name: certified-closed-loop-control-packet-networks
description: "Compositional certification framework for packet-network control as an executed-action certification problem. Certified operator sits between proposer and dataplane, projecting candidate actions to executable actions satisfying certificates. Covers backlog caps, service floors, Foster-Lyapunov drift, compositional envelope contracts. Activation: packet network control, certified control, compositional certification, network dynamical systems, closed-loop control certification."
Practical Defaults
- Paper: arXiv:2606.02368 - "Certified Closed-Loop Control for Packet Networks: A Compositional Certification Framework"
- Authors: Muhammad Bilal, Jon Crowcroft, Xiaolong Xu, Huaming Wu
- Submitted: 2026-06-01
- Categories: cs.NI (Networking), cs.SY (Systems/Control), eess.SY (Systems Engineering)
- MSC Classes: 93D15, 93D20 (Control theory), 90B22 (Queueing), 68M20 (System reliability)
Core Methodology
Problem Statement
Packet networks are controlled dynamical systems with:
- Discontinuities (packet arrivals/departures)
- Delayed observations (telemetry lag)
- Partial state information (queue depth estimates)
Adaptive or learning-driven proposers can improve performance, but an unsafe proposal may cause:
- Starvation
- Tail-delay spikes
- Unstable queue behavior
Certification Architecture
Treat packet-network control as an executed-action certification problem:
```
┌─────────────┐     ┌──────────────┐     ┌───────────┐
│  Proposer   │ ──> │  Certified   │ ──> │ Dataplane │
│ (learning/  │     │  Operator    │     │           │
│  adaptive)  │     │              │     │           │
└─────────────┘     └──────────────┘     └───────────┘
               │                      │
               │                      │
             ũ(t)            u(t) or INFEASIBLE
           candidate             executable
            action                 action
```
At each control tick:
- Proposer emits arbitrary candidate action ũ(t)
- Operator projects to executable action u(t) satisfying certificate
- Or reports INFEASIBLE → executes always-defined fallback with quantified slack
- Certificate exports auditable envelope z̄(t) for downstream composition
Certificate Properties
The certificate provides conditional and explicit guarantees:
| Condition | Guarantee |
|---|---|
| Operator reports CERTIFIED | Action satisfies compiled constraints |
| Arrival envelope valid | Backlog bound achievable |
| Backlog bound valid | Service floor satisfied |
| Platform realizes service lower bound | Stability under drift constraints |
Mechanism Coverage
One unified mechanism covers:
| Mechanism | Purpose |
|---|---|
| Backlog caps | Prevent queue overflow |
| Service floors | Ensure minimum throughput |
| Mitigation caps | Limit recovery actions |
| Foster-Lyapunov drift | Queue stability constraints |
| Compositional envelope contracts | Feed-forward composition |
Compositional Safety Results
Three levels of safety guarantees:
| Level | Guarantee | Condition |
|---|---|---|
| Operator-level | Per-tick safety | Certificate satisfaction |
| Feed-forward compositional | Chain safety | Exported envelopes match downstream |
| Cyclic closure | Loop stability | Small-gain condition satisfied |
Small-Gain Condition
For cyclic compositions (A → B → C → A):
γ_A ◦ γ_B ◦ γ_C < id
where γ_i are envelope gain functions. When satisfied:
- Loop has stable fixed point
- Compositional safety closed
- No amplification in cycle
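A sampled check of the small-gain condition for a three-node cycle, as an added example that is not code from the paper. The gain functions, the external input and the helper names are constructed for illustration, and a grid check is evidence over the sampled range, not a proof.

```python
from functools import reduce

def compose(*gains):
    """Return g1 ∘ g2 ∘ ... ∘ gn; the rightmost gain is applied first."""
    return lambda s: reduce(lambda acc, g: g(acc), reversed(gains), s)

def small_gain_holds(gains, s_max, samples=1000):
    """Sampled check that the loop gain maps every s in (0, s_max] below s."""
    loop = compose(*gains)
    for k in range(1, samples + 1):
        s = s_max * k / samples
        if loop(s) >= s:
            return False, s  # first sampled envelope size the loop does not shrink
    return True, None

def iterate_loop(gains, external, z0=0.0, ticks=200):
    """Propagate an envelope round the cycle: z <- loop(z) + external."""
    loop, z = compose(*gains), z0
    for _ in range(ticks):
        z = loop(z) + external
    return z

# Constructed gains for A -> B -> C -> A. gamma_B alone amplifies (slope 1.5)
# and saturates at 40; the condition is on the composition, not on each gain.
def gamma_A(s): return 0.8 * s
def gamma_B(s): return min(1.5 * s, 40.0)
def gamma_C(s): return 0.7 * s
def gamma_C_bad(s): return 0.9 * s  # loop slope 0.8 * 1.5 * 0.9 = 1.08 near zero

if __name__ == "__main__":
    print(small_gain_holds([gamma_A, gamma_B, gamma_C], s_max=100.0))
    print(small_gain_holds([gamma_A, gamma_B, gamma_C_bad], s_max=100.0))
    print(iterate_loop([gamma_A, gamma_B, gamma_C], external=10.0))
```

With the contracting gains the iteration settles at a fixed envelope; with `gamma_C_bad` the check fails at the smallest sampled envelope, which is the amplification the condition rules out.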
Implementation Pattern
Certified Operator Design
```python
# FallbackPolicy, Result, check_arrival_envelope, check_backlog_bound, distance and
# Certificate.best_projection are not defined on this page; they stand for
# deployment-specific helpers.
class CertifiedOperator:
    def __init__(self, certificate_config):
        self.certificate = compile_certificate(certificate_config)
        self.fallback = FallbackPolicy()
        self.service_tracker = ServiceTrackingFactor()

    def process_action(self, candidate_action, telemetry):
        # Check certificate conditions
        arrival_valid = check_arrival_envelope(telemetry.arrivals)
        backlog_valid = check_backlog_bound(telemetry.queues)
        if not (arrival_valid and backlog_valid):
            # Execute fallback with quantified slack
            fallback_action = self.fallback.compute(candidate_action)
            return Result('INFEASIBLE', fallback_action, slack=self.fallback.slack)

        # Project candidate to executable
        executable = self.certificate.project(candidate_action)
        if self.certificate.satisfies(executable):
            # Export auditable envelope
            envelope = self.certificate.export_envelope(executable)
            return Result('CERTIFIED', executable, envelope=envelope)
        else:
            # Fallback with projection slack
            projected = self.certificate.best_projection(candidate_action)
            slack = distance(candidate_action, projected)
            return Result('INFEASIBLE', projected, slack=slack)
```
Certificate Compilation
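```python
# BacklogCap, ServiceFloor, DriftConstraint and EnvelopeContract are not defined on
# this page; each is assumed to expose check(), project() and export_envelope().
def compile_certificate(config):
    """Compile configuration into verification certificate"""
    constraints = []
    # Backlog cap
    constraints.append(BacklogCap(config.max_backlog))
    # Service floor
    constraints.append(ServiceFloor(config.min_service))
    # Foster-Lyapunov drift
    constraints.append(DriftConstraint(config.drift_bound))
    # Compositional envelope
    constraints.append(EnvelopeContract(config.envelope_spec))
    return Certificate(constraints)


class Certificate:
    def __init__(self, constraints):
        self.constraints = constraints

    def project(self, candidate):
        """Find closest executable action satisfying constraints"""
        # Apply each constraint's projection in turn. Sequential projection need
        # not satisfy every constraint, so the caller re-checks with satisfies().
        for c in self.constraints:
            candidate = c.project(candidate)
        return candidate

    def satisfies(self, action):
        """Verify action meets all constraints"""
        return all(c.check(action) for c in self.constraints)

    def export_envelope(self, action):
        """Export auditable envelope for composition"""
        return [c.export_envelope(action) for c in self.constraints]
```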
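One concrete control tick of the operator pattern above, as an added example that is not the paper's implementation. It assumes per-queue service rates as the action, a per-tick arrival bound as the arrival envelope, a scaled-floor fallback, and a worst-case next-tick backlog as the exported envelope; all names and sample values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Tick:  # constructed per-tick inputs; field names are hypothetical
    backlog: list        # q_i, bytes queued now
    arrival_bound: list  # A_i, arrival envelope for this tick, bytes
    backlog_cap: list    # B_i, certified backlog cap, bytes
    floor: list          # f_i, service floor, bytes/s
    capacity: float      # C, link capacity, bytes/s
    dt: float            # tick length, s

def lower_bounds(t):
    """Smallest rate per queue with q + A - u*dt <= B and u >= floor."""
    return [max(f, (q + a - b) / t.dt) for q, a, b, f in
            zip(t.backlog, t.arrival_bound, t.backlog_cap, t.floor)]

def project(candidate, lo, capacity, iters=60):
    """Euclidean projection onto {u >= lo, sum(u) <= capacity}; needs sum(lo) <= capacity."""
    u = [max(lb, c) for lb, c in zip(lo, candidate)]
    if sum(u) <= capacity:
        return u
    # The projection has the form u_i = max(lo_i, c_i - tau); bisect on tau >= 0.
    tau_lo, tau_hi = 0.0, max(c - lb for lb, c in zip(lo, candidate))
    for _ in range(iters):
        tau = (tau_lo + tau_hi) / 2
        if sum(max(lb, c - tau) for lb, c in zip(lo, candidate)) > capacity:
            tau_lo = tau
        else:
            tau_hi = tau  # tau_hi always satisfies the capacity constraint
    return [max(lb, c - tau_hi) for lb, c in zip(lo, candidate)]

def certify(candidate, t):
    """Return (status, executed action, slack, next-tick backlog envelope)."""
    lo = lower_bounds(t)
    need = sum(lo)
    if need > t.capacity:  # no action meets every bound: hypothetical scaled fallback
        u = [lb * t.capacity / need for lb in lo]
        status, slack = "INFEASIBLE", need - t.capacity
    else:
        u = project(candidate, lo, t.capacity)
        status, slack = "CERTIFIED", 0.0
    envelope = [max(0.0, q + a - x * t.dt)
                for q, a, x in zip(t.backlog, t.arrival_bound, u)]
    return status, u, slack, envelope

# Constructed sample: the proposer starves queue 0 while its backlog nears the cap.
SAMPLE = Tick([30000, 5000, 0], [20000, 10000, 5000], [40000] * 3, [1e5] * 3, 1.25e6, 0.01)
if __name__ == "__main__":
    print(certify([0.0, 1.25e6, 0.0], SAMPLE))
```

Raising an arrival bound until the summed lower bounds exceed capacity flips the result to INFEASIBLE, with the slack reporting the shortfall in bytes/s.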
Service Tracking Factor
Calibration linking certified targets to realized scheduler behavior:
```python
# adaptive_estimate is not defined on this page; it stands for the estimator in use.
class ServiceTrackingFactor:
    """Calibrate gap between certified targets and actual service"""

    def calibrate(self, certified_service, realized_service):
        # Track drift between specification and reality
        drift = realized_service - certified_service
        # Update tracking factor
        self.factor = adaptive_estimate(drift)
        # Adjust future certificates
        return self.factor
```
Evaluation Results
Test Conditions
Validated under:
- Delayed telemetry (estimation lag)
- Delayed actuation (control lag)
- Weak proposers (suboptimal candidates)
- Envelope mismatch (incorrect arrival bounds)
- Overload (capacity exceeded)
- Millisecond-scale certification (real-time constraints)
Current Evaluation
- Byte-level closed-loop backend validated
- Certified execution boundary confirmed
- Deployment-level scheduler tracking → future work (Linux/hardware)
Practical Applications
Network Control Systems
- AQM (Active Queue Management) controllers
- Traffic shaping policies
- Load balancing decisions
- Congestion control algorithms
Composition Patterns
- Multi-hop network chains (A→B→C→D)
- Cyclic topologies (ring networks)
- Hierarchical control (edge→core→cloud)
Integration with Learning-Based Control
- RL-based proposers (policy gradient)
- Model-predictive control (MPC)
- Adaptive queue management
When to Use
- Packet networks with adaptive control
- Learning-based proposers need safety guarantees
- Multi-hop compositions requiring envelope contracts
- Systems needing explicit, auditable safety bounds
- Real-time certification (<1ms latency)
Key Contributions
- Executed-action certification paradigm for network control
- Compositional envelope contracts for chain safety
- Small-gain cyclic closure result
- Unified mechanism covering backlog, service, drift, envelope
- Service tracking factor for certification calibration
Related Skills
- [[ssm-contraction-control]] - Contractive controller design for SSMs
- [[control-systems/mpc-rl-integration]] - MPC-RL integration patterns
- [[small-gain-distributed-stability]] - Small-gain analysis for distributed systems
- [[safety-liveness-control-contracts]] - Safety-liveness control contracts
Pitfalls
- Certificate conditions must be verified → Guarantees are conditional
- Service tracking needs calibration → Real behavior ≠ specification
- Envelope mismatch causes infeasibility → Arrival bounds must be accurate
- Small-gain condition required for cycles → Verify before deployment
- Real-time certification has latency bounds → Millisecond-scale only
References
- arXiv:2606.02368 - Original paper
- Foster-Lyapunov drift theory
- Small-gain theorem for cyclic systems
- Compositional verification methods