Analysis and Control of Partially Observed Discrete-Event Systems via Positively Constructed Formulas

: This paper establishes a connection between control theory for partially observed discrete-event systems (DESs) and automated theorem proving (ATP) in the calculus of positively constructed formulas (PCFs). The language of PCFs is a complete first-order language providing a powerful tool for qualitative analysis of dynamical systems. Based on ATP in the PCF calculus, a new technique is suggested for checking observability as a property of formal languages, which is necessary for the existence of supervisory control of DESs. In the case of violation of observability, words causing a conflict can also be extracted with the help of a specially designed PCF. With an example of the problem of path planning by a robot in an unknown environment, we show the application of our approach at one of the levels of a robot control system. The prover Bootfrost developed to facilitate PCF refutation is also presented. The tests show positive results and perspectives for the presented approach.


Introduction
The class of discrete-event systems (DESs) is a wildly used modeling formalism for a large variety of man-made complex objects [1][2][3].Logical DESs, as a subclass of DESs, represent system evolution in terms of states changing in response to the occurrence of some events at non-predetermined time instants.A logical DES is commonly represented as a finite-state automaton, the transitions of which from state to state are labeled with the letters of some finite alphabet and correspond to events occurring in the system.Sequences of such transitions form the words of a regular language that describes the behavior of the system from the high-level, or symbolic, point of view.Consequently, system properties may be described as statements over these formal expressions.
One of the most popular ways to deal with logical DESs containing events that may be switched off is the supervisory control theory (SCT) [4].SCT was developed as a tool for restricting DES behavior according to a set of constraints defined by some specification.For example, logical DESs are extensively exploited nowadays in mobile robots and robot group control, e.g., [5][6][7].A detailed description of SCT is presented in, e.g., [1,8,9].
It is well known that formal logic aims at dealing with symbolic structures, such as formal languages, by formulating their properties as theorems that must be proven.Thus, studying logical DESs is naturally embraced by the paradigm of automated theorem proving (ATP).ATP represents an implementation of a natural human reasoning process with the help of formal logic and special computer programs called provers.Developed to help mathematicians in producing and verification of formal mathematical proofs, nowadays it is useful in program analysis, system verification, etc., providing results in a wide range of areas.The latest examples include proving the 400-year-old Kepler conjecture on sphere packing [10] and the correctness of the seL4 operating system kernel [11], not to mention earlier proof of the four-color theorem in graph theory [12] and the verified C compiler CompCert [13].A modern domain of ATP application is robotics, where it helps mostly in planning [14] and decision making [15].For example, in [16] for planning and control in swarm robotics, the PDDL language is used, which is based on the classical STRIPS-style ATP.In [17], theorem proving is applied for verification of the framework for modeling the controllers of autonomous robots, combined with the automatic generation of C++ code.
We suggest a new way to study and design logical DESs that is based on ATP in the calculus of positively constructed formulas (PCFs).PCFs are first-order formulas that do not contain the negation symbol in their syntax [18,19].The language of PCFs is a complete first-order language, providing a powerful tool for qualitative analysis of dynamical and intelligent systems.Its applications include telescope orientation [20], elevators group control [21], pursuing goals [22], and achieving targets [23].To facilitate the inference search in the PCF language, a prover Bootfrost is developed [24].The most important features of the PCF calculus and its prover implementation are the following: • Large block data structures for representing formulas and inference rules; • Absence of necessity to remove existence quantifiers with a skolemization procedure, which decreases the complexity of the inference; • Compatibility with application-specific heuristics and general logical inference control heuristics; • Clarity of the logical inference, which helps to find formalization errors; • Support for the equality predicate; • Modifiability of semantics to support nonclassical logics.
In modern ATP, wide usage of proof assistants, noted in [25], such as Isabelle/HOL in [10], HOL Light and Isabelle in [11], or Coq in [12], instead of fully automated provers, is caused by the fact that significant user input is often required to clarify a difficult situation that has stumbled the inference.In addition to its other advantages, the prover Bootfrost combines the power of automated reasoning with the ability to implement user-designed strategies.
Our previous papers addressed how the basic problems of the supervisory control theory (SCT) [4] for logical DESs can be solved using the PCF-based technique.The issues considered so far include controllability checking to determine if a formal language restricting DES functioning may be guaranteed by a supervisor, a supremal controllable sublanguage of a given specification language construction, or a monolithic supervisor realization (e.g., [26]).This paper deals with partially observed DESs, in which the occurrence of some events is unavailable for observation.In this case, the property called observability of a formal language determines those specifications on DES functioning that may be ensured by supervisory control.Some effective tests for observability have been already suggested, e.g., in [27,28], where the former considers the observation function in the form of a mask, and the latter is based on the algebraic operations on processes that represent DESs.For regular languages, a fixed-point test for observability from [29] can be effectively implemented.The test employs the operator that is also associated with the algorithm for computing the infimal prefix-closed and observable superlanguage of a given language.It is used in [29] to find a solution for the supervisory control and observation problem in its general case, i.e., when a supervisor should provide a language lying in some predefined range of languages.
This paper extends the use of PCF calculus and ATP in SCT problems.Namely, it will be shown how the polynomial time algorithm for testing observability from [1] may be implemented with PCFs.If observability is violated, then the conflicting strings can also be found with the help of another PCF that will be also presented.The main advantage of the presented PCF-based approach and the employment of the ATP technique is the declarative description of the used algorithms.In this case, the programmer only describes (declares) the properties of the required result, and the solution (method) is provided by the logical programming system, as a result of searching for the logical conclusion of some goal statement.This is a step up from programming in imperative languages (e.g., C/C++, Java, etc.), as the programmer does not have to worry about the low-level details of the program.
There are some tools developed for the analysis and design of controlled DESs in the framework of SCT.Among them are TCT [30], DESUMA/UMDES [31,32], Supremica [33], and others.Having user-friendly graphical interface and high-performance algorithms, Supremica supports extended finite-state machines where transitions are labeled with guards and actions in addition to events [34].The guards and actions reference variables, which can be declared over finite integer ranges or as enumerated type.Although a PCFbased tool for SCT is a developing project, our approach suggests that both guards and actions may be expressed in the form of logical statements of any kind.Unlike focusing on large-scale industrial examples like in [35][36][37], the usage of PCFs and the PCF calculus for DES control suggests exploiting logical tools for knowledge representation and processing.
The contribution of this work consists in presenting a theoretical base of the original logical approach to handling partially observed DESs.An ATP-based technique of DES specifications testing for observability is presented with the usage of PCF representation of logical DESs.This paper's structure is the following.After the necessary preliminaries on the PCF calculus provided in the next section, in Section 3, we state the problem of the supervisory control of partially observed DESs and present a PCF for observability checking.Section 4 provides a PCF extracting conflicting strings.In Section 5, the PCFbased implementation of the supervisory control of DESs is described.Section 6 is dedicated to the prover Bootfrost and its main features.Section 7 provides a case study for the pathfollowing problem for a mobile robot.In the conclusion, we discuss the presented approach and outline directions for our future work.

The PCF Calculus
The calculus of positively constructed formulas (PCFs) is based on the refutation of the negation of an original statement which is to be proved.The main idea is the following: if the negation of the statement is proved to be false, then the statement itself is true.The language of PCFs is a special variant of the language of first-order logic (FOL), which consists of first-order formulas (FOFs) built out of atomic formulas, or atoms, with the help of operators &, ∨, ¬, →, ↔, quantifier symbols ∀ and ∃, and constants True and False.We suppose the reader is familiar with the concepts of atom, literal, and term, understood in the usual sense.
) are denoted as ∀ X A : F and ∃ X A : F, respectively, keeping in mind that the ∀-quantifier corresponds to the disjunction of all subformulas, and ∃-quantifier corresponds to their conjunction.If F = ∅, then the above formulas turn to the form ∀ X A : ∅ ≡ ∀ X A → False and ∃ X A : ∅ ≡ ∃ X A&True, since the empty disjunction is understood as False, whereas the empty conjunction is understood as True.Let ∀ X A and ∃ X A be abbreviations of such formulas.If X = ∅ then ∀A : F and ∃A : F are analogous abbreviations.The set of atoms A is called a conjunct.Variables from X, bound by corresponding quantifiers, are called ∀-variables and ∃-variables, respectively.In ∀ X A, a variable from X that does not appear in the conjunct A is called an unconfined variable.Note that ∀∅ ≡ ∀∅ : ∅ ≡ ∀True → False ≡ False.Definition 1 (Positively constructed formulas (PCF)).Let X be a set of variables and A a conjunct.Then, the following holds:
A PCF starting with ∀∅ is called a PCF in the canonical form.Any PCF can be represented in the canonical form.If F is a noncanonical ∃-PCF, then ∀∅ : F is the canonical PCF, since ∀∅ : F ≡ True → F ≡ F. If F is a noncanonical ∀-PCF, then the canonical PCF is ∀∅ : {∃∅ : F} ≡ True → True&F ≡ F. Type quantifiers ∀∅ and ∃∅ are used to regularize PCFs, i.e., to transform them to the canonical form.
The term "positively" comes from the fact that according to the definition, PCFs contain no negation operator (¬).This is also true for the semantics of language; negation is "concealed" in the implications that are meant following universal quantifiers.Note that any FOFs can be represented as PCFs, since the PCF language is a special notation of classical FOFs, as well as the conjunctive normal form, the disjunctive normal form, etc.The converting algorithm is presented in [38].
For easier reading, a PCF may be represented graphically as a tree structure.For example, consider a PCF representation of a FOF F = ¬ ∀x∃yP(x, y) → ∃zP(z, z) .
∀x : ∅ ∃y : P(x, y) The root ∀∅ of a PCF tree is called a PCF root.Each PCF root's child ∃ X A is called a PCF base, the conjunct A is called a base o f f acts, and a PCF rooted from the base is called a base sub f ormula.The PCF base children ∀ Y B are called questions to the parent base.The subtrees of the questions are called consequents.If a question has no consequent, then the question is referred to as goal question, and it is identical to False.

The Inference Rule
The only axiom of the PCF calculus is ∀∅ : ∅, i.e., False.The inference rule ω in the PCF calculus is based on the search for so-called answering substitutions, i.e., such substitutions of variables in terms that satisfy certain conditions.

Definition 2 (Answer).
A question ∀ Y D : Υ to a base ∃ X A has an answer θ if and only if θ is a substitution Y → H ∞ ∪ X and Dθ ⊆ A, where H ∞ is Herbrand universe based on constant and function symbols that occur in corresponding base subformulas.
If a question has an answer to its base, then the base subformula is split by this question.In the case of a goal question, we say that the base subformula is refuted because split(B, ∀ Y D) = ∅.The refuted base subformula B is removed from the set of base subformulas Φ since Φ \ {S} ∪ ∅ = Φ \ {S}.When all bases subformulas in Φ have been refuted, the formula F is also refuted since ∀∅ : ∅ ≡ False.
Any finite sequence of PCFs F , ωF , ω 2 F , . . ., ω n F , where ω s F = ω(ω s−1 F ), ω 1 = ω, ω n F = ∀, is called an in f erence of F in the PCF calculus (with the axiom ∀).An answer to the goal question refutes the corresponding base.When all bases of the PCF are refuted, then the PCF F is reduced to ∀, i.e., False.This means that F as the negation of the statement under consideration is unsatisfiable; therefore, the statement itself is true.The details on the PCF calculus may be found in [18,19,21,39].In [19], the correctness and completeness of the PCF calculus with functional symbols was proven.

Partially Observable DESs
Consider a discrete event system (DES) in the form of a generator G = (Q, Σ, δ, q 0 , Q m ) of a formal language [4].Here, Q is the set of states q; Σ the set of events; δ: Σ × Q → Q the transition function; q 0 ∈ Q the initial state; Q m ⊂ Q the set of marked states.Let L(G) be a language generated by G, and L m (G) be a language marked by G.The Ramadge-Wonham supervisory control framework assumes the existence of a means of control G presented by a supervisor [4].Let Σ c be a controllable event set, The supervisor switches control patterns so that the supervised discrete event systems achieve a control objective described by some regular language K.
Let G be partially observable, i.e., a set Σ o of observable events is distinguished from all events, Σ uo = Σ \ Σ o , Σ c ∩ Σ uo = ∅.The observation function is usually defined as the natural projection P : Σ * → Σ * o , which erases unobservable events for s ∈ Σ * P(sσ) = P(s)σ if σ ∈ Σ o and P(sσ) = P(s) if σ ∈ Σ uo .The supervisor only observes events from Σ o and, based on this information, disables events in Σ c .Denote L(J/G) a language generated by the closed-looped behavior of the plant and the supervisor.In this paper, for simplicity of presentation, the marked language and related problems, such as the construction of nonblocking supervisory control, are not considered.
Supervisory control and observation problem (SCOP).Given a plant G over an alphabet Σ, a language L A ⊆ L(G), a language L E ⊆ L(G), and sets The less complex problem consists in finding such control patterns that the language marked by the supervisor is equal to some desired language.Thus, the special case of SCOP is constructing such a supervisor that L(J/G) = K where K is called a specification language.We refer to this problem as basic SCOP (BSCOP).The notions of controllable and observable languages are essential in solving this problem.Let L be a set of all strings that are prefixes of words of L, i.e., L = {s|s ∈ Σ * and ∃t ∈ Σ * : s • t ∈ L}.Definition 5. A language K is called controllable (with respect to L(G) and Σ uc ) if KΣ uc ∩ L(G) ⊆ K. Here, KΣ uc is a shortened expression denoting concatenations of all the strings from K with any of the symbols from the set Σ uc .Definition 6.The K is observable (with respect to L(J) and P) if ∀s, t ∈ Σ * (P(s If observability holds true, this means that no event should be enabled and disabled simultaneously to satisfy specification K.The opposite situation is called a conflict. Supervisor existence criterion for BSCOP sounds as follows: given K ⊆ L(G), there exists a supervisor J such that L(J/G) = K iff K is controllable and observable with respect to L(G) and P.
The PCF-based procedure for checking controllability was suggested in [26].It also allows one to construct supremal controllable sublanguage of uncontrollable specification such that it may be chosen as a new specification and be ensured by a proper supervisor.In the rest of the paper, we show how PCFs allow testing regular language for observability and implementing supervisory control.

Checking Observability via PCFs
There are several algorithms exist to check if the regular language K is observable.Among them is the algorithm from [1] that is polynomial with respect to the size of the automata generating K.The main idea of the algorithm is constructing an automaton for tracking two words s 1 , s 2 of K which have the same projection P(s 1 ) = P(s 2 ) but such that s 1 σ ∈ K while s 2 σ / ∈ K. Strings s 1 and s 2 are then called conflicting because they demand different control actions from the supervisor.Let the regular language K be recognized by the finite-state automaton H.The algorithm from [1] suggests to consider two copies of the automaton H and one copy of the automaton G and to design an automaton T with the states of the form (h 1 , h 2 , q), where and the single state dead.The existence of the state dead denotes the unobservability of K, because in this case, there exist a set of strings s i ∈ K, i = 1, 2, 3, and some event σ such that s 2 = s 3 and P(s 1 ) = P(s 2 ), , the observability condition is violated.We prove that the above algorithm may be realized with the help of ATP in the PCF calculus.For this, some preliminary procedures are required, in particular, we determine what transitions are defined in each state of automata involved, namely G and H, using logical inference only.The following list of predicates will be exploited in this procedure: a predicate Q X (_) that corresponds to all states of the automaton X, a predicate E X (_) that defines all events of the automaton X, and terms δ X (q i 1 , σ i , q i 2 ) that determine transitions from the state q i 1 of automaton X to the state q i 2 labeled with an event σ i .Let the term F X (q i , σ j ) mean that there is a transition from the state q i of the automaton X labeled by the event σ j .Let NoF X (q i , σ j ) mean the opposite, i.e., that there is no such transition.For an automaton X, consider the PCF F PrepX (1) with the base During the inference search for F PrepX , the following strategy is used: First, all possible answers to the first question are being searched for, thus atoms NoF X (q i , σ j ) are added into the base.Then, answers to the second question add proper atoms F X (q i , σ j ) into the base while removing respective atoms NoF X (q i , σ j ).The inference of PCF F PrepX for any finite automaton X ends due to exhaustion of answering substitutions since the sets used for searching for substitutions are finite.
The operator * , used for the deletion of the redundant atoms NoF X (q i , σ j ) added by the first question, demonstrates the essential feature of the calculus of PCFs, namely, the possibility of nonmonotonic inference.In particular, after applying the inference rule ω, the atoms that participated in the matching search with the atoms marked with * in question should be removed from the base.In general, the operator * affects the property of completeness of the PCF calculus, but for the problem considered in this paper, the inference using * is always complete.
Denote by B ′ PrepX the base obtained as a result of the inference search of , and E uo (σ k ) define controllable and observable events.The predicate T(_, _, _) will be used to construct states of the automaton T Obs , while the predicate δ T (_) will construct transitions of T Obs , and ) is equal to the phrase "there is a transition labeled (σ 1 ,σ 2 ,σ 3 ) from the state (q 1 H , q 2 H , q G ) to the state (t 1 H , t 2 H , t G ) of the automaton T Obs ".To test observability, we employ a PCF F Obs (2) that constructs the testing automaton T Obs .The questions of F Obs are listed as formulas R 1 − R 6 below.
Proposition 1.Given a partially observable DES G and a regular language K recognized by a finite-state automaton H, let in the PCF F Obs (2 Then, the inference of F Obs always terminates, and the language K is unobservable if and only if the resulting base B ′ Obs contains an atom dead(q 1 H , q 2 H , q G , σ).
Proof.To prove the proposition, we consider each question of the PCF F Obs to show that violation of observability leads to the appearance of the atom dead(q 1 H , q 2 H , q G , σ) in the base of F Obs .The question R 1 adds into the base an atom T(q 1 H , q 1 H , q G ) that serves as a starting point for the inference since no question except the last one may be answered without finding in the base a proper substitution for the term T(_, _, _).
Questions R 2 − R 4 are aimed at constructing states and transitions of the automaton T obs , wherein R 2 is responsible for processing observable events, while R 3 and R 4 are responsible for processing unobservable events occurrences.T obs is constructed in such a way as to ensure s 2 = s 3 and P(s 1 ) = P(s 2 ), thus implementing the main idea of the rules for constructing T obs from [1].Each state of the desired automaton T Obs has the form (h 1 , h 2 , q), where the first two components of the triple are some states of automaton H, and q is the state of automaton G, i.e., h Thus, we consider a set of strings s i ∈ K, i = 1, 2, 3 corresponding to transitions between these states.An observable event σ allows answering to the question R 2 that results in adding into the base B obs a transition of T obs labeled by a triple (σ, σ, σ).If event σ is unobservable, then two transitions are constructed: The first one is determined by the question R 4 , labeled by a triple (ε, σ, σ) to ensure s 2 = s 3 , s 2 σ ∈ K, s 3 σ ∈ L(G).The second transition is constructed by the question R 3 , which is labeled by a triple (σ, ε, ε) to ensure P(s 1 ) = P(s 2 ), s 1 σ, s 2 σ ∈ K.
The question R 5 checks if a controllable event e violates the observability condition at the current state (X 1 , X 2 , Q) of T obs achieved by a set of strings s i ∈ K, i = 1, 2, 3. Indeed, let there be a substitution {σ → e, q 1 σ) become True simultaneously.This means that for s i ∈ K, i = 1, 2, 3, and for the event e, we have s 1 e ∈ K, s 3 e ∈ L(G), while s 2 e / ∈ K.By construction of T obs , s 2 = s 3 , and P(s 1 ) = P(s 2 ), and such a combination means a violation of observability.Given such a substitution, the answer to the question R 5 adds the atom dead(q 1 H , q 2 H , q G , σ) into the base.It contains the information about the state and event where the observation conditions are violated.The question R 5 cannot be answered if observability is not violated by some controllable event e.
The question R 6 is the goal question an answer to which terminates the inference search.It may be answered only if the base contains the atom dead(q 1 H , q 2 H , q G , σ); thus, if it has been answered, then the language K is unobservable.
The inference of the PCF F Obs is always finite since no functional symbols are used (only calculated ones), and all sets used for searching for substitutions are finite.The inference always ends with either a refutation of the base by answering the goal question R 6 , i.e., adding the atom dead into the base, or an exhaustion of options for searching of answering substitutions.
Example 1.Consider a DES presented by the generator G in Figure 1 and specification language K generated by the automaton H in Figure 2. Let Σ uo = {u, v, c, e}, Σ c = Σ.It may be noted that the strings s = uv and t = ε are those that cause the conflict in the system G.Indeed, the occurrence of event a leads to the situation when P(s) = P(t), sa ∈ K but ta / ∈ K, which violates the observability condition.Table 1 illustrates the process of adding new atoms to the base that define the states and transitions of the automaton T Obs serving for observability check.As one can see, the minimum inference for PCF F Obs with the base corresponding to the automata in Figures 1 and 2 consists of four steps.Since inference is random in nature, its length may vary.The choice of questions and answers occurs according to the chosen strategy (see Section 6), but whether the strategy will lead to the contradiction in a short or long way is unknown a priori.Table 1 shows the inference constructed by the prover Bootfrost, consisting of eight steps.The entire automaton T Obs and all possible conflicts can be constructed by removing the goal question R 6 from PCF F Obs .Figure 3 shows a part of automaton T Obs constructed by the inference presented in Table 1.
Table 1.PCF F Obs refutation progress for checking observability using automaton T Obs .
Additions into the Base

Conflict Extracting
To examine partially observable systems, observer automata are often employed.There are standard methods of constructing such automata, so we direct readers to refer to the literature, e.g., [1].One of the methods consists in changing all unobservable events with the silent τ event and converting the resulting nondeterministic automaton to a deterministic one.

Example 2.
In Example 1, the observer in Figure 4 shows that the event a in the state {1, 2, 3} causes the conflict.Indeed, to satisfy specification H in Figure 2, the event a must be disabled at state 1 but must be enabled at state 3.If the specification language proved to be unobservable using PCF F Obs , conflicting strings may be extracted from the automaton T obs with the help of another PCF, and we name it F Con f (Equation ( 3)).The PCF F Con f processes the final version B ′ Obs of the base B Obs obtained during the observability checking so set B Con f = B ′ Obs .

{4,
Proposition 2. Given a partially observable DES G and a regular language K recognized by a finitestate automaton H, let in the PCF F Con f (3) B Con f = B ′ Obs , where B ′ Obs is the final version of the base of the PCF F Obs after the end of its inference.Then, the inference of F Con f always terminates, and the last added atom next(q H 0 , q H 0 , q G 0 , , e) contains conflicting strings as its forth and fifth arguments.

Proof. The question R
Con f 1 in the PCF F Con f is the only question that can be answered after the start of the inference.It uses the argument values of dead(q 1 H , q 2 H , q G , σ) and δ T (. . ., s 1 , s 2 , s 3 , q 1 H , q 2 H , q G ) to obtain the last symbols of the required conflicting strings s con f 1 and s con f 2 .As stated in the observability checking algorithm, s 2 = s 3 in all terms δ T (. . ., s 1 , s 2 , s 3 , q 1 H , q 2 H , q G ). Sequential answers to the second question R Con f 2 occur according to transitions of the automaton T obs contained in the base B Con f as atoms δ Having started in the state T(q 1 H , q 2 H , q G ) of T obs , the inference ends in the state Q T 0 .During the inference, the atoms next(q are being added into the base where, by construction of T obs , s 1 and s 2 accumulate suffixes of conflicting words.When the initial state Q T 0 of the automaton T obs will be achieved with some substitution {σ → e, q 1 H → , where s con f 1 and s con f 2 are the strings causing the conflict in case of occurrence of the event e. Example 3.For the conflict in Example 1, the inference of F Con f consists of two steps.When the inference terminates the arguments of the atom next(_) in the base store the information required, in particular, the string s 1 = uv, the string s 2 = εε = ε, and the conflict event a. Table 2 shows the inference of F Con f in Example 1.
Table 2.The inference of the PCF F Con f .

Controlled System Design
Let Γ : Q → 2 Σ be the active event function (also known as feasible event function); Γ(q) is the set of all events e for which δ(q, e) is defined.Γ(q) is also called the active event set (or feasible event set) of G at q [1].In the case of systems with complete observations, the supervisor can be viewed as the recognizer H of K, i.e., an automaton that marks K or as the recognizer H ′ of its supremal controllable sublanguage K ′ of the specification K.Control actions for the string s generated by the plant are directly obtained from the active event set Γ(δ J (q J 0 , s))] of the supervisor automaton after the string s has been read.A supervisor J thus ensures J(s) = [Σ uc ∩ Γ(δ(q 0 , s))] ∪ {σ ∈ Σ c : sσ ∈ K}.It is known that a closed-looped behavior of the plant and the supervisor may be realized by the parallel composition of the corresponding automata, i.e., L(J/G) = L(H||G).Now, our goal is to implement supervisory control in the case of partial observation of events in G to solve BSCOP.For this, in the case of observable and controllable specification, one often employs an observer automata.Let H Obs be an observer for automaton H. Let s be a current string of DES G and let t = P(s) be a current observed string available.Let x obs be the current state of H Obs after the execution of t.Since observer H Obs states in general are sets of states of H, this means that after the last event in t automaton H could be in any one of the states in the set x obs .Then, we have that J P (t) = x∈x obs [Γ H Obs (x)], where Γ H Obs is the active event function of H Obs .As stated in [1], in order to use the same technique that was used for the case of complete observation of events, it is enough for each state x obs to add self-loops for the unobservable events that are feasible in corresponding x ∈ x obs in H.

The resulting automaton H ′
Obs guarantees the desired result L(J P /G) = L(H ′ Obs ||G) for a supervisor J P .
Let B loops = B H ∪ B H Obs ∪ {unObs( ē)}.The predicate unObs(_), having a list of elements as an argument, is used to define all unobservable events of H.To obtain an element of a list ē, the computable predicate ∈ is used.Details on the realization of lists in PCF prover Bootfrost are presented in Section 6.3.During the inference search of the PCF F loops (4), new transition atoms δ Obs ( q, σ, q) corresponding to auxiliary loops for unobservable events σ feasible in states x of H corresponding to x obs of H Obs are added to the base B loops .
In PCF formalization, the behavior of the system under the supervisory control may be described by the PCF F BSCOP (5).The predicate L J P /G (_, _) is employed to store words of the controlled language L J P /G as its first argument.A state to which this string brought the system is stored as the second argument.Although the language L(J P /G) is a restricted version of L(G), we use a new predicate L J P /G (_, _) to emphasize that the language constructed is a result of teamwork of the plant and the supervisor.The base B BSCOP consists of sets of atoms corresponding to the transitions of the plant and the supervisor, correspondingly, and contains initial atom L J P /G (ε, 1).
∀σ, s, q, q ′ , qJ , q′ J L J P /G (s, q), δ G (q, σ, q ′ ), The single question of F BSCOP may be interpreted as follows.If the system is at the state q and an event σ occurs, then according to the δ G , the system is switched to the specified state q ′ , and σ is added to the current string of events s stored as the first argument of the predicate L J P /G (_, _).The rule works only on those strings that are allowed by the supervisor, i.e., atoms δ H ′ Obs (_, _, _) limit the answers that could be found with atoms δ G (_, _, _).

Example 4.
In Example 1, let Σ uo = {u, c, e}, Σ c = Σ, i.e., the event u is now considered observable.The corresponding observer is presented in Figure 5.It may be seen that no event must be disabled and enabled simultaneously.In this case, the logical inference search of the PCF F Obs performed by Bootfrost terminates due to exhaustion of all possible substitutions.When the inference search is stopped, the predicates in the base of F Obs define the states and transitions of the automaton T Obs , but none of them are the dead(_) atom.
Table 3 shows a few steps of the inference of PCF F BSCOP in Example 1, with the observer in Figure 5 modified with the PCF F loops (4).Table 3.The first steps of the PCF F BSCOP inference constructing L(J P /G).

Base Atoms Used
The representation of DESs with the help of PCFs allows one to use information coming from the environment, as well as data on the functioning of the system itself in the process of constructing the logical inference.This can be realized by special logical rules represented in PCF in the form of event processing questions.Answering them triggers subinferences, in which the events coming from the environment serve as parameters used in calculations or other decisions.To implement this inference search behavior, formulas use the # label to indicate that the labeled term is a call to an external function.
Here, we utilize # in PCF F # BSCOP (6) that presents a version of F BSCOP obtaining an event from outside.Note the atom E(σ # ) in the base of F # BSCOP where σ # is the result of calling the function get_random_event(), which provides a random event that can occur in the current state.
∀σ, s, q, q ′ , qJ , q′ J L J P /G (s, q), δ G (q, σ, q ′ ), δ H ′ Obs ( qJ , σ, q′ J ), q ∈ qJ , E * (σ) Example 5. Table 4 shows the first steps of the inference of PCF F # BSCOP in Example 4. Note the difference in the last lines of Tables 3 and 4. Unlike F BSCOP , PCF F # BSCOP does not generate words of the same length, thus simulating the real system behavior.Base Atoms Used s q σ q ′ qJ q′ The PCF F T# BSCOP (7) presents an extended version of PCF F # BSCOP that allows to not only process events coming from outside but also take into account the knowledge available in the system.The usage of F T# BSCOP is explained in Section 7.

The Prover for Refutation PCFs
To facilitate inference searches in the PCF calculus, a prover named Bootfrost is developed.The source code of the project, written in the Rust programming language, documentation, and examples, including those presented in this paper, can be found on the GitHub page [24].
A number of modern approaches have been implemented in Bootfrost: perfect sharing of terms that significantly saves memory on some tasks; indexing of the fact base; and automatic, semiautomatic, and manual modes of logical inference searching.Rust's rich type system and the ownership model guarantee memory safety and thread safety.Also, there is no runtime or garbage collector in Rust.These features give the opportunity to realize safe and efficient systems.The prover design is based on a transaction system that allows one to log and roll back any changes that occur during the logical inference.Thus, all algorithms used are taken into account.In addition, this version of the prover is specialized for guarded PCFs.Although this limits the class of problems to be solved, nevertheless, in applied problems and problems describing dynamic systems, only such formulas are usually used.Guarded PCFs are the formulas in typical quantifier conditions in which all variables controlled by the quantifier occur in the conjunct.For example, ∀x, yA(x), B(y) is a subformula with guarded variables because variables x, y occur in the conjunct A(x), B(y), and ∀x, yA(x), B(x) is a subformula with unguarded variables because variable y does not occur in the conjunct A(x), B(x).
The prover was tested using problems from the TPTP library [40] to empirically verify its soundness.About 9000 problems were selected in the First-Order Formula format, and among them, 1001 with guarded variables.None of the problems that had no solution were solved, which is considered as the main criteria of any prover's soundness at the CADE ATP System Competition (https://tptp.org/CASC/,accessed on 25 April 2024).
Strategies employed in Bootfrost are divided into three main groups: question selection strategies, answer selection strategies, and evaluated terms and commands.

Question Selection Strategies
At each step of the inference, the prover must select a question for which it will be looking for an answer.A special procedure for the question selection is used in Bootfrost.It scores each question by several criteria.Such criteria can be configured by the user, but there is a default strategy that scores a question as follows: 1.
Is the question a goal?Goal questions are scored highest because answering them terminates the inference.

2.
How many steps ago in the inference was the question answered for the last time?
The most distant questions are scored the highest.Such an approach provides a high level of diversity by restricting the usage of the same question several times in a row.

3.
How many times has the question been answered before?Questions with the lowest value are scored the highest.

4.
What is the level of the question branching?The ones with the lowest value are scored the highest.
This general strategy sorts questions by the score from the highest to the lowest.Then, a special method tries to answer questions from the list using an answer selection strategy (see the next subsection).If an answer is found, the formula is transformed according to the inference rule ω, and the transition to the next step is performed.

Answer Selection Strategies
There are two answer selection strategies in the Bootfrost prover, called the First appropriate answer and the Best answer.
The First appropriate answer strategy selects the first found answer that satisfies a given criteria.Such an approach leads to effective usage of the memory and CPU resources.The criteria can be configured, and the default criteria is a trivial function returning true, which leads to selecting the first answer found.
The Best answer strategy selects the best answer from the set of all possible answers.Thus, this strategy finds all possible answers and then selects the best of them according to a special selection function, which can be configured by the user.The default function just selects an answer with the lowest total weight of all terms involved.A term weight is the amount of nodes in a tree representing the term; for example, the term A(e) has weight 2, and the term A(e, f (e)) has weight 4.
Another auxiliary procedure used for answer searching is a starting point selection.There are two variants of where to start the search: "from the last" and "from scratch".The "From the last" method means that the next search for an answer to the question will begin at the point where the prover stopped during the previous searching procedure."From scratch" means that the procedure for finding answers starts from scratch, i.e., without taking into account previous search results.This approach is applicable for nonmonotonic inferences and in similar situations where the previous history of the inference can change over time and become irrelevant.For example, the "from scratch" method is used for constructing the sublanguage K ↑C of an uncontrollable specification K [26].In the PCF F Sub , for providing a sublanguage construction, a special operator * is employed.If a question with an atom marked with the * operator has an answer, then after applying the inference rule the atoms in the base that participated in the matching search with the marked atom should be removed from the base.The operator * can be also modeled by the command "remove-fact", described in the next section.

Evaluated Terms and Commands
Evaluated terms (ETerms) are terms treated by the prover not as syntactical structures but as functions that must be evaluated.For now, Eterms implemented in the prover are arithmetical operations, compare operations, list operations (in, notin, first, last, concatenation, length), and solve.The main framework of term evaluation is as follows: a special procedure retrieves terms by IDs from the environment; then, these terms are performed; and then, for the resulting term, using the perfect sharing structure, the ID is calculated, and this ID is returned as the result.
Evaluated terms that are performed immediately after the inference rule ω application are called commands.For example, "remove-fact" is a command.ETerms and commands are classified as strategies because their main purposes are modifying the process of logical inference searching and extending the logical capabilities of PCF.By the commands, it is possible to model the nonmonotonic inference.
Another feature in the task description syntax for the Bootfrost prover is the ability to use lists as arguments of terms.The following computable operations are implemented: List elements can be other terms and lists, and the above operations handle them only syntactically, without considering the possibility of unification of terms.

Complexity Evaluation
Let us say some words on the complexity of the algorithms involved.We consider the procedure of construction automaton T obs for checking the observability of the specification language during refutation of PCF F Obs (Section 3).
As an elementary operation of PCF refutation, we consider the search for a unifying substitution for an atom.This assumption holds because the formula F Obs under consideration has a fairly simple structure (i.e., belongs to the Horn class) and an algorithm for finding the inference can be provided for it.For example, the algorithm may be chosen in the form of a cycle of traversing questions from top to bottom of the PCF's tree structure and comparing the atoms of the questions with the atoms of the base, while attempting to unify these atoms.For example, for answering question R 4 , the terms H take values from the set Q H , variables q G , t G take values from the set Q G , and variable σ take value from the set Σ o .So, for complexity, we have the following expression: Let us consider the worst case of possible inference search options.For a given formula, one of the options is the exhaustion of all substitutions, while the answers to the second and third questions do not exist.Another option is that the answer to the second, and consequently, the third target question is carried out after enumerating all triplets of states in the last steps of the inference.Thus, we do not take into account the complexity of answering the second and third questions because they participate in the inference only once, as well as the first question.The computational complexity of answering question R 5 may be evaluated as

Case Study
As an example, we consider the problem of robot's path planning in an unknown environment.We use the model from [41,42] simplified in the part of the path-following controller and extended by additional states and events, including unobservable ones.

Problem Statement
Suppose that the robot should follow a given reference path, leaving it to avoid collisions with encountered obstacles and returning to it after completing avoidance maneuvers.Let the robot's dynamics in the horizontal plane be described [43] by equations where (x, y) are the coordinates of the robot in a global reference frame {U}, ψ B is the yaw angle; u and v are the surge and sway speeds, and ω is the yaw rate (Figure 6).
Assuming that u is always nonzero, we define side-slip angle β = arctan(v/u) and a reference frame {W}, which is obtained by rotating {B} around the yaw axis through angle β.Subsequently, the kinematic Equation ( 8) can be rewritten as where is the absolute value of the total velocity vector [u v] T .The goal is to develop a path-planning solution that meets kinematic constraints given by minimum turning radius R min and lies no closer than a safe distance D s from obstacles.
We assume that the robot is equipped with a multibeam forward-looking sonar (FLS) installed onboard in the horizontal plane in order to detect obstacles in the forward direction.The data obtained from the FLS can be presented as a set of pairs (α i , ρ i ), where α i is the beam angle counted from the robot's heading direction (−π/2 < α ≤ α i ≤ α < π/2), ρ i is the distance to an obstacle in the beam direction, i = 1, N b , N b is the number of beams.If no obstacles are detected in the direction of beam i, or ρ i is greater than the detection range ρ d , then ρ i = ∞.
Let I L ≜ {i : α i ≤ 0} and I R ≜ {i : α i > 0} be the sets of left and right beams of the FLS, respectively.For each obstacle point Q i , i = 1, N b , we define the maximum turning radius [41,44] as It can be used to evaluate the robot's ability to bypass the point Q i at a safe distance D s (Figure 7), taking into account the kinematic constraint R min : if R min ≤ R i max , the robot can safely bypass the obstacle point Q i .Define also R L max = min i∈I L R i max , R R max = min i∈I R R i max , and ρ min = min i∈I L ∪I L ρ i .
Figure 7.The maximum turning radius R i max (borrowed from [41]).
The main component of the proposed approach is DES G msn (Figure 8), which is designed to detect situations that require updating the current path.Since, unlike [41], we do not employ a path-following controller to drive the robot along the generated paths, a situation may happen in which the robot finds itself in the wrong position or faced with some obstacle.State WPD corresponds to such a situation, and an unobservable event eER denotes transitions to this state.State RPF is the initial state.The description of all possible system states is the following:  The set of system events with their triggering conditions is shown in Table 5. Events ALi, ARi denote switching to the obstacle avoidance modes from the other modes, i = 1, 4. They are composite, i.e., determined by several atomic events.It is convenient to define composite events by logical formulas, such as those presented in Table 5.For example, event eAL1 determines switching to the mode of obstacle avoidance from the obstacle's left side and it is the result of occurring of event eOLNF with one of the events eORN, eORNF, or eON.
In Figure 8, transitions caused by uncontrollable events are shown by red arrows (eRPR, eNOR, eNOL, eOF, eOL), while unobservable events are shown by green arrows (eER).
Changing the DES state entails building a new path for the robot.Entering states DOL or DOR generates a path to avoid the detected obstacle using a modification [41] of the waypoint guidance algorithm [44].Entering state NRP constructs a path that connects the robot's current position with the reference path for what the path planning algorithm from [41] is used, which is based on Dubins curves [45].

System Constraints and Analysis
Let the specification for the problem above be provided by the automaton H msn depicted in Figure 9.The desired robot behavior strategy can be expressed as follows: while DES G msn is designed to ensure that the robot avoids places from which it is impossible to get out using the obstacle avoidance algorithms implemented (this is guaranteed by the rules related to obstacle avoidance modes), the specification language K msn imposes additional constraints, which are interpreted as "do not change once chosen obstacle avoidance direction until the robot returns to the reference path" (left-or right-hand rule, which is ensured by the prohibition of transitions eAL3 and eAR3, and transitions ePRF) and "rebuild the path only if it is vital" (realized by the prohibition of transitions eEAP).Before designing a supervisor as a controller that ensures specification K msn , first, the supervisor existence criterion must be checked.By refuting the special PCF developed for controllability checking in [26], the prover Bootfrost established controllability of K msn .The observability of K msn is checked via inspection of automaton T H msn constructed using the PCF F Obs (2) (Section 3).T H msn consists of 20 states and 45 transitions and does not contain the dead state, which means observability of K msn .T H msn may be found in supplementary materials at [24].
Once the specification K msn is proved to be controllable and observable, a supervisor may be designed as described in Section 5. To realize its control action, we employ the PCF F T# BSCOP (7), which allows processing events coming from outside and taking into account the knowledge available in the system.To handle composite events, predicate T # can be taken in the form The first question of PCF T( ē) is a general form of a question processing a composite event in the system.The number of such questions in the instantiated PCF equals the number of composite events in the system.In the case of G msn , there are eight such questions for all eALi and eARi, and in each of them, the predicate Comp( t) is computed according to Table 5 using corresponding propositional formulas.Below is a part of the instantiated form of T # in our example:

Simulation Results
The path-following and obstacle avoidance mission was realized at the robotic test bed by a LEGO Mindstorm EV3 robot with a differential drive.The robot moves due to the movement of two separately controlled wheels; therefore, Equation (9) turns to the following kinematic scheme: where ω L , ω R are the corresponding angular speeds of rotation of the wheels, r is the radius of the wheel, and l is the distance between the wheels.The employed configuration of the EV3 robot has 2r = 56 mm and l = 100 mm.To detect obstacles, the robot was equipped with a LIDAR with a viewing sector [−60  The results of the preliminary computer simulation are shown in Figures 10 and 11.The robot moved along the predefined preference path denoted by a green arrow until it faced an obstacle.During the obstacle detouring maneuver, the obstacle on the right was lost, so DES G msn entered the SOL state.Then, a failure was detected by the event eER, which led G msn into the NRP state and immediately back to DOR due to an obstacle on the right.Figure 11 shows changes in state G msn corresponding to changes in the robot's functioning modes.A new path was generated in the DOR, NRP, and other states, which is denoted by the dots on the line in Figure 11.To explain the prover implementation, consider inference steps resulting in the sequence of the first state changes in Figure 11.In the initial state RPF, the get_event() function returned two atomic events eORNF and eON, which were passed as a list to the subinference of the T # formula when its first question was checked.The subinference triggered the question containing eAR1.Instead of s, the list {eORNF, eON} was substituted and the formula for subinference was triggered: and is refuted in one step by answering the third question.Therefore, the constant True was returned to the formula T # , making an answer to its first question possible.Thus, the atom eAR 1 ({eORNF, eON}) was added to the base.Then, by answering the question that corresponds to the question ∀x Comp(x) of the formula T # , inference control is returned to the original formula F T# BSCOP .Instead of σ, eAR 1 was substituted in the consequent of its first question.Then, the atom E(eAR 1 ) was added into the base B BSCOP , which allowed answering the second question and adding the atom L J P /G msn (ε • eAR 1 , DOR) into the base.This addition caused a message to the main thread, which informed the program about the change in the DES's state.
The corresponding seminatural experiments were carried out on a robotic stand (Figure 12), which is described in detail in [46].Due to changes in the obstacle's configuration and a number of uncontrollable factors affecting the robot dynamics, the trajectory of the robot is different compared with the one obtained in the computer simulation.However, the proper processing of the unobservable fault event eER led the implemented DES G msn to WPD state, which allowed the robot to avoid a collision with the obstacle.

Discussion
This paper continues the work of developing a new way of formalizing and solving control problems for the important class of dynamic systems known as DESs.The PCF calculus provides powerful tools for dealing with sophisticated control problems, and above, it was shown how the PCF inference helps check the observability of regular languages.
Close to our research is an approach for testing the diagnosability of DESs based on their logical representation [47].In [47], conjunctive normal forms (CNFs) are exploited to study the diagnosability properties of DESs.Automata transitions are described as a set of clauses and when the well-known resolution method is applied to test whether failure events can be detected in a finite number of observable events.Keep in mind that CNF is less expressive compared with PCF, which means to represent automata underlying DESs, we leave the problem of the diagnosability of DESs and the intriguing comparison with the CNF-based approach for future research.
Moreover, the representation of DESs with the help of PCFs allows one to use information coming from the environment, as well as data on the functioning of the system itself, in the process of constructing the logical inference.This feature may help greatly in problems of supervisory controller synthesis and implementation for safety PLCs (programmable logic controllers) [48], where extended finite-state automata (EFA) are exploited.Transitions in an EFA may contain guards (i.e., logical conditions) over the variables and updates (i.e., assignments) to the variables.A simple guard, used in EFA, may replace a large automaton expressing the same requirement.In PCF, guards can be realized by event processing questions serving as special logical rules.Answers to them trigger subinferences, in which the events coming from the environment are used in calculations or other kinds of data processing.
Another promising direction of the PCF calculus's theoretical and practical development is embracing temporal logic and temporal-logic-based controls of DESs [49].Since early papers, linear time temporal logic (LTL) has been proposed for specifying and verifying the safety and liveness properties of systems (e.g., [50,51]).LTL formulas allow formalizing such statements as "nothing bad will ever occur" and "something good such as accomplishment of tasks will occur regularly", so they cover a useful range of control specifications about finishing tasks regularly without compromising safety [49].In subsequent years, computational tree logic (CTL) and epistemic temporal logic have been applied to deal with more sophisticated properties of DESs, e.g., property of stability which requires that the system should eventually reach a set of states where some statement holds and stay there forever [52][53][54].
It should be noted that the Bootfrost prover has not yet been formally verified by any specific testing software.Its applications currently lie in the areas of SCT problems mentioned in this and our previous articles, as well as in several case studies.In the future, it is planned to better demonstrate the validity of the work and the broad applicability of the presented approach.We will continue to develop the PCF-based approach so that it becomes a full-fledged tool capable of solving a wide range of tasks.In future works, its application to constructing supervisors for decentralized and distributed DESs will be suggested.Moreover, if the specification language is either not controllable or not observable, one may be interested in finding the less restricting controllable and observable sublanguage of the specification.While there are effective algorithms to construct the supremal controllable sublanguage of the given language, the supremal observable sublanguage does not exist.Only a maximal observable sublanguage may be found, which is not unique in general.Finding these languages and implementing them in control systems using the PCF approach is the line of our future research.Results obtained will be embedded at the different levels of the hierarchical control system for mobile robots.

•
Evaluated function ā ++ b-concatenation of lists ā and b; • Evaluated predicate a \in b-the membership of element a to list b; • Evaluated predicate ā \subseteq b-whether ā is a sublist of b; • Evaluated function sort ( ā)-sorting list items in ascending order; • Computed function dedup( ā)-deletion of repeating elements of the list;

•
RPF-reference path following; • DOL-detouring the detected obstacle from its left sid; • DOR-detouring the detected obstacle from its right side; • NRP-navigation to the reference path; • SOL-searching for an obstacle on the left; • SOR-searching for an obstacle on the right; • WPD-wrong position diagnosing; • CNP-computing a new path.

Figure 8 .
Figure 8. DES G msn for the path-following mission.

Figure 9 .
Figure 9. Specification H msn for DES G msn .

Figure 10 .
Figure 10.The result of computer modeling of the path-following and obstacle avoidance mission with the supervised partially observed DES G msn .

Figure 11 .
Figure 11.The changes in the state of G msn .The marks on the line indicate moments when a new path is generated.

Figure 12 .
Figure 12.Simulation at the robotic test bed.The fault event eER led to WPD state, and a collision with the obstacle was avoided.

Table 4 .
The first steps of the PCF F # BSCOP inference constructing L # (J P /G).

Table 5 .
Events of the DES G msn .