, u_2)}_{x^2} \xrightarrow{u_3} \dots
\tag{7}
\]

of $S(\bar\Sigma_d)$ such that:

\[
\{x_0, \underbrace{\bar x^1_1, \dots, \bar x^1_{N_1}}_{\bar x^1}, \underbrace{\bar x^2_1, \dots, \bar x^2_{N_2}}_{\bar x^2}, \dots\} = \{z_s\}_{s \in \mathbb{N}_0}.
\tag{8}
\]

Conversely, for any state run (7) of $S(\bar\Sigma_d)$, there exists a trajectory $\{z_s\}_{s \in \mathbb{N}_0}$ of the sampled-data control system $P_d$ in $\bar\Sigma_d$ such that (8) holds.

Proof 1 The proof of the above result follows directly from equations (5), defining $P_d$ and $\bar\Sigma_d$, and from Definition 2 of $S(\bar\Sigma_d)$.

Although system $S(\bar\Sigma_d)$ contains all the information of the NCS available at the sensor, it is not a finite model. Hence, in the following subsections, we illustrate the construction of finite systems approximating $S(\bar\Sigma_d)$.

4.2 Symbolic models for possibly unstable NCS

In this section we propose symbolic models that approximate possibly unstable NCS in the sense of alternating approximate simulation, whose definition is formally recalled in the Appendix. Our results rely on the assumption of existence of an incremental forward complete (δ-FC) Lyapunov function for the plant control system of the NCS. More formally:

Definition 3 [37] A smooth function $V : X \times X \to \mathbb{R}_0^+$ is a δ-FC Lyapunov function for the plant control system of the NCS if there exist a real $\lambda \in \mathbb{R}$ and $\mathcal{K}_\infty$ functions $\underline{\alpha}$ and $\overline{\alpha}$ such that, for any $x_1, x_2 \in X$ and any $u \in U$, the following conditions hold:

(i) $\underline{\alpha}(\|x_1 - x_2\|) \le V(x_1, x_2) \le \overline{\alpha}(\|x_1 - x_2\|)$,

(ii) $\frac{\partial V}{\partial x_1} f(x_1, u) + \frac{\partial V}{\partial x_2} f(x_2, u) \le \lambda V(x_1, x_2)$.
In [37] it was shown that existence of δ-FC Lyapunov functions for a nonlinear control system is a sufficient condition for the control system to enjoy the so-called incremental forward completeness property. This notion requires that the distance between two arbitrary trajectories of a control system is bounded by a continuous function capturing the mismatch between initial conditions. The class of δ-FC control systems is rather large and includes also some subclasses of unstable control systems; for instance, unstable linear systems are δ-FC. The interested reader can refer to [37] for further details on this notion.

In the following, we suppose the existence of a δ-FC Lyapunov function $V$ for the control system $P$ in the NCS $\Sigma$. Moreover, let $\gamma$ be a $\mathcal{K}_\infty$ function$^1$ such that $V(x,x')-V(x,x'')\le\gamma(\|x'-x''\|)$, for every $x,x',x''\in X$. We assume that $V$ is symmetric, i.e. $V(x_1,x_2)=V(x_2,x_1)$ for all $x_1,x_2\in X$. This assumption can be given without loss of generality because for any δ-FC Lyapunov function $V: X\times X\to\mathbb{R}^+_0$, the function $\bar V: X\times X\to\mathbb{R}^+_0$ defined by $\bar V(x_1,x_2)=V(x_1,x_2)+V(x_2,x_1)$, for all $x_1,x_2\in X$, is a δ-FC Lyapunov function and also symmetric.

$^1$ Since $V$ is smooth and $X$ is bounded, one can always choose $\gamma(\|w-z\|)=\sup_{x,y\in X}\left\|\frac{\partial V}{\partial y}(x,y)\right\|\,\|w-z\|$.

We are now ready to introduce symbolic models approximating NCS. Given a design parameter $\eta\in\mathbb{R}^+$, define the system $S_*(\bar\Sigma_d):=(X_*,X_{0,*},U,\xrightarrow[*]{},Y_*,H_*)$, where $X_*=([X_0]_{\mu_X}\times U)\cup\{(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)\in[X_e]_{\mu_X}\times U : \exists u_*\in U \text{ s.t. } V(\bar f(x^*_i,u_*),x^*_{i+1})\le e^{\lambda\tau}\underline\alpha(\eta)+\gamma(\mu_X),\ \forall i\in[1;N-1]\}$; $X_{0,*}=[X_0]_{\mu_X}\times U$; $x^1=(x^1_1,x^1_2,\ldots,x^1_{N_1},\bar u^1_*)\xrightarrow[*]{u_*}x^2=(x^2_1,x^2_2,\ldots,x^2_{N_2},\bar u^2_*)$ if $\bar u^2_*=u_*$ and

$$\begin{cases}V(\bar f(x^1_{N_1},\bar u^1_*),x^2_1)\le e^{\lambda\tau}\underline\alpha(\eta)+\gamma(\mu_X),\\ V(\bar f(x^2_i,\bar u^1_*),x^2_{i+1})\le e^{\lambda\tau}\underline\alpha(\eta)+\gamma(\mu_X), & i\in[1;N_2-1];\end{cases}\tag{9}$$

$Y_*=Y_\tau$, and $H_*(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)=(x^*_1,x^*_2,\ldots,x^*_N)$, for all $(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)\in X_*$.
Remark 1 The size of the set of states $X_*$ scales exponentially with the bound $N_{\max}$ of the time delay and, when $N_{\max}$ is large, this can be problematic from the space complexity point of view. The motivation in the present formulation of $X_*$ is that it makes the formal comparison between $S_*(\bar\Sigma_d)$ and $S(\bar\Sigma_d)$ easier, as we shall show in the sequel. However, for computational purposes, it is possible to give a more succinct representation of $X_*$ by mapping any state $x^*=(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)$ into $(x^*_1,x^*_N,N,\bar u_*)$, where the intermediate components of the aggregate vector $x^*$ are not stored, in order to save memory; when $N_{\max}$ is large, this representation of states drastically reduces the space complexity, if compared with the formulation of $X_*$ in $S_*(\bar\Sigma_d)$.

Since the set $X$ is bounded, the set $[X]_{\mu_X}$ is finite, from which system $S_*(\bar\Sigma_d)$ is symbolic. Furthermore, it is metric when we regard the set $Y_*$ as being equipped with the metric $d_{Y_\tau}$. We can now present the following result that identifies in the existence of incremental forward complete Lyapunov functions a sufficient condition for the symbolic model $S_*(\bar\Sigma_d)$ to approximate $S(\bar\Sigma_d)$ in the sense of alternating approximate simulation$^2$ with (any desired) accuracy $\varepsilon$, i.e. $S_*(\bar\Sigma_d)\preceq^{\mathrm{alt}}_{\varepsilon}S(\bar\Sigma_d)$.

Theorem 2 Consider $\bar\Sigma_d$ and suppose that there exists a δ-FC Lyapunov function $V$ for the control system $P$ in the NCS $\Sigma$. Then for any desired precision $\varepsilon\in\mathbb{R}^+$, any sampling time $\tau\in\mathbb{R}^+$, any state quantization $\mu_X\in\mathbb{R}^+$ and any choice of the design parameter $\eta\in\mathbb{R}^+$ satisfying the inequality:

$$\mu_X<\min\{\hat\mu_X,\overline\alpha^{-1}(\underline\alpha(\varepsilon))\}\le\varepsilon=\eta,\tag{10}$$

we have $S_*(\bar\Sigma_d)\preceq^{\mathrm{alt}}_{\varepsilon}S(\bar\Sigma_d)$.

Proof 2 Consider the relation $R\subseteq X_*\times X_\tau$ defined by $(x^*,x)\in R$ if and only if $x^*=(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)$, $x=(x_1,x_2,\ldots,x_N,\bar u)$, for some $N$, $V(x^*_i,x_i)\le\underline\alpha(\varepsilon)$ for all $i\in[1;N]$, and $\bar u_*=\bar u$. We first prove condition (i) of Definition 5 in the Appendix.
For any $x^*=(x^*_0,\bar u_*)\in X_{0,*}$, choose $x=(x_0,\bar u)\in X_{0,\tau}$, with $x_0=x^*_0$ and $\bar u=\bar u_*$, which implies that $\|x^*_0-x_0\|=0\le\mu_X$. Hence, from condition (i) in Definition 3 and the inequality in (10) one gets:

$$V(x^*_0,x_0)\le\overline\alpha(\mu_X)\le\overline\alpha(\overline\alpha^{-1}(\underline\alpha(\varepsilon)))=\underline\alpha(\varepsilon),\tag{11}$$

which concludes the proof of condition (i).

$^2$ For ease of notation in the sequel we refer to an alternating approximate simulation with accuracy $\varepsilon$ by AεA simulation.

We now consider condition (ii) of Definition 5. For any $(x^*,x)\in R$, from the definition of the metric $d_{Y_\tau}$, the definition of $R$ and condition (i) in Definition 3, one can write $d_{Y_\tau}(x^*,x)=\max_i\|x^*_i-x_i\|\le\max_i\underline\alpha^{-1}(V(x^*_i,x_i))\le\underline\alpha^{-1}(\underline\alpha(\varepsilon))=\varepsilon$.

We now show that condition (iii′) in Definition 5 holds. Consider any $(x^*,x)\in R$, with $x^*=(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)$ and $x=(x_1,x_2,\ldots,x_N,\bar u)$; then pick any $u=u_*\in U$ and consider any transition $x\xrightarrow[\tau]{u}\bar x$, with $\bar x=(\bar x_1,\bar x_2,\ldots,\bar x_{\bar N},u)$, for some $\bar N$. Pick $\bar x^*=(\bar x^*_1,\bar x^*_2,\ldots,\bar x^*_{\bar N},u_*)$ defined by $\bar x^*_i=[\bar x_i]_{\mu_X}$ for all $i\in[1;\bar N]$. We now prove that $x^*\xrightarrow[*]{u_*}\bar x^*$ is a transition of $S_*(\bar\Sigma_d)$. First, from condition (i) in Definition 3, the definition of $\bar x$ and the first inequality in (10), one can write:

$$V(\bar x^*_i,\bar x_i)\le\overline\alpha(\mu_X)\le\overline\alpha(\overline\alpha^{-1}(\underline\alpha(\varepsilon)))=\underline\alpha(\varepsilon)\tag{12}$$

for all $i\in[1;\bar N]$. By using condition (ii) in Definition 3, one has:

$$\frac{\partial V}{\partial x^*_N}f(x^*_N,\bar u_*)+\frac{\partial V}{\partial x_N}f(x_N,\bar u)\le\lambda V(x^*_N,x_N).$$

By the definitions of $\gamma$, $R$ and $S(\bar\Sigma_d)$, and by integrating the previous inequality, the following holds:

$$\begin{aligned}V(\bar f(x^*_N,\bar u_*),\bar x^*_1)&\le V(\bar f(x^*_N,\bar u_*),\bar x_1)+\gamma(\|\bar x_1-\bar x^*_1\|)\\&\le e^{\lambda\tau}V(x^*_N,x_N)+\gamma(\|\bar x_1-\bar x^*_1\|)\\&\le e^{\lambda\tau}\underline\alpha(\varepsilon)+\gamma(\mu_X)=e^{\lambda\tau}\underline\alpha(\eta)+\gamma(\mu_X),\end{aligned}\tag{13}$$

where condition $\varepsilon=\eta$ in (10) has been used in the last step. By similar computations, it is possible to prove that the inequality in (12) implies:

$$V(\bar f(\bar x^*_i,\bar u_*),\bar x^*_{i+1})\le e^{\lambda\tau}\underline\alpha(\eta)+\gamma(\mu_X),\quad i\in[1;\bar N-1].\tag{14}$$

Hence, from the inequalities in (13)–(14) and from the definition of the transition relation of $S_*(\bar\Sigma_d)$ in (9), the transition $x^*\xrightarrow[*]{u_*}\bar x^*$ is in $S_*(\bar\Sigma_d)$, implying with (12) that $(\bar x^*,\bar x)\in R$, which concludes the proof.

Remark 2 In some practical case studies, the accuracy $\mu_X$ of the quantizer may not be chosen arbitrarily small as requested in condition (10). If a lower bound $\mu_{X,\min}$ to the accuracy of the quantizer is given, the attainable accuracy $\varepsilon$ in the above result is lower bounded by $\varepsilon_{\min}=\underline\alpha^{-1}(\overline\alpha(\mu_{X,\min}))$.

The result given above is important because it provides symbolic models that approximate possibly unstable nonlinear NCS with arbitrarily good accuracy. However, since the relationship between $S(\bar\Sigma_d)$ and $S_*(\bar\Sigma_d)$ is given in terms of alternating approximate simulation, if a symbolic controller, designed on the basis of $S_*(\bar\Sigma_d)$ for enforcing a given specification, fails to exist, there is no guarantee that a controller, enforcing the same specification, does not exist for the original NCS model. When alternating approximate simulation is replaced by alternating approximate bisimulation, the above drawback is overcome. In the following subsection, we derive sufficient conditions under which alternatingly approximately bisimilar symbolic models can be constructed.

4.3 Symbolic models for incrementally stable NCS

In this section we suppose the existence of a symmetric δ-FC Lyapunov function for the control system $P$, which satisfies the inequality (ii) in Definition 3 for some $\lambda<0$. This corresponds to the incremental global asymptotic stability (δ-GAS) of the control system $P$. Incremental global asymptotic stability requires that trajectories of a control system with different initial conditions but same control input converge to each other as time goes to infinity. The interested reader is referred to [49] for further details on this stability notion.
Under this assumption, we propose a modification of the construction of the symbolic model given in Section 4.2, resulting in the following system $S_*(\bar\Sigma_d):=(X_*,X_{0,*},U,\xrightarrow[*]{},Y_*,H_*)$, where $X_*=([X_0]_{\mu_X}\times U)\cup\{(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)\in[X_e]_{\mu_X}\times U : \exists u_*\in U \text{ s.t. } x^*_{i+1}=[\bar f(x^*_i,u_*)]_{\mu_X}\ \forall i\in[1;N-1]\}$, $X_{0,*}=[X_0]_{\mu_X}\times U$, $x^1=(x^1_1,x^1_2,\ldots,x^1_{N_1},\bar u^1_*)\xrightarrow[*]{u_*}x^2=(x^2_1,x^2_2,\ldots,x^2_{N_2},\bar u^2_*)$ if $\bar u^2_*=u_*$ and

$$\begin{cases}x^2_1=[\bar f(x^1_{N_1},\bar u^1_*)]_{\mu_X},\\ x^2_{i+1}=[\bar f(x^2_i,\bar u^1_*)]_{\mu_X}, & i\in[1;N_2-1],\end{cases}\tag{15}$$

$Y_*=Y_\tau$, and $H_*(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)=(x^*_1,x^*_2,\ldots,x^*_N)$, for all $(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)\in X_*$. Note that the design parameter $\eta$ plays no role in the modified symbolic model. We can now give the following result.

Theorem 3 Consider the NCS $\Sigma$ and suppose that there exists a symmetric δ-FC Lyapunov function for the control system $P$ in the NCS $\Sigma$ satisfying the inequality (ii) in Definition 3 for some $\lambda<0$. Then for any desired precision $\varepsilon\in\mathbb{R}^+$, any sampling time $\tau\in\mathbb{R}^+$ and any state quantization $\mu_X$ satisfying the following inequality:

$$\mu_X\le\min\left\{\gamma^{-1}\left(\left(1-e^{\lambda\tau}\right)\underline\alpha(\varepsilon)\right),\ \overline\alpha^{-1}(\underline\alpha(\varepsilon)),\ \hat\mu_X\right\},\tag{16}$$

systems $S_*(\bar\Sigma_d)$ and $S(\bar\Sigma_d)$ are alternatingly approximately bisimilar with accuracy$^3$ $\varepsilon$.

$^3$ For ease of notation in the sequel we refer to an alternating approximate (bi)simulation with accuracy $\varepsilon$ by AεA (bi)simulation and to alternatingly approximately bisimilar systems with accuracy $\varepsilon$ by AεA-bisimilar systems.

Proof 3 Consider the relation (already used in the proof of Theorem 2) $R\subseteq X_*\times X_\tau$ defined by $(x^*,x)\in R$ if and only if $x^*=(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)$, $x=(x_1,x_2,\ldots,x_N,\bar u)$, for some $N$, $V(x^*_i,x_i)\le\underline\alpha(\varepsilon)$ for all $i\in[1;N]$, and $\bar u_*=\bar u$. The proof of conditions (i)-(ii) of Definition 5 in the Appendix is the same as the one given in the proof of Theorem 2, since it is not affected by the modifications on the symbolic model $S_*(\bar\Sigma_d)$.

Next we show that condition (iii′) in Definition 5 holds. Consider any $(x^*,x)\in R$, with $x^*=(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)$, $x=(x_1,x_2,\ldots,x_N,\bar u)$; then pick any $u=u_*\in U$ and consider any transition $x\xrightarrow[\tau]{u}\bar x$, with $\bar x=(\bar x_1,\bar x_2,\ldots,\bar x_{\bar N},u)$, for some $\bar N$. Now pick the transition $x^*\xrightarrow[*]{u_*}\bar x^*$, with $\bar x^*=(\bar x^*_1,\bar x^*_2,\ldots,\bar x^*_{\bar N},u_*)$, and define the state $\tilde x^*_1:=\bar f(x^*_N,\bar u_*)$. By using condition (ii) in Definition 3, one gets:

$$\frac{\partial V}{\partial x^*_N}f(x^*_N,\bar u_*)+\frac{\partial V}{\partial x_N}f(x_N,\bar u)\le\lambda V(x^*_N,x_N).\tag{17}$$

By the symmetry property of $V$, the definitions of $\gamma$, $R$, $S(\bar\Sigma_d)$ and $S_*(\bar\Sigma_d)$, and by integrating the previous inequality, the following holds:

$$\begin{aligned}V(\bar x^*_1,\bar x_1)&\le V(\tilde x^*_1,\bar x_1)+\gamma(\|\tilde x^*_1-\bar x^*_1\|)\\&\le e^{\lambda\tau}V(x^*_N,x_N)+\gamma(\|\tilde x^*_1-\bar x^*_1\|)\\&\le e^{\lambda\tau}\underline\alpha(\varepsilon)+\gamma(\mu_X)\le\underline\alpha(\varepsilon),\end{aligned}\tag{18}$$

where condition (16) has been used in the last step. By similar computations, it is possible to prove by induction that $V(\bar x^*_i,\bar x_i)\le\underline\alpha(\varepsilon)$ implies $V(\bar x^*_{i+1},\bar x_{i+1})\le\underline\alpha(\varepsilon)$, for any $i\in[1;\bar N-1]$. Hence the inequality $V(\bar x^*_i,\bar x_i)\le\underline\alpha(\varepsilon)$ has been proven for any $i\in[1;\bar N]$, implying $(\bar x^*,\bar x)\in R$, which concludes the proof of condition (iii′) of Definition 5.

We complete the proof by showing that the conditions (i), (ii) and (iii′) of Definition 5 hold for the relation $R^{-1}$. We first prove condition (i) of Definition 5. For any $x=(x_0,\bar u)\in X_{0,\tau}$, choose $x^*=(x^*_0,\bar u_*)\in X_{0,*}$, with $x^*_0=[x_0]_{\mu_X}$ and $\bar u_*=\bar u$, which implies that $\|x_0-x^*_0\|\le\mu_X$. Hence the inequality in (11) holds, which concludes the proof of condition (i). The proof of condition (ii) of Definition 5 for the relation $R^{-1}$ is the same as the one for the relation $R$ and is not reported. Next we show that condition (iii′) in Definition 5 holds for $R^{-1}$. Consider any $(x,x^*)\in R^{-1}$, with $x=(x_1,x_2,\ldots,x_N,\bar u)$, $x^*=(x^*_1,x^*_2,\ldots,x^*_N,\bar u_*)$; then pick any $u=u_*\in U$ and consider any transition $x^*\xrightarrow[*]{u_*}\bar x^*$, with $\bar x^*=(\bar x^*_1,\bar x^*_2,\ldots,\bar x^*_{\bar N},u_*)$, for some $\bar N$. Now pick the transition $x\xrightarrow[\tau]{u}\bar x$, with $\bar x=(\bar x_1,\bar x_2,\ldots,\bar x_{\bar N},u)$, and define the state $\tilde x^*_1:=\bar f(x^*_N,\bar u_*)$. After that, it is possible to rewrite exactly the same steps as in the proof of condition (iii′) for $R$, in particular (18), implying that $V(\bar x^*_i,\bar x_i)\le\underline\alpha(\varepsilon)$ for any $i\in[1;\bar N]$; as a consequence $(\bar x^*,\bar x)\in R$, hence one gets $(\bar x,\bar x^*)\in R^{-1}$, concluding the proof.

The above theorem provides stronger results than Theorem 2 (AεA bisimulation vs. AεA simulation) at the expense of stronger assumptions (δ-GAS vs. existence of δ-FC Lyapunov functions).

Remark 3 By Proposition 3.4 of [49], for control systems with compact state space, incremental global asymptotic stability (δ-GAS) and global asymptotic stability (GAS) are equivalent notions. Moreover in [49] it is shown that the existence of a δ-GAS Lyapunov function is equivalent to the GAS property. For this reason, the assumption of existence of a δ-GAS Lyapunov function in Theorem 3 can be replaced by the GAS property. However, since at present there are no constructive results available in the literature to derive a δ-GAS Lyapunov function for a GAS control system (as requested in the statement of Theorem 3 and in the definition of the symbolic model $S_*(\bar\Sigma_d)$), when the assumptions of Theorem 3 are replaced by the GAS property, the result obtained is only of existential nature.

5 NCS Symbolic Control Design

In this section, we address NCS symbolic control design with specifications expressed in terms of non-deterministic transition systems. We consider a control design problem where the NCS $\Sigma$ has to satisfy a given specification $Q$ while being robust with respect to the non-idealities of the communication network. Our specification $Q$ is expressed in terms of a collection of transitions $\xrightarrow[Q]{}\subseteq X_Q\times X_Q$, where $X_Q$ is a finite subset of $X$, and a set of initial states $X^0_Q\subseteq X_Q$.
For the forthcoming developments it is convenient to reformulate the specification $Q$ in terms of the following system:

$$S(Q)=(X_q,X^0_Q,U_q,\xrightarrow[q]{},Y_q,H_q),\tag{19}$$

where $X_q=X^0_Q\cup\{x=(x_1,x_2,\ldots,x_N)\in X^N_Q,\ N\in[N_{\min};N_{\max}]\ |\ x_i\xrightarrow[Q]{}x_{i+1},\ i\in[1;N-1]\}$, $U_q=\{u_q\}$, where $u_q$ is a dummy symbol, $x^1\xrightarrow[q]{u_q}x^2$ if $x^1=(x^1_1,x^1_2,\ldots,x^1_{N_1})$, $x^2=(x^2_1,x^2_2,\ldots,x^2_{N_2})$ and $x^1_{N_1}\xrightarrow[Q]{}x^2_1$, $Y_q=Y_\tau$, and $H_q(x)=x$, for all $x\in X_q$. We can now formally state the symbolic control problem considered.

Problem 1 Consider the NCS $\Sigma$, the specification $S(Q)$ in (19) and a desired precision $\varepsilon\in\mathbb{R}^+$. Find a symbolic controller system $S_C$, a parameter $\theta\in\mathbb{R}^+$ and a AθA simulation relation $R$ from $S_C$ to $S(\bar\Sigma_d)$ such that:

(1) the θ-approximate feedback composition of $S(\bar\Sigma_d)$ and $S_C$, denoted $S(\bar\Sigma_d)\times^R_\theta S_C$, is approximately simulated$^4$ by $S(Q)$ with accuracy $\varepsilon$, i.e. $S(\bar\Sigma_d)\times^R_\theta S_C\preceq_\varepsilon S(Q)$;

(2) the system $S(\bar\Sigma_d)\times^R_\theta S_C$ is non-blocking.

The above control design problem is known in the literature as approximate similarity game (see e.g. [21]), where condition (1) requires the state trajectories of the NCS to be close to the state run of the specification $S(Q)$ up to the accuracy $\varepsilon$ irrespective of the particular realization of the network non-idealities, and condition (2) prevents deadlocks in the interaction between the plant and the controller. In Problem 1 we considered a controller in the form of a symbolic system rather than a Mealy machine as in (2). At the end of this section we discuss how to derive a Mealy machine controller $C$ from the controller $S_C$. In order to solve Problem 1, some preliminary definitions and results are needed.

Given two systems $S_i=(X_i,X_{0,i},U_i,\xrightarrow[i]{},Y_i,H_i)$ ($i=1,2$), $S_1$ is a sub-system of $S_2$ if $X_1\subseteq X_2$, $X_{0,1}\subseteq X_{0,2}$, $U_1\subseteq U_2$, $\xrightarrow[1]{}\subseteq\xrightarrow[2]{}$, $Y_1\subseteq Y_2$, and $H_1(x)=H_2(x)$ for any $x\in X_1$.
Given two sub-systems $S_i=(X_i,X_{0,i},U_i,\xrightarrow[i]{},Y_i,H_i)$ ($i=1,2$) of a system $S$, define the union system $S_1\sqcup S_2$ as $(X_1\cup X_2,X_{0,1}\cup X_{0,2},U_1\cup U_2,\xrightarrow[1]{}\cup\xrightarrow[2]{},Y_1\cup Y_2,H)$, where $H(x)=H_1(x)$ if $x\in X_1$ and $H(x)=H_2(x)$ otherwise. Note that $S_1\sqcup S_2$ is a sub-system of $S$. It is easy to see that the union operator enjoys the associative property. We now have all the ingredients to introduce the controller $S^*_C$ that will solve Problem 1.

$^4$ The notions of approximate feedback composition and of approximate simulation are formally recalled in the Appendix.

Definition 4 The symbolic controller $S^*_C$ is the maximal non-blocking sub-system$^5$ $S_C$ of $S_*(\bar\Sigma_d)$ such that:

(1) $S_C$ is approximately simulated by $S(Q)$ with accuracy $\mu_X$, i.e. $S_C\preceq_{\mu_X}S(Q)$;

(2) $S_C$ is alternatingly 0-simulated by $S_*(\bar\Sigma_d)$, i.e. $S_C\preceq^{\mathrm{alt}}_0 S_*(\bar\Sigma_d)$.

$^5$ Here maximality is defined with respect to the preorder induced by the notion of sub-system.

Condition (1) requires that for any state run $r_c$ of $S_C$ there exists a state run $r_q$ in $S(Q)$ such that $r_c$ approximates $r_q$ within the accuracy $\mu_X$. Condition (2) ensures that the controller enforces the specification irrespective of the time-delay realization induced by the communication network. The following result holds.

Proposition 1 The symbolic controller $S^*_C$ is the union of all non-blocking sub-systems $S_C$ of $S_*(\bar\Sigma_d)$ satisfying conditions (1) and (2) of Definition 4.

The proof of the above result is a direct consequence of the definition of the union operator and of Definition 4; it is therefore omitted. Since $S(Q)$ and $S_*(\bar\Sigma_d)$ are symbolic systems, a symbolic (finite) controller $S^*_C$ can be computed in a finite number of steps by adapting standard fixed point characterizations of bisimulation [50, 21]. We are now ready to provide the solution of Problem 1.

Theorem 4 Consider the NCS $\Sigma$ and the specification $S(Q)$. Suppose that there exists a δ-FC Lyapunov function $V$ for the control system $P$ in the NCS $\Sigma$. For any desired precision $\varepsilon\in\mathbb{R}^+$, choose the parameters $\theta,\mu_X,\eta\in\mathbb{R}^+$ such that:

$$\mu_X+\theta\le\varepsilon,\tag{20}$$

$$\mu_X<\min\{\hat\mu_X,\overline\alpha^{-1}(\underline\alpha(\theta))\}\le\theta=\eta.\tag{21}$$

Then a AθA simulation relation $R$ from $S^*_C$ to $S(\bar\Sigma_d)$ exists which solves Problem 1 with $S_C=S^*_C$.

Proof 4 By condition (2) in Definition 4, a (non-empty) A0A simulation relation $R_1$ from $S^*_C$ to $S_*(\bar\Sigma_d)$ exists. Let $R_2$ be a AθA simulation relation from $S_*(\bar\Sigma_d)$ to $S(\bar\Sigma_d)$, which exists by the assumption on existence of a δ-FC Lyapunov function for the plant $P$ of the NCS in view of Theorem 3. Define the relation $R=\{(x_1,x_3)\in X_{C^*}\times X_\tau\ |\ \exists x_2\in X_* \text{ s.t. } (x_1,x_2)\in R_1 \text{ and } (x_2,x_3)\in R_2\}$, where $X_{C^*}$ is the set of states of controller $S^*_C$. By Lemma 1 (ii), $R$ is a AθA simulation relation from $S^*_C$ to $S(\bar\Sigma_d)$. We now prove condition (1) of Problem 1. From condition (2) in Definition 4,

$$S^*_C\preceq^{\mathrm{alt}}_0 S_*(\bar\Sigma_d).\tag{22}$$

Furthermore from Theorem 2, the condition in (21) implies that

$$S_*(\bar\Sigma_d)\preceq^{\mathrm{alt}}_\theta S(\bar\Sigma_d).\tag{23}$$

Hence, from Lemma 1 (ii) in the Appendix, by combining (22) and (23) one gets $S^*_C\preceq^{\mathrm{alt}}_\theta S(\bar\Sigma_d)$ which, by Lemma 1 (iii) implies

$$S(\bar\Sigma_d)\times^R_\theta S^*_C\preceq_\theta S^*_C,\tag{24}$$

since $R$ is a AθA simulation relation from $S^*_C$ to $S(\bar\Sigma_d)$. By condition (1) in Definition 4,

$$S^*_C\preceq_{\mu_X}S(Q).\tag{25}$$

By Lemma 1 (ii) and condition (20) the similarity inclusions in (24) and (25) imply $S(\bar\Sigma_d)\times^R_\theta S^*_C\preceq_\varepsilon S(Q)$, which concludes the proof of condition (1) of Problem 1. We now show that condition (2) holds. Consider any state $(x,x_c)$ of $S(\bar\Sigma_d)\times^R_\theta S^*_C$. Pick any $u_c\in U_c(x_c)$, which is a non-empty set because $S^*_C$ is non-blocking. Since $(x_c,x)\in R$, there exists $u$ such that for any $x\xrightarrow[\tau]{u}x'$ in $S(\bar\Sigma_d)$ there exists $x_c\xrightarrow[c]{u_c}x'_c$ in $S^*_C$ with $(x'_c,x')\in R$. Hence, from Definition 6, the transition $(x,x_c)\xrightarrow{u}(x',x'_c)$ is in $S(\bar\Sigma_d)\times^R_\theta S^*_C$, implying that $S(\bar\Sigma_d)\times^R_\theta S^*_C$ is non-blocking, which concludes the proof of condition (2) in Problem 1.

Remark 4 Note that the choice of $\theta$ and $\mu_X$ is not unique, provided they satisfy the conditions in Theorem 4.
A larger $\theta$ results in a larger AθA simulation relation $R$ from $S^*_C$ to $S(\bar\Sigma_d)$ in the controller; as a consequence, states in the plant can be mapped into states of the controller with a higher approximation, resulting in a less precise control action with respect to the choice of a smaller $\theta$. On the other hand, a smaller $\theta$ forces the choice of a smaller quantization $\mu_X$ in the symbolic controller, according to (21), resulting in a higher space complexity.

We conclude this section by deriving a controller $C^*$ in the form of (2), on the basis of the symbolic controller $S^*_C$. We first note that the controller $S^*_C$ is in general non-deterministic because it is obtained as a sub-system of the non-deterministic symbolic model $S_*(\bar\Sigma_d)$. In particular, multiple sequences of control inputs can solve the specification, even starting from the same initial condition. Since $S^*_C$ is a sub-system of $S_*(\bar\Sigma_d)$, from (9) the transitions of $S^*_C$ are in the form $x^1=(x^1_1,x^1_2,\ldots,x^1_{N_1},\bar u^1_*)\xrightarrow[c]{u_*}x^2=(x^2_1,x^2_2,\ldots,x^2_{N_2},\bar u^2_*)$. Starting from $S^*_C$, we define the controller $C^*$ in (2) by $\Xi=X_*$ and

$$\begin{cases}h_C(\xi,w)\in U(\xi),\\ f_C(\xi,w)=\mathrm{Post}_{h_C(\xi,w)}(\xi),\end{cases}\tag{26}$$

for any $(\xi,w)\in\mathrm{Dom}_C:=\{(\xi,w)=((x^*_1,\ldots,x^*_N,\bar u),w)\in\Xi\times[X]_{\mu_X} : \|x^*_N-w\|\le\theta\}$, where $U(\xi)$ and $\mathrm{Post}_{h_C(\xi,w)}(\xi)$ are defined as in Definition 1 applied to system $S^*_C$. Note from the first line in (26) that the controller $C^*$ derived from a non-deterministic system $S^*_C$ is not uniquely determined, since $U(\xi)$ may not be a singleton. Moreover, the second line in (26) takes into account that $x^*_N$ is the state of the aggregate vector $x^*$ in $\xi$ which is required to match the output sample $w$, sent through the plant-to-controller branch of the network and reaching the controller (as illustrated in Section 3).

6 Application to Robot Motion Planning with Remote Control

In this section, we apply the results derived in the previous sections to an example in the context of robot motion planning with remote control.
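The transition relation (15) and the requirement in Definition 4 that the controller work for every delay realization can be tried on a small case; the following is an added example, not code from the paper. The scalar plant $\dot x=-x+u$, the grid, the input set and the safety specification are assumptions chosen for illustration (safety stands in for the general specification $S(Q)$), and states are stored succinctly as (last sample, held input).

```python
import math

# Assumed toy plant (not from the paper): x' = -x + u, sampled with period TAU.
TAU = 0.2                 # sampling time tau
MU = 0.01                 # state quantization mu_X
INPUTS = (0.0, 1.0)       # finite input set U
A = math.exp(-TAU)

def f_bar(x, u):
    """Exact flow over one sampling period under a constant input u."""
    return A * x + (1.0 - A) * u

def quantize(x):
    """[x]_mu as an integer grid index; the grid point is index * MU."""
    return math.floor(x / MU + 0.5)

def successors(state, u_new, n_min, n_max):
    """Transition relation (15), with states kept as (last sample, held input).

    During the next network iteration the plant still runs under the input
    already held (state[1]); u_new only becomes the held input afterwards.
    One successor exists per delay N in [n_min; n_max]: this is the
    non-determinism that the controller cannot resolve.
    """
    k_last, u_held = state
    out = []
    for n in range(n_min, n_max + 1):
        samples, k = [], k_last
        for _ in range(n):
            k = quantize(f_bar(k * MU, u_held))
            samples.append(k)
        out.append((tuple(samples), (k, u_new)))
    return out

def safe_controller(safe_lo, safe_hi, n_min, n_max):
    """Greatest fixed point: states from which some input keeps every sample
    in [safe_lo, safe_hi] for every delay realization, forever.
    Returns {state: [admissible inputs]}; an empty dict means no controller.
    """
    lo, hi = quantize(safe_lo), quantize(safe_hi)
    win = {(k, u) for k in range(lo, hi + 1) for u in INPUTS}
    while True:
        ctrl = {}
        for s in win:
            ok = [u for u in INPUTS
                  if all(all(lo <= k <= hi for k in samples) and nxt in win
                         for samples, nxt in successors(s, u, n_min, n_max))]
            if ok:
                ctrl[s] = ok
        if len(ctrl) == len(win):      # nothing was pruned: fixed point
            return ctrl
        win = set(ctrl)

if __name__ == "__main__":
    ideal = safe_controller(0.2, 0.8, 1, 1)      # no delay uncertainty
    delayed = safe_controller(0.2, 0.8, 1, 3)    # N in [1; 3]
    print("controllable states:", len(ideal), "ideal,", len(delayed), "delayed")
    print(successors((50, 1.0), 0.0, 1, 3))
```

Widening the delay interval shrinks the set of states from which the safety specification can be enforced, because one input choice must be admissible for all successors at once.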
Symbolic techniques for robot motion planning and control have been greatly exploited in the literature, see e.g. [51] and the references therein. However, existing work does not consider the symbolic control of robot motion over non-ideal communication networks. In this section we exploit the remote control of an electric car-like robot, with limited power, sensing, computation and communication capabilities, whose goal is the surveillance of an area. The motion of the robot $P$ is described by means of the following nonlinear control system:

$$\begin{bmatrix}\dot x_1\\ \dot x_2\\ \dot x_3\end{bmatrix}=\begin{bmatrix}u_1\dfrac{\cos(x_3+\delta(u_2))}{\cos(\delta(u_2))}\\[2mm] u_1\dfrac{\sin(x_3+\delta(u_2))}{\cos(\delta(u_2))}\\[2mm] \dfrac{u_1}{b}\tan(u_2)\end{bmatrix},\tag{27}$$

where $\delta(u_2)=\arctan\left(\dfrac{a\tan(u_2)}{b}\right)$, $a=0.5$ is the distance of the center of mass from the rear axle and $b=1.5$ is the wheel base, see Fig. 3 (top left panel). The state quantities are the 2D-coordinates of the center of mass of the vehicle and its heading angle, while the inputs are the velocity of the rear wheel and the steering angle. Note that $u_1$ is always nonnegative to guarantee that the vehicle does not move backwards. All the quantities are expressed in units of the International System (SI). We suppose that $x\in X=X_0=[-x_{1,\max},x_{1,\max}]\times[-x_{2,\max},x_{2,\max}]\times[-x_{3,\max},x_{3,\max}]$ and $u\in U=[0,u_{1,\max}]\times[-u_{2,\max},u_{2,\max}]$, where $x_{\max}=[x_{1,\max},x_{2,\max},x_{3,\max}]'=[50,50,\pi]'$ and $u_{\max}=[u_{1,\max},u_{2,\max}]'=[5,\frac{\pi}{3}]'$. The model above is known in the literature as single-track vehicle model and is widely used because, in spite of its simplicity, it well captures the major features of interest of the vehicle cornering behavior [52].

The robot $P$ is remotely connected to a controller, implemented on a shared CPU, by means of a non-ideal communication network. The control loop forms a NCS, as the one in Fig. 1, whose network/computation parameters are $B_{\min}=0.1$ kbit/s, $B_{\max}=1$ kbit/s, $\tau=1$ s, $\Delta^{\mathrm{ctrl}}_{\min}=0.01$ s, $\Delta^{\mathrm{ctrl}}_{\max}=0.1$ s, $\Delta^{\mathrm{req}}_{\min}=0.05$ s, $\Delta^{\mathrm{req}}_{\max}=0.2$ s, $\Delta^{\mathrm{net}}_{\min}=0.1$ s, $\Delta^{\mathrm{net}}_{\max}=0.25$ s. The state quantization, assumed to be different (in absolute values) for each component of the state, is equal to $x_{i,\max}/100$ for the state $x_i$ ($i=1,2,3$), so that we have 201 quantization values for each state component. We assume the input quantization to be equal to $u_{i,\max}/5$ for the input $u_i$ ($i=1,2$) and the network protocols to introduce a relative overhead which is bounded by 20% of the total number of data bits ($N^+_{cp}=N^+_{pc}=0.2$). This implies $|[X]_{\mu_X}|=201^3$ and $|U|=66$, hence $\Delta^{B,pc}_{\min}=0.0275$ s, $\Delta^{B,pc}_{\max}=0.275$ s, $\Delta^{B,cp}_{\min}=0.0073$ s, $\Delta^{B,cp}_{\max}=0.073$ s. We assume there may be packet dropouts, with the constraint that two consecutive dropouts are not allowed ($N_{pd}=1$).

The motion planning problem considered here is described in the following. We require that the robot leaves its support (HOME location) and visits (in the exact order) two buildings, denoted by B1 and B2, to then reach an outlet where it possibly powers up the battery (CHARGE location). Finally, the vehicle returns HOME. During the whole path, the robot is requested to avoid some obstacles, such as walls and other buildings. We denote the union of the obstacles locations as the UNSAFE location.

We now start applying the results in Section 4 regarding the design of a symbolic model for the given NCS. According to the definition of $\Sigma_d$ in Subsection 4.1, the minimum and maximum delays in a single iteration of the network amount to $\Delta_{\min}=0.34$ s and $\Delta_{\max}=2.70$ s, respectively. From (3), this results in $N_{\min}=1$, $N_{\max}=3$. In order to have a uniform quantization in the state space and in the input space, we apply the results to a normalized plant $\tilde P$, whose state and input are those of $P$, but component-wise normalized with respect to $x_{\max}$ and $u_{\max}$. According to the previous description of the NCS, this results in $\mu_X=0.005$ and $\mu_U=0.1$.
We assume that the normalized signals are sent through the network and the static blocks implementing the coordinate change from $P$ to $\tilde P$ and vice versa (omitted in the general scheme) are physically connected to the sensor and to the ZoH, respectively. It is possible to show that the quadratic Lyapunov-like function $V(x,x')=0.5\|x-x'\|_2^2$ is δ-FC for control system (27), with $\lambda=\dfrac{2u_{1,\max}}{\cos(\delta(u_{2,\max}))}$, $\underline\alpha(r)=0.5r^2$, $\overline\alpha(r)=1.5r^2$ and $\gamma(r)=6r$; hence Theorem 2 can be applied. Further details are omitted because, as it will be discussed in the sequel, the explicit construction of the symbolic model is not needed to solve the control design problem.

In the symbolic control design step, we apply the results illustrated in Section 5 and we consider a finite automaton encoding all the trajectories satisfying the given specification. Although a covering specification can be repeated many times, we consider a single surveillance round, which can be coded into a finite-time specification by means of the following co-safe LTL formula [53]:

$$\varphi=\mathrm{HOME}\wedge(\neg\mathrm{UNSAFE}\ \mathbf{U}\ \mathrm{HOME})\wedge(\neg\mathrm{HOME}\ \mathbf{U}\ (\mathrm{B1}\wedge\Diamond(\mathrm{B2}\wedge\Diamond\mathrm{CHARGE}))),\tag{28}$$

where $\neg$ and $\wedge$ are the logical connectives of negation (not) and conjunction (and), while $\mathbf{U}$ and $\Diamond$ are the temporal operators of until and eventually, respectively. The formula in (28) is the logical conjunction of two formulas, where the first one requires that the vehicle goes back to the location HOME in finite time while keeping safe during the whole path (i.e. without hitting any obstacle); the second one requires that the vehicle does not come back HOME before visiting the locations B1, B2 and CHARGE, in the exact order. We assume that the robot starts from HOME. For a precision $\varepsilon=0.025$, starting from a specification $Q$ encoding point-to-point trajectories fulfilling the formula in (28), for the choice of the parameters $\theta=\eta=0.0125$, Theorem 4 holds and the controller $S^*_C$ in Definition 4 solves the control problem.
Estimates of the space complexity in constructing $S^*_C$ indicate $4\cdot10^{13}$ 32-bit integers. Because of the large computational complexity in building the controller and the specification automaton, we do not construct the whole models but solve the motion control problem by means of the procedure illustrated in [45] for the on-the-fly NCS control design, generalizing the integrated control design technique developed in [54] for nonlinear systems to the case of non-determinism and unstable plants. The total memory occupation and time required to construct $S^*_C$ are respectively 3742 32-bit integers and 2833 s. The computation has been performed on the Matlab suite through an Apple MacBook Pro with 2.5 GHz Intel Core i5 CPU and 16 GB RAM.

In Fig. 3 (bottom panel), we show a sample path of the NCS (blue solid line), for a particular realization of the network uncertainties, compared to the trajectory of the system controlled through an ideal network (black dashed line). As described before, the robot visits the regions B1, B2 and CHARGE (in yellow), while avoiding the obstacles (in red), to finally go back HOME (in green). Each time delay $N_k$ is sampled from a discrete uniform random distribution over $[N_{\min};N_{\max}]$. As a result, the NCS used just 59 control samples, in spite of the 94 control samples (one at each $\tau$) used in the ideal case. The plot of the NCS input function and of the realization of time delays are in Fig. 3 (top right panel). Note that, although the behavior of the NCS is not as regular as in the ideal case, the specifications are indeed met.

7 Conclusions

In this paper we proposed a symbolic approach to the control design of nonlinear NCS, where the most important non-idealities in the communication channel are taken into account. Under the assumption of existence of incremental forward complete Lyapunov functions, we derived symbolic models that approximate NCS in the sense of alternating approximate simulation.
Under the assumption of incremental global asymptotic stability, alternatingly approximately bisimilar symbolic models are constructed. NCS symbolic control design, where specifications are expressed in terms of transition systems, was then solved and applied to an example in the context of robot motion planning. The results presented in this paper represent a first step in solving complex control problems where non-idealities in communication infrastructures and computing units are taken into account. However, some simplifying assumptions have to be dropped to make the proposed results applicable to more realistic industrial cases and more complex control objectives. In particular, multiple control and measurement packets (with out-of-order packet management) within each network iteration can be considered, thereby improving the control performance at the expense of additional formal complexity. Moreover, specifications expressed in terms of Linear Temporal Logic formulae can be taken into account.

Figure 3: Overhead view of the robot dynamics (top left panel). Control input and realization of the network delays (top right panel) in the NCS Σ. Space trajectory of the vehicle (bottom panel). [Plotted quantities: u1, u2 and Nk versus Time; x2 versus x1 with the locations B1, B2, CHARGE and HOME; legend: Control without network, Control with network.]

Acknowledgements

The authors are grateful to Pierdomenico Pepe for fruitful discussions on the topic of this article.

References

[1] R. Murray, K. Astrom, S. Boyd, R. Brockett, and G. Stein, “Control in an information rich world,” IEEE Control Systems Magazine, vol. 23, no. 2, pp. 20–33, April 2003. [2] W. Heemels and N. van de Wouw, “Stability and stabilization of networked control systems,” in Networked Control Systems, ser. Lecture notes in control and information sciences, A. Bemporad, W.
Heemels, and M. Johansson, Eds. London: Springer Verlag, 2011, vol. 406, pp. 203–253. [3] M. B. Cloosterman, L. Hetel, N. Van De Wouw, W. Heemels, J. Daafouz, and H. Nijmeijer, “Controller synthesis for networked control systems,” Automatica, vol. 46, no. 10, pp. 1584–1594, 2010. [4] M. García-Rivera and A. Barreiro, “Analysis of networked control systems with drops and variable delays,” Automatica, vol. 43, no. 12, pp. 2054–2059, 2007. [5] H. Gao, T. Chen, and J. Lam, “A new delay system approach to network-based control,” Automatica, vol. 44, no. 1, pp. 39–52, 2008. [6] P. Naghshtabrizi, J. P. Hespanha, and A. R. Teel, “Stability of delay impulsive systems with application to networked control systems,” Transactions of the Institute of Measurement and Control, vol. 32, no. 5, pp. 511–528, 2010. [7] W. H. Heemels, A. R. Teel, N. van de Wouw, and D. Nesic, “Networked control systems with communication constraints: Tradeoffs between transmission intervals, delays and performance,” IEEE Transactions on Automatic Control, vol. 55, no. 8, pp. 1781–1796, 2010. [8] D. Nesic and A. R. Teel, “Input-output stability properties of networked control systems,” IEEE Transactions on Automatic Control, vol. 49, no. 10, pp. 1650–1667, 2004. [9] J. Hespanha, P. Naghshtabrizi, and X. Yonggang, “A survey of recent results in networked control systems,” Proceedings of the IEEE, vol. 95, no. 1, pp. 138–162, January 2007. [10] W. Heemels, N. van de Wouw, R. Gielen, M. Donkers, L. Hetel, S. Olaru, M. Lazar, J. Daafouz, and S. Niculescu, “Comparison of overapproximation methods for stability analysis of networked control systems,” in Hybrid Systems: Computation and Control, ser. Lecture Notes in Computer Science, K. Johansson and W. Yi, Eds. Berlin: Springer Verlag, 2010, vol. 6174, pp. 181–191. [11] D. Nesic and D. Liberzon, “A unified framework for design and analysis of networked and quantized control systems,” IEEE Transactions on Automatic Control, vol. 54, no. 4, pp. 732–747, 2009.
[12] P. Naghshtabrizi and J. P. Hespanha, “Designing an observer-based controller for a network control system,” in 44th IEEE Conference on Decision and Control, 2005 and 2005 European Control Conference. CDC-ECC’05. IEEE, 2005, pp. 848–853. [13] A. Chaillet and A. Bicchi, “Delay compensation in packet-switching networked controlled systems,” in 47th IEEE Conference on Decision and Control, 2008. CDC 2008. IEEE, 2008, pp. 3620–3625. [14] M. Donkers, W. Heemels, N. Van De Wouw, and L. Hetel, “Stability analysis of networked control systems using a switched linear systems approach,” IEEE Transactions on Automatic Control, vol. 56, no. 9, pp. 2101–2115, 2011. [15] W. P. M. H. Heemels, D. Nesic, A. Teel, and N. Van de Wouw, “Networked and quantized control systems with communication delays,” in Proceedings of the 48th IEEE Conference on Decision and Control, 2009 held jointly with the 2009 28th Chinese Control Conference. CDC/CCC 2009., Dec 2009, pp. 7929–7935. [16] R. Alur, A. D’Innocenzo, K. H. Johansson, G. J. Pappas, and G. Weiss, “Compositional modeling and analysis of multi-hop control networks,” IEEE Transactions on Automatic control, vol. 56, no. 10, pp. 2345–2357, 2011. [17] D. J. Antunes, J. P. Hespanha, and C. J. Silvestre, “Volterra integral approach to impulsive renewal systems: Application to networked control,” IEEE Transactions on Automatic Control, vol. 57, no. 3, pp. 607–619, 2012. [18] N. W. Bauer, P. J. Maas, and W. Heemels, “Stability analysis of networked control systems: A sum of squares approach,” Automatica, vol. 48, no. 8, pp. 1514–1524, 2012. [19] N. van de Wouw, D. Nešić, and W. Heemels, “A discrete-time framework for stability analysis of nonlinear networked control systems,” Automatica, vol. 48, no. 6, pp. 1144–1153, 2012. [20] R. Alur, T. A. Henzinger, G. Lafferriere, and G. J. Pappas, “Discrete abstractions of hybrid systems,” Proceedings of the IEEE, vol. 88, pp. 971–984, 2000. [21] P. 
Tabuada, Verification and Control of Hybrid Systems: A Symbolic Approach. Springer, 2009. [22] R. Alur and D. L. Dill, Automata, Languages and Programming, ser. Lecture Notes in Computer Science. Berlin: Springer, April 1990, vol. 443, ch. Automata for modeling real-time systems, pp. 322–335. [23] T. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya, “What’s decidable about hybrid automata?” Journal of Computer and System Sciences, vol. 57, pp. 94–124, 1998. [24] G. Lafferriere, G. J. Pappas, and S. Sastry, “O-minimal hybrid systems,” Math. Control Signal Systems, vol. 13, pp. 1–21, 2000. [25] T. Brihaye and C. Michaux, “On the expressiveness and decidability of o-minimal hybrid systems,” Journal of Complexity, vol. 21, no. 4, pp. 447– 478, 2005. [26] P. E. Caines and Y. J. Wei, “Hierarchical hybrid control systems: A latticetheoretic formulation,” Special Issue on Hybrid Systems, IEEE Transaction on Automatic Control, vol. 43, no. 4, pp. 501–508, April 1998. [27] X. D. Koutsoukos, P. J. Antsaklis, J. A. Stiver, and M. D. Lemmon, “Supervisory control of hybrid systems,” Proceedings of the IEEE, vol. 88, no. 7, pp. 1026–1049, July 2000. [28] T. Moor, J. Raisch, and S. D. O’Young, “Discrete supervisory control of hybrid systems based on l-complete approximations,” Journal of Discrete Event Dynamic Systems, vol. 12, pp. 83–107, 2002. [29] D. Forstner, M. Jung, and J. Lunze, “A discrete-event model of asynchronous quantised systems,” Automatica, vol. 38, pp. 1277–1286, 2002. [30] A. Bicchi, A. Marigo, and B. Piccoli, “On the reachability of quantized control systems,” IEEE Transactions on Automatic Control, vol. 47, no. 4, pp. 546–563, 2002. [31] P. Tabuada and G. Pappas, “Linear time logic control of discrete-time linear systems,” IEEE Transactions of Automatic Control, vol. 51, no. 12, pp. 1862–1877, 2006. [32] L. Habets, P. Collins, and J. V. 
Schuppen, “Reachability and control synthesis for piecewise-affine hybrid systems on simplices,” IEEE Transactions on Automatic Control, vol. 51, no. 6, pp. 938–948, 2006. [33] C. Belta and L. Habets, “Controlling a class of nonlinear systems on rectangles,” IEEE Transactions on Automatic Control, vol. 51, no. 11, pp. 1749–1759, 2006. [34] O. Junge, “A set oriented approach to global optimal control,” ESAIM: Control, optimisation and calculus of variations, vol. 10, no. 2, pp. 259– 270, 2004. [35] G. Reißig, “Computation of discrete abstractions of arbitrary memory span for nonlinear sampled systems,” in Proc. of 12th Int. Conf. Hybrid Systems: Computation and Control (HSCC), vol. 5469, pp. 306–320, April 2009. [36] G. Pola, A. Girard, and P. Tabuada, “Approximately bisimilar symbolic models for nonlinear control systems,” Automatica, vol. 44, pp. 2508–2516, October 2008. [37] M. Zamani, M. Mazo, G. Pola, and P. Tabuada, “Symbolic models for nonlinear control systems without stability assumptions,” IEEE Transactions of Automatic Control, vol. 57, no. 7, pp. 1804–1809, July 2012. [38] G. Pola and P. Tabuada, “Symbolic models for nonlinear control systems: Alternating approximate bisimulations,” SIAM Journal on Control and Optimization, vol. 48, no. 2, pp. 719–733, 2009. [39] A. Borri, G. Pola, and M. D. Di Benedetto, “Symbolic models for nonlinear control systems affected by disturbances,” International Journal of Control, vol. 88, no. 10, pp. 1422–1432, September 2012. [40] A. Girard, G. Pola, and P. Tabuada, “Approximately bisimilar symbolic models for incrementally stable switched systems,” IEEE Transactions of Automatic Control, vol. 55, no. 1, pp. 116–126, January 2010. [41] G. Pola, P. Pepe, M. Di Benedetto, and P. Tabuada, “Symbolic models for nonlinear time-delay systems using approximate bisimulations,” Systems and Control Letters, vol. 59, pp. 365–373, 2010. [42] G. Pola, P. Pepe, and M.D. 
Di Benedetto, “Symbolic models for timevarying time-delay systems via alternating approximate bisimulation,” International Journal of Robust and Nonlinear Control, 2014, DOI: 10.1002/rnc.3204, http://arxiv.org/abs/1011.5835. To appear. [43] A. Girard and G. Pappas, “Approximate bisimulation: a bridge between computer science and control theory,” European Journal of Control, vol. 17, no. 5–6, pp. 568–578, 2011. [44] A. Borri, G. Pola, and M. D. Di Benedetto, “A symbolic approach to the design of nonlinear networked control systems,” in Proceedings of the 15th ACM international conference on Hybrid Systems: Computation and Control, ser. HSCC ’12. New York, NY, USA: ACM, 2012, pp. 255–264. [Online]. Available: http://doi.acm.org/10.1145/2185632.2185670 [45] A. Borri, G. Pola, and M. Di Benedetto, “Integrated symbolic design of unstable nonlinear networked control systems,” in 51th IEEE Conference on Decision and Control, 2012, pp. 1374–1379. [46] D. Angeli and E. Sontag, “Forward completeness, unboundedness observability, and their Lyapunov characterizations,” Systems and Control Letters, vol. 38, pp. 209–217, 1999. [47] ISO 11898-1:2003, Road vehicles – Controller area network (CAN) – Part 1: Data link layer and physical signalling. ISO, Geneva, Switzerland. [48] H. Kopetz and G. Grunsteidl, “Ttp-a protocol for fault-tolerant real-time systems,” Computer, vol. 27, no. 1, pp. 14–23, Jan 1994. [49] D. Angeli, “A Lyapunov approach to incremental stability properties,” IEEE Transactions on Automatic Control, vol. 47, no. 3, pp. 410–421, 2002. [50] E. Clarke, O. Grumberg, and D. Peled, Model Checking. MIT Press, 1999. [51] C. Belta, A. Bicchi, M. Egerstedt, E. Frazzoli, E. Klavins, and G. Pappas, “Symbolic planning and control of robot motion,” IEEE Robotics & Automation Magazine, vol. 14, no. 1, pp. 61–70, March 2007. [52] T. Gillespie, Fundamentals of Vehicle Dynamics. SAE BRASIL, 1992. [53] O. Kupferman and M. 
Vardi, “Model checking of safety properties,” Formal Methods in System Design, vol. 19, pp. 291–314, 2001.
[54] G. Pola, A. Borri, and M. D. Di Benedetto, “Integrated design of symbolic controllers for nonlinear systems,” IEEE Transactions on Automatic Control, vol. 57, no. 2, pp. 534–539, Feb. 2012.
[55] A. Girard and G. Pappas, “Approximation metrics for discrete and continuous systems,” IEEE Transactions on Automatic Control, vol. 52, no. 5, pp. 782–798, 2007.

In this appendix, we recall some notions of approximate equivalence and composition that are used in the paper.

Definition 5 [55, 38] Let $S_i = (X_i, X_{0,i}, U_i, \xrightarrow[i]{}, Y_i, H_i)$ ($i = 1, 2$) be metric systems with the same output sets $Y_1 = Y_2$ and metric $d$, and let $\varepsilon \in \mathbb{R}_0^+$ be a given precision. Consider a relation $R \subseteq X_1 \times X_2$ satisfying the following conditions:
(i) $\forall x_1 \in X_{0,1}$ $\exists x_2 \in X_{0,2}$ such that $(x_1, x_2) \in R$, and
(ii) $\forall (x_1, x_2) \in R$, $d(H_1(x_1), H_2(x_2)) \le \varepsilon$.
Relation $R$ is an ε-approximate simulation relation from $S_1$ to $S_2$ if it enjoys conditions (i), (ii) and the following one:
(iii) $\forall (x_1, x_2) \in R$, if $x_1 \xrightarrow[1]{u_1} x_1'$ then $\exists\, x_2 \xrightarrow[2]{u_2} x_2'$ such that $(x_1', x_2') \in R$.
System $S_1$ is ε-simulated by $S_2$, or $S_2$ ε-simulates $S_1$, denoted $S_1 \preceq_{\varepsilon} S_2$, if there exists an ε-approximate simulation relation from $S_1$ to $S_2$. Relation $R$ is an ε-approximate bisimulation relation between $S_1$ and $S_2$ if $R$ is an ε-approximate simulation relation from $S_1$ to $S_2$ and $R^{-1}$ is an ε-approximate simulation relation from $S_2$ to $S_1$. Furthermore, systems $S_1$ and $S_2$ are ε-bisimilar, denoted $S_1 \cong_{\varepsilon} S_2$, if there exists an ε-approximate bisimulation relation $R$ between $S_1$ and $S_2$. Relation $R$ is an alternating ε-approximate (AεA) simulation relation from $S_1$ to $S_2$ if it enjoys conditions (i), (ii) and the following one:
(iii′) $\forall (x_1, x_2) \in R$ $\forall u_1 \in U_1(x_1)$ $\exists u_2 \in U_2(x_2)$ such that $\forall\, x_2 \xrightarrow[2]{u_2} x_2'$ $\exists\, x_1 \xrightarrow[1]{u_1} x_1'$ with $(x_1', x_2') \in R$.
System $S_1$ is alternatingly ε-simulated by $S_2$, or $S_2$ alternatingly ε-simulates $S_1$, denoted $S_1 \preceq^{\mathrm{alt}}_{\varepsilon} S_2$, if there exists an AεA simulation relation from $S_1$ to $S_2$. When $\varepsilon = 0$, system $S_1$ is said to be exactly alternatingly simulated by $S_2$, or $S_2$ exactly alternatingly simulates $S_1$. Relation $R$ is an AεA bisimulation relation between $S_1$ and $S_2$ if $R$ is an AεA simulation relation from $S_1$ to $S_2$ and $R^{-1}$ is an AεA simulation relation from $S_2$ to $S_1$. Furthermore, systems $S_1$ and $S_2$ are AεA-bisimilar, denoted $S_1 \cong^{\mathrm{alt}}_{\varepsilon} S_2$, if there exists an AεA bisimulation relation $R$ between $S_1$ and $S_2$.

For details on the above notions, see [21, 38]. Interaction between systems is formalized hereafter.

Definition 6 [21] Consider a pair of metric systems $S_i = (X_i, X_{0,i}, U_i, \xrightarrow[i]{}, Y_i, H_i)$ ($i = 1, 2$) with the same output sets $Y_1 = Y_2$ and metric $d$, and let $\varepsilon \in \mathbb{R}_0^+$ be a given precision. Let $R$ be an AεA simulation relation from $S_2$ to $S_1$. The ε-approximate feedback composition of $S_1$ and $S_2$, with composition relation $R$, is the system $S_1 \times^{R}_{\varepsilon} S_2 = (X, X_0, U, \longrightarrow, Y, H)$, where $X = R^{-1}$, $X_0 = X \cap (X_{0,1} \times X_{0,2})$, $U = U_1$, $(x_1, x_2) \xrightarrow{u_1} (x_1', x_2')$ if $x_1 \xrightarrow[1]{u_1} x_1'$ and $x_2 \xrightarrow[2]{u_2} x_2'$ for some $u_2 \in U_2$, $Y = Y_1$, and $H(x_1, x_2) = H_1(x_1)$ for any $(x_1, x_2) \in X$.

We conclude with a useful technical lemma.

Lemma 1 [21] Let $S_i = (X_i, X_{0,i}, U_i, \xrightarrow[i]{}, Y_i, H_i)$ ($i = 1, 2, 3$) be metric systems with the same output sets $Y_1 = Y_2 = Y_3$ and metric $d$. Then, the following statements hold:
(i) for any $\varepsilon_1 \le \varepsilon_2$, $S_1 \preceq^{(\mathrm{alt})}_{\varepsilon_1} S_2$ implies $S_1 \preceq^{(\mathrm{alt})}_{\varepsilon_2} S_2$;
(ii) if $S_1 \preceq^{(\mathrm{alt})}_{\varepsilon_{12}} S_2$ and $S_2 \preceq^{(\mathrm{alt})}_{\varepsilon_{23}} S_3$ then $S_1 \preceq^{(\mathrm{alt})}_{\varepsilon_{12} + \varepsilon_{23}} S_3$;
(iii) for any $\varepsilon \in \mathbb{R}_0^+$ and any AεA simulation relation $R$ from $S_2$ to $S_1$, $S_1 \times^{R}_{\varepsilon} S_2 \preceq_{\varepsilon} S_2$.
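The conditions of Definition 5 can be checked mechanically on finite metric systems. The following is an added example, not code from the paper: it computes the greatest relation satisfying (ii) and (iii), or (ii) and (iii′), by fixed-point iteration and then tests condition (i). The class and function names, the real-valued outputs with metric $|y - y'|$, and the two sample systems are assumptions made for illustration.

```python
from itertools import product

class MetricSystem:
    """Finite system (X, X0, U, -->, Y, H); outputs are reals, d(y, y') = |y - y'|."""
    def __init__(self, init, trans, out):
        self.init, self.trans, self.out = set(init), trans, out  # X0, -->, H
    def enabled(self, x):   # U(x): inputs with at least one successor from x
        return {u for (s, u), succ in self.trans.items() if s == x and succ}
    def post(self, x, u):   # successors of x under input u
        return self.trans.get((x, u), set())

def largest_relation(s1, s2, eps, alternating=False):
    """Greatest relation satisfying (ii) and (iii), or (ii) and (iii') if alternating."""
    rel = {(a, b) for a, b in product(s1.out, s2.out)
           if abs(s1.out[a] - s2.out[b]) <= eps}            # condition (ii)
    def ok(a, b):
        if alternating:  # (iii'): each u1 has a u2 all of whose moves S1 can match
            return all(any(all(any((a2, b2) in rel for a2 in s1.post(a, u1))
                               for b2 in s2.post(b, u2))
                           for u2 in s2.enabled(b))
                       for u1 in s1.enabled(a))
        # (iii): every move of S1 is matched by some move of S2
        return all(any((a2, b2) in rel
                       for u2 in s2.enabled(b) for b2 in s2.post(b, u2))
                   for u1 in s1.enabled(a) for a2 in s1.post(a, u1))
    while True:             # discard violating pairs until a fixed point is reached
        bad = {p for p in rel if not ok(*p)}
        if not bad:
            return rel
        rel -= bad

def simulates(s1, s2, eps, alternating=False):
    """Condition (i) on the greatest relation: every x1 in X0,1 has a related x2 in X0,2."""
    rel = largest_relation(s1, s2, eps, alternating)
    return all(any((a, b) in rel for b in s2.init) for a in s1.init)

# Constructed sample systems (not from the paper). S2 is non-deterministic:
# input v at p may lead to q or to r, whose output is far from any output of S1.
S1 = MetricSystem({"a"}, {("a", "u"): {"b"}, ("b", "u"): {"a"}}, {"a": 0.0, "b": 1.0})
S2 = MetricSystem({"p"}, {("p", "v"): {"q", "r"}, ("q", "v"): {"p"}, ("r", "v"): {"r"}},
                  {"p": 0.1, "q": 0.9, "r": 5.0})

if __name__ == "__main__":
    print(simulates(S1, S2, 0.2), simulates(S1, S2, 0.2, alternating=True))
```

With these samples, S1 is 0.2-simulated by S2 but not alternatingly 0.2-simulated: the successor r that S2 may pick under input v has no related state in S1, which is the non-determinism condition (iii′) accounts for.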