Supremal Marker-Controllable Subformula of a Given Canonical Temporal-Safety Formula

The existence of marker-progressive supervisory control – about ensuring constant marker progress under specified temporal safety for a class of fair discrete-event systems (DES’s) – is a new control problem formulation that has been studied in terms of DES marker-controllability of a linear-time temporal logic (LTL) safety formula given in canonical form. In this paper, provided it exists, the supremal marker-controllable subformula of a given canonical temporal-safety formula for the fair DES model considered is characterized as the weakest fixpoint of some monotone operator Ω. In the case where the DES model is finite state and the complete specification for constant marker progress under temporal safety is a formula of a decidable LTL fragment, it is shown that this fixpoint can be computed as the limit of the (finite) sequence of iterations of computing operator Ω in the syntax of LTL. Marker-progressive control synthesis by fixpoint computation can therefore be made in the same natural-language motivated algebra of LTL as writing the specification, providing the unique opportunity to exploit not only the role of fair events in DES’s, but also the human readability of LTL formulas and the associated, syntax-based calculational approach that is transparent; such fixpoint computation is illustrated with four examples. A discussion examines and illuminates the significance of this paper and its potential impact on the logic foundation of supervisory control; it includes making comparisons with related work, and explaining a straightforward generalization of DES marker-controllability that directly extends the proposed fixpoint computation to cover the full specification hierarchy of canonical LTL.


I. INTRODUCTION
The rapid advancement in the Internet, robotics, and artificial intelligence has accelerated the pace of reimagining our living space as one supported by a cyber-physical world of innovative applications. These applications are deployed in ubiquitous electronic devices and robots, offering capabilities of smart service systems that enhance not only the productivity but also the welfare and well-being of humans in everyday life and work. Arguably limited only by human imagination, these applications (in domains such as home and office automation, transportation, and manufacturing) can be modeled and controlled as discrete-event systems (DES's) at some level of design focus using a systems and control design approach. To support this approach, the DES field of supervisory control, founded in the 1980's [1], [2], has been enriched to date in various ways in the control literature. That these applications are amenable to DES modeling is because a DES is a model of state evolution induced by the abrupt transitional occurrence of various discrete qualitative changes called events [3]. Events are characteristic of an application's core design focus, such as 'lights turned on' and 'window blinds lowered' for a home service robot [4]. The objective of supervisory control theory is to understand and control systems of the discrete-event type; being behaviorally non-continuous in time, such systems cannot generally be modeled and controlled by continuous-time or discrete-time differential equations.
In the field of supervisory control, this paper continues the study, initiated in [5], of a new supervisory control problem formulation in linear-time temporal logic (LTL) [6]. Introduced in [5], the concept of a marker-controllable safety formula in LTL is shown to play a fundamental role in the existence of marker-progressive supervisory control for fair DES's. Marker-progressive control is about ensuring constant marker progress in a DES under specified temporal safety. The fair DES model considered is one whose infinite evolution is directed by event-occurrence conditions governing the subset of system events designated as 'fair'. Over an event space in a rudimentary language, the founding DES theory of nonblocking control [1] and its generalization to multitasking [7] are shown in [5] to be conceptually unified, extended, and refined by the LTL theory of marker-progressive control over a state space under DES event fairness [5]. Besides, the founding theory [1], its extensions [3], [8] including [7], and the DES control literature to date in general, lack the greater transparency and structure endowed by the richer setting of fair DES's and canonical LTL in a uniform framework [6], [9], as adopted in this paper and its predecessor [5]. Under the canonical formula classification [9], two key classes crystallize the notion of marker-progressive control, namely response and safety. The former, in specifying constant progress of markers, is about 'regular completion of tasks' and the latter is about 'no bad occurrences', as respectively expressed in canonical form by the infinite oftenity and invariance of past formulas.
Based on the theoretical foundation laid in [5] (and summarized in Section II), in this paper, provided it exists, the supremal marker-controllable 'subformula' of a given canonical LTL safety formula studied in [5] for the fair DES model considered is shown to be characterized as the weakest fixpoint of a certain monotone operator Ω (see Corollary 1, as developed in Section III). Considering the case where the DES is finite state and the fragment (or sublanguage) of LTL used for safety and marker-response specification is decidable, it is shown that this weakest fixpoint can be computed, in the syntax of LTL, as the limit of some (finite) iteration sequence of Ω (see Theorems 1 and 2, as developed in Section IV). With regard to operator fixpoint and successive iteration for supremal control synthesis, the approach of this paper is developed principally in the same vein as the approach for multitasking control [7], which extends that of [2] for nonblocking control [1]. Importantly, it provides the unique opportunity for control synthesis by fixpoint computation to be made in the same natural-language motivated algebra of LTL as writing the specification, exploiting not only the role of fair events in DES's, but also the human readability of LTL formulas and the associated, syntax-based calculational approach that is transparent. In the case considered, together with DES logic modeling, four examples are worked out in some detail, to illustrate the iterative weakest Ω-fixpoint computation, synthesizing the supremal marker-controllable safety formula with syntax-based calculations in LTL over Ω (Section V). A discussion (Section VI) with technically related work and beyond examines and illuminates the significance of this paper and its potential impact on the logic foundation of supervisory control. For a general review of related but different DES control research using temporal logic, refer to [5] for one recent perspective.
Finally, a conclusion is presented (Section VII).

II. MARKER-CONTROLLABLE FORMULAS
The theoretical LTL control foundation [5] needed for this paper is summarized in this section.

DES Model Structure
Consider the model G of a DES in the form of a basic transition system $(\Pi, Q, \Sigma, \delta, \theta)$. Π denotes the finite state variable set, which is typed; the type of each state variable $v \in \Pi$ indicates the domain $\mathrm{Range}(v)$ over which the variable ranges. Q denotes the state set, defined by the cross product of the ranges of the variables in Π, i.e., $Q \stackrel{\text{def}}{=} \bigotimes_{v \in \Pi} \mathrm{Range}(v)$, such that every state $q \in Q$ is unique in terms of its assignment of domain values to all state variables in Π. Σ denotes the finite event set with the subset of uncontrollable events $\Sigma_u$, events that cannot be disabled by a supervisor; $\Sigma \setminus \Sigma_u$ is the subset of controllable events, which can be. $\delta : \Sigma \times Q \to Q$ is a (deterministic) state transition function that is partial. θ is the initial condition, a Boolean-valued formula that characterizes the set of initial states $Q_0 \subseteq Q$ of G, such that $q \in Q_0$ provided (the value assignment by) $q \in Q$ satisfies θ. It is assumed that $Q_0 \neq \emptyset$ and $\Sigma \neq \emptyset$ due to nontrivial system modeling.

LTL and DES: Syntax & Semantics
LTL [6] is a language of predicate logic that is augmented with a temporal operator set to facilitate reasoning over sequences of states. These sequences are producible by DES G along its state trajectories or interpretations. Each interpretation I is a 'labeling' of a string $e(1)e(2)\cdots e(k)\cdots$ generated by G with $e(k) \in \Sigma$, in that $I \stackrel{\text{def}}{=} q_0 - q_1 - \cdots - q_k - \cdots$, where $q_0 \in Q_0$ (an initial state) and, for $k \geq 1$, $q_k = \delta(e(k), q_{k-1})$. With $k \geq 0$, the k-prefix of I is $q_0 - q_1 - \cdots - q_k$, denoted by $I^{(k)}$. A state $q \in Q$ is said to be terminal (in G) if $(\forall \sigma \in \Sigma)(\delta(\sigma, q)$ is not defined$)$. An interpretation I is finite (in length) and said to be terminating if it ends in a state $q_k$ that is terminal, i.e., $I = I^{(k)}$; otherwise, it is infinite and said to be non-terminating, i.e., $I = I^{(\infty)}$. Note that $I^{(0)} = q_0$. Two interpretations or, respectively, their k-prefixes, are defined to be equal (or the same) if the two have the same sequence of states and label the same string.
This paper assumes reader familiarity with LTL [6] with regard to the construction of LTL formulas and the sound LTL proof system (of axioms and theorems) for syntax-based or symbolic reasoning. As reviewed in [5], the formula construction is over a finite set of atomic propositions expressed in terms of state variables in Π of DES G (over their domains) and system transition logics, using temporal operators and Boolean connectives. The system transition logics and temporal operators will be defined later. The symbols used for the basic connectives and, and-ing (or logical product), not, and the quantifier 'there exists' are, respectively, $\cdot$ (a dot), $\prod$, $\overline{\ \ }$ (an overhead bar), and $\exists$. The symbols for the derived connectives or, or-ing (or logical sum), implies, equals, and the quantifier 'for all' are, respectively, $+$, $\sum$, $\to$, $=$, and $\forall$. Also included are the propositional constants, namely validity $true$ and inconsistency $false$. The symbol for abbreviation or syntactic equality is $\equiv$, relating formulas that are 'always equal'.
The satisfaction relation $\big(\models_{I^{(k)}} \omega\big) \in \{true, false\}$ (read: 'I at its state $q_k$ satisfies ω', or simply 'I satisfies ω' if $k = 0$, since $I^{(0)} \stackrel{\text{def}}{=} I$) defines the semantics of an arbitrary LTL formula ω at state $q_k$ $(k \geq 0)$ along an arbitrary interpretation I of DES model G. In addition to the standard rules for Boolean connectives, LTL uses satisfaction relation rules for temporal operators to inductively evaluate the satisfaction of an arbitrary $I^{(k)}$ $(k \geq 0)$ over an LTL formula. Below, the rules are defined for the basis sets {always $\Box$, next $\bigcirc$, until $\mathcal{U}$} and {has-always-been $\boxminus$, previously $\ominus$, since $\mathcal{S}$} of future and past operators, by which a formula constructed with no future (past) operators is called a past (future) formula, and more specifically a state formula if it contains no future or past operators. If ω is a state formula, then over $I^{(k)}$ and in state $q_k$, $\models_{I^{(k)}} \omega$ iff $\models_{q_k} \omega$, with $(\models_{q_k} \omega) \in \{true, false\}$ (read: '$q_k$ satisfies ω') defining the semantics of the state formula ω in state $q_k$. The rule for the next operator requires the following event-transition logic to account for a trajectory I that is finite.

Definition 1 (The σ-Transition Logic): Given $\sigma \in \Sigma$, for an arbitrary state trajectory I of DES G, $I = q_0 - q_1 - \cdots - q_k - \cdots$, the function $\tau : \sigma \to (I \to \{true, false\})$ is a system σ-transition logic, defined at $q_k \in Q$ such that $\models_{I^{(k)}} \tau_\sigma$ iff $(\exists I^{(k+1)})\ q_{k+1} = \delta(\sigma, q_k)$.

Now, given LTL formulas ω, $\omega_1$, $\omega_2$: 1) $\models_{I^{(k)}} \Box\omega$ iff for all $j \geq k$, $\models_{I^{(j)}} \omega$.
To model DES transitional behavior in LTL formulas more compactly, system dynamic event-operators and event-transition operators are used. Below, the former operators are defined in terms of either the σ-transition logic in Definition 1 or the following logic; in turn, each latter operator is defined in terms of a former.

Definition 2 (The Conditioned σ-Transition Logic): Given an arbitrary LTL formula ψ over DES G and $\sigma \in \Sigma$, for an arbitrary state trajectory I of G, $I = q_0 - q_1 - \cdots - q_k - \cdots$, and an arbitrary $I' \in \mathcal{I}(G)$, $I' = I^{(k)} - q'_{k+1} - \cdots$ (if it exists), the function $\tau_x : (\sigma, \psi) \to (I \to \{true, false\})$ is a system ψ-conditioned transition logic, defined at $q_k \in Q$ such that $\models_{I^{(k)}} \big(\tau_{x|\sigma}(\psi) = \tau_\sigma \cdot (\forall I',\ I'^{(k+1)} \neq I^{(k+1)})\models_{I'^{(k)}} \psi\big)$. The logic $\tau_{x|\sigma}(\psi)$ may be called the transition of event σ in the next ψ-barred neighborhood.
Then, given arbitrary LTL formulas ψ, φ over DES G and $\sigma \in \Sigma$, the three system dynamic event-operators (subscripted σ, σ and $x|\sigma(\cdot,\cdot)$, respectively) over an arbitrary state trajectory I of G, $I = q_0 - q_1 - \cdots - q_k - \cdots$, are defined as follows. The respective system uncontrollable and conditioned event-transitions $\tau_u$, $\tau_x(\cdot)$ are characterized as follows. The system dynamic event-transition operators (subscripted u, u and $x(\cdot,\cdot)$, respectively) are characterized as follows. Let T be a unary temporal operator. Then $T^n$, for $n \geq 0$, is defined over an arbitrary formula ω as
$$T^n(\omega) = \underbrace{T(T(T(\cdots T(}_{n \text{ times}}\omega)\cdots))).$$
The model operational premise is this: From every nonterminal state that DES G is in, one event will occur and transition the DES into another state.
Only interpretations or state trajectories that refer to the actual behavior of DES G are of interest; these are legal and constitute the legal set $\mathcal{I}(G)$, on which the notion of G-validity of an LTL formula ω, denoted by $G \models \omega$, is defined. In LTL semantics, for an arbitrary set $\mathcal{I}(G)$, $\omega_1 \equiv \omega_2$ denotes $G \models \Box(\omega_1 = \omega_2)$. Define always-implies $\Rightarrow$ such that $\omega_1 \Rightarrow \omega_2$ denotes $G \models \Box(\omega_1 \to \omega_2)$; therefore $(\omega_1 \equiv \omega_2) = (\omega_1 \Rightarrow \omega_2)\cdot(\omega_2 \Rightarrow \omega_1)$. In addition, let $\omega_1 \approx \omega_2$ and $\omega_1 \rightsquigarrow \omega_2$ denote $G \models (\omega_1 = \omega_2)$ and $G \models (\omega_1 \to \omega_2)$, respectively, where the connectives $\approx$, $\rightsquigarrow$ are said to be the anchored versions of $\equiv$, $\Rightarrow$, respectively.

Let $\Sigma_F = \Sigma_C \cup \Sigma_J$ denote the set of fair events, where $\Sigma_C$ denotes the strongly fair set of compassionate events, and $\Sigma_J$ denotes the weakly fair set of just events.

Definition 3 (The σ-Definition Logic): Given $\sigma \in \Sigma$, for an arbitrary state $q \in Q$ of DES G, the function $\xi : \sigma \to (q \to \{true, false\})$ is a system σ-definition logic, defined such that $\models_q \xi_\sigma$ iff $(\exists q' \in Q)\ q' = \delta(\sigma, q)$.

Then the DES model G considered is said to be fair [6, p. 256] (with respect to $\Sigma_F \subseteq \Sigma_u$), where $\Sigma_F = \Sigma_C \cup \Sigma_J$, such that, for every state trajectory I of G, $I \in \mathcal{I}(G)$ iff I satisfies the event-fairness formulas (weak fairness and strong fairness). The characterization above may assume that $\Sigma_C \cap \Sigma_J = \emptyset$ without loss of generality. The event-fairness formulas constitute the legal conditions that model the set $\mathcal{I}(G)$.

VOLUME 4, 2016. This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication.

Control of Fair DES's
In supervisory control, the trajectory set of interest for fair DES G is $\mathcal{I}_f(G)$, given by $\mathcal{I}_f(G) = \mathcal{I}(G) \cup \mathcal{I}^{\#}(G)$, where $\mathcal{I}^{\#}(G) = \{I^{(k)} \mid I \in \mathcal{I}(G),\ \text{finite } k \geq 0,\ \text{and } I^{(k)} \notin \mathcal{I}(G)\}$ is the legally prefix-admissible set; $\mathcal{I}(G) \cap \mathcal{I}^{\#}(G) = \emptyset$.
An LTL formula φ is an invariant if $\varphi = \Box\psi$, where ψ is some past formula; and this ψ is called the kernel of φ if it has no such operator in its outermost scope. The DES theory of supervisory control centers around the invariant and its kernel.
Bring in the specification pair $(P, M)$ over DES G, where P is the kernel of some arbitrary invariant and $M = \{M_1, M_2, \ldots, M_m\}$ is the system marker set, each $M_i \in M$ $(1 \leq i \leq m)$ being an arbitrary past formula specifying a system marker condition. In their respective canonical forms [6], [9], P yields a canonical LTL safety formula (its invariance) and $M_i$ a canonical LTL response formula (its infinite oftenity). An arbitrary invariant φ over DES G is said to be (with respect to G) one of the properties defined next. For the specification pair $(P, M)$, the set of all M-controllable temporal-safety formulas whose invariants are not weaker than P is introduced:
$$\mathcal{C}(P, M) = \{\Box\psi \mid \Box\psi \text{ is } M\text{-controllable, where } \psi \text{ is the kernel of an invariant that is } P\text{-history bounded}\}.$$
If $M = \emptyset$, then
$$\mathcal{C}(P, \emptyset) = \{\Box\psi \mid \Box\psi \text{ is controllable, where } \psi \text{ is the kernel of an invariant that is } P\text{-history bounded}\}.$$
In this case, let $\mathcal{C}(P) \stackrel{\text{def}}{=} \mathcal{C}(P, \emptyset)$.

Proposition 1: Consider the kernel P of an arbitrary invariant over fair DES G with system marker set M, and assume $\mathcal{C}(P, M) \neq \emptyset$. Then $\mathcal{C}(P, M)$ is closed under arbitrary or-ings. Specifically, $\mathcal{C}(P, M)$ contains a (unique) supremal element (hereby denoted by $\sup \mathcal{C}(P, M)$).

Proof: See [5]. Note that, in logic terms, $\sup \mathcal{C}(P, M) \approx false$ provided $\mathcal{C}(P, M) = \emptyset$. Thus, in general, $\sup \mathcal{C}(P, M) \in \mathcal{C}(P, M) \cup \{false\}$. Provided $\mathcal{C}(P, M) \neq \emptyset$, $\sup \mathcal{C}(P, M)$ is the supremal or weakest M-controllable subformula of P.
Based on the foregoing technical summary, the synthesis of $\sup \mathcal{C}(P, M)$ as the weakest fixpoint of a monotone operator may now be formulated and investigated.

$(\forall I \in \mathcal{I}(G))(\forall k \geq 0)$: $\models_I (\psi = \chi)$, $\models_{I^{(k)}} (\chi \to \psi)$, and $\models_{I^{(k)}} \psi \to (\exists I' \in \mathcal{I}(G))\ \models_{I'} \psi$ or $\models_{I'^{(j)}} \chi$, for $I'^{(k)} = I^{(k)}$ and some $j \geq k$.

Intuitively, where χ is an LTL progress formula, the relation $\overset{G}{\simeq}$ means that an LTL safety formula ψ exists that bounds exactly the progress specified by χ in DES G, in that every state trajectory of $\mathcal{I}_f(G)$ satisfying χ satisfies ψ, and each prefix of an arbitrary state trajectory of $\mathcal{I}(G)$ satisfying ψ either can be extended to, or is, a state trajectory of $\mathcal{I}_f(G)$ satisfying χ. The LTL formula ψ is said to be the exact 'delimiting safety-closure' or 'prefixing' formula for χ.
The relation $\overset{G}{\simeq}$ above is closely related to the notion of topological closure of an LTL formula χ studied in [10], [11]. While the latter notion captures the strongest safety formula that is not stronger than χ, the former relation captures a safety formula that exists as the exact delimitation of χ, which is of control interest in this paper. Besides, this relation admits finite state trajectories possibly present in DES G, and prefix state trajectories that may result due to control. The ensuing results studied are believed to be quite new and of theoretical interest in the LTL context of supervisory control.

Proof: Consequent P3.1 follows from the definition of $\overset{G}{\simeq}$ and the following reasoning. Consider an arbitrary $I \in \mathcal{I}(G)$ and an arbitrary index $k \geq 0$. Since $Y\cdot P = Y\cdot Y\cdot P$, it follows that
$$\begin{cases} \models_I (\psi = Y\cdot P), \\ \models_{I^{(k)}} (Y\cdot P \to \psi), \text{ and} \\ \models_{I^{(k)}} \psi \to (\exists I' \in \mathcal{I}(G))\ \models_{I'} \psi \text{ or } \models_{I'^{(j)}} Y\cdot P, \text{ for } I'^{(k)} = I^{(k)} \text{ and some } j \geq k \end{cases}$$
implies
$$\begin{cases} \models_I (\psi = Y\cdot\psi), \\ \models_{I^{(k)}} (Y\cdot P \to \psi), \text{ and} \\ \models_{I^{(k)}} \psi \to (\exists I' \in \mathcal{I}(G))\ \models_{I'} \psi \text{ or } \models_{I'^{(j)}} Y\cdot\psi, \text{ for } I'^{(k)} = I^{(k)} \text{ and some } j \geq k \end{cases}$$
implies
$$\begin{cases} \models_I (\psi = Y\cdot\psi), \\ \models_{I^{(k)}} (Y\cdot\psi \to \psi), \text{ and} \\ \models_{I^{(k)}} \psi \to (\exists I' \in \mathcal{I}(G))\ \models_{I'} \psi \text{ or } \models_{I'^{(j)}} Y\cdot\psi, \text{ for } I'^{(k)} = I^{(k)} \text{ and some } j \geq k. \end{cases}$$
Consequent P3.2 follows from Proposition 2 and Consequent P3.1.

1) To prove that ψ is $(M, \psi)$-condition invariant: This implies that there is a $k \geq 0$ such that $\models_{I^{(k)}} \psi$ and $\models_{I^{(k)}} \sum_{i=1}^{m} M_i$; and so, where $I''$ is $I'$ or $I'^{(j)}$, for $I' \in \mathcal{I}(G)$, $I'^{(k)} = I^{(k)}$, and some $j \geq k$, it follows that for all such $I'$, $\models_{I'^{(k+1)}} \psi$, and for all $I''$, the relation for ψ follows.

2) To prove that ψ is M-alive under conditional invariance: Note that the result is implied by the relation $\overset{G}{\simeq}$.
3) To prove that ψ is P-history bounded: Note that, as implied by the relation $\overset{G}{\simeq}$, $(\forall I \in \mathcal{I}(G))(\forall k \geq 0)\ \models_{I^{(k)}} \psi \to (\exists I'')\ \models_{I''} \big(P \cdot \prod_{i=1}^{m} M_i\big)$, where $I''$ is $I'$ or $I'^{(j)}$, for $I' \in \mathcal{I}(G)$, $I'^{(k)} = I^{(k)}$, and some $j \geq k$. Thus $(\forall I \in \mathcal{I}(G))(\forall k \geq 0)\ \models_{I^{(k)}} (\psi \to P)$, and the result follows.

Proof: Consider the kernel ψ of an arbitrary invariant over fair DES G with system marker set $M = \{M_1, M_2, \ldots, M_m\}$. The proof then proceeds as follows.
(If) Because ψ is $(M, \psi)$-condition invariant, it follows that, for each $I \in \mathcal{I}(G)$ and each $k \geq 0$ such that $\models_{I^{(k)}} \psi$ or, equivalently, $\models_{I^{(k)}} \psi$, there exists an $I' \in \mathcal{I}(G)$, $I'^{(k)} = I^{(k)}$, such that either $\models_{I'} \psi$, or, for some $j \geq k$, $\models_{I'^{(j)}} \big(\psi \cdot \ldots\big)$. Since ψ is also M-alive under conditional invariance, the corresponding relation follows. Since $\models_{I''} \big(\big(\psi \cdot \prod_{i=1}^{m} M_i\big) \to \psi\big)$ for an arbitrary $I''$ that is $I \in \mathcal{I}(G)$ or its prefix $I^{(k)}$ $(k \geq 0)$, the result follows.
(Only if) The result follows by Proposition 4 (with $P = \psi$).

Proof: It is a definitional fact that the controllability of ψ implies that ψ is initially satisfied. The result then follows by logical reasoning when applying Proposition 6 and this fact to the definition of M-controllability.

Proposition 8: Consider the kernels $\psi_1$, $\psi_2$ of two arbitrary invariants over fair DES G with system marker set $M = \{M_1, M_2, \ldots, M_m\}$. If, for all i $(1 \leq i \leq 2)$, the stated relation holds, then the result follows.

Proof: The result follows by logical reasoning over the definition of $\overset{G}{\simeq}$.

B. AN OPERATOR Ω CHARACTERIZING $\sup \mathcal{C}(P, M)$
Two modularity results of interest are first presented.

Proposition 9: Consider the kernels $\psi_1$, $\psi_2$ of two arbitrary invariants over fair DES G. If, for all i $(1 \leq i \leq 2)$, $\psi_i$ is controllable, then $(\psi_1 + \psi_2)$ is controllable.
Proof: By logical reasoning over the constituents in the controllability definition of $\psi_i$ $(1 \leq i \leq 2)$, it can be shown that $(\psi_1 + \psi_2)$ is controllable. The result then follows by the fact that $(\psi_1 + \psi_2) \approx (\psi_1 + \psi_2)$.

Proposition 10: Consider the kernels $\psi_1$, $\psi_2$ of two arbitrary invariants over fair DES G with system marker set M.

Proof: Given that $\psi_i$ $(1 \leq i \leq 2)$ is M-directing, by logical reasoning when applying Propositions 6 and 8, it can be shown that $(\psi_1 + \psi_2)$ is M-directing. The result then follows by the fact that $(\psi_1 + \psi_2) \approx (\psi_1\ \ \psi_2)$. By mathematical induction, the results in Propositions 9 and 10 can be extended to more than two invariants.

Now, consider the specification pair $(P, M)$, where the system marker set is $M = \{M_1, \ldots, M_m\}$, and let $\mathcal{R}$ be the set of LTL formulas, each of the form $(Y_m \cdot P')$, where $P'$ is the kernel of some invariant that is P-history bounded. LTL formulas in this form are temporal-response formulas (under $\approx$) [6]. Define the operator $\Omega : \mathcal{R} \to \mathcal{R}$ according to (1). Operator Ω is well defined in that, inferring from Proposition 1 that is proved in [5], the set $\mathcal{C}(\cdot) \cup \{false\}$ is closed under arbitrary or-ings. Note that, based on the definition of M-controllability, the proof of Proposition 1 may also, in essence, follow from the result extensions of Propositions 9 and 10.

Proposition 11: Consider the kernel ψ of an arbitrary invariant over fair DES G with system marker set M.

Proof: If $\mathcal{C}(P, M) = \emptyset$, the result is trivially true. If $\mathcal{C}(P, M) \neq \emptyset$, then to prove that the result is also true, first show that, given the kernel ψ of an arbitrary invariant such that ψ is not $false$ over DES G with system marker set M, ψ is M-controllable and ψ is P-history bounded iff the fixpoint condition holds. This follows by Proposition 7, Ω (1), and the fact that, since ψ is not $false$, ψ is controllable provided $\sup \mathcal{C}(\psi) \approx \psi$. It then follows by Proposition 2 that $\psi \approx Y_m \cdot \psi$, thereby completing the proof.
Proposition 11 characterizes $\mathcal{C}(P, M) \cup \{false\}$ as the set of fixpoints of Ω. Since, for every $\psi \in \mathcal{C}(P, M) \cup \{false\}$, $\psi \rightsquigarrow \sup \mathcal{C}(P, M)$, the following corollary is immediate.

Corollary 1: $\sup \mathcal{C}(P, M)$ is the weakest fixpoint of Ω.

A. ITERATION OF Ω & COMPUTING $\sup \mathcal{C}(P, M)$
In view of Corollary 1, consider computing $\sup \mathcal{C}(P, M)$ by iteration of Ω along the sequence of formulas (2).

Proposition 12: Given the sequence $\{K_j\}$ (2) for the specification pair $(P, M)$, the (logic-theoretic) limit $K \approx \lim_{j \to \infty} K_j$ exists such that $\sup \mathcal{C}(P, M) \rightsquigarrow K$.

Proof: Let $S \approx \sup \mathcal{C}(P, M)$ and $L \approx Y_m \cdot P$. It is clear that Ω is monotone, i.e., for $X, Y \in \mathcal{R}$: if $X \rightsquigarrow Y$, then $\Omega(X) \rightsquigarrow \Omega(Y)$. Now, the following is true. Base case. Induction case (for $j \geq 1$, established by monotone Ω). Now, the following is also true. Base case: $S \approx \Omega(S) \rightsquigarrow L = K_0$. Induction case (for $j \geq 1$, established by monotone Ω).

The sequence $\{K_j\}$ (2) is said to converge if there exists an index $i \geq 0$ such that $(\forall j \geq i)\ K_j \approx K_i$. Proposition 13 states the necessary and sufficient condition for its convergence.

Proposition 13: Under the sequence $\{K_j\}$ (2) for the specification pair $(P, M)$, the sequence converges iff the stated fixpoint condition holds.

Proof: Under $\{K_j\}$ (2) for $(P, M)$, the proof proceeds as follows.
(If) Trivially, $K_j \approx K_i$ for $j = i$. Given that $\Omega(K_i) \approx K_i$, it remains to show by mathematical induction that $(\forall j \geq i)\ K_{j+1} \approx K_i$, as follows. Base case $(j = i)$: $K_{i+1} \approx \Omega(K_i) \approx K_i$. Induction case: Assume that for $j = k$, $K_{k+1} \approx K_i$. Then for $j = k+1$, $K_{(k+1)+1} \approx \Omega(K_{k+1}) \approx \Omega(K_i) \approx K_i$.

Proposition 14: Consider the sequence $\{K_j\}$ (2) for the specification pair $(P, M)$. If at iteration $i+1$ $(i \geq 0)$ the stated condition holds, then $\sup \mathcal{C}(P, M) \approx \varphi$.

Proof: By Proposition 13 and from the proof of Proposition 12 that $K_{j+1} \rightsquigarrow K_j$ for all $j \geq 0$, the limit $K \approx K_i$. Thus, by Proposition 12, $\sup \mathcal{C}(P, M) \rightsquigarrow \varphi$. Together with the fact that $K_i \approx \varphi$, it follows by Proposition 11 that $\varphi \in \mathcal{C}(P, M) \cup \{false\}$. Therefore, $\varphi \rightsquigarrow \sup \mathcal{C}(P, M)$, and combining, $\sup \mathcal{C}(P, M) \approx \varphi$. Hence the result.
Inferring from Proposition 13 on Proposition 14, the desired result is obtained if Ω (1) can be iteratively computed to convergence along the sequence $\{K_j\}$ (2).

To iterate Ω along $\{K_j\}$ for computing the desired LTL formula $\sup \mathcal{C}(P, M)$, the key question of this paper may now be posed: Under what condition(s) is $\{K_j\}$ (2) (syntactically) convergent to $\sup \mathcal{C}(P, M)$?
This $\{K_j\}$-convergence question is studied in the case of finite state DES G, where all variables in Π range over finite domains [12].

B. SYNTACTIC COMPUTABILITY OF Ω
To answer the $\{K_j\}$-convergence question requires a syntactic computability result for Ω (1) in $\{K_j\}$ (2).
Some facts about the decidability of LTL are first stated. An LTL fragment of interest and its formulas are said to be decidable if, over DES G, the satisfaction relation and hence G-validity of these formulas are provable to be $true$ or $false$. Propositional and monodic LTL refer to LTL's respective propositional and monodic (predicate) fragments. The propositional fragment of LTL restricts formulas to syntactic constructions from Boolean variables and propositions (with a unique truth value, $true$ or $false$), with no quantifier added. The monodic fragment [13] of LTL restricts its temporal part to formulas of the following construction: Every constituent of a monodic formula that is a formula of the form $T_1\psi$ or $\psi_1 T_2 \psi_2$, where $T_1$, $T_2$ are temporal operators, has at most one free variable; a free variable x in a constituent being one that occurs at least once in the constituent without being introduced by a quantification $(\exists x)$ or $(\forall x)$. Roughly speaking, a monodic subfragment is decidable if its nontemporal part is restricted to some decidable fragment of predicate logic. Propositional LTL is decidable [12], [14], and so are various subfragments of the monodic fragment [13], [15] of LTL, each subsuming, and therefore more expressive than, propositional LTL.
In the case of finite state (or finite domain) DES G, despite the claim of adequacy inferred from [14] that modeling of the DES and specification can be expressly made in propositional LTL, such modeling may, in principle, also be made in one decidable subfragment of monodic LTL.
At this juncture, it may well be noted that, because the states of DES G are defined as unique, every state $q \in Q$ can be simply characterized by the proposition $p_q = \prod_{v_i \in \Pi} (v_i = a_i)$ for some $a_i \in \mathrm{Range}(v_i)$, a state formula which is a decidable predicate such that $\models_q p_q$ and $(\forall q' \in Q \setminus \{q\})\ \models_{q'} \overline{p_q}$.
In view of the various known decidable LTL fragments that the specification pair $(P, M)$ can be expressed in, the syntactic computability result of Theorem 1, which follows immediately after Lemma 1 below, is quite general for the case of finite state DES's.

Lemma 1: Consider the case that DES G is finite state. Then for an arbitrary decidable LTL formula χ over G, there exists a decidable ψ which is the kernel of some invariant, such that $\psi \overset{G}{\simeq} \chi$.

Proof: A transition system model $G'$ exists for an arbitrary decidable LTL formula χ over DES G. Clearly, $\mathcal{I}(G') \subseteq \mathcal{I}_f(G)$. Now, the closure of $\mathcal{I}(G')$, denoted by $\mathrm{clo}[\mathcal{I}(G')]$, is the smallest temporal-safety set such that $\mathcal{I}(G') \subseteq \mathrm{clo}[\mathcal{I}(G')]$. By a modest generalization of the case [10], [11] where $A^* = \emptyset$, the result remains that $\mathrm{clo}[\mathcal{I}(G')]$ is expressible by an LTL safety formula. Given that DES G is finite state, it thus follows that $\mathcal{I}(G')$ is a temporal safety also expressible by some LTL safety formula ψ, such that ψ is the kernel of some invariant and: $(\forall I \in \mathcal{I}(G))(\forall k \geq 0)$ $\models_I (\psi = \chi)$, $\models_{I^{(k)}} (\chi \to \psi)$, and $\models_{I^{(k)}} \psi \to (\exists I' \in \mathcal{I}(G))\ \models_{I'} \psi$ or $\models_{I'^{(j)}} \chi$, for $I'^{(k)} = I^{(k)}$ and some $j \geq k$. Accordingly, a decidable ψ exists which is the kernel of some invariant, such that $\psi \overset{G}{\simeq} \chi$.

The required syntactic computability result may now be presented.

Theorem 1: Consider the case that DES G is finite state and the specification pair $(P, M)$ is decidable. Then operator Ω (1) is syntactically computable in the sequence $\{K_j\}$ (2) (for the specification pair).
Proof: Define $\mathsf{E}_u^{*} = \prod_{n \geq 0} \mathsf{E}_u^{\,n}$, called the conjunctive or product closure of $\mathsf{E}_u$ (here $\mathsf{E}_u$ stands in for the uncontrollable event-transition operator of Section II, whose glyph is not recoverable in this copy). Given an arbitrary decidable $\psi_j$ as the kernel of some invariant over DES G, the weakest solution (in $\mathcal{R}$) of two 'simultaneous equations' on, respectively, the conditions of $\Sigma_u$-invariance and $\psi_j$-history boundedness is given by [16, Theorem 20] or, equivalently, $R = \mathsf{E}_u^{*}(\psi_j)$. Over DES G, a model with finite state set Q and a deterministic state transition function, it can be shown for the decidable $\mathsf{E}_u^{*}(\psi_j)$, with the aid of the syntax-based, iterative computing method in [16], that (3) holds, where, for some $P'_i$ that is the kernel of some invariant, for some $r \geq 0$, such that $\sigma_{p_i} \in \Sigma_u$ $(0 \leq p \leq r)$ and, for an arbitrary $I \in \mathcal{I}(G)$ and an arbitrary $k \geq 0$, (4) holds. This is because each such $P'_i$ exists. This $P'_i$ is constructed such that $(T_i \to P''_i) = (T_i \to P'_i)$ or, equivalently, $T_i \cdot P''_i = T_i \cdot P'_i$ for the given or a previously computed kernel $P''_i$ of some invariant, and such that it is logically in the form where $H'_i$ is some past formula over the state set, thus implying the contrapositive of (4). Now, let (6) be given, and refer to it as the embedded kernel of $\mathsf{E}_u^{*}(\psi_j)$ (3). Then $P_{j+1}$ is the weakest solution that is an invariant (a past formula, whose kernel is $P_{j+1}$). Along with Proposition 1 that $\mathcal{C}(\psi_j)$, i.e., $\mathcal{C}(\psi_j, \emptyset)$, contains a unique supremal or weakest controllable (canonical safety) subformula of $\psi_j$ if $\mathcal{C}(\psi_j) \neq \emptyset$, it then follows that $\mathcal{C}(\psi_j) \neq \emptyset$, such that $\sup \mathcal{C}(\psi_j) \approx P_{j+1}$ iff $G \models P_{j+1}$.
In the sequence $\{K_j\}$ (2) for the specification pair $(P, M)$, $K_0$ is the pair $(P, M)$. Given that $(P, M)$ is decidable, $K_0$ is decidable. Now, assume $K_j$ $(j \geq 0)$ is decidable. Then, since DES G is finite state, by Lemma 1, a decidable $\psi_j$, for which $\mathsf{E}_u^{*}(\psi_j)$ is also decidable over DES G, can be found such that $\psi_j \overset{G}{\simeq} K_j$, with $\sup \mathcal{C}(\psi_j)$ in $K_{j+1}$ given by (7), where the kernel $P_{j+1}$ (6) in (7) can be computed by the following syntax-based method. Define an operator H as follows: $H(R) = \psi_j \cdot \mathsf{E}_u(R_0)$, where $R_0$ is 'kernelized' R, i.e., $R_0$ is always equal to R but with every product component $(\tau_\sigma \to P')$, $\sigma \in \Sigma_u$, replaced by $P'$ that is the kernel of some invariant. Then, procedurally identical to the syntax-based method in [16] for computing $\mathsf{E}_u^{*}(\psi_j)$ over DES G, compute via finite iteration of operator H along the monotone decreasing sequence (5). To converge to the form (6), it suffices to construct, at iteration $k+1$, some state formulas $p'_{1,s}$, $p'_{2,s}$ for every $(\tau_\sigma \to H' \cdot p''_s)$ present following past formula expansion [6, p. 219] and LTL reasoning, where $\sigma \in \Sigma_u$, $H'$ is some past formula and $p''_s$ is some state formula, and such that they are logically in the required form.
Since □_u*(ψ_j) is decidable, so is the kernel P_{j+1}. It follows that K_{j+1} ≡ Y_m · sup C(ψ_j) is decidable. Therefore, by mathematical induction, K_j is decidable for all j ≥ 0. This implies that Ω (1) is syntactically computable in {K_j} (2).

C. CONVERGENCE OF Ω-ITERATION TO sup C(P, M)
The key result of this section answers the {K_j}-convergence question. Theorem 2: Consider the case that DES G is finite state and the specification pair (P, M) is decidable. Then the sequence {K_j} (2) over DES G for (P, M) converges after a finite number of iterations i to the limit K_i, ϕ Proof: In the sequence {K_j} (2) over DES G, K_0 ≡ Y_m · □P, ψ_0 G» Y_m · □P, and so by Proposition 2, Since Ω (1) is syntactically computable in {K_j} (2) by Theorem 1, K_j ≡ Y_m · sup C(ψ_{j−1}) exists for all j ≥ 1.
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication.
Thus, for all j ≥ 0, since sup C(ψ_j) ⇝ ψ_j, it follows that sup C(ψ_0) ⇝ P, and for all j ≥ 1, Because the state set of DES G is finite, the resulting state trajectory set I_f(G) is finite, as is immediate from the (standard) description of finite state G and elementary combinatorics. In syntactically computing the component formula sup C(ψ_j) under {K_j} (2), each iteration j+1 therefore removes some n_j ≥ 0 state trajectories from the subset L_j ⊆ I_f(G) of DES state trajectories satisfying ψ_j, successively reducing L_j by n_j trajectories, and to an empty set provided sup C(ψ_j) ≡ false. Therefore, there exists a j = i ≥ 0, This means Ω(K_i) ≡ K_i at iteration i+1 with i ≥ 0, where, in letting ψ_i = ϕ so that ϕ G» K_i, the result follows by Propositions 13 and 14.

D. COMPUTATION OF DELIMITING SAFETY CLOSURE
Lemma 1 is an important supporting result on the existence of the exact delimiting safety-closure formula for an LTL formula over the DES model. Its proof, however, does not furnish a general procedure for determining or constructing the formula. In pointing a general direction for finding such a delimiting safety-closure formula in the case of finite state DES G and an arbitrary decidable specification pair (P', M), it is noted that, under DES state-uniqueness, the ψ that exists by Lemma 1, for which ψ G» Y_m · □P', i.e., ψ is the exact delimiting safety-closure formula for Y_m · □P', can be logically expressed in the general form: In general, formula D is called the conditional state-forbiddance refinement on P' by ψ under invariance to assure exact delimitation of Y_m · □P'. It assumes one of the three possible cases, DSF-1 to DSF-3, as explained below. Under the first two cases, at least one state trajectory I ∈ I_f(G) satisfies Y_m · □P'. Below, the cases are described based on the definition of G».
In Case DSF-1, starting from an initial DES state, D on P' under invariance lets P' stay true without the DES entering any state identified as forbidden in the consequent state formula C_i, whenever the corresponding antecedent past formula A_i is true. This refinement of D on P' is such that every state trajectory I ∈ I_f(G) satisfying Y_m · □P' also satisfies □(D · P'), every □(D · P')-satisfied I ∈ I(G) satisfies Y_m · □P', and every □(D · P')-satisfied prefix I(k) of an arbitrary I ∈ I(G) can be extended to (i.e., is a prefix of) some I' ∈ I(G) satisfying □(D · P') or its prefix I'(j) (j ≥ k) satisfying Y_m · □P'.
DSF-2) D = true. In Case DSF-2, every □P'-satisfied I ∈ I(G) satisfies Y_m · □P', and every □P'-satisfied prefix I(k) of an arbitrary I ∈ I(G) can be extended to some I' ∈ I(G) satisfying □P' or its prefix I'(j) (j ≥ k) satisfying Y_m · □P'. Note that, by Proposition 5, the former condition defines the M-liveness under conditional invariance while the latter defines the (M, P')-condition invariance, both of invariant □P'.
DSF-3) D = false. In Case DSF-3, no state trajectory I ∈ I_f(G) satisfies Y_m · □P', i.e., no I ∈ I(G) or its prefix I(k) that is □P'-satisfied satisfies Y_m.

V. LOGIC MODELING & WORKED EXAMPLES
In logic modeling of DES G, transition relations [6] axiomatize the DES's possible transitions by abbreviating event-transition logics in terms of state variables in Π. For the purpose of mathematical computation by logic reasoning, DES G is axiomatized by an LTL formula κ_G that is a product of DES G's initial condition, transition relations of events in Σ, and event-fairness formulas (the legal conditions) of those in Σ_F, such that for every state trajectory I of G, The DES model G is usually a modular (synchronous) composition of a finite number of component process models G_1, G_2, ..., G_n (n ≥ 1) of the same type (in terms of model structure). The overall model runs by interleaving of events and synchronization of shared events among its component processes. An event σ is said to be shared between processes G_j and G_k (j ≠ k) if σ ∈ Σ_j ∩ Σ_k. Let G = G_1 ∥ G_2 ∥ ··· ∥ G_n represent a modular DES, where G_i = (Π_i, Q_i, Σ_i, δ_i, θ_i) and their (finite) state variable sets are mutually disjoint, i.e., for j ≠ k, Π_j ∩ Π_k = ∅. Then the synchronous operator ∥ for DES G with (finite) event set Σ = 2) the transition relation of an arbitrary σ ∈ Σ expressed in the form: where G_i (1 ≤ i ≤ n) is every process with σ ∈ Σ_i that is defined at some state in Q_i, such that for every state pair (q_{i,j}, q_{i,k}) ∈ Q_i × Q_i, q_{i,k} = δ_i(σ, q_{i,j}). By the asynchrony of occurrences of σ ∉ Σ_{i'} (i' ≠ i) in every such G_i with G_{i'}, τ_σ · ○p_q = τ_σ · p_q, ∀q ∈ Q_{i'}. Note that the transition relation model above is a modular generalization and a slight logical variant of that in [6], which was first used in [17] for LTL control synthesis. The transition relation form may be expanded into a logical sum of product terms, each term of the form h · ○t, where h, t are state formulas. Possible natural system dynamics that help simplify a relation include the following:
1) Inaccessibility of h-satisfied state (in state set Q = Q_1 × Q_2 × ··· × Q_n).
This may arise due to event synchronization under DES G's state transition function with respect to θ. Such an inaccessibility constraint is of the form h = false (if it exists).
After applying every inaccessibility constraint and re-expressing into the original product form, the new transition relation is obtained: where i (1 ≤ i ≤ n) is the index of every process involved in the original transition relation, such that (q_{i,j'}, q_{i,k'}) ∈ Q_i × Q_i, where q_{i,k'} = δ_i(σ, q_{i,j'}), is every remaining state pair. Equivalently, where i is the index of any process involved in the new transition relation above.
2) Guaranteed accessibility of t-satisfied state (next). This is due to event singularity at an h-satisfied state, in that σ ∈ Σ is the only event defined at every such state. Such an accessibility constraint is of the form h · ○t = h (if it exists).
Next, the natural structure of DES G, by design, may be such that, under the invariance of some kernel ψ starting from an initial state, the DES, in reaching some state q_d ∈ Q, must have evolved from some state q_s ∈ Q upstream. This structural attribute, if it exists, induces an accessibility constraint of the form ψ · p_{q_d} ⇝ p_{q_s} or, equivalently, ψ · p_{q_s} ⇝ p_{q_d}. Because of their logical truth over every k-prefix of an arbitrary DES state trajectory, such accessibility constraints, along with the LTL proof system [6], may be used in logic calculations to help simplify an LTL formula for DES G.
With each component process G_i (1 ≤ i ≤ n) itself a DES model, the model operational premise (regarding event occurrences) applies locally to G_i, albeit subject to the same premise being applied to modular DES G, which is necessarily constrained by synchronization of shared events between the component processes. The events that are fair in each G_i are as fair in modular DES G.
In what follows, four worked examples are provided to mainly illustrate the synthesis results of syntactic computability (Theorem 1) and convergence (Theorem 2), with each example DES model axiomatized as described above.
In these examples, the first three of which are adapted from [2] while the last is adapted from [5], propositional LTL is used; each example DES G is finite state and has one initial state. An edge-labeled directed graph is used to represent a finite state DES model G_i. In this graph, a node denotes a DES state; a σ-labeled edge, directed from a node denoting a state q ∈ Q_i to a node denoting a state q' ∈ Q_i, denotes the transition of event σ ∈ Σ_i from q to q', as defined by δ_i(σ, q) = q'. The node with an entering arrow denotes the initial state. As appropriate to each example, a characterizing proposition or a denoting symbol for a DES state is written beside its node. Besides, in these examples, a given DES G, whether monolithic (n = 1) or modular (n ≥ 2), has every component process G_i associated with one marker condition in the overall system marker set M. As each system marker condition is specified by a state formula for G_i, a darkened node can be and is used to identify each state in G_i satisfying the associated marker condition.
For these examples, accordingly, Theorem 2 ensures a finite number of iterations computing Ω(K_j), starting from j = 0 along the sequence {K_j} (2) over DES G, to obtain sup C(P, M). Let P_0 = P. At iteration j+1, with K_j ≡ Y_m · □P_j, first find the kernel ψ_j that exists by Lemma 1, such that ψ_j G» K_j, where ψ_j = (D_j · P_j) (8) and D_j assumes one of the three possible cases, DSF-1 to DSF-3, as discussed earlier. Then apply the syntax-based method contained in the proof of Theorem 1 to obtain sup C(ψ_j) in Ω(K_j) as follows: Using the transition relation modeling of DES G as the axiomatic basis, perform syntax-based calculations accordingly to obtain the successive P_{j+1}, the embedded kernel of □_u*(ψ_j). In completing iteration j+1, determine sup C(ψ_j) in Ω(K_j) as either P_{j+1} or false, according to (7).
In general solution form, sup C(P, M) ≡ □(D · P), where D is an iteration outcome of {K_j}-convergence. In the interesting case where D is neither always equal to true nor to false, it means that for each component formula of the product D added in one iteration of Ω to ensure supremal controllability of temporal safety, there is in general another component of D added in the subsequent iteration to establish the required G»-relation, so as to thwart the violation of M-directingness that adding the former component otherwise causes (as explained by Proposition 4, the fact that □(D · P) is initially satisfied, and the formal definition of M-directingness).

A. EXAMPLE 1
For the DES G depicted in Fig. 1, the (unique state) propositions over state set Q are related as follows: Initial condition θ = p_0. With event set Σ = {α_1, α_2, β}, the transition relations are as follows: = p_1 + p_2 + p_3 + p_4 (by event singularity).
Finally, it is given that Σ_u = {β}, Σ_F = ∅. Consider the specification pair (P, M): P = p_3, M = {p_3 + p_4}; and therefore Y_m = (p_3 + p_4).
G ⊨ Y_m by the transition structure of, and the operational premise for, the DES G. Hence any invariant over G is M-alive under conditional invariance. In the following computation, each exact delimiting safety-closure formula ψ (under G») for the given and successive pair (P', M) is determined with ψ = P' (a case DSF-2), both by observing that invariant □P' is (M, P')-condition invariant and by applying Proposition 5.
To compute the embedded kernel P_1 of □_u*(P), let R_0 = P. Then: Since G ⊨ P_1 [∵ (θ → P_1) ≡ true], , p_1 ≡ P_1, and P_1 is controllable,

B. EXAMPLE 2
In this example of a simple manufacturing system, M1, M2 are DES models of two machines connected in tandem. Each machine Mi (1 ≤ i ≤ 2) is either idling (Ii) or working (Wi). In its idling state, the machine takes (αi) a workpiece from one buffer for processing and transitions to its working state. Once finished with processing in its working state, it deposits (βi) the finished piece into another buffer and transitions back to its idling state. Only the buffer in between the two machines is shown. Of unit size, this buffer is modeled by B, defining the propositions E (buffer empty) and F (buffer full), such that M1 ∥ B ∥ M2 is M1 ∥ M2 with state characterization enriched by these propositions.
Consider the specification pair (P, M) with P = (P_1 · P_2): M = {I_1, I_2}; and therefore Y_m =
The first product component of the temporal-safety part □(P_1 · P_2) may be paraphrased as follows: 'Machine M1 is not to have deposited another workpiece into Buffer B whenever, previously, the buffer is full while it is working.' The second component may be paraphrased as follows: 'Machine M2 is not to have acted to take another workpiece from Buffer B whenever, previously, the buffer is empty while it is idling.' In short, the former specifies no overflow and the latter specifies no underflow for Buffer B. Paraphrasing Y_m, each machine must regularly process workpieces to completion, one at a time, taking from and depositing into their respective buffers. G ⊨ Y_m by the transition structure of, and the operational premise for, each component process G_i (1 ≤ i ≤ 2), and the fact that under ∥, it remains that τ_σ ≢ false for each σ ∈ Σ. Hence any invariant over G is M-alive under conditional invariance. In the following computation, each exact delimiting safety-closure formula ψ (under G») for the given and successive pair (P', M) is determined with ψ = P' (a case DSF-2), both by reasoning that invariant □P' is (M, P')-condition invariant and by applying Proposition 5. The reasoning for condition invariance in each instance is that although the respective temporal-safety part □P' specifies the maintenance of P', the resulting imposed sequencing or ordering among events in G_1, G_2 permits all the events in the DES G to occur infinitely often.
To compute the embedded kernel P 1 of  u˚p P 1¨P 2 q, let R 0 " pP 1¨P 2 q. Then: R 1 " HpR 0 q " pP 1¨P 2 q¨ u pR 0 0 q " pP 1¨P 2 q¨ u pP 1¨P 2 q " pP 1¨P 2 q¨ u pP 1 q¨ u pP 2 q " pP 1¨P 2 q¨F¨W 1 , since: 12 VOLUME 4, 2016 This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication.
C. EXAMPLE 3
Finally, it is given that Σ_u = {c_2, c_7, m_4}, Consider the specification pair (P, M): The specification states that the cat and the mouse must never be in the same room simultaneously, and each must regularly return to the room it initially occupied. G ⊨ Y_m by the transition structure and compassionate events of, and the operational premise for, the individual component processes CAT, MOUSE, coupled with the fact that under ∥, it remains that τ_σ ≢ false for each σ ∈ Σ. In the following computation, each exact delimiting safety-closure formula (under G») for the given and successive specification pair is determined to be a case DSF-2 and a case DSF-1, respectively. Four accessibility constraints are found to be useful in the following calculations for formula simplification, as listed below: To compute the embedded kernel P_1 of □_u*(P), let R_0 = P. Then: (τ_{c7} → (i, j) ≠ (1, 3) · (i, j) ≠ (3, 1)) (τ_{m4} → (i, j) ≠ (4, 0)) [∵ τ_{c2} · ○(i = j) = τ_{c2} · ○((i, j) = (1, 2)), τ_{c7} · ○(i = j) = τ_{c7} · ○((i, j) = (1, 3) + (i, j) = (3, 1)), τ_{m4} · ○(i = j) = τ_{m4} · ○((i, j) = (4, 0))].

D. EXAMPLE 4
For the DES G depicted in Fig. 4, the states are unique, the initial condition is θ = p_{q0}, and it is given that Σ_u = ∅; therefore Σ_F = ∅.
With Σ_u = ∅, clearly □P is controllable, since G ⊨ □P because (θ → P) ≡ true. However, □P is not (M, P)-condition invariant; this condition fails at state q_12. In the absence of strong fairness in events σ_05, σ_06, it is also not M-alive under conditional invariance; this condition fails for the legal state trajectory that stays forever traversing Loop X, formed by the state-transition sequence q_6 - q_7 - q_8 - q_9 - q_10 - q_0 - q_3 - q_2 - q_1 - q_6 (see Fig. 4), satisfying □P but violating □◇p_{q4}. It also fails for any legal trajectory satisfying □P that enters and stays forever traversing Loop Y, formed by the state-transition sequence q_5 - q_4 - q_3 - q_2 - q_1 - q_5 (see Fig. 4), violating □◇p_{q7}. Violating either condition, □P is not M-directing, and hence is not M-controllable.
where past formula D, constructed by some human ingenuity, is a logical product of three formulas as shown in Table 1. Now, G ⊨ □(D · P) [∵ (θ → (D · P)) ≡ true]. Depicted in Fig. 4, Loops X, Y in the DES G are called M-incomplete loops; in general, an M-incomplete loop is with respect to a state trajectory of a DES that enters and stays traversing therein forever, without meeting at least one marker condition in system marker set M infinitely often. By their execution to exit M-incomplete loops in a DES, strategically defined fair events play a crucial role in M-controllability that is of pragmatic importance in simplifying supervisor design. Take for instance: If events σ_5, σ_6 were or could be made compassionately fair, the refinement D on P would have been reduced to ¬p_{q11}, leading to a simpler sup C(P, M) as the supremal M-controllable subformula of □P. But as it is, the absence of fairness in events σ_5, σ_6 (which are controllable) leads to constructing a formula sup C(P, M) that is more complex. This is because the exact delimiting safety-closure formula ψ for Y_m · □P required in the LTL control synthesis also needs to 'emulate' the necessary but missing event fairness. This is done by ψ = D · P, with the invariance of the synthesized formula D (see Table 1) constraining the DES further around every existent M-incomplete loop under the invariance of P, essentially specifying a breakout to exit the loop in the temporal loop limit.

Interestingly, with the supremal M-controllable subformula of P existing in the complex form constructed, the realization of a supervisor [5] in practice requires an a priori arbitrary setting of x, y in D (explained in the note under Table 1) to possibly different, finite positive numbers. Optimality of supervision, as defined by sup C(P, M), becomes purely a theoretical condition because any such supervisor realization is suboptimal; however, the loss of optimality or permissiveness is due, reciprocally, only to each of x, y being finitely set with regard to permitting the maximum number of consecutive cycles the DES can traverse in the respective M-incomplete loops under supervision. The setting of x, y may be made to a finite numerical extent such that this loss is deemed immaterial.

A. DES MODELING & A SYNTHESIS ALTERNATIVE
Fair DES model G, by the sets of labeled strings of finite and infinite length arising from the pair (I^#(G), I(G)), is a state-augmented version of the 'live' DES model due to [18]. Besides, unlike the latter model, the legal evolution of DES G is explicitly described, over its model structure, by fairness formulas of events in the fair event set Σ_F. This makes the fair model G conceptually cleaner and more explainable from the design and synthesis perspective, a unique feature that will be elaborated and made clear by the end of Section VI.
The 'live' DES model is adopted in [18], [19] for progressive control that is more arbitrary and realizes an ω-language (i.e., a set of strings of infinite length, as opposed to a language, which refers to a set of strings of finite length), for which state-of-the-art algorithms for synthesis of controllers in ω-automata (accepting ω-languages termed regular) are available. One might then suggest that an alternative to this paper is to use propositional LTL, the widely used fragment of LTL that is translatable [20], [21] to ω-automata, as a DES modeling and specification language over a finite state space, and then proceed in principle as follows, to perform controller synthesis that is not syntax-based or in state space:
1) Construct some ω-automaton model for a given fair DES G. This ω-automaton is defined using a deterministic state transition function over the event set Σ (and hence is termed deterministic). Its construction (see [22, Ch. 5: Sec. 5.1.6 & Rem. 5.44]) entails translating from the LTL formula κ_G that axiomatizes G's transition structure (in terms of initial condition and transition relations of events in Σ) and its fair evolution (in terms of fairness formulas of events in the fair event set Σ_F).
2) Translate a specified LTL formula of finite length (in terms of the number of symbols) into some deterministic ω-automaton.
3) Apply an appropriate ω-automata-based controller synthesis algorithm.
However, current such controller synthesis algorithms, the earliest of which is given in [19], are about deadlock-free or infinite progressive control, not the more structured marker-progressive control that admits and in fact unifies both types of controlled behavior, finite [1] and infinite [18], [19], in a common framework.
The opinion held herein is that, from the design perspective, what matters most is having a unified framework for finding an understandable control solution that conforms to correctly stated specifications, not whether the resultant controlled behavior is infinite (or deadlock-free, meaning it has no deadlocks) or otherwise, for that is a solution output, not a problem input. The term 'deadlock' used in [19] means entering a state that is terminal or made terminal (under control), and carries a negative connotation; this paper is of the opinion that, provided the specification is correctly stated, a terminal state that exists and can be entered in a controlled behavior is part of the solution, such as a graceful system cessation. Insisting on infinite control at the outset as a problem objective might therefore distort the intended control solution. Given a DES that has no terminal state (that it can transit into from an initial state), if one wishes to check whether the controlled behavior due to a specification pair (P, M) is infinite, one only needs to check that, for the supremal control solution obtained with ϕ as its kernel, the solution invariant □ϕ is ({false}, ϕ)-condition invariant. In the case that the DES under a control solution can enter an unexpected terminal state, the principled approach then is to reflect on and iteratively refine, as needed, the system design and specification.

B. INFINITE CONTROL
Used in the respective frameworks, specifically [ [5] is analogous to relative ω-closure [18], [19], in the sense that each concept characterizes the solvability or existence of controls in conjunction with its associated basis concept of controllability. The associated basis concept used in [19] is called ω-controllability; it refines the standard concept of controllability [1], used in [18, Prop. 3.1] in the originating language form [1] and in [5, Def. 20 & Thm. 3] in an LTL form [5], with a characterization in terms of some controllability prefix, and is shown to reduce to the standard concept under relative ω-closure [19, Prop. 4.4] (for a specification given by an ω-sublanguage of the DES). However, in general, the union of relative ω-closed sublanguages (of the DES) is not relative ω-closed, although that of ω-controllable sublanguages is ω-controllable, thus implying that the supremal ω-controllable and relative ω-closed sublanguage does not exist in general [19], [23]. This contrasts with the optimality result for the specification pair (P, M) that the LTL control synthesis method (2) is based on: inferring from Proposition 1, sup C(P, M) exists, which the method (2) computes, such that it is the supremal M-controllable subformula of P provided sup C(P, M) ≢ false.
In fact, for the specification pair (P, M) considered, relative ω-closure is technically stronger or more restricting than M-directingness in general; to intuitively explain this technicality in the context of an arbitrary specification pair (ψ, M), where ψ ⇒ P, relative ω-closure of the DES ω-sublanguage equivalent of the pair (ψ, M) only permits entering any M-incomplete loop that the DES will exit under the invariance of ψ, either by itself or after a finite number of cycles (of the loop) specified by ψ under invariance. This is not the only case permitted with M-directingness of ψ; as is evident from Proposition 6 and a reading of the relation G» therein according to its definition, the concept also allows the DES to enter and stay in each M-incomplete loop that it may not exit by itself, if not for the arbitrary number of cycles in the temporal loop limit posed by ψ under invariance. This is illustrated in Example 4 by the supremal M-controllable solution ϕ obtained for some ψ = ϕ, where some practical design implications are also discussed, and will be elaborated further below in connection with related work.
Despite the differences, for common problem settings, one may, in practice, apply either the LTL control synthesis method (2) or an appropriate ω-automata-based synthesis algorithm available. Then, where a non-trivial solution exists, the former method yields a (satisfiable) supremal marker-controllable formula. For the ω-automaton equivalent of specification pair (P, M), after limiting it suitably to represent a regular ω-sublanguage that is relative ω-closed, the latter algorithms in [19], [24], [25] each use the resultant ω-automaton to compute a controllability state subset over a finite state automaton (to be controlled), which they then use, if the subset is nonempty, to compute the supremal ω-controllable sublanguage [19] as an ω-automaton; as the computed sublanguage is also relative ω-closed [18, Prop. 3.2], it is hence a (specification-conforming) control solution. An algorithm in [23] uses a reactive synthesis approach that also yields an ω-automaton as solution. However, due to the stronger concept of relative ω-closure as discussed above, a stronger solution may result for the latter algorithms, depending on the relative ω-closed sublanguage of the given specification that is selected a priori; such a selection may not be straightforward, be it from a regular ω-sublanguage specification not known a priori to be ω-closed, or from the nonempty supremal ω-controllable sublanguage first computed that only ascertains the existence of infinite control [19, Thm. 5.3]. In contrast, a supremal LTL control solution obtained may at times turn out to be purely theoretical, in that it is not practically realizable or implementable as a supervisor. Consider such a supremal LTL control solution obtained and discussed in Example 4.
Its solution form, however, can serve as a transparent basis for selecting a posteriori a suitably permissive but necessarily suboptimal solution for practical supervisor realization, which in this example corresponds to an ω-automaton control solution (whose regular ω-controllable language is relative ω-closed).
Clearly, though related, the concepts of M-directingness and relative ω-closure have resulted in different treatments of M-incomplete loops under the invariance of P, for control synthesis of the specification pair (P, M) on, respectively, its LTL formula and its equivalently translated ω-automaton. Related is the DES dynamics or evolution induced by the fair event set, which provides a more concrete means of explaining DES behavior, especially with regard to whether the DES can guarantee exiting, by itself, any M-incomplete loop it may enter. The basic role of fair events in driving DES behavior, with implications for control synthesis, is, however, abstracted out in the original infinite or ω-language control theory [18], [19].
To aid further comparison, define a (weakly) control-forcible event as one that must eventually occur if it is infinitely often control-enabled and defined in an automaton. Then in [25], a finite state automaton is assumed to satisfy an additional condition called state fairness, asserting that every event is control-forcible. Over an automaton endowed with such control dynamics, the synthesis algorithm in [25] computes a controllability state subset in polynomial time, instead of the exponential time taken by that in [24]. However, such an approach might inadvertently accommodate what, at the design outset, is infeasible regarding the control dynamics of some events.

C. FINITE CONTROL (IN THE LIMIT)
Last but not least, consider the, perhaps, simplest infinite control problem, where the fair event set is not accounted for, and the DES model and specification are expressible by finite non-terminal state automata (accepting the language, say L, hence termed regular, of the DES, and its sublanguage, say E, that is L-closed, respectively) in the limits, or these regular languages in the limits [27, Sec. 6]. The problem instances in Examples 1 to 3 consider DES models and specifications that are, language-wise, correspondingly expressible as such under the condition that the fair event set, which is not empty in the case of Example 3, is not accounted for. This is because, in these examples, the DES G has no terminal state (that it can transit into, starting from an initial state), and the specification given by the pair (P, M), where M = {M_1, M_2, ..., M_m}, is under the following modeling restriction: The j-prefix of every state trajectory I' ∈ I(G) satisfying □P can be extended to some I ∈ I(G), M_i) that is logically stronger than (the LTL formula denoted by) the specification pair (P, M). The correspondence, however, is only up to those DES modeling and specification in the limits. As explained earlier, the LTL control synthesis method (2) does not specially seek an infinite control solution, as that is not an objective of the problem it addresses, unlike the finite state automata-based algorithm in [27]. Besides, like nonblocking (finite) control synthesis [1], [2], the synthesis algorithm in [27] seeks the most 'optimistic' control solution without accounting for the fair event set. This means that, keeping specified safety uncompromised, the infinite control solution sought permits the DES to enter any M-incomplete loop, so long as the DES can logically transition out of it (although it need not happen at runtime) and proceed onto a state trajectory I ∈ I(G) satisfying □P · (∏_{i=1}^{m} ◇M_i).
This approach of optimistically admitting M-incomplete loops by the algorithm in [27] produces a generally more permissive solution than that by the method (2), whenever both yield an infinite control solution for the same problem instance. As a result, whether more or equally permissive, the former's solution may not always be truly specification-conforming, due to the possibility of the control solution permitting the DES to enter an M-incomplete loop and stay in there forever.
As it turns out, if the nonblocking synthesis algorithm [2] yields a control solution that does not render terminal any state which it permits the DES to reach, then the problem instance addressed is equivalent to that which the algorithm in [27] can address with the same solution. Such is indeed the case for Examples 1 to 3 that originated in [2]. The reader may therefore treat the control solutions presented in [2] for these examples as those yielded by the algorithm in [27].
With that said, for each of the Examples 1 to 3, it is coincidental that the LTL control synthesis method (2) and the finite state automata-based algorithm in [27] yield, automaton-wise, the same supremal control solution, with the latter yielding the so-called complete or live supremal controllable ω-sublanguage as a finite (non-terminal) state automaton in the limit. On why the solutions coincide: firstly, applying either the method (2) or the algorithm in [27], supremal infinite control solutions exist. Secondly, with the aid of, automaton-wise, the same control solutions presented as automata in [2], it can be observed that, for Example 1 (see [2, Sec. 7, Fig. 7.5]), although there is one M-incomplete loop, formed by transitions of only event c_7 due to the model CAT (see Fig. 3), which the solution by the algorithm in [27] admits, the LTL control solution synthesized permits the DES to also enter this loop, since the fair event c_2 ∈ Σ_C is there to help guarantee exiting this loop.

D. MARKER-PROGRESSIVE CONTROL & BEYOND
In an overall remark, the preceding discussions under common problem settings should be regarded as reconciliatory. After all, though technically related, LTL and ω-languages are different formalisms with their own independent analysis frameworks, and so, in general, are the problem settings and objectives formulated in these frameworks. The former is about (state-based) logic control of fair DES's, while the latter is about (event-based) ω-language control of 'live' DES's.

1) On Specification Correctness Guarantee
That said, the discussion on the concept of M-directingness has exposed the necessity to exit or 'break out' of M-incomplete loops to guarantee specification correctness, meaning, to ensure that a controlled DES can never trace out a state trajectory at runtime that violates the specification it is designed for. This necessity was previously hidden under the concept of relative ω-closure for infinite controlled behavior [18], [19]. Formulated in a unified behavioral framework, this necessity carries over to finite controlled behavior [1], unearthing a fundamental insight about specification-correctness guarantee. Now, it is hitherto almost conventional thinking that a controlled DES meeting a specification (in terms of language containment) provides a specification-correctness guarantee. But a DES at runtime is 'generative' of strings (of events) [1], not all of which are 'accepting' in the standard automata-theoretic sense [26]. The unintuitive insight unearthed is this: in synthesizing finite controlled behavior, it is necessary but not sufficient in general for guaranteeing specification correctness that a controlled DES meeting a language specification is achieved by optimal control synthesis [2] in finite state automata [26] based on the founding nonblocking control theory [1], or by that slightly modified based on related work [27], with nonblocking control understood as always permitting a DES to transition and enter or reenter a state of the marker state set, which is a special case of the system marker set (see [5, M (2)]). This insufficiency of the guarantee is due to the optimal control synthesis [2], [27] being carried out optimistically, without modeling and accounting for DES fairness dynamics, thus possibly admitting M-incomplete loops that exist in the DES with no loop exit assurance.
Note then that, for Example 3, the LTL control solution yielded by the synthesis method (2) guarantees specification correctness with the cooperation of fair event $c_2 \in \Sigma_C$. But the same cannot be said of the automaton solution [2, Sec. 7.3: Fig. 7.5] yielded by the synthesis algorithm in [2] or [27]; as discussed earlier, this solution is, automaton-wise, no different from the corresponding LTL control solution, but it is the same solution the synthesis algorithms [2], [27] yield regardless of whether event $c_2$ is a fair event of the compassionate type or not.
Clearly, the cause of nonblocking control synthesis [2] not guaranteeing specification correctness is that its synthesized control solutions in finite state automata [26] may admit M-incomplete loops with no assurance of exiting such loops. This cause may have ramifications for the nonblocking control framework [1], [2] and its subsequent developments (e.g., [8], [27], [28]) to date.
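The loop-exit issue just described can be checked mechanically on a finite-state controlled automaton. The following Python is an added illustration, not the paper's synthesis method (2) nor the authors' code: it assumes a controlled DES given as a finite automaton with a marker state set, treats an M-incomplete loop as a nontrivial strongly connected component of the state graph with marker states removed, and takes a fair (compassionate) event leaving the loop as the exit assurance; the automaton it runs on is constructed here.

```python
# Added illustrative check, not the paper's synthesis method (2): list the
# M-incomplete loops of a finite-state controlled DES and say whether each has
# an exit labelled by a fair event.  Assumptions: an M-incomplete loop is a
# nontrivial SCC of the state graph with all marker states removed; a fair
# (compassionate) event leaving it assures exit, as it cannot stay enabled forever.

def sccs(states, trans):
    """Tarjan's SCC algorithm; trans maps state -> [(event, next_state)]."""
    index, low, on_stack, stack, result = {}, {}, set(), [], []
    def strong(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for _, w in trans.get(v, ()):
            if w not in index:
                strong(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of an SCC: pop it
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v: break
            result.append(frozenset(comp))
    for s in states:
        if s not in index:
            strong(s)
    return result

def m_incomplete_loops(states, trans, markers, fair_events):
    """Map each M-incomplete loop to True if a transition leaving it carries a
    fair event (exit assured), else False (no exit assurance)."""
    # Delete marker states: any nontrivial SCC left is a loop that never marks.
    sub = {v: [(e, w) for e, w in trans.get(v, ()) if w not in markers]
           for v in states if v not in markers}
    report = {}
    for comp in sccs(list(sub), sub):
        if len(comp) == 1 and not any(w in comp for _, w in sub[next(iter(comp))]):
            continue                    # trivial SCC without a self-loop
        exits = [(e, w) for v in comp for e, w in trans.get(v, ()) if w not in comp]
        report[comp] = any(e in fair_events for e, _ in exits)
    return report

# Constructed controlled DES (not from the paper): marker state 0; loop {1,2}
# can leave only via fair event d, loop {3,4} only via the non-fair event h.
STATES = [0, 1, 2, 3, 4]
TRANS = {0: [("a", 1), ("e", 3)], 1: [("b", 2)], 2: [("c", 1), ("d", 0)],
         3: [("f", 4)], 4: [("g", 3), ("h", 0)]}
MARKERS, FAIR = {0}, {"d"}
```

Calling `m_incomplete_loops(STATES, TRANS, MARKERS, FAIR)` reports the loop {1, 2} as exit-assured and the loop {3, 4} as admitted with no exit assurance, which is the optimistic-synthesis situation the text warns about.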

2) Supervisory Control Unified in Transparent LTL Synthesis
Besides bringing into focus the issue of specification-correctness guarantee in the cited literature on finite controlled behavior, a more obvious and undeniable fact is that all the aforementioned research efforts are based on formal languages and automata, which are rather elementary. Inherent, therefore, is formal language control giving little regard to human designer considerations, fundamental among which are clearer system dynamics modeling in terms of evolution characterizable by fair events, and transparency of synthesis along with solution readability in LTL; all of these are desirable in engendering a higher level of explainability that might, for instance, help a human designer decide whether a solution is right, and not just get it right. By applying the mathematical method (2), these fundamental considerations are fulfillable for marker-progressive control synthesis of fair DES's. As illustrated by examples, the synthesis transparency of this method is enhanced by an equational style of logic reasoning it supports, referred to as calculational logic [29], in the readable syntax of LTL; it applies LTL syntactic logic rules [6] in an algebraic style, manipulating and presenting LTL formulas in 'a sequence of substitutions of equals for equals'. This reasoning style is akin to calculations in many fields of mathematics, including linear algebra, modern algebra, and calculus; its use motivates formal workings that human analysts can freely make in their own line of logic reasoning as long as it is correct, rendering the mathematical problem solving of control synthesis more transparent in general.
As carefully illustrated by examples, applying the LTL control synthesis method (2) currently involves working out by hand and, in some cases, it requires human ingenuity. But the process is demonstrably transparent and the solution obtained is a readable LTL formula. These, along with explicitly engaging the role of fair events for guaranteed marker-liveness, are needed for a more holistic mathematical treatment of understandable control design in general, setting this paper uniquely apart.
Admittedly, the method (2) is presently not computer-algorithmic, as its current development is not primarily motivated by problem solving using algorithms and software tools. But in some respects, it has conceptually unified and extended the aforementioned research efforts under canonical LTL for the specification pair $(P, \mathcal{M})$ considered. This specification pair may seem limited to some, but in the generic realm of supervisory control, largely one of accomplishing tasks regularly without violating safety, it is about the most general that a control designer can practically think of.

3) Extension to General-Progressive Supervisory Control
That said, to handle specifications beyond the specification pair $(P, \mathcal{M})$, let $\mathcal{N} = \{N_1, N_2, \cdots, N_m\}$ be some system asymptote set, where each $N_i \in \mathcal{N}$ $(1 \le i \le m)$ is an arbitrary past formula specifying a system asymptote condition. That each asymptote condition $N_i \in \mathcal{N}$ is to be stable, in the sense of being eventually met and maintained henceforth in DES $G$, is specified by an LTL formula in canonical temporal-persistence form [6], [9] built on $N_i$. Then the LTL control foundation [5] and the associated synthesis results of this paper are directly extendible from the specification pair $(P, \mathcal{M})$ to the pair $(P, \mathcal{M} \times \mathcal{N})$ denoting the LTL formula $P \cdot Z_m$, where $Z_m$ is an LTL formula of the canonical reactivity class, the most general class, situated topmost in the complete hierarchy of canonical classes of LTL formulas [6], [9]; the formula $Z_m$ may be called the most general reactivity formula of $\mathcal{M} \times \mathcal{N}$-rank $m$. In essence, this extension, to general-progressive supervisory control that covers the full specification hierarchy of canonical LTL, is anchored on the following two main concept generalizations. The first generalizes M-directingness of $P$ to $\mathcal{M} \times \mathcal{N}$-directingness, such that $P$ is said to be $\mathcal{M} \times \mathcal{N}$-directing if $P$ is initially satisfied, $(\mathcal{M} \times \mathcal{N}, P)$-condition invariant, i.e., $G \models \ldots$ (the rest of this condition is incomplete in the extracted text). The second generalizes M-controllability of $P$ to $\mathcal{M} \times \mathcal{N}$-controllability, such that $P$ is said to be $\mathcal{M} \times \mathcal{N}$-controllable if $P$ is controllable and $\mathcal{M} \times \mathcal{N}$-directing. Note that the extension to general-progressive control is prescriptively a simple scale-up, in that the results for $(P, \mathcal{M} \times \mathcal{N})$ are obtainable from those for $(P, \mathcal{M})$ as presented in this paper and its predecessor [5], by replacing $Y_m$ with $Z_m$, and every M-related concept with the corresponding $(\mathcal{M} \times \mathcal{N})$-related concept defined above.
Note also that $(M_i + N_i) = (N_i \to M_i)$.
One may therefore think of general-progressive supervisory control as temporal-safety or invariance control of $P$ to bring about marker-progressive (or M-progressive) responses to asymptotic instability (or N-instability) triggers. Interestingly, by interpreting the specified triggers as arising conditionally from a system operating environment, it becomes conceptually clearer that DES $G$ is a behavioral model of a system in an environment. Finally, in the special case of finite state DES $G$ and specification pair $(P, \mathcal{M} \times \mathcal{N})$, where $P = \mathit{true}$, $\mathcal{M} \times \mathcal{N}$-rank $m = 1$, and $\mathcal{M}$, $\mathcal{N}$ are sets of state formulas, the general-progressive control problem reduces to a version of the reactive synthesis problem [30], [31] that is extended to admit uncontrollable events [23], and unified to subsume finite reactive behavior [32]. This resultant reactive synthesis problem may be efficiently solved by adapting a two-player game approach [30], [33]. However, it entails a formal investigation and is, in any case, beyond the scope of this paper.
VOLUME 4, 2016 This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication.

4) Towards Computer-Algorithmic Synthesis in Future Work
Finally, the research direction pursued in this paper and its predecessor [5] is relatively new; not unexpectedly, this paper lags the related literature in algorithmic complexity studies, among others. Certainly, making the LTL control synthesis method (2) computer-algorithmic (or automated), fully or partially, to help construct supremal marker-controllable formulas which are satisfiable, is a challenging subject for future research; so is automating the method's generalization to the specification pair $(P, \mathcal{M} \times \mathcal{N})$. Already, the complexity of satisfiability of propositional LTL in finite state DES's is PSPACE-complete, as inferred from [14]. Synthesis complexity is thus expected to be analyzed only for interesting problem subclasses of practical interest in a future comparative study with existing related research. The synthesis efforts include deriving axiomatic modeling constraints due to the natural dynamics and structure of a given DES for logic simplification purposes, and constructing the exact delimiting safety-closure formula in compact form for a given specification pair.

VII. CONCLUSION
This paper has presented an existence characterization of the supremal marker-controllable safety formula for fair DES's. This new LTL characterization result of Corollary 1 should be of theoretical interest, and lends itself to an algebraic, syntax-based framework for transparent control synthesis in the 'regular' case of finite state DES's and specification pairs given by decidable LTL formulas. Future research of interest includes finding subclasses of infinite state DES's for which $\{K_j\}$ (2) converges, extending the main synthesis results of Theorems 1 and 2.
In conclusion, DES's and their controls span a wide range of modern engineering systems that are human-designed. It is thus advantageous to develop a mathematical control-theoretic framework supporting human-readable specification and transparent control synthesis in the same natural-language motivated algebra. Together with the predecessor paper [5], this paper is a step in this direction, for fair DES's and marker-progressive control readily extendible to general-progressive control in the algebra of canonical LTL [6]. Importantly, this line of research has given new insights into supervisory control, and provided the basis for further progress in the field.
Looking ahead, on the horizons are no doubt new unique opportunities in DES control theory research. Anchoring on the well-organized hierarchy of canonical classes of LTL formulas [6], [9], the goal (and hope) is to continue the high-level and more structured control-theoretic development in future research endeavors, bringing new control-theoretic findings on board in the process.