## Section: Scientific Foundations

### Control synthesis

**The supervisory control problem** is concerned with ensuring
(not only checking) that a computer-operated system works correctly.
More precisely, given a specification model and a required property,
the problem is to control the specification's behavior, by coupling
it to a supervisor, such that the controlled specification satisfies
the property [30]. The models used are LTSs and the associated
languages, which make a distinction between *controllable* and
*non-controllable* actions and between *observable* and
*non-observable* actions. Typically, the controlled system is
constrained by the supervisor, which acts on the system's
controllable actions and forces it to behave as specified by the
property. The control synthesis problem can be seen as a constructive
verification problem: building a supervisor that prevents the system
from violating a property. Several kinds of properties can be ensured,
such as reachability, invariance (i.e. safety), attractivity, etc.
Techniques adapted from model checking are then used to compute the
supervisor w.r.t. the objectives. Optimality must be taken into
account, as one often wants to obtain a supervisor that constrains
the system as little as possible.

**Supervisory control theory overview**. Supervisory control
theory deals with the control of Discrete Event Systems. In this theory,
the behavior of the system $S$ is assumed not to be fully
satisfactory. Hence, it has to be reduced by means of a feedback
control (named Supervisor or Controller) in order to achieve a given
set of requirements [30]. Namely, if $S$ denotes the
specification of the system and $\Phi$ is a safety property that has
to be ensured on $S$ (i.e. $S \nvDash \Phi$), the problem consists
in computing a supervisor $\mathcal{C}$ such that

$$S \parallel \mathcal{C} \;\vDash\; \Phi \qquad (1)$$

where $\parallel$ is the classical parallel composition between two
LTSs. Given $S$, some events of $S$ are said to be uncontrollable
($\Sigma_{uc}$), i.e. the occurrence of these events cannot be
prevented by a supervisor, while the others are controllable
($\Sigma_{c}$). This means that not all the supervisors satisfying
(1) are good candidates. In fact, the behavior of the
controlled system must respect an additional condition that happens to
be similar to the $ioco$ conformance relation that we previously
defined in 3.3. This condition is called the *controllability condition*
and is defined as follows.

$$\mathcal{L}(S \parallel \mathcal{C})\,\Sigma_{uc} \;\cap\; \mathcal{L}(S) \;\subseteq\; \mathcal{L}(S \parallel \mathcal{C}) \qquad (2)$$

Namely, when acting on $S$, a supervisor is not allowed to disable uncontrollable events. Given a safety property $\Phi$ that can be modeled by an LTS $A_{\Phi}$, there actually exist many different supervisors satisfying both (1) and (2). Among all the valid supervisors, we are interested in computing the supremal one, i.e. the one that restricts the system as little as possible. It has been shown in [30] that such a supervisor always exists and is unique. It gives access to a behavior of the controlled system that is called the supremal controllable sub-language of $A_{\Phi}$ w.r.t. $S$ and $\Sigma_{uc}$. In some situations, it may also be interesting to force the controlled system to be non-blocking (see [30] for details).

The underlying techniques are similar to the ones used for Automatic Test Generation. They consist in computing a product between the specification and $A_{\Phi}$ and then removing from the obtained LTS the states that may lead, by triggering only uncontrollable events, to states that violate the property.
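The product-and-prune computation described above, as an added worked example (not code from the report or from the team's tools): the specification $S$, the property LTS $A_{\Phi}$, the event names and the function names `product` and `supremal_supervisor` are all constructed here. Removing the states from which a violation is reachable through uncontrollable events alone yields the supremal controllable behavior; the supervisor then enables, in each surviving state, only the controllable events whose target survived.

```python
# Constructed illustration (not the report's own tool) of product-and-prune synthesis.
from collections import defaultdict

def product(S, A_phi, s0, q0):
    """Synchronous product of S and A_phi (both: state -> {event: next}).
    An event S enables but A_phi refuses is a violation, not a transition."""
    prod, violations = {}, defaultdict(set)
    todo, seen = [(s0, q0)], {(s0, q0)}
    while todo:
        s, q = todo.pop()
        prod[(s, q)] = {}
        for e, s2 in S[s].items():
            if e not in A_phi[q]:
                violations[(s, q)].add(e)      # trace would leave L(A_phi)
                continue
            nxt = (s2, A_phi[q][e])
            prod[(s, q)][e] = nxt
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return prod, violations

def supremal_supervisor(prod, violations, uncontrollable):
    """Prune states from which a violation is reachable by uncontrollable events
    only; then enable, in each surviving state, the events whose target survived."""
    bad = {st for st, evs in violations.items() if evs & uncontrollable}
    while True:                                # backward closure on Sigma_uc
        new = {st for st, trans in prod.items() if st not in bad and
               any(e in uncontrollable and nxt in bad for e, nxt in trans.items())}
        if not new:
            break
        bad |= new
    good = set(prod) - bad
    enabled = {st: {e for e, nxt in prod[st].items() if nxt in good} for st in good}
    return good, enabled

# Constructed specification: a session may start work without logging in.
S = {"idle": {"login": "auth", "skip": "work"},
     "auth": {"start": "work", "drop": "idle"},
     "work": {"done": "idle", "crash": "fail"},
     "fail": {"reset": "idle"}}
UNCONTROLLABLE = {"drop", "crash"}        # the supervisor cannot refuse these
EVENTS = {e for trans in S.values() for e in trans}
# Safety property A_phi: a crash is only tolerated once a login has occurred.
A_PHI = {"q0": {e: ("q1" if e == "login" else "q0") for e in EVENTS - {"crash"}},
         "q1": {e: "q1" for e in EVENTS}}

def synthesize():
    prod, viol = product(S, A_PHI, "idle", "q0")
    return supremal_supervisor(prod, viol, UNCONTROLLABLE)
```

Since `crash` is uncontrollable, the unauthenticated `work` state cannot be kept safe once reached, so the only admissible supervisor action is to disable the controllable `skip` in the initial state; after a `login` the property holds in every reachable state and nothing is restricted.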