Section: Scientific Foundations

Control synthesis

The supervisory control problem is concerned with ensuring (not only checking) that a computer-operated system works correctly. More precisely, given a system model and a required property, the problem is to control the model's behavior, by coupling it to a supervisor, such that the controlled system satisfies the property [28]. The models used are LTSs and the associated languages, where one distinguishes between controllable and non-controllable actions and between observable and non-observable actions. Typically, the controlled system is constrained by the supervisor, which can block the system's controllable actions in order to force it to behave as specified by the property. The control synthesis problem can be seen as a constructive verification problem: building a supervisor that prevents the system from violating a property. Several kinds of properties can be enforced, such as reachability, invariance (i.e. safety), attractivity, etc. Techniques adapted from model checking are used to compute the supervisor. Optimality must be taken into account, as one often wants a supervisor that constrains the system as little as possible.

Supervisory control theory overview. Supervisory control theory deals with the control of Discrete Event Systems. In this theory, the behavior of the system S is assumed not to be fully satisfactory. Hence, it has to be restricted by means of a feedback control (named Supervisor or Controller) in order to achieve a given set of requirements [28]. Namely, if S denotes the model of the system and Φ a safety property to be enforced on S, the problem consists of computing a supervisor 𝒞 such that


where $\parallel$ is the classical parallel composition of LTSs. Given S, some events of S are said to be uncontrollable ($\Sigma_{uc}$), i.e., the occurrence of these events cannot be prevented by a supervisor, while the others are controllable ($\Sigma_c$). It follows that not all the supervisors satisfying (1) are good candidates. The behavior of the controlled system must respect an additional condition that happens to be similar to the ioco conformance relation previously defined in 3.3. This condition is called the controllability condition and it may be stated as

$$\mathcal{L}(S \parallel \mathcal{C})\,\Sigma_{uc} \;\cap\; \mathcal{L}(S) \;\subseteq\; \mathcal{L}(S \parallel \mathcal{C}) \qquad (2)$$

Namely, when acting on S, a supervisor is not allowed to disable uncontrollable events. Given a safety property Φ, which can be modeled by an LTS $A_\Phi$, there actually exist many different supervisors satisfying both (1) and (2). Among all the valid supervisors, we are interested in computing the supremal one, i.e. the one that restricts the system as little as possible. It has been shown in [28] that such a supervisor always exists and is unique. It gives access to a behavior of the controlled system that is called the supremal controllable sub-language of $A_\Phi$ w.r.t. S and $\Sigma_{uc}$. In some situations, it may also be interesting to force the controlled system to be non-blocking (see [28] for details).

The underlying techniques are similar to the ones used for Automatic Test Generation. They consist of computing the product of the system model and $A_\Phi$ and then removing the states of the product from which a violation of the property can be reached by triggering only uncontrollable events.
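The product-and-prune computation just described, together with a check of the controllability condition (2), is shown below as an added example; it is not code from the report or from the team's tools. The plant S (a small session-handling service with controllable `login`/`logout`/`elevate`/`run` events and uncontrollable `ok`/`fail`/`autorun`/`done`/`crash` events), the property automaton $A_\Phi$ ("`crash` never occurs"), and the function names are all constructed for this illustration. The backward fixpoint is what distinguishes synthesis from plain model checking: a state is discarded not only when it violates Φ but also when an uncontrollable event leads from it into an already discarded state, because the supervisor is not allowed to block that event.

```python
from collections import deque

# Constructed plant S (assumption, not from the page): a session service.
PLANT_INIT = "q0"
PLANT_TRANS = {                 # (state, event) -> next state, deterministic
    ("q0", "login"): "q1",
    ("q1", "ok"): "q2",
    ("q1", "fail"): "q0",
    ("q2", "elevate"): "q3",
    ("q2", "logout"): "q0",
    ("q3", "run"): "q4",
    ("q3", "autorun"): "q4",    # uncontrollable: the plant may start the job itself
    ("q3", "logout"): "q0",
    ("q4", "done"): "q0",
    ("q4", "crash"): "q5",      # uncontrollable failure
}
UNCONTROLLABLE = {"ok", "fail", "autorun", "done", "crash"}

# Constructed property automaton A_Phi: "crash never occurs". Missing
# transitions are self-loops (other events are ignored); "bad" is a sink.
PROP_INIT = "p0"
PROP_TRANS = {("p0", "crash"): "bad"}
PROP_BAD = {"bad"}


def prop_step(p, e):
    return PROP_TRANS.get((p, e), p)


def enabled(trans, x):
    """Events with an outgoing transition from state x."""
    return {e for (q, e) in trans if q == x}


def product(plant_init, plant_trans, prop_init):
    """Reachable part of S || A_Phi: (init, transitions, states)."""
    init = (plant_init, prop_init)
    trans, seen, todo = {}, {init}, deque([init])
    while todo:
        s, p = todo.popleft()
        for (q, e), q2 in plant_trans.items():
            if q != s:
                continue
            nxt = (q2, prop_step(p, e))
            trans[((s, p), e)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return init, trans, seen


def synthesize(plant_init, plant_trans, prop_init, prop_bad, uncontrollable):
    """Supremal supervisor for the safety property, or None if none exists."""
    init, trans, states = product(plant_init, plant_trans, prop_init)
    # Step 1: product states in which the property is already violated.
    bad = {x for x in states if x[1] in prop_bad}
    # Step 2: backward fixpoint. A state from which an uncontrollable event
    # enters `bad` must itself be removed, since the supervisor cannot disable it.
    changed = True
    while changed:
        changed = False
        for (x, e), y in trans.items():
            if x not in bad and e in uncontrollable and y in bad:
                bad.add(x)
                changed = True
    if init in bad:
        return None
    # Step 3: keep transitions between surviving states. Controllable transitions
    # into `bad` are exactly the ones the supervisor disables.
    sup_trans, seen, todo = {}, {init}, deque([init])
    while todo:
        x = todo.popleft()
        for (x0, e), y in trans.items():
            if x0 == x and y not in bad:
                sup_trans[(x, e)] = y
                if y not in seen:
                    seen.add(y)
                    todo.append(y)
    return init, sup_trans, seen


def controllable_wrt(plant_trans, sup_states, sup_trans, uncontrollable):
    """Condition (2): every uncontrollable event the plant enables in a reachable
    state of S || C must also be enabled in S || C."""
    return all(((s, p), e) in sup_trans
               for (s, p) in sup_states
               for e in enabled(plant_trans, s) & uncontrollable)


def disabled_by_supervisor(plant_trans, sup_states, sup_trans):
    """(plant state, event) pairs the supervisor blocks."""
    return {(s, e) for (s, p) in sup_states
            for e in enabled(plant_trans, s) if ((s, p), e) not in sup_trans}


if __name__ == "__main__":
    init, sup_trans, sup_states = synthesize(
        PLANT_INIT, PLANT_TRANS, PROP_INIT, PROP_BAD, UNCONTROLLABLE)
    print("supervisor states:", sorted(sup_states))
    print("disabled:", disabled_by_supervisor(PLANT_TRANS, sup_states, sup_trans))
    print("controllable:", controllable_wrt(PLANT_TRANS, sup_states, sup_trans, UNCONTROLLABLE))
```

On this plant the fixpoint removes `q4` (uncontrollable `crash`) and then `q3` (uncontrollable `autorun` into `q4`), so the only event the supervisor actually blocks is the controllable `elevate` in `q2`. A naive supervisor that merely deletes the `crash` transition from the product would keep `q4` and violate (2); `controllable_wrt` rejects it.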