fbSAT: Automatic Inference of Minimal Finite-State Models of Function
  Blocks Using SAT Solver by Chukharev, Konstantin & Chivilikhin, Daniil
fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks*
Konstantin Chukharev1,2 and Daniil Chivilikhin1
1 Computer Technologies Laboratory, ITMO University, St. Petersburg, Russia
2 JetBrains Research, St. Petersburg, Russia
{kchukharev,chivdan}@itmo.ru
Abstract. Finite-state models are widely used in software engineering, especially in control systems development. Commonly, in control applications such models are developed manually, hence keeping them up-to-date requires extra effort. To simplify the maintenance process, an automatic approach may be used, allowing models to be inferred from behavior examples and temporal properties. As an example of a specific control systems development application, we focus on inferring finite-state models of function blocks (FBs) defined by the IEC 61499 international standard for distributed automation systems.
In this paper we propose a method for FB model inference from behavior examples, based on reduction to the Boolean satisfiability problem (SAT). Additionally, we take into account linear temporal properties using counterexample-guided synthesis. In contrast to existing approaches, the suggested method is more efficient and produces minimal finite-state models both in terms of the number of states and guard conditions. We also present the developed tool fbSAT which implements the proposed method, and evaluate it in two case studies: inference of a finite-state model of a Pick-and-Place manipulator, and reconstruction of randomly generated automata.
Keywords: SAT · Finite-state automata · LTL · Counterexample-guided
inductive synthesis · Function blocks · IEC 61499
1 Introduction
The non-trivial process of industrial control system development may be reduced to the development of a finite-state automaton or a system of interconnected automata. The behavior of the controller may be represented using the deterministic finite-state model, allowing to describe how the system reacts to input actions and which output actions it produces. Such models are extensively used in program testing [2, 26] and verification [6, 24]. One practical example of the finite-state models usage is the international standard for distributed automation systems development IEC 61499 [38], which defines the control systems as networks of interconnected function blocks (FBs), specified by their interfaces and implementations (control algorithms). Since the standard uses an event-driven execution model, the FB interface contains input/output events in addition to input/output data.
* Full version with all appendices is available at http://rain.ifmo.ru/~chivdan/papers/2019/fbSAT.pdf [11]
arXiv:1907.03285v1 [cs.FL] 7 Jul 2019
In practice, most finite-state models for control applications are developed
manually – this is a tedious and error-prone approach. Furthermore, there is
a problem of maintaining the models up-to-date and consistent during the
changes in system parameters, architecture, and logic. An alternative to the
manual process is automatic synthesis from the given execution scenarios and/or
temporal properties [3, 7, 17, 20, 22, 34, 35]. Inferred models can be used for
model-based testing, verification and can even replace the original controller.
In this paper we propose a method for automatic inference of minimal finite-
state FB models from execution scenarios and linear temporal logic (LTL) proper-
ties [25]. The proposed approach is based on the reduction of the original problem
to the Boolean satisfiability problem (SAT) [5].
2 Problem Statement
Fig. 1. Function block example
A function block (FB) is characterized by its
interface and control algorithm. The interface
defines input/output events (sets EI and EO)
and input/output variables (sets X and Z)
which can be, e.g., Boolean, integer or real-
valued (Fig. 1). In this paper we consider
Boolean input/output variables only. The con-
trol algorithm is represented by a Moore finite-
state machine, extended with guard conditions, and called execution control chart
(ECC). A complete formal definition of an ECC can be found in [15]. Here we
use a simplified one: each state is associated with an output event from EO
and an algorithm that defines modification of output variable values, and each
transition is marked with an input event from EI and a guard condition – a
Boolean formula over input variables. Later we will refer to such a machine simply
as an automaton.
An execution scenario is a sequence of scenario elements $s_i = \langle e_I[\bar{x}], e_O[\bar{z}] \rangle$, where each element consists of an input action $e_I[\bar{x}]$ and an output action $e_O[\bar{z}]$. An input action is a pair of an input event $e_I \in E_I$ and a tuple of input variable values $\bar{x} = \langle x_1, \ldots, x_{|X|} \rangle$ ($x_i \in X$), later called input, whereas an output action is a pair of an output event $e_O \in E_O \cup \{\varepsilon\}$ and a tuple of output variable values $\bar{z} = \langle z_1, \ldots, z_{|Z|} \rangle$ ($z_i \in Z$), later called output. An empty output event ε is necessary to represent the absence of an output action, e.g., in the case when an automaton does not react to the input action. A positive scenario is an execution scenario representing a desired behavior of an automaton. Commonly, such scenarios are obtained by simulating an existing model. An example of a set S of two scenarios $s_1$ and $s_2$ is shown below:
$$s_1 = [\langle R[10], \varepsilon[0] \rangle;\ \langle R[01], B[1] \rangle;\ \langle R[11], A[0] \rangle;\ \langle R[11], A[1] \rangle;\ \langle R[01], B[1] \rangle],$$
$$s_2 = [\langle R[01], B[1] \rangle;\ \langle R[01], \varepsilon[1] \rangle;\ \langle R[11], A[0] \rangle;\ \langle R[00], \varepsilon[0] \rangle;\ \langle R[01], A[1] \rangle]. \quad (1)$$
An automaton is said to satisfy the scenario s∈S if, while sequentially receiving
input actions from the scenario elements of s, the automaton produces exactly
the same sequence of output actions as in s.
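As an added illustration (not code from the paper or the fbSAT tool), the following Python simulates the satisfaction check just defined: a hand-built four-state automaton with prioritized guarded transitions and output algorithms that map a previous output value to a new one is run against scenarios s1 and s2 from (1), and its produced output actions are compared element by element with the scenario. The state layout, the guards, and the `eps` spelling of ε are assumptions of this example.

```python
# Added example, not code from the paper or fbSAT: an ECC-style automaton over
# E_I = {R}, E_O = {A, B}, X = (x1, x2), Z = (z1,) simulated against scenarios (1).
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

EPS = "eps"  # the empty output event (epsilon in the paper); spelling is ours

Input = Tuple[bool, ...]
Guard = Callable[[Input], bool]


@dataclass
class State:
    out_event: str
    # Algorithm of the state: per output variable, (d0, d1) = new value when the
    # previous value was False / True, mirroring the paper's d0/d1 variables.
    algorithm: List[Tuple[bool, bool]]
    # Transitions in IEC 61499 priority order: (input event, guard over x, destination).
    transitions: List[Tuple[str, Guard, int]] = field(default_factory=list)


@dataclass
class Automaton:
    states: List[State]  # states[0] is the initial state (state 1 in the paper)

    def step(self, c, z, e, x):
        """One step: follow the first fired transition, else stay and emit eps."""
        for ev, guard, dest in self.states[c].transitions:
            if ev == e and guard(x):
                alg = self.states[dest].algorithm
                new_z = tuple(alg[i][1] if z[i] else alg[i][0] for i in range(len(z)))
                return dest, new_z, self.states[dest].out_event
        return c, z, EPS

    def run(self, scenario):
        """Output actions produced while feeding the scenario's input actions."""
        c = 0
        z = tuple(False for _ in self.states[0].algorithm)  # initial state zeroes Z
        produced = []
        for (e, x), _expected in scenario:
            c, z, o = self.step(c, z, e, x)
            produced.append((o, z))
        return produced


def satisfies(auto, scenario):
    """The automaton satisfies s iff it reproduces exactly s's output actions."""
    return auto.run(scenario) == [out for _inp, out in scenario]


def parse(el):
    """'R[10]->B[1]' -> (('R', (True, False)), ('B', (True,))); our own notation."""
    inp, outp = el.split("->")
    (ie, ix), (oe, oz) = (s[:-1].split("[") for s in (inp, outp))
    return (ie, tuple(ch == "1" for ch in ix)), (oe, tuple(ch == "1" for ch in oz))


# Scenarios s1 and s2 from (1), written in the constructed notation above.
S1 = [parse(e) for e in ["R[10]->eps[0]", "R[01]->B[1]", "R[11]->A[0]", "R[11]->A[1]", "R[01]->B[1]"]]
S2 = [parse(e) for e in ["R[01]->B[1]", "R[01]->eps[1]", "R[11]->A[0]", "R[00]->eps[0]", "R[01]->A[1]"]]

# One hand-built automaton consistent with both scenarios (an assumption of this
# example; not claimed minimal). Destinations are 0-based state indices.
x1 = lambda x: x[0]
x2 = lambda x: x[1]
AUTO = Automaton([
    State("INITO", [(False, False)], [("R", x2, 1)]),           # state 1: z := 0
    State("B", [(True, True)], [("R", x1, 2)]),                  # state 2: z := 1
    State("A", [(True, False)], [("R", x1, 3), ("R", x2, 2)]),   # state 3: z := not z
    State("A", [(True, False)], [("R", x2, 1)]),                 # state 4: z := not z
])

if __name__ == "__main__":
    for name, s in (("s1", S1), ("s2", S2)):
        print(name, "satisfied:", satisfies(AUTO, s), AUTO.run(s))
```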
An LTL specification L is a set of LTL formulas describing the temporal
properties of a finite-state model. An LTL formula is an expression which may
contain propositional variables (in our case – input/output events/variables
of the ECC), logical operators (e.g., ∧,∨,¬,→), and temporal operators (e.g.,
X – “next”, U – “until”, G – “globally”, F – “in future”). An LTL specification
can be verified using a model checker tool. In order to take into account liveness
properties we use a closed loop [37] verification with formal model of a plant [8].
Ultimately, the problem addressed in this paper is to find the most general
automaton that satisfies all positive scenarios from a given set S+ and complies
with a given LTL specification L. Commonly, high generalization of models is
achieved through minimizing their number of states and/or transitions [3, 22, 34].
In this work we additionally explicitly consider complexity of guard conditions:
generalization is achieved by minimizing the sought automaton in terms of its
size and the total complexity of its guard conditions. We define the size of an
automaton as the number of its states, and the guard condition complexity as
the size of the parse tree of the corresponding Boolean formula.
3 Related Work
There exists a large body of work on SAT-based synthesis of circuits, bit-vector
programs, domain-specific programs, etc. However, in this work we are interested
specifically in synthesis of finite-state machines: state-based models are compre-
hensible, their formal verification is relatively simple, and they can be directly
used in control applications for controller logic implementation.
The problem of finding a minimal deterministic finite-state machine from
behavior examples is known to be NP-complete [21], and the complexity of
the LTL synthesis problem is double exponential in the length of the LTL
specification [31]. Despite this, synthesis of various types of finite-state models
from behavior examples and/or formal specification has been addressed by many
researchers including [3, 6, 7, 17, 20, 22, 28, 30, 33, 34, 40] with methods based on
heuristic state merging, evolutionary algorithms and SAT-solvers. In the context
of this paper we are interested in exact methods, so we direct our attention to
SAT-based methods.
Extended Finite-State Machine (EFSM ) is the model most similar to the
ECC considered in this paper – it combines a Mealy and a Moore automaton
extended with conditional transitions. Transitions are labeled with input events
and Boolean formulas over the input variables, and automaton states have
associated sequences of output actions. Several approaches based on translation
to SAT [34, 39] have been proposed for inferring EFSMs from behavior examples
and LTL properties. In [34] LTL properties are accounted for via an iterative
counterexample prohibition approach.
The BoSy tool [16, 17] implements bounded synthesis of a transition system
(a type of automaton similar to EFSM and ECC) from given LTL properties.
Synthesis is bounded in the sense that the number of states does not exceed a
given bound. Apart from the SAT-based approach, a more efficient solution based
on a Quantified SAT (QSAT) encoding is developed. Transition systems inferred
with the SAT-based encoding are explicit (guard conditions include all input
variables), whereas the QSAT-based encodings yields symbolic models (guard
conditions are Boolean formulas over input variables). BoSy ensures that found
solutions are minimal w.r.t. the number of states, however it does not allow
minimizing guard conditions, which tend to be large and incomprehensible. An
approach to make generated solutions simpler is suggested in [18], where the
SAT-based encoding is augmented with constraints for minimizing the number
of cycles in the transition system. However, guard conditions complexity is not
addressed. Furthermore, BoSy does not support behavior examples. Though they
can be modeled with LTL formulas, this approach is inefficient even for behavior
examples of moderate size. Other LTL synthesis techniques, e.g. G4LTL-ST [7]
and Strix [27], have the same drawbacks in application to the considered problem:
no guard conditions minimization and lack of support for behavior examples.
In [9], the fbCSP method is proposed for inferring an FB model from given
execution scenarios by means of translation to the Constraint Satisfaction Prob-
lem (CSP). However, fbCSP has the following restrictions. Guard conditions
are generated in complete form – corresponding Boolean formulas depend on
all input variables. Such models do not generalize to unseen data. This is coun-
tered by greedy guard conditions minimization, but it does not guarantee the
result minimality. In [8] fbCSP is extended with a counterexample prohibition
procedure similar to [34] to account for LTL properties. Guard conditions are
represented with fixed-size conjunctions of positive/negative literals of input
variables. The drawback of this approach is that it does not allow constructing
models when temporal properties are poorly covered with behavior examples.
In [10] the two-stage approach of fbCSP is developed further: on the first
stage, a base model is inferred with a translation to SAT, and on the second stage
its guard conditions are minimized via a CSP-based approach, in which guard
condition Boolean formulas are represented with parse trees. By introducing a
total bound on the number of nodes in these parse trees and solving a series of
CSP problems, the method finds a model with minimal guard conditions w.r.t.
the base model identified on the first stage. Global minimality of guard conditions
is not guaranteed due to the two-stage implementation: minimal guards may
correspond to another base model, not the one found on the first stage. The same
argument applies against any approach based on state machine minimization [23].
In addition, LTL properties are not supported.
Overall, none of the existing methods allow simultaneously and efficiently
accounting for (1) behavior examples, (2) LTL properties, and (3) minimality of
synthesized automata in terms of both number of states and guard conditions
complexity. The approach proposed in this paper extends [10] and contributes
to the state-of-the-art SAT-based state machine synthesis: it supports positive
behavior examples, realizes counterexample-guided synthesis to account for LTL
properties, and produces models minimal both in terms of the number of states
and guard conditions complexity. Though our approach is implemented for FB
model identification, it can be easily applied for inference of other types of state
machines.
4 Proposed Approach
In this section we develop our framework for inferring minimal FB models from a
given set of positive scenarios and an LTL specification. In Sect. 4.1 we describe
a convenient storage structure for execution scenarios – scenario tree. In Sect. 4.2
we describe the process of verifying an LTL specification using a model checker
tool, which produces a counterexample for each violated LTL formula. Obtained
counterexamples are converted into negative scenarios representing the undesired
behavior, which we want to prohibit. In Sect. 4.3 we describe the reduction of the
FB model inference problem to SAT. The proposed reduction consists of three
parts: encoding of the automaton structure, encoding of the guard conditions
structure, and encoding of the mapping between the negative scenario tree and the
automaton. Additionally, we supplement the proposed reduction with cardinality
constraints allowing to bound the guard conditions complexity. In Sect. 4.4 we
describe the process of inferring a minimal FB model both in terms of the number
of states and guard conditions complexity.
4.1 Scenario Tree Construction
A scenario tree T is a prefix tree that contains all scenarios from the given
set S. A path from the root to a leaf corresponds to a scenario from S. Each
tree node and its incoming edge correspond to a scenario element: a node is
marked with an output action, while an edge is marked with an input action.
The only exception for this is the root of the tree, marked only with an auxiliary
output action consisting of auxiliary output event INITO and zero output. An
example of a scenario tree constructed from scenarios (1) is shown in Fig. 2,
where $E_I = \{R\}$, $E_O = \{A, B\}$, $|X| = 2$, $|Z| = 1$. Further, we will refer to the key features of a scenario tree as follows: V is the set of tree nodes; ρ ∈ V is the root of the tree; tp(v) ∈ V is the parent of node v ≠ ρ; tie(v) ∈ $E_I$ is the input event on the incoming edge of node v ≠ ρ; toe(v) ∈ $E_O \cup \{\varepsilon\}$ is the output event in node v, where ε is the empty event; $V^{(active)} = \{v \in V \setminus \{\rho\} \mid toe(v) \neq \varepsilon\}$ is the set of active tree nodes; $V^{(passive)} = \{v \in V \setminus \{\rho\} \mid toe(v) = \varepsilon\}$ is the set of passive tree nodes; U is the set of unique inputs encountered in scenarios; tin(v) ∈ U is the input on the incoming edge of node v ≠ ρ; tov(v, z) ∈ {True, False} is the value of output variable z in node v. The root ρ has no parent, thus tp(ρ), tie(ρ), and tin(ρ) are undefined. A positive scenario tree is a scenario tree built from positive scenarios, without any extension to the above definition.
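The scenario tree construction described above, as an added Python example (not the paper's or fbSAT's code): scenarios (1) are inserted into a prefix tree, and the features tp, tie, tin, toe, tov, V(active), V(passive) and U are read off the nodes. The class and attribute names are this example's own; the check that two positive scenarios agree on a shared prefix reflects that a positive tree is deterministic.

```python
# Added example, not the paper's or fbSAT's code: the scenario tree of Sect. 4.1
# built from scenarios (1); class and attribute names are ours.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EPS = "eps"      # empty output event (epsilon)
INITO = "INITO"  # auxiliary output event of the root

Input = Tuple[bool, ...]


@dataclass
class Node:
    parent: Optional[int]       # tp(v); None for the root rho
    in_event: Optional[str]     # tie(v)
    inp: Optional[Input]        # tin(v)
    out_event: str              # toe(v)
    outp: Tuple[bool, ...]      # tov(v, z) for each output variable z
    children: Dict[Tuple[str, Input], int] = field(default_factory=dict)


class ScenarioTree:
    """Prefix tree T: nodes carry output actions, incoming edges carry input actions."""

    root = 0  # index of rho

    def __init__(self, n_outputs: int):
        # The root is marked with INITO and a zero output.
        self.nodes: List[Node] = [Node(None, None, None, INITO, (False,) * n_outputs)]

    def add_scenario(self, scenario) -> None:
        v = self.root
        for (e, x), (o, z) in scenario:
            key = (e, x)
            w = self.nodes[v].children.get(key)
            if w is None:
                self.nodes.append(Node(v, e, x, o, z))
                w = len(self.nodes) - 1
                self.nodes[v].children[key] = w
            elif (self.nodes[w].out_event, self.nodes[w].outp) != (o, z):
                # Two positive scenarios reacting differently to the same prefix
                # cannot both be satisfied by one deterministic automaton.
                raise ValueError(f"conflicting output actions after node {v} on {key}")
            v = w

    def active(self) -> List[int]:
        """V(active): non-root nodes with a non-empty output event."""
        return [v for v, n in enumerate(self.nodes) if v != self.root and n.out_event != EPS]

    def passive(self) -> List[int]:
        """V(passive): non-root nodes whose output event is eps."""
        return [v for v, n in enumerate(self.nodes) if v != self.root and n.out_event == EPS]

    def unique_inputs(self) -> Set[Input]:
        """U: distinct inputs on the incoming edges."""
        return {n.inp for v, n in enumerate(self.nodes) if v != self.root}

    def path(self, v: int) -> List[int]:
        """Nodes from rho to v: the scenario prefix whose processing ends in v's color."""
        out = []
        while v is not None:
            out.append(v)
            v = self.nodes[v].parent
        return out[::-1]


def parse(el):
    """'R[10]->B[1]' -> (('R', (True, False)), ('B', (True,))); our own notation."""
    inp, outp = el.split("->")
    (ie, ix), (oe, oz) = (s[:-1].split("[") for s in (inp, outp))
    return (ie, tuple(ch == "1" for ch in ix)), (oe, tuple(ch == "1" for ch in oz))


def build_tree(scenarios, n_outputs=1) -> ScenarioTree:
    tree = ScenarioTree(n_outputs)
    for s in scenarios:
        tree.add_scenario(s)
    return tree


S1 = [parse(e) for e in ["R[10]->eps[0]", "R[01]->B[1]", "R[11]->A[0]", "R[11]->A[1]", "R[01]->B[1]"]]
S2 = [parse(e) for e in ["R[01]->B[1]", "R[01]->eps[1]", "R[11]->A[0]", "R[00]->eps[0]", "R[01]->A[1]"]]
TREE = build_tree([S1, S2])  # |V| = 11: the root plus one node per scenario element
```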
Fig. 2. Scenario tree constructed from scenarios (1)
4.2 Negative Scenarios
Recall that an LTL specification can be verified using a model checker tool, which produces a counterexample for each violated LTL formula. We use the symbolic model checker NuSMV [13]. For safety properties, a counterexample is a finite sequence of states. For liveness properties, a counterexample is an infinite but periodic sequence of states, which can be represented in a lasso-shaped form as a finite prefix followed by a loop, i.e. a finite sequence of states ending with a loop-back [14]. Each state is associated with a set of variables and their values. Note that output-related variables in each state relate to the input in the previous state, e.g., if the first counterexample state is associated with $\langle e_1[\bar{x}_1], o_1[\bar{z}_1] \rangle$ and the second with $\langle e_2[\bar{x}_2], o_2[\bar{z}_2] \rangle$, then $o_2[\bar{z}_2]$ is a reaction to $e_1[\bar{x}_1]$.
A negative scenario is an execution scenario representing an undesired behavior. A counterexample can be flattened into a negative scenario by merging the input and output actions from the successive states into scenario elements. Note that the output action of the first state remains unused, as it is assumed that it unconditionally zeroes all output variables and does not produce an output event. Fig. 3 shows a counterexample and the corresponding negative scenario.
Fig. 3. Counterexample (left) and corresponding negative scenario (right)
A negative scenario tree is a scenario tree built from negative scenarios. The key difference from a positive scenario tree is that it is non-deterministic and contains loop-backs – unmarked edges to ancestral nodes, representing an undesired looping behavior. Note that a node can have multiple loop-backs, from different negative scenarios. We denote all loop-backs from the node v as $\hat{tl}(v)$. All other tree features are the same as defined in Sect. 4.1, but marked with a hat symbol, e.g., $\hat{v} \in \hat{V}$, $\hat{tp}(v)$, $\hat{tie}(v)$.
4.3 FB Model Inference Using SAT Solver
We propose a method for inferring an FB model based on the reduction to SAT. The reduction consists in formally describing a deterministic automaton A of size C by constructing a Boolean formula in conjunctive normal form that is satisfiable if and only if there exists an automaton which satisfies the given positive scenarios $S^+$ and does not satisfy the given negative scenarios $S^-$. Note that for all constraints presented not in CNF we apply a Tseytin transform, and to encode integer variables in SAT we use a sparse encoding [19].
The proposed reduction consists of three parts. First, we declare an encoding for the structure of an automaton of size C and for the mapping between the positive scenario tree $T^+$ and the automaton A. Constraints described here ensure that the sought automaton is (1) deterministic and (2) satisfies the positive scenarios. Second, we encode the guard conditions structure, i.e. the structure of parse trees of corresponding Boolean formulas. Additionally, we declare cardinality constraints allowing to bound the guard conditions complexity, i.e. the total number of meaningful parse tree nodes. Third, we encode the mapping between the negative scenario tree $T^-$ and the automaton A, and prohibit the undesired behaviors represented by $T^-$.
Automaton Structure Encoding. The goal is to infer an automaton with C
states. We assume that each automaton state has at most K outgoing transitions.
Further in this section we assume that c∈ [1..C], k∈ [1..K], e∈EI , o∈EO, u∈U ,
p∈ [1..P ], unless stated otherwise. Further, we assume that K =C, because it is
the safest minimum value that does not prohibit the inference of an automaton,
which may happen for smaller values of K due to over-constraining. However,
lowering this value greatly reduces the size of the reduction, which is likely to
significantly increase the solving efficiency.
To begin with, we declare a variable $\tau_{c,k} \in [0..C]$ denoting the destination state of the k-th transition from the state c. Note that $\tau_{c,k} = 0$ denotes the absence of a transition. W.l.o.g. we state that absent transitions are last:
$$\tau_{c,k} = 0 \Rightarrow \tau_{c,k+1} = 0$$
Additionally, we emulate an automaton transition function by declaring a variable $\lambda_{c,e,u} \in [0..C]$, which denotes the state into which the automaton jumps from the state c upon receiving an input action e[u]. Note that $\lambda_{c,e,u} = 0$ means that the automaton stays in the same state. Formally, this variable is defined as follows:
$$\bigvee_{k \in [1..K]} \left( \lambda_{c,e,u} = \tau_{c,k} \wedge \xi_{c,k} = e \wedge ff_{c,u} = k \right)$$
Each transition is marked with an input event. Variable $\xi_{c,k} \in E_I \cup \{\varepsilon\}$ denotes an input event on the k-th transition from the state c. Note that $\xi_{c,k} = \varepsilon$ denotes the absence of an input event, which happens only when the transition is absent, i.e.:
$$\tau_{c,k} = 0 \iff \xi_{c,k} = \varepsilon.$$
Also, each transition has an associated guard condition represented by a Boolean formula over input variables. When the Boolean formula evaluates to True on some input u, we call this situation “guard condition fires on input u”. Variable $\vartheta^{\rho}_{c,k,u}$ denotes whether the k-th transition from state c fires on u. According to the IEC 61499 standard, each state has a transition priority: the automaton follows the first fired transition or remains in the same state if no transition fired. Variable $ff_{c,u} \in [0..K]$ denotes the number of the transition from the state c which fires first on input u. Note that $ff_{c,u} = 0$ denotes that no transition has fired at all. Additionally, we declare variables $nf_{c,k,u}$ indicating that transitions 1..k from the state c have not fired on input u. The relations between those variables are defined by the following constraints:
$$ff_{c,u} = k \iff \vartheta^{\rho}_{c,k,u} \wedge nf_{c,k-1,u}$$
$$nf_{c,k,u} \iff \neg\vartheta^{\rho}_{c,k,u} \wedge nf_{c,k-1,u}$$
$$\neg nf_{c,k,u} \Rightarrow \neg nf_{c,k+1,u}$$
$$ff_{c,u} = 0 \iff nf_{c,K,u}$$
Each state has an associated output action. Recall that each output action consists of an output event and an algorithm that can change output variable values. Variable $\omega_c \in E_O$ denotes an output event in the state c. It is defined to be the same as in all active tree nodes mapped into this state:
$$\omega_{1,toe(\rho)} \wedge \bigwedge_{v \in V^{(active)}} \left( \mu_{v,c} \Rightarrow \omega_{c,toe(v)} \right)$$
Values of output variables are not defined by each state, but may be changed by each state’s algorithm. Note that we consider simple algorithms where new output variable values depend only on their previous values and the state, and therefore, for each output variable, an algorithm has two branches – what the outcome will be if the previous value was False (variables $d^0_{c,z}$, $c \in [1..C]$, $z \in Z$) or True (variables $d^1_{c,z}$). The initial state zeroes all output variables, while the other states ($c \in [2..C]$) mimic the behavior from the tree:
$$\neg d^0_{1,z} \wedge \neg d^1_{1,z} \wedge \bigwedge_{v \in V^{(active)}} \mu_{v,c} \Rightarrow \begin{cases} \neg d^0_{c,z}, & \text{if } \neg tov(tp(v), z) \wedge \neg tov(v, z) \\ d^0_{c,z}, & \text{if } \neg tov(tp(v), z) \wedge tov(v, z) \\ \neg d^1_{c,z}, & \text{if } tov(tp(v), z) \wedge \neg tov(v, z) \\ d^1_{c,z}, & \text{if } tov(tp(v), z) \wedge tov(v, z) \end{cases}$$
Additionally, we declare auxiliary symmetry-breaking constraints [35], which force the automaton states to be enumerated in the order they are visited by the breadth-first search (BFS) algorithm launched from the initial state. Variable $t^{bfs}_{i,j}$ ($i, j \in [1..C]$) indicates the existence of a transition from the state i to j. Variable $p^{bfs}_c \in [0..C]$ denotes the “parent” of the state c in the BFS traversal tree. We omit an in-depth description of the BFS constraints, defined as follows:
$$\bigwedge_{i,j \in [1..C]} \left( t^{bfs}_{i,j} \iff \bigvee_{k} \tau_{i,k} = j \right) \wedge \bigwedge_{1 \le i < j \le C} \left( p^{bfs}_j = i \iff \bigwedge_{1 < q < i} \neg t^{bfs}_{q,j} \right)$$
Positive Scenario Tree Mapping Encoding. Roughly speaking, the goal is
to organize a mapping between the positive scenario tree T + and the automaton
A – specifically, a surjective mapping of tree nodes into automaton states. Figure 4
shows a local mapping of three tree nodes, one of which is passive (white), i.e.
has an empty output event ε, into two automaton states. Dashed lines connecting
nodes with states represent the described mapping.
Fig. 4. Tree – automaton mapping example
Consider an automaton of size C, where states
are enumerated from 1 to C. In order to represent a
mapping between a tree node v ∈V and an automaton
state c∈ [1..C], we introduce the notion of “color” by
saying that “tree node v is colored in c”. Conceptually,
this mapping denotes a satisfying state in which the
automaton finishes processing the sequence of scenario
elements formed by the path from ρ to v.
Variable $\mu_v \in [1..C]$ ($v \in V$) denotes the color of the tree node v. Since the tree root ρ maps into the initial automaton state, variable $\mu_{\rho,1}$ must be True. Coloring of active vertices forces the automaton to have the corresponding transition:
$$\bigwedge_{i,j \in [1..C]} \left( \mu_{tp(v)} = i \wedge \mu_v = j \Rightarrow \lambda_{i,tie(v),tin(v)} = j \right)$$
Additionally, we declare a “reverse” constraint:
$$\bigvee_{k \in [1..K]} (\tau_{i,k} = j) \iff \bigvee_{v \in V^{(active)}} \left( \mu_{tp(v)} = i \wedge \mu_v = j \right) \quad (2)$$
Note, that (2) forces the automaton transitions to be covered by the positive
scenario tree, and forbids the uncovered ones. This greatly speeds up the solution
process by reducing the search space, but in some cases, e.g., during the CEGIS,
we deliberately search for the uncovered transitions, so we turn off (2).
Basic Algorithm. Constraints declared so far already allow inferring a computational automaton, i.e. one able to process input actions and react to them by emitting output actions. Denote by basic(S+, C) the procedure of inferring an automaton of size C satisfying positive scenarios S+. The procedure consists of (1) building a positive scenario tree, (2) declaring constraints encoding the automaton structure and scenario tree mapping, and (3) delegating to the SAT-solver.
Guard Conditions Structure Encoding. So far, guard conditions were rep-
resented in the form of truth tables, which are not easily human-interpretable,
and are not usable in control system development software such as nxtSTUDIO,
where guard conditions must be represented with Boolean formulas. Therefore,
we supplement the reduction with an encoding of parse trees of arbitrary Boolean
formulas over input variables as described further.
We define each parse tree to have P nodes, each either a Boolean operator node, a terminal node representing an input variable, or a none-typed node. Note that we define the size of the parse tree as the number of typed nodes in it. Variable $\delta_{c,k,p} \in \{\alpha, \wedge, \vee, \neg, \mathrm{none}\}$ denotes the type of the p-th parse tree node on the k-th transition from the state c, where α denotes a terminal node, ∧, ∨, and ¬ denote logic operators, and none denotes a none-typed node. The latter are needed to represent nodes not included in the tree. Only terminal nodes have an associated terminal number, represented by a variable $\theta_{c,k,p} \in [0..X]$:
$$\delta_{c,k,p} = \alpha \iff \theta_{c,k,p} \neq 0$$
Variables $\pi_{c,k,p} \in [0..(p-1)]$ and $\sigma_{c,k,p} \in [0, (p+1)..P]$ denote the parent/child of the p-th node in the parse tree on the k-th transition from the state c. For “∧” and “∨” nodes we assume that the second child is adjacent to the first one:
$$\delta_{c,k,p} \in \{\wedge, \vee\} \wedge \sigma_{c,k,p} = ch \Rightarrow \pi_{c,k,ch+1} = p$$
Only typed nodes, except the root, have a parent:
$$\bigwedge_{p \in [2..P]} \left( \delta_{c,k,p} \neq \mathrm{none} \iff \pi_{c,k,p} \neq 0 \right)$$
Parent and child variables are connected by the following constraint:
$$\bigwedge_{1 \le p < ch \le P} \left( \sigma_{c,k,p} = ch \Rightarrow \pi_{c,k,ch} = p \right)$$
Each parse tree node has a Boolean value represented by variable $\vartheta_{c,k,p,u}$. Variable $\vartheta^{\rho}_{c,k,u}$ defined earlier is just a shortcut for the root node value:
$$\vartheta^{\rho}_{c,k,u} \equiv \vartheta_{c,k,1,u}$$
None-typed nodes have False values:
$$\delta_{c,k,p} = \mathrm{none} \Rightarrow \bigwedge_{u \in U} \neg\vartheta_{c,k,p,u}$$
Terminals have values from the associated input variables:
$$\theta_{c,k,p} = x \Rightarrow \bigwedge_{u \in U} \left( \vartheta_{c,k,p,u} \iff tiv(u, x) \right)$$
Values of non-terminal nodes are calculated according to their types and children values:
$$\delta_{c,k,p} = {\wedge} \;\wedge\; \sigma_{c,k,p} = ch \Rightarrow \bigwedge_{u \in U} \left( \vartheta_{c,k,p,u} \iff \vartheta_{c,k,ch,u} \wedge \vartheta_{c,k,ch+1,u} \right)$$
$$\delta_{c,k,p} = {\vee} \;\wedge\; \sigma_{c,k,p} = ch \Rightarrow \bigwedge_{u \in U} \left( \vartheta_{c,k,p,u} \iff \vartheta_{c,k,ch,u} \vee \vartheta_{c,k,ch+1,u} \right)$$
$$\delta_{c,k,p} = {\neg} \;\wedge\; \sigma_{c,k,p} = ch \Rightarrow \bigwedge_{u \in U} \left( \vartheta_{c,k,p,u} \iff \neg\vartheta_{c,k,ch,u} \right)$$
Additionally, we declare other auxiliary symmetry-breaking constraints, which force parse tree nodes to be enumerated in BFS order. Essentially, they are almost identical to the BFS constraints for automaton states, but declared for each parse tree separately, and the main definition is $t^{bfs}_{j,i} \iff \pi_{c,k,j} = i$; for brevity we omit their complete definition.
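An added Python example (not from the paper or fbSAT) of the parse-tree representation above: a guard of P nodes is stored as node types δ, terminal numbers θ and first-child indices σ with the second child adjacent to the first; the parents π are derived from σ, the structural constraints are checked, the size (number of typed nodes) is counted, and the root value ϑ^ρ is evaluated on each input u in U following the value constraints. The class and method names are this example's own.

```python
# Added example, not from the paper or fbSAT: a guard condition in the fixed-size
# parse-tree form of Sect. 4.3 (nodes 1..P, types delta, terminals theta, first
# child sigma, second child adjacent to the first), with pi derived from sigma,
# the structural constraints checked, and the root value evaluated on every u in U.
from typing import Dict, List, Tuple

NONE, VAR, AND, OR, NOT = "none", "var", "and", "or", "not"
Input = Tuple[bool, ...]


class GuardTree:
    def __init__(self, P: int):
        self.P = P
        self.delta = [NONE] * (P + 1)  # delta_p: node type (index 0 unused)
        self.theta = [0] * (P + 1)     # theta_p: terminal number, 0 = no terminal
        self.sigma = [0] * (P + 1)     # sigma_p: first child index, 0 = no child

    def node(self, p: int, kind: str, terminal: int = 0, child: int = 0) -> "GuardTree":
        self.delta[p], self.theta[p], self.sigma[p] = kind, terminal, child
        return self

    def size(self) -> int:
        """Guard complexity: the number of typed (non-none) nodes."""
        return sum(1 for p in range(1, self.P + 1) if self.delta[p] != NONE)

    def parents(self) -> List[int]:
        """pi_p from sigma: the child, and for binary nodes also child+1, point back to p."""
        pi = [0] * (self.P + 1)
        for p in range(1, self.P + 1):
            ch = self.sigma[p]
            if ch:
                pi[ch] = p
                if self.delta[p] in (AND, OR) and ch + 1 <= self.P:
                    pi[ch + 1] = p
        return pi

    def check(self) -> bool:
        """Structural constraints: terminal iff var node; child iff operator node;
        children come after their parent; every typed non-root node has a parent;
        a binary node's adjacent second child must lie within 1..P."""
        pi = self.parents()
        for p in range(1, self.P + 1):
            kind, ch = self.delta[p], self.sigma[p]
            if (kind == VAR) != (self.theta[p] != 0):
                return False
            if (kind in (AND, OR, NOT)) != (ch != 0):
                return False
            if ch and (ch <= p or (kind in (AND, OR) and ch + 1 > self.P)):
                return False
            if p >= 2 and (kind != NONE) != (pi[p] != 0):
                return False
        return True

    def value(self, p: int, u: Input) -> bool:
        """vartheta_{p,u}: value of node p on input u (none-typed nodes are False)."""
        kind, ch = self.delta[p], self.sigma[p]
        if kind == NONE:
            return False
        if kind == VAR:
            return u[self.theta[p] - 1]  # tiv(u, x): value of variable x in input u
        if kind == NOT:
            return not self.value(ch, u)
        a, b = self.value(ch, u), self.value(ch + 1, u)
        return (a and b) if kind == AND else (a or b)

    def fires_on(self, U) -> Dict[Input, bool]:
        """vartheta^rho_u for each u: whether the guard (root node 1) fires on u."""
        return {u: self.value(1, u) for u in U}


# Guard "x1 and not x2" with P = 5; node 5 stays none-typed (not part of the tree).
G = (GuardTree(5)
     .node(1, AND, child=2)       # children 2 and 3
     .node(2, VAR, terminal=1)    # x1
     .node(3, NOT, child=4)
     .node(4, VAR, terminal=2))   # x2
# U: the unique inputs seen in scenarios (1), as (x1, x2) pairs.
U = [(True, False), (False, True), (True, True), (False, False)]

# A malformed tree: a binary node whose adjacent second child would lie outside
# 1..P, so sigma cannot be consistent with pi and check() rejects it.
BAD = GuardTree(2).node(1, AND, child=2).node(2, VAR, terminal=1)
```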
Cardinality Constraints. Additionally, we declare an upper bound for the total size of all guard conditions, i.e. the total number of typed parse tree nodes N, by imposing a cardinality constraint on the node type variable:
$$\sum_{c \in [1..C],\; k \in [1..K],\; p \in [1..P]} \neg\delta_{c,k,p,\mathrm{none}} \le N.$$
In order to encode this relation in SAT, we use a technique from [4]. Briefly, this
technique consists in declaring a totalizer, which encodes the sum in unary form,
and a comparator, which bounds this sum. For brevity, we omit formal definitions
of resulting constraints which can be found in [4].
Extended Algorithm. Denote by extended(S+, C, P, N) the procedure for inferring an automaton which has C states, P nodes in each guard condition parse tree and at most N total nodes in all parse trees, and satisfies positive scenarios S+. The procedure consists of (1) building a positive scenario tree, (2) declaring constraints encoding the automaton structure, scenario tree mapping and guard conditions structure, and, if parameter N is specified, a totalizer and a comparator encoding the relation “total size of guard conditions is less than or equal to N”, and (3) delegating to the SAT-solver.
Negative Scenario Tree Mapping Encoding. The mapping of the negative
scenario tree is similar to the positive case, but the key difference is in the
influence flow – the positive tree affects the automaton structure, which in turn
defines the satisfaction of negative tree nodes.
In order to distinguish between the positive and negative mapping, we declare variable $\hat{\mu}_v \in [1..C]$ ($v \in \hat{V}$) representing the satisfying states of the negative tree nodes (a sequence of satisfying states corresponds to a possible behavior of the automaton), where $\hat{\mu}_v = 0$ denotes the absence of such a satisfying state. The negative tree root is satisfied by the initial automaton state: $\hat{\mu}_{\hat{\rho}} = 1$. For other nodes we declare the following propagation rules. Consider an active node $v \in \hat{V}^{(active)}$ and its parent $\hat{tp}(v)$ satisfied by state $i \in [1..C]$ – node v is satisfied by the state into which the automaton jumps upon receiving an input action from node v:
$$\hat{\mu}_{\hat{tp}(v)} = i \Rightarrow \left( \hat{\mu}_v = j \iff \lambda_{i,\hat{tie}(v),\hat{tin}(v)} = j \right)$$
Consider a passive node $v \in \hat{V}^{(passive)}$ and its parent $\hat{tp}(v)$ satisfied by state $c \in [1..C]$ – node v is satisfied by c only if the automaton stays in the same state upon receiving an input action from node v:
$$\hat{\mu}_{\hat{tp}(v)} = c \wedge \lambda_{c,\hat{tie}(v),\hat{tin}(v)} = 0 \Rightarrow \hat{\mu}_v = c$$
$$\hat{\mu}_{\hat{tp}(v)} = c \wedge \lambda_{c,\hat{tie}(v),\hat{tin}(v)} \neq 0 \Rightarrow \hat{\mu}_v = 0$$
If some node v is not satisfied, then its children are also not satisfied: $\hat{\mu}_{\hat{tp}(v)} = 0 \Rightarrow \hat{\mu}_v = 0$. Finally, in order to prohibit the undesired behavior represented by loop-backs, we simply force the start and the end of each loop to be colored in different colors:
$$\bigwedge_{l \in \hat{tl}(v)} \left( \hat{\mu}_v = c \Rightarrow \hat{\mu}_l \neq c \right)$$
Another important caveat is that the negative tree may contain inputs that are missing in the positive tree. Denote the set of such inputs as $\hat{U}^* = \hat{U} \setminus U$. To take them into account, we redeclare all variables and constraints involving $u \in U$ to use $\hat{u} \in \hat{U}$ instead. New variables are marked with a hat symbol, e.g., $\hat{\mu}$, $\hat{\lambda}$, $\hat{\vartheta}^{\rho}$. For brevity, we omit the definition of these constraints, as they are essentially the same as those already defined.
Complete Algorithm. Let us denote by complete(S+,S−, C, P,N) the
procedure for inferring an automaton which has C states, guard conditions
represented with parse trees of size at most P and with total number of parse
tree nodes N , and satisfies both positive and negative scenarios S+ and S−. The
procedure consists of (1) building both positive and negative scenario trees, (2)
declaring all described constraints, including cardinality constraints if parameter
N is specified, and (3) delegating to the SAT-solver.
Fig. 5. CEGIS loop
Counterexample-Guided Inductive Synthesis. In order to make the inferred automaton not only satisfy the given positive scenarios but also comply with an LTL specification, we use the counterexample-guided inductive synthesis (CEGIS) iterative approach [1]. Each CEGIS iteration consists of inferring an automaton A, verifying the LTL specification L against it using a model checker, and supplementing the negative scenario tree with the obtained counterexamples, if any. The process shown in Fig. 5 repeats until there are no more counterexamples; the inferred automaton is then said to comply with the given LTL specification. Denote by complete-cegis(S+, C, P, N) the procedure implementing CEGIS, where the arguments are the same as in the complete algorithm.
4.4 Minimal Model Inference
The proposed method requires automaton parameters – number of states C,
maximal size of each guard condition parse tree P and total size of guard
conditions N – to be known a priori. To automate the inference of minimal
models we use an iterative approach.
Algorithm 1: basic-min(S+)
  Input: positive scenarios S+
  Output: automaton A with minimal number of states Cmin
  for Cmin = 1 to ∞ do
    A ← basic(S+, Cmin)
    if A ≠ null then break
  return A
Basic-min Algorithm. In order to quickly estimate the minimal number of states, we iterate C starting from 1 and use the basic(S+, C) algorithm until we find a solution, i.e. a satisfying automaton A with Cmin states. Let us denote this process as basic-min(S+) (Algorithm 1).
Algorithm 2: extended-min(S+, P)
  Input: positive scenarios S+, parse tree size P
  Output: automaton A with minimal number of states Cmin and guard conditions of size Nmin
  A′ ← basic-min(S+)
  Cmin ← getNumberOfStates(A′)
  N ← ∞                              // no cardinality constraint on the first call
  repeat
    A ← extended(S+, Cmin, P, N)
    if A ≠ null then
      Abest ← A
      N ← getGuardsSize(Abest) − 1     // ask for a strictly smaller solution
  until A = null
  return Abest
Extended-min Algorithm. Assuming that parameter P is known and C is estimated using the basic-min algorithm, we minimize the automaton in terms of N as follows. We declare an upper bound N for the total number of parse tree nodes and use the extended algorithm, decreasing N successively until there is no smaller solution. The last inferred automaton has Cmin states and its guard conditions have Nmin parse tree nodes in total. Let us denote this process as extended-min(S+, P) (Algorithm 2).
Extended-min-ub Algorithm. Ultimately, an automatic way of determining an appropriate value of parameter P is desirable. A solution exists when P is large enough to capture the necessary complexity of the guard conditions. The simplest strategy is to iterate P starting from 1 and use extended-min(S+, P) until a solution, i.e. an automaton with $N = N^*_{\min}$, is found for some $P^*$. However, there may exist some value $P' > P^*$ for which the corresponding $N'_{\min}$ is even smaller than $N^*_{\min}$. Therefore, in order to obtain the globally minimal automaton in terms of N, we shall continue the search for $P > P^*$ up to a theoretical upper bound as described in Appendix A, where we define the extended-min-ub(S+, w) algorithm, which automatically infers the minimal automaton in terms of C, P and N from the given set of positive scenarios S+. Parameter $w \ge 0$ is a heuristic threshold, the plateau width. When $w = 0$, the algorithm is equivalent to the simplest strategy of searching P until the first SAT. When $w = \infty$, the algorithm continues to iterate P until the upper bound, resulting in the globally minimal Nmin. Other values enable a heuristic providing a trade-off between minimality and execution time.
Complete-min-cegis Algorithm. Consider an automaton A produced by the complete-cegis algorithm. If we start minimizing the total size of guard conditions N, the automaton will most likely stop complying with the LTL specification, though the already obtained negative scenarios will still not be satisfied. Therefore, we propose to maintain a minimal model on each CEGIS iteration. We begin with a model produced by extended-min-ub(w = 2) and start a CEGIS loop. An UNSAT result indicates that N is too small for an automaton to comply with the given LTL specification, hence we increase it and continue the CEGIS. Let us denote this process as complete-min-cegis(S+).
4.5 The fbSAT Tool
We implemented all proposed methods in a command-line tool fbSAT written in Kotlin. The source code as well as sample input data are available online [12] (www.github.com/ctlab/fbSAT). fbSAT takes as input the scenarios and the parameters necessary for the specified method, and infers an automaton satisfying the given scenarios. As a backend, fbSAT is able to use any SAT solver. In our work we use the CryptoMiniSat [32] SAT solver, utilizing its incremental SAT solving capability, which greatly decreases the total solving time, as our minimization problems are inherently incremental.
5 Case study: Pick-and-Place manipulator
The experimental evaluation of the proposed methods was done on a case study devoted to the inference of a finite-state model of the controller for a Pick-and-Place (PnP) manipulator [29] shown in Fig. 6. We also performed an evaluation on random automata (Appendix C). Experiments were conducted on a computer with an Intel Core i5-7200U CPU @ 2.50 GHz and 8 GB of RAM.
Fig. 6. Pick-and-Place manipulator (figure labels: horizontal cylinders I, II; vertical cylinder III; suction unit IV; input sliders 1, 2, 3; output slider V)
The PnP manipulator consists of two horizontal pneumatic cylinders (I, II), one vertical cylinder (III), and a suction unit (IV) for picking up work pieces. When a work piece appears on one of the input sliders (1, 2, 3), the horizontal cylinders position the suction unit on top of the work piece, the vertical cylinder lowers the suction unit, which picks up the work piece, and the work piece is then moved to the output slider (V). The control system is implemented using IEC 61499 FBs in nxtSTUDIO. The controller is a basic FB with 10 input and 7 output variables. A more detailed description of the system is given in Appendix B. The purpose of this case study was to infer a finite-state model of this controller FB. The process of capturing scenarios for the Pick-and-Place manipulator controller is described in [9]. We used sets of scenarios of various sizes: 1, 10, 39 and 49 scenarios in each.
Inference of automata with minimal guard conditions from scenarios. In the first set of experiments we compare methods that infer models from scenarios with explicit regard to guard condition size. Our method was compared to the two-stage approach from [10], where on the first stage a basic automaton model is inferred with a SAT solver, and then this model's guard conditions are minimized with a CSP solver w.r.t. the given scenarios. Note that the two-stage method has already been shown in [10] to be superior to EFSM-tools [34].
We apply the proposed extended-min-ub method to infer an automaton with the minimal number of states Cmin and total size of guard conditions Nmin. Three values of the w parameter are used: w = 0 for the case when the first solution found is considered final, w = 2 for the case with the proposed heuristic applied, and w = ∞ for the "without heuristic" case. Results are summarized in Table 1, where for the two-stage method from [10]: Cmin – minimal number of states, Tmin – minimal number of transitions, Nsum – size of guard conditions; and for extended-min-ub: w – maximum local minimum width, P – maximum guard condition size, T – number of transitions, Nmin – minimal total size of guard conditions. Results indicate that extended-min-ub produces compact automata.
Table 1. Inference of automata with minimal guard conditions from scenarios

S       |T+|  | Two-stage [10]          | extended-min-ub (w = 0)  | extended-min-ub (w = 2)  | extended-min-ub (w = ∞)
              | t, s.  Cmin  Tmin  Nsum | t, s.   P*   T*   N*min  | t, s.   P    T    Nmin   | t, s.    P    T    Nmin
S(1)      24  |   8     6     8    15   |    2    3     8    14    |     3   3    8    14     |      4   3    8    14
S(10)    234  |  3.4    8    17    36   |   16    3    18    38    |    78   5   16    25     |    120   5   16    25
S(39)    960  |  13     8    15    32   |   26    3    18    38    |   138   5   16    25     |    205   5   16    25
S(49)   2939  |  36     8    18    60   |  396    5    18    44    |  6335   6   16    39     |  24457   6   16    39
Comparison with LTL synthesis tools. We considered the LTL synthesis tools BoSy [17] and G4LTL-ST [7], which accept LTL specifications as input. The comparison was only done for synthesis from scenarios, which were converted to LTL formulas. For BoSy we considered a simplified version of scenario S(1), from which passive elements were removed, leaving only 8 scenario elements. The input-symbolic version of BoSy was the only one that worked for this example, generating a solution with 9 states and 17 transitions in 273 sec. For G4LTL-ST we selected the number of unroll steps equal to the length of the largest scenario. For S(1) a solution with 10 states (though with verbose guard conditions) was found in 10 sec. Larger sets of scenarios required 16 unroll steps, and the runs failed with a memory limit of 8 GB. As expected, the experiments showed that LTL synthesis tools are not well-suited for inference of models from finite-length scenarios. Experiments with LTL properties were not considered due to (1) poor performance on scenarios, and (2) lack of support for a general-form NuSMV plant model, which is crucial for synthesis from liveness properties.
Inference of automata from scenarios and LTL properties. The third set of experiments is devoted to CEGIS. In order to enable the use of liveness LTL properties, verification of candidate models with NuSMV was performed in closed loop [37] with a manually prepared formal model of the plant, the PnP manipulator. This model defines the plant state and its actions implied by controller commands. The set of considered LTL properties (see Appendix B) includes safety properties ϕ1–ϕ6 (the controller does not lead the system to an unsafe state) and liveness properties ϕ7–ϕ10 (something useful eventually happens). Properties ϕ1–ϕ7 are fixed and used in all experiments, while the use of ϕ8–ϕ10 varies. We concentrate on these last properties, which state that whenever a WP is placed on some input slider, it will eventually be removed. Note that for the original PnP system [29] only ϕ8 is satisfied, and ϕ9–ϕ10 are false (the controller is not wait-free for sliders 2 and 3: if a WP is always present on slider 1, WPs from sliders 2 and 3 will never be picked up). Therefore, we consider the property for each input slider separately, assuming that WPs never appear on other input sliders.
Three algorithms are compared: the proposed complete-min-cegis, complete-cegis (without minimization of N), and the CEGIS-extension of fbCSP [8]. EFSM-tools [34], BoSy [17] and G4LTL-ST [7] were not considered here, first of all due to poor performance on scenarios only. Apart from the running time t and N, we measure Nsc (for the automaton built from scenarios using complete-min-ub with w = 2) and the number of CEGIS iterations (#iter). Inferred solutions were checked in simulation testing with nxtSTUDIO: uploaded to the simulation model of the system and checked for compliance with the desired behavior. Experimental results are summarized in Table 2.
Table 2. Results of CEGIS experiments for PnP controller inference

LTL properties     Scenarios   Nsc | complete-min-cegis    | complete-cegis        | fbCSP+LTL [8]
                                   | t, s.   #iter    N    | t, s.   #iter    N    | t, s.   #iter    N
G(pp1 → F(vp1))    S(1)        14  |   42     233    16    |    7      20    32    | >12h    >500     –
                   S(10)       25  |  342      60    28    |  103      30   152    |  613      10    40
                   S(39)       25  |  458      39    28    |  156     117   151    | 1019       2    41
G(pp2 → F(vp2))    S(2)        14  |  142     522    16    |   30     139    36    | >12h    >500     –
G(pp3 → F(vp3))    S(3)        14  |  317    1063    16    |   64     262    35    | >12h    >500     –
Solutions found with CEGIS methods are always larger (in terms of N) than the ones constructed from scenarios only. Further, complete-min-cegis always finds the smallest solutions and is always faster than [8]. Most interestingly, complete-min-cegis allows efficiently constructing models for scenarios S(1), S(2), S(3); these scenarios do not "cover" the corresponding liveness properties of interest (e.g. G(pp1 → F(vp1))) in the sense that each scenario describes only a single processing of a WP. The existing method [8] failed on these cases, while the proposed approach succeeds with ease. Lastly, complete-cegis allows constructing models fast, but loses the minimality of the guard conditions.
6 Conclusion and Future Work
We have proposed a SAT-based approach for inference of minimal FB models from execution scenarios and LTL properties, and implemented it in the tool fbSAT. The proposed approach is the only one that allows direct minimization of the guard condition complexity of synthesized automata. In particular, the extended-min-ub algorithm is guaranteed to find the solution with globally minimal complexity of guard conditions. Experiments showed that the suggested approach outperforms existing ones and demonstrates predictable scalability on random instances. Additionally, we have reimplemented the basic reduction for SMT, and the initial results have shown that SMT solvers are not efficient when solving naively encoded SAT problems. Nevertheless, judging by other work in this field, the use of a more sophisticated encoding under the QF_UF theory looks promising.
Future research may include synthesis of modular automata, applying other encodings of integer variables and cardinality constraints, and using SMT encodings for higher-order abstractions.
Acknowledgements. This work was funded by the Government of the Russian Federation (Grant 08-08).
References
1. Abate, A., David, C., Kesseli, P., Kroening, D., Polgreen, E.: Counterexample guided inductive synthesis modulo theories. In: Computer Aided Verification. pp. 270–288. Springer International Publishing, Cham (2018)
2. Apfelbaum, L., Doyle, J.: Model based testing. In: Softw. Qual. Week Conf. pp. 296–300 (1997)
3. Avellaneda, F., Petrenko, A.: FSM inference from long traces. In: Formal Methods. pp. 93–109. Springer (2018)
4. Bailleux, O., Boufkhad, Y.: Efficient CNF encoding of Boolean cardinality constraints. In: Principles and Practice of Constraint Programming – CP 2003. pp. 108–122. Springer Berlin Heidelberg, Berlin, Heidelberg (2003)
5. Biere, A., Heule, M., van Maaren, H., Walsh, T.: Handbook of Satisfiability: Volume 185 Frontiers in Artificial Intelligence and Applications (2009)
6. Buzhinsky, I., Vyatkin, V.: Automatic inference of finite-state plant models from traces and temporal properties. IEEE Trans. Ind. Informat. 13(4), 1521–1530 (2017)
7. Cheng, C.H., Huang, C.H., Ruess, H., Stattelmann, S.: G4LTL-ST: Automatic generation of PLC programs. In: Computer Aided Verification. pp. 541–549. Springer International Publishing, Cham (2014)
8. Chivilikhin, D., Buzhinsky, I., Ulyantsev, V., Stankevich, A., Shalyto, A., Vyatkin, V.: Counterexample-guided inference of controller logic from execution traces and temporal formulas. In: 23rd IEEE International Conference on Emerging Technologies and Factory Automation. pp. 91–98 (2018)
9. Chivilikhin, D., Ulyantsev, V., Shalyto, A., Vyatkin, V.: CSP-based inference of function block finite-state models from execution traces. In: 2017 IEEE 15th International Conference on Industrial Informatics (INDIN). pp. 714–719 (2017)
10. Chivilikhin, D., Ulyantsev, V., Shalyto, A., Vyatkin, V.: Function block finite-state model identification using SAT and CSP solvers. IEEE Transactions on Industrial Informatics pp. 1–1 (2019)
11. Chukharev, K., Chivilikhin, D.: fbSAT: Automatic inference of minimal finite-state models of function blocks, http://rain.ifmo.ru/~chivdan/papers/2019/fbSAT.pdf [Online]
12. Chukharev, K., Chivilikhin, D.: fbSAT: Automatic inference of minimal finite-state models of function blocks, http://www.github.com/ctlab/fbSAT [Online]
13. Cimatti, A., Clarke, E., Giunchiglia, F., Roveri, M.: NuSMV: a new symbolic model checker. International Journal on Software Tools for Technology Transfer 2(4), 410–425 (2000)
14. Clarke, E.M., Grumberg, O., Peled, D.: Model checking. MIT press (1999)
15. Dubinin, V., Vyatkin, V.: Towards a formal semantic model of IEC 61499 function blocks. In: IEEE Int. Conf. Ind. Informat. pp. 6–11 (2006)
16. Faymonville, P., Finkbeiner, B., Rabe, M.N., Tentrup, L.: Encodings of bounded synthesis. In: Tools and Algorithms for the Construction and Analysis of Systems. pp. 354–370 (2017)
17. Faymonville, P., Finkbeiner, B., Tentrup, L.: BoSy: An experimentation framework for bounded synthesis. In: Computer Aided Verification. pp. 325–332. Springer, Cham (2017)
18. Finkbeiner, B., Klein, F.: Bounded cycle synthesis. In: Computer Aided Verification. pp. 118–135. Springer International Publishing, Cham (2016)
19. Gent, I.P.: Arc consistency in SAT. In: ECAI (2002)
20. Giantamidis, G., Tripakis, S.: Learning Moore machines from input-output traces. In: FM 2016: Formal Methods. pp. 291–309. Springer, Cham (2016)
21. Gold, M.: Complexity of automaton identification from given data. Information and Control 37(3), 302–320 (1978)
22. Heule, M., Verwer, S.: Exact DFA identification using SAT solvers. In: Int. Colloquium Conf. on Grammatical Inference. pp. 66–79 (2010)
23. Klenze, T., Bayless, S., Hu, A.J.: Fast, flexible, and minimal CTL synthesis via SMT. In: Computer Aided Verification. pp. 136–156. Springer International Publishing, Cham (2016)
24. Lee, E., Kim, Y.G., Seo, Y.D., Seol, K., Baik, D.K.: RINGA: Design and verification of finite state machine for self-adaptive software at runtime. Information and Software Technology 93, 200–222 (2018)
25. Manna, Z., Pnueli, A.: Temporal verification of reactive systems (1995)
26. Marsso, L., Mateescu, R., Serwe, W.: TESTOR: A modular tool for on-the-fly conformance test case generation. In: TACAS 2018. pp. 211–228. Springer, Cham (2018)
27. Meyer, P.J., Sickert, S., Luttenberger, M.: Strix: Explicit reactive synthesis strikes back! In: Computer Aided Verification. pp. 578–586. Springer International Publishing, Cham (2018)
28. Neider, D., Topcu, U.: An automaton learning approach to solving safety games over infinite graphs. In: Tools and Algorithms for the Construction and Analysis of Systems. pp. 204–221. Springer Berlin Heidelberg, Berlin, Heidelberg (2016)
29. Patil, S., Vyatkin, V., Sorouri, M.: Formal verification of intelligent mechatronic systems with decentralized control logic. In: IEEE Conf. Emerg. Technol. Factory Autom. pp. 1–7 (2012)
30. Petrenko, A., Avellaneda, F., Groz, R., Oriat, C.: FSM inference and checking sequence construction are two sides of the same coin. Software Quality Journal (2018)
31. Rosner, R.: Modular synthesis of reactive systems. PhD thesis (1992)
32. Soos, M., Nohl, K., Castelluccia, C.: Extending SAT solvers to cryptographic problems. In: Theory and Applications of Satisfiability Testing – SAT 2009, 12th International Conference, SAT 2009, Swansea, UK, June 30 – July 3, 2009. Proceedings. pp. 244–257 (2009)
33. Tsarev, F., Egorov, K.: Finite state machine induction using genetic algorithm based on testing and model checking. In: Conf. Comp. Genetic Evol. Comput. pp. 759–762. ACM (2011)
34. Ulyantsev, V., Buzhinsky, I., Shalyto, A.: Exact finite-state machine identification from scenarios and temporal properties. International Journal on Software Tools for Technology Transfer 20(1), 35–55 (2018)
35. Ulyantsev, V., Zakirzyanov, I., Shalyto, A.: BFS-based symmetry breaking predicates for DFA identification. In: Language and Automata Theory and Applications. pp. 611–622. Springer, Cham (2015)
36. Ulyantsev, V.I., Tsarev, F.N.: Extended finite-state machine induction using SAT-solver. IFAC Proceedings Volumes 45(6), 236–241 (2012), 14th IFAC Symposium on Information Control Problems in Manufacturing
37. Vyatkin, V., Hanisch, H.M., Pang, C., Yang, C.H.: Closed-loop modeling in future automation system engineering and validation. IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews 39(1), 17–28 (2009)
38. Vyatkin, V.: IEC 61499 as enabler of distributed and intelligent automation: State-of-the-art review. IEEE Trans. Ind. Informat. 7(4), 768–781 (2011)
39. Walkinshaw, N., Taylor, R., Derrick, J.: Inferring extended finite state machine models from software executions. Empirical Software Engineering 21(3), 811–853 (2016)
40. Zakirzyanov, I., Morgado, A., Ignatiev, A., Ulyantsev, V., Marques-Silva, J.: Efficient symmetry breaking for SAT-based minimum DFA inference. In: Language and Automata Theory and Applications. pp. 159–173. Springer International Publishing, Cham (2019)
Appendix A Automatic search for best value of P
In this appendix we describe in detail the process of searching for the best value of $P$ in the sense of minimizing the corresponding $N_{\min}$ obtained using the extended-min algorithm.
Consider $P = P'$; ideally, we expect that all guard conditions will be of size 1, and only one of them will be of size $P'$. Also, ideally, there are exactly $T_{\min}$ guards, therefore, the ideal minimal total size of guard conditions is $N'_{\min} = T_{\min} - 1 + P'$. Let us denote by $N^{best}_{\min}$ the best, i.e. the smallest, value found so far. Ultimately, we are looking for $N'_{\min} < N^{best}_{\min}$, thus $T_{\min} - 1 + P' < N^{best}_{\min}$, from where the upper bound for $P$ is $P' \le N^{best}_{\min} - T_{\min}$.
The process of searching $P$ up to the upper bound can take an extensive amount of time. Hence, we propose the following heuristic. Consider the two successive values $P'$ and $P'' = P' + 1$, and the corresponding values $N'_{\min}$ and $N''_{\min}$. The equality $N'_{\min} = N''_{\min}$ indicates a local minimum (plateau). As we go further by incrementing the value of $P''$, the remaining equality extends the plateau width. By choosing the critical plateau width $w$, at which to stop incrementing $P$, we provide a trade-off between the execution time and global minimality of the solution. In practice, an arbitrary choice of $w = 2$ showed good performance in our initial studies. It is worth noting that with this heuristic applied, our proposed method remains exact in the sense that inferred automata still satisfy the given positive scenarios $S^+$.
Let us denote by extended-min-ub($S^+$, $w$) the minimization process described above. It is depicted by Algorithm 3 and consists of two stages. First, we estimate the automaton parameters $C_{\min}$ and $T_{\min}$ using the basic-min* algorithm. Note that by basic-min* we denote the algorithm which combines basic-min and the minimization of $T$ using the same technique as in extended-min for $N$. Second, we iterate $P$ starting from 1 and use the extended-min algorithm to infer an automaton. We stop the search in two cases: if the current $P$ is greater than the upper bound ($N^{best}_{\min} - T_{\min}$), or if the current local minimum width is greater than the arbitrary threshold $w$.
Algorithm 3: extended-min-ub(S+, w)
  Input: positive scenarios S+, maximum plateau width w
  Output: automaton A with minimal number of states Cmin and guard conditions size Nmin
  Abasic ← basic-min*(S+)
  Tmin ← getNumberOfTransitions(Abasic)
  Cmin ← getNumberOfStates(Abasic)
  Nbest_min ← Nprev_min ← Plow ← ∞
  for P = 1 to ∞ do
    if P > (Nbest_min − Tmin) then break       // upper bound reached
    if (P − Plow) > w then break               // maximum plateau width reached
    A ← extended-min(S+, Cmin, P)
    if A ≠ null then
      Nmin ← getTotalGuardsSize(A)
      if Nmin < Nbest_min then Nbest_min ← Nmin  // update best found N
      if Nmin ≠ Nprev_min then Plow ← P          // N changed: new local minimum starts here
      Nprev_min ← Nmin
  return A
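As an added example (not fbSAT's own code), the following Python models Algorithms 2 and 3 as search loops over an abstract `extended` oracle; the oracle and the N_min(P) profile it answers with are constructed for this illustration and are not measured data. Running it with w = 0, w = 2 and w = ∞ shows how the plateau heuristic trades minimality of N against the number of P values explored.

```python
"""Added example, not code from fbSAT: the minimization loops of Sect. 4.4 and
Appendix A (Algorithms 2 and 3) driven by a constructed stand-in for the SAT-based
`extended` procedure. Everything marked *constructed* is an assumption made for
this illustration, not measured data."""
from typing import Callable, Optional, Tuple

# extended(N) stands for extended(S+, C_min, P, N) with S+, C_min and P fixed:
# it returns the total guard size of some satisfying automaton whose guards have
# at most N parse-tree nodes in total (None = no cardinality constraint), or None
# when the instance is UNSAT.
Extended = Callable[[Optional[int]], Optional[int]]


def extended_min(extended: Extended) -> Optional[int]:
    """Algorithm 2: tighten the bound N to one below each solution until UNSAT.

    Returns N_min, the total guard size of the last (smallest) automaton found,
    or None when even the unconstrained instance is UNSAT."""
    n_bound: Optional[int] = None
    n_min: Optional[int] = None
    while True:
        n_found = extended(n_bound)
        if n_found is None:
            return n_min
        n_min = n_found
        n_bound = n_found - 1          # N <- getGuardsSize(A_best) - 1


def extended_min_ub(extended_min_for_p: Callable[[int], Optional[int]],
                    t_min: int, w: float) -> Tuple[Optional[int], Optional[int]]:
    """Algorithm 3: iterate P from 1 until the upper bound or a plateau wider than w.

    extended_min_for_p(P) plays extended-min(S+, C_min, P); t_min is T_min from
    basic-min*. Returns (P, N_min) of the last inferred automaton. Any guard of
    size <= P is also allowed for P + 1, so feasibility and N_min are monotone in
    P and with w = inf the result is the global minimum."""
    n_best = float("inf")   # N^best_min: smallest N_min found so far
    n_prev = float("inf")   # N_min at the previous P
    p_low = float("inf")    # P at which the current plateau started
    last: Tuple[Optional[int], Optional[int]] = (None, None)
    p = 1
    while True:
        # Appendix A: ideally N'_min = T_min - 1 + P', and a better automaton
        # needs N'_min < N^best_min, hence P' <= N^best_min - T_min.
        if p > n_best - t_min:
            break                                # upper bound reached
        if p - p_low > w:
            break                                # plateau wider than w
        n_min = extended_min_for_p(p)
        if n_min is not None:
            last = (p, n_min)
            if n_min < n_best:
                n_best = n_min
            if n_min != n_prev:
                p_low = p                        # N_min changed: new plateau starts
            n_prev = n_min
        p += 1
    return last


# --- constructed stand-in for the SAT-based `extended` procedure ----------------
# Constructed N_min(P) profile for a fixed C_min (shaped like the S(10) row of
# Table 1, but the values are invented): no solution for P < 3, first solution at
# P* = 3, a plateau at P = 5..7 and a smaller optimum only from P = 8 on.
CONSTRUCTED_N_MIN = {3: 38, 4: 30, 5: 25, 6: 25, 7: 25}
CONSTRUCTED_T_MIN = 16      # T_min as basic-min* would report it (constructed)


def constructed_extended(p: int, n_bound: Optional[int]) -> Optional[int]:
    """Mimics a SAT solver: every N >= N_min(P) is feasible; without a bound the
    solver returns some non-minimal solution, with a bound it returns exactly N."""
    if p < 3:
        return None
    n_min = CONSTRUCTED_N_MIN.get(p, 22)         # any P >= 8 keeps N_min = 22
    if n_bound is None:
        return n_min + 5                         # first solution is not minimal
    return n_bound if n_bound >= n_min else None


def constructed_extended_min(p: int) -> Optional[int]:
    return extended_min(lambda n: constructed_extended(p, n))


def run(w: float) -> Tuple[Optional[int], Optional[int]]:
    """extended-min-ub over the constructed instance with plateau width w."""
    return extended_min_ub(constructed_extended_min, CONSTRUCTED_T_MIN, w)


if __name__ == "__main__":
    for width in (0, 2, float("inf")):
        print(f"w = {width}: (P, N_min) = {run(width)}")
```

With this profile w = 0 stops at the first SAT (P = 3, N = 38), w = 2 leaves the P = 5..7 plateau with N = 25, and w = ∞ runs to the upper bound and finds N = 22 at P = 8.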
Appendix B Description of Pick-and-Place manipulator variables and properties
The controller of the PnP system uses the following signals from the plant, represented by Boolean input variables:
– c1Home/c1End – is horizontal cylinder I in the fully retracted/extended position;
– c2Home/c2End – is horizontal cylinder II in the fully retracted/extended position;
– vcHome/vcEnd – is vertical cylinder III in the fully retracted/extended position;
– pp1/pp2/pp3 – is a WP present on input slider 1/2/3;
– vac – is the vacuum unit IV on.
The following commands can be issued by the controller to the plant:
– c1Extend/c1Retract – extend/retract cylinder I;
– c2Extend/c2Retract – extend/retract cylinder II;
– vcExtend – extend cylinder III;
– vacuum_on/vacuum_off – turn the vacuum unit on/off.
The considered LTL properties for the controller use additional predicates depending on input and output variables:
– vp1 = c1Home ∧ c2Home ∧ vcEnd ∧ vac ∧ pp1 – a WP has been picked up from input slider 1;
– vp2 = c1Home ∧ c2End ∧ vcEnd ∧ vac ∧ pp2 – a WP has been picked up from input slider 2;
– vp3 = c1End ∧ c2End ∧ vcEnd ∧ vac ∧ pp3 – a WP has been picked up from input slider 3;
– lifted – becomes true when vp1 ∨ vp2 ∨ vp3, turns false when dropped;
– dropped = lifted ∧ c1Home ∧ c2Home ∧ vcEnd ∧ ¬vacuum_on ∧ vacuum_off – indicates that a previously lifted WP has been dropped to the output slider;
– allHome = c1Home ∧ c2Home ∧ vcHome – all cylinders are in the home position.
The set of considered temporal properties is described in Table 3. An example of an automaton generated from scenarios S(1) and LTL specification ϕ1–ϕ8 is shown in Fig. 8.
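As an added example (not code from fbSAT or the PnP project), the following Python evaluates the Appendix B predicates and checks the safety part of Table 3 (ϕ1–ϕ6) over a finite controller trace, the kind of check one would run on a recorded scenario before feeding it to inference. The trace is constructed for this illustration, the variable names are used as dictionary keys, and treating `lifted` as monitor state is our reading of its definition; the liveness properties ϕ7–ϕ10 are not checked, since a finite trace cannot establish them.

```python
"""Added example, not code from fbSAT or the PnP project: a finite-trace monitor
for the safety properties phi1..phi6 of Table 3, using the predicates of Appendix B.
The trace below is constructed for the illustration."""
from typing import Dict, List, Tuple

Step = Dict[str, bool]       # one scenario element: input and output variables

INPUTS = ("c1Home", "c1End", "c2Home", "c2End", "vcHome", "vcEnd",
          "pp1", "pp2", "pp3", "vac")
OUTPUTS = ("c1Extend", "c1Retract", "c2Extend", "c2Retract", "vcExtend",
           "vacuum_on", "vacuum_off")


def step(**true_vars: bool) -> Step:
    """Build a step in which the named variables are true and all others false."""
    s = {v: False for v in INPUTS + OUTPUTS}
    s.update(true_vars)
    return s


def vp(s: Step) -> bool:
    """vp1 | vp2 | vp3: a WP has been picked up from slider 1, 2 or 3 (Appendix B)."""
    vp1 = s["c1Home"] and s["c2Home"] and s["vcEnd"] and s["vac"] and s["pp1"]
    vp2 = s["c1Home"] and s["c2End"] and s["vcEnd"] and s["vac"] and s["pp2"]
    vp3 = s["c1End"] and s["c2End"] and s["vcEnd"] and s["vac"] and s["pp3"]
    return vp1 or vp2 or vp3


def dropped(s: Step, lifted: bool) -> bool:
    """dropped = lifted & c1Home & c2Home & vcEnd & !vacuum_on & vacuum_off."""
    return (lifted and s["c1Home"] and s["c2Home"] and s["vcEnd"]
            and not s["vacuum_on"] and s["vacuum_off"])


def all_home(s: Step) -> bool:
    return s["c1Home"] and s["c2Home"] and s["vcHome"]


def check_safety(trace: List[Step]) -> List[Tuple[int, str]]:
    """Return (step index, property) for every violation of phi1..phi6 on the trace.

    `lifted` is carried as monitor state: it becomes true on vp1|vp2|vp3 and
    false on `dropped` (our reading of the Appendix B definition)."""
    violations: List[Tuple[int, str]] = []
    lifted = False
    for i, s in enumerate(trace):
        # phi1..phi3: no contradictory commands in the same step
        if s["c1Extend"] and s["c1Retract"]:
            violations.append((i, "phi1"))
        if s["c2Extend"] and s["c2Retract"]:
            violations.append((i, "phi2"))
        if s["vacuum_on"] and s["vacuum_off"]:
            violations.append((i, "phi3"))
        # phi4/phi5: a cylinder may be in an intermediate position only while
        # the other one is at its home or end position
        if not s["vcHome"] and not s["vcEnd"] and not (s["c1Home"] or s["c1End"]):
            violations.append((i, "phi4"))
        if not s["c1Home"] and not s["c1End"] and not (s["vcHome"] or s["vcEnd"]):
            violations.append((i, "phi5"))
        # phi6: an idle system (all home, no WP waiting, nothing lifted) must not
        # issue a move command in the next step; X needs the successor step
        idle = all_home(s) and not (s["pp1"] or s["pp2"] or s["pp3"]) and not lifted
        if idle and i + 1 < len(trace):
            nxt = trace[i + 1]
            if nxt["c1Extend"] or nxt["c2Extend"] or nxt["vcExtend"]:
                violations.append((i + 1, "phi6"))
        # update the lifted/dropped state for the following step
        if dropped(s, lifted):
            lifted = False
        elif vp(s):
            lifted = True
    return violations


# Constructed trace: a WP on slider 1 is picked up and dropped correctly, then the
# controller misbehaves twice (phi1 at step 3, phi6 at step 6).
CONSTRUCTED_TRACE = [
    step(c1Home=True, c2Home=True, vcHome=True, pp1=True, vcExtend=True),   # 0: lower III
    step(c1Home=True, c2Home=True, vcEnd=True, pp1=True, vacuum_on=True),   # 1: vacuum on
    step(c1Home=True, c2Home=True, vcEnd=True, pp1=True, vac=True),         # 2: vp1 -> lifted
    step(c1Home=True, c2Home=True, vcEnd=True, vac=True,
         c1Extend=True, c1Retract=True),                                    # 3: phi1 violated
    step(c1Home=True, c2Home=True, vcEnd=True, vacuum_off=True),            # 4: dropped
    step(c1Home=True, c2Home=True, vcHome=True),                            # 5: idle ...
    step(c1Home=True, c2Home=True, vcHome=True, c1Extend=True),             # 6: ... yet moves
]

if __name__ == "__main__":
    for index, prop in check_safety(CONSTRUCTED_TRACE):
        print(f"step {index}: {prop} violated")
```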
Appendix C Case Study: Random Automata
In order to test our framework fbSAT on more instances, we perform an evaluation on randomly generated automata in this case study.
The first step is to generate random automata. We chose the automaton parameters similar to the parameters of the model inferred in the "Case Study: PnP Manipulator" (Sect. 5): number of states C = 8, number of transitions T up to $C^2$, one input and one output event, |X| = 10 input and |Z| = 7 output variables. Also, we selected an additional value |X| = 5 to compare with simpler models.
The second step is to simulate execution scenarios. We start in the initial automaton state and successively choose a random input event and random input variable values. The automaton reacts to these input actions and produces output actions, forming an execution scenario. We performed a simulation of two sets of scenarios: (1) 10 scenarios of length 100 each, and (2) 50 scenarios of length 50 each. Note that this random walk corresponds to a situation when the plant has random dynamics. Hence, these randomly simulated instances are most likely harder than real-world instances, since real-world plants (such as the PnP manipulator) do not have random dynamics.

Table 3. Temporal properties for the Pick-and-Place system

Property   Formula                                                    Description
Fixed part
ϕ1         G(¬(c1Extend ∧ c1Retract))                                 cylinder I must not be issued commands to extend and retract simultaneously
ϕ2         G(¬(c2Extend ∧ c2Retract))                                 similar property for cylinder II
ϕ3         G(¬(vacuum_on ∧ vacuum_off))                               similar property for the vacuum unit
ϕ4         G(¬vcHome ∧ ¬vcEnd → c1Home ∨ c1End)                       if the vertical cylinder is in the intermediate position, cylinder I must be either in home or end position
ϕ5         G(¬c1Home ∧ ¬c1End → vcHome ∨ vcEnd)                       if cylinder I is in the intermediate position, the vertical cylinder must be either in home or end position
ϕ6         G(allHome ∧ ¬pp1 ∧ ¬pp2 ∧ ¬pp3 ∧ ¬lifted →                 if all cylinders are in home position and no WP should be processed, no commands to move any cylinder should be issued
             X(¬c1Extend ∧ ¬c2Extend ∧ ¬vcExtend))
ϕ7         G(lifted → F(dropped))                                     if a WP is lifted from the input slider it must eventually be dropped to the output slider
Variable part
ϕ8         G(pp1 → F(vp1))                                            if a WP appears on input slider 1, it must eventually be lifted
ϕ9         G(pp2 → F(vp2))                                            if a WP appears on input slider 2, it must eventually be lifted
ϕ10        G(pp3 → F(vp3))                                            if a WP appears on input slider 3, it must eventually be lifted
The next step is to infer the minimal automaton from the simulated scenarios using the extended-min algorithm, and the final step is to validate the inferred automaton. We use the "forward check" validation approach from [36], which consists in generating a large validation set of scenarios and checking whether the inferred automaton satisfies them. The metric here is the percentage p of satisfied scenarios. We expect to confirm that high coverage of target automata by scenarios leads to good validation results.
Table 4. Results for the Random Automata Case Study

|S|   |s|   |X|   t̄ ± σ, s     p̄, %   100% p
10    100    5     48 ± 38      72     7 of 30
10    100   10    535 ± 692     30     0 of 31
50     50    5    148 ± 54      98    41 of 56
50     50   10    991 ± 702     95     5 of 10
The results are presented in Table 4, where |S| is the number of scenarios, |s| – the length of each scenario, |X| – the number of input variables, t̄ – mean solving time (in seconds), σ – standard deviation, p̄ – mean "forward check" validation percentage, 100% p – the number of instances with 100% validation. Additionally, the results are shown in Fig. 7, where on the left the distribution of execution time is shown, and on the right the distribution of the "forward check" percentage. Both plots are grouped by the number of scenarios |S| and the number of input variables |X|.
Experimental results (Fig. 7) indicate that with sufficient coverage of the target automaton by execution scenarios (in this case, 50 scenarios of length 50 each), our approach identifies the exact behavior of the automaton with high probability. However, inference from large sets of scenarios requires sufficient computational resources.
Fig. 7. Distribution plots for Random Automata Case Study (left: Time, s, on a logarithmic axis 10–10³, vs. input variables |X| ∈ {5, 10}; right: Validation percent, %, 0–100, vs. |X|; both grouped by number of scenarios, 10 and 50)
Fig. 8. Generated automaton example; "flip" indicates a flip of the corresponding output variable. Text of the figure (state labels "state / output event" with their output variable assignments, and transition labels of the form "k:REQ/guard" in the order extracted):
State 1 / INITO: c1Extend → 0, c1Retract → 0, c2Extend → 0, c2Retract → 0, vcExtend → 0, vacuum_on → 0, vacuum_off → 0
State 2 / CNF: c1Extend → 1, c1Retract → 0, c2Extend → 0, vcExtend → 0
  1:REQ/pp1
State 3 / CNF: c2Extend → 0, vcExtend → 1
  2:REQ/c1End & vcHome
State 4 / CNF: c1Extend → 0, c1Retract → 1, c2Extend → 0, c2Retract → 1, vcExtend → 0
  1:REQ/vcHome & vac
  1:REQ/c1Home
State 5 / CNF: c2Extend → 0, vcExtend → 1, vacuum_on → 1, vacuum_off → 0
  2:REQ/vcEnd
  2:REQ/pp1
  1:REQ/c1Home & vac
  1:REQ/c1End
State 6 / CNF: c2Extend → 0, vcExtend → 1, vacuum_on flip, vacuum_off → 1
  2:REQ/vcEnd
  1:REQ/vcEnd
