Automatica 41 (2005) 1965 – 1972 www.elsevier.com/locate/automatica
Brief paper
Syntax-based synthesis for temporal-safety supervision*

Kiam Tian Seow
School of Computer Engineering, Nanyang Technological University, 50 Nanyang Avenue, Singapore 639798, Singapore
Received 8 July 2003; received in revised form 18 February 2005; accepted 26 May 2005. Available online 18 August 2005.

* This paper was not presented at any IFAC meeting. This paper was recommended for publication in revised form by Associate Editor Xiren Cao under the direction of Editor I. Petersen.
E-mail address: [email protected]
0005-1098/$ - see front matter © 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.automatica.2005.05.011

Abstract

This paper presents a supremal-control generalization of a temporal version of supervisory control for temporal-safety in discrete-event systems. The generalization is an outcome of the development of a temporal logic equations approach formulated using unary transformer concepts borrowed mainly from the predicate and predicate transform theory of Dijkstra and Scholten. The proposed syntax-based approach has not hitherto been formally augmented to the temporal logic framework, and is shown to parallel and to generalize the boolean equations approach proposed in the existing predicate control theory of Kumar, Garg and Marcus. A detailed example, which cannot be handled by the existing predicate control theory, demonstrates how the natural language basis of temporal logic for requirement specification and syntax-based control synthesis can be unified in a common logic framework. © 2005 Elsevier Ltd. All rights reserved.

Keywords: Discrete-event systems; Control synthesis; Temporal logic

1. Introduction

Temporal logic (Manna & Pnueli, 1992) is a useful formalism for specifying qualitative control requirements of discrete-event systems (DES’s). The well-known advantages of this formalism are its expressiveness and readability that facilitate the specification and explanation of control requirements in a natural language fashion. A number of research efforts on supervisory control using various versions of temporal logic (e.g., Barbeau, Kabanza, & St.-Denis, 1998; Lin, 1991; Lin & Ionescu, 1990; Ostroff & Wonham, 1990; Thistle & Wonham, 1986) have been motivated by these advantages. In this paper, we present a temporal logic approach to supervisory control in the control-theoretic sense of Ramadge and Wonham (1987a). The approach is further motivated by the opportunity for syntax-based control synthesis
using the temporal proof system (Manna & Pnueli, 1992) and techniques of logic reasoning (Ross & Wright, 1988). It extends and elaborates recent work on a temporal logic version (Seow, 2002; Seow & Devanathan, 1996) of the original supervisory control theory (Ramadge & Wonham, 1987a). The control requirement considered is a temporal-safety formula (Manna & Pnueli, 1992) that can be translated into the canonical form P (read: always P or invariance of P), where P is a past formula. The temporal-safety class is the base class of a hierarchy of temporal classes with recognizable canonical forms in a safety-progress classification (Manna & Pnueli, 1992). This class of control requirements is of basic significance to supervisory control, since a supervised DES invariably satisfies some safety formula attributable to the actions of supervision. The new development in this paper generalizes the temporal theory of state-feedback control for temporal-safety (Seow & Devanathan, 1996) using a temporal-logic equations approach for the synthesis of supremal control. Supremal control, in essence, is a good control approximation which is close to the ideal optimal (Seow & Devanathan, 1996) that often may not exist. It refers to a weakest control
solution that resides within the reachability of past formula P, i.e., within which every state that is reached under control satisfies P. To find such solutions, the temporal-logic equations approach utilizes the concepts of unary transformer borrowed from predicate theory (Dijkstra & Scholten, 1990; Kumar, Garg, & Marcus, 1993). The boolean equations approach introduced in Kumar et al. (1993) is based on such transformer concepts, and it has resulted in the derivation of a closed-form formula—a weakest control solution—as an extremal solution of a suitable set of boolean equations characterizing the predicate concept of u -invariance and the boundary condition(s) of reachability within a given predicate. The work reported herein may be viewed as an attempt to augment temporal logic with a parallel (or similar) meta-operator framework which, to the best of our knowledge, has not hitherto been formalized in the temporal logic literature. Quite importantly, as will be shown, incorporating the concepts of transformer (also called operator in our terminology) of this existing approach yields a temporal logic-based synthesis algorithm for supremal control. The syntax-based synthesis algorithm follows from an extremal closed-form solution of a suitable set of temporal-logic equations characterizing the temporal concept of u -invariance and the boundary condition of reachability within a given past formula. The synthesis algorithm computes dynamic state-feedback control solutions which are maximally permissive. The control is dynamic in the sense that, in general, in conforming to some past formula, not all event strings that lead to the same state will necessarily result in the same control action at that state. This can be seen as a generalization of the predicate-based algorithm developed in Ramadge and Wonham (1987b, p. 1211, Proposition 8.1) which computes static state-feedback control solutions.
Thus, while the temporal logic equations approach may be a modest augmentation to temporal logic, it provides a fundamental basis that extends the applicability of temporal logic for syntax-based control synthesis of temporal-safety. On conceptually related work, in the language approach, a closed-form formula for the supremal controllable (prefix) closed language with respect to a closed language has been derived in Kumar (1991, p. 44, Theorem 3.3.16). In the predicate approach, a closed-form formula for the supremal controllable predicate has been derived in Kumar et al. (1993, p. 241, Theorem 4.12). An equivalent formulation has been derived in Li and Wonham (1993, p. 1218, Proposition 8). These supremal control results are conceptually parallel to the temporal results in this paper, in the sense that the respective formalisms of predicate logic (Kumar et al., 1993; Li & Wonham, 1993) and prefix-closed languages (Kumar, 1991; Ramadge & Wonham, 1987a) can be said to characterize different language versions of the same notion of safety. Further discussions with other related syntax-based and temporal logic approaches may be found in Seow (2002).
2. Background

2.1. DES model

The DES G to be controlled—called the plant—is modelled by a basic transition system. Let G given by

G = (, Q, , , )    (1)

denote the DES (or plant) G, where denotes the state variable set which is typed; the type of each variable u ∈ indicates the domain Range(u) over which the variable ranges; Q denotes the state set, defined to be the product of the ranges of the variables in , i.e., Q = ui ∈ Range(ui ), such that a state q ∈ Q is uniquely characterized by an instantiation of the values of each u ∈ ; denotes the finite event set partitioned into two disjoint sets, viz., the set of controllable events c and the set of uncontrollable events u ; : × Q → Q is a deterministic and partial state transition function such that for each q ∈ Q, (, q) is defined for some ∈ ; is the initial condition, a boolean valued formula that characterizes the set of initial states Q0 ⊂ Q of G, i.e., any state q0 ∈ Q0 provided q0 satisfies (denoted by q0 ).

2.2. Temporal logic for DES

The temporal logic adopted for the proposed framework is linear time temporal logic (LTL) (Manna & Pnueli, 1992). LTL is a language of predicate logic augmented with a temporal operator set to facilitate reasoning over sequences of states. There are two groups of temporal operators, viz., past and future, that abstract the sequence of states implying the passage of time in terms of (temporal) past and future, respectively. The future temporal operators include (next), (always), ♦ (eventually), U (until) and W (unless). The past operators include (previously), (has-always-been), (once), S (since) and B (back-to).

2.2.1. Syntax

The LTL formulae are constructed from a finite set of propositional symbols P, the boolean connectives ∧ (and) and ¬ (not), and the temporal operators which can be classified into unary and binary operator sets, Tu and Tb , respectively. Let T ∈ Tu and Tb ∈ Tb . The formula formation rules are: (1) every propositional symbol ps ∈ P is a formula; (2) if , 1 and 2 are formulae, so are ¬, 1 ∧ 2 , T() and 1 Tb 2 .
The language also includes propositional constants true (validity) and false (inconsistency) defined, respectively, by the abbreviations (≡): true ≡ ¬ ∨ and false ≡ ¬ ∧ .
In addition, the following abbreviations are used, which respectively define the related connectives ∨ (or), → (implies) and ↔ (equals): 1 ∨ 2 ≡ ¬(¬1 ∧ ¬2 ), 1 → 2 ≡ ¬1 ∨ 2 and 1 ↔ 2 ≡ (1 → 2 ) ∧ (2 → 1 ).
2.2.2. Semantics

A string over an event set can be viewed as a mapping e : {0, . . . , i, . . .} → such that e = e(0)e(1) · · · e(i) · · ·, where e(i) ∈ . Then, in the context of DES G, e is an event string generated by G provided there exists a ‘labelling’ of the string by states I : {0, . . . , i, . . .} → Q such that I = I (0) − I (1) − · · · − I (i) − · · · , where I (i) = qi ∈ Q, for which (1) I (0) = q0 (the initial label is an initial state); (2) I (i + 1) = (e(i), I (i)). Such a labelling I is an arbitrary state trajectory or interpretation of G. The k-suffix of I is qk − qk+1 · · · qi · · ·, k 0, and denoted by I (k). Note that I (0) = I . The LTL formulae expressed over a given DES G are interpreted over models of the form (I, ), where : {0, . . . , k, . . .} × P → {true, false} is a binary function that evaluates a propositional symbol ps in the k-th state I (k), i.e.,

(k, ps ) = true if ps holds in qk ∈ Q, and false otherwise.

The model (I, ) is understood, and so we simply write qk ps if a propositional symbol ps holds (i.e., is satisfied) in state qk ∈ Q. We write I (k) if the k-suffix of an arbitrary trajectory I satisfies formula . It should be clear that the evaluations of a propositional symbol ps over a k-suffix I (k) and in the kth state I (k) are semantically equivalent, i.e., I (k) ps iff qk ps . In addition to the standard rules for boolean connectives, LTL uses the following rules for temporal operators that establish the satisfaction of a suffix trajectory over a LTL formula: for a state index k, k 0, a propositional symbol ps , formulae , 1 and 2 ,

• I (k) ps iff (k, ps ) = true;
• I (k) iff I (k+1) ;
• I (k) iff for all j k, I (j ) ;
• I (k) 1 U 2 iff there is a j, j k, such that I (j ) 2 and for all i, k i < j , I (i) 1 ;
• I (k) 1 W 2 iff I (k) 1 or I (k) 1 U 2 ;
• I (k) iff k > 0 and I (k−1) ;
• I (k) iff (k = 0) or I (k−1) ;
• I (k) w iff for all j, 0 j k, I (j ) .
A LTL formula is said to be satisfiable if it is satisfied by some I or I (k). The definitions of all other temporal operators, of no immediate relevance to this paper, may be found in Manna and Pnueli (1992) and Seow (1997). Where appropriate, we write “under , w1 ↔ w2 ” to mean (w1 ↔ w2 ). Let I(G) be the set of interpretations defined over a DES G. Since we are interested only in all interpretations that constitute a DES model G, the notion of G-validity of a formula , denoted G , is important: G iff (∀I ∈ I(G), I ). By the soundness of the temporal proof system (Manna & Pnueli, 1992), a theorem , denoted , that is established either generally or with respect to (the axioms of) G, is G-valid. Hence where it is clear in the context, we use the general theorem notation w (or simply w) to denote G w.

2.3. State feedback supervision

Formally, a state feedback supervisor for DES model G is a map f : I(G) → , where = { | : → {0, 1}}, such that for each suffix trajectory I (k) = qk − qk+1 − qk+2 − · · ·, its -component f at qk ∈ Q is defined as f (qk ) = (). At qk ∈ Q, an event ∈ c is said to be enabled if () = 1, and disabled if () = 0. For all events ∈ u , () = 1. Only an enabled event can occur. The supervisor issues a new control pattern in response to new state values (i.e., state information) due to a discrete state change triggered by an event occurrence in the DES, and is hence termed a state feedback supervisor.

2.4. Control of the safety class

This section summarizes the terminology and fundamental results for temporal-safety control, as reported in Seow (2002) and Seow and Devanathan (1996).

2.4.1. Terminology

Definition 1 (-Transition). : → (Q → {0, 1}) is a system transition logic (function) defined along any trajectory I ∈ I(G), I = q0 − q1 · · · − qk − qk+1 − · · ·, at qk ∈ Q by

(qk ) = 1 if ( ∈ ) and qk+1 = (, qk ), and 0 otherwise.
c and u denote ∈c and ∈u , respectively.

Definition 2. For ∈ ,
• I (j ) (P ) iff (j > 0) and I (j −1) ( ∧ P );
• I (j ) (P ) iff I (j ) ( → P ).
Operators c and u are used to denote ∈c and ∈u , respectively. The former operator is the (temporal) ‘strongest controllable postcondition’, and the latter is the ‘weakest liberal uncontrollable precondition’.

2.4.2. Basic concepts and results

The notion of an invariant, of which a past formula, i.e., a formula that contains no future operators, is an important special case, is first defined and discussed.

Definition 3 (Invariant). An arbitrary formula R is called an invariant iff there exists a past formula p such that [R ↔ p].

Remark 4. Note that trivially, R could be taken to be p. A significant implication of the invariant concept is that, in general, when [R ↔ p], in order to ensure the invariance of p, the invariant R that the supervisor uses (if it exists) need not be congruent to the past formula p, i.e., it is possible that ¬[R ↔ p]. This will be demonstrated in the proof of Theorem 20.

An invariant R is said to be initially satisfied provided R.

Definition 5 (u -Invariance). An invariant A is said to be u -invariant (with respect to G) iff G (A → u (A)).

Intuitively, by Definition 5, that an invariant A is u -invariant means that whenever it is true, it will remain true under the evolution of an uncontrollable event. The following considers a safety formula of the canonical form P , where P is a past formula.

Definition 6 (Invariance Controllability). P is said to be controllable (with respect to G) iff G P W{¬P ∧ c (P )}.

Definition 6 intuitively says that P is controllable with respect to DES G provided that from an initial state, past formula P always remains true along an arbitrary trajectory of DES G unless it becomes false through a controllable event-transition.

Proposition 7. P is controllable (with respect to G) iff G P ∧ { P → u (P )}.
Controllability of P and u -invariance of P are related by the following.

Corollary 8. P is controllable iff P is u -invariant and initially satisfied.

Remark 9. The definition of an invariant reported herein is more general than that in Seow and Devanathan (1995, 1996), and results in a slightly different formulation, viz., the u -invariance of past formula P first formulated in Seow and Devanathan (1995, 1996) is referred herein and in Seow (1997, 2002) as the u -invariance of past formula P instead. The more general definition of an invariant is necessary in order to extend the proposed study to supremal-controllability, as subsequent development in this paper would show.

3. Unary operator theory

A temporal theory of unary operators T ∈ Tu that utilizes unary transformer concepts borrowed from predicate theory (Dijkstra & Scholten, 1990; Kumar et al., 1993) has been developed (Seow, 1997). Though in a different context, these operator properties and associated existence results for the extremal solution of a ‘temporal logic’ invariance equation parallel those given in Kumar et al. (1993) and Dijkstra and Scholten (1990). An invariance equation is of the form [T1 (R) → T2 (R)] for T1 , T2 ∈ Tu , where R is a ‘variable’ to be solved for. The following definitions of operator properties are directly relevant to the exposition of this paper.

Definition 10. Consider T ∈ Tu . T is said to be monotone if [P → Q] → [T(P ) → T(Q)]; disjunctive if (T( ∈ P ) ↔ ∈ T(P )); and conjunctive if (T( ∈ P ) ↔ ∈ T(P )). ( denotes an arbitrary indexing set.)

Lemma 11. Consider T ∈ Tu . T conjunctive implies that T is monotone.

Definition 12. The conjunctive closure of T, written as T∗ , is defined to be n 0 Tn , where T0 is defined to be an identity operator and Tn , for n > 0, is defined such that for an arbitrary P, [Tn (P ) ↔ T(T(T(· · · T(P ) · · ·)))] (n times).

Definition 13 (Duality). Consider a disjunctive T ∈ Tu and arbitrary P , R. Then the dual of T, denoted by T⊥ , is related to T by the following:

(T(P ) → R) ↔ (P → T⊥ (R)).

Lemma 14. If T is disjunctive, then its dual T⊥ is conjunctive.

Definition 15. Consider T ∈ Tu , P. The restriction of T to P, denoted by T|P , is an operator defined by: (T|P (R) ↔ T(P ∧ R) ∧ P ) for each R.
Logically, the proofs of all unary operator results are quite similar to those of the corresponding results in the predicate approach (Kumar et al., 1993), and may be found in Seow (1997). Herein, we only show the proof of a principle which is the extremal solution to the following two simultaneous equations (in R), viz., (CE) and (SE). A similar proof style is used for every result developed under the unary operator theory.

CE (T(R) → R),
SE (R → V ),

where T ∈ Tu is disjunctive and V is an arbitrary constant. An arbitrary disjunctive (unary) operator T in (CE) represents some form of system evolution. Intuitively, taking the two equations together, any such operator T in (CE) over a disjunctive component of R always maintains the truth of R, and hence the given V, the bound of R as specified in (SE). As a subsequent section will show, the synthesis result for supremal control of DES’s follows from the extremal solution to an ‘instance’ of this pair of equations. Solving for an extremal R that has such system invariance properties, (CE) and (SE), is first presented in this section, and should be of more general interest. The following two lemmas (Seow, 1997), stated without proof, are needed to establish the principle. Note that for economy of notations, T⊥∗ stands for (T⊥ )∗ .

Lemma 16. Let T ∈ Tu be monotone. (P → T(P )) ↔ (P → T∗ (P )).

Lemma 17. Consider a disjunctive T ∈ Tu . T⊥∗ is conjunctive and monotone.

Define an extremal operator ↑ such that V ↑ is a weakest solution (in R) of the simultaneous equations, (CE) and (SE), in the sense that for any solution A of these two equations, (A → V ↑ ). Hence the following principle.

Theorem 18 (Supremum Principle). Given that T ∈ Tu is disjunctive in Eq. (CE). Then V ↑ exists for Eqs. (CE) and (SE) such that [V ↑ ↔ T⊥∗ (V )].

Proof. We first show that T⊥∗ (V ) is a solution (in R) of (CE).
1. ( n 0 (T⊥ )n (V ) → n 1 (T⊥ )n (V )) by PR¹
2. (T⊥∗ (V ) → T⊥ ( n 0 (T⊥ )n (V ))) by 1, definition of T⊥∗ and PR
3. (T⊥∗ (V ) → T⊥ (T⊥∗ (V ))) by 2, definition of T⊥∗ and PR
4. (T(T⊥∗ (V )) → T⊥∗ (V )) by 3, Definition 13 of T⊥ and PR
5. T⊥∗ (V ) is a solution (in R) of (CE) by 4.

Next, we show that T⊥∗ (V ) is a solution (in R) of (SE).
1. ( n 0 Tn (V ) → n=0 Tn (V )) by PR
2. (T⊥∗ (V ) → V ) by 1, definition of T⊥∗ and PR
3. T⊥∗ (V ) is a solution (in R) of (SE) by 2.

Finally, we show that T⊥∗ (V ) is a weakest solution (in R) of (CE) and (SE). Assume that A is any solution (in R) of (CE) and (SE).
1. (T(A) → A) since A is a solution of (CE)
2. (A → T⊥ (A)) by 1 and Definition 13 of T⊥
3. T⊥ is monotone by disjunctive T, Lemmas 14, 11 and PR
4. (A → T⊥∗ (A)) by 2, 3, Lemma 16 and PR
5. (A → V ) since A is a solution of (SE)
6. T⊥∗ is monotone by Lemma 17
7. (T⊥∗ (A) → T⊥∗ (V )) by 5, 6 and PR
8. (A → T⊥∗ (V )) by 4, 7 and PR
9. T⊥∗ (V ) is a weakest solution (in R) of (CE) and (SE) by 8.

Rewriting Step 9 using the definition of V ↑ , the result follows.

¹ ‘PR’ (Ostroff, 1989) stands for Propositional Reasoning, and any logic rule or theorem quoted under this generic label ‘PR’ includes those found in Ross and Wright (1988).

4. Supremal control

In supremal control, the focus is to find a weakest control solution that resides within the reachability of P , i.e., P .

4.1. Weakest u -invariant formula—closed-form

It has been established in Corollary 8 that a safety formula P is controllable if and only if P is u -invariant and initially satisfied. Thus, to weaken the concept to supremal-controllability of P , we need to find a weakest formula R which is an invariant (of Definition 3) not weaker than P , is u -invariant and also initially satisfied. Hence the following formal definition.

Definition 19 (Supremal-Controllability). P is supremal-controllable² iff there exists a weakest invariant R such that R is initially satisfied and (R → u (R)), (R → P ) both hold.

Consider the following two equations (in R).

CE-INV (R → u (R)) (Characteristic Equation)
SE-INV (R → P ) ( P -Maximal Boundary)

² Here, the word is hyphenated to conceptually distinguish the definition from supremal controllable subspaces, viz., characterizations that are both supremal (with respect to set inclusion or logical weakness) and controllable (with respect to a DES), as defined in existing language and predicate approaches.
Solving the simultaneous equations, as in the proof of Theorem 20, yields a closed-form formula for ( P )↑ that denotes a weakest invariant R.

Theorem 20. Invariant ( P )↑ exists for Eqs. (CE-INV) and (SE-INV) such that G [( P )↑ ↔ u∗ ( P )].

Proof. It can be easily shown that the dual of u is u . Thus, (CE-INV) ≡ ( u (R) → R). Since u is disjunctive and P is a constant, the result follows directly from Theorem 18 by putting (V ↔ P ). Also, we have:

P
↔ ( P ) by definitions of and
↔ ( P ) by T3: [p ↔ p], FX0 (Manna & Pnueli, 1992, p. 217): p → p and PR
↔ i 0 i ( P ) by definition that ≡ ∗
↔ i 0 iu ( P ) by the fact that (i ( P ) → iu ( P )) and PR
↔ u∗ ( P ) by Definition 12 of conjunctive closure, i.e., [u∗ ( P ) ↔ P ].

Therefore, ( P )↑ is an invariant by Definition 3. Hence the theorem.

In this case, invariant ( P )↑ is the supremal u -invariance of past formula P which is defined as a weakest solution in R satisfying both Eqs. (CE-INV) and (SE-INV).

Theorem 21. P is supremal-controllable iff G P ↑ , where P ↑ is defined by [P ↑ ↔ u∗ (P )].

Proof. Since P ↑ denotes u∗ (P ) as stated, it follows by the fact [u∗ ( P ) ↔ u∗ (P )] and PR that ( P )↑ ↔ P ↑ . Thus, by Definition 19, Theorem 20 and the proven fact that [( P )↑ ↔ P ↑ ], the result follows.

Finally, as Theorem 21 indicates, the formula of interest is in the simpler form of P ↑ . The next section presents an algorithm to compute it.

4.2. Supremal control computation

Under , define the sequence of formulae by

R0 ↔ P , Rj +1 ↔ H(Rj ), j = 0, 1, 2, . . . ,    (2)

where (H(R) ↔ P ∧ u (R)). This leads to the following result.

Proposition 22. The sequence defined by (2) is monotone decreasing, in the sense that for any j 0, (Rj +1 → Rj ) and (P ↑ ↔ ∞ j =0 Rj ).

Proof. By PR and definition of u , for n 0,

(Hn (P ) ↔ n i=0 iu (P )).

Note that for n 0, (Rn ↔ Hn (P )). Thus by PR, for any j 0, (Rj +1 → Rj ) and hence the sequence (2) is monotone decreasing. By Theorem 21 and PR, it follows that under , P ↑ ↔ ∞ j =0 Rj .

Remark 23. By Proposition 22, the sequence defined by (2) is an algorithm to compute P ↑ —a dynamic (weakest) control solution. It can be seen as a generalization of the predicate-based algorithm developed in Ramadge and Wonham (1987b, p. 1211, Proposition 8.1) which computes a static (weakest) control solution. The sequence defined by (2) is in general infinitely long. However, if the DES G is finite state, then for propositional temporal logic formulae, a bound b exists for which Rb+1 ↔ Rb (under ), since such formulae are expressively equivalent to finite automata. Such a bound is a function of the size of the DES state space and the length of the temporal logic formula.
5. Example: cat and mouse

As an illustration of how a supremal control problem may be solved, we consider a simple traffic flow problem (Ramadge & Wonham, 1987b). We also demonstrate how the natural language basis of temporal logic may assist in formalizing a requirement specification for syntax-based control synthesis in a common logic framework.

A cat and a mouse dwell in a maze as shown in Fig. 1. The gates, , are used exclusively by the cat, the gates, −) (−, by the mouse, and can be traversed only in the direction shown. By taking the rooms as states, the transition structures for the cat and the mouse can be modelled as shown in Fig. 2. As usual, the initial state of each structure is labelled with an entering arrow (→•). All events except event c7 are controllable (i.e., can be allowed by opening the respective gate—‘enabled’, or disallowed by closing it—‘disabled’, via an external agent) and indicated by a dash across the event-transition. More formally, the elements of the CAT–MOUSE DES model G can be described as follows:
• = {ck , ml : 1 k 7, 1 l 6}, where an event ck /ml represents the instantaneous movement of the cat/mouse from one room to another through the respective gate.
• Q = {(i, j ) : 0 i 4, 0 j 4}, where the value of i ∈ indicates the room the cat is occupying and that of j ∈ indicates the room the mouse is occupying at an arbitrary state q ∈ Q.
• q0 = (2, 4) (initial state).
• u = {c7 }.
[Fig. 1. Maze for cat and mouse.]
[Fig. 2. Transition structures for cat and mouse.]

Suppose the control requirement is informally stated as follows: The mouse must be protected from the cat unless the mouse has previously committed an offence. In other words, the mouse’s ‘safety’ would no longer be assured if it has once committed an offence! Now, assume that the mouse is protected from the cat provided it is never in the same room as the cat. Also, the mouse’s entrance into Room 1 is viewed as the one and only ‘offence’. Then the control requirement may be re-stated more concretely as follows: The cat and the mouse must not be in the same room unless the mouse has been to Room 1 previously. Before formalizing this requirement in terms of the variables of the CAT–MOUSE DES model, consider the following corollary (Seow, 1997), stated without proof.

Corollary 24. For arbitrary P1 , P2 , [P1 W P2 ↔ ( (¬P2 ) → P1 )].

The requirement stated informally above paraphrases formula (i ≠ j ) W (j = 1). Therefore, by Corollary 24, we can formalize, in a canonical form, the requirement as P , where past formula P denotes [ (j ≠ 1) → (i ≠ j )].

The control requirement P is not controllable with respect to DES G. To see this, consider the following trajectory I ∈ I(G):

I = (2, 4) −m5→ (2, 3) −c3→ (0, 3) −c1→ (1, 3) −c7→ (3, 3) −→ · · · ,    (3)

in which q0 = (2, 4), q3 = (1, 3) and q4 = (3, 3). By observation, it is clear that

I ( [ (j ≠ 1) → (i ≠ j )] → c7 [ (j ≠ 1) → (i ≠ j )])

is false since up to state q3 ∈ Q of I ∈ I(G), i ≠ j , but in transiting via the only uncontrollable event c7 ∈ u to state q4 ∈ Q, it becomes that i = j , although j has never been equal to 1 in all previous states (i.e., state qi ∈ Q, 0 i 3). Therefore, controllability (of P ) fails because there is an I ∈ I(G) which violates (makes false) the formula P ∧ [ P → u (P )] which must be G-valid (i.e., holds for all I ∈ I(G)) for controllability to hold (see Proposition 7).

To prove the supremal-controllability of P , we first use Algorithm (2) to compute P ↑ . Then, by systematic syntactic manipulation (Seow & Devanathan, 1999), it can be shown that under ,

R0 ↔ P ↔ [ (j ≠ 1) → (i ≠ j )],
R1 ↔ H(R0 ) ↔ P ∧ u (P ) ↔ P ∧ ( c7 → { (j ≠ 1) → [(i, j ) ≠ (1, 3)] ∧ [(i, j ) ≠ (3, 1)]}), where the last conjunct is abbreviated Ac7 ,
R2 ↔ H(R1 ) ↔ P ∧ u (R1 ) ↔ P ∧ Ac7 ↔ R1 .

Hence, by Proposition 22 and PR,

[P ↑ ↔ P ∧ ( c7 → { (j ≠ 1) → [(i, j ) ≠ (1, 3)] ∧ [(i, j ) ≠ (3, 1)]})].

It is obvious that P ↑ is initially satisfied. Hence, by Theorem 21, supremal-controllability of P holds.

Remark 25. This example highlights the control synthesis of a more general specification that, apparently, cannot be addressed by the existing predicate approach (Kumar et al., 1993; Ramadge & Wonham, 1987b). The predicate framework is apparently a lower-level paradigm which does not support useful operators such as Unless W, Weak previously , Has-always-been and the associated reasoning mechanism to naturally describe the control requirement for control synthesis. Moreover, the results based on predicate
theory can be viewed as a special case in the proposed approach.

6. Conclusion

This paper presents a temporal logic approach to syntax-based (supremal) control synthesis for temporal-safety. The approach is an outcome of augmenting a temporal logic control framework with an equations approach developed using concepts of unary (predicate) transformers (Dijkstra & Scholten, 1990; Kumar et al., 1993). Compared to the boolean equations approach proposed in the existing predicate control theory of Kumar et al. (1993), the research effort is shown to parallel in terms of the utilization of unary transformer concepts, and to generalize in terms of the predicate notion of a ‘fixed state set’ being elevated to a larger class of specifications under the invariance of a past formula. A detailed example, which cannot be handled by the existing predicate control theory as discussed in Remark 25, shows how the natural language basis of temporal logic for requirement specification and syntax-based control synthesis can be unified in a common framework. It would be ideal to automate as much as possible the synthesis process as illustrated in the example of Section 5. Thus, one important direction for further work would be to implement a computer synthesis program or perhaps, adapt the STeP software (Manna & STEP Group, 1995)— a temporal logic theorem prover and verifier based on the same version of temporal logic—to support automated or semi-automated synthesis.
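The synthesis of Section 5 carried out by machine, as an added example that is not code from the paper: the sequence (2) of Section 4.2 is iterated on the cat-and-mouse plant until R_{b+1} ↔ R_b, with the past operator in P handled by augmenting the plant state with one history bit, and the resulting state-feedback patterns show the dynamic nature of the solution. The maze transition structure below is an assumption (the standard Ramadge–Wonham maze), since Fig. 2 is not reproduced above.

```python
"""Supremal u-invariant P^ via the sequence (2) on the cat-and-mouse plant.
Added example, not code from the paper; the maze transitions below are an
assumption (the standard Ramadge-Wonham maze, since Fig. 2 is not reproduced)."""

# Transitions (room_from, room_to) per event; c7 is a two-way door between
# rooms 1 and 3 and is the only uncontrollable event.  ASSUMED structure.
CAT = {"c1": [(0, 1)], "c2": [(1, 2)], "c3": [(2, 0)], "c4": [(0, 3)],
       "c5": [(3, 4)], "c6": [(4, 0)], "c7": [(1, 3), (3, 1)]}
MOUSE = {"m1": [(0, 2)], "m2": [(2, 1)], "m3": [(1, 0)],
         "m4": [(0, 4)], "m5": [(4, 3)], "m6": [(3, 0)]}
EVENTS = list(CAT) + list(MOUSE)
UNCONTROLLABLE = {"c7"}

# Extended state (i, j, h): cat room, mouse room, and the history bit h =
# "the mouse has once been in Room 1", so has-always-been(j != 1) iff not h.
INITIAL = (2, 4, False)


def step(state, event):
    """Partial transition function on extended states (None when undefined)."""
    i, j, h = state
    for src, dst in CAT.get(event, []):
        if src == i:
            return (dst, j, h)
    for src, dst in MOUSE.get(event, []):
        if src == j:
            return (i, dst, h or dst == 1)
    return None


def reachable():
    """Every extended state the uncontrolled plant can reach from INITIAL."""
    seen, frontier = {INITIAL}, [INITIAL]
    while frontier:
        s = frontier.pop()
        for ev in EVENTS:
            t = step(s, ev)
            if t is not None and t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen


def holds_P(state):
    """Past formula P: has-always-been(j != 1) -> (i != j)."""
    i, j, h = state
    return h or i != j


def wlp_u(state, R):
    """Weakest liberal uncontrollable precondition of R at one state: every
    defined uncontrollable successor lies in R."""
    return all(step(state, ev) is None or step(state, ev) in R
               for ev in UNCONTROLLABLE)


def is_u_invariant(R):
    """Definition 5 on a state set: R -> wlp_u(R) holds at every state of R."""
    return all(wlp_u(s, R) for s in R)


def supremal_invariant():
    """Sequence (2): R0 = P, R_{j+1} = H(R_j) = P and wlp_u(R_j), iterated
    until R_{b+1} == R_b.  Returns [R0, R1, ..., R_{b+1}] as state sets."""
    p_states = {s for s in reachable() if holds_P(s)}
    seq = [p_states]
    while True:
        prev = seq[-1]
        nxt = {s for s in p_states if wlp_u(s, prev)}
        seq.append(nxt)
        if nxt == prev:
            return seq


def control_pattern(state, R):
    """State-feedback pattern f(q) keeping the closed loop inside R: a
    controllable event is enabled iff its successor is in R; uncontrollable
    events are always enabled."""
    return {ev for ev in EVENTS
            if step(state, ev) is not None
            and (ev in UNCONTROLLABLE or step(state, ev) in R)}


if __name__ == "__main__":
    seq = supremal_invariant()
    print("P itself u-invariant (i.e. controllable)?", is_u_invariant(seq[0]))
    print("bound b with R_{b+1} <-> R_b:", len(seq) - 2)
    print("states removed from P:", seq[0] - seq[-1])
    print("initial state satisfies P^:", INITIAL in seq[-1])
    # Same rooms (0, 3), different history: the control action differs.
    for s in [(0, 3, False), (0, 3, True)]:
        print(s, "enabled:", sorted(control_pattern(s, seq[-1])))
```

Under the assumed maze the only reachable state dropped from P is (1, 3) with the mouse never yet in Room 1, which is exactly the state from which the uncontrollable c7 leads to (3, 3) in trajectory (3); the bound b = 1 matches R2 ↔ R1 above.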
References

Barbeau, M., Kabanza, F., & St.-Denis, R. (1998). A method for the synthesis of controllers to handle safety, liveness, and real-time constraints. IEEE Transactions on Automatic Control, 43(11), 1543–1559.
Dijkstra, E. W., & Scholten, C. S. (1990). Predicate calculus and program semantics. New York: Springer.
Kumar, R. (1991). Supervisory synthesis techniques for discrete event dynamical systems. Ph.D. thesis, Faculty of the Graduate School, The University of Texas at Austin, USA.
Kumar, R., Garg, V. K., & Marcus, S. I. (1993). Predicate and predicate transformers for supervisory control of discrete event dynamical systems. IEEE Transactions on Automatic Control, 38(2), 232–247.
Li, Y., & Wonham, W. M. (1993). Control of vector discrete event systems I—the base model. IEEE Transactions on Automatic Control, 38(8), 1214–1227 (Correction in Vol. 39, p. 1771).
Lin, F. (1991). Analysis and synthesis of discrete event systems using temporal logic. In Proceedings of the IEEE international symposium on intelligent control (pp. 140–145). Arlington, VA, USA.
Lin, J.-Y., & Ionescu, D. (1990). A generalized temporal logic approach for control problems of a class of nondeterministic discrete event systems. In Proceedings of the 29th IEEE international conference on decision and control (pp. 3440–3445). Honolulu, Hawaii, USA.
Manna, Z., & Pnueli, A. (1992). The temporal logic of reactive and concurrent systems: specification. New York: Springer.
Manna, Z., & the STEP Group. (1995). STeP: The Stanford Temporal Prover (Educational Release), User’s Manual. Technical Report STAN-CS-TR-95-1562, Computer Science Department, Stanford University.
Ostroff, J. S. (1989). Appendix A: Formal overview of temporal logic and Appendix B: Temporal logic theorems and rules. In Temporal logic for real time systems, advanced software development series (pp. 155–171, 172–183). New York: Research Studies Press Ltd., Wiley.
Ostroff, J. S., & Wonham, W. M. (1990). A framework for real-time discrete event control. IEEE Transactions on Automatic Control, 35(4), 386–397.
Ramadge, P. J., & Wonham, W. M. (1987a). Supervisory control of a class of discrete event processes. SIAM Journal of Control and Optimization, 25(1), 206–230.
Ramadge, P. J., & Wonham, W. M. (1987b). Modular feedback logic for discrete event systems. SIAM Journal of Control and Optimization, 25(5), 1202–1218.
Ross, K. A., & Wright, C. R. B. (1988). Discrete mathematics (2nd ed.), chapter 2.2: Propositional Calculus. Englewood Cliffs, NJ: Prentice-Hall (Tables on Logical Equivalences, Logical implications and Rules of inference).
Seow, K. T. (1997). A temporal logic approach to supervisory control of discrete-event systems. Doctor of Philosophy (Ph.D.) thesis, School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore.
Seow, K. T. (2002). Existence characterizations of temporal-safety supervisors. IEEE Transactions on Automatic Control, 47(10), 1779–1783.
Seow, K. T., & Devanathan, R. (1995). A temporal logic approach to discrete event control. In Proceedings of the IEEE international conference on robotics and automation (pp. 1435–1440). Nagoya, Japan.
Seow, K. T., & Devanathan, R. (1996). A temporal logic approach to discrete event control for the safety canonical class. Systems and Control Letters, 28(4), 205–217.
Seow, K. T., & Devanathan, R. (1999). Control computation and complexity of temporal-safety in discrete-event systems. In Proceedings of the American control conference (pp. 1976–1980). San Diego, CA, USA.
Thistle, J. G., & Wonham, W. M. (1986). Control problems in a temporal logic framework. International Journal of Control, 44(4), 943–976.

Kiam Tian Seow received the B.Eng. (Hons) degree from The National University of Singapore, Singapore, in 1990 and the M.Eng. and Ph.D. degrees from Nanyang Technological University (NTU), Singapore, in 1993 and 1998, respectively, all in electrical engineering and computer science. In February 2003, he joined the School of Computer Engineering, NTU, where he currently is an Assistant Professor. He has held visiting research appointments with the Systems Control Group, University of Toronto, ON, Canada, in 1997, the Korea Advanced Institute of Science and Technology, Daejeon, Korea, in 2002, the Nippon Telegraph and Telephone Corporation (NTT) Communication Science Laboratories, Kyoto, Japan, in 2003, and the Institute of Information Science, Academia Sinica, Taipei, Taiwan, in 2005. His research interests include intelligent agents and multiagent systems, supervisory control of discrete-event systems and temporal logic, with emphasis on their mutual connections and applications. Dr. Seow is an Elected Member of Sigma Xi, The Scientific Research (Honor) Society, USA (since 2005), and is listed in Marquis Who’s Who in Science and Engineering (7th edition, 2003).