Abstract. This paper investigates the synthesis of robust controllers from logical specification of regular properties given in an interval temporal logic QDDC. Our specification encompasses both hard robustness and soft robustness. Here, hard robustness guarantees invariance of commitment under user specified relaxed (weakened) assumptions. A systematic framework for logically specifying the assumption weakening by means of a formula, called Robustness criterion, is presented. The soft robustness pertains to the ability of the controller to maintain the commitment for as many inputs as possible, irrespective of any assumption. We present a uniform method for the synthesis of a robust controller which guarantees the specified hard robustness and it optimizes the specified soft robustness. The method is implemented using a tool DCSynth, which provides soft requirement optimized controller synthesis. Through the case study of a synchronous bus arbiter, we experimentally show the impact of hard robustness criteria as well as soft robustness on the ability of the synthesized controllers to meet the commitment "as much as possible". Both, the worst-case and the expected case behaviors are analyzed.
Introduction
In this paper we consider automatic synthesis of robust controllers from regular specification given using an interval temporal logic QDDC (Quantified Discrete Duration Calculus) [13] . A regular property D conceptually specifies a deterministic finite automaton A(D) over finite words. The property holds at a point in behavior if the past of the point is accepted by A(D). Such properties hold intermittently in the behaviour. QDDC is a highly succinct and powerful logic for specifying regular properties [11] . Formally, QDDC has the expressive power of regular languages.
A controller specification consists of a pair of QDDC formulas (D A , D C ) giving the specification of assumption and commitment, respectively. A standard correctness criterion, termed BeCorrect [3] , mandates that in all the behaviour of the synthesized controller, the commitment D C should hold invariantly provided the assumption D A holds invariantly. This can be denoted as (pref (D A ) ⇒ pref (D C )). Here pref (D) holds at a point in behaviour if the regular property D has been invariantly true in the past.
Robustness pertains to the ability of D C holding even when D A does not hold invariantly in the past [3] . A relaxed assumption Rb(D A ) specifies weaker condition than pref (D A ) and a robust specification can be given by the formula (Rb(D A ) ⇒ D C ) that should be satisfied invariantly. Thus, D C should hold whenever the relaxed assumption Rb(D A ) holds. We term this as hard robustness. For example, given integer parameters k and b, the relaxed assumption LenCntInt(D A , k, b) holds at a point i if the assumption D A is violated at most k times in the interval [i − (b + 1), i] spanning b previous cycles from the current point i. The controller synthesized under the relaxed assumption LenCntInt(D A , k, b) would be more robust as it will tolerate upto k assumption violations in recent past.
As a complementary notion of robustness, we propose soft robustness, which pertains to the ability of a controller to meet D C even when the relaxed assumption Rb(D A ) does not hold. The controller synthesis technique should try to satisfy D C "as much as possible" irrespective of the assumption [4] . Note that soft robustness is a global optimization problem [1] . For example, the commitment D C may be such that satisfying D C at a current point may prevent it from holding at most points in future. Hence the controller must choose not to satisfy it at the current point.
We structure the formulation of relaxed assumption Rb(D A ) (used to provide hard robustness) as a pair (Rb(A), D A ) where D A is the concrete assumption formulated by the user. Robustness criterion Rb(A), which is a QDDC formula over a fresh proposition A, specifies a generic method of relaxing any assumption D A . A notion of cascade composition Rb(A) Ind(D A , A) (formalized in this paper using logic QDDC), gives us the desired relaxed assumption formula Rb(D A ). We develop a theory of robustness criteria and its impact on the robustness of resulting controllers by defining dominance relation between them.
We show that logic QDDC can be used to conveniently and systematically formulate a wide variety of robustness criteria Rb(A). The interval logic modalities, bounded counting constraints and second order quantification features of logic QDDC are particularly helpful in the formulation of various robustness criteria. We provide a list of several useful robustness criteria, spanning some existing as well as novel notions.
Thus, we have a logic based specification of hard robustness. We can order these robustness criterion by their weakness (in logical implication order). We show that a weaker robustness criterion specifies a more robust controller. Hence, to get improved hard robustness, the designer must relax the concrete assumption D A with the weakest robustness criterion for which the controller remains realizable. We will illustrate this design aspect in our case studies.
Using the framework of soft requirement guided synthesis implemented in a tool DCSynth [18] , we give a method to synthesize robust controller which guarantees the hard robustness and it optimizes the soft robustness. Tool DCSynth uses techniques from optimal control of Markov Decision Processes [1, 14] for optimizing the expected value of soft robustness.
We show the impact of hard and soft robustness on the ability of the synthesized controller to maintain the desired commitment D C for as many inputs as possible. We give the case studies of a Synchronous bus arbiter (and a Mine pump controller specification in Appendix B). Our experiments show that soft robustness greatly improves the expected value of the commitment holding on random independent and identically distributed (iid) inputs. Moreover, hard robustness gives the worst case guarantees on meeting the commitments. Indeed we get multiple controllers with the same expected value of the commitment D C over random (iid) inputs. But these controllers satisfy D C for incomparable sets of inputs (under the subset ordering). These controllers guarantee D C under diverse relaxed assumptions, thus providing distinct hard guarantees. Thus, our synthesis technique, combining the hard and the soft robustness, seems useful.
The rest of the paper is arranged as follows. Section 2 describes syntax and semantics of the Logic QDDC and the necessary definitions for robust controller synthesis. Section 3 gives the syntax of DCSynth specification and brief outline of synthesis method. Section 4 introduces the theory of robust specifications and its controller synthesis. Section 5 describes Arbiter case study and the corresponding experimental results. In Section 6, we conclude the paper with major contribution and related work.
Quantified Discrete Duration Calculus (QDDC) Logic
Let P V be a finite non-empty set of propositional variables. Let σ a non-empty finite word over the alphabet 2 P V . It has the form σ = P 0 · · · P n where P i ⊆ P V for each i ∈ {0, . . . , n}. Let len(σ) = n + 1, dom(σ) = {0, . . . , n}, σ[i, j] = P i · · · P j and σ[i] = P i .
The syntax of a propositional formula over variables P V is given by:
with &&, ||, ! denoting conjunction, dis-junction and negation, respectively. Operators such as ⇒ and ⇔ are defined as usual. Let Ω(P V ) be the set of all propositional formulas over variables P V . Let i ∈ dom(σ). Then the satisfaction of propositional formula ϕ at point i, denoted σ, i |= ϕ is defined as usual and omitted here for brevity. The syntax of a QDDC formula over variables P V is given by:
where ϕ ∈ Ω(P V ), p ∈ P V , c ∈ N and ∈ {<, ≤, =, ≥, >}.
An interval over a word σ is of the form [b, e] where b, e ∈ dom(σ) and b ≤ e. Let Intv(σ) be the set of all intervals over σ. Let σ be a word over 2 iff b < e and ∀b ≤ i < e :
with Boolean combinations !D, D 1 || D 2 and D 1 && D 2 defined in the expected way. We call word σ a p-variant, p ∈ P V , of a word σ if ∀i ∈ dom(σ), ∀q = p :
Entities slen , scount and sdur are called terms. The term slen gives the length of the interval in which it is measured, scount ϕ where ϕ ∈ Ω(P V ), counts the number of positions including the last point in the interval under consideration where ϕ holds, and sdur ϕ gives the number of positions excluding the last point in the interval where ϕ holds. Formally, for ϕ ∈ Ω(P V )
and
0, otherwise. We also define the following derived constructs:
Finally, we define
A tool DCVALID implements this formula automaton construction in an efficient manner by internally using the tool MONA [8] . It gives minimal, deterministic automaton (DFA) for the formula D. We omit the details here. However, the reader may refer to several papers on QDDC for detailed description and examples of QDDC specifications as well as its model checking tool DCVALID [11] [12] [13] .
Supervisors and Controllers
Now we consider QDDC formulas and automata where variables P V = I ∪ O are partitioned into disjoint sets of input variables I and output variables O. We show how Mealy machines can be represented as special form of Deterministic finite automata (DFA). Supervisors and controllers are Mealy machines with special properties. This representation allows us to use the MONA DFA library [8] to efficiently compute supervisors and controllers in our tool DCSynth. 
An outputnondeterministic Mealy machine is a DFA with a unique reject (or nonfinal) state r which is a sink state i.e. F = Q − {r} and δ(r, i, o) = r for all
Intuition is that the transitions from q ∈ F to r are forbidden (and kept only for making the DFA total). Language of any such Mealy machine is prefixclosed. Recall that for a Mealy machine,
It follows that for all input sequences a nonblocking Mealy machine can produce one or more output sequence without ever getting into the reject state.
For a Mealy machine M over variables (
Here σ, ii, oo must have the same length. We will not distinguish between σ and (ii, oo) in the rest of the paper. Also, for any input sequence ii ∈ (2 I ) * , we will define
Definition 2 (Controllers and Supervisors
). An output-nondeterministic Mealy machine which is non-blocking is called a supervisor. An deterministic supervisor is called a controller.
The non-deterministic choice of outputs in a supervisor denotes unresolved decision. The determinism ordering below allows supervisors to be refined into controllers.
Definition 3 (Determinism Order and Sub-supervisor). Given two supervisors Sup 1 , Sup 2 we say that Sup 2 is more deterministic than Sup 1 , denoted
. We call Sup 2 to be a sub-supervisor of Sup 1 .
Note that being supervisors, they are both non-blocking, and hence
The supervisor Sup 2 may make use of additional memory for resolving and pruning the non-determinism in Sup 1 .
Definition 4 (Must Dominance). Given a supervisor Sup and a QDDC formula D, both over input-output alphabet (I, O), let the set of must-satisfying in- 
The following proposition states that any arbitrary resolution of non-determinism in supervisors preserves the must-guarantees.
For technical convenience, we define a notion of indicator variable for a QDDC formula (regular property). The idea is that the indicator variable w witnesses the truth of a formula D at any point in execution. Thus, Ind(D, w) = pref (EP (w) ⇔ D). Here, EP(w) = (true^ w ), i.e. EP (w) holds at a point if variable w is true at that point. Hence, w will be true exactly on those points where D is true. These indicator variables can be used as auxiliary propositions in another formula using the notion of cascade composition defined below. 
This composition gives a formula over input-output variables (I, O ∪ W ).
Cascade composition provides a useful ability to modularize a formula using auxiliary propositions W which witness regular properties given as QDDC formulas.
) which holds at a point provided the proposition A is false at most 3 times in entire past. Let formula D' = true^<!req>^(slen=1) || true^<ack> which holds at a point provided either the current point satisfies ack or the previous point does not satisfy req. Then, Rb(A) Ind(D',A) is equivalent to the formula (scount !A <=3) && pref(EP(A) <=> D'). This states that at each point, A holds provided D' holds, and the whole formula holds provided count of !A in past is at-most 3. Thus the whole formula holds provided D' is false at most 3 times in the entire past.
DCSynth Specification and Controller Synthesis
This section gives a brief overview of the soft requirement guided controller synthesis method from QDDC formulas. More details can be found in the original paper [18] . The method is implemented in a tool DCSynth. This method and the tool will be used for robust controller synthesis in the subsequent sections.
Recall that, by the definition of supervisors, Sup must be non-blocking. The supervisor Sup is called maximally permissive provided for any supervisor Sup such that (Sup realizes inv D) we have Sup ≤ det Sup . Thus, no other supervisor with larger languages realizes the invariance of D. This Sup is unique upto language equivalence of automata, and the minimum state maximally permissive supervisor is denoted M P S(D).
A well-known greatest fixed point algorithm for safety synthesis over A(D) gives us M P S(D) if it is realizable. We omit the details here (see [18] ).
Proposition 2 (MPS Monotonicity
, we have: 
it exist). The synthesis method first computes M P S(D h
). In the next step a sub-supervisor of M P S(D h ) which satisfies D s for "as many inputs as possible" is computed. This is formalized using a notion of H-optimality w.r.t. the soft requirement D s . Let H be a natural number called horizon. We construct a sub-supervisor of M P S(D s ) by pruning non-deterministic choice of outputs by retaining only the outputs which give the highest expected count of (intermittent) occurrence of D s over the next H steps of execution. This count is averaged over all input sequences of length H. A well known value-iteration algorithm due to Bellman [1] , adapted from optimal strategy synthesis for Markov Decision Processes, gives us the required sub-supervisor. Book [14] gives a proof of H-optimality of the value iteration algorithm and resulting supervisor. This construction is implemented in our tool DCSynth. See [18] for details of the algorithm and its symbolic BDD based implementation. The resulting sub-supervisor is denoted by M P HOS(D h , D s , H). As M P HOS is obtained by pruning nondeterministic outputs in M P S, we have the following proposition [18] .
Using Proposition 1, this shows that M P HOS retains all the must-guarantees
itself can be non-deterministic as from a state and on a given input there may be more than one choice of H-optimal output. All of these optimal choices are retained in M P HOS, giving the maximally permissive H-optimal sub-supervisor of
In tool DCSynth, we allow users to specify a preference ordering Ord on the set of outputs 2
O . Any supervisor Sup can be determinized by retaining only the highest ordered output amongst those permitted by Sup. This is denoted Det Ord (Sup). In tool DCSynth, the output ordering is specified by giving a lexicographically ordered list of output variable literals. This facility is used to determinize M P HOS(D h , D s , H) and M P S(D h ) supervisors as required.
Example 2. For a supervisor Sup over variables (I, {o 1 , o 2 }), an output ordering can be given as list (o 1 > !o 2 ), Then, the determinization step will select the highest allowed output in from ( 
Specification and Synthesis of robust controllers
This section introduces the notion of robustness and controller synthesis from Robust Specification. The reader is urged to re-look at the explanation and motivation for robust specification given in the Introduction section 1. We define the 
The hard requirement states that the commitment D C must hold whenever the relaxed assumption Rb(A) Ind(D A , A) holds. Moreover, it specifies D C as the soft-requirement. The controller must be optimized so that the soft requirement holds for as many inputs as possible, irrespective of the assumption.
Synthesis from Robust Specification
The robust controller synthesis method supported by tool DCSynth is as follows.
-The user provides the Robust specification (D A , D C , Rb(A)). The user also provides a horizon value H. -The corresponding DCSynth specification is automatically obtained as outlined in Equation 1. The tool DCSynth is used to obtain M P S and M P HOS supervisors as described in Section 3. These supervisors are denoted as
respectively. Both these supervisors may be output non-deterministic. The reader should recall that the M P S supervisor only guarantees the hard-robustness, whereas the M P HOS supervisor further improves M P S by optimizing the softrobustness (while retaining hard-robustness guarantee). -The user specifies an output order ord as a prioritized list of output literals. This is used to get the deterministic controllers H) ), respectively.
Designing and Comparing Robustness Criteria
A key element of our robust specification (D A , D C , Rb(A)) is the robustness criterion Rb(A). It provides a generic method of relaxing the assumption D A . In this section we study how to compare two robustness criteria. We also formulate some methods for systematic design of robustness criteria. Given robustness criteria Rb 1 (A) and Rb 2 (A), we say that Rb 1 (A) implies Rb 2 provided |= dc Rb 1 (A) ⇒ Rb 2 (A). This gives us the implication ordering on robustness criteria. The following theorem shows that implication ordering improves the worst case guarantee of D C holding but it makes supervisors less realizable.
Thus |= dc φ 2 ⇒ φ 1 . Then, by Proposition 2, we have M P S(φ 1 ) ≤ det M P S(φ 2 ). From this, by applying proposition 1, we get the desired result M P S(φ 1 ) ≤ D C must M P S(φ 2 ). We also get (b).
Error-Types: Defining Intervals with Assumption Errors. Let proposition A designate points in behaviour where assumption is satisfied. In terms of this, we define Erroneous intervals by giving Error-type formulas. For examples, intervals with at least three violations of A can be given by (scount !A >=3).
-Intervals where A does not hold at the end-point.
LocalErr(A) = (true^<!A>) -Intervals having more that k assumption violations (!A).
CountErr(A,k) = (scount !A > k). -Burst error interval is an interval where the assumption proposition A remains false invariantly. So, the intervals where there is burst error of length more than k is given by the formula
The intervals containing a subinterval with BurstError(A,k) are given by HasBurstErr(A,k) = (<>(BurstErr(A,k))).
-We define an interval to be a recovery interval, if A is invariantly true in that interval. Its length is called recovery period. Intervals where all recovery periods are of length less than b is denoted by
) Proof. These implications hold straightforwardly using the QDDC semantics. For example, RecoveryErr (b, Err ) = HasNoRecovery(A, b) && Err (by definition). This logically implies Err giving us (d). We omit the remaining proofs.
Error-Scope: Restricting the Occurrence of Errorneous Intervals Let
Err be any of the Error-type formulas giving erroneous intervals. We now specify the restrictions on occurrence of these errors by suitable QDDC formulas. These are called Error-scope formulas. They are parameterized by Err.
-The error never occurs in past for any interval.
NeverInPast(Err) = !<>Err. 
For any scope formula SCP (Err) defined above, we have if |= dc Err 1 ⇒ Err 2 , then |= dc SCP (Err 2 ) ⇒ SCP (Err 1 ) Proof. The proofs of these implications are immediate from definitions using QDDC semantics. For example, (true^Err) implies (true^Err^true) which equals Err by QDDC. Hence, NeverInPast(Err ) which equals ! Err implies !(true^Err ) which equals NeverInSuffix (Err ). This gives us (a).
As a second example, NeverInPast(Err ) = (! (Err )) (by definition), which implies ! ((slen ≤ (b − 1 )) && Err ). This, by definition, equals the formula, NeverInPastLen(b, Err ). Hence we get (c). We omit the remaining proofs. Table 1 . Robustness criteria Rb(A) defined using Error-types and Error-Scope formulas. There may use additional integer parameters K, B.
We combine various Error-type formulas with Error-scope formulas (defined above) to obtain a wide variety of Robustness Criteria. These are tabulated in Table 1 . These provide users with diverse ways of achieving robust specification. We give a brief intuitive description of some of the defined criteria.
-Criterion BeCorrect(A) holds at a point if !A never occurs in its past. By contrast BeCurrentlyCorrect(A) holds at a point (irrespective of the past) if A holds at the point. Thus, the later is implied by the former. -Criterion LenCntInt(A,K,B) with integer parameters K, B holds at a point i provided in last B cycles from i, violation !A occurs at most k times. The past beyond last B cycles does not affect its truth. -A resilient controller recovers from past errors provided A holds continuously for B cycles (such an interval is called a recovery interval). The criterion ResCntInt(A,K,B) holds at a point provided after the last recovery interval the count of violation of A is at most k. -A burst error of length K is said to occurs if !A occurs continuously for K points. Criterion LenBurstInt(A,K,B) holds at point i provided in last B cycles before i there is no burst error of length K.
The robustness criteria can be ordered by implication ordering which also improves the hard robustness of the synthesized controller (See Theorem 2). Figure 1 gives the implication ordering between the robustness criteria of Table 1 . Table 1 . Here A → B denotes the validity |= dc A ⇒ B.
Theorem 3. All the implications given in Figure 1 are valid. Proof. The proofs of these implications follow easily from the definitions of the robustness criteria by using propositions 4 and 5. As an example, we prove that |= dc BeCorrect(A) ⇒ BeCurrentlyCorrect(A). Formula BeCorrect(A) equals (by definition) NeverInPast(LocalErr (A)), which by Proposition 5(a) implies NeverInSuffix (LocalErr (A)) which by definition equals BeCurrentlyCorrect(A), thus proving the claim.
As a second example, we prove that |= dc ResCntInt(A) ⇒ ResBurstInt(A). We have |= dc HasBurstErr (A, k ) ⇒ CountErr (A, k ) by Proposition 4(b). Thus, |= dc RecoveryErr (b, HasBurstErr (A, k )) ⇒ RecoveryErr (b, CountErr (A, k )) by Prop 4(e). Then, using Prop. 5(e) and instantiating SCP by NeverInSuffix , we get HasBurstError (A, k )) ). This proves the result. We omit the remaining proofs.
Case Study: A Synchronous Bus Arbiter
An n-cell synchronous bus arbiter has inputs {req i } and outputs {ack i } where 1 ≤ i ≤ n. In any cycle, a subset of {req i } is true and the controller must set one of the corresponding ack i to true. The arbiter commitment, ArbCommit(n, k), is the conjunction of the following four properties. Resp(reqi, acki, k)) where
In QDDC, The formula trueˆ P holds at a point i in execution if the P holds at that point. Thus, the formula M utex(n) gives mutual exclusion of acknowledgments; N oLoss(n) states that if there is at least one request then there must be an acknowledgment; and N oSpurious(n) states that acknowledgment is only given to a requesting cell. Formula trueˆ(([[req]] && (slen = (k − 1))) states that in the last k cycles req is invariantly true. Similarly, the formula trueˆ(scount ack > 0 && (slen = (k − 1))) states that in last k cycles the ack has been true at least once. Then, the formula Resp(req, ack, k) states that if req has been continuously true in last k cycles, there must be at least one ack within last k cycles. So, Response(n, k) says that each cell requesting continuously for last k cycles must get an acknowledgment within last k cycles.
A controller can invariantly satisfy ArbCommit(n, k) if n ≤ k. Tool DCSynth gives us a concrete controller for the instance (D h = ArbCommit(6, 6), D s = true). It is easy to see that there is no controller which can invariantly satisfy ArbCommit(n, k) if k < n. Consider the case when all req i are continuously true. Then, it is not possible to give response to every cell in less than n cycles due to mutual exclusion of req i .
To handle such desirable but unrealizable requirement we make an assumption. Let the proposition Atmost(n, i) be defined as ∀S ⊆ {1 . . . n}, |S| ≤ i. ∧ j / ∈S ¬req j . It states that at most i out of total n requests can be true simultaneously. Then, the arbiter assumption is the formula ArbAssume(n, i) = true^ Atmost(n, i) , which states that Atmost(n, i) holds at the current cycle.
So the specification for the synchronous arbiter is an assumption-commitment pair (ArbAssume(n, i), ArbCommit(n, k)), which is denoted by Arbiter(n, k, i). Figure 2 in Appendix A gives the textual syntax for the robust specification (Arbiter(4, 3, 2)) with BeCurrentlyCorrect(A) criterion in tool DCSynth.
Expected Case Performance We can measure the performance of a synthesized controller Cnt in meeting a regular requirement D by evaluating E D (Cnt), the expected value of D holding in the behaviours of Cnt in long run under random (i.e. iid) inputs [1] . The tool DCSynth allows E D (Cnt) to be computed as outlined below.
The product Cnt × A(D) of the controller with the deterministic recognizer A(D) for formula D gives us a deterministic recognizer automaton which is in a final state precisely on inputs where Cnt satisfies the property D. We can translate this into a Discrete Time Markov Chain, denoted M unif (Cnt × A(D)), by assigning uniform discrete probabilities to all the inputs from any state. In constructing this Markov chain, we have assumed that the inputs are iid, i.e. they occur independently of the past, and all inputs are equally likely. Standard techniques from Markov chain analysis allow us to compute the Expected value of being in accepting states in long runs of M unif (Cnt × A(D)), which also gives us E D (Cnt). A leading probabilistic model checking tool MRMC implements this computation [7] . In DCSynth, we provide a facility to compute M unif (Cnt × A(D)) in a format accepted by the tool MRMC. Hence, using MRMC, we are able to compute E D (Cnt)
Experimental Results
The synchronous bus arbiter case study specifies the assumption-commitment pair (D A , D C ) for an Arbiter(n, k, i) consisting of n-cells with response time requirement of k cycles, under the assumption that at most i requests occur in each cycle. We denote by detM P S(Arb) and detM P HOS(Arb) the M P S and the M P HOS for Arbiter(4, 3, 2) determinized under the default output ordering a1 > a2 > a3 > a4. We use H = 50 in synthesizing the M P HOS. Controllers were synthesized for various robustness criteria, and their performance was measured as the corresponding expected values E D C (detM P S(Arb)) and E D C (detM P HOS(Arb)). Table 2 provides these values under the columns titled E(Arb − M P S) and E(Arb − M P HOS), respectively.
Similarly, for a case study of a Minepump Controller specification (omitted here for brevity but it can be found in Appendix B), we synthesized the determinized M P S and M P HOS controllers under the default output P umpOn and various robustness criteria. We measured the performance of these controllers as the expected values E D C (detM P S(M P )) and E D C (detM P HOS(M P )). Table  2 provides these values under the columns titled E(M P − M P S) and E(M P − M P HOS), respectively.
In all the above cases, the tool DCSynth performs efficiently by giving the required controllers for Arbiter within 1 seconds and for Minepump within 3 seconds. The detailed statistics for each of the example can be found in Appendix A and B. All these experiments were done on Ubuntu 18.04 system with Intel i5 64 bit, 2.5 GHz processor and 4 GB memory.
An examination of Table 2 is quite enlightening. We state our main finding.
-In both the case studies, the robustness criterion AssumeT rue leads to unrealizable specification whereas all other criteria give realizable specifications. -In both the case studies, for the M P S controllers, the Expected value of commitment D C increases with the implication ordering given in Figure 1 . The value ranges from 0 to 83% for the Arbiter and 0 to 99% for the Mine pump. Thus, the robustness criterion has a major effect on the performance of the synthesized M P S controller. Also, for many robustness criteria, the Expected D C value is 0. This happens as these criteria (defined using the Error-Scope formulas NeverInPast) are non-recoverable -once the criterion becomes false it remains false in future. Hence, it is desirable to use recoverable criteria defined using the Error-scope formulas NeverInSuffix . -The M P HOS controller which improves the M P S controller by optimizing the soft requirement D C has an overwhelming impact on the expected value of D C . In both the case studies, the value is above 99% irrespective of Arbiter(4,3,2) Minepump(8,2,6,2) Robustness the robustness criterion. Thus, soft-robustness vastly improves the expected performance of the controller and should be preferred over M P S.
-We often get M P HOS controllers with the same/similar expected value of D C for several robustness criteria. It should be noted that these are different controllers providing distinct hard-robustness guarantees. For example, in the Arbiter(4, 3, 2) case study, the controllers BeCurrentlyCorrect is mustincomparable with all the others, whereas for M inepump(8, 2, 6, 2), this is must equivalent but not identical with any of the other other controllers. Hence, the circumstances (relaxed assumptions) under which they guarantee D C are quite different. This shows that a combination of the hard and the soft robustness, as supported by our tool DCSynth, is useful. -We have also experimented with various default output orderings. Default values have quite small impact on the expected values of D C in M P HOS. However, they significantly impact the no. of states in resulting controller.
Contributions and Related Work
A robust controller should continue to function (i.e maintain its commitment) under failure of environmental/plant assumptions. When such failures are transient, the controller should be able to recover from the failure by reestablishing the commitment in bounded time [4, 10] . The main contribution of this paper is a logical framework of hard robustness for specifying and relaxing (weakening) assumptions under which a controller works. A formula based technique for relaxing any user specified regular assumption is developed. As the experiments show, such weakening has a marked impact on the Expected value of Commitment. Soft robustness pertains to the ability of the controller to maintain commitment "as much as possible" irrespective of any assumption; this is an optimization problem. We have proposed a method for synthesizing a controller which guarantees the hard robustness, and it optimizes the soft robustness. With case studies, we have shown the impact of hard and soft robustness on both the worst case and the expected behaviour of the controller. These experiments show that the combination of hard and soft robustness, as proposed here, is beneficial. Logic QDDC, based on Duration Calculus of Zhou et al [19] , provides a very powerful vocabulary for stating robustness properties.
Several authors have investigated the notion of robustness [4, 6, 10] . Bloem et al [4] provide a classification of different robustness notions; including the BeCorrect and BeCurrentlyCorrect criteria. They term our soft robustness as "Never Give Up" notion. Ehler et al [6] and Bloem [2] address the notion of resilience; an ability to recover from errors in bounded error-free period. We have shown that many such notions can be specified in our framework. We also give a method to compare robustness notions by an implication order and we use a must dominance order to compare the worst case behaviour of corresponding supervisors. Moreover, a uniform synthesis method is applied to these defined notions.
Traditional reactive synthesis has only focused on "correct-by-construction" from LTL properties. Recent work increasingly considers regular properties (see Belta et al [17] ). Controller Synthesis from regular properties was pioneered by Ramadge and Wonham [9, 15, 16] . Ehler et al [5] compares the supervisory control with the reactive synthesis framework. Here we enhance the Ramadge-Wonham framework to robustness.
A Arbiter DCSynth Specification and Robust controllers
This section gives the DCSynth specification for BeCurrentlyCorrect robust specification of Arbiter and robust controller synthesis form this specification. As the supervisors are finite state mealy machines and a commitment D C is a regular property, we can use validity checking of QDDC to check whether Sup 1 ≤ D C must Sup 2 for supervisors Sup 1 and Sup 2 . In tool DCSynth, we provide a facility to decide must-dominance between two supervisors. The tool also gives a counter example if must dominance fails. Following are the major observations.
-M P S supervisors for Arbiter(4, 3, 2) are found to follow exactly the same robustness order as given by theoretical result in Figure 1 . The "==" indicates that the supervisors are identical, whereas "=" indicates that they are must equivalent but not identical. -M P HOS supervisors does not have theoretical order. However, it is observed for Arbiter(4, 3, 2) that M P HOS supervisor for BeCurrentlyCorrect specification becomes incomparable with all other supervisors. All the other supervisors become identical as shown in Figure 3 . We use "==" to indicate that the supervisors are identical, whereas "=" indicates that they are must equivalent but not identical. 
A.1 Expected Case performance
Expected values of various robust controllers are given in Table 3 . It is evident that expected values of meeting the commitment using hard robustness (given as MPS in column 2) as well as soft robustness (given as MPHOS in column 4) are useful and maximize the holding of commitments.
A.2 Tool Performance
In this section we provide the detailed statistics on synthesis of various robust supervisors/controllers for Arbiter examples. Table 4 provides the details for Arbiter example. Appendix B (Table 7) provides the Minepump specification and related dominance and performance study.
The Table 4 provides the number of states and time required to synthesize the Monitor Automaton, the corresponding MPS, MPHOS and Controller Table 3 . Expected Values of meeting the commitments for various robust controllers of Arbiter (4, 3, 2) . The default output order to determinize the supervisor is a1 > a2 > a3 > a4. (using default value). It is evident that the Monitor construction from QDDC specification and the bounded horizon computation of MPHOS based on soft requirements takes most of the time. It can also be noted that MPHOS for most of the robust specifications (e.g. BeCorrect, KBLenCnt, KBLenBurst, KBResCnt, KBResBurst) having different behaviour in MPS specification becomes identical for MPHOS specification (See Controller stats in Table 4 ). This shows the effect of soft requirements in synthesis of optimal controller.
A.3 Simulation of Robust Controllers
The robust controllers synthesized are encoded as Lustre models. We give the simulation (on same inputs) traces of Arbiter(4, 3, 2) example using Lustre simulator. It can be seen how each one of them generator different output trace for the same inputs. A.4 Automata synthesized for 2 cell arbiter Fig. 8 gives the monitor automaton for 2-cell arbiter (See section 5.1) for n-cell arbiter specification. Each transition is labeled by 4 bit vector giving values of req 1 , req 2 , ack 1 , ack 2 . Fig. 9 gives the MPS automaton for the 2-cell arbiter computed from the safety monitor automaton of Fig. 8 . (There is an additional reject state. All missing transitions are directed to it. These are omitted from the diagram for simplicity.) Note that this is a DFA whose transitions are labelled by 4-bit vectors representing alphabet 2 {req1,req2,ack1,ack2} . As defined in Definition 1, the DFA also denotes an output-nondeterministic Mealy machine with input variables (req 1 , req 2 ) and output variables (ack 1 , ack 2 ). The automaton is nondeterministic in output as from state 1, on input (1, 1) it can move to state 2 with output (1, 0), or to state 3 with output (0, 1). The reader can verify that the automaton is non-blocking and hence a controller. In 2-cell arbiter example, with soft requirements ack1, ack2 which give ack1 priority over ack2, we obtain the MPHOS controller automaton of Fig. 9(b) from the MPS of Fig. 9(a) . Note that we minimize the automaton at each step.
B Mine pump DCSynth Specification and Robust controllers
In this section we illustrate the effect of soft requirements on the quality of the synthesized controllers with a case study of a mine pump controller specification [13] . The controller has two input sensors: high water level sensor HH2O and methane leakage sensor HCH4 ; and one output, PumpOn to keep the pump on. The objective of the controller is to safely operate the pump in such a way that the water level never remains high continuously for more that w cycles.
Thus, minepump controller has input and output variables ({HH2O, HCH4}, {P umpOn}). We have following assumptions on the mine and the pump.Their conjunction is denote M ineAssume( , ζ, κ). The conjunction of commitments is denoted M ineCommit(w). It is to be noted that all the assumption and commitments formulas are made intermittent by restricting the scope of each formula to the most recent interval of n cycles i.e. formula is satisfied or violation is decided based on the recent past instead of whole past. This is done by using formula using KBOU N DED(D, n) macro (See Figure B. 4) defined as ((slen < K => (D)) && (true^slen = K => true^(slen = K && (D)))). This is important for robust specification, because if we consider the whole past then even a single violation of formula will keep it unsatisfiable always without allowing it to recover ever. The Minepump specification M ineP ump(w, , ζ, κ) is given by the assumption, commitment pair (M ineAssume( , ζ, κ), M ineCommit(w)). Appendix B.4 gives the textual source of (M ineP ump(8, 2, 6, 2)) for BeCurrentlyCorrect robust specification used by the DCSynth tool.
B.1 Must Dominance betweeen various robust Controllers
Comparision based on Must Dominance We use "==" to indicate that the supervisors are identical, whereas "=" indicates that they are must equivalent but not identical. For M inepump(8, 2, 6, 2) case study some of the supervisors become identical as given in Appendix B Figure 10 .
-M P HOS supervisors does not have theoretical order. However, for M inepump (8, 2, 6, 2) the complete robustness order collapses and all supervisors becomes must equivalent. Although, they are not identical (See Appendix Figure 11 ). The nonInt represents that all the non intermittent specification i.e. ResCnt, LenCnt, ResBurst and LenBurst. 
B.2 Expected Case Performance
Expected values of various robust controllers are given in the Table 5 and 6. It is evident that expected values of meeting the commitment using hard robustness (given as MPS in column 2) as well as soft robustness (given as MPHOS in column 4) are useful and maximize the holding of commitments. Table 7 provides the detailed statistics for synthesizing various robust controllers. It can be seen that monitor automaton computation and MPHOS computation takes the maximum time and total for computing the controller is 3 seconds. (2, 8) 
B.3 Tool Performance

