Source: home.eng.iastate.edu/~rkumar/PUBS/ctrl-tl.pdf (PDF dated 2006-02-26)

SIAM J. CONTROL OPTIM. © 2006 Society for Industrial and Applied Mathematics, Vol. 44, No. 6, pp. 2079–2103

SUPERVISORY CONTROL OF DISCRETE EVENT SYSTEMS WITH CTL* TEMPORAL LOGIC SPECIFICATIONS∗

SHENGBING JIANG† AND RATNESH KUMAR‡

Abstract. The supervisory control problem of discrete event systems with temporal logic specifications is studied. The full branching time logic of CTL* is used for expressing specifications of discrete event systems. The control problem of CTL* is reduced to the decision problem of CTL*. A small model theorem for the control of CTL* is obtained. It is shown that the control problem of CTL* (resp., CTL) is complete for deterministic double (resp., single) exponential time. A sound and complete supervisor synthesis algorithm for the control of CTL* is provided. Special cases of the control of computation tree logic (CTL) and linear-time temporal logic are also studied.

Key words. discrete event system, supervisory control, temporal logic, computation tree logic, linear-time temporal logic

AMS subject classifications. 93C65, 93B05

DOI. 10.1137/S0363012902409982

1. Introduction. Discrete event systems (DESs) involve discrete-valued quantities that evolve in response to certain discrete qualitative changes, called events. Examples of events include arrival of a customer in a queue, termination of an algorithm in a computer program, loss of a message packet in a communication network, and breakdown of a machine in a manufacturing system. The theory of supervisory control of DESs was introduced by Ramadge and Wonham [28] for designing controllers so that the controlled system satisfies certain desired qualitative constraints, such as a buffer in a manufacturing system should never overflow, or a message sequence in a communication network must be received in the same order as it was transmitted. Many extensions of the basic supervisory control problem such as control with partial observations, decentralized control, modular control, control of nondeterministic systems, and control of infinite behaviors represented by ω-languages, have been studied [16].

In the supervisory control framework for discrete-event systems, an uncontrolled discrete event system, called plant, is modeled as a state machine, the event set of which is finite and is partitioned into the set of controllable and uncontrollable events. The language generated by such a state machine is used to describe the behavior of the plant at the logical level. The control task is formulated as that of the synthesis of a controller, called a supervisor, which exercises control over the plant by dynamically disabling some of the controllable events so that the plant achieves a certain desired behavior, called a specification, which is typically expressed as a formal language.

∗Received by the editors June 18, 2002; accepted for publication (in revised form) July 18, 2005; published electronically January 6, 2006. The research was supported in part by the National Science Foundation under grants NSF-ECS-9709796, NSF-ECS-0099851, NSF-ECS-0218207, NSF-ECS-0244732, NSF-EPNES-0323379, and NSF-0424048, a DoD-EPSCoR grant through the Office of Naval Research under grant N000140110621, and a KYDEPSCoR grant. This work was performed while the authors were with the Department of Electrical and Computer Engineering, University of Kentucky.

http://www.siam.org/journals/sicon/44-6/40998.html

†GM, R&D and Planning, Warren, MI 48090-9055 ([email protected]).

‡Department of Electrical & Computer Engineering, Iowa State University, Ames, IA 50011 ([email protected]).


In this paper, we consider temporal logic [6, 12] as a means to express the control specification.

Temporal logic was studied initially to investigate the manner in which temporal operators are used in natural language arguments [11]. It provided a formal way of qualitatively describing and reasoning about how the truth values of assertions change over time. In [27], Pnueli first argued that temporal logic is appropriate for reasoning about nonterminating concurrent programs such as operating systems and network communication protocols. Now temporal logic is a widely active area of research and has been used in all aspects of concurrent program design, including specification, verification, and mechanical program synthesis.

Temporal logic is an effective means of control specification, and researchers have used it for this purpose. For example, [32, 21, 23, 22, 4] used linear-time temporal logic (LTL); [25, 24] used real-time temporal logic (RTTL) and [2] used metric temporal logic (MTL) (both RTTL and MTL are LTL with real time constraints); [1] used computation tree logic (CTL). Temporal logic was also used in [14, 26, 34, 30, 31] for the study of discrete event systems.

These works on a temporal logic approach for control of discrete event systems are limited in one way or other. For example, the main focus in [32, 21, 22, 25] was verification and analysis (no synthesis was performed). In [23, 24], methods were given for the supervisor synthesis for systems with safety specifications only. In [4] supervisory synthesis for propositional-LTL formulas is considered; no test for the existence of a supervisor is provided, a supervisor is synthesized based only on a “one-step look-ahead,” and all controllable events are unobservable. In [2], a sound but not complete (see Remark 7) algorithm was given for the synthesis of supervisors for systems with MTL specifications. In [1], the control problem for systems with CTL specifications was studied. But there are some errors and limitations with the result of [1]. First, the semantics of CTL is defined by using ∗-languages (languages of finite strings [16]) in [1]. This is incorrect, since CTL has a branching-time structure and it is known ([6], and also Example 1) that CTL and ∗-languages are incomparable. Besides, CTL can express liveness properties which cannot be expressed by ∗-languages. Second, only state-based supervisors were considered in [1]. (Such a supervisor determines its control based only on the present state, ignoring the information about the state sequence the plant has visited in the past.) Third, the algorithm presented in [1], which works for a restricted class of CTL formulas and has a linear complexity in the number of states in the plant and the length of the CTL formulas, is erroneous (see Remark 6).

The work on “module checking” [20] can be viewed as dual to a supervisory control problem. The goal there is to have an “open system” (a plant in the setting of supervisory control) so that the “closed system” (the controlled system in the setting of supervisory control) satisfies the given CTL* specification for all possible environments (supervisors in the setting of supervisory control). Dually, in the setting of supervisory control, the goal is to have an open system so that the closed system satisfies the given CTL* specification for at least one possible environment. Duality lies in the following equivalence: an open system has the property that all the closed systems (that are induced by the various environments) satisfy a CTL* specification f if and only if it is not the case that there exists an environment so that the closed system satisfies the specification ¬f. Note that the former is a module-checking problem whereas the latter is a supervisory control problem.

With the above analogy, our work on supervisory control can be viewed as an extension of the work presented in the setting of module checking. In the setting of module checking, the state set is partitioned into the system states and the environment states, and any subset of the feasible events can occur when the system is in one of its environment states. This, in our setting of supervisory control, translates to having

1. states where either all events are controllable (the environment states of module checking) or all events are uncontrollable (the system states of module checking), and

2. the supervisor (the environment in the setting of module checking) is a deterministic system.

Our setting is more general: all states can have some events that are controllable and others that are uncontrollable, and the supervisor we design can be a nondeterministic system. (See Example 1.)

The setting of “control of reactive systems” [18] has a more ambitious goal: synthesize a controller (which disables events in system states) so that the controlled system satisfies the given CTL* specification for all possible environments (which disable events in environment states). Since it is again possible to disable a set of feasible events in a system state (through a controller), this, in the supervisory control setting, translates to having the following:

1. all events are controllable in all states, and

2. the supervisor is a deterministic system.

As explained above, such restrictions are not present in the setting of supervisory control. It should be noted that in the setting of “control of reactive systems,” there are two types of “players,” a controller/supervisor and the environment. The supervisory control setting allows only one type of player, namely, a controller/supervisor, whereas the environment is always the “maximal” one (that never disables any event). Thus there are also some differences between the settings.

The work on “robust satisfaction” [19] does consider nondeterministic environments (i.e., supervisors). But the composition mechanism, through which the system and the environment interact, brings about additional restrictions, namely,

1. all events in all states are controllable,

2. exactly one controllable event is enabled in each state, and

3. the environment only “observes” the current state of the system (and not the particular event executed by the system).

The existence of the first two restrictions can be argued as follows: in the setting of “robust satisfaction,” the environment, based on its present state, generates a unique output (which is an input for the system) that enables that particular event (and nothing else) in the system. Note that by outputting a certain event, the environment can enable that particular event in the system (equivalently, disable others), thereby making all events controllable in all states of the system. A justification for the third restriction is that the environment updates its state based on only the output generated by the system, which is a function of only the system’s state. It should be noted that the setting of “robust satisfaction” allows a type of partial observation since the interacting systems only observe each others’ outputs, whereas the supervisory control setting we consider assumes a complete observation of events. Thus there are also some differences between the two settings.

In this paper we study the supervisory control problem for plants possessing uncontrollable events with specifications expressed in the full branching time logic of CTL* and allowing supervisors to be nondeterministic. The reason for allowing nondeterminism is that the class of nondeterministic supervisors is more powerful than that of deterministic ones, as is illustrated by Example 1, which makes it possible for a supervisor to exist for a larger class of CTL* specifications. Our approach to supervisor synthesis is based on reduction to satisfiability: We show that a supervisor exists if and only if a certain CTL* specification is satisfiable, and whenever this holds a corresponding satisfying model serves as a supervisor. A corollary of this result is that a deterministic supervisor exists if and only if a deterministic satisfying model exists. Thus the approach developed here can be used to determine the existence of a general nondeterministic as well as a deterministic supervisor, and furthermore following our approach a supervisor (nondeterministic or deterministic) can be obtained when one exists.

Note that randomized nondeterministic control is commonly used in the setting of stochastic systems (see, for example, [15]), whereas the use of nondeterministic supervisors in the context of discrete-event systems was first explored in [13]. A formal definition of a nondeterministic control policy, its representation as a nondeterministic state machine, and a means to implement it (also see Remark 2) were first introduced in [17]. The nondeterminism in a supervisor state machine is represented by nondeterministic choices and epsilon-transitions. A nondeterministic choice corresponds to randomly choosing one of the control decisions (from among a set of choices determined off-line) on an observation, whereas an epsilon-transition corresponds to randomly changing the control decision (again in accordance with choices determined off-line) without any observation. As explained in [17], a nondeterministic choice can be implemented by a “coin-toss,” whereas an epsilon-transition can be implemented using a “random-timer.” The results in [17] indicate that when the desired specification is language based, there is no gain to having nondeterministic control (over deterministic control) under complete observation of events. However, the situation is different when there is partial observation: a weaker notion of observability is needed for the existence of the supervisor. Further, this weaker property is algebraically better behaved than observability (for example, it is closed under union). The present paper demonstrates that even under complete observation of events there is a gain to having nondeterministic supervisors if the desired specifications are expressed in CTL* (which is more expressive than the language-based specifications).

The paper is organized as follows. First a brief introduction to CTL* is given. Next, the control problem of CTL* is reduced to the decision problem of CTL* and a small model theorem for the control of CTL* is derived. It is further shown that the control problem of CTL* (resp., CTL) is complete for deterministic double (resp., single) exponential time, where a decision problem is said to be complete for a certain computation complexity if both the lower and upper complexity bounds of the problem are the same. A sound and complete supervisor synthesis algorithm for the control of CTL* is provided. Special cases of the control of computation tree logic (CTL) and linear-time temporal logic (LTL) are also studied. For these special cases we are able to provide more efficient algorithms. Finally, an illustrative example is given.

2. Introduction to CTL* and tree automaton. CTL* is also called full branching time logic because of its branching time structure, i.e., at each moment, there may exist alternate courses representing different possible futures. It was proposed in [7] as a unifying framework, subsuming both CTL and LTL, as well as a number of other logic systems. Here we give a brief introduction to CTL*. For a complete introduction to temporal logic, see [6].

Let M = (Q, AP, R, L) be a state transition graph (also called a Kripke structure [6]), where Q is the set of states (finite or infinite), AP is a finite set of atomic proposition symbols, R ⊆ Q × Q is a total transition relation, i.e., for every s ∈ Q there is an s′ ∈ Q such that R(s, s′), and L : Q → 2^AP is a function that labels each state with the set of atomic propositions that are true at that state. A path in M is defined as an infinite sequence of states, π = (s_0(π), s_1(π), ...) such that for every i ∈ {0, 1, ...}, (s_i(π), s_{i+1}(π)) ∈ R.

Using the atomic propositions and boolean connectives such as conjunction, disjunction, and negation, we can construct more complex expressions describing properties of states. However, we are also interested in describing the properties of sequences (and more generally of tree structures) of states that the system can visit. Temporal logic is a formalism for describing properties of sequences of states as well as of tree structures of states. Such properties are expressed using temporal operators and path quantifiers of the temporal logic. These operators and quantifiers can be nested with boolean connectives to generate more complex temporal logic specifications.

The following temporal operators are used for describing the properties along a specific path:

• X (“next time”): requires that a property hold in the next state of the path.

• U (“until”): used to combine two properties. The combined property holds if there is a state on the path where the second property holds, and at every preceding state on the path, the first property holds.

• F (“eventually” or “in the future”): used to assert that a property will hold at some future state on the path.

• G (“always” or “globally”): specifies that a property holds at every state on the path.

• B (“before”): also combines two properties. It requires that if there is a state on the path where the second property holds, then there exists a preceding state on the path where the first property holds.

We have the following relations among the above operators, where f and g denote temporal logic specifications:

• Ff ≡ true U f,

• Gf ≡ ¬F¬f,

• fBg ≡ ¬(¬f U g).

Thus one can use X and U to express the other temporal operators.

To describe the branching time structure starting at a particular state, two path quantifiers are used:

• A: for all paths, and

• E: for some path.

These two quantifiers are used in a particular state to specify that all the paths or some of the paths starting at that state have some property. The two quantifiers are related by

• A ≡ ¬E¬.

There are two types of formulas in CTL*: state formulas (which are true in a specific state) and path formulas (which are true along a specific path). Now we give the definition of CTL* formulas. In the following we assume that p is an atomic proposition, f1 and f2 are state formulas, and g1 and g2 are path formulas.

Syntax. We inductively define a class of state formulas using rules S1–S3 below and a class of path formulas using rules P1–P3 below:

S1 If p ∈ AP, then p is a state formula.

S2 If f1 and f2 are state formulas, then so are ¬f1 and f1 ∧ f2.

S3 If g1 is a path formula, then Eg1 and Ag1 are state formulas.

P1 Each state formula is also a path formula.

P2 If g1 and g2 are path formulas, then so are ¬g1 and g1 ∧ g2.

P3 If g1 and g2 are path formulas, then so are Xg1 and g1 U g2.

CTL* formulas are the state formulas generated by the above rules. The length of a formula is the number of boolean, temporal, and path quantifier operators in the formula.

The restricted logic CTL is obtained by restricting the syntax to disallow boolean combinations and nestings of temporal operators. Formally, rules P1–P3 are replaced by

P0 If f1 and f2 are state formulas, then Xf1 and f1 U f2 are path formulas.

Then CTL formulas are the state formulas generated by rules S1–S3 and P0.

The logic LTL is obtained by removing rules S2–S3, i.e., LTL formulas are state formulas of the form Ag, where g is any path formula generated by rules S1 and P1–P3. Note that instead of defining LTL as path formulas (g) as in [6], we define LTL as state formulas (Ag) as in [3]. This is because for the LTL control problem studied in this paper, we want all paths starting from the initial state of the plant to satisfy some required property, which can be expressed by an LTL formula of the form Ag.

Note that the only restriction in CTL is that every temporal operator in the formula is immediately preceded by a path quantifier, whereas the only restriction in LTL is that except for the path quantifier A appearing at the beginning of the formula no other path quantifiers exist in the formula. CTL and LTL have different expressive power. For example, the CTL formula AGEFp cannot be expressed by any LTL formula, and the LTL formula AFGp cannot be expressed by any CTL formula, but AGp can be viewed as either a CTL formula or an LTL formula.

Semantics. We define the semantics of CTL* with respect to a state transition graph M = (Q, AP, R, L). For a state formula f, the notation ⟨M, s⟩ ⊨ f (resp., ⟨M, s⟩ ⊭ f) means that f holds (resp., does not hold) at state s in M. For a path formula g, the notation ⟨M, π⟩ ⊨ g (resp., ⟨M, π⟩ ⊭ g) means that g holds (resp., does not hold) along the path π in M. The relation ⊨ is defined inductively as follows:

1. ⟨M, s⟩ ⊨ p if and only if p ∈ L(s), for p ∈ AP.

2. ⟨M, s⟩ ⊨ ¬f1 if and only if ⟨M, s⟩ ⊭ f1.

3. ⟨M, s⟩ ⊨ f1 ∧ f2 if and only if ⟨M, s⟩ ⊨ f1 and ⟨M, s⟩ ⊨ f2.

4. ⟨M, s⟩ ⊨ Eg1 if and only if there exists a path π starting at s such that ⟨M, π⟩ ⊨ g1.

5. ⟨M, s⟩ ⊨ Ag1 if and only if for every path π starting at s, we have ⟨M, π⟩ ⊨ g1.

6. ⟨M, π⟩ ⊨ f if and only if ⟨M, s_0(π)⟩ ⊨ f, for any state formula f.

7. ⟨M, π⟩ ⊨ ¬g1 if and only if ⟨M, π⟩ ⊭ g1.

8. ⟨M, π⟩ ⊨ g1 ∧ g2 if and only if ⟨M, π⟩ ⊨ g1 and ⟨M, π⟩ ⊨ g2.

9. ⟨M, π⟩ ⊨ Xg1 if and only if ⟨M, π^1⟩ ⊨ g1, where π^1 = (s_1(π), s_2(π), ...).

10. ⟨M, π⟩ ⊨ g1 U g2 if and only if there exists a k such that ⟨M, π^k⟩ ⊨ g2 and for all j ∈ {0, 1, ..., k − 1}, ⟨M, π^j⟩ ⊨ g1, where π^k = (s_k(π), s_{k+1}(π), ...).

Remark 1. In the above, CTL* is interpreted over nonterminating paths. In some cases, we may need to study systems with terminating behaviors. Then the definition of CTL* semantics needs to be extended to finite paths. In this paper, we only consider systems with nonterminating behaviors and hence use only the above definition.

The following examples show that temporal logic formulas can be used to express properties such as safety, nonblocking, liveness, and stability.

AGp means that “for all paths (A) starting at the present state, globally (G) at every state along these paths p is true.” It is a safety property.

AGEFp means that “for all paths (A) starting from the present state, globally (G) for every state along these paths there exists (E) a path starting from that state such that in the future (F) p holds at a state on that path.” It is a nonblocking property.

AG(p1 ⇒ AFp2) means that “for all paths (A) starting from the present state, globally (G) for every state s along these paths, if p1 is true at the state s, then p2 will be true at some subsequent state along every path (AF) starting from the state s.” It is a liveness property.

AFGp means that “for all paths (A) starting from the present state, eventually (F) p holds globally (G).” It is a property of stability which requires that the system should eventually reach a set of states where p holds and stay there forever.
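As an added illustration (not part of the original paper), the following Python code implements the CTL fragment of the semantics above by fixpoint computation over a finite Kripke structure and evaluates the example properties at a state of a small constructed structure. AFGp is an LTL formula with no CTL equivalent, so it is checked by a separate cycle test that is valid only on finite structures; the CTL formula AF AG p is evaluated alongside it because it is the natural CTL approximation of AFGp and differs from it on this structure, which makes the expressiveness gap mentioned earlier concrete. The structure KRIPKE, its state names, and all function names are assumptions of the example.

```python
# Added example (not from Jiang & Kumar): explicit-state CTL model checking on a
# finite Kripke structure M = (Q, AP, R, L) via the fixpoint characterisations of
# EX, EU and EG, plus a cycle-based check of the LTL formula AFGp.
# KRIPKE below is a constructed structure used for illustration.

TRUE = ("true",)

def ap(p):           return ("ap", p)
def neg(f):          return ("not", f)
def conj(f, g):      return ("and", f, g)
def implies(f, g):   return neg(conj(f, neg(g)))   # f => g  is  not(f and not g)
def EX(f):           return ("EX", f)
def EU(f, g):        return ("EU", f, g)
def EG(f):           return ("EG", f)
def EF(f):           return EU(TRUE, f)            # Ff == true U f
def AF(f):           return neg(EG(neg(f)))        # A == not E not,  Gf == not F not f
def AG(f):           return neg(EF(neg(f)))
def AX(f):           return neg(EX(neg(f)))

# Kripke structure: Q (states), R (state -> successor set, must be total), L (state -> labels).
# Constructed so that AFGp holds at s0 but AF AG p does not.
KRIPKE = (
    {"s0", "s1", "s2"},
    {"s0": {"s0", "s1"}, "s1": {"s2"}, "s2": {"s2"}},
    {"s0": {"p"}, "s1": {"q"}, "s2": {"p"}},
)

def check_total(M):
    """The semantics require R to be total; refuse structures with dead states."""
    Q, R, _ = M
    dead = sorted(s for s in Q if not R[s])
    if dead:
        raise ValueError(f"R is not total; states without successors: {dead}")

def pre(M, T):
    """States with at least one successor in T (this is EX over the set T)."""
    Q, R, _ = M
    return {s for s in Q if R[s] & T}

def sat(M, f):
    """Set of states of M satisfying the CTL formula f."""
    Q, R, L = M
    op = f[0]
    if op == "true":
        return set(Q)
    if op == "ap":
        return {s for s in Q if f[1] in L[s]}
    if op == "not":
        return set(Q) - sat(M, f[1])
    if op == "and":
        return sat(M, f[1]) & sat(M, f[2])
    if op == "EX":
        return pre(M, sat(M, f[1]))
    if op == "EU":   # least fixpoint  Z = S2 ∪ (S1 ∩ pre(Z))
        s1, s2 = sat(M, f[1]), sat(M, f[2])
        z = set(s2)
        while True:
            nz = z | (s1 & pre(M, z))
            if nz == z:
                return z
            z = nz
    if op == "EG":   # greatest fixpoint  Z = S1 ∩ pre(Z)
        z = sat(M, f[1])
        while True:
            nz = z & pre(M, z)
            if nz == z:
                return z
            z = nz
    raise ValueError(f"unknown operator {op!r}")

def holds(M, s, f):
    check_total(M)
    return s in sat(M, f)

def reachable(R, start):
    seen, stack = set(), [start]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(R[s])
    return seen

def holds_AFG(M, s, p):
    """LTL formula AFGp at s. A path violates FGp iff it visits a not-p state
    infinitely often; on a finite structure that happens iff some not-p state
    reachable from s lies on a cycle (is reachable from one of its successors)."""
    _, R, L = M
    for t in reachable(R, s):
        if p not in L[t] and any(t in reachable(R, u) for u in R[t]):
            return False
    return True

def check_examples(M=KRIPKE, s="s0"):
    p, q = ap("p"), ap("q")
    return {
        "AG p":          holds(M, s, AG(p)),                  # safety
        "AG EF p":       holds(M, s, AG(EF(p))),              # nonblocking
        "AG(q => AF p)": holds(M, s, AG(implies(q, AF(p)))),  # liveness
        "AF AG p":       holds(M, s, AF(AG(p))),              # CTL approximation of stability
        "AFG p (LTL)":   holds_AFG(M, s, "p"),                # stability
    }

if __name__ == "__main__":
    for name, value in check_examples().items():
        print(f"{name:16s} {value}")
```

At s0 the safety property fails (s1 lacks p), nonblocking and liveness hold, and the two readings of stability disagree: every path from s0 eventually stays in p-states (AFGp holds), yet the path that loops on s0 forever never reaches a state from which p holds on all continuations (AF AG p fails). The fixpoint loops terminate on finite structures only, and check_total enforces the totality of R that the semantics assume.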

Definition 1. We say that a state formula f is satisfiable provided that for some state transition graph M and some state s in M we have ⟨M, s⟩ ⊨ f, in which case M is called a model for f.

The decision problem of a temporal logic formula is to test whether the given formula is satisfiable. We have the following results for the decision problems of CTL* and CTL.

Theorem 1 (see [9, 5]). Given a CTL* formula f, f is satisfiable if and only if it is satisfiable in a finite state transition graph with number of nodes at most double exponential in the length of the formula f.

Theorem 2 (see [6]). The decision problem of CTL* (resp., CTL) is complete for deterministic double (resp., single) exponential time.

Theorem 1 is called the small model theorem for the decision of CTL*. It states that a CTL* formula is satisfiable if and only if it is satisfiable in a small finite model, where small means that the size of the model is bounded by some function of the length of the given formula. Theorem 2 states that the lower as well as the upper bound of the complexity of the decision problem for CTL* (resp., CTL) is deterministic double (resp., single) exponential in the length of the given formula. (By double (resp., single) exponential we mean exp(exp(n)) (resp., exp(n)), where exp(n) is a function c^n for some c > 1.)

To test the satisfiability of a CTL* formula f, we have the following sound and complete decision procedure [6, 9, 8], the complexity of which is double exponential in the length of the specification CTL* formula.

1. Derive a Rabin tree automaton for the CTL* formula f [9]. The number of states (resp., acceptance condition pairs) of the Rabin tree automaton is double (resp., single) exponential in the length of the formula f.

2. Test the emptiness of the Rabin tree automaton [8]. If the Rabin tree automaton is empty, then the CTL* formula f is not satisfiable; otherwise the formula f is satisfiable, and a model for f can be extracted from the Rabin tree automaton. The complexity of this step is polynomial in the number of states of the Rabin tree automaton and exponential in the number of acceptance condition pairs of the Rabin tree automaton.

The notion of Rabin tree automaton is described below. For simplicity, we consider only finite automata on infinite binary trees. The infinite binary tree is the set T = pr({0, 1}^ω), i.e., the set of all finite words over {0, 1} (the prefixes of the infinite words). The elements of T are called nodes, and the empty word ε is the root of T. For all x ∈ T, x · 0 and x · 1 are the left and right successors of x, respectively. A path π of the tree T is a subset of T such that the root ε is in π, and ∀x ∈ π, one and only one of x · 0 and x · 1 is in π. Note that a path of T corresponds to a unique word in {0, 1}^ω. Given an alphabet Σ, a Σ-labeled tree (called a Σ-tree) is a function V : T → Σ that maps each node of T to a letter in Σ.

A Rabin tree automaton (on infinite binary Σ-trees) is A = (Q, Σ, δ_A, q_0, F), where Q is a finite state set, Σ is a finite alphabet, δ_A : Q × Σ → 2^{Q×Q} is the transition function, q_0 ∈ Q is the initial state, and F = {(G_i, R_i) | G_i ∪ R_i ⊆ Q, i = 1, ..., k} is the Rabin acceptance condition. A run r of A on an input Σ-tree V is a Q-labeled tree r : T → Q such that r(ε) = q_0 and ∀x ∈ T, (r(x · 0), r(x · 1)) ∈ δ_A(r(x), V(x)). We say that A accepts an input Σ-tree V if and only if there exists a run r of A on V such that for each path π of r, there exists a pair (G_i, R_i) in F such that π visits G_i infinitely often and R_i finitely often.

To test the satisfiability of a CTL (a special case of CTL*) formula f, the following more efficient sound and complete decision procedure exists [6], the complexity of which is single exponential in the length of the specification CTL formula:

1. Construct a tableau for the CTL formula f, where a tableau is a state transition structure derived for the given temporal logic formula from which a model of the given formula can be extracted as a subtransition structure whenever that formula is satisfiable. The number of states of the tableau for the CTL formula f is exponential in the length of f.

2. Test the tableau for the existence of a model for f. If no model for f exists in the tableau, then the CTL formula f is not satisfiable; otherwise f is satisfiable, and a model for f can be extracted from the tableau. The complexity of this step is polynomial in the number of states of the tableau.

3. Supervisory control for CTL* specification. In this section, we study the supervisory control problem for systems with CTL* temporal logic specifications. From now on, we assume that the uncontrolled discrete event plant P is modeled by a six tuple: P = (X, Σ, δP, x0, AP, LP), where X is a finite set of states; Σ is a finite set of event labels that is the disjoint union of Σc, the set of controllable events, and Σu, the set of uncontrollable events; δP : X × Σ → X is a partial function defined at each state in X for a subset of Σ; x0 ∈ X is the initial state of P; AP is the finite set of atomic proposition symbols with AP ∩ X = ∅; and LP : X → 2^{AP ∪ {¬p | p ∈ AP}} is a labeling function such that ∀x ∈ X, ∀p ∈ AP, p ∈ LP(x) ⇒ ¬p ∉ LP(x). Here, for a state x, p ∈ LP(x) means that p holds at x, ¬p ∈ LP(x) means that p does not hold at x, and if for some atomic proposition p neither p nor ¬p is in LP(x), then p may or may not hold at x. Note from the definition of the transition function δP that we are assuming P to be deterministic.

A supervisor S is modeled by a six tuple: S = (Y, Σ, δS, y0, AP, LS), where Y is a set of states (finite or infinite); Σ and AP are the same sets as given in P; δS : Y × Σ → 2^Y is a total function defined at each state in Y for each event in Σ; y0 ∈ Y is the initial state of S; and LS : Y → 2^{AP ∪ {¬p | p ∈ AP}} is a labeling function similar to that in P, such that ∀y ∈ Y, ∀p ∈ AP, p ∈ LS(y) ⇒ ¬p ∉ LS(y). Note from the definition of the transition function δS that S is allowed to be nondeterministic. The class of nondeterministic supervisors is more powerful than that of deterministic supervisors, as illustrated by Example 1.

The controlled plant is obtained by the strict synchronous composition of P and S, denoted by P||S, which is defined as P||S = (Z, Σ, δ_{P||S}, z0, AP, L_{P||S}), where Z = X × Y is the state set; Σ and AP are the same sets as given in P; and δ_{P||S} : Z × Σ → 2^Z is the state transition function for P||S. Let σ ∈ Σ and (x, y) ∈ X × Y = Z; then we define δ_{P||S} as

$$\delta_{P\|S}((x,y),\sigma) = \begin{cases} \{(\delta_P(x,\sigma), z) \mid z \in \delta_S(y,\sigma)\} & \text{if } \delta_P(x,\sigma) \text{ is defined and } \delta_S(y,\sigma) \neq \emptyset; \\ \emptyset & \text{otherwise.} \end{cases}$$

z0 = (x0, y0) ∈ Z denotes the initial state of P||S, and L_{P||S} : Z → 2^{AP ∪ {¬p | p ∈ AP}} is the labeling function for P||S, defined as L_{P||S}(x, y) = LP(x) ∪ LS(y).

We use M_{P||S} = (Z, R, AP, L) to denote the state transition graph of P||S, where Z and AP are the same sets as given in P||S; R ⊆ Z × Z is the transition relation with R = {(z, z′) | ∃σ ∈ Σ s.t. z′ ∈ δ_{P||S}(z, σ)}; and L : Z → 2^{AP} is the labeling function defined as ∀z ∈ Z, L(z) = L_{P||S}(z) ∩ AP.

We require that all the supervisors derived should be control-compatible and propositionally consistent with respect to the plant. The control-compatibility of a supervisor requires that when controlling the plant P, the supervisor should never disable an uncontrollable transition in P, where a transition is called an uncontrollable transition if it is labeled by an uncontrollable event. Next, since the propositional labeling of a state z = (x, y) ∈ Z of P||S is obtained as LP(x) ∪ LS(y), it is possible that the label of z contains p ∈ AP as well as its negation (for example, when p ∈ LP(x) and ¬p ∈ LS(y)). We exclude such state machines from being a supervisor by requiring the propositional consistency property defined below.

Definition 2. A supervisor S is said to be control-compatible with respect to a given plant P if for any s ∈ Σ*, σ ∈ Σu, and z = (x, y) ∈ δ_{P||S}(z0, s) such that σ is defined at state x of P, it holds that σ is also defined at state y of S. A supervisor S is said to be propositionally consistent with respect to a given plant P if it holds in P||S that for every state z ∈ Z reachable from z0, we have ∀p ∈ AP, p ∈ L_{P||S}(z) ⇒ ¬p ∉ L_{P||S}(z).

The supervisory control problem for systems with temporal logic specifications is formulated as follows:

Let P be a deterministic nonterminating plant with Σ = Σc ∪ Σu. For a given CTL* formula f, find a control-compatible and propositionally consistent supervisor S for P such that P||S is nonterminating and < M_{P||S}, z0 > |= f, where M_{P||S} is the state transition graph of P||S and z0 is the initial state of P||S.

Before solving the above control problem, we give the definition of the controllability of CTL* formulas.

Definition 3. Given a nonterminating plant P, a CTL* formula f is said to be controllable with respect to P, also called P-controllable, if there exists a control-compatible and propositionally consistent supervisor S such that P||S is nonterminating and < M_{P||S}, z0 > |= f.

In Definition 3, the supervisor S need not be finite. Through the small model theorem derived below, we demonstrate that if a CTL* formula f is controllable, then f can be enforced by a finite supervisor. In other words, we don't impose the finiteness of a supervisor a priori in the definition of controllability. Also, the supervisor is allowed to be nondeterministic, since in some situations only a nondeterministic supervisor can achieve a given CTL* specification. This is illustrated by the following example.

Example 1. The plant P is shown in Figure 1(a), where X = {x0, x1, x2, x3}, Σ = Σc = {a, b, c, d, e}, AP = {p1, p2}, LP(x0) = LP(x1) = AP, LP(x2) = {p1, ¬p2}, and LP(x3) = {¬p1, p2}. (We adopt the following convention for the figures we draw: if an atomic proposition p is not labeled at a state x, then it means that p does not hold at x, i.e., ¬p ∈ LP(x).) The specification is described by the CTL formula EXAGp1 ∧ EXAGp2, where EXAGpi has the following meaning: "there exists (E) a path (starting from the initial state) such that from the next (X) state all paths (A) always (G) satisfy pi." Note that the given plant does not satisfy the specification since, starting from the only next state x1, all paths do not always satisfy p1 and p2.

[Fig. 1. Nondeterministic supervisor. (a) Plant P with states x0, x1, x2, x3 and events a, b, c, d, e. (b) Supervisor S with states y0, y1, y2, y3, y4; two a-transitions leave y0.]

Further, there does not exist a deterministic supervisor that can achieve the specification, since AGp1 and AGp2 cannot be satisfied simultaneously at state x1. But we can have a nondeterministic supervisor S that achieves the specification, which is shown in Figure 1(b).

Also note that the ∗-language as well as the ω-language of the controlled plant is the same as that of the uncontrolled plant, i.e., L(P||S) = L(P) = a(bd* + ce*) and Lω(P||S) = Lω(P) = a(bd^ω + ce^ω). This implies that the above CTL specification cannot be expressed by a regular ∗-language or a regular ω-language.
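The following Python is an added example, not code from the paper: it implements the strict synchronous composition P||S, the control-compatibility and propositional-consistency checks of Definition 2, and a direct check of EXAGp1 ∧ EXAGp2 on the state graph of P||S for the plant and supervisor of Example 1 (transcribed from Figure 1). Function names and the empty supervisor labelings are this example's own choices; the plant's labeling already fixes the propositions, so the supervisor adds none.

```python
# Added example (not from the paper): strict synchronous composition P||S, the
# control-compatibility and propositional-consistency checks of Definition 2, and a
# direct check of the Example 1 specification EXAGp1 ∧ EXAGp2 on M_{P||S}.
# Plant and supervisors are transcribed from Figure 1; supervisor states carry no
# propositions here (assumption: the plant's labeling already fixes them).

class Machine:
    """Plant or supervisor.  delta maps (state, event) -> set of successors; a missing
    key means the event is undefined (plant) or disabled (supervisor)."""
    def __init__(self, states, sigma, delta, init, label):
        self.states, self.sigma, self.delta = states, sigma, delta
        self.init, self.label = init, label

    def succ(self, state, event):
        return self.delta.get((state, event), set())

def compose(P, S):
    """Reachable part of P||S: a sigma-transition exists iff sigma is defined in P and
    enabled by S; the label of (x, y) is L_P(x) ∪ L_S(y)."""
    z0 = (P.init, S.init)
    delta, label, seen, todo = {}, {}, {z0}, [z0]
    while todo:
        z = todo.pop()
        x, y = z
        label[z] = P.label[x] | S.label[y]
        for e in P.sigma:
            targets = {(xp, yp) for xp in P.succ(x, e) for yp in S.succ(y, e)}
            if targets:
                delta[(z, e)] = targets
                todo.extend(t for t in targets if t not in seen)
                seen.update(targets)
    return Machine(seen, P.sigma, delta, z0, label)

def control_compatible(P, S, sigma_u, PS):
    """Definition 2: at every reachable (x, y), an uncontrollable event defined at x in P
    must also be defined (enabled) at y in S."""
    return all(not P.succ(x, e) or bool(S.succ(y, e))
               for (x, y) in PS.states for e in sigma_u)

def propositionally_consistent(PS, ap):
    """Definition 2: no reachable state of P||S carries both p and ¬p."""
    return all(not (p in PS.label[z] and '¬' + p in PS.label[z])
               for z in PS.states for p in ap)

def nonterminating(PS):
    return all(any(PS.delta.get((z, e)) for e in PS.sigma) for z in PS.states)

def reachable_from(PS, z):
    seen, todo = {z}, [z]
    while todo:
        s = todo.pop()
        for e in PS.sigma:
            new = PS.delta.get((s, e), set()) - seen
            todo.extend(new)
            seen |= new
    return seen

def holds_ag(PS, z, p):
    """AG p at z: p labels every state reachable from z (z included)."""
    return all(p in PS.label[s] for s in reachable_from(PS, z))

def holds_ex_ag(PS, z, p):
    """EX AG p at z: some successor of z satisfies AG p."""
    return any(holds_ag(PS, t, p) for e in PS.sigma for t in PS.delta.get((z, e), ()))

AP = {'p1', 'p2'}
SIGMA = {'a', 'b', 'c', 'd', 'e'}            # Example 1: every event is controllable
P = Machine({'x0', 'x1', 'x2', 'x3'}, SIGMA,
            {('x0', 'a'): {'x1'}, ('x1', 'b'): {'x2'}, ('x1', 'c'): {'x3'},
             ('x2', 'd'): {'x2'}, ('x3', 'e'): {'x3'}}, 'x0',
            {'x0': {'p1', 'p2'}, 'x1': {'p1', 'p2'}, 'x2': {'p1', '¬p2'}, 'x3': {'¬p1', 'p2'}})

def supervisor(delta):
    """Supervisor over the states mentioned in delta, initial state y0, empty labels."""
    states = {y for (y, _) in delta} | {y for ts in delta.values() for y in ts}
    return Machine(states, SIGMA, delta, 'y0', {y: set() for y in states})

# Figure 1(b): nondeterministic on a, then committed to the b- or the c-branch.
S_nd = supervisor({('y0', 'a'): {'y1', 'y2'}, ('y1', 'b'): {'y3'}, ('y2', 'c'): {'y4'},
                   ('y3', 'd'): {'y3'}, ('y4', 'e'): {'y4'}})
# Deterministic alternatives: commit to one branch, or enable everything (P||S = P).
S_b = supervisor({('y0', 'a'): {'y1'}, ('y1', 'b'): {'y3'}, ('y3', 'd'): {'y3'}})
S_c = supervisor({('y0', 'a'): {'y1'}, ('y1', 'c'): {'y4'}, ('y4', 'e'): {'y4'}})
S_all = supervisor({('y0', 'a'): {'y1'}, ('y1', 'b'): {'y3'}, ('y1', 'c'): {'y4'},
                    ('y3', 'd'): {'y3'}, ('y4', 'e'): {'y4'}})

def spec_holds(P, S, sigma_u=frozenset()):
    """True iff S is admissible (Definition 2 and P||S nonterminating) and
    <M_{P||S}, z0> |= EXAGp1 ∧ EXAGp2."""
    PS = compose(P, S)
    admissible = (control_compatible(P, S, sigma_u, PS)
                  and propositionally_consistent(PS, AP) and nonterminating(PS))
    return admissible and holds_ex_ag(PS, PS.init, 'p1') and holds_ex_ag(PS, PS.init, 'p2')
```

Running `spec_holds(P, S_nd)` gives True, while every deterministic supervisor (`S_b`, `S_c`, `S_all`) gives False: after the single a-successor (x1, y1) the reachable set either contains a state without p1 or a state without p2, which is exactly the argument of the text. Passing a nonempty `sigma_u` (for instance {'c'}) makes `control_compatible` reject `S_b`, which disables c at x1.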

Remark 2. A formal treatment of nondeterministic control policy, its representation as a state machine, and its implementation are given in [17]. The essential idea is that the control action selection of a nondeterministic supervisor is done on-line nondeterministically from among a set of choices determined off-line. Also, the control action can be changed on-line nondeterministically (before any new observation) in accordance with choices determined off-line. (This feature of nondeterministic control is not being used in the present paper.) The on-line choices, once made, can be used to affect the set of control action choices in the future. A nondeterministic control map with the above features may be implemented as a control- and observation-compatible nondeterministic state machine introduced in [17]. (In the context of the present paper, we are assuming complete observation of events, and so only control compatibility is required; observation compatibility is automatically guaranteed.) It is further argued in [17] that to implement a nondeterministic supervisor a mechanism is needed for the on-line nondeterministic selection of the control action (from the set of choices computed off-line), and another mechanism is needed to determine when to nondeterministically change the control action. For the first purpose, a "coin toss" (with as many possible outcomes as the number of control action choices) can be used. For the second purpose, a "random timer" can be used. In the absence of any new observation, the control action is changed if and when the timer goes off.

In the following, we reduce the problem of the control of CTL* to that of the decision of CTL*, then use the results for the decision of CTL* to solve the control problem of CTL*. We first encode all the controllable sub-trees embedded in the "plant-tree" P by a CTL formula fP defined as follows.

Add new fresh atomic propositions. Extend AP to AP′ := AP ∪ X. Each state of the plant is viewed as a new atomic proposition. For each x ∈ X, the proposition x holds at state x and at no other state of P.

Encode the initial state of P using formula f0 defined as

f0 := x0.

This says that in a model for f0, the atomic proposition x0 holds at the initial state of the model.

Encode the state set of P using formula f1 := f11 ∧ f12 defined as

$$f_{11} := AG\Big(\bigvee_{x \in X} x\Big) \wedge \bigwedge_{x \in X} AG\Big(x \Rightarrow \bigwedge_{x' \neq x} \neg x'\Big),$$

$$f_{12} := \bigwedge_{x \in X} AG\Big[x \Rightarrow \bigwedge_{p \in (L_P(x) \cap AP)} p \ \wedge \bigwedge_{\neg p \in (L_P(x) \cap \overline{AP})} \neg p\Big],$$

and $\overline{AP} = \{\neg p \mid p \in AP\}$. In the above, f11 states that if M is a model for f11, then every state in M should be labeled with one and only one atomic proposition x ∈ X; f12 states that if M is a model for f12, then any atomic proposition which holds (resp., does not hold) at the state x of P should also hold (resp., should not hold) at the states in M which are labeled by the proposition x.

Encode the transitions of P using formula f2 defined as

$$f_2 := \bigwedge_{x \in X} AG\Big(x \Rightarrow AX\Big(\bigvee_{x' \in I_x} x'\Big)\Big),$$

where I_x = {x′ | ∃σ ∈ Σ such that x′ = δP(x, σ)}. The formula f2 states that if M is a model for f2, s is a state in M labeled with the atomic proposition x, and s′ is a successor of s in M labeled with the atomic proposition x′, then there must exist a transition from x to x′ in P.

Encode the uncontrollable transitions of P using formula f3 defined as

$$f_3 := \bigwedge_{x \in X} AG\Big(x \Rightarrow \bigwedge_{x' \in I^u_x} EX\,x'\Big),$$

where I^u_x = {x′ | ∃σ ∈ Σu such that x′ = δP(x, σ)}. The formula f3 states that if M is a model for f3, s is a state in M labeled with the atomic proposition x, and there exists an uncontrollable transition from state x to another state x′ in P, then there must exist a successor s′ of s in M such that x′ is labeled at s′.

Encode all controllable sub-trees of P using the formula fP defined as

fP := f0 ∧ f1 ∧ f2 ∧ f3.

Remark 3. From the above definition it follows that fP encodes some information of the plant P. It should be noted that fP does not contain all the information of P, since from a model M of fP we cannot reconstruct the plant state machine P. This is because when we encode the transitions (resp., uncontrollable transitions) of P by f2 (resp., f3), we require only that the state x′ is one-step reachable from x, and we ignore all other information such as how many transitions exist between x and x′ in P and what the event labels of these transitions are. But the information encoded by fP is enough for the control of P, as shown in Theorem 3 below.

The following proposition shows that fP is satisfied by the plant P.

Proposition 1. Let P be a nonterminating plant and M_P = (X, R_P, AP′, L′_P) be the state transition graph of P with AP′ = AP ∪ X, R_P = {(x, x′) ∈ X × X | ∃σ ∈ Σ, x′ = δP(x, σ)}, and L′_P(x) = (LP(x) ∩ AP) ∪ {x} ∀x ∈ X. Then it holds that < M_P, x0 > |= fP, where fP is as defined above.

Proof. Since x0 ∈ L′_P(x0), obviously < M_P, x0 > |= f0. Next, for each state x in M_P, we have

• [x ∈ L′_P(x)] ∧ ⋀_{x′ ≠ x} [x′ ∉ L′_P(x)] ⇒ < M_P, x0 > |= f11;

• [∀p ∈ (LP(x) ∩ AP), p ∈ L′_P(x)] ∧ [∀¬p ∈ (LP(x) ∩ $\overline{AP}$), p ∉ L′_P(x)] ⇒ < M_P, x0 > |= f12;

• [∀x′ ∈ {x′ | (x, x′) ∈ R_P}, ∃σ ∈ Σ, x′ = δP(x, σ)] ⇒ < M_P, x0 > |= f2;

• [∀x′ ∈ {x′ | ∃σ ∈ Σu, x′ = δP(x, σ)}, (x, x′) ∈ R_P] ⇒ < M_P, x0 > |= f3.

Combining the above implications, we obtain < M_P, x0 > |= fP.

The following theorem reduces the control problem of CTL* to the decision problem of CTL*.

Theorem 3. Given a CTL* formula f and a deterministic nonterminating plant P encoded by the CTL formula fP, f is P-controllable if and only if the CTL* formula f ∧ fP is satisfiable.

Proof. For the necessity, suppose there exists a control-compatible and propositionally consistent supervisor S = (Y, Σ, δS, y0, AP, LS) such that < M_{P||S}, z0 > |= f. Then we can get a model M′ = (Z, R, AP′, L′) for f ∧ fP from M_{P||S} = (Z, R, AP, L) as follows: ∀z = (x, y) ∈ Z, L′(z) = L(z) ∪ {x}. Since < M_{P||S}, z0 > |= f, it is obvious that M′ is also a model for f, i.e., < M′, z0 > |= f. For the formula fP = f0 ∧ f11 ∧ f12 ∧ f2 ∧ f3, we have the following. Since z0 = (x0, y0), x0 ∈ L′(z0), which implies < M′, z0 > |= f0. Since M_{P||S} can be viewed as a subgraph embedded in P, M′ is also a subgraph embedded in P. This implies that < M′, z0 > |= f11 ∧ f2. From the definition of L_{P||S} and the propositional consistency of S, we know that < M′, z0 > |= f12. Further, from the control-compatibility of S, we have < M′, z0 > |= f3. Combining these, we get < M′, z0 > |= f ∧ fP, i.e., f ∧ fP is satisfiable.

For the sufficiency, let M = (Q, R, AP′, L) be a model of f ∧ fP, i.e., ∃q0 ∈ Q, < M, q0 > |= f ∧ fP. We can get a supervisor S = (Y, Σ, δS, y0, AP, LS) from M as follows: Y ⊆ Q is the set of states which are reachable from q0 in M; ∀y ∈ Y, ∀σ ∈ Σ,

$$\delta_S(y,\sigma) = \{\, y' \mid (y,y') \in R \ \wedge\ x' = \delta_P(x,\sigma), \text{ where } \{x'\} = L(y') \cap X \text{ and } \{x\} = L(y) \cap X \,\};$$

y0 = q0; and ∀y ∈ Y, LS(y) = L(y) ∩ (AP ∪ {¬p | p ∈ AP}). Since M is a model of fP, it ensures that S is control-compatible with respect to P, and further, because P is deterministic, S is propositionally consistent with respect to P. Also because P is deterministic, P||S has the same graph as S, and hence it is nonterminating and < M_{P||S}, z0 > |= f. So f is P-controllable.
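The following Python is an added example, not code from the paper. It checks the four conjuncts of fP directly on a labeled transition graph M = (Q, R, AP′, L), which is what Proposition 1 asserts for M_P, and it carries out the supervisor extraction δS(y, σ) = {y′ | (y, y′) ∈ R ∧ x′ = δP(x, σ)} from the sufficiency proof of Theorem 3. The plant is that of Example 1 with Σu = {b} (the setting of Example 2 below); the candidate models and all function names are this example's own constructions.

```python
# Added example (not from the paper): a direct semantic check of f_P = f0 ∧ f1 ∧ f2 ∧ f3
# on a labeled transition graph M = (Q, R, AP', L) (Proposition 1 says M_P passes it),
# and the supervisor extraction δ_S(y, σ) = {y' | (y, y') ∈ R ∧ x' = δ_P(x, σ)} from the
# sufficiency proof of Theorem 3.  Plant of Example 1 with Σu = {b} as in Example 2;
# the candidate models below are constructed for this example.

X = ['x0', 'x1', 'x2', 'x3']
SIGMA_U = {'b'}
DELTA_P = {('x0', 'a'): 'x1', ('x1', 'b'): 'x2', ('x1', 'c'): 'x3',
           ('x2', 'd'): 'x2', ('x3', 'e'): 'x3'}
L_P = {'x0': {'p1', 'p2'}, 'x1': {'p1', 'p2'}, 'x2': {'p1', '¬p2'}, 'x3': {'¬p1', 'p2'}}

def plant_succ(x, uncontrollable_only=False):
    """I_x (or I^u_x when uncontrollable_only): one-step successors of x in P."""
    return {xp for (xs, e), xp in DELTA_P.items()
            if xs == x and (not uncontrollable_only or e in SIGMA_U)}

def reachable(R, q0):
    seen, todo = {q0}, [q0]
    while todo:
        s = todo.pop()
        for (a, t) in R:
            if a == s and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def tags(L, s):
    """Plant propositions x ∈ X that label model state s."""
    return [x for x in X if x in L[s]]

def satisfies_fP(Q, R, L, q0):
    """Every conjunct of f_P except f0 is an AG-formula, so its body is checked at every
    state reachable from q0 instead of running a general CTL model checker."""
    if 'x0' not in L[q0]:                                   # f0: x0 holds initially
        return False
    for s in reachable(R, q0):
        if len(tags(L, s)) != 1:                            # f11: exactly one plant tag
            return False
        x = tags(L, s)[0]
        for lit in L_P[x]:                                  # f12: L_P(x) is respected
            neg, p = lit.startswith('¬'), lit.lstrip('¬')
            if (p in L[s]) == neg:
                return False
        succ_tags = {t for (a, q) in R if a == s for t in tags(L, q)}
        if not succ_tags <= plant_succ(x):                  # f2: only plant transitions
            return False
        if not plant_succ(x, True) <= succ_tags:            # f3: uncontrollable ones kept
            return False
    return True

def extract_supervisor(Q, R, L, q0):
    """S = (Y, Σ, δ_S, y0, AP, L_S) as in the proof of Theorem 3.  δ_S lists only the
    nonempty entries; a missing key stands for ∅, i.e. the event is disabled there."""
    Y = reachable(R, q0)
    tag = {y: tags(L, y)[0] for y in Y}
    delta_S = {}
    for y in Y:
        for (xs, e), xp in DELTA_P.items():
            if xs == tag[y]:
                targets = {q for (a, q) in R if a == y and tag[q] == xp}
                if targets:
                    delta_S[(y, e)] = targets
    L_S = {y: {lit for lit in L[y] if lit not in X} for y in Y}
    return Y, delta_S, q0, L_S

def model_MP():
    """M_P of Proposition 1: the plant's own graph, each state tagged with itself."""
    R = {(x, xp) for (x, _), xp in DELTA_P.items()}
    L = {x: {p for p in L_P[x] if not p.startswith('¬')} | {x} for x in X}
    return set(X), R, L, 'x0'

# Constructed candidate models (Q, R, L, q0): M_b follows the b-branch, M_c follows only
# the c-branch (violates f3 because b is uncontrollable), M_bad labels the x2-state
# with p2 although ¬p2 ∈ L_P(x2) (violates f12).
M_b = ({'q0', 'q1', 'q2'}, {('q0', 'q1'), ('q1', 'q2'), ('q2', 'q2')},
       {'q0': {'x0', 'p1', 'p2'}, 'q1': {'x1', 'p1', 'p2'}, 'q2': {'x2', 'p1'}}, 'q0')
M_c = ({'q0', 'q1', 'q3'}, {('q0', 'q1'), ('q1', 'q3'), ('q3', 'q3')},
       {'q0': {'x0', 'p1', 'p2'}, 'q1': {'x1', 'p1', 'p2'}, 'q3': {'x3', 'p2'}}, 'q0')
M_bad = ({'q0', 'q1', 'q2'}, {('q0', 'q1'), ('q1', 'q2'), ('q2', 'q2')},
         {'q0': {'x0', 'p1', 'p2'}, 'q1': {'x1', 'p1', 'p2'}, 'q2': {'x2', 'p1', 'p2'}}, 'q0')
```

`satisfies_fP(*model_MP())` is True, as Proposition 1 states; `M_b` passes and `extract_supervisor(*M_b)` returns a supervisor that enables a at q0, b at q1 and d at q2 and nothing else, which is control-compatible because the only uncontrollable event b is never disabled where the plant defines it. `M_c` fails f3 and `M_bad` fails f12, so neither would be accepted as a model from which a supervisor is derived.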

Now from the small model theorem for the decision of CTL* (Theorem 1), we have the following small model theorem for the control of CTL*.

Theorem 4. Given a CTL* formula f and a deterministic nonterminating plant P, f is P-controllable if and only if there exists a finite state control-compatible and propositionally consistent supervisor S such that P||S is nonterminating and < M_{P||S}, z0 > |= f.

Proof. The sufficiency is obvious. For necessity, from Theorem 3 we know that if f is P-controllable, then f ∧ fP is satisfiable. Further, from Theorem 1, we have that if f ∧ fP is satisfiable, then there exists a finite state transition graph M = (Q, R, AP′, L) such that ∃q0 ∈ Q, < M, q0 > |= f ∧ fP. Using the same method as that in the proof of Theorem 3, we can obtain a finite state control-compatible and propositionally consistent supervisor S from M such that P||S is nonterminating and < M_{P||S}, z0 > |= f. So the theorem holds.

From Theorem 2, we have the following result for the complexity of the control problem for CTL* (resp., CTL).

Theorem 5. The control problem for CTL* (resp., CTL) is complete for deterministic double (resp., single) exponential time in the length of the specification formula.

Proof. From Theorem 3 and the definition of fP, whose length is polynomial in the number of states of P, we know that the control problem for CTL* (resp., CTL) is polynomial-time reducible to the decision problem for CTL* (resp., CTL). From Theorem 2 we have that the complexity of testing the satisfiability of CTL* (resp., CTL) has an upper bound of deterministic double (resp., single) exponential time in the length of the specification formula. So the control problem for CTL* (resp., CTL) is upper bounded by deterministic double (resp., single) exponential time in the length of the specification formula. This establishes the desired upper bound on the complexity of the control problem.

To establish the desired lower bound on the complexity of the control problem, in view of Theorem 2 it suffices to show that the decision problem can be polynomially reduced to a control problem. For the decision problem of CTL* (resp., CTL), we can view it as a control problem for the plant P = (X, Σ, δP, x0, AP, LP) with X = {x0}; Σ = Σc = {σ}; x0 = δP(x0, σ); LP(x0) = ∅, where the goal of the control is to find a supervisor such that the controlled plant satisfies the given CTL* (resp., CTL) formula. If a supervisor S exists for the above control problem, we can directly use M_{P||S} as the model of the given CTL* (resp., CTL) formula. Since the decision problem for CTL* (resp., CTL) has a lower bound complexity of deterministic double (resp., single) exponential time in the length of the specification formula, we must have that the complexity of the control problem for CTL* (resp., CTL) is lower bounded by deterministic double (resp., single) exponential time in the length of the specification formula.

From Theorem 3, we know that an algorithm for supervisor synthesis for CTL* control can be obtained from the decision procedure of CTL*. Let f be a CTL* specification formula and P be a deterministic nonterminating plant; then a supervisor synthesis algorithm is as follows.

Algorithm 1. Supervisor Synthesis Algorithm for CTL* Control.

1. Test the satisfiability of the CTL* formula f ∧ fP. This step is done by using the decision procedure for CTL* as follows:
   (a) Construct a Rabin tree automaton for the CTL* formula f using the method given in [9].
   (b) Construct a tree automaton for fP directly from the plant P; this tree automaton has the same state set as P and has no acceptance condition.
   (c) Construct the Rabin tree automaton for f ∧ fP from the synchronous composition of the above two tree automata.
   (d) Test the emptiness of the set of trees accepted by the Rabin tree automaton for f ∧ fP [8]. The set of trees accepted by the tree automaton is empty if and only if f ∧ fP is not satisfiable. If f ∧ fP is satisfiable, then go to the next step; otherwise stop the algorithm and output that "no supervisor exists."

2. If f ∧ fP is satisfiable, extract a model for the formula f ∧ fP from its nonempty Rabin tree automaton using the result given in [8].

3. Derive a supervisor from the model for the formula f ∧ fP by using the method in the proof of Theorem 3.

Remark 4. From Theorem 3, and using an argument similar to the soundness and completeness of the decision procedure for CTL* [9, 8], we can conclude that Algorithm 1 for control synthesis for CTL* is sound and complete. Algorithm 1 has a worst-case complexity of double exponential in the length of the CTL* formula f and polynomial in the size of the plant P. This is because the Rabin tree automaton for the specification formula f has a number of states that is double exponential in the length of f and a number of acceptance condition pairs that is single exponential in the length of f, and the tree automaton for fP has the same state set as P and no acceptance condition, so the final Rabin tree automaton for f ∧ fP has a number of states that is double exponential in the length of f and linear in the number of states of the plant, and a number of acceptance condition pairs that is single exponential in the length of the specification formula f only.

For an easy synchronous composition of the tree automata for f and fP, it is required that the two tree automata have the same branching degree. To compute the branching degree of a CTL* formula f, we first express it in its positive normal form by pushing negations as far inward as possible using De Morgan's laws (¬(f1 ∨ f2) ≡ ¬f1 ∧ ¬f2, ¬(f1 ∧ f2) ≡ ¬f1 ∨ ¬f2) and the dualities (¬AGf1 ≡ EF¬f1, ¬A[f1 U f2] ≡ E[¬f1 B f2], etc.). Then the branching degree of f, denoted by d_f, can be chosen to be the total number of existential path quantifiers "E" in its positive normal form. Similarly, we can get the branching degree of fP, denoted by d_{fP}. Then we can choose d = d_f + d_{fP} as the branching degree of the tree automata models for f and fP. Next we give an example to illustrate how to compute the branching degree of a CTL* formula and how to derive a tree automaton with a required branching degree for the encoding fP of P that has the same state set as P.

Example 2. Consider the encoding fP for the plant P of Example 1 and suppose now that Σu = {b}. Suppose the specification is given by f = EXAGp1. Then there is one E in the formula fP because of the uncontrollable transition from x1 to x2 in P, and there is one E in f. So the required branching degree of the tree automata for f and fP can be chosen to be 1 + 1 = 2.

A tree automaton for fP with the required branching degree of 2 (i.e., an automaton on binary trees) can be obtained as follows: A = (X, 2^{AP ∪ X}, δA, x0, {(X, ∅)}), where X, AP, and x0 are the same as in P, the acceptance pair (X, ∅) is trivial (every run is accepted, so A effectively has no acceptance condition), and δA : X × 2^{AP ∪ X} → 2^{X^2} is given as δA(x0, (p1, p2, x0)) = {(x1, x1)}, δA(x1, (p1, p2, x1)) = {(x2, x2), (x2, x3), (x3, x2)}, δA(x2, (p1, x2)) = {(x2, x2)}, δA(x3, (p2, x3)) = {(x3, x3)}. Note that the uncontrollable transition from x1 to x2 in P is captured in A by requiring that x2 be included in every state pair in δA(x1, (p1, p2, x1)). It can be verified that any infinite binary tree that is accepted by A satisfies the formula fP.
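The construction of Example 2 generalizes to any plant and any branching degree d: δA(x, ℓ) is the set of d-tuples over the plant successors of x in which every uncontrollable successor of x occurs at least once, and d must be at least the largest number of uncontrollable successors of a single state. The Python below is an added example, not code from the paper; it builds that transition function for the plant of Example 1 with Σu = {b}, counts the E's that fP contributes to the branching degree, and checks a finite prefix of a candidate run against δA. Function names and the finite run representation (a dict from node words to plant states) are this example's own.

```python
# Added example (not from the paper): the tree automaton A for f_P with a prescribed
# branching degree d, as in Example 2.  δ_A(x, ℓ) is the set of d-tuples of plant
# successors of x that contain every uncontrollable successor of x at least once, and
# ℓ is the letter (positive propositions of L_P(x) plus the tag x) read at that node.
# Plant of Example 1 with Σu = {b}; the helper names below are this example's own.
from itertools import product

X = ['x0', 'x1', 'x2', 'x3']
DELTA_P = {('x0', 'a'): 'x1', ('x1', 'b'): 'x2', ('x1', 'c'): 'x3',
           ('x2', 'd'): 'x2', ('x3', 'e'): 'x3'}
L_P = {'x0': {'p1', 'p2'}, 'x1': {'p1', 'p2'}, 'x2': {'p1', '¬p2'}, 'x3': {'¬p1', 'p2'}}

def successors(delta_P, sigma_u):
    """I_x and I^u_x for every plant state."""
    succ = {x: set() for x in X}
    usucc = {x: set() for x in X}
    for (x, e), xp in delta_P.items():
        succ[x].add(xp)
        if e in sigma_u:
            usucc[x].add(xp)
    return succ, usucc

def d_fP(delta_P, sigma_u):
    """Branching degree contributed by f_P: one E per uncontrollable transition."""
    return sum(len(u) for u in successors(delta_P, sigma_u)[1].values())

def letter(x):
    """Input letter of a tree node labeled x: L_P(x) ∩ AP plus the tag x."""
    return frozenset(p for p in L_P[x] if not p.startswith('¬')) | {x}

def tree_automaton(delta_P, sigma_u, d):
    """δ_A: (state, letter) -> set of d-tuples of next states.  Raises if some state
    has more uncontrollable successors than the d slots can hold."""
    succ, usucc = successors(delta_P, sigma_u)
    delta_A = {}
    for x in X:
        if len(usucc[x]) > d:
            raise ValueError(f"{x} has {len(usucc[x])} uncontrollable successors, d={d}")
        delta_A[(x, letter(x))] = {t for t in product(sorted(succ[x]), repeat=d)
                                   if usucc[x] <= set(t)}
    return delta_A

def is_run_prefix(delta_A, run, depth):
    """run: dict node word -> plant state, for all words of length <= depth over {0, 1}.
    True iff the root carries x0 and each internal node's pair of children is allowed by
    δ_A for the letter that node reads.  Acceptance is trivial, so only δ_A matters."""
    if run[''] != 'x0':
        return False
    for node, x in run.items():
        if len(node) < depth:
            if (run[node + '0'], run[node + '1']) not in delta_A[(x, letter(x))]:
                return False
    return True
```

With Σu = {b} and d = 2, `tree_automaton` reproduces the four entries of δA given in Example 2; with Σu = {b, c} the state x1 has two uncontrollable successors, so d = 1 is rejected and `d_fP` rises to 2. A depth-2 run prefix that puts x3 in both children of a node labeled x1 is rejected, because the uncontrollable successor x2 is missing from that pair.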

Remark 5. The supervisory control problem for language-based specifications is typically of two types: (i) the target control problem (where a supervisor is designed so that the controlled language equals the specification language) and (ii) the range control problem (where a supervisor is designed so that the controlled language is bounded by a lower bound and an upper bound specification language). Obviously the range control problem is more general, since the two bounds can be the same, in which case it is the same as the target control problem. For the range control problem, any supervisor is acceptable as long as the controlled language lies in the specified range. If none exists, then one can consider minimal relaxations of the two bounds so that a supervisor will exist.

[Fig. 2. A counter example to [1]: from the initial state, event a leads to a state labeled p1, and events b and c each lead to a state labeled p2.]

The situation is even more general for a CTL* specification: a pair of LTL formulae f and g may be chosen to serve as lower and upper bounds for the ω-language of the controlled plant. Then the single LTL formula ¬f ∧ g specifies a range for the controlled ω-language. Of course, more general specifications can be specified in CTL* than just a simple range for the ω-language. Similar to the approach taken for language range control, here we are seeking any supervisor that enforces the given CTL* specification. (Algorithm 1 finds one such supervisor.) Now if none exists, then one would like to consider a minimal relaxation of the given CTL* specification for which a supervisor will exist. This topic is not within the scope of the present paper but may be addressed by introducing an order relation over the class of all CTL* formulas defined over a fixed set of atomic propositions using the simulation preorder. We say f1 ≤ f2 if and only if a model M1 of f1 is simulated by a model M2 of f2. (A simulation relation is a preorder over the set of all models since it is reflexive and transitive but not antisymmetric.) Minimal relaxations of a specification formula can be defined with respect to this order relation.

3.1. Supervisory control for CTL specification. If the specification is given as a CTL formula, we may view it as a CTL* formula and use Algorithm 1 for supervisor synthesis for CTL control. But this method has a double exponential complexity in the length of the specification formula. From Theorem 3, we know that the control problem for a CTL formula f can be reduced to the decision problem for the formula f ∧ fP. Since fP by its definition is also a CTL formula, f ∧ fP is a CTL formula, and so we can get a supervisor synthesis algorithm for the control of the CTL formula f from the decision procedure for the CTL formula f ∧ fP with a worst-case complexity of single exponential in the length of the CTL specification formula (as opposed to double exponential for the more general case of a CTL* specification). In the appendix, we present a detailed supervisor synthesis algorithm for CTL control.

Remark 6. In [1], the CTL control problem was also studied. But the author restricted the problem by considering only state-based supervisors and a special class of CTL formulas. Also note that the method in [1] gives wrong results even for some CTL formulas which do belong to the special class of formulas considered in [1]. To see this, consider the example shown in Figure 2, where a, b, c are all controllable events. Then the control action of enabling all of a, b, c will let EXp1 hold at the initial state, and the control action of enabling only b and c will let AXp2 hold at the initial state. In [1], it was claimed that in order to let EXp1 ∧ AXp2 hold at the initial state, we may take the conjunction of the control actions for EXp1 and AXp2, i.e., enabling b and c would ensure that EXp1 ∧ AXp2 holds at the initial state. It is obvious that under this control action, EXp1 does not hold at the initial state. So the method in [1] gives a wrong result for the above example.

[Fig. 3. An example for the completeness of LTL control: states labeled (p1, p2), p3 and p4; events a and b uncontrollable, c controllable.]

3.2. Supervisory control for LTL specification. Let us next consider the special case of LTL. Recall that LTL is obtained by restricting CTL* so that, except for the path quantifier A appearing at the beginning of the formula, no other path quantifiers occur in the formula. If the specification f is given as an LTL formula, then we have two different ways to solve the control problem:

1. View the LTL formula as a CTL* formula and directly use Algorithm 1 for the supervisor synthesis of LTL control.

2. First use a tableau construction method such as the one given in [10] to convert the LTL formula into a nondeterministic Büchi automaton; next use the method in [29] to change the nondeterministic Büchi automaton into a deterministic Rabin automaton; next derive a new Rabin automaton from the synchronous composition of the plant automaton and the specification Rabin automaton; and finally use the approach in [33] to solve the control problem on this final Rabin automaton.

These two methods have the same worst-case complexity, which is polynomial in the size of the plant and double exponential in the length of the specification LTL formula.

We next propose a supervisor synthesis algorithm for the control of LTL which has a smaller complexity (single exponential in the length of the LTL formula as opposed to double exponential) but is only sound (and not complete). We first change the LTL formula into a CTL formula by inserting the path quantifier A before every temporal operator in the formula and removing any repeated A; then we apply Algorithm 2 (given in the appendix) for the supervisor synthesis for this CTL formula. From the semantics of CTL and LTL, we know that the supervisor derived does work for the original LTL formula. The worst-case complexity of this method is the same as that of Algorithm 2, which is polynomial in the size of the plant and single exponential in the length of the specification LTL formula.
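Two formula manipulations in this section are mechanical enough to be worth seeing as code: the positive normal form and E-count that give the branching degree d_f (the procedure described before Example 2), and the LTL-to-CTL rewrite just described. The Python below is an added example, not code from the paper. Formulas are nested tuples, negation is pushed inward with De Morgan's laws and the path-quantifier and temporal dualities, and the LTL rewrite is applied to the normal form so that no negation remains above a temporal operator. One assumption: the dual of U is written R (release), where the paper writes B. The formula A[(p1 U p3) ∨ (p2 U p4)] used in the incompleteness discussion of Figure 3 is included as data.

```python
# Added example (not from the paper): CTL* formulas as nested tuples, positive normal
# form by pushing negations inward (De Morgan plus the path-quantifier and temporal
# dualities), the branching degree d_f = number of E in that normal form, and the
# LTL-to-CTL transformation of Section 3.2 (insert A before every temporal operator,
# dropping an A that is applied to something already a state formula).  The dual of U
# is written here as R (release), where the paper writes B; that is this example's choice.

TEMPORAL = {'X', 'F', 'G', 'U', 'R'}
DUAL = {'A': 'E', 'E': 'A', 'G': 'F', 'F': 'G', 'U': 'R', 'R': 'U', 'X': 'X'}

def nnf(f):
    """Positive normal form: negations occur only directly in front of atoms."""
    if isinstance(f, str):
        return f
    op = f[0]
    if op != 'not':
        return (op,) + tuple(nnf(g) for g in f[1:])
    g = f[1]
    if isinstance(g, str):
        return ('not', g)
    if g[0] == 'not':                       # ¬¬h ≡ h
        return nnf(g[1])
    if g[0] == 'and':                       # De Morgan
        return ('or', nnf(('not', g[1])), nnf(('not', g[2])))
    if g[0] == 'or':
        return ('and', nnf(('not', g[1])), nnf(('not', g[2])))
    # ¬A h ≡ E ¬h, ¬G h ≡ F ¬h, ¬X h ≡ X ¬h, ¬(h1 U h2) ≡ (¬h1 R ¬h2), and their duals
    return (DUAL[g[0]],) + tuple(nnf(('not', h)) for h in g[1:])

def branching_degree(f):
    """d_f: number of existential path quantifiers in the positive normal form of f."""
    def count(g):
        if isinstance(g, str):
            return 0
        return int(g[0] == 'E') + sum(count(h) for h in g[1:])
    return count(nnf(f))

def is_state_formula(g):
    return isinstance(g, str) or g[0] not in TEMPORAL

def ltl_to_ctl(f):
    """Sound (not complete) LTL -> CTL: every temporal operator gets its own A.  The
    formula is first put in positive normal form so that no negation sits above a
    temporal operator (otherwise A¬φ would be weakened to ¬Aφ)."""
    def go(g):
        if isinstance(g, str):
            return g
        args = tuple(go(h) for h in g[1:])
        if g[0] in TEMPORAL:
            return ('A', (g[0],) + args)
        if g[0] == 'A' and is_state_formula(args[0]):   # repeated or vacuous A
            return args[0]
        return (g[0],) + args
    return go(nnf(f))

def pretty(f):
    """Readable rendering, e.g. (A(p1 U p3) ∨ A(p2 U p4))."""
    if isinstance(f, str):
        return f
    op, *args = f
    if op == 'not':
        return '¬' + pretty(args[0])
    if op in ('and', 'or'):
        sym = ' ∧ ' if op == 'and' else ' ∨ '
        return '(' + sym.join(pretty(a) for a in args) + ')'
    if op in ('U', 'R'):
        return '(' + pretty(args[0]) + ' ' + op + ' ' + pretty(args[1]) + ')'
    return op + pretty(args[0])

# The LTL specification of the Figure 3 example, and the CTL specification of Example 1.
LTL_SPEC = ('A', ('or', ('U', 'p1', 'p3'), ('U', 'p2', 'p4')))
CTL_SPEC = ('and', ('E', ('X', ('A', ('G', 'p1')))), ('E', ('X', ('A', ('G', 'p2')))))
```

`branching_degree(CTL_SPEC)` is 2, matching Example 2's count of one E per EX, and `branching_degree(('not', ('A', ('G', 'p1'))))` is 1 because the normal form is EF¬p1. `ltl_to_ctl(LTL_SPEC)` yields A(p1 U p3) ∨ A(p2 U p4), the strictly stronger CTL formula that the incompleteness example of Figure 3 shows to be unenforceable although the LTL original is.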

This method, however, is not complete, i.e., when it answers "no" for the existence of a supervisor, there may still exist a supervisor that can enforce the given LTL specification. Consider, for example, the system shown in Figure 3, for which the specification is given as A[(p1 U p3) ∨ (p2 U p4)]. Assuming that the event c is the only controllable event, it is obvious that the specification can be enforced if the supervisor disables c at the initial state. But if we transform the specification into the CTL formula A(p1 U p3) ∨ A(p2 U p4) using the method described above, then it is easy to verify that no supervisor exists.

[Fig. 4. Mouse in a maze: five rooms numbered 0 to 4 connected by one-way passages, the mouse starting in room 0 and the cat in room 1; the legend distinguishes controllable from uncontrollable passages.]

[Fig. 5. Plant model: states x0 (labeled p0), x1 (labeled p1), x2 (labeled p2), x3 and x4; uncontrollable events u1, u2 and controllable events c1, c2, c3.]

Remark 7. The algorithm given in [2] for the control of MTL (LTL together with real-time constraints) is sound but not complete, which was not clarified there. Since an LTL formula is also an MTL formula, we can apply the algorithm given in [2] to the example of Figure 3. The algorithm in [2] will answer "no" for the existence of a supervisor for the above example. But we know that a supervisor does exist, thereby demonstrating the incompleteness of the algorithm given in [2].

4. Illustrative example. In this section, we give a simple example to illustrate our result. This is a traffic control problem of a mouse in a maze. The maze, shown in Figure 4, consists of five rooms connected by various one-way passages, some of which can be closed through control. There is also a cat which always stays in room 1. The mouse is initially in room 0, but it can visit other rooms by using the one-way passages. Our task is to design a supervisor to control the passages in order to guarantee that

Spec 1 The mouse never visits room 1, where the cat stays (this is a safety property).

Spec 2 The mouse can go to room 0 for play at any time it wants to (this is a nonblocking property).

Spec 3 The mouse shall visit room 2 for food infinitely often (this is a liveness property).

Spec 4 The mouse shall never be locked in a room (this is a nonterminating property).

The above problem can be formulated as a supervisory control problem of a discrete event system with a CTL specification as follows. The system is modeled as a plant P = (X, Σ, δP, x0, AP, LP), which is shown in Figure 5, where X = {x_i, i = 0, 1, 2, 3, 4}; Σ = {c1, c2, c3, u1, u2}, Σc = {c1, c2, c3}; AP = {p0, p1, p2}; LP(x0) = {p0, ¬p1, ¬p2}, LP(x1) = {¬p0, p1, ¬p2}, LP(x2) = {¬p0, ¬p1, p2}, LP(x3) = LP(x4) = {¬p0, ¬p1, ¬p2}. The specification is given by the CTL formula f = AG¬p1 ∧ AGEFp0 ∧ AGAFp2 ∧ AGEXtrue, where the ith conjunct corresponds to Spec i.

[Fig. 6. Tableau and model for f ∧ fP. (a) Tableau with states s0 (f, x0), s1 (f, x2), s2 (f, x3), s3 (f, x4), s4 (x0), s5 (x2), s6 (x3), s7 (x4). (b) Model with states s0, s1, s4, s5.]

[Fig. 7. Supervisor for the cat-mouse example; its states are taken from the model of Fig. 6(b), with events u1 and c3 and labels p0 and p2.]

Now we can use Algorithm 2 for the supervisor synthesis of the above control problem. We first obtain the tableau T for the formula f ∧ fP, where fP is the CTL formula encoding the plant P (for brevity fP is omitted here). The tableau T = (ST, AP′, RT, LT) is shown in Figure 6(a), where for 0 ≤ i ≤ 3, LT(si) = {f} ∪ LT(si+4), and for i > 3,

LT(s4) = {p0, ¬p1, ¬p2, AG¬p1, AGEFp0, AGAFp2, AGEXtrue, AXAG¬p1, EFp0, AXAGEFp0, AFp2, AXAGAFp2, EXtrue, AXAGEXtrue, AXAFp2, x0, EXx2};

LT(s5) = {¬p0, ¬p1, p2, AG¬p1, AGEFp0, AGAFp2, AGEXtrue, AXAG¬p1, EFp0, AXAGEFp0, AFp2, AXAGAFp2, EXtrue, AXAGEXtrue, EXEFp0, x2};

LT(s6) = {¬p0, ¬p1, ¬p2, AG¬p1, AGEFp0, AGAFp2, AGEXtrue, AXAG¬p1, EFp0, AXAGEFp0, AFp2, AXAGAFp2, EXtrue, AXAGEXtrue, EXEFp0, AXAFp2, x3, EXx2, EXx4};

LT(s7) = {¬p0, ¬p1, ¬p2, AG¬p1, AGEFp0, AGAFp2, AGEXtrue, AXAG¬p1, EFp0, AXAGEFp0, AFp2, AXAGAFp2, EXtrue, AXAGEXtrue, EXEFp0, AXAFp2, x4, EXx3}.

Next a model M = (Q, R, AP′, L) for f ∧ fP is derived and this is shown in Figure 6(b), where Q = {s0, s1, s4, s5} ⊂ ST, R = RT|Q and L = LT|Q, the restriction of RT and LT, respectively, to Q.

Finally a supervisor S is obtained from M and is shown in Figure 7. It follows that the mouse moves between rooms 0 and 2 only, and hence obviously the controlled system P||S satisfies the given specification.

5. Conclusion. We studied the supervisory control problem for systems with temporal logic specifications. The full branching time logic of CTL* is used for expressing the control specifications. The main contributions of the paper are summarized as follows:

1. CTL* temporal logic allows the control constraints on the sequences of states which can be also captured by a regular ∗-language or ω-language, as well as on the more general branching structures of states which cannot be captured by a regular ∗-language or ω-language as shown in Example 1.

2. For the first time a sound and complete supervisory synthesis algorithm for CTL* specifications has been obtained. (Supervisors are allowed to be nondeterministic as this allows for the existence of a supervisor for a larger class of CTL* specifications.)

3. By reducing the control problem to the decision problem, a small model theorem for the CTL* control is derived.

4. The computational complexity of the control algorithms has been derived: the control problem for CTL* (resp., CTL) is complete for deterministic double (resp., single) exponential time in the length of the specification formula. Further, it is polynomial in the number of plant states.

5. Usage of temporal logic specifications does not increase the computational complexity of supervisor synthesis (compared to that of formal language/automata-based specifications).

The last point above requires further clarification. In some cases, a property may be expressed either by a CTL* formula or by a ∗-language or an ω-language. For these cases we can compare our method with that based on a finite state automaton. If we use a finite state automaton accepting a ∗-language to give the specification, then the supervisor synthesis is polynomial in the product of the number of plant states and the number of states of the specification automaton. From the known tableau construction methods, we know that the number of states in an automaton model of a temporal logic formula is exponential in the length of the formula (whenever the formula can be represented by an automaton). So if we start with a temporal logic specification (that can also be expressed as an automaton), convert it to an automaton, and apply the existing supervisory control theory results, then the resulting computational complexity will be polynomial in the number of plant states and single exponential in the length of the temporal logic specification formula. This matches the complexity of our algorithm, and so there is no loss of computational complexity from the approach developed above, yet there is a gain in expressibility since a temporal logic formula is more compact. The use of temporal logic shifts the burden from the user (who gives the specification) to the supervisor designer (who computes the supervisor): computation of a supervisor for a temporal logic specification, although more involved, has the same complexity.

A. Supervisor synthesis for CTL specification. We assume that the given CTL formula f is in positive normal form. We use ∼f1 to denote the formula in positive normal form equivalent to ¬f1. We begin with a few definitions taken from [6]. The closure of f, cl(f), is the smallest set of formulas containing f and satisfying

• each subformula of f that is a state formula is in cl(f);

• if EFf1, EGf1, E[f1Uf2], or E[f1Bf2] is in cl(f), then, respectively, EXEFf1, EXEGf1, EXE[f1Uf2], or EXE[f1Bf2] is in cl(f);

• if AFf1, AGf1, A[f1Uf2], or A[f1Bf2] is in cl(f), then, respectively, AXAFf1, AXAGf1, AXA[f1Uf2], or AXA[f1Bf2] is in cl(f).

The extended closure of f is defined as ecl(f) = cl(f) ∪ {∼f1 | f1 ∈ cl(f)}. Note that |ecl(f)| = O(|f|), where |f| denotes the length of f.

We say that a formula is elementary provided that it is a proposition, is the negation of a proposition, or is in the form of AXf1 or EXf1. Any other formula is nonelementary. Each nonelementary formula may be viewed as either a conjunctive α-formula, α = α1 ∧ α2, or a disjunctive β-formula, β = β1 ∨ β2. Clearly, f1 ∧ f2 is an α formula and f1 ∨ f2 is a β formula. A formula such as AGf1, A[f1Uf2], A[f1Bf2], etc., may be classified as an α or β formula based on its fix-point characterization; e.g., AGf1 = f1 ∧ AXAGf1 is an α formula and EFf1 = f1 ∨ EXEFf1 is a β formula. The classification for all nonelementary formulas is given as follows.

α-formula α = α1 ∧ α2:

• α = f1 ∧ f2: α1 = f1, α2 = f2;

• α = A[f1Bf2]: α1 = ∼f2, α2 = f1 ∨ AXA[f1Bf2];

• α = E[f1Bf2]: α1 = ∼f2, α2 = f1 ∨ EXE[f1Bf2];

• α = AGf1: α1 = f1, α2 = AXAGf1;

• α = EGf1: α1 = f1, α2 = EXEGf1.

β-formula β = β1 ∨ β2:

• β = f1 ∨ f2: β1 = f1, β2 = f2;

• β = A[f1Uf2]: β1 = f2, β2 = f1 ∧ AXA[f1Uf2];

• β = E[f1Uf2]: β1 = f2, β2 = f1 ∧ EXE[f1Uf2];

• β = AFf1: β1 = f1, β2 = AXAFf1;

• β = EFf1: β1 = f1, β2 = EXEFf1.

A state transition graph M = (Q, R, AP, L) is called a structure if the relation R is required to be total; otherwise M is called a prestructure. An interior node of a prestructure is one with at least one successor. A frontier node is one with no successors. A prestructure M1 = (Q1, R1, AP, L1) is said to be contained in a structure M2 = (Q2, R2, AP, L2) whenever Q1 ⊆ Q2, R1 ⊆ R2, and L1 = L2|Q1, the restriction of L2 to Q1; M1 is said to be cleanly embedded in M2 provided M1 is contained in M2, and also every interior node of M1 has the same set of successors as its corresponding node in M2.

The following consistency requirements are associated with the labeling function L of a (pre)structure. Since we consider the control of CTL, the definition of L is extended as L : Q → 2^ecl(f), where f is the specification formula. ∀q ∈ Q, we have zero-step consistency rules,

ZS0 p ∈ L(q) ⇒ ∼p ∉ L(q);

ZS1 α ∈ L(q) ⇒ [(α1 ∈ L(q)) ∧ (α2 ∈ L(q))];

ZS2 β ∈ L(q) ⇒ [(β1 ∈ L(q)) ∨ (β2 ∈ L(q))];

one-step consistency rules,

OS0 AXp ∈ L(q) ⇒ [∀q′ ∈ Q, ((q, q′) ∉ R) ∨ (p ∈ L(q′))];

OS1 EXp ∈ L(q) ⇒ [∃q′ ∈ Q, ((q, q′) ∈ R) ∧ (p ∈ L(q′))].

A fragment is a prestructure whose graph is a directed acyclic graph (DAG) such that all its nodes satisfy rules ZS0–ZS2 and OS0 and all its interior nodes satisfy rule OS1.

A formula of the form A[pUp′] or E[pUp′] is called an eventuality formula. Since AFp′ and EFp′ are special cases of A[pUp′] and E[pUp′], respectively, they are also eventuality formulas.


An eventuality formula (AFp′, A[pUp′], EFp′, or E[pUp′]) is said to be fulfilled in a structure M = (Q, AP, R, L) if ∀q ∈ Q:

• AFp′ ∈ L(q) (resp., A[pUp′] ∈ L(q)) implies that there is a finite fragment, called DAG[q, AFp′] (resp., DAG[q, A[pUp′]]), rooted at q and cleanly embedded in M such that for all frontier nodes t of the fragment, p′ ∈ L(t), and for all interior nodes u of the fragment, true (resp., p) ∈ L(u);

• EFp′ ∈ L(q) (resp., E[pUp′] ∈ L(q)) implies that there is a finite fragment, called DAG[q, EFp′] (resp., DAG[q, E[pUp′]]), rooted at q and cleanly embedded in M such that for some frontier node t of the fragment, p′ ∈ L(t), and there exists one path from q to t in the fragment such that for all interior nodes u along the path, true (resp., p) ∈ L(u).

An eventuality formula (AFp′, A[pUp′], EFp′, or E[pUp′]) is said to be pseudofulfilled in a structure M = (Q, AP, R, L) if ∀q ∈ Q,

• AFp′ ∈ L(q) (resp., A[pUp′] ∈ L(q)) implies that there is a finite fragment, called DAG[q, AFp′] (resp., DAG[q, A[pUp′]]), rooted at q and contained in M such that for all frontier nodes t of the fragment, p′ ∈ L(t), and for all interior nodes u of the fragment, true (resp., p) ∈ L(u);

• EFp′ ∈ L(q) (resp., E[pUp′] ∈ L(q)) implies that there is a finite fragment, called DAG[q, EFp′] (resp., DAG[q, E[pUp′]]), rooted at q and contained in M such that for some frontier node t of the fragment, p′ ∈ L(t), and there exists one path from q to t in the fragment such that for all interior nodes u along the path, true (resp., p) ∈ L(u).

Now we present a supervisor synthesis algorithm for the control of CTL, which is based on the decision procedure for CTL [6]. The algorithm differs from the decision procedure as follows:

• A modular method is used for the tableau construction. It ensures that the worst-case complexity of the algorithm is polynomial in the size of the plant.

• A supervisor, not a model, is finally synthesized.

Let f be the given CTL specification formula, fP be the CTL formula encoding the given deterministic nonterminating plant P, and AP′ = AP ∪ X be the extended atomic proposition set. Since we require the controlled plant to be nonterminating, we can assume that f is in the form of f = f′ ∧ AGEXtrue. Then the algorithm is given as follows.

Algorithm 2. Supervisor Synthesis Algorithm for CTL Specification.

1. Test the satisfiability of the CTL formula f ∧ fP. This step is done by using the decision procedure for CTL as follows:

(a) Construct a tableau T for the CTL formula f ∧ fP. We use a modular method to obtain the tableau T as follows:

i. Construct a tableau Tf for the CTL specification formula f. Tf is constructed from a bipartite graph T0 = (C ∪ D, RCD ∪ RDC, AP, L0), where nodes in C are called states, nodes in D are called prestates, and each node is uniquely identified by its label defined by L0; RCD ⊆ C × D and RDC ⊆ D × C are transition relations; L0 : C ∪ D → ecl(f) is the labeling function. Initially, C, RCD, and RDC are all empty, and D contains a single prestate d labeled with f. Repeat the following until no more nodes and transitions can be added into T0: let e be a frontier node of T0,

• if e ∈ D, then let {Li ⊆ ecl(f) | 1 ≤ i ≤ k} be the set of all possible labels such that ∀i ∈ {1, 2, . . . , k}, "[Li is a minimal superset of L0(e)] ∧ [Li satisfies rules ZS0–ZS2] ∧ [∀p ∈ AP, (p ∈ Li) ∨ (¬p ∈ Li)]," and for each Li create a state ci with L0(ci) = Li, and add ci into C if ci ∉ C, and (e, ci) into RDC;

• if e ∈ C is labeled with the next-time formulas {AXp1, . . . , AXpj, EXp′1, . . . , EXp′k}, then ∀i ∈ {1, . . . , k}, create prestates di labeled with {p1, . . . , pj, p′i}, and add di into D if di ∉ D, and (e, di) into RCD.

The tableau Tf is obtained as Tf = (Cf, Rf, AP, Lf), where Cf = C, Rf = RCD ∘ RDC, and Lf = L0|C, the restriction of L0 to C.

ii. Derive the tableau T for f ∧ fP from the synchronous composition of the plant P = (X, Σ, δP, x0, AP, LP) and the tableau Tf = (Cf, Rf, AP, Lf) as follows: T = (ST, RT, AP′, LT), where

• ST ⊆ Cf × X is the state set, ST = {(t, x) ∈ Cf × X | Lf(t) and LP(x) are propositionally consistent}, where "Lf(t) and LP(x) are propositionally consistent" means that ∀p ∈ AP, [p ∈ (Lf(t) ∪ LP(x)) ⇒ ¬p ∉ (Lf(t) ∪ LP(x))];

• AP′ = AP ∪ X;

• RT ⊆ ST × ST is the transition relation, RT = {((t, x), (t′, x′)) ∈ ST × ST | (t, t′) ∈ Rf, and ∃σ ∈ Σ s.t. δP(x, σ) = x′};

• LT is the labeling function defined as ∀(t, x) ∈ ST, LT((t, x)) = Lf(t) ∪ LP(x) ∪ {x} ∪ {EXy | y ∈ X, ∃σu ∈ Σu, y = δP(x, σu)}.

(b) Test the tableau T for the existence of a model for f ∧ fP. This is done by first pruning (see below) the tableau T to ensure that the consistency and pseudofulfillment of eventualities are satisfied in T, then checking in the pruned tableau T whether there exists a state s0 such that {f, x0} ⊆ LT(s0). If there exists such a state, then and only then f ∧ fP is satisfiable. If f ∧ fP is satisfiable, then go to the next step; otherwise stop the algorithm and output that "no supervisor exists."

The pruning of T is achieved by repeatedly applying the following deletion rules until no more nodes can be deleted from T:

• Delete any state which has no successors.

• Delete any state which violates rule OS1.

• Delete any state s such that ∃r ∈ LT(s), r is an eventuality formula, and r is not pseudofulfilled at s.

To test the pseudofulfillment of an eventuality formula at each state in T, the following ranking procedure can be used. For an A[pUq] eventuality, initially assign rank 1 to all nodes labeled with q and rank ∞ to all other nodes. Then for each node s and each formula r such that EXr ∈ LT(s), define SUCCr(s) = {s′ | (s, s′) ∈ R, r ∈ LT(s′)} and compute rank(SUCCr(s)) = min_{s′}{rank(s′) | s′ ∈ SUCCr(s)}. Now for each node s of rank ∞ such that p ∈ LT(s), let rank(s) = 1 + max_r{rank(SUCCr(s)) | EXr ∈ LT(s)}. Since AGEXtrue is contained in f, the formula EXtrue is labeled at every node in T. So the above procedure is well defined. Repeatedly apply the above ranking procedure until stabilization. A node s has a finite rank if and only if A[pUq] is pseudofulfilled at s in T. Testing for the pseudofulfillment of AFq follows from the above since it is a special case of A[pUq]. For testing the pseudofulfillment of E[pUq], a similar procedure as above can be applied, with the only modification that rank(s) = 1 + min_r{rank(SUCCr(s)) | EXr ∈ LT(s)}. Testing for the pseudofulfillment of EFq is again a special case of E[pUq].
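The ranking procedure above, as an added Python example that is not code from the paper: ranks are computed for A[pUq] (max over the EX obligations) and E[pUq] (min over them) on a small hand-constructed tableau fragment, with next-time formulas encoded as ("EX", r) tuples. The node names, labels and successor relation are constructed for illustration and are not the cat-mouse tableau of Figure 6.

```python
# Rank-based pseudofulfillment test for A[pUq] / E[pUq] eventualities,
# following the ranking procedure of Algorithm 2, step 1(b).
# Added example (not the paper's code); the tableau fragment is constructed.
INF = float("inf")


def succ_r(graph, labels, s, r):
    """SUCC_r(s) = {s' | (s, s') in R, r in L(s')}; r == "true" matches every successor."""
    return [t for t in graph.get(s, ()) if r == "true" or r in labels[t]]


def rank_eventuality(graph, labels, p, q, universal=True):
    """Stabilized rank of every node for A[pUq] (universal=True) or E[pUq]
    (universal=False); use p == "true" for AFq / EFq.  A node is pseudofulfilled
    for the eventuality iff its rank is finite."""
    # Initial assignment: rank 1 for nodes labeled with q, infinity elsewhere.
    rank = {s: 1 if q in labels[s] else INF for s in labels}
    combine = max if universal else min  # A[pUq]: max over r; E[pUq]: min over r
    changed = True
    while changed:  # repeat until stabilization
        changed = False
        for s in labels:
            if rank[s] != INF or (p != "true" and p not in labels[s]):
                continue
            # rank(SUCC_r(s)) = min rank over successors labeled r, per EXr in L(s)
            succ_ranks = [
                min((rank[t] for t in succ_r(graph, labels, s, f[1])), default=INF)
                for f in labels[s] if isinstance(f, tuple) and f[0] == "EX"
            ]
            if not succ_ranks:  # cannot happen when AGEXtrue is a conjunct of f
                continue
            new_rank = 1 + combine(succ_ranks)
            if new_rank != INF:
                rank[s] = new_rank
                changed = True
    return rank


def pseudofulfilled(graph, labels, p, q, universal=True):
    """Set of nodes at which the eventuality is pseudofulfilled (finite rank)."""
    return {s for s, v in rank_eventuality(graph, labels, p, q, universal).items()
            if v != INF}


def sample_tableau():
    """Constructed tableau fragment: successor relation R and labels L.
    Every node carries EXtrue, as guaranteed by the AGEXtrue conjunct."""
    graph = {
        "s0": ["s1", "s2"],
        "s1": ["s0"],
        "s2": ["s2"],        # p forever, q never reached
        "s3": ["s1"],
        "s4": ["s1", "s5"],  # EXz forces the fragment to include a z-successor
        "s5": ["s5"],        # the only z-labeled successor never reaches q
    }
    labels = {
        "s0": {"p", ("EX", "true"), ("EX", "q")},
        "s1": {"q", ("EX", "true")},
        "s2": {"p", ("EX", "true")},
        "s3": {"p", ("EX", "true"), ("EX", "q")},
        "s4": {"p", ("EX", "true"), ("EX", "z")},
        "s5": {"p", "z", ("EX", "true")},
    }
    return graph, labels


if __name__ == "__main__":
    g, L = sample_tableau()
    print("A[pUq] ranks:", rank_eventuality(g, L, "p", "q", True))
    print("E[pUq] ranks:", rank_eventuality(g, L, "p", "q", False))
```

Node s4 separates the two cases: under A[pUq] its EXz obligation can only be met by s5, which never reaches q, so the rank stays ∞ and the pruning rule would delete s4; under E[pUq] the path through s1 suffices and s4 gets rank 2.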

2. Extract a model M for the formula f ∧ fP from the tableau T. M = (Q, R, AP′, L) is extracted from T = (ST, RT, AP′, LT) as follows [6]. For each state s in ST and each eventuality q in ecl(f), we construct a directed acyclic graph rooted at s, DAGG[s, q]. If the eventuality q ∈ LT(s), then DAGG[s, q] = DAG[s, q]; otherwise DAGG[s, q] is taken to be the subgraph consisting of s and a sufficient set of successors to ensure that one-step consistency rules OS0–1 are satisfied. Next we take each DAGG[s, q] and arrange them in a matrix by putting DAGG[sj, qi] in the ith row and the jth column of the matrix. The matrix has a dimension of m × n, where m (resp., n) is the number of eventualities (resp., states) in the tableau T. Then we connect all the DAGGs in the matrix together in the following way: for any frontier node s in the ith row, merge it with the corresponding root node s of DAGG[s, qi+1] in the (i + 1)th row; for any frontier node s in the last row, merge it with the corresponding root node s of DAGG[s, q1] in the first row. We use M = (Q, R, AP′, L) to represent the above finite state transition graph, where Q is the set of states in the graph, R is the transition relation of the graph, and L is the labeling function for each state in the graph which is a natural extension of LT. M defines a model for f ∧ fP, i.e., ∃q0 ∈ Q such that ⟨M, q0⟩ ⊨ f ∧ fP.

3. Derive a supervisor S from the model M of f ∧ fP. Since M = (Q, R, AP′, L) is a model of f ∧ fP, we know that ∃q0 ∈ Q, ⟨M, q0⟩ ⊨ f ∧ fP. We can get a control-compatible and propositionally consistent supervisor S = (Y, Σ, δS, y0, LS) from M using the same method as given in the proof of Theorem 3 as follows: Y ⊆ Q is the set of states which are reachable from q0 in M; ∀y ∈ Y, ∀σ ∈ Σ,

δS(y, σ) = {y′ | [(y, y′) ∈ R] ∧ [x′ = δP(x, σ)], where {x′} = L(y′) ∩ X and {x} = L(y) ∩ X};

y0 = q0; and ∀y ∈ Y, LS(y) = L(y) ∩ (AP ∪ {¬p | p ∈ AP}).

Remark 8. From Theorem 3, and using an argument similar to the soundness and completeness of the decision procedure for CTL [6], we can conclude that Algorithm 2 for control synthesis for CTL is sound and complete. It is easy to check that Algorithm 2 has a worst-case complexity of single exponential in the length of the specification CTL formula f and polynomial in the number of states of the plant P. It matches the lower bound complexity of the CTL control problem given in Theorem 5.

REFERENCES

[1] M. Antoniotti, Synthesis and Verification of Discrete Controllers for Robotics and Manufacturing Devices with Temporal Logic and Control-D Systems, Ph.D. thesis, Department of Computer Science, New York University, New York, 1995.

[2] M. Barbeau, F. Kabanza, and R. St.-Denis, A method for the synthesis of controllers to handle safety, liveness, and real-time constraints, IEEE Trans. Automat. Control, 43 (1998), pp. 1543–1559.

[3] E. M. Clarke, O. Grumberg, and D. A. Peled, Model Checking, MIT Press, Cambridge, MA, 1999.

[4] A. R. Deshpande and P. Varaiya, Semantic tableau for control of PLTL formulae, in Proceedings of 35th IEEE Conference on Decision and Control, Kobe, Japan, 1996.

[5] E. A. Emerson, Automata, tableaux, and temporal logic, in Proceedings of Conference on Logics of Programs, Lecture Notes in Comput. Sci. 193, R. Parikh, ed., Springer-Verlag, Berlin, 1985, pp. 79–88.

[6] E. A. Emerson, Temporal and modal logic, in Handbook of Theoretical Computer Science, J. van Leeuwen, ed., Elsevier Science Publishers, New York, 1990.

[7] E. A. Emerson and J. Y. Halpern, "Sometimes" and "not never" revisited: On branching versus linear time temporal logic, J. ACM, 33 (1986), pp. 151–178.

[8] E. A. Emerson and C. S. Jutla, The complexity of tree automata and logics of programs, in Proceedings of 29th Annual IEEE-CS Symposium on Foundations of Computer Science, 1988, pp. 328–337.

[9] E. A. Emerson and A. P. Sistla, Deciding full branching time logic, Inform. Control, 61 (1984), pp. 175–201.

[10] R. Gerth, D. Peled, M. Vardi, and P. Wolper, Simple on-the-fly automatic verification of linear temporal logic, in Protocol Specification, Testing and Verification, Chapman and Hall, London, 1995, pp. 3–18.

[11] G. E. Hughes and M. J. Cresswell, Introduction to Modal Logic, Methuen, London, 1977.

[12] M. R. Huth and M. D. Ryan, Logic in Computer Science: Modeling and Reasoning about Systems, Cambridge University Press, Cambridge, UK, 2000.

[13] K. Inan, Nondeterministic supervision under partial observations, in Lecture Notes in Control and Inform. Sci. 199, G. Cohen and J.-P. Quadrat, eds., Springer-Verlag, New York, 1994, pp. 39–48.

[14] J. F. Knight and K. M. Passino, Decidability for a temporal logic used in discrete-event system analysis, Internat. J. Control, 52 (1990), pp. 1489–1506.

[15] P. R. Kumar and P. Varaiya, Stochastic Systems: Estimation, Identification and Adaptive Control, Prentice–Hall, Englewood Cliffs, NJ, 1986.

[16] R. Kumar and V. K. Garg, Modeling and Control of Logical Discrete Event Systems, Kluwer Academic Publishers, Boston, 1995.

[17] R. Kumar, S. Jiang, C. Zhou, and W. Qiu, Polynomial synthesis of supervisor for partially observed discrete event systems by allowing nondeterminism in control, IEEE Trans. Automat. Control, 50 (2005), pp. 463–475.

[18] O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi, Open systems and reactive environments: Control and synthesis, in Proceedings of 11th Conference on Concurrency Theory, Lecture Notes in Comput. Sci. 1877, Springer-Verlag, New York, 2000, pp. 92–107.

[19] O. Kupferman and M. Y. Vardi, Robust satisfaction, in Proceedings of 10th Conference on Concurrency Theory, Lecture Notes in Comput. Sci. 1664, Springer-Verlag, New York, 1999, pp. 382–398.

[20] O. Kupferman, M. Y. Vardi, and P. Wolper, Module checking, Inform. Comput., 164 (2001), pp. 322–344.

[21] F. Lin, Analysis and synthesis of discrete event systems using temporal logic, Control Theory Adv. Tech., 9 (1993), pp. 341–350.

[22] J.-Y. Lin and D. Ionescu, Verifying a class of nondeterministic discrete event systems in a generalized temporal logic, IEEE Trans. Systems Man Cybernet., 22 (1992), pp. 1461–1469.

[23] J.-Y. Lin and D. Ionescu, Reachability synthesis procedure for discrete event systems in a temporal logic, IEEE Trans. Systems Man Cybernet., 24 (1994), pp. 1397–1406.

[24] J. S. Ostroff, Synthesis of controllers for real-time discrete event systems, in Proceedings of 28th IEEE Conference on Decision and Control, Tampa, FL, 1989.

[25] J. S. Ostroff and W. M. Wonham, A framework for real-time discrete event control, IEEE Trans. Automat. Control, 35 (1990), pp. 386–397.

[26] K. M. Passino and P. J. Antsaklis, Branching time temporal logic for discrete event system analysis, in Proceedings of 1988 Allerton Conference on Communication, Control, and Computing, University of Illinois, Allerton, IL, 1988, pp. 1160–1169.

[27] A. Pnueli, The temporal logic of programs, in Proceedings of 18th Annual Symposium on Foundations of Computer Science, Providence, RI, Nov. 1977, pp. 46–57.

[28] P. J. Ramadge and W. M. Wonham, Supervisory control of a class of discrete event processes, SIAM J. Control Optim., 25 (1987), pp. 206–230.

[29] S. Safra, On the complexity of ω-automata, in Proceedings of 1988 Annual Symposium on the Foundations of Computer Science, White Plains, NY, 1988, pp. 319–327.

[30] K. T. Seow and R. Devanathan, Temporal framework for assembly sequence representation and analysis, IEEE Trans. Robotics Automation, 10 (1994), pp. 220–229.

[31] K. T. Seow and R. Devanathan, A temporal logic approach to discrete event control for the safety canonical class, Systems Control Lett., 28 (1996), pp. 205–217.

[32] J. G. Thistle and W. M. Wonham, Control problems in temporal logic framework, Internat. J. Control, 44 (1986), pp. 943–976.

[33] J. G. Thistle and W. M. Wonham, Control of infinite behavior of finite automata, SIAM J. Control Optim., 32 (1994), pp. 1075–1097.

[34] H. Wong-Toi and D. L. Dill, Synthesizing processes and schedulers from temporal specifications, in Proceedings of the 1990 Computer-Aided Verification Workshop, Lecture Notes in Comput. Sci. 531, Springer-Verlag, New York, 1990, pp. 272–281.