DCSYNTH: Guided Reactive Synthesis with Soft Requirements by Wakankar, Amol et al.
DCSynth: Guided Reactive Synthesis with Soft
Requirements
Amol Wakankar1, Paritosh K. Pandya2, and Raj Mohan Matteplackel2
1 Homi Bhabha National Institute, Mumbai, India.
Bhabha Atomic Research Centre, Mumbai, India.
2 Tata Institute of Fundamental Research, Mumbai 400005, India.
Abstract. In reactive controller synthesis, a number of implementations
(controllers) are possible for a given specification because of incomplete
nature of specification. To choose the most desirable one from the var-
ious options, we need to specify additional properties which can guide
the synthesis. In this paper, We propose a technique for guided controller
synthesis from regular requirements which are specified using an inter-
val temporal logic QDDC. We find that QDDC is well suited for guided
synthesis due to its superiority in dealing with both qualitative and quan-
titative specifications. Our framework allows specification consisting of
both hard and soft requirements as QDDC formulas.
We have also developed a method and a tool DCSynth, which computes
a controller that invariantly satisfies the hard requirement and it opti-
mally meets the soft requirement. The proposed technique is also use-
ful in dealing with conflicting i.e., unrealizable requirements, by making
some of the them as soft requirements. Case studies are carried out to
demonstrate the effectiveness of the soft requirement guided synthesis in
obtaining high quality controllers. The quality of the synthesized con-
trollers is compared using metrics measuring both the guaranteed and
the expected case behaviour of the controlled system. Tool DCSynth fa-
cilitates such comparison.
1 Introduction
Reactive synthesis aims at constructing a controller (say a Mealy Machine) al-
gorithmically from a given temporal logic specification of its desired behaviour.
Considerable amount of research has gone into the area of reactive synthesis and
several tools are available for experimenting with reactive synthesis [13]. How-
ever, existing tools do not have the capability to guide the synthesis towards the
most desirable controller. In practice, user specification may be incomplete and
it may contain certain requirements, which are not mandatory, but desirable.
We term the desirable properties as soft requirements.
In this work, we propose a specification consisting of hard requirement which
are mandatory and needs to be satisfied invariantly, and the soft requirement
which are desirable and should be satisfied at as many points in the execution as
possible. We choose to specify the hard and soft requirements as regular proper-
ties in logic Quantified Discrete Duration Calculus(QDDC) [20, 21]. QDDC is
the discrete time variant of Duration Calculus proposed by Zhou et.al. [8, 33].
ar
X
iv
:1
90
3.
03
99
1v
3 
 [c
s.L
O]
  2
7 M
ay
 20
19
Regular properties can conceptually be specified by a deterministic finite
state automaton (DFA). At any point in the execution, a regular property holds
provided the past behaviour upto the point is accepted by its DFA. The study
of synthesis of controllers for such properties was pioneered by Ramadge and
Wonham [18,25,26]. QDDC is an interval temporal logic, which has the expres-
sive power of regular languages. Section 2 presents the syntax and semantics
of this logic. Prior work [17, 20, 21] shows that any formula in QDDC can be
effectively translated into a language equivalent DFA over finite words. Logic
QDDC’s bounded counting features, interval based modalities and regular ex-
pression like primitives allow complex qualitative and quantitative properties
(such as latency, resource constraints) to be specified succinctly and modularly
(see the example below). With illustrations, papers [19, 21, 22] show how quan-
titative and qualitative regular properties can be succinctly specified in QDDC.
Paper [19] also gives a comparison with other logics such as LTL and PSL. It
should be noted that QDDC does not allow specification of general liveness prop-
erties, however, time bounded liveness can be specified. The following example
motivates need for soft requirement guided synthesis.
Example 1 (Arbiter for Mutually Exclusive Shared Resource). The arbiter has
an input ri (denoting request for access) and an output ai (denoting acknowl-
edgement for access) for each client 1 ≤ i ≤ n. The specification consists of the
following two properties, given as QDDC formulas together with their intuitive
explanation. Section 2 gives the formal syntax and semantics of QDDC.
−Mutual Exclusion Requirement R1: [[ ∧i 6=j ¬(ai ∧ aj) ]], states that at every
point, the access to the shared resource should be mutually exclusive.
−k-cycle Response Requirement R2: [](∧i (([[ri]] && (slen >= (k − 1))) ⇒
(scount ai > 0)) , states that in any observation interval spanning k cycles if
request from ith client (ri) is continuously high during the interval, then that
client should get at least one access (ai) within the observation interval. Modality
[]D states that sub-formula D should hold for all observation intervals. Term slen
gives the length of the observation interval and the term (scount P ) counts the
number of occurrences of proposition P within the observation interval. The
property R2 is asserted for each client 1 ≤ i ≤ n.
When k < n no controller can satisfy both requirements (their conjunction
is unrealizable); consider the case where all clients request all the time. We may
want to opt for an implementation, which mandatorily satisfies R1 and it tries
to meet the R2 “as much as possible”. This can be specified in our framework,
by making requirement R2 as a soft requirement. One possible controller in
such a case will make ai true in a round-robin manner for all the requesting
clients. Let r denote the number of clients requesting simultaneously. The round-
robin policy will mandatorily satisfy R2 under the assumption that invariantly
r ≤ k. But when r > k (overload condition), this controller will be able to
meet the response time requirement R2 for only k out of n clients. Using the
soft requirement, we can also given priority to the clients which meet response
time requirements under overload condition. Thus, soft requirements allow us to
choose the preferred one from several candidate controllers. uunionsq
This paper introduces a tool DCSynth which allows synthesis of controllers
from regular properties (QDDC formulas). The specification in DCSynth is a
tuple (I,O,Dh, Ds), where Dh and Ds are QDDC formulas over a set of in-
put and output propositions (I,O). Here, Dh and Ds are the hard and the
soft requirement, respectively1. We use the term supervisor for a non-blocking
Mealy machine which may non-deterministically produce one or more outputs
for each input. A supervisor may be refined to a sub-supervisor by resolving
(pruning) the non-determinstic choice of outputs (the sub-supervisor may use
additional memory for making the choice.) We define a determinism ordering on
supervisors in the paper. A controller is a deterministic supervisor. Ramadge
and Wonham [25, 26] investigated the synthesis of the maximally permissive
supervisor for a regular specification. The maximally permissive supervisor is
a unique supervisor, which encompasses all the behaviors invariantly satisfying
the specified regular property (See Definition 6). The well known safety synthesis
algorithm applied to the DFA for Dh gives us the maximally permissive super-
visor MPS(Dh) [10]. If no such supervisor exists, the specification is reported
as unrealizable.
Any controller obtained by arbitrarily resolving the nondeterministic choices
for outputs in MPS(Dh) is correct-by-construction. This results in several con-
trollers with distinct behaviours (as shown by previous example). Thus, only
correct-by-construction synthesis is not sufficient [3]. Some form of guidance
must be provided to the synthesis method to choose among the possible con-
trollers. We use the soft requirements to provide such guidance. Our synthesis
method tries to choose a controller, which satisfies the soft requirements (Ds) “as
much as possible”. Soft requirement can also specify the desirable requirements,
which cannot be met invariantly. For example, in a Mine-pump controller, as
soft requirement “keep the pump off unless mandated by the hard requirement”
specifies an energy efficient controller. Specification of scheduling, performance
and quality constraints are often such desirable properties. Moreover, a specifi-
cation may consist of a conjunction of conflicting requirements. In this case, all
the requirements cannot be invariantly met simultaneously. User may resolve the
conflict(s) by making some of these requirements as soft. Therefore, soft require-
ments give us a capability to synthesize meaningful and practical controllers.
In DCSynth, we formalize the notion of a controller meeting the soft require-
ment Ds “as much as possible”, by synthesizing a sub-supervisor of MPS(Dh)
(guaranteeing invariance of Dh), which maximizes the expected value of count
of Ds in next H moves when averaged over all the inputs. The classical value
iteration algorithm due to Bellman [2] allows us to compute this H-optimal
sub-supervisor. This can be further refined to a controller as desired. Thus, our
synthesis method gives a controller which, (a) invariantly satisfies Dh and (b) it
is H-optimal for Ds amongst all controllers meeting condition (a).
The above synthesis method is implemented in tool DCSynth. An efficient
representation of DFA using BDDs, originally introduced by the tool MONA [15],
1 The tool supports more general lexicographically ordered list of soft requirements.
However, we omit the general case for brevity
is used for representing both automata and supervisors. We adapt the safety syn-
thesis algorithm and the value iteration algorithm so that they work symbolically
over this MONA DFA representation.
We illustrate our specification method and synthesis tool with the help of two
case studies2. We define metrics to compare the controllers for their guaranteed
and expected behaviour. The tool DCSynth facilitates measurement of both these
metrics. The main contributions of this paper are as follows:
– We develop a technique for the synthesis of controllers from QDDC require-
ments. This extends the past work on model checking interval temporal logic
QDDC [7,17,20,21,29] with synthesis abilities.
– We propose a method for guided synthesis of controllers based on soft re-
quirements which are met in a H-optimal fashion. Conceptually, this en-
hances the Ramadge-Wonham framework for optimal controller synthesis.
– We present a tool DCSynth for guided synthesis, which
• represents and manipulates automata/supervisors using BDD-based semi-
symbolic DFA. It uses eager minimization for efficient synthesis, and
• provides facility to compare both the guaranteed and expected case be-
haviours of the candidate controllers.
– We analyse the impact of soft requirements on the quality of the synthesized
controllers experimentally using case studies.
The rest of the paper is arranged as follows. Section 2 describes the syntax
and semantics of QDDC. Important definitions are presented in Section 3. Syntax
of DCSynth specification and the controller synthesis method are presented in
Section 4. Section 5 discusses case studies and experimental results. The paper
is concluded with a discussion and related work in Sections 6 and 7.
2 Quantified Discrete Duration Calculus (QDDC) Logic
Let PV be a finite non-empty set of propositional variables. Let σ a non-empty
finite word over the alphabet 2PV . It has the form σ = P0 · · ·Pn where Pi ⊆ PV
for each i ∈ {0, . . . , n}. Let len(σ) = n + 1, dom(σ) = {0, . . . , n}, σ[i, j] =
Pi · · ·Pj and σ[i] = Pi.
The syntax of a propositional formula over variables PV is given by:
ϕ := false | true | p ∈ PV | !ϕ | ϕ && ϕ | ϕ || ϕ
with &&, ||, ! denoting conjunction, dis-junction and negation, respectively. Op-
erators such as ⇒ and ⇔ are defined as usual. Let Ω(PV ) be the set of all
propositional formulas over variables PV . Let i ∈ dom(σ). Then the satisfaction
of propositional formula ϕ at point i, denoted σ, i |= ϕ is defined as usual and
omitted here for brevity.
The syntax of a QDDC formula over variables PV is given by:
D := 〈ϕ〉 | [ϕ] | [[ϕ]] | D ^ D | !D | D || D | D && D
ex p. D | all p. D | slen ./ c | scount ϕ ./ c | sdur ϕ ./ c
2 DCSynth can be downloaded at [31] along with the specification files for experiments.
where ϕ ∈ Ω(PV ), p ∈ PV , c ∈ N and ./∈ {<,≤,=,≥, >}.
An interval over a word σ is of the form [b, e] where b, e ∈ dom(σ) and
b ≤ e. Let Intv(σ) be the set of all intervals over σ. Let σ be a word over 2PV
and let [b, e] ∈ Intv(σ) be an interval. Then the satisfaction relation of a QDDC
formula D over Σ and interval [b, e] written as σ, [b, e] |= D, is defined inductively
as follows:
σ, [b, e] |= 〈ϕ〉 iff b = e and σ, b |= ϕ,
σ, [b, e] |= [ϕ] iff b < e and ∀b ≤ i < e : σ, i |= ϕ,
σ, [b, e] |= [[ϕ]] iff ∀b ≤ i ≤ e : σ, i |= ϕ,
σ, [b, e] |= {{ϕ}} iff e = b+ 1 and σ, b |= ϕ,
σ, [b, e] |= D1^D2 iff ∃b ≤ i ≤ e : σ, [b, i] |= D1 and σ, [i, e] |= D2,
with Boolean combinations !D, D1 || D2 and D1 && D2 defined in the expected
way. We call word σ′ a p-variant, p ∈ PV , of a word σ if ∀i ∈ dom(σ),∀q 6= p :
q ∈ σ′[i]⇔ q ∈ σ[i]. Then σ, [b, e] |= ex p. D ⇔ σ′, [b, e] |= D for some p-variant
σ′ of σ and (all p. D)⇔ (!ex p. !D).
Entities slen , scount and sdur are called terms. The term slen gives the
length of the interval in which it is measured, scount ϕ where ϕ ∈ Ω(PV ),
counts the number of positions including the last point in the interval under
consideration where ϕ holds, and sdur ϕ gives the number of positions exclud-
ing the last point in the interval where ϕ holds. Formally, for ϕ ∈ Ω(PV )
we have slen(σ, [b, e]) = e − b, scount(σ, ϕ, [b, e]) = ∑i=ei=b {1, if σ, i |= ϕ,0, otherwise.
}
and
sdur(σ, ϕ, [b, e]) =
∑i=e−1
i=b
{
1, if σ, i |= ϕ,
0, otherwise.
}
We also define the following derived constructs: pt = 〈true〉, ext =!pt, 〈〉D =
true^D^true, []D = (!〈〉!D) and pref(D) =!((!D)^true). Thus, σ, [b, e] |= []D
iff σ, [b′, e′] |= D for all sub-intervals b ≤ b′ ≤ e′ ≤ e and σ, [b, e] |= pref (D) iff
σ, [b, e′] |= D for all prefix intervals b ≤ e′ ≤ e.
Definition 1 (Language of a formula). Let σ, i |= D iff σ, [0, i] |= D, and
σ |= D iff σ, len(σ) − 1 |= D. We define L(D) = {σ | σ |= D}, the set of
behaviours accepted by D. Formula D is called valid, denoted |=dc D, iff L(D) =
(2PV )+. uunionsq
Thus, a formula D holds at a point i in a behaviour provided the past of the
point i satisfies D.
Theorem 1. [21] For every formula D over variables PV we can construct
a Deterministic Finite Automaton (DFA) A(D) over alphabet 2PV such that
L(A(D)) = L(D). We call A(D) a formula automaton for D or the monitor
automaton for D. uunionsq
A tool DCVALID implements this formula automaton construction in an efficient
manner by internally using the tool MONA [15]. It gives minimal, deterministic
automaton (DFA) for the formula D. We omit the details here. The reader may
refer to several papers on QDDC for detailed description and examples of QDDC
specifications as well as its model checking tool DCVALID [7,19–21,29].
3 Supervisor and Controller
In this section we present QDDC formulas and automata where variables PV =
I∪O are partitioned into disjoint sets of input variables I and output variables O.
It is known that supervisors and controllers can be expressed as Mealy machines
with special properties. Here we show how Mealy machines can be represented as
special form of Deterministic finite automata (DFA). This representation allows
us to use the MONA DFA library [15] to compute supervisors and controllers
efficiently using our tool DCSynth.
Definition 2 (Output-nondeterministic Mealy Machine). A total and
Deterministic Finite Automaton (DFA) over input-output alphabet Σ = 2I × 2O
is a tuple A = (Q,Σ, s, δ, F ) having conventional meaning, where δ : Q × 2I ×
2O → Q. An output-nondeterministic Mealy machine is a DFA with a
unique reject (or non-final) state r which is a sink state i.e., F = Q − {r} and
δ(r, i, o) = r for all i ∈ 2I , o ∈ 2O. uunionsq
The intuition behind this definition is that the transitions from q ∈ F to r are
forbidden (and kept only for making the DFA total). The language of any such
Mealy machine is prefix-closed. Recall that for a Mealy machine, F = Q− {r}.
A Mealy machine is deterministic if ∀s ∈ F , ∀i ∈ 2I , ∃ at most one o ∈ 2O
such that δ(s, i, o) 6= r.
Definition 3 (Non-blocking Mealy Machine). An output-nondeterministic
Mealy machine is called non-blocking if ∀s ∈ F , ∀i ∈ 2I ∃o ∈ 2O such that
δ(s, i, o) ∈ F . It follows that for all input sequences a non-blocking Mealy ma-
chine can produce one or more output sequence without ever getting into the
reject state. uunionsq
For a Mealy machine M over variables (I,O), its language L(M) ⊆ (2I×2O)∗. A
word σ ∈ L(M) can also be represented as pair (ii, oo) ∈ ((2I)∗, (2O)∗) such that
σ[k] = ii[k]∪ oo[k],∀k ∈ dom(σ). Here σ, ii, oo must have the same length. Note
that in the rest of this paper, we do not distinguish between σ and (ii, oo). Also,
for any input sequence ii ∈ (2I)∗, we define M [ii] = {oo | (ii, oo) ∈ L(M)}.
Definition 4 (Controllers and Supervisors). An output-nondeterministic
Mealy machine which is non-blocking is called a supervisor. An deterministic
supervisor is called a controller. uunionsq
The non-deterministic choice of outputs in a supervisor denotes unresolved de-
cision. The determinism ordering defined below allows supervisors to be refined
into controllers.
Definition 5 (Determinism Order and Sub-supervisor). Given two su-
pervisors S1 and S2, we say S1 ≤det S2 (S2 is more deterministic than S1), iff
L(S2) ⊆ L(S1). We call S2 to be a sub-supervisor of S1. uunionsq
Note that being supervisors, they are both non-blocking and hence ∅ ⊂ S2[ii] ⊆
S1[ii] for any ii ∈ (2I)∗. The supervisor S2 may make use of additional memory
for resolving and pruning the non-determinism in S1.
For technical convenience, we define a notion of indicator variable for a
QDDC formula (regular property). The idea behind this is that the indicator
variable w witnesses the truth of a formula D at any point in execution. Thus,
Ind(D,w) = pref(EP (w)⇔ D)
Here, EP(w) = (true^〈w〉), i.e. EP (w) holds at a point i, if variable w is true
at that point i. Hence, w will be true exactly on those points where D is true.
The formula automaton A(Ind(D,w)) gives us a controller with input-output
alphabet (I∪O,w) such that it outputs w = 1 on a transition iff the past satisfies
D. Since our formula automata are minimal DFA, A(Ind(D,w)) characterizes
the least memory needed to track the truth of formula D.
4 DCSynth Specification and Controller Synthesis
This section defines the DCSynth specification and presents the algorithm used
in our tool DCSynth for soft requirement guided controller synthesis from a
DCSynth specification. The process of synthesizing a controller as discussed in
Section 4.4 uses three main algorithms given in Sections 4.1-4.3.
4.1 Invariance Properties and Maximally Permissive Supervisor
A QDDC formula D specifies a regular property which may hold intermittently
during a behaviour (see Definition 1). An important class of properties, denoted
by inv D, states that D must hold invariantly during the system behaviour.
Definition 6. Let S realizes inv D denote that a supervisor S realizes invari-
ance of QDDC formula D over variables (I,O). Define S realizes inv D pro-
vided L(S) ⊆ L(D). Recall that, by the definition of supervisors, S must be
non-blocking. A supervisor S for a formula D is called maximally permissive
iff S ≤det S′ holds for any supervisor S′ such that S′ realizes inv D. This S
(when it exists) is unique upto language equivalence of automata, and the mini-
mum state maximally permissive supervisor is denoted as MPS(D). uunionsq
Now, we discuss how MPS(D) for a given QDDC formula D is computed.
1. Language equivalent DFA A(D) = 〈S, 2I∪O, δ, F 〉 is constructed for formula
D (Theorem 1). The standard safety synthesis algorithm [12] over A(D)
gives us the desired MPS(D) as outlined in the following steps.
2. We first compute the largest set of winning states G ⊆ F with the following
property: s ∈ G iff ∀i∃o : δ(s, (i, o)) ∈ G. Let Cpre(A(D), X) = {s | ∀i∃o :
δ(s, (i, o)) ∈ X}. Then we iteratively compute G as follows:
G=F;
do
G1=G;
G=Cpre(A(D),G1);
while (G != G1);
3. If initial state s /∈ G, then the specification is unrealizable. Otherwise,
MPS(D) is obtained by declaring G as the set of final states and retaining
all the transitions in A(D) between states in G and redirecting the remaining
transitions of A(D) to a unique reject state r which is made a sink state.
Proposition 1. For a given QDDC formula D the above algorithm computes
the maximally permissive supervisor MPS(D). uunionsq
The proposition follows straightforwardly by combining Theorem 1 with the
correctness of standard safety synthesis algorithm [12]. We omit a detailed proof.
4.2 Maximally Permissive H-Optimal Supervisor (MPHOS)
Given a supervisor S and a desired QDDC formulaD which should hold “as much
as possible” (both are over input-output variables (I,O)), we give a method for
constructing an “optimal” sub-supervisor of S, which maximizes the expected
value of count of D holding in next H moves when averaged over all the inputs.
First consider AArena = S ×A(Ind(D,w)) which is a supervisor over input-
output variables (I,O∪{w}). It augments S by producing an additional output w
which witnesses the truth of D. It has the property: L(AArena) ↓ (I∪O) = L(S).
Also for σ ∈ L(AArena) and i ∈ dom(σ) we have w ∈ σ[i] iff σ[0 : i] |= D. Thus,
every transition of AArena is labelled with w iff D holds on taking the transition.
Let the weight of transitions labelled with w be 1 and 0 otherwise. Thus, for
o ∈ 2(O∪{w}) let wt(o) = 1 if w ∈ o and 0 otherwise. Technically, this makes
AArena a weighted automaton.
In the supervisor AArena = (Q,Σ, s, δ,Q − {r}), where r is the unique re-
ject state, we define for (q ∈ Q) 6= r and i ∈ 2I , set LegalOutputs(q, i) =
{o | δ(q, i) 6= r}. We also define a deterministic selection rule as function f s.t.
f(q, i) ∈ LegalOutputs(q, i) and a non-deterministic selection rule F as function
F s.t.F (q, i) ∈ {O ⊆ LegalOutputs(q, i) | O 6= ∅}. Let H be a natural num-
ber. Then H-horizon policy pi is a sequence F1, F2, . . . , FH of non-deterministic
selection rules. A deterministic policy will use only deterministic selection rules.
A policy is stationary (memory-less) if each Fi is the same independently of i.
Given a state s, a policy pi and an input sequence ii ∈ (2I)H (of length
H), we define L(AArena, ii, s) as all runs of AArena over the input ii starting
from state s and Lpi(AArena, ii, s) as all runs over input ii starting from s and
following the selection rule Fi at step i. Each run has the form (ii, oo). Let
V alue(ii, oo) = Σ1≤i≤#ii wt(oo[i])). Thus, V alue(ii, oo) gives the count of D
holding during behaviour fragment (ii, oo). Then, we define VMINpi(s, ii) =
min{V alue(ii, oo) | (ii, oo) ∈ Lpi(AArena, ii, s)}, which gives the minimum
possible count of D among all the runs of S under policy pi on input ii, starting
with state s. We also define, VMAX(s, ii) = max{V alue(ii, oo) | (ii, oo) ∈
L(AArena, ii, s)}, which gives the maximum achievable count. Note that VMAX
is independent of any policy.
Given a horizon value (natural number) H, AArena and a non-deterministic
H-horizon policy pi, we define utility values V alAvgMinpi(s) and V alAvgMax(s)
for each state s of AArena as follows.
V alAvgMax(s) = Eii∈(2I)H VMAX(s, ii)
V alAvgMinpi(s) = Eii∈(2I)H VMINpi(s, ii)
Thus, intuitively, V alAvgMax(s) gives the maximal achievable count of D from
state s, when averaged over all inputs of length H. Similarly, V alAvgMinpi(s)
gives the minimal such count for D under policy pi, when averaged over all inputs
of lengthH. Our aim is to construct a horizon-H policy pi∗ = argmaxpi V alAvgMinpi(s).
This will turn out to be a stationary policy given by a selection rule F ∗. This
rule can be implemented as a supervisor denoted by MPHOS(AArena, H). We
now give its construction.
The well known value iteration algorithm allows us to efficiently compute
V alAvgMax(s) as recursive function V al(s,H) below.
V al(s, 0) = 0
V al(s, p+ 1) = Ei∈2I maxo∈2(O∪{w}) : δ(s,(i,o)) 6=r
{wt(o) + V al(δ(s, (i, o)), p)}
We omit the straightforward proof that V al(s,H) = V alAvgMax(s) (see [24]).
Having computed this, the optimal selection rule F ∗ giving stationary policy
pi∗ is given as follows: For each state s ∈ AArena and each input i ∈ 2I ,
F ∗(s, i) = argmaxo∈2O{wt(o) + V al(s,H)
| δAArena(s, (i, o)) = s′ ∧ s′ 6= r}
Note that F ∗(s, i) is non-deterministic as more than one output o may satisfy
the argmax condition. The following well-known lemma states that stationary
policy pi∗ using the selection rule F ∗ is H-optimal.
Lemma 1. For all states s of AArena, V alAvgMinpi∗(s) = V alAvgMax(s)
always holds. Therefore, for all states s of AArena and for any H-horizon policy
pi, V alAvgMinpiH(s) ≤ V alAvgMinpi
∗
(s) also holds. uunionsq
We omit the proof of these well known properties from optimal control of Markov
Decision Processes (see [24]).
Supervisor AArena is pruned to retain only the transitions with the out-
puts in set F ∗(s, i) (as these are all equally optimal). This gives us Maximally
permissive H-Optimal sub-supervisor of AArena w.r.t. D. This supervisor is de-
noted by MPHOS(AArena, H) or equivalently MPHOS(S,D,H). The follow-
ing proposition follows immediately from the construction of MPHOS(S,D,H)
and Lemma 1.
Proposition 2. 1. S ≤det MPHOS(S,D,H), for all H.
2. MPHOS(S,D,H) is maximally permissive H-optimal sub-supervisor of S.
3. If MPHOS(S,D,H) ≤det S′ then S′ is H-Optimal. uunionsq
4.3 From Supervisor to Controller
A controller Cnt can be obtained from a supervisor S by resolving output non-
determinism in S. We give a rather straightforward mechanism for this. We
allow the user to specify an ordering Ord on the set of output variables 2O. A
given supervisor S is determinized by retaining only the highest ordered output
among those permitted by S. This is denoted DetOrd(S). The output ordering
is specified by giving a lexicographically ordered list of output variable literals.
This facility is used to determinize MPHOS and MPS supervisors as required.
Example 2. For a supervisor S over variables (I, {o1, o2}), an example output
order can be given as lexicographically ordered list (o1 > !o2). Then, for any
transition the determinization step will try to select the highest ordered output
(which is allowed by S) from the list {(o1 = true, o2 = false), (o1 = true, o2 =
true), (o1 = false, o2 = false), (o1 = false, o2 = true)}. uunionsq
4.4 DCSynth Specification and Controller Synthesis
A DCSynth specification is a tuple (I,O,Dh, Ds), where I and O are the
set of input and output variables, respectively. Formula Dh called the hard re-
quirement and formula Ds called the soft requirement are QDDC formulas over
the set of propositions PV = I ∪O. Let H be a natural number called Horizon.
The objective in DCSynth is to synthesize a deterministic controller which (a)
invariantly satisfies the hard requirement Dh, and (b) it is H Optimal w.r.t. Ds
amongst all the controllers satisfying (a).
Given a specification (I,O,Dh, Ds), a horizon value H (a natural number)
and a total ordering Ord on the set of outputs 2O, the controller synthesis in
DCSynth can be given as Algorithm 1.
Algorithm 1 ControllerSynthesis
Input: S = (I,O,Dh, Ds). Horizon H, Output ordering Ord
Output: Controller Cnt for S.
1. Amps = MPS(Dh)
2. Amphos = MPHOS(Amps, Ds, H)
3. Cnt = Detord(Amphos).
4. Encode the automaton Cnt in an implementation language.
Step 1 uses the MPS construction given in Section 4.1. Step 2 uses the MPHOS
construction given in Section 4.2 whereas Step 3 uses the determinization method
of Section 4.3.
Proposition 3. The controller Cnt output by Algorithm 1 invariantly satisfies
Dh, and it intermittently, but H-optimally, satisfies Ds.
Proof. By Proposition 1, Amps realizes inv Dh. Then, by Proposition 2, Amphos
and Cnt are sub-supervisors of Amps and hence they also realize inv Dh. More-
over, by Lemma 1, we get that Amphos is H-optimal w.r.t. Ds. Hence, by Propo-
sition 2, we get that Cnt which is a sub-supervisor of Amphos is also H-Optimal
with respect to Ds. uunionsq
At all stages of above synthesis, the automata/supervisors A(Dh), A(Ds), Amps
and Amphos and Cnt are all represented as semi-symbolic automata (SSDFA)
using the MONA [15] DFA data structure. In this representation, the transition
function is represented as a multi-terminal BDD. MONA DFA library provides
a rich set of automata operations including product, projection, determinization
and minimization over the SSDFA. The algorithms discussed in Sections 4.1, 4.2
and 4.3 are implemented over SSDFA. Moreover, these algorithms are adapted to
work without actually expanding the specification automata into game graph.
At each stage of computation, the automata and supervisors are aggressively
minimized, which leads to significant improvement in the scalability and compu-
tation time of the tool. Appendix D gives the details of SSDFA data structure
and its use in symbolic computation of supervisors in efficient manner.
5 Case Studies and Experiments
For a DCSynth specification, Dh and Ds can be any QDDC formulas. While
invariance of Dh is guaranteed by the synthesis algorithm, the quality of the
controller is controlled by optimizing the outputs for which the soft requirement
Ds holds. For example, Ds may specify outputs which save energy, giving an
energy efficient controller. The soft requirement can also be used to improve
the robustness [3] of the controller (see [30]). Below, we consider specifications
structured as assumptions and commitments, and their optimized robustness
using our soft requirement guided synthesis.
5.1 Types of Controller Specification
For many examples, the controller specification can be given as a pair (A,C)
of QDDC formulas over input-output variables (I,O). Here, commitment C is
a formula specifying the desired behaviour which must ideally hold invariantly.
But this may be unrealizable, and a suitable assumption A on the behaviour of
environment may have to be made for C to hold. In case the assumption A does
not hold, it is still desirable that controller satisfies C, intermittently but “as
much as possible”. Given this assumption-commitment pair (A,C), we specify
four types of derived controller specifications (I,O,Dh, Ds) as follows.
Type Hard Requirement Dh Soft Requirement Ds
Type0 C true
Type1 (A⇒ C) true
Type2 true C
Type3 (A⇒ C) C
Type0 controller gives the best guarantee but it may be unrealizable. Type1 con-
troller provides a firm but conditional guarantee. Type2 controller tries to achieve
C in H-optimal fashion irrespective of any assumption and Type3 Controller
provides firm conditional guarantee and it also tries to satisfy C in H-optimal
fashion even when the assumption does not hold.
5.2 Performance Metrics: Measuring quality of controllers
For the same assumption commitment pair (A,C), we can synthesize diverse
controllers using different specification types, horizon values and output order-
ings. In order to compare the performance of these different controllers, we define
two metrics – i) Expected Case Performance measure to compare average case
behaviour, and ii) Must Dominance to compare the guaranteed behaviour.
i) Expected Case Performance: Given a controller Cnt over input-output alpha-
bet (I,O) and a QDDC formula (regular property) C over variables I ∪ O, we
can construct a Discrete Time Markov Chain (DTMC), denoted Munif (Cnt,C),
whose analysis allows us to measure the probability of C holding in long runs
(steady state) of Cnt under random independent and identically distributed(iid)
inputs. This value is designated as Eunif (Cnt,C). The construction of the desired
DTMC is as follows. The product Cnt×A(C) gives a finite state automaton with
the same behaviours as Cnt. Moreover, it is in accepting state exactly when C
holds for the past behaviour. (Here A(C) works as a total deterministic monitor
automaton for C without restricting Cnt). By assigning uniform discrete prob-
abilities to all the inputs from any state, we obtain the DTMC Munif (Cnt,C)
along with a designated set of accepting states, such that the DTMC is in ac-
cepting state precisely when C holds. Standard techniques from Markov chain
analysis allow us to compute the probability (Expected value) of being in the set
of accepting states on long runs (steady state) of the DTMC. This gives us the
desired value Eunif (Cnt,C). A leading probabilistic model checking tool MRMC
implements this computation [14]. In DCSynth, we provide a facility to compute
Munif (Cnt,C) in a format accepted by the tool MRMC. Hence, using DCSynth
and MRMC, we are able to compute Eunif (Cnt,C).
ii) Guaranteed Performance as Must-Dominance: Consider two supervisors S1,
S2 and a regular property C. Define that Si guarantees C for an input sequence
ii, provided for every output sequence oo ∈ Si[ii] produced by Si on ii we have
that (ii, oo) satisfies C. We say that S2 must dominance S1 with respect to the
property C provided for every input sequence ii, if S1 guarantees C then S2 also
guarantees C. Thus, S2 provides a superior must guarantee of C than S1.
Definition 7 (Must Dominance). Given two supervisors S1, S2 and a prop-
erty (formula) C over input-output alphabet (I,O), the must dominance of S2
over S1 is defined as S1 ≤Cdom S2 iff MustInp(S1, C) ⊆ MustInp(S2, C),
where MustInp(Si, C) = {ii ∈ (2I)+ | ∀oo ∈ (2O)+.((ii, oo) ∈ L(Si) ⇒
(ii, oo) |= C}. uunionsq
We establish must dominance relations among MPHOS supervisors of various
types of specifications discussed in Section 5.1.
Lemma 2. For any QDDC formulas A and C, and any horizon H, the following
must dominance relations will hold (for any given H)
1. MPHOS1(A,C)) ≤Cdom MPHOS3(A,C)) ≤Cdom MPHOS0(A,C))
2. MPHOS2(A,C)) ≤Cdom MPHOS0(A,C))
where, MPHOSi(A,C) denote the maximally permissive H-optimal supervisor
AMPHOS of Algorithm 1 for the specification Typei(A,C).
Proof. By definition, MPHOS0(A,C) invariantly satisfies C for all input sequences.
Hence, MustInp(MPHOS0(A,C), C) = (2I)∗, which immediately gives us that S ≤Cdom
MPHOS0(A,C)) for any supervisor S.
Now we prove the remaining relation MPHOS1(A,C)) ≤Cdom MPHOS3(A,C)). Let
S =MPS(A⇒ C). Then, MPHOS1(A,C)) =MPHOS(S, true,H) = S. The second equal-
ity holds as soft requirement true does not cause any pruning of outputs in H-
optimal computation. By definition MPHOS3(A,C) = MPHOS(S,C,H). By Propo-
sition 2, S ≤det MPHOS(S,C,H) which gives us the required result. uunionsq
Note that in general, MPHOS2(A,C) is theoretically incomparable with MPHOS1(A,C)
and MPHOS3(A,C), as MPHOS2(A,C) is a supervisor that does not have to meet
any hard requirement, but it optimally meets the soft requirements irrespective
of the assumption. However, for specific (A,C) instances, some additional must-
dominance relations may hold between MPHOS2(A,C) and the other supervisors.
5.3 Case Studies: Mine-pump and Arbiter Specifications
We have carried out experiments with i) the Mine-pump specification presented
in this section, and ii) an Arbiter specification given in Appendix A.1.
Mine-pump: The Mine-pump controller (see [21]) has two input sensors: high
water level sensor HH2O and methane leakage sensor HCH4 ; and one output,
PUMPON to keep the pump on. The objective of the controller is to safely operate
the pump in such a way that the water level never remains high continuously
for more that w cycles. Thus, Mine-pump controller specification has input and
output variables ({HH2O,HCH4}, {PUMPON}).
We have following assumptions on the mine and the pump. Their conjunc-
tion is denote MineAssume(, ζ, κ) with integer parameters , ζ, κ. Being of the
form []D each formula states that the property D (described in text) holds for
all observation intervals in past.
- Pump capacity: ([]!(slen =  && ([[PUMPON && HH2O]]^〈HH2O〉))). If the pump
is continuously on for  cycles with water level also continuously high, then
water level will not be high at the + 1 cycle.
- Methane release: [](([HCH4]^[!HCH4]^〈HCH4〉) ⇒ (slen > ζ)) and []([[HCH4]] ⇒
slen < κ). The minimum separation between the two leaks of methane is ζ
cycles and the methane leak cannot persist for more than κ cycles.
The commitments are as follows. The conjunction of commitments is denoted
by MineCommit(w) and they hold intermittently in absence of assumption.
- Safety conditions: true^〈((HCH4 || !HH2O)⇒ !PUMPON))〉 states that if there is
a methane leak or absence of high water in current cycle, then pump should
be off in the current cycle. Formula !(true^([[HH2O]] && slen = w)) states that
the water level does not remain continuously high in last w + 1 cycles.
The Mine-Pump specification denoted by MinePump(w, , ζ, κ) is given by the
assumption-commitment pair (MineAssume(, ζ, κ),MineCommit(w)). The four
types of DCSynth specifications of Section 5.1 can be derived from this. Figure
3 in Appendix B gives the textual source of Type3(MinePump(8, 2, 6, 2)) spec-
ification used by the DCSynth tool.
Arbiter: Due to space limitations, the detailed specification of the arbiter,
briefly discussed as Example 1 in Section 1, is given in Appendix A.1. The
arbiter is denoted as Arb(n, k, r), where n denotes the number of clients, k is the
Table 1. Synthesis from Mine-pump(8,2,6,2) and Arb(5,3,2) specifications in DCSynth.
The last column gives the expected value of commitment in long run on random inputs.
DCSynth Specification Synthesis (States/Time)
Sr Controller Output MPS MPHOS Controller Expected
No type Ordering Stats Stats Stats Value
Mine− pump(8, 2, 6, 2)
1 Type0 - Unrealizable
2 Type1 PUMPON 70/0.00045 70/0.00254 21/0.00220 0.0
3 Type2 PUMPON 1/0.00004 10/0.00545 10/0.00033 0.99805
4 Type3 PUMPON 70/0.00045 75/0.044216 73/0.00081 0.99805
5 Type1 !(PUMPON) 70/0.00045 70/0.00254 47/0.00230 0.0
6 Type2 !(PUMPON) 1/0.00004 10/0.00545 10/0.00019 0.99805
7 Type3 !(PUMPON) 70/0.00045 75/0.044216 73/0.00082 0.99805
Arb(5, 3, 2)
1 Type0 - Unrealizable
2 Type1 ArbDef 13/0.000226 13/0.004794 11/0.007048 0.0
3 Type2 ArbDef 1/0.00001 207/1.864346 201/0.058423 0.9930985
4 Type3 ArbDef 13/0.000213 207/1.897907 201/0.057062 0.9930985
response time (time for which a client should keep the request high continuously
to get the guaranteed access) and r is the maximum number of request that can
be true simultaneously.
5.4 Experimental Evaluation
Given an assumption-commitment pair (A,C) the four types of DCSynth spec-
ifications can be derived as given in Section 5.1. Given any such specification,
a horizon value H, and an ordering of outputs, a controller can be synthesized
using our tool DCSynth as described in Section 4.4. For the Mine-pump in-
stance MinePump(8, 2, 6, 2), we synthesized controllers for all the four derived
specification types with horizon value H = 50 and output ordering PUMPON .
These controllers choose to get rid of water aggressively by keeping the pump on
whenever possible. Similarly, controllers were also synthesized with the output
ordering !PUMPON . These controllers save energy by keeping the pump off
whenever possible. Note that, in our synthesis method, hard and soft require-
ments are fulfilled before applying the output orderings.
For the Arbiter instance Arb(5, 3, 2) also, controllers were synthesized for
all the four derived specification types with horizon value H = 50 and output
ordering ArbDef = (a1 > a2 > a3 > a4 > a5). This ordering tries to give
acknowledgment such that client i has priority higher than client j for all i < j.
In Table 1 we give the performance of the of tool DCSynth in synthesizing
these controllers. The table gives the time taken at each stage of the synthesis
algorithm, and the sizes of the computed supervisors/controllers. The experi-
ments were conducted on Linux (Ubuntu 16.04) system with Intel i5 64 bit, 2.5
GHz processor and 4 GB memory.
Experimental Evaluation of Expected Case Performance: The last column of
Table 1 gives the expected value of commitment holding in long run for the
controllers of various types for both Mine-pump and Arbiter instances. This
value is computed as outlined in Section 5.2. The results are quite encouraging.
It can be observed from Table 1 that in both the examples, the controllers for
Type1 (i.e., when soft-requirements are not used) specifications have 0 expected
value of commitment C. This is because of the strong assumptions used in guar-
anteeing C, which themselves have expected value 0. In such a case, whenever
the assumption fails, the synthesis algorithm has no incentive to try to meet C.
On the other hand, with soft requirement C in Type2 and Type3 specifica-
tions, the H-optimal controllers have the expected value of C above 99%. This
remarkable increase in the expected value of Commitment shows that H-optimal
synthesis is very effective in figuring out controllers which meet the desirable
property C as much as possible, irrespective of the assumption.
Experimental Evaluation of Must-Dominance: Given supervisors S1, S2 for an
assumption-commitment pair (A,C), since both S1, S2 are finite state Mealy
machines and C is a regular property, an automata theoretic technique can au-
tomatically check whether S1 ≤Cdom S2. We omit the details of this technique
here, which is presented in Appendix C Proposition 4. This technique is imple-
mented in our tool DCSynth. In case S1 ≤Cdom S2 does not hold, the tool provides
a counter example.
For our case studies, we experimentally compare must dominance of super-
visors MPHOSi(A,C) as defined in Lemma 2. Recall that MPHOSi(A,C)
denotes the maximally permissive H-optimal supervisor for the specification
Typei(A,C). The results obtained (with H = 50) are as follows.
1. Mine-pump instance Minepump(8, 2, 6, 2) denoted by MP (8, 2, 6, 2)):
MPHOS1(MP (8, 2, 6, 2)) <
C
dom MPHOS3(MP (8, 2, 6, 2)) =
C
dom MPHOS2(MP (8, 2, 6, 2))
2. Arbiter instance Arb(5, 3, 2):
MPHOS1(Arb(5, 3, 2)) <
C
dom MPHOS2(Arb(5, 3, 2)) =
C
dom MPHOS3(Arb(5, 3, 2))
MPHOS3 must dominates MPHOS1 as expected, as MPHOS3 is a sub-
supervisor of MPHOS1. What is interesting and surprising is that in both the
case studies Arbiter and Mine-pump, the MPHOS2 and MPHOS3 supervisors
are found to be syntactically identical. This is not theoretically guaranteed, as
Type2 and Type3 supervisors are must-incomparable in general. Thus, in these
examples, the H-optimal MPHOS2 already provides all the must-guarantees of
the hand-crafted MPHOS3 hard requirements. The H-optimization of C seems
to exhibit startling ability to guarantees C without human intervention. It will
be our attempt to validate this with more examples in future. So far we have
considered commitment as soft requirement. In general, the soft requirement
can be used to optimize MPS w.r.t. any regular property of interest, where as
the hard requirements gives the necessary must guarantees. Such soft require-
ments may embody performance and quality goals. Hence, it is advisable to use
the combination of hard and soft requirement based on the criticality of each
requirement.
6 Discussion along with Related Work
Reactive synthesis from Linear Temporal Logic (LTL) specification is a widely
studied area [3] and a considerable number of tools [5, 11] supported by the-
oretical foundations are available. The leading tools such as Acacia+ [5] and
BoSy [11] mainly focus on the future fragment of LTL. In contrast, this paper
focuses on invariance of complex regular properties, denoted by inv Dh where
Dh is a QDDC formula. For such a property, a maximally permissive supervisor
(MPS) can be synthesized. Formally, logics LTL and QDDC have incomparable
expressive power. There is increasing evidence that regular properties form an
important class of requirements [9,18,19]. The IEEE standard PSL extends LTL
with regular properties [1]. Wonham and Ramadge in their seminal work [25,26]
first studied the synthesis of maximally permissive supervisors from regular prop-
erties. In their supervisory control theory, MPS can in fact be synthesized for a
richer property class AGEF Dh [10]. Tool DCSynth can be easily extended to
support such properties too. Riedweg et al [28] give some sub-classes of Quan-
tified Mu-Calculus for which MPS can be computed. However, none of these
works address soft requirement guided synthesis.
Most of the reactive synthesis tools focus on correct-by-construction synthe-
sis from hard requirements. For example, none of the tools in recent competition
on reactive synthesis, SYNTCOMP17 [13], address the issue of guided synthesis
which is our main focus. In our approach, we refine the MPS (for hard require-
ments) to a sub-supervisor optimally satisfying the soft requirements too. Since
LTL does not admit MPS, it is unclear how our approach can extend to it.
In quantitative synthesis, a weighted arena is assumed to be available, and
algorithms for optimal controller synthesis for diverse objectives such as Mean-
payoff [4] or energy [6] have been investigated. In our case, we first synthesize
the weighted arena from given hard and soft requirements. Moreover, we use
H-optimality as the synthesis criterion. This criterion has been widely used
in reinforcement learning as well as optimal control of MDPs [2, 24]. In other
related work, techniques for optimal controller synthesis are discussed by Ding
et al [9], Wongpiromsarn et al [32] and Raman et al [27], where they have explored
the use of receding horizon model predictive control along with temporal logic
properties.
Since our focus is on the quality of the controllers, we have also defined met-
rics and measurement techniques for comparing the controllers for their guar-
anteed (based on must dominance) and expected case performance. For the ex-
pected case measurement, we have assumed that inputs are iid. However, the
method can easily accommodate a finite state Markov model governing the oc-
currences of inputs.
DCSynth uses an efficient BDD-based symbolic representation, inherited
from tool MONA [15] for storing automata, supervisors and controllers. The
use of eager minimization (see Appendix D for implementation details) allows
us to handle much more complex properties (see Appendix E).
7 Conclusions
We have presented a technique for guided synthesis of controllers from hard and
soft requirements specified in logic QDDC. This technique is also implemented in
our tool DCSynth. Case studies show that combination of hard and soft require-
ments provides us with a capability to deal with unrealizable (but desirable), con-
flicting and default requirements. In context of assumption-commitment based
specification, we have shown with case studies that soft requirements improve
the expected case performance, where as hard requirements provide certain (but
typically conditional) guarantees on the synthesized controller. Hence, the com-
bination of hard and soft requirements as formulated in Type3 specifications
offers a superior choice of controller specification. This is confirmed by theoeti-
cal analysis as well as experimental results. In the paper, we have also explored
the experimental ability to compare the controller performance using expected
value and must dominance metrics. This helps us in designing better performing
controllers.
References
1. Iec 62531:2012(e) (ieee std 1850-2010): Standard for property specification lan-
guage (psl). IEC 62531:2012(E) (IEEE Std 1850-2010), pages 1–184, June 2012.
2. R. E. Bellman. Dynamic Programming. Princeton Univ. Press, 1957.
3. R. Bloem, K. Chatterjee, K. Greimel, T. A. Henzinger, G. Hofferek, B. Jobstmann,
B. Ko¨nighofer, and R. Ko¨nighofer. Synthesizing robust systems. Acta Inf., 51(3-
4):193–220, 2014.
4. R. Bloem, K. Chatterjee, T. A. Henzinger, and B. Jobstmann. Better quality in
synthesis through quantitative objectives. In CAV, pages 140–156, 2009.
5. A. Bohy, V. Bruye`re, E. Filiot, N. Jin, and J. Raskin. Acacia+, a tool for LTL
synthesis. In CAV, pages 652–657, 2012.
6. Patricia Bouyer, Nicolas Markey, Mickael Randour, Kim G. Larsen, and Simon
Laursen. Average-energy games. Acta Informatica, 55(2):91–127, Mar 2018.
7. Gaurav Chakravorty and Paritosh K. Pandya. Digitizing interval duration logic. In
Computer Aided Verification, 15th International Conference, CAV 2003, Boulder,
CO, USA, July 8-12, 2003, Proceedings, pages 167–179, 2003.
8. Z. Chaochen, C. A. R. Hoare, and A. P. Ravn. A calculus of durations. Inf. Process.
Lett., 40(5):269–276, 1991.
9. Xu Chu Ding, Mircea Lazar, and Calin Belta. LTL receding horizon control for
finite deterministic systems. Automatica, 50(2):399–408, 2014.
10. R. Ehlers, S. Lafortune, S. Tripakis, and M. Y. Vardi. Supervisory control and
reactive synthesis: a comparative introduction. Discrete Event Dynamic Systems,
27(2):209–260, Jun 2017.
11. P. Faymonville, B. Finkbeiner, and L. Tentrup. Bosy: An experimentation frame-
work for bounded synthesis. In CAV, pages 325–332, 2017.
12. Erich Gra¨del, Wolfgang Thomas, and Thomas Wilke, editors. Automata Logics,
and Infinite Games: A Guide to Current Research. Springer-Verlag New York,
Inc., New York, NY, USA, 2002.
13. S. Jacobs and et. al. The 4th reactive synthesis competition (SYNTCOMP 2017):
Benchmarks, participants & results. CoRR, abs/1711.11439, 2017.
14. J. Katoen, I. S. Zapreev, E. M. Hahn, H. Hermanns, and D. N. Jansen. The ins
and outs of the probabilistic model checker mrmc. Performance Evaluation, 2011.
Advances in Quantitative Evaluation of Systems.
15. N. Klarlund and A. Møller. MONA Version 1.4 User Manual, 2001. Notes Series
NS-01-1. Available from http://www.brics.dk/mona. Revision of BRICS NS-98-3.
16. N. Klarlund, A. Møller, and M. I. Schwartzbach. MONA implementation secrets.
International Journal of Foundations of Computer Science, 13(04):571–586, 2002.
17. Shankara Narayanan Krishna and Paritosh K. Pandya. Modal strength reduction
in quantified discrete duration calculus. In FSTTCS 2005: Foundations of Software
Technology and Theoretical Computer Science, 25th International Conference, Hy-
derabad, India, December 15-18, 2005, Proceedings, pages 444–456, 2005.
18. S. Lafortune, K. Rudie, and S. Tripakis. 30 years of the ramadge-wonham theory
of supervisory control: A retrospective and future perspectives. DCD Workshop,
2017.
19. R. M. Matteplackel, P. K. Pandya, and A. Wakankar. Formalizing timing diagram
requirements in discrete duration calulus. In SEFM, pages 253–268, 2017.
20. P. K. Pandya. Model checking CTL*[DC]. In TACAS, pages 559–573, 2001.
21. P. K. Pandya. Specifying and deciding quantified discrete-time duration calculus
formulae using dcvalid. In RTTOOLS (affiliated with CONCUR 2001), 2001.
22. P. K. Pandya. The saga of synchronous bus arbiter: On model checking quantitative
timing properties of synchronous programs. Electr. Notes Theor. Comput. Sci.,
65(5):110–124, 2002.
23. P. K. Pandya. Finding extremal models of discrete duration calculus formulae
using symbolic search. Elect. Notes Theor. Comp. Sc., 128(6):247–262, 2005.
24. Martin L. Puterman. Markov Decision Processes: Discrete Stochastic Dynamic
Programming. John Wiley & Sons, Inc., New York, NY, USA, 1st edition, 1994.
25. P. Ramadge and W. Wonham. Supervisory control of a class of discrete event
processes. SIAM Journal on Control and Optimization, 25(1):206–230, 1987.
26. Peter J. G. Ramadge and W. Murray Wonham. The Control of Discrete Event
Systems. In In Proceedings of IEEE, volume 77, pages 81–98, 1989.
27. Vasumathi Raman, Alexandre Donze´, Dorsa Sadigh, Richard M. Murray, and San-
jit A. Seshia. Reactive synthesis from signal temporal logic specifications. In
Proceedings of the 18th International Conference on Hybrid Systems: Computation
and Control, HSCC ’15, pages 239–248, New York, NY, USA, 2015. ACM.
28. Ste´phane Riedweg and Sophie Pinchinat. Quantified mu-calculus for control syn-
thesis. In Mathematical Foundations of Computer Science 2003, 28th International
Symposium, MFCS 2003, Bratislava, Slovakia, August 25-29, 2003, Proceedings,
pages 642–651, 2003.
29. Babita Sharma, Paritosh K. Pandya, and Supratik Chakraborty. Bounded validity
checking of interval duration logic. In Tools and Algorithms for the Construc-
tion and Analysis of Systems, 11th International Conference, TACAS 2005, Held
as Part of the Joint European Conferences on Theory and Practice of Software,
ETAPS 2005, Edinburgh, UK, April 4-8, 2005, Proceedings, pages 301–316, 2005.
30. A. Wakankar, P. K. Pandya, and R. M. Matteplackel. DCSYNTH: guided reactive
synthesis with soft requirements for robust controller and shield synthesis. CoRR,
abs/1711.01823, 2017.
31. A. Wakankar, P. K. Pandya, and R. M. Matteplackel. DCSynth 1.0. TIFR, Mum-
bai, 2018. http://www.tcs.tifr.res.in/~pandya/dcsynth/dcsynth.html.
32. Tichakorn Wongpiromsarn, Ufuk Topcu, and Richard M. Murray. Receding horizon
temporal logic planning. IEEE Trans. Automat. Contr., 57(11):2817–2830, 2012.
33. Chaochen Zhou and Michael Hansen. Duration Calculus A Formal Approach to
Real-Time Systems. Springer, 2004.
A Other Case Studies
In this section we present 3 more case studies:
1. n-client shared resource arbiter (several different specifications),
2. alarm annunciation system.
A.1 Arbiter
An n-client resource (e.g. bus) arbiter is a circuit with r1, . . . , rn as inputs (ri high
indicates ith client request access to resource) and ack1, . . . , ackn (ai indicates
arbiter has granted the ith client access to the resource) as the corresponding
outputs. Arbiter arbitrates among a subset of requests at each cycle by setting
one of the acknowledgments (ai’s) true. Hard requirements on the arbiter include
the following three invariant properties.
Mutex(n) = trueˆ〈 ∧i 6=j ¬(ai ∧ aj) 〉, 1 ≤ i ≤ n
NoLoss(n) = trueˆ〈 (∨iri)⇒ (∨jaj) 〉, 1 ≤ i ≤ n
NoSpurious(n) = trueˆ〈 ∧i (ai ⇒ ri) 〉, 1 ≤ i ≤ n
ARBINV (n) = Mutex(n) ∧NoLoss(n) ∧NoSpurious(n).
(1)
Thus, Mutex gives mutual exclusion of acknowledgments, NoLoss states that
if there is at least one request then there must be an acknowledgment and
Nospurious states that acknowledgment is only given to a requesting cell.
In the literature various arbitration schemes for the arbiter have been pro-
posed, here we consider the following schemes.
– k-cycle response time: let Resp(r, a, k) denote that if request has been high
for last k cycles there must have been at least one acknowledgment in the last
k cycles. Let ArbResp(n, k) state that for each cell i and for all observation
intervals the formula Resp(ri, ai, k) holds.
Resp(r, a, k) = trueˆ(([[r]] && (slen = (k − 1))) ⇒
trueˆ(scount a > 0 && (slen = (k − 1)))
ArbResp(n, k) = (∧1≤i≤n (Resp(ri, ai, k))
ArbCommit(n, k) = ARBINV (n) ∧ArbResp(n, k)
(2)
Based on k-cycle response we can define various arbiter specification with
different properties as follows:
• Then specification Arbhard(n, k) is the following k-cycle response time
DCSynth specification.
Arbhard(n, k) = ({r1, . . . , rn}, {a1, . . . , an}, ArbCommit(n, k), 〈〉) (3)
• The specification Arbhard above, invariantly satisfy ArbCommit(n, k) if
n ≤ k. Tool DCSynth gives us a concrete controller for the instance
(Dh = ArbCommit(6, 6), Ds = true). It is easy to see that there is
no controller which can invariantly satisfy ArbCommit(n, k) if k < n.
Consider the case when all requests ri are continuously true. Then, it is
not possible to give response to every cell in less than n cycles due to
mutual exclusion of acknowledgment ai.
To handle such desirable but unrealizable requirement we make an as-
sumption. Let the proposition Atmost(n, i) be defined as
∀S ⊆ {1 . . . n}, |S| ≤ i. ∧j /∈S ¬rj .
It states that at most i requests are true simultaneously. Then, the ar-
biter assumption is the formulaArbAssume(n, i) = [[ Atmost(n,i)]],
which states that Atmost(n, i) holds invariantly in past.
The synchronous arbiter specification Arb(n, k, i) is the assumption-
commitment pair (ArbAssume(n, i), ArbCommit(n, k)). The four types
of controller specifications can be derived from this pair. Figure 4 in Ap-
pendix C gives, in textual syntax of the specification for Type3(Arb(5, 3, 2)),
in tool DCSynth. The DCSynth specification for Type3(Arb(n, k, i)) is
denoted by ArbhardAssume given as follows:
ArbhardAssume(n, k, i) = ({r1, . . . , rn}, {a1, . . . , an},
pref (ArbAssume(n, i))⇒ EP (ArbCommit(n, k)),
〈ArbCommit(n, k)〉 )
(4)
• k-cycle response time as soft requirement: we specify the requirement of
response in k cycles as a soft requirement 3 as below.
Arbsoft(n, k) = ({r1, . . . , rn}, {a1, . . . , an}, ARBINV (n),
〈Resp(rn, an, k) : 2n, . . . , Resp(r1, a1, k) : 21〉 )
(5)
– Token ring arbitration: a token is circulated among the masters in a round
robin fashion. The token is modeled using the variables toki’s (1 ≤ i ≤
n). Exactly one of toki’s will hold at any time and if toki is true then we
mean that masteri holds the token. The arbiter asserts acknowledgement ai
whenever request ri and toki are true, i. e. priority is accorded to the request
of the master which holds the token.
TokInit(n) =< tok1 && (∧2≤i≤n!toki) > ˆ true
TokCirculate(n) = [](∧1≤i≤n(toki ˆ (slen = 1) <=>
(slen = 1) ˆ toki%n+1))
TokResp(n) = ∧1≤i≤n[[(ri && toki) => ai]]
Token(n) = TokInit(n) ∧ TokCirculate(n) ∧ TokResp(n).
(6)
Let ARBTOKEN(n) = ARBINV (n) ∧ Token(n). Then Arbtok(n) is the
following DCSynth specification.
Arbtok(n) = ({r1, . . . , rn}, {a1, . . . , an}, ARBTOKEN(n), 〈〉, 〈〉) (7)
3 Note that soft requirement in this example is a lexicographical list of several QDDC
formulas. The tool DCSynth implements a MPHOS computation using weighted
requirements (See D.2 for details)
A.2 Alarm Annunciation System
The next case study is Alarm Annunciation System(AAS) used in a process
control system for annunciation for various alarms in the control room. The
Alarm Annunciation involves the standard Automatic Ring-Back Sequence for
all the digital inputs meant for alarm annunciation and provide the necessary
outputs. The specification of Automatic Ring-Back Sequence is given in Table
2. All digital inputs representing alarm conditions are scanned periodically.
Table 2. Automatic Ring-Back Sequence for Alarm Annunciation
Input Lamp Output Audio Output
Normal to Alarm Fast Flashing Normal Alarm Hooter On
Acknowledged Lamp On Normal Alarm Hooter Off
Alarm to Normal Slow Flashing Ringback Hooter On
Reset Lamp Off Ringback Hooter Off
As shown in the Table 2 that Automatic Ring-Back Sequence specification
takes the alarm signal as input. The high value of signal represents the alarm
state, otherwise the signal is said to be in normal state. Other inputs are Ac-
knowledgment, Reset and Silence inputs, which are controller by the operator.
There are three output elements: Lamp, Normal Hooter and Ringback Hooter.
There is a Lamp corresponding to each alarm signal, whereas Hooters are com-
mon to all alarm signals. Lamp can either be Fast Flashing, Slow Flashing,
Steady On or Off states. We have encoded the requirements in DCSynth to syn-
thesize the controller. The Silence input can be used by the operator to switch
off Hooters.
Result of Synthesis : As discussed in the previous case study soft requirements
helped in specification of requirements concisely. The controller synthesized has
8 states. We could simulate the controller and verified the correctness.
A.3 Synthesis of 2 client arbiter
Fig. 1 gives the monitor automaton for 2-client arbiter (See section A.1) for n-
cell arbiter specification. Each transition is labeled by 4 bit vector giving values
of r1, r2, a1, a2.
Fig. 2 gives the MPS automaton for the 2-cell arbiter computed from the
safety monitor automaton of Fig. 1. (There is an additional reject state. All
missing transitions are directed to it. These are omitted from the diagram for
simplicity.) Note that this is a DFA whose transitions are labelled by 4-bit vectors
representing alphabet 2{r1,r2,a1,a2}. As defined in Definition 2, the DFA also
denotes an output-nondeterministic Mealy machine with input variables (r1, r2)
Fig. 1. Safety Monitor Automaton: 2 Cell Arbiter
Fig. 2. Supervisors for Arbhard(2, 2) (a): MPS (b): MPHOS determinized
and output variables (a1, a2). The automaton is nondeterministic in output as
from state 1, on input (1, 1) it can move to state 2 with output (1, 0), or to state
3 with output (0, 1). The reader can verify that the automaton is non-blocking
and hence a controller.
In 2-cell arbiter example, with soft requirements 〈ack1, ack2〉 which give ack1
priority over ack2, we obtain the MPHOS controller automaton of Fig. 2(b) from
the MPS of Fig. 2(a). Note that we minimize the automaton at each step.
B Specification of Mine-pump and Arbiter example in
DCSynth
The specification of Arbiter(5,3,2) and MinePump(8,2,6,2) is DCSynth syntax
is given is Figure 3 and 4 respectively.
C DCSynth Tool Usage and performance evaluation
The tool DCSynth uses a specification for Arbiter Arbiter.qsf shown in Figure
4. This file contains the set of input and output alphabets in interface section.
The definitions/macros required for specifying hard and soft requirements are
contained in definitions section. This is followed by a section called indefinitions,
to specify the required indicating monitor for a given formula (or corresponding
automaton). Finally the section called hardreq and softreq define the hard and
soft requirements respectively using the definitions and indicating monitors. The
steps to synthesize a controller from the specification file is as follows.
– First we generate the DFAs for Dh, Ds and the required input/output par-
titioning file using qsf command, e.g. for Arbiter example, we use qsf Ar-
Fig. 3. Mine-pump specification in DCSynth
#qsf ”minepump”
interface{
input HH2Op, HCH4p;
output PUMPONp monitor x, ga monitor x;
constant w = 8, epsilon=2 , zeta=6, kappa=2;
}
definitions{
//Methane release assumptions
dc methane1(HCH4){
[]([HCH4]ˆ[!HCH4]ˆ<HCH4 >=>slen>zeta );
}
dc methane2(HCH4){
[]([[HCH4]] =>slen<kappa );
}
//Pump capacity assumption
dc pumpcap1(HH2O, PUMPON){
([]!(slen=epsilon && ([[PUMPON && HH2O]] ˆ<HH2O >)));
}
dc MineAssume 2 6 2(HH2O, HCH4, PUMPON){
methane1(HH2O, HCH4, PUMPON) && methane2(HH2O, HCH4, PUMPON) &&
pumpcap1(HH2O, HCH4, PUMPON);
}
//safety condition
dc req1(HH2O, HCH4, PUMPON){
trueˆ<( (HCH4 || !HH2O) =>!PUMPON)>;
}
dc req2(HH2O, HCH4, PUMPON){
(!(true ˆ([[HH2O]] && (slen = w))))
}
dc MineCommit 8(HH2O, HCH4, PUMPON){
req1(HH2O, HCH4, PUMPON) && req2(HH2O, HCH4, PUMPON);
}
indefinitions{
ga : MineCommit 8(HH2Op, HCH4p, PUMPONp);
}
hardreq{
MineAssume 2 6 2(HH2Op, HCH4p, PUMPONp) =>
MineCommit 8(HH2Op, HCH4p, PUMPONp);
}
softreq{
useind ga;
(ga);
}
biter.qsf to generate files named Arbiter.hardreq.dfa, Arbiter.softreq.dfa
and Arbiter.io as per step 1 of synthesis method in section 4.
– We then use the command synth2 Arbiter.hardreq.dfa Arbiter.softreq.dfa
Arbiter.io synth.config to synthesize the supervisors as per step 2 and 3
Fig. 4. Arbiter specification in DCSynth
#qsf ”arbiter”
interface{
input r1, r2, r3, r4, r5;
output a1, a2, a3, a4, a5, ga3;
constant n=3;
}
definitions{
// Specification 1: The Acknowlegments shold be exclusive
dc exclusion(){
trueˆ<(a1 =>!(a2 || a3 || a4 || a5)) && (a2 =>!(a1 || a3 || a4 || a5)) &&
(a3 =>!(a1||a2||a4||a5)) && (a4=>!(a1||a2||a3||a5)) && (a5=>!(a1||a2||a3||a4)))>;
}
dc noloss(){
trueˆ<(r1 || r2 || r3 || r4 || r5) =>(a1 || a2 || a3 || a4 || a5)>;
}
//If bus access (ack) should be granted only if there is a request
dc nospuriousack(a1, r1){
trueˆ<(a1) =>(r1)>;
}
//n cycle response i.e. slen=n-1
dc response(r1,a1){
trueˆ(slen=n-1 && [[r1]]) =>trueˆ(slen=n-1 && (scount a1 >= 1));
}
dc ArbAssume 5 2(){
[[ (!r1 && !r2 && !r3 && !r4 && !r5) || (r1 && !r2 && !r3 && !r4 && !r5) ||
(!r1 && r2 && !r3 && !r4 && !r5) || (!r1 && !r2 && r3 && !r4 && !r5) ||
(!r1 && !r2 && !r3 && r4 && !r5) || (!r1 && !r2 && !r3 && !r4 && r5) ||
(r1 && r2 && !r3 && !r4 && !r5) || (r1 && !r2 && r3 && !r4 && !r5) ||
(r1 && !r2 && !r3 && r4 && !r5) || (r1 && !r2 && !r3 && !r4 && r5) ||
(!r1 && r2 && r3 && !r4 && !r5) || (!r1 && r2 && !r3 && r4 && !r5) ||
(!r1 && r2 && !r3 && !r4 && r5) || (!r1 && !r2 && r3 && r4 && !r5) ||
(!r1 && !r2 && r3 && !r4 && r5) || (!r1 && !r2 && !r3 && r4 && r5) ]];
}
dc guranteeInv(){
exclusion() && noloss(HH2O, HCH4, PUMPON) && nospuriousack(a1,r1) &&
nospuriousack(a2,r2) && nospuriousack(a3,r3) && nospuriousack(a4,r4) &&
nospuriousack(a5,r5);
}
dc guranteeResp(){
response(r1,a1) && response(r2,a2) && response(r3,a3) &&
response(r4,a4) && response(r5,a5);
}
dc ArbCommit 5 3(){
guranteeInv() && guranteeResp() ;
}
}
indefinitions{
ga3 : ArbCommit 5 3();
}
hardreq{
ArbAssume 5 2() =>ArbCommit 5 3();
}
softreq{
useind ga3;
(ga3);
}
of synthesis method in section 4. The file synth.config is used to provide the
configuration parameters like the number of iterations for H-optimal super-
visor. The command produces the supervisors MPS.dfa and MPHOS.dfa.
– We then determinize the MPHOS.dfa using default values with command
synth deterministic MPHOS.dfa default.io to get a controller called
Controller.dfa. The file default.io contains the ordered list of output lit-
erals e.g. if we have two outputs o1 and o2, then the list {!o1,o2} says that
try to determinize the MPHOS.dfa with following priority for the output
{!o1,o2}>>{!o1,!o2}>>{o1,o2}>>{o1,!o2}.
– To measure the expected value of the soft requirement being satisfied, the
command aut2mrmc Controller.dfa default.io index is used. The in-
dex parameter is the index of indicator variable (for the soft requirement)
in the Controller.dfa. The command produces Controller.tra and Con-
troller.lab files which can be imported in tool MRMC to compute the ex-
pected value.
– Apart from expected case performance, the tool also facilitates the method
for checking must dominance between two given supervisors S1 and S2. As
supervisors are finite state mealy machines and a commitment C is a regular
property, we can use validity checking of QDDC to check whether S1 ≤Cdom S2
as formulated in the following proposition. In tool DCSynth, we provide a
facility to decide must-dominance between two supervisors. The tool also
gives a counter example if must-dominance fails.
Proposition 4. Let D(Si) denote QDDC formulas with same language as
the supervisors Si and let C be regular property over input-output alphabet
(I,O). Then, S1 ≤Cdom S2 iff
|=qddc ∀I ([∀O. D(S1) ∧ C)] ⇒ [∀O.(D(S1) ∧ C)])
We use this facility to compare supervisors obtained from different types of
specifications discussed in Section 5.1
D Synthesis with Semi-Symbolic DFA
An interesting representation for total and deterministic finite state automata
was introduced and implemented by Klarlund et al in the tool MONA [15]. It
was used to efficiently compute formula automaton for MSO over finite words.
We denote this representation as Semi-Symbolic DFA (SSDFA). In this repre-
sentation, the transition function is encoded as multi-terminal BDD (MTBDD).
The reader may refer to original papers [15, 16] for further details of MTBDD
and the MONA DFA library.
Here, we briefly describe the SSDFA representation, and then consider con-
troller synthesis on SSDFA. Figure 5(a) gives an explicit DFA. Its alphabet
Σ is 4-bit vectors giving value of propositions (r1, r2, a1, a2) and set of states
S = {1, 2, 3, 4}. This automaton has a unique reject state 4 and all the miss-
ing transitions are directed to it. (State 4 and transitions to it are omitted in
Figure 5(a) for brevity.)
Fig. 5. Amps for Arbhard(2, 2) (a): External format (b): SSDFA format
Figure 5(b) gives the SSDFA for the above automaton. Note that states are
explicitly listed in the array at top and final states are marked as 1 and non-
final states marked as −1. (For technical reasons there is an additional state
0 which may be ignored here and state 1 may be treated as the initial state).
Each state s points to shared MTBDD node encoding the transition function
δ(s) : Σ → S with each path ending in the next state. Each circular node
of MTBDD represents a decision node with indices 0, 1, 2, 3 denoting variables
r1, r2, a1, a2. Solid edges lead to true co-factors and dotted edges to false co-
factors.
MONA provides a DFA library implementing automata operations includ-
ing product, complement, projection and minimization on SSDFA. Moreover,
automata may be constructed from scratch by giving list of states and adding
transitions one at a time. A default transition must be given to make the automa-
ton total. Tools MONA and DCVALID use eager minimization while converting
formula into SSDFA.
Remark 1: DFA in Figure 5 also denotes a Output-nondeterministic Mealy
machine with input alphabet (r1, r2) and output alphabet (a1, a2). Automaton
is nondeterministic in its output as δ(1, (1, 1, 1, 0)) = 2 and δ(1, (1, 1, 0, 1)) = 3.
We use SSDFA to efficiently synthesize the MPS and MPHOS for the DC-
Synth specification (I,O,Dh, Ds), without actually expanding the specification
automata into game graph. The use of SSDFA leads to significant improvement
in the scalability and computation time of the tool.
D.1 Computing Maximally Permissive Supervisor (MPS)
Recall the synthesis method in Section 4. Let the hard requirement automaton
be A(Dh) = 〈S, 2I∪O, δ, F 〉. We construct the maximally permissive supervisor
by iteratively applying Cpre(A(Dh), X) to compute set of winning states G, as
outlined section 4.1. This requires efficient implementation of Cpre(A(Dh),X )
over SSDFA A(Dh). The symbolic algorithm for Cpre marks, (a) each leaf node
representing state s by truth value of s ∈ X, (b) each decision node associated
with an input variable with AND of its children’s value, and (c) each deci-
sion node associated with output variable with OR of its children’s value. The
computation is carried out bottom up on MTBDD and takes time |MTBDD|,
where |MTBDD| is the number of BDD nodes in it. In contrast the enumera-
tive method for implementation of Cpre would have taken time of the order of
2|I∪O|.
Next we compute the automaton MPS(Dh) = 〈G∪{r}, 2I∪O, G, δ′〉 by only
retaining transitions between the winning states G. Here r is the unique reject
state introduced to make the automaton total. We consider the following two
methods.
– Enumerative method: MPS(Dh) is constructed from A(Dh) by adding a
transition at a time as follows: for any s ∈ G if δ(s, (i, o)) ∈ G then
(s, (i, o), δ(s, (i, o)) ∈ δ′. Clearly, this algorithm has time complexity |S| ×
2|I∪O|. Finally, we make Amps total by adding all the unaccounted transitions
from any state to the reject state r.
– Symbolic method: in this method, the MTBDD of A(Dh) is modified so that
each edge pointing to a state in S−G is changed to go to the reject state r.
Note that this makes states in S− (G∪{r}) inaccessible. Now this modified
SSDFA is minimized to get rid of inaccessible states and to get smaller MPS.
The time complexity of this computation is O(|MTBDD|) for modifying the
links and N.t.log(N) for minimization where N is number of states and t is
the size of alphabet in A(Dh).
In Table 3 we give experimental results comparing the computation ofMPS(Dh)
using the two algorithms. It can be seen that the symbolic algorithm can be faster
by several orders of magnitude. This is because we do not construct the MPS
from scratch; instead we only redirect some links in MTBDD of A(Dh) which is
already computed. The Mine-pump specification used in the Table 3 is given in
Section 5.3.
D.2 Computing H-Optimal Supervisor (MPHOS)
In this step we compute the MPHOS from MPS. For a given maximally permis-
sive supervisor MPS, a QDDC formula D and an integer parameter H. We get
the H-optimal sub-supervisor of MPS called MPHOS by iteratively computing
V al(s, p+1) from V al(s, p) for 0 ≤ p < H as outlined in Section 4.2 4. This step
can be denoted by VALPre(AArena).
Remark 2: For AArena a transition has the form δ(s, (i, o, v)) with i ∈
2I , o ∈ 2O, v ∈ 2{w}. However, from the definition of Ind(Ds, w), the value of w is
uniquely determined by (s, (i, o)) in the corresponding automatonA(Ind(Ds, w)).
Hence we can abbreviate the transition as δ(s, (i, o)). uunionsq
4 Note that the tool DCSynth in general allows a lexicographical list of soft require-
ment, it is basically a lexicographical list of several QDDC formulas. The tool DC-
Synth implements a MPHOS computation based on this lexicographical (or with
explicit weight to each soft requirement) list by using the weight for each transition
as the sum of weights of all the soft requirement being satisfied on that transition.
The tool also allows the discounting factor γ which is used to give higher weight to
the requirements being satisfied in near future
Table 3. MPS Synthesis: Enumeration vs symbolic method (time in seconds). For
A(Dh) we give number of states and time to compute it from the QDDC hard require-
ment formula. For MPS(Dh) we give its number of states and time to compute it using
the two methods. St, Ts, En and Sy represent total no. of states, time in seconds, enu-
merative method and symbolic method respectively. The Example Arbhard(n, k) rep-
resents the specification Type0(Arb(n, k, n)) and Arbsoft(n, k) represents the example
Type2(Arb(n, k, n)).
Example Hard Requirement
A(Dh) MPS(Dh)
St Ts St Ts Ts
(En) (Sm)
Arbhard(4, 4) ARBHARD(4, 4) 177 0.04 126 0.025563 0.002033
Arbhard(5, 5) ARBHARD(5, 5) 2103 0.43 1297 0.59 0.04
Arbhard(6, 6) ARBHARD(6, 6) 31033 9.22 16808 42.75 0.91
Arbsoft(4, 2) ARBINV (4) 3 0.016 2 6.2E-4 7.6E-5
Arbsoft(5, 3) ARBINV (5) 3 0.020 2 1.9E-3 1.2E-4
Minepump(8, 2, 10, 1) MineAssume(2, 10, 1) 271 0.08 211 1.4E-2 5.8E-3
⇒ ArbCommit(8)
Now to compute MPHOS we again have two methods: one is enumerative
and other is symbolic method. We give the algorithm and associated complexity
results for one value iteration (i.e. for VALpre followed by Omax computation.
Let Q be the set of states of AArena.
– Enumerative Method : As given in Step (3) of synthesis method, for each
state s we need to enumerate all paths starting from s to get V al(s, p + 1)
from V al(s, p), which will take time of the order of 2|I∪O|×k, where k is the
number of soft requirements (In this paper k is assumed to be 1). Similar
complexity will be required to get the list of transitions with maximum
values denoted as omax (Note that there can be multiple transitions with
same omax, all such transitions will be included in MPHOS). Hence, As the
algorithm terminates after H iterations the total time complexity of entire
algorithm for H iteration is |Q| × 2|I∪O| ×H (for k = 1).
– Symbolic method: For this optimization to be applicable we assume that in
MTBDD representation of AArena, all the input variables occur before the
output variables O and the indicating variable w (in general it can be a set
if k > 1). A node in MTBDD is called a frontier node if it is labelled with
an output or a witness variable, and all its ancestors are labelled with in-
put variables. For example, in Figure 5(b), these are nodes labelled 2 (they
happen to occur at same level in this example). For each frontier node enu-
merate each path pi within the MTBDD below the frontier node (this fixes
values of (o, w) ∈ 2O × 2W occurring on pi as well as next state s′). Update
the optimal omax as well as next state so based on wt(o, v) for paths seen so
far. This takes time O(df ×k) where df is the number of paths in MTBDD
below the frontier node f . This optimal output omax(f) as well as next state
so for each value iteration is stored in each frontier node f . The total time
taken is O(doutput ×H) where doutput = Σf∈Fr df and Fr is the set of all
frontier nodes. H is the number of steps in value iterations.
In second step, for each state s ∈ Q, enumerate each path from state s to
a frontier node f . This fixes the valuation of input x. Insert a transition
δmphos(s, (x, omax)) = so to Amphos. Let the total number of paths up to
frontier nodes be dinput. Then the second step takes time O(dinput + |Q|)
where time taken to insert a transition in Amphos is assumed to be constant.
Hence total time for entire algorithm is Amphos is O(d + |Q|) ×H where d
is total number of paths in MTBDD of AArena (here k is assumed to be 1).
It may also be noted that in worst case, the total number of MTBDD paths
d is of size O(2|I∪O|) and two algorithms have comparable complexity. But in
most cases, the total number of MTBDD paths d  2|I∪O| and the symbolic
algorithm turns out to be more efficient.
D.3 Computing a Controller using default value
The controller can be computed from MPHOS for a given default value order ord,
using the similar algorithm as given for MPHOS computation. Here we assume
that the default values provided are the soft requirements and H is equal to 1.
So the MPHOS computation algorithm will try to choose those transitions with
outputs that locally satisfy the default values given in ord. As the ord provides
default values for every output variable, so there will always be a unique output
that will maximally satisfy the default value. Hence, the output will always be
a deterministic Mealy machine i.e., we will get a controller.
E Comparison with Other tools
In Table 4 we have compared the performance of DCSynth with few leading tools
for LTL synthesis. The examples in QDDC are manually translated into bounded
LTL properties for giving them as input to Acacia+ [5] and BoSy [11]. We have
only considered examples with hard requirements as these tools do not support
soft requirements. The on-line version of BoSy tool was used which enforces a
maximum timeout of 600 seconds. For other tools, a local installation on Linux
(Ubuntu 16.04) system with Intel i5 64 bit, 2.5 GHz processor and 4 GB memory
was used with a time out of 3600 seconds. In this comparison DCSynth was used
with symbolic algorithm for both MPS and MPHOS computation. Note that for
these examples the MPHOS algorithm will always terminate after 1 iteration
only, as the examples do not have soft requirements, so DCSynth chooses one
of the possible outputs from the MPS based on default output order. We have
provided default output order for all types of arbiter example as a1 > . . . > ai
and for Mine-pump example it is PumpOn.
As the comparison table above shows, the DCSynth approach seems to out-
perform the state-of-the-art tools in scalability and controller computation time.
Table 4. Comparison of Synthesis in Acacia+, BoSy and DCSynth, in terms of con-
troller computation time and memory and number of states of the controller automaton.
Minepump as well as Arbtok(n) specifications can be found in Appendix A.1.
Acacia+ BoSy DCSynth
Hard Requirement time(Sec) Memory / time(Sec) Memory / time(Sec) Memory /
States States States
Arbhard(4, 4) 0.4 29.8/ 55 0.75 -/4 0.08 9.1/ 50
Arbhard(5, 5) 11.4 71.9/ 293 14.5 -/8 5.03 28.1/ 432
Arbhard(6, 6) TOa - TO - 80 1053.0/ 4802
Arbtok(7) 9.65 39.1/ 57 TO - 0.3 7.3/ 7
Arbtok(8) 46.44 77.9/ 73 - - 2.2 16.2/ 8
Arbtok(10) NCb - - - 152 82.0/ 10
Mine-pump NC - TO - 0.06 50/ 32
Experiments with BoSy are using online version.
a TO=timeout(DCSynth and Acacia+ 3600secs, BoSy 600secs)
b NC=synthesis inconclusive
This is largely due to the pragmatic design choices made in the logic QDDC and
tool DCSynth.
It can also be seen that BoSy often results in controller with fewer states.
BoSy is specifically optimized to resolve non-determinism to get fewer states. In
our case, the tool is optimized to satisfy maximal number of soft requirements.
It would be interesting to merge the two techniques for best results.
F Measuring latency using Model Checking
Plethora of synthesis algorithms and optimizations give rise to diverse controllers
for the same requirement. In comparing the quality of these different controllers,
an important measure is their worst case latency. Latency can be defined as
time (number of steps) taken to achieve some desired behaviour. In our frame-
work, for latency specification, user must give a QDDC formula Dp charac-
terizing execution fragments of interest. For example the QDDC formula Dp
= [[req && !ack]] specifies fragments of execution with request continuously
true but with no acknowledgment. Given a DFA (controller) M , the latency
goal MAXLEN(Dp,M) computes sup{e − b | ρ, [b, e] |= Dp, ρ ∈ Exec(M)},
i. e. it computes the length of the longest interval satisfying Dp across all the
executions of M . Thus, it computes worst case latency for achieving behaviour
Dp in M . For example, given a synchronous bus arbiter controller Arb, goal
MAXLEN([[req && !ack]], Arb) specifies the worst case response time of
the arbiter Arb. Tool CTLDC, which like DCSynth and DCVALID is member
of DCTOOLS suite of tools, provides efficient computation of MAXLEN by
symbolic search for longest paths as formulated in article [23]. This facility will
be used subsequently in the paper to compare the worst case response times
achieved by various controllers synthesized under different criteria.
Table 5. Worst Case Response Time Analysis using CTLDC using Response Formula
MAXLEN([[reqi && !acki]]) computation. The value of H is specified only for Arb
soft
Sr.No Arbiter Variant Horizon (H) Computed Response
Response for ith cell Value (in cycles)
1 Arbhard(5, 5) - 1 ≤ i ≤ 5 5
2 ArbhardAssume(5, 3, 2) - i = 1 2
3 2 ≤ i ≤ 5 3
4 Arbsoft(5, 3) (H = 1) 1 ≤ i ≤ 4 ∞
5 i = 5 3
6 Arbsoft(5, 3) (H = 2) 1 ≤ i ≤ 3 ∞
7 4 ≤ i ≤ 5 3
8 Arbsoft(5, 3) (H >= 3) 1 ≤ i ≤ 2 ∞
9 3 ≤ i ≤ 5 3
Table. 5 gives worst case latency measurements carried out using tool CTLDC
for various controllers synthesized using DCSynth. For Arbiter examples, worst
case response time (maximum number of cycles a request remains true con-
tinuously, without an acknowledgment) is measured using a CTLDC formula
MAXLEN([[reqi && !acki]]), for each cell i of various arbiters discussed in sec-
tion 5. We use arbiter variants with 5 cells (i.e. 1 ≤ i ≤ 5) for our experiments.
– The specification Arbhard and ArbhardAssume do not have soft requirements,
therefore guided synthesis will choose an arbitrary output from the con-
structed MPS, without any value iteration (i.e. H = 1). The results for these
are described as follows
• Arbhard(5, 5) has worst case response time for each cell as 5 cycles, this
would happen when all the request lines are continuously on and the
controller gives acknowledgment to each cell in round robin fashion.
• ArbhardAssume(5, 3, 2) has worst case response for first cell is 2 cycles,
whereas for all the other cells it is 3 cycles, provided the assumptions
are met. If assumptions are not met, then 3 cycle response cannot be
guaranteed (If request from all 5 cells is on continuously). Assumption
put a constraint that at most 2 requests can be on at any point of time.
– For the specification Arbsoft(5, 3) the response requirement is that all the
cell should get an acknowledgment within 3 cycles if the request is con-
tinuously true (it would be unrealizable if we use only hard requirement).
However, a controller which satisfies these requirements as much as possible
was generated using DCSynth.
• For example, Arbsoft(5, 3) “tries” to give acknowledgment within 3 cycles
with higher priority assigned to higher numbered cell (see the description
in Section 5). However, when all the requests are on simultaneously then
req5 gets the highest priority and hence can always have worst case
response time of 3 cycles, but req1 given the lowest priority may end
up with worst case response time of ∞ (when the request from higher
number cell is always true).
• Another important observation is that DCSynth may generates differ-
ent controllers for different horizons (value iterations) given for MPHOS
computation. More intuitively, as the value of horizon tends to ∞, the
controller produced reaches closer to the global optimality. This effect
can be seen from row number 4–9, where the horizon moves from 1 to
more than 2. For horizon 1, DCSynth produces a locally optimal con-
troller and hence the controller produced only guarantees the response
time for the highest priority cell (i.e. cell no. 5, see row number 5). For
all other cells the worst case response is ∞. When the horizon bound is
increased to 2, the controller produced meets the response requirements
for 2 cells (i.e. cell no. 4 and 5, see row number 7). Finally, when the
bound is increase to 3 or more, the controller produced guarantees the
worst case response for 3 cells (i.e. cell no. 3, 4 and 5 see row number
9). It can be seen that the maximum number of cells that can meet the
3 cycle response will be 3, in worst case. Therefore, increasing horizon
beyond 3 does not change the result.
