Linear-Time Temporal Logic Control of Discrete Event Models of Cooperative Robots

A Discrete Event System (DES) is a discrete state space dynamic system that evolves in accordance with the instantaneous occurrence, at possibly unkown times, of physical events. Given a DES, its behavior (the sequence of displayed events) may not satisfy a set of logical performance objectives. The purpose of Supervisory Control is to restrict that behavior in order to achieve those objectives. Linear-Time Temporal Logic (LTL) is an extension of Propositional Logic which allows reasoning over an infinite sequence of states. We will use this logical formalism as a way to specify our performance objectives for a given DES and build a supervisor that restricts the DES’ behavior to those objectives by construction. Several simulated application examples illustrate the developed method.


Linear-Time Temporal Logic Control of Discrete Event Models of Cooperative Robots
Bruno Lacerda, Pedro Lima Institute for Systems and Robotics Instituto Superior Técnico Lisbon, Portugal {blacerda, pal}@isr.ist.utl.ptAbstract-A Discrete Event System (DES) is a discrete state space dynamic system that evolves in accordance with the instantaneous occurrence, at possibly unkown times, of physical events.Given a DES, its behavior (the sequence of displayed events) may not satisfy a set of logical performance objectives.The purpose of Supervisory Control is to restrict that behavior in order to achieve those objectives.Linear-Time Temporal Logic (LTL) is an extension of Propositional Logic which allows reasoning over an infinite sequence of states.We will use this logical formalism as a way to specify our performance objectives for a given DES and build a supervisor that restricts the DES' behavior to those objectives by construction.Several simulated application examples illustrate the developed method.
Index Terms-Discrete Event Systems, Supervisory Control, Linear-Time Temporal Logic

I. INTRODUCTION
I N recent years there has been a considerable interest in Discrete Event Systems (DES), whose discrete states change in response to the occurrence of events from a predefined event set.Examples of such systems can be found in communication networks, computer programs, operating systems, manufacturing processes and robotics.One of the main fields of study is Supervisory Control, introduced in [9] and further developed in [2], which focuses on the restriction of a DES behavior in order to satisfy a set of performance objectives.This restriction is, in many cases, performed in an ad-hoc manner, but with the continuing growth of this type of systems, a more generalized framework is needed.In this work, we present a framework to restrict a DES behavior specifying its performance objectives with Linear-Time Temporal Logic (LTL).Using this approach, we guarantee that the required behavior is achieved by construction.Furthermore, in many cases, the specification of the performance objectives using LTL is almost immediate, allowing the supervision of more complex systems.A great deal of work has been done recently in a slightly different context: controlling continuous state space time-driven linear systems with LTL specifications ( [1], [7], [10] ).In this context, a discretization of the linear system is needed before the LTL specification can be enforced, obtaining a discrete space system.The system is then refined to a hybrid system.This approach is mainly used to perform robot motion planning (enforcing a robot to go to certain places and avoid certain obstacles).Our approach is different because we will be concerned with, given a team of robots where we assume that each one can perform a number of tasks individually, coordinating their behavior so that they reach a given objective.For this purpose DES models are more suitable and reduce the involved complexity by comparison to hybrid systems models.LTL enables the formulation of complex sentences by compact logical sentences.The work in divided in three main Sections: In Section 2 we introduce the notions of Discrete Event System and Supervisory Control, explaining how one can see a Finite State Automaton as a DES.In Section 3 we define Linear-Time Temporal Logic and mention a method to build a Büchi automaton that accepts exactly the ω-language of the infinite sequences that satisfy a given formula ϕ.Finally, in Section 4 we congregate all the theory defined throughout this work to present our method of supervisory control and give some operational examples of applications of the presented method.The developed approach is illustrated with simulation examples that are deployed along the paper.

A. Preliminaries
Definition 1 (Discrete Event System): A Discrete Event System is composed of a discrete set X of possible states and a finite set E = {e 1 , ..., e m } of possible events.At a given time t ≥ 0 , the DES is in a given state x ∈ X, which is all the information needed to characterize the system at that time instant.The state of a DES can only be changed by the occurence of an event e ∈ E and these events occur both instanteneously and asynchronously.
The set X is called the state-space of the DES and the set E is called the event-space of the DES.Both these sets must be discrete and E must be finite.We can interpret the state as the task the system if performing at a given moment, such as a robot moving forward, a machine being idle or a computer running a program.The events are interpreted as physical phenomenons, such as a robot's sensor detecting something, a new job arriving to a machine or a program crashing.
Example 1 (Transporting robots): Consider two robots, each one holding one end of a bar.Their objective is to transport the bar to another place.To simplify, assume that the robots can only move a constant distance forward or stop.This situation can be modeled as a DES with X = {Both robots stopped, Robot 1 moving and Robot 2 stopped, Robot 1 stopped and Robot 2 moving, Both robots moving} and A sequence of events in this DES can be ((M ove 1 , t 1 ), (Stop 1 ,t 2 ), (M ove 1 ,t 3 ), (M ove 2 , t 4 ), (Stop 1 ,t 5 ), (Stop 2 , t 6 )), t 1 < t 2 < ... < t 6 .
In this example, one of the robots can move forward to a position where it is too far from the other one, making the bar fall.

B. Modeling Logical DES
There are three levels of abstraction usually considered in the study of DES, Untimed (or logical) DES models, Deterministic Timed DES Models and Stochastic Timed DES Models.
The theory of Supervisory Control is defined over Logical DES Models, so in this work we will introduce Finite State Automata as our modeling framework.
Definition 2 (Finite State Automaton): where: is the set of marked states Deterministic FSA (DFA) and Nondeterministic FSA (NFA) are equivalent, as proven in [5].The following definitions will be made for DFA, but the generalization for NFA is straightforward.f (x, e) = y means that there is a transition labeled by event e from state x to state y.Γ(x) is the set of all events e for which f (x, e) is defined.Note that Γ is uniquely defined by f , it was included in the definition for convenience.We also extend f from domain X × E to domain X × E * in the following recursive manner: Now, we are in conditions to define the languages generated and marked by a DFA.As we will see, the objective of Supervisory Control is to restrict these languages to the strings we consider "legal" for our system.
Definition 3 (Generated and Marked Languages): Let G = (X, E, f, Γ, x 0 , X m ) be a DFA.We define The notion of marked language is used to model "complete tasks" of a DES.We will now introduce three operations over DFA that are very useful in DES modeling and necessary to perform supervision.Definition 4 (Acessible Part): Let G = (X, E, f, Γ, x 0 , X m ) be a DFA.The accessible part of G is the DFA Ac(G) = (X ac , E, f ac , Γ ac , x 0 , X ac,m ) where The accessible part of a DFA is simply its restriction to the states that can be reached from the initial state.f ac is the restriction of f to domain X ac × E and Γ ac is the restriction of Γ to domain X ac .It is clear that The product composition is also called the completely synchronous composition.In this composition, the transitions of the two DFA must always be synchronized on a common event e ∈ E 1 ∩ E 2 .This means that an event occurs in The parallel composition is also called the synchronous composition.In this composition, an event in E 1 ∩E 2 (common event) can only be executed if the two DFA both execute it sinultaneously.An event in (E 2 \ E 1 ) ∪ (E 1 \ E 2 ) (private event) can be executed whenever possible.If E 1 = E 2 , then the parallel composition reduces to the product, since all transitions must be synchronized and if E 1 ∩ E 2 = ∅, then there are no synchronized transitions and G 1 G 2 models the concurrent behavior of G 1 and G 2 (in this case we call Example 2 (Transporting Robots): The DES of Example 1 can be modeled by the FSA shown in Figure 1.
Another way of modeling this system is using parallel composition, which is very useful when our system has several components operating concurrently.It allows us to model each component separately and then get the FSA that  It is easy to see that G 1 G 2 is the FSA represented in Figure 1.
Example 3 (Robotic Soccer): Consider a team of n robots playing a soccer game.The objective is to reach a situation in which one of the robots is close enough to the goal to shoot and score.When a robot does not have the ball in its possession, it has two options: • Move to the ball until it is close enough to take its possession, or • Get ready to receive a pass from a teammate.When a robot has the possession of the ball, it can: • Shoot the ball (if it is close enough to the goal), or • Take the ball to the goal, if there is no opponent blocking its path, or • Choose a teammate to pass the ball and, when it is ready.
to receive, pass it For simplicity, we assume that, when a robot shoots the ball, the team loses its possession (we do not differentiate the situation where the robot scores from the situation where the robot does not score since the team will lose the ball's possession in both) and that the opponents do not steal the ball (they are only able to block paths, at which point our robot will try to pass to a teammate).Figure 3 depicts a possible FSA R i model for robot i.An FSA model for the whole team is given by T = R 1 R 2 ... R n .Note that the pass(i, j) event must be synchronized between robot i (the passing robot) and robot j (the receiving robot).Note that, when we write start_passing(i, j), pass(i, j) and pass(j, i) in a transition, we are representing n−1 events, since j = 1, ..., n, j = i.

III. SUPERVISORY CONTROL
As we have seen in previous examples, sometimes our DES model has some behaviors that are not satisfactory.Let's assume we have a DES modeled by FSA G. G models the "uncontrolled behavior" of the DES and is called the plant.Our objective is to modify the plant's behavior, i.e., restrict its behavior to an admissible language L a ⊆ L(G), using control.
To do this, we start by partitioning the event set E in two disjoint subsets E c is the set of controllable events, i. e., the events that can be prevented from happening and E uc is the set of uncontrollable events , i.e., the events that cannot be prevented from happening.This partition is due to the fact that, in general, there are events that make a DES change its state that are not of the "responsibility" of the DES itself.
Example 4: We list the set of controlled and uncontrolled events in previous examples.
• In Example 2, we assume that the robots can only move a constant distance forward.Hence, after a robot starts moving, the decision to stop is not its responsibility, it always stops after it moves the predefined distance. - • In Example 3 the events close_to_ball, close_to_goal and blocked_path are caused by changes in the environment around the robots and not by the robots themselves.
Therefore, they are considered uncontrollable events.The controllable events correspond to the actions available to each robot.
-E c = {move_to_ball(i), get_ball(i), kick_ball(i), move_to_goal(i), start_passing(i, j), start_receiving(i), pass(i, j) : i, j = 1, ..., n, j = i} -E uc = {close_to_ball(i), blocked_path(i), close_to_goal(i) : i = 1, ..., n} Next, we introduce the notion of a DES G = (X, E = E c ∪ E uc , f, Γ, X 0 , X m ) controlled by a supervisor S. Formally, a supervisor is a function S : L(G) → 2 E that, given s ∈ L(G) outputs the set of events G can execute next (enabled events).We only allow supervisors S such that, when event e ∈ E uc is active in the plant G, it is also enabled by S. That is, a supervisor must always allow the plant to execute its uncontrollable events.
Definition 7 (Admissible Supervisor): We will check the admissibility of our supervisors S in a case-by-case basis.
Definition 8 (Controlled DES): such a way that, after generating a string s ∈ L(G), the set of events that S/G can execute next (enabled events) is S(s) ∩ Γ(f (x 0 , s)).
The way S/G operates is represented in Figure 4 and is as follws: s is the string of all events executed so far by G, which is observed by S. S uses s to determine what events should be enabled, that is, which events can occur after the generation of s.Let S/G be a CDES and e one of its events.The language generated by S/G, L(S/G), is defined as follows: and se ∈ L(G) and e ∈ S(s) then se ∈ L(S/G).and the language marked by S/G, L m (S/G), is Thus, given a plant G and an admissible language L a ⊆ L(G), we want to find a supervisor S such that L(S/G) = L a (in this work we will be focused on generated languages and will not be concerned with marked languages).
In this framework, the supervisor is usually implemented by an FSA R, such that L(R) = L a .R is refered to as the standard realization of S. The most common method to build R is to start by building a simple FSA H spec that captures the essence of the natural language specification and then combine it with G, using either product or parallel composition.We choose parallel composition if the events that appear in G but not in H spec are irrelevant to the specification that H spec implements or product composition when, on the other hand, the events that appear in G but not in H spec should not happen in the admissible behavior L a .
Having the ) that represent the plant and the standard realization of S respectively (note that E R ⊆ E G ), the feedback loop of supervisory control is implemented as follows: Let G be in state x and R be in state y following the execution of string s ∈ L(S/G).G executes an event e that is currently enabled, i.e., e ∈ Γ G (x) ∩ Γ R (y).R also executes the event, as a passive observer of G. Let x = f G (x, e) and y = f R (y, e) be the new states of G and R respectively, after the execution of e.The set of enabled events of G after string se is now given by Γ ) So, from now on, we will refer to a supervisor S and its standard realization R interchangeably.
Next, we address modular supervision, a mean of reducing the complexity of the controlled DES model.
Definition 10 (Modular Supervision): Let S 1 , ..., S n , n ∈ N be admissible supervisors for DES G = (X, E = E c ∪ E uc , f, Γ, x 0 , X m ) and s ∈ L(G).We define the (admissible) modular supervisor as It is obvious, by definition 7 that S mod12...n is admissible for G.In Figure 5 we represent modular supervision with 2 supervisors.In modular control, an event is enabled by S mod12...n if and only if it is enabled for all S i , i = 1, ..., n.Remark 1 (Multiple Specifications): When our admissible behavior is composed of multiple specifications, that is, when L a = L a,1 ∩ ... ∩ L a,n , where L a,i represents a given specification we want our plant G to satisfy, we will build n supervisors S i , i = 1, ..., n such that L(S i /G) = L a,i and use modular control to implement a supervisor S mod1...n such that L(S mod1...n /G) = L a .
Example 5 (Transporting Robots): As we have mentioned, it is possible for one robot to move forward to a position where it is too far from the other, making the bar fall.One way to avoid this is to impose alternation between the robots' motion: one robot moves forward while the other is stopped, holding the bar.Then the other robot moves forward while the one that moved before is stopped, holding the bar, etc.So, we have 4 specifications: Regarding Example 3, one may define the following specifications, which are useful to improve the team's performance in a soccer game for each Robot i: • Spec 1, i -If another teammate goes to the ball, robot i will not go to the ball until it is kicked by some robot in the team; • Spec 2, i -Robot i will not get ready to receive a pass, unless one of its teammates decides to pass it the ball and, in this case, it will be ready to receive the pass as soon as possible.Spec 1, i guarantees that only one robot moves to the ball at a time and that, when the team has the ball, no robot moves to it and Spec 2, i guarantees that no robot will be ready to receive a pass when none of its teammates wants it to receive a pass and that when a robot wants to pass the ball, another one will get ready to receive it as soon as possible .

IV. LINEAR-TIME TEMPORAL LOGIC AND BÜCHI AUTOMATA
In this Section we introduce Linear-Time Temporal Logic (LTL).We start by defining the syntax and semantics of LTL and then refer the translation from LTL formulas to Büchi Automata.

A. Linear-Time Temporal Logic
LTL is an extension of Propositional Logic which allows reasoning over an infinite sequence of states.LTL is widely used for verification of properties of several concurrent systems (for example, safety and liveness), especially software systems.In the following, Π is a set of propositional symbols.
Definition 11 (Syntax): The set L LT L (Π) of LTL formulas over Π is defined inductively as follows: In Definitions 12 and 13, we define the LTL semantics.Definition 12 (Local Satisfaction): Let σ : N → 2 Π , t ∈ N, p ∈ Π and ϕ, ψ ∈ L LT L (Π).The notion of satisfaction ( ) is defined as follows: • σ(t) true and σ(t) f alse; • σ ϕ if and only if σ(0) ϕ.Now, we give a brief explanation of each operator defined: • The X operator is read "next", meaning that the formula it precedes will be true in the next state; • The operator U is read "until", meaning that its first argument will be true until its second argument becomes true (and the second argument must become true in some state, i.e., an ω-string where ϕ is always satisfied but ψ is never satisfied does not satisfy ϕU ψ); • The operator R, which is the dual of U , is read "releases", meaning that its second argument must always be true until its first argument becomes true (in this case, an ωstring where ψ is always satisfied satisfies ϕRψ, because the definition does not require the existence of t ).There are two other commonly used temporal operators, F and G, usually defined by abbreviation.
Definition 14 (Abbreviations): Let p ∈ Π and ϕ, ψ ∈ L LT L (Π).We define the following abbreviations: • The F operator is read "eventually", meaning that the formula it precedes will be true in a future state; • The G operator is read "always", meaning the formula it precedes will be true in all future states.

B. Büchi Automata
Büchi Automata are used to describe ω-languages, i.e., languages of infinite strings 1 (ω-strings).Büchi automata have the same structure as FSA, The characteristic that sets them apart is their semantics, since for Büchi Automata one defines generated and marked ω-languages instead of generated and marked languages.
To define the generated and marked ω-languages by a Büchi Automaton, we need to introduce the notion of valid state labeling.
Definition 15 (Valid State Labeling): Let B = (X, E, f, Γ, X 0 , X m ) be a Büchi automaton and σ ∈ E ω an ω-string.A valid state labeling for B and σ is a function ρ : N → X such that: We denote P (B, σ) as the set of all possible valid state labelings for B and σ.
A valid state labeling for B and σ is an ω-string over the state set of B, where ρ(i) is one of the possible states B can be in (in the deterministic case, the state where B is), while applying its transition function to σ i .If, for some i ∈ N, event σ(i + 1) is not active for any of the possible states B can be in, that is, no such function exists.
Definition 16 (Generated ω-Language by Büchi Automata): Let B = (X, E, f, Γ, X 0 , X m ) be a Büchi automaton.We define the ω-language generated by B as The generated ω-strings by B are the ones for which there exists a valid state labeling.
Definition 17 (Marked ω-Language by Büchi Automata): Let B = (X, E, f, Γ, X 0 , X m ) be a Büchi automaton.We define the ω-language marked by B as exists ρ ∈ P (B, σ) such that inf (ρ) ∩ X m = ∅} where, for χ ∈ X ω , inf (χ) ⊆ X is the set of all x ∈ X that appear infinite times in χ.The marked ω-strings by B are the ones generated by "runs" of B that visit at least one of the marked states infinite times.Now, we state the Theorem that allows us to perform Supervisory Control over a DES given a set of LTL formulas stating our performance objectives.The proof of this theorem is constructive and yields a method to construct the Büchi Automaton that marks the sequences that satisfy a given formula ϕ. [11] presents the most immediate proof of the theorem and [4] describes a most efficient method for the translation, which is used to calculate the examples we will present later.

V. SUPERVISOR SYNTHESIS
In this Section, we explain how to define the LTLbased supervisor for a plant G and a set of LTL formulas ϕ 1 , ..., ϕ n , n ∈ N. As we have seen, the first step in building a standard realization of a supervisor S, such that L(S/G) = L a is to construct an FSA H spec that captures the essence of our natural language specification.The construction of H spec can be very error -prone and, in general, not obvious.On the other hand, translating natural language to LTL formulas is, in most cases, straightforward.Thus, we can define our performance objectives in LTL and use the Büchi Automaton referred in Theorem 1 to solve our problem in a much more user -friendly way.
Note that, in order to restrict L(G) to L a , we will be constructing LTL formulas over the set of propositional symbols E (G's event set), i.e., we will be interested in formulas ϕ ∈ L LT L (E).Since we assume the occurence of events in a DES to be asynchronous, at each state exactly one event can occur.This allows us to assume σ : N → E in Definition 12 and substitute condition σ(t) p if and only if p ∈ σ(t) by σ(t) e if and only if σ(t) = e, for t ∈ N and e ∈ E. Thus, given a Büchi automaton B ϕ , we can delete all events that are not singletons in B ϕ 's event set and redefine B ϕ 's transition function accordingly.
Since a Büchi automaton's structure is the same as an NFA, we consider B ϕ as an NFA.Next, we need to find the equivalent DFA, H ϕ , of B ϕ .This must be done because, if we build a supervisor from B ϕ , it will disable some events that should not be disabled, due to the nondeterministic choices that are made when an event occurs at a given state and there is more than one state we can go to, e.g., if f (x, e) = {y, z} we want the enabled events in state f (x, e) to be Γ(y) ∪ Γ(z) but if we nondeterministically jump to state y we will not be enabling the events in Γ(z) \ Γ(y).This problem is solved by using the equivalent DFA, thus keeping track of all the states B ϕ can be in and enabling all the events that are active in at least one of those states.As seen in [5], finding the equivalent DFA of an NFA is an exponential operation, but, in general, the LTL formulas that are relevant to perform supervision yield small Büchi automata.Despite that, the complexity issue is a major one when applying this theory, as we will see in the next Section.Then, we obtain the supervisor S ϕ = G H ϕ or S ϕ = G × H ϕ , depending on our supervision problem.Using this method, we guarantee that for all s ∈ L(S ϕ /G), there exists σ ∈ E ω such that sσ ϕ, i.e., the generated language of the CDES S/G is always in conformity with the specification given by ϕ.Since the generated language by a CDES is a set of finite strings, this is the best we can have in this framework.We can now describe the method we will use for supervision.Given a plant G and a set of formulas {ϕ 1 , ..., ϕ n }, n ∈ N representing the specifications we want G to fulfill, we build the supervisors S ϕ1 , ..., S ϕn , as explained above, and perform modular supervision, as explained in Section III.The use of modular supervision gives us a gain in efficiency ( [9]) and, in addition, allows us to translate the formulas ϕ 1 , ..., ϕ n to Büchi automata one by one, which also allows a significant improvement in the efficiency of the method: If r 1 , ..., r n is the size (number of operators) of ϕ 1 , ..., ϕ n respectively, then • If we had not opted for modular control, to enforce all the specifications given by ϕ 1 , ..., ϕ n we would need to build a Büchi automaton B ϕ for formula ϕ = n i=1 ϕ i It is easy to see that ϕ has, at most, size r = ( n i=1 r i ) + n − 1 where the n − 1 factor is due to the n − 1 "and" (∧) operators we added to ϕ.Hence, B ϕ would have, at most, the following number of states (we have seen that the translation from an LTL formula to a Büchi automaton yields an automaton whose number of states is exponential in the size of the formula): - • Using modular supervision, we need to build n Büchi automata B ϕ1 , ..., B ϕn , which, altogether, have at most the following total number of states: - 2 ri which is clearly better than the previous option's worst case scenario.

VI. EXAMPLES
In this section, we present some applications of the framework defined throughout this work.We will build supervisors for the DES in Examples 2 and 3 that enforce the specifications we gave in natural language in Examples 5 and 6.To build these examples, some functions were implemented in Matlab.These functions can be found in http://islab.isr.ist.utl.pt/ltldes_examples.zip: • A function that receives a NFA and outputs its equivalent DFA; • A function that receives two FSA and outputs their product composition; • A function that receives two FSA and outputs their parallel composition; • A function that receives a set of LTL formulas and translates them to Büchi automata (this function uses the implementation described in [4] to build the Büchi automaton, which is written in C and adapts a Matlab function written for the implementation described in [7] to take the output of the C function and turn it into a viable Matlab structure); • A function that, given a plant and n supervisors, simulates the feedback loop of modular control; • A function that congregates all of the above.This function receives a plant and n LTL formulas, creates the supervisors and simulates the feedback loop of modular control.Example 7 (Transporting Robots): Let's return to the transporting robots example and let G be the FSA represented in Example 2. In Example 5 we defined 4 specifications that prevent the robots from moving to a position where they are too far from the other, making the bar fall.Spec i can be translated to LTL by formula ϕ i , where Looking at these formulas, one can see that the events that can be disabled are M ove 1 and M ove 2 .Hence, an admissible supervisor will be obtained.We construct the DFA H ϕi , i = 1, 2, 3, 4 from the Büchi automata, as explained before.In Figure 6 we represent the Büchi automaton obtained from ϕ 2 .Next, we obtain the 4 supervisors S i = G H ϕi .In Figure   8, we represent the automaton G × S 1 × S 2 × S 3 × S 4 which, as we have seen, represents the controlled system.One should notice that our controlled system is not minimum, i.e., there is a 5 states DFA that implements the robot alternation.This is one drawback of this method: in general the controlled system is not the smallest it could be.
Example 8 (Robotic Soccer): Regarding Example 6, it is easier to represent Spec 1, i, i = 1, ..., n by only one formula ) Formula ϕ 1 enforces that, after one robot moves to the ball (which means the team does not have the ball in its Fig. 8. Automaton representation of the controlled system, with the robot alternation implemented possession), all the robots will not move to the ball until one of them shoots it (which means that the team lost the ball possession).
Spec 2, i is represented by formulas ϕ 2,i , i = 1, ..., n, where Formula ϕ 2,i enforces that a robot's first action cannot be getting ready to receive a pass and that, only when one of its teammates chooses it as a receiver, it gets ready to receive the ball and it gets ready as soon as possible.
These formulas do not refer to uncontrollable events, so checking that an admissible supervisor is yield is immediate.
The controlled system was tested for 3 robots.The plant has 729 states, the supervisor obtained by ϕ 1 has 100 states (the great reduction in the number of states is due to the fact that the plant allows more than one robot to have the ball in its possession and it is ϕ 1 that disallows this kind of situation) and the supervisors obtained by ϕ 2,i , i = 1, 2, 3 have 1458 states each.Next, we give two examples of output of the simulation.One should notice that when when one robot is chosen by a teammate to receive a pass, it gets ready to receive it immediately and that robots only go to the ball when it is not in the team's possession (i.e. when it is kicked) and only go one at a time.In Simulations 1 and 2 we emphasize these situations respectively.In Simulation 3 we show the uncontrolled behavior of the system.The lack of restrictions imposed for this system allows it to regularly evolve to a deadlock situation.VII.CONCLUSION In this work, we defined a method to perform supervisory control of Discrete Event Systems using Linear-Time Temporal Logic.We introduced all the necessary theory to understand how the method works and gave some examples of application.Analyzing the examples, one can conclude that, with this method, the specification of supervisors for systems with an arbitrary number of components that must coordinate themselves is almost straightforward: all the formulas are written for an arbitrary n ∈ N. Unfortunately, this advantage is somewhat shadowed by the high complexity of the method: despite writing the formulas for an arbitrary number of components, when performing the simulations we witnessed the great increase of the number of states, both in the plant and in the supervisors, which only allows the application of the method for systems with a relatively small number of components.
There are several paths one can follow to improve the method we just presented.The most obvious one is to try to reduce its complexity.Another improvement is to increase the method's expressive power, for example by using CTL (a temporal logic that is incomparable with LTL) or CTL * (a temporal logic that contains both LTL and CTL) [6] as a way to specify the supervisors or by identifying each state of the DES model with a set of propositions that are satisfied in that state and build our LTL specification over those propositions, instead of building it over the DES' event set.One major advantage of this option is that it allows for more than one proposition to be satisfied at each state of the DES, unlike the method we presented, where only one is satisfied.One can also model the DES itself as a set of LTL formulas, as seen in [8], avoiding the construction of any automaton by hand (which can be very error-prone).Another option is to define a similar logic to LTL, but with its semantics defined over finite string, avoiding the need to use Büchi Automata.A final suggestion is to develop this theory in order to cover other aspects of Supervisory Control.For example, being concerned with marked languages and deal with blocking issues or introduce the notion of unobservable events [2].

Fig. 4 .
Fig. 4. The feedback loop of supervisory control

Fig. 5 .
Fig. 5.The feedback loop of modular supervisory control

Fig. 6 .
Fig.6.Büchi automaton marking the ω -strings that satisfy ϕ 2 7 we represent the supervisor S 2 .Note that the states reached after an event M ove 1 happens do not have the event M ove 2 in their active event set.The modular supervisor S mod1234

Fig. 7 .
Fig. 7.The supervisor S 2 , obtained by formula ϕ 2 implements the robot alternation.The controlled system only allows 2 types of strings, M ove 1− Stop 1 − M ove 2 − Stop 2 − M ove 1 − Stop 1 − M ove 2 − Stop 2 − ... or M ove 2 − Stop 2 − M ove 1 − Stop 1 − M ove 2 − Stop 2 − M ove 1 − Stop 1 − ....In Figure8, we represent the automaton G × S 1 × S 2 × S 3 × S 4 which, as we have seen, represents the controlled system.One should notice that our controlled system is not minimum, i.e., there is a 5 states DFA that implements the robot alternation.This is one drawback of this method: in general the controlled system is not the smallest it could be.Example 8 (Robotic Soccer): Regarding Example 6, it is easier to represent Spec 1, i, i = 1, ..., n by only one formula