Refinements of behavioural abstractions for the supervisory control of hybrid systems

A common approach to controller synthesis for hybrid systems is to first establish a discrete-event abstraction and then to use methods from supervisory control theory to synthesise a controller. In this paper, we consider behavioural abstractions of hybrid systems with a prescribed discrete-event input/output interface. We discuss a family of abstractions based on so-called experiments, which consist of samples from the external behaviour of the hybrid system. The special feature of our setting is that the accuracy of the abstraction can be carefully adapted to suit the particular control problem at hand. Technically, this is implemented as an iteration in which we alternate trial control synthesis with abstraction refinement. While localising refinement to where it is intuitively needed, we can still formally establish that the overall iteration will solve the control problem, provided that an abstraction-based solution exists at all.


Introduction
The analysis and the control of hybrid systems have become an important subject in modern control theory; see, e.g., Alur et al. (2000) and Tabuada (2009) and the references cited therein. A common approach is to construct a finite-state abstraction of the hybrid system under consideration and then to apply methods known from the domain of discrete-event systems, most notably model checking, reactive synthesis, or supervisory control.
A well established framework to obtain a finite-state abstraction is to strategically construct a finite partition or a finite cover on the continuous state space and to thereby define symbolic dynamics associated with the hybrid system; see e.g. Stiver et al. (1995), Tabuada (2009), Reissig et al. (2017), Pola and Tabuada (2009), Gol et al. (2014), Zamani et al. (2012), and Liu and Ozay (2016). For controller synthesis, this approach is particularly suited when the design of a discrete-event interface is considered part of the synthesis problem. In contrast, if the hybrid plant is equipped with a prescribed discrete-event interface, so-called behavioural abstractions are an adequate alternative. In this approach, one seeks to derive a finite-state abstraction directly in terms of the external signals. This is the situation we study in the present paper. The behavioural abstractions proposed by Moor and Raisch (1999) and  are based on the notion of l-completeness from Willems' behavioural systems theory; see, e.g., Willems (1991). By definition, a discrete-time system is l-complete if its infinite-time behaviour can be exactly recovered from all length-l samples, l ∈ N 0 , taken from all infinite-length signals. For a system which does not exhibit this property, the strongest l-complete approximation is then introduced as the tightest behavioural over-approximation that is l-complete. In the following, whenever clear from the context, we simply refer to l-complete approximations when we mean strongest l-complete approximations. An l-complete approximation can be obtained by exhaustively taking samples of length l from the original behaviour and generating the abstraction by superposition of these samples. For the control of hybrid systems with discrete-valued input and output signals, l-complete approximations can be used to synthesise controllers that address inclusion-type specifications in these signals.
In this situation, the finite external signal range of the hybrid system leads to a finite-state realisation of the l-complete approximation, and a variant of Ramadge and Wonham's supervisory control theory (Ramadge and Wonham 1987, 1989) is subsequently applied to synthesise a supervisory controller. It is shown by Moor and Raisch (1999) and  that if the supervisor suitably restricts the behaviour of the l-complete approximation, it also accomplishes the control objective for the underlying hybrid system. The applicability of this approach has been demonstrated with case studies in the area of process engineering, including the start-up of a distillation column. Recent methodological extensions have been reported by Schmuck and Raisch (2014), Park and Raisch (2015), and Moor and Götz (2018) to address time-variant systems and partial observation.
The existence of an appropriate supervisor depends on the approximation accuracy, namely, if the abstract model is too coarse, no supervisor may exist that meets the specification. This leads to an iteration of trial synthesis and abstraction refinement, until either a solution to the control problem is established or computational resources are exhausted. Considering l-complete approximations, the construction of a finer abstraction effectively amounts to incrementing the length l of samples taken from the original hybrid system. This can be done uniformly for all samples as, e.g., proposed by Moor and Raisch (1999) or, more efficiently, in a non-uniform way tailored for the particular control problem at hand. For abstractions by symbolic dynamics, Clarke et al. (2003) introduce counterexample guided refinement for the verification of hybrid systems, with a further development to address synthesis by Stursberg (2006). For behavioural abstractions, Moor et al. (2006) introduce the notion of an experiment as a set of non-uniform length samples taken from the original behaviour, with a subsequent discussion that leads to abstractions obtained from experiments. Technically, the resulting abstractions are still l-complete and, hence, they can be safely utilised in an abstraction-based design.
In the present paper, we further develop abstraction-based synthesis by experiments on behaviours. While the study by Moor et al. (2006) is entirely set within Willems' behavioural systems theory, we now make use of explicit state machine realisations reported by Moor and Götz (2018). By a more detailed discussion, we gain some relevant benefits. First, we can literally refer to supervisory control of sequential behaviours with a synthesis algorithm given by Thistle and Wonham (1994a). As a consequence, we can address more general liveness specifications, with eventual task completion as a prototypical example. This extends the results from Moor et al. (2006), which are restricted to l-complete safety specifications. Second, the technically involved temporal decomposition of the control problem used by Moor et al. (2006) to guide abstraction refinement can now be replaced by the controllability prefix introduced by Thistle and Wonham (1994b). The latter is an intermediate result of the synthesis procedure and characterises winning states, from which on the control objective can be accomplished. In the case that the synthesis procedure fails and, thus, a refinement of the abstraction is required, intuitively, such a refinement does not need to address any winning states. Likewise, we can identify failing states, from which on no supervisor can possibly satisfy the specification. Again intuitively, this status is retained under refinement and, thus, no refinement should address the behaviour after a failing state. For the iteration of trial controller synthesis and abstraction refinement, it is therefore proposed to refine the experiment only by addressing states that are neither winning nor failing. Since this iteration intentionally generates only specific experiments, it may fail to generate a particular experiment for which controller synthesis would succeed. Here, our main technical result, Theorem 17, guarantees that a successful experiment will be generated provided that such an experiment exists.
A predecessor of this paper has been presented at the Workshop on Discrete Event Systems; see Yang et al. (2018). The present version has been extended (a) to address iterative refinements in contrast to a single local refinement, (b) to allow for specifications with a Büchi acceptance condition, and (c) to include a formal proof of our main technical result. The remainder of the paper is organised as follows. After introducing elementary notation in Section 2, we summarise the concept of experiments and the behavioural abstractions obtained therefrom in Section 3. Realisations of the hybrid plant and its abstractions are discussed in Section 4. In Section 5 we present the control problem under consideration and derive an abstraction-based solution procedure. Finally, we discuss the proposed abstraction refinement scheme in Section 6. A simple example is used throughout the entire discussion, illustrating the suggested ideas and demonstrating the applicability of the proposed strategy.

Notation
We denote the positive, respectively non-negative, integers by $\mathbb{N}$, respectively $\mathbb{N}_0$. The cardinality of a finite set $A$ is denoted by $|A| \in \mathbb{N}_0$. Given a set $W$, referred to as a signal range, and $l \in \mathbb{N}$, we denote by $W^l := \{\langle w_1, \dots, w_l\rangle \mid \forall k,\ 1 \le k \le l : w_k \in W\}$ the set of sequences over $W$ of length $l$, and we let $W^+ := \bigcup\{W^l \mid l \in \mathbb{N}\}$. Introducing the empty sequence as an element of $W^*$, we formally define $W^0$ as the singleton consisting of the empty sequence and write $W^* := \bigcup\{W^l \mid l \in \mathbb{N}_0\} = W^0 \cup W^+$ for the set of finite sequences over $W$. For a sequence $s \in W^l \subseteq W^*$, its length $l$ is denoted $|s|$. The set of all countably infinite sequences over $W$ is denoted $W^{\mathbb{N}_0}$, with $w \in W^{\mathbb{N}_0}$ commonly interpreted as a discrete-time signal $w : \mathbb{N}_0 \to W$. Subsets $S \subseteq W^*$ are referred to as $*$-languages, or languages of finite words, in contrast to $\omega$-languages $B \subseteq W^{\mathbb{N}_0}$, or languages of infinite words.
A sequence $r \in W^*$ is a prefix of $s \in W^*$ if there exists $t \in W^*$ such that $\langle r, t\rangle = s$; we then write $r \le s$. If, in addition, $r \ne s$, we say that $r$ is a strict prefix of $s$ and write $r < s$. Likewise, $r \in W^*$ is a prefix of a signal $w \in W^{\mathbb{N}_0}$ if there exists $v \in W^{\mathbb{N}_0}$ such that $\langle r, v\rangle = w$; we then write $r < w$. The set of all prefixes of a given sequence $s \in W^*$ or a given signal $w$ The left-shift operator $\sigma^l$, $l \in \mathbb{N}_0$, is defined for signals $w \in W^{\mathbb{N}_0}$ by $\sigma^l w \in W^{\mathbb{N}_0}$ with $(\sigma^l w)(k) := w(k+l)$ for all $k \in \mathbb{N}_0$, and we let $\sigma := \sigma^1$. For a signal $w \in W^{\mathbb{N}_0}$, the restriction to a finite integer interval $D \subseteq \mathbb{N}_0$ is denoted $w|_D$ with, e.g., $D = [k_1, k_2) := \{k \in \mathbb{N}_0 \mid k_1 \le k < k_2\}$, and left-open and/or right-closed intervals defined likewise. When taking restrictions, we drop absolute time and reinterpret $w|_D$ as a finite sequence, i.e., we identify $w|_{[k_1, k_2)}$ with $\langle w(k_1), \dots, w(k_2 - 1)\rangle \in W^{k_2 - k_1}$.
Taking point-wise images, all operators and maps in this paper are identified with their respective extension to set-valued arguments; e.g., we write $\sigma B$ for the image $\{\sigma w \mid w \in B\}$ of the $\omega$-language $B \subseteq W^{\mathbb{N}_0}$ under the operator $\sigma$ with domain $W^{\mathbb{N}_0}$, and, likewise, $\mathrm{pre}\, B$ for the image $\{\mathrm{pre}\, w \mid w \in B\}$ of $B$ under the operator $\mathrm{pre}$.

Behavioural abstractions
We present a general scheme of system abstraction that allows for a guided refinement, and we do so within Willems' behavioural systems theory. In this framework, a dynamical system is defined as a triple = (T , W, B), where T is the time axis, W is the external signal range, and B ⊆ W T := {w|w : T → W } is the behaviour, i.e., the set of all external signals that the system may generate. It is then proposed to discuss and to categorise dynamical systems in terms of their behaviours. For the present paper, we focus attention on time-invariant systems with an external discrete-event interface. Technically, we consider the discrete time axis T = N 0 and the finite external signal range W , |W | ∈ N, and we interpret ω-languages B ⊆ W N 0 as behaviours. Regarding time invariance, we refer to the following definition from Willems (1991).
Given a system = (N 0 , W, B), a behavioural abstraction is a system = (N 0 , W, B' ) with B ⊆ B' , i.e., provided that the original system accounts for all possible trajectories the actual phenomenon modelled by can generate, then so does the abstraction . Behavioural abstractions are commonly used for the verification and the synthesis of safety properties, with optional liveness properties being addressed by additional structural requirements. Considering a time-invariant system, we ask for a time-invariant system abstraction. We refer to Moor et al. (2006) for the following notion of an experiment, which we will use to construct a rich family of time-invariant behavioural abstractions.
Definition 2 An experiment over W is a * -language S ⊆ W * . If there exists a uniform upper bound on the length of all sequences in S, we say that S is of bounded length. Moreover, S ⊆ W * is an experiment on a behaviour B ⊆ W N 0 if S accounts for each signal from B in terms of a prefix, i.e., if (pre w) ∩ S ≠ ∅ for all w ∈ B.
Given an experiment S on some behaviour B, Moor et al. (2006) discuss abstractions B S , B ⊆ B S , that can be obtained exclusively from S. To this end, we consider the candidate i.e., B S consists of all those trajectories which at any instance of time continue to evolve on some finite future sequence that matches S; see Fig. 1. It is immediate from the construction that B S is time invariant and that S is an experiment on B S . Moreover, for any behaviour B̂ ⊆ W N 0 we have the following implication: It is shown in Moor et al. (2006), Proposition 7, that B S is the unique smallest behaviour for which the above implication holds. Assuming that the original behaviour B is indeed time invariant, B S is the smallest superset of B that can be characterised exclusively in terms of the experiment S. Therefore the system S = (N 0 , W, B S ) is referred to as the behavioural abstraction obtained from S under the assumption of time invariance, or in short as the abstraction obtained from S. Moor et al. (2006) and Moor and Götz (2018) provide a comprehensive discussion regarding algebraic properties of experiments and the abstractions obtained therefrom. For the present paper, we pragmatically refer to Eq. 1 as the defining equation and point out some technical consequences relevant for the subsequent discussion. It is immediate from Eq. 1 that, regarding the associated abstraction, we may without loss of generality restrict our considerations to prefix-free experiments, i.e., to experiments that satisfy A prefix-free experiment S is commonly interpreted as a tree with the empty sequence ∈ pre S as root, nodes pre S and leaves S. Likewise, it is not restrictive to assume that the experiment is trim in the sense that every sequence s ∈ S contributes to the abstraction, i.e., or, equivalently, S ⊆ pre B S . Thus, whenever convenient, we may restrict our discussion to trim and prefix-free experiments.

Fig. 1 Here, the prefixes of behaviours are interpreted as infinite computational trees with the empty string as the root at the very left and progress of discrete time towards the right. In the sketch, the trees are abstractly shown as cones; i.e., pre B in dark yellow and pre B S in light green. The bounded-length * -language S is shown as a dark green stripe. In particular, the sketch indicates that any signal from B must pass S, as required by Definition 3. Regarding the abstraction, the signal w ∈ B S shown in the sketch at every instance of time k must have a finite-length future that matches S; see Eq. 1. This is illustrated by the transparent grey copy of S shifted such that the root matches w(k) to indicate that w| [k,k+l) = w| [k,k+l−1] ∈ S.
For the special case of the experiment S = B| [0,l] with samples of uniform length l + 1, l ∈ N 0 , the abstraction B S obtained from S amounts to the strongest l-complete approximation proposed by Moor and Raisch (1999) and . The approximation-refinement scheme known from l-complete approximations amounts to incrementing the sample length. This concept of refinement generalises to experiments as follows.
Definition 3 Given two experiments S and S' over W , we say that S' is a refinement of S if (∀s ∈ S ∃s' ∈ S' : s ≤ s' ) and (∀s' ∈ S' ∃s ∈ S : s ≤ s' ). (5)
We then write S ≤ S' .
The first conjunct in Eq. 5 ensures that the refinement accounts for each sample s ∈ S from the original experiment by an extended sample s' ∈ S' , s ≤ s' , including the trivial case of s = s' . The second conjunct ensures that no other samples are in the refinement than those obtained by (possibly trivially) extending samples from the original experiment. Figure 2 illustrates a prefix-free experiment S on B where the leaves s ∈ S form a "barrier" through which each trajectory w ∈ B must pass. In this view, a prefix-free refinement S' of S is obtained by pushing the "barrier" to the right. The figure also indicates that a refinement is expected to lead to a tighter abstraction in that it more accurately encodes which trajectories are not within B, e.g., v ∉ B is possibly in B S but cannot be in B S' . Technically, for two experiments S and S' on B with S ≤ S' , we obtain as an immediate consequence of Eq. 1 and the second conjunct in Eq. 5 that the abstraction does not become worse, and we may optimistically expect it to become better.
For the systematic construction of refinements, we propose to nominate a set R ⊆ S of refinement candidates and observe that S' := {s ∈ S | s ∉ R} ∪ { ⟨s, w⟩ | s ∈ R, w ∈ W, ⟨s, w⟩ ∈ pre B} (7) is indeed an experiment on B with S ≤ S' . For the special case of S = B| [0,l] and R = S we obtain S' = B| [0,l+1] , which coincides with the refinement of l-complete approximations.

Fig. 2 Prefix-free experiment S on B with prefix-free refinement S' , S ≤ S' . As in Fig. 1, pre B is interpreted as an infinite computational tree with the empty string as the root at the very left, graphically represented as a dark yellow cone. Both bounded-length experiments S and S' are shown as "barriers" and, as indicated in the sketch, any signal from B must pass both S and S' . Being a prefix-free refinement, the sequences in S' are obtained by extending specific sequences from S, i.e., pushing the boundary to the right. Referring exclusively to the experiment S, both signals w and v could possibly belong to some behaviour on which S was conducted. Hence, we may expect v ∈ B S although v ∉ B. In contrast, we have v| [0,l) ∉ S' for all l ∈ N 0 and, hence, v ∉ B S' .
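The refinement relation of Definition 3 and the construction of Eq. 7 are both finite computations once a test for membership in pre B is available. The following Python code is an added illustration and is not part of the paper or of any implementation by its authors; it assumes a constructed behaviour B over W = {a, b} consisting of all signals in which the symbol a is never immediately repeated (given through the prefix predicate in_pre_B), and the function names is_refinement, refine, uniform_samples and is_experiment_on are our own.

```python
from itertools import product

# Sequences over the signal range W are tuples of symbols; () is the empty sequence.

def is_prefix(r, s):
    """r <= s in the sense of Section 2: r is a prefix of s."""
    return len(r) <= len(s) and s[:len(r)] == r

def is_refinement(S, S_ref):
    """Definition 3 (Eq. 5): S_ref refines S iff every sample of S is extended by
    some sample of S_ref, and every sample of S_ref extends some sample of S."""
    first = all(any(is_prefix(s, t) for t in S_ref) for s in S)
    second = all(any(is_prefix(s, t) for s in S) for t in S_ref)
    return first and second

def refine(S, R, W, in_pre_B):
    """Eq. 7: remove the candidates R from S and add every one-symbol extension
    <s, w> of a candidate that is still a prefix of the behaviour B."""
    assert R <= S, "candidates must be samples of the experiment"
    kept = {s for s in S if s not in R}
    extended = {s + (w,) for s in R for w in W if in_pre_B(s + (w,))}
    return kept | extended

def uniform_samples(W, l, in_pre_B):
    """B|[0,l]: all sequences of length l+1 over W that are prefixes of B."""
    return {p for p in product(W, repeat=l + 1) if in_pre_B(p)}

def is_experiment_on(S, W, in_pre_B):
    """Definition 2 for a bounded-length S on a behaviour whose prefixes all
    extend to signals: every prefix of B whose length equals the longest
    sample must itself have a prefix in S."""
    horizon = max(len(s) for s in S)
    return all(any(is_prefix(s, p) for s in S)
               for p in uniform_samples(W, horizon - 1, in_pre_B))

# Constructed behaviour (assumption for this example): signals over {a, b}
# in which a is never followed directly by another a.
W = ("a", "b")

def in_pre_B(s):
    return all(not (s[i] == "a" and s[i + 1] == "a") for i in range(len(s) - 1))

def walkthrough():
    """Initial experiment B|[0,0], a local refinement of the single candidate
    <a>, and the uniform refinement with R = S, which reproduces B|[0,1]."""
    S0 = uniform_samples(W, 0, in_pre_B)        # {(a,), (b,)}
    S1 = refine(S0, {("a",)}, W, in_pre_B)      # {(b,), (a, b)}
    S_uniform = refine(S0, S0, W, in_pre_B)     # {(a, b), (b, a), (b, b)}
    return S0, S1, S_uniform

if __name__ == "__main__":
    S0, S1, S_uniform = walkthrough()
    print("S0 =", sorted(S0))
    print("S1 =", sorted(S1), "| refines S0:", is_refinement(S0, S1),
          "| experiment on B:", is_experiment_on(S1, W, in_pre_B))
    print("R = S reproduces B|[0,1]:", S_uniform == uniform_samples(W, 1, in_pre_B))
```

The local refinement keeps the sample b untouched and extends only a, which is exactly the non-uniform refinement the paper advocates; choosing R = S instead recovers the uniform l-complete step.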

State machine realisations
We further elaborate the proposed scheme of behavioural abstractions in the context of state realisations. Here, we account for a class of transition systems referred to as state machines, which we will utilise for realisations of the plant model, finite state abstractions, and the specification in the control problem under consideration.
Definition 4 A state machine is a quadruple P = (X, W, δ, X 0 ), where X is the state set, W is the external signal range, δ ⊆ X × W × X is the transition relation, and X 0 ⊆ X is the set of initial states. The state machine P is called a finite state machine if |X| ∈ N.
We use the following terminology.
• The external behaviour B ex of full is the projection of B full onto W N 0 , i.e., If a state machine P induces the external behaviour B of a system , P is termed a realisation of , denoted ∼ = P . • If |δ(X 0 , s)| ≤ 1 for every s ∈ W * , then P is said to be past-induced; in automata theory, this is also referred to as deterministic. We then write δ 0 (s) ∈ X for s ∈ W * with |δ(X 0 , s)| = 1 to denote the unique state reachable from X 0 via the external sequence s.
In our subsequent discussion of controller synthesis, we assume that the plant is given as a state machine P = (X, W, δ, X 0 ) with unrestricted initial conditions, i.e., X 0 = X, and we note that this assumption implies time invariance for the induced full behaviour as well as for the induced external behaviour. Moreover, we consider the product W = U × Y as external signal space, where U and Y denote the ranges of input symbols and output symbols, respectively, and where we assume that State machines with this property are called I/S/-machines. For the induced external behaviour, it can be seen that the input is free and the output does not anticipate the input, both technical terms defined within Willems' behavioural framework; see Proposition 24 in Moor and Raisch (1999), which refers to Definitions VIII.1 and VIII.4 in Willems (1991). In particular, we will consider supervisory controllers which at any instance of time disable specific input symbols and which in turn accept any output symbol. Technically, all external symbols are organised as pairs w = (u, y) ∈ U × Y = W , with only the U -component considered controllable; this will be followed up in Section 5, including a formal definition of the corresponding control patterns (26). To this end, we address two remarks on how the requirement of a time-invariant I/S/-plant model can be relaxed by a preprocessing stage applicable in the context of controller synthesis with upper-bound behavioural-inclusion specifications.
Remark 5 Formally, Eq. 10 requires that every input symbol can be applied regardless of the current state of the plant. Nevertheless, if we are provided with a state machine P = (X, U × Y, δ, X) which fails to satisfy (10), we consider the substitute model P' = (X, U × Y' , δ' , X) with Y' = Y ∪ { ‡}, where we define the transition relation δ' to issue the distinguished output symbol ‡ ∈ Y' whenever an invalid input symbol was applied: Clearly, P' satisfies (10). The considered upper-bound behavioural-inclusion specification can then be used to prevent the distinguished output symbol ‡ ∈ Y' from occurring in the closed-loop configuration. Now assume that a controller has been designed for the plant substitute P' such that ‡ indeed does not occur in any external closed-loop signal. Whenever P' attains a state x ∈ X such that there exists a transition (x, (u, ‡), x) ∈ δ' for some u ∈ U , this transition will be prevented by the controller. In our specific setting of W = U × Y , the controller can only directly restrict the U -component of the external symbol. Hence, the controller must at least effectively disable the external symbols whenever the plant attains the state x ∈ X. For the remaining transitions, however, δ' matches the original transition relation δ; i.e., Therefore, the supervisor designed for the substitute P' will implement exactly the same closed-loop behaviour when applied to the actual plant P .

Remark 6
The situation of restricted initial states is addressed in a similar fashion. Given Here, the distinguished input symbol † is introduced to test whether the state is within the original set of initial states, and, if so, this is confirmed by the distinguished output symbol ‡. Technically, we define the transition relation by We then design a controller for P' with a specification that requires (a) that † appears exclusively as the unique first input symbol and (b) that any further closed-loop requirements are only imposed conditionally, subject to ‡ being generated as the very first output symbol. In order to apply the resulting controller to the actual plant, we need an additional device that generates an adequate output symbol when the distinguished input symbol † is applied, i.e., we need to implement the additional transitions introduced by δ' . However, by clause (a), this is only necessary for the very first transition taken and, since P has the initial state restricted to X 0 , the additional device is a priori known to generate ‡ and it does so without affecting any state. From a practical perspective, this can be implemented by intercepting the closed-loop interconnection to hide the very first input symbol † from the plant and by injecting a fake response ‡ to the controller. For any subsequent transitions, the actual plant P matches the substitute P' as in our previous Remark 5. Hence, the supervisor will enforce the conditional specification (b) in the adapted closed-loop configuration with the actual plant.
For a discrete-time model of hybrid plant dynamics with a discrete external interface, we consider an I/S/-machine P = (X, U × Y, δ, X) with a state set X ⊆ D × R n , |D| ∈ N, and with finite input and output ranges, i.e., |U |, |Y | ∈ N. This is a rather general setting and, for practical applications, one needs to formally derive the transition relation δ from a more detailed model. Since the literature provides a rich variety of models for hybrid dynamics, we demonstrate this step by example.
Example 1 Consider a physical system with linear continuous dynamics and a finite number of linear controllers to implement individual modes of operation. Discretising time by a regular sampling period, we obtain the switched affine system where k ∈ N 0 denotes the discrete time; x : N 0 → R n is the sampled continuous state trajectory; the discrete signal d : N 0 → D selects the mode of operation d(k) at time k; and the square matrix A d ∈ R n×n and the column vector B d ∈ R n are obtained by sampling the closed-loop configuration for mode of operation d ∈ D. We can either directly interpret d as our input signal, or encode additional discrete dynamics by where f : D × U → D is a complete transition function and u : N 0 → U is the discrete input signal. As discrete output, we propose a mode-dependent finite partition of the continuous state space, i.e., with g : D × R n → Y . The transition relation δ is then formally defined by With W := U × Y , X := D × R n and unrestricted initial states X 0 := X, the latter completes the construction of an I/S/-machine P = (X, W, δ, X 0 ) with time-invariant induced external and internal behaviour, respectively.
Example 2 In a similar way to the above example, hybrid automata address the situation of a finite number of modes of operation, each with specific continuous dynamics. However, and in contrast to the above example, the generation of events is organised in dependency of the evolution of the continuous state and by referring to so-called mode invariants and guard relations. A general and formal definition of hybrid automata semantics is quite involved and interested readers are referred to the literature; see, e.g.,  or Chapter 7 in Tabuada (2009). In the present study, we provide a simple practical example with hybrid automata semantics to which we will refer later in the context of abstraction-based controller design. To this end, consider a vehicle which we shall navigate within a rectangular area A : The vehicle is equipped with low-level continuous controllers which implement the modes of operation U := {u nw, u ne, u sw, u se} to drive the vehicle in the respective direction, i.e., north-west, north-east, south-west or south-east. With each mode u ∈ U , we associate a differential inclusion d/dt ϕ(t) ∈ F u , where the constant right-hand side F u ⊆ R 2 is set up as the sum of the respective nominal velocity (−v, v), (v, v), (−v, −v) or (v, −v) ∈ R 2 and a square with diameter d ∈ R, d > 0, as a bounded additive disturbance. Each mode of operation is associated with the entire rectangular area I u := A as the mode invariant. An output event y ∈ Y := {y n, y s, y w, y e} will be generated while the vehicle is inside a guard region, denoted G y n , G y s , G y w , G y e ⊆ R 2 , respectively. To avoid trivial Zeno behaviour, guards are enabled and disabled according to the mode of operation, e.g., when driving north-west, only the north guard G y n and the west guard G y w are enabled.
For a discrete-time model of the vehicle, we consider the overall state set X := A. On this state set, we define the transition relation δ ⊆ x' is within the guard G y ; and (c) the guard G y is enabled by mode u ∈ U . To practically test whether a tuple (x, (u, y), x' ) satisfies the above conditions (a)-(c), we observe that the relevant sets I u = A, F u and G y are convex closed polyhedra. This implies that the positions reachable by some qualifying continuous trajectory ϕ amount to the convex closed polyhedron V = {x + λv | v ∈ F u , λ ≥ 0} ∩ A; see, e.g., Halbwachs et al. (1997). Provided that the guard G y is enabled by mode u, we have that (x, (u, y), x' ) ∈ δ if and only if x' ∈ V ∩ G y . In this context, the transitions in δ are also referred to as logic-time transitions, to contrast with the evolution of the continuous state with respect to physical time.
This completes the construction of the I/S/-machine P . Referring back to Definition 2, recall that an experiment S must account for all trajectories w ∈ B by some finite prefix s ∈ (pre w) ∩ S. Hence, the construction of an experiment practically amounts to the inspection of specific finite prefixes in pre B. For example, to set up an initial experiment by S := B| [0,l] ⊆ pre B for some l ∈ N we need an implementable test for whether or not s ∈ pre B for all finite sequences s of length l + 1. Likewise, referring to Eq. 7, a refinement of an experiment S w.r.t. the candidates R ⊆ S requires us to test whether or not ⟨s, w⟩ ∈ pre B for all s ∈ R and w ∈ W . Given an I/S/-machine P = (X, W, δ, X) with the external behaviour B,  propose to base the required test on the following recursively defined sets of compatible states: where r ∈ W * , u ∈ U , y ∈ Y , and the right-hand side of Eq. 20 is a one-step forward reachability operator applied to X (r) with (u, y) as a constraint for the external symbols. By construction, X (s) ⊆ X consists of all states the I/S/-machine can attain after generating the finite sequence of external symbols s ∈ W * . Since I/S/-machines do not deadlock, this implies that s ∈ pre B if and only if X (s) ≠ ∅. Hence, for behaviours realised by I/S/-machines, setting up and/or refining experiments effectively amounts to a finite iteration of the one-step forward-reachability operator in Eq. 20. The latter type of reachability operator has been intensively investigated over the past two decades and the literature provides a variety of efficient computational methods addressing specific classes of hybrid systems; see, e.g., Alur et al. (2000), Alur et al. (1996), and Lafferriere et al. (2000) for the exact computation of sets of reachable states for a restricted class of continuous dynamics, or, e.g., Althoff et al. (2010), Chutinan and Krogh (1998), Frehse (2008), Henzinger et al. (2000), Maler and Dang (1998), Mitchell et al. (2005), and Reissig (2011) for safe over-approximations for richer classes of continuous dynamics.
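To make the compatible-state recursion of Eq. 20 and the ‡-completion of Remark 5 concrete, here is an added Python example that is not from the paper. Instead of the polyhedral vehicle model it uses a constructed finite machine (three states, inputs go/stop, outputs lo/hi, with one deliberately missing input at state 2), so that the one-step forward reachability operator reduces to a set-valued lookup in the transition relation; the function names are ours.

```python
DAGGER = "‡"  # the distinguished output symbol of Remark 5

# Constructed finite machine (assumption for this example): three states, two
# input symbols and two output symbols. State 2 has no transition under "go",
# so the machine as given violates the I/S/-machine property of Eq. 10.
X = frozenset({0, 1, 2})
U = ("go", "stop")
Y = ("lo", "hi")
DELTA = frozenset({
    (0, ("go", "lo"), 1),
    (1, ("go", "hi"), 2),
    (0, ("stop", "lo"), 0),
    (1, ("stop", "lo"), 1),
    (2, ("stop", "hi"), 2),
})

def undefined_inputs(X, U, delta):
    """State/input pairs (x, u) for which delta offers no transition at all."""
    return {(x, u) for x in X for u in U
            if not any(xs == x and w[0] == u for xs, w, _ in delta)}

def complete_with_dagger(X, U, Y, delta):
    """Remark 5: extend Y by ‡ and let every invalid input u in state x produce
    the self-loop (x, (u, ‡), x), so that Eq. 10 holds for the substitute."""
    extra = {(x, (u, DAGGER), x) for x, u in undefined_inputs(X, U, delta)}
    return Y + (DAGGER,), frozenset(delta) | extra

def compatible_states(X, delta, s):
    """Eq. 20: X(()) = X (unrestricted initial states); for each further symbol
    (u, y) apply the one-step forward reachability operator to the current set."""
    current = set(X)
    for w in s:
        current = {xt for xs, wt, xt in delta if xs in current and wt == w}
        if not current:
            break
    return frozenset(current)

def in_pre_B(X, delta, s):
    """For a deadlock-free I/S/-machine: s is a prefix of B iff X(s) is non-empty."""
    return bool(compatible_states(X, delta, s))

def first_samples(X, U, Y, delta):
    """B|[0,0]: the external symbols that can occur first."""
    return {(u, y) for u in U for y in Y if in_pre_B(X, delta, ((u, y),))}

if __name__ == "__main__":
    Y2, DELTA2 = complete_with_dagger(X, U, Y, DELTA)
    print("invalid (state, input) pairs before completion:", undefined_inputs(X, U, DELTA))
    print("after completion:", undefined_inputs(X, U, DELTA2))
    print("B|[0,0] =", sorted(first_samples(X, U, Y2, DELTA2)))
    for s in [(("go", "lo"),), (("go", "lo"), ("go", "hi")), (("go", "lo"), ("go", "lo"))]:
        print(s, "-> X(s) =", set(compatible_states(X, DELTA2, s)))
```

The empty set returned for the sequence (go, lo), (go, lo) is exactly the signal that a refinement of the candidate (go, lo) would drop, while (go, ‡) appearing in B|[0,0] is the symbol a specification built along Remark 5 would forbid.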
Example 3 (cont.) For our vehicle navigation example, all relevant sets are convex closed polyhedra and the differential inclusions have a constant polyhedral right-hand side. Sets of states reachable by one logic-time transition can hence be computed exactly, e.g., using the software Parma Polyhedra Library (PPL); see Bagnara et al. (2008). We outline the overall computational procedure that is used to construct an initial experiment and a refinement thereof. Consider u nw as the first input symbol being applied in the vehicle navigation example. Then the subsequent output symbol can be either y n or y w since the initial states are not restricted and since G y n and G y w are the only enabled guards. This implies X((u nw, y s)) = ∅ and X((u nw, y e)) = ∅. Under the additional hypothesis that we actually observe y w, we conclude that the attained state must be within G y w. Hence, we obtain X((u nw, y w)) = G y w as compatible states; see Fig. 4. Likewise, we obtain X((u nw, y n)) = G y n. Repeating the above reasoning for all possible first input symbols, we establish that B|[0,0] = {(u ne, y n), (u ne, y e), (u nw, y n), (u nw, y w), (u se, y s), (u se, y e), (u sw, y s), (u sw, y w)}, (21) and obtain our initial experiment S := B|[0,0]. This experiment encodes the fact that for our vehicle navigation example, only relevant guards are enabled depending on the input symbol. This is expected to be insufficient for the design of a supervisor that solves typical navigation tasks like, e.g., to visit a specific guard region. For illustration purposes, we consider R := {(u nw, y w)} ⊆ S as our refinement candidate. Since X((u nw, y w)) = G y w from the foregoing discussion, we now need to compute X(⟨(u nw, y w), (u, y)⟩) for all u ∈ U and y ∈ Y by applying Eq. 20. Consider the case of u = u ne, i.e., we apply the input symbol u ne when the vehicle position x is initially in X((u nw, y w)).
The continuous time motion of the vehicle is then modelled by a trajectory ϕ : [0, τ] → I u ne = A with ϕ(0) = x and (d/dt) ϕ(t) ∈ F u ne for all t ∈ (0, τ). Recall that in our example, all relevant sets are convex closed polyhedra. This implies that all positions reachable by the vehicle are given by a set V that is again a convex closed polyhedron; see also Fig. 4. Compatible states are then obtained by X(⟨(u nw, y w), (u ne, y)⟩) = V ∩ G y with y ∈ Y and are again convex closed polyhedra. More specifically, we have X(⟨(u nw, y w), (u ne, y n)⟩) as shown in Fig. 4 and X(⟨(u nw, y w), (u ne, y)⟩) = ∅ for y ≠ y n. This procedure can be applied repeatedly for subsequent input symbols. To this end, Fig. 4 shows the sets of compatible states for ⟨(u nw, y w), (u ne, y n), (u se, y s)⟩ and ⟨(u nw, y w), (u ne, y n), (u se, y e)⟩. Coming back to the refinement, we apply the same analysis to X((u nw, y w)) as above, but now for the remaining choices of the input symbol, i.e., u = u nw, u = u sw and u = u se. As it turns out, the only extensions of our refinement candidate (u nw, y w) by one more pair of an input symbol and an output symbol with a non-empty set of compatible states are the following length-two sequences: ⟨(u nw, y w), (u ne, y n)⟩, ⟨(u nw, y w), (u se, y s)⟩, ⟨(u nw, y w), (u nw, y n)⟩, ⟨(u nw, y w), (u nw, y w)⟩, ⟨(u nw, y w), (u sw, y s)⟩, ⟨(u nw, y w), (u sw, y w)⟩.

Fig. 4 Sets of compatible states for the navigation example

Referring to Eq. 7, the refined experiment S' is obtained from S := B|[0,0], Eq. 21, by removing the refinement candidate (u nw, y w) and by including the above six extensions; for a tree representation of S' see Fig. 5.
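As an added illustration that is not part of the paper, the following Python code runs the construction of Example 3 (the initial experiment B|[0,0], compatible states, and the refinement at a candidate) on a constructed finite stand-in for the plant: a state records the guard region hit last, and the one-step transitions are chosen by hand so that they reproduce the outcomes reported above. The polyhedral reachability computation is therefore replaced by finite set operations, and the reading of Eq. 7 as "replace each candidate by its one-symbol extensions with non-empty compatible states" is taken from the text as an assumption.

```python
"""Experiments on the external behaviour of a finite plant stand-in.

Added example: the plant below is a constructed finite I/S/-machine whose one-step
behaviour mimics the navigation example (a state is the guard region last hit);
compatible states are therefore finite sets, not the polyhedra of the paper."""
from itertools import product as cartesian

U = ("u_ne", "u_nw", "u_se", "u_sw")
Y = ("y_n", "y_e", "y_s", "y_w")
W = tuple(cartesian(U, Y))           # external symbols (u, y)

# Constructed plant: for each region and input, the letters of the guard regions the
# motion can hit next ("c" = initial position unrestricted).  The output symbol y_r
# and the successor state r are both determined by the region r that is hit.
REACH = {
    "c": {"u_ne": "ne", "u_nw": "nw", "u_se": "se", "u_sw": "sw"},
    "n": {"u_ne": "ne", "u_nw": "nw", "u_se": "e",  "u_sw": "w"},
    "e": {"u_ne": "ne", "u_nw": "n",  "u_se": "se", "u_sw": "s"},
    "s": {"u_ne": "e",  "u_nw": "w",  "u_se": "se", "u_sw": "sw"},
    "w": {"u_ne": "n",  "u_nw": "nw", "u_se": "s",  "u_sw": "sw"},
}
X0 = tuple(REACH)                    # initial state not restricted


def compatible(seq):
    """X(seq): plant states compatible with having observed the sequence seq
    (a tuple of (u, y) symbols); the finite analogue of Eq. 20."""
    xs = set(X0)
    for u, y in seq:
        xs = {r for x in xs for r in REACH[x][u] if y == "y_" + r}
    return xs


def samples(length):
    """All samples of the given length from the external behaviour; samples(1)
    is the paper's B|[0,0], the set of all possible first symbols."""
    seqs = {()}
    for _ in range(length):
        seqs = {s + (w,) for s in seqs for w in W if compatible(s + (w,))}
    return seqs


def refine(S, R):
    """Refinement at the candidates R (Eq. 7 as read here): each r in R is replaced
    by its one-symbol extensions that have a non-empty set of compatible states."""
    ext = {r + (w,) for r in R for w in W if compatible(r + (w,))}
    return (S - R) | ext


def is_experiment(S):
    """S is an experiment on B if every external signal has a prefix in S; for a
    prefix-free S of bounded length it suffices to check all samples of maximal length."""
    L = max(len(s) for s in S)
    return all(any(t[: len(s)] == s for s in S) for t in samples(L))


if __name__ == "__main__":
    S0 = samples(1)                              # initial experiment S := B|[0,0]
    r = (("u_nw", "y_w"),)                       # refinement candidate of Example 3
    S1 = refine(S0, {r})                         # the refined experiment S'
    print(len(S0), compatible(r), len(S1), is_experiment(S1))
```

With these transitions, `samples(1)` yields the eight first symbols of Eq. 21, `compatible` of the candidate is the single region `w` (the finite counterpart of G y w), and the refinement replaces the candidate by exactly the six length-two sequences listed above, so the refined experiment has 13 leaves and still covers every external signal.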
Once an experiment S on the external behaviour B of the plant P has been obtained, it can be used to set up a finite-state realisation of the corresponding abstraction S. Roughly speaking, the realisation tracks the longest suffix of the signal generated so far that matches some prefix within S.

Theorem 7 (See Moor and Götz (2018), Lemma 14) Given a prefix-free trim experiment S ⊆ W*, ε ∉ S ≠ ∅, of bounded length, the abstraction S = (N 0, W, B S) obtained under the assumption of time invariance (see Eq. 1) is realised by the state machine P S = (Z S, W, δ S, {ε}), where Z S := pre S consists of the prefixes of S and where the transition relation δ S is defined as follows: (z, w, z') ∈ Z S × W × Z S is in δ S if and only if z' = ⟨z'', w⟩ with z'' the longest suffix of z that is in Z S but not in S; i.e., if and only if z'' is the unique longest sequence in {r ∈ W* | ∃t ∈ W* : ⟨t, r⟩ = z} ∩ {r ∈ Z S | r ∉ S}. Moreover, P S is reachable, deadlock-free and past-induced. Provided that W is a finite set, P S is a finite state machine.

Note that for the degenerated cases of ε ∈ S or S = ∅ we have B S = W^{N 0} or B S = ∅, respectively, with well known realisations. To provide some intuition regarding the transition relation given by the above theorem, we consider the initial state z 0 := ε and a signal w ∈ B S. In particular, there exists l ∈ N 0 such that w|[0,l) ∈ S. By ε ∉ S, this implies l ≥ 1. Moreover, since S is prefix-free, we have w|[0,k) ∉ S and w|[0,k) ∈ pre S = Z S for all k < l. Now let z k := w|[0,k) for all k ≤ l and observe, for all k < l, that z k is its own longest suffix z'' qualifying for z'' ∉ S and z'' ∈ Z S, and, hence, (z k, w(k), z k+1) ∈ δ S. In other words, the state records all past external symbols until z l ∈ S. However, once in state z l ∈ S, no additional external symbols can be recorded with the given state set unless one first drops a sufficient amount of symbols recorded earlier. Technically, we are asking for a suffix z'' of z l such that ⟨z'', w(l)⟩ ∈ Z S. To see that such a suffix exists, we consider the shortest suffix ε of z l and we refer to time invariance to obtain ⟨ε, w(l)⟩ = w(l) ∈ Z S. For the transition relation proposed in the theorem, we take the longest qualifying z'' to drop as little as possible of the recorded symbols and, as a conjecture, obtain (z l, w(l), z l+1) ∈ δ S with z l+1 := ⟨z'', w(l)⟩. If we can continue this construction indefinitely and if the conjecture holds true at each stage, we obtain a state trajectory z : N 0 → Z S, z(k) := z k for all k, such that (w, z) is in the full behaviour induced by P S. Note that it is neither obvious that the construction actually can be continued indefinitely, nor, for the converse behavioural inclusion, that any trajectory generated by P S is within B S. The cited reference in Theorem 7 provides technical proofs for both claims and the above theorem.

Fig. 5 Refined experiment S' on the external behaviour B for the navigation example
Example 4 (cont.) For the experiment S from Fig. 5, the realisation P S is obtained by the following construction. The nodes s ∈ pre S in Fig. 5 become the states of P S and the edges in Fig. 5 become transitions with an event label to match the most recent event of the respective target node; see Fig. 6, transitions given in black color. Then, per leaf z ∈ S, we: (a) drop the minimum prefix from the node label z ∈ S to obtain z'' ∈ {r ∈ Z S | r ∉ S}; and (b) for all w ∈ W such that z' := ⟨z'', w⟩ ∈ Z S insert a transition from z to z' with label w. For the node z = ⟨(u nw, y w), (u nw, y w)⟩, we have z'' = (u nw, y w) with out-going transitions indicated in green color in Fig. 6. For all other nodes z ∈ S, z ≠ ⟨(u nw, y w), (u nw, y w)⟩, we obtain z'' = ε and insert per w ∈ W with w ∈ Z S the transition (z, w, w) ∈ δ S. This amounts to 12 × 8 = 96 transitions, which are omitted in Fig. 6.
We observe for the vehicle navigation example that not only the actual plant P but also the realisation P S of the abstraction is an I/S/-machine. This can always be achieved by suitable trimming, and we can without loss of generality restrict the discussion to experiments such that P S is an I/S/-machine.
and trim S by S' := {s ∈ S | pre s ⊆ Z io}. (25) Then S' ⊆ S is an experiment on B.
Proof To show that S' is an experiment on B, we pick an arbitrary w ∈ B. Since S is an experiment on B, there exists s ∈ S with s < w. To show that s ∈ S', we pick an arbitrary prefix z ≤ s and an arbitrary u ∈ U and establish the existence of y ∈ Y and z' ∈ Z S such that (z, (u, y), z') ∈ δ S. For our choice, we refer to any state trajectory x such that (w, x) is in the full behaviour induced by P. Since P is an I/S/-machine, there exists another trajectory (w', x') from the full behaviour such that (w', x')|[0,l) = (w, x)|[0,l), w'(l) = (u, y) and x'(l) = x(l) for l = |z| and some y ∈ Y. By B ⊆ B S we obtain the unique state trajectory z' such that (w', z') is in the full behaviour induced by P S. By the definition of δ S we have z'(k) = w'|[0,k) for all k ≤ l. In particular, we have z'(l) = z and, hence, (z, (u, y), z'(l + 1)) ∈ δ S.
Applying the above trimming procedure repeatedly generates a monotonically decreasing sequence S ⊇ S' ⊇ S'' ⊇ ··· of experiments. For our situation of a finite external signal range and experiments of bounded length, S is a finite set. Hence, a fixpoint S* is attained after finitely many stages of trimming. Then, the definition of Z io implies that S* is indeed realised by an I/S/-machine. Moreover, the realisation by an I/S/-machine is retained under refinement by Eq. 7.

Supervisory Control
Given a plant model with discrete-event interface, we seek to design a controller that restricts the behaviour to satisfy a prescribed upper-bound specification. This type of control problem is addressed by supervisory control theory, as introduced by Wonham (1987, 1989), however, using regular *-languages and finite automata realisations as base models. For the present paper, we refer to an adaption of supervisory control to ω-languages to address infinite-length signals as discussed by Thistle and Wonham (1994a, b), and we propose to substitute the actual plant by a finite state abstraction obtained from an experiment.
Formally, a supervisor is defined as a causal feedback map f with domain W* that, at any instance of time k ∈ N 0, maps the present prefix s = w|[0,k) generated by the plant to a control pattern γ = f(s) ⊆ W, with the effect that the subsequently generated symbol must satisfy w(k) ∈ γ, i.e., the plant is restricted to only generate symbols that match the respective control pattern. Most commonly, the range Γ of all admissible control patterns is derived from partitioning W into controllable and uncontrollable events. However, to address I/S/-machines as plants, we refer to the product W = U × Y and define Γ := {γ ⊆ U × Y | ∅ ≠ γ and ∀(u, y) ∈ γ, y' ∈ Y : (u, y') ∈ γ} (26) as the range of the supervisor, i.e., f : W* → Γ. By this choice, the supervisor imposes its restriction on the input symbol only and accepts any output symbol generated by the plant.
Note also that, by construction, Γ is closed under unions of control patterns and, thus, our setting here is formally covered by the relevant references (Thistle and Wonham 1994a, b).
In the more common setting with a partition into controllable and uncontrollable events, a supervisor could apply a control pattern such that the plant in its current state cannot generate any of the enabled symbols. This form of temporal blocking is undesired and, in general, needs to be addressed by the synthesis procedure. However, for the specific situation of I/S/-machines and our tailored choice of Γ in Eq. 26, temporal blocking is not an issue.
Proposition 10 Given an I/S/-machine P = (X, W, δ, X 0 ) where W = U × Y with input range U and output range Y , any supervisor f : W * → Γ preserves liveness in closed-loop configuration with P .
Proof Consider any (w, x) ∈ B full compliant with f up to time k ∈ N 0. Then at time k ∈ N 0 the supervisor applies the control pattern γ := f(w|[0,k)) and P is in state x(k). By Eq. 26, γ ≠ ∅ and we can pick a symbol (u, y) ∈ γ. Since P is an I/S/-machine, there exist y' ∈ Y and ξ ∈ X such that (x(k), (u, y'), ξ) ∈ δ. Referring again to Eq. 26, we obtain (u, y') ∈ γ. To construct the signals x' and w', let x'(κ) := x(κ) for 0 ≤ κ ≤ k, x'(k + 1) := ξ, w'(κ) := w(κ) for 0 ≤ κ < k and w'(k) := (u, y'). Observe that (x'(κ), w'(κ), x'(κ + 1)) ∈ δ for 0 ≤ κ ≤ k. Since P itself is deadlock-free, the signals can be extended to the entire time axis by taking arbitrary transitions from δ. We then obtain (w', x') ∈ B full as required.
Restricting consideration to I/S/-machines and the corresponding choice of Γ , Eq. 26, the problem of supervisory control is stated as follows.

Definition 11 Consider a plant = (N 0, W, B) realised by an I/S/-machine P = (X, W, δ, X 0) with input range U and output range Y, and a specification spec = (N 0, W, B spec). For a supervisor f : W* → Γ with Γ from Eq. 26, the closed-loop behaviour is defined by
A supervisor f : W* → Γ solves the control problem if it enforces the specification, i.e., if
The provided references (Thistle and Wonham 1994a, b) present an algorithmic solution to the above problem for the case that the relevant behaviours are ω-regular and realised by past-induced finite state machines, extended by an acceptance condition. In the context of the present paper, we will substitute the actual plant by the abstraction S obtained from some experiment S with past-induced finite state realisation P S = (Z S, W, δ S, {ε}). Regarding the specification, we account for past-induced finite realisations with Büchi acceptance condition, i.e., we consider a state machine P spec = (X spec, W, δ spec, {x spec0}) with a set of accepting states X specM ⊆ X spec and require that signals in the full behaviour visit accepting states infinitely often. The specification spec = (N 0, W, B spec) is then formally defined by B spec := {w : N 0 → W | ∃x : N 0 → X spec : (w, x) is in the full behaviour of P spec, and x(k) ∈ X specM for infinitely many k ∈ N 0}.
As a technical consequence of introducing an acceptance condition, it is not restrictive to assume that the transition relation δ spec is full, i.e., for all χ ∈ X spec and all w ∈ W there exists χ' ∈ X spec such that (χ, w, χ') ∈ δ spec. For example, assume that we wish to exclude all closed-loop trajectories that exhibit a certain string of symbols from W. We can encode this in a specification state machine with full transition relation where the occurrence of such a string leads into a "dump state", from where no other state can be reached. The assumption of a full transition relation is common in automata theory and it simplifies the subsequent discussion. Supervisory controller synthesis is conducted in the following two steps. First, we extend the abstraction state set to also encode the specification state by the product composition P × := P S × P spec := (Q, W, λ, {q 0}), where Q = Z S × X spec, q 0 = (ε, x spec0), and where λ ⊆ Q × W × Q is defined by ((z, χ), w, (z', χ')) ∈ λ if and only if (z, w, z') ∈ δ S and (χ, w, χ') ∈ δ spec. Since δ spec is full, the induced behaviours of P × equal the respective behaviours induced by P S. Moreover, past-inducedness of both components P S and P spec implies past-inducedness of the product P ×. With Q M := Z S × X specM ⊆ Q we lift the acceptance condition of the specification accordingly. Note also that, since δ spec is full and since we assume P S to be an I/S/-machine, P × is also an I/S/-machine and, hence, is deadlock-free. Regarding the acceptance condition, however, there can be live-locks, i.e., reachable states with no execution path to attain a state in Q M thereafter. This is addressed by the second step of the synthesis approach, where we refer to the iteration proposed by Thistle and Wonham (1994a, b) in order to identify states in P × which can be controlled to eventually visit some accepting states of Q M and to do so infinitely often.
The resulting state set Q win is referred to as the set of winning states: once the closed loop has generated a prefix that corresponds to a winning state q ∈ Q win, a supervisor can be employed to enforce the specification from then on. In particular, the supervisory control problem has a solution if and only if the initial state of P × is a winning state. Addressing more general acceptance conditions for both the plant and the specification, Thistle and Wonham (1994a, b) obtain the set of winning states by a five-nested fixpoint iteration, which for the specific situation in the present paper collapses to the following simplified algorithm.

Algorithm 12
2) Initialise the winning states with Q win := ∅.
3) Perform the following one-step controlled backward-reachability analysis:

4) If B ⊈ Q win, then update the winning states by Q win := Q win ∪ B and proceed with Step 3. Else, proceed with Step 5.
5) If Q M ∩ D ⊈ Q win, then update the restriction by D := D ∩ Q win and proceed with Step 2. Else, terminate and report Q win as the result.
We provide some intuition on the above algorithm; see also Fig. 7. The inner loop over Steps 2-4 begins with Q win = ∅ and accumulates in Q win the states that can be controlled to reach Q M ∩ D within a finite number of steps. Since during the inner loop Q win grows monotonically and the reachability analysis in Step 3 is monotone in the iterate Q win, finiteness of the state set Q implies that the termination condition B ⊆ Q win is satisfied after finitely many iterations. When proceeding with Step 5 for the first time, Q win holds the states that can be controlled to reach Q M at least once and, until then, to remain within Q win. This is illustrated in Fig. 7 on the left, where the growth of Q win occurs counter-clockwise. In the figure it is assumed that the top-most transition which does not go to the target Q M can be disabled by a suitable control pattern. As indicated in the figure, we cannot expect Q M ⊆ Q win, i.e., so far there may be states in Q win that can indeed only be controlled to reach Q M once. Therefore, Step 5 restricts the effective target by letting D = Q win. Repeating the inner loop again results in a set of winning states, but now they can all be controlled to reach Q M at least twice. This is illustrated in Fig. 7 on the right, where the target has been restricted accordingly. When repeating the outer loop, monotonicity leads to a strictly decreasing restriction D and, by finiteness of Q, the termination condition must be satisfied after a finite number of iterations. At termination in Step 5, any state q ∈ Q win can be controlled to reach Q M ∩ D, and, by Q M ∩ D ⊆ Q win, can be controlled to do so infinitely often.
A supervisor can be obtained from the above algorithm by recording for all q ∈ Q win an arbitrary successful control pattern from Step 3 of the last run of the inner loop. Technically, this defines a map g : Q win → Γ. By past-inducedness of P ×, each prefix s ∈ pre B S corresponds to exactly one state in P × which we denote λ 0(s) ∈ Q. The supervisor f is then defined for s ∈ W* by f(s) = g(λ 0(s)) if λ 0(s) ∈ Q win and, else, f(s) = γ dummy ∈ Γ with γ dummy := ∪{γ ∈ Γ}. By construction, this supervisor preserves liveness in closed-loop configuration with the abstraction P S it was designed for (even if P S was not an I/S/-machine), and it conditionally enforces the specification once a prefix s ∈ pre B S with λ 0(s) ∈ Q win has been generated; i.e., we have for the closed-loop behaviour B S,f ; see Definition 11. Since the empty string ε ∈ pre w corresponds to the initial state q 0 = λ 0(ε), the right-hand side of the above inclusion collapses to B spec if we have q 0 ∈ Q win. In this case, we indeed obtain a solution of the control problem for the abstraction. This immediately carries over to the actual plant = (N 0, W, B) realised by P: the supervisor f preserves liveness in closed-loop configuration with P by Proposition 10 and we obtain B f ⊆ B S,f ⊆ B spec as an immediate consequence of B ⊆ B S and Definition 11. If, on the other hand, q 0 ∉ Q win, it follows from the detailed study by Thistle and Wonham (1994a, b) that the control problem has no solution for the abstraction P S at hand. In this case, we interpret Q win as an intermediate result which in an overall synthesis approach can be used to guide a local refinement of the abstraction.
Example 5 (cont.) For the vehicle navigation example from the previous section, we consider the specification to navigate the vehicle eventually to the north guard G y n. This can be expressed by a state machine P spec with two states, where one is an accepting state and indicates that y n has occurred at least once. For controller synthesis, we use the abstraction P S obtained from the experiment S shown in Fig. 5. All states (z, χ) ∈ Q, for which z ∈ Z S = pre S includes a y n symbol, are immediately identified as winning states. Also, states (z, χ) with z = (u nw, y w) turn out to be winning states, because one can apply the control pattern {(u ne, y) | y ∈ Y} to enforce that the winning state ⟨(u nw, y w), (u ne, y n)⟩ is attained by the next transition. Likewise, the initial state is a winning state: by applying the control pattern {(u nw, y) | y ∈ Y} we either have (u nw, y n) or (u nw, y w), both known to be winning states by our previous observations. Thus, the supervisory control problem can be solved based on the abstraction. In contrast, if the control objective was to eventually visit the west guard G y w, the provided abstraction is too coarse for a positive result, although intuition suggests that the actual plant can very well be controlled accordingly.

Guided refinements of experiments
We now consider the situation where abstraction-based synthesis of a supervisor as discussed in the previous section has failed, i.e., we are given a plant = (N 0, W, B) realised by an I/S/-machine P and an abstraction S = (N 0, W, B S) obtained from an experiment S on B, but applying Algorithm 12 shows that q 0 ∉ Q win for the winning states Q win ⊆ Q of the composed state machine P × = (Q, W, λ, {q 0}). Provided that we are optimistic that the control problem with the actual plant exhibits a solution, it is proposed to refine the abstraction and to repeat the synthesis procedure. Referring to Moor and Raisch (1999) and related work, where the abstraction used is an l-complete approximation, i.e., S = B|[0,l] for some l ∈ N 0, a refinement can be obtained by substituting l with l + 1. Effectively, this uniformly extends the sampled sequences in length by one more symbol. However, each such extension amounts to testing whether or not the extended sequence is in pre B, and this test is implemented as a one-step reachability analysis conducted on the original system. Since this is considered computationally expensive, we seek to identify specific sequences R ⊆ S that are worth the effort and use Eq. 7 to obtain a refinement of S tailored for the synthesis task at hand. The overall abstraction-based approach then becomes an iteration in which we alternate trial synthesis and abstraction refinement.
Algorithm 13
1) Initialise the experiment S ⊆ W* by S := B|[0,0], where B denotes the external behaviour induced by P.
2) Referring to Theorem 7, set up P S to realise the abstraction obtained from S.
3) Run Algorithm 12 on the product P × = P S × P spec to obtain the winning states Q win.
4) If the initial state q 0 of P × is within Q win, report the corresponding supervisor and terminate the iteration.
5) Choose refinement candidates R ⊆ S to obtain a refinement by Eq. 7 to substitute S, and proceed with Step 2.
In the case that the procedure terminates at Step 4, we refer to the discussion of the previous section and recall that the supervisor not only solves the synthesis problem for the abstraction P S but also for the actual plant P . Otherwise, the experiment is refined in Step 5 for the subsequent trial synthesis. The proposed iteration may fail to terminate regardless of the choice for the refinement in Step 5. This is to be expected: since the verification of language inclusion is known to be only semi-decidable even for restricted classes of hybrid systems, the synthesis problem cannot be decidable either. However, we will propose a refinement scheme for Step 5 that ensures termination under the hypothesis of the existence of some experiment for which synthesis succeeds. We are now left to set up sensible refinement candidates R to implement Step 5.
For our analysis, we inspect the composed system P × = (Q, W, λ, {q 0}) := P S × P spec, with lifted marked states Q M ⊆ Q for the specification acceptance condition and winning states Q win ⊆ Q obtained by the synthesis algorithm. A refinement obtained by extending specific samples s ∈ S then corresponds to extending the transition relation λ at states q = (z, χ) ∈ Z S × X spec = Q with z = s. Hence, our inspection of P × focuses attention on states in
and we will identify two classes of states that in turn characterise sequences s ∈ S that are not worth a refinement. For our formal argument, we consider two more experiments S' and S'' on B such that S ≤ S'' ≤ S'. Here, we assume that S' is a successful refinement of S in the sense that there exists a supervisor f' such that the closed loop B S',f' satisfies the specification. We then construct S'' to refine S in the same way as S' except for avoiding refinement at a specific sequence s ∈ S, see
to observe that S'' is indeed an experiment on B and that S ≤ S' implies S ≤ S'' ≤ S'. We then show that S'' is also a successful refinement of S and thereby establish that the synthesis problem can be solved without refinements at the previously identified sequence s ∈ S. For the remainder of this section, we refer to the synthesis problems based on the experiments S' and S'' by the same notational conventions as introduced for S, i.e., we denote the associated abstractions S' = (N 0, W, B S') and S'' = (N 0, W, B S''), the realisations thereof P S' = (Z S', W, δ S', {ε}) and P S'' = (Z S'', W, δ S'', {ε}), the composed state machines P' × = (Q', W, λ', {q' 0}) and P'' × = (Q'', W, λ'', {q'' 0}), the lifted marked states Q' M and Q'' M, and the winning states Q' win and Q'' win as obtained by Algorithm 12, respectively.

Winning states
Once the abstraction S has generated a finite sequence s that drives the composed state machine P × to a winning state, there exists a supervisor that enforces the specification from then on. Intuitively, for such states, no refinement is necessary.
Recall that we have synthesised a supervisor f that enforces the conditional specification (29) with B S as the plant. Moreover, by hypothesis, there exists a supervisor f' for the refined abstraction B S' such that the closed loop satisfies B S',f' ⊆ B spec. In order to establish the existence of a supervisor that enforces the specification for B S'' with the relaxed refinement S'' in Eq. 31, we use the candidate f'' : W* → Γ defined by f''(r) := f'(r) if r ≠ ⟨u, s, t⟩ for all u, t ∈ W*, or f''(r) := f(⟨s, t⟩) if r = ⟨u, s, t⟩ for some u, t ∈ W* and u chosen to be of minimum length, (34) i.e., f'' applies the same control patterns as f' until the sequence s has been observed and, from then on, behaves as f in ignorance of any symbols generated before s. The intuition here is that if the closed loop formed by B S'' and f'' happens to not generate s, then it evolves within B S' and, hence, f' enforces the specification. If, on the other hand, s is generated, this corresponds to a winning state of P × and, hence, f enforces the specification. We obtain the following lemma.

Lemma 14
Consider three experiments S ≤ S'' ≤ S' over the finite signal range W = U × Y with the respective associated abstractions S = (N 0, W, B S), S'' = (N 0, W, B S'') and S' = (N 0, W, B S'), and with respective past-induced realisations P S, P S'' and P S' given by Theorem 7. Assume that S'' relates to S and S' as in Eq. 31 for some s ∈ W* that complies with Eq. 32. If there exists a supervisor f' such that B S',f' ⊆ B spec, then there also exists a supervisor f'' such that B S'',f'' ⊆ B spec.
Proof We prove the existence by the candidate supervisor f'' given in Eq. 34. To show B S'',f'' ⊆ B spec, pick any w ∈ B S'',f''. We distinguish two cases. First, assume that ⟨u, s⟩ ∉ pre w for all u ∈ W*. We then have f''(r) = f'(r) for all r ∈ pre w. Now pick arbitrary k ∈ N 0 and refer to w ∈ B S'' for the choice of l ∈ N 0 such that (σ^k w)|[0,l) ∈ S''. Here, the case hypothesis implies (σ^k w)|[0,l) ≠ s and, hence, (σ^k w)|[0,l) ∈ S'. Since k ∈ N 0 was arbitrary, we obtain w ∈ B S' to conclude with w ∈ B S',f' ⊆ B spec.
For the second case we pick the shortest sequence u ∈ W* such that ⟨u, s⟩ ∈ pre w. We then have (σ^|u| w)(k) = w(|u| + k) ∈ f''(w|[0,|u|+k)) = f((σ^|u| w)|[0,k)) for all k ≥ |s|. By w ∈ B S'',f'' ⊆ B S'' ⊆ B S there uniquely exist state trajectories z : N 0 → Z S and x : N 0 → X spec such that (w, (z, x)) is in the full behaviour induced by P ×. In particular, we have that x(|u| + |s|) ∈ X spec,s. By time invariance, we obtain w' := σ^|u| w ∈ σ^|u| B S ⊆ B S and denote z' : N 0 → Z S the unique state trajectory such that (w', z') is in the full behaviour induced by P S. Here, we observe that z'(|s|) = s. With x' := σ^|u| x, we obtain a state trajectory (z', x') with ((z'(k), x'(k)), w'(k), (z'(k + 1), x'(k + 1))) ∈ λ for all k ∈ N 0. By the choice of s in Eq. 32, we observe (z'(|s|), x'(|s|)) ∈ Q win and, referring to the case hypothesis, we also have w'(k) ∈ f(w'|[0,k)) for all k > |s|. Therefore, there exist infinitely many k > |s| such that (z'(k), x'(k)) ∈ Q M and, hence, x(|u| + k) = x'(k) ∈ X specM. This implies w ∈ B spec and concludes the proof of B S'',f'' ⊆ B spec.

Failing States
Denote Q fail ⊆ Q leaf the set of failing states, i.e., states from which the accepting states Q M are not reachable:
Obviously, a state q ∈ Q fail cannot be a winning state and, intuitively, it cannot become a winning state in any refinement. Therefore, a refinement at a failing state is not expected to be relevant for any solution of the control problem. For our formal argument, fix any z = s ∈ S ⊆ Z S with
where X spec,s is defined in Eq. 33. By the following proposition, we associate with s a set of failing states in the composed state machine P' × based on the refinement S'.

Proposition 15
Consider two experiments S ≤ S' over W = U × Y with the respective associated abstractions S and S', and with the respective past-induced realisations P S and P S' given by Theorem 7. Referring to the composed state machine P' × = P S' × P spec, let Q' fail,s := {ξ ∈ Q' | ∃t ∈ W*, χ ∈ X spec : ξ = (⟨s, t⟩, χ)} ⊆ Z S' × X spec (37) for some s ∈ W* that complies with Eqs. 35 and 36. Then any trajectory (w', x') of the full behaviour induced by P' × that passes Q' fail,s does not satisfy the specification, i.e., if there exists k ∈ N 0 with x'(k) ∈ Q' fail,s then w' ∉ B spec.
Recall that, by hypothesis, there exists a supervisor f' that when applied to S' enforces the specification, i.e., B S',f' ⊆ B spec. Now consider for some w' ∈ B S',f' the unique state trajectory x' such that (w', x') is in the full behaviour induced by P' ×. We then conclude by the above proposition that x' does not pass Q' fail,s. Inspecting the definition of Q' fail,s and the relaxed refinement S'' in Eq. 31, this implies that f' controls P' × such that the set of reachable states is within Z S'' × X spec ⊂ Z S' × X spec. This suggests that we may apply f' to B S'' in order to obtain B S'',f' = B S',f' ⊆ B spec. We provide a proof for this conjecture and obtain the following lemma.

Lemma 16
Consider three experiments S ≤ S'' ≤ S' over the finite signal range W = U × Y with the respective associated abstractions S = (N 0, W, B S), S'' = (N 0, W, B S'') and S' = (N 0, W, B S'), and with respective past-induced realisations P S, P S'' and P S' given by Theorem 7. Assume that S'' relates to S and S' as in Eq. 31 for some s ∈ W* that complies with Eqs. 35 and 36. Then
Proof For a preliminary observation, denote L s := {r ∈ W* | s ∉ pre r} the set of all sequences that do not pass s. We then have Q'' ⊂ Q' ⊂ Q' fail,s ∪ (L s × X spec). By Eq. 31, we further obtain S'' ∩ L s = S' ∩ L s, and, referring to the realisations by Theorem 7, δ S'' ∩ (L s × W × L s) = δ S' ∩ (L s × W × L s), and, hence, λ'' ∩ ((L s × X spec) × W × (L s × X spec)) = λ' ∩ ((L s × X spec) × W × (L s × X spec)). In other words, the realisations P' × and P'' × coincide when restricting the respective state set to L s × X spec.
We always have B S',f' ⊆ B S'',f' directly from Definition 11. For the converse inclusion, pick any closed-loop trajectory w'' ∈ B S'',f', and let x'' denote the unique corresponding state trajectory such that (w'', x'') is in the full behaviour of P'' ×. For a contradiction, assume that there exists k ∈ N 0 such that x''(k) ∉ L s × X spec and pick the smallest such k. In particular, we have x''(k) ∈ Q' fail,s. Referring to the input-output structure and the corresponding choice of control patterns, we can then construct a trajectory (w', x') in the full behaviour of P' × such that x'|[0,k] = x''|[0,k] and w' ∈ B S',f'. However, by Proposition 15, x'(k) ∈ Q' fail,s implies w' ∉ B spec, which constitutes a contradiction to B S',f' ⊆ B spec. Therefore, we have that x''(k) ∈ L s × X spec for all k ∈ N 0. Then, (w'', x'') must be in the full behaviour of P' × and, hence, w'' ∈ B S'. Together with w'' ∈ B S'',f' this implies w'' ∈ B S',f'. By the arbitrary choice of w'' ∈ B S'',f', we conclude B S'',f' ⊆ B S',f'.

Main result
Considering the two classes of states identified above, we propose the refinement candidates R = {s ∈ S | ∃χ ∈ X spec,s : (s, χ) ∉ Q fail ∪ Q win} (38) for Step 5 of Algorithm 13 and state our main result.
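The following Python code is an added example, not the paper's own code, that carries Example 4 (the realisation of Theorem 7 for the experiment of Fig. 5), Example 5 (Algorithm 12 on the product with the two-state specification) and the choice of refinement candidates by Eq. 38 through on the navigation example. Several details that the text leaves implicit are assumed here: Step 1 of Algorithm 12 initialises the restriction D := Q; Step 3 collects the states from which some input symbol u, applied as the control pattern {(u, y) | y ∈ Y} of Eq. 26, forces every possible successor into Q win ∪ (Q M ∩ D); X spec,s (Eq. 33) is taken as the specification states reachable from q 0 together with s; Q fail (Eq. 35) as the states from which Q M is unreachable; and the product is formed over all of Z S × X spec.

```python
"""Realisation (Theorem 7), winning states (Algorithm 12) and refinement
candidates (Eq. 38) for the navigation example.  Added example, not the paper's
code; the lead-in lists the reconstructed steps it assumes."""
from itertools import product as cartesian

U = ("u_ne", "u_nw", "u_se", "u_sw")
Y = ("y_n", "y_e", "y_s", "y_w")
W = tuple(cartesian(U, Y))                       # external symbols (u, y)

# The refined experiment of Fig. 5: B|[0,0] with (u_nw, y_w) replaced by its extensions.
S = {(w,) for w in [("u_ne", "y_n"), ("u_ne", "y_e"), ("u_nw", "y_n"), ("u_se", "y_s"),
                    ("u_se", "y_e"), ("u_sw", "y_s"), ("u_sw", "y_w")]}
S |= {(("u_nw", "y_w"), w) for w in [("u_ne", "y_n"), ("u_se", "y_s"), ("u_nw", "y_n"),
                                     ("u_nw", "y_w"), ("u_sw", "y_s"), ("u_sw", "y_w")]}


def realise(S):
    """Theorem 7: states are the prefixes of S; from z on symbol w move to <z'', w>,
    where z'' is the longest suffix of z that is a prefix of S but not in S."""
    Z = {s[:k] for s in S for k in range(len(s) + 1)}
    delta = {}                                   # (z, w) -> z', past-induced
    for z in Z:
        z2 = next(z[i:] for i in range(len(z) + 1) if z[i:] in Z and z[i:] not in S)
        for w in W:
            if z2 + (w,) in Z:
                delta[z, w] = z2 + (w,)
    return Z, delta


def is_io_machine(Z, delta):
    """Every state accepts every input symbol with at least one output symbol."""
    return all(any((z, (u, y)) in delta for y in Y) for z in Z for u in U)


def spec_eventually(y_target):
    """Example 5: two-state Büchi specification, accepting state 1 once y_target
    has occurred; its transition function is full, as the paper assumes."""
    return (0, 1), (lambda chi, w: 1 if chi == 1 or w[1] == y_target else 0), 0, {1}


def product(Z, delta, spec):
    """P_x = P_S x P_spec with the lifted acceptance set Q_M = Z_S x X_specM."""
    X, step, x0, XM = spec
    Q = {(z, chi) for z in Z for chi in X}
    lam = {((z, chi), w): (z2, step(chi, w)) for (z, w), z2 in delta.items() for chi in X}
    return Q, lam, ((), x0), {q for q in Q if q[1] in XM}


def winning(Q, lam, QM):
    """Algorithm 12 as reconstructed here.  Also records, per winning state, one input
    u whose control pattern {(u, y) | y in Y} forces the next state into the target."""
    D = set(Q)                                   # Step 1 (assumed): no restriction yet
    while True:
        Qwin, choice = set(), {}                 # Step 2
        while True:
            target, B = Qwin | (QM & D), set()
            for q in Q:                          # Step 3: controlled one-step predecessors
                for u in U:
                    succ = [lam[q, (u, y)] for y in Y if (q, (u, y)) in lam]
                    if succ and all(q2 in target for q2 in succ):
                        B.add(q); choice.setdefault(q, u); break
            if B <= Qwin:                        # Step 4
                break
            Qwin |= B
        if QM & D <= Qwin:                       # Step 5
            return Qwin, choice
        D &= Qwin


def closure(starts, edges):
    """States reachable from `starts` along `edges` (dict: state -> set of states)."""
    seen, todo = set(starts), list(starts)
    while todo:
        for q2 in edges.get(todo.pop(), ()):
            if q2 not in seen:
                seen.add(q2); todo.append(q2)
    return seen


def candidates(S, Q, lam, q0, QM, Qwin):
    """Eq. 38: leaves s of S that are paired with some reachable specification state
    such that (s, chi) is neither failing (Q_M unreachable) nor winning."""
    fwd, bwd = {}, {}
    for (q, w), q2 in lam.items():
        fwd.setdefault(q, set()).add(q2); bwd.setdefault(q2, set()).add(q)
    reach, Qfail = closure({q0}, fwd), Q - closure(QM, bwd)
    return {z for (z, chi) in reach if z in S and (z, chi) not in Qfail | Qwin}


def synthesise(S, y_target):
    """Trial synthesis: (is q0 winning?, input recorded for q0, refinement candidates)."""
    Z, delta = realise(S)
    Q, lam, q0, QM = product(Z, delta, spec_eventually(y_target))
    Qwin, choice = winning(Q, lam, QM)
    return q0 in Qwin, choice.get(q0), candidates(S, Q, lam, q0, QM, Qwin)


if __name__ == "__main__":
    print(synthesise(S, "y_n"))                  # initial state winning, input u_nw
    print(synthesise(S, "y_w"))                  # not winning: six leaves to refine
```

The realisation has the 15 states of pre S and 116 transitions, namely the 14 tree edges of Fig. 5, the 6 transitions from the node ⟨(u nw, y w), (u nw, y w)⟩ and the 12 × 8 = 96 transitions from the remaining leaves, and it is an I/S/-machine. For the objective "eventually y n" the initial state is winning with the input u nw recorded for it, as in Example 5; for "eventually y w" it is not, no state is failing, and Eq. 38 selects only the six length-one leaves that are reached before y w has occurred, so that the next refinement is restricted to these rather than applied to all 13 leaves.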
Theorem 17 Given a time invariant plant = (N 0, W, B), W = U × Y, realised by an I/S/-machine P = (X, W, δ, X 0) with finite input range U and finite output range Y, consider the supervisory controller synthesis problem for a specification spec = (N 0, W, B spec) realised by a past-induced finite state machine P spec = (X spec, W, δ spec, {x spec0}) with Büchi acceptance condition X specM ⊆ X spec; see Eq. 28. Assume that there exists an experiment S* ⊆ W* on B with associated abstraction S* = (N 0, W, B S*) and a supervisor f* : W* → Γ such that the closed-loop behaviour B S*,f* obtained from B S* under supervision f* satisfies the specification; i.e., B S*,f* ⊆ B spec. Then Algorithm 13 with refinement candidates in Eq. 38 terminates with success after finitely many iterations.
Proof For a proof by contradiction, assume the algorithm does not terminate. Denote by S_j ⊆ W* the experiment in the j-th iteration, with refinement candidates R_j ⊆ S_j identified by Eq. 38. We then have S_j ≤ S_{j+1} and S_j ≠ S_{j+1} for all j ∈ N_0. This implies pre S_j ⊊ pre S_{j+1} for all j ∈ N_0. Since the signal range is finite, we can choose a sufficiently large j ∈ N_0 such that (pre S*) ∩ (pre S_j) = (pre S*) ∩ (pre S_{j+1}). This implies (pre S*) ∩ S_j = (pre S*) ∩ S_{j+1}. Referring to the general scheme of refinement in Eq. 7, we obtain (pre S*) ∩ R_j = ∅. We now construct one more experiment S' on B such that S* ≤ S', S_j ≤ S' and R_j ⊆ S'; see Fig. 9. We denote the associated behaviour by B_{S'}, where S* ≤ S' implies B_{S'} ⊆ B_{S*}. Thus, we can formally interpret B_{S*} as a behavioural abstraction of B_{S'}. In particular, the existence of a solution to the control problem for S* implies the existence of a solution for Σ_{S'} = (N_0, W, B_{S'}). We now turn to the ordering S_j ≤ S'. Since we have identified S' as a successful experiment, Lemmata 14 and 16 grant the existence of a third experiment S'' such that (a) S_j ≤ S'' ≤ S', (b) S_j − S'' ⊆ R_j and (c) the control problem has a solution for the abstraction Σ_{S''} = (N_0, W, B_{S''}) obtained from S''. By clause (b) and the construction of S', we conclude S_j = S''. Hence, S_j itself must be a successful experiment. This constitutes a contradiction and concludes the proof.
Note that the above theorem refers to the existence of a successful experiment S*. However, S* does not need to be known explicitly in order to run Algorithm 13. In other words, we still have the expected situation of semi-decidability, but we also have the guarantee that the algorithm terminates with success as long as a successful experiment exists.

Fig. 9 Experiment S' with S* ≤ S' and R_j ⊆ S'. All three experiments are again shown as "barriers" in the computational tree pre B. By construction, S' consists of (a) sequences from S* and (b) extensions of sequences from S* within S_j. In particular, S' is a refinement of S*. By our choice of a sufficiently large j ∈ N_0, all refinement candidates R_j ⊆ S_j must be to the right of S* and therefore, by construction, within S'.
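The proof above rests on three properties of experiments: each S_j is a "barrier" in the computational tree pre B, local refinement replaces a candidate by its one-symbol extensions within pre B (the scheme of Eq. 7), and as long as refinement is non-trivial the prefix closure pre S_j grows strictly. The following Python script is an added illustration of these three points and is not code from the paper; the two-symbol plant, the "winning" test (reaching an absorbing state) and the horizon that stands in for the failing-state test of Eq. 38 are assumptions chosen to keep the toy small.

```python
"""Toy model of experiments on a behaviour, the local refinement step and
the termination measure used in the proof of Theorem 17.
Added example; the plant, candidate rule and helper names are assumptions."""

from itertools import product

# Constructed toy plant over the finite signal range W = {a, b}: a
# deterministic transition structure. B is the set of infinite words it
# generates from INIT and pre B the set of their finite prefixes.
W = ("a", "b")
TRANS = {0: {"a": 1, "b": 0},
         1: {"a": 1, "b": 2},
         2: {"a": 2}}          # state 2 is absorbing and admits only "a"
INIT = 0


def run(seq):
    """State reached by seq from INIT, or None if seq is not in pre B."""
    x = INIT
    for w in seq:
        x = TRANS[x].get(w)
        if x is None:
            return None
    return x


def in_pre_b(seq):
    return run(seq) is not None


def pre(S):
    """Prefix closure pre S of a set of sequences, including the empty one."""
    return {s[:k] for s in S for k in range(len(s) + 1)}


def refines(S_old, S_new):
    """S_old <= S_new: every sequence of S_new extends a sequence of S_old."""
    return all(any(s[:len(p)] == p for p in S_old) for s in S_new)


def is_barrier(S, depth):
    """Every word of pre B of length `depth` (at least the longest length in S)
    has exactly one prefix in S, i.e. S is a barrier in the tree pre B."""
    for word in product(W, repeat=depth):
        if not in_pre_b(word):
            continue
        hits = sum(1 for k in range(depth + 1) if word[:k] in S)
        if hits != 1:
            return False
    return True


def refine(S, R):
    """Local refinement (scheme of Eq. 7): each candidate r in R is replaced by
    its one-symbol extensions that lie in pre B; non-candidates are kept."""
    if not R <= S:
        raise ValueError("candidates must be sequences of the experiment")
    return (S - R) | {r + (w,) for r in R for w in W if in_pre_b(r + (w,))}


def winning(seq):
    """Toy winning test: the run has reached the absorbing state 2
    (assumption: stands in for the winning states Q_win of the product)."""
    return run(seq) == 2


def candidates(S, horizon=3):
    """Refine sequences that are neither winning nor at the horizon; the
    horizon is an assumption replacing the failing-state test of Eq. 38."""
    return {s for s in S if not winning(s) and len(s) < horizon}


def iterate(S0, candidate_rule=candidates, max_iter=10):
    """Alternate candidate selection and refinement; return all experiments."""
    seqs = [set(S0)]
    for _ in range(max_iter):
        R = candidate_rule(seqs[-1])
        if not R:
            break
        seqs.append(refine(seqs[-1], R))
    return seqs


def strictly_growing_prefixes(seqs):
    """Termination measure of the proof: pre S_j is a strict subset of pre S_{j+1}."""
    return all(pre(a) < pre(b) for a, b in zip(seqs, seqs[1:]))


if __name__ == "__main__":
    S0 = {("a",), ("b",)}
    for j, S in enumerate(iterate(S0)):
        print(f"S_{j}: barrier={is_barrier(S, 3)} sequences={sorted(S)}")
```

Running the script from the initial experiment {a, b} produces two refinements and stops when every remaining sequence is either winning (its run sits in state 2) or has reached the horizon; `refines` is deliberately asymmetric, so S_{j+1} refines S_j but not the other way round.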
Example 6 (cont.) Recall that for the vehicle navigation example the abstraction obtained from S in Fig. 5 is too coarse for controller synthesis when the objective is to eventually visit the west guard G_{y_w}. The worst case for this control objective is an initial state at the very east of the area A, which requires a number of successive u_nw and u_sw control symbols, where the exact number depends on the width-to-height ratio of the rectangular area. Using a width of w = 30 units versus a height of h = 10 units, a thickness of o = 1 unit for the guards, a nominal velocity of v = 10 and a disturbance of diameter d = 2, a numerical simulation suggests that it can take up to 6 control inputs to reach the guard G_{y_w}. Thus, for a successful experiment we expect the longest sequences to be of length 6. On the other hand, any sequence that contains a y_w symbol corresponds to a set of winning states in P_× and, thus, needs no more refinement.
Running Algorithm 13 with refinement candidates (38) yields a successful experiment S with 33262 sequences of length ranging from 1 to 6. We can also use the a-priori knowledge that it makes no sense to apply the same input symbol twice in a row and encode this in the specification automaton P_spec. Algorithm 13 then also encounters non-trivial sets of failing states and constructs a successful experiment S with only 9020 sequences. Since a winning state must be a predecessor of a winning state, we can prioritise our refinement candidates (38) accordingly, i.e., we prefer to refine sequences in the experiment that correspond to a state q = (z, χ) ∈ Q with a successor state in Q_win. This again reduces the number of sequences constructed by Algorithm 13 to 164. All three figures compare favourably with the strongest 5-complete approximation, which is constructed from the 59304 sequences found in B|_[0,5].

so called winning states Q_win. Intuitively, sequences in S that correspond to winning states do not need to be increased in length. In contrast to the winning states, we also identify a set of failing states Q_fail, i.e., states such that any trajectory that passes through them is known to violate the specification under any supervisor. Again, sequences in S that correspond to failing states do not need to be increased in length. To this end, we refine the abstraction S by increasing the sample length only for sequences that correspond neither to winning states nor to failing states, to obtain the locally refined experiment S' with associated abstraction P_{S'}. Iterating abstraction refinement and trial synthesis, we obtain a sequence of experiments S_j, j = 1, 2, .... By our main technical result, this iteration will not miss out on solutions to the control problem: if there exists an experiment such that the control problem can be solved based on the associated abstraction, then the iteration will also produce a successful experiment S_j for some j ∈ N.
Funding Information Open Access funding provided by Projekt DEAL.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Jung-Min Yang received his B.S., M.S., and Ph.D. degrees in electrical engineering from Korea Advanced Institute of Science and Technology (KAIST), Daejeon, Korea, in 1993, 1995, and 1999. Since September 2013, he has been with the School of Electronics Engineering, Kyungpook National University, Korea, where he is currently a Professor. His research interests include control of asynchronous sequential machines, systems biology, and control of hybrid systems.

His research interests include the control of discrete-event systems and hybrid systems, hierarchical and/or modular control systems, control system abstraction and fault-tolerant control. He serves on the Editorial Board of the Journal of Discrete Event Dynamic Systems and Nonlinear Analysis: Hybrid Systems. He is maintainer and principal developer of the discrete-event systems software library libFAUDES, with a particular focus on supervisory control in an industrial application context.

Jörg Raisch studied Engineering Cybernetics at Stuttgart University and Control Systems at UMIST, Manchester. He received a PhD and a Habilitation degree, both from Stuttgart University. He holds the chair for Control Systems in the EECS Department at TU Berlin, and he is also an external scientific member of the Max Planck Institute for Dynamics of Complex Technical Systems. His main research interests are hybrid and hierarchical control, distributed cooperative control, and control of timed discrete event systems in tropical algebras, with applications in chemical, medical, and power systems engineering. He was on the editorial boards of the European Journal of Control, the IEEE Transactions on Control Systems Technology, and Automatica. He serves on the editorial boards of Discrete Event Dynamic Systems and Foundations and Trends in Systems and Control.