Specification and Reactive Synthesis of Robust Controllers by Pandya, Paritosh K. & Wakankar, Amol
Specification and Reactive Synthesis of Robust
Controllers
Paritosh K. Pandya1 and Amol Wakankar2
1 Tata Institute of Fundamental Research, Mumbai 400005, India.
pandya@tifr.res.in
2 Homi Bhabha National Institute, Mumbai 400094, India.
amolk@barc.gov.in
Abstract. This paper investigates the synthesis of robust controllers
from logical specification of regular properties given in an interval tempo-
ral logic QDDC. Our specification encompasses both hard robustness and
soft robustness. Here, hard robustness guarantees invariance of commit-
ment under user specified relaxed (weakened) assumptions. A systematic
framework for logically specifying the assumption weakening by means of
a formula, called Robustness criterion, is presented. The soft robustness
pertains to the ability of the controller to maintain the commitment for
as many inputs as possible, irrespective of any assumption. We present a
uniform method for the synthesis of a robust controller which guarantees
the specified hard robustness and it optimizes the specified soft robust-
ness. The method is implemented using a tool DCSynth, which provides
soft requirement optimized controller synthesis. Through the case study
of a synchronous bus arbiter, we experimentally show the impact of hard
robustness criteria as well as soft robustness on the ability of the synthe-
sized controllers to meet the commitment “as much as possible”. Both,
the worst-case and the expected case behaviors are analyzed.
1 Introduction
In this paper we consider automatic synthesis of robust controllers from regular
specification given using an interval temporal logic QDDC (Quantified Discrete
Duration Calculus) [13]. A regular property D conceptually specifies a deter-
ministic finite automaton A(D) over finite words. The property holds at a point
in behavior if the past of the point is accepted by A(D). Such properties hold
intermittently in the behaviour. QDDC is a highly succinct and powerful logic
for specifying regular properties [11]. Formally, QDDC has the expressive power
of regular languages.
A controller specification consists of a pair of QDDC formulas (DA, DC)
giving the specification of assumption and commitment, respectively. A stan-
dard correctness criterion, termed BeCorrect [3], mandates that in all the be-
haviour of the synthesized controller, the commitment DC should hold invari-
antly provided the assumption DA holds invariantly. This can be denoted as
(pref (DA)⇒ pref (DC )). Here pref (D) holds at a point in behaviour if the reg-
ular property D has been invariantly true in the past.
ar
X
iv
:1
90
5.
11
15
7v
1 
 [c
s.L
O]
  2
7 M
ay
 20
19
Robustness pertains to the ability of DC holding even when DA does not
hold invariantly in the past [3]. A relaxed assumption Rb(DA) specifies weaker
condition than pref (DA) and a robust specification can be given by the for-
mula (Rb(DA)⇒ DC ) that should be satisfied invariantly. Thus, DC should
hold whenever the relaxed assumption Rb(DA) holds. We term this as hard ro-
bustness. For example, given integer parameters k and b, the relaxed assump-
tion LenCntInt(DA, k, b) holds at a point i if the assumption DA is violated
at most k times in the interval [i − (b + 1), i] spanning b previous cycles from
the current point i. The controller synthesized under the relaxed assumption
LenCntInt(DA, k, b) would be more robust as it will tolerate upto k assumption
violations in recent past.
As a complementary notion of robustness, we propose soft robustness,
which pertains to the ability of a controller to meet DC even when the relaxed
assumption Rb(DA) does not hold. The controller synthesis technique should
try to satisfy DC “as much as possible” irrespective of the assumption [4]. Note
that soft robustness is a global optimization problem [1]. For example, the com-
mitment DC may be such that satisfying DC at a current point may prevent it
from holding at most points in future. Hence the controller must choose not to
satisfy it at the current point.
We structure the formulation of relaxed assumption Rb(DA) (used to provide
hard robustness) as a pair (Rb(A), DA) where DA is the concrete assumption for-
mulated by the user. Robustness criterion Rb(A), which is a QDDC formula
over a fresh proposition A, specifies a generic method of relaxing any assump-
tion DA. A notion of cascade composition Rb(A)  Ind(DA, A) (formalized
in this paper using logic QDDC), gives us the desired relaxed assumption for-
mula Rb(DA). We develop a theory of robustness criteria and its impact on the
robustness of resulting controllers by defining dominance relation between them.
We show that logic QDDC can be used to conveniently and systematically
formulate a wide variety of robustness criteria Rb(A). The interval logic modal-
ities, bounded counting constraints and second order quantification features of
logic QDDC are particularly helpful in the formulation of various robustness
criteria. We provide a list of several useful robustness criteria, spanning some
existing as well as novel notions.
Thus, we have a logic based specification of hard robustness. We can or-
der these robustness criterion by their weakness (in logical implication order).
We show that a weaker robustness criterion specifies a more robust controller.
Hence, to get improved hard robustness, the designer must relax the concrete
assumption DA with the weakest robustness criterion for which the controller
remains realizable. We will illustrate this design aspect in our case studies.
Using the framework of soft requirement guided synthesis implemented in a
tool DCSynth [18], we give a method to synthesize robust controller which guar-
antees the hard robustness and it optimizes the soft robustness. Tool DCSynth
uses techniques from optimal control of Markov Decision Processes [1, 14] for
optimizing the expected value of soft robustness.
We show the impact of hard and soft robustness on the ability of the syn-
thesized controller to maintain the desired commitment DC for as many inputs
as possible. We give the case studies of a Synchronous bus arbiter (and a Mine
pump controller specification in Appendix B). Our experiments show that soft
robustness greatly improves the expected value of the commitment holding on
random independent and identically distributed (iid) inputs. Moreover, hard ro-
bustness gives the worst case guarantees on meeting the commitments. Indeed
we get multiple controllers with the same expected value of the commitment
DC over random (iid) inputs. But these controllers satisfy DC for incomparable
sets of inputs (under the subset ordering). These controllers guarantee DC under
diverse relaxed assumptions, thus providing distinct hard guarantees. Thus, our
synthesis technique, combining the hard and the soft robustness, seems useful.
The rest of the paper is arranged as follows. Section 2 describes syntax and
semantics of the Logic QDDC and the necessary definitions for robust controller
synthesis. Section 3 gives the syntax of DCSynth specification and brief outline
of synthesis method. Section 4 introduces the theory of robust specifications and
its controller synthesis. Section 5 describes Arbiter case study and the corre-
sponding experimental results. In Section 6, we conclude the paper with major
contribution and related work.
2 Quantified Discrete Duration Calculus (QDDC) Logic
Let PV be a finite non-empty set of propositional variables. Let σ a non-empty
finite word over the alphabet 2PV . It has the form σ = P0 · · ·Pn where Pi ⊆ PV
for each i ∈ {0, . . . , n}. Let len(σ) = n + 1, dom(σ) = {0, . . . , n}, σ[i, j] =
Pi · · ·Pj and σ[i] = Pi.
The syntax of a propositional formula over variables PV is given by:
ϕ := false | true | p ∈ PV | !ϕ | ϕ && ϕ | ϕ || ϕ
with &&, ||, ! denoting conjunction, dis-junction and negation, respectively. Op-
erators such as ⇒ and ⇔ are defined as usual. Let Ω(PV ) be the set of all
propositional formulas over variables PV . Let i ∈ dom(σ). Then the satisfaction
of propositional formula ϕ at point i, denoted σ, i |= ϕ is defined as usual and
omitted here for brevity.
The syntax of a QDDC formula over variables PV is given by:
D := 〈ϕ〉 | [ϕ] | [[ϕ]] | D ^ D | !D | D || D | D && D
ex p. D | all p. D | slen ./ c | scount ϕ ./ c | sdur ϕ ./ c
where ϕ ∈ Ω(PV ), p ∈ PV , c ∈ N and ./∈ {<,≤,=,≥, >}.
An interval over a word σ is of the form [b, e] where b, e ∈ dom(σ) and
b ≤ e. Let Intv(σ) be the set of all intervals over σ. Let σ be a word over 2PV
and let [b, e] ∈ Intv(σ) be an interval. Then the satisfaction relation of a QDDC
formula D over Σ and interval [b, e] written as σ, [b, e] |= D, is defined inductively
as follows:
σ, [b, e] |= 〈ϕ〉 iff b = e and σ, b |= ϕ,
σ, [b, e] |= [ϕ] iff b < e and ∀b ≤ i < e : σ, i |= ϕ,
σ, [b, e] |= [[ϕ]] iff ∀b ≤ i ≤ e : σ, i |= ϕ,
σ, [b, e] |= {{ϕ}} iff e = b+ 1 and σ, b |= ϕ,
σ, [b, e] |= D1^D2 iff ∃b ≤ i ≤ e : σ, [b, i] |= D1 and σ, [i, e] |= D2,
with Boolean combinations !D, D1 || D2 and D1 && D2 defined in the expected
way. We call word σ′ a p-variant, p ∈ PV , of a word σ if ∀i ∈ dom(σ),∀q 6= p :
q ∈ σ′[i]⇔ q ∈ σ[i]. Then σ, [b, e] |= ex p. D ⇔ σ′, [b, e] |= D for some p-variant
σ′ of σ and (all p. D)⇔ (!ex p. !D).
Entities slen , scount and sdur are called terms. The term slen gives the
length of the interval in which it is measured, scount ϕ where ϕ ∈ Ω(PV ),
counts the number of positions including the last point in the interval under
consideration where ϕ holds, and sdur ϕ gives the number of positions exclud-
ing the last point in the interval where ϕ holds. Formally, for ϕ ∈ Ω(PV )
we have slen(σ, [b, e]) = e − b, scount(σ, ϕ, [b, e]) = ∑i=ei=b {1, if σ, i |= ϕ,0, otherwise.
}
and
sdur(σ, ϕ, [b, e]) =
∑i=e−1
i=b
{
1, if σ, i |= ϕ,
0, otherwise.
}
We also define the following derived constructs: pt = 〈true〉, ext =!pt, 〈〉D =
true^D^true, []D = (!〈〉!D) and pref(D) =!((!D)^true). Thus, σ, [b, e] |= []D
iff σ, [b′, e′] |= D for all sub-intervals b ≤ b′ ≤ e′ ≤ e and σ, [b, e] |= pref (D) iff
σ, [b, e′] |= D for all prefix intervals b ≤ e′ ≤ e.
Finally, we define σ, i |= D iff σ, [0, i] |= D, and σ |= D iff σ, [0, len(σ)−1] |= D
and L(D) = {σ | σ |= D}, the set of behaviours accepted by D. Let D be valid,
denoted |=dc D, iff L(D) = (2PV )+.
Theorem 1. [13] For every formula D over variables PV we can construct
a Deterministic Finite Automaton (DFA) A(D) over alphabet 2PV such that
L(A(D)) = L(D). We call A(D) a formula automaton for D or the monitor
automaton for D. uunionsq
A tool DCVALID implements this formula automaton construction in an efficient
manner by internally using the tool MONA [8]. It gives minimal, deterministic
automaton (DFA) for the formula D. We omit the details here. However, the
reader may refer to several papers on QDDC for detailed description and exam-
ples of QDDC specifications as well as its model checking tool DCVALID [11–13].
2.1 Supervisors and Controllers
Now we consider QDDC formulas and automata where variables PV = I∪O are
partitioned into disjoint sets of input variables I and output variablesO. We show
how Mealy machines can be represented as special form of Deterministic finite
automata (DFA). Supervisors and controllers are Mealy machines with special
properties. This representation allows us to use the MONA DFA library [8] to
efficiently compute supervisors and controllers in our tool DCSynth.
Definition 1 (Output-nondeterministic Mealy Machines). A total and
Deterministic Finite Automaton (DFA) over input-output alphabet Σ = 2I × 2O
is a tuple A = (Q,Σ, s, δ, F ), as usual, with δ : Q× 2I × 2O → Q. An output-
nondeterministic Mealy machine is a DFA with a unique reject (or non-
final) state r which is a sink state i.e. F = Q − {r} and δ(r, i, o) = r for all
i ∈ 2I , o ∈ 2O. uunionsq
Intuition is that the transitions from q ∈ F to r are forbidden (and kept
only for making the DFA total). Language of any such Mealy machine is prefix-
closed. Recall that for a Mealy machine, F = Q − {r}. A Mealy machine is
deterministic if ∀s ∈ F , ∀i ∈ 2I , ∃ at most one o ∈ 2O s.t. δ(s, i, o) 6= r.
An output-nondeterministic Mealy machine is called non-blocking if ∀s ∈ F ,
∀i ∈ 2I ∃o ∈ 2I s.t. δ(s, i, o) ∈ F . It follows that for all input sequences a non-
blocking Mealy machine can produce one or more output sequence without ever
getting into the reject state.
For a Mealy machineM over variables (I,O), its language L(M) ⊆ (2I×2O)∗.
A word σ ∈ L(M) can also be represented as pair (ii, oo) ∈ ((2I)∗, (2O)∗) such
that σ[k] = ii[k] ∪ oo[k],∀k ∈ dom(σ). Here σ, ii, oo must have the same length.
We will not distinguish between σ and (ii, oo) in the rest of the paper. Also, for
any input sequence ii ∈ (2I)∗, we will define M [ii] = {oo | (ii, oo) ∈ L(M)}.
Definition 2 (Controllers and Supervisors). An output-nondeterministic
Mealy machine which is non-blocking is called a supervisor. An deterministic
supervisor is called a controller. uunionsq
The non-deterministic choice of outputs in a supervisor denotes unresolved de-
cision. The determinism ordering below allows supervisors to be refined into
controllers.
Definition 3 (Determinism Order and Sub-supervisor). Given two su-
pervisors Sup1, Sup2 we say that Sup2 is more deterministic than Sup1, denoted
Sup1 ≤det Sup2, iff L(Sup2) ⊆ L(Sup1). We call Sup2 to be a sub-supervisor
of Sup1. uunionsq
Note that being supervisors, they are both non-blocking, and hence ∅ ⊂ Sup2[ii] ⊆
Sup1[ii] for any ii ∈ (2I)∗. The supervisor Sup2 may make use of additional
memory for resolving and pruning the non-determinism in Sup1.
Definition 4 (Must Dominance). Given a supervisor Sup and a QDDC for-
mula D, both over input-output alphabet (I,O), let the set of must-satisfying in-
puts MustInp(Sup,D) = {ii ∈ (2I)+ | ∀oo. ((ii, oo) ∈ L(Sup) ⇒ (ii, oo) |=dc
D)}. Given two supervisors Sup1, Sup2 and a QDDC formula D, we say that
Sup2 must dominates Sup1 w.r.t. D, denoted by Sup1 ≤Dmust Sup2, iff
MustInp(Sup1, D) ⊆ MustInp(Sup2, D). uunionsq
The following proposition states that any arbitrary resolution of non-determinism
in supervisors preserves the must-guarantees.
Proposition 1. Sup1 ≤det Sup2 implies that Sup1 ≤Dmust Sup2 for any D ∈
QDDC. uunionsq
For technical convenience, we define a notion of indicator variable for a
QDDC formula (regular property). The idea is that the indicator variable w wit-
nesses the truth of a formula D at any point in execution. Thus, Ind(D,w) =
pref(EP (w) ⇔ D). Here, EP(w) = (true^〈w〉), i.e. EP (w) holds at a point if
variable w is true at that point. Hence, w will be true exactly on those points
where D is true. These indicator variables can be used as auxiliary propositions
in another formula using the notion of cascade composition  defined below.
Definition 5 (Cascade Composition). Let D1, . . . , Dk be QDDC formulas
over input-output variables (I,O) and let W = {w1, . . . , wk} be the corresponding
set of fresh indicator variables i.e. (I ∪ O) ∩W = ∅. Let D be a formula over
variables (I∪O∪W ). Then, the cascade composition and its equivalent QDDC
formula are as follows:
D  〈Ind(D1, w1), . . . , Ind(Dk, wk)〉 = D ∧
∧
1≤i≤k
pref(EP (wi)⇔ Di)
This composition gives a formula over input-output variables (I,O ∪W ). uunionsq
Cascade composition provides a useful ability to modularize a formula using aux-
iliary propositions W which witness regular properties given as QDDC formulas.
Example 1. Let Rb(A) = (scount !A <= 3) which holds at a point provided
the proposition A is false at most 3 times in entire past. Let formula D’ =
true^<!req>^(slen=1) || true^<ack> which holds at a point provided ei-
ther the current point satisfies ack or the previous point does not satisfy req.
Then, Rb(A)  Ind(D’,A) is equivalent to the formula (scount !A <=3) &&
pref(EP(A) <=> D’). This states that at each point, A holds provided D’ holds,
and the whole formula holds provided count of !A in past is at-most 3. Thus the
whole formula holds provided D’ is false at most 3 times in the entire past. uunionsq
3 DCSynth Specification and Controller Synthesis
This section gives a brief overview of the soft requirement guided controller
synthesis method from QDDC formulas. More details can be found in the original
paper [18]. The method is implemented in a tool DCSynth. This method and
the tool will be used for robust controller synthesis in the subsequent sections.
Definition 6. A supervisor Sup realizes invariance of QDDC formula D over
variables (I,O), denoted as Sup realizes inv D, provided L(Sup) ⊆ L(D). Re-
call that, by the definition of supervisors, Sup must be non-blocking. The super-
visor Sup is called maximally permissive provided for any supervisor Sup′
such that (Sup′ realizes inv D) we have Sup ≤det Sup′. Thus, no other supervi-
sor with larger languages realizes the invariance of D. This Sup is unique upto
language equivalence of automata, and the minimum state maximally permissive
supervisor is denoted MPS(D). uunionsq
A well-known greatest fixed point algorithm for safety synthesis over A(D) gives
us MPS(D) if it is realizable. We omit the details here (see [18]).
Proposition 2 (MPS Monotonicity). Given QDDC formulas D1 and D2
over variables (I,O) such that |=dc (D1 ⇒ D2), we have:
– MPS(D2) ≤det MPS(D1), and
– If MPS(D1) is realizable then MPS(D2) is also realizable. uunionsq
A DCSynth specification is a tuple (I,O,Dh, Ds) where I and O are the
set of input and output variables, respectively. Formula Dh, called the hard re-
quirement, and formula Ds, called the soft requirement, are QDDC formulas over
the set of propositions PV = I ∪ O. The objective in DCSynth is to synthesize
a deterministic controller which (a) invariantly satisfies the hard requirement
Dh, and (b) optimally satisfies Ds for as many inputs as possible.
The DCSynth specification (I,O,Dh, Ds) is said to be realizable iffMPS(Dh)
is realizable (i.e. it exist). The synthesis method first computes MPS(Dh). In
the next step a sub-supervisor of MPS(Dh) which satisfies Ds for “as many in-
puts as possible” is computed. This is formalized using a notion of H-optimality
w.r.t. the soft requirement Ds. Let H be a natural number called horizon. We
construct a sub-supervisor of MPS(Ds) by pruning non-deterministic choice of
outputs by retaining only the outputs which give the highest expected count of
(intermittent) occurrence of Ds over the next H steps of execution. This count is
averaged over all input sequences of length H. A well known value-iteration al-
gorithm due to Bellman [1], adapted from optimal strategy synthesis for Markov
Decision Processes, gives us the required sub-supervisor. Book [14] gives a proof
of H-optimality of the value iteration algorithm and resulting supervisor. This
construction is implemented in our tool DCSynth. See [18] for details of the algo-
rithm and its symbolic BDD based implementation. The resulting sub-supervisor
is denoted by MPHOS(Dh, Ds, H). As MPHOS is obtained by pruning non-
deterministic outputs in MPS, we have the following proposition [18].
Proposition 3. MPS(Dh) ≤det MPHOS(Dh, Ds, H) uunionsq
Using Proposition 1, this shows that MPHOS retains all the must-guarantees
of MPS(Dh). Hence, MPHOS(Dh, Ds, H) invariantly satisfies Dh and by con-
struction it is H-optimal w.r.t Ds. Note that MPHOS(Dh, Ds, H) itself can
be non-deterministic as from a state and on a given input there may be more
than one choice of H-optimal output. All of these optimal choices are retained
in MPHOS, giving the maximally permissive H-optimal sub-supervisor of
MPS(Dh) w.r.t. Ds. Any controller obtained by arbitrarily resolving the non-
determinism in MPHOS(Dh, Ds, H) is also H-optimal. In tool DCSynth, we
allow users to specify a preference ordering Ord on the set of outputs 2O. Any su-
pervisor Sup can be determinized by retaining only the highest ordered output
amongst those permitted by Sup. This is denoted DetOrd(Sup). In tool DC-
Synth, the output ordering is specified by giving a lexicographically ordered list
of output variable literals. This facility is used to determinizeMPHOS(Dh, Ds, H)
and MPS(Dh) supervisors as required.
Example 2. For a supervisor Sup over variables (I, {o1, o2}), an output ordering
can be given as list (o1 > !o2), Then, the determinization step will select the
highest allowed output in from (o1 = true, o2 = false), (o1 = true, o2 = true),
(o1 = false, o2 = false), (o1 = false, o2 = true) in that order. This choice is
made for each state and each input. uunionsq
In summary, given a DCSynth specification (I,O,Dh, Ds), a horizon valueH and
a preference ordering ord on outputs 2O, the tool DCSynth outputs maximally
permissive supervisors MPS(Dh) and MPHOS(Dh, Ds, H) as well as deter-
ministic controllers DetOrd(MPS(D
h)) and Detord(MPHOS(D
h, Ds, H)).
4 Specification and Synthesis of robust controllers
This section introduces the notion of robustness and controller synthesis from
Robust Specification. The reader is urged to re-look at the explanation and moti-
vation for robust specification given in the Introduction section 1. We define the
Robust specification as a triple (DA, DC , Rb(A)), where the QDDC formulas
DA and DC specify regular properties over input-output alphabet (I,O) rep-
resenting the assumption and the commitment. Moreover, Rb(A) is a formula
over an indicator variable A. Formula Rb(A) is called a Robustness criterion.
It specifies a generic method for relaxing any arbitrary assumption formula DA.
Given a robustness criterion Rb(A) and concrete assumption formula DA, we
make use of the cascade composition (see Definition 5) to get the relaxed assump-
tion under which the commitment must hold. The desired relaxed assumption is
given by
Rb(A) Ind(DA, A)
which results in a QDDC formula over the input-output variables (I,O ∪ {A}).
See Example 1.
The Robust specification (DA, DC , Rb(A)) gives us the DCSynth specification
below, which is denoted by RbSpec(DA, DC , Rb(A)).
(I, (O ∪ {A}), ((Rb(A) Ind(DA, A)) ⇒ DC), DC) (1)
The hard requirement states that the commitment DC must hold whenever the
relaxed assumption Rb(A) Ind(DA, A) holds. Moreover, it specifies DC as the
soft-requirement. The controller must be optimized so that the soft requirement
holds for as many inputs as possible, irrespective of the assumption.
4.1 Synthesis from Robust Specification
The robust controller synthesis method supported by tool DCSynth is as follows.
– The user provides the Robust specification (DA, DC , Rb(A)). The user also
provides a horizon value H.
– The corresponding DCSynth specification is automatically obtained as out-
lined in Equation 1. The tool DCSynth is used to obtain MPS and MPHOS
supervisors as described in Section 3. These supervisors are denoted as
MPS(DA, DC , Rb(A)) and MPHOS(DA, DC , Rb(A), H) respectively. Both
these supervisors may be output non-deterministic. The reader should re-
call that the MPS supervisor only guarantees the hard-robustness, whereas
the MPHOS supervisor further improves MPS by optimizing the soft-
robustness (while retaining hard-robustness guarantee).
– The user specifies an output order ord as a prioritized list of output literals.
This is used to get the deterministic controllersDetord(MPS(DA, DC , Rb(A)))
and Detord(MPHOS(DA, DC , Rb(A), H)), respectively.
4.2 Designing and Comparing Robustness Criteria
A key element of our robust specification (DA, DC , Rb(A)) is the robustness
criterion Rb(A). It provides a generic method of relaxing the assumption DA. In
this section we study how to compare two robustness criteria. We also formulate
some methods for systematic design of robustness criteria.
Given robustness criteria Rb1(A) and Rb2(A), we say that Rb1(A) implies
Rb2 provided |=dc Rb1(A)⇒ Rb2(A). This gives us the implication ordering
on robustness criteria. The following theorem shows that implication ordering
improves the worst case guarantee of DC holding but it makes supervisors less
realizable.
Theorem 2. Let |=dc Rb1(A)⇒ Rb2(A). Then for all QDDC formulas DA, DC ,
we have
(a) MPS(DA, DC , Rb
1(A)) ≤DCmust MPS(DA, DC , Rb2(A)).
(b) If the specification (DA, DC , Rb
2(A)) is realizable then the specification
(DA, DC , Rb
1(A)) is also realizable.
Proof. For 1 ≤ i ≤ 2, we have MPS(DA, DC , Rbi(A)) equals MPS(φi) where
φi = ((Rb
i(A) ∧ pref(EP (A)⇔ DA))⇒ DC). Now, as |=dc Rb1(A)⇒ Rb2(A),
we have |=dc (Rb2(A)⇒ DC) ⇒ (Rb1(A)⇒ DC) and hence |=dc ((Rb2(A) ∧
D) ⇒ DC) ⇒ ((Rb1(A) ∧ D) ⇒ DC) for any formula D. Thus |=dc φ2 ⇒
φ1. Then, by Proposition 2, we have MPS(φ1) ≤det MPS(φ2). From this, by
applying proposition 1, we get the desired result MPS(φ1) ≤DCmust MPS(φ2).
We also get (b). uunionsq
Error-Types: Defining Intervals with Assumption Errors. Let proposi-
tion A designate points in behaviour where assumption is satisfied. In terms of
this, we define Erroneous intervals by giving Error-type formulas. For examples,
intervals with at least three violations of A can be given by (scount !A >=3).
– Intervals where A does not hold at the end-point.
LocalErr(A) = (true^<!A>)
– Intervals having more that k assumption violations (!A).
CountErr(A,k) = (scount !A > k).
– Burst error interval is an interval where the assumption proposition A re-
mains false invariantly. So, the intervals where there is burst error of length
more than k is given by the formula BurstErr(A,k) = ([[!A]] && slen >= k).
The intervals containing a subinterval with BurstError(A,k) are given by
HasBurstErr(A,k) = (<>(BurstErr(A,k))).
– We define an interval to be a recovery interval, if A is invariantly true in
that interval. Its length is called recovery period. Intervals where all recovery
periods are of length less than b is denoted by
HasNoRecovery(A,b) = ([]([[A]] => slen < b-1))
Given an error-type formula Err (one of the above items), we define recovery
error as the intervals having underlying error Err, but without a recovery
interval of length b.
RecoveryErr(b,Err) = (Err && HasNoRecovery(A,b))
Each formula in the above list is called an Error-type formula.
Proposition 4. For all Error-type formulas Err,Err1 and Err2 we have
(a) |=dc BurstErr(A, k)⇒ HasBurstErr(A, k)
(b) |=dc HasBurstErr(A, k)⇒ CountErr(A, k)
(c) If j < k then |=dc CountErr(A, k)⇒ CountErr(A, j ) and
|=dc HasBurstErr(A, k)⇒ HasBurstErr(A, j )
(d) |=dc RecoveryErr(b,Err)⇒ Err
(e) If |=dc Err1 ⇒ Err2 then
|=dc RecoveryErr(b,Err1 )⇒ RecoveryErr(b,Err2 )
Proof. These implications hold straightforwardly using the QDDC semantics.
For example, RecoveryErr(b,Err) = HasNoRecovery(A, b) && Err (by defini-
tion). This logically implies Err giving us (d). We omit the remaining proofs. uunionsq
Error-Scope: Restricting the Occurrence of Errorneous Intervals Let
Err be any of the Error-type formulas giving erroneous intervals. We now specify
the restrictions on occurrence of these errors by suitable QDDC formulas. These
are called Error-scope formulas. They are parameterized by Err.
– The error never occurs in past for any interval.
NeverInPast(Err) = !<>Err.
– Error does not occur in any suffix interval.
NeverInSuffix(Err) = !(true^Err)
– Error does not occur in past in any interval of b or less cycles.
NeverInPastLen(b,Err) = !<>(slen <= b-1 && Err)
– Error does not occur in an interval spanning last b or less cycles.
NeverInSuffixLen(b,Err) = !(true^((slen<=b-1) && Err))
Proposition 5. For any Error-type formula Err,Err1 and Err2 we have
(a) |=dc NeverInPast(Err) ⇒ NeverInSuffix (Err)
(b) |=dc NeverInPastLen(b,Err) ⇒ NeverInSuffixLen(b,Err)
(c) |=dc NeverInPast(Err) ⇒ NeverInPastLen(b,Err)
(d) |=dc NeverInSuffix (Err) ⇒ NeverInSuffixLen(b,Err)
(e) For any scope formula SCP (Err) defined above, we have
if |=dc Err1 ⇒ Err2 , then |=dc SCP(Err2 )⇒ SCP(Err1 )
Proof. The proofs of these implications are immediate from definitions using
QDDC semantics. For example, (true^Err) implies (true^Err^true) which equals
〈〉Err by QDDC. Hence, NeverInPast(Err) which equals !〈〉Err implies !(true^Err)
which equals NeverInSuffix (Err). This gives us (a).
As a second example, NeverInPast(Err) = (!〈〉(Err)) (by definition), which
implies !〈〉((slen ≤ (b − 1 )) && Err). This, by definition, equals the formula,
NeverInPastLen(b,Err). Hence we get (c). We omit the remaining proofs. uunionsq
Table 1. Robustness criteria Rb(A) defined using Error-types and Error-Scope formu-
las. There may use additional integer parameters K,B.
Robustness Definition
Criterion of Rb(A)
AssumeFalse(A) (false)
BeCorrect(A) NeverInPast(LocalErr(A))
BeCurrentlyCorrect(A) NeverInSuffix(LocalErr(A))
ResCnt(A,K,B) (NeverInPast(RecoveryErr(B, CountErr(A,K))))
ResCntInt(A,K,B) (NeverInSuffix(RecoveryErr(B, CountErr(A,K))))
ResBurst(A,K,B) (NeverInPast(RecoveryErr(B, HasBurstErr(A,K))))
ResBurstInt(A,K,B) (NeverInSuffix(RecoveryErr(B, HasBurstErr(A,K))))
LenCnt(A,K,B) (NeverInPastLen(B,CountErr(A,K)))
LenCntInt(A,K,B) (NeverInSuffixLen(B,CountErr(A,K)))
LenBurst(A,K,B) (NeverInPastLen(B,HasBurstErr(A,K)))
LenBurstInt(A,K,B) (NeverInSuffixLen(B,HasBurstErr(A,K)))
AssumeTrue(A) (true)
We combine various Error-type formulas with Error-scope formulas (defined
above) to obtain a wide variety of Robustness Criteria. These are tabulated in
Table 1. These provide users with diverse ways of achieving robust specification.
We give a brief intuitive description of some of the defined criteria.
– Criterion BeCorrect(A) holds at a point if !A never occurs in its past. By
contrast BeCurrentlyCorrect(A) holds at a point (irrespective of the past)
if A holds at the point. Thus, the later is implied by the former.
– Criterion LenCntInt(A,K,B) with integer parameters K,B holds at a point
i provided in last B cycles from i, violation !A occurs at most k times. The
past beyond last B cycles does not affect its truth.
– A resilient controller recovers from past errors provided A holds continuously
for B cycles (such an interval is called a recovery interval). The criterion
ResCntInt(A,K,B) holds at a point provided after the last recovery interval
the count of violation of A is at most k.
– A burst error of length K is said to occurs if !A occurs continuously for K
points. Criterion LenBurstInt(A,K,B) holds at point i provided in last B
cycles before i there is no burst error of length K.
The robustness criteria can be ordered by implication ordering which also
improves the hard robustness of the synthesized controller (See Theorem 2).
Figure 1 gives the implication ordering between the robustness criteria of Table 1.
Hence, in specification (DA, DC , Rb(A)), the user must use the weakest criterion
(under the implication ordering) from the Figure 1 which makes the specification
realizable.
AssumeTrue
LenBurstInt
LenCntInt ResBurstInt
BeCurrentlyCorrect
ResCntInt
ResBurst↔LenBurst
LenCnt
ResCnt
BeCorrect
AssumeFalse
Fig. 1. Implication order on the robustness criteria of Table 1. Here A → B denotes
the validity |=dc A⇒ B.
Theorem 3. All the implications given in Figure 1 are valid.
Proof. The proofs of these implications follow easily from the definitions of the
robustness criteria by using propositions 4 and 5. As an example, we prove that
|=dc BeCorrect(A)⇒ BeCurrentlyCorrect(A).
Formula BeCorrect(A) equals (by definition) NeverInPast(LocalErr(A)), which
by Proposition 5(a) implies NeverInSuffix (LocalErr(A)) which by definition equals
BeCurrentlyCorrect(A), thus proving the claim.
As a second example, we prove that |=dc ResCntInt(A) ⇒ ResBurstInt(A).
We have |=dc HasBurstErr(A, k) ⇒ CountErr(A, k) by Proposition 4(b). Thus,
|=dc RecoveryErr(b,HasBurstErr(A, k)) ⇒ RecoveryErr(b,CountErr(A, k)) by
Prop 4(e). Then, using Prop. 5(e) and instantiating SCP by NeverInSuffix , we
get |=dc NeverInSuffix (RecoveryErr(b,CountErr(A, k))) ⇒
NeverInSuffix (RecoveryErr(b,HasBurstError(A, k))). This proves the result. We
omit the remaining proofs. uunionsq
5 Case Study: A Synchronous Bus Arbiter
An n-cell synchronous bus arbiter has inputs {reqi} and outputs {acki} where
1 ≤ i ≤ n. In any cycle, a subset of {reqi} is true and the controller must set one
of the corresponding acki to true. The arbiter commitment, ArbCommit(n, k),
is the conjunction of the following four properties.
Mutex(n) = trueˆ〈 ∧i6=j ¬(acki ∧ ackj) 〉
NoLoss(n) = trueˆ〈 (∨ireqi)⇒ (∨jackj) 〉
NoSpurious(n) = trueˆ〈 ∧i (acki ⇒ reqi) 〉
Response(n, k) = (∧1≤i≤n (Resp(reqi, acki, k)) where
Resp(req, ack, k) = trueˆ(([[req]] && (slen = (k − 1))) ⇒
trueˆ(scount ack > 0 && (slen = (k − 1)))
(2)
In QDDC, The formula trueˆ〈P 〉 holds at a point i in execution if the P
holds at that point. Thus, the formula Mutex(n) gives mutual exclusion of ac-
knowledgments; NoLoss(n) states that if there is at least one request then there
must be an acknowledgment; and NoSpurious(n) states that acknowledgment
is only given to a requesting cell. Formula trueˆ(([[req]] && (slen = (k − 1)))
states that in the last k cycles req is invariantly true. Similarly, the formula
trueˆ(scount ack > 0 && (slen = (k − 1))) states that in last k cycles the ack
has been true at least once. Then, the formula Resp(req, ack, k) states that if req
has been continuously true in last k cycles, there must be at least one ack within
last k cycles. So, Response(n, k) says that each cell requesting continuously for
last k cycles must get an acknowledgment within last k cycles.
A controller can invariantly satisfy ArbCommit(n, k) if n ≤ k. Tool DCSynth
gives us a concrete controller for the instance (Dh = ArbCommit(6, 6), Ds =
true). It is easy to see that there is no controller which can invariantly satisfy
ArbCommit(n, k) if k < n. Consider the case when all reqi are continuously
true. Then, it is not possible to give response to every cell in less than n cycles
due to mutual exclusion of reqi.
To handle such desirable but unrealizable requirement we make an assump-
tion. Let the proposition Atmost(n, i) be defined as ∀S ⊆ {1 . . . n}, |S| ≤ i. ∧j /∈S
¬reqj . It states that at most i out of total n requests can be true simulta-
neously. Then, the arbiter assumption is the formula ArbAssume(n, i) =
true^〈Atmost(n, i)〉, which states that Atmost(n, i) holds at the current cycle.
So the specification for the synchronous arbiter is an assumption-commitment
pair (ArbAssume(n, i), ArbCommit(n, k)), which is denoted by Arbiter(n, k, i).
Figure 2 in Appendix A gives the textual syntax for the robust specification
(Arbiter(4, 3, 2)) with BeCurrentlyCorrect(A) criterion in tool DCSynth.
Expected Case Performance We can measure the performance of a synthe-
sized controller Cnt in meeting a regular requirement D by evaluating ED(Cnt),
the expected value of D holding in the behaviours of Cnt in long run under ran-
dom (i.e. iid) inputs [1]. The tool DCSynth allows ED(Cnt) to be computed as
outlined below.
The product Cnt×A(D) of the controller with the deterministic recognizer
A(D) for formula D gives us a deterministic recognizer automaton which is in
a final state precisely on inputs where Cnt satisfies the property D. We can
translate this into a Discrete Time Markov Chain, denoted Munif (Cnt×A(D)),
by assigning uniform discrete probabilities to all the inputs from any state. In
constructing this Markov chain, we have assumed that the inputs are iid, i.e.
they occur independently of the past, and all inputs are equally likely. Standard
techniques from Markov chain analysis allow us to compute the Expected value of
being in accepting states in long runs of Munif (Cnt×A(D)), which also gives us
ED(Cnt). A leading probabilistic model checking tool MRMC implements this
computation [7]. In DCSynth, we provide a facility to compute Munif (Cnt ×
A(D)) in a format accepted by the tool MRMC. Hence, using MRMC, we are
able to compute ED(Cnt) uunionsq
5.1 Experimental Results
The synchronous bus arbiter case study specifies the assumption-commitment
pair (DA, DC) for an Arbiter(n, k, i) consisting of n-cells with response time
requirement of k cycles, under the assumption that at most i requests occur
in each cycle. We denote by detMPS(Arb) and detMPHOS(Arb) the MPS
and the MPHOS for Arbiter(4, 3, 2) determinized under the default output
ordering a1 > a2 > a3 > a4. We use H = 50 in synthesizing the MPHOS.
Controllers were synthesized for various robustness criteria, and their perfor-
mance was measured as the corresponding expected values EDC (detMPS(Arb))
and EDC (detMPHOS(Arb)). Table 2 provides these values under the columns
titled E(Arb−MPS) and E(Arb−MPHOS), respectively.
Similarly, for a case study of a Minepump Controller specification (omitted
here for brevity but it can be found in Appendix B), we synthesized the deter-
minized MPS and MPHOS controllers under the default output PumpOn and
various robustness criteria. We measured the performance of these controllers as
the expected values EDC (detMPS(MP )) and EDC (detMPHOS(MP )). Table
2 provides these values under the columns titled E(MP −MPS) and E(MP −
MPHOS), respectively.
In all the above cases, the tool DCSynth performs efficiently by giving the
required controllers for Arbiter within 1 seconds and for Minepump within 3
seconds. The detailed statistics for each of the example can be found in Appendix
A and B. All these experiments were done on Ubuntu 18.04 system with Intel
i5 64 bit, 2.5 GHz processor and 4 GB memory.
An examination of Table 2 is quite enlightening. We state our main finding.
– In both the case studies, the robustness criterion AssumeTrue leads to unre-
alizable specification whereas all other criteria give realizable specifications.
– In both the case studies, for the MPS controllers, the Expected value of
commitment DC increases with the implication ordering given in Figure 1.
The value ranges from 0 to 83% for the Arbiter and 0 to 99% for the Mine
pump. Thus, the robustness criterion has a major effect on the performance
of the synthesized MPS controller. Also, for many robustness criteria, the
Expected DC value is 0. This happens as these criteria (defined using the
Error-Scope formulas NeverInPast) are non-recoverable – once the criterion
becomes false it remains false in future. Hence, it is desirable to use recov-
erable criteria defined using the Error-scope formulas NeverInSuffix .
– The MPHOS controller which improves the MPS controller by optimiz-
ing the soft requirement DC has an overwhelming impact on the expected
value of DC . In both the case studies, the value is above 99% irrespective of
Table 2. Expected Value of Commitment DC holding in Long Run for Controllers
synthesized under various Robustness Criteria and integer parameters (K,B).
Arbiter(4,3,2) Minepump(8,2,6,2)
Robustness E(ARB− E(ARB− Robustness E(MP− E(MP−
Criterion MPS) MPHOS) Criterion MPS) MPHOS)
AssumeFalse
0.000000
0.998175
AssumeFalse
0.000000
0.997070
BeCorrect BeCorrect
ResCnt(1,3) ResCnt(2,8)
LenCnt(1,3) LenCnt(2,8)
ResBurst(1,3) ResBurst(2,8)
LenBurst(1,3) LenBurst(2,8)
ResCntInt(1,3) 0.544309 ResCntInt(2,8)
0.000966
ResBurstInt(1,3) 0.669069 ResBurstInt(2,8)
LenCntInt(1,3) 0.768066 LenCntInt(2,8) 0.0027342
LenBurstInt(1,3) 0.835205 LenBurstInt(2,8) 0.004514
BeCurrentlyCorrect 0.687500 0.992647 BeCurrentlyCorrect 0.997070
the robustness criterion. Thus, soft-robustness vastly improves the expected
performance of the controller and should be preferred over MPS.
– We often get MPHOS controllers with the same/similar expected value of
DC for several robustness criteria. It should be noted that these are different
controllers providing distinct hard-robustness guarantees. For example, in
the Arbiter(4, 3, 2) case study, the controllers BeCurrentlyCorrect is must-
incomparable with all the others, whereas for Minepump(8, 2, 6, 2), this is
must equivalent but not identical with any of the other other controllers.
Hence, the circumstances (relaxed assumptions) under which they guarantee
DC are quite different. This shows that a combination of the hard and the
soft robustness, as supported by our tool DCSynth, is useful.
– We have also experimented with various default output orderings. Default
values have quite small impact on the expected values of DC in MPHOS.
However, they significantly impact the no. of states in resulting controller.
6 Contributions and Related Work
A robust controller should continue to function (i.e maintain its commitment)
under failure of environmental/plant assumptions. When such failures are tran-
sient, the controller should be able to recover from the failure by reestablishing
the commitment in bounded time [4, 10].
The main contribution of this paper is a logical framework of hard robustness
for specifying and relaxing (weakening) assumptions under which a controller
works. A formula based technique for relaxing any user specified regular as-
sumption is developed. As the experiments show, such weakening has a marked
impact on the Expected value of Commitment. Soft robustness pertains to the
ability of the controller to maintain commitment “as much as possible” irrespec-
tive of any assumption; this is an optimization problem. We have proposed a
method for synthesizing a controller which guarantees the hard robustness, and
it optimizes the soft robustness. With case studies, we have shown the impact
of hard and soft robustness on both the worst case and the expected behaviour
of the controller. These experiments show that the combination of hard and
soft robustness, as proposed here, is beneficial. Logic QDDC, based on Dura-
tion Calculus of Zhou et al [19], provides a very powerful vocabulary for stating
robustness properties.
Several authors have investigated the notion of robustness [4, 6, 10]. Bloem
et al [4] provide a classification of different robustness notions; including the
BeCorrect and BeCurrentlyCorrect criteria. They term our soft robustness
as “Never Give Up” notion. Ehler et al [6] and Bloem [2] address the notion
of resilience; an ability to recover from errors in bounded error-free period. We
have shown that many such notions can be specified in our framework. We also
give a method to compare robustness notions by an implication order and we use
a must dominance order to compare the worst case behaviour of corresponding
supervisors. Moreover, a uniform synthesis method is applied to these defined
notions.
Traditional reactive synthesis has only focused on “correct-by-construction”
from LTL properties. Recent work increasingly considers regular properties (see
Belta et al [17]). Controller Synthesis from regular properties was pioneered by
Ramadge and Wonham [9,15,16]. Ehler et al [5] compares the supervisory control
with the reactive synthesis framework. Here we enhance the Ramadge-Wonham
framework to robustness.
References
1. R. E. Bellman. Dynamic Programming. Princeton Univ. Press, 1957.
2. R. Bloem, B.o¨nighofer, and C. Wang. Shield synthesis: - runtime enforcement for
reactive systems. In TACAS, pages 533–548, 2015.
3. R. Bloem, K. Chatterjee, K. Greimel, T. A. Henzinger, G. Hofferek, B. Jobstmann,
B. Ko¨nighofer, and R. Ko¨nighofer. Synthesizing robust systems. Acta Inf., 51(3-
4):193–220, 2014.
4. R. Bloem, R. Ehlers, S. Jacobs, and R. Ko¨nighofer. How to handle assumptions in
synthesis. In Proceedings 3rd Workshop on Synthesis, SYNT, pages 34–50, 2014.
5. R. Ehlers, S. Lafortune, S. Tripakis, and M. Y. Vardi. Supervisory control and
reactive synthesis: a comparative introduction. Discrete Event Dynamic Systems,
27(2):209–260, Jun 2017.
6. Ru¨diger Ehlers and Ufuk Topcu. Resilience to intermittent assumption violations in
reactive synthesis. In Martin Fra¨nzle and John Lygeros, editors, 17th International
Conference on Hybrid Systems: Computation and Control (part of CPS Week),
HSCC’14, Berlin, Germany, April 15-17, 2014, pages 203–212. ACM, 2014.
7. J. Katoen, I. S. Zapreev, E. M. Hahn, H. Hermanns, and D. N. Jansen. The ins
and outs of the probabilistic model checker mrmc. Performance Evaluation, 2011.
Advances in Quantitative Evaluation of Systems.
8. N. Klarlund and A. Møller. MONA Version 1.4 User Manual, 2001. Notes Series
NS-01-1. Available from http://www.brics.dk/mona. Revision of BRICS NS-98-3.
9. S. Lafortune, K. Rudie, and S. Tripakis. 30 years of the ramadge-wonham theory
of supervisory control: A retrospective and future perspectives. DCD Workshop,
2017.
10. Rupak Majumdar, Elaine Render, and Paulo Tabuada. Robust discrete synthesis
against unspecified disturbances. In Proceedings of the 14th International Con-
ference on Hybrid Systems: Computation and Control, HSCC ’11, pages 211–220,
New York, NY, USA, 2011. ACM.
11. R. M. Matteplackel, P. K. Pandya, and A. Wakankar. Formalizing timing diagram
requirements in discrete duration calulus. In SEFM, pages 253–268, 2017.
12. P. K. Pandya. Model checking CTL*[DC]. In TACAS, pages 559–573, 2001.
13. P. K. Pandya. Specifying and deciding quantified discrete-time duration calculus
formulae using dcvalid. In RTTOOLS (affiliated with CONCUR 2001), 2001.
14. Martin L. Puterman. Markov Decision Processes: Discrete Stochastic Dynamic
Programming. John Wiley & Sons, Inc., New York, NY, USA, 1st edition, 1994.
15. P. Ramadge and W. Wonham. Supervisory control of a class of discrete event
processes. SIAM Journal on Control and Optimization, 25(1):206–230, 1987.
16. Peter J. G. Ramadge and W. Murray Wonham. The Control of Discrete Event
Systems. In In Proceedings of IEEE, volume 77, pages 81–98, 1989.
17. Dogan Ulus and Calin Belta. Reactive control meets runtime verification: A case
study of navigation. CoRR, abs/1902.04024, 2019.
18. Amol Wakankar, Paritosh K. Pandya, and Raj Mohan Matteplackel. DCSYNTH:
A tool for guided reactive synthesis with soft requirements. CoRR, abs/1903.03991,
2019.
19. Chaochen Zhou and Michael Hansen. Duration Calculus A Formal Approach to
Real-Time Systems. Springer, 2004.
A Arbiter DCSynth Specification and Robust controllers
This section gives the DCSynth specification for BeCurrentlyCorrect robust
specification of Arbiter and robust controller synthesis form this specification.
Fig. 2. Arbiter specification in DCSynth
#qsf ”arbiter”
interface{
input r1, r2, r3, r4;
output a1, a2, a3, a4, A,C;
constant n=3;
}
definitions{
// Specification 1: The Acknowlegments shold be exclusive
dc exclusion(){
trueˆ<(a1 =>!(a2 || a3 || a4)) && (a2 =>!(a1 || a3 || a4)) &&
(a3 =>!(a1||a2||a4)) && (a4=>!(a1||a2||a3)))>;
}
dc noloss(){
trueˆ<(r1 || r2 || r3 || r4) =>(a1 || a2 || a3 || a4)>;
}
//If bus access (ack) should be granted only if there is a request
dc nospuriousack(a1, r1){
trueˆ<(a1) =>(r1)>;
}
//n cycle response i.e. slen=n-1
dc response(r1,a1){
trueˆ(slen=n-1 && [[r1]]) =>trueˆ(slen=n-1 && (scount a1 >= 1));
}
dc ArbAssume 4 2(){
trueˆ<(!r1 && !r2 && !r3 && !r4) || (r1 && !r2 && !r3 && !r4) ||
(!r1 && r2 && !r3 && !r4) || (!r1 && !r2 && r3 && !r4) ||
(!r1 && !r2 && !r3 && r4) || (r1 && r2 && !r3 && !r4) ||
(r1 && !r2 && r3 && !r4) || (r1 && !r2 && !r3 && r4) ||
(!r1 && r2 && r3 && !r4) || (!r1 && r2 && !r3 && r4) ||
(!r1 && !r2 && r3 && r4) >;
}
dc guranteeInv(){
exclusion() && noloss(HH2O, HCH4, PUMPON) && nospuriousack(a1,r1) &&
nospuriousack(a2,r2) && nospuriousack(a3,r3) && nospuriousack(a4,r4) &&
nospuriousack(a5,r5);
}
dc guranteeResp(){
response(r1,a1) && response(r2,a2) && response(r3,a3) &&
response(r4,a4) && response(r5,a5);
}
dc ArbCommit 4 3(){
guranteeInv() && guranteeResp() ;
}
}
indefinitions{
A : ArbAssume 4 2();
C : ArbCommit 4 3();
}
hardreq{
useind A, C;
BeCurrentlyCorrect(A) =>EP(C);
}
softreq{
useind C;
(C);
}
Comparison based on Must Dominance This section shows the com-
parison of supervisors MPS and MPHOS for various robust specifications
(DA, DC , Rb(A)), using must dominance measure formulated in definition 4.
As the supervisors are finite state mealy machines and a commitment DC
is a regular property, we can use validity checking of QDDC to check whether
Sup1 ≤DCmust Sup2 for supervisors Sup1 and Sup2. In tool DCSynth, we provide a
facility to decide must-dominance between two supervisors. The tool also gives a
counter example if must dominance fails. Following are the major observations.
– MPS supervisors for Arbiter(4, 3, 2) are found to follow exactly the same
robustness order as given by theoretical result in Figure 1. The ”==” indi-
cates that the supervisors are identical, whereas ”=” indicates that they are
must equivalent but not identical.
– MPHOS supervisors does not have theoretical order. However, it is observed
for Arbiter(4, 3, 2) that MPHOS supervisor for BeCurrentlyCorrect spec-
ification becomes incomparable with all other supervisors. All the other su-
pervisors become identical as shown in Figure 3. We use ”==” to indicate
that the supervisors are identical, whereas ”=” indicates that they are must
equivalent but not identical.
BeCurrentlyCorrect

LenCntInt == LenBurst ==
ResCntInt == ResBurstInt ==
AssumeFalse = BeCorrect == ResCnt ==
LenCnt == ResBurst == LenBurst

Fig. 3. Robustness order for Must Dominance between MPHOS for Arbiter(4, 3, 2).
A.1 Expected Case performance
Expected values of various robust controllers are given in Table 3. It is evident
that expected values of meeting the commitment using hard robustness (given
as MPS in column 2) as well as soft robustness (given as MPHOS in column 4)
are useful and maximize the holding of commitments.
A.2 Tool Performance
In this section we provide the detailed statistics on synthesis of various robust
supervisors/controllers for Arbiter examples. Table 4 provides the details for
Arbiter example. Appendix B (Table 7) provides the Minepump specification
and related dominance and performance study.
The Table 4 provides the number of states and time required to synthe-
size the Monitor Automaton, the corresponding MPS, MPHOS and Controller
Table 3. Expected Values of meeting the commitments for various robust controllers
of Arbiter(4,3,2). The default output order to determinize the supervisor is a1 > a2 >
a3 > a4.
Arbiter(4,3,2) MPS MPHOS
E(C) E(A) E(C) E(A)
AssumeFalse 0.00000 0.687500 0.998175 0.687500
BeCorrect 0.000000 0.687500
0.998175 0.687500
ResCnt(1,3) 0.000000 0.687500
LenCnt(1,3) 0.000000 0.687500
ResBurst(1,3)
0.000000 0.687500
LenBurst(1,3)
ResCntInt(1,3) 0.544309 0.687500
0.998175 0.687500
ResBurstInt(1,3) 0.669069 0.687500
LenCntInt(1,3) 0.7680663 0.687500
0.998175 0.687500
LenBurstInt(1,3) 0.835205 0.687500
BeCurrentlyCorrect 0.687500 0.687500 0.992647 0.687500
(using default value). It is evident that the Monitor construction from QDDC
specification and the bounded horizon computation of MPHOS based on soft re-
quirements takes most of the time. It can also be noted that MPHOS for most of
the robust specifications (e.g. BeCorrect, KBLenCnt, KBLenBurst, KBResCnt,
KBResBurst) having different behaviour in MPS specification becomes identical
for MPHOS specification (See Controller stats in Table 4). This shows the effect
of soft requirements in synthesis of optimal controller.
A.3 Simulation of Robust Controllers
The robust controllers synthesized are encoded as Lustre models. We give the
simulation (on same inputs) traces of Arbiter(4, 3, 2) example using Lustre sim-
ulator. It can be seen how each one of them generator different output trace for
the same inputs.
Fig. 4. Simulation of MPS BeCorrect for Arbiter(4,3,2)
Fig. 5. Simulation of MPS BeCurrentlyCorrect for Arbiter(4,3,2)
Fig. 6. Simulation of MPS LenCntInt for Arbiter(4,3,2)
A.4 Automata synthesized for 2 cell arbiter
Fig. 8 gives the monitor automaton for 2-cell arbiter (See section 5.1) for n-cell
arbiter specification. Each transition is labeled by 4 bit vector giving values of
req1, req2, ack1, ack2.
Fig. 9 gives the MPS automaton for the 2-cell arbiter computed from the
safety monitor automaton of Fig. 8. (There is an additional reject state. All
missing transitions are directed to it. These are omitted from the diagram for
simplicity.) Note that this is a DFA whose transitions are labelled by 4-bit vectors
representing alphabet 2{req1,req2,ack1,ack2}. As defined in Definition 1, the DFA
also denotes an output-nondeterministic Mealy machine with input variables
(req1, req2) and output variables (ack1, ack2). The automaton is nondeterminis-
tic in output as from state 1, on input (1, 1) it can move to state 2 with output
(1, 0), or to state 3 with output (0, 1). The reader can verify that the automaton
is non-blocking and hence a controller.
Fig. 7. Simulation of MPS ResBurstInt for Arbiter(4,3,2)
Fig. 8. Safety Monitor Automaton: 2 Cell Arbiter
In 2-cell arbiter example, with soft requirements 〈ack1, ack2〉 which give ack1
priority over ack2, we obtain the MPHOS controller automaton of Fig. 9(b) from
the MPS of Fig. 9(a). Note that we minimize the automaton at each step.
Fig. 9. Supervisors for Arbhard(2, 2) (a): MPS (b): MPHOS determinized
Table 4. DCSynth Statistics for synthesis of various Robust Arbiter example
Arbiter(4, 3, 2). Parameters Used: Disc Factor = 0.900000, H = 50, Type = Avg-Max,
Delta = 0.000100
Synthesis (States/Time)
Sr Robustness Monitor MPS MPHOS Controller
No Criterion Stats Stats Stats Stats
MPS
AssumeFalse 83/0.085 82/0.001649 1/0.056157 2/0.000066
BeCorrect 125/0.062 91/0.001059 11/0.060316 9/0.001715
BeCurrentlyCorrect 116/0.076 49/0.001497 49/0.020199 8/0.009847
ResCnt(1,3) 333/0.093 143/0.002115 63/0.076879 39/0.018669
ResCntInt(1,3) 390/0.097 194/0.003133 92/0.110108 40/0.044147
ResBurst(1,3) 249/0.096 125/0.002435 45/0.071756 25/0.009753
ResBurstInt(1,3) 291/0.079 167/0.003822 65/0.098957 27/0.024754
LenCnt(1,3) 291/0.097 134/0.002498 54/0.072853 32/0.013871
LenCntInt(1,3) 335/0.085 166/0.005103 101/0.086818 33/0.016391
LenBurst(1,3) 249/0.068 125/0.001902 45/0.067751 25/0.009520
LenBurstInt(1,3) 273/0.066 143/0.002874 78/0.072999 25/0.007139
AssumeTrue Unrealizable
MPHOS
AssumeFalse 83/0.078 82/0.000963 62/0.331783 45/0.007677
BeCorrect 125/0.084 91/0.001706 62/0.345245 45/0.007486
BeCurrentlyCorrect 116/0.060 49/0.001021 44/0.161940 30/0.004811
ResCnt(1,3) 333/0.085 143/0.002007 62/0.391268 45/0.007501
ResCntInt(1,3) 390/0.088 194/0.002743 62/0.466318 45/0.008130
ResBurst(1,3) 249/0.072 125/0.001617 62/0.371823 45/0.007497
ResBurstInt(1,3) 291/0.070 167/0.002580 62/0.449197 45/0.007509
LenCnt(1,3) 291/0.102 134/0.002341 62/0.380235 45/0.007851
LenCntInt(1,3) 335/0.065 166/0.002191 62/0.509995 45/0.014236
LenBurst(1,3) 249/0.083 125/0.002779 62/0.374552 45/0.007500
LenBurstInt(1,3) 273/0.090 143/0.002446 62/0.378385 45/0.007507
AssumeTrue Unrealizable
B Mine pump DCSynth Specification and Robust
controllers
In this section we illustrate the effect of soft requirements on the quality of the
synthesized controllers with a case study of a mine pump controller specification
[13]. The controller has two input sensors: high water level sensor HH2O and
methane leakage sensor HCH4 ; and one output, PumpOn to keep the pump on.
The objective of the controller is to safely operate the pump in such a way that
the water level never remains high continuously for more that w cycles.
Thus, minepump controller has input and output variables ({HH2O,HCH4}, {PumpOn}).
We have following assumptions on the mine and the pump.Their conjunction
is denote MineAssume(, ζ, κ).
- Pump capacity: ([]!(slen =  && ([[PUMPON && HH2O]]^〈HH2O〉))). If
pump is continuously on for at least + 1 cycles, when water level is high,
then water level will not be high at the end (i. e. + 1 cycles).
- Methane release: [](([HCH4]^[!HCH4]^〈HCH4〉)⇒ (slen > ζ)) and []([[HCH4]]⇒
slen < κ). The minimum separation between the two leaks of methane is ζ
cycles and the methane leak cannot persist for more than κ cycles.
The commitments are:
- Safety conditions: [[(HCH4 || !HH2O)⇒ !PumpOn)]] saying that if there
is a methane leakage or absence of high water, then pump should be off; and
[]([[HH2O]] && slen < w) stating that it is not possible that the water level
continuously remains high for w cycles.
The conjunction of commitments is denoted MineCommit(w).
It is to be noted that all the assumption and commitments formulas are
made intermittent by restricting the scope of each formula to the most re-
cent interval of n cycles i.e. formula is satisfied or violation is decided based
on the recent past instead of whole past. This is done by using formula us-
ing KBOUNDED(D,n) macro (See Figure B.4) defined as ((slen < K =>
(D)) && (true^slen = K => true^(slen = K && (D)))). This is important for
robust specification, because if we consider the whole past then even a single vi-
olation of formula will keep it unsatisfiable always without allowing it to recover
ever. The Minepump specification MinePump(w, , ζ, κ) is given by the assump-
tion, commitment pair (MineAssume(, ζ, κ),MineCommit(w)). Appendix B.4
gives the textual source of (MinePump(8, 2, 6, 2)) for BeCurrentlyCorrect ro-
bust specification used by the DCSynth tool.
B.1 Must Dominance betweeen various robust Controllers
Comparision based on Must Dominance We use ”==” to indicate that the
supervisors are identical, whereas ”=” indicates that they are must equivalent
but not identical. For Minepump(8, 2, 6, 2) case study some of the supervisors
become identical as given in Appendix B Figure 10.
– MPHOS supervisors does not have theoretical order. However, forMinepump(8, 2, 6, 2)
the complete robustness order collapses and all supervisors becomes must
equivalent. Although, they are not identical (See Appendix Figure 11). The
nonInt represents that all the non intermittent specification i.e. ResCnt,
LenCnt, ResBurst and LenBurst.
BeCurrentlyCorrect
LenBurstInt
LenCntInt
ResCntInt==ResBurstInt
ResCnt == LenCnt == ResBurst==LenBurst
BeCorrect
Fig. 10. Robust synthesis criteria hierarchy for Must Dominance between MPS.
AssumeFalse=BeCorrect= ( nonInt==)=(ResCntInt==ResBurstInt)=
LenCntInt=LenBurstInt =BeCurrentlyCorrect
Fig. 11. Robust synthesis criteria hierarchy for Must Dominance between MPHOS.
B.2 Expected Case Performance
Expected values of various robust controllers are given in the Table 5 and 6. It is
evident that expected values of meeting the commitment using hard robustness
(given as MPS in column 2) as well as soft robustness (given as MPHOS in
column 4) are useful and maximize the holding of commitments.
B.3 Tool Performance
Table 7 provides the detailed statistics for synthesizing various robust controllers.
It can be seen that monitor automaton computation and MPHOS computation
takes the maximum time and total for computing the controller is 3 seconds.
Table 5. Expected Values of meeting the commitments for various robust controllers
of Minepump case study with default PumpOn
Minepump(PumpOn) MPS MPHOS
E(C) E(A) E(C) E(A)
AssumeFalse 0.00000 0.012257 0.997070 0.014441
BeCorrect 0.000000 0.0122567 0.997070 0.014441
ResCnt(2,8)
0.000000 0.012257 0.997070 0.014441
ResBurst(2,8)
LenCnt(2,8)
LenBurst(2,8)
ResCntInt(2,8)
0.000966 0.013247 0.997070 0.014441
ResBurstInt(2,8)
LenCntInt(2,8) 0.0027342 0.013318 0.997070 0.014441
LenBurstInt(2,8) 0.004514 0.013321 0.997070 0.014441
BeCurrentlyCorrect 0.997070 0.014441 0.997070 0.014441
Table 6. Expected Values of meeting the commitments for various robust controllers
of Minepump case study with default PumpOff
Minepump (PumpOff) MPS MPHOS
AssumeFalse 0.997070 0.024903 0.997070 0.024903
BeCorrect 0.997070 0.024904 0.997070 0.024904
ResCnt(2,8)
0.997070 0.024904 0.997070 0.024904
ResBurst(2,8)
LenCnt(2,8)
LenBurst(2,8)
ResCntInt(2,8)
0.997070 0.024662 0.997070 0.024662
ResBurstInt(2,8)
LenCntInt(2,8) 0.997070 0.024206 0.997070 0.024206
LenBurstInt(2,8) 0.997070 0.023268 0.997070 0.023268
BeCurrentlyCorrect 0.997070 0.024293 0.997070 0.024293
Table 7. DCSynth Statistics for synthesis of various Robust Minepump example
Minepump(8, 2, 6, 2). Parameters Used: Disc Factor = 0.900000, H = 50, Type = Avg-
Max, Delta = 0.000100
Synthesis (States/Time)
Sr Robustness Monitor MPS MPHOS Controller Stats
No Criterion Stats Stats Stats PumpOn PumpOff
MPS
AssumeFalse 5268/0.413 5267/0.051886 1/0.203156 2/0.000059 2/0.000042
BeCorrect 6299/0.460 5390/0.051482 61/0.203690 21/0.003270 47/0.002950
BeCurrentlyCorrect 6102/0.416 905/0.025670 30/0.020076 2/0.000397 25/0.000496
LenBurst(2,8) 7689/0.489 5404/0.055062 45/0.209456 22/0.000437 37/0.000461
LenBurstInt(2,8) 12169/0.754 6067/0.086382 342/0.210206 219/0.009601 51/0.008175
LenCnt(2,8) 7689/0.495 5404/0.055288 45/0.208896 22/0.000849 37/0.000442
LenCntInt(2,8) 11971/0.813 6671/0.088817 420/0.232484 257/0.012043 71/0.011698
ResBurst(2,8) 7689/0.469 5404/0.057592 45/0.209711 22/0.000633 37/0.000431
ResBurstInt(2,8) 13723/0.870 8430/0.098644 469/0.288897 306/0.013445 88/0.007452
ResCnt(2,8) 7689/0.468 5404/0.055485 45/0.208627 22/0.000719 37/0.000672
ResCntInt(2,8) 13723/0.883 8430/0.100492 469/0.287158 306/0.008003 88/0.007359
MPHOS
AssumeFalse 5268/0.413 5267/0.051461 2/1.215522 2/0.000054 2/0.000068
BeCorrect 6299/0.468 5390/0.053660 61/1.246768 2/0.000471 47/0.001097
BeCurrentlyCorrect 6102/0.413 905/0.025486 30/0.133132 2/0.000500 25/0.000490
LenBurst(2,8) 7689/0.532 5404/0.053116 44/1.229908 2/0.000566 37/0.000478
LenBurstInt(2,8) 12169/0.764 6067/0.085852 76/1.237215 2/0.000996 51/0.001041
LenCnt(2,8) 7689/0.516 5404/0.053728 44/1.239951 2/0.000705 37/0.000455
LenCntInt(2,8) 11971/0.786 6671/0.089755 116/1.374660 2/0.001376 71/0.001521
ResBurst(2,8) 7689/0.523 5404/0.053781 44/1.322684 2/0.000595 37/0.000748
ResBurstInt(2,8) 13723/0.875 8430/0.100483 156/1.817073 2/0.002108 88/0.002476
ResCnt(2,8) 7689/0.479 5404/0.053901 44/1.230389 2/0.000566 37/0.000452
ResCntInt(2,8) 13723/0.884 8430/0.104372 156/1.810811 2/0.002319 88/0.001283
B.4 Mine pump Specification Source
Fig. 12. Mine pump specification in DCSynth
#qsf ”minepump”
interface{
input HH2Op, HCH4p;
output PUMPONp monitor x, A monitor x, C monitor x;
constant w = 8, epsilon=2 , zeta=6, kappa=2;
}
definitions{
//Methane release assumptions
dc methane1(HCH4){
KBOUNDED([]([HCH4]ˆ[!HCH4]ˆ<HCH4 >=>slen>zeta ), n);
}
dc methane2(HCH4){
KBOUNDED([]([[HCH4]] =>slen<kappa ), n);
}
//Pump capacity assumption
dc pumpcap1(HH2O, PUMPON){
KBOUNDED([]!(slen=epsilon && ([[PUMPON && HH2O]] ˆ<HH2O >)),n);
}
dc MineAssume 2 6 2(HH2O, HCH4, PUMPON){
methane1(HH2O, HCH4, PUMPON) && methane2(HH2O, HCH4, PUMPON) &&
pumpcap1(HH2O, HCH4, PUMPON);
}
//safety condition
dc req1(HH2O, HCH4, PUMPON){
KBOUNDED(([[( (HCH4 || !HH2O) =>!PUMPON)]]),n);
}
dc req2(HH2O, HCH4, PUMPON){
KBOUNDED((!([] ([[HH2O]] && (slen = w)))),n)
}
dc MineCommit 8(HH2O, HCH4, PUMPON){
req1(HH2O, HCH4, PUMPON) && req2(HH2O, HCH4, PUMPON);
}
indefinitions{
A : MineAssume 8(HH2Op, HCH4p, PUMPONp);
C : MineCommit 8(HH2Op, HCH4p, PUMPONp);
}
hardreq{
MineAssume 2 6 2(HH2Op, HCH4p, PUMPONp) =>
MineCommit 8(HH2Op, HCH4p, PUMPONp);
hardreq{
useind A, C;
BeCurrentlyCorrect(A) =>EP(C);
}
softreq{
useind C;
(C);
}
