Abstract. DCSYNTH is a tool for the synthesis of controllers from safety and bounded liveness requirements given in interval temporal logic QDDC. It investigates the role of soft requirements (with priorities) in obtaining high quality controllers. A QDDC formula specifies past time properties. In DCSYNTH synthesis, hard requirements must be invariantly satisfied whereas soft requirements may be satisfied "as much as possible" in a best effort manner by the controller. Soft requirements provide an invaluable ability to guide the controller synthesis. In the paper, using DCSYNTH, we show the application of soft requirements in obtaining robust controllers with various specifiable notions of robustness. We also show the use of soft requirements to specify and synthesize efficient runtime enforcement shields which can correct burst errors. Finally, we discuss the use of soft requirements in improving the latency of controlled system.
Introduction
A temporal logic formula implicitly specifies the allowed sequence of inputs and outputs. In reactive synthesis the aim is to construct a controller (say a Mealy Machine) which explicitly computes the value of the output sequence for any given input sequence, in an online fashion, such that the requirement is met. Reactive synthesis is typically a much harder problem than the monitor synthesis. Considerable research has been carried out on the reactive synthesis problem and there are several tools which implement and experiment with reactive synthesis [6] .
During development systems are often under specified and several different controllers with distinct behaviors may all meet the specification. In this case "guidance" must be provided to the synthesizer to choose amongst them. A critical parameter in acceptance of automatic synthesis technique is the quality of the synthesized controller [1, 2] . Thus, just correct-by-construction synthesis is not sufficient.
Requirements are typically structured as a set of assumptions A and a set of commitments (guarantees) C. Much of the research has addressed "Be-Correct" goal [2] for synthesis which states that if assumptions hold for throughout the behavior then commitment holds for the behavior. For safety formulas this would take the form G A ⇒ G C.
Robustness pertains to the ability of the controller to meet commitments even when (some) environmental assumptions are violated, and the ability of the controller to recover from transient environmental errors. Laying down such criteria, Bloem et. al. have defined "don't-be-lazy" and "never-give-up" as desirable synthesis goals [2] . Other criteria include various notions of resilience [5] .
A related problem is synthesis of run time enforcement shield [3, 5, 11, 12] for critical correctness properties. The diagram 4 depicts the use of shield, which receives both input I and output O from a (occasionally incorrect) controller. The aim of the shield is to generate modified output O which always meets the requirement Req(I, O ) even if system output intermittently fails to meet Req(I, O). Moreover, O must deviate from O "as little as possible" [3] . Bloem et. al. proposed a notion k-shield for "as little as possible" whereas Wu et. al. [11] proposed an alternative notion of "safety shield" which tolerates burst errors. This paper describes a tool DCSYNTH which allows synthesis of controllers from safety and bounded liveness requirements given in interval temporal logic QDDC. The paper mainly investigates the role of soft requirements (with priorities) in obtaining high quality controllers. A QDDC formula specifies past time properties, and it holds at a position in behavior if the past satisfies the property. Its (bounded) counting and regular expression like primitives allow complex quantitative properties to be specified elegantly. In DCSYNTH synthesis, hard requirements must be invariantly satisfied whereas soft requirements may be satisfied "as much as possible" in a best effort manner by the controller. In DCSYNTH specification, the soft requirements (which are QDDC formulas) can be given weights and the tool selects from all permissible outputs which meet the hard requirements, the one which satisfies a maximal subset of soft requirements, in a "locally optimal fashion". We present the case studies of bus arbiter and mine pump specification to illustrate the use of soft requirements in synthesis specification.
Soft requirements provide a powerful and practically useful ability to guide the controller synthesis. In the paper, we show the application of soft requirements in obtaining robust controllers with various specifiable notions of robustness. We also show the use of soft requirements to specify and synthesize efficient run time enforcement shields which can correct burst errors. Finally, we discuss the use of soft requirements in improving the latency of controlled system. The main contributions of this paper are as follows:
-We present a tool DCSYNTH for synthesis of controllers from QDDC requirements. This extends the past work [8] on model checking interval temporal logic with synthesis abilities. -The tool DCSYNTH allows guided synthesis of controllers based on soft requirements which are met "as much as possible" in a locally optimal fashion. To our knowledge DCSYNTH is amongst the first reactive synthesis tool to support soft requirement guided synthesis. -We show application of mixture of hard and soft requirements to specify various notions of robustness. This includes "never-give-up" and "don't-be-lazy" criteria of Bloem et. al. [2] as well as k, b-resilience criterion of Ehler et. al. [5] . DCSYNTH is able to automatically synthesize robust controller from such specification. We give experimental results to evaluate the applicability of our tool for such robust synthesis. -We show application of hard and soft requirements to specify shields.
We show how variants of shields of Bloem et. al. and Wu et. al. can be specified and automatically synthesized. We give detailed experimental results and comparison with past work to illustrate that DC-SYNTH is able to synthesize very compact shields which tolerate burst errors. -Soft goals impact the latency of the controller. An associated tool, CTLDC, allows measurement of worst case latencies using symbolic techniques for finding longest and shortest paths [9] . We give experimental results to show how soft requirements indirectly impact the latencies.
The remainder of this paper is organized as follows. Section 2 gives a motivating example of synchronous bus arbiter with hard and soft requirements. Logic QDDC as well as DCSYNTH syntax are introduced in Section 3. Section 4 gives the guided synthesis method from given DCSYNTH specification. Experimental results in synthesizing controllers using the DCSYNTH tool are also reported. Section 5 deals with robustness and Section 6 deals with shield synthesis. Both these include experimental results. We conclude with Section 7 on experiments examining impact of soft requirements on controller latencies. The tool is available for download from http://www.tcs.tifr.res.in/~pandya/dcsynth/dcsynth.html. The input files for all the experiments reported in this paper as well as corresponding outputs of the tool DCSYNTH are also available there for examination.
Motivating Example
In this section we llustrate the main advantage of guided reactive synthesis with soft requirement with an example of synchronous bus arbiter.
An n-cell synchronous bus arbiter with req i as inputs and ack i as corresponding outputs (where 1 ≤ i ≤ n), is a circuit that arbitrates between a subset of requests at each cycle by setting one of the acknowledgments true. Hard requirements include the following three invariant properties.
In QDDC [[P ] ] denotes that proposition P is invariantly true. Thus, M utex gives mutual exclusion of acknowledgments. N oLoss states that if there is at least one request then there must be an acknowledgment. N ospurious states that acknowledgment is only given to a requesting cell.
In literature GR(1) synthesis has been used to specify fairness between cells of arbiter [4] . We consider here other variants with concrete bounds on the arbiter response.
-We can specify response time of k cycles as a bounded liveness property: let Resp(req, ack, k) denote that if request has been high for last k cycles there must have been at least one acknowledgment in the last k cycles (next section gives the QDDC formula for this). Let ArbResp(n, k) state that for each cell i and for all observation intervals the formula Resp(req i , ack i , k) holds.
-Consider the following specification with only hard requirements and no soft requirements,
DCSYNTH can synthesize a controller say ArbCntrl hard (n, k) for given values of n, k. -Moreover, we can also include soft requirements giving priority to cells, e.g. (ARBHARD(6, 6), ack6, ack2 ) which gives acknowledgment ack 6 as first preference and ack 2 as second preference as far as these don't conflict with the hard response requirements. Table. 1 gives experimental results for synthesis with several such soft requirements. -If we use ARBHARD(6, 2) in place of ARBHARD(6, 6) the specification becomes unrealizable as expected (as we cannot guarantee response within two cycles for all 6 cells). The tool reports this with a diagnostic counter-strategy. -However, we can specify the requirements of response in 2 cycles as soft requirements with priority as Arb sof t (6, 2) where
Using DCSYNTH we get a controller called ArbCntrl sof t (6, 2) which "tries" to give every cell acknowledgment within 2 cycles as far as possible with highest priority given to cell 6, followed by cell 5, and so on. Table. 1 gives the time taken compute this controller. Table. 5 gives a detailed account of the robust behavior of this complex arbiter. The latency measurement of ArbCntrl sof t (6, 2) using tool CTLDC shows that the worst case response time for cell 6 is 2 cycles, for cell 5 is 3 cycles and for all other cells it is ∞. -Consider an Arb hard (n, k) like arbiter working under the assumption Assume(n, i) which states that in current cycle at most i requests are true simultaneously. Consider the arbiter specification with no soft requirement as follows.
Synthesis of various robust arbiters which function even in presence of intermittent violation of the assumption is reported in Table. 3. -Section 6 gives experimental results in specifying and synthesizing run time enforcement shields from diverse specifications (see Table. 4).
Above examples show that DCSYNTH can fruitfully use soft requirements to synthesize better performing, more robust controllers as well as shields.
QDDC and DCSynth Specification
We now give the QDDC formula Resp(req, ack, k) for the response time of the arbiter. We refer the reader to §A in Appendix for a discussion on the logic QDDC [8] .
We define Resp(req, ack, k) = (true^( [[req] ]&&(slen=k-1))=> (true^(slen=k-1&&(true^<ack>^true))). In QDDC the only temporal modality is the chop operator (^) and is interpreted over a word σ and a closed interval [ 
The term slen = k holds for an interval [i, j] if j − i = k and scount p, where p is a propositional formula, counts the number of positions in the interval where p holds. Thus, as true holds for any word and any interval, Resp states that if req holds throughout the last k positions in the word then at least at one of the last k positions ack should hold.
With [] being for all sub-intervals operator, the formula ArbResp(n, k) says that Resp(req, ack, k) must be true for all intervals and for all the cells from 1 to n.
The tool DCSYNTH takes a DCSYNTH spec as input and outputs a controller. Formally, a DCSYNTH spec is a tuple 
The soft requirements are specified as lexicographically ordered list of propositions P 1 , · · · , P l where each P i is a propositional formula over I ∪ O ∪ W . Each P i represents a soft requirement with priority higher than all P j 's, 1 ≤ i < j ≤ l. Example 1. A DCSYNTH spec for an n cell arbiter with soft requirement of k cycle response ArbResp(n, k) for all the cells is as follows: let I =
Let L = w 6 , w 5 , . . . , w 1 which gives the higher numbered cell the higher priority. Then
4 Guided Reactive Synthesis Algorithm
, a DCSynth spec, we synthesize a controller as below.
states that at every point in execution, the value of w i equals the truth-value of D s i . We construct a language equivalent symbolic DFA, called A Hard+Ind , for the formula D hard ∧ D Ind using tools DCVALID and MONA. From [8] , it is known that for every QDDC formula D, we can effectively construct a equivalent finite state automaton A(D), such that a word is accepted by A(D) iff it satisfies formula D. Tool DCVALID implements this procedure. -A safety monitor automaton A mon is obtained by computing the prefix closure of A Hard+Ind . This automaton has the alphabet 2 I∪O∪W . The automaton is reduced to its minimal deterministic form. This automaton forms the arena on which further synthesis is carried out. -The Maximally Permissive Non deterministic Controller (MPNC) is computed from the safety automaton using standard safety synthesis algorithm. This algorithm iteratively removes those states from which there exists an input combination for which all output combinations lead to bad states. The resulting automaton is again represented as a symbolic automaton A mpnc . If the initial state gets pruned in construction, the specification is unrealizable. A counter-strategy in tree form is displayed as explanation of unrealizability. -Note that in A mpnc each edge is labelled by a bit vector giving truth values of variables I ∪ O ∪ W . The value of witness variable w i ∈ W specifies whether QDDC formula D s i holds for all behaviours leading to this transition.
-For each state s and each input combination ip ∈ 2 I , we select output cum witness variable combination op ∈ 2 O∪W such that δ(s, ip ∪ op) is a valid transition of MPNC and val ip∪op ( P 1 , . . . , P l ) is lexicographically maximal amongst all such op. Here, val ip∪op ( P 1 , . . . , P l ) is l-bit vector with i-th bit representing truth (1 or 0) of P i under ip ∪ op. If there are more than one choice of op giving the same maximal value, we choose one arbitrarily. This gives the Locally Optimal Deterministic Controller (LODC) which satisfies the lexicographically maximal subset of soft requirements at each step. This greedy strategy does not guarantee global optimality. -The LODC can then be encoded as controller in any target language.
We provide the encoding of LODC to LUSTRE/SCADE or NuSMV, which allows us to do simulation and model checking on the generated controller.
Example 2. Synthesis of 2 Cell Arbiter with Soft Requirements giving high priority to lower numbered request. Fig. 1 gives the safety monitor automaton for 2-cell arbiter for following specification
Each transition is labeled by 4 bit vector giving values of req 1 , req 2 , ack 1 , ack 2 . Fig. 2 (a) gives the MPNC automaton for the 2-cell arbiter computed from the safety monitor automaton of Fig. 1 . In the example, the soft requirements are ack 1 , ack 2 which give ack 1 priority over ack 2 . We obtain the pruned LODC controller automaton of Fig. 2 (b) from the MPNC of Fig. 2 (a). Note that we minimize the automaton at each step. Tool Implementation Internally, the monitor automaton, MPNC and LODC are all stored as symbolic DFA. The transition table of the DFA is represented as MTBDD using the DFA library of tool MONA [7] . Internal data structures and algorithms can be found in the full version of the paper (see Appendix B). 
Experimental Results
Several case studies for synthesis have been carried out using DCSYNTH. Table. 1 enlists the results of two of the case studies: (a): controllers for bus arbiter in §2 with various soft and hard requirements, and (b): a minepump controller for the specification M IN EP U M P (cf. Appendix. C.1 for details). The controller operates a pump to get rid of water based on water level and methane presence (which prevents pump from being used). Soft requirements impact the quality of the pump controller. For example, for the soft requirement !PumpOn the controller will try to keep pump off as much as possible. On the other hand, the soft requirement PumpOn agressively gets rid of water by keeping the pump on whenever possible. The analysis of worst case time for the controllers to get rid of water with different soft requirements is given in §7. 
!PumpOn >> !Alarm 83 0.04 9.1
Robustness
We consider various notions of robustness. Table. 2 summarizes the robustness that we consider along with hard and soft requirements to obtain robust controllers.
-Be-Correct If assumption has held invariantly so far then commitment must hold now.
-Be-Currently-Correct If assumption holds intermittently, the commitment must hold whenever assumption holds. -Degraded-Performance Let Ad ⊆ A and Cd ⊆ C, where Ad,Cd denote reduced set of assumptions and commitments which specify degraded behaviour of system when fewer assumptions hold. -Never-Give-Up In addition to Be-Correct, all the commitments are asserted as soft requirements. This makes the controller synthesizer attempt to make them true even when assumptions do not hold, and for as many inputs as possible. -Greedy Here commitments are given as soft goals ignoring the assumptions. The synthesis algorithm tries ot make as many commitments true as possible at each step in a greedy fashion.
Resilient synthesis requires synthesis of controller which works under weaker assumptions than Be-Correct notion in order to tolerate errors in assumptions. For example, Be-Currently-Correct requires commitment to hold at now if assumption holds now irrespective of whether it has held in past. Several other notions of resilience are given below. A notion of k, b-resilience was proposed by Ehler and Topcu [5] , and further adapted by Bloem as k-robustness [3] . Table 2 . Robust synthesis notions and their specifications.
In the table A denotes conjunction of assumptions and C denotes conjunction of commitments. Thus, !A denotes violation of at least one assumption.
Robustness Criterion
Hard
-k-Bounded If in past assumptions have been violated at most k times so far then commitment must be met. -k, b-Resilient A subinterval where assumption is continuously true for b or more cycles is called a recovery period. Formula KBREZ(A) in Table. 2 states that between any two recovery periods, the maximum number of assumption violations is at most k. A controller which guarantees commitments C at every point where past satisfies KBREZ(A) is called k, b-resilient (see [5] ). -k, b-Variant If in past in any period of length b the assumption has been violated at most k times then the commitment must hold.
Note that criterion such as Never-Give-Up can be combined with Resilient synthesis. Moreover, designer may selectively apply these criteria to specific assumptions and commitments. DCSYNTH permits full flexibility in making such choices. Table. 3 gives the synthesis of arbiter specifications under various notions of robustness in DCSYNTH for the assumptions Assume(n, i) and commitments ARBHARD(n, k) for the specification Arb hard assume (n, k, i) in Equation. 5. 
The simulation of controller produced for Never-Give-Up Strategy is given is Figure 3 . The assumtions starts violating after step 15, where more than request are true simultaneously, but the controller tries to meet as many requirements as possible. A safety shield is a run time enforcer that can be attached to a reactive system design R to detect the property violations by the design and correct them run time [3, 11] . Fig. 4 gives the schematic of a safety shield for R.
Shield Synthesis
We assume the definitions of a reactive system design and their serial composition Definition 1 (Safety shield). [3, 11] Let R be a reactive system design and let D be a safety specification, both over (I, O). Then a safety shield for R and D is a reactive system S over (I, O ) satisfying:
as seldom as possible.
The word "deviates" assumes different meaning in the literature. For example, in [3] Bloem et. al. proposed K-shield which can disagree with the design for at most K consecutive steps provided the design recovers immediately after an error and does not violate the specification for next K cycles. Since the shield is allowed a window of K cycles to deviate from the design output in the event of an output error by the design it is not suited to handle burst errors. In [11] Wu et. al. proposed a burst error shield which is resilient to burst error and matches the design output whenever it meets the specification. However, this strategy of matching the design output until a violation occurs makes the synthesis algorithm "non-conservative" in the sense that it may fail to generate a shield even if specification is realizable.
To overcome these issues we propose conservative shield synthesis. The conservative shield synthesis differs from K-shield synthesis in two key respects: it does not impose any restriction on the design output and it can handle burst errors. It also differs from Wu et. al. as, unlike them, we will always synthesize a shield whenever the specification is realizable.
Shield synthesis criteria can be specified using hard and soft requirements. DCSYNTH can then synthesize the desired shield. We give examples of variants of K-shield and Burst error shield, and call the "conservative".
-Conservative K-shield.
• Input:
• Soft requirement: None -Conservative burst error shield.
• Soft requirement: ∧ o∈O (true^<o=o'>) with all of formulas assigned same priority. We emphasize the importance soft requirements here, it forces a conservative burst error shield to try and match the design output as often as possible. This is because when all the soft requirements are assigned same priority DCSYNTH will try to synthesize a controller selecting an output which meets the hard requirement as well as a maximal set of soft requirements at every step.
.
We have rerun the experiments in [11] in our framework, and the results are as tabulated in Table. 4. For the sake of comparison we use the input files of Wu et. al.
[10] as inputs to DCSYNTH 1 . As the table suggests, in most of the cases the shield that we synthesize compares favorably with the corresponding shield synthesized in [3] and [11] both in terms of size and time taken for the synthesis. For instance, for the guarantee AMBA G5+6+9e64+10 our tool synthesize a shield significantly faster and with smaller no. of states than the existing tools [3, 11] .
Quantitative Latency Measurement
Soft requirements are often used as directives to the synthesis algorithm which impact the "latency" of the controller. We give a notation to allow users to specify what is latency. Model checking technique, implemented in tool CTLDC [9] , can then measure the worst case latency. Table. 5 gives worst case latency measurements carried out using tool CTLDC for various controllers synthesized using DCSYNTH. The results illustrate the impact of soft goals on controller behaviour as well as controller latency under various scenarios. For example, Arb sof t (6, 2) "tries" to give acknowledgement within 2 cycles with higher priority assigned to higher numbered cell (see the description in §2). Note that response time is one more than that in the column Computed Response in the Table. The worst case latency measurement shows that req6 has response time of 1 cycle whereas req5 has response time of 2 cycles. For all other cells the response time is ∞ since cells 6 and 5 can consume all the cycles. Note that when req6 is absent throughout the response time of cell 4 changes from ∞ to 3 cycles as shown in the 4 th row of the Table. 5. This points to the robustness of the synthesized controller. For the M IN EP U M P case study rows 8,9,10 give the maximum amount of time (in cycles) for which the water level can remain high (indicated by the variable HH2O) without violating the assumptions (indicated by AssumptionOk). Here, M IN EP U M P (req) denotes M IN EP U M P specification with soft requirement req as given in Appendix C.1. For example, soft requirement MPV3 is !PumpOn which tries to keep pump off as much as possible where as soft requirement MPV1 is PumpOn which tries to keep pump on as much as possible. As a result M IN EP U M P (M P V 1) gets rid of water in 4 cycles compared to 8 cycles for M IN EP U M P (M P V 3).
A Logic QDDC
Let Σ be a finite non empty set of propositional variables. A word σ over Σ is a finite sequence of the form P 0 · · · P n where P i ⊆ Σ for each i ∈ {0, . . . , n}. Let len(σ) = n+1, dom(σ) = {0, . . . , n} and ∀i ∈ dom(σ) :
The syntax of a propositional formula over Σ is given by:
and operators such as ⇒ and ⇔ are defined as usual. Let Ω Σ be the set of all propositional formulas over Σ. Let i ∈ dom(σ). Then the satisfaction relation σ, i |= ϕ is defined inductively as follows:
and the satisfaction relation for the rest of the boolean combinations defined in a natural way.
The syntax of a QDDC formula over Σ is given by: 
We call word σ a p-variant, p ∈ Σ, of a word σ if ∀i ∈ dom(σ), ∀q = p :
Example 3. Let Σ = {p, q} and let σ = P 0 · · · P 7 be such that ∀0 ≤ i < 7 : P i = {p} and
Example 4. Let Σ = {p, q, r} and let σ = P 0 · · · P 10 be such that ∀0 ≤ i < 4 : P i = {p}, ∀4 ≤ i < 8 : P i = {p, q, r} and ∀8 ≤ i ≤ 10 :
because for i ∈ {8, 9, 10} the condition ∃0 ≤ i ≤ 10 :
Entities slen , scount , and sdur are called terms. The term slen gives the length of the interval in which it is measured, scount ϕ where ϕ ∈ Ω Σ , counts the number of positions including the last point in the interval under consideration where ϕ holds, and sdur ϕ gives the number of positions excluding the last point in the interval where ϕ holds. Formally, for ϕ ∈ Ω Σ we have
In addition we also use the following derived constructs:
A formula automaton for a QDDC formula D is a deterministic finite state automaton which accepts precisely language L = {σ | σ |= D}.
B The Algorithm Implementation
The example shows the explicit state representation of the state space to produce the controller for demonstration purpose.
The algorithms are actually designed to work on symbolic data structure to represent the transistion function for each automaton. We use Multi-Terminal BDD(MTBDD) to represent the all the automaton.
The psuedocode of our algorithm is given in the following section. The monitor automaton A mon is obtained by GenMonitorAutomaton(), based on the procedure implemented in a tool DCVALID.
The algorithm for construction of A mpnc from A mon , is implemented by the function GenMPNC(). To illustrate this function, we first define the function C step : S × 2 S → {1, 0} as follows: V: S → {1, 0} be a value function over S Initialize V(s)=1 ∀s ∈ G, otherwise V(s) = 0
A mpnc = Created from A mon by keeping only the states s ∈ G and transitions (s, t) s.t. s ∈ G and t ∈ G. Now, we give construction of A lodc from A mpnc , which is implemented by the function GenLODC(). GenLODC() determinizes the automaton such that for any input a unique output can be selected.
We define the function evaluateSoftReq( P 1 ,..,P l , input output valuation), which takes list of soft requirements and input-output valuation as input and returns the weighted value of the soft requirements being satisfied by the valuation.
We also define lookupTable:I → (O × S × Integer), which contains for each input, the output value and the next state, that maximizes the satisfaction of soft requirements. Similarly a function initLookup: lookupTable × val → lookupTable initializes the lookupTable to some minimal value val for each input valuation..
Algorithm 3 GenLODC:
Input: A mpnc , I, O, P 1 ,..,P l Output: A lodc . S = set of states in A mpnc , initLookup(lookupTable, -1) initializes the lookupTable by the -1 for each input. FOR every state s ∈ S DO FOR every valuation (i,o,w) of (I ∪ O ∪ W) val = evaluateSoftReq( P 1 ,..,P l , (i,o,w)) IF val > lookupTable(i) THEN lookupTable(i) = {val, o, next state} Create the Automaton A lodc with updated transitions with valuation for each input and the corresponding output valuation given in lookupTable for each state.
Complexity Results: The algorithms work directly on this symbolic representaion, including function C step used inside GenMPNC. For the algorithn GenMPNC, the worst case complexity is O (N 2 .|BDD|) , where N is the number of states in monitor automaton A mon . This can be derived from the fact that the maximum number of iterations to reach a fix-point is (N − 1), and in each iteration there can be O(N ) step for each state which are marked as good. Each such state may requires O(|BDD|) steps to determine whether the state is winning or not (determined by function C step ). |BDD| represents the size of the MTBDD datastructure in terms of the number of BDD nodes.
The function C step is an important function as it is the core function used to find the winning region. We implement this function over MTBDD data structure without actually creating a game graph.
We give the outline of our algorithm as follows:
We assume that safety monitor automaton A mon is given as a dfa M = (Q, Σ, δ, G) where G ⊆ Q is the set of accepting states. Σ = 2 (I∪O∪W ) is the alphabet and δ : Q × Σ → Q with Q − G being the reject states. We assume that δ is encoded as MTBDD as in MONA.
In MTBDD the bdd nodes can be categorized as internal nodes or the terminal node. The terminal node represent the destination state of the transition. The internal nodes represent the decision on some variable v ∈ (I ∪ O ∪ W ).
Our algorithm start by labelling each terminal node with a value and then propagating this value to the bdd node corresponding to source state to see whether the source state belong to the winning region or not.
1. We starts by labeling each terminal node. Every terminal node is labelled as 1 if it belongs to accepting states, otherwise it is labelled as 0. 2. then we label the internal bdd nodes whose successors are already labelled as follows: if the internal node represents the decision on an input variable then its lable is minimum of its successors. Otherwise (representing decision on output or indicatior variable), the internal node is labeled by maximum of its sucessor. 3. step 2 is performed recursively until we get the bdd node corresponding to sources (starting) state labeled with 0 or 1. If bdd node for source state is labelled as 1 then it is inside the winning region based on current labeling of terminal nodes. If bdd node for source state is labelled as 0 then it's not in the winning region and can be removed during construction of MPNC. Similarly the worst case complexity for GenLODC could be calculated as O(N.l.(2 |I∪O∪W | )), where N is the number of states in MPNC, l is the number of soft requirements. This can be derived from the fact that maximum number of states in LODC can be equal to MPNC in case MPNC itself is a deterministic automaton. For each state in LODC we have to compute its locally optimal output, which depends on the number of soft requirements to be computed.
Although in worst case |BDD| can be O(2 |I∪O∪W | ), but in most of the practical examples the size of MTBDD is much smaller, and therefore the tool performs much better that the worst case estimation.
In Section B.1 we give an algorithm for GenLODC to exploit the shared bdd nodes in MTBDD. The results show the considerable improvement over the naive explicit path enumeration based algorithm.
B.1 LODC Optimization
We have also developed an algorithm to efficiently compute the LODC from MPNC. Following section gives the brief overview of algorithm.
Outline of Optimization Algorithm We assume that MPNC is given as a dfa M = (Q, Σ, δ, r) where r is the unique reject state. Σ = 2 (I∪O) is the alphabet and δ : Q × Σ → Q with r being the SINK state. We assume that δ is encoded as multi terminal BDD as in MONA. Being MPNC it is assumed that
Problem Given MPNC M and soft goals a sequence of literals (l 1 , l 2 , . . . , l r ) where l i = o or l i = ¬o for o ∈ O, aim is to construct LODC N by choosing exactly one of permitted outputs which maximizes the value of soft goal list (considered lexicographically ordered). Note that LODC satisfies the condition
We assume that in the bdd representation all O occur after I. The BDD node which is either terminal or labelled by output variable such that all its ancestors are input labelled is called a frontier node. See the example below. In the Figure B .1, bdd nodes marked 0,1,2,3 correspond to variables req1, req2, ack1 and ack2. Nodes marked 2 are the frontier nodes. Note that 4 is the reject state. For the leftmost frontier node marked (2), we can see that ack1 = true as well as ack1 = f alse, ack2 = f alse lead to reject state 4 (these are infeasible paths), where as ack1 = f alse, ack2 = true leads to good state 1. Hence ack1 = f alse, ack2 = true is the unique feasible path. Now consider the second rightmost frontier node marked (2) . It has two feasible paths P 1 = (ack1 = true, ack2 = f alse) going to target state 3 and P 2 = (ack1 = f alse, ack2 = true) going to target state 2.
Step 1 Our algorithm works by assigning to each frontier node N an output valuation, a reward value to each frontier node and the target state. Note that under given soft goal list, an optimal value can be assigned to a frontier node purely by choosing an output path, from all feasible outputs (i.e. outputs which don't end in reject node r), one which maximizes the value of the softgoal list. This path ends in the target state. Example 5. For example, in above figure for the second rightmost frontier node marked (2b) has It has two feasible paths P 1 = (ack1 = true, ack2 = f alse) going to target state 3 and P 2 = (ack1 = f alse, ack2 = true) going to target state 2. Given soft goal (ack1, ack2), path P 1 has higher lexicographic value and must be selected as optimal. Thus, the node can be marked with optoutput = (ack1 = true, ack2 = f alse), optvalue = (1, 0) and optstate = 3.
Step 2 we can systematically enumerate all the paths to frontier nodes (mentioning only source state and the value of variables which occur on the path). It is clear that for any two such paths originating from the same source state the value of at least one of the input variables is different, hence we get distinct cases. (There can be identical input paths starting from different states. see example below.) For each such path, we set the output and next state to the output valuation and target state of the frontier node.
Example 6. For the second rightmost frontier node marked (2-b), we have a unique input path req1 = true, req2 = true which originates from state 1. In conjunction with above above example, we get the scade transition state=1 AND req1 AND req2 -> ack1=true, ack2=true, state=3
For the third leftmost state marked (2-a) there are three input paths with req1 = true, req2 = f alse originating in states either 1,2 or 3.
The psuedocode of our algorithm is given as follows: 
C Case studies
In this section we give few sythesis case studies in our logic formalism. We show the controller synthesis from the logic specification and the effect of soft requirements on the sythesized controller. We also compare the sythesized controllers based on our performance measurement algorithm. Performance parameters therefore gives the quantitative matrics of betterness of one controller over the other and can be used as the formal guarantees for the sythesized controller with respect to the soft requirements.
C.1 MinePump
In this section we present the detailed specification of a minepump controller. We first specify some useful generic properties which would used for requirement specification in case studies.
-lag(P, Q, n): specifies that in any observation interval if P holds continuously for n+1 cycles and persists then Q holds from (n+1) th cycle onwards and persists till P persists. This specification is represented by following formula.
-tracks(P, Q, n): in any observation interval if P is continuously true for n cycles then Q persists as long as P persists or for n cycles whichever is shorter.
{P} <=n= {Q}
-sep(P, n): any interval which begins with a falling edge of P and ends with a rising edge of P then the length of the interval should be at least n cycles.
-ubound(P, n): in any observation interval P can be continuously true for at most n cycles.
[
]([[P]] => slen < n)
Case Study Description: Imagine a minepump which keeps the water level in a mine under control for the safety of miners. The pump is driven by a controller which can switch it on and off. Mines are prone to methane leakage trapped underground which is highly flammable. So as a safety measure if a methane leakage is detected the controller is not allowed to switch on the pump under no circumstances. The controller has two input sensors -HH2O which becomes 1 when water level is high, and HCH4 which is 1 when there is a methane leakage; and can generate two output signals -ALARM which is set to 1 to sound/persist the alarm, and PUMPON which is set to 1 to switch on the pump. The objective of the controller is to safely operate the pump and the alarm in such a way that the water level is never dangerous, indicated by the indicator variable DH2O, whenever certain assumptions hold. We have the following assumptions on the mine and the pump.
-Sensor reliability assumption: ppref (DH2O ⇒ HH2O) where ppref (D) = ¬((¬D)^ext). If HH2O is false then so is DH2O. -Water seepage assumptions: tracks(HH2O, DH2O, w). The minimum no. of cycles for water level to become dangerous once it becomes high is w. -Pump capacity assumption: lags(P U M P ON, !HH2O, epsilon). If pump is switched on for at least epsilon + 1 cycles then water level will not be high after epsilon cycles. -Methane release assumptions: sep(HCH4, zeta) and ubound(HCH4, kappa). The minimum separation between the two leaks of methane is zeta cycles and the methane leak cannot persist for more than kappa cycles. -Initial condition assumption: init(<!HH2O> && <!HCH4>, slen = 0). Initially neither the water level is high nor there is a methane leakage.
The commitments are:
-Alarm control: lags(HH2O, ALARM, delta) and lags(HCH4, ALARM, delta) and lags(!HH2O && !HCH4, !ALARM, delta). If the water level is dangerous then alarm will be high after delta cycles and if there is a methane leakage then alarm will be high after delta cycles. If neither the water level is dangerous nor there is a methane leakage then alarm should be off after delta cycle. -Safety condition: ppref (!DH2O && (HCH4 ⇒!P U M P ON )). The water level should never become dangerous and whenever there is a methane leakage pump should be off.
We can automatically synthesize a controller for the values say w = 8, epsilon = 2, zeta = 10, kappa = 1, and delta = 1. The complete textual DCSynth specification of minepump is given is figure 14.
Soft goals and Performance measurement We could also synthesize the minepump controllers with each one of the following as a soft requirement giving three different controllers. (Note that these requirements are mutually contradictory. So they are not given together.) -MPV1: Keep the pump switched on whenever possible (specified by soft requirement P U M P ON ). -MPV2: Keep pump off if there is a methane leak in last 2 cycles otherwise switch on the pump (specified by soft requirement (CH4 Last2Cyc => !P U M P ON ), where CH4 Last2Cyc indicates that there was a methane leak within last 2 cycles). -MPV3: Keep pump off as much as possible i. e. delay the switching on the pump as much as possible (specified by soft requirement !P U M P ON ).
We have measured the performance of the three synthesized controllers each, taking into account one soft requirement at a time. The performance is measured in terms the maximum amount of time (in cycles) for which the water level can remain high without violating the assumptions and the detailed results are tabulated in Table. 5.
Simulation of Synthesized Minepump Controllers
The controllers are encoded as Lustre specification and Lustre V4 tools are used for simulation. The example simulation for these three variants of Minepump is shown in figures 11, 12 and 13 respectively.
D Experimental results and Performance Evaluation
This section is divided into two subsections. One deals with the performance of the tools and its comparision with the other state of the art tools. The implementation of tool DCSYNTH is based on the algorithms presented in Section B. The second section deals with the performance evaluation of synthesized controller. This allows the comparision of controllers produced for the same hard requirement with different soft-requirements based on user defined performance measure specified as maxlen of a QDDC formula. Table 6 shows how DCSynth fares against Acacia+, which is a leading tool for synthesis of controllers from temporal logic specification. Acacia+ can handle LTL and PSL specification as well as quantitative synthesis with mean payoff objectives. In contrast, our tool can only handle past time temporal properties but it can handle soft requirements which other tools like Acacia+ cannot. Table 6 compares the performance of DCSYNTH against Acacia+ for examples with only hard safety requirements. It is noteworthy that controllers for complex specifications such as M IN EP U M P could be synthesized with DCSYNTH. Table 1 gives the results of synthesis using DCSYNTH for specifications which include soft requirements.
In the table 6 the example Arb tok (n) indicates the n cell arbiter, with a token circulating between them. Apart from the three invariant specifications (ARBINV) for the arbiter given in section 2 it specifies the requirement that if a cell has the request line true and it also has the token then it would surely get an acknowledgment. The specification also says that the initially token is with cell 0, in next cycle token is owned by cell 1, then 2 and so on till it reaches the last cell. At this time the token comes back to cell 0.
Similarly MP indicates the minepump example without soft requirement specification as given in section C.1. 
