Divergent stutter bisimulation abstraction for controller synthesis with linear temporal logic specifications

This paper proposes a method to synthesise controllers for systems with possibly infinite number of states that satisfy a specification given as an LTL \◦ formula. A common approach to handle this problem is to first compute a finite-state abstraction of the original state space and then synthesise a controller for the abstraction. This paper proposes to use an abstraction method called divergent stutter bisimulation to abstract the state space of the system. As divergent stutter bisimulation factors out stuttering steps , it typically results in a coarser and therefore smaller abstraction, at the expense of not preserving the temporal ‘‘next’’ operator. The paper leverages results about divergent stutter bisimulation from model checking and shows that divergent stutter bisimulation is a sound and complete abstraction method when synthesising controllers subject to specifications in LTL \◦ . © 2021TheAuthor(s).PublishedbyElsevierLtd.ThisisanopenaccessarticleundertheCCBYlicense (http://creativecommons.org/licenses/by/4.0/).


Introduction
Dynamic system models are often used for safety-critical applications, where formal verification and synthesis are of great importance (Belta et al., 2017). This paper is concerned with controller synthesis, where the control logic is automatically computed from a model of the system with possibly infinite number of states and a specification of the desired behaviour in temporal logic. In this context, the state space is typically abstracted and partitioned to produce a finite transition system, and then finitestate machine synthesis methods are applied (Kloetzer & Belta, 2008;Ramadge, 1989).
The most commonly used abstraction method for this purpose is bisimulation (Milner, 1989). Bisimulation is a strong behavioural equivalence of transition systems, which preserves all temporal logic properties (Baier & Katoen, 2008). There exist polynomialtime algorithms to calculate a bisimilar abstraction of a finitestate system (Fernandez, 1990). Bisimulation can also be applied to continuous state spaces (Belta et al., 2017;Megawati & van der Schaft, 2016;Pappas, 2003), but the bisimulation algorithms are ✩ The material in this paper was not presented at any conference. This paper was recommended for publication in revised form by Associate Editor Dimos V. Dimarogonas under the direction of Editor Christos G. Cassandras. only guaranteed to terminate for specific classes of continuous systems (Alur et al., 2000).
To overcome these difficulties, the literature proposes various alternatives to bisimulation. Approximate bisimulation relaxes bisimulation by allowing a bounded mismatch between the behaviours of the abstract and concrete system (Girard & Pappas, 2007). A further relaxation is obtained by considering (approximate) simulation and feedback refinement relations. These are sound but not necessarily complete abstraction methods, in the sense that the nonexistence of a controller for the abstract system does not imply the nonexistence of a controller for the concrete system (Belta et al., 2017;Reissig et al., 2016;Tabuada, 2009;Zamani et al., 2011). Dual-simulation (Wagenmaker & Ozay, 2016) produces a coarser abstraction than bisimulation; it uses overlapping subsets rather than quotient sets. Moreover, the dualsimulation algorithm avoids the set difference operation, so that it preserves the convexity of the regions in the abstracted state space. Unlike bisimulation, it does not preserve all temporal logic properties, but it preserves the results of controller synthesis when applied to linear temporal logic (LTL).
Bisimulation and its variants consider all transitions as significant. The potential for abstraction can be increased by factoring out so-called stuttering steps where the system remains in the same region of the state space without changing any of the propositions relevant for the specification. By combining sequences of stuttering steps with the next non-stuttering step in a single transition, a coarser abstraction is produced. However, the temporal ''next'' operator is no longer preserved because the number of steps between two states may change. Accordingly, over-approximations (Liu et al., 2013;Nilsson et al., 2017) have been proposed to synthesise controllers for continuous-time systems. The approach is sound for specifications in LTL \• , the LTL fragment without the ''next'' operator, but not complete in general.
This paper considers another approach to factor out stuttering steps, called divergent stutter bisimulation (Baier & Katoen, 2008). Divergent stutter bisimulation preserves CTL * \• , the fragment of the Computation Tree Logic CTL * without the ''next'' operator (Baier & Katoen, 2008). An efficient algorithm to compute abstractions based on divergent stutter bisimulation exists and has been used to simplify state spaces (Groote et al., 2017;Groote & Vaandrager, 1990). Once an abstraction and a quotient system are constructed using divergent stutter bisimulation, verification can be done using existing tools (Baier & Katoen, 2008;Clarke et al., 1999) and gives the same result as for the original system. Yet, synthesis is more difficult, because it is not immediately clear how a controller synthesised for the abstracted system can be used to control the original system. A single transition of the abstract controller has to be implemented by a sequence of several transitions (including stuttering steps) in the original system. This paper shows that divergent stutter bisimulation is a sound and complete abstraction method when synthesising for specifications in LTL \• . It is shown that a controller for the abstracted system exists if and only if such a controller exists for the original system with possibly infinite number of states, and it is shown how the controller for the original system can be constructed from the abstract controller.
The divergent stutter bisimulation algorithm and the algorithm to construct a controller for the original system from the abstract controller have been implemented in TuLiP (Filippidis et al., 2016) and applied to discrete-time linear systems from Hussien and Tabuada (2018) and Wagenmaker and Ozay (2016). It is shown that the abstracted system from divergent stutter bisimulation is smaller compared to bisimulation. As expected, lifting the control from the discrete abstraction to the original system is more laborious than it would be using only bisimulation.
This paper is organised as follows. Section 2 gives a brief background on modelling and linear temporal logic and abstraction. Next, Section 3 explains divergent stutter bisimulation and reviews the algorithm to partition a state space while preserving divergent stutter bisimulation. Section 4 shows how the abstracted controller is used to construct a controller for the original system and proves that the abstraction method is sound and complete. Section 5 applies the algorithm to examples, and Section 6 gives concluding remarks.

Preliminaries
This section gives a brief overview of notations used throughout the paper. Most of the following definitions are adopted from Baier and Katoen (2008).

Finite and infinite strings
Let X be a set. The sets of finite and infinite strings of symbols from X are denoted by X * and X ω , respectively. The combined set of finite and infinite strings over X is X ∞ = X * ∪ X ω . The empty string is ε ∈ X * , and the set of nonempty finite strings is The concatenation of strings s ∈ X * and t ∈ X ∞ is written as st. The notation s k refers to the string obtained by concatenating k ≥ 0 copies of string s ∈ X * . A string s ∈ X * is called a prefix of t ∈ X ∞ , written s ⊑ t, if there exists u ∈ X ∞ such that su = t. An infinite ascending sequence s 0 ⊑ s 1 ⊑ s 2 ⊑ · · · of finite strings s i ∈ X * has a unique least upper bound s ∈ X ∞ with s i ⊑ s for all i ≥ 0, called its closure and denoted by clo{ s i | i ≥ 0 }. For s ∈ X ∞ , the duplicate-free string uniq(s) ∈ X ∞ is obtained from s by removing all elements that are equal to their predecessor.
For example, uniq(001322233 · · ·) = 01323. Removing duplicates from an infinite string may result in a finite or infinite string.

Transition systems and problem formulation
Definition 2. A finite path fragment s in a transition system A path in a transition system describes a possible behaviour of the system.
The labelling function L relates to each state x ∈ Q a set of atomic proposition that are satisfied by state x. The labelling function L is extended to finite or infinite path fragments s = x 0 x 1 · · · ∈ Q ∞ by applying it to each state of the path fragment, L(s) = L(x 0 )L(x 1 ) · · ·. This paper is concerned with the construction of controllers that restrict a transition system so that it only enters certain states.
The controller takes as argument a path, representing the history of all states visited in the path. If x 0 , . . . , x n ∈ Q are states (n ≥ 0), then the path composed of these states is written x 0 · · · x n ∈ Q * . The idea is that, after visiting states x 0 , . . . , x n ∈ Q , the controlled system is allowed to enter a state x n+1 ∈ Q if and only if x n+1 ∈ C (x 0 · · · x n ).
Definition 5. Let G = ⟨Q , Q • , →, Π, | =⟩ be a transition system, and let C : Q * → 2 Q be a controller for G. The controlled system, G under the control of C , is if and only if x n → x n+1 in G and x n+1 ∈ C (x 1 · · · x n ), (ii) x 0 · · · x n | = |C π if and only if x n | = π.
In Definition 5, the states of the closed-loop system, C /G, are paths of G that are accepted by C . The transitions of the closedloop system have the from of x 1 · · · x n → |C x 1 · · · x n+1 , where x 1 · · · x n is path of G and a state of the controlled system C /G. From a state x 1 · · · x n of C /G, the next state x 1 · · · x n+1 can be reached if x n → x n+1 is a transition in G and x n+1 ∈ C (x 1 · · · x n ).
Accordingly, the paths in C /G are strings of the states of C /G, i.e., strings of strings. The following definition adds a more convenient notation to also consider strings over states of G as paths in C /G.

Definition 6.
Let G = ⟨Q , Q • , →, Π, | =⟩, and let C be a controller for G. A string s ∈ Q ∞ is said to be a path in C /G if s is a path in G, and for every prefix rx ⊑ s with r ∈ Q * and x ∈ Q it holds that x ∈ C (r).
Another important concern in the following is divergence, where a transition system stays in the same state indefinitely.
The transition system G is said to satisfy ϕ, written G | = ϕ, if s | = ϕ holds for every infinite path s in G.
According to this semantics, a transition system satisfies an LTL \• formula if the formula holds on every infinite path. The definition does not cover paths that visit a deadlock state, i.e., a state without outgoing transitions. It is common to rule out this case so that all paths can be extended to an infinite path.
Then G is called deadlock free if, Q • ̸ = ∅ and for every reachable state x ∈ Q there exists a state y ∈ Q such that x → y.
This paper is concerned with the synthesis problem, which is to compute a controller enforcing a specification given as an LTL \• formula for a given transition system. This problem can now be defined formally as follows.
Problem 1. Given a transition system G and an LTL \• formula ϕ, find a controller C such that C /G is deadlock-free and C /G | = ϕ.
There are several methods to construct a controller that enforces an LTL \• formula on a finite transition system. This can be done by transforming the LTL \• formula to a Rabin or a Büchi automaton, taking a product of the automaton with the transition system, and then solving the control problem using existing methods (Kloetzer & Belta, 2008;Ramadge, 1989).

Abstraction
For systems with very large or infinite state spaces, finding a solution to Problem 1 becomes intractable. One approach to handle the synthesis problem in such cases is the use of abstraction techniques, where the state space is partitioned to produce an equivalent synthesis problem that can be solved more easily.
A common way to partition a transition system is to identify and group equivalent states. Given a set X , a relation ≈ ⊆ X × X is an equivalence relation on X if it is reflexive, symmetric, and Given an equivalence relation ≈ on the state set Q of a transition system, a quotient transition system can be constructed by grouping all equivalent states into a single abstract state, i.e., using Q /≈ as a reduced state set. For the quotient transition system to preserve liveness properties, it is important to distinguish whether or not it is possible for the system behaviour to remain within an equivalence class indefinitely.
Like a standard quotient transition system, the divergencerespecting quotient includes a transitionx→ỹ between two equivalence classes if the original transition system has a transition x → y between some states of these classes, and an equivalence class satisfies a proposition if one of its states satisfies that proposition. The difference to a standard quotient lies in the treatment of selfloop transitions: a selfloopx→x is only included in the divergence-respecting quotient ifx is a divergent equivalence class.
For simplicity of notation, in the following, the tilde superscripts of the transition and satisfaction relations of quotient transition systems will be omitted, thus identifying→ with → and | = with | =. Further, the following definition is used to relate path fragments of a transition system to those of its quotient.

Stutter equivalence
This paper addresses the problem of abstracting a transition system before calculating a controller to enforce an LTL \• specification. Without the temporal ''next'' operator, the logic LTL \• cannot distinguish how often states with the same labels are repeated. This leads to the idea of stutter equivalence (Baier & Katoen, 2008). Transitions between states with equal labels are called stuttering steps, and stutter bisimulation considers transition systems as equivalent if they have the same infinite paths while factoring out the stuttering steps. To preserve liveness properties, this relation is refined to divergent stutter bisimulation (Baier & Katoen, 2008).
transition systems, and let s i be path fragments in G i , for i = 1, 2. Then s 1 and s 2 are stutter equivalent if uniq(L(s 1 )) = uniq(L(s 2 )) and s 1 and s 2 are either both finite or both infinite.
According to Definition 3, L(s) is the sequence of labellings visited on the path fragment s, and uniq(L(s)) is the same sequence after removing duplicates. Therefore, stutter equivalent paths have the same sequences of atomic propositions, while the number of states repeated by stuttering steps, i.e., transitions whose source and target states satisfy exactly the same propositions, does not need to be equal. It is known that stutter equivalent paths satisfy the same LTL \• formulas.
If s 1 and s 2 are stutter equivalent, then s 1 | = ϕ if and only if s 2 | = ϕ for any LTL \• formula ϕ.
Condition (i) requires that equivalent states are labelled with the same propositions, i.e., the equivalence relation is proposition-preserving. According to conditions (ii) and (iii), for two states to be considered as equivalent, if one of them reaches a state in a different equivalence class then the other must reach an equivalent state either directly or after some stuttering steps. The last condition (iv) means that two states are only equivalent if either both exhibit divergent paths or none of them does.
Theorem 2 (Baier & Katoen, 2008). Let G = ⟨Q , Q • , →, Π, | =⟩ be a transition system, and let ≈ be a divergent stutter bisimulation on G. If s ∈ Q ω is a path in G then there exists a stutter equivalent infinite paths in G/ /≈.
Theorem 2 shows that, if a transition system G is abstracted to a divergence-respecting quotient G/ /≈ with respect to a divergent stutter bisimulation, then for any infinite path in the original system G there exists a stutter equivalent infinite path in the abstraction G/ /≈. By Proposition 1, these paths satisfy the same LTL \• properties.

Divergent stutter bisimulation algorithm
There exists a polynomial-time algorithm to calculate the coarsest divergent stutter bisimulation relation of a transition system (Groote et al., 2017;Groote & Vaandrager, 1990), which is summarised in this section. The algorithm performs partition refinement starting from an initial partition consisting of regions determined by the propositions. Regions are split repeatedly when they contain states that cannot reach the same successors. The splits are performed by calculating the sets of predecessors of a region and then intersecting all regions with this predecessor set.
PPre(T , P) = { y ∈ P | there exists a finite path fragment yy 1 · · · y n x in G with n ≥ 0 and y 1 , . . . , y n ∈ P and x ∈ T } . (1) The set of divergent states within P is Div(P) = { y ∈ P | there exists an infinite path fragment yy 1 y 2 · · · in G such that y k ∈ P for all k ≥ 1 } . (2) The stutter predecessors of T within P are states in the region P that can reach a state in T directly or after a finite number of steps within P. The divergent states within P are states from where an infinite number of transitions is possible while staying within P. The sets of stutter predecessors and divergent states can be characterised as fixed points. Given the recursive definition PPre 0 (T , P) = Pre(T ) ∩ P ; (3) PPre i+1 (T , P) = Pre(PPre i (T , P)) ∩ P ; (4) it is clear that PPre i (T , P) ; PPre i (P, P) .
For finite-state systems, these state sets can be computed in a finite number of steps, but for infinite systems the calculation of PPre(T , P) or Div(P) may fail to terminate.
Algorithm 1 uses these operations to calculate a partition that respects divergent stutter bisimulation. Line 1 computes the initial partition based on the propositions. It can be constructed and only if y | = p for all p ∈ Π. Then the algorithm enters the loop, which repeatedly refines each region until all conditions in Definition 14 are satisfied. Line 4 checks for regions to be refined based on divergence. If a region P contains both divergent and non-divergent regions, i.e., if the set Div(P) is nonempty and a proper subset of P, then it is refined by putting the divergent and non-divergent states into their own regions. Additionally, line 8 checks for splits based on stutter predecessors. Here it needs to be checked for each pair of regions P and T whether some of the states in P are stutter predecessors of T while others are not, in which case P is split. The algorithm terminates when no more splits are necessary. Then the resultQ represents the coarsest partition that respects divergent stutter bisimulation.

Control strategy
This section presents the main contributions of the paper and shows how divergent stutter bisimulation can be used for synthesis. After partitioning the state space using Algorithm 1, the synthesis problem can be solved for the abstract system. It remains to construct a controller that solves Problem 1 for the original system. Next, Section 4.1 describes the construction of this controller, and afterwards Sections 4.2 and 4.3 show that the method is sound and complete.

Controller construction
Given a transition system G and LTL \• specification ϕ, the objective of this paper is to find a solution for Problem 1, i.e., a deadlock free controller that enforces ϕ on G. Using Algorithm 1, the transition system is replaced by a divergent stutter bisimilar abstractionG. Then a traditional synthesis procedure (Kloetzer & Belta, 2008;Ramadge, 1989) can be used to solve Problem 1 for the abstractionG, which results in a controllerC that enforces the specification ϕ on the abstractionG.
It follows from the results cited in Section 3.2 that the system G and its abstractionG satisfy the same LTL \• properties, but this is only useful to verify that ϕ holds on the uncontrolled system. After synthesis, it remains to be shown that the existence of the controller for the abstract system implies the existence of a controller for the original system. Therefore, it is now shown how the abstract controllerC that enforces the specification on the abstract systemG can be used to design a controller C that enforces the same specification on the original system G. Its construction, which is given in Definition 16, works by considering the states in the original system G that correspond to the classes that form the abstractionG.
The controller C to be constructed for the original system observes a path s = x 1 · · · x k and makes a control decision C (s) of states allowed next. To base this decision on the abstract controllerC , the path s is mapped to a paths of the abstract system, and then the control decisionC (s) is used to inform the choice of C (s).
Consider a paths =x 1 · · ·x k ∈ (Q /≈) + of the abstraction, which also is a state of the abstract controlled systemC /G by Definition 5. To useC (s) when making the control decision C (s), it will be considered what classes can be reached froms under control ofC after possible stuttering steps withinx k : S i (s) is the set of equivalence classes that can be reached in the abstract controlled system after executings and then staying i times in the last classx k ofs, andS(s) is the set of equivalence classes reached after an arbitrary number of repetitions of the last class. This allows for abstract controllers that transition fromx k to the next class immediately, or that keep the system inx k for some number of steps before transitioning.
Now consider a finite path s ∈ Q + in G, for which a control decision is to be made. This path is converted to a paths ∈ (Q /≈) + so thatC (s) can be used to inform the control decision C (s). The paths must be constructed in such a way thats is a path inC /G and is stutter equivalent to s. This is achieved by repeating each of the equivalence classes in [s] for the smallest number of times needed to form a path inC /G. Specifically,s = ⌊s⌋C according to the following recursive definition, where r ∈ Q * and x, y ∈ Q : ⌊y⌋C = [y] ; where i = min{ i ≥ 0 | [y] ∈S i (⌊rx⌋C ) } in the last case. Also, ⌊s⌋C is undefined if none of the above conditions applies. By construction, ⌊s⌋C is stutter equivalent to s if it is defined, and it is prefix-preserving, i.e., s ⊑ t implies ⌊s⌋C ⊑ ⌊t⌋C if defined.
Now the set of successors outside of the current class that C allows after s is the union of the classes that can be reached under control ofC after ⌊s⌋C , After observing s ∈ Q + , the controller C guides the system to a state in S(s), possibly after stuttering steps within the class of the final state of s. IfC permits divergence, then C allows it also, otherwise it follows a shortest path to a state in S(s). These ideas are formalised in the following definition.
Second, for a nonempty path s = x 0 · · · x n ∈ Q + , the value of C (s) depends on divergence: In Definition 16, C allows as initial states all states in classes allowed as initial byC . Otherwise the decision depends on the equivalence class [x n ] that corresponds to the last state of s.
In case (i), this class [x n ] is not divergent or it is divergent in the abstract controlled system, i.e, ⌊s⌋C [x n ][x n ] · · · is a path iñ C /G, and then C allows the system to stay in [x n ] or to transit to the classes S(s) allowed as successors byC . Fig. 1 shows the case of a non-divergent class to the left, and in the middle class that is divergent in the abstract controlled system.
In case (ii), [x n ] is a divergent class in the uncontrolled system but the abstract controllerC does not allow this divergence.
The controller C prevents the divergent behaviour within [x n ] and forces the system to transition to a different equivalence class eventually. The construction (15) ensures that the system transitions to another equivalence class permitted by the abstract controller when possible, and otherwise only allows transitions within [x n ] that take the system closer to a state from where it is possible to leave [x n ]. This case is shown in Fig. 1 to the right.

Soundness
Soundness means that any controller synthesised by the abstraction-based method correctly solves Problem 1. Here it is shown that if there exists a solutionC to the synthesis problem for an abstracted systemG, then the controller constructed according to Definition 16 solves the synthesis problem for the original system G.
For the controller to be correct, it must enforce its LTL \• specification and be deadlock free, which is shown in Propositions 4 and 5. Both results depend on the following lemma, which shows that the path ⌊s⌋C used in the construction of the controller C is a path in the abstract controlled systemC /G if s is a path in the original controlled system G.
Lemma 3. Let G be a transition system, let ≈ be a divergent stutter bisimulation on G, letC be a controller forG = G/ /≈, and let C be the controller constructed fromC according to Definition 16. If a finite string s ∈ Q + is a path in C /G, then ⌊s⌋C is defined and is a path inC /G. Proof. Let s = x 0 · · · x n , and let s k = x 0 · · · x k be the kth prefix of s. It is shown by induction on k = 0, . . . , n that ⌊s k ⌋C is defined and a path inC /G. Base case: k = 0. As s 0 = x 0 is a path in C /G, it is clear that } =Q • is an initial state ofG, and from x 0 ∈ C (ε) = ⋃C (ε) it follows that [x 0 ] ∈C(ε). This means that [x 0 ] is an initial state of C /G, which implies that ⌊s 0 ⌋C = [x 0 ] is defined and a path inC /G. Inductive step: Assume the claim holds for some 0 ≤ k < n, i.e, ⌊s k ⌋C is defined and a path inC /G. It must be shown that ⌊s k+1 ⌋C is defined and a path inC /G. As k ≥ 0, the path s k+1 can be written as s k+1 = s k x k+1 = s k−1 x k x k+1 . As s and thus its prefix s k+1 is a path in C /G, it is clear that x k+1 ∈ C (s k ) by Definition 6.
Consider two cases.
If x k ≈ x k+1 , then it follows by (11) that ⌊s k+1 ⌋C = ⌊s k−1 x k x k+1 ⌋C = ⌊s k−1 x k ⌋C = ⌊s k ⌋C is defined and a path inC /G by the inductive assumption.
Otherwise x k+1 / ∈ [x k ], and as x k+1 ∈ C (s k ) it follows in both cases (i) and (ii) of Definition 16 that x k+1 ∈ S(s k ). (For case (ii), note that ] is a path inC /G. Choose i to be the smallest with this property. Then (12), so ⌊s k+1 ⌋C is defined and a path inC /G. □ Now it can be shown that the controller constructed according to Definition 16 enforces the same LTL \• properties on the original system as the abstract controller does.
Proposition 4. Let G be a transition system, let ≈ be a divergent stutter bisimulation on G, let ϕ be an LTL \• specification, letC be a controller forG = G/ /≈ that enforces ϕ onG, and let C be the controller constructed fromC according to Definition 16. Then C enforces ϕ on G.
Proof. Assume s = x 0 x 1 . . . is an arbitrary infinite path in C /G. It is to be shown that s | = ϕ. By Lemma 3, for every prefix s n = x 0 · · · x n of s, it holds that ⌊s n ⌋C is defined and is a path inC /G. Therefore, as ⌊s⌋C is prefix-preserving, there is an ascending sequence ⌊s 0 ⌋C ⊑ ⌊s 1 ⌋C ⊑ · · · of paths inC /G. The closure of this sequence may be finite or infinite.
If it is infinite, then lets = clo{ ⌊s i ⌋C | i ≥ 0 }, which is an infinite path inC /G and stutter equivalent to s.
Otherwise there exists k ≥ 0 such that ⌊s n ⌋C = ⌊s k ⌋C for all n ≥ k. As ⌊s n ⌋C is defined for all n ≥ 0, it must have been constructed from (11) and x n ≈ x k for all n ≥ k. As s is a path in G, it follows that s k is divergent in C /G and x k is divergent in G. The fact that s k is divergent in C /G means that C (s k ) cannot be constructed according to case (ii) of Definition 16, as this case only allows a finite number i of steps within [x k ]. Then case (i) of Definition 16 must be used, i.e., ⌊s k ⌋C is divergent inC /G. This means by Definition 7 thats = ⌊s k ⌋C [x k ][x k ] · · · is an infinite path inC /G. Also, as [x n ] = [x k ] for all n ≥ k, it is clear thats is stutter equivalent to s.
In both cases, there exists an infinite paths inC /G that is stutter equivalent to s. SinceC enforces ϕ onG, it follows that s | = ϕ. Sinces is stutter equivalent to s, based on Proposition 1 it holds that s | = ϕ. □ The second property required of a correct controller is that it is deadlock free. Therefore, the following proposition establishes that if the abstracted closed-loop system is deadlock free, then the controller constructed using Definition 16 produces a deadlock free closed-loop behaviour for the original system. Proposition 5. Let G be a transition system, let ≈ be a divergent stutter bisimulation on G, letC be a controller forG = G//≈ such thatC /G is deadlock free, and let C be the controller constructed fromC according to Definition 16. Then C /G is deadlock free. Fig. 1. Construction of a controller for the original system from the abstraction according to Definition 16, depending on whether [x n ] is not divergent in G (left), ⌊s⌋C is divergent inG (middle), or [x n ] is divergent in G and ⌊s⌋C is not divergent inG (right). Transitions disabled by the controller are shown as dashed arrows.
Proof. Consider a reachable state s of C /G, which can be written as s = x 0 · · · x n , which must be a path in C /G. It follows by Lemma 3 that ⌊s⌋C is defined and is a path inC /G. By construction, ⌊s⌋C can be written as ⌊s⌋C =x 0 · · ·x k with x n ∈x k .
First consider the case that ⌊s⌋C is divergent inC /G, which by Definition 7 means thatx 0x1 · · ·x kxkxk · · · is a path inC /G. This implies thatx k is divergent inG, and as ≈ is a divergent stutter bisimulation on G, it follows that [ Also C (s) is constructed according to case (i) of Definition 16 for divergent ⌊s⌋C , and thus x n+1 ∈ [x n ] ⊆ [x n ] ∪ S(s) = C (s). Now consider the case that ⌊s⌋C is not divergent inC /G. Then, sinceC /G is deadlock free, there must exist i ≥ 0 and a class y ̸ =x k such that ⌊s⌋Cx i kỹ is a path inC /G. It follows from (8)-(9) thatỹ ∈S(⌊s⌋C ). Also, as ⌊s⌋Cx i kỹ is a path inC /G, it holds that x k →ỹ inG, which means that there exist states x ∈x k and y ∈ỹ such that x → y in G. Then x n ≈ x, and as ≈ is a divergent stutter bisimulation on G, there exists a path fragment in G where x n , . . . , x n+m−1 ∈x k and x n+m ∈ỹ. Assume without loss of generality that (16) is a shortest path fragment with these properties. Note that, as x n+m ∈ỹ andỹ ∈S(⌊s⌋C ), it follows from (13) that x n+m ∈ S(s). Now consider the two cases from Definition 16.
In all the cases there exists x n+1 ∈ C (s) with x n → x n+1 . It follows that s → sx n+1 in C /G, which shows that C /G is deadlock free. □ The following theorem combines the results from Propositions 4 and 5 to show that synthesis after divergent stutter bisimulation is sound.
Theorem 6 (Soundness). Let G be a transition system and ϕ be an LTL \• formula. LetC be a controller forG = G/ /≈ such thatC /G is deadlock free andC /G | = ϕ. Let C be the controller constructed fromC according to Definition 16. Then C /G is deadlock free and C /G | = ϕ Proof. Follows directly from Propositions 4 and 5. □ Theorem 6 establishes that divergent stutter bisimulation can be used as an abstraction method before solving Problem 1. Moreover, Definition 16 can be used to construct a controller for the original system from the abstracted controller, which is a solution for Problem 1.

Completeness
Completeness of a synthesis method means that if there exists a solution to the synthesis problem, then the method finds a solution. The following theorem shows that, if there exists a controller C for a system G, then there also exists a controllerC that enforces the same LTL \• specification on the divergent stutter bisimilar abstractionG.
Theorem 7 (Completeness). Let G be a transition system, let ≈ be a divergent stutter bisimulation on G, let ϕ be an LTL \• specification, and let C be a controller for G that enforces ϕ on G such that C /G is deadlock free. Then there exists a controllerC forG = G/ /≈ that enforces ϕ onG such thatC /G is deadlock free.
Proof. Since C /G is deadlock free, from every initial state of C /G there exists an infinite path in C /G.
} be the set of classes of initial states allowed by C . Then choose an initial classx 0 ∈Q • C , and an initial state x 0 ∈ x 0 ∩ Q • ∩ C (ε), and an infinite path s = x 0 x 1 · · · in C /G. As s is an infinite path in G, by Theorem 2, there exists a stutter equivalent infinite paths =x 0x1 · · · inG. Now construct the controllerC such thatC (ε) = {x 0 } andC (x 0 · · ·x k−1 ) =x k for all k ≥ 0.
By construction,C constrains the abstracted systemG such that it can only follow the infinite paths, which implies thatC /G is deadlock free. As s is a path in C /G, and C enforces ϕ on G, it holds that s | = ϕ. Ass is stutter equivalent to s, it follows by Proposition 1 thats | = ϕ. Then, since thes is the only infinite path inC /G, it follows thatC enforces ϕ onG. □ Theorem 7 confirms that, whenever there exists a solution to Problem 1, the method of synthesis after divergent stutter bisimulation also finds a solution. Assume that there exists a controller C that enforces a given LTL \• specification on a given system G. Then by Theorem 7, there exists controllerC that enforces the same specification on the abstractionG. Given a complete procedure to solve the synthesis problem forG, it is possible to compute such a solution. This solution can then be converted to a controller for the original system using Definition 16, which by the results of Section 4.2 solves Problem 1 for the original system.

Examples
This section applies the synthesis and controller construction method using divergent stutter bisimulation to a variety of systems and compares the results to regular bisimulation.
As shown in Example 1, there are cases where the coarsest partition for bisimulation is infinite while a finite divergent stutter bisimulation partition exists. Even when bisimulation is applicable, stutter bisimulation can offer simpler partitions and faster computation. This is demonstrated with the next two examples featuring finite and continuous state spaces. In both cases the systems are abstracted, controllers are synthesised, and the closed-loop systems are simulated using TuLiP (Filippidis et al., 2016). All computations were performed on an Intel i7-4770K CPU with 32 GiB of RAM.

Example 2.
Consider a system where K robots, numbered 1, . . . , K , navigate in a two-dimensional grid G = {0, . . . , w} × {0, . . . , h}. The system state x consists of the robot locations x 1 , . . . , x K ∈ G and evolves according to The corners of the grid are special locations where the robots charge at home or perform tasks: Home = (0, 0), Task 0 = (w, 0), A robot is charged when it enters Fig. 3. The abstractions in Example 3 using bisimulation (left) and divergent stutter bisimulation (right). A path using the synthesised controller is shown for the divergent stutter bisimulation.
the home location, and a task is completed when a robot enters the task region. Each robot should be charged infinitely often and each task should be completed infinitely often by some robot, while no two robots should occupy the same location at the same time. This is modelled by the LTL \• formula where x | = T j ⇔ ∃i : Experiments are carried out for K = 2 robots and grid sizes (w, h) ∈ {(2, 2), (2, 3), (3, 3), (3, 4), (4, 4), (5, 5)}. For larger grids, the bisimulation algorithm does not converge within one hour. The states in this example are only bisimilar to themselves, so the coarsest bisimulation is the original partition defined by the propositions (19)-(21). For grid sizes 3 × 3 and above, it has 20 regions. Fig. 2 (top) shows the computation times, which are significantly faster for divergent stutter bisimulation. Next, controllers are synthesised for the abstracted systems and evaluated by simulating a path. At each step, the time to map the control decision from the abstract system to a control decision for the original system is measured and shown in Fig. 2 (bottom). The synthesis time for the divergent stutter bisimulation abstraction is significantly lower as expected from the smaller abstraction size. On the other hand, mapping control decisions from the abstract system to the original system is significantly faster for bisimulation as the construction of the divergent stutter bisimulation controller is nontrivial. □ Example 3. Consider a continuous analogue of Example 2 with one robot modelled by the linear system The state space Q is a subset of [0, 6] × [0, 4] with polygonal obstacles as shown in Fig. 3 removed. The atomic propositions are as in Example 2, and the satisfaction relation is defined similarly where the home and task locations are squares at the corners of Q . The abstraction algorithms are implemented for regions given by unions of polytopes whose predecessors can be computed with linear programming. The bisimulation algorithm is prematurely terminated by splitting only regions exceeding a minimum area, resulting in an abstraction with 158 regions that takes 349 s to compute. The divergent stutter bisimulation algorithm takes 2003 s and converges to the original partition. These abstractions are depicted in Fig. 3.  Next, when synthesising controllers, the computer runs out of memory during synthesis for bisimulation, while a controller is synthesised in 38 ms for the much smaller divergent stutter bisimulation abstraction. When simulating a path of the closedloop system for the divergent stutter bisimulation abstraction, the average time to map control inputs for the abstraction to the original system is 0.81 ms. □ Even when divergent stutter bisimulation does not result in the original partition, the resulting abstraction can still be significantly less complex than abstractions using bisimulation, as shown in the next two examples.
Example 4. Consider the following continuous-state doubleintegrator system:  Fig. 4. Although divergent stutter bisimulation takes longer to compute, it results in a smaller abstraction. □ Example 5 (Wagenmaker & Ozay, 2016). Consider the following two-dimensional linear system: converges to a partition of 15 regions as shown in Fig. 5, after 37 s computation time. The dual-simulation algorithm converges to a partition of 66 regions after 137 s, while the bisimulation algorithm does not terminate after 1 h-it produces an approximate partition of 700 regions in 35 min. Wagenmaker and Ozay (2016). □

Conclusions
The abstraction method of divergent stutter bisimulation has been applied to reduce a state space before controller synthesis. Divergent stutter bisimulation is a well-known abstraction in the field of model checking, which preserves CTL * \• properties. This paper leverages these results to simplify the task of controller synthesis. It is shown that a controller synthesised to satisfy any LTL \• specification on a reduced state space based on divergent stutter bisimulation can be converted back to a controller for the original system. This synthesis method is sound and complete relative to a sound and complete synthesis procedure for the abstract state space.
These results improve on bisimulation-based abstraction, because divergent stutter bisimulation results in coarser partitions and is more likely to terminate even for infinite state spaces. This abstraction can also be considered as more insightful for continuous systems as it ignores the number of steps needed to transition from one region to another.
In future work, the authors would like to combine divergent stutter bisimulation with dual-simulation (Wagenmaker & Ozay, 2016). Dual-simulation is related to simulation equivalence (Henzinger et al., 2005) and improves on bisimulation using covers instead of partitions, and could benefit from the abstraction of stuttering steps in the same way as bisimulation does. It would also be interesting to generalise the results about LTL \• specifications to CTL \• or CTL * \• , and to consider control under uncertainty or disturbance.