🤖 AI Summary
Safety-critical controllers in embedded systems such as cars and trains must keep winning against an adversarial or uncertain environment, which calls for automated synthesis of permissive nondeterministic winning strategies for two-player hybrid games.
Method: The paper introduces subvalue maps, a compositional representation of such strategies, and gives an inductive semantic characterization in differential game logic (dGL) of when a subvalue map induces a sound control envelope. It proves that a maximal subvalue map, the greatest fixpoint of this characterization, exists and satisfies it.
Contribution/Results: Because the characterization follows the structure of the game, modeling, verification and synthesis can proceed compositionally, and the synthesized envelope admits every action that is still safe rather than committing to one conservative deterministic choice. A prototype implementation synthesizes such control envelopes on examples that use the expressivity of dGL to model a range of control problems, making the boundary between safe and unsafe control choices explicit and verifiable.
📝 Abstract
Control problems for embedded systems like cars and trains can be modeled by two-player hybrid games. Control envelopes, which are families of safe control solutions, correspond to nondeterministic winning policies of hybrid games, where each deterministic specialization of the policy is a control solution. This paper synthesizes nondeterministic winning policies for hybrid games that are as permissive as possible. It introduces subvalue maps, a compositional representation of such policies that enables verification and synthesis along the structure of the game. An inductive logical characterization in differential game logic (dGL) checks whether a subvalue map induces a sound control envelope, i.e., one that always induces a winning play. A policy is said to win if it always achieves the desirable outcome when the player follows it, no matter what actions the opponent plays. The maximal subvalue map, which allows the most action options while still winning, is shown to exist and to satisfy a logical characterization. A family of algorithms for nondeterministic policy synthesis can be obtained from the inductive subvalue map soundness characterization. An implementation of these findings is evaluated on examples that use the expressivity of dGL to model a range of diverse control challenges.
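The abstract describes three things a practitioner needs to see together: a winning region as a greatest fixpoint, the maximal nondeterministic policy (control envelope) that allows every action still keeping the play inside that region, and an inductive soundness check that any envelope, including each deterministic specialization, must pass. The example below is added here for illustration and is not code from the paper; it replaces the hybrid game with a constructed finite-state game (a vehicle with position `x` and speed `v` must never reach the crash position, the controller picks brake/coast/accelerate, and the opponent adds drift while moving) so that the fixpoint can be computed by plain set iteration. The functions `winning_region`, `maximal_envelope` and `envelope_is_sound` are assumptions of this example, not the paper's API, and `envelope_is_sound` is a finite-state stand-in for the dGL characterization, not that characterization itself.

```python
# Constructed finite-state analogue of a control envelope problem (illustration only,
# not the paper's hybrid-game model). State = (position x, speed v).
XMAX = 5                      # x == XMAX is the crash position (absorbing, unsafe)
VMAX = 2
ACTIONS = (-1, 0, 1)          # controller: brake / coast / accelerate
DISTURBANCES = (0, 1)         # opponent: extra forward drift, only while moving

STATES = [(x, v) for x in range(XMAX + 1) for v in range(VMAX + 1)]


def clamp(n, lo, hi):
    return max(lo, min(hi, n))


def successors(state, action):
    """All states the opponent can force after the controller plays `action`."""
    x, v = state
    v2 = clamp(v + action, 0, VMAX)
    out = set()
    for d in DISTURBANCES:
        drift = d if v2 > 0 else 0
        out.add((min(XMAX, x + v2 + drift), v2))
    return out


def safe(state):
    """Safety condition: never reach the crash position."""
    return state[0] < XMAX


def controllable_pre(target):
    """States from which some action keeps every opponent reply inside `target`."""
    return {s for s in STATES
            if any(successors(s, a) <= target for a in ACTIONS)}


def winning_region():
    """Greatest fixpoint nu X. Safe & CPre(X), computed by descending iteration
    from the set of safe states until the set stops shrinking."""
    region = {s for s in STATES if safe(s)}
    while True:
        nxt = region & controllable_pre(region)
        if nxt == region:
            return region
        region = nxt


def maximal_envelope():
    """Most permissive nondeterministic winning policy: at each winning state,
    allow exactly the actions whose every outcome stays in the winning region."""
    win = winning_region()
    return {s: frozenset(a for a in ACTIONS if successors(s, a) <= win)
            for s in win}


def envelope_is_sound(envelope):
    """Inductive soundness check (finite-state stand-in for the paper's dGL
    characterization): the domain is safe, every state offers at least one
    action, and every allowed action keeps all opponent replies in the domain."""
    dom = set(envelope)
    for s, allowed in envelope.items():
        if not safe(s) or not allowed:
            return False
        for a in allowed:
            if not successors(s, a) <= dom:
                return False
    return True


def specialize(envelope, chooser=max):
    """A deterministic control solution: pick one allowed action per state."""
    return {s: frozenset([chooser(acts)]) for s, acts in envelope.items()}


if __name__ == "__main__":
    env = maximal_envelope()
    for s in sorted(env):
        print(s, sorted(env[s]))
    print("sound:", envelope_is_sound(env),
          "deterministic specialization sound:", envelope_is_sound(specialize(env)))
```

Two iterations of `winning_region` suffice here: the first discards `(3, 2)` and `(4, 2)`, where even braking cannot prevent the opponent's drift from forcing the crash position, and the second confirms that every remaining state still has an action whose outcomes lie inside the shrunken set. The envelope is maximal in the sense the abstract describes: adding any further action to any state, for instance accelerating at `(2, 1)`, produces a map that fails `envelope_is_sound`, while every deterministic specialization of the envelope passes it.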