## Section: Scientific Foundations

### Controller Synthesis

**The Supervisory Control Problem** is concerned with ensuring
(not only checking) that a computer-operated system works correctly.
More precisely, given a specification model and a required property,
the problem is to control the specification's behavior, by coupling
it to a supervisor, such that the controlled specification satisfies
the property [41]. The models used are LTSs, say
G, and the associated languages, say , which make a
distinction between *controllable* and *non-controllable*
actions and between *observable* and *non-observable*
actions. Typically, the controlled system is constrained by the
supervisor, which acts on the system's controllable actions and
forces it to behave as specified by the property. The control
synthesis problem can be seen as a constructive verification
problem: building a supervisor that prevents the system from
violating a property. Several kinds of properties can be ensured
such as reachability, invariance (i.e. safety), attractivity, etc.
Techniques adapted from model checking are then used to compute the
supervisor w.r.t. the objectives. Optimality must be taken into
account, as one often wants to obtain a supervisor
that constrains the system as little as possible.

**The Supervisory Control Theory overview**. Supervisory control
theory deals with the control of Discrete Event Systems
[41]. In this theory, the behavior of the system
S is assumed not to be fully satisfactory. Hence, it has to be
restricted by means of a feedback control (named Supervisor or
Controller) in order to achieve a given set of
requirements [41]. Namely, if S denotes the
specification of the system and is a safety property that has
to be ensured on S (i.e. S¬ ), the problem consists
in computing a supervisor , such that

where is the classical parallel composition between two
LTSs. Given S, some events of S are said to be uncontrollable
(_{uc} ), i.e. the occurrence of these events cannot be
prevented by a supervisor, while the others are controllable
(_{c} ). This means that not all the supervisors satisfying
(1) are good candidates. In fact, the behavior of the
controlled system must respect an additional condition that happens to
be similar to the ioco conformance relation that we previously
defined in 3.3. This condition is called the *controllability condition* and is defined as follows.

Namely, when acting on S, a supervisor is not allowed to disable
uncontrollable events. Given a safety property , that can be
modeled by an LTS , there actually exist many different
supervisors satisfying both (1) and (2). Among all
the valid supervisors, we are interested in computing the supremal
one, i.e. the one that restricts the system as little as possible. It has
been shown in [41] that such a supervisor always
exists and is unique. It gives access to a behavior of the controlled
system that is called the supremal controllable sub-language of
w.r.t. S and _{uc}. In some situations, it may
also be interesting to force the controlled system to be non-blocking
(see [41] for details).

The underlying techniques are similar to the ones used for Automatic Test Generation. They consist in computing a product between the specification and the property, and removing from the obtained LTS the states that may lead, by triggering only uncontrollable events, to states that violate the property.
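As an added illustration (not code from the report or the VerTeCs team), the following Python program carries out the technique just described on a constructed plant and property: it builds the product of the two LTSs, removes by a backward fixpoint every state from which a violation is reachable through uncontrollable events alone, and keeps everything else, which yields the supremal supervisor of the previous paragraphs. The `is_controllable` function checks the controllability condition (2) on the result. All state and event names (a document editor with `fault` and `autosave` as uncontrollable events) are invented for the example.

```python
from collections import deque

# Constructed example plant G (not from the report): a document editor.
# Controllable events: open, write, close, enable_autosave.
# Uncontrollable events: fault, autosave (the environment fires them).
PLANT = {"init": "idle", "trans": {
    ("idle", "open"): "editing",
    ("editing", "write"): "editing", ("editing", "close"): "idle",
    ("editing", "fault"): "degraded", ("editing", "enable_autosave"): "autosaving",
    ("degraded", "write"): "degraded", ("degraded", "close"): "idle",
    ("autosaving", "write"): "autosaving", ("autosaving", "autosave"): "autosaving",
    ("autosaving", "close"): "idle", ("autosaving", "fault"): "unsafe",
    ("unsafe", "autosave"): "unsafe", ("unsafe", "close"): "idle",
}}
UNCONTROLLABLE = {"fault", "autosave"}

# Constructed safety property as an LTS: after a fault, nothing may be saved
# (write or autosave) until the document is closed.  An event with no
# transition from the property's current state is forbidden there.
PROPERTY = {"init": "normal", "trans": {
    **{("normal", e): "normal" for e in ("open", "write", "close", "enable_autosave", "autosave")},
    ("normal", "fault"): "after_fault",
    **{("after_fault", e): "after_fault" for e in ("open", "fault", "enable_autosave")},
    ("after_fault", "close"): "normal",
}}


def enabled(lts, state):
    """Map event -> successor for the events enabled in `state`."""
    return {e: t for (s, e), t in lts["trans"].items() if s == state}


def product(plant, prop):
    """Synchronous product of plant and property, restricted to reachable
    states.  `violations[s]` holds the plant events the property forbids in s."""
    init = (plant["init"], prop["init"])
    trans, violations, seen, queue = {}, {}, {init}, deque([init])
    while queue:
        g, p = queue.popleft()
        violations[(g, p)] = set()
        p_enabled = enabled(prop, p)
        for e, g2 in enabled(plant, g).items():
            if e not in p_enabled:
                violations[(g, p)].add(e)  # plant can do e, property forbids it
                continue
            nxt = (g2, p_enabled[e])
            trans[((g, p), e)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, trans, violations


def synthesize(plant, prop, uncontrollable):
    """Supremal supervisor: state -> set of events it allows, or None if even the
    initial state can be driven to a violation by uncontrollable events."""
    states, trans, violations = product(plant, prop)
    # A state is bad if the property is violated by an uncontrollable event...
    bad = {s for s in states if violations[s] & uncontrollable}
    # ...or if an uncontrollable event leads to a bad state (backward fixpoint):
    # no supervisor can disable that event, so the state must be avoided too.
    changed = True
    while changed:
        changed = False
        for (s, e), t in trans.items():
            if e in uncontrollable and t in bad and s not in bad:
                bad.add(s)
                changed = True
    init = (plant["init"], prop["init"])
    if init in bad:
        return None
    # Keep every transition into a good state; only controllable transitions
    # into bad states (and controllable violating events) get disabled, which
    # is what makes the supervisor the least restrictive one.
    supervisor, queue = {}, deque([init])
    while queue:
        s = queue.popleft()
        if s in supervisor:
            continue
        supervisor[s] = {e for (s2, e), t in trans.items() if s2 == s and t not in bad}
        queue.extend(trans[(s, e)] for e in supervisor[s])
    return supervisor


def is_controllable(supervisor, plant, uncontrollable):
    """Controllability condition: in every supervised state, every uncontrollable
    event the plant enables stays enabled under the supervisor."""
    return all(e in allowed
               for (g, _), allowed in supervisor.items()
               for e in enabled(plant, g) if e in uncontrollable)


if __name__ == "__main__":
    sup = synthesize(PLANT, PROPERTY, UNCONTROLLABLE)
    for state, allowed in sorted(sup.items()):
        print(state, "->", sorted(allowed))
    print("controllable:", is_controllable(sup, PLANT, UNCONTROLLABLE))
```

On this input the supervisor disables `enable_autosave` while editing (an uncontrollable `fault` could then be followed by an uncontrollable `autosave`, which the property forbids) and disables `write` in the degraded state, but leaves `fault` enabled everywhere, as the controllability condition requires. Making `enable_autosave` uncontrollable as well turns the supremal supervisor into the one that never opens a document, which is the degenerate case the fixpoint detects.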

**Optimal Control.**
We are also interested in the Optimal Control Problem. The purpose of
optimal control is to study the behavioral properties of a system in
order to generate a supervisor that constrains the system to a desired
behavior according to quantitative and qualitative requirements. In
this spirit, we have been working on the optimal scheduling of a
system through a set of multiple goals that the system had to visit
one by one [37]. We have also extended the results
of [44] to the case of partial observation in order
to handle more realistic
applications [38].

**Control of Structured Discrete Event Systems.** In many
applications and control problems, LTSs are the starting point to model
fragments of a large-scale system, which usually consists of several
composed and nested sub-systems. Knowing that the number of states of
the global system grows exponentially with the number of parallel and
nested sub-systems, we have been interested in designing algorithms
that perform the controller synthesis phase by taking advantage of the
structure of the plant without expanding the system. Given a
concurrent system and a *safety property, modeled as a language* ,
also called specification, that has to be ensured on this system, we
have investigated in e.g. [2] the computation of the
supremal controllable language contained in the expected language. To
do so, we use a modular centralized approach and perform the control
on some approximations of the plant derived from the behavior of each
component. The behavior of these approximations is restricted so that
they respect a new language property for discrete event systems called
the *partial controllability condition*, which depends on the safety
property. It is shown that, under some assumptions, the intersection
of these "controlled approximations" corresponds to the supremal
controllable language contained in the specification with respect to
the plant. This computation is performed without building the whole
plant, hence avoiding the state space explosion induced by the
concurrent nature of the plant.

Similarly, in order to take into account nested behaviors, some techniques based on model aggregation methods [46], [32] have been proposed to deal with hierarchical control problems. Another direction has been proposed in [31]. Brave and Heimann in [31] introduced Hierarchical State Machines, which constitute a simplified version of Statecharts. Compared to classical state machines, they add concurrency and hierarchy features. Some other works dealing with control and hierarchy can be found in [35], [36]. This is the direction we have chosen in the VerTeCs Team [3].