This paper proposes a technique for the synthesis of high quality controllers from logical specifications in the interval temporal logic Quantified Discrete Duration Calculus (QDDC). A specification consists of hard and soft requirements. We compute a controller which guarantees that the hard requirements hold invariantly and which, moreover, meets the soft requirement intermittently but as much as possible. We show that this soft-requirement-guided synthesis provides a useful ability to specify and efficiently synthesize high quality controllers. The technique is also useful in dealing with conflicting requirements. The proposed technique is implemented in a tool DCSynth. We illustrate our approach using a case study of a synchronous bus arbiter specification, and we experimentally show the effect of soft requirements on the quality (worst case and expected case behaviour) of the synthesized controller.
Introduction
In reactive synthesis, the aim is to algorithmically construct a controller (say a Mealy machine) from a given temporal logic specification of its behaviour. There is considerable research work on reactive synthesis and there are several tools which experiment with reactive synthesis [9]. This paper introduces a method and a tool DCSynth which allows synthesis of controllers from regular properties (requirements) given in the logic Quantified Discrete Duration Calculus (QDDC) [15, 16]. Regular properties can conceptually be specified by a deterministic finite state automaton (DFA). At any point in the execution, a regular property holds provided the past behaviour up to that point is accepted by its DFA. The study of synthesis of controllers for such properties was pioneered by Ramadge and Wonham [19, 20] and it constitutes an important and practically applicable technique [13].
In this paper, we propose the use of the highly succinct and powerful logic QDDC for specifying regular properties. QDDC is an interval temporal logic which has exactly the expressive power of regular languages, with a known translation to deterministic finite automata (DFA) over finite words [15, 16]. It can succinctly express safety and bounded liveness properties of systems. Its bounded counting, second order quantification and regular-expression-like primitives allow complex quantitative properties to be specified elegantly and modularly [14, 17]. For example, the QDDC formula []( ([[req]] && slen = n) => (scount ack > 0)) holds for a behaviour provided that, in any observation interval of n + 1 cycles, if req is invariantly true then there is at least one acknowledgment. Such properties are particularly relevant to specifying quality and performance attributes (latencies, resource usage etc.) of controllers. We claim that the logic QDDC provides a natural vocabulary for such descriptions. The synchronous bus arbiter in Section 4 and the minepump example in Appendix D illustrate this aspect. In this paper, we propose to use QDDC for controller synthesis. We propose a specification format and a controller synthesis method/tool called DCSynth for the automatic construction of high quality controllers.
We shall use the term supervisor for a non-blocking Mealy machine which may non-deterministically produce one or more (but not zero) outputs for each input. A controller is a deterministic supervisor. Formal definitions of these terms can be found in Appendix A.
A DCSynth specification is a tuple (I, O, D_h, D_s) with QDDC formulas D_h, D_s over a set of input and output propositions (I, O). Here D_h and D_s give the hard and the soft requirement respectively. A key synthesis goal is to construct a controller which ensures that the QDDC formula D_h (equivalently, a regular property) holds invariantly during any behaviour. Recall that a formula holds at a point in a behaviour if the past of the behaviour satisfies the formula. Ramadge and Wonham [19, 20] investigated the synthesis of a maximally permissive supervisor for a regular specification. The well known safety synthesis algorithm applied to the DFA for D_h gives us the desired maximally permissive supervisor [6]. This supervisor is denoted by MPNC(D_h). In case no such supervisor (and hence no controller) exists, the algorithm reports that the specification is unrealizable. We implement this construction in our tool DCSynth.
Note that any controller obtained by arbitrarily resolving the output-nondeterministic choices in MPNC(D_h) is a correct-by-construction controller. This results in several controllers with distinct behaviours and qualities. Thus, correct-by-construction synthesis alone is not sufficient [3]; some guidance must be provided to the synthesis method to choose amongst the possible controllers. Moreover, sometimes there are desirable requirements which cannot be met invariantly, but the controller should try to meet them intermittently, "as much as possible". (Think of a desired default value of an output unless mandatory requirements dictate otherwise.) Sometimes a specification contains a conjunction of conflicting requirements. In this case, all the requirements cannot be simultaneously met. Given a set of conflicting requirements, the user may wish to resolve the conflict by making them soft. Specifications of scheduling, performance and quality constraints over controllers are often such desirable properties.
In this paper we investigate the role of the soft requirement D_s as a guidance mechanism in controller synthesis and we show its utility in obtaining high quality controllers. D_s indicates a desirable regular property which the controller must try to satisfy "as much as possible", in a best effort manner, even if it cannot be satisfied invariantly. In DCSynth, we formalize this as a controller which maximizes the expected value of the count of D_s holding in the next H moves, where this count is averaged over all input sequences of length H. Such a controller is called H-optimal for D_s. Thus, technically, we are in the framework of receding-horizon optimal control of Markov Decision Processes. (The stochasticity comes from the distribution of input sequences provided by the environment of the controller.) The classical value iteration algorithm due to Bellman [2] allows us to compute this H-optimal controller. Thus, our synthesis method gives a controller which (a) invariantly satisfies D_h and (b) is H-optimal for D_s amongst all controllers meeting condition (a).
The above synthesis method is efficiently implemented in the tool DCSynth. An efficient representation of deterministic finite automata using BDDs, originally introduced by the tool MONA [11], is used for both automata and supervisors. We adapt the safety synthesis algorithm and the value iteration algorithm to work symbolically over this MONA DFA representation. Moreover, being in the realm of regular properties, we are able to minimize automata and supervisors, giving significantly more efficient synthesis and smaller controllers. The full paper gives the detailed algorithms and the implementation details (see Appendix E) [23], which are omitted here because of lack of space.
We present a case study of a synchronous bus arbiter to illustrate our specification and synthesis tool. A wide variety of design choices pertaining to correctness and quality can be formulated using different mixes of hard and soft requirements. We demonstrate that the use of soft requirements results in considerably enhanced quality of the controller. The quality of a controller can be measured in terms of its worst case guarantee and its expected behaviour. The tool DCSynth provides facilities for measuring both. DCSynth is available for download at [23], where the details of the experiments reported here and the full version of the paper are also available.
In summary, the main contributions of this paper are as follows:
- We present a method and a tool DCSynth for the synthesis of controllers from QDDC requirements. This extends the past work [16] on model checking interval temporal logic with synthesis abilities.
- The tool DCSynth allows guided synthesis of controllers based on soft requirements which are met "as much as possible" in an H-optimal fashion. Conceptually, this enhances the Ramadge-Wonham framework to optimal controller synthesis.
- DCSynth makes use of the BDD-based semi-symbolic DFA representation of the MONA tool to represent automata, supervisors and controllers. All controller synthesis algorithms are implemented to work symbolically on this representation. DCSynth uses eager minimization at all stages of controller synthesis for an efficient and more scalable implementation.
- DCSynth provides a facility to compare both the worst case and expected case behaviours of two controllers. We give experimental results and show the impact of soft goals on the quality of the synthesized controller.
The rest of the paper is arranged as follows. Section 2 describes the syntax and semantics of the logic QDDC. Section 3 gives the syntax of DCSynth specifications and an outline of the controller synthesis method. Section 4 describes the arbiter case study and the corresponding experimental results. In Section 5, we conclude the paper along with some related work.
Quantified Discrete Duration Calculus (QDDC) Logic
Let Σ be a finite non-empty set of propositional variables. A word σ over Σ is a non-empty finite sequence of the form P_0 ··· P_n where P_i ⊆ Σ for each i ∈ {0, ..., n}. Let len(σ) = n + 1, dom(σ) = {0, ..., n}, σ[i, j] = P_i ··· P_j and
The syntax of a propositional formula over Σ is given by:
and operators such as ⇒ and ⇔ are defined as usual. Let Ω_Σ be the set of all propositional formulae over Σ. Let i ∈ dom(σ). Then the satisfaction relation σ, i |= ϕ is defined inductively as follows:
, and σ, i |= −ϕ iff i > 0 and σ, i − 1 |= ϕ. The satisfaction of boolean combinations ! (not), && (and), || (or) is defined in a natural way. The syntax of a QDDC formula over Σ is given by: 
with Boolean combinations !D, D_1 || D_2 and D_1 && D_2 defined in the expected way. We call a word σ' a p-variant, p ∈ Σ, of a word σ if ∀i ∈ dom(σ), ∀q ≠ p: σ'[i] and σ[i] agree on q. Theorem 1 (see [16]). For every formula D we can construct a DFA A(D) over the alphabet 2^Σ such that L(A(D)) = L(D). We call A(D) the formula automaton for D.
A tool DCVALID implements this formula automaton construction in an efficient manner by internally using the tool MONA [11]. It gives the minimal deterministic automaton (DFA) for the formula D. The reader may refer to several papers on QDDC for a detailed description and examples of QDDC specifications as well as its model checking tool DCVALID [14, 15, 16].
DCSynth Controller Synthesis
The maximally permissive supervisor MPNC(D_h) is obtained by computing a greatest fixed point over the automaton A(D_h) = ⟨S, 2^{I∪O}, δ, F⟩ using the standard safety synthesis algorithm [8]. We first compute the largest set of winning states G ⊆ F with the following property:
Then the algorithm ComputeWINNING(A(D_h), I, O) iteratively computes G as follows:
  G = F;
  do { G1 = G; G = Cpre(A(D_h), G1); } while (G != G1);
If the initial state s ∉ G, then the specification is unrealizable. Otherwise, MPNC(D_h) is obtained by making G the set of final states, retaining all the transitions in A(D_h) between states in G and redirecting the remaining transitions of A(D_h) to a unique reject state r, which is made a sink state.
The product
gives the supervisor A_Arena on which H-optimal controller synthesis is carried out, for a given H, using the well-known value-iteration algorithm of Bellman [2]. In this algorithm a function Val(s, p) is computed iteratively to assign a value to each state s of the arena automaton A_Arena. Here 0 ≤ p ≤ H denotes the iteration number. The constant 0 ≤ γ ≤ 1 is the discounting factor, which can be taken as γ = 1 in this paper for simplicity.
Having computed Val(s, H), the set of H-optimal outputs O_max is obtained as follows: for each state s ∈ A_Arena and each input i ∈ 2^I,
Note that O_max is a set, as more than one output o may satisfy the argmax condition. Now, the supervisor A_Arena is pruned to retain only the transitions with optimal outputs in the set O_max. This gives us the maximally permissive H-optimal supervisor for D_s. The computation of this supervisor is denoted by GODSC(A_Arena, H), and the resulting supervisor by GODSC(D_h, D_s, H).
4. The non-deterministic choice of outputs in the above GODSC is resolved in favour of the highest ordered output under the ordering <_ord. This gives us the final deterministic controller Cnt.
The controller Cnt mandatorily satisfies D_h invariantly, and it intermittently, but H-optimally, satisfies D_s. At all stages of the above synthesis, the automata and the supervisors A(D_h),
and Cnt are all represented as semi-symbolic automata (SSDFA) using the MONA [11] DFA data structure. In this representation, the transition function is represented as a multi-terminal BDD. The MONA DFA library provides a rich set of automata operations, including product, projection, determinization and minimization, over semi-symbolic DFA. We adapt the greatest fixed point computation of MPNC(D_h) as well as the value iteration algorithm over A_Arena to work symbolically over SSDFA. Moreover, at each stage of the computation, the automata and supervisors are aggressively minimized. Appendix E gives details of the MONA DFA data structure and its use in symbolically computing the controller in an efficient manner.
Assumptions and Controller Types
In most of the synthesis examples, we can formulate a desired regular property C, termed the commitment, which the controller should satisfy for as many input sequences as possible. Ideally, this property should be satisfied invariantly. But this may be unrealizable, and a suitable assumption A on the behaviour of the environment may have to be made for C to hold. Given this pair (A, C) of QDDC formulas over the input-output variables (I, O), we specify four standard controller specifications (I, O, D_h, D_s) as follows.
Type
The Type 0 controller gives the best guarantee but it may be unrealizable. The Type 1 controller provides a firm but conditional guarantee. The Type 2 controller tries to achieve C in an H-optimal fashion irrespective of any assumption, whereas the Type 3 controller provides a firm conditional guarantee and also tries to satisfy C in an H-optimal fashion even when the assumption does not hold.
Case Studies and Experiments
The synchronous bus arbiter specification below as well as the minepump controller specification in Appendix D are given as pair (A, C) of assumption and commitment.
Synchronous Bus Arbiter
An n-cell synchronous bus arbiter has inputs {req_i} and outputs {ack_i} where 1 ≤ i ≤ n. In any cycle, a subset of {req_i} is true and the controller must set one of the corresponding ack_i to true. The arbiter commitment, ArbCommit(n, k), is the conjunction of the following four properties.
In QDDC, the formula true^P holds at a cycle i in an execution if the proposition P holds at cycle i. Thus, for the current cycle i, the formula Mutex(n) gives mutual exclusion of acknowledgments; NoLoss(n) states that if there is at least one request then there must be an acknowledgment; and NoSpurious(n) states that an acknowledgment is only given to a requesting cell. The formula true^([[req]] && (slen = (k−1))) states that the past of the current point contains at least k cycles and that in the last k cycles req is invariantly true. Similarly, the formula true^(scount ack > 0 && (slen = (k − 1))) states that the past of the current point contains at least k cycles and that in the last k cycles the count of ack is at least 1. Then, the formula Resp(req, ack, k) states that if req has been continuously true in the last k cycles, there must be at least one ack within the last k cycles. So, Response(n, k) (in equation 1) says that each cell requesting continuously for the last k cycles must get an acknowledgment within the last k cycles.
A controller can invariantly satisfy ArbCommit(n, k) if n ≤ k. The tool DCSynth gives us a concrete controller for the instance (D_h = ArbCommit(6, 6), D_s = true). It is easy to see that there is no controller which can invariantly satisfy ArbCommit(n, k) if k < n. Consider the case when all req_i are continuously true. Then, it is not possible to respond to every cell within fewer than n cycles, because of the mutual exclusion of the ack_i.
To handle such a desirable but unrealizable requirement we make an assumption. Let the proposition Atmost(n, i) be defined as ⋁_{S ⊆ {1..n}, |S| ≤ i} ⋀_{j ∉ S} ¬req_j. It states that at most i requests are true simultaneously. Then, the arbiter assumption is the formula ArbAssume(n, i) = [[Atmost(n, i)]], which states that Atmost(n, i) holds invariantly in the past.
The synchronous arbiter specification Arb(n, k, i) is the assumption-commitment pair (ArbAssume(n, i), ArbCommit(n, k)). The four types of controller specifications can be derived from this pair. Figure C in Appendix C gives, in the textual syntax of the tool DCSynth, the specification TYPE3(Arb(5, 3, 2)).
Experiments
The controllers for the four types of specifications given in Section 3.1 can be synthesized using the tool DCSynth. In Table 1, we provide data on the performance of DCSynth in synthesizing these controllers. We have used a default value to determinize the GODSC in both examples, resolving its non-determinism (if present). For the Arbiter example the default value, denoted ArbDef = (ack1 >> ack2 >> ack3 >> ack4 >> ack5), is used; it says: try to give an acknowledgment to every cell whenever possible (i.e. when the GODSC is non-deterministic in outputs), and lower numbered acknowledgments have higher priority. For the Minepump example, the default value of PumpOn and PumpOff (i.e. !(PumpOn)) is used for determinization. The tool uses the optimizations outlined in Appendix E, where the gains due to symbolic optimizations are also profiled. It may be noted that several other synthesis tools, which are targeted at a different class of liveness properties like LTL and GR(1), are unable to deal with our examples (see Appendix F, Table 4 for a comparison).
We now consider the crucial question of comparing the performance of the four types of controllers synthesized, for arbiter and the minepump examples.
Expected Case Performance
Given a controller Cnt we can translate it into a Discrete Time Markov Chain, denoted M_unif(Cnt), by assigning uniform discrete probabilities to all the inputs from any state. In constructing this Markov chain, we have assumed that the inputs are iid, i.e. they occur independently of the In DCSynth, we provide a facility to compute M_unif(Cnt, C) in a format accepted by the tool MRMC. Hence, using MRMC, we are able to compute the expected value of C holding in long runs on random (iid) inputs in the behaviours of the controller Cnt.
The last column of Table 1 gives the expected value of C holding for the controllers of various types for the Arbiter and the Minepump examples. The results are quite enlightening.
In both examples, without using soft requirements, the obtained controllers have 0 expected value of C holding. This is because of the strong assumptions used to guarantee C, which themselves have expected value 0. Once the assumption fails, the synthesis algorithm has no incentive to try to meet C.
On the other hand, with the soft requirement C in the TYPE2 and TYPE3 controllers, the H-optimal controllers obtained have an expected value of C holding above 98%. This startling increase in the expected value shows that H-optimal synthesis is very effective in finding controllers which meet the desirable property C.
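The synthesis steps of Section 3 (winning-set computation, value iteration over the arena, priority-based determinization) and the TYPE1 versus TYPE3 comparison above, as an added example that is not DCSynth's code: the arena for a 3-cell arbiter is hand-built rather than derived from QDDC formulas, the argmax form of O_max and the reading of the ack1 >> ack2 >> ack3 ordering as a lexicographic preference are assumptions of this example, and the input sequences are constructed.

```python
"""Soft-requirement guided synthesis on a hand-built arena for a 3-cell arbiter (added example,
not DCSynth's code). The monitor is a hand-constructed stand-in for the formula automaton of
ArbAssume(3, i) => ArbCommit(3, 3) (hard) with ArbCommit(3, 3) as the soft requirement."""
import itertools
import random

N, K = 3, 3                                          # cells n and response bound k
INPUTS = list(itertools.product((0, 1), repeat=N))   # 2^I: request vectors (req1, req2, req3)
OUTPUTS = list(itertools.product((0, 1), repeat=N))  # 2^O: acknowledgment vectors
INIT = (True, (0,) * N)   # (Atmost held at every past cycle, per-cell run of unacked requests)
REJECT = "reject"


def commit_holds(req, ack, runs):
    """ArbCommit(n, k) at the current cycle: Mutex, NoLoss, NoSpurious and Resp for each cell."""
    mutex, no_loss = sum(ack) <= 1, (not any(req)) or any(ack)
    no_spurious = all(r or not a for r, a in zip(req, ack))
    resp = all(c < K for c in runs)   # k consecutive unacked requests violate Resp(req_j, ack_j, k)
    return mutex and no_loss and no_spurious and resp


class Arena:
    """`assume` is the i of Atmost(n, i), or None for D_h = ArbCommit; `soft` selects D_s = ArbCommit."""

    def __init__(self, assume, soft):
        self.assume, self.soft = assume, soft

    def step(self, state, req, ack):
        """delta(s, (i, o)); also returns whether ArbCommit holds at this cycle."""
        if state == REJECT:
            return REJECT, False
        a_ok, runs = state
        runs = tuple(min(K, c + 1) if r and not a else 0 for c, r, a in zip(runs, req, ack))
        if self.assume is not None:                  # [[Atmost(n, i)]] over the whole past
            a_ok = a_ok and sum(req) <= self.assume
        c_now = commit_holds(req, ack, runs)
        if a_ok and not c_now:                       # D_h = A => C fails: the sink state r
            return REJECT, False
        return (a_ok, runs), c_now

    def reachable(self):
        seen, todo = {INIT}, [INIT]
        while todo:
            s = todo.pop()
            for req, ack in itertools.product(INPUTS, OUTPUTS):
                t = self.step(s, req, ack)[0]
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def winning(self):
        """Step 2: greatest fixed point G = Cpre(G), starting from F = all non-reject states."""
        g = self.reachable() - {REJECT}
        while True:
            g1 = g
            g = {s for s in g1
                 if all(any(self.step(s, req, ack)[0] in g1 for ack in OUTPUTS) for req in INPUTS)}
            if g == g1:
                return g

    def h_optimal(self, h):
        """Step 3: Bellman value iteration (gamma = 1) on MPNC(D_h), then O_max(s, i); taking the
        argmax of w + Val(delta(s, (i, o)), H) is this example's reading of the omitted formula."""
        g = self.winning()
        if INIT not in g:
            raise ValueError("hard requirement is unrealizable")
        allowed = {(s, req): [ack for ack in OUTPUTS if self.step(s, req, ack)[0] in g]
                   for s in g for req in INPUTS}      # the transitions MPNC(D_h) keeps
        def gain(s, req, ack, val):
            t, c_now = self.step(s, req, ack)
            return (int(c_now) if self.soft else 1) + val[t]   # w = 1 iff D_s holds
        val = {s: 0.0 for s in g}
        for _ in range(h):                           # Val(s, p + 1), averaged over iid inputs
            val = {s: sum(max(gain(s, req, ack, val) for ack in allowed[s, req])
                          for req in INPUTS) / len(INPUTS) for s in g}
        omax = {}
        for (s, req), acks in allowed.items():
            best = max(gain(s, req, ack, val) for ack in acks)
            omax[s, req] = [ack for ack in acks if gain(s, req, ack, val) == best]
        return omax

    def controller(self, h=4):
        """Step 4: resolve the remaining choice by the default ordering ack1 >> ack2 >> ack3, read
        here as lexicographic preference on the ack vector (an assumption of this example)."""
        return {key: max(acks) for key, acks in self.h_optimal(h).items()}

    def commit_rate(self, ctrl, inputs):
        """Fraction of cycles in which ArbCommit holds when ctrl runs on the input sequence."""
        s, hits = INIT, 0
        for req in inputs:
            s, c_now = self.step(s, req, ctrl[s, req])
            assert s != REJECT                       # D_h holds invariantly by construction
            hits += c_now
        return hits / len(inputs)


def random_inputs(cycles, max_requests, seed):
    """Constructed iid input sequence; max_requests < N keeps ArbAssume(N, max_requests) true."""
    rng = random.Random(seed)
    pool = [req for req in INPUTS if sum(req) <= max_requests]
    return [rng.choice(pool) for _ in range(cycles)]
```

For TYPE0 of Arb(3, 3, ·) the fixed point drops reachable states such as runs (0, 2, 2), from which a simultaneous request by both waiting cells cannot be served within k = 3. Once Atmost(3, 2) is violated on random inputs, the TYPE1 controller (D_s = true) falls back to the default output and ArbCommit holds almost never, while the TYPE3 controller keeps it in most cycles.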
Worst Case Performance as Must-Dominance
While the expected case behaviour of a controller is a critical quality parameter, its worst case guarantee is also important. Intuitively, a TYPE3(A, C) controller not only provides good expected case behaviour, but it also guarantees (by construction) the invariance of A ⇒ C. No such theoretical guarantee can be given for a TYPE2(A, C) controller. So what worst case guarantee can such a controller provide in practice?
Definition 1 (Must Dominance). Given supervisors Sup_1, Sup_2 and a QDDC formula C over the input-output alphabet
In this case, we say that Sup 2 must-dominates Sup 1 w.r.t. C.
Clearly, a must-dominating supervisor guarantees C for strictly more inputs (however unlikely these are).
Let GODSC_i(A, C) denote the H-optimal GODSC supervisor computed by DCSynth for the specification TYPE_i(A, C). Theoretically, the following lemma holds. We omit its straightforward proof. In general, GODSC_2(A, C) is incomparable with GODSC_1(A, C) and GODSC_3(A, C). However, for specific (A, C) additional must-dominance relations may hold.
Since Sup_1, Sup_2 are finite state Mealy machines and C is a regular property, an automata-theoretic technique can automatically check whether Sup_1 ≤^C_dom Sup_2. We omit the details of this technique and refer the reader to the full version of this paper. The tool DCSynth implements this technique, and we can determine must-dominance between two supervisors for any given C. In case the must-dominance does not hold, the tool provides a counterexample.
For the Arbiter and the Minepump specifications, we use DCSynth to establish must-dominance between the various GODSC types. The comparison is for the commitment C of the examples considered. The results are as follows.
1. GODSC_1(Arb(5, 3, 2)) <^C_dom GODSC_2(Arb(5, 3, 2)) =^C_dom GODSC_3(Arb(5, 3, 2))
2. GODSC_1(MP(8, 2, 6, 2)) <^C_dom GODSC_3(MP(8, 2, 6, 2)) <^C_dom GODSC_2(MP(8, 2, 6, 2))
For the Arbiter, the TYPE2 and TYPE3 GODSC are not only must-equivalent, but the tool gives identical supervisors. So, surprisingly, the H-optimal controller of TYPE2 already provides all the must-guarantees of the TYPE3 controller. (But this result is not theoretically guaranteed.) In the Minepump example, the TYPE2 controller provides superior must-guarantees to the TYPE3 controller.
Discussion and Related Work
We have presented a method and a tool DCSynth for the guided synthesis of controllers from hard and soft requirements which are regular properties specified in the logic QDDC. Case studies show that the combination of hard and soft requirements gives a useful ability to deal with unrealizable, conflicting and default requirements. The ability to measure controller performance using expected value and must-dominance shows the overwhelming effectiveness of soft-guided H-optimal controllers in meeting commitments.
- Reactive synthesis from Linear Temporal Logic (LTL) specifications has been widely studied, and considerable theory [1, 3] and tools exist [4, 7]. The leading tools such as Acacia+ [4] and BoSy [7] mainly focus on the future fragment of LTL. By contrast, this paper focuses on invariance of complex regular properties (denoted by AG D_h, see [15]) for which a maximally permissive supervisor (MPNC) can be synthesized. In supervisory control, a richer property class AGEF D_h is considered for which MPNC can also be synthesized (see [6]). Future versions of DCSynth will support such properties. Reidweg et al. [22] discuss other subclasses of Quantified Mu-Calculus for which MPNC can be computed.
- Most synthesis tools have focused on correct-by-construction synthesis from hard requirements. For example, none of the tools in the recent SYNTCOMP17 [9] address the issue of guided synthesis. The key focus of our technique is to optimize MPNC to get an H-optimal supervisor for the soft requirement D_s. While we have assumed that inputs are iid, the method can easily accommodate a finite state Markov model governing the occurrence of inputs. Ding et al. [5], Wongpiromsarn et al. [25] as well as Raman et al. [21] have explored the use of receding horizon model predictive control for temporal logic properties.
- DCSynth uses an efficient BDD-based symbolic representation, inherited from the tool MONA [11], for storing automata, supervisors and controllers. The use of eager minimization (see [24] for implementation details) allows us to handle much more complex properties as compared to other tools (see Appendix F).
A Regular Properties, Supervisors and Controllers
Now we consider automata where the alphabet Σ = I ∪ O is partitioned into input variables I and output variables O. It is sometimes convenient to convert the formula automaton above (which is a recognizer) into a Mealy machine as follows. The intuition is that for all input sequences the Mealy machine can produce some output sequence without ever getting into the reject state.
Definition 3 (Controllers and Supervisors). An output-nondeterministic Mealy machine which is non-blocking is called a supervisor. A deterministic supervisor will be called a controller.
See Figure 2 in Appendix B for an example of an output-nondeterministic Mealy machine which is non-blocking. The advantage of representing output-nondeterministic Mealy machines and controllers as DFA is that well established BDD-based DFA libraries such as those in the tool MONA can be used to represent and manipulate the controllers. This is exploited in the tool DCSynth.
Definition 4. A supervisor A realizes invariance of a QDDC formula D, denoted A realizes inv D, provided L(A) ⊆ L(D). Recall that A being a Mealy machine, L(A) is prefix-closed; and being a supervisor, A is non-blocking. A supervisor A is called maximally permissive (or minimally restrictive) provided no other supervisor with a larger language realizes inv D.
Definition 5 (Indicating Monitor). Given the DFA A(D) of Theorem 1, it can be converted into a deterministic Mealy machine A_Ind(D, w) with indicator output w such that the two automata have the same set of states and transitions. On each transition of A_Ind, the output w = 1 iff the target state of the corresponding transition in A(D) is an accepting state. Thus, for any behaviour σ ∈ (2^Σ)^+ of A(D), we have a unique behaviour σ' ∈ (2^{I∪O∪{w}})^∞ of A_Ind such that σ' ⇓ w = σ and for all i ∈ dom(σ) we have w ∈ σ'[i] iff σ[0, i] ∈ L(A(D)).
It is easy to observe that every indicating monitor in Definition 5 is a deterministic controller. Fig. 1 gives the safety monitor automaton for the 2-cell arbiter, for the DCSynth specification ({req_1, req_2}, {ack_1, ack_2}, ARBHARD(n, k), ack_1, ack_2). Each transition is labelled by a 4-bit vector giving the values of req_1, req_2, ack_1, ack_2. Fig. 2 gives the MPNC automaton for the 2-cell arbiter computed from the safety monitor automaton of Fig. 1. (There is an additional reject state. All missing transitions are directed to it. These are omitted from the diagram for simplicity.) Note that this is a DFA whose transitions are labelled by 4-bit vectors representing the alphabet 2^{req1, req2, ack1, ack2}. As defined in Definition 2, the DFA also denotes an output-nondeterministic Mealy machine with input variables (req_1, req_2) and output variables (ack_1, ack_2). The automaton is nondeterministic in output as from state 1, on input (1, 1), it can move to state 2 with output (1, 0), or to state 3 with output (0, 1). The reader can verify that the automaton is non-blocking and hence a controller.
B Examples: Synthesis for 2 cell arbiter
In the 2-cell arbiter example, with soft requirements ack1, ack2 which give ack1 priority over ack2, we obtain the GODSC controller automaton of Fig. 3 from the MPNC of Fig. 2. Note that we minimize the automaton at each step.
C DCSynth Tool Usage
The tool DCSynth uses a specification file. See the specification file named Arbiter.qsf shown in Figure C below for the Arbiter example given in Section 4. This file contains the sets of input and output alphabets in the interface section. The definitions/macros required for specifying the hard and soft requirements are contained in the definitions section. This is followed by a section called indefinitions, which specifies the required indicating monitors for given formulas (or corresponding automata). Finally, the sections called hardreq and softreq define the hard and soft requirements respectively, using the definitions and indicating monitors. The steps to synthesize a controller from the specification file are as follows.
D Case Study: Mine pump Specification
In this section we illustrate the effect of soft requirements on the quality of the synthesized controllers with a case study of a mine pump controller specification [16]. The controller has two input sensors: a high water level sensor HH2O and a methane leakage sensor HCH4; and one output, PumpOn, to keep the pump on. The objective of the controller is to safely operate the pump in such a way that the water level never remains high continuously for more than w cycles.
Thus, the minepump controller has input and output variables ({HH2O, HCH4}, {PumpOn}). We have the following assumptions on the mine and the pump. Their conjunction is denoted MineAssume( , ζ, κ). The minimum separation between two leaks of methane is ζ cycles and a methane leak cannot persist for more than κ cycles.
The commitments are:
- Safety conditions: true^((HCH4 || !HH2O) ⇒ !PumpOn) saying that if there is a methane leakage or absence of high water in the current cycle, then the pump should be off; and !(true^([[HH2O]] && slen = w)) stating that it is not possible that the water level continuously remains high for w cycles.
The conjunction of commitments is denoted M ineCommit(w).
The minepump specification MinePump(w, , ζ, κ) is given by the assumption-commitment pair (MineAssume( , ζ, κ), MineCommit(w)). The four types of DCSynth specifications of Section 3.1 can be derived from this. Appendix D.1 gives the textual source of the TYPE3(MinePump(8, 2, 6, 2)) specification used by the DCSynth tool.
D.1 Mine pump Specification Source
The BDD-based representation of DFA used by DCSynth was originally introduced by the tool MONA [11]. It was used to efficiently compute the formula automaton for MSO over finite words. We denote this representation as Semi-Symbolic DFA (SSDFA). In this representation, the transition function is encoded as a multi-terminal BDD (MTBDD). The reader may refer to the original papers [11, 12] for further details of MTBDD and the MONA DFA library.
Here, we briefly describe the SSDFA representation, and then consider controller synthesis on SSDFA. Figure 6(a) gives an explicit DFA. Its alphabet Σ is the set of 4-bit vectors giving the values of the propositions (req_1, req_2, ack_1, ack_2), and its set of states is S = {1, 2, 3, 4}. Being a safety automaton it has a unique reject state 4, and all the missing transitions are directed to it. (State 4 and the transitions to it are omitted in Figure 6(a) for brevity. For technical reasons there is an additional state 0, which may be ignored here; state 1 may be treated as the initial state.) Each state s points to a shared MTBDD node encoding the transition function δ(s): Σ → S, with each path ending in the next state. Each circular node of the MTBDD represents a decision node, with indices 0, 1, 2, 3 denoting the variables req_1, req_2, ack_1, ack_2. Solid edges lead to true co-factors and dotted edges to false co-factors.
MONA provides a DFA library implementing automata operations including product, complementation, projection and minimization on SSDFA. Moreover, automata may be constructed from scratch by giving a list of states and adding transitions one at a time. A default transition must be given to make the automaton total. The tools MONA and DCVALID use eager minimization while converting a formula into an SSDFA.
We use SSDFA to efficiently synthesize the MPNC and GODSC for the DCSynth specification (I, O, D_h, D_s) without actually expanding the specification automata into a game graph. The use of SSDFA leads to a significant improvement in the scalability and computation time of the tool.
E.1 Computing Maximally Permissive Non-deterministic Controller (MPNC)
Recall the synthesis method in Section 3. Let the hard requirement automaton be A(D_h) = ⟨S, 2^{I∪O}, δ, F⟩. We construct the maximally permissive supervisor by iteratively applying Cpre(A(D_h), X) to compute the set of winning states G, as outlined in Step (2). Here r is the unique reject state introduced to make the automaton total. We consider the following two methods.
In Table 2 we give experimental results comparing the computation of MPNC(D_h) using the two algorithms. It can be seen that the symbolic algorithm can be faster by several orders of magnitude. This is because we do not construct the MPNC from scratch; instead we only redirect some links in the MTBDD of A(D_h), which is already computed. In Table 2, Arb_hard(n, k) represents the specification TYPE0(Arb(n, k, n)) and Arb_soft(n, k) represents the example TYPE2(Arb(n, k, n)). Hence we can abbreviate the transition as δ(s, (i, o)).
Example Hard Requirement
Now, to compute GODSC we again have two methods: one enumerative and the other symbolic. We give the algorithm and the associated complexity results for one value iteration (i.e. for VALpre followed by the O_max computation) as given in Step (3) of the synthesis method of Section 3. Let Q be the set of states of A_Arena.
- Enumerative Method: As given in Step (3) of the synthesis method, for each state s we need to enumerate all paths starting from s to get Val(s), which takes time of the order of 2^{|I∪O|} × k, where k is the number of soft requirements (in this paper k is assumed to be 1). Similar complexity is required to compute O_max. Hence, as the algorithm terminates after H iterations, the total time complexity of the entire algorithm for H iterations is |Q| × 2^{|I∪O|} × H (for k = 1).
- Symbolic Method: For this optimization to be applicable we assume that in the MTBDD representation of A_Arena all the input variables occur before the output variables O and the indicating (witness) variable w (in general it is a set of variables if k > 1). A node in the MTBDD is called a frontier node if it is labelled with an output or a witness variable and all its ancestors are labelled with input variables. (In Figure 6( where the time taken to insert a transition in A_godsc is assumed to be constant. Hence the total time for the entire algorithm computing A_godsc is O(d + |Q|) × n, where d is the total number of paths in the MTBDD of A_Arena (here k is assumed to be 1).
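To make Steps (2) and (3) concrete, here is an added example (not DCSynth's code) that runs the enumerative MPNC fixpoint and a one-witness GODSC value iteration on a constructed two-client arbiter; the hard requirement, the stateless soft requirement and the exact min/max shape of VALpre are assumptions of the example.

```python
# Added example (not DCSynth's code): enumerative MPNC and GODSC on a constructed
# 2-client arbiter, I = (req1, req2), O = (ack1, ack2). State (c1, c2): c_k == 1 means
# client k's request is pending from the last cycle. Hard requirement: never ack both
# at once; a pending request is acked in the next cycle. Violations go to reject R.
from itertools import product
R = "reject"
STATES = [(0, 0), (0, 1), (1, 0), (1, 1)]
INPUTS = OUTPUTS = list(product([0, 1], repeat=2))

def delta(s, i, o):
    """Transition delta(s, (i, o)) of the hard-requirement automaton A(D_h)."""
    if o[0] and o[1]:
        return R                          # mutual exclusion violated
    nxt = []
    for pending, req, ack in zip(s, i, o):
        if ack:
            nxt.append(0)
        elif req and pending:
            return R                      # second consecutive cycle without ack
        else:
            nxt.append(1 if req else 0)
    return tuple(nxt)

def cpre(x):
    """Controllable predecessor: states where every input has some output staying in x."""
    return {s for s in x if all(any(delta(s, i, o) in x for o in OUTPUTS) for i in INPUTS)}

def mpnc():
    """Winning states G (greatest fixpoint of Cpre) and the MPNC's allowed outputs."""
    g = set(STATES)
    while (nxt := cpre(g)) != g:
        g = nxt
    allowed = {(s, i): [o for o in OUTPUTS if delta(s, i, o) in g] for s in g for i in INPUTS}
    return g, allowed

def soft(s, i, o):
    """Constructed stateless soft requirement (witness w): no ack without a request."""
    return int(all(r or not a for r, a in zip(i, o)))

def godsc(h):
    """h rounds of value iteration (VALpre assumed as min over inputs of max over allowed
    outputs of w + Val(next)), then O_max picks an output maximising that sum."""
    g, allowed = mpnc()
    val = {s: 0 for s in g}
    for _ in range(h):
        val = {s: min(max(soft(s, i, o) + val[delta(s, i, o)] for o in allowed[(s, i)])
                      for i in INPUTS) for s in g}
    policy = {(s, i): max(allowed[(s, i)], key=lambda o: soft(s, i, o) + val[delta(s, i, o)])
              for (s, i) in allowed}
    return val, policy
```

State (1, 1) is losing (both clients would have to be acked in the same cycle), so the MPNC forbids answering a double request from (0, 0) with no ack, and the GODSC additionally avoids spurious acks wherever the hard requirement leaves a choice.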
It may also be noted that in the worst case the total number of MTBDD paths d is of size O(2^{|I∪O|}) and the two algorithms have comparable complexity. But in most cases the total number of MTBDD paths satisfies d ≪ 2^{|I∪O|}, and the symbolic algorithm is more efficient. Table 3 shows an experimental evaluation of the time taken for computing GODSC(A_Arena, 1) using the two techniques. Results for one iteration are used to eliminate the dependence on the number of iterations H.

Table 3. GODSC synthesis with only 1 iteration: Enumeration vs Symbolic method. For A_soft, its number of states and the time (in sec) to compute it from the soft requirement formulae are given. For GODSC(A_Arena, 1), its number of states and the time to compute it from A_Arena are given. Note that the size of A(D_s) for the soft requirement true is 1. In the table, State and Time represent the number of states and the time (in sec) for computation of the corresponding automaton. En and Sy represent the computation time in the enumerative method and the symbolic method respectively. The example Arb_hard(n, k) represents the specification TYPE0(Arb(n, k, n)) and Arb_soft(n, k) represents the example TYPE2(Arb(n, k, n)).
(Table 3 body not recoverable here; column headings: Example, Soft Requirement, A_soft, GODSC.)

In the above table we have explored different versions of Minepump based on different soft requirements (shown in column 2 of the table) with the same hard requirement MineAssume => MineCommit. It can be argued that these controllers have different quality attributes. For example, MPV1 gives rise to a controller that aggressively gets rid of water by keeping the pump on whenever possible. MPV3 saves power by keeping the pump off as much as possible. On the other hand, MPV2 aggressively keeps the pump on but opts for a safer policy of not keeping the pump on for two cycles even after the methane is gone (here mpsr indicates that the pump is kept off iff methane was present in the last two cycles).
F Comparison with Other Tools
In Table 4 we compare the performance of DCSynth with a few leading tools for LTL synthesis, but without any soft requirement, as these tools do not support soft requirements; only examples with hard requirements are considered. The QDDC examples are manually translated into bounded LTL properties to give them as input to Acacia+ [4] and BoSy [7]. The online version of the BoSy tool was used, which enforces a maximum timeout of 600 seconds. For the other tools, a local installation on a Linux (Ubuntu 16.04) system with an Intel i5 64-bit, 2.5 GHz processor and 4 GB memory was used with a timeout of 3600 seconds. In this comparison DCSynth was used with the symbolic algorithm for both MPNC and GODSC computation. Note that for these examples the GODSC algorithm always terminates after 1 iteration, as the examples have no soft requirements, so DCSynth chooses one of the possible outputs from the MPNC.

Table 4. Comparison of synthesis in Acacia+, BoSy and DCSynth, in terms of controller computation time and memory and the number of states of the controller automaton. The Minepump as well as the Arb_tok(n) specifications can be found in the full version [

As the comparison table above shows, the DCSynth approach seems to outperform the state-of-the-art tools in scalability and controller computation time. This is largely due to the pragmatic design choices made in the logic QDDC and the tool DCSynth.
It can also be seen that BoSy often results in a controller with fewer states. BoSy is specifically optimized to resolve non-determinism so as to obtain fewer states. In our case, the tool is optimized to satisfy the maximal number of soft requirements. It would be interesting to merge the two techniques for the best results.
