Supervisory Control on Concurrent Discrete Event Systems with Variables — Extended Version

Benoit Gaudin, Peter H. Deussen

Rote Reihe, Bericht-Nr. 2006-03, ISSN 1436 – 9915
Technische Universität Berlin, Fakultät IV - Elektrotechnik und Informatik, Franklinstraße 28/29, D-10587 Berlin, March 2006
Email: [email protected], [email protected]

Summary. This work deals with the supervisory control of Discrete Event Systems (DES). Supervisory control is classically applied to systems modeled by a Finite State Machine (FSM). The methods presented in this paper aim at extending previous works in order to efficiently compute supervisors which control systems modeled by concurrent Extended Finite State Machines (EFSM). The link between the classical theory and EFSM is obtained by introducing Parameterized Languages. It is then shown how this can be applied to concurrent systems whose subsystems exchange information during synchronizations.

Contents

Introduction 7
Chapter I. Basic Concepts 9
  I.1. Preliminaries 9
  I.2. Languages 10
  I.3. Operations over Languages 11
  I.4. Finite State Machines 13
Chapter II. Classical Supervisory Control on Discrete Event Systems 19
  II.1. Controllability 19
  II.2. Maximal Controllable Languages 21
  II.3. Basic Supervisory Control Problem 23
Chapter III. Supervisory Control of Concurrent Discrete Event Systems 25
  III.1. Concurrent Discrete Event System 25
  III.2. Partial Controllability 29
  III.3. Control of Concurrent Discrete Event Systems 30
Chapter IV. Controllability of Parameterized Languages 35
  IV.1. Parameterized Languages 35
  IV.2. Controllability 36
  IV.3. Supervisory Control on Concurrent Parameterized Languages 37
Chapter V. Extended Finite State Machines 43
  V.1. Syntax and Semantics 44
  V.2. Operations on Extended Finite State Machines 47
  V.3. Supervisory Control of Extended Finite State Machines 57
  V.4. Supervisory Control of Concurrent Systems 59
  V.5. Abstract Interpretation 61
Bibliography 65

Introduction

Given a system and a property, supervisory control on Discrete Event Systems ([17, 2]) consists in computing supervisors which interact with the system such that the obtained controlled system ensures the property. The classical theory ([17, 2]) is applied to systems modeled by one single Finite State Machine (FSM). Given the complexity of real systems, this theory is actually hardly applicable. In order to deal with this problem and promote supervisory control techniques for real systems, some works have been led on systems modeled by a composition of subsystems ([16, 15, 5, 1, 6, 10]). Such systems are said to be concurrent and are more appropriate to model the complexity of real systems. Complex systems are also generally modeled using variables. But Finite State Machines are not suitable to model them in a compact way, and, more evidently, FSM do not permit this if the variables take values from infinite domains. For these reasons, Extended Finite State Machines (EFSM) are considered here to model the systems. In [3, 12], the authors provide a method to apply supervisory control on EFSM, in order to avoid reachability of a given set of states. The approach in [12] relies on abstract interpretation (see e. g. [4] or [9] for a comprehensive overview) to deal with infinite domains of possible values of variables. In both [12] and [3], the system to be controlled is modeled by one single EFSM. The main contribution of this work consists in providing a method which permits to efficiently compute a supervisor acting upon a concurrent system whose subsystems are modeled by EFSM. For this purpose, the approach developed in [6] is considered. This approach is entirely developed in terms of behaviors of the system. This means that, as in the classical theory, the behaviors of the system are considered instead of its representation as a machine. These behaviors are modeled as languages over an alphabet.

Linking EFSM and languages over an alphabet is a priori not so easy, since languages do not permit to take into account the variables of the systems. Some definitions of the behaviors of EFSM already exist (see e. g. [12]), but the alphabets of the considered languages are infinite. This allows in particular to easily model the exchange of information between two EFSM running in parallel. Nevertheless, considering infinite alphabets renders the classical results on supervisory control not directly extendable. In this study, we propose a new notion to model the behaviors of EFSM: the parameterized languages. Such a notion permits to easily link the variables of EFSM to
classical languages with finite alphabets. Results about supervisory control on languages are then quite easily extended to it. This report is organized as follows. In Section I, preliminaries on languages and Finite State Machines are introduced. Section II recalls the classical theory of Supervisory Control and the extension to concurrent systems is recalled in Section III. Parameterized Languages which model the behaviors of EFSM are presented in Section IV. Definitions and results linking the supervisory control of parameterized languages and that of classical languages are provided. In Section V, EFSM are defined as well as different compositions of EFSM. Their behaviors are defined in terms of parameterized languages and then the supervisory control of EFSM is based on the classical one. Finally, the method to compute supervisors on systems modeled by concurrent EFSM is provided.

CHAPTER I

Basic Concepts

In this chapter, the technical background used in this report is presented. Section I.1 addresses conventions and basic notations from set theory which are not commonly used in the literature. Section I.2 deals with languages, i. e. sets of sequences built up from symbols of some finite alphabet. Operations on languages are presented in Section I.3, in particular projections and reverse projections, as well as parallel compositions of languages. These operations are of major importance throughout this report. A subclass of languages, the so-called regular languages, are generated by Finite State Machines (FSMs), i. e. automata with only a finite set of possible states. FSMs are addressed in Section I.4. Some of the operations originally defined for languages are lifted to FSMs: reverse projection and parallel compositions (together with a specialization called synchronized product).

I.1. Preliminaries

To be self contained, we start by repeating some basic definitions from set theory and introduce some conventions we will use throughout this report. First, let S = ⟨A, B, ...⟩ be a structure with components A, B, ... introduced during the course of this report, e. g. a finite state machine. To simplify the presentation we employ the convention to use A_S, B_S, ... to refer to the components of S. If X is a set, then the set of all subsets of X is denoted by (X) = {Y | Y ⊆ X}. If (X_i)_{1≤i≤n} is a finite family of sets, then the product of these sets is denoted as

$$\prod_{i=1}^{n} X_i =_{\mathrm{Def}} X_1 \times X_2 \times \cdots \times X_n .$$

We write $f : X \rightharpoonup Y$ if f is a partial function from X to Y; total functions are written as $f : X \to Y$ as usual. We use the notation f(x)! to denote the fact that f is defined at x ∈ X. Furthermore, if $f : X \rightharpoonup Y$ and Z ⊆ X, then by $f \restriction Z$ we denote the restriction of f to Z, i. e.

$$f \restriction Z(x)! \iff_{\mathrm{Def}} f(x)!\ \&\ x \in Z, \qquad f \restriction Z(x) =_{\mathrm{Def}} f(x),\ \text{if } f \restriction Z(x)!.$$

In general, we do not distinguish between (partial or total) functions and sets of argument/value pairs (i. e. y = f(x) and ⟨x, y⟩ ∈ f express the same fact). This permits the application of set operations like ∪ and ∩ to functions. Thus for instance, $f \restriction Z = f \cap (Z \times Y)$.

I.2. Languages

A Discrete Event System (DES) can be modeled by the set of its possible executions. During these executions the occurrence of some events can be observed, and the system can be described by the sequences of events that have occurred. The set of events associated to a system is called the alphabet of the system; it is supposed to be finite and is denoted Σ. If σ1 and σ2 represent two events, then σ1·σ2 represents the concatenation of these two events. Any finite sequence of events can then be represented as the concatenation of events s = σ1·σ2···σn. In the sequel, Σ* denotes the set of finite sequences composed of events from Σ. For s1, s2 ∈ Σ*, s1·s2 is also written as s1s2. The particular symbol ε (empty sequence) denotes the sequence in which no event has occurred. If S1, S2 ⊆ Σ*, we use S1·S2 to denote the set {s1s2 ∈ Σ* | s1 ∈ S1 & s2 ∈ S2}. Given a system over an alphabet Σ, its set of behaviors can be represented as a nonempty subset of Σ*. Such a set is called a language over the alphabet Σ.¹ Given an alphabet Σ, (Σ) denotes the set of languages over Σ, that is (Σ) =_Def {L | L ⊆ Σ*}. Given a non-empty language L ∈ (Σ) and a behavior s ∈ L, it can be of interest to consider sequences of Σ* that can be extended to obtain s. Such a sequence s' is called a prefix of s: there exists a sequence s'' ∈ Σ* such that s's'' = s. For such s and s', we write s' ≤ s. Given a language L ⊆ Σ*, we denote by

$$\overline{L} =_{\mathrm{Def}} \{ s \in \Sigma^* \mid \exists s' \in L : s \le s' \} \qquad (I.2.1)$$

the prefix closure of L. A language L is said to be prefix-closed whenever $\overline{L} = L$. One can note that Σ* is prefix-closed and ε belongs to any prefix-closed language. Given a sequence s ∈ L and Σ' ⊆ Σ, L(s, Σ') denotes the sequences of Σ' which complete s in L. Formally,

$$L(s, \Sigma') =_{\mathrm{Def}} \{ s' \in (\Sigma')^* \mid s s' \in L \} \qquad (I.2.2)$$

¹ ∅ (empty language) and {ε} have different meanings. The empty language cannot represent the language of a system, while {ε} represents the behavior of a system for which no behavior can be observed.

Language Expression. To have a convenient way to introduce particular languages in examples, we use a syntax for language expressions defined by the following production system:

$$R ::= s \mid R \cdot R \mid R^n \mid R^* \mid R^+ \mid R + R,$$

where s ∈ Σ* and n ≥ 0 is a non-negative integer. If R is a language expression, its language is denoted by (R) and is inductively defined as:

$$\begin{aligned}
(s) &=_{\mathrm{Def}} \{s\}, \\
(R_1 \cdot R_2) &=_{\mathrm{Def}} (R_1) \cdot (R_2), \\
(R^0) &=_{\mathrm{Def}} \{\varepsilon\}, \\
(R^n) &=_{\mathrm{Def}} (R^{n-1}) \cdot (R) \quad \text{for } n > 0, \\
(R^*) &=_{\mathrm{Def}} \bigcup_{n \ge 0} (R^n), \\
(R^+) &=_{\mathrm{Def}} (R^*) \setminus \{\varepsilon\}, \\
(R_1 + R_2) &=_{\mathrm{Def}} (R_1) \cup (R_2).
\end{aligned}$$

We sometimes write R1R2 instead of R1·R2.

I.3. Operations over Languages

Complex systems are generally obtained by composing subsystems interacting with each other. In order to model such a complex system, not only the subsystems have to be modeled, but also the way in which they are composed.

Projection and Reverse Projection. In order to define the parallel composition of languages we first introduce the natural projection over an alphabet.

I.3.1. DEFINITION (Projection). Let Σ1 and Σ2 be two alphabets such that Σ2 ⊆ Σ1. The natural projection $P_{\Sigma_1,\Sigma_2} : \Sigma_1^* \to \Sigma_2^*$ from Σ1 to Σ2 is inductively defined by:

$$P_{\Sigma_1,\Sigma_2}(\varepsilon) =_{\mathrm{Def}} \varepsilon; \qquad
P_{\Sigma_1,\Sigma_2}(\sigma) =_{\mathrm{Def}} \begin{cases} \sigma, & \text{if } \sigma \in \Sigma_2; \\ \varepsilon, & \text{otherwise}; \end{cases} \qquad
P_{\Sigma_1,\Sigma_2}(s\sigma) =_{\mathrm{Def}} P_{\Sigma_1,\Sigma_2}(s)\,P_{\Sigma_1,\Sigma_2}(\sigma) \quad \text{for } s \in \Sigma_1^*,\ \sigma \in \Sigma_1 .$$

Projections over an alphabet can be extended to languages. For some language L ∈ (Σ1) we define

$$P_{\Sigma_1,\Sigma_2}(L) =_{\mathrm{Def}} \{ P_{\Sigma_1,\Sigma_2}(s) \mid s \in L \}.$$

The projection operator $P_{\Sigma_1,\Sigma_2}$ removes from a given sequence comprising symbols from Σ1 those events that do not belong to Σ2. By duality, given two alphabets Σ1 and
Σ2 as well as one language L ⊆ Σ2* ⊆ Σ1*, the natural reverse projection from Σ2 to Σ1 is denoted $P^{-1}_{\Sigma_2,\Sigma_1}$:

I.3.2. DEFINITION (Reverse Projection). The operator $P^{-1}_{\Sigma_2,\Sigma_1} : (\Sigma_2^*) \to (\Sigma_1^*)$ for alphabets Σ1 and Σ2 such that Σ2 ⊆ Σ1 is defined by

$$P^{-1}_{\Sigma_2,\Sigma_1}(L) =_{\mathrm{Def}} \{ s \in \Sigma_1^* \mid P_{\Sigma_1,\Sigma_2}(s) \in L \}.$$

Intuitively, $P^{-1}_{\Sigma_2,\Sigma_1}(L)$ can be obtained by interleaving all possible sequences from (Σ1 \ Σ2)* with sequences from L.

I.3.3. EXAMPLE. Let Σ1 = {a, b, c}, Σ2 = {a, b}, and L = {(ab)^n | n ≥ 0}. Then $P^{-1}_{\Sigma_2,\Sigma_1}(L) = \{ c^* a^n c^* b^n c^* \mid n \ge 0 \}$.

Parallel Composition. The following definition explains how the behaviors of a composed system can be expressed as the composition of the behaviors of its subsystems. The parallel composition of two languages L1 ∈ (Σ1) and L2 ∈ (Σ2) yields a language whose sequences are obtained from the interleaving of the sequences from L1 and L2. In these interleavings, events from Σ1 \ Σ2 can occur independently from events of Σ2 \ Σ1 (and vice versa). On the other hand, shared events from the alphabet Σ1 ∩ Σ2 can only occur if each subsystem allows it.

I.3.4. DEFINITION (Parallel Composition). Let us consider languages L1 ∈ (Σ1) and L2 ∈ (Σ2) over alphabets Σ1 and Σ2, respectively, and let Σ = Σ1 ∪ Σ2. The parallel composition of L1 and L2 is defined as

$$L_1 \| L_2 =_{\mathrm{Def}} P^{-1}_{\Sigma_1,\Sigma}(L_1) \cap P^{-1}_{\Sigma_2,\Sigma}(L_2).$$

Note that the parallel composition of two languages represents the sequences whose projections over Σ1 (resp. Σ2) are sequences of L1 (resp. L2). In other words,

$$L_1 \| L_2 = \{ s \in \Sigma^* \mid P_{\Sigma,\Sigma_1}(s) \in L_1\ \&\ P_{\Sigma,\Sigma_2}(s) \in L_2 \}.$$

The parallel composition can be easily extended to any finite number of languages, using associativity. Systems modeled as a composition of languages will be called concurrent systems in the sequel.
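The projection, reverse projection and parallel composition of Definitions I.3.1, I.3.2 and I.3.4, worked through on finite languages in Python. This is an added example, not code from the report: the alphabets Σ1 = {a, s}, Σ2 = {b, s} and the languages L1, L2 are constructed for illustration, and sequences are Python strings of single-character events. `interleavings` builds L1 ∥ L2 constructively (local events interleave freely, the shared event s must be taken by both sequences at once), and `parallel_by_projection` computes the same language by reading Definition I.3.4 literally, as the sequences over Σ whose projections lie in L1 and L2; the two results coincide.

```python
from itertools import product


def project(s, sigma2):
    """Natural projection P_{Σ1,Σ2} (Definition I.3.1): keep the events of Σ2,
    erase the others. Sequences are strings of single-character events."""
    return "".join(e for e in s if e in sigma2)


def project_language(L, sigma2):
    """P_{Σ1,Σ2} lifted to a language: the image of every sequence of L."""
    return {project(s, sigma2) for s in L}


def in_reverse_projection(s, L, sigma2):
    """s ∈ P^{-1}_{Σ2,Σ1}(L) (Definition I.3.2) iff P_{Σ1,Σ2}(s) ∈ L."""
    return project(s, sigma2) in L


def prefix_closure(L):
    """Prefix closure L̄ of (I.2.1) for a finite language."""
    return {s[:i] for s in L for i in range(len(s) + 1)}


def interleavings(s1, sigma1, s2, sigma2):
    """All sequences over Σ1 ∪ Σ2 whose projections onto Σ1 and Σ2 are s1 and s2.
    A local event (in one alphabet only) is taken from its own sequence; a shared
    event (in Σ1 ∩ Σ2) must be the next event of both sequences at once."""
    if not s1 and not s2:
        yield ""
        return
    if s1 and s1[0] not in sigma2:                          # local event of system 1
        for rest in interleavings(s1[1:], sigma1, s2, sigma2):
            yield s1[0] + rest
    if s2 and s2[0] not in sigma1:                          # local event of system 2
        for rest in interleavings(s1, sigma1, s2[1:], sigma2):
            yield s2[0] + rest
    if s1 and s2 and s1[0] == s2[0] and s1[0] in sigma2:    # shared event, synchronised
        for rest in interleavings(s1[1:], sigma1, s2[1:], sigma2):
            yield s1[0] + rest


def parallel_compose(L1, sigma1, L2, sigma2):
    """L1 ∥ L2 (Definition I.3.4) for finite languages, built constructively."""
    return {s for s1, s2 in product(L1, L2)
            for s in interleavings(s1, sigma1, s2, sigma2)}


def parallel_by_projection(L1, sigma1, L2, sigma2):
    """L1 ∥ L2 as P^{-1}(L1) ∩ P^{-1}(L2): enumerate Σ* up to the longest length a
    composed sequence can have (|s1| + |s2|, exact for finite languages) and keep
    the sequences whose two projections lie in L1 and L2."""
    sigma = sorted(sigma1 | sigma2)
    max_len = max(len(s) for s in L1) + max(len(s) for s in L2)
    candidates = ("".join(w) for n in range(max_len + 1)
                  for w in product(sigma, repeat=n))
    return {s for s in candidates
            if in_reverse_projection(s, L1, sigma1)
            and in_reverse_projection(s, L2, sigma2)}


# Constructed sample: two subsystems that share the event s.
SIGMA1, L1 = {"a", "s"}, {"", "a", "as"}
SIGMA2, L2 = {"b", "s"}, {"", "b", "bs"}

if __name__ == "__main__":
    composed = parallel_compose(L1, SIGMA1, L2, SIGMA2)
    print(sorted(composed))                        # ['', 'a', 'ab', 'abs', 'b', 'ba', 'bas']
    print(composed == parallel_by_projection(L1, SIGMA1, L2, SIGMA2))   # True
    print(project("abs", SIGMA1), project("abs", SIGMA2))               # as bs
```

The sequence "as" is absent from L1 ∥ L2 even though "as" ∈ L1: its projection onto Σ2 is "s", which L2 does not contain, so the shared event is blocked by the second subsystem, exactly as the text describes.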


I.4. Finite State Machines

Regular languages are those languages L ∈ (Σ) which can be generated by means of a Finite State Machine (FSM).

I.4.1. DEFINITION (Finite State Machines). A (deterministic) Finite State Machine (FSM) G is a 4-tuple ⟨Σ, Q, q, δ⟩, where
(a) Σ is the finite alphabet of actions of G,
(b) Q is the finite set of states of G,
(c) q ∈ Q is the initial state of G, and
(d) δ : Σ × Q → Q is a partial transition function.

Note that by choosing δ as a (partial) function we restrict ourselves to deterministic FSMs. Intuitively, as for languages, an FSM models the behaviors of a discrete event system. The language of an FSM G is defined by the repeated application of the transition function δ_G starting at the initial state q_G. To facilitate notations, the function δ(·) is extended to Σ* × Q as given in the definition below:

I.4.2. DEFINITION. Let G be a FSM. Then δ_G is extended to a mapping δ : Σ_G* × Q_G → Q_G by means of the following inductive definition:

$$\delta(\varepsilon, q) = q; \qquad \delta(s\sigma, q) = \delta_G(\sigma, \delta(s, q)),\ \text{if } \delta(s, q)!\ \&\ \delta_G(\sigma, \delta(s, q))!$$

for all s ∈ Σ_G*, σ ∈ Σ_G, and q ∈ Q_G. In the following we do not distinguish between the original mapping δ_G and its extension δ defined above. The set of possible behaviors of an FSM is given by its generated language:

$$L(G) = \{ s \in \Sigma_G^* \mid \delta_G(s, q_G)! \}$$

Subsystems composition. We start by introducing an operator in(·) which will help us to define the parallel composition of FSMs. Given an event of a concurrent system, this operator returns the set of subsystems which share this event. For this purpose, let us consider a finite family of FSMs G = (G_i)_{1≤i≤n} and some σ ∈ ⋃_{i=1}^{n} Σ_{G_i}. Then

$$\mathrm{in}_{G}(\sigma) =_{\mathrm{Def}} \{ i \mid 1 \le i \le n\ \&\ \sigma \in \Sigma_{G_i} \}.$$

We write in(·) instead of in_G if it is clear from the context to which family G of FSMs it refers.

I.4.3. DEFINITION (Parallel Composition). Let (G_i)_{1≤i≤n} be a finite family of FSMs. The parallel composition of the FSMs G_i is denoted by $\|_{i=1}^{n} G_i$ and is defined as the finite state machine G comprising the following components:
(a) $\Sigma_G =_{\mathrm{Def}} \bigcup_{i=1}^{n} \Sigma_{G_i}$;
(b) $Q_G =_{\mathrm{Def}} \prod_{i=1}^{n} Q_{G_i}$;
(c) $q_G =_{\mathrm{Def}} \langle q_{G_1}, q_{G_2}, \ldots, q_{G_n} \rangle$;
(d) $\delta_G(\sigma, \langle q_1, q_2, \ldots, q_n \rangle)! \iff_{\mathrm{Def}} (\forall i \in \mathrm{in}(\sigma))\ \delta_{G_i}(\sigma, q_i)!$, and moreover, if $\delta_G(\sigma, \langle q_1, q_2, \ldots, q_n \rangle)!$ holds true, then $\delta_G(\sigma, \langle q_1, q_2, \ldots, q_n \rangle) = \langle q'_1, q'_2, \ldots, q'_n \rangle$ such that

$$q'_i =_{\mathrm{Def}} \begin{cases} \delta_{G_i}(\sigma, q_i), & \text{if } \delta_{G_i}(\sigma, q_i)!; \\ q_i, & \text{otherwise}; \end{cases} \qquad \text{for } 1 \le i \le n.$$

The ∥-operator has an interesting specialization which is referred to as synchronized product.

I.4.4. DEFINITION. Let (G_i)_{1≤i≤n} be a family of FSMs. In the case that we have Σ_{G_i} = Σ_{G_j} for 1 ≤ i, j ≤ n we put

$$\prod_{i=1}^{n} G_i =_{\mathrm{Def}} \big\|_{i=1}^{n} G_i .$$

If n = 2, we write G1 × G2 instead of $\prod_{i=1}^{2} G_i$.

The synchronized product is interesting since it permits considering the intersection of the behaviors of each operand:

$$L(G_1 \times G_2) = L(G_1) \cap L(G_2)$$

It is then possible to restrict the behavior of one system by composing it in a synchronous manner with another system.

I.4.5. DEFINITION (Reverse Projection). Let G be a FSM and let Σ ⊇ Σ_G. The reverse projection of G on Σ is a FSM denoted by $P^{-1}_{\Sigma_G,\Sigma}(G)$ with the following components:
(a) $\Sigma_{P^{-1}_{\Sigma_G,\Sigma}(G)} =_{\mathrm{Def}} \Sigma$;
(b) $Q_{P^{-1}_{\Sigma_G,\Sigma}(G)} =_{\mathrm{Def}} Q_G$, and in particular
(c) $q_{P^{-1}_{\Sigma_G,\Sigma}(G)} =_{\mathrm{Def}} q_G$;
(d) $\delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}$ is defined as

$$\delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(\sigma, q) = \begin{cases} \delta_G(\sigma, q), & \text{if } \sigma \in \Sigma_G \text{ and } \delta_G(\sigma, q)!; \\ q, & \text{if } \sigma \in \Sigma \setminus \Sigma_G; \\ \text{undefined} & \text{otherwise.} \end{cases}$$

I.4.6. LEMMA. Let G be a FSM and let Σ ⊇ Σ_G. Then

$$P^{-1}_{\Sigma_G,\Sigma}(L(G)) = L(P^{-1}_{\Sigma_G,\Sigma}(G)).$$

PROOF. According to Definition I.4.2, we prove that for all s ∈ Σ*,

$$\delta_G(P_{\Sigma,\Sigma_G}(s), q_G)! \iff \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G)! \qquad (I.4.1)$$

Note that $q_G = q_{P^{-1}_{\Sigma_G,\Sigma}(G)}$ according to Definition I.4.5. We are actually going to prove that not only Equation (I.4.1) holds, but also that for all s ∈ Σ* such that $\delta_G(P_{\Sigma,\Sigma_G}(s), q_G)!$,

$$\delta_G(P_{\Sigma,\Sigma_G}(s), q_G) = \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G). \qquad (I.4.2)$$

A proof by induction on the length of s is used to simultaneously show Equations (I.4.1) and (I.4.2). First, these two equations trivially hold when s = ε. Now let us assume that they also hold for a given sequence s ∈ Σ* and let us show that this is true again for any sσ with σ ∈ Σ. We have to consider the following cases:

(a) If σ ∉ Σ_G, then $P_{\Sigma,\Sigma_G}(s\sigma) = P_{\Sigma,\Sigma_G}(s)$. This implies that

$$\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G)! \iff \delta_G(P_{\Sigma,\Sigma_G}(s), q_G)!$$

which entails by assumption that $\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G)! \iff \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G)!$ and

$$\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G) = \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G).$$

Now since σ ∉ Σ_G, Definition I.4.5 implies that $\delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(\sigma, \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G))!$, and moreover

$$\delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(\sigma, \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G)) = \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G).$$

This finally means that $\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G)! \iff \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s\sigma, q_G)!$ and

$$\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G) = \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s\sigma, q_G).$$

(b) If σ ∈ Σ_G, then $P_{\Sigma,\Sigma_G}(s\sigma) = P_{\Sigma,\Sigma_G}(s)\sigma$. Now we have

$$\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G)! \iff \delta_G(\sigma, \delta_G(P_{\Sigma,\Sigma_G}(s), q_G))!$$

which entails by assumption that $\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G)! \iff \delta_G(\sigma, \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G))!$, and

$$\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G) = \delta_G(\sigma, \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G)).$$

Finally, according to Definition I.4.5 and since σ ∈ Σ_G, we obtain that $\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G)! \iff \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(\sigma, \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G))!$ and

$$\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G) = \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(\sigma, \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s, q_G))$$

which implies that $\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G)! \iff \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s\sigma, q_G)!$ and

$$\delta_G(P_{\Sigma,\Sigma_G}(s\sigma), q_G) = \delta_{P^{-1}_{\Sigma_G,\Sigma}(G)}(s\sigma, q_G).$$

This concludes the proof.

[Figure I.1 (image): state diagrams of (a) G1, (b) G2 and (c) G1 ∥ G2 of Example I.4.7; transitions labelled act1, act2, act3, act4 and synchro.]



As for languages, Definition I.4.3 implies that a shared event can only occur in the global system if it can occur in each of the subsystems that share it. Moreover, a local event (i. e. an event which is not shared) can occur in G whenever it can occur in the subsystem to which it belongs.

I.4.7. EXAMPLE. In this example, the parallel composition of the FSMs G1 and G2 given in Figures I.1(a) and I.1(b) is introduced. The alphabet of G1 is Σ_{G1} = {act1, act2, synchro} and that of G2 is Σ_{G2} = {act3, act4, synchro}. The set of events shared by G1 and G2 is {synchro}. The result of the parallel composition of G1 and G2 is given in Figure I.1(c).

The link between the parallel composition of FSMs (Definition I.4.3) and the parallel composition of languages (Definition I.3.4) is given by the following proposition.

I.4.8. PROPOSITION (see e. g. [2]). Let (G_i)_{1≤i≤n} be a family of FSMs. Then

$$L\Big( \big\|_{i=1}^{n} G_i \Big) = \big\|_{i=1}^{n} L(G_i).$$
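Definitions I.4.1 to I.4.5 together with Lemma I.4.6 and Proposition I.4.8, made concrete in Python as an added example (not code from the report). The two machines G1 over {a, s} and G2 over {b, s}, which share the event s, are constructed here and are not the machines of Figure I.1. `parallel` follows Definition I.4.3 component by component, using `in_set` for the in(σ) operator, and `reverse_projection` follows Definition I.4.5. Since L(G) is infinite, the lemma and the proposition are checked on all words up to a bounded length; this is a finite sanity check of the two statements, not a proof.

```python
from itertools import product


class FSM:
    """Deterministic FSM ⟨Σ, Q, q, δ⟩ (Definition I.4.1). The partial transition
    function δ is a dict keyed by (event, state); a missing key means undefined."""

    def __init__(self, alphabet, states, init, delta):
        self.alphabet = frozenset(alphabet)
        self.states = frozenset(states)
        self.init = init
        self.delta = dict(delta)

    def run(self, s, q=None):
        """Extended transition function δ(s, q) of Definition I.4.2; None if undefined."""
        q = self.init if q is None else q
        for e in s:
            q = self.delta.get((e, q))
            if q is None:
                return None
        return q

    def accepts(self, s):
        """s ∈ L(G) iff δ_G(s, q_G) is defined."""
        return self.run(s) is not None

    def language(self, max_len):
        """The words of L(G) of length ≤ max_len. L(G) is prefix-closed, so every
        accepted word of length k+1 extends an accepted word of length k."""
        words, frontier = {""}, {""}
        for _ in range(max_len):
            frontier = {w + e for w in frontier for e in self.alphabet if self.accepts(w + e)}
            words |= frontier
        return words


def in_set(machines, e):
    """in(σ): indices of the machines whose alphabet contains σ."""
    return {i for i, G in enumerate(machines) if e in G.alphabet}


def parallel(machines):
    """∥ of Definition I.4.3: product states, tuple initial state, and a shared
    event is enabled iff every machine sharing it can take it; the others stay put."""
    alphabet = frozenset().union(*(G.alphabet for G in machines))
    states = set(product(*(G.states for G in machines)))
    init = tuple(G.init for G in machines)
    delta = {}
    for e in alphabet:
        sharers = in_set(machines, e)
        for q in states:
            if all((e, q[i]) in machines[i].delta for i in sharers):
                delta[(e, q)] = tuple(
                    machines[i].delta[(e, q[i])] if i in sharers else q[i]
                    for i in range(len(machines)))
    return FSM(alphabet, states, init, delta)


def reverse_projection(G, sigma):
    """P^{-1}_{Σ_G,Σ}(G) of Definition I.4.5: same states, events outside Σ_G
    become self-loops in every state."""
    sigma = frozenset(sigma)
    if not G.alphabet <= sigma:
        raise ValueError("Σ must contain Σ_G")
    delta = dict(G.delta)
    for e in sigma - G.alphabet:
        for q in G.states:
            delta[(e, q)] = q
    return FSM(sigma, G.states, G.init, delta)


def project(s, sigma):
    """Natural projection (Definition I.3.1) on strings of single-character events."""
    return "".join(e for e in s if e in sigma)


def all_words(alphabet, max_len):
    return {"".join(w) for n in range(max_len + 1) for w in product(sorted(alphabet), repeat=n)}


def lemma_I46_holds(G, sigma, max_len=4):
    """Lemma I.4.6 on words up to max_len: s ∈ L(P^{-1}(G)) iff P(s) ∈ L(G)."""
    H = reverse_projection(G, sigma)
    return all(G.accepts(project(s, G.alphabet)) == H.accepts(s) for s in all_words(sigma, max_len))


def proposition_I48_holds(G1, G2, max_len=4):
    """Proposition I.4.8 on words up to max_len: L(G1 ∥ G2) equals the set of
    sequences whose projections onto Σ_G1 and Σ_G2 lie in L(G1) and L(G2)."""
    comp = parallel([G1, G2])
    lhs = comp.language(max_len)
    rhs = {s for s in all_words(comp.alphabet, max_len)
           if G1.accepts(project(s, G1.alphabet)) and G2.accepts(project(s, G2.alphabet))}
    return lhs == rhs


# Constructed machines (assumption: not the machines of Figure I.1).
# G1: 0 --a--> 1 --s--> 0 ;  G2: 0 --b--> 1 --s--> 0 ; the event s is shared.
G1 = FSM({"a", "s"}, {0, 1}, 0, {("a", 0): 1, ("s", 1): 0})
G2 = FSM({"b", "s"}, {0, 1}, 0, {("b", 0): 1, ("s", 1): 0})

if __name__ == "__main__":
    G12 = parallel([G1, G2])
    print(sorted(G12.language(3)))                     # ['', 'a', 'ab', 'abs', 'b', 'ba', 'bas']
    print(lemma_I46_holds(G1, {"a", "b", "s"}))        # True
    print(proposition_I48_holds(G1, G2))               # True
```

In the composed machine the shared event s is only defined in the product state (1, 1), where both components can take it, while a and b move their own component independently; the reverse projection of G1 onto {a, b, s} accepts any word whose a/s skeleton G1 accepts, whatever b's are inserted.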

CHAPTER II

Classical Supervisory Control on Discrete Event Systems

In this chapter supervisory control on Discrete Event Systems is addressed. This theory has been developed by Ramadge and Wonham [13] in the early 80's. The problem, namely how to define a controller for a discrete event system (DES) that realizes a given control objective in the presence of system events which cannot be influenced, is described in more detail in Section II.1. In particular, the notion of a supervisor is introduced as a function which restricts the possible behaviors of the system to be controlled in order to realize the control objective. We further address the notion of controllability, i. e. a property which ensures the existence of a supervisor. This property basically states that the supervisor is not required to influence uncontrollable events. In general, control objectives cannot be assumed to be controllable. Thus the question arises whether there is a "next-best alternative", i. e. another control objective which is enclosed in the original one and which restricts the system under control as little as possible. Section II.2 addresses the existence of such a maximal control sub-objective. Finally, in Section II.3 the Basic Supervisory Control Problem is stated and it is shown how the maximal control objective described in the previous section defines a solution of this problem. In this chapter, it is assumed that the system under control is modeled by a single, monolithic FSM.

II.1. Controllability

In this section, we assume that the system to be controlled is modeled by one FSM G, and its behaviors are described by the generated language L(G). The behaviors of G can be unsatisfactory because certain desired properties, called control objectives, do not hold. In such a case, the possible behaviors of the system need to be restricted so that the control objectives are satisfied. This restriction can be obtained by means of a supervisor.

Another way to motivate supervisory control is to think of a system which offers a number of functions. For a given concrete purpose not all combinations (i. e. execution sequences) of those functions might be needed. Thus the introduction of supervisory control for given control objectives means to develop an execution script or program that implements the control objectives.

[Figure II.1 (image): Closed loop system. The supervisor receives the observed behavior from the system and sends back the set of allowed events.]

A supervisor can be formally seen as a function which sends to the system the set of allowed actions after a given observed behavior. The supervision is intended to enable only those behaviors which are described by the control objective. Therefore, controlling a system consists in adding constraints which restrict its behaviors to the expected (or desired) ones. If all possible events of a system can be freely disabled by the supervisor, the problem of controlling the system is obviously a trivial one. It becomes a real problem if there are uncontrollable events such as events from external monitors, exceptions, clock ticks, timeouts, etc. Thus we assume that the alphabet of the system, say Σ, is partitioned into two disjoint sets Σ_c and Σ_uc, which are respectively called the set of controllable and uncontrollable events; i. e. Σ = Σ_c ∪ Σ_uc, and Σ_c ∩ Σ_uc = ∅. Figure II.1 illustrates the relationship between a system and its supervisor.

II.1.1. DEFINITION (Supervisor). Let G be a FSM over the alphabet Σ_G, where Σ_G is partitioned into sets Σ_{G,c} and Σ_{G,uc} of controllable and uncontrollable events, respectively. A supervisor for G is a function S : L(G) → (Σ_c). The system obtained by composing the system G and the supervisor S is called the controlled system and is denoted S/G. The behavior of the system S/G is given by the language L(S/G) ∈ (Σ_G) which is recursively defined by:
(a) ε ∈ L(S/G);
(b) for all s ∈ L(S/G) and σ ∈ Σ such that sσ ∈ L(G) we have sσ ∈ L(S/G) ⇔ σ ∈ S(s).

L(S/G) is clearly a sublanguage of L(G) which only contains sequences allowed by the supervisor S. Since uncontrollable events cannot be prevented from occurring, the generated language of the controlled system must possess a certain property called controllability which characterizes behaviors of controlled systems. Controllability has been introduced in [14].

II.1.2. DEFINITION (Controllability). Let L ⊆ Σ* be a language, let K ⊆ L be another language called control objective, and let Σ_uc ⊆ Σ. Then K is controllable w. r. t. Σ_uc and

L if

$$\overline{K} \cdot \Sigma_{uc} \cap L \subseteq \overline{K}.$$

Note that the empty language as well as L are both controllable by definition. Intuitively, if L represents the uncontrolled behaviors of a system (usually L = L(G) for some FSM G), then K is controllable with respect to Σ_uc and L if no uncontrollable event permits leaving the set of behaviors of K while remaining within the behaviors of the system.

II.1.3. EXAMPLE. To illustrate Definition II.1.2, let us consider the following FSM:

[FSM of Example II.1.3 (image): states I, W and O; transitions labelled start, stop, repair and breakdown.]

If Σ_c = {start, repair} and Σ_uc = {stop, breakdown}, then
• K = {start, start.stop} is uncontrollable;
• K = {start, start.breakdown, start.stop} is controllable.

The following Theorem II.1.4 states that there exists a very strong link between the controllable sublanguages of the system and the possible supervisors that can act upon it.

II.1.4. THEOREM. Let us consider a system G to be controlled and a control objective K with ∅ ⊂ K ⊆ L(G). There exists a supervisor S acting upon G such that $L(S/G) = \overline{K}$ if and only if K is controllable w. r. t. Σ_{G,uc} and L(G).

A proof can be found in [13]. Thus if K is controllable w. r. t. Σ_{G,uc} and L(G), then it is possible to define a supervisor which exactly restricts the behaviors of the system to the ones of the control objective.

II.2. Maximal Controllable Languages

We now consider the case that the control objective K is uncontrollable w. r. t. Σ_{G,uc} and L(G), i. e. we look for a controllable subset of K. But it also seems important to restrict the set of behaviors of the system as little as possible. Therefore, in this section we develop the notion of a maximal controllable language, where comparison between languages is classically introduced as set inclusion. Given a prefix-closed language L ⊆ Σ* and Σ_uc ⊆ Σ, (Σ_uc, L) denotes the set of sublanguages of L that are controllable w. r. t. Σ_uc and L, i. e.

$$(\Sigma_{uc}, L) =_{\mathrm{Def}} \{ M \subseteq L \mid \overline{M}\,\Sigma_{uc} \cap L \subseteq \overline{M} \}.$$

This set is not empty since it always contains L and the empty language. Further let us consider a language K ⊆ L. As already mentioned in the previous paragraph and

illustrated in Example II.1.3, K may be uncontrollable w. r. t. Σ_uc and L. In this case, we are interested in sublanguages of K that are controllable w. r. t. Σ_uc and L. The following class of languages is then defined:

$$(K, \Sigma_{uc}, L) =_{\mathrm{Def}} \{ M \subseteq K \mid \overline{M}\,\Sigma_{uc} \cap L \subseteq \overline{M} \} = \{ M \in (\Sigma_{uc}, L) \mid M \subseteq K \}.$$

Thus (K, Σ_uc, L) contains those sublanguages of K that are controllable w. r. t. Σ_uc and L.

II.2.1. PROPOSITION ([17]). Let Σ be an alphabet and let L and K be languages such that K ⊆ L ⊆ Σ*; further assume $L = \overline{L}$. The set (Σ_uc, K, L) is non-empty and is closed under union.

It follows from Proposition II.2.1 that there exists a unique maximal language which is included in K and controllable w. r. t. Σ_uc and L.

II.2.2. DEFINITION. Let Σ be an alphabet and let L and K be languages such that K ⊆ L ⊆ Σ*; further assume $L = \overline{L}$. Then

$$\uparrow^{c}(K, \Sigma_{uc}, L) = \bigcup_{M \in (\Sigma_{uc}, K, L)} M .$$

Let us now state the following proposition which will be extremely useful in the sequel.

II.2.3. PROPOSITION. Assume prefix-closed languages K, L, L' ⊆ Σ* over some alphabet Σ such that L ⊆ L' ⊆ Σ* and ∅ ⊂ K ⊆ L' hold. A set of uncontrollable events included in Σ is denoted by Σ_uc. Then

$$K \in (\Sigma_{uc}, L') \Rightarrow K \cap L \in (\Sigma_{uc}, L).$$

PROOF. Let us consider K ∈ (Σ_uc, L') and sσ ∈ Σ*·Σ_uc such that sσ ∈ (K ∩ L)·Σ_uc ∩ L. Then

$$\begin{aligned}
s\sigma \in (K \cap L)\cdot\Sigma_{uc} \cap L &\Rightarrow s\sigma \in K\cdot\Sigma_{uc} \cap L \\
&\Rightarrow s\sigma \in K\cdot\Sigma_{uc} \cap L'\ \&\ s\sigma \in L \quad (\text{since } L \subseteq L') \\
&\Rightarrow s\sigma \in K\ \&\ s\sigma \in L \quad (\text{by assumption}) \\
&\Rightarrow s\sigma \in K \cap L .
\end{aligned}$$

Therefore Proposition II.2.1 shows the existence of a supervisor that restricts as little as possible the behaviors from L(G) to K. Notice that Proposition II.2.3 can be extended as follows:

II.2.4. COROLLARY. Let K, L and L' be prefix-closed languages over an alphabet Σ such that K ⊆ L ⊆ L'. Let Σ_uc ⊆ Σ be a set of uncontrollable events. If L ∈ (Σ_uc, L'), then

$$L \cap \uparrow^{c}(K, \Sigma_{uc}, L') = \uparrow^{c}(K \cap L, \Sigma_{uc}, L).$$

PROOF. (⇒) Let sσ be in ↑c(K ∩ L, Σ_uc, L)·Σ_uc ∩ L'. Since ↑c(K ∩ L, Σ_uc, L) is included in L, we have sσ ∈ L·Σ_uc ∩ L'. Now since L ∈ (Σ_uc, L'), we obtain that sσ ∈ L. Finally, sσ ∈ ↑c(K ∩ L, Σ_uc, L)·Σ_uc ∩ L, which entails that sσ ∈ ↑c(K ∩ L, Σ_uc, L) thanks to the controllability definition. Now since ↑c(K ∩ L, Σ_uc, L) is clearly included in K, it is included in ↑c(K, Σ_uc, L'). Moreover, it is also clear that ↑c(K ∩ L, Σ_uc, L) is included in L.
(⇐) Let sσ be in (L ∩ ↑c(K, Σ_uc, L'))·Σ_uc ∩ L. It means in particular that sσ ∈ ↑c(K, Σ_uc, L')·Σ_uc ∩ L. According to the definition of controllability, sσ ∈ ↑c(K, Σ_uc, L'), and hence sσ ∈ L ∩ ↑c(K, Σ_uc, L'). Since L ∩ ↑c(K, Σ_uc, L') is clearly included in K and L, and since ↑c(K ∩ L, Σ_uc, L) is the maximal controllable language, L ∩ ↑c(K, Σ_uc, L') is included in ↑c(K ∩ L, Σ_uc, L).

Discussion: Realization of a Supervisor. Definition II.1.1 explains the term supervisor as a mapping S : L(G) → (Σ_{G,c}), where G is a FSM modelling a system to be controlled, and Σ_{G,c} ⊆ Σ_G is a set of controllable events. From a practical point of view this definition is not quite useful because it does not provide a methodology or algorithm to realize a supervisor, e. g. as a FSM. Thus when both the system G and the control objective K are modeled by FSMs, then S can itself be implemented as a FSM G(S). While executing G, the supervisor is executed in parallel. In other words, the controlled system is given by S/G = G(S) ∥ G. Hence G(S) restricts the behavior of G by means of synchronizations over shared controllable events. Such a representation of the supervisor is called realization of the supervisor in [2] (and supervisor in [17]). Given two FSMs G and G(K) respectively modeling the system to be controlled and the control objective, algorithms are provided in [17] and [2] to construct a FSM modeling the maximal controllable language w. r. t. G(K) and G. This FSM is a realization of a supervisor and is called the standard realization of the supervisor.

To conclude this discussion, let us elaborate on the complexity of the algorithms that compute the standard realization of the BSCP (the Basic Supervisory Control Problem, Section II.3) for a system modeled by a FSM G and a control objective modeled by a FSM G(K). Let N denote the number of states of G and M the number of states of G(K). The number of states of the standard realization of a solution is N × M in the worst case. Moreover, |Σ_G| × N × M represents the worst case complexity in time for computing the realization.

II.3. Basic Supervisory Control Problem

Controlling a system G with a supervisor S is done according to a control objective K. In the theory of Ramadge and Wonham, this objective is described by a non-empty language over the alphabet of the system. The classical problem of supervisory control
consists in restricting behaviors of G to the ones of K. Formally, finding a supervisor which is least restrictive is a problem stated as follows: II.3.1. P ROBLEM (Basic Supervisory Control Problem). Let G be a FSM. Given a set of uncontrollable events ΣG,uc ⊆ ΣG and two prefix-closed languages K and L such that ∅ ⊂ K ⊆ L(G), the basic supervisory control problem (BSCP) consists in determining a supervisor S such that L(S/G) is maximal in the sense that for all supervisors S 0 such that L(S0 /G) ⊆ K, we have L(S0 /G) ⊆ L(S/G)  According to the previous paragraph, the language L(S/G) =

↑c

(K, ΣG,uc , L(G))

(II.3.1)

is suitable to solve the BSCP. Therefore, a supervisor S which is defined for all s ∈ ↑c (K, Σ G,uc , L(G)) by S(s) =Def {σ ∈ Σ | sσ ∈

↑c

(K, ΣG,uc , L(G))}

satisfies the equation II.3.1. One can note that the values of S over sequences that do not belong to ↑c (K, ΣG,uc , L(G)) are not important to solve the BSCP. Hence ↑c (K, Σ G,uc , L(G)) represents a system which satisfies the control objective. II.3.2. R EMARK . According to the BSCP, the control objective K must be included in L(G). However, the BSCP can be easily extended to the case where K ⊆ | L(G). If S is a solution to the BSCP, then L(S/G) ⊆ K. And since L(S/G) ⊆ L(G), we obtain that (a) L(S/G) ⊆ K ∩ L(G) (b) L(S/G) is maximal in the sense that for all S 0 such that L(S0 /G) ⊆ K ∩ L(G), we have L(S0 /G) ⊆ L(S/G). Therefore, the problem is the same as the previous one since K ∩ L(G) ⊆ L(G). This is important because it is convenient to model control objectives that are not included into the set of behaviors of the system. Of course, given such a control objective, it is theoretically possible to consider the intersection of its behaviors with the system’s ones. However, this computation can be very costly and infeasible in practice because of the complexity of the system. 

Supervisory Control on Concurrent Discrete Event Systems with Variables

CHAPTER III

Supervisory Control of Concurrent Discrete Event Systems

As long as the system to be controlled can be modeled within a relatively small state space, the approach described in the previous chapter remains feasible. If however the system to be controlled consists of several concurrently running subsystems, this approach suffers from the so-called state explosion problem, i. e. the exponential growth of the number of states when the number of subsystems increases. In this chapter, we therefore address approaches to generate a supervisor for concurrent systems without actually constructing the composite system, only by means of the structure of the respective subsystems. Section III.1 investigates some properties of parallel compositions of FSMs and prepares the notion of partial controllability, which is addressed in Section III.2. Partial controllability can be understood as a localized version of the property of controllability of control objectives. Section III.3 then addresses the definition of a supervisor from a partially controllable control objective. It turns out that if the events shared by different subsystems are controllable and whenever the language of the control objective is included in that of the composed system, a maximal controllable sublanguage of the control objective can effectively be computed. Finally, situations in which the control objective is not included in the language of the system are considered. We give a simple criterion—called local consistency—which ensures the existence of a maximal controllable sublanguage of the control objective also in this case.

III.1. Concurrent Discrete Event System

This chapter addresses the control of systems composed of several components sharing common events. To do so, let us consider a system G whose behaviors are modeled as a collection of languages (Li)1≤i≤n, each modeling the behaviors of one subsystem Gi. Recall from Definition I.3.1 that the parallel composition of these languages is denoted by $L = \big\|_{i=1}^{n} L_i$, and that the language of the composed system can be obtained from the reverse projection of the languages of its subsystems. We first have to visit once more the notion of controlled and uncontrolled events.


III.1.1. DEFINITION (Shared Events). Given the set of languages L = (Li)1≤i≤n, we denote by ΣL,s (or Σs for short) the set of shared events of L; formally:

$$\Sigma_{L,s} =_{Def} \bigcup_{i \neq j} (\Sigma_{L_i} \cap \Sigma_{L_j}). \qquad \square$$

As before, the alphabets of the subsystems Li are split into the controllable event set ΣLi,c and the uncontrollable event set ΣLi,uc, i.e. ΣLi = ΣLi,uc ∪ ΣLi,c and ΣLi,uc ∩ ΣLi,c = ∅. Then the alphabet of the global system $L = \big\|_{i=1}^{n} L_i$ and the global sets of controllable and uncontrollable events are given by:

$$\Sigma_L =_{Def} \bigcup_{i=1}^{n} \Sigma_{L_i}, \qquad \Sigma_{L,c} = \bigcup_{i=1}^{n} \Sigma_{L_i,c}, \qquad \text{and} \qquad \Sigma_{L,uc} = \Sigma_L \setminus \Sigma_{L,c}.$$

We assume that for all i, j ∈ {1, 2, …, n} the following relation holds:

$$\Sigma_{L_i,uc} \cap \Sigma_{L_j,c} = \emptyset. \tag{III.1.1}$$

Equation III.1.1 simply means that the components which share a particular event agree about its control status. Under this assumption, we have $\Sigma_{L,uc} = \bigcup_{i=1}^{n} \Sigma_{L_i,uc}$. Let G be the system to be controlled, such that its behaviors are modeled as $L = \big\|_{i=1}^{n} L_i$, and let K ⊆ ΣL* be the control objective. The problem under consideration is now the computation of the supremal controllable sub-language ↑c(K ∩ L, ΣL,uc, L) w. r. t. ΣL,uc and L. Since we deal with concurrent systems, the construction of the entire system may not be feasible (due to the state-space explosion resulting from the parallel composition), and the use of classical supervisory control methodologies may be impractical (see e.g. [17] or [2]). It is therefore important to design algorithms which perform the controller synthesis by taking advantage of the structure of G without actually building it. If the control objective concerns each subsystem separately rather than the entire system, efficient modular supervision can be performed. However, such control objectives do not allow dealing with interactions of the subsystems. For example, such control objectives cannot model a particular behavioral interleaving between different components or a particular scheduling of actions that belong to different components. So, our aim is to find another methodology for which this locality condition is not required. Rather than deriving local specifications according to each subsystem, the idea consists in approximating the global system according to each subsystem, and enforcing the initial control objective with respect to these approximations, leading to the computation of several supervisors. Each of them is assumed to observe the behavior of the whole system and to restrict the set of events that are allowed after a particular execution of the system. From a computational point of view, the system G can be described as follows:

FIGURE III.1. Supervision Scheme (diagram not reproduced in this text version)

III.1.2. LEMMA. Let (Gi)1≤i≤n be a family of FSM and $G = \big\|_{i=1}^{n} G_i$, and let Σ denote $\bigcup_{i=1}^{n} \Sigma_{G_i}$. Then

$$G = \big\|_{i=1}^{n} P^{-1}_{\Sigma_{G_i},\Sigma}(G_i) = \prod_{i=1}^{n} P^{-1}_{\Sigma_{G_i},\Sigma}(G_i), \qquad \Sigma_G = \bigcup_{i=1}^{n} \Sigma_{G_i} = \Sigma_{P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)}.$$

PROOF. Let $G' = \prod_{i=1}^{n} P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)$. First notice that we have

$$\Sigma_{P^{-1}_{\Sigma_{G_1},\Sigma}(G_1)} = \Sigma_{P^{-1}_{\Sigma_{G_2},\Sigma}(G_2)} = \cdots = \Sigma_{P^{-1}_{\Sigma_{G_n},\Sigma}(G_n)} = \Sigma_{G'};$$

$$Q_G = \prod_{i=1}^{n} Q_{G_i} = Q_{G'}, \quad \text{and in particular} \quad q_G = \langle q_{G_1}, q_{G_2}, \ldots, q_{G_n} \rangle = q_{G'}.$$

Thus it remains to show that δG = δG′ does hold. Let q = ⟨q1, q2, …, qn⟩ and q′ = ⟨q′1, q′2, …, q′n⟩ be states of QG (= QG′) and let σ ∈ ΣG = ΣG′. We obtain

$$\begin{aligned}
\delta_G(q,\sigma)! &\Leftrightarrow (\forall i \in in(\sigma))\ \delta_{G_i}(\sigma, q_i)! && \text{(by Def. I.4.3.(d))}\\
&\Leftrightarrow (\forall i \in in(\sigma))\ \delta_{P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)}(\sigma, q_i)!\ \ \&\ \ (\forall i \in \{1,2,\ldots,n\} \setminus in(\sigma))\ \delta_{P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)}(\sigma, q_i)! && \text{(by Def. I.4.5.(d))}\\
&\Leftrightarrow \delta_{G'}(q,\sigma)! && \text{(by Def. I.4.3.(d))}
\end{aligned}$$

Finally, suppose δG(q, σ)! and δG(q, σ) = q′. Further let i ∈ {1, 2, …, n}. Then
(a) If δGi(σ, qi)!, then q′i = δGi(σ, qi). But then $\delta_{P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)}(\sigma, q_i) = \delta_{G_i}(\sigma, q_i)$, thus $q'_i = \delta_{P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)}(\sigma, q_i)$.
(b) If ¬δGi(σ, qi)!, then q′i = qi. Further, if i ∈ in(σ), we have $\neg\delta_{P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)}(\sigma, q_i)!$. If on the other hand i ∉ in(σ), we conclude $\delta_{P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)}(\sigma, q_i) = q_i$.
It follows that δG(q, σ) = δG′(q, σ) for all σ ∈ ΣG and q ∈ QG, and thus the first equation of the Lemma. For the second equation simply notice that $\Sigma_{P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)} = \Sigma_{P^{-1}_{\Sigma_{G_j},\Sigma}(G_j)}$ for 1 ≤ i, j ≤ n. □

In fact, each $P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)$ can be seen as an approximation of the system G, which corresponds to all the behavioral knowledge that we may deduce on G from Gi, knowing that this component is coupled with other components. Further, compared to [16], given a control objective K, instead of performing computations w. r. t. each component Gi (i. e. L(Gi)) in order to enforce $P_{\Sigma_G,\Sigma_{G_i}}(K)$, we have chosen to perform the computations from $P^{-1}_{\Sigma_{G_i},\Sigma_G}(L(G_i))$ in order to enforce K in a modular fashion. Hence our problem is to find conditions under which we are able to synthesize a family (Si)1≤i≤n of supervisors such that

$$L\Big(\bigcap_{i=1}^{n} S_i / P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)\Big) = \uparrow^{c}(K \cap L(G), \Sigma_{G,uc}, L(G)).$$

Unfortunately, it is not sufficient to compute a supervisor Si w. r. t. $P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)$ that restricts the behavior $P^{-1}_{\Sigma_{G_i},\Sigma}(L(G_i))$ to the supremal controllable sublanguage of $K \cap P^{-1}_{\Sigma_{G_i},\Sigma}(L(G_i))$ w. r. t. ΣGi,uc and $P^{-1}_{\Sigma_{G_i},\Sigma}(L(G_i))$, and to coordinate the supervisors Si according to the scheme illustrated in Figure III.1, to obtain the supremal controllable sublanguage of K ∩ L(G). As explained in Example III.1.3, the result may not be controllable.

III.1.3. EXAMPLE. In this example, the system under consideration consists of two subsystems G1 and G2, respectively given in Figures 2(a) and 2(b). ΣG1 = {u1} and ΣG2 = {u2} represent respectively the alphabets of G1 and G2. Σ = ΣG1 ∪ ΣG2 denotes the alphabet of the global system. For i = 1, 2 we assume that ΣGi,uc = {ui} and that Ki denotes $K \cap L(P^{-1}_{\Sigma_i,\Sigma}(G_i))$. Then $\uparrow^{c}(K_i, \Sigma_{G_i,uc}, L(P^{-1}_{\Sigma_i,\Sigma}(G_i)))$ equals L(Gi) = {ε, ui} (except that the alphabets are different). It entails that

$$\uparrow^{c}\big(K_1, \Sigma_{G_1,uc}, L(P^{-1}_{\Sigma_{G_1},\Sigma}(G_1))\big) \cap \uparrow^{c}\big(K_2, \Sigma_{G_2,uc}, L(P^{-1}_{\Sigma_{G_2},\Sigma}(G_2))\big) = \{\varepsilon\}.$$

This language is not controllable with respect to Σuc (= ΣG1,uc ∪ ΣG2,uc) and G1 ∥ G2, since for instance u1 is uncontrollable and can be triggered after ε in G1 ∥ G2. □

The solution we propose consists then in refining the notion of controllability to take into account the fact that uncontrollable events may be local to a component. The property which is ensured on each $P^{-1}_{\Sigma_{G_i},\Sigma}(G_i)$ according to K is called partial controllability and is defined in Section III.2.

FIGURE III.2. (a) G1, (b) G2, (c) K (diagrams not reproduced in this text version)

III.2. Partial Controllability

In order to be as general as possible, the systems under consideration in the sequel of this chapter are not assumed to be modeled by FSM but by languages (not necessarily regular). Partial controllability is defined as follows:

III.2.1. DEFINITION (Partial Controllability). Let K ⊆ L ⊆ Σ* be prefix-closed languages over an alphabet Σ, and let Σ′uc ⊆ Σuc ⊆ Σ be sub-alphabets of Σ. For K′ ⊆ K, if
(a) K′ is controllable w. r. t. Σ′uc and L, and
(b) K′ is controllable w. r. t. Σuc and K,
then K′ is partially controllable with respect to Σ′uc, Σuc, K, and L. □

In practice, L will be the approximation of the language of the system to be controlled w. r. t. one of the components, and K will be the initial control objective (cf. Section III.3 and Theorem III.3.1). Now given a sub-behavior K′ of K, it is allowed to violate the controllability condition by triggering an uncontrollable event σ that is not local (i. e. σ ∈ Σuc \ Σ′uc), because L only constitutes an approximation of the system and because at least one of the other supervisors, computed from the other approximations, will prevent these events from occurring. However, we still want to enforce the controllability of K′ w. r. t. K and ΣGi,uc. Such a requirement aims at dealing with concurrent systems, as explained in the previous section. Moreover, such a requirement is necessary according to Example III.1.3.

In general, K is not partially controllable with respect to Σ′uc, Σuc, K and L (e.g. when K is not controllable w. r. t. Σ′uc and L). However, it can be shown that there exists a supremal sub-language of K for which this property holds.

III.2.2. PROPOSITION ([6]). Let ∅ ⊂ K ⊆ L ⊆ Σ* be prefix-closed languages, and Σ′uc ⊆ Σuc ⊆ Σ. There exists a unique supremal language, denoted ↑pc(K, Σ′uc, Σuc, L), which is partially controllable w. r. t. Σ′uc, Σuc, K and L. Moreover, the equation

$$\uparrow^{pc}(K, \Sigma'_{uc}, \Sigma_{uc}, L) = \uparrow^{c}\big(\uparrow^{c}(K, \Sigma'_{uc}, L), \Sigma_{uc}, K\big)$$

is satisfied. □

If it is clear from the context which alphabets Σ′uc and Σuc and which language L are meant, then we write $K^{\uparrow pc}$ instead of ↑pc(K, Σ′uc, Σuc, L).

Proposition III.2.2 offers a practical way to compute ↑pc(K, Σ′uc, Σuc, L). It can then be shown that the required complexity for the computation is in (NK × NL), where NK (resp. NL) is the number of states of the FSM generating K (resp. L).

III.3. Control of Concurrent Discrete Event Systems

Given a concurrent DES $G = \big\|_{i=1}^{n} G_i$ built from a family of FSMs (Gi)1≤i≤n and a control objective K, the goal is to compute a controllable sublanguage of K ∩ L(G) w. r. t. L(G) and ΣG,uc without actually building the system G itself. Based on the concept of partial controllability applied to K and to the approximations $P^{-1}_{\Sigma_{G_i},\Sigma_G}(L(G_i))$ of the language generated by each of its components, the next theorem provides a modular way to compute a sub-language of K that is controllable with respect to the system.

III.3.1. THEOREM ([7]). Let $L = \big\|_{i=1}^{n} L_i$ be the composition of the languages (Li)1≤i≤n and let K ⊆ ΣL* be a prefix-closed language modeling the control objective. For 1 ≤ i ≤ n put $K_i = K \cap P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)$. Further consider sublanguages K′i ⊆ Ki. If for 1 ≤ i ≤ n, K′i is partially controllable with respect to ΣLi,uc, ΣL,uc, Ki and $P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)$, then $\bigcap_{i=1}^{n} K'_i$ is controllable with respect to ΣL,uc and L. □

Hence Theorem III.3.1 provides a modular method to compute a sub-language of K which is controllable w. r. t. L and ΣL,uc without building the actual system L. From a computational point of view, when K and each Li are respectively modeled by FSM denoted GK and Gi, based on the results of Section III.2, the computation of the supremal language $K_i^{\uparrow pc}$ provides partially controllable control objectives. The complexity of this computation is, for each i ∈ {1, 2, …, n}, in (N × NK), where N represents the maximum number of states of a subsystem Gi and NK that of the control objective K. Let us now describe the way a supervisor can be extracted from the previously computed languages and how it can act upon L in order to enforce the control objective K. With the notations of Theorem III.3.1, $\bigcap_{i=1}^{n} K_i^{\uparrow pc}$ is controllable with respect to ΣL,uc and L. However, it is not a good solution to perform the intersection of these languages and to derive a supervisor from the result, since all the computational advantages of our method would be lost. Thus we derive from each $K_i^{\uparrow pc}$ a function Si which returns, for each execution trace s of L (which is also a trace of $P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)$), the set of events which extend s to a trace of $K_i^{\uparrow pc}$. This function Si can be seen as a partial supervisor which ensures on $P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)$ the partial controllability property w. r. t. ΣLi,uc, ΣL,uc, Ki and $P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)$. Furthermore, following the concept of modularity described in [18], for a given behavior, only events enabled by all the partial supervisors Si are effectively enabled. In other words, the global supervisor acting upon L is given by

$$S(s) =_{Def} \bigcap_{i=1}^{n} S_i(s).$$

The supervisor architecture is summarized in Figure III.1. The methodology described above provides a way to compute a controllable sub-language of K ∩ L. According to Theorem III.3.1, $\bigcap_{1 \le i \le n} K_i^{\uparrow pc}$ is a controllable sub-language of ↑c(K ∩ L, ΣL,uc, L). However, it may happen that this language is not the maximally permissive one. We are now going to present some conditions under which Theorem III.3.1 gives access to the supremal solution. First, it is worth noting that uncontrollable shared events are not adequate for performing local computations. In order to ensure the partial controllability of Ki w. r. t. ΣLi,uc, ΣL,uc, and $P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)$, a partial supervisor might need to disable a shared uncontrollable event, even if this event is not fireable in the global system (this is due to the fact that we are working on approximations and thus with local information). Hence we restrict the class of concurrent DES to the class of concurrent DES which do not share uncontrollable events. Formally, this means that ΣL,s ⊆ ΣL,c, where the set of shared events ΣL,s of $L = \big\|_{i=1}^{n} L_i$ is given in Definition III.1.1. The following Lemma III.3.2 shows that under this new assumption, ↑c(K ∩ L, ΣL,uc, L) fulfills Definition III.2.1.(a).

III.3.2. LEMMA. Let $L = \big\|_{i=1}^{n} L_i$ be the system composed from the family (Li)1≤i≤n and let K ⊆ Σ* be a non-empty prefix-closed language modeling a control objective. If ΣL,s ⊆ ΣL,c is satisfied, then ↑c(K ∩ L, ΣL,uc, L) is controllable w. r. t. ΣLi,uc and $P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)$.

Based on this lemma, we are now able to prove the following theorem.

III.3.3. THEOREM. Let $L = \big\|_{i=1}^{n} L_i$ be the system composed from the family (Li)1≤i≤n and let K ⊆ Σ* be a non-empty prefix-closed language modeling a control objective. Assume ΣL,s ⊆ ΣL,c. For 1 ≤ i ≤ n, we put $K_i = K \cap P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)$. If K ⊆ L, then

$$\bigcap_{i=1}^{n} \uparrow^{pc}\big(K_i, \Sigma_{L_i,uc}, \Sigma_{L,uc}, P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)\big) = \uparrow^{c}(K \cap L, \Sigma_{L,uc}, L).$$

Theorem III.3.3 states that whenever the language of the control objective is included in that of the system, our method computes the supremal controllable sub-language of K w.r.t. L and ΣL,uc. When K and each Li are respectively modeled by FSM denoted GK and Gi, we recall that the complexity of our method is in (n × N × NK). This has to be contrasted with the complexity (N^n × NK) of computing ↑c(K ∩ L(G), ΣG,uc, L(G)) when G is given as a single unstructured FSM. Finally note that to check whether K ⊆ L(G) it is sufficient to check that $K \subseteq P^{-1}_{\Sigma_{G_i},\Sigma_G}(L(G_i))$ for all i ∈ {1, 2, …, n}. Hence, it is not necessary to compute L(G).
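The operators of Sections II.3, III.1 and III.2 carried out on finite languages, as an added example that is not code from the report: ↑c is computed by fixpoint pruning, ↑pc by the nesting of Proposition III.2.2, and the per-component recipe of Theorem III.3.1 is compared with the insufficient per-component ↑c of Example III.1.3 and with ↑c on the composed system. K = {ε, u1, u2} is this example's reading of Figure III.2(c), and the second two-component system is constructed for illustration; both are assumptions.

```python
"""Finite prefix-closed languages as sets of event tuples, () being the empty word.
Added example, not code from the report: the operator ↑c, the operator ↑pc of
Proposition III.2.2, the per-component recipe of Theorems III.3.1/III.3.3, the
insufficient recipe of Example III.1.3, and the global computation on the composed
system. A component is the triple (L_i, Σ_i, Σ_i,uc)."""

def prefix_closure(words):
    """Prefix closure of a set of words; every language below is prefix-closed."""
    return {w[:i] for w in words for i in range(len(w) + 1)}

def project(w, sigma):
    """Natural projection P_{Σ,Σ_i}: erase the events that are not in sigma."""
    return tuple(e for e in w if e in sigma)

def rev_proj(Li, Si):
    """P^{-1}_{Σ_i,Σ}(L_i) as a membership test: the language is infinite over the
    global alphabet, but ↑c only ever asks whether a given word belongs to it."""
    return lambda w: project(w, Si) in Li

def member(L):
    """Membership test for L given as a finite set or as a predicate (reverse projection)."""
    return L if callable(L) else L.__contains__

def parallel(components):
    """∥_i L_i = ∩_i P^{-1}_{Σ_i,Σ}(L_i) (Lemma III.1.2), enumerated by extending words;
    terminates because every L_i is finite and prefix-closed."""
    sigma = set().union(*(Si for _, Si, _ in components))
    words, frontier = {()}, [()]
    while frontier:
        w = frontier.pop()
        for e in sigma:
            nxt = w + (e,)
            if nxt not in words and all(project(nxt, Si) in Li for Li, Si, _ in components):
                words.add(nxt)
                frontier.append(nxt)
    return words

def is_controllable(K, Suc, L):
    """K controllable w.r.t. Σuc and L: s ∈ K, σ ∈ Σuc and sσ ∈ L imply sσ ∈ K."""
    in_L = member(L)
    return all(s + (u,) in K for s in K for u in Suc if in_L(s + (u,)))

def sup_c(K, Suc, L):
    """↑c(K, Σuc, L): supremal controllable sublanguage of K ∩ L w.r.t. Σuc and L.
    Fixpoint: drop each word violating controllability together with all its
    extensions (so the result stays prefix-closed) until no violation is left."""
    in_L = member(L)
    K = {w for w in K if in_L(w)}
    while True:
        bad = {s for s in K for u in Suc if in_L(s + (u,)) and s + (u,) not in K}
        if not bad:
            return K
        K = {w for w in K if not any(w[:len(b)] == b for b in bad)}

def sup_pc(K, Suc_local, Suc, L):
    """↑pc(K, Σ'uc, Σuc, L) = ↑c(↑c(K, Σ'uc, L), Σuc, K)  (Proposition III.2.2)."""
    return sup_c(sup_c(K, Suc_local, L), Suc, K)

def supervisor(Kc, s):
    """S(s) = {σ | sσ ∈ Kc}: the events a supervisor realizing Kc enables after trace s."""
    return {w[-1] for w in Kc if len(w) == len(s) + 1 and w[:-1] == s}

def uncontrollable(components):
    """Σ_L,uc = ∪_i Σ_i,uc, well defined under assumption (III.1.1)."""
    return set().union(*(Suc_i for _, _, Suc_i in components))

def local_parts(components, K):
    """Yield (K_i, Σ_i,uc, P^{-1}(L_i)) with K_i = K ∩ P^{-1}_{Σ_i,Σ}(L_i)."""
    for Li, Si, Suc_i in components:
        approx = rev_proj(Li, Si)
        yield {w for w in K if approx(w)}, Suc_i, approx

def naive_modular(components, K):
    """∩_i ↑c(K_i, Σ_i,uc, P^{-1}(L_i)): the recipe Example III.1.3 shows to be insufficient."""
    return set.intersection(*(sup_c(Ki, Suc_i, A) for Ki, Suc_i, A in local_parts(components, K)))

def modular_supremal(components, K):
    """∩_i ↑pc(K_i, Σ_i,uc, Σ_L,uc, P^{-1}(L_i)): Theorem III.3.1, one ↑pc per component."""
    Suc = uncontrollable(components)
    return set.intersection(*(sup_pc(Ki, Suc_i, Suc, A) for Ki, Suc_i, A in local_parts(components, K)))

def global_supremal(components, K):
    """↑c(K ∩ L, Σ_L,uc, L) on the composed system L, the value the modular method must match."""
    return sup_c(K, uncontrollable(components), parallel(components))

# Example III.1.3: L(G1) = {ε, u1}, L(G2) = {ε, u2}, u1 and u2 uncontrollable;
# K = {ε, u1, u2} is this example's reading of Figure III.2(c) (an assumption).
EXAMPLE_III_1_3 = [(prefix_closure({("u1",)}), {"u1"}, {"u1"}),
                   (prefix_closure({("u2",)}), {"u2"}, {"u2"})]
K_III_1_3 = prefix_closure({("u1",), ("u2",)})

# Constructed second system (not from the report): G1 does a then u1, G2 does u2,
# a is controllable; K forbids a after u2 and allows every other interleaving.
SECOND = [(prefix_closure({("a", "u1")}), {"a", "u1"}, {"u1"}),
          (prefix_closure({("u2",)}), {"u2"}, {"u2"})]
K_SECOND = prefix_closure({("a", "u1", "u2"), ("a", "u2", "u1"), ("u2",)})

if __name__ == "__main__":
    naive = naive_modular(EXAMPLE_III_1_3, K_III_1_3)  # {()}, not controllable w.r.t. G1 ∥ G2
    print(naive, modular_supremal(EXAMPLE_III_1_3, K_III_1_3), global_supremal(EXAMPLE_III_1_3, K_III_1_3))
    print(supervisor(modular_supremal(SECOND, K_SECOND), ("u2",)))  # set(): a is disabled after u2
```

For Example III.1.3 the per-component ↑c intersection is {ε}, which fails controllability on G1 ∥ G2, while the ↑pc recipe and the global ↑c both yield ∅; for the constructed system both recipes return K itself, and the derived supervisor disables a after u2.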

In some situations, modeling the specification by a language that is included in the language of the system may lead to a language which is too large to be efficiently represented. Moreover, validating that the control objective K is included in the language of the system may be difficult insofar as L(G) is not known in all cases. One can for instance think of a specification which requires that the system triggers a particular event—say a—only once. This control objective can be modeled by a FSM with two states. However, if we require its language to be included in that of the system to be controlled, we would have to expand it to take into account each occurrence of a in the whole system. To alleviate these problems (size, inclusion and difficulty of modeling), we now introduce a new condition under which our methodology yields the supremal controllable sub-language of K w.r.t. L and ΣG,uc. This condition does not require that the (language of the) control objective be included in the language of the system, and it allows considering objectives which are relatively independent of the system. This condition is called local consistency and is given in Definition III.3.5. But first, we introduce the notion of consistency (recall from Equation (I.2.2) that K(s, Σ) denotes the set {s′ ∈ Σ* | ss′ ∈ K}).

III.3.4. DEFINITION. Let Σ′ ⊆ Σ be two alphabets and let K ⊆ Σ* be a non-empty prefix-closed language. Let us consider alphabets Σuc ⊆ Σ and Σ′uc = Σuc ∩ Σ′. K is said to be consistent with respect to Σuc and PΣ,Σ′ if

$$P_{\Sigma,\Sigma'}(s')\sigma \in K(s, \Sigma'_{uc}) \;\Rightarrow\; s'\sigma \in K(s, \Sigma_{uc})$$

does hold for all s ∈ K, s′ ∈ K(s, Σuc), and for all σ ∈ Σ′uc. □

This definition makes it possible to describe certain interleavings between the local uncontrollable events (Σ′uc in the definition) and the global uncontrollable events (Σuc). In particular, among other aspects, this condition ensures that if there is a local uncontrollable event that is admissible after executing a sequence s from K, then this event is still admissible whenever K triggers an uncontrollable event which belongs to Σuc \ Σ′uc.

III.3.5. DEFINITION. Let us consider a system $L = \big\|_{i=1}^{n} L_i$ composed from the languages (Li)1≤i≤n and let K be a prefix-closed language over ΣL. K is said to be locally consistent w. r. t. ΣL,uc and L if $K \cap P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)$ is consistent with respect to ΣL,uc and $P_{\Sigma_L,\Sigma_{L_i}}$ for all i ∈ {1, 2, …, n}. □

Intuitively, K is locally consistent with respect to ΣG,uc and L if the possible interleavings between the local and global uncontrollable events w. r. t. each approximation of the system are taken into account in the control objective K. Roughly speaking, it means that K respects the interleaving between the local and global uncontrollable events as long as they happen in the approximations.

III.3.6. EXAMPLE. In this example, the system G under consideration consists of two subsystems G1 and G2 respectively given in Figures 3(a) and 3(b). The alphabets of G1 and G2 are respectively ΣG1 = {a, u1, u′1} and ΣG2 = {b, u2, u′2}. The corresponding sets of uncontrollable events are ΣG1,uc = {u1, u′1} and ΣG2,uc = {u2, u′2}. Σ denotes ΣG1 ∪ ΣG2 and Σuc denotes ΣG1,uc ∪ ΣG2,uc. Several control objectives are introduced in Figures 3(c) to 3(f). The control objective K is actually locally consistent with respect to Σ and G. In this example, this is quite obvious since all the uncontrollable events interleave with each other. By contrast, this is not the case for the control objective K′: $K'_1 = K' \cap L(P^{-1}_{\Sigma_{G_1},\Sigma}(G_1))$ is indeed not consistent with respect to Σuc and $P_{\Sigma,\Sigma_{G_1}}$, since $P_{\Sigma,\Sigma_{G_1}}(u'_2)u_1 \in K'_1(abu_2)$ but $u'_2u_1 \notin K'_1(abu_2)$. The behaviors of the control objective which do not belong to the system play an important role in ensuring local consistency. If we now consider the control objective K″, it looks very much like K′, but it is locally consistent. If K″1 denotes $K'' \cap L(P^{-1}_{\Sigma_{G_1},\Sigma}(G_1))$, then $P_{\Sigma,\Sigma_{G_1}}(u'_2)u'_1$ does not actually belong to K″1(abu2), since u′1 cannot be triggered after the sequence a in G1. Finally, one can check that K‴ also represents a locally consistent language with respect to Σ and G. □

III.3.7. THEOREM. Let $L = \big\|_{i=1}^{n} L_i$ be the system composed from the family (Li)1≤i≤n and let K ⊆ ΣL* be a non-empty prefix-closed language modeling a control objective. Let $K_i = K \cap P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)$ for 1 ≤ i ≤ n and assume ΣL,s ⊆ ΣL,c. If K is locally consistent, then

$$\bigcap_{i=1}^{n} \uparrow^{pc}\big(K_i, \Sigma_{L_i,uc}, \Sigma_{L,uc}, P^{-1}_{\Sigma_{L_i},\Sigma_L}(L_i)\big) = \uparrow^{c}(K \cap L, \Sigma_{L,uc}, L).$$

Theorem III.3.7 states that the local consistency of the control objective K together with ΣL,s ⊆ ΣL,c are sufficient conditions under which the proposed approach solves the Basic Supervisory Control Problem. Now, given prefix-closed languages K and L, when K and each Li are respectively modeled by FSM denoted GK and Gi, the complexity of checking local consistency is (n × N² × NK²), where NK denotes the number of states of the FSM generating K and N is the maximum number of states of the n subsystems Gi. Moreover, as previously mentioned, the complexity of computing ↑c(K ∩ L(G), ΣG,uc, L(G)) with our method is (n × NK × N). Therefore, whenever our method can be applied, its overall complexity is (n × N² × NK²).
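The consistency condition of Definition III.3.4 and the local consistency check of Definition III.3.5 run on finite languages, as an added example that is not code from the report. The two-component system and the two objectives K_BAD and K_GOOD are constructed here (not the ones of Figure III.3) to show one objective that loses a local uncontrollable event after a non-local one and one that keeps both interleavings.

```python
"""Consistency (Definition III.3.4) and local consistency (Definition III.3.5) on
finite prefix-closed languages given as sets of event tuples, () being the empty word.
Added example, not code from the report; the system and objectives are constructed."""

def prefix_closure(words):
    """Prefix closure of a set of words."""
    return {w[:i] for w in words for i in range(len(w) + 1)}

def project(w, sigma):
    """Natural projection P_{Σ,Σ'}: erase the events not in sigma."""
    return tuple(e for e in w if e in sigma)

def continuations(K, s, sigma):
    """K(s, Σ) = {s' ∈ Σ* | ss' ∈ K}  (Equation (I.2.2)), restricted to words over sigma."""
    n = len(s)
    return {w[n:] for w in K if w[:n] == s and all(e in sigma for e in w[n:])}

def is_consistent(K, Suc, Sprime):
    """K is consistent w.r.t. Σuc and P_{Σ,Σ'} iff for all s ∈ K, s' ∈ K(s, Σuc), σ ∈ Σ'uc:
    P_{Σ,Σ'}(s')σ ∈ K(s, Σ'uc)  ⇒  s'σ ∈ K(s, Σuc),  where Σ'uc = Σuc ∩ Σ'."""
    Sprime_uc = Suc & Sprime
    for s in K:
        glob = continuations(K, s, Suc)        # K(s, Σuc)
        loc = continuations(K, s, Sprime_uc)   # K(s, Σ'uc)
        for s2 in glob:
            for sig in Sprime_uc:
                if project(s2, Sprime) + (sig,) in loc and s2 + (sig,) not in glob:
                    return False  # local event admissible in the local view, lost after s'
    return True

def is_locally_consistent(components, K):
    """Definition III.3.5: K ∩ P^{-1}_{Σ_i,Σ}(L_i) is consistent w.r.t. Σ_L,uc and P_{Σ,Σ_i}
    for every i. A component is (L_i, Σ_i, Σ_i,uc); Σ_L,uc = ∪_i Σ_i,uc by (III.1.1)."""
    Suc = set().union(*(Suc_i for _, _, Suc_i in components))
    return all(is_consistent({w for w in K if project(w, Si) in Li}, Suc, Si)
               for Li, Si, _ in components)

# Constructed system: G1 does a then u1, G2 does u2; u1 and u2 are uncontrollable.
SYSTEM = [(prefix_closure({("a", "u1")}), {"a", "u1"}, {"u1"}),
          (prefix_closure({("u2",)}), {"u2"}, {"u2"})]
# K_BAD admits u1 and u2 after a but not u1 once u2 has occurred: after s = a the
# non-local uncontrollable u2 removes the local uncontrollable u1, so K_BAD ∩ P^{-1}(L_1)
# is not consistent w.r.t. Σ_L,uc and P_{Σ,Σ_1}. K_GOOD keeps both interleavings.
K_BAD = prefix_closure({("a", "u1"), ("a", "u2")})
K_GOOD = prefix_closure({("a", "u1", "u2"), ("a", "u2", "u1")})
```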

FIGURE III.3. (a) G1, (b) G2, (c) K, (d) K′, (e) K″, (f) K‴ (diagrams not reproduced in this text version)

CHAPTER IV

Controllability of Parameterized Languages

An efficient method to solve the basic supervisory control problem has been introduced in the previous sections. This method relies on modeling the system and the control objective by languages or FSMs. For practical applications it is however convenient (and sometimes necessary) to deal with more powerful modeling formalisms. To that purpose, Extended Finite State Machines (EFSM) will be considered in the sequel. The EFSM model makes it possible to deal with variables of the system and hence with infinite-state systems, as variables may range over infinite domains.

Consider a system—modeled e. g. by an EFSM—which depends on a number of variables that control its execution. Thus any particular setting of these variables causes the system to produce another set of possible execution sequences, or—stated differently—the semantics of the system consists in a mapping from the initial values of the variables into a set of execution sequences possible under these initial settings. This is the intuition behind parameterized languages: they are mappings from a domain D of values (of variables) into a language L of execution sequences comprising events of the system under consideration. The necessary formal machinery for parameterized languages is provided in Section IV.1. The remaining sections of this chapter address the lift of the theory presented so far to the case of parameterized languages. In particular, Section IV.2 deals with controllability, while IV.3 addresses the case of concurrent systems (i. e. parallel compositions of parameterized languages).

IV.1. Parameterized Languages

To describe the behavior of an EFSM E with values ranging over a data domain D, the notion of a parameterized language is introduced as a mapping of values from the domain D into the set of sequences executable by E if these values are taken as initial values for the variables which occur in E. Currently, we impose no restriction on the domain D, but once we start talking about abstract interpretation in Section V.5 we will have to assume that D is a countable set (i. e. isomorphic to the set of non-negative integers).

IV.1.1. DEFINITION. A parameterized language L over an alphabet Σ and a domain D is a function L : D → (Σ). The set of parameterized languages over Σ and D is denoted (Σ, D); its members are referred to as (Σ, D)-languages. A (Σ, D)-language which associates ∅ to one of the values in D is called an empty parameterized language. □

Therefore, a parameterized language can be seen as a compact way to describe a set of languages. Let us now lift a number of set operations to (Σ, D)-languages.

IV.1.2. DEFINITION (Parameterized Language). Let L1 and L2 be two (Σ, D)-languages. Then the union (intersection) of L1 and L2 is denoted by L1 ∪ L2 (L1 ∩ L2, respectively) and is defined by

$$(L_1 \cup L_2)(d) =_{Def} L_1(d) \cup L_2(d), \qquad (L_1 \cap L_2)(d) =_{Def} L_1(d) \cap L_2(d)$$

for all d ∈ D. Moreover, inclusion of L1 in L2 is defined as L1 ⊆ L2 ⇔Def (∀d ∈ D) L1(d) ⊆ L2(d). Other set operations and predicates like \, ⊂, etc. are defined analogously. □

IV.2. Controllability

In the sequel, we are interested in extending supervisory control theory to parameterized languages. To that purpose, controllability over a (Σ, D)-language is defined.

IV.2.1. DEFINITION (Controllability of (Σ, D)-languages). Let L, L′ ∈ (Σ, D) for some alphabet Σ and a domain D, and let Σuc ⊆ Σ be a set of uncontrollable events. Assume L′ ⊆ L. Then L′ is said to be controllable with respect to Σuc and L if for all d ∈ D, L′(d) is controllable w. r. t. Σuc and L(d). The set of controllable (Σ, D)-languages w. r. t. Σuc and L is denoted (Σuc, L). □

The (Σ, D)-languages model the behaviors of systems which depend on variables. Definition IV.2.1 states that whatever the initial values of the variables, the behavior generated by the system must be controllable.

IV.2.2. THEOREM. For all non-empty (Σ, D)-languages L′ and L with L′ ⊆ L there exists one unique supremal (Σ, D)-language included in L′ which is controllable with respect to Σuc and L. This language is denoted ↑c(L′, Σuc, L) and is defined for all d ∈ D by

$$\uparrow^{c}(L', \Sigma_{uc}, L)(d) = \uparrow^{c}(L'(d), \Sigma_{uc}, L(d)).$$

PROOF. By the definition of ↑c(L′, Σuc, L) and the definition of controllability, ↑c(L′, Σuc, L) is clearly controllable w. r. t. Σuc and L and is also included in L. To verify that ↑c(L′, Σuc, L) is supremal, observe that ↑c(L′, Σuc, L)(d) is supremal in the set (Σuc, L(d)) by Proposition II.2.1 for all d ∈ D. □


Hence, a supremal controllable (Σ, D)-language included in a (Σ, D)-language L always exists (whenever L is not empty) and is defined from the ↑c(·, ·, ·) operator. In the sequel, we are interested in the supervisory control of concurrent systems obtained from the composition of smaller systems whose behavior is given by (Σ, D)-languages.

IV.3. Supervisory Control on Concurrent Parameterized Languages

Let us now introduce the parallel composition of (Σ, D)-languages. This composition aims at modeling the behavior of subsystems which synchronize on actions which are shared between these systems. As in the case of parallel composition over languages, projection over a sub-alphabet is introduced first.

IV.3.1. DEFINITION. Let Σ1 ⊆ Σ2 be two alphabets and let D be a domain. The reverse projection function from Σ1 to Σ2 is an operator $P^{-1}_{\Sigma_1,\Sigma_2} : (\Sigma_1, D) \to (\Sigma_2, D)$ defined by

$$P^{-1}_{\Sigma_1,\Sigma_2}(L)(d) =_{Def} P^{-1}_{\Sigma_1,\Sigma_2}(L(d)),$$

where $P^{-1}_{\Sigma_1,\Sigma_2}(L(d))$ denotes the classical reverse projection of L(d) from Σ1 to Σ2 (Definition I.3.1). □

The reverse projection operator allows defining parallel composition.

IV.3.2. DEFINITION. Let (Σi)1≤i≤n be a family of alphabets, $\Sigma = \bigcup_{i=1}^{n} \Sigma_i$, D be a domain, and let (Li)1≤i≤n be a family of parameterized languages such that Li ∈ (Σi, D). The parallel composition of (Li)1≤i≤n is defined by

$$\big\|_{i=1}^{n} L_i = \bigcap_{i=1}^{n} P^{-1}_{\Sigma_i,\Sigma}(L_i). \qquad \square$$

IV.3.3. REMARK. Note that since for all d ∈ D, $P^{-1}_{\Sigma_i,\Sigma}(L_i)(d) = P^{-1}_{\Sigma_i,\Sigma}(L_i(d))$, an equivalent definition of $\big\|_{i=1}^{n} L_i$ is

$$\Big(\big\|_{i=1}^{n} L_i\Big)(d) = \big\|_{i=1}^{n} \big(L_i(d)\big)$$

for all d ∈ D. □

Definition IV.3.2 is an extension of Definition I.3.4 to parameterized languages. We are now going to lift the definitions for supervisory control of concurrent languages as given in Section III.2 to parameterized concurrent languages.

IV.3.4. DEFINITION. Let Σ′uc ⊆ Σuc ⊆ Σ be three alphabets, and let D be a domain. Let K ⊆ L be two (Σ, D)-languages. If for some (Σ, D)-language K′ ⊆ K we have
(a) K′ is controllable with respect to Σ′uc and L, and
(b) K′ is controllable with respect to Σuc and K,
then K′ is partially controllable with respect to Σ′uc, Σuc, K, and L. □

IV.3.5. PROPOSITION. Let $K \subseteq L \subseteq \Sigma^*$ be non-empty $(\Sigma, D)$-languages and $\Sigma'_{uc} \subseteq \Sigma_{uc}$. Then there exists a unique maximal $(\Sigma, D)$-language, denoted by $\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)$, which is partially controllable w. r. t. $\Sigma'_{uc}$, $\Sigma_{uc}$, $K$ and $L$, namely
$$\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L) = \uparrow\!c\big(\uparrow\!c(K, \Sigma'_{uc}, L), \Sigma_{uc}, K\big).$$

PROOF. First, $\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)$ is well defined and is partially controllable w. r. t. $\Sigma'_{uc}$, $\Sigma_{uc}$, $K$ and $L$. Let $d \in D$. We have
$$\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L) = \uparrow\!c\big(\uparrow\!c(K, \Sigma'_{uc}, L), \Sigma_{uc}, K\big)$$
and
$$\uparrow\!pc(K(d), \Sigma'_{uc}, \Sigma_{uc}, L(d)) = \uparrow\!c\big(\uparrow\!c(K(d), \Sigma'_{uc}, L(d)), \Sigma_{uc}, K(d)\big) \quad \text{for all } d \in D.$$
From Proposition III.2.2, we know that $\uparrow\!c(\uparrow\!c(K(d), \Sigma'_{uc}, L(d)), \Sigma_{uc}, K(d))$ is partially controllable w. r. t. $\Sigma'_{uc}$, $\Sigma_{uc}$, $K(d)$ and $L(d)$. Therefore, by Definition III.2.1, we obtain that
(a) $\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)(d)$ is controllable w. r. t. $\Sigma'_{uc}$ and $L(d)$,
(b) $\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)(d)$ is controllable w. r. t. $\Sigma_{uc}$ and $K(d)$.
Since this holds for all $d \in D$, with Definition IV.2.1 it follows that
(a) $\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)$ is controllable w. r. t. $\Sigma'_{uc}$ and $L$,
(b) $\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)$ is controllable w. r. t. $\Sigma_{uc}$ and $K$,
which means that $\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)$ is partially controllable w. r. t. $\Sigma'_{uc}$, $\Sigma_{uc}$, $K$ and $L$.

Now let us show that $\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)$ is maximal. To that purpose, let us consider a $(\Sigma, D)$-language $K'$ which is partially controllable w. r. t. $\Sigma'_{uc}$, $\Sigma_{uc}$, $K$ and $L$. We now have to show that $K' \subseteq \uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)$. Let $d \in D$. According to the definition of $\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)$ as given in Proposition III.2.2, $\uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)(d)$ is the maximal partially controllable language w. r. t. $\Sigma'_{uc}$, $\Sigma_{uc}$, $K(d)$ and $L(d)$. Since $K'(d)$ is also a partially controllable language w. r. t. $\Sigma'_{uc}$, $\Sigma_{uc}$, $K(d)$ and $L(d)$, we obtain that
$$K'(d) \subseteq \uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)(d).$$
And since this holds for all $d \in D$, we deduce that $K' \subseteq \uparrow\!pc(K, \Sigma'_{uc}, \Sigma_{uc}, L)$. □



In the same way, the results of Section III.3 can be extended as follows. To prepare the theorems we need some additional apparatus. Let $(\Sigma_i)_{1 \le i \le n}$ be a family of alphabets such that $\Sigma = \bigcup_i \Sigma_i$ and each $\Sigma_i$ is partitioned into disjoint subsets $\Sigma_{i,uc}$ and $\Sigma_{i,c}$. We say that $\Sigma$ is consistent w. r. t. the control status of events if we have
$$\Sigma_{i,uc} \cap \Sigma_j = \Sigma_{j,uc} \cap \Sigma_i$$
for $1 \le i, j \le n$. The set of shared events is recalled to equal
$$\Sigma_s =_{\mathrm{Def}} \bigcup_{1 \le i, j \le n,\ i \ne j} \Sigma_i \cap \Sigma_j .$$

IV.3.6. THEOREM. Let $(\Sigma_i)_{1 \le i \le n}$ be a family of alphabets and let $\Sigma = \bigcup_{i=1}^{n} \Sigma_i$. Assume subsets $\Sigma_{i,uc} \subseteq \Sigma_i$, that $\Sigma$ is consistent w. r. t. the control status of events, and let $\Sigma_{uc} = \bigcup_{i=1}^{n} \Sigma_{i,uc}$. Furthermore, let $L = \|_{i=1}^{n} L_i$ for a family of parameterized languages such that $L_i \in (\Sigma_i, D)$ for some domain $D$ and for $1 \le i \le n$. Let $K \in (\Sigma, D)$ be a non-empty parameterized language modelling a control objective, and put $K_i = K \cap P^{-1}_{\Sigma_i,\Sigma}(L_i)$. Then if for all $1 \le i \le n$ a language $K'_i \subseteq K_i$ is partially controllable w. r. t. $\Sigma_{i,uc}$, $\Sigma_{uc}$, $K_i$ and $P^{-1}_{\Sigma_i,\Sigma}(L_i)$, then $\bigcap_{i=1}^{n} K'_i$ is controllable w. r. t. $\Sigma_{uc}$ and $L$.

PROOF. According to Definition IV.1.2 we have
$$\Big(\bigcap_{i=1}^{n} K'_i\Big)(d) = \bigcap_{i=1}^{n} K'_i(d)$$
for all $d \in D$, thus by Theorem III.3.1, $K'(d) = \bigcap_{i=1}^{n} K'_i(d)$ is controllable w. r. t. $\Sigma_{uc}$ and $L(d)$, where $K' =_{\mathrm{Def}} \bigcap_{i=1}^{n} K'_i$. Since this holds for all $d \in D$, we conclude that $K'$ is controllable w. r. t. $\Sigma_{uc}$ and $L$, and hence the result holds. □

Given a control objective, Theorem IV.3.6 provides a method to compute a supervisor in an efficient way. However, the computed supervisor may not be maximally permissive. Theorem IV.3.7 gives a sufficient condition to ensure maximal permissiveness.

IV.3.7. THEOREM. Let $(\Sigma_i)_{1 \le i \le n}$ be a family of alphabets and $\Sigma = \bigcup_i \Sigma_i$. We assume that $\Sigma$ is consistent w. r. t. the control status of events. Put $\Sigma_{uc} = \bigcup_{i=1}^{n} \Sigma_{i,uc}$ and $\Sigma_c = \Sigma \setminus \Sigma_{uc}$. Furthermore, let $L = \|_{i=1}^{n} L_i$ for a family of parameterized languages such that $L_i \in (\Sigma_i, D)$ for some domain $D$ and for $1 \le i \le n$. Let $K \in (\Sigma, D)$ be a non-empty parameterized language modelling a control objective, and put $K_i = K \cap P^{-1}_{\Sigma_i,\Sigma}(L_i)$. If $\Sigma_s \subseteq \Sigma_c$ and $K \subseteq L$, then
$$\bigcap_{1 \le i \le n} \uparrow\!pc\big(K_i, \Sigma_{i,uc}, \Sigma_{uc}, P^{-1}_{\Sigma_i,\Sigma}(L_i)\big) = \uparrow\!c(K, \Sigma_{uc}, L).$$

PROOF. We compute for all $d \in D$,
$$\Big(\bigcap_{i=1}^{n} \uparrow\!pc\big(K_i, \Sigma_{i,uc}, \Sigma_{uc}, P^{-1}_{\Sigma_i,\Sigma}(L_i)\big)\Big)(d) = \bigcap_{i=1}^{n} \Big(\uparrow\!pc\big(K_i, \Sigma_{i,uc}, \Sigma_{uc}, P^{-1}_{\Sigma_i,\Sigma}(L_i)\big)(d)\Big) \quad \text{(Def. IV.1.2)}$$
$$= \bigcap_{i=1}^{n} \uparrow\!pc\big(K_i(d), \Sigma_{i,uc}, \Sigma_{uc}, P^{-1}_{\Sigma_i,\Sigma}(L_i(d))\big) \quad \text{(Prop. IV.3.5, Th. IV.2.2)}$$
$$= \uparrow\!c(K(d), \Sigma_{uc}, L(d)) \quad \text{(Th. III.3.3)}$$
$$= \uparrow\!c(K, \Sigma_{uc}, L)(d) \quad \text{(Def. of } \uparrow\!c(\cdot,\cdot,\cdot)\text{, Th. IV.2.2)} \quad □$$

Theorem IV.3.7 is not fully satisfactory since it implies that the control objective has to be included in the set of behaviors of the system. For that reason, a new condition is now introduced.

IV.3.8. DEFINITION. Let $\Sigma' \subseteq \Sigma$ be two alphabets and let $K \subseteq \Sigma^*$ be a $(\Sigma, D)$-language. Let us consider alphabets $\Sigma_{uc} \subseteq \Sigma$ and $\Sigma'_{uc} = \Sigma_{uc} \cap \Sigma'$. $K$ is said to be consistent w. r. t. $\Sigma'_{uc}$, $\Sigma_{uc}$, and $P_{\Sigma,\Sigma'}$ if $K(d)$ is consistent w. r. t. $\Sigma_{uc}$ and $P_{\Sigma,\Sigma'}$ for all $d \in D$ (compare with Definition III.3.4). □

IV.3.9. DEFINITION. Let us consider parameterized languages $(L_i)_{1 \le i \le n}$ over alphabets $(\Sigma_i)_{1 \le i \le n}$ such that for all $i$, $L_i \in (\Sigma_i, D)$, $L = \|_{i=1}^{n} L_i$, and $\Sigma = \bigcup_{i=1}^{n} \Sigma_i$. $K \in (\Sigma, D)$ is said to be locally consistent with respect to $\Sigma_{uc} \subseteq \Sigma$ and $L$ if $K \cap P^{-1}_{\Sigma_i,\Sigma}(L_i)$ is consistent with respect to $\Sigma_{uc}$ and $P_{\Sigma,\Sigma_i}$ for all $i \in \{1, 2, \ldots, n\}$. □

IV.3.10. THEOREM. Let $(\Sigma_i)_{1 \le i \le n}$ be a family of alphabets consistent w. r. t. the control status of events, and let $\Sigma = \bigcup_{i=1}^{n} \Sigma_i$. Put $\Sigma_{uc} = \bigcup_{i=1}^{n} \Sigma_{i,uc}$ and $\Sigma_c = \Sigma \setminus \Sigma_{uc}$. Furthermore, let $L = \|_{i=1}^{n} L_i$ for a family of parameterized languages such that $L_i \in (\Sigma_i, D)$ for some domain $D$ and for $1 \le i \le n$. Let $K \in (\Sigma, D)$ be a non-empty parameterized language modeling a control objective, and put $K_i = K \cap P^{-1}_{\Sigma_i,\Sigma}(L_i)$. If $\Sigma_s \subseteq \Sigma_c$ and $K$ is locally consistent, then
$$\bigcap_{i=1}^{n} \uparrow\!pc\big(K_i, \Sigma_{i,uc}, \Sigma_{uc}, P^{-1}_{\Sigma_i,\Sigma}(L_i)\big) = \uparrow\!c(K \cap L, \Sigma_{uc}, L).$$

PROOF. Let $d \in D$. We compute
$$\Big(\bigcap_{i=1}^{n} \uparrow\!pc\big(K_i, \Sigma_{i,uc}, \Sigma_{uc}, P^{-1}_{\Sigma_i,\Sigma}(L_i)\big)\Big)(d) = \bigcap_{i=1}^{n} \Big(\uparrow\!pc\big(K_i, \Sigma_{i,uc}, \Sigma_{uc}, P^{-1}_{\Sigma_i,\Sigma}(L_i)\big)(d)\Big) \quad \text{(Def. IV.1.2)}$$
$$= \bigcap_{i=1}^{n} \uparrow\!pc\big(K_i(d), \Sigma_{i,uc}, \Sigma_{uc}, P^{-1}_{\Sigma_i,\Sigma}(L_i(d))\big) \quad \text{(Prop. III.2.2, Th. IV.2.2)}$$
$$= \uparrow\!c(K(d) \cap L(d), \Sigma_{uc}, L(d)) \quad (\dagger)$$
$$= \uparrow\!c(K \cap L, \Sigma_{uc}, L)(d) \quad \text{(Th. IV.2.2)}$$
where the validity of step $(\dagger)$ follows from Theorem III.3.7, since $K$ and thus $K(d)$ is assumed to be locally consistent. □

CHAPTER V

Extended Finite State Machines

Let us now introduce Extended Finite State Machines (EFSM). An EFSM can be seen as an FSM with transitions that are labeled by guards and assignments to variables ranging over some domain D. The syntax and semantics of EFSMs are introduced in Section V.1. In the same way in which an FSM generates a language, an EFSM generates a parameterized language. Our definition given below is however a bit different from the one which is usually used. This study aims at dealing with systems modeled as a composition of EFSMs. Therefore it is necessary to identify the variables which are used to exchange parameters between the components of such a composition. Section V.2 addresses operations on EFSMs, in particular the reverse projection and, most important, the parallel composition of EFSMs (with the specialization of the synchronized product). We also introduce another type of parallel composition, the so-called free parallel composition (with a specialization called free synchronized product). Parallel composition of EFSMs is performed by synchronization over shared events, and it is required that the parameter values of these shared events are equal in all sub-components that participate in the synchronization action. The latter requirement is dropped in the free version of the parallel composition, meaning that synchronization is carried out without the exchange of parameter values. Supervisory control of systems given by a (single, monolithic) EFSM is addressed in Section V.3. The concurrent case is the topic of Section V.4. An algorithm to generate a supervisor for a (single, monolithic) EFSM is given in Section V.3, and Section V.4 deals with the concurrent case. Finally, we give a very brief introduction to what is called abstract interpretation in Section V.5. Abstract interpretation provides a tool to work with computations in infinite domains (here: the state space of an EFSM) and can be employed for a feasible approach to the generation of a supervisor for a concurrent infinite state system.

V.1. Syntax and Semantics

As already mentioned, an EFSM comprises an FSM which defines the control structure of the modeled system. Transitions of this control structure however now depend on the values of the variables of the EFSM; more precisely, a Boolean expression over these variables (called a guard) is assigned to each transition. The transition is allowed to occur only if the guard evaluates to true for the actual values of the variables. If a transition occurs, it might change the values of certain variables. The following definition explains the components of an EFSM.

V.1.1. DEFINITION (Extended Finite State Machine). An Extended Finite State Machine (EFSM) over some set $D$ of values (called a domain in the sequel) is a tuple $E = \langle \Sigma, Q, q, T, V, G, A \rangle$, where
(a) $\Sigma$ is a finite alphabet,
(b) $Q$ is a set of states,
(c) $q \in Q$ is an initial state,
(d) $T \subseteq \Sigma \times Q \times Q$ is a transition relation such that if there are transitions $\langle \sigma, q, q_1 \rangle \in T$ and $\langle \sigma, q, q_2 \rangle \in T$, then $q_1 = q_2$ (i. e. $T$ can be viewed as a partial function from $\Sigma \times Q$ to $Q$),
(e) $V$ is a finite set of variables containing a set $V_R$ of variables whose assignment in $E$ is said to be relevant,
(f) $G : T \to ((V \to D) \to \mathbb{B})$ is a guard assignment,
(g) $A : T \to ((V \to D) \to (V_R \to D))$ is a variable state transition assignment.

We further define $F(E) =_{\mathrm{Def}} \langle \Sigma, Q, q, \delta \rangle$ to be the finite state machine defining the control structure of $E$. Here, the transition function $\delta : \Sigma \times Q \to Q$ is defined as
$$\delta(\sigma, q) =_{\mathrm{Def}} \begin{cases} q', & \text{if } \langle \sigma, q, q' \rangle \in T; \\ \text{undefined} & \text{otherwise.} \end{cases}$$
Note that $\delta$ is well-defined because of (d). □

If one EFSM $E$ is composed with other EFSMs, then some of its variables may be affected by them. The way this happens may not appear in the definition of $E$. The affected variables may for instance change values although no action occurs in $E$. The assignment of such variables is then not described in a relevant manner by the system. These variables are the ones of $V_E \setminus V_R$, and they are in particular useful to model parameters of communication between EFSMs.

FIGURE V.1. An example of EFSM: E (states 0 and 1; transitions a: 0 → 1 with guard X1 > 0 ∧ X2 < 0 and X1 := 0; b: 1 → 1 with guard X2 < 0 and X1 := X1 + 1; c: 1 → 1 with X2 := X2 + 1; d: 1 → 0 with guard X1 > 10 ∧ X2 < 0 and X1 := −1; X2 := −1)

V.1.2. EXAMPLE. Let us now consider an example of EFSM $E$. This EFSM is depicted in Figure V.1. Its characteristics are given by
$$\Sigma = \{a, b, c, d\}, \quad Q = \{0, 1\}, \quad q_{init} = 0, \quad T = \{(a, 0, 1), (b, 1, 1), (c, 1, 1), (d, 1, 0)\}, \quad V = \{X_1, X_2\}, \quad V_R = \{X_1, X_2\}\ (= V).$$
Moreover, the guard function $G$ and the assignment function $A$ are defined by

    Transition t   G(t)                  A(t)
    (a, 0, 1)      X1 > 0 ∧ X2 < 0       X1 := 0
    (b, 1, 1)      X2 < 0                X1 := X1 + 1
    (c, 1, 1)      True                  X2 := X2 + 1
    (d, 1, 0)      X1 > 10 ∧ X2 < 0      X1 := −1; X2 := −1

Let us consider $\theta : \{X_1, X_2\} \to \mathbb{N}$ defined by $\theta(X_1) = 3$ and $\theta(X_2) = -1$. Then $G(\langle a, 0, 1 \rangle)(\theta) = \mathrm{True}$ and $A(\langle a, 0, 1 \rangle)(\theta) = \theta'$ with $\theta'(X_1) = 0$ and $\theta'(X_2) = -1$. Hence, if $\theta$ models the initial values of the variables $X_1$ and $X_2$ in $E$, then the event $a$ can occur and the values of the variables are modified according to $\theta'$. □

We now discuss the semantics of an EFSM, which is defined in terms of parameterized languages. To prepare the definition of the language of an EFSM, we introduce variable states as well as transformations of variable states by the occurrence of transitions. This leads to an extension of the $\delta$-function used in the definition of FSMs which acts not only on the states of the EFSM but also on the values of the variables of the EFSM. This new version of $\delta$ is then extended again to work with event sequences instead of single events.

V.1.3. DEFINITION (Variable States and State Transformations). Let $E$ be an EFSM over the domain $D$. Any mapping $\theta : V_E \to D$ is called a variable state. The set of variable states of $E$ is denoted by $\Theta_E(D)$. For $t \in T_E$ we define a partial function $\delta_t : \Sigma_E \times Q_E \times \wp(\Theta_E(D)) \rightharpoonup Q_E \times \wp(\Theta_E(D))$ as follows:
$$\delta_{\langle \sigma, q_1, q_2 \rangle}(\sigma', q, \Theta)! \ \Leftrightarrow_{\mathrm{Def}}\ q_1 = q \ \&\ \sigma = \sigma' \ \&\ (\exists \theta \in \Theta)\ G_E(\langle \sigma, q_1, q_2 \rangle)(\theta)$$
and if $\delta_{\langle \sigma, q_1, q_2 \rangle}(\sigma', q, \Theta)!$, then
$$\delta_{\langle \sigma, q_1, q_2 \rangle}(\sigma', q, \Theta) =_{\mathrm{Def}} \langle q_2, \Theta' \rangle$$
with
$$\Theta' = \{\theta' \in \Theta_E(D) \mid (\exists \theta \in \Theta)\ G_E(\langle \sigma, q_1, q_2 \rangle)(\theta) \ \&\ A_E(\langle \sigma, q_1, q_2 \rangle)(\theta)|_{V_R} = \theta'|_{V_R}\}.$$
We further define
$$\delta_E =_{\mathrm{Def}} \bigcup_{t \in T_E} \delta_t ,$$
and extend $\delta_E$ inductively to work with sequences from $\Sigma_E^*$:
$$\delta_E(q, \varepsilon, \Theta) =_{\mathrm{Def}} \langle q, \Theta \rangle$$
$$\delta_E(q, s\sigma, \Theta) =_{\mathrm{Def}} \langle q', \Theta' \rangle, \quad \text{if } \delta_E(q, s, \Theta)! \ \&\ \delta_E(q, s, \Theta) = \langle q'', \Theta'' \rangle \ \&\ \delta_E(q'', \sigma, \Theta'')! \ \&\ \delta_E(q'', \sigma, \Theta'') = \langle q', \Theta' \rangle$$
for all $\sigma \in \Sigma_E$ and $s \in \Sigma_E^*$. □

Note that $\delta_E$ is well-defined because of Definition V.1.1.(d). We are now ready to define the language of an EFSM.

V.1.4. DEFINITION. Let $E$ be an EFSM over the domain $D$. The language generated by $E$ is a parameterized language over $\Sigma_E$ and $\Theta_E(D)$, $L_E : \Theta_E(D) \to \wp(\Sigma_E^*)$, defined by
$$L_E(\theta) = \{s \in \Sigma_E^* \mid \delta_E(q_E, s, \{\theta\})!\}. \quad □$$

Definition V.1.4 introduces the behavior of an EFSM $E$: it is a parameterized language $L_E \in (\Sigma_E, \Theta_E(D))$ for some domain $D$. An initial variable state $\theta \in \Theta_E(D)$ thus determines the possible execution sequences $L_E(\theta)$ of $E$.

V.1.5. EXAMPLE. Let us consider again the EFSM $E$ given in Figure V.1. We assume that $V = V_R$ again. The parameterized language $L_E$ is then a function, and for instance, if $\theta : \{X_1, X_2\} \to \mathbb{N}$ with $\theta(X_1) = 3$ and $\theta(X_2) = 0$, then
$$L_E(\theta) = \{\varepsilon\}.$$
This is due to the fact that $X_2 < 0$ is needed to trigger event $a$ from the initial state. If $\theta(X_1) = 3$ and $\theta(X_2) = -1$, then we have
$$L_E(\theta) = \{\varepsilon, a, a.b^*.c^+\} \cup \{a.(b)^n.d \mid n > 10\}.$$
In this case, since initially $X_1 > 0 \wedge X_2 < 0$, event $a$ can be triggered and the system enters state 1 of the EFSM. Since event $a$ occurred, $X_1 := 0$ while $X_2 = -1$. Now from state 1, some $b$ can occur, followed by occurrences of event $c$. But as soon as event $c$ has occurred, other events cannot occur any more. This is due to the fact that if $c$ occurs, then $X_2$ is incremented and is no longer strictly negative; however, this condition is required to trigger the other events from state 1. Finally, after event $a$ and some $b$ occur, event $d$ can also occur if at least ten $b$ occurred before. And if one $d$ occurs, then $X_1 = -1$ and no more events can be triggered. □

V.2. Operations on Extended Finite State Machines

Reverse Projection. We now define a reverse projection operation $P^{-1}$ acting on the class of EFSMs. As in the case of the simpler formalism of FSMs, the reverse projection of an EFSM $E$ to an alphabet $\Sigma \supseteq \Sigma_E$ is carried out by adding self-loops $q \xrightarrow{\sigma} q$ to each state $q$ of $E$ and for each $\sigma \in \Sigma \setminus \Sigma_E$. These new transitions have trivial guard assignments (always yielding true) and trivial variable state transitions which do not alter the variable values of the projected EFSM.

V.2.1. DEFINITION (Reverse Projection). Let $E$ be an EFSM and let $\Sigma \supseteq \Sigma_E$ be an alphabet. The reverse projection of $E$ according to $\Sigma$ is an EFSM $P^{-1}_{\Sigma_E,\Sigma}(E)$ comprising the following components:
(a) $\Sigma_{P^{-1}_{\Sigma_E,\Sigma}(E)} =_{\mathrm{Def}} \Sigma$;
(b) $Q_{P^{-1}_{\Sigma_E,\Sigma}(E)} =_{\mathrm{Def}} Q_E$;
(c) $q_{P^{-1}_{\Sigma_E,\Sigma}(E)} =_{\mathrm{Def}} q_E$;
(d) $T_{P^{-1}_{\Sigma_E,\Sigma}(E)} =_{\mathrm{Def}} T_E \cup \{\langle \sigma, q, q \rangle \in \Sigma_{P^{-1}_{\Sigma_E,\Sigma}(E)} \times Q_{P^{-1}_{\Sigma_E,\Sigma}(E)} \times Q_{P^{-1}_{\Sigma_E,\Sigma}(E)} \mid \sigma \in \Sigma \setminus \Sigma_E\}$;
(e) $V_{P^{-1}_{\Sigma_E,\Sigma}(E)} =_{\mathrm{Def}} V_E$;
(f) $G_{P^{-1}_{\Sigma_E,\Sigma}(E)}$ is defined for all $t \in T_{P^{-1}_{\Sigma_E,\Sigma}(E)}$ and $\theta \in \Theta(D)$ by
$$G_{P^{-1}_{\Sigma_E,\Sigma}(E)}(t)(\theta) =_{\mathrm{Def}} \begin{cases} G_E(t)(\theta); & \text{if } t \in T_E \\ \text{true}; & \text{otherwise} \end{cases}$$
(g) $A_{P^{-1}_{\Sigma_E,\Sigma}(E)}$ is defined for all $t \in T_{P^{-1}_{\Sigma_E,\Sigma}(E)}$ and $\theta \in \Theta(D)$ by
$$A_{P^{-1}_{\Sigma_E,\Sigma}(E)}(t)(\theta) =_{\mathrm{Def}} \begin{cases} A_E(t)(\theta); & \text{if } t \in T_E \\ \theta; & \text{otherwise} \end{cases}$$
Please note that $F(P^{-1}_{\Sigma_E,\Sigma}(E)) = P^{-1}_{\Sigma_E,\Sigma}(F(E))$. □

Now let us show that the reverse projection of an EFSM $E$ gives an EFSM that generates the reverse projection language of $L_E$.

V.2.2. LEMMA. Let $E$ be an EFSM and $\Sigma$ be an alphabet such that $\Sigma_E \subseteq \Sigma$. Then
$$P^{-1}_{\Sigma_E,\Sigma}(L_E) = L_{P^{-1}_{\Sigma_E,\Sigma}(E)} .$$

PROOF. The proof is carried out by means of induction over the length of sequences $s \in \Sigma^*$. First note that $\varepsilon \in P^{-1}_{\Sigma_E,\Sigma}(L_E)(\theta)$ and $\varepsilon \in L_{P^{-1}_{\Sigma_E,\Sigma}(E)}(\theta)$. Now let $s \in P^{-1}_{\Sigma_E,\Sigma}(L_E)(\theta) \cap L_{P^{-1}_{\Sigma_E,\Sigma}(E)}(\theta)$ and let $\sigma \in \Sigma$. To see that $s\sigma$ is in the first of the considered languages if and only if it is in the second one, we need to distinguish two cases:

(a) $\sigma \in \Sigma_E$. In this case the main argument is that $\sigma$ is enabled in $E$ after the firing of the sequence $s$ exactly if $\sigma$ is enabled in $P^{-1}_{\Sigma_E,\Sigma}(E)$ after the execution of $s$ (which is possible in both cases because of the induction hypothesis). More precisely, we have
$$s\sigma \in P^{-1}_{\Sigma_E,\Sigma}(L_E)(\theta) \Leftrightarrow s\sigma \in P^{-1}_{\Sigma_E,\Sigma}(L_E(\theta)) \quad \text{(Def. IV.3.1)}$$
$$\Leftrightarrow s\sigma \in \{s' \in \Sigma^* \mid P_{\Sigma,\Sigma_E}(s') \in L_E(\theta)\} \quad \text{(Def. I.3.2)}$$
$$\Leftrightarrow P_{\Sigma,\Sigma_E}(s\sigma) \in L_E(\theta)$$
$$\Leftrightarrow P_{\Sigma,\Sigma_E}(s)\,P_{\Sigma,\Sigma_E}(\sigma) \in L_E(\theta) \quad \text{(Def. I.3.1)}$$
$$\Leftrightarrow P_{\Sigma,\Sigma_E}(s)\,\sigma \in L_E(\theta) \quad \text{(Def. I.3.1, } \sigma \in \Sigma_E)$$
$$\Leftrightarrow s \in L_{P^{-1}_{\Sigma_E,\Sigma}(E)}(\theta) \ \&\ \delta_E(\sigma, q, \Theta')! \text{ s. t. } \langle q, \Theta' \rangle = \delta_{P^{-1}_{\Sigma_E,\Sigma}(E)}(s, q_E, \{\theta\}) \quad \text{(Induction hypothesis, Def. V.1.4)}$$
$$\Leftrightarrow s \in L_{P^{-1}_{\Sigma_E,\Sigma}(E)}(\theta) \ \&\ \delta_{P^{-1}_{\Sigma_E,\Sigma}(E)}(\sigma, q, \Theta')! \text{ s. t. } \langle q, \Theta' \rangle = \delta_{P^{-1}_{\Sigma_E,\Sigma}(E)}(s, q_E, \{\theta\}) \quad \text{(since } \sigma \in \Sigma_E)$$
$$\Leftrightarrow s\sigma \in L_{P^{-1}_{\Sigma_E,\Sigma}(E)}(\theta) \quad \text{(Def. V.1.4)}$$

(b) $\sigma \in \Sigma \setminus \Sigma_E$. This is shown pretty much in the same way as the above case, except that we have to take into account the self-loops which are added to $E$ by the projection function $P^{-1}_{\Sigma_E,\Sigma}$. To present all the details we compute
$$s\sigma \in P^{-1}_{\Sigma_E,\Sigma}(L_E)(\theta) \Leftrightarrow s\sigma \in P^{-1}_{\Sigma_E,\Sigma}(L_E(\theta)) \quad \text{(Def. IV.3.1)}$$
$$\Leftrightarrow s\sigma \in \{s' \in \Sigma^* \mid P_{\Sigma,\Sigma_E}(s') \in L_E(\theta)\} \quad \text{(Def. I.3.2)}$$
$$\Leftrightarrow P_{\Sigma,\Sigma_E}(s\sigma) \in L_E(\theta)$$
$$\Leftrightarrow P_{\Sigma,\Sigma_E}(s) \in L_E(\theta) \ \&\ \delta_{P^{-1}_{\Sigma_E,\Sigma}(E)}(\sigma, q, \Theta')! \text{ s. t. } \langle q, \Theta' \rangle = \delta_{P^{-1}_{\Sigma_E,\Sigma}(E)}(s, q_E, \{\theta\}) \quad \text{(Def. V.1.4)}$$
$$\Leftrightarrow s \in L_{P^{-1}_{\Sigma_E,\Sigma}(E)}(\theta) \ \&\ \delta_{P^{-1}_{\Sigma_E,\Sigma}(E)}(\sigma, q, \Theta')! \text{ s. t. } \langle q, \Theta' \rangle = \delta_{P^{-1}_{\Sigma_E,\Sigma}(E)}(s, q_E, \{\theta\}) \quad \text{(Induction hypothesis and since } \sigma \notin \Sigma_E)$$
$$\Leftrightarrow s\sigma \in L_{P^{-1}_{\Sigma_E,\Sigma}(E)}(\theta) \quad \text{(Def. V.1.4)}$$

This concludes the proof. □

Parallel Composition and Synchronous Product. We are now going to define the parallel composition of a number of EFSMs $(E_i)_{1 \le i \le n}$. It happens that our original definition of an EFSM $E$ is not sufficient since it does not indicate syntactically which variables are used to exchange values between synchronized EFSMs. Thus we extend the structure $E$ by a communication variable assignment $\gamma_E : \Sigma_E \rightharpoonup V_E$.

V.2.3. REMARK. Using a single variable $\gamma_E(\sigma)$ instead of a tuple of variables for communication is actually a shortcut to simplify the definition of the synchronized product. If we allow variables to range over tuples of values from $D$ (i. e. we assume that $D$ contains tuples from $D_1 \times D_2 \times \cdots \times D_n$, where $\bigcup_{i=1}^{n} D_i \subseteq D$), this simplification does not restrict the generality of our definition. □

Let $\mathcal{E} = (E_i)_{1 \le i \le n}$ be a family of EFSMs. As already done for FSMs, we use an operator $in_{\mathcal{E}} : \bigcup_{i=1}^{n} \Sigma_{E_i} \to \{1, 2, \ldots, n\}$ to obtain the components in which an event $\sigma$ occurs, i. e. $in_{\mathcal{E}}(\sigma) =_{\mathrm{Def}} \{i : 1 \le i \le n \ \&\ \sigma \in \Sigma_{E_i}\}$. Further, let $out_{\mathcal{E}}(\sigma) =_{\mathrm{Def}} \{1, 2, \ldots, n\} \setminus in_{\mathcal{E}}(\sigma)$. Again we write $in(\cdot)$ instead of $in_{\mathcal{E}}(\cdot)$ if confusion is not possible.

V.2.4. DEFINITION (Parallel Composition). Let $(E_i)_{1 \le i \le n}$ be a family of EFSMs over the domain $D$ such that for all $i, j \in \{1, 2, \ldots, n\}$ with $i \ne j$ we have $V_{E_i} \cap V_{E_j} = \emptyset$ and $\sigma \in \Sigma_{E_i} \cap \Sigma_{E_j} \Rightarrow (\gamma_{E_i}(\sigma)! \Leftrightarrow \gamma_{E_j}(\sigma)!)$. The parallel composition of $(E_i)_{1 \le i \le n}$ is then an EFSM denoted by $\|_{i=1}^{n} E_i$ comprising the following components (with $E = \|_{i=1}^{n} E_i$):
(a) $\Sigma_E = \bigcup_{i=1}^{n} \Sigma_{E_i}$;
(b) $Q_E =_{\mathrm{Def}} \prod_{i=1}^{n} Q_{E_i}$;
(c) $q_E =_{\mathrm{Def}} \langle q_{E_1}, q_{E_2}, \ldots, q_{E_n} \rangle$;

(d) The set of transitions of $E$ is given by
$$\langle \sigma, \langle q_1, q_2, \ldots, q_n \rangle, \langle q'_1, q'_2, \ldots, q'_n \rangle \rangle \in T_E \ \Leftrightarrow_{\mathrm{Def}}\ (\forall i \in in(\sigma))\ \langle \sigma, q_i, q'_i \rangle \in T_{E_i} \ \&\ (\forall j \in out(\sigma))\ q_j = q'_j ;$$
(e) $V_E = \bigcup_{i=1}^{n} V_{E_i}$;
(f) The guard assignment of $E$ is defined as
$$G_E\big(\langle \sigma, \langle q_1, \ldots, q_n \rangle, \langle q'_1, \ldots, q'_n \rangle \rangle\big)(\theta) \ \Leftrightarrow_{\mathrm{Def}}\ \bigwedge_{i \in in(\sigma)} G_{E_i}(\langle \sigma, q_i, q'_i \rangle)(\theta|_{V_{E_i}}) \ \&\ \bigwedge_{i, j \in in(\sigma),\ \gamma_{E_i}(\sigma)!} \theta(\gamma_{E_i}(\sigma)) = \theta(\gamma_{E_j}(\sigma)),$$
where $\theta \in \Theta_E(D)$ ranges of course over the union of the variables of the components $E_i$.
(g) Finally, the variable state transition function is given by
$$A_E\big(\langle \sigma, \langle q_1, \ldots, q_n \rangle, \langle q'_1, \ldots, q'_n \rangle \rangle\big)(\theta) =_{\mathrm{Def}} \bigcup_{i \in in(\sigma)} A_{E_i}(\langle \sigma, q_i, q'_i \rangle)(\theta|_{V_{E_i}}) \ \cup \bigcup_{1 \le j \le n,\ j \notin in(\sigma)} \theta|_{V_{E_j}} ;$$
(h) $\gamma_E(\sigma) =_{\mathrm{Def}} \gamma_{E_1}(\sigma)$ for all $\sigma \in \Sigma_E$. □

Definition V.2.4.(f) ensures that the values of the communication parameters $\gamma_{E_i}(\sigma)$ have to be equal for all components $E_i$. Communication is thus implemented by synchronous handshake.

V.2.5. EXAMPLE. Let us consider the concurrent system given by Figure V.4, whose subsystems $E_1$ and $E_2$ are given by Figures V.2 and V.3 respectively. $\Sigma_{E_1} = \{a, b, \sigma, \sigma'\}$ and $\Sigma_{E_2} = \{u, c, \sigma, \sigma'\}$, and let us denote $\Sigma = \Sigma_{E_1} \cup \Sigma_{E_2}$. Actually, Figures V.2 and V.3 represent $P^{-1}_{\Sigma_{E_1},\Sigma}(E_1)$ and $P^{-1}_{\Sigma_{E_2},\Sigma}(E_2)$ respectively; $E_1$ and $E_2$ are easily obtained by removing each loop transition on each state. The global set of variables for the system is $V = \{X_1, X_2, X_3, X_4, X_5, X_6, X'_1, X'_2, X'_3, X'_4, X'_5\}$. The sets of relevant variables for $E_1$ and $E_2$ are respectively $V_{R_1} = \{X_1, X_2\}$ and $V_{R_2} = \{X'_5\}$. The alphabets of $E_1$ and $E_2$ are respectively $\Sigma_1 = \{a, b, \sigma, \sigma'\}$ and $\Sigma_2 = \{c, \sigma, \sigma'\}$. In $E_1$, the variables associated to event $\sigma'$ are $X_3$ and $X_4$ (i. e. $\gamma_{E_1}(\sigma') = \{X_3, X_4\}$) and the ones associated to event $\sigma$ are $X_5$ and $X_6$. No other variables and events are linked in $E_1$. In $E_2$, the variables associated to the event $\sigma$ are $X'_1$ and $X'_2$, while the ones associated to the event $\sigma'$ are $X'_3$ and $X'_4$. The parallel composition of $E_1$ and $E_2$ is provided in Figure V.4. It is required in $E_1 \| E_2$ that $X_3$ and $X'_1$ are equal when the event $a$ occurs. Finally, since $X_3$ is equal to $X_1 + X_2$ during this synchronization (see the guard of $(\sigma, 1, 2)$ in $E_1$), it entails that $X'_5$ is equal to $X_1 + X_2$ after this synchronization. Hence information about the variables of $E_1$ is transmitted to the variables of $E_2$. □

FIGURE V.2. Subsystem E1 (states 0, 1, 2, 3; transition labels: a with guard X1 > 0 ∧ X2 < 0 and X1 := X1 + 1; σ' with guard X3 = X1 + X2 ∧ X4 = 3X2 and X1 := X1 − 1; b with guard X1 > 0; σ; self-loops c, u on every state)

FIGURE V.3. Subsystem E2 (states 0, 1; transition labels: c with guard X'5 < 0 and X'5 := X'5 + 1; σ with guard X'5 ≠ X'1 and X'5 := X'1; self-loops a, b, u, σ')

V.2.6. DEFINITION (Synchronous Product). Let $(E_i)_{1 \le i \le n}$ be a family of EFSMs such that for $1 \le i, j \le n$ we have $\Sigma_{E_i} = \Sigma_{E_j}$ and if $i \ne j$, then $V_{E_i} \cap V_{E_j} = \emptyset$. Then we define the synchronous product of these EFSMs as
$$\prod_{i=1}^{n} E_i =_{\mathrm{Def}} \big\|_{i=1}^{n} E_i .$$
In the case of $n = 2$ we write $E_1 \times E_2$ instead of $\prod_{i=1}^{2} E_i$. □

Alternatively, by setting $\gamma_{E_i}(\sigma)$ to undefined we would also be able to define the free synchronized product. This is interesting to model synchronizations between two systems which do not exchange any information.

FIGURE V.4. E1 ‖ E2 (states 0 to 6; the synchronized σ transition carries the guard X'1 = X3 ∧ X'2 = X4 ∧ X5 = X1 + X2 ∧ X6 = 3X2 ∧ X'5 ≠ X'1 with X1 := X1 − 1, X'5 := X'1; the synchronized σ' transition carries the guard X3 = X'3 ∧ X4 = X'4; the a, b, c and u transitions keep their component labels: a with X1 > 0 ∧ X2 < 0 and X1 := X1 + 1, b with X1 > 0, c with X'5 < 0 and X'5 := X'5 + 1)

Free Parallel Composition and Free Synchronous Product. In the case of FSMs, the behavior of the synchronous product $E_1 \times E_2$ corresponds to the common behaviors of $E_1$ and $E_2$. Unfortunately this is not true with the EFSMs under consideration here, because of the necessity to synchronize not only on common actions but also on common values of the variables associated with those actions. This restricts the possible execution sequences. In general we have $L(E_1 \times E_2) \subseteq L(E_1) \cap L(E_2)$. In [8] and [11], another definition of the synchronized product is given. This definition is based on the idea of using events of the form $\langle \sigma, \theta(\gamma_{E_i}(\sigma)) \rangle$ for synchronization, i. e. pairs of system actions and associated values from the domain $D$ which are exchanged during communication. With this definition, the behavior of the synchronous product $E_1 \times E_2$ corresponds to the common behaviors of $E_1$ and $E_2$. However, we then essentially use infinite alphabets $\Sigma_{E_i} \times D$ for synchronization. Unfortunately, this generalization prevents using classical and well-known results about languages, which are themselves intensively used in supervisory control theory. Thus, additional composition operations are used in this study, called free parallel composition and free synchronous product.

V.2.7. DEFINITION (Free Parallel Composition). Let $(E_i)_{1 \le i \le n}$ be a family of EFSMs over the domain $D$ as described in Definition V.2.4. The free parallel composition of $(E_i)_{1 \le i \le n}$ is denoted by $\widetilde{\|}_{i=1}^{n} E_i$ and is defined in exactly the same way as the parallel product $\|_{i=1}^{n} E_i$ except that Definition V.2.4.(f) is replaced by
(f') For $E = \widetilde{\|}_{i=1}^{n} E_i$, the guard assignment is defined as
$$G_E\big(\langle \sigma, \langle q_1, q_2, \ldots, q_n \rangle, \langle q'_1, q'_2, \ldots, q'_n \rangle \rangle\big)(\theta) \ \Leftrightarrow_{\mathrm{Def}}\ \bigwedge_{i \in in(\sigma)} G_{E_i}(\langle \sigma, q_i, q'_i \rangle)(\theta|_{V_{E_i}}). \quad □$$

V.2.8. REMARK. Regarding Definition V.2.4 and Definition V.2.7, it is clear that the language generated by $\|_{i=1}^{n} E_i$ is included in the one of $\widetilde{\|}_{i=1}^{n} E_i$. In other words,
$$L_{\|_{i=1}^{n} E_i} \subseteq L_{\widetilde{\|}_{i=1}^{n} E_i}. \quad □$$

V.2.9. DEFINITION (Free Synchronous Product). Let $(E_i)_{1 \le i \le n}$ be a family of EFSMs such that for $1 \le i, j \le n$ we have $\Sigma_{E_i} = \Sigma_{E_j}$ and if $i \ne j$ then $V_{E_i} \cap V_{E_j} = \emptyset$. Then we define the free synchronous product of these EFSMs as
$$\widetilde{\prod}_{i=1}^{n} E_i =_{\mathrm{Def}} \widetilde{\|}_{i=1}^{n} E_i .$$
In the case of $n = 2$ we write $E_1 \,\widetilde{\times}\, E_2$ instead of $\widetilde{\prod}_{i=1}^{2} E_i$. □

Now let us show that the free synchronized product has indeed the desired properties:

V.2.10. LEMMA. Let $(E_i)_{1 \le i \le n}$ be a family of EFSMs over the same domain $D$ such that $\Sigma_{E_i} = \Sigma_{E_j}$ for $1 \le i, j \le n$ and if $i \ne j$ then $V_{E_i} \cap V_{E_j} = \emptyset$. Then with $E = \widetilde{\prod}_{i=1}^{n} E_i$,
$$L_E(\theta) = \bigcap_{i=1}^{n} L_{E_i}(\theta|_{V_{E_i}})$$
for all $\theta \in \Theta_E(D)$.

PROOF. We show that for all $s \in \Sigma_E^*$,
$$\delta_E(s, q_E, \{\theta\})! \ \Leftrightarrow\ \bigwedge_{i=1}^{n} \delta_{E_i}(s, q_{E_i}, \{\theta|_{V_{E_i}}\})!, \quad \text{and} \tag{V.2.1}$$
$$\delta_E(s, q_E, \{\theta\}) = \langle q, \Theta' \rangle \ \Leftrightarrow\ (\forall i \in \{1, \ldots, n\})\ \delta_{E_i}(s, q_{E_i}, \{\theta|_{V_{E_i}}\}) = \Big\langle q_i, \bigcup_{\theta' \in \Theta'} (\theta'|_{V_{E_i}}) \Big\rangle, \tag{V.2.2}$$
with $q = \langle q_1, q_2, \ldots, q_n \rangle$. The proof is carried out by induction over the length of $s$. For $s = \varepsilon$, both the equivalences (V.2.1) and (V.2.2) are obviously satisfied, hence assume (V.2.1) and (V.2.2) to be satisfied by some $s \in \Sigma_E^*$ and, under this assumption, suppose $\delta_E(s, q_E, \{\theta\})!$ and put
$$\delta_E(s, q_E, \{\theta\}) = \langle q, \Theta' \rangle, \quad \text{and} \quad \delta_{E_i}(s, q_{E_i}, \{\theta|_{V_{E_i}}\}) = \Big\langle q_i, \bigcup_{\theta' \in \Theta'} (\theta'|_{V_{E_i}}) \Big\rangle \quad \text{for } 1 \le i \le n$$
for $q = \langle q_1, q_2, \ldots, q_n \rangle$, and let $q' = \langle q'_1, q'_2, \ldots, q'_n \rangle$. Then for all $\sigma \in \Sigma_E$ the following computation can be carried out (note that $in(\sigma) = \{1, 2, \ldots, n\}$, which significantly simplifies the conditions given in Definition V.2.4):
$$\delta_E(\sigma, q, \Theta')! \ \Leftrightarrow\ (\exists t = \langle \sigma, q, q' \rangle \in T_E)\ \delta_t(\sigma, q, \Theta')! \quad \text{(Def. V.1.3 for } \delta_E)$$
$$\Leftrightarrow\ (\exists t = \langle \sigma, q, q' \rangle \in T_E)(\exists \theta' \in \Theta')\ G_E(t)(\theta') \quad \text{(Def. V.1.3 for } \delta_t)$$
$$\Leftrightarrow\ (\exists t = \langle \sigma, q, q' \rangle \in T_E,\ \exists \theta' \in \Theta')\ \bigwedge_{i=1}^{n} \big(G_{E_i}(t_i)(\theta'|_{V_{E_i}}) \ \&\ t_i = \langle \sigma, q_i, q'_i \rangle \in T_{E_i}\big) \quad \text{(Def. V.2.1.(f))}$$
$$\Leftrightarrow\ (\exists \theta' \in \Theta')\ \bigwedge_{i=1}^{n} (\exists t_i = \langle \sigma, q_i, q'_i \rangle \in T_{E_i})\ \delta_{t_i}(\sigma, q_i, \{\theta'|_{V_{E_i}}\})! \quad \text{(Defs. V.2.1.(d), V.1.3 for } \delta_{t_i})$$
$$\Leftrightarrow\ \bigwedge_{i=1}^{n} \delta_{E_i}\Big(\sigma, q_i, \bigcup_{\theta' \in \Theta'} (\theta'|_{V_{E_i}})\Big)! \quad \text{(Def. V.1.3 for } \delta_{E_i} \text{ and since } i \ne j \Rightarrow V_{E_i} \cap V_{E_j} = \emptyset)$$

FIGURE V.5. An example EFSM: K (states 0 and 1; transitions a: 0 → 1 with X3 := X3 − 2; b: 1 → 1 with guard X3 ≠ 5 and X3 := X3 + 1; d: 1 → 0 with guard X3 > 0)

To maintain the second part of the induction hypothesis now assume $\delta_E(\sigma, q, \Theta')!$. Then
$$\delta_E(\sigma, q, \Theta') = \langle q', \Theta'' \rangle$$
$$\Leftrightarrow\ (\exists t = \langle \sigma, q, q' \rangle \in T_E)\ \delta_t(\sigma, q, \Theta') = \langle q', \Theta'' \rangle \quad \text{(Def. V.1.3 for } \delta_E)$$
$$\Leftrightarrow\ (\exists t = \langle \sigma, q, q' \rangle \in T_E,\ \exists \theta' \in \Theta',\ \exists \theta'' \in \Theta'')\ A_E(t)(\theta')|_{V_{R,E}} = \theta''|_{V_{R,E}} \quad \text{(Def. V.1.3 for } \delta_t)$$
$$\Leftrightarrow\ (\exists t = \langle \sigma, q, q' \rangle \in T_E,\ \exists \theta' \in \Theta',\ \exists \theta'' \in \Theta'')\ \Big(\bigcup_{i=1}^{n} A_{E_i}(\langle \sigma, q_i, q'_i \rangle)(\theta'|_{V_{E_i}})\Big)\Big|_{V_{R,E}} = \theta''|_{V_{R,E}} \quad \text{(Def. V.2.4)}$$
$$\Leftrightarrow\ (\exists t = \langle \sigma, q, q' \rangle \in T_E,\ \exists \theta' \in \Theta',\ \exists \theta'' \in \Theta'')\ (\forall i)\ A_{E_i}(\langle \sigma, q_i, q'_i \rangle)(\theta'|_{V_{E_i}}) = \theta''|_{V_{E_i}} \quad (i \ne j \Rightarrow V_{E_i} \cap V_{E_j} = \emptyset)$$
$$\Leftrightarrow\ \bigwedge_{i=1}^{n} (\exists t_i = \langle \sigma, q_i, q'_i \rangle \in T_{E_i},\ \exists \theta' \in \Theta',\ \exists \theta'' \in \Theta'')\ A_{E_i}(t_i)(\theta'|_{V_{E_i}}) = \theta''|_{V_{E_i}} \quad \text{(Def. V.2.1.(d) and since } i \ne j \Rightarrow V_{E_i} \cap V_{E_j} = \emptyset \text{ again)}$$
$$\Leftrightarrow\ \bigwedge_{i=1}^{n} (\exists t_i = \langle \sigma, q_i, q'_i \rangle \in T_{E_i})\ \delta_{t_i}\Big(\sigma, q_i, \bigcup_{\theta' \in \Theta'} (\theta'|_{V_{E_i}})\Big) = \Big\langle q'_i, \bigcup_{\theta'' \in \Theta''} (\theta''|_{V_{E_i}}) \Big\rangle \quad \text{(Def. V.1.3 for } \delta_{t_i})$$
$$\Leftrightarrow\ \bigwedge_{i=1}^{n} \delta_{E_i}\Big(\sigma, q_i, \bigcup_{\theta' \in \Theta'} (\theta'|_{V_{E_i}})\Big) = \Big\langle q'_i, \bigcup_{\theta'' \in \Theta''} (\theta''|_{V_{E_i}}) \Big\rangle \quad \text{(Def. V.1.3 for } \delta_{E_i}) \quad □$$

Let us now consider an example.

V.2.11. EXAMPLE. Let us consider again the EFSM $E$ given in Figure V.1, as well as the EFSM $K$ of Figure V.5. Now let us consider the product between $E$ and $K$, denoted $E \,\widetilde{\times}\, K$.

FIGURE V.6. Product G × K (states 0 and 1; transitions a: 0 → 1 with guard X1 > 0 ∧ X2 < 0, X1 := 0, X3 := X3 − 2; b: 1 → 1 with guard X2 < 0 ∧ X3 ≠ 5, X1 := X1 + 1, X3 := X3 + 1)

$E \,\widetilde{\times}\, K$ is obtained from $E$ and $K$ by composing $F(E)$ and $F(K)$ (i. e. composing the FSMs representing the structural parts of $E$ and $K$), and labeling the transitions as follows:
• the guards are given by the conjunction of the guards of both $E$ and $K$ (according to Definition V.2.7.(f'));
• the assignment functions are obtained by applying the assignment functions of both $E$ and $K$ (according to Definition V.2.4.(g)). □



To conclude this section, we lift Lemma III.1.2 to work with EFSMs: V.2.12. L EMMA . Let (Ei )16i6n be a family of EFSM such that for i = | j, VEi ∩VE j = S ∅. Let Σ denotes 16i6n ΣEi . We have n

n

n e

i=1

Ei =

n e

i=1

n

PΣ−1 (Ei ) = ∏ PΣ−1 (Ei ). E ,Σ E ,Σ G i

i=1

i

P ROOF. The Lemma follows directly from the respective definitions in the same way as the proof of Lemma III.1.2 taking into account the definitions of guard assignments and variable state transitions. We skip the obvious but tedious details.  V.3. Supervisory Control of Extended Finite State Machines In this section, we address the control of EFSMs. Since the behavior of an EFSM is defined to be a parameterized language, then operators on EFSM must be mapped to that one described in the theory of supervisory control on parameterized languages which has been presented in Section V.5. We are now going to introduce a way to validate the controllability of a control objective and to compute a supervisor. Actually, this last point bases on the work presented in [12], and uses abstract interpretation to deal with infinite domains of the variables. Given a system and a control objective, modeled by EFSMs E and K, respectively, the following algorithm computes a supervisor ensuring the control objective: Rote Reihe Technical Report No. 2006-03


V.3.1. ALGORITHM. Assume $\Sigma_E = \Sigma_K$. To compute a supervisor for $E$ and $K$, perform the following steps:
(a) compute $E \tilde{\times} K$;
(b) for all states $\langle q_1, q_2 \rangle \in Q_{E \tilde{\times} K} = Q_E \times Q_K$ and for all events $\sigma \in \Sigma_{E,uc}$:
  (i) if there exists a transition $t = \langle \sigma, q_1, q_1' \rangle \in T_E$,
  (ii) then the state $\langle q_1, q_2 \rangle$ must be prevented from being reached with a variable state $\theta$ which prevents $\sigma$ from being triggered in $E \tilde{\times} K$ although it allows $\sigma$ to be triggered in $E$. That is, if $t' = \langle \sigma, \langle q_1, q_2 \rangle, \langle q_1', q_2' \rangle \rangle \in T_{E \tilde{\times} K}$, then the set $\langle \langle q_1, q_2 \rangle, \Theta' \rangle$ with
$$\Theta' = \{\theta \in \Theta_{E \tilde{\times} K}(D) \mid \neg G_{E \tilde{\times} K}(t')(\theta) \;\&\; G_E(t)(\theta \restriction V_E)\}$$
  must be prevented from being reached;
(c) use the techniques described in [12] to obtain from $E \tilde{\times} K$ an EFSM $E'$ which restrains the behaviors of $E$ so that $\langle \langle q_1, q_2 \rangle, \Theta' \rangle$ is not reachable.

Note that although the control objective is given by an EFSM, by virtue of the operator $\tilde{\times}$ it is assumed to synchronize with the components of the system to be controlled only by means of shared events, not by the exchange of values from the domain $D$. It is also important to understand that the obtained supervisor is not necessarily maximal. Although the existence of a maximal solution is given by Theorem IV.3.10, the obtained solution is in general not maximal, in particular because of the approximation techniques on infinite domains based on abstract interpretation.

V.3.2. EXAMPLE. Let us consider again the EFSMs $E$ and $K$ given by Figures V.1 and V.5 respectively. The product of these two EFSMs, called $K'$, is given by Figure V.6. Now let us assume that $E$ possesses the uncontrollable events $\Sigma_{uc} = \{b\}$. $K$ is here considered as a control objective for the system $E$, or rather $K' = K \tilde{\times} E$ is considered as the control objective. In this case, $K'$ cannot represent a valid supervisor for $E$, since the behavior generated by $K'$ is uncontrollable with respect to $\Sigma_{uc}$ and $E$. Let us now consider that $E$ is extended so that $X_3 \in V_E$ (in fact $X_3$ is a useless variable of $E$). Assume for example that initially $X_1 = 3$, $X_2 = -1$ and $X_3 = 5$. Then, as explained in Example V.1.5, if $\theta(X_1) = 3$, $\theta(X_2) = -1$ and $\theta(X_3) = 5$, the language generated by $E$ is given by
$$L_E(\theta \restriction V_E) = \{\varepsilon, a, a.b^*.c^+\} \cup \{a.b^n.d \mid n > 10\}$$
and the language generated by $K'$ is
$$L_{K'}(\theta) = \{\varepsilon, a, a.b\}$$
Hence $L_{K'}(\theta)$ is uncontrollable with respect to $\Sigma_{uc}$ and $L_E(\theta \restriction V_E)$, since
$$a.b.b \in L_{K'}(\theta).\Sigma_{uc} \cap L_E(\theta \restriction V_E) \quad\text{and}\quad a.b.b \notin L_{K'}(\theta).$$
Of course, there exist other values of $X_1$, $X_2$ and $X_3$ for which uncontrollability arises (this set is even infinite). Moreover, because the domain of values is infinite, it is more relevant to work on the EFSM itself than to enumerate the set of possible values of the variables.


To that aim, the guards of the transitions are restricted in order to prevent some states from being reached with certain values of the variables. This can be performed using the techniques described in [12]. Abstract interpretation is used to ensure that the computation can be effectively performed. Considering the previous example, the following EFSM represents a valid supervisor for $E$ ensuring $K'$.

[Figure V.7: EFSM with states 0 and 1 and two transitions:
  event $a$, $0 \to 1$, guard $X_1 > 0 \wedge X_2 < 0 \wedge X_3 > 7$, assignments $X_1 := 0$, $X_3 := X_3 - 2$
  event $b$, $1 \to 1$, guard $X_2 < 0$, assignments $X_1 := X_1 + 1$, $X_3 := X_3 + 1$]

FIGURE V.7. Supervisor ensuring $K'$ on $E$

This solution restricts the guards of the transitions (in particular the one of the transition labeled $a$), which ensures that state 1 of $K'$ cannot be reached with undesirable values of $X_3$. But computing such a solution requires particular techniques to deal with the infinite domain of the variables. Let us see why such techniques are necessary. We denote by $t_0 = (a, 0, 1)$ and $t_1 = (b, 1, 1)$ the two transitions of $K'$. As explained above, $K'$ is not controllable with respect to $\Sigma_{uc}$ and $E$; to avoid this problem, state 1 must not be reached in $K'$ with $X_3 = 5$. However, this configuration can be reached by triggering
• either event $a$ from state 0 with $X_3 = 7$,
• or event $b$ from state 1 with $X_3 = 4$.
Hence the guards of $t_0$ and $t_1$ must be reduced as follows:
$$X_1 > 0 \wedge X_2 < 0 \wedge X_3 \notin \{7\} \text{ for } t_0 \quad\text{and}\quad X_3 \notin \{4, 5\} \wedge X_2 < 0 \text{ for } t_1$$
But since $b$ is an uncontrollable event, restricting the guard of $t_1$ has no effect on the system. Therefore, state 1 must not be reached in $K'$ with $X_3 = 4$ either, and the guards of $t_0$ and $t_1$ must be reduced further:
$$G_{K'}(t_0) = X_1 > 0 \wedge X_2 < 0 \wedge X_3 \notin \{6, 7\} \quad\text{and}\quad G_{K'}(t_1) = X_3 \notin \{3, 4, 5\} \wedge X_2 < 0$$
And the problem still remains in state 1 with event $b$. Iterating in this way on an infinite domain does not converge. Therefore, convergence techniques for infinite domains, such as abstract interpretation, are needed here. □
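The iteration above, as an added example in Python (not code from the report). It computes the set $\Theta'$ of Algorithm V.3.1 step (b) for state 1 and the uncontrollable event $b$, projected on $X_3$, and then propagates it backwards: values of $X_3$ from which the uncontrollable $b$ leads into the bad set become bad themselves, while values from which the controllable $a$ leads into the bad set are cut from the guard of $t_0$. The finite window of integers used as the domain is an assumption that only makes the demonstration terminate; on $\mathbb{Z}$ the bad set grows by one value per round forever, which is the non-convergence the text describes.

```python
"""
Backward propagation of bad variable states for K' = E x~ K of Example V.3.2,
restricted to X3 (the guards of E on X1 and X2 are assumed to hold, so E enables
a and b). Added example, not code from the report.

Transitions of K' (Figure V.6), with b uncontrollable and a controllable:
  t0 = (a, 0, 1): X3 := X3 - 2
  t1 = (b, 1, 1): guard X3 != 5 (contributed by K), X3 := X3 + 1
"""
from typing import Callable, FrozenSet, Iterable, List, Tuple


def guard_e_b(x3: int) -> bool:
    return True            # E's own guard on b (X2 < 0) does not mention X3


def guard_kprime_b(x3: int) -> bool:
    return x3 != 5         # guard of t1 in K' = (X2 < 0) and (X3 != 5)


def assign_a(x3: int) -> int:
    return x3 - 2          # t0: X3 := X3 - 2


def assign_b(x3: int) -> int:
    return x3 + 1          # t1: X3 := X3 + 1


def initial_bad(domain: Iterable[int]) -> FrozenSet[int]:
    """Algorithm V.3.1 step (b) at state 1 for sigma = b:
    Theta' = { theta | not G_K'(t1)(theta) and G_E(t1)(theta) }, projected on X3."""
    return frozenset(x for x in domain if guard_e_b(x) and not guard_kprime_b(x))


def predecessors(bad: FrozenSet[int], assign: Callable[[int], int],
                 domain: Iterable[int]) -> FrozenSet[int]:
    """Values of X3 from which one firing of the transition with update `assign` lands in `bad`."""
    return frozenset(x for x in domain if assign(x) in bad)


def iterate(domain: Iterable[int], rounds: int
            ) -> Tuple[List[Tuple[FrozenSet[int], FrozenSet[int]]], bool]:
    """Per round: (bad X3 values at state 1, X3 values to cut from the guard of t0),
    plus whether a fixpoint was reached within `rounds`."""
    domain = list(domain)
    bad = initial_bad(domain)
    history = []
    for _ in range(rounds):
        cut_from_t0 = predecessors(bad, assign_a, domain)   # a is controllable: restrict its guard
        history.append((bad, cut_from_t0))
        # b is uncontrollable: restricting t1 is useless, so its predecessors are bad as well
        new_bad = bad | predecessors(bad, assign_b, domain)
        if new_bad == bad:
            return history, True
        bad = new_bad
    return history, False


if __name__ == "__main__":
    # Assumption: a finite window of Z, only so that the demonstration terminates.
    hist, converged = iterate(range(-50, 50), 30)
    for k, (bad, cut) in enumerate(hist[:3], 1):
        print(f"round {k}: bad X3 at state 1 = {sorted(bad)}, cut from guard of t0 = {sorted(cut)}")
    print("fixpoint reached within 30 rounds:", converged)
```

The first two rounds reproduce the sets $\{7\}$ / $\{4,5\}$ and $\{6,7\}$ / $\{3,4,5\}$ of the text; the only reason `iterate` ever reports a fixpoint is the artificial lower bound of the window, which is why the exact computation has to be replaced by the widened one of Section V.5.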

V.4. Supervisory Control of Concurrent Systems

The topic of this section is modular supervisory control of concurrent systems, i.e. how to compute a supervisor without generating the parallel composition $E = \tilde{\|}_{i=1}^{n} E_i$ of the components $(E_i)_{1 \le i \le n}$ of a concurrent system. Unfortunately, the methods described in the previous chapters can only be applied when the behavior of the concurrent system to be controlled corresponds to the parallel composition of the behaviors of its subsystems, i.e. $L_E = \|_{i=1}^{n} L_{E_i}$, and this is in general not the case. More precisely, considering a control objective given by an EFSM $K$, it is desired to compute a supervisor which restricts the behavior of $E$ to that of $K \tilde{\times} E$. However, Theorem III.3.1 cannot be directly applied to concurrent EFSMs since
$$L_{K \tilde{\times} E} \subseteq L_K \cap \bigcap_{i=1}^{n} P^{-1}_{\Sigma_{E_i},\Sigma_E}(L_{E_i})$$
does not hold in general.

V.4.1. THEOREM. Let $(E_i)_{1 \le i \le n}$ be a family of EFSMs acting on the same domain $D$ and let $E = \tilde{\|}_{i=1}^{n} E_i$. Let us further consider an EFSM $H$ over the domain $D$ with $\Sigma_H = \Sigma_E$. Let us assume that for $1 \le i \le n$, $V_{E_i} \cap V_H = \emptyset$, and that if $i \neq j$ then $V_{E_i} \cap V_{E_j} = \emptyset$. For $1 \le i \le n$, $\Sigma_{E_i,uc}$ and $\Sigma_{E_i,c}$ respectively denote the sets of uncontrollable and controllable events of $\Sigma_{E_i}$. Suppose that $(E_i)_{1 \le i \le n}$ is consistent with the control status of events. Moreover $\Sigma_{E,uc} = \bigcup_{i=1}^{n} \Sigma_{E_i,uc}$ and $\Sigma_{E,c} = \Sigma \setminus \Sigma_{uc}$. Finally, $K_i' \subseteq L_{H \tilde{\times} P^{-1}_{\Sigma_{E_i},\Sigma_E}(E_i)}$ denotes a partially controllable language w.r.t. $\Sigma_{E_i,uc}$, $\Sigma_{uc}$, $L_{H \tilde{\times} P^{-1}_{\Sigma_{E_i},\Sigma_E}(E_i)}$ and $P^{-1}_{\Sigma_{E_i},\Sigma_E}(E_i)$. Then
$$\bigcap_{i=1}^{n} K_i' \cap L_E$$
is controllable with respect to $\Sigma_{uc}$ and $L_E$.

PROOF. First, since
$$L_{H \tilde{\times} (\tilde{\times}_i E_i)} = L_H \cap \Big( \bigcap_i L_{P^{-1}_{\Sigma_{E_i},\Sigma}(E_i)} \Big),$$
Theorem IV.3.6 can be applied. We obtain that $\bigcap_i K_i'$ is controllable w.r.t. $\Sigma_{uc}$ and $L_{\tilde{\times}_i E_i}$. However, we are not interested here in controlling $\tilde{\times}_i E_i$, but $\tilde{\|}_i E_i$. Remark V.2.8 together with Proposition II.2.3 imply that $\bigcap_{i=1}^{n} K_i' \cap L_E$ is controllable w.r.t. $\Sigma_{uc}$ and $L(\tilde{\|}_i E_i)$. □

Given a control objective, Theorem V.4.1 states that the model of a supervisor ensuring it can be computed. The supervisor may possess behaviors which are not part of those of the system. Nevertheless, this supervisor accomplishes its goal correctly while it runs in parallel with the system.

V.4.2. EXAMPLE. Let us consider the concurrent system given in Example V.2.5, as well as the global control objective $K$ given in Figure V.8. The EFSM obtained in Figure V.10 is actually not only controllable but also partially controllable. Since $u$ is the only uncontrollable event of the system, $P^{-1}_{\Sigma_{E_1},\Sigma}(E_1) \tilde{\times} K$ is clearly partially controllable too. According to Theorem V.4.1, the parallel composition of $P^{-1}_{\Sigma_{E_1},\Sigma}(E_1) \tilde{\times} K$ and the EFSM given in Figure V.10 represents a supervisor which ensures the behaviors described by the control objective $K$.

[Figure V.8: control objective $K$ with states 0 and 1; transition labels (sources and targets are not recoverable from the extraction): $a$ with assignment $X_1''' := 0$; $\Sigma \setminus \{a, c\}$; $c$ with guard $X_1''' < X_2'''$ and assignment $X_1''' := X_1''' + 1$; $\Sigma \setminus \{c\}$ with guard $X_1''' < 10$ and assignment $X_1''' := 0$]

FIGURE V.8. Control Objective $K$ □

V.5. Abstract Interpretation

In this last section of the report, we give some intuition of what abstract interpretation is. Abstract interpretation was originally introduced in [4]; a comprehensive survey can be found in [9]. Abstract interpretation provides a theory to perform computations with infinite sets in cases where those computations cannot, in general, be effectively performed by a machine. It is based on two concepts: abstraction of the sets to deal with, and use of widening operators to ensure convergence when necessary. Very few systems with infinite state or value spaces possess properties that allow them to be handled automatically; in general, seemingly very simple operations can be infeasible. For example, consider the problem of determining whether two infinite sets of integers possess common values. This question seems very simple, but the answer is not so clear, since enumerating the values of the sets is not possible in this case. The idea of abstract interpretation consists in abstracting the sets under consideration, moving all sets and operations into a new, simpler space. Of course, this move must be done very carefully, using operators with good properties (Galois connections). Moreover, the price to pay for abstraction is that the solution is only approximated. But despite everything, this technique is of great help in dealing with infinite domains.


[Figure V.9: $P_2^{-1}(E_2) \tilde{\times} K$ with states $(0,0)$, $(0,1)$, $(1,0)$, $(1,1)$; transition labels (sources and targets are not recoverable from the extraction): $c$ with guard $X_5' < 0 \wedge X_1''' < X_2'''$ and assignments $X_5' := X_5' + 1$, $X_1''' := X_1''' + 1$; $a$ with $X_1''' := 0$; $\sigma$ with guard $X_5' \neq X_1' \wedge X_1''' < 10$ and assignments $X_5' := X_1'$, $X_1''' := 0$; $\sigma$ with guard $X_5' \neq X_1'$ and assignment $X_5' := X_1'$; $u, \sigma'$ with $X_1''' := 0$; $a, b$ with guard $X_1''' < 10$ and assignment $X_1''' := 0$; $\sigma'$ with guard $X_1''' < 10$ and assignment $X_1''' := 0$; $b$; $u$]

FIGURE V.9. $P_2^{-1}(E_2) \tilde{\times} K$

More formally, the principle is the following: if $D$ is a domain and $D'$ is another domain, then it is sometimes possible to describe an abstraction function $A : D \to D'$. If this abstraction function (together with a materialization function from $D'$ to $D$) forms a Galois connection (which more or less means that inclusion is preserved when using the abstraction and materialization functions), then convergence of abstracted sequences in $D'$ has a material counterpart in $D$: if $(X_n)_n$ is a sequence of sets in $D$ and $X$ denotes the limit of $(A(X_n))_n$ in $D'$, then the limit of $(X_n)_n$ in $D$ is included in the materialization of $X$. In other words, to deal with a sequence of sets over an infinite domain, it can be convenient to work in an abstracted domain and then obtain a solution which corresponds to an approximate solution in the materialized domain. But such a method requires that the abstracted sequence converges in all cases. Unfortunately, such a requirement is undesirably restrictive. That is the reason why the abstracted domain $D'$ is generally infinite too, and an additional technique has to be applied to ensure convergence: widening.

[Figure V.10: same states and labels as Figure V.9, except that the guard of $c$ is strengthened to $X_5' < 0 \wedge X_1''' < X_2''' \wedge X_1''' < 9$]

FIGURE V.10. A partially controllable EFSM

Let us for example consider the following first values of a sequence of intervals of integers:
$$[0],\ [0, 1],\ [0, \ldots, 2],\ [0, \ldots, 3],\ [0, \ldots, 4]$$
An approximation of the limit of the sequence could be $[0, \infty]$. Of course, this is somewhat coarse, since only the first five elements of the sequence are considered. However, it is always possible to refine this approach, and it gives quite good results in general. An operator that defines such an over-approximation of the limit is called a widening operator. This operator ensures that any limit (or at least an approximation of it) can be effectively computed by an algorithm. Therefore, the idea of abstract interpretation is:
(a) moving from the concrete set of sets to an abstracted one which is "simpler";
(b) performing the computation using a widening operator in this abstracted set;


(c) coming back to the original concrete set using the materialization function.
Then the solution computed in the abstracted set gives an approximation of the one in the concrete set. One may notice that using an abstraction is not strictly necessary, since convergence is ensured by the widening operator; hence it could be sufficient to define a widening operator over the materialized domain. That is true, but as mentioned above the abstracted domain is assumed to be simpler and can be of good help in some cases (in particular to define relevant widening operators).

Let us consider again the problem of determining whether two infinite sets share values. For example, let us consider the sets
$$S_1 = \{1, 34, 321, 76434, 874583465, \ldots\} \quad\text{and}\quad S_2 = \{-10^{34}, -873485637535321, -784673534, -4751, \ldots\}$$
where "$\ldots$" means that there is an infinite sequence of values (increasing without bound for $S_1$, decreasing without bound for $S_2$). Abstracting these sets using intervals, we obtain
$$A(S_1) = [1, \ldots, \infty] \quad\text{and}\quad A(S_2) = [-\infty, \ldots, -4751]$$
In the case of intervals, two intervals are disjoint if the maximum of one is smaller than the minimum of the other. This very simple property of intervals allows us to obtain easily that $A(S_1)$ and $A(S_2)$ are disjoint. Now, since each set is included in the materialization of its abstraction, the Galois connection property ensures that $S_1$ and $S_2$ themselves are disjoint.

To conclude, a lot of work exists on abstract interpretation. Relevant and non-trivial abstract domains have been studied, as well as corresponding widening operators.
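An added example in Python (not code from the report or from [12]) of the interval abstraction with widening applied to the backward computation of Example V.3.2: starting from $X_3 = 5$ in state 1, the $b$-predecessors are added and the standard interval widening sends the moving lower bound to $-\infty$, so the computation stabilises after two rounds at $X_3 \le 5$; cutting the $a$-predecessors $X_3 \le 7$ from the guard of $t_0$ yields the guard $X_3 > 7$ of Figure V.7. The same class also reproduces the widened limit $[0, \infty]$ and the interval disjointness test of this section. The transfer functions are the updates $X_3 := X_3 - 2$ and $X_3 := X_3 + 1$ of Figure V.6; everything else is constructed for the example.

```python
"""
Interval domain with join, widening and a shift transfer function, used for
(1) the widened limit of [0], [0,1], [0,2], ...,
(2) the backward fixpoint of Example V.3.2 on X3 (Figure V.7 guard), and
(3) the disjointness test on A(S1) = [1, +inf], A(S2) = [-inf, -4751].
Added example, not code from the report.
"""
from dataclasses import dataclass
from math import inf
from typing import List, Tuple


@dataclass(frozen=True)
class Interval:
    lo: float   # -inf allowed
    hi: float   # +inf allowed

    def join(self, other: "Interval") -> "Interval":
        """Least upper bound in the interval lattice (convex hull)."""
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def widen(self, other: "Interval") -> "Interval":
        """Standard interval widening: a bound that is still moving jumps to infinity.
        Over-approximates the join, which is what guarantees termination."""
        lo = self.lo if other.lo >= self.lo else -inf
        hi = self.hi if other.hi <= self.hi else inf
        return Interval(lo, hi)

    def disjoint(self, other: "Interval") -> bool:
        """Two intervals are disjoint iff the max of one is below the min of the other."""
        return self.hi < other.lo or other.hi < self.lo

    def shift(self, k: float) -> "Interval":
        """Abstract transfer of the assignment X := X + k (exact on intervals)."""
        return Interval(self.lo + k, self.hi + k)


def widened_limit(seq: List[Interval]) -> Interval:
    """Accumulate a sequence with widening; stops as soon as the accumulator is stable."""
    acc = seq[0]
    for nxt in seq[1:]:
        new = acc.widen(acc.join(nxt))
        if new == acc:
            break
        acc = new
    return acc


def bad_x3_at_state_1(max_rounds: int = 100) -> Tuple[Interval, bool]:
    """Backward fixpoint with widening:
    bad_0 = [5,5] (Theta' of Algorithm V.3.1 for event b at state 1)
    bad_{n+1} = widen(bad_n, bad_n U pre_b(bad_n)), pre_b = shift(-1) since t1 does X3 := X3 + 1
    (b is uncontrollable, so every b-predecessor of a bad value is bad)."""
    bad = Interval(5, 5)
    for _ in range(max_rounds):
        new = bad.widen(bad.join(bad.shift(-1)))
        if new == bad:
            return bad, True
        bad = new
    return bad, False


def forbidden_x3_for_a() -> Interval:
    """Values of X3 to cut from the guard of t0 = pre_a(bad) = shift(+2), since t0 does X3 := X3 - 2.
    The restricted guard keeps the complement, i.e. X3 > 7 as in Figure V.7."""
    bad, _ = bad_x3_at_state_1()
    return bad.shift(2)


if __name__ == "__main__":
    print("widened limit:", widened_limit([Interval(0, k) for k in range(5)]))
    print("bad X3 at state 1:", bad_x3_at_state_1())
    print("cut from guard of a:", forbidden_x3_for_a())
    print("A(S1), A(S2) disjoint:", Interval(1, inf).disjoint(Interval(-inf, -4751)))
```

The widening is what makes the loop in `bad_x3_at_state_1` stop where the exact iteration of Example V.3.2 never does; the price is that the result is an over-approximation of the truly bad values, so the supervisor built from the complement is safe but, as the text notes, not necessarily maximal.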


Bibliography

[1] K. Akesson, H. Flordal, and M. Fabian. Exploiting modularity for synthesis and verification of supervisors. In Proc. of the IFAC, Barcelona, Spain, July 2002.
[2] C. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Kluwer Academic Publishers, 1999.
[3] Y.-L. Chen and F. Lin. Safety control of discrete event systems using finite state machines with parameters. Pages 975–980, Arlington, VA, June 2001.
[4] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Conference Record of the Fourth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 238–252, Los Angeles, California, 1977. ACM Press, New York, NY.
[5] M. H. De Queiroz and J. Cury. Modular control of composed systems. In Proceedings of the American Control Conference, pages 4051–4055, Chicago, Illinois, June 2000.
[6] B. Gaudin and H. Marchand. Modular supervisory control of a class of concurrent discrete event systems. In Workshop on Discrete Event Systems, WODES'04, September 2004.
[7] B. Gaudin and H. Marchand. Supervisory control of concurrent discrete event systems. Technical Report PI-1593, IRISA Rennes, 2004.
[8] B. Jeannet, T. Jéron, V. Rusu, and E. Zinovieva. Symbolic test selection based on approximate analysis. In 11th Int. Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'05), volume 3440 of LNCS, Edinburgh (Scotland), April 2005.
[9] N. D. Jones and F. Nielson. Abstract interpretation: A semantic-based tool for program analysis. In S. Abramsky, D. M. Gabbay, and T. S. E. Maibaum, editors, Semantic Modelling, vol. 4 of Handbook of Logic in Computer Science, pages 527–636. Clarendon Press, Oxford, 1995.
[10] J. Komenda, J. H. van Schuppen, B. Gaudin, and H. Marchand. Modular supervisory control with general indecomposable specification languages. In Proc. of the 44th IEEE Conference on Decision and Control (CDC'05) and European Control Conference ECC 2005, Sevilla (Spain), 2005.
[11] T. Le Gall, B. Jeannet, and H. Marchand. Contrôle de systèmes symboliques, discrets ou hybrides. Technical Report 1683, IRISA, January 2005.
[12] T. Le Gall, B. Jeannet, and H. Marchand. Supervisory control of infinite symbolic systems using abstract interpretation. In Proc. of the 44th IEEE Conference on Decision and Control (CDC'05) and European Control Conference ECC 2005, Sevilla (Spain), December 2005.
[13] P. J. Ramadge and W. M. Wonham. The control of discrete event systems. Proceedings of the IEEE; Special issue on Dynamics of Discrete Event Systems, 77(1):81–98, 1989.
[14] P. J. Ramadge and W. M. Wonham. Supervision of discrete event processes. In Proc. of 21st IEEE Conf. Decision and Control, pages 1228–1229, Orlando, FL, December 1982.
[15] K. Rohloff and S. Lafortune. The control and verification of similar agents operating in a broadcast network environment. In 42nd IEEE Conference on Decision and Control, Hawaii, USA, December 2003.


[16] Y. Willner and M. Heymann. Supervisory control of concurrent discrete-event systems. International Journal of Control, 54(5):1143–1169, 1991.
[17] W. M. Wonham. Notes on control of discrete-event systems. Technical Report ECE 1636F/1637S, Department of Electrical and Computer Engineering, University of Toronto, July 2003.
[18] W. M. Wonham and P. J. Ramadge. Modular supervisory control of discrete event systems. Mathematics of Control, Signals and Systems, 1:13–30, 1988.
