SUPERVISORY CONTROL OFDISCRETE-EVENT SYSTEMS

W.M. WonhamSystems Control Group

Dept. of Electrical & Computer EngineeringUniversity of Toronto

and

Kai CaiDept. of Electrical & Information Engineering

Osaka City University

Revised 2017.05.01

This monograph may be reproduced for the purpose of research, private

study, classroom distribution, or review, provided the source and the

author are indicated thereon. The monograph, or any substantial part

thereof, is not to be produced or reproduced for commercial use.

c⃝copyright by W.M. Wonham, 1997-2017

Foreword

This monograph is based on the first author’s lectures at the University ofToronto during the sessions 1987-88 through 2016-17, as well as at Washing-ton University (St. Louis) in May 1988, the Indian Institute of Technology(Kanpur) in February 1989, Bilkent University (Ankara) in May 1989, theUniversidade Federal de Santa Catarina (Florianopolis) in February 1993,the Centro de Investigacion y de Estudios Avanzados (Guadalajara, Mex-ico) in February 1997, the University of Stuttgart in May 1998, the BanarasHindu University in February 2000, December 2001, and February 2006, Zhe-jiang University in May-June 2006-2011, the Sapienza Universita di Roma inOctober 2011, and Xidian University (Xi’an) in May 2013 and 2015. The ma-terial on control theory originated with the U. of T. doctoral theses of PeterRamadge (1983), Feng Lin (1987), and subsequently many others, togetherwith joint publications with the first author.

The material has also been used by the second author for his lectures atOsaka City University during 2015-2017.

The software package TCT (for untimed DES) has been developed mostrecently by Renyuan Zhang; while the package TTCT for timed DES wasdeveloped by Christian Meder and Ali Saadatpoor.

W.M.W. and K.C.2017.05.01

i

ii

Contents

Foreword i

Introduction vii

TCT: General Information xiii

1 Algebraic Preliminaries 11.1 Posets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Lattices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.3 Equivalence Relations . . . . . . . . . . . . . . . . . . . . . . . 81.4 Equivalence Kernel and Canonical Factorization . . . . . . . . 141.5 Application: Internal Model Principle . . . . . . . . . . . . . . 281.6 Notes and References . . . . . . . . . . . . . . . . . . . . . . . 50

2 Linguistic Preliminaries 512.1 Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512.2 Nerode Equivalence and Right Congruence . . . . . . . . . . . 532.3 Canonical Recognizers . . . . . . . . . . . . . . . . . . . . . . 552.4 Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652.5 Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692.6 Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . 762.7 Causal Output Mapping and Hierarchical Aggregation . . . . 812.8 Chains of Regular Languages . . . . . . . . . . . . . . . . . . 902.9 Notes and References . . . . . . . . . . . . . . . . . . . . . . . 98

3 Supervision of Discrete-Event Systems: Basics 993.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993.2 Representation of Controlled Discrete-Event Systems . . . . . 100

iii

iv CONTENTS

3.3 Synchronous Product, Shuffle, and Meet . . . . . . . . . . . . 1043.4 Controllability and Supervision . . . . . . . . . . . . . . . . . 1183.5 Supremal Controllable Sublanguages and Optimal Supervision 1223.6 Implementation of Supervisory Controls by Automata . . . . . 1293.7 Design of Supervisors Using TCT . . . . . . . . . . . . . . . . 1363.8 Forced Events . . . . . . . . . . . . . . . . . . . . . . . . . . . 1473.9 Mutual Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . 1533.10 Supervisor Reduction . . . . . . . . . . . . . . . . . . . . . . . 1553.11 Notes and References . . . . . . . . . . . . . . . . . . . . . . . 156

Appendix 3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

4 Decentralized and Distributed Supervision of Discrete-EventSystems 1614.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1614.2 Conjunction of Supervisors . . . . . . . . . . . . . . . . . . . . 1624.3 Naive Decentralized Supervision: Deadly Embrace . . . . . . . 1654.4 Decentralized Supervision: Small Factory . . . . . . . . . . . . 1684.5 Decentralized Supervision: Big Factory . . . . . . . . . . . . . 1694.6 Decentralized Supervision: Transfer Line . . . . . . . . . . . . 1734.7 Decentralized Supervision: AGVs in a Manufacturing Workcell 1804.8 Decentralized Supervision by Natural Projection . . . . . . . . 2124.9 Reasoning about Nonblocking . . . . . . . . . . . . . . . . . . 2194.10 Synchronization and Event Hiding . . . . . . . . . . . . . . . . 2264.11 Distributed Supervision by Supervisor Localization . . . . . . 2294.12 Notes and References . . . . . . . . . . . . . . . . . . . . . . . 233

5 Hierarchical Supervision of Discrete-Event Systems 2355.1 Hierarchical Control Structure . . . . . . . . . . . . . . . . . . 2355.2 Two-Level Controlled Discrete-Event System . . . . . . . . . . 2385.3 High-Level Control Structure . . . . . . . . . . . . . . . . . . 2425.4 Command and Control . . . . . . . . . . . . . . . . . . . . . . 2485.5 Hierarchical Consistency . . . . . . . . . . . . . . . . . . . . . 2535.6 Hierarchical Supervision of Transfer Line . . . . . . . . . . . . 2595.7 Hierarchical Supervision with Nonblocking . . . . . . . . . . . 2655.8 Notes and References . . . . . . . . . . . . . . . . . . . . . . . 278

Appendix 5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 278Appendix 5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 283Appendix 5.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

CONTENTS v

Appendix 5.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

6 Supervisory Control With Partial Observations 2996.1 Natural Projections and Normal Languages . . . . . . . . . . 2996.2 Observable and Relatively Observable Languages . . . . . . . 3156.3 Feasible Supervisory Control . . . . . . . . . . . . . . . . . . . 3266.4 Infimal Closed Observable Sublanguages . . . . . . . . . . . . 3446.5 Supervisory Control and Normality . . . . . . . . . . . . . . . 3496.6 Control of a Guideway . . . . . . . . . . . . . . . . . . . . . . 3626.7 Nondeterminism, Quasi-Congruences, and the Observer Prop-

erty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3686.8 Efficient Coordination in Decentralized

Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3876.9 Notes and References . . . . . . . . . . . . . . . . . . . . . . . 395

7 State-Based Control of Discrete-Event Systems 3977.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3977.2 Predicates and State Subsets . . . . . . . . . . . . . . . . . . . 3987.3 Predicate Transformers . . . . . . . . . . . . . . . . . . . . . . 3997.4 State Feedback and Controllability . . . . . . . . . . . . . . . 4017.5 Balanced State Feedback Controls and Modularity . . . . . . . 4067.6 Dynamic State Feedback Control . . . . . . . . . . . . . . . . 4097.7 Notes and References . . . . . . . . . . . . . . . . . . . . . . . 412

Appendix 7.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

8 Supervision of Vector Discrete-Event Systems 4218.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4218.2 Vector Discrete-Event Systems . . . . . . . . . . . . . . . . . . 4228.3 VDES Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . 4258.4 Linear Predicates . . . . . . . . . . . . . . . . . . . . . . . . . 4288.5 State Feedback and Controllability of VDES . . . . . . . . . . 4298.6 Reachability and Loop-Freeness . . . . . . . . . . . . . . . . . 4338.7 Loop-Freeness and Optimal Control . . . . . . . . . . . . . . . 4378.8 Example: FACT#5 . . . . . . . . . . . . . . . . . . . . . . . 4408.9 Memory and Dynamic State Feedback Control for VDES . . . 4448.10 Modular Dynamic State Feedback Control for VDES . . . . . 4468.11 Example: FACT#2 . . . . . . . . . . . . . . . . . . . . . . . 4478.12 Modeling and Control of a Production Network . . . . . . . . 451

vi CONTENTS

8.13 Representation of Optimal Control by a Control VDES . . . . 4578.14 Notes and References . . . . . . . . . . . . . . . . . . . . . . . 469

Appendix 8.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

9 Supervisory Control of Timed Discrete-Event Systems 4819.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4819.2 Timed Discrete-Event Systems . . . . . . . . . . . . . . . . . . 4829.3 Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4879.4 Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4909.5 Time Bounds as Specifications . . . . . . . . . . . . . . . . . . 4909.6 Composition of TDES . . . . . . . . . . . . . . . . . . . . . . 4919.7 Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4939.8 Controllability of TDES . . . . . . . . . . . . . . . . . . . . . 4949.9 Supremal Controllable Sublanguages and Optimal Supervision 5019.10 Example 4: Endangered Pedestrian . . . . . . . . . . . . . . . 5039.11 Example 5: Timed Manufacturing Cell . . . . . . . . . . . . . 5079.12 Modular Supervision of Generalized TDES . . . . . . . . . . . 5169.13 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5209.14 Notes and References . . . . . . . . . . . . . . . . . . . . . . . 521

Bibliography 523

Appendix: Supervisory Control of a Mine Pump 561

Index 582

Introduction

The control of discrete-event systems (DES) is a research area of currentvitality, stimulated by the hope of discovering general principles commonto a wide range of application domains. Among the latter are manufactur-ing systems, traffic systems, database management systems, communicationprotocols, and logistic (service) systems. The contributing specialities arenotably control, computer and communication science and engineering, to-gether with industrial engineering and operations research.

With this variety of supporting disciplines, it is no surprise that the DESresearch area embraces a corresponding variety of problem types and model-ing approaches. It is fair to say that no single control-theoretic paradigm isdominant, nor is it necessarily desirable that matters should be otherwise.

From a formal viewpoint, a DES can be thought of as a dynamical system,namely an entity equipped with a state space and a state-transition structure.In particular, a DES is discrete in time and (usually) in state space; it isasynchronous or event-driven: that is, driven by events other than, or inaddition to, the tick of a clock; and it may be nondeterministic: that is,capable of transitional ‘choices’ by internal chance or other mechanisms notnecessarily modeled by the system analyst.

The present monograph is devoted to a simple, abstract model of con-trolled DES that has proved to be tractable, appealing to control specialists,and expressive of a range of control-theoretic ideas. It was introduced inthe control literature by P.J. Ramadge and the first author in 1982; in thismonograph it will be referred to as supervisory control theory (SCT). SCTsupports the formulation of various control problems of standard types, likethe synthesis of controlled dynamic invariants by state feedback, and theresolution of such problems in terms of naturally definable control-theoreticconcepts and properties, like reachability, controllability and observability.SCT is automaton-based, or dually language-based, depending on whether

vii

viii

one prefers an internal structural or external behavioral description at thestart. Briefly, a DES is modeled as the generator of a formal language, thecontrol feature being that certain events (transitions) can be disabled by anexternal controller. The idea is to construct this controller so that the eventsit currently disables depend in a suitable way on the past behavior of thegenerating DES. In this way the DES can be made to behave optimally withrespect to a variety of criteria, where ‘optimal’ means in ‘minimally restric-tive fashion’. Among the criteria are ‘safety’ specifications like the avoidanceof prohibited regions of state space, or the enforcement of service priorities;and ‘liveness’ specifications, at least in the weak sense that distinguishedtarget states always remain reachable.

As a practical matter, in the present state of SCT software technology,DES and their specifications and controllers must be representable by finitetransition structures (FTS), although there is no intrinsic restriction to FTSin the theory itself. In the FTS setup the computations for many of the con-trol solutions entail only polynomial effort in the model’s state size. However,complex controlled DES are directly modeled as product structures of simplercomponents; so each time a new component is adjoined (with state space sizeN, say) the state size of the product FTS is multiplied by N; and thus the sizeof the model increases exponentially with the number of components. Thesituation is actually worse in the case of control with partial observations: inmost versions of this problem, the computational effort is exponential (ratherthan polynomial) in the model size itself, for instance owing to the necessityof converting from a nondeterministic FTS to its deterministic counterpartin terms of ‘uncertainty subsets’.

While exponential complexity is not inevitably disastrous (after all, sales-men continue to travel) it is surely a strong incentive to refine the approach.For this, two well known and universal systemic strategies can be invoked,each of them already familiar in control theory. The first is to create suit-able architecture: that is, to exploit horizontal and vertical modularity, or inthis context decentralized and hierarchical control. The second is to exploitinternal regularity of algebraic or arithmetic structure if it happens to bepresent.

Thus a specialization of the SCT base model to ‘vector’ DES (VDES)allows the exploitation of vector-additive arithmetic state structure: for in-stance, when dealing with sets of similar objects of which the number ina given state may be incremented or decremented by various events (ma-chines in a factory workcell, entering a busy state or a breakdown state). For

ix

modeling and analysis in this domain Petri nets have been widely utilized,especially by computer and communications specialists, but there seems littleneed to adopt the arcane terminology of nets to treat what after all are juststandard control problems in a specialized state framework. Of course, in-sights from the extensive literature on Petri nets can and should be exploitedwhenever advantageous.

Taking a different approach, one may seek to generalize the SCT modelin directions of greater realism and modeling flexibility. For instance, a gen-eralization to ‘timed transition models’ incorporates real-time features alongwith modeling enhancements like program variables, their transformations,and transition guards. Another, deep and rather technical, generalizationin the spirit of temporal logic (due to both Peter Ramadge and John This-tle) brings in languages over sets of infinite strings and addresses issues of‘eventuality’, or liveness in the long run.

While the present text does not cover all the topics just listed, it providesan introduction to, and preparation for research in, control of DES in thestyle described. Two software packages are available as project tools: TCT,for untimed DES, and TTCT, for both timed and untimed systems. Theseare linked to the website

http://www.control.utoronto.ca/DES

It should be stressed that these tools are used only as auxiliary teachingaids; the theoretical content of the text is independent of them. They providebasic procedures for the systematic computation of examples, but could bereplaced by any other tools of comparable functionality that the reader mightprefer.

Numbering convention: In each section, theorems, propositions, exam-ples, exercises, etc. are numbered sequentially: e.g. Theorem 1, Proposi-tion 2, Example 3, Exercise 4, etc. When referring to a theorem (proposi-tion, etc.) in a different section, chapter#.section#.theorem# is cited; forinstance, Theorem 3.5.8 refers to Theorem 8 in Section 5 of Chapter 3.

Introductory exercise: Elevator modeling and simulationPart 1: Write a simple simulation program for a single-cage elevator in a6-story building. The elevator should respond to both external and inter-nal calls, in a ‘reasonable’ way which matches your experience. No specialbackground knowledge is assumed about DES or elevators.

x

Simulation runs are generated by allowing calls to occur randomly. Theelevator state can be taken to be the floor at which the cage is currentlylocated, together with the current pattern of unserviced calls and such otherinformation that you deem relevant. Cage transitions between adjacent floorscan be assumed instantaneous.

The display may be quite simple, say in the form of a table, as shown.Here the cage is at Floor 3, and there are unserviced calls to Floors 1 and 5that have originated inside the cage, along with external up-calls at Floors0, 1, 4 and down-calls at Floors 2, 4.

FLOOR CAGE-LOCATION INCALLS EXCALLSUP EXCALLSDN

5 x4 x x3 x2 x1 x x0 x

In the presence of unserviced calls the cage location should change byone level at each stage, following which new x’s in the CALLS columns mayappear and old ones disappear.

Include a brief description of your approach and your control logic.Part 2: Develop an automaton model of the system in Part 1, including acomplete specification of the state set and transition structure. For instance,the state set could take the form

Q = F ×H × (U0× ... × U4)× (D1× ... ×D5)× (I0× ... × I5)

where F = 0, 1, ..., 5 is the floor set, H = up, rest, down is the cageheading set, and Ui,Di, Ii represent 2-state switches (‘buttons’) with statesets set, reset for external up-calls, external down-calls, and inside-cage-calls. Thus ui = set ∈ Ui indicates the presence of an up-call at floor i;ui will be switched back to reset when the call is serviced. The state sizeis |Q| = 6 × 3 × 25 × 25 × 26 = 1179648. Write f ∈ F for the currentfloor, h ∈ H for the current heading, u, d, i for the button vectors (thusu = (u0, ..., u4) ∈ U0× ... × U4), and calls = (u, d, i). Then

hnext = δH((calls)next, f, h)

xi

fnext = δF (hnext, f)

for suitable functions δH , δF . Define callsnext as a suitable (in part, random)function of the current values (calls, f, h), so the computation sequence is

(calls, f, h) 7−→ callsnext

(callsnext, f, h) 7−→ hnext

(hnext, f) 7−→ fnext

Part 3: Check systematically whether or not your simulation code from Part1 is an implementation of your automaton model in Part 2. If the automatonmodel were developed first, would it be helpful in writing the code?Part 4: Discuss possible performance specifications for your elevator (e.g.‘Every call is eventually serviced.’). Sketch a proof that your automatonmodel satisfies them.

xii

TCT : GENERAL INFORMATION

TCT is a program for the synthesis of supervisory controls for discrete-eventsystems. Generators and recognizers are represented as standard DES in theform of a 5-tuple

[Size, Init, Mark, Voc, Tran]

Size is the number of states (the standard state set is 0,...,Size-1), Init isthe initial state (always taken to be 0), Mark lists the marker states, Voc thevocal states, and Tran the transitions. A vocal state is a pair [I, V ] representingpositive integer output V at state I. A transition is a triple [I, E, J ] representinga transition from the exit (source) state I to the entrance (target) state J andhaving event label E. E is an odd or even nonnegative integer, depending onwhether the corresponding event is controllable or uncontrollable.

exit I J entranceevent E

All DES transition structures must be deterministic: distinct transitions fromthe same exit state must carry distinct labels.

SYNTHESIS PROCEDURES

DES = create(DES)is a new discrete-event system (DES). Option 1 allows fast userinput via a sequence of prompts, resulting in direct creation of a.DES file. Option 2 allows the user to create a text (.ADS) filewith any ASCII text editor; this file can be converted to a .DESfile using the TCT procedure FD.

xiii

xiv

DES2 = selfloop(DES1,[SELF-LOOPED EVENTS])

is DES1 augmented by a selfloop (q, E, q) for each listed eventE, at each state q where a transition (q, E, q′) is not alreadydefined. The event E can be chosen freely and needn’t belongto the alphabet of DES1.

DES2 = trim(DES1)

is the trim (reachable and coreachable) substructure of DES1.

DES = sync(DES1,DES2,. . . ,DESk)

is the (reachable) synchronous product of DES1,DES2,. . . ,DESk.Not for use with vocalized DES.

DES = meet(DES1,DES2,. . . ,DESk)

is the meet (reachable cartesian product) ofDES1,DES2,. . . ,DESk. DES need not be coreachable. Not foruse with vocalized DES.

DES3 = supcon(DES1,DES2)

is a trim generator for the supremal controllable sublanguage ofthe marked legal language generated by DES2 with respect tothe plant DES1. DES3 provides a proper supervisor for DES1.Not for use with vocalized DES.

DES2 = force(DES1,[FORCIBLE EVENTS],[PREEMPTABLE EVENTS],

[TIMEOUT EVENT])

is DES1 modified by the insertion of a new timeout event whosedisablement forces an event in the forcible list to preempt everyevent in the preemptable list. Not for use with vocalized DES.

DES3 = mutex(DES1,DES2, [EXCLUDED-STATE-PAIRS])

xv

is formed from the product of DES1 and DES2, by excluding statepairs listed as [[I1,J1],[I2,J2],...], plus all state pairs from whichthey are reachable along an uncontrollable path; and then takingthe reachable substructure of the result. DES3 is reachable andcontrollable, but need not be coreachable. For the correspondingcontrol data, compute DES = sync(DES1,DES2), then DAT =condat(DES,DES3). If DES3 is trim, it provides a proper super-visor for the mutual exclusion problem; if not, a solution is SUP= supcon(DES,DES3). Not for use with vocalized DES.

DAT2 = condat(DES1,DES2)

returns control data DAT2 for the supervisor DES2 of the con-trolled system DES1. If DES2 represents a controllable language(with respect to DES1), as when DES2 has been previously com-puted with supcon, then DAT2 will tabulate the events that areto be disabled at each state of DES2. In general condat canbe used to test whether the language represented by DES2 iscontrollable with respect to DES1: just check that the disabledevents tabled in DAT2 are themselves controllable (have odd-numbered labels). To Show DAT call SA. condat is not for usewith vocalized DES.

DES3 = supreduce(DES1,DES2,DAT2)

is a reduced supervisor for plant DES1 which is control-equivalentto DES2, where DES2 and control data DAT2 were previouslycomputed using supcon and condat. Also returned is an esti-mated lower bound slb for the state size of a strictly state-minimalreduced supervisor. DES3 is strictly minimal if its reported statesize happens to equal the slb.

LOC1,LOC2,. . . ,LOCm= localize(PLANT,PLANT1,. . . ,PLANTm,SUPER)

xvi

is the set of localizations of SUPER to the m independent com-ponents PLANT1,...,PLANTm of PLANT. Independence meansthat the alphabets of PLANT1,...,PLANTm must be pairwise dis-joint. Optionally, correctness of localization is verified and re-ported as ControlEqu(...) in MAKEIT.TXT. localize is mainlyfor use when SUPER is a decentralized supervisor with author-ity over PLANT1,...,PLANTm, and PLANT is their synchronousproduct. localize is not for use with vocalized DES.

DES2 = minstate(DES1)is a minimal state DES that generates the same closed andmarked languages as DES1, and the same string mapping inducedby vocalization (if any). DES2 is reachable, but not coreachableunless DES1 is coreachable.

DES2 = complement(DES1, [AUXILIARY-EVENTS])is a generator of the marked language complementary to themarked language of DES1, with respect to the extended alphabetcomprising the event labels of DES1 plus those in the auxiliary-event list. The closed behavior of DES2 is all strings over theextended alphabet. The string mapping induced by vocalization(if any) is unchanged.

DES2 = project(DES1, [NULL/IMAGE EVENTS])is a generator of the projected closed and marked languages ofDES1, under the natural projection specified by the listed Nullor Image events. In decentralized control, DES2 could be anobserver’s local model of DES1. Not for use with vocalized DES.

DES2 = relabel(DES1, [OLD-NEW EVENT LABEL PAIRS])is a generator for the relabeled closed and marked behaviors ofDES1, where the relabeling of languages maps each listed DES1event label (alphabet element) into a specified label of DES2;unlisted DES1 labels are unchanged, while some DES2 labels maycoincide with unlisted DES1 labels. Not for use with vocalizedDES.

DES2 = vocalize(DES1, [STATE-OUTPUT PAIRS])

xvii

has the same closed and marked behaviors as DES1, but withuser-selected state output at the entrance state corresponding toeach selected (exit state, event input) pair.

DES2 = outconsis(DES1)has the same closed and marked behaviors as DES1, but is output-consistent in the sense that nonzero state outputs are unambigu-ously controllable or uncontrollable. A vocal state with outputV in the range 10...99 may be split into siblings with outputsrespectively V1 or V0 in the range 100...991.

DES2 = hiconsis(DES1)has the same closed and marked behaviors as DES1, but is hi-erarchically consistent in the sense that high-level controllableevents may be disabled without side effects. This may requireadditional vocalization together with changes in the control sta-tus of existing state outputs. hiconsis incorporates and extendsoutconsis.

DES2 = higen(DES1)is defined over the state-output alphabet of (vocalized) DES1,and represents the closed and marked state-output (or ‘high-level’) behaviors of DES1. For instance, starting with a ‘low-level’ vocalized model GLO, the sequence

OCGLO = outconsis(GLO)HCGLO = hiconsis(OCGLO)HCGHI = higen(HCGLO)

returns a DES pair (HCGLO, HCGHI) that is hierarchically con-sistent: controllable languages in HCGHI can be synthesized, viathe state-output map, as controllable languages in HCGLO.

DES3 = supnorm(DES1,DES2, [NULL/IMAGE EVENTS])

xviii

is a trim DES which represents the supremal sublanguage of thelegal language represented by DES2, that is normal with respectto the marked behavior of the plant generator DES1 and thenatural projection specified by the NULL/IMAGE event list. Notfor use with vocalized DES.

DES3 = supscop(DES1,DES2, [NULL/IMAGE EVENTS])

is a trim DES which represents the supremal normal solution tothe Supervisory Control and Observation Problem (SCOP), corre-sponding to the plant DES1, legal language DES2, and specifiednatural projection. In this solution, only observable controllableevents may be disabled. Not for use with vocalized DES.

DES3 = suprobs(DES1,DES2,[NULL/IMAGE EVENTS])

is a trim DES which represents the supremal relatively observablesublanguage of the language represented by DES2, with respectto the plant DES1, and specified natural projection. Not for usewith vocalized DES.

DES3 = supconrobs(DES1,DES2,[NULL/IMAGE EVENTS])

is a trim DES which represents the supremal controllable and rel-atively observable sublanguage of the legal language representedby DES2, with respect to the plant DES1 and specified naturalprojection. In this solution, any controllable event, observable ornot, is subject to disablement. Not for use with vocalized DES.

DES2 = supqc(DES1,[NULL/IMAGE EVENTS])

is a possibly nondeterministic DES with ‘silent’ transitions (la-belled ‘e’) which represents DES1 reduced by canonical (i.e.supremal) quasi-congruence with respect to the specified naturalprojection. The user may select whether or not to print the cor-responding state partition in MAKEIT.TXT; the printout omitssingleton cells. Not for use with vocalized DES.

DES2 = supsqc(DES1,[NULL/IMAGE EVENTS])

xix

is a possibly nondeterministic DES with ‘silent’ transitions (la-belled ‘e’) which represents DES1 reduced by canonical (i.e.supremal) strong quasi-congruence with respect to the specifiednatural projection. The user may select whether or not to printthe corresponding state partition in MAKEIT.TXT; the printoutomits singleton cells. Not for use with vocalized DES.

DES2 = allevents(DES1)is a marked one-state DES self-looped with all the events ofDES1. DES2 can be used as specification for the supervisorycontrol of DES1 with respect to the sole criterion of nonblock-ing.

(DES3,DES4) = natobs(DES1,DES2)returns a natural projection DES3 of DES1, where the projec-tion is a natural observer with (allevents) image representationDES4. The event list of DES4 is an economical extension of the“seed” event list supplied by the user in the form of an alleventsrepresentation DES2.

true/false = nonconflict(DES1,DES2)tests whether DES1, DES2 are nonconflicting, namely whetherall reachable states of the product DES are coreachable. Not foruse with vocalized DES.

true/false = isomorph(DES1,DES2)tests whether DES1 and DES2 are identical up to renumberingof states (but with initial state held fixed at 0); if so, their statecorrespondence is displayed.

true/false = (s)observ(DES1,DES2,[NULL/IMAGE EVENTS])tests whether Lm(DES2) is (strongly) (DES1,P)-observable, forthe specified natural projection P. If observability fails, a diagnos-tic is provided with state(s) and event(s) where failure occurs.Not for use with vocalized DES.

xx

UTILITIES

DES2 = BFS(DES1)is DES1 with its state set recoded by breadth-first search fromstate 0. BFS recoding can facilitate drawing a transition dia-gram, or in compensating for previous recodings introduced byoutconsis or hiconsis.

DES2 = edit(DES1)is obtained from DES1 by user-selected modifications.

ScreenDisplay = show(DES)SE displays an existing DES, SA a DAT (condat) table, SX aTXT (text) file. Tables can be browsed with Page keys. The fileMAKEIT.TXT keeps a record of user files as they are generated.

TextFile = FE(DES)/FA(DAT)is an ASCII text file PDS/PDT for printing or offline conversionto another format.

DESFile = FD(ADS)FD converts an ADS file or group of files, formed using Create(option 2), to the corresponding DES file(s).

UserDirectory = UDis a listing of the current user subdirectory.

GIF = CE(DES)CE converts a DES file to a GIF file for graphical display

LabeledTransitionGraph = DE(GIF)DE displays a GIF file obtained from CE, as a labeled transitiongraph; marker states are denoted by a double circle.

Chapter 1

Algebraic Preliminaries

This chapter provides a brief introduction to partially ordered sets (posets),lattices, the lattice of equivalence relations, and derived concepts such asthe factorization of a function through its equivalence kernel. These ideascapture, in a primitive but useful way, the general notion of ‘information’ ina feedback control loop together with that of ‘dynamic observer’ by whichsuch information is extracted. An application is sketched to the InternalModel Principle of regulation theory, in a relatively unstructured setting ofplain sets and functions.

1.1 Posets

Partially ordered sets or ‘posets’ play a basic role in system theory; for in-stance, such structures are needed to support certain concepts of optimiza-tion. Posets lead to lattices, of which the lattice of subsets (of a fixed set) andthe lattice of equivalence relations (on a fixed set) will be of key importancein the theory of formal languages.

Let X be a set. A binary relation on X is a subset of X × X, thecartesian product of X with itself. Let ≤ be a binary relation on X. We useinfix notation (as usual) and, for x, y ∈ X, write x ≤ y to mean that theordered pair (x, y) ∈ X ×X belongs to the relation ≤. The relation ≤ is a

1

2 CHAPTER 1

partial order (p.o.) on X if it is

reflexive : (∀x ∈ X)x ≤ x

transitive : (∀x, y, z ∈ X)x ≤ y & y ≤ z ⇒ x ≤ z

antisymmetric : (∀x, y ∈ X)x ≤ y & y ≤ x⇒ x = y

Elements x, y ∈ X are comparable if either x ≤ y or y ≤ x. A p.o. is a totalordering if every two elements of X are comparable. In a p.o. in general, itneedn’t be the case that two arbitrary elements x, y ∈ X are comparable; ifx, y are not comparable, we may write x <> y.

If ≤ is a partial order on X, the pair (X,≤) is a poset (or partially orderedset). If ≤ is understood, one speaks of ‘the poset X’.

Example 1(i) Let X = R (the real numbers), or X = N := 0, 1, 2, ... (the naturalnumbers), or X = Z := ...,−1, 0,+1, ... (the integers), with ≤ the usualordering.

(ii) Let X = N+ := 1, 2, 3, ... and define x ≤ y iff1 x|y (x divides y), namely(∃k ∈ N+)y = kx.

(iii) Let X = Z × Z. Let x = (x1, x2) and y = (y1, y2) belong to X. Definex ≤ y iff x1 ≤ y1 and x2 ≤ y2. Thus (7,-2) ≤ (9,-1), but (7,2) <> (-10,3).

(iv) Let A be a set and let X = Pwr(A) be the set of all subsets of A (thepower set) of A. Thus x, y, ... ∈ X are subsets of A. Define x ≤ y iff x ⊆ y.

(v) With n fixed, let X = Sn×n be the set of n× n symmetric matrices withreal elements. For P,Q ∈ X define P ≤ Q iff the matrix Q − P is positivesemidefinite.

(vi) Let X, Y be posets. Define a relation ≤ on X × Y by the recipe:

(x1, y1) ≤ (x2, y2) iff x1 ≤ x2 in X and y1 ≤ y2 in Y

Exercise 2: Verify that the definition in Example 1(v) really does turnX into a poset. By considering P and Q as quadratic forms, interpret therelation P ≤ Q in geometric terms. What is the picture if P <> Q?

1‘iff’ stands for ‘if and only if’.

1.1 3

Exercise 3: In Example 1(vi) check that (X × Y,≤) is actually a poset. Itis the product poset of X and Y .

From now on we assume that X is a poset. Let x, y ∈ X. An elementa ∈ X is a lower bound for x and y if a ≤ x and a ≤ y. An element l ∈ X isa meet (or greatest lower bound) for x and y iff

l ≤ x & l ≤ y [i.e. l is a lower bound for x and y]

& (∀a ∈ X)a ≤ x & a ≤ y ⇒ a ≤ l

[i.e. l beats every other lower bound for x and y]

Exercise 4: Check that if l, l′ are both meets for x and y then l = l′: ameet, if it exists, is unique. If it exists, the meet of x, y is denoted by x ∧ y.

Dually, an element b ∈ X is an upper bound for x, y iff x ≤ b and y ≤ b.An element u ∈ X is a join (or least upper bound) of x and y if

x ≤ u & y ≤ u & (∀b ∈ X)x ≤ b & y ≤ b⇒ u ≤ b.

If the join of x and y exists it is unique, and is written x ∨ y.

Example 5(i) Let X = Pwr(A) and x, y ∈ X. Then x∧ y = x∩ y (set intersection) andx ∨ y = x ∪ y (set union). Thus the meet and join always exist.

(ii) Let X = Z× Z, and let x = (x1, x2), y = (y1, y2) ∈ X. Then

x ∧ y = (minx1, y1,minx2, y2),x ∨ y = (maxx1, y1,maxx2, y2).

Again the meet and join always exist.

(iii) Let X = Sn×n. In general P ∨Q and P ∧Q do not exist.

Exercise 6: Explain this situation with a 2 × 2 counterexample, and drawthe picture.

Hint: Consider P = 0, Q =

[0 11 0

].

4 CHAPTER 1

Exercise 7: Investigate the existence of meet and join for the poset (N+, ·|·)defined in Example 1(ii).

The following extensions of our notation are often useful. Write x ≥ yfor y ≤ x; x < y for x ≤ y & x = y; x > y for x ≥ y & x = y. Notice that, ingeneral, the negation of x ≤ y is (either x > y or x <> y). Also let ⊥ standfor bottom element (if it exists): namely ⊥ ∈ X and ⊥ ≤ x for all x ∈ X.Similarly let ⊤ stand for top element: ⊤ ∈ X and ⊤ ≥ x for all x ∈ X.

Hasse Diagrams

A Hasse diagram for the poset (X,≤) is a directed graph with nodescorresponding to elements x ∈ X and edges to pairs (x, y) with x < y. Edgesare drawn as rising lines and are usually displayed only for ‘neighboring’ x, y.For A = α, β, γ and X = Pwr(A) the Hasse diagram is shown in Fig. 1.1.

α

α, β

⊤ = α, β, γ

⊥ = ∅

β γ

β, γα, γ

Fig. 1.1. Hasse Diagram: X = Pwr(A)

In the Hasse diagram of Fig. 1.2, a, b are both lower bounds for x, y, butx and y have no greatest lower bound: x ∧ y doesn’t exist. However, a ∧ bexists and is ⊥. Dually a ∨ b doesn’t exist, but x ∨ y = ⊤.

1.2 5

b

y

a

x

⊤

⊥Fig. 1.2. Hasse Diagram: X = ⊤, x, y, a, b,⊥

Exercise 8: Investigate the existence of ⊥ and ⊤ in (N,≤), (N+, ·|·), (Z,≤)and (Pwr(A),⊆).

Exercise 9: Define the poset X = (N, ·|·) according to x ≤ y iff x|y, i.e.(∃k ∈ N)y = kx. Thus x|0 (x ∈ N) but not 0|x if x = 0. Show that ⊥ = 1and ⊤ = 0.

1.2 Lattices

A lattice is a poset L in which the meet and join of any two elements alwaysexist; in other words the binary operations ∨ and ∧ define functions

∧ : L× L→ L, ∨ : L× L→ L

6 CHAPTER 1

It is easy to see that, if x, y, z ∈ L and if ⋆ denotes either ∧ or ∨ consistentlythroughout, then

x ⋆ x = x (⋆ is idempotent)x ⋆ y = y ⋆ x (⋆ is commutative)

(x ⋆ y) ⋆ z = x ⋆ (y ⋆ z) (⋆ is associative)

So for any k one can write x1⋆x2⋆· · ·⋆xk, say, without ambiguity, namely themeet and join are defined for arbitrary nonempty finite subsets of elementsof L.

In addition one has the easily verified relationships

x ∧ (x ∨ y) = x ∨ (x ∧ y) = x (traditionally called ‘absorption’)x ≤ y iff x ∧ y = x iff x ∨ y = y (‘consistency’)

Exercise 1: Verify the above relationships.

Exercise 2: In any lattice

y ≤ z ⇒ (x ∧ y ≤ x ∧ z) & (x ∨ y ≤ x ∨ z) (∧ and ∨ are monotone)

x ∧ (y ∨ z) ≥ (x ∧ y) ∨ (x ∧ z)x ∨ (y ∧ z) ≤ (x ∨ y) ∧ (x ∨ z) (distributive inequalities)

x ≤ z ⇒ x ∨ (y ∧ z) ≤ (x ∨ y) ∧ z (modular inequality)

Exercise 3: Investigate the lattices X = Pwr(A) and X = Z × Z to seewhether the distributive inequalities, or the right side of the modular in-equality, can be strengthened to equality.

If in a given lattice, the distributive inequalities are actually always equal-ities, the lattice is distributive; if the right side of the modular inequality isactually always equality, the lattice is modular. Clearly every distributivelattice is modular.

Let (L,∧,∨), or simply L, be a lattice and let S be a nonempty, andpossibly infinite, subset of L. To generalize the notion of meet (greatestlower bound) of the elements of S, define l := inf(S) to mean that l is anelement of L with the properties:

(∀y ∈ S)l ≤ y & (∀z ∈ L)((∀y ∈ S)z ≤ y) ⇒ z ≤ l

1.2 7

Notice that it is not required that l belong to S. Similarly, the notion of joinis generalized by defining an element u = sup(S) in dual fashion. It shouldbe clear that inf(S), sup(S) are always unique. If S is finite, then inf(S) andsup(S) reduce to the meet and join as defined above for a finite number ofelements of L, and hence always exist because L is a lattice; but if S is aninfinite subset, it need not be true that inf(S) or sup(S) exist. The latticeL is complete if, for any nonempty subset S of L, both inf(S) and sup(S)exist (as elements of L). Thus one easily verifies that L = (Pwr(A),∩,∪) iscomplete, but that L = (Z× Z,∧,∨) is not complete.

Exercise 4: Let V be a finite-dimensional linear vector space and let X =S(V ) be the set of linear subspaces of V . For subspaces x and y of V , definex ≤ y iff x ⊆ y (subspace inclusion). Verify that (X,≤) is a completelattice, where ∧ is subspace intersection and ∨ is subspace addition (i.e.vector addition extended to subspaces). Show that X is modular but notdistributive.

Exercise 5: L = (Q[0, 1], inf, sup), the rational numbers in [0,1] with theusual real-analysis definitions of inf and sup, is not complete; while L =(R[0, 1], inf, sup), the real numbers in [0,1], is complete.

Exercise 6: If L and M are lattices, show that the product poset L×M isa lattice as well. It is the product lattice of L and M . Show that L ×M iscomplete iff L,M are both complete.

Whether or not L is complete, if sup(L) (or ⊤) happens to exist then theempty subset S = ∅ ⊆ L can be brought within the scope of our definitionof inf(S) by the convention

inf(∅) = sup(L)

Similarly, if inf(L) (or ⊥) exists then one may define

sup(∅) = inf(L)

These odd-looking conventions are, in fact, forced by ‘empty set logic’, ascan easily be checked.

Exercise 7: Adjoin to the (incomplete) lattice (Z,≤) two new elements−∞, +∞ to form Z := Z ∪ −∞,+∞. Extend ≤ to Z according to

x < +∞ if x ∈ Z ∪ −∞−∞ < x if x ∈ Z ∪ +∞

8 CHAPTER 1

Show that (Z,≤) is complete and identify ⊥, ⊤.

Exercise 8: Show that, if inf(S) exists (in L) for every subset S ⊆ L, thenL is complete. Hint: Let S+ := x ∈ L|(∀y ∈ S)x ≥ y. Show thatsup(S) = inf(S+).

Let L = (X,≤) be a lattice and Y ⊆ X. We say that M := (Y,≤) is asublattice of L if Y is closed under the meet and join operations of L.

Exercise 9: Referring to Exercise 5, show that Q[0, 1] is an incompletesublattice of the complete lattice R[0, 1].

Exercise 10: For L = (X,≤) a lattice and Y ⊆ X an arbitrary subset,show that there is a (unique) smallest subset Z ⊆ X such that Y ⊆ Z andM = (Z,≤) is a sublattice of L. M is the sublattice of L generated by Y .Hint: First show that the intersection of an arbitrary nonempty collectionof sublattices of L is a sublattice.

1.3 Equivalence Relations

Let X be a nonempty set, and E ⊆ X ×X a binary relation on X. E is anequivalence relation if

(∀x ∈ X)xEx (E is reflexive)(∀x, x′ ∈ X)xEx′ ⇒ x′Ex (E is symmetric)(∀x, x′, x′′ ∈ X)xEx′ & x′Ex′′ ⇒ xEx′′ (E is transitive)

Instead of xEx′ we shall often write x ≡ x′(mod E).For x ∈ X let [x] denote the subset of elements x′ that are equivalent to

x:

[x] := x′ ∈ X|x′Ex ⊆ X

The subset [x] is the equivalence class (or coset) of x with respect to theequivalence relation E. By reflexivity x ∈ [x], i.e. every coset is nonempty.The following proposition states that any two cosets either coincide or aredisjoint.

1.3 9

Proposition 1

(∀x, y ∈ X) either [x] = [y] or [x] ∩ [y] = ∅

ProofLet x, y ∈ X. Assuming [x] ∩ [y] = ∅, let u ∈ [x] ∩ [y], so that uEx

and uEy. We claim that [x] ⊆ [y]. If x′ ∈ [x] then x′Ex. Since xEu(by symmetry) we have x′Eu (by transitivity) and so (again by transitivity)x′Ey, namely x′ ∈ [y], proving the claim. Similarly [y] ⊆ [x], and therefore[x] = [y]. 2

We write |E| for the cardinality (number of cosets) of E.Let P be a family of subsets of X indexed by α in some index set A:

P = Cα|α ∈ A, Cα ⊆ X

The family P is a partition of X if

(∀α ∈ A)Cα = ∅ (each subset Cα is nonempty)X =

∪Cα|α ∈ A (the Cα cover X)

(∀α, β ∈ A)α = β ⇒ Cα ∩ Cβ = ∅ (subsets with distinct indices arepairwise disjoint)

The second of these conditions could be written (∀x ∈ X)(∃α ∈ A)x ∈ Cα.The subsets Cα are the cells of P.

Thus for the equivalence relation E we have proved that the collection ofdistinct cosets [x] (each of them indexed, say, by some representative memberx) is a partition of X. Conversely for a partition P of X, as above, we maydefine an equivalence relation E on X by the recipe

xEy iff (∃α ∈ A)x ∈ Cα & y ∈ Cα

namely x and y are equivalent iff they belong to the same cell of P. It is easilychecked that E as just defined really is an equivalence relation on X. Withthis correspondence in mind we shall often speak of equivalence relations andpartitions interchangeably, and use the term ‘cell’ in preference to ‘coset’ or‘equivalence class’.

Let E(X), or simply E, be the class of all equivalence relations on (orpartitions of) X. We shall assign a p.o. to E in such a way that E becomesa complete lattice, as follows:

(∀E1, E2 ∈ E)E1 ≤ E2 iff (∀x, y ∈ X)xE1y ⇒ xE2y

10 CHAPTER 1

In other words E1 ≤ E2 iff, whenever x ≡ y(mod E1) then x ≡ y(mod E2);that is, every cell of E1 is a subset of some (and therefore exactly one) cellof E2. If E1 ≤ E2 one may say that E1 refines E2, or E1 is finer than E2, orE2 is coarser than E1. If E1 ≤ E2, clearly |E1| ≥ |E2|.

Exercise 2: Verify that ≤ really does define a p.o. on E; that is, ≤ isreflexive, transitive and antisymmetric.

Proposition 3In the poset (E,≤) the meet E1∧E2 of elements E1 and E2 always exists,

and is given by

(∀x, x′ ∈ X)x ≡ x′(mod E1 ∧ E2)

iff x ≡ x′(mod E1) & x ≡ x′(mod E2)

Proof (Outline)Write E := E1 ∧ E2 as just defined. Then E really is an equivalence

relation on X, that is E ∈ E. Next, E ≤ E1 and E ≤ E2. Finally if F ∈ E

and F ≤ E1, F ≤ E2 then F ≤ E. 2

Exercise 4: Supply all the details in the above proof.

The meet may be described by saying that E1∧E2 is the coarsest partitionthat is finer than both E1 and E2. In general |E1 ∧ E2| ≤ |E1| · |E2|. Thesituation is sketched in Fig. 1.3.

The definition of join is more complicated to state than the definition ofmeet.

Proposition 5In the poset (E,≤) the join E1 ∨E2 of elements E1, E2 always exists and

is given by(∀x, x′ ∈ X)x ≡ x′(mod E1 ∨ E2)

iff (∃ integer k ≥ 1)(∃x0, x1, ..., xk ∈ X)x0 = x & xk = x′

& (∀i)1 ≤ i ≤ k ⇒(xi ≡ xi−1(mod E1) or xi ≡ xi−1(mod E2)

)Exercise 6: Prove Proposition 5.

1.3 11

Fig. 1.3. Meet of Two Partitions———————— boundaries of E-cells- - - - - - - - - - - - - boundaries of F -cells(E ∧ F )-cells are formed by intersecting E-cells and F -cells

The definition of join amounts to saying that x and x′ can be chainedtogether by a sequence of auxiliary elements x1, ..., xk−1, where each link inthe chain represents either equivalence (mod E1) or equivalence (mod E2).In case k = 1, either x ≡ x′(mod E1) or x ≡ x′(mod E2). The join may bedescribed by saying that E1 ∨ E2 is the finest partition that is coarser thanboth E1 and E2. The situation is sketched in Fig. 1.4.

We have now established that (E,≤) is a lattice, the lattice of equivalencerelations (or partitions) on X. Finally we show that the lattice E is complete.

Proposition 7Let F ⊆ E be a nonempty collection of equivalence relations on X. Then

inf(F) exists; in fact

(∀x, x′ ∈ X)x(inf(F))x′ iff (∀F ∈ F)xFx′

Also sup(F) exists; in fact(∀x, x′ ∈ X)x(sup(F))x′

iff (∃ integer k ≥ 1)(∃F1, ..., Fk ∈ F)(∃x0, ..., xk ∈ X)x0 = x & xk = x′ & (∀i)1 ≤ i ≤ k ⇒ xi ≡ xi−1(mod Fi)

12 CHAPTER 1

Fig. 1.4. Join of Two Partitions———————— boundaries of E-cells- - - - - - - - - - - - - boundaries of F -cells(E ∨ F )-cells are formed by zig-zag linkage of E-cells and F -cells

Proof (Outline)As defined above, inf(F) and sup(F) are indeed equivalence relations on

X, and have the properties required by the definitions of inf and sup givenin Section 1.2. 2

Exercise 8: Supply the details.

The definition of inf(F) says that x and x′ are equivalent with respect toeach of the equivalence relations in the collection F. The definition of sup(F)says that x and x′ can be chained together by a finite sequence of elements,where each link of the chain represents equivalence (mod F ) for some F ∈ F.

In particular ⊥ = inf(E) and ⊤ = sup(E) exist and are given by

x ≡ x′(mod ⊥) iff x = x′, x ≡ x′(mod ⊤) iff true

Thus ⊥ is the finest possible partition (each singleton is a cell), while ⊤ isthe coarsest possible partition (there is only one cell: the whole set X).

We have now shown that the lattice of equivalence relations on X iscomplete.

1.3 13

To conclude this section we note that the elements of E(X) may be crudelyinterpreted as information structures on X. Thus if E ∈ E(X), and someelement y ∈ X is ‘known exactly’, we may interpret the statement ‘x ≡y(mod E)’ to mean that ‘x is known to within the cell that contains y’. [Asa metaphor, consider an ideal voltmeter that is perfectly accurate, but onlyreads out to a precision of 0.01 volt. If a voltage may be any real number andif, say, a reading of 1.23 volts means that the measured voltage v satisfies1.225 ≤ v < 1.235, then the meter determines a partition of the real lineinto cells (intervals) of length 0.01. What is ‘known’ about any measuredvoltage is just that it lies within the cell corresponding to the reading.] Onthis basis a given partition represents more information than a coarser one.The element ⊥ ∈ E stands for ‘perfect information’ (or ‘zero ignorance’),while ⊤ stands for ‘zero information’ (‘complete ignorance’). If E,F ∈ E(X)then E∧F represents ‘the information contributed by E and F when presenttogether, or cooperating.’ [Let X be the state space of an electrical network,and let E and F represent an ideal ammeter and an ideal voltmeter.] DuallyE ∨ F might be interpreted as ‘the information that E and F produce incommon.’ [With X as before, suppose the state x ∈ X of the network canbe perturbed, either by a shove or a kick. Assume that shoves and kicksare known to define partitions S and K belonging to E(X): a shove canonly perturb x to a state x′ in the same cell of S, while a kick can onlyperturb x to a state x′ in the same cell of K. If initially x is measuredwith perfect accuracy, and the network is subsequently perturbed by somearbitrary sequence of shoves and kicks, then the best available informationabout the final state y is that y ≡ x(mod S ∨K).]

Exercise 9: In a certain Nation, regarded as a network of villages, it isalways possible to make a two-way trip from any village to itself or to oneor more other villages, by at least one of the modes: canoe, footpath, orelephant. Show that, to a Traveller restricted to these modes, the Nation ispartitioned into Territories that are mutually inaccessible, but within eachof which every village can be reached from any other.

Exercise 10: For X = 1, 2, 3 present E(X) as a list of partitions of X anddraw the Hasse diagram. Repeat for X = 1, 2, 3, 4.

Exercise 11: Let E,F,G ∈ E(X). Investigate the validity of proposeddistributive identities

(?) E ∧ (F ∨G) = (E ∧ F ) ∨ (E ∧G)

14 CHAPTER 1

and(?) E ∨ (F ∧G) = (E ∨ F ) ∧ (E ∨G)

If either one is valid (i.e. holds for arbitrary E,F,G), prove it; otherwiseprovide a counterexample. Hint: Examine the first Hasse diagram of Exer-cise 10.

Exercise 12: Investigate whether E(X) is modular. That is, either provethat E(X) is modular, or show by a counterexample that it isn’t. Hint:Examine the second Hasse diagram of Exercise 10.

Exercise 13: Given two elements E,F ∈ E(X), say that elements x, x′ ∈ Xare indistinguishable, and write xIx′, if either x ≡ x′(mod E) or x ≡ x′(modF ), or possibly both. It can be checked that the binary relation I is reflexiveand symmetric but not necessarily transitive. Such a relation is a tolerancerelation. Provide examples of tolerance relations that are not transitive. IfR is any binary relation on X (i.e. R ⊆ X ×X), the transitive closure of Ris the smallest (in the sense of subset inclusion in X ×X) transitive binaryrelation that contains R. Show that the transitive closure of I is an elementof E(X) and compute this element in terms of E and F . Hint: First showthat the transitive closure of R is given by

R∗ := (x, x′)|(∃k)(∃x0, ..., xk)x = x0, x′ = xk, (∀i = 1, ..., k)xi−1Rxi

Exercise 14: For |X| = n let pn := |E(X)| (n = 1, 2, ...) and let p0 := 1.Show that

pn+1 =n∑

k=0

(nk

)pk

Deduce that (i) p2n ≥ n!2n, and (ii) pn ≤ n!. Write a program to computepn (1 ≤ n ≤ 10), and calculate pn approximately for n = 20, 30, ... (e.g.p50 ≃ 1.86× 1047).

1.4 Equivalence Kernel and Canonical Fac-

torization

Let X and Y be sets. In this section we shall write π, ρ etc. for elements ofE(X). It will be convenient to think of the elements of E(X) as partitions of

1.4 15

X. Let π ∈ E(X) and let X denote the set of (distinct) cells of π. Alterna-tively X can be taken to be a set of labels or indices for these cells. OftenX is written X/π, read ‘X mod π’. Denote by Pπ the surjective functionmapping any x to its cell (or cell label):

Pπ : X → X/π : x 7→ [x]

where [x] is the cell of xmod π. We call Pπ the canonical projection associatedwith π.

Let f : X → Y be a function with domain X and codomain Y . Withf we often associate the induced function f∗ : Pwr(X) → Pwr(Y ) takingsubsets of X into their f -images in Y :

f∗(A) := f(x)|x ∈ A, A ∈ Pwr(X) (i.e. A ⊆ X)

Thus f∗(A) ⊆ Y . In particular f∗(X) is the image of f, denoted im f . Usuallywe do not distinguish notationally between f and f∗, simply writing f(A)for f∗(A).

With f : X → Y we also associate the inverse image function f−1 :Pwr(Y ) → Pwr(X) according to

f−1(B) := x ∈ X|f(x) ∈ B, B ∈ Pwr(Y ) (i.e. B ⊆ Y )

Thus f−1(B) ⊆ X. Notice that f−1 is always well-defined, even if f does nothave an ‘inverse’ in the ordinary sense. If f happens to be bijective, then theordinary inverse of f (strictly, its induced map on subsets of Y ) coincideswith the inverse image function f−1.

Next, with f : X → Y associate an equivalence relation in E(X) calledthe equivalence kernel of f and denoted by ker f , as follows:

(∀x, x′ ∈ X)x ≡ x′(mod ker f) iff f(x) = f(x′)

For instance, ker Pπ = π. The cells of ker f are just the subsets of Xon which f assumes its distinct values in Y , and are sometimes called thefibers of f . [For illustration consider the function f : S2 → R that mapspoints on the earth’s surface into their elevation above sea level in m. Thenf−1(100) is the cell of ker f consisting of those points whose elevation is100 m.] The partition corresponding to ker f consists of the subfamily ofnonempty subsets of X formed from the family of subsets

f−1(y)|y ∈ Y

16 CHAPTER 1

Intuitively, f ‘throws away more or less information according to whetherits kernel is coarser or finer.’ [Consider the ideal voltmeter as a functionf : R → R. Compare the kernels of two voltmeters, respectively reading outto the nearest 0.01 v. and 0.001 v.]

Exercise 1: Let f : X → Y . Show that

(i) (∀B ⊆ Y )f(f−1(B)) ⊆ B;

equality holds for B iff B ⊆ im f ; and equality holds for all B ⊆ Y iffim f = Y , i.e. f is surjective.

(ii) (∀A ⊆ X)f−1(f(A)) ⊇ A;

equality holds for A iff ker f ≤ A,X − A; and equality holds for allA iff ker f = ⊥, i.e. f is injective.

(iii) Let Aα, Bβ be arbitrary families of subsets of X, Y respectively.Then

f(∪αAα) = ∪αf(Aα), f(∩αAα) ⊆ ∩αf(Aα)

f−1(∪βBβ) = ∪βf−1(Bβ), f−1(∩βBβ) = ∩βf

−1(Bβ)

Illustrate strict inclusion in the second of these distribution relations.

(iv) For all A ⊆ X,B ⊆ Y, f(A ∩ f−1(B)) = f(A) ∩B

Let f : X → Y , and let Pf : X → X/ ker f be the canonical projection.Then there is a unique function g : X/ ker f → Y such that f = g Pf . (denotes composition of functions). Indeed if z ∈ X/ker f and z = Pf (x) forsome x ∈ X, define g(z) := f(x). This definition is unambiguous becauseif, also, z = Pf (x

′) then Pf (x′) = Pf (x) and therefore f(x′) = f(x) since

kerPf = ker f . Uniqueness of g follows by the fact that Pf is surjective. Inthis way we obtain the canonical factorization of f through its equivalencekernel. The situation is displayed in the commutative diagram below.

1.4 17

X X= ker f

Y

Pf

gf

In a canonical factorization f = g Pf the left factor g is always injective.For suppose z, z′ ∈ X/ ker f and g(z) = g(z′). If z = Pf (x) and z

′ = Pf (x′)

thenf(x) = g Pf (x) = g(z) = g(z′) = g Pf (x

′) = f(x′)

namely x ≡ x′(mod ker f), so x ≡ x′(mod kerPf ), i.e.

z = Pf (x) = Pf (x′) = z′

as claimed.If π ∈ E(X) we may write Pπ : X → X/π for the canonical projection;

thus kerPπ = π.The following propositions offer variations on the foregoing theme; their

proof will be left as an exercise.

Proposition 2Suppose f : X → Y and let ρ ∈ E(X) with ker f ≥ ρ. There exists a

unique map g : X/ρ→ Y such that f = g Pρ.

X X=ρ

Y

Pρ

gf

ker f ≥ ρ

Proposition 3Suppose f : X → Y and g : X → Z and let ker f ≥ ker g. Then there

exists a map h : Z → Y such that f = h g. Furthermore h is uniquelydefined on the image g(X) ofX in Z; that is, the restriction h|g(X) is unique.

18 CHAPTER 1

Zh

Y

X

g f ker f ≥ ker g

In this situation f is said to factor through g. Intuitively, ‘g preservesenough information to calculate f (via h).’

Proposition 4If π, ρ ∈ E(X) and π ≤ ρ, there is a unique function f : X/π → X/ρ such

that Pρ = f Pπ.

X=πf

X=ρ

X

Pπ Pρ ρ ≥ π

Exercise 5: Prove Propositions 2 - 4. In Proposition 4, by drawing a pictureof X interpret ker f ∈ E(X/π) in terms of the partitions π, ρ of X.

Exercise 6: Parable of the toolmakerTo illustrate the benefits of functional factorization, consider a large field

of N ≫ 1 stones. Each stone is suited for making exactly one of k possibletools: hammer, arrowhead, ... . One fine day, the toolmaker organizes histribe to sort all the stones in the field into k piles, one for each tool. Undersuitable probabilistic assumptions, and taking into account search and sorttimes, prove that the ‘sorted architecture’ is roughly k times more efficientthan no architecture, given that the toolmaker will make N(→ ∞) tools overhis lifetime.

Example 7: Congruence of a dynamic systemA dynamic system on a set X is a map α : X → X with the following

interpretation. The elements x ∈ X are the system ‘states’, and α is the‘state transition function’. Select x0 ∈ X as ‘initial’ state and let the system

1.4 19

evolve successively through states x1 = α(x0), x2 = α(x1), ... . Write αk forthe k-fold composition of α (with α0 = identity, α1 = α). The sequenceαk(x0)|k ∈ N ∈ XN is the path of (X,α) with initial state x0.

Let π ∈ E(X) with canonical projection Pπ : X → X := X/π. We saythat π is a congruence for α if there exists a map α : X → X such thatα Pπ = Pπ α, namely the following diagram commutes.

X X

X

Pπ

α

X

Pπ

α

Proposition 8π is a congruence for α iff

kerPπ ≤ ker(Pπ α)

namely(∀x, x′)(x, x′) ∈ π ⇒ (α(x), α(x′)) ∈ π

ProofImmediate from Proposition 2, with the identifications (Y, f, ρ, g) =

(X, Pπ α, π, α). 2

If π is a congruence for α, α is the map induced by α on X. The conditionsays that α ‘respects’ the partition corresponding to π, in the sense that cellsare mapped under α consistently into cells. Thus the dynamic system (X, α)can be regarded as a consistent aggregated (or ‘high-level’ or ‘lumped’) modelof (X,α).

Exercise 9: With (X,α) fixed, let C(X) ⊆ E(X) be the set of all congruencesfor α. Show that C(X) is a complete sublattice of E(X) that contains theelements ⊤, ⊥ of E(X).

Exercise 10: Let X = X1 ×X2 and write x = (x1, x2). Suppose

α : X → X : (x1, x2) 7→ (α1(x1, x2), α2(x2))

20 CHAPTER 1

i.e. α : x 7→ x is coordinatized as

x1 = α1(x1, x2), x2 = α2(x2)

for suitable maps α1, α2. Let (x, x′) ∈ π iff x2 = x′2. Show that π is acongruence for α and find a coordinatization (i.e. a concrete representation)of (X, α).

Exercise 11: Consider a clock with hour, minute and second hands. Identifythe corresponding congruences. Hint: For the second hand alone, consider

α : R → R : t 7→ t+ 1

where t is real-valued time in units of seconds. Let P : R → R/60N = R,and identify α : R → R so the appropriate diagram commutes. Generalizethe picture to include the hour and minute hands.

Exercise 12: Let A be a set of maps α : X → X. Show that if π ∈ C(X) isa congruence for every α ∈ A then π is a congruence for every compositionαk αk−1 ... α1 of maps in A.

Exercise 13: Given a finite set X with |X| = n, construct α : X → X‘randomly’, for instance by assigning each evaluation α(x) independently bya uniform probability distribution overX. Discuss the probability that (X,α)admits at least one nontrivial congruence (i.e. other than ⊥, ⊤), especiallyas n → ∞. Hint: Show that (X,α) admits a nontrivial congruence if α isnot bijective. For fixed n calculate the fractional number of such α and thenuse Stirling’s formula.

Exercise 14: Let X be a finite-dimensional linear vector space (over R, say)and assume α : X → X is linear. Describe C(X) (as in Exercise 9).

Exercise 15: With X a set and x0 ∈ X, let α : X → Pwr(X). Thetriple (X, x0, α) is a nondeterministic dynamic system. A path of (X,α) withinitial state x0 is either an infinite sequence xk|k ≥ 0 with xk ∈ α(xk−1)(k ≥ 1) or a finite sequence xk|0 ≤ k ≤ n with xk ∈ α(xk−1) (1 ≤ k ≤ n)and α(xn) = ∅. Let π ∈ E(X), Pπ : X → X := X/π. If S ⊆ X writePπS = Pπx|x ∈ S ⊆ X. We say that π is a quasi-congruence for (X,α) if

(∀x, x′ ∈ X)Pπx = Pπx′ ⇒ Pπ α(x) = Pπ α(x′)

where Pπ α(x) := Pπ (α(x)).

1.4 21

(i) Show that⊥ ∈ E(X) is a quasi-congruence and that the quasi-congruencesfor (X, x0, α) form a complete upper semilattice under the join opera-tion of E(X), namely if πλ ∈ E(X) is a quasi-congruence for each λ ∈ Λ(some index set) then so is

supπλ|λ ∈ Λ

Find an example showing that if π1, π2 are quasi-congruences, π1 ∧ π2need not be. Show also that ⊤ ∈ E(X) need not be a quasi-congruence.

(ii) Show that, if π is a quasi-congruence, there exists a unique (induced)mapping α : X → Pwr(X) such that the following diagram commutes.

x0 2 X Pwr(X)

Pwr(X)

Pπ

α

x0 2 X

Pπ

α

In particular let

ρ := supπ|π is a quasi-congruence for (X, x0, α)

with X := PρX and (X, x0, α) the corresponding nondeterministic dy-namic system. Show that ⊥ ∈ E(X) is the only quasi-congruence for(X, x0, α).

(iii) For π ∈ E(X) and α : X → Pwr(X) define π · α ∈ E(X) according to

x ≡ x′(mod π · α) iff Pπ α(x) = Pπ α(x′) in Pwr(X/π)

Let E = x ∈ X|α(x) = ∅ and let ρ0 ∈ E(X) be given by the partitionρ0 = E,X − E. Now consider the sequence ρn ∈ E(X):

ρn = ρn−1 ∧ (ρn−1 · α), n ≥ 1

Assuming X is finite, and with ρ as in (ii), show that

ρ = lim ρn(n→ ∞)

the limit being achieved in finitely many steps. In particular, if E = X,so ρ0 = ⊤, then also ρ = ⊤.

22 CHAPTER 1

(iv) Let X = 0, 1, ..., 10, x0 = 0, and let α : X → Pwr(X) be given bythe following table.

x 0 1 2 3 4 5 6 7 8 9 10

α(x)

3 3 ∅ 0 1 0 1 1 ∅ 0 14 1 2 2 8 2 2 8

2 5 9 10 97

Use the algorithm in (iii) to compute ρ, and specify (X, x0, α).

(v) In (iv) choose arbitrarily a state-output function γ : X → 0, 1, soker γ is a binary partition of X. Re-compute ρ subject to the additionalcondition ρ ≤ ker γ, say by setting

ρ0 = E,X − E ∧ ker γ

Is it possible to choose γ in such a way that ρ =⊥?

(vi) In general, assume that ρ = ⊥ and let x′, x′′ ∈ X with x′ = x′′.Prove that there exists a sequence of possible output measurements,say Y = y(0), y(1), . . . that distinguishes x′, x′′ as possible initialstates, namely Y is either possible for x′ but not for x′′ or possiblefor x′′ but not for x′. Provide a counterexample to show that, even ifρ = ⊥, in general there needn’t exist any sequence Y from which theinitial state can be determined uniquely.

(vii) Consider a sequence Yk = y(0), y(1), . . . , y(k) of k + 1 possible con-secutive output measurements corresponding to some (unknown) initialstate x0. That is,

Yk = γ(x(j))|x(j) ∈ αj(x0), j = 0, 1, . . . , k

Obtain a formula for Xk ⊆ X, the subset of all x0 in X that arecompatible with Yk. Namely, Xk is ‘the best information availableabout x0 based on the measurements Yk.’

(viii) Obtain a recursive formula for the best estimate of the current statex(k) based on Yk. Namely, if this is the subset Wk ⊆ X, show howWk+1 can be updated from Wk and y(k + 1).

1.4 23

Exercise 16: Let L be a complete lattice. A function ψ : L → L ismonotoneif, for all ω, ω′ ∈ L, ω ≤ ω′ implies ψ(ω) ≤ ψ(ω′). An element ω ∈ L is afixpoint of ψ if ω = ψ(ω).

Show that if ψ is monotone it has at least one fixpoint. Hint: Let

Ω↑ := ω ∈ L|ω ≤ ψ(ω)

Note that ⊥ ∈ Ω↑. Define ω∗ := supΩ↑, and show that ω∗ is a fixpoint of ψ.Now let Ω be the set of all fixpoints of ψ. Clearly Ω ⊆ Ω↑. Show that ω∗

is the greatest fixpoint of ψ, namely ω∗ ∈ Ω and thus ω∗ = supΩ. Dually let

Ω↓ := ω ∈ L|ω ≥ ψ(ω)

Note that ⊤ ∈ Ω↓, and define ω∗ := inf Ω↓. Show that ω∗ is the least fixpointof ψ, namely ω∗ ∈ Ω and thus ω∗ = inf Ω.

Suppose that ω1, ω2 ∈ Ω. Is it true that ω1 ∨ ω2, ω1 ∧ ω2 ∈ Ω? In eachcase either prove the positive statement or provide a counterexample.

For a sequence ωn ∈ L|n ∈ N write ωn↓ if the ωn are nonincreasing, i.e.ωn ≥ ωn+1 for all n. The function ψ is downward continuous if, wheneverωn ∈ L and ωn↓, then

ψ(infnωn) = inf

nψ(ωn)

Show that if ψ is downward continuous, it is necessarily monotone. For acounterexample to the converse see Exercise 19.

In case ψ is downward continuous show that

ω∗ = infψk(⊤)|k ∈ N

Exercise 17: Let L be a complete lattice. For a sequence ωn ∈ L|n ∈ Nwrite ωn ↑ if the ωn are nondecreasing, i.e. ωn ≤ ωn+1 for all n. Say thefunction ψ : L → L is upward continuous if, whenever ωn ∈ L and ωn↑, then

ψ(supnωn) = sup

nψ(ωn)

Dualize the results of Exercise 16 for upward continuity.

Exercise 18: Let ψ : E(N) → E(N). Show that ψ monotone and upward(resp. downward) continuous does not imply ψ downward (resp. upward)continuous.

24 CHAPTER 1

Exercise 19: (Yingcong Guan) In E(N) define

ω0 = ⊤ω1 = (0, 1), (2, 3, ...)ωn = (0, 1), (2), ..., (n), (n+ 1, n+ 2, ...), n ≥ 2

Write |π| for the number of cells of π ∈ E(N). Define ψ : E(N) → E(N)according to

ψ(ωn) = ωn+1, n ≥ 0

ψ(π) =

ωn if π = ωn and |π| = n+ 1 (n ≥ 1)⊥ if |π| = ∞

Show that ψ is monotone, investigate the fixpoint(s) of ψ, and calculateψ(inf

nωn) and inf

nψ(ωn).

Exercise 20: ObserversLet α : X → X be an arbitrary function. Recall that an element

ω ∈ E(X) is a congruence for α if, whenever x ≡ x′(mod ω) then α(x) ≡α(x′)(mod ω), i.e. α ‘respects’ the partition induced by ω. Define ω·α ∈ E(X)according to:

ω · α = ker(Pω α)

Thus x ≡ x′(mod ω ·α) iff α(x) ≡ α(x′)(mod ω). Then ω is a congruence forα iff ω ≤ ω · α.

(i) Let γ : X → Y be a function from X to a set Y . We define the observerfor the triple (X,α, γ) to be the equivalence relation

ωo := supω ∈ E(X)|ω ≤ (ker γ) ∧ (ω · α)

Thus the observer is the coarsest congruence for α that is finer thanker γ. Define ψ : E(X) → E(X) according to ψ(ω) := (ker γ) ∧ (ω · α).Show that ψ is monotone and that ωo is the greatest fixpoint of ψ.Prove that ψ is downward continuous, and that consequently

ωo = inf(ker γ) · αi−1|i = 1, 2, ...

where αj is the j-fold composition of α with itself.

1.4 25

(ii) We interpret the observer as follows. Consider a dynamic system withstate x ∈ X and discrete-time transition function α. When started instate x(0) at t = 0, the system generates the sequence of states, ortrajectory, given by

x(t+ 1) = α (x(t)) , t = 0, 1, 2, ...

With γ an output map, the system generates the corresponding se-quence of outputs, or observations

y(t) = γ (x(t)) , t = 0, 1, 2, ...

Thus ωo represents the information available about the initial state x(0)after observation of the entire output sequence y(t)|t = 0, 1, 2, ...:the observations cannot resolve the uncertainty about x(0) more finelythan ωo. On this basis the pair (γ, α) is said to be observable if ωo = ⊥,namely the observation sequence determines the initial state uniquely.

(iii) Calculate ωo when α, γ are defined as follows:

X = 1, 2, 3, 4, 5, 6, 7

x 1 2 3 4 5 6 7

α(x) 2 3 4 5 1 7 5γ(x) r r r g g r g

Here r, g stand for ‘red’ and ‘green’. What conclusions can be drawnabout the system from your result for ωo? With reference to Example 7,take π = ω0, explicitly coordinatize X = X/ω0, Pω0 , and the inducedtransition map α, and verify that α Pω0 = Pω0 α.Similarly, establish the existence and uniqueness, and a coordinatiza-tion, of the induced output map γ : X → Y such that γ Pω0 = γ.Verify that the pair (γ, α) is observable. These results can be displayedas shown below.

(iv) Calculate ωo for the following. Let X = N× N, and for (i, j) ∈ X,

α(i, j) = (i+ 1, j)

γ(i, j) =

0, i ≤ j1, i > j

Sketch the cells of ωo in the N2 plane, and coordinatize as in (iii).

26 CHAPTER 1

X X

X

α

Xα

P!0P!0

Y

γ

γ

(v) Very often in practice one is more interested in the current state x(t),as inferred from the observation set O(t) := y(0), y(1), ..., y(t), thanin the initial state as estimated in the long run. Define

ωt = ker γ ∧ ker(γ α) ∧ ... ∧ ker(γ αt)

Xt = X/ωt

After observations O(t), the uncertainty in x(0) is represented by anelement of Xt (i.e. cell of ωt in X), inducing a map Pt : Y

t+1 → Xt.The corresponding uncertainty in x(t) is just the subset

αt(x′)|x′ ∈ Pt(O(t)) ⊆ X

Discuss how to compute this subset in recursive fashion, ‘online’, andillustrate using the examples in (iii), (iv).

(vi) Just because a system is observable, it need not be true that muchuseful information can be gained about x(t) from O(t), even for large t.From this viewpoint investigate the ‘chaotic’ system defined as follows.

X := x ∈ R|0 ≤ x < 1

For x ∈ R, x ≥ 0, write x = integ(x) + fract(x), where integ(x) ∈ Nand 0 ≤ fract(x) < 1; and define α : X → X, γ : X → N according to

α(x) := fract(10x), γ(x) := integ(10x)

Exercise 21: ExponentiationLet α, β, γ ∈ E(X) and write [x] for the cell of x ∈ X (mod γ). Define

fα : X → Pwr(X/α) according to

fα(x) := Pα(x′)|x′ ∈ [x]

1.4 27

where Pα : X → X/α is the canonical projection; and similarly for fβ. Write

℘(α) := ker fα

the exponentiation of α with respect to γ. Show that |℘(α)| ≤ 2|α| and that

℘(α ∧ ℘(β)) = ℘(α) ∧ ℘(β)= ℘(℘(α) ∧ β)

If in particular α ≤ β then ℘(α) ≤ ℘(β), so

℘(α ∧ ℘(β)) = ℘(α)

Exercise 22: Independent functionsLet µ, ν ∈ E(X). Define the composition µ ν to be the binary relation

R ⊆ X × X such that (x, x′) ∈ R iff for some x′′ ∈ X, x ≡ x′′(mod µ) andx′′ ≡ x′(mod ν). Show that µ ν ∈ E(X) iff µ and ν are permutable, namelyµ ν = ν µ.

Now let f : X → Y, g : X → Z, both surjective. Say that the functionsf, g are independent if

(ker f) (ker g) = ⊤ ∈ E(X)

Show that f, g are independent iff

(∀x ∈ X) g∗ f−1(f(x)) = Z

or equivalently(∀x ∈ X) f∗ g−1(g(x)) = Y

In that case ‘knowing the result of a measurement f(x) (resp. g(x)) providesno information about the corresponding measurement g(x) (resp. f(x)).’

Let f : X → Y be surjective, and K ⊆ X with f(K) = Y . Let κ =K,X − K ∈ E(X). Show that κ ker f = ⊤, namely ‘knowledge merelythat x ∈ K provides no information about f(x) ∈ Y .’

Finally, generalize to an arbitrary family of equivalences µ1, . . . , µk ∈E(X) or surjections fi : X → Yi (i = 1, . . . , k).

28 CHAPTER 1

2

1.5 Application: Internal Model Principle

In this section we develop further the ideas of dynamic system (Exam-ple 1.4.7), congruence and observer (Exercise 1.4.20), to obtain a simpleabstract version of the Internal Model Principle (IMP) of regulation theory.The latter states that an ideal feedback regulator will include in its internalstructure a dynamic model of the external ‘world’ behavior that the regulatortracks or regulates against.

First we consider the restriction of an observer to an invariant subset. Asin Example 1.4.7 let α : X → X be a dynamic system, and let Z ⊆ X be asubset of X. It is convenient to represent the subset property by means of aso-called insertion map as follows. Regard Z simply as a set in its own right,initially with no special relation to X, and bring in an injection

inZ : Z → X : z 7−→ inZ(z) ∈ X

Thus inZ is a mechanism by which elements z ∈ Z are endowed with statusas elements inZ(z) ∈ X, perhaps by a transformation from ‘local’ (in Z)to ‘global’ (in X) coordinates. To highlight the distinction between Z as a‘local’ object and a ‘global’ object embedded in X we may sometimes write

inZ : Zloc → X, Z = inZ(Zloc)

Say Z is an α-invariant subset of X if there exists a map αZ : Zloc → Zloc

such that

α inZ = inZ αZ

namely the following diagram commutes:

Zloc Zloc

X

αZ

Xα

inZinZ

2Not needed in the sequel.

1.5 29

The map αZ is the restriction of α to Z, and is defined just when Z isα-invariant. [In traditional terminology, ‘Z ⊆ X is α-invariant if α(z) ∈ Zfor every z ∈ Z.’] Often αZ is written α|Z.

Similarly, if f : X → Y and Z ⊆ X then the restriction of f to Z, writtenfZ or f |Z, is defined to be fZ := f inZ , as in the diagram

XinZ

Zloc Yf

fZ

Next let π ∈ E(X) be an equivalence relation on X. We restrict π toZ ⊆ X simply by intersecting the cells of π with Z. Namely π|Z ∈ E(Z) isdefined by

z ≡ z′(mod π|Z) iff inZ(z) ≡ inZ(z′)(mod π) (1.1)

for all z, z′ ∈ Z. This rule inserts cells of Z/π|Z (considered as subsets ofZ) into cells of X/π (considered as subsets of X), and in turn determines aninsertion

inZ/π|Z : Z/π|Z → X/π

Indeed, distinct cells of π|Z are subsets (in Z) of distinct cells of π (in X).In terms of natural projections p(.) we now have the diagram

Zpπ|Z - Z/π|Z

X

inZ

?

pπ- X/π

inZ/π|Z

?

(1.2)

Exercise 1: Verify in detail that π|Z as defined by (1.1) is an elementof E(Z), and then that inZ/π|Z in (1.2) exists, is unique, and is injective.

30 CHAPTER 1

Alternatively, one could proceed more formally as follows. In the diagrambelow, let ρ := ker(Pπ inZ) and consider the canonical factorization

Pπ inZ = j Pρ (j injective)

Then ρ is the ‘restriction of π to Z’ while j is the required insertion.

Zloc

inZ - X

Zloc/ρ

Pρ

?

j- X/π

Pπ

?-

As in Exercise 1.4.20 let γ : X → Y denote an ‘output’ map for thedynamic system (X,α). If Z ⊆ X and α(Z) ⊆ Z we could compute an‘observer on Z’ in two different ways:

1. Compute the ‘local observer’ on Z using the restrictions α|Z and γ|Z.Call the result ωZ ∈ E(Z).

2. Compute the ‘global observer’ ω ∈ E(X), then restrict to Z to getω|Z ∈ E(Z).

Happily the results coincide.

Proposition 2 (Local observer = restricted global observer)

ωZ = ω|Z

2

We say that Z ⊆ X with α(Z) ⊆ Z is detectable with respect to (X,α, γ)if ω|Z = ⊥, namely Z is ‘locally observable’.

Exercise 3: Prove Proposition 2.

1.5 31

Consider now the following standard block diagram for regulation.

Exosystem Controller Plantoutputcontrolerrorreference

feedback

Here Exosystem (E), Controller (C) and Plant (P) are dynamic systemswhich generate, via suitable output maps, the reference, control and outputsignals respectively. The objective of regulation is to ensure that the outputsignal coincides (eventually) with the reference, namely the system ‘tracks’.To this end the output is ‘fed back’ and compared (via ⊗) to the reference,and the resulting tracking error signal used to ‘drive’ the controller. Thelatter in turn controls the plant, causing its output to approach the reference,so that the tracking error eventually (perhaps as t→ ∞) approaches ‘zero’.

Our aim is to show that this setup implies, when suitably formalized, thatthe controller incorporates a model of the exosystem: this statement is theInternal Model Principle.

We formalize the exosystem E as a dynamic system (XE, αE), and thetotal system, comprising E,C and P, as a dynamic system (X,α). Very oftenX will be of simple product form X = XE×XC×XP and α = αE×αC×αP :X → X, where

αE : XE → XE

αC : XE ×XC ×XP → XC

αP : XE ×XC ×XP → XP

In fact we do not need this degree of detail here. We shall, however, assumethat the feedback loop, comprising C,P interconnected as shown, enjoys astability property with the consequence that E ‘induces’ a correspondingaction on a unique α-invariant subset of X, namely there exists an injection

32 CHAPTER 1

iE : XE → X such that the following diagram commutes:

XE

αE - XE

X

iE

?

α- X

iE

?

(1.3)

Thus iE is assumed to be determined by

α iE = iE αE (1.4)

together with injectivity, and uniqueness of iE(XE). In that case iE itself isonly unique up to an automorphism φE : XE → XE, namely φE is a bijectionsuch that φEαE = αEφE. Then iE can always be replaced by iE := iEφE.

Exercise 4: Suppose XE = R1, XS = R1, X = XE ⊕XS,

αE = 2, α =

[2 01 1/3

]

Show that iE =

[13/5

], determined by (1.4), is the eigenvector of α with

eigenvalue 2, and that iE(XE) is its span.

As to the controller, we assume that its state set XC can be projectedfrom X by a surjection γ : X → XC.

The target subset for regulation (conventionally, states x ∈ X where thetracking error is zero) will be modeled as a subset K ⊆ X. We assume thatthe condition x ∈ K places no restriction on γ(x) ∈ XC; that is, knowledgemerely that x ∈ K yields no information about the control state xC = γ(x) ∈XC; briefly

γ(K) = XC (1.5)

namely any control state xC ∈ XC corresponds to some x ∈ K.

1.5 33

From now on we write iE(XE) = XE ⊆ X. We assume that the controlleris capable of identifying the state in XE induced inX by the exosystem. Thusconsider the time history

x(0) = x0 ∈ X, x(t+ 1) = α(x(t)), t ∈ N

Suppose x0 ∈ XE and the controller records

xC(t;x0) = γ(x(t)), t ∈ N

Then we assume x0 can be determined from the data

xC(t; x0)|t ∈ N

This means precisely that

XE is detectable with respect to (X,α, γ) (1.6)

Next we turn to feedback structure. By this we mean that the controlleris externally driven only when the system state deviates from the desiredsubset K ⊆ X (where ‘the error is zero’). Equivalently, as long as x ∈ K,the controller behaves as an autonomous dynamic system on XC. Formally,let x ∈ K. The control state is xC = γ(x) ∈ XC. Feedback implies that the‘next’ controller state

x′C = γ(x′) = γ(α(x)) = γ α(x)

depends only on xC = γ(x); i.e. for x ∈ K, γ α(x) can be computed fromγ(x). Equivalently

ker(γ|K) ≤ ker(γ α|K) (1.7)

There is no implication, of course, that x′ = α(x) ∈ K; in general K itselfwill not be α-invariant.

Finally we bring in the regulation condition, namely that the inducedsubset XE lie in K:

XE ⊆ K (1.8)

In applications, loop stability will typically ensure that XE ⊆ X is a globalattractor, namely for any initial condition x(0) ∈ X the motion x(t) will

34 CHAPTER 1

converge to XE as t → ∞; then (1.8) will ensure asymptotic regulation, asrequired. Note that K ⊆ X can be modeled by its insertion κ : Kloc → X,leading in view of (1.8) to an injection jE : XE → Kloc as shown below.

XE

Kloc

κ -

jE

X

iE

?

iE = κ jE (1.9)

Exercise 5: Prove that jE in (1.9) exists, is unique, and is injective.

Now we have the sought-for result. Write

αE = α|XE, γE = γ|XE

Theorem 6: Internal Model Principle

Subject to the foregoing assumptions:

(i) There exists a unique mapping αC : XC → XC determined by

αC γ|K = γ α|K

(ii) αC γE = γE αE

(iii) γE is injective

Proof

(i) Let xC ∈ XC. By (1.5) there is x ∈ K (so x ∈ X) with γ(x) = xC.Define αC(xC) := γ α(x). The definition is unambiguous, for x′ ∈ Kand γ(x′) = xC imply x′ ≡ x(mod ker γ), namely (as x, x′ ∈ K)x′ ≡ x(mod ker γ|K). By (1.7), x′ ≡ x(mod ker(γ α|K)) and soγ α(x′) = γ α(x). The situation is displayed below.

1.5 35

Xα

γX

X

XC

γ

αC

γ α|Kγ|K

κ

κ

Kloc

XC

(ii) Let x ∈ XE. Since XE ⊆ K, from (i) we get αC γ(x) = γ α(x). Butα(x) = αE(x) and α(x) ∈ XE, so

αC γE(x) = γE αE(x)

as claimed.

(iii) Recalling Exercise 1.4.20, let ω ∈ E(X) be the observer for (γ, α), andωE := ω|XE its restriction to XE. By observer theory

ωE = supω′ ∈ E(XE)|ω′ ≤ ker γE ∧ (ω′ αE)= ⊥

using (1.6). Also, (1.7) with restrictions to XE implies

ker γE ≤ ker(γE αE) = (ker γE) αE

Therefore ker γE ≤ ωE = ⊥, namely γE is injective as asserted. 2

36 CHAPTER 1

Our results can be displayed in the commutative diagram:

Xα

γ

Kloc

X

X

XC XC

κ

γ

γK

iEiE

XEXE

αE

jE

κ

αC

Here γK := γ|K = γ κ. Thus

γE = γ|XE = γ iE = γ (κ jE)= (γ κ) jE= γK jE

Finally, therefore, we have the diagram

XE

αE - XE

XC

γE

?

αC

- XC

γE

?

This may be paraphrased by saying that the controller dynamics faith-fully simulate the dynamics of the exosystem under the condition of perfectregulation. The ‘internal model’ in the controller is the dynamic system(γE(XE), αC |γE(XE)).

Example 7

1.5 37

Let the exosystem E be given by

XE = 0, 1, . . . , N − 1, αE(i) = i+ 1(mod N), i ∈ XE

We identify the plant P with the controller C and take

XC = 0, 1, . . . , N − 1 =: N, say

We take X = XE ×XC and let α : X → X be given by

α(i, j) =

(i+ 1, j + 1) if j = i

(i+ 1, j) if j = i

where evaluations of i, j are (mod N). Thus controller logic is to maintaintracking of xC = j ∈ XC with respect to xE = i ∈ XE, if j = i, or else todelay xC until tracking is achieved.

For the action induced by E in X we have iE : XE → X given by

iE(i) = (i, i), i ∈ N

Clearly α iE = iE αE as required by (1.4), and iE is essentially unique andis injective.

Next, γ : X → XC is given by

γ(i, j) = j, (i, j) ∈ N×N

SettingK = (i, j) ∈ X|j = i

= (i, i)|i ∈ Nwe have γ(K) = i|i ∈ N = XC as in (1.5).

To check detectability as in (1.6) we compute the local observer corre-sponding to the restriction of (γ, α) to

XE = iE(XE) = (i, i)|i ∈ N

ThenγE(i, i) = i, αE(i, i) = (i+ 1, i+ 1)

and thus ωE = ⊥ as required. The regulation condition (1.8) is simply

XE = iE(XE) = (i, i)|i ∈ N = K

38 CHAPTER 1

For (1.9), we can model

Kloc = N, κ : Kloc → X : i 7−→ (i, i)

whilejE : XE → Kloc : i 7−→ i

so that evidently iE = κ jE as stated.Finally, Theorem 6 provides

αC : XC → XC : i 7−→ i+ 1

withαC γE(i, i) = αC(i) = i+ 1

γE αE(i, i) = γE(i+ 1, i+ 1) = i+ 1

as the theorem asserts.It is interesting to note that XE ⊆ X plays the role of ‘global attractor’

in the sense that if x(0) = (i0, j0) is arbitrary, then

x(t) −→ XE as t→ ∞ (1.10)

In fact x(t) ∈ XE for all t ≥ N − 1. With this feature we can augment thediagram (1.3) as follows. Consider the mapping

pE : X → XE : (i, j) 7−→ i

and notice that ker pE is a congruence for α, namely

ker pE ≤ ker(pE α)

Thus we have the diagram

Xα - X

XE

pE

?

αE

- XE

pE

?

1.5 39

for a unique induced map αE. Since for i ∈ XE we have i = pE(i, j) for anyj, there follows:

αE(i) = αE pE(i, j)= pE α(i, j)= i+ 1

= αE(i)

and we can identify αE = αE. Also

pE iE(i) = pE(i, i) = i

namely pE iE = idE, the identity on XE. Thus the diagram (1.3) can beaugmented to

α

αE

αE

iE iE

pEpE

idEidE

XE

XE

XE

XE

X X

Intuitively, pE ‘projects out the stable behavior of α’ to recover the ‘unstablebehavior’ αE. Notice that the augmented diagram is valid whenever X is ofproduct form, having XE as a factor, and pE : X → XE.

Exercise 8: In a sketch of N × N locate XE and exhibit the convergence(1.10) and the motion on XE(= K). What are the cells of ker pE and howdo they move under αE?

Exercise 9: Extend Exercise 4 by taking XP = XS and introducing suitablefeedback control structure to ensure that P tracks E as t → ∞. Identify allthe elements discussed in this section.

Exercise 10: Extend Example 7 to a richer structure with physical signifi-cance.

40 CHAPTER 1

Exercise 11: Parametrized internal modelIn this exercise we propose a generalization of Theorem 6 which accom-

modates a family of plant models distinguished by a parameter µ with valuesin a set M . With XE, αE as before, now consider the diagram

M ×XE

idM × αE- M ×XE

M ×X

idM × iE

?

idM × α- M ×X

idM × iE

?

(1.11)

Here(idM × αE)(µ, xE) = (µ, αE(xE)) ∈ M ×XE (1.11a)

(idM × iE)(µ, xE) = (µ, iE(µ, xE)) ∈ M ×X (1.11b)

(idM × α)(µ, x) = (µ, α(µ, x)) ∈ M ×X (1.11c)

Thus α, but not αE, will depend on µ and, as the diagram is assumedto commute, iE will depend on µ as well. The regulation condition (1.9)generalizes to:

M ×XE

M ×Kloc

idM × κ-

idM × jE

M ×X

idM × iE

?

(1.12)

Here

(idM × jE)(µ, xE) = (µ, jE(µ, xE)) ∈M ×Kloc

(idM × κ)(µ, ξ) = (µ, κ(ξ)) ∈M ×X

Thus Klocκ−→X is a fixed subset of X as before. Note that iE = κ jE. The

diagram (1.12) states that regulation holds for all values of µ ∈M .

1.5 41

For simplicity we assume an explicit product structure

α = αE × αP × αC, X = XE ×XP ×XC (1.13)

where

αP :M ×X −→ XP : (µ, x) 7→ αP(µ, x)

αC :M ×X −→ XC : (µ, x) 7→ αC(µ, x)(1.14)

for suitable maps αP, αC. Here the formal dependence of αC on µ is reallygratuitous. In practice it is usually assumed that the controller can be fixedand made independent of plant parameters; on this basis we shall write simplyαC = αC(x).

In view of (1.13), (1.14) we write

iE = idE × iP × iC

where

iP :M ×XE −→ XP : (µ, xE) 7→ iP(µ, xE)

iC :M ×XE −→ XC : (µ, xE) 7→ iC(µ, xE)

The diagram (1.11) is now equivalent to:

αP(µ, xE, iP(µ, xE), iC(µ, xE)) = iP(µ, αE(xE)) (1.15a)

αC(xE, iP(µ, xE), iC(µ, xE)) = iC(µ, αE(xE)) (1.15b)

to hold for all µ ∈M,xE ∈ XE.The regulation condition will be specialized to constrain the pair (xE, xP)

but not xC. Thus the target set for regulation is

K = KEP ×XC

where KEP ⊆ XE ×XP. We therefore take

Kloc = KEP,loc ×XC

and(idM × κ)(µ, xEP,loc, xC) = (µ, κ(xEP,loc, xC))

whereκ(xEP,loc, xC) = (xEP, xC) ∈ KEP ×XC

42 CHAPTER 1

with xEP independent of xC. Regulation requires that

iE(µ, xE) = (xE, iP(µ, xE), iC(µ, xE))

with

(xE, iP(µ, xE)) ∈ KEP

By (1.12),

iE(µ, xE) = κ jE(µ, xE)

so that

(xE, iP(µ, xE), iC(µ, xE)) = κ jE(µ, xE) (1.16)

Let PP : X → XP be the natural projection. Then (1.16) implies

iP(µ, xE) = PP κ jE(µ, xE) (1.17)

If this expression is substituted for iP(µ, xE) in (1.15), we obtain equationsof the form

αP(µ, xE, jE(µ, xE), iC(µ, xE)) = PP κ jE(µ, αE(xE)) (1.18a)

αC(xE, jE(µ, xE), iC(µ, xE)) = iC(µ, αE(xE)) (1.18b)

to hold for all µ ∈M,xE ∈ XE. We make the basic assumption that XC andαC have been chosen such that the functional equations (1.18) are solvablefor functions jE and iC, identically in µ and xE. This is the property of struc-turally stable regulation. We note from (1.18b) that if the function αC can beshown to be independent of its first two arguments xE, jE (i.e. the controlleris autonomous on K), and if iC is injective, then error feedback structureand the internal model property of the controller will follow. The followingis a simple illustration, in which we focus on regulation, for simplicity takinginto account structural, but not dynamic, stability.

Example 12: Oscillator driving first-order lagLet E be given by

x′1 = x2, x′2 = −x1, xE = [x1 x2] ∈ R2×1

1.5 43

P by

x′3 = µ1x1 + µ3x3 + µ4x4, xP = x3 ∈ R1, µ = [µ1 µ3 µ4] ∈ R3

and C by

x′4 = c41x1 + c43x3 + c44x4 + c45x5

x′5 = c51x1 + c53x3 + c54x4 + c55x5, cij ∈ R, xC = [x4 x5] ∈ R2×1

Thus in matrix form the relevant maps for this linear system are:

αE =

[0 1 0 0 0

−1 0 0 0 0

]∈ R2×5

αP = [µ1 0 µ3 µ4 0] ∈ R1×5

αC =

[c41 0 c43 c44 c45c51 0 c53 c54 c55

]∈ R2×5

α =

αE

αP

αC

∈ R5×5

Let

iE =

1 00 1i1 i2i11 i12i21 i22

∈ R5×2

Then (1.11) translates as0 1 0 0 0

−1 0 0 0 0µ1 0 µ3 µ4 0c41 0 c43 c44 c45c51 0 c53 c54 c55

1 00 1i1 i2i11 i12i21 i22

=

1 00 1i1 i2i11 i12i21 i22

[

0 1−1 0

](1.19)

For the regulation condition we assume x1 − x3 = 0, namely

x ∈ K := ker [1 0 − 1 0 0] ⊆ X = R5

so that we may takeKloc = R4 = im I4×4

44 CHAPTER 1

and then κ : Kloc −→ K is represented by

κ :=

1 0 0 00 1 0 01 0 0 00 0 1 00 0 0 1

Now (1.12), or κ jE = iE, becomes

1 0 0 00 1 0 01 0 0 00 0 1 00 0 0 1

j11 j12j21 j22j31 j32j41 j42

=

1 00 1i1 i2i11 i12i21 i22

which yields (uniquely)

jE =

1 00 1i11 i12i21 i22

, iE =

1 00 11 0i11 i12i21 i22

Substitution in (1.19) results in

0 1 0 0 0−1 0 0 0 0µ1 0 µ3 µ4 0c41 0 c43 c44 c45c51 0 c53 c54 c55

1 00 11 0i11 i12i21 i22

=

1 00 11 0i11 i12i21 i22

[

0 1−1 0

](1.20)

giving the 6 equations

µ1 + µ3 + µ4i11 = 0, µ4i12 = 1c41 + c43 + c44i11 + c45i21 = −i12, c44i12 + c45i22 = i11c51 + c53 + c54i11 + c55i21 = −i22, c54i12 + c55i22 = i21

1.5 45

Formally these yield, in turn, the 4 evaluations

i11 = −(µ1 + µ3)/µ4, i12 = 1/µ4

i21 =−1− µ4(c41 + c43) + (µ1 + µ3)c44

µ4c45

i22 =−(µ1 + µ3)− c44

µ4c45

and then the 2 relations

(µ1+µ3)(c44c55−c45c54−1)+µ4 (c55(c41 + c43)− c45(c51 + c53))−(c44+c55) = 0(1.21a)

(µ1 + µ3)(c44 + c45)− µ4(c41 + c43) + (c44c55 − c45c54 − 1) = 0 (1.21b)

Now (1.21) will hold identically in µ if and only if the controller coefficientscij (i = 4, 5; j = 1, 3, 4, 5) are chosen to satisfy

c41 + c43 = 0 (1.22a)

c44 + c55 = 0 (1.22b)

c45(c51 + c53) = 0 (1.22c)

c44c55 − c45c54 = 1 (1.22d)

These equations hold if, for instance,[c41 c43 c44 c45c51 c53 c54 c55

]=

[0 0 0 11 −1 −1 0

]Note that (1.22a) is just the error feedback condition that input to the con-troller x4-component vanishes so long as the tracking error x1 − x3 remainszero. If in (1.22c) c45 = 0 then by (1.22d) c44c55 = 1, which is impossibleby (1.22b), and therefore c51 + c53 = 0, the error feedback condition for thecontroller component x5.

To interpret (1.22b,d) note from (1.20) that

CJ = JE

46 CHAPTER 1

where

C :=

[c44 c45c54 c55

], J :=

[i11 i12i21 i22

], E :=

[0 1

−1 0

]Formally

det(J) = i11i22 − i12i21 =1 + (µ1 + µ3)

2

µ24c45

We assume µ4 = 0, as otherwise P is decoupled from C; and necessarilyc45 = 0 as noted above. Then

C = JEJ−1

which states that the dynamics of controller and exosystem are isomorphic,exactly the Internal Model Principle. Equating the characteristic polynomi-als of C and E yields (1.22b,d).

Consistency of our results with the general case is easily verified, on noting

γ = [02×3 I2×2], αC = C

αC γ|K = αC γ κ = [02×2 C]

γ α|K = γ α κ = [02×2 C]

γE = γ|XE = γ iE = J

We return to the general discussion and introduce a parametrization forwhich (1.15)-(1.18) can be analyzed further. Specifically we assume that thestructural form of the system transition function α remains invariant underparameter variations, the latter inducing only changes in coordinatizationof the state sets XE, XP, XC in accordance with the diagrams below. HereR(µ), S(µ), T (µ) are bijections for each µ ∈ M . We assume that αE ×αP × αC undergoes perturbation only in the αP-component, and for some‘nominal’ value µ = µ0 simply write αP := αP(µ0). On the other hand, forall µ, αE(µ) = αE and (as assumed before) αC(µ) = αC remain fixed, withR(µ) and T (µ) restricted accordingly.

1.5 47

XE XE

XE

R(µ)

αE

XE

R(µ)

αE(µ)

(R× S × T )(µ)

αP

S(µ)

αP(µ)

X XP

XPX

(R× S × T )(µ)

αC

T (µ)

αC(µ)

X XC

XCX

Incorporating these transformations into the system dynamics we obtainthe commutative diagram below.

XE XE

XE

R(µ)−1

αE

XE

αE

idE × iP × iC

XE ×XP ×XC

R(µ)× S(µ)× T (µ)

αE × αP(µ)× αC

XE ×XP ×XC

XE ×XP ×XC XE ×XP ×XC

αE × αP × αC

R(µ)× S(µ)× T (µ)

idE × iP × iC

R(µ)−1

From the bottom square,

αP(µ) (R(µ)(xE), S(µ)(xP), T (µ)(xC)) = S(µ) αP(xE, xP, xC)

giving the plant perturbation model

αP(µ)(xE, xP, xC) = S(µ) αP

(R(µ)−1(xE), S(µ)

−1(xP), T (µ)−1(xC)

)Also, from the bottom and middle squares,

αC (R(µ)(xE), S(µ) iP(xE), T (µ) iC(xE)) = T (µ) iC αE(xE)

48 CHAPTER 1

Substitution of the regulation condition (1.17) for µ = µ0, namely

iP(xE) = PP κ jE(xE)

yields

αC (R(µ)(xE), S(µ) PP κ jE(xE), T (µ) iC(xE)) = T (µ) iC αE(xE)(1.23)

assumed to hold for all xE ∈ XE and µ ∈M .For simplicity we takeM =ME×MP×MC, where the component param-

eter sets are pairwise disjoint, and writeR(µ) = R(µE), S(µ) = S(µP), T (µ) =T (µC). In addition suppose that parametrization is ‘rich’ in the sense that

(∀xE ∈ XE)R(µE)(xE)|µE ∈ME = XE (1.24a)

(∀xE ∈ XE)S(µP) PP κ jE(xE)|µP ∈MP = XP (1.24b)

Under these conditions (1.23) implies that, as long as

x ∈ XE := (xE, iP(xE), iC(xE))|xE ∈ XE

and regulation holds as in (1.17), the function αC(xE, xP, xC) must be inde-pendent of its first two arguments xE, xP. But this amounts precisely to thestatement that the controller is then autonomous on XE, namely incorpo-rates ‘error feedback structure’. Finally, setting T (µ) iC = iC for brevity,and αC = αC|XE, we obtain

αC iC(xE) = iC αE(xE)

as displayed below.

XE

αE - XE

XC

iC

?

αC

- XC

iC

?

1.5 49

We conclude that both error feedback and an internal model are necessaryfor structurally stable regulation.

As an illustration consider again Example 12, with plant perturbationmodel

µ3x′3 = µ1x1 + µ2x2 + µ3x3 + µ4x4 + µ5x5

namely µ = [µ1 · · ·µ5] ∈ R5. This corresponds to xE = [x1 x2], xP = x3, xC =[x4 x5] and

R(µ) = R(µ1, µ2) =

[µ1 µ2

−µ2 µ1

]−1

, S(µ) = S(µ3) = µ−13 , T (µ) = T (µ4, µ5)

With K and therefore κ, jE as before, we obtain

PP κ jE(x1, x2) = x1

and then (1.23) becomes

αC

(R(µ1, µ2)xE, µ

−13 x1, T (µ4, µ5)iC(xE)

)= T (µ4, µ5)iC αE(xE)

to hold identically in µ, xE. Formally

R(µ1, µ2)xE =

[µ1 µ2

−µ2 µ1

]−1 [x1x2

]= (µ2

1 + µ22)

−1

[x1 −x2x2 x1

] [µ1

µ2

]=

[x′1x′2

]say, provided

(µ21 + µ2

2)−1

[µ1

µ2

]= (x21 + x22)

−1

[x1 x2

−x2 x1

] [x′1x′2

]=

[ξ1ξ2

]say, which holds if and only if[

µ1

µ2

]= (ξ21 + ξ22)

−1

[ξ1ξ2

]This verifies (1.24a), although with XE replaced by XE − 0. Similarly(1.24b) amounts to µ−1

3 x1 = x′3, say, or µ3 = x1/x′3, which verifies (1.24b)

for XP − 0 and x1 = 0. It follows that αC(·, ·, iC) is independent of itsfirst two arguments provided x1 = 0. By the assumed linearity (or even justcontinuity) of αC(·, ·, ·) in xE = [x1 x2] we conclude that αC(·, ·, iC) dependson its third argument iC alone. From this the results for error feedback andthe internal model follow as before.

50 CHAPTER 1

1.6 Notes and References

Much of the material in this chapter is standard. For Sections 1.1 - 1.4see especially Mac Lane & Birkhoff [1993], and Davey & Priestley [1990].Section 1.5 follows Wonham [1976], which may be consulted for more detailedbackground; see also Wonham [1985], Chapter 8. Since 1980 the literatureon the Internal Model Principle has grown considerably.

Chapter 2

Linguistic Preliminaries

In supervisory control, formal languages provide a level of abstraction atwhich control concepts can be formulated in a way that is independent ofany specific concrete implementation of the plant and controller. Some basicdefinitions are presented, leading to the Nerode equivalence relation as thebridge from a language to its dynamical state description. Emphasis is placedon regular (finite-state) languages as the class that is simplest and mostdirectly applicable in the control context.

2.1 Languages

Let Σ be a finite set of distinct symbols σ, τ , . . . . We refer to Σ as an alphabet.Let Σ+ denote the set of all finite symbol sequences, of the form σ1σ2 · · ·σkwhere k ≥ 1 is arbitrary and the σi ∈ Σ. It is convenient also to bring in theempty sequence (sequence with no symbols), denoted by the new symbol ϵ,where ϵ ∈ Σ. We then write

Σ∗ := ϵ ∪ Σ+

An element of Σ∗ is a word or string over the alphabet Σ; ϵ is the emptystring. If Σ = ∅ then Σ+ = ∅ and Σ∗ = ϵ.

51

52 CHAPTER 2

Next we define the operation of catenation of strings:

cat : Σ∗ × Σ∗ → Σ∗

according tocat(ϵ, s) = cat(s, ϵ) = s, s ∈ Σ∗

cat(s, t) = st, s, t ∈ Σ+

Thus ϵ is the unit element of catenation. Evidently cat(·, ·) is associative, forclearly

cat(cat(s, t), u) = cat(s, cat(t, u))

if s, t, u ∈ Σ+, and the other possibilities are easily checked.With catenation as the ‘product’ operation, the foregoing relationships

turn Σ∗ into a multiplicative monoid (or multiplicative semigroup with iden-tity).

Notice that a symbol sequence like

σ1σ2ϵσ3ϵϵσ4 (σi ∈ Σ)

is not (syntactically) an element of Σ∗. It will be taken as a convenientabbreviation for

cat(cat(cat(cat(cat(σ1σ2, ϵ), σ3), ϵ), ϵ), σ4)

As such it evaluates, of course, to the Σ∗-element σ1σ2σ3σ4. Also, bracketsmay sometimes be inserted in a string for clarity of exposition.

The length |s| of a string s ∈ Σ∗ is defined according to

|ϵ| = 0; |s| = k, if s = σ1 · · ·σk ∈ Σ+

Thus |cat(s, t)| = |s|+ |t|.A language over Σ is any subset of Σ∗, i.e. an element of the power set

Pwr(Σ∗); thus the definition includes both the empty language ∅, and Σ∗

itself. Note the distinction between ∅ (the language with no strings) and ϵ(the string with no symbols). For instance the language ϵ is nonempty,but contains only the empty string.

2.2 53

2.2 Nerode Equivalence and Right Congru-

ence

Let L ⊆ Σ∗ be an arbitrary language. We would like to construct, if possible,a decision procedure to test any given string s ∈ Σ∗ for membership in L.We might visualize a machine into which s is fed as input and which emits abeep just in case s ∈ L. To this end we first construct a partition of Σ∗ thatis finer than the partition L,Σ∗ − L and which has a certain invarianceproperty with respect to L.

The Nerode equivalence relation on Σ∗ with respect to L (or mod L) isdefined as follows. For s, t ∈ Σ∗,

s ≡L t or s ≡ t(mod L) or (s, t) ∈ Ner(L)

iff(∀u ∈ Σ∗)su ∈ L iff tu ∈ L

In other words s ≡L t iff s and t can be continued in exactly the same ways(if at all) to form a string of L.

We write ∥L∥ for the index (cardinality of the set of equivalence classes) ofthe Nerode equivalence relation ≡L, i.e. ∥L∥ := | ≡L |. Since Σ∗ is countable,∥L∥ is at most countable infinity (cardinality of the integers). If ∥L∥ < ∞,the language L is said to be regular.

Let R ∈ E(Σ∗) be an equivalence relation on Σ∗. R is a right congruenceon Σ∗ if

(∀s, t, u ∈ Σ∗)sRt ⇒ (su)R(tu)

In other words, R is a right congruence iff the cells of R are ‘respected’ by theoperation of right catenation. As elements of E(Σ∗) the right congruences onΣ∗ inherit the partial order ≤ on E(Σ∗).

Proposition 1Nerode equivalence is a right congruence.

ProofLet s ≡ t(mod L) and u ∈ Σ∗. It must be shown that su ≡ tu(mod L).

Let v ∈ Σ∗ and (su)v ∈ L. Then s(uv) ∈ L, so t(uv) ∈ L, i.e. (tu)v ∈ L.Similarly (tu)v ∈ L implies (su)v ∈ L, hence su ≡ tu(mod L) as claimed. 2

Proposition 2

54 CHAPTER 2

Nerode equivalence is finer than the partition L,Σ∗ − L.

ProofLet s ≡ t(mod L). Then s ∈ L iff sϵ ∈ L, iff tϵ ∈ L, iff t ∈ L. 2

Proposition 3Let R be a right congruence on Σ∗ such that R ≤ L,Σ∗ − L. Then

R ≤ ≡L

ProofLet sRt. We show that s ≡ t(mod L). Let su ∈ L. Now sRt implies

(su)R(tu). Since R ≤ L,Σ∗ − L and su ∈ L, it follows that tu ∈ L.Similarly if tu ∈ L then su ∈ L. 2

We summarize Propositions 1 - 3 as

Theorem 4Let L ⊆ Σ∗. The Nerode equivalence (mod L) is the coarsest right con-

gruence on Σ∗ that is finer than L,Σ∗ − L. 2

Exercise 5: Let E,F ∈ E(Σ∗) with E ≤ F . Let

R = R|R is a right congruence on Σ∗, with E ≤ R ≤ F

Assuming that R = ∅, show that R is a complete sublattice of E(Σ∗). (Recallfrom Section 1.2 that a sublattice L of a lattice M is a subset of M that is alattice under the operations of meet and join inherited from M .)

Exercise 6: In the notation of Exercise 5, assume that E,F ∈ R. Considerthe statement

(∀G)G ∈ R ⇒ (∃H)H ∈ R & G ∧H = E & G ∨H = F

Either prove it’s always true or show by counterexample that it can be false.For s ∈ Σ∗ we say t ∈ Σ∗ is a prefix of s, and write t ≤ s, if s = tu for

some u ∈ Σ∗. Thus ϵ ≤ s and s ≤ s for all s ∈ Σ∗. If L ⊆ Σ∗ the (prefix)closure of L is the language L consisting of all prefixes of strings of L:

L = t ∈ Σ∗|t ≤ s for some s ∈ L

2.3 55

Clearly L ⊆ L. If L = ∅ then L = ∅; if L = ∅ then ϵ ∈ L. For a string s weusually write s instead of s for its set of prefixes. A language L is closed ifL = L.

Exercise 7: If A ⊆ Σ∗ is closed and B ⊆ Σ∗ is arbitrary, show that A−BΣ∗

is closed.

Exercise 8: Let L ⊆ Σ∗, Lco := Σ∗ − L. Show that Ner(Lco) = Ner(L). Ifalso M ⊆ Σ∗ then Ner(L∩M) ≥ Ner(L)∧Ner(M). What can be said aboutNer(L ∪M)?

The closure of a language L is often relevant to control problems because itembodies the ‘evolutionary history’ of words in L. Notice that if s, t ∈ Σ∗−Lthen

(∀w ∈ Σ∗)sw ∈ L & tw ∈ L

so that s ≡ t(mod L). In other words the subset Σ∗−L of Σ∗ is, if nonempty, asingle Nerode cell, which we call the dump cell; a string that enters the dumpcell can never exit from it. On the other hand if s ∈ L and s ≡ t(mod L)then sw ∈ L for some w ∈ Σ∗ and so tw ∈ L, i.e. t ∈ L. If s ∈ L − L ands ≡ t(mod L) then s = sϵ ∈ L, so t = tϵ ∈ L but (as just proved) t ∈ L.These remarks are summarized in

Proposition 9Nerode equivalence ≡L refines the partition

L, L− L,Σ∗ − L

of Σ∗. 2

2.3 Canonical Recognizers

The fact that Nerode equivalence is invariant under right catenation allowsus to construct abstractly an automaton that tracks the Nerode cells whicha string in Σ∗ visits as it evolves symbol-by-symbol. Because Nerode equiv-alence is as coarse as can be for this purpose, the corresponding automatonis said to be canonical.

56 CHAPTER 2

Thus let L ⊆ Σ∗ and write

X := Σ∗/ ≡L

withPL : Σ∗ → X : s 7→ [s]

the canonical projection. Write

cat : Σ∗ × Σ → Σ∗ : (s, σ) 7→ sσ

for catenation,idΣ : Σ → Σ : σ 7→ σ

for the identity on Σ, and

PL × idΣ : Σ∗ × Σ → X × Σ : (s, σ) 7→ ([s], σ)

Proposition 1There exists a unique map

ξ : X × Σ → X

such thatξ (PL × idΣ) = PL cat

namely the following diagram commutes:

Σ∗× Σ Σ

∗

X

PL × idΣ

cat

X × Σ

PL

ξ

ProofBy Proposition 1.4.3, for the existence of ξ it is enough to check that

ker(PL × idΣ) ≤ ker(PL cat)

2.3 57

Uniqueness will follow by the fact that PL × idΣ is surjective. Let

((s, σ), (s′, σ′)) ∈ ker(PL × idΣ)

namely(PL × idΣ)(s, σ) = (PL × idΣ)(s

′, σ′)

or([s], σ) = ([s′], σ′),

that is,s ≡L s

′, σ = σ′

Since ≡L is a right congruence,

sσ ≡L s′σ′

namely[sσ] = [s′σ′]

orPL(cat(s, σ)) = PL(cat(s

′, σ′))

so(PL cat)(s, σ) = (PL cat)(s′, σ′)

or finally((s, σ), (s′, σ′)) ∈ ker(PL cat)

as required. 2

The elements x ∈ X are the states of L; X is the state set of L; ξ is thetransition function of L; and the triple (X,Σ, ξ) is the transition structure ofL. It is convenient to extend ξ to a map

ξ : X × Σ∗ → X

as follows. Define

ξ(x, ϵ) = x, x ∈ X

ξ(x, σ) = ξ(x, σ) x ∈ X, σ ∈ Σ

ξ(x, sσ) = ξ(ξ(x, s), σ) x ∈ X, s ∈ Σ∗, σ ∈ Σ

58 CHAPTER 2

It is easily checked (say, by induction on length of strings) that ξ is welldefined. From now on we omit the ˆ and write ξ in place of ξ.

If x = [t] then by definition of ξ, ξ(x, σ) = [tσ]. Assuming inductivelythat ξ(x, s) = [ts] we have

ξ(x, sσ) = ξ(ξ(x, s), σ) by definition of ξ (i.e. ξ)= ξ([ts], σ) by the inductive assumption= [tsσ] by definition of ξ

so that ξ(x, u) = [tu] for all u ∈ Σ∗. From this we get the compositionproperty: for all x ∈ X and s, u ∈ Σ∗,

ξ(x, su) = [tsu]

= ξ(x′, u), x′ = [ts]

= ξ(ξ(x, s), u)

We distinguish an element x0 and a subset Xm of X as follows. Let

x0 = [ϵ], Xm = [s]|s ∈ L

The state x0 is the initial state of L, and if x ∈ Xm, x is a marker state ofL. We have by definition

ξ(x0, s) = [ϵs] = [s], s ∈ Σ∗

In particular, if s ∈ L then

ξ(x0, s) = [s] ∈ Xm

Thus one can think of Xm as the subset of states of L that ‘mark’ preciselythe strings of L: imagine that a beep sounds just when such a state is reached.These definitions are displayed in the diagram below.

ǫ 2 Σ∗

L

Xm

PL

x0 2 X

PL

2.3 59

Here the horizontal arrows are the natural subset injections.

Finally the dump state of L is the (single) state corresponding to thedump cell Σ∗ − L, when the latter is nonempty.

In general, then, a language L can be visualized as shown in Fig. 2.1.The shaded divisions demarcate cells of ≡L. The marker states are the cellscontained in L. The initial state (cell) x0 belongs to L if the empty stringϵ ∈ L; otherwise (provided L = ∅) x0 belongs to L. In case L = ∅ thenL = ∅, so

X = Σ∗, x0 = Σ∗, Xm = ∅

On the other hand if L = Σ∗ then L = Σ∗ and

X = Σ∗, x0 = Σ∗, Xm = Σ∗

In general if L is closed then

Xm = X − Σ∗ − L

namely all states except the dump state are marked.

L L− L Σ∗ − L Σ∗

Fig. 2.1. Subset diagram for a typical language L ⊆ Σ∗

Σ∗ = L ∪ (L− L) ∪ (Σ∗ − L)

60 CHAPTER 2

Fig. 2.2 displays alternative ‘high-level’ transition graphs for L, showingin a general way how transitions may occur in the two cases where (a) theinitial state is not a marker state (namely the empty string ϵ does not belongto L), and (b) the initial state is a marker state. If L were nonempty andclosed then in the corresponding graph (b) the right-hand state (identifiedwith L− L) and its associated transitions would be deleted.

The 5-tuple

R = (X,Σ, ξ, x0, Xm)

will be called a canonical recognizer for L. While its existence has now beenestablished abstractly there is, of course, no implication in general that Rcan actually be implemented by some constructive procedure. Naturally thisissue is fundamental in the applications.

(a) ϵ ∈ L

+

(b) ϵ ∈ L

+

Fig. 2.2. ‘High-level’ state transition graphs for a language LCase (a): ϵ ∈ L− L; x0 ∈ Xm

Case (b): ϵ ∈ L; x0 ∈ Xm

2.3 61

In general, a recognizer for L (see below, Section 2.4) will be called canon-ical if its state set X is in bijective correspondence with the cells of ≡L; thus|X| = | ≡L | = ∥L∥. Subject to this requirement, X may be chosen accordingto convenience, for example as a subset of the integers. In another commonrepresentation, X is identified with the nodes of a directed graph G whoseedges are labeled with symbols σ ∈ Σ; namely [x, σ, x′] is a labeled edge

x

σ

x0

of G, if and only if ξ(x, σ) = x′. Such a graph G is a state transition graphfor R (or L). In G we attach to x0 an entering arrow, as in

x0

and to state x ∈ Xm an exiting arrow, as in

x

If x0 happens also to be a marker state we may attach a double arrow, as in

x0

The dump state will be labeled +.

Example 2: Canonical recognizers

Let Σ = α, β.

(i) L = ∅

α, β+

(ii) L = ϵ α, β

α, β +

62 CHAPTER 2

(iii) L = Σ∗

α, β

(iv) L = αn|n = 0, 1, 2, ...

α, βα

β +

(v) L = αnβn|n = 0, 1, 2, ....

+

+

+

α α α

α;βα

β β

β β

β

+

α α

α

β

β β

β

α

β

+

α

· · ·

· · ·

· · ·

· · ·

In the above transition graph, the nodes labeled + should be mergedto a single ‘dump’ node self-looped with α, β.

(vi) L = s|#α(s) = #β(s), where 0 ≤ #σ(s) = number of σ’s in thestring s.

β

α

β

α

β

α

β

α

β

α

β

α

· · ·· · ·

2.3 63

We conclude this section with a useful extension of the concept of canon-ical recognizer, obtained by starting with an arbitrary partition θ of Σ∗ inplace of the binary partition L,Σ∗−L. Let T be a new alphabet, not nec-essarily disjoint from Σ, with |T | = |θ| (here we allow the possibility that Tis countably infinite); and label the cells of θ in bijective correspondence withT . Thus T ≃ Σ∗/θ. There is then a well-defined projection, say Pθ : Σ

∗ → T ,taking strings s ∈ Σ∗ to their labels in T , as shown below. An element τ ∈ Tcan be thought of as signalling the presence of a string s ∈ Σ∗ in the cor-responding cell of θ (or kerPθ); for this reason T will be called the outputalphabet.

Σ∗ Σ

∗=θ ' T

Pθ

It is straightforward to construct (abstractly) an automaton A that mapsany string

s = σ1σ2 · · ·σk ∈ Σ∗

into the corresponding sequence of output elements

t = Pθ(ϵ)Pθ(σ1)Pθ(σ1σ2) · · ·Pθ(σ1σ2 · · ·σk) ∈ T ∗

For the state space X it suffices to take the set of cells of the coarsest rightcongruence ω on Σ∗ that is finer than θ. There is then a unique output mapλ : X → T such that λ(x[s]) = Pθ(s), where x[s] is the cell of s(mod ω). Thetransition function ξ : X × Σ → X is defined as before, together with theinitial state x0 = x[ϵ]. The 6-tuple

A = (X,Σ, ξ, x0, T, λ)

is sometimes called a Moore automaton. Evidently the previous constructionof a canonical recognizer for L is recovered on taking θ = L,Σ∗ − L,T = 0, 1, Pθ(s) = 1 iff s ∈ L, and Xm = x|λ(x) = 1.

Exercise 3: Let K = L and let κ, λ be the Nerode right congruences for K,L respectively. Show that κ ≤ λ. In other words, closing a language coarsensits right congruence.

64 CHAPTER 2

Exercise 4: Verify in detail that transition graphs 1 - 5 in Example 2 aboveindeed display the canonical recognizers for the indicated languages. Hint:For each node n of the given transition graph, let Σ∗(n) ⊆ Σ∗ be the subsetof strings that correspond to paths through the graph from the initial noden0 to n. Show that the Σ∗(n) are precisely the Nerode cells for the givenlanguage L: namely every string in Σ∗ belongs to Σ∗(n) for some n, for everyn any pair of strings in Σ∗(n) are Nerode equivalent, and no two strings indistinct subsets Σ∗(n), Σ∗(n′) are equivalent.

Exercise 5: As in the construction of a Moore automaton, let θ be a givenpartition of Σ∗ and let T label the cells of θ. Construct a recognizer thatgenerates a new output symbol from T only when the θ-cell membershipof the input string in Σ∗ actually changes, as the string evolves symbol-by-symbol. Show that the number of states of this recognizer need be nomore than twice that of the original Moore automaton. Hint: Start byaugmenting T with a ‘silent symbol’ τo ∈ T , corresponding to ‘no change inθ-cell membership’. Let To = T ∪ τo. Examine the relationship betweenNerode cells when the output alphabet is T and when it is To. Provide aconcrete example displaying both the original and the new Moore automata.

Exercise 6: Let Σ, T be alphabets, let L ⊆ Σ∗, and let P : Σ∗ → T ∗ be amap with the properties

P (ϵ) = ϵ

P (sσ) = either P (s) or P (s)τ , some τ ∈ T

Notice that P is prefix-preserving in the sense that

(∀s, s′ ∈ Σ∗)s ≤ s′ ⇒ P (s) ≤ P (s′)

With τo a ‘silent symbol’ as in Exercise 5, define To = T ∪ τo, and thenQ : Σ∗ → To according to

Q(ϵ) = τo,

Q(sσ) =

τo if P (sσ) = P (s)τ if P (sσ) = P (s)τ

Evidently Q maps a string s ∈ Σ∗ either into τo, or into the last symbolof P (s) in T upon its fresh occurrence. Let ν ∈ E(Σ∗) be the equivalencerelation defined by s ≡ s′(mod ν) if and only if Q(s) = Q(s′) and

(∀u ∈ Σ∗)(∀t ∈ T ∗)P (su) = P (s)t ⇔ P (s′u) = P (s′)t

2.4 65

Show that ν is the coarsest right congruence that is finer than kerQ. Thenshow how to construct (abstractly) a Moore automaton A that recognizesthe language L and, for each string s ∈ L, produces the output Q(s) in To.A is both a recognizer for L and a realization of the restriction of P to L.Create a simple but nontrivial example for which your construction can becarried out explicitly.

Exercise 7: Let K ⊆ L ⊆ Σ∗ and suppose the canonical recognizers forK,L have the same numbers (assumed finite) of states, marker states, andtransitions. Investigate whether or not K = L, i.e. either prove equality orfind an example with K ⫋ L.

Exercise 8: Let Σ = 0. Construct L ⊆ Σ∗ such that Ner(L) =⊥.

2.4 Automata

LetA = (Y,Σ, η, y0, Ym)

be a 5-tuple with Σ as before, Y a nonempty set, y0 ∈ Y , Ym ⊆ Y , and

η : Y × Σ → Y

a function. A is an automaton over the alphabet Σ. As before, η is the statetransition function, y0 is the initial state and Ym is the subset of markerstates; again we extend η to a function

η : Y × Σ∗ → Y

by induction on length of strings.The language L ⊆ Σ∗ recognized by A is

L := s ∈ Σ∗|η(y0, s) ∈ Ym

A is said to be a recognizer for L.A state y ∈ Y is reachable if y = η(y0, s) for some s ∈ Σ∗; and A

is reachable if y is reachable for all y ∈ Y . Evidently a state that is notreachable can play no role in the recognition process. If Yrch ⊆ Y is the

66 CHAPTER 2

subset of reachable states then the reachable subautomaton Arch of A isdefined as

Arch = (Yrch,Σ, ηrch, y0, Ym,rch)

whereηrch = η|Yrch × Σ, Ym,rch = Ym ∩ Yrch

Clearly Arch recognizes L ⊆ Σ∗ iff A does.Define an equivalence relation λ on Y according to

y1 ≡ y2(mod λ)

iff(∀s ∈ Σ∗)η(y1, s) ∈ Ym ⇔ η(y2, s) ∈ Ym

That is, two states ofA are λ-equivalent if the same input strings map each ofthem into the subset of marker states of A. As usual we write s ≡ s′(mod L)for Nerode equivalence of strings with respect to L. Now we can state

Proposition 1

(i) (∀t, t′ ∈ Σ∗)η(y0, t) ≡ η(y0, t′)(mod λ) ⇔ t ≡ t′(mod L)

(ii) (∀y, y′ ∈ Y )y ≡ y′(mod λ) ⇔ (∀s ∈ Σ∗)η(y, s) ≡ η(y′, s)(mod λ)

(iii) (∀y, y′ ∈ Y )y ∈ Ym & y′ ≡ y(mod λ) ⇒ y′ ∈ Ym 2

Here (iii) states that λ refines the partition Ym, Y − Ym.Define X := Y/λ and let P : Y → X be the canonical projection. Let

Xm := PYm and x0 := Py0. For x = Py define

ξ(x, σ) = Pη(y, σ)

Then ξ is well defined (Exercise 5) and extends inductively to X×Σ∗. Prop-erties of the extended map are summarized in

Proposition 2

(i) (∀s ∈ Σ∗)ξ(x, s) = Pη(y, s) for x = Py

(ii) (∀s ∈ Σ∗)s ∈ L⇔ ξ(x0, s) ∈ Xm

2.4 67

(iii) (∀s, s′ ∈ Σ∗)ξ(x0, s) = ξ(x0, s′) ⇔ s ≡ s′(mod L) 2

Thus the 5-tupleB = (X,Σ, ξ, x0, Xm)

is an automaton over Σ. The foregoing definitions and relationships aredisplayed in the commutative diagrams below.

x0 ∈ X

PP

ξX × Σ∗

P × id

η y0 ∈ Y Ym

P

Xm

YY × Σ∗

X

Informally, ‘P projects A onto B.’ The automaton B is reachable if A isreachable. By Proposition 2(iii) the reachable states of B can be identifiedwith the cells of the Nerode equivalence relation on Σ∗ with respect to L.We therefore have the following.

Theorem 3If B = (X,Σ, ξ, x0, Xm) is reachable then B is a canonical recognizer for

L. 2

Let A = (Y,Σ, η, y0, Ym) as before. Define the complementary automaton

Aco = (Y,Σ, η, y0, Y − Ym)

Clearly A recognizes L ⊆ Σ∗ iff Aco recognizes the complementary languageLco := Σ∗ − L. It is easy to see that s ≡ s′(mod L) iff s ≡ s′(mod Lco), andthus ∥Lco∥ = ∥L∥.

Similarly if A1, A2 are automata over Σ then in obvious notation theproduct automaton A1 ×A2 is defined to be

A1 ×A2 = (Y1 × Y2,Σ, η1 × η2, (y10, y20), Y1m × Y2m)

where η1 × η2 : Y1 × Y2 × Σ → Y1 × Y2 is given by

(η1 × η2)((y1, y2), σ) = (η1(y1, σ), η2(y2, σ))

IfAi recognizes Li ⊆ Σ∗ then it is easily seen thatA1×A2 recognizes L1∩L2.

68 CHAPTER 2

Exercise 4: Prove Proposition 1.

Exercise 5: Show that ξ as described above exists and is unique by firstverifying ker(P × id) ≤ ker(P η) on Y × Σ. Then extend ξ to X × Σ∗ andprove Proposition 2.

Exercise 6: Consider the automaton

A = (Y,Σ, η, y0, Ym)

with

Y = 0, 1, 2, 3, 4Σ = α, βy0 = 0

Ym = 0, 1, 2

and transitions

[0, α, 1] [2, β, 3][0, β, 4] [3, α, 3][1, α, 2] [3, β, 3][1, β, 4] [4, α, 4][2, α, 2] [4, β, 4]

Construct the automaton B as above, and tabulate P . Use TCT minstateto check your result.1

Exercise 7: Given recognizers for L1 and L2 ⊆ Σ∗, construct a recognizerfor L1 ∪ L2. Hint: use

L1 ∪ L2 = [ (L1)co ∩ (L2)co ]co

Exercise 8: Let L1, L2 ⊆ Σ∗ and let $ be a symbol not in Σ. Let L ⊆(Σ ∪ $)∗ be the language L1$L2, consisting of strings s1$s2 with s1 ∈ L1

and s2 ∈ L2. Given recognizers for L1 and L2, construct a recognizer for L.

1The software package TCT will be introduced in Example 3.2.1.

2.5 69

Exercise 9: In the regular case where ∥L1∥ = n1 and ∥L2∥ = n2 are bothfinite, derive tight upper bounds on ∥L1 ∩L2∥, ∥L1 ∪L2∥ and ∥L1$L2∥: thatis, show by examples that your bounds cannot be improved for any (n1, n2).

Exercise 10: Let Σ = 0. Construct a language L with Ner(L) equal tothe bottom element ⊥ ∈ EΣ∗, and specify the canonical recognizer.

2.5 Generators

In Section 2.4 we saw that a language can be represented concretely byspecifying a corresponding recognizer. For many purposes, a similar but moreflexible and economical representation is provided by a generator, namely atransition structure in which, in general, only a proper subset of the totalityof events can occur at each state. For example, a generator might simply bea recognizer from which the dump state (if any) and all transitions to it havebeen dropped. Let

G = (Y,Σ, η, y0, Ym)

In the present case the transition function η : Y × Σ → Y is defined at eachy ∈ Y only for a subset of the elements σ ∈ Σ, namely η is a partial function(pfn) and we write

η : Y × Σ → Y (pfn)

The notation η(y, σ)! will mean that η(y, σ) is defined.2

Much as before, η is extended to a partial function η : Y × Σ∗ → Y bythe rules

η(y, ϵ) = y

η(y, sσ) = η(η(y, s), σ)

provided y′ := η(y, s)! and η(y′, σ)!.

Example 1: Generator for a ‘machine’The state transition graph of a simple generator is displayed below. The

generator represents a ‘machine’ with possible states (I)dle, (W )orking, (D)ownand (S)crapped. Starting in I, the machine may take a workpiece (event α),

2If η(y, σ)! for all (y, σ) ∈ Y ×Σ, η may be called a total function (η is then an ‘ordinary’function, as in Section 2.4).

70 CHAPTER 2

thereby moving to W . From W the machine may either complete its workcycle, returning to I (event β), or else break down (event λ), moving to D.It remains at D until it is either repaired (events µ, ν) or scrapped (event κ).Repair event µ corresponds to loss of workpiece and return to I, completinga cycle of working, breakdown and repair, while ν corresponds to saving theworkpiece to continue work atW . The initial state is I and the marker statesboth I and S. This process may be thought of as repeating an arbitrary finitenumber of times.

β

α

I

W D

λ

ν

µ

κ

S

Exercise 2: Let Σ = α, β, L = Σ∗αβαΣ∗. Thus L consists of all finitestrings of the form s1αβαs2, where s1 and s2 are arbitrary strings over Σ.

(i) Give an alternative verbal description of L, regarding the occurrenceof αβα as the signal of an ‘emergency’.

(ii) Design a (deterministic) finite-state recognizer for L. Hint: This canbe done using just 4 states.

Exercise 3: Develop a finite-state operational (not electrical) model of anordinary household telephone, as seen by a single subscriber able to place orreceive a call. Note: this can become surprisingly complicated, so start withsomething simple and then refine it in stages, up to a model on the order of10 to 20 states.

In general one may think of G as a device that ‘generates’ strings bystarting at the initial state y0 and executing only transitions for which itstransition function η is defined; if more than one transition is defined toexit from a given state y, the device may be supposed to choose just one ofthese possibilities, on any particular occasion, by some quasi-random inter-nal mechanism that is unmodeled by the system analyst. In this sense the

2.5 71

generating action is ‘possibilistic’. It may be thought of as carried out inrepeated ‘trials’, each trial generating just one of the possible strings s forwhich η(y0, s) is defined. In this account, ‘choose’ needn’t always be inter-preted literally: most machines do not choose to start work autonomously,but are forced by some external agent. The generation model is indepen-dent of (but consistent with) causative factors, which should be examined incontext.

The set of strings s ∈ Σ∗ such that η(y0, s)! is the closed behavior of G,denoted by L(G), while the subset of strings s ∈ L(G) such that η(y0, s) ∈ Ymis the marked behavior of G, denoted by Lm(G). Clearly L(G) is closed andcontains Lm(G). A generator G is to be thought of as representing bothits closed and marked behaviors. As in the case of an automaton, a statey ∈ Y is reachable if there is a string s ∈ Σ∗ with η(y0, s)! and η(y0, s) = y;G itself is reachable if y is reachable for all y ∈ Y . A state y ∈ Y iscoreachable if there is s ∈ Σ∗ such that η(y, s) ∈ Ym; and G is coreachable ify is coreachable for every y ∈ Y . G is nonblocking if every reachable state iscoreachable, or equivalently L(G) = Lm(G); the latter condition says thatany string that can be generated by G is a prefix of (i.e. can always becompleted to) a marked string of G. Finally G is trim if it is both reachableand coreachable. Of course G trim implies G nonblocking, but the converseis false: a nonblocking generator might have nonreachable states (that mightor might not be coreachable). The ‘machine’ of Example 1 is trim; if thestate S were not marked, the resulting generator would still be reachable,but not coreachable. In practice one usually models a generator G to bereachable; however, it may be quite realistic for G not to be coreachable, forinstance to have a ‘dump’ or ‘dead-end’ state from which no marker state isaccessible. As a rule it is therefore advisable not to overlook non-coreachablestates, or inadvertently remove them from the model.

As an aid to intuition the following interpretation of the behavior ofG as a stochastic system may be helpful. Assume that the state set Yand the alphabet Σ are both finite, the usual case in applications. At eachstate y ∈ Y assign a discrete probability distribution p(y, σ) over the eventsσ ∈ Σ for which η(y, σ)!; here the p(y, σ) > 0 and at each state y, sumto 1. If there is no such σ, i.e. the system halts at y, attach an artificialselfloop (labeled τ , say) with p(y, τ) = 1. Imagine thatG moves by randomlyselecting σ at y according to p(y, σ), with successive choices statisticallyindependent. This rule assigns to G the structure of a discrete Markov chain;if preferred, a stationary continuous-time Poisson-Markov structure could be

72 CHAPTER 2

assigned in similar fashion. Probability theory now provides an appealingsemantics for the behavior of G ‘in the long run’. For instance, at anystate y which G visits ‘infinitely often’, every defined event σ will be choseninfinitely often. And if G is nonblocking, i.e. some definite marker statealways remains reachable, then with probability 1 it will indeed eventuallybe reached. Standard calculations can confirm intuition. For instance in theDES G shown below, suppose event α is chosen at y = 0 with probability p(0 < p < 1), event β with probability q = 1− p. Then

Lm(G) = αnβ|n ≥ 0

the nth string having probability of execution pnq; while the mean numberof transitions to reach the marker state 1 will be

∞∑n=0

(n+ 1)pnq = 1/q

0

β

1

α

G

While often plausible, this Markov chain picture of G should neverthelessbe invoked with caution: it might not be appropriate in situations involvingseveral ‘agents’ in a competitive or antagonistic relationship, where a strongernotion of nonblocking (or liveness), perhaps requiring use of a queue, shouldbe enforced (cf. Exercises 4.3.3, 4.9.6).

Example 4: GeneratorsThe following trim generators correspond to the languages of Exam-

ple 2.3.2, over Σ = α, β. Here Lm denotes the language represented, whilethe closed behavior L = Lm.

(i) Lm = ∅ EMPTY (having empty state set)

(ii) Lm = ϵ

2.5 73

(iii) Lm = Σ∗

α, β

(iv) Lm = αn|n = 0, 1, 2, ...

α

(v) Lm = αnβn|n = 0, 1, 2, ...

ααα

β β

βββ

(vi) Lm = s|#α(s) = #β(s)

α α α α αα

β ββ β β β

The following counterpart of Proposition 2.4.1 can be used to reduce a(reachable) generator G to a minimal-state version having the same closedand marked behaviors. This time we need Nerode equivalence relations onΣ∗ for both L(G) (≡c, say) and Lm(G) (≡m). Define λ ∈ E(Y ) according toy ≡ y′(mod λ) provided

(i) (∀s ∈ Σ∗)η(y, s)! ⇔ η(y′, s)!

(ii) (∀s ∈ Σ∗)η(y, s)! & η(y, s) ∈ Ym ⇔ η(y′, s)! & η(y′, s) ∈ Ym

Proposition 5

(i) (∀s, s′ ∈ Σ∗)η(y0, s) ≡ η(y0, s′)(mod λ) ⇔ s ≡c s

′ & s ≡m s′

(ii) (∀y, y′ ∈ Y )y ≡ y′(mod λ) ⇔ (∀s ∈ Σ∗)η(y, s) ≡ η(y′, s)(mod λ)

(iii) (∀y, y′ ∈ Y )y ∈ Ym & y′ ≡ y(mod λ) ⇒ y′ ∈ Ym.

74 CHAPTER 2

Exercise 6: Prove Proposition 5 and provide a nontrivial application.

Reduction of a generatorG to a minimal (reachable) version by projection(mod λ) is implemented in TCT as the procedure minstate.1

Exercise 7: Let L ⊆ Σ∗ andG be its minimal-state recognizer. Show how toconstruct a recognizer H whose current state encodes both the current stateof G and the last previous state of G. Generalize your result to encode thelist of n most recent states of G (in temporal order). Alternatively, constructa recognizer K whose current state encodes the list of n most recent eventsof G, in order of occurrence. Illustrate your results using G as shown below.

α;β

µ

G λ

Exercise 8: Let Σ = 0, 1 and let L ⊆ Σ∗ be those strings in which a 1occurs in the third-to-last place. Design a recognizer for L.

Occasionally it will be useful to bring in a nondeterministic generator,namely one in which more than one transition defined at a given exit statemay carry the same label σ ∈ Σ. Formally a nondeterministic generator is a5-tuple

T = (Y,Σ, τ, y0, Ym)

as before, but with the difference that the transition function τ now mapspairs (y, σ) into subsets of Y :

τ : Y × Σ → Pwr(Y )

Notice that τ may be considered a total function because of the possibleevaluation τ(y, σ) = ∅. We extend τ to a function on strings by the rules

τ(y, ϵ) = y

τ(y, sσ) =∪

τ(y′, σ)|y′ ∈ τ(y, s)

We define the closed behavior L(T) of the nondeterministic generator T tobe the set of all strings s ∈ Σ∗ for which τ(y0, s) = ∅. The marked behavior

2.5 75

Lm(T) of T is the set of all strings in L(T) for which at least one particularrealization (path through the transition graph) corresponds to a sequence ofstates starting at y0 and ending in Ym:

Lm(T) = s ∈ Σ∗|τ(y0, s) ∩ Ym = ∅

If the nondeterministic generator T is given, then a deterministic gen-erator Tdet that generates the same languages L(T) and Lm(T) can beconstructed by taking as the states of Tdet the nonempty subsets of Y ,i.e. Ydet = Pwr(Y ) − ∅; usually only a small fraction of the new statesturn out to be reachable and therefore worthy of retention. This process ofconverting a nondeterministic to a deterministic generator is known as thesubset construction. While a nondeterministic generator can always be con-verted in this way to a deterministic one, in some applications the use of anondeterministic generator may result in greater convenience or economy ofdescription.

A word of warning. Conversion by the subset construction may obliterateblocking situations in the nondeterministic model. For instance

0 1

2 3

α

β

αT converts to Tdet

α β

obscuring the fact that T can block at state 1. A solution is first to enhanceT by selflooping all non-coreachable states with a new event label κ ∈ Σ.Thus

3

α

β

αT′

κ

converts to T′det

α κ

β

κ0 1

2

76 CHAPTER 2

Exercise 9: Subset constructionSupply the details of the subset construction. Namely let

H = (Y,Σ, τ, y0, Ym)

be a nondeterministic generator, and let

G = (X,Σ, ξ, x0, Xm)

be the deterministic generator defined by

X = Pwr(Y )− ∅, ξ(x, σ) =∪τ(y, σ)|y ∈ x

x0 = y0, Xm = x|x ∩ Ym = ∅

Here ξ is a partial function on X ×Σ with ξ(x, σ)! iff the defining evaluationis nonempty. Show that L(G) = L(H) and Lm(G) = Lm(H). Check the twoexamples above in detail.

Exercise 10: Implementation of the subset construction is unattractive inthat it may require exponential computational effort in the state size of T.Why? Can you exhibit a ‘worst case’?

2.6 Regular Expressions

In discussing small examples we may use, in addition to state transitiongraphs, a representation for regular languages known as regular expressions.These may be combined by regular algebra to represent complex languagesin terms of simpler ones.

If s ∈ Σ∗ we may write s for the language s ⊆ Σ∗. Let L,M ⊆ Σ∗.New languages L+M , LM and L∗ are defined as follows.

L+M := s|s ∈ L or s ∈MLM := st|s ∈ L and t ∈M

L∗ := ϵ+∞∪k=1

s1 · · · sk|s1, ..., sk ∈ L

Thus

L∗ = ϵ+ L+ L2 + · · · =∞∪k=0

Lk, L0 := ϵ

2.6 77

If Σ = α, β we may sometimes write Σ = α + β. In accordance with thedefinition of catenation and the properties of ϵ we have

ϵs = sϵ = s, ϵϵ = ϵ, ϵ∗ = ϵ

and for the empty language ∅,

∅+ L = L, ∅L = L∅ = ∅, ∅∗ = ϵ

A regular expression over Σ is a formal expression obtained by a finitenumber of applications of the operations listed above, to elements in thelist: elements of Σ, ϵ,∅, and all expressions so obtained. Since Σ, ϵ,∅ aresubsets of Σ∗, a regular expression represents a subset of Σ∗. It is shown inthe literature (Kleene’s Theorem) that the subsets represented by the regularexpressions over Σ are exactly the regular sublanguages of Σ∗, namely thesublanguages whose canonical recognizers have a finite state set.

Regular algebra admits numerous identities that are useful for simplifyingregular expressions. They may be proved by comparing the correspondingsubsets of Σ∗. While we are not likely to undertake complicated manipula-tions of regular expressions, the following catalog of identities is provided forreference. Here L,M,N ⊆ Σ∗ are arbitrary languages over Σ.

Lϵ = ϵL = L, L+ L = L, L+M =M + L

(L+M) +N = L+ (M +N) (so we write L+M +N)

(LM)N = L(MN) (so we write LMN), (L+M)N = LN +MN

L∗ = ϵ+ LL∗, L∗L∗ = L∗, (L∗)∗ = L∗, LL∗ = L∗L

(L∗ +M∗)∗ = (L∗M∗)∗ = (L∗M)∗L∗ = (L+M)∗

(LM)∗L = L(ML)∗, (L∗M)∗ = ϵ+ (L+M)∗M

The following result is fundamental for the solution of systems of equa-tions.

Proposition 1

(i) If L =M∗N then L =ML+N

(ii) If ϵ ∈M then L =ML+N implies L =M∗N 2

78 CHAPTER 2

Part (ii) is known as Arden’s rule. Taken with (i) it says that if ϵ ∈M thenL = M∗N is the unique solution of L = ML + N ; in particular if L = ML(with ϵ ∈M) then L = ∅.

Exercise 2: Show by counterexample that the restriction ϵ ∈M in Arden’srule cannot be dropped.

Exercise 3: Prove Arden’s rule. Hint: If L =ML+N then for every k ≥ 0

L =Mk+1L+ (Mk +Mk−1 + · · ·+M + ϵ)N

As an application of Arden’s rule it will be shown how to find a regularexpression for the language generated by a finite nondeterministic transitionstructure. In the example displayed below we write by definition

Lm(G) = s ∈ Σ∗|τ(x0, s) ∩Xm = ∅

β

α

x1 x2γ

x0

α

β

Step 1. Write a formal linear equation representing the transitions at eachstate of G:

x0 = αx1 + αx2

x1 = βx1 + γx2

x2 = βx2 + ϵ

Note that the ‘forcing’ term ϵ is added on the right side if x ∈ Xm.

Step 2. Consider the states xi as tokens for the ‘unknown’ regular languages

Xi = s ∈ Σ∗|τ(xi, s) ∩Xm = ∅

2.6 79

Thus it is easy to see that the Xi satisfy exactly the regular-algebraic equa-tions just written. Solve these equations using Arden’s rule:

X2 = β∗

X1 = β∗γX2 = β∗γβ∗

X0 = αβ∗γβ∗ + αβ∗

= αβ∗(ϵ+ γβ∗)

Step 3. Since x0 is the initial state we obtain

Lm(G) = X0 = αβ∗(ϵ+ γβ∗)

As a second example consider the transition graph below, with stateslabeled a, b, c. We have

a = αb+ ϵ, b = βa+ γc, c = γc

α

β

γγ

a b c

These equations give

c = ∅, b = βa, a = (αβ)∗

Exercise 4: Consider the problem of designing a recognizer for the language

L = Σ∗0 1 0 0 1 0Σ∗

where Σ = 0, 1. In other words, we want a bell to beep (and go on beepingwith each new input symbol) as soon as the string indicated occurs for thefirst time in an arbitrary sequence of 0’s and 1’s. It is easy to specify anondeterministic recognizer, as shown below.

80 CHAPTER 2

0 1 0 010

0; 10; 1

NDR

By contrast, it’s somewhat tricky to design a deterministic recognizer ‘byhand’: try it and see. To do this using TCT,1 modify the initial selfloop toobtain

· · ·

0; 1

XDR

2

where 2 is a dummy symbol to make XDR deterministic. Compute

DR = project(XDR,null[2])

Draw the state diagram and convince yourself that DR does the job.

Exercise 5: Consider the generators

β

α

β

µT1 µα

β

α

T2

By application of the subset construction to T1, show that T1 and T2 deter-mine the same regular language. Using Arden’s rule, obtain correspondingregular expressions

L1 = (αβ(ϵ+ µ))∗αβ

L2 = (α(βα)∗βµ)∗α(βα)∗β

2.7 81

and prove by regular algebra that indeed L1 = L2. Hint: First prove theidentity

(L∗M)∗L∗ = (L+M)∗

and then reduce L2 to L1.

32.7 Causal Output Mapping and Hierarchical

Aggregation

In this section we develop in greater detail some of the ideas in Sections 2.2,2.3 and 2.5. For easier reading, some definitions are repeated.

Let G = (Q,Σ, δ, q0) be a generator: namely Q is a nonempty state set,q0 ∈ Q is the initial state, Σ is a nonempty set, the alphabet of transitionlabels, and δ : Q × Σ → Q is the (partial) transition function. The actionof δ may sometimes be written by juxtaposition: δ(q, σ) = qσ; and if thisconvention is understood then G may be written (Q,Σ, , q0). Also δ isextended by iteration in the natural way to a partial function on the set Σ∗

of all finite strings s of elements in Σ. We write δ(q, s)! or qs! to mean thatthe action of δ is defined at (q, s) ∈ Q × Σ∗. If ϵ ∈ Σ∗ is the empty stringthen qϵ := δ(q, ϵ) := q. The closed behavior of G is the subset of strings

L(G) = s ∈ Σ∗|δ(q0, s)!

In this section marked behavior plays no role.For brevity write L(G) =: L. Note that L contains ϵ, and that L is

prefix-closed, namely if s ∈ L and s′ ≤ s (s′ is a prefix of s) then s′ ∈ L aswell. Now let T be a second alphabet and suppose that P : L → T ∗ is a(total) map with the properties

P (ϵ) = ϵ

P (sσ) =

either P (s)or s ∈ Σ∗, σ ∈ ΣP (s)τ, some τ ∈ T

We call P the reporter of G. P is causal (or nonanticipative); in particularit is prefix preserving: if s ≤ s′ then P (s) ≤ P (s′). The pair (G, P ) may becalled a generator with reporter.

3Not needed in the sequel.

82 CHAPTER 2

The simplest way to visualize the behavior of (G, P ) is via the reachabilitytree of L(G), a tree in which each node n is identified with a string s of Lby a bijection n : L → Nodes: the root node is n(ϵ), and for each s ∈ Lthe children of n(s) are exactly the nodes n(sσ)|sσ ∈ L. Notice that itis possible to drop the distinction between nodes and strings, taking as oneparticular version of G the 4-tuple

T(L) := L,Σ, , ϵ

In the reachability tree the action of P can be indicated as follows. Bring inan element τo ∈ T and write To = T ∪ τo. Define the tail map ωo : L→ Toaccording to

ωo(ϵ) = τo

ωo(sσ) =

τo if P (sσ) = P (s)τ if P (sσ) = P (s)τ

Thus ωo identifies the last output symbol ‘reported’ by P , with τo inter-preted as the ‘silent output symbol’. Using T(L) to represent G, we can nowrepresent (G, P ) by the 6-tuple

T(L, P ) := L,Σ, , ϵ, To, ωo

In graphical representation the edges of the tree (transitions sσ−→ sσ of L)

are labeled by the corresponding element σ of Σ, while the nodes are labeledby the corresponding output in To.

Define the output language of (G, P ) to be PL ⊆ T ∗, and let T(PL) be thereachability tree of PL. Write ϵ for the empty string in T ∗ as well. ClearlyPL contains ϵ and is prefix-closed. Again, ignoring the distinction betweennodes of the tree and strings of PL, we have that P induces a surjection Pfrom T(L, P ) to T(PL):

P : L→ PL : s 7→ Ps

It is convenient to introduce the modified tail map

ωo : L× Σ → To : (s, σ) 7→ ωo(sσ)

and define the product map

P × ωo : L× Σ → PL× To : (s, σ) 7→ (P (s), ωo(s, σ))

2.7 83

L× Σ L

PLPL× To

PP × !o

Then we have the obvious commutative diagramHere the horizontal arrows represent the transition action, with the extendeddefinition for the bottom arrow that (t, τo) 7→ t. One can think of the diagramas a display of how transitions in the tree (L) are ‘tracked’ by transitions inT(PL). Notice that by composition of transition functions the diagram canbe iterated arbitrarily far to the right:

L× Σ L

PLPL× To

×Σ L

PL×To

×Σ · · ·

· · ·×To

thus extending the tracking feature to strings of L.While the reachability trees of L and PL are useful for purposes of visu-

alization, more efficient representations are available in principle, which areoften more convenient in practical applications. These are obtained by ag-gregating nodes of the tree (i.e. strings of the language) by means of suitableequivalence relations. For any language K ⊆ A∗ over an alphabet A, write

K/s := u ∈ A∗|su ∈ K, s ∈ A∗

The Nerode equivalence relation (Ner(K)) on A∗ is defined by

s ≡ s′(mod Ner(K)) iff K/s = K/s′

For brevity write (mod K) for (mod Ner(K)). In more detail the definitioncan be stated:

s ≡ s′(mod K) iff (∀u ∈ A∗)su ∈ K ⇔ s′u ∈ K

Ner(K) is a right congruence on A∗, namely

(∀u ∈ A∗)s ≡ s′(mod K) ⇒ su ≡ s′u(mod K)

84 CHAPTER 2

as is quickly seen from the identity

K/(su) = (K/s)/u

If [s] is the cell of s (mod K) it then makes sense to define

[s]α = [sα] s ∈ A∗, α ∈ A

Setting Z = [s]|s ∈ L, z0 = [ϵ] and with transitions (as just described)written by juxtaposition, we obtain the generator

N = (Z,A, , z0)

with L(N) = K. We refer to N as the Nerode generator of K. Its statesare the cells (equivalence classes) of Ner(K). It can easily be shown that theNerode generator of K is ‘universal’ in the sense that any other generator forK (over A), say

N = (Z, A, , z0)

can be mapped onto N in accordance with the commutative diagram

~Z × A ~Z 3 ~z0

Z 3 z0

π × idA

Z × A

π

where π : Z → Z is a suitable surjection and idA is the identity map on A.Let N(PL) = (X,T, , x0) be the Nerode generator for the language PL

discussed above.In order to find a suitably economical representation of the pair (L, P ) we

must incorporate into the new state structure both the information requiredfor the generation of L and the additional information required to specify P .To this end, define an equivalence relation Fut(P ) on L as follows:

s ≡ s′(mod Fut(P )) iff (∀u ∈ Σ∗)P (su)/Ps = P (s′u)/Ps′

or in more detail

s ≡ s′(mod Fut(P )) iff

(∀u ∈ Σ∗)(∀w ∈ T ∗)P (su) = (Ps)w ⇔ P (s′u) = P (s′)w

2.7 85

Thus Fut(P ) aggregates strings whose corresponding outputs share a com-mon future. It is well to note that equivalence Fut(P ) does not imply thatcorresponding outputs share a common present, namely that the output mapωo determined by P takes the same value on equivalent strings. In the posetof equivalence relations on L the equivalence kernel of ωo is in general notcomparable with Fut(P ).

The identity

P (suv)/P (su) = (P (suv)/Ps) / (P (su)/Ps)

shows that Fut(P ) is actually a right congruence on L. Since the meet of rightcongruences is again a right congruence, we may define the right congruence

Mealy(L, P ) := Ner(L) ∧ Fut(P )

Now let G = (Q,Σ, , q0) be specifically the generator of L = L(G)based on Mealy(L, P ), i.e. q ∈ Q stands for a cell (mod Mealy(L, P )) in L.We define the Mealy output map λ of G according to

λ : Q× Σ → To : (q, σ) 7→ ωo(sσ)

for all s ∈ q. From the definitions it easily follows that λ is well defined. The5-tuple

M(L, P ) := (Q,Σ, , q0, λ)

will be called the Mealy generator for (L, P ). One can verify that any othergenerator for (L, P ) of the same type, say

M(L, P ) = (Q,Σ, , q0, λ)

maps onto M(L, P ) in the sense that for a suitable surjection π the followingdiagram commutes:

~Q× Σ ~Q 3 ~q0

Q 3 q0

π × id

Q× Σ

πTo

~λ

λ

86 CHAPTER 2

In particular such a diagram exists with M taken to be the Mealy description

(L,Σ, , ϵ, ωo)

The situation now is that we have obtained two ‘economical’ descrip-tions: the Mealy generator M(L, P ) of (L, P ), and the Nerode generatorN(PL) of PL. However, while the items P and PL can certainly be re-covered from M(L, P ), the state set of M(L, P ) is a little too coarse toallow tracking in N(PL) of transitions in M(L, P ). The problem is just thats ≡ s′(mod Mealy(L, P )) does not imply Ps ≡ Ps′(mod PL). The cure isto refine equivalence (mod Mealy(L, P )) as follows. Define

Hier(L, P ) := Mealy(L, P ) ∧ Ner(PL) P

where s ≡ s′(mod Ner(PL) P ) is defined to mean Ps ≡ Ps′(mod PL).

Proposition 1Hier(L, P ) is a right congruence on L.

ProofIn the proof write Hier, Mealy, and Norode for brevity. Suppose s ≡

s′(mod Hier), let u ∈ Σ∗, and let P (su) = (Ps)w. Since s ≡ s′(mod Mealy),it follows both that su ≡ s′u(mod Mealy) and that P (s′u) = (Ps′)w. SincePs ≡ Ps′(mod PL) we therefore have P (su) ≡ P (s′u)(mod PL) and thusNerode P (su) ≡ Nerode P (s′u). 2

With Hier(L, P ) as the basis of our new description of (L, P ), let thecorresponding generator of Mealy type be

H(L, P ) = (Y,Σ, , y0, η)

Just as above we have that (L,Σ, , ϵ, ωo) projects onto H according to thediagram

L× Σ L 3 ǫ

Y 3 y0

ρ× idΣ

Y × Σ

ρTo

~!o

η

2.7 87

It will be seen that the output map η can be identified with the map g ofthe following proposition, which states that there is a natural connectionbetween H(L, P ) and N(PL) that admits step-by-step transition tracking.

Proposition 2There exist a surjection f : Y → X and a map g : Y ×Σ → To such that

the following diagram commutes, where

f × g : Y × Σ → X × To : (y, σ) 7−→ (f(y), g(y, σ))

Y × Σ Y 3 y0

X 3 x0

f × g

X × To

f

For the bottom arrow we recall the extended definition (x, τo) 7→ x.

ProofLet ρ : L → Y be the natural projection (mod Hier), ν : PL → X the

natural projection (mod PL), and consider the diagram

Lρ - Y

PL

P

? ν - X

f

?

(2.1)

By definition of Hier, ρ(s) = ρ(s′) implies ν P (s) = ν P (s′), namelyker(ρ) ≤ ker(ν P ), which shows that f exists as displayed. That f issurjective follows because P and ν are surjective, hence ν P is surjective.Furthermore ν P (ϵ) = ν(ϵ) = x0 and ρ(ϵ) = y0 by definition of generator,so f(y0) = x0.

88 CHAPTER 2

To complete the proof we need another version of the tail map, namelyω : L× Σ → T ∗, defined according to

ω(s, σ) =

ϵ if ωo(s, σ) = τoτ if ωo(s, σ) = τ ∈ T

With the usual definition t = tϵ for catenation by ϵ, we have the identity

P (sσ) = P (s)ω(s, σ) (2.2)

Next consider the diagram

L× Σρ× id - Y × Σ

To

g

ωo

-

(2.3)

where id := idΣ. We have (ρ× id)(s, σ) = (ρ× id)(s′, σ′) iff ρ(s) = ρ(s′) andσ = σ′, which implies s ≡ s′(mod Fut(P )). But then P (sσ) = P (s)ω(s, σ)iff P (s′σ) = P (s′)ω(s, σ), so that ωo(sσ) = ωo(s

′σ) ∈ To, namely ωo(s, σ) =ωo(s

′, σ). This shows that

ker(ρ× id) ≤ ker(ωo)

proving the existence of g as displayed. To check that f(yσ) = f(y)g(y, σ)we assume that y = ρ(s) and compute

f(yσ) = f(ρ(s)σ)

= f ρ(sσ) [ker ρ := Hier is a right congruence]

= ν P (sσ) [commutativity of (2.1)]

= ν (P (s)ω(sσ)) [identity (2.2) for ω]

= ν (P (s))ω(sσ) [ker ν := Nerode is a right congruence]

= f (ρ(s))ω(sσ) [commutativity of (2.1)]

= f (ρ(s)) ωo(s, σ) [definitions of ω, transition function]

= f(y)(g (ρ× id))(s, σ) [commutativity of (2.3)]

= f(y)g(y, σ) [y = ρ(s)]

2.7 89

2

The results so far can all be displayed in the commutative cube below.

PLPL× To

XX × To

ν × idTo νP × !o

LL× Σ

YY × Σ

f × g

ρ

P

ρ× idΣ f

In the cube, unlabeled arrows represent transition action. The bottomface can be thought of as representing ‘fast’ dynamics, originating with thegenerating action L × Σ → L, while the top face represents the ‘slow’ dy-namics that result from hierarchical aggregation. The rear face of the cuberepresents fine-grained behavioral descriptions in terms of strings, while thefront face carries the corresponding more economical state descriptions. Thescheme is summarized below.

aggregation

realizationstate

dynamics

As it stands, the scheme is purely passive (it is nothing more than a ‘clockwith two hands’); the dynamic action is purely deterministic, and there is noway for an ‘agent’ to intervene. However, the scheme admits an interestingelaboration that incorporates the action of a controller: this is the subject ofhierarchical control theory, to be considered in Chapter 5.

90 CHAPTER 2

To conclude this section we note for completeness’ sake a slightly morefine-grained state realization of (L, P ) in which the next output symbol cor-responding to a state transition q

σ−→ q′ in M(L, P ) or H(L, P ) becomesa function of the entrance state q′ alone (as distinct from being a functionof the pair (q, σ) – of course q′ may be the entrance state for several othertransitions too). Such a representation is more convenient than the Mealy de-scription for graphical representation and certain data processing operations.For this, refine the equivalence Fut(P ) to include the present:

Pfut(P ) := Fut(P ) ∧ ker ωo

In detail,

s ≡ s′(mod Pfut(P )) iff s ≡ s′(mod Fut(P )) & ωo(s) = ωo(s′)

It is easy to see that Pfut(P ) is a right congruence on L, so we may definethe right congruence

Moore(L, P ) := Ner(L) ∧ Pfut(P )

All the previous considerations now apply with Mealy(L, P ) replaced byMoore (L, P ). It can be checked that the finer granularity of state descriptionfor H(L, P ) is reflected in the property that the output map g of Proposi-tion 2 now factors through the transition function (say δ : Y × Σ → Y ) ofH(L, P ): namely ker g ≥ ker δ, hence there exists a map ϕ : Q → To suchthat g = ϕ δ.

Exercise 3: Show how to include marked behavior in the foregoing discus-sion by ‘marking’ states of G with an auxiliary selfloop.

2.8 Chains of Regular Languages

In this section we consider descending chains of regular languages and their fi-nite convergence. The situation commonly arises when computing languageswith special properties by successive approximation.

Let Ki ⊆ Σ∗ (i = 0, 1, . . .) be a descending chain, namely

K0 ⊇ K1 ⊇ K2 . . . (2.4)

2.8 91

where the languages Ki over Σ are otherwise arbitrary. The chain (or set-theoretic) limit K always exists, and is

K =∞∩i=0

Ki

Let P be some ‘property’ common to the Ki (e.g. regularity) that is closedunder finite intersection, so for every n, ∩n

i=0Ki has property P as well. Ingeneral there is no guarantee that K also has P. For instance with Σ =α, β, the languages

Ki := Σ∗ − αjβj|j = 0, 1, . . . , i

are regular, butK = Σ∗ − αjβj|j = 0, 1, . . .

is not, as it is the complement of a non-regular language (Example 2.3.2(v)).The simplest condition under which K will have P is evidently that the

chain (2.4) terminates finitely, namely for some n,

Ki = Kn, i ⩾ n (2.5)

To obtain a useful criterion for (2.5), consider the Nerode equivalence ≡L ofa language L ⊆ Σ∗ (Section 2.2), and write ∥L∥ for its index. We recall that∥L∥ is the state size of a canonical recognizer for L.

Proposition 1Fix the alphabet Σ, with |Σ| = M < ∞. For every R = 1, 2, . . . the

number of distinct languages L ⊆ Σ∗ with ∥L∥ ≤ R is finite.

ProofLet R = (X,Σ, ξ, x0, Xm) be a canonical recognizer for L. Then |X| ≤ R,

the number of choices for Xm ⊆ X is no more than 2R, and the number ofchoices for ξ : X × Σ → X no more than |X||X×Σ| ≤ RRM . 2

To establish (2.5) we now have the following.

Proposition 2For fixed Σ with |Σ| <∞, let Ki ⊆ Σ∗ be a descending chain, as in (2.4).

Assume that for some R and all i, ∥Ki∥ ≤ R. Then for some n,Ki = Kn forall i ⩾ n.

92 CHAPTER 2

ProofIf the conclusion fails then for every n there is m > n with Kn ⊃ Km,

hence there is an infinite subsequence

Ki(1) ⊃ Ki(2) ⊃ Ki(3) ⊃ · · ·

where the inclusions are strict. By Proposition 1 the Ki(j) belong to a com-mon finite collection of sublanguages, and therefore

Ki(r) = Ki(r+s)

for some r, s. From this contradiction the result follows. 2

In the remainder of this section we consider a condition on regular sub-languages of Σ∗ by which a state size bound as in Proposition 2 can beestablished. Note first that if, for languages K,L ⊆ Σ∗, it happens to betrue that

≡L ≤ ≡K (2.6)

for their Nerode equivalences, then obviously ∥K∥ ≤ ∥L∥. However therefinement condition (2.6), equivalent to the existence of a morphism P as inProposition 2.4.2, is rarely applicable in the present context, and we introducea weaker condition that is more relevant.

Let K,L ⊆ Σ∗ be arbitrary, with prefix-closures K, L. We say that K isweakly supported on L, and write4 K ⊢ L, if

K,Σ∗ − K∧ ≡L ≤ ≡K (2.7)

Here ·, · is the binary partition separating K from its complement. Explic-itly, (2.7) states

(∀s1, s2 ∈ Σ∗)s1 ≡ s2(mod K,Σ∗ − K) & s1 ≡L s2 ⇒ s1 ≡K s2 (2.8)

In fact if s1, s2 ∈ Σ∗ − K then, as the latter is a single cell of ≡K (seeSection 2.2), (2.8) is automatic; only the condition s1, s2 ∈ K plays a role.Thus (2.8) is equivalent to

(∀s1, s2 ∈ Σ∗)s1, s2 ∈ K & s1 ≡L s2 ⇒ ((∀w ∈ Σ∗)s1w ∈ K ⇔ s2w ∈ K)(2.9)

4The symbol ⊢ may be pronounced ‘bu’.

2.8 93

Example 3Consider ∅ ⊆ ϵ ⊆ Σ∗ and write Ner(·) for ≡. We have

Ner(∅) = Ner(Σ∗) = Σ∗

andNer(ϵ) = ϵ,Σ∗ − ϵ

Thus for any L ⊆ Σ∗,

∅ ⊢ L, ϵ ⊢ L, and Σ∗ ⊢ L

In general L ⊢ L, but as Ner(L) ≤ Ner(L), usually L ⊬ L.

Example 4Given ∅ = M ⊆ Σ∗ closed, select t ∈ M , and let L = s ∈ M |s ≡M t.

Thus L is the sublanguage of M consisting of strings that terminate in thecell [t]M . In general L is not closed; in any case

L = s ∈ Σ∗|(∃w ∈ Σ∗)sw ≡M t ⊆M

One can think of [t] as a ‘marker state’ of M , and of L as the ‘trim’ of Mwith respect to it.

We show that L ⊢ M . For this let s1, s2 ∈ L, s1 ≡M s2, and s1w ∈ L.Then s1w ≡M t, s2w ≡M s1w, so s2w ∈ L, as required.

One easily verifies the corresponding more general result, based on select-ing t1, . . . , tk ∈M and defining

L :=k∪

j=1

s ∈M |s ≡M tj

Example 5Fix t ∈ Σ∗, L ⊆ Σ∗, and let

K := L− s ∈ Σ∗|(∃s′ ≤ s)s′ ≡L t

Setting λ(t) := s′ ∈ Σ∗|s′ ≡L t, the Nerode cell of t (mod L), show that

K = supJ ⊆ L|J ∩ λ(t) = ∅

94 CHAPTER 2

We use (2.9) to verify that K ⊢ L. Let s1, s2 ∈ K, s1 ≡L s2, and s1w ∈ K.It must be shown that s2w ∈ K. Now s1w ∈ K ⊆ L along with s2 ≡L s1implies s2w ∈ L. Next, s2 ∈ K implies s2x ∈ K for some x ∈ Σ∗, hence forall s′ ≤ s2x there holds s′ ≡Lt, in particular for all s′ ≤ s2. Let y ≤ w. Thens1w ∈ K implies s1y ≡Lt, and then s2y ≡L s1y yields s2y ≡Lt, so that nows′ ≡Lt for all s

′ ≤ s2w. There follows s2w ∈ K, as required.

We next investigate the Nerode equivalence relation of K and its relationto the cells of ≡L. Consider the family of subsets of Σ∗ given by

Φ := [s]L ∩ K|s ∈ K ∪ Σ∗ − K

Proposition 6The family Φ (restricted to its nonempty members) is a partition of Σ∗,

determining (say) an equivalence relation φ ∈ E(Σ∗). If K ⊢ L then φ is aright congruence, with φ ≤ ≡K . In that case

∥K∥ ≤ |φ| ≤ ∥L∥+ 1

If, furthermore, K ⊆ L ⫋ Σ∗ then |φ| ≤ ∥L∥.

ProofSince ∪[s]L|s ∈ K ⊇ K, it is clear that Φ covers Σ∗. Suppose

t ∈ ([s1]L ∩ K) ∩ ([s2]L ∩ K)

Then [s1]L ∩ [s2]L = ∅, so [s1]L = [s2]L, and Φ is a partition. Now assumeK ⊢ L and let s1 ≡ s2(mod φ). If s1, s2 ∈ Σ∗− K, clearly s1w, s2w ∈ Σ∗− Kfor all w ∈ Σ∗, hence s1w ≡ s2w(mod φ). Suppose s1, s2 ∈ K, so thats1, s2 ∈ [s]L ∩ K for some s ∈ K. Thus s1 ≡L s2. As K ⊢ L, we know

K,Σ∗ − K∧ ≡L ≤ ≡K

Therefore s1 ≡K s2 (and we have now proved φ ≤≡K). Thus if, for somew, s1w ∈ Σ∗ − K, then also s2w ∈ Σ∗ − K. If instead s1w ∈ K thens1w ∈ [s1w]L ∩ K, and as s2w ≡L s1w we have s2w ∈ [s1w]L. But s1 ≡K s2and s1w ∈ K implies s2w ∈ K (otherwise s2wx /∈ K for all x ∈ Σ∗, sos1wx /∈ K for all x, contradicting s1w ∈ K); therefore s2w ∈ [s1w]L ∩ K.It follows that, for all w ∈ Σ∗, s1 ≡ s2(mod φ) implies s1w ≡ s2w(mod φ),

2.8 95

namely φ is a right congruence on Σ∗. Next, from φ ≤ ≡K the inequality∥K∥ ≤ |φ| follows at once; and obviously |φ| ≤ ∥L∥+1. The latter inequalitycan be improved if some cell of ≡L does not meet K. Thus if L = Σ∗ thenΣ∗ − L = ∅, and K ⊆ L implies Σ∗ − L ⊆ Σ∗ − K. Thus t ∈ Σ∗ − L yields[t]L = Σ∗ − L, with [t]L ∩ K = ∅. In that case, |φ| ≤ ∥L∥. 2

Proposition 6 suggests a useful strengthening of the ‘weak support’ rela-tion ⊢. For K,L ⊆ Σ∗ we say that K is supported on L, and write5 K ⊢ L,if both K ⊆ L and K ⊢ L. Then we have

Corollary 7If K ⊢ L and L ⫋ Σ∗ then ∥K∥ ≤ ∥L∥.

The condition L = Σ∗ in this corollary cannot be dropped altogether, asshown by the example K = ϵ, L = Σ∗, where ∥K∥ = 2, ∥L∥ = 1.

We remark that it need not be true that φ ≥ ≡L. For instance if Σ =α, β, L = α∗, K = ϵ, then K ⊢ L, and Ner(K) = φ = ϵ,Σ∗ −ϵ,Ner(L) = [ϵ], [β]. Thus ϵ ≡L α but ϵ ≡ α(mod φ).

Our next result is the useful fact that ⊢ is transitive: if K is supportedon L, and L on M , then so is K on M .

Proposition 8The binary relation ⊢ on Pwr(Σ∗) is transitive.

ProofSuppose K ⊢ L and L ⊢ M . To show K ⊢ M , we have by definition

K ⊆ L, K,Σ∗ − K∧ ≡L ≤ ≡K

L ⊆ M, L,Σ∗ − L∧ ≡M ≤ ≡L

By transitivity of ≤ on E(Σ∗),

K,Σ∗ − K ∧ L,Σ∗ − L∧ ≡M ≤ ≡K

Now if s1, s2 ∈ K then s1, s2 ∈ L, so

(s1, s2) ∈ K,Σ∗ − K ∧ L,Σ∗ − L5The symbol ⊢ may be pronounced ‘shang’.

96 CHAPTER 2

Then s1 ≡M s2 yields s1 ≡K s2. This together with K ⊆ M gives K ⊢ M ,as required. 2

For application to chain convergence, it is convenient to generalize slightlythe relations ⊢ and ⊢ as follows. Let ρ be an arbitrary right congruence onΣ∗ (not necessarily the Nerode equivalence of a sublanguage). For K,L ⊆ Σ∗

we say that K is weakly ρ-supported on L, and write K ⊢ρ L, if

K,Σ∗ − K ∧ ρ∧ ≡L ≤ ≡K

If in addition K ⊆ L, we say that K is ρ-supported on L, written K ⊢ρL.

Setting π := ρ∧ ≡L, consider the family of subsets of Σ∗ given by

Ψ := [s]π ∩ K|s ∈ K ∪ Σ∗ − K

It is straightforward to prove the following generalizations of Propositions 6and 8.

Proposition 9The family Ψ is a partition, determining (say) an equivalence relation ψ,

on Σ∗. If K ⊢ρ L then ψ is a right congruence, with ψ ≤ ≡K . In that case

∥K∥ ≤ |ψ| ≤ |π|+ 1 ≤ |ρ| · ∥L∥+ 1

If, furthermore, K ⊆ L ⫋ Σ∗ then

∥K∥ ≤ |ρ| · ∥L∥

ProofThe proof closely follows that of Proposition 8 and may be left to the

reader. For the third statement, note that

[s]π ∩ K = ∅

for some s provided[s]L ∩ K = ∅

By use of the obvious estimate |π| ≤ |ρ| · ∥L∥, the argument is completed asbefore. 2

Proposition 10

2.8 97

The binary relation ⊢ρon Pwr(Σ∗) is transitive: ifK ⊢

ρL and L ⊢

ρM

then K ⊢ρM . 2

Our main result is now the following.

Theorem 11For a finite alphabet Σ, let Ki ⊆ Σ∗ (i = 0, 1, 2, . . .) be a descending

chain, with K0 regular. Assume that, for some fixed right congruence ρ onΣ∗ with |ρ| <∞,

Ki ⊢ρKi−1, i = 1, 2, . . .

Then each Ki is regular, and the chain is finitely convergent to a sublanguageK. Furthermore, K ⊢

ρK0 and

∥K∥ ≤ |ρ| · ∥K0∥+ 1

ProofBy transitivity of ⊢

ρ, Proposition 10, Ki ⊢

ρK0 for all i ⩾ 1, and

therefore∥Ki∥ ≤ |ρ| · ∥K0∥+ 1, i ⩾ 1

by Proposition 9. Now finite convergence follows by Proposition 2. 2

Applications of Theorem 11 will be given in Sections 3.5 and 6.1.

Exercise 12: K ⊢ L does not imply K ⊆ L. Hint: K = ϵ.

Exercise 13: Let G, K be two generators over the alphabet Σ. SupposeLm(K) is supported on Lm(G). Show by example that it needn’t be truethat L(K) is supported on L(G).

The following definition will be useful in Chapter 6. LetG, K be two gen-erators over the alphabet Σ. Say K is supported on G if Lm(K) is supportedon Lm(G) and L(K) is supported on L(G).

98 CHAPTER 2

2.9 Notes and References

Except for Section 2.8, which originates here, most of the material in thischapter is standard. For Sections 2.1-2.6 see especially Hopcroft & Ullman[1979]. Exercise 2.6.4 is adapted from Carroll & Long [1989], p.123. Ourdistinction between ‘automaton’ and ‘generator’ is perhaps non-standard,but is helpful in control theory. Section 2.7 also originates here, but is notused in the sequel.

For an early appearance of (robotic) automata in Western literature, seeHomer, Iliad, V (749-751) and XVIII (373-377).

Chapter 3

Supervision of Discrete-EventSystems: Basics

We introduce the concept of controlled discrete-event system, by adjoining tothe structure of a language generator a control technology. This amounts topartitioning the set of events into controllable events and uncontrollable, theformer being amenable to disablement by an external controller or supervisor.Starting from the fundamental definition of a controllable language, it isshown how to formulate and solve a basic problem of optimal supervision.The formulation is extended to treat event forcing, mutual state exclusion,and forbidden state subsets. Computation is illustrated using the softwarepackage TCT.

3.1 Introduction

Discrete-event systems encompass a wide variety of physical systems thatarise in technology. These include manufacturing systems, traffic systems,logistic systems (for the distribution and storage of goods, or the delivery ofservices), database management systems, communication protocols, and datacommunication networks. Typically the processes associated with these sys-tems may be thought of as discrete (in time and state space), asynchronous

99

100 CHAPTER 3

(event-driven rather than clock-driven), and in some sense generative (or non-deterministic). The underlying primitive concepts include events, conditionsand signals.

Our approach in this monograph will be to regard the discrete-event sys-tem to be controlled, i.e. the ‘plant’ in traditional control terminology, asthe generator of a formal language. By adjoining control structure, it will bepossible to vary the language generated by the system within certain limits.The desired performance of such a controlled generator will be specified bystating that its generated language must be contained in some specificationlanguage. It is often possible to meet this specification in an ‘optimal’, thatis, minimally restrictive, fashion. The control problem will be consideredfully solved when a controller that forces the specification to be met hasbeen shown to exist and to be constructible. In accordance with widely ac-cepted control methodology, we take the state description of a system (and,in this case, a language) to be fundamental.

In parallel with the formal theory, we shall provide a guide to the softwarepackage TCT, which can be used for developing small-scale examples on apersonal computer.

3.2 Representation of Controlled Discrete-Event

Systems

The formal structure of a DES to be controlled is that of a generator in thesense of Section 2.5. As usual, let

G = (Q,Σ, δ, q0, Qm)

Here Σ is a finite alphabet of symbols that we refer to as event labels, Qis the state set (at most countable), δ : Q × Σ → Q is the (partial) tran-sition function, q0 is the initial state, and Qm ⊆ Q is the subset of markerstates. The transition graph shown below represents a primitive ‘machine’named MACH, with 3 states, labeled I,W,D for ‘idle’, ‘working’ and ‘bro-ken down’.

In a transition graph the initial state is labeled with an entering arrow( ), while a state labeled with an exiting arrow ( ) will denote amarker state. If the initial state is also a marker state, it may be labeled with

3.2 101

β

α

I

W D

λ

µ

a double arrow ( ). Formally a transition or event of G is a triple ofthe form [q, σ, q′] where δ(q, σ) = q′. Here q, q′ ∈ Q are respectively the exitstate and the entrance state, while σ ∈ Σ is the event label. The transitionset of G is just the set of all such triples.

The mode of operation of a DES, of which MACH is typical, may bepictured as follows. Starting from state I, MACH executes a sequence ofevents in accordance with its transition graph. Each event is instantaneous intime. The events occur at quasi-random (unpredictable) time instants. Uponoccurrence of an event, the event label is ‘signaled’ to some external agent.In this way MACH generates a string of event labels over the alphabet Σ.At a state such as W from which more than one event may occur, MACHwill be considered to select just one of the possibilities, in accordance withsome mechanism that is hidden from the system analyst and is thereforeunmodeled. Such a mechanism could be ‘forcing’ by an external agent. Inthis sense the operation of MACH is nondeterministic. However, it will beassumed that the labeling of events is ‘deterministic’ in the sense that distinctevents exiting from a given state always carry distinct labels. In general itmay happen that two or more events exiting from distinct states may carrythe same label.

The marker states serve to distinguish those strings that have some specialsignificance, for instance represent a completed ‘task’. In many applicationsa task is cyclic, for example a production cycle, and its completion will berepresented by the return of one or more system components to their initialstate, which is therefore marked, as shown for MACH. If all states of acomponent have equal ‘task-completion’ status (in other words the modeleris indifferent as to which state of this component the process might terminatein, or just reach) then all its states should be marked.

For the alphabet Σ we have the partition (disjoint union)

Σ = Σc∪Σu

102 CHAPTER 3

where the disjoint subsets Σc and Σu comprise respectively the controllableevents and the uncontrollable events. In a transition graph a controllableevent may be indicated by an optional tick on its transition arrow ( ).For MACH, Σc = α, µ and Σu = β, λ.

The controllable event labels, in this case α, µ, label transitions thatmay be enabled or disabled by an external agent. A controllable event canoccur only if it is enabled. Thus if the event (labeled) α is enabled, butnot otherwise, MACH can execute the transition [I, α,W ] to W from I;if MACH is at D, enablement of µ may be interpreted as the conditionthat MACH is under repair, and so may (eventually) execute the transition[D,µ, I]. For brevity we shall often refer to ‘the event σ’, meaning any or allevents (transitions) that happen to be labeled by σ.

By contrast, the uncontrollable event labels, in this case β, λ, labeltransitions over which (as expected) an external agent has no control: anuncontrollable event simply ‘happens’ in accordance (let us say) with internalmachine volition, as when MACH ‘chooses’, at state W , to execute eitherβ or λ. In a DES the assignment of controllability status (controllable oruncontrollable) to an event is entirely up to the modeler.

The TCT procedure create allows the user to create and file a new DES.In response to the prompt, the user enters the DES name, number of statesor size, the list of marker states and list of transitions (event triples). TheTCT standard state set is the integer set 0, 1, ..., size − 1, with 0 as theinitial state. Event labels must be entered as integers between 0 and 999,where controllable events are odd and uncontrollable events are even. Forinstance MACH could be created as displayed below.

Example 1: TCT procedure createName? MACH# States? 3

% TCT selects standard state set 0,1,2Marker state(s)? 0

% User selects event labels 0,1,2,3:% events labeled 1 or 3 are controllable

Transitions?[0,1,1][1,0,0][1,2,2][2,3,0]

3.2 103

The TCT procedure SE displays an existing DES in approximately theformat indicated above.

We recall from Chapter 2 that the languages associated with a DES Gare the closed behavior

L(G) = s ∈ Σ∗|δ(q0, s)!

and the marked behavior

Lm(G) = s ∈ L(G)|δ(q0, s) ∈ Qm

Note that ∅ ⊆ Lm(G) ⊆ L(G), and always ϵ ∈ L(G) (provided G =EMPTY, the DES with empty state set). The reachable (state) subset ofG is

Qr = q ∈ Q|(∃s ∈ Σ∗) δ(q0, s) = q

G is reachable if Qr = Q. The coreachable subset is

Qcr = q ∈ Q|(∃s ∈ Σ∗) δ(q, s) ∈ Qm

G is coreachable if Qcr = Q. G is trim if it is both reachable and coreachable.The TCT procedure trim returns the trimmed version of its argument:

TDES = trim(DES)

possibly after state recoding, as illustrated below.

Example 2: TCT procedure trim

TDES = trim(DES)

0

DES

2

1 3

4

104 CHAPTER 3

0

TDES

1 2

Qr = 0, 1, 3, 4, Qcr = 0, 1, 2, 3, Qnew = Qr ∩Qcr = 0, 1, 3

Note that state 3 in Qnew has been recoded as 2.

The DES G is nonblocking if every reachable state is coreachable, namelyQr ⊆ Qcr. In linguistic terms,

Lm(G) = L(G)

In particular G is nonblocking if it is trim. If K ⊆ Σ∗ then G represents Kif G is nonblocking and Lm(G) = K. Then L(G) = K, although G mightpossibly be non-coreachable. Normally, if G is intended to represent K, it istaken to be both reachable and coreachable (i.e. trim).

3.3 Synchronous Product, Shuffle, and Meet

In this section we describe a way of combining several DES into a single,more complex DES. The technique will be standard for the specificationof control problems involving the coordination or synchronization of severalDES together. We define the operations required on languages, and then thecounterpart TCT operations on their generators.

Let L1 ⊆ Σ∗1, L2 ⊆ Σ∗

2, where it is allowed that Σ1 ∩ Σ2 = ∅. LetΣ = Σ1 ∪ Σ2. Define

Pi : Σ∗ → Σ∗

i (i = 1, 2)

according to

Pi(ϵ) = ϵ

Pi(σ) =

ϵ if σ ∈ Σi

σ if σ ∈ Σi

Pi(sσ) = Pi(s)Pi(σ) s ∈ Σ∗, σ ∈ Σ

3.3 105

Clearly Pi(st) = Pi(s)Pi(t), i.e. Pi is catenative. The action of Pi on a strings is just to erase all occurrences of σ in s such that σ ∈ Σi. Pi is the naturalprojection of Σ∗ onto Σ∗

i . Let

P−1i : Pwr(Σ∗

i ) → Pwr(Σ∗)

be the inverse image function of Pi (cf. Section 1.4), namely for H ⊆ Σ∗i ,

P−1i (H) := s ∈ Σ∗|Pi(s) ∈ H

For L1 ⊆ Σ∗1, L2 ⊆ Σ∗

2 we define the synchronous product L1∥L2 ⊆ Σ∗

according toL1∥L2 := P−1

1 L1 ∩ P−12 L2

Thus s ∈ L1∥L2 iff P1(s) ∈ L1 and P2(s) ∈ L2. If L1 = Lm(G1) and L2 =Lm(G2), one can think of G1 and G2 as generating L1∥L2 ‘cooperatively’by agreeing to synchronize those events with labels σ which they possess incommon.

The TCT procedure sync returns G = sync(G1,G2) where

Lm(G) = Lm(G1)∥Lm(G2), L(G) = L(G1)∥L(G2)

Example 1: Synchronous product

β

αΣ1 = fα;βg G1

β

βG2Σ2 = fβ; γg

γ

α

γ

β γ β α

γ

sync(G1;G2)

106 CHAPTER 3

Exercise 2: Show that, in general,

L1∥L2 = (L1∥(Σ2 − Σ1)∗) ∩ (L2∥(Σ1 − Σ2)

∗)

Here the alphabet for (Σi − Σj)∗ should be taken as Σi − Σj. Discuss the

boundary cases Σ1 = Σ2 and Σ1 ∩ Σ2 = ∅.

Exercise 3: With Li, Pi,Σi (i = 1, 2) as above, let

Pi0 : Σ∗i → (Σ1 ∩ Σ2)

∗ i = 1, 2

be the natural projections. Show that

P1(L1∥L2) = L1 ∩ P−110 (P20L2)

P2(L1∥L2) = L2 ∩ P−120 (P10L1)

This result describes how L1 (resp. L2) is constrained when synchronizedwith L2 (resp. L1). Interpret the boundary cases when Pi(L1∥L2) = Li orPi(L1∥L2) = ∅, provide examples, and check with TCT.

Notation: If µ, ν are binary relations on a set X, then µ ν is the relationgiven by

x(µ ν)x′ iff (∃x′′)xµx′′ & x′′νx′

Exercise 4: With Σ1 ∪ Σ2 ⊆ Σ and Pi : Σ∗ → Σ∗i (i = 1, 2) natural

projections, show that P1P2 = P2P1, and that

kerP1 ∨ kerP2 = ker(P1P2)

= (kerP1) (kerP2)

Exercise 5: Show that synchronous product is associative, namely

(L1∥L2)∥L3 = L1∥(L2∥L3)

where Li is defined over Σi and the Σi bear no special relationship to oneanother.

It is well to note a subtlety in the definition of synchronous product.While it must be true that Σi includes all the event labels that explicitly

3.3 107

appear in Gi, it may be true that some label in Σi does not appear in Gi atall. If σ ∈ Σ1 ∩ Σ2 does not actually appear in G2 but may appear in G1,then sync will cause G2 to block σ from appearing anywhere in G. Thus if,in Example 1, Σ2 is redefined as α, β, γ, then α is blocked, with the resultthat now

Lm(G1)∥Lm(G2) = ϵThus in general L1∥L2 depends critically on the specification of Σ1, Σ2. Cur-rently TCT implements sync by taking for Σi exactly the events that appearin Gi.

Exercise 6: Nonassociativity of TCT syncThe TCT implementation sync of synchronous product need not respect

associativity, since the events appearing in sync(G1,G2) may form a propersubset of Σ1 ∪ Σ2. Consider

β

G1

γ α

β

G2

γα

G3

γ

Check thatsync((sync(G1,G2),G3)

= sync(G1, sync(G2,G3))

and explain why.

TCT will warn the user if some event in Σ1 ∪ Σ2 fails to appear in thesynchronous product: such an event is ‘blocked’. This remedy was deemedpreferable to maintaining a separate event list for a DES throughout itshistory. For more on this issue see Exercise 12 below.

Exercise 7: With Σi, Pi, Li (i = 1, 2) as before, take strings si ∈ Li.(i) Show that s1||s2 = ∅ iff P2(s1) = P1(s2).

(ii) Calculate ϵ||s2, where ϵ is the empty string (considered as an elementof Σ∗

1). Be careful: there are two relevant cases for s2.

(iii) Illustrate your results with TCT examples. Hint: Remember that TCTtakes for Σi exactly the events that occur in Gi, so to model ϵ over Σ∗

1 use,for example

108 CHAPTER 3

G1Σ1 10

Exercise 8: For alphabets Σ0, Σ1, Σ2 with Σ0 ⊆ Σ1 ∪ Σ2, let

L1 ⊆ Σ∗1, L2 ⊆ Σ∗

2

and letP0 : (Σ1 ∪ Σ2)

∗ → Σ∗0

be the natural projection. Show that

P0(L1∥L2) ⊆ (P0L1)∥(P0L2)

always, and that equality holds provided

Σ1 ∩ Σ2 ⊆ Σ0,

namely ‘every shared event is observable under P0’. Here consider P0Li ⊆(Σ0 ∩ Σi)

∗. Now extend this result to languages Li ⊆ Σ∗i (i = 1, ..., n).

Let G be a DES over alphabet Σ, and Σloop be an arbitrary event listwith no particular relation to Σ. As its name suggests, the TCT procedureselfloop forms

SLG = selfloop(G,Σloop)

by attaching a transition [q, σ, q] for each σ ∈ Σloop, at each state q in Gwhere a transition [q, σ, q′] is not already defined.

Assume temporarily that Σ1 ∩Σ2 = ∅. With L1, L2 as before the shuffleproduct L1∥L2 is defined to be the synchronous product for this special case.Thus the shuffle product of two languages L1, L2 over disjoint alphabets isthe language consisting of all possible interleavings (‘shuffles’) of strings ofL1 with strings of L2. One can think of G1 and G2 as generating L1∥L2 byindependent and asynchronous generation of L1 and L2 respectively.

In this monograph we may write shuffle to stand for the TCT proceduresync when the component alphabets Σ1 and Σ2 are disjoint.

Reverting to the case of general Σ1,Σ2 and G1,G2, the TCT proceduremeet returns a reachable DES G = meet(G1,G2) such that

Lm(G) = Lm(G1) ∩ Lm(G2), L(G) = L(G1) ∩ L(G2)

3.3 109

Thusmeet is really the special case of sync corresponding to the assumptionof a common alphabet Σ1 ∪Σ2, namely all events are considered shared andsynchronization is total. In particular, meet will block any event whose labeldoes not occur in both G1 and G2. Note also that Lm(G) may be a propersublanguage of L(G), even when each of G1 and G2 is trim.

Example 9: Meet

β

G1

α

γ β

G2

α

δ

β

G = meet(G1;G2)α

While Lm(G) = α = Lm(G1) ∩ Lm(G2) and L(G) = ϵ, α, β =L(G1) ∩ L(G2), nevertheless Lm(G) ⫋ L(G) even though each of G1 andG2 is trim.

Exercise 10: The TCT procedure meet is implemented for DES G1 andG2 as follows. Let Gi = (Qi,Σ, δi, q0i, Qmi), i = 1, 2. First define the productG1 ×G2 = (Q,Σ, δ, q0, Qm), where Q = Q1 ×Q2, δ = δ1 × δ2, q0 = (q01, q02),and Qm = Qm1 ×Qm2, with

(δ1 × δ2)((q1, q2), σ) := (δ1(q1, σ), δ2(q2, σ))

whenever δ1(q1, σ)! and δ2(q2, σ)!. In other words the product is definedlike the product of two automata, due account being taken of the fact thatthe component transition functions are partial functions, hence the producttransition function is a partial function as well. TCT now returns G =meet(G1,G2) as the reachable sub-DES of G1 ×G2, and will number thestates from 0 to size−1 (in some arbitrary fashion) as usual. Note that onecan think of G as a structure that is capable of tracking strings that can begenerated by G1 and G2 in common, when each starts at its initial state.Calculate by hand the meet of two DES and check your result using TCT.Using Exercise 2, explain how meet can be extended to obtain sync.

110 CHAPTER 3

Exercise 11: Let L ⊆ Σ∗. Writing

L =[L ∪

(Σ∗ − L

)]∩ L

show that the two languages intersected on the right are represented by twogenerators in which, respectively, all events are enabled (i.e. can occur) ateach state, and every state is marked. The former places no constraints onlocal choice but does distinguish ‘successful’ (marked) strings from others,while the latter declares every string to be ‘successful’ but constrains eventchoice. For Σ = α, β, L = α(βα)∗, illustrate by drawing the state diagramsand check using meet.

Exercise 12: With reference to the Gi of Exercise 6, adopt the TCT speci-fication

Σ1 = Σ2 = α, β, γ, Σ3 = γ

and write Σ = Σ1∪Σ2∪Σ3. Show that the synchronous product of languages,

Lm(G1)||Lm(G2)||Lm(G3)

is represented bymeet(G1

′,G2′,G3

′) (3.1)

where G′i = selfloop(Gi,Σ− Σi). Here

meet(F,G,H) := meet(meet(F,G),H)

is always independent of the order of arguments. Thus (3.1), and its gener-alization to k arguments, provides a correct, order-independent (hence, asso-ciative) implementation of synchronous product, as long as all the relevantGi are specified in advance.

Which of the two results in Exercise 6 agrees with (3.1)? Explain.

Exercise 13: Let I = 1, ..., k, and take Σi, Li ⊆ Σ∗i ,Σ =

∪Σi|i ∈ I and

Pi : Σ∗ → Σ∗

i (i ∈ I). Define

L := ||Li|i ∈ I :=∩

P−1i Li|i ∈ I

Show that PiL ⊆ Li and that

L = ||PiL|i ∈ I

3.3 111

Thus if arbitrary L′i ⊆ Σ∗

i happen to satisfy L = ||L′i|i ∈ I, then PiL ⊆ L′

i

(i ∈ I). With reference to Exercise 12, illustrate your results with TCTexamples.

For use in the following we introduce TCT project. For a DES G overΣ, let Σo ⊆ Σ, Σnull := Σ − Σo, and P : Σ∗ → Σ∗

o the natural projection.Then project(G,null[Σnull]) returns a (state-minimal) DES PG over Σo

such that

Lm(PG) = PLm(G), L(PG) = PL(G)

Exercise 14: Consider a buffer having capacity n, with input event 0 andoutput event n:

B = (Q,Σo, δ, q0, Qm)

where

Q = 0, 1, ..., n, Σo = 0, n

q0 = 0, Qm = 0

and δ determines transitions

[i− 1, 0, i], [i, n, i− 1], i = 1, ..., n

For i = 1, ..., n let Bi be the 1-slot buffer with

Qi = 0, 1, Σi = i− 1, i,

q0i = 0, Qm,i = 0

and transitions [0, i− 1, 1], [1, i, 0]. Let

Σ = 0, 1, ..., n, Σo = 0, n, Po : Σ∗ → Σ∗

o

Show that

Lm(B) = Po[Lm(B1) ∥ · · · ∥ Lm(Bn)]

Check your result for n = 4 using TCT and provide a physical interpretation.

Exercise 15: The prioritized synchronous product of languages L1 ⊆ Σ∗1

and L2 ⊆ Σ∗2 can be defined informally as follows. Let Li be represented by

112 CHAPTER 3

generator Gi = (Qi,Σi, δi, , ). Let α ∈ Σ1 ∩ Σ2. To assign G1 ‘priority’over G2 with respect to α declare that, in G1 ×G2,

δ((q1, q2), α) =

(δ1(q1, α), δ2(q2, α)) if δ1(q1, α)! & δ2(q2, α)!(δ(q1, α), q2) if δ1(q1, α)! & not δ2(q2, α)!undefined, otherwise

In other words, G1 may execute α whenever it can; G2 synchronizes withG1 if it can, but otherwise exercises no blocking action and makes no statechange. The definition of δ may be completed in the evident way, correspond-ing to a three-fold partition of Σ1 ∩ Σ2 into events prioritized for G1 (resp.G2), or non-prioritized (as in ordinary synchronous product). For simplicityassume that only α ∈ Σ1 ∩Σ2 is prioritized, say for G1. Denote the requiredproduct by psync(G1,G2). To implement this in TCT, extend G2 to G′

2

according to

δ′2(q2, α) =

δ2(q2, α) if δ2(q2, α)!q2 if not δ2(q2, α)!

In TCT, G′2 = selfloop(G2, [α]). Then

psync(G1,G2) = sync(G1,G′2)

Illustrate this construction using Example 1, assigning G1 priority with re-spect to β, and compare the result with that of sync(G1,G2).

Remark 16: FlagsSince TCT recodes the states of a product structure generated by sync or

meet sequentially as natural numbers, information about component statesis discarded. To retain such information one can use auxiliary selfloops as‘flags’. For instance, to display which states of G3 = sync(G1, G2) cor-respond to states (1,2) or (6,2) of G1 × G2, first modify G1 and G2 byselflooping states 1 and 6 of G1 and state 2 of G2 with a new flag eventσflag. After recoding, the selected product states will appear self-looped inG3.

Example 17: KANBANThis example illustrates the usefulness of synchronous product (TCT

sync) in building up complex systems. KANBAN is an instance of akanban production system. We consider just two workcells, say CELL1and CELL2, indexing from output (right-hand) end of the system to input

3.3 113

(left-hand) end. CELLi consists of an output hopper HOPi, and inputbulletin-board BBi for kanbans (cards to signal request for input), a feederqueue Qi for processor machine Mi, and Mi itself. Information (via kan-bans) circulates in the same order. We model each storage item HOPi,BBi, Qi as a 2-slot buffer. CELLi = sync (HOPi,BBi,Qi,Mi) (9,14) andKANBAN = sync(CELL1,CELL2) (81,196), where integer pairs (n,m)denote the number n of states and m of transitions in the DES.

Customer requests for product are sensed at CELL1 and modeled byevent 100. Requests are either blocked, if HOP1 is empty, or satisfied in-stantaneously by decrementingHOP1. WhenHOP1 is decremented, a cardis transferred to BB1, incrementing BB1 (doubly synchronized event 100).A card in BB1 represents a signal to CELL2 that an input part is requiredfor processing. If HOP2 is empty, nothing happens. Otherwise, HOP2 andBB1 are decremented and Q1 is incremented, by the 4-tuply synchronizedevent 12. Parts are taken from Q1 by M1 for processing (event 11) and thefinished parts deposited in HOP1 (event 10). In CELL2 the action is simi-lar: event 12 increments BB2; if BB2 is nonempty a raw part can be takenin by CELL2, causing BB2 to be decremented and Q2 incremented (dou-bly synchronized event 22). M2 deposits its output part in HOP2 (doublysynchronized event 20).

To display the overall input/output structure, let

PKANBAN = project(KANBAN,null[10,11,12,20,21]) (5,8)

The result is just a 4-slot buffer that is incremented by event 22 (raw partinput) and decremented by event 100 (customer request filled). Notice thatno more than 4 parts will be in progress in the system (WIP ≤ 4) at onetime. If the system is initialized with BB1, BB2 both full and HOP1, Q1,HOP2, Q2 all empty, then initially requests are blocked and productionmust begin at the input end.

100

HOP1

10

100

10

100

BB1

12

100

12

114 CHAPTER 3

11

Q1

12

11

12

10

M1

11

12

HOP2

20

12

20

12

BB2

22

12

22

21

Q2

22

21

22

20

M2

21

partfinished

requestcustomer

Q1/M1Q2/M2

HOP1BB1HOP2BB2

raw part

kanbankanban

KANBAN

CELL1CELL2

3.3 115

Exercise 18: Consider the DES TOY defined as follows.#states: 3; state set: 0,1,2; initial state: 0; marker state: 0transition table:

[0,0,1], [0,1,1], [0,2,2], [1,1,2], [1,2,0], [1,3,1], [2,1,0], [2,2,1], [2,3,2]

(i) Construct PTOY = project(TOY,null[0]) by hand and check your an-swer using TCT.(ii) If you did things right, you should find that PTOY has 5 states, i.e. thestate size of the projected DES is larger (cf. also Exercise 2.5.9). Since it canbe shown using minstate that both TOY and PTOY have the minimalpossible number of states, this increase in state size is a modeling ‘reality’,and not just a result of inefficient representation. Provide an intuitive ex-planation for what’s going on. It may help to give TOY some physicalinterpretation.(iii) Call the preceding DES TOY 3 and generalize to TOY N on state set0, 1, ..., N − 1, with 3N transitions:

[0, 0, 1]

[k, 1, k + 1] , k = 0, 1, ..., N − 1

[k + 1, 2, k] , k = 0, 1, ..., N − 1

[k, 3, k] , k = 1, 2, ..., N − 1

where the indexing is mod(N). Let

PTOY N = project(TOY N,null[0])

Find a formula for the state size of PTOY N and verify it computationallyfor N = 3, 4, ..., 20. For N = 20 the answer is 786431. Hint: To calculatethe result of project by hand, first replace each transition with label in thenull list by a ‘silent’ transition labeled, say, λ, where λ ∈ Σ. Next applya variant of the subset construction to obtain a deterministic model that isλ-free: the initial ‘state’ is the subset reachable from 0 on paths labeled bystrings in λ∗ only; the next ‘state’, following σ, say (with σ not in the nulllist), is the subset reachable on paths of form λ∗σλ∗; and so on.

For later reference we define the TCT procedure complement. Assumethat the DES G contains in its description exactly the event labels of some

116 CHAPTER 3

alphabet Σ, and let T ⊇ Σ. Then Gco = complement(G, T − Σ) has theproperties

Lm(Gco) = T ∗ − Lm(G), L(Gco) = T ∗

If T = Σ we write simply Gco = complement(G, ). In terms of transitionstructures, complement forms Gco by adjoining a (non-marker) dump stateq+ to the state set of G, and complementary transitions from each state ofGco to q+ as required to render the new transition function a total function;after that, the subsets of marker and non-marker states are interchanged.

Example 19: Small FactoryTo conclude this section we show how the foregoing procedures can be

used to build up the specifications for a supervisory control problem, to beknown as Small Factory. We bring in two ‘machines’ MACH1, MACH2as shown.

βi

αi

I

W Dλi

µi i = 1; 2MACHi

Define FACT = shuffle(MACH1,MACH2). Small Factory consistsof the arrangement shown below, where BUF denotes a buffer with one slot.

MACH2BUFMACH1α1 β1 α2 β2

Small Factory operates as follows. Initially the buffer is empty. Withthe event α1, MACH1 takes a workpiece from an infinite input bin andenters W . Subsequently MACH1 either breaks down and enters D (eventλ1), or successfully completes its work cycle, deposits the workpiece in thebuffer, and returns to I (event β1). MACH2 operates similarly, but takes itsworkpiece from the buffer and deposits it when finished in an infinite outputbin. If a machine breaks down, then on repair it returns to I (event µ).

The informal specifications for admissible operation are the following:

3.3 117

1. The buffer must not overflow or underflow.

2. If both machines are broken down, then MACH2 must be repairedbefore MACH1.

To formalize these specifications we bring in two language generators as theDES BUFSPEC and BRSPEC, as shown below.

selfloopα1, λ1, µ1, β2, λ2, µ2

selfloopα1, β1, λ1, α2, β2

µ2

λ2µ1

β1

α2

BRSPEC

BUFSPEC

L(BUFSPEC) expresses the requirement that β1 and α2 must occuralternately, with β1 occurring first, while L(BRSPEC) requires that if λ2occurs then µ1 may not occur (again) until µ2 occurs. The assignment ofthe initial state as a marker state in each of these DES is largely a matterof convenience. In each case selfloops must be adjoined to account for allevents that are irrelevant to the specification but which may be executed inthe plant. For the combined specification we form

SPEC = meet(BUFSPEC,BRSPEC)

By inspection it is clear that SPEC is trim.Temporarily denote byG the (as yet unknown) DES that would represent

‘FACT under control’. In general, for a given DES G and given specificationDES SPEC as above, we shall say that G satisfies SPEC if

Lm(G) ⊆ Lm(SPEC)

Typically G and SPEC will both be trim, and then it follows on takingclosures,

L(G) ⊆ L(SPEC).

118 CHAPTER 3

The first condition could be checked in TCT by computing

COSPEC = complement(SPEC, )

and then verifying that trim(meet(G,COSPEC)) = EMPTY, whereEMPTY is the DES with empty state set (it suffices to check that meet(G,COSPEC) has empty marker set). The results for Small Factory will be pre-sented in Section 3.7 below.

3.4 Controllability and Supervision

Let

G = (Q,Σ, δ, q0, Qm)

be a (nonempty) controlled DES, with Σ = Σc∪Σu as in Section 3.2. Aparticular subset of events to be enabled can be selected by specifying asubset of controllable events. It is convenient to adjoin with this all theuncontrollable events as these are automatically enabled. Each such subsetof events is a control pattern; and we introduce the set of all control patterns

Γ = γ ∈ Pwr(Σ)|γ ⊇ Σu

A supervisory control for G is any map V : L(G) → Γ. The pair (G, V )will be written V/G, to suggest ‘G under the supervision of V ’. The closedbehavior of V/G is defined to be the language L(V/G) ⊆ L(G) described asfollows.

(i) ϵ ∈ L(V/G)

(ii) If s ∈ L(V/G), σ ∈ V (s), and sσ ∈ L(G) then sσ ∈ L(V/G)

(iii) No other strings belong to L(V/G)

We always have ϵ ⊆ L(V/G) ⊆ L(G), with either bound a possibilitydepending on V and G. Clearly L(V/G) is nonempty and closed.

The marked behavior of V/G is

Lm(V/G) = L(V/G) ∩ Lm(G)

3.4 119

Thus the marked behavior of V/G consists exactly of the strings of Lm(G)that ‘survive’ under supervision by V . We always have ∅ ⊆ Lm(V/G) ⊆Lm(G).

We say that V is nonblocking (for G) if

Lm(V/G) = L(V/G)

Our main objective is to characterize those languages that qualify as themarked behavior of some supervisory control V . To this end we define alanguage K ⊆ Σ∗ to be controllable (with respect to G) if

(∀s, σ)s ∈ K & σ ∈ Σu & sσ ∈ L(G) ⇒ sσ ∈ K

In other words, K is controllable if and only if no L(G)-string that is alreadya prefix of K, when followed by an uncontrollable event in G, thereby exitsfrom the prefixes of K: the prefix closure K is invariant under the occurrencein G of uncontrollable events.

For a more concise statement, we use the following notation. If S ⊆ Σ∗

and Σo ⊆ Σ, let SΣo denote the set of strings of form sσ with s ∈ S andσ ∈ Σo. Then K is controllable iff

KΣu ∩ L(G) ⊆ K

It is clear that ∅, L(G) and Σ∗ are always controllable with respect to G.Note that the controllability condition constrains only K ∩L(G), since if

s ∈ L(G) then sσ ∈ L(G), i.e. the condition s ∈ K − L(G) & sσ ∈ L(G) isalways false.

Example 1: Controllable and uncontrollable languages

β

α

I

W D

λ

µMACH

Σc = α, µ, Σu = β, λ

120 CHAPTER 3

With respect to MACH, L′ = αλµ is not controllable, since αβ con-sists of a prefix α of L′ followed by an uncontrollable event β such that αβbelongs to L(MACH) but not to L′. On the other hand L′′ = αβ, αλ iscontrollable, since none of its prefixes s ∈ L′′ = ϵ, α, αβ, αλ can be followedby an uncontrollable event σ such that sσ belongs to L(MACH)− L′′.

Exercise 2: Assume that a language K is controllable with respect to aDES G. Show that if s ∈ K, w ∈ Σ∗

u, and sw ∈ L(G), then sw ∈ K. Hint:Use structural induction on w.

Let K ⊆ L ⊆ Σ∗. The language K is (relatively) L-closed if K = K ∩ L.Thus K is L-closed provided it contains every one of its prefixes that belongsto L.

We now present our first main result.

Theorem 3

Let K ⊆ Lm(G), K = ∅. There exists a nonblocking supervisory controlV for G such that Lm(V/G) = K if and only if

(i) K is controllable with respect to G, and

(ii) K is Lm(G)-closed.

Proof

(If) We have KΣu ∩ L(G) ⊆ K together with K ⊆ Lm(G) ⊆ L(G).Furthermore ϵ ∈ K since K = ∅. For s ∈ K define V (s) ∈ Γ according to

V (s) = Σu ∪ σ ∈ Σc|sσ ∈ K

We claim that L(V/G) = K. First we show that L(V/G) ⊆ K. Supposesσ ∈ L(V/G), i.e. s ∈ L(V/G), σ ∈ V (s), and sσ ∈ L(G). Assuminginductively that s ∈ K we have that σ ∈ Σu implies sσ ∈ KΣu ∩ L(G),so that sσ ∈ K (by controllability); whereas σ ∈ Σc implies that sσ ∈ Kby definition of V (s). For the reverse inclusion, suppose sσ ∈ K; thussσ ∈ L(G). Assuming inductively that s ∈ L(V/G) we have that σ ∈ Σu

automatically implies that σ ∈ V (s), so that sσ ∈ L(V/G); while σ ∈ Σc

and sσ ∈ K imply that σ ∈ V (s), so sσ ∈ L(V/G). The claim is proved.

3.4 121

Finally

Lm(V/G) = L(V/G) ∩ Lm(G) (by definition)

= K ∩ Lm(G)

= K (since K is Lm(G)-closed)

and Lm(V/G) = K = L(V/G), so V/G is nonblocking for G.(Only if) Let V be a supervisory control for G with Lm(V/G) = K.

Assuming that V is nonblocking for G we have L(V/G) = K, so

K = L(V/G) ∩ Lm(G) = K ∩ Lm(G)

i.e. K is Lm(G)-closed. To show that K is controllable let s ∈ K, σ ∈ Σu,sσ ∈ L(G). Then s ∈ L(V/G) and σ ∈ V (s). So sσ ∈ L(V/G) = K, i.e.

KΣu ∩ L(G) ⊆ K

as required. 2

Corollary 4Let K ⊆ L(G) be nonempty and closed. There exists a supervisory

control V for G such that L(V/G) = K if and only if K is controllable withrespect to G. 2

For brevity we refer to a nonblocking supervisory control (for G, under-stood) as an NSC. It is useful to introduce a slight generalization of NSC inwhich the supervisory action includes marking as well as control. For this,let M ⊆ Lm(G). Define a marking nonblocking supervisory control for thepair (M,G), or MNSC, as a map V : L(G) → Γ exactly as before; but nowfor the marked behavior of V/G we define

Lm(V/G) = L(V/G) ∩M

One may think of the marking action of the MNSC V as carried out by arecognizer for M that monitors the closed behavior of V/G, sounding a beepexactly when a string inM has been generated. As a sublanguage of Lm(G),these strings could be thought of as representing a subset of the ‘tasks’ thatG(or its underlying physical referent) is supposed to accomplish. For instancein Small Factory, one might define a ‘batch’ to consist of 10 fully processed

122 CHAPTER 3

workpieces. M might then be taken as the set of strings that represent thesuccessful processing of N integral batches, N ≥ 0, with both machinesreturned to the I(dle) state and the buffer empty.

The counterpart result to Theorem 3 actually represents a simplification,as the condition of Lm(G)-closedness can now be dropped.

Theorem 5Let K ⊆ Lm(G), K = ∅. There exists an MNSC V for (K,G) such that

Lm(V/G) = K

if and only if K is controllable with respect to G.

Proof(If) With V defined as in the proof of Theorem 3, it may be shown as

before that L(V/G) = K. Then

Lm(V/G) = L(V/G) ∩K = K ∩K = K

so that Lm(V/G) = K = L(V/G), namely V is nonblocking for G.(Only if) We have K = Lm(V/G) = L(V/G). Then the proof that K is

controllable is unchanged from that of Theorem 3. 2

3.5 Supremal Controllable Sublanguages and

Optimal Supervision

Let G = ( ,Σ, , , ) be a controlled DES with Σ = Σc∪Σu; the items ( )of G will be immaterial to the discussion of this section. Let E ⊆ Σ∗; laterE will play the role of a specification language for the supervisory control ofG. We introduce the set of all sublanguages of E that are controllable withrespect to G:

C(E) = K ⊆ E|K is controllable with respect to G

As a subset of the sublanguages of E, C(E) is a poset with respect to in-clusion. It will be shown that the supremum in this poset always exists inC(E).

3.5 123

Proposition 1C(E) is nonempty and is closed under arbitrary unions. In particular,

C(E) contains a (unique) supremal element [which we denote by supC(E)].

ProofSince the empty language is controllable, it is a member of C(E). Let

Kα ∈ C(E) for all α in some index set A, and let K =∪Kα|α ∈ A. Then

K ⊆ E. Furthermore, K =∪Kα|α ∈ A and KΣu =

∪KαΣu|α ∈ A.

Therefore

KΣu ∩ L(G) =[∪

(KαΣu)]∩ L(G)

=∪[

KαΣu ∩ L(G)]

⊆∪

Kα

= K

Finally we have for the supremal element

supC(E) =∪

K|K ∈ C(E)

2

It may be helpful to keep in mind the following Hasse diagram, whereKsup = supC(E).

Σ∗

E

Ksup

K0 K

00

?

124 CHAPTER 3

We remark that C(E) is not generally closed under intersection, so it isnot a sublattice of the lattice of sublanguages of E. To see what goes wrong,let K1, K2 ∈ C(E). We must determine whether or not

K1 ∩K2Σu ∩ L(G) ⊆ K1 ∩K2 (?)

But K1 ∩K2 ⊆ K1 ∩ K2 always, and quite possibly with strict inclusion. Itfollows that the left side of (?) is included in

(K1 ∩ K2)Σu ∩ L(G) = (K1Σu ∩ L(G)) ∩ (K2Σu ∩ L(G))

⊆ K1 ∩ K2

= K1 ∩K2

in general. The situation may be described by saying that C(E) is only acomplete upper semilattice with join operation (union) that of the lattice ofsublanguages of E.

Example 2: Controllability need not be preserved by intersection

β

G

γ

α

Here Σ = α, β, γ, Σc = β, γ. The languages K1 = ϵ, αβ, K2 =ϵ, αγ are controllable, butK1∩K2 = ϵ is not controllable, since the eventα is uncontrollable and α ∈ K1 ∩K2. On the other hand, K1 ∩ K2 = ϵ, αis controllable.

It is easy to see that the intersection of an arbitrary collection of closedcontrollable languages is always closed and controllable. Proof of the follow-ing observation may now be left to the reader.

Proposition 3With respect to a fixed controlled DES G with alphabet Σ, the closed

controllable sublanguages of an arbitrary language E ⊆ Σ∗ form a completesublattice of the lattice of sublanguages of E. 2

3.5 125

To summarize, if Kα (α ∈ A) are controllable then ∪Kα and ∩Kα arecontrollable, but generally ∩Kα is not.

Together with E ⊆ Σ∗ now fix L ⊆ Σ∗ arbitrarily. Consider the collectionof all sublanguages of E that are L-closed:

F(E) = F ⊆ E|F = F ∩ L

It is straightforward to verify that F(E) is nonempty (∅ belongs) and isclosed under arbitrary unions and intersections. Thus we have the following.

Proposition 4F(E) is a complete sublattice of the lattice of sublanguages of E. 2

Again let E,L ⊆ Σ∗. We say that E is L-marked if E ⊇ E ∩ L, namelyany prefix of E that belongs to L must also belong to E.

Proposition 5Let E ⊆ Σ∗ be Lm(G)-marked. Then supC(E∩Lm(G)) is Lm(G)-closed.

ProofWe have E ⊇ E ∩ Lm(G), from which there follows in turn

E ∩ Lm(G) ⊆ E ∩ Lm(G)

E ∩ Lm(G) ∩ Lm(G) ⊆ E ∩ Lm(G)

E ∩ Lm(G) ∩ Lm(G) ⊆ E ∩ Lm(G)

so that F := E ∩ Lm(G) is Lm(G)-closed. Let K = supC(F ). If K is notLm(G)-closed, i.e. K ⫋ K ∩ Lm(G), there is a string s ∈ K ∩ Lm(G) withs ∈ K. Let J = K ∪ s. Since J = K we have that J is controllable. AlsoK ⊆ F implies that

K ∩ Lm(G) ⊆ F ∩ Lm(G) = F

so that s ∈ F and thus J ⊆ F . Therefore J ∈ C(F ) and J ⫌ K, contradictingthe fact that K is supremal. 2

Now we can present the main result of this section.

Theorem 6

126 CHAPTER 3

Let E ⊆ Σ∗ be Lm(G)-marked, and let K = supC(E ∩ Lm(G)). IfK = ∅, there exists a nonblocking supervisory control (NSC) V for G suchthat Lm(V/G) = K.

ProofK is controllable and, by Proposition 5, Lm(G)-closed. The result follows

by Theorem 3.4.3. 2

The result may be paraphrased by saying that K is (if nonempty) theminimally restrictive, or maximally permissive, solution of the problem ofsupervising G in such a way that its behavior belongs to E and control isnonblocking. In this sense the supervisory control provided by Theorem 6 isoptimal.

Example 7Let G be the controlled DES displayed below:

βG

α α

HereΣ = α, β, Σc = α, L(G) = ϵ, α, α2, α2β,

Lm(G) = α, α2, α2β

For the specification language we take E = α, α2, β. Then

E ∩ Lm(G) = α, α2, E = ϵ, α, α2, β

E ∩ Lm(G) = α, α2, supC(E ∩ Lm(G)) = α,

α = ϵ, α, α ∩ Lm(G) = α

From these results we see that E is Lm(G)-marked, and that indeed supC(E∩Lm(G)) is Lm(G)-closed as asserted by Proposition 5. For the supervisorycontrol we may take V (ϵ) = α, β, V (α) = β, and V (s) = β otherwise.Then it is clear that

L(V/G) = ϵ, α, Lm(V/G) := L(V/G) ∩ Lm(G) = α

3.5 127

namely V is nonblocking for G, as expected.As might be expected, if we place part of the burden of ‘marking action’

on the supervisory control itself we may relax the prior requirement on E. Byan application of Theorem 3.4.5 the reader may easily obtain the following.

Theorem 8Let E ⊆ Σ∗ and let K = supC(E ∩ Lm(G)). If K = ∅ there exists a

marking nonblocking supervisory control (MNSC) V for (K,G) such thatLm(V/G) = K. 2

Exercise 9: Let E ⊆ L(G). Show that

supC(E) = E ∩ supC(E)

that is, supC(E) is E-closed. Show next that supC(E) is prefix-closed, butin general

supC(E) ⫋ supC(E)

andsupC(E) ⫋ E ∩ supC(E)

Exercise 10: For MACH defined in Example 3.4.1, consider the languages

E1 := s ∈ Lm(MACH)|#β(s) ≥ 5

‘production runs with at least 5 items produced’; and

E2 := s ∈ Lm(MACH)|#λ(s) ≤ 10

‘runs with at most 10 breakdowns’; and

E3 := E1 ∩ E2

In each case calculate the supremal controllable sublanguage and describethe corresponding control action.

Exercise 11: Let E ⊆ Σ∗ be arbitrary, and let K := supC(E ∩ Lm(G))with respect to a controlled DES G over Σ = Σc∪Σu. That is,

K ⊆ E ∩ Lm(G), KΣu ∩ L(G) ⊆ K

128 CHAPTER 3

and K is supremal with respect to these two properties. Set K0 := E ∩Lm(G), write H0 := K0, and define the chain

Hj := s ∈ Hj−1|sΣu ∩ L(G) ⊆ Hj−1, j = 1, 2, . . .

Verify that Hj is closed. For the chain limit write

H∞ := limj→∞

Hj =∞∩j=0

Hj

Prove thatH∞ = supC(H0)

Write λ for the Nerode equivalence relation of Lm(G). With reference toSection 2.8, prove that

Hj ⊢λHj−1, j = 1, 2, ...

Assuming as usual that |Σ| < ∞, and E,Lm(G) are both regular, applyTheorem 2.8.11 to conclude that the chain Hj is finitely convergent, andH∞ ⊢

λH0. Finally, prove from the latter result that H∞ ⊢

λK0.

Next defineK1 := H∞ ∩ E ∩ Lm(G)

and show that K1 ⊢λK0.

The foregoing definitions of K0 and K1, via the construction of H∞,determine a mapping T : Pwr(Σ∗) → Pwr(Σ∗) given by

T (J) := J ∩ supC(J), J ⊆ Σ∗

where T (J) ⊢λJ . Setting K0 = E ∩ Lm(G) as above, we obtain the chain

Kj = T (Kj−1), j = 1, 2, ...

which is finitely convergent by virtue of the transitivity of ⊢λand the fact

that ∥K0∥ <∞.Writing K∞ for the chain limit, show that K∞ = K (as defined above),

K ⊢λE, and thus

∥K∥ ≤ ∥E∥ · ∥Lm(G)∥+ 1

3.6 129

3.6 Implementation of Supervisory Controls

by Automata

While theoretically convenient, the abstract definition of a supervisory con-trol as a map L(G) → Γ does not in itself provide a concrete representationfor practical implementation. We now show how such a representation maybe derived in the form of an automaton.1 Let V be a marking nonblockingsupervisory control (MNSC) for the controlled DES G = (Q,Σ, δ, q0, Qm),with

Lm(V/G) = K, L(V/G) = K (3.1)

In case V is nonmarking, but is nonblocking, i.e. V is an NSC, the discussionwill specialize in an evident way. Now let KDES be a reachable automatonover Σ that represents K, namely

Lm(KDES) = K, L(KDES) = K

Obviously

K = Lm(KDES) ∩ Lm(G), K = L(KDES) ∩ L(G)

With K as in (3.1), now let SDES be any DES such that

K = Lm(SDES) ∩ Lm(G), K = L(SDES) ∩ L(G) (3.2)

If (3.2) holds we say that SDES implements V . Notice that, in general,SDES need not represent Lm(V/G) in order to implement V : the condi-tions (3.2) allow SDES to represent a superlanguage of Lm(V/G) that maybe simpler (admit a smaller state description) than Lm(V/G) itself. Thisflexibility is due to the fact that closed-loop behavior is a consequence ofconstraints imposed by the plant G (i.e. the structure of L(G)) as well as bythe supervisory control V .

In any case we have

Proposition 1

1In this section we prefer the term ‘automaton’ for this representation, rather than‘generator’, but allow the transition function to be a partial function.

130 CHAPTER 3

Let E ⊆ Σ∗ and let

K := supC(E ∩ Lm(G)) = ∅

Let V be an MNSC such that Lm(V/G) = K (which exists by Theo-rem 3.5.8). Let KDES represent K. Then KDES implements V . 2

For the converse, let S ⊆ Σ∗ be an arbitrary language over Σ such that

S is controllable with respect to G (3.4a)

S ∩ Lm(G) = ∅ (3.4b)

S ∩ Lm(G) = S ∩ L(G) (3.4c)

We note that K := S ∩ Lm(G) is controllable with respect to G; in fact

KΣu ∩ L(G) = (S ∩ Lm(G))Σu ∩ L(G)

= (S ∩ L(G))Σu ∩ L(G)

⊆ SΣu ∩ L(G)

⊆ S ∩ L(G) (by (3.4a))

= K (by (3.4c))

Let V be an MNSC such that Lm(V/G) = K (which exists by Theorem 3.5.8)and let SDES represent S. It is easy to see that SDES implements V ; infact

Lm(SDES) ∩ Lm(G) = S ∩ Lm(G) = K

L(SDES) ∩ L(G) = S ∩ L(G) = K

Thus we have

Proposition 2Let SDES be any nonblocking DES over Σ such that S := Lm(SDES)

satisfies conditions (3.4a) and (3.4c). Let ∅ = K := S ∩ Lm(G) and letV be an MNSC such that Lm(V/G) = K. Then SDES implements V . Inparticular

Lm(V/G) = Lm(G) ∩ Lm(SDES), L(V/G) = L(G) ∩ L(SDES)

3.6 131

2

If (3.4a) and (3.4c) hold and SDES represents S we say that SDES is asupervisor forG. It is thus convenient to include under ‘supervisor’ the trivialcase where Lm(G) ∩ Lm(SDES) = ∅. If, in addition, it is trim, SDES willbe called a proper supervisor for G. It is also convenient to extend the usageof ‘controllability’ to DES: thus if SDES represents the language S and S iscontrollable with respect to G, we shall say that SDES is controllable withrespect to G. To summarize, SDES is declared to be a proper supervisor forG if

(i) SDES is trim (reachable and coreachable)

(ii) SDES is controllable with respect to G

(iii) Lm(SDES) ∩ Lm(G) = L(SDES) ∩ L(G)

As an illustration of Proposition 2, let EDES be an arbitrary DES overΣ and let

K := supC(Lm(G) ∩ Lm(EDES))

where the right side may possibly be empty. Let KDES represent K. ThenKDES is a proper supervisor for G.

The relationships discussed above are displayed in Fig. 3.1. The TCTprocedures supcon and condat are introduced in the following section. Ingeneral a ‘simplified’ supervisor language S, or its generator SDES, can beobtained only by intelligent guesswork, or a heuristic reduction procedurelike supreduce (Section 3.10).

Let S = (X,Σ, ξ, x0, Xm) implement V . We may interpret S as a statemachine that accepts as ‘forcing inputs’ the sequence of symbols of Σ outputby G and executes corresponding state transitions in accordance with itstransition function ξ. In this interpretation, control action is exercised by Son G implicitly, by way of a state-output function

ψ : X → Pwr(Σ)

defined according toψ(x) := σ ∈ Σ|ξ(x, σ)!

The control action of S may be visualized as follows. Immediately uponentering the state x ∈ X, and while resident there, S disables in G just those

132 CHAPTER 3

(controllable) events σ ∈ Σc such that σ ∈ ψ(x). In other words the nextpossible event that can be generated by G is any event, but only events, inthe set

σ ∈ Σ|ξ(x, σ)! & δ(q, σ)!

where q ∈ Q is the current state of G. The actual mechanism of disablement,which would involve instantaneous transfer of information from S to G, willbe left unspecified in our interpretation. As a metaphor, one might considerthe switching of signals between red and green (no amber!) in an idealizedroad traffic network.

To formalize the closed-loop supervisory control system that results fromthis construction, we denote by S/G the product generator (cf. Section 2.4)

S/G = (X ×Q,Σ, ξ × δ, (x0, q0), Xm ×Qm)

where

ξ × δ : X ×Q× Σ → X ×Q : (x, q, σ) 7→ (ξ(x, σ), δ(q, σ))

provided ξ(x, σ)! and δ(q, σ)!.

Exercise 3: From the foregoing discussion verify that

Lm(S/G) = Lm(V/G), L(S/G) = L(V/G)

In this sense our use of the term ‘implements’ is justified.

3.6 133

V

S\Lm(G

)

genG

⊇S

EK

genG

supCG

EDES

SDES

impG

KDES

impG

rep

rep

supcon(G

;·)

rep

meet(G;·)

supreduce(G

;·;·)

KDAT

condat(G

; ·)

=represents

=generates,in

rep

gen

G

=gu

essw

ork

impG

=im

plements,via

G

Fig.3.1.Schem

eforsupervisory

controlim

plementation

feedbackloop

withG

134 CHAPTER 3

Example 4: SupervisorReferring to Example 3.5.7 and applying the foregoing result for MNSC,

we may take for S the recognizer for supC(E ∩Lm(G)) = α with (partial)transition function displayed below:

α

Alternatively, since in this example the specification language E is Lm(G)-marked, all marking action for supC(E ∩ Lm(G)) could be left to G itself,namely we could take for S the recognizer with Xm = X corresponding tothe closed language ϵ, α:

α

Which style is selected will depend on computational convenience. CurrentlyTCT runs more efficiently the smaller the subset of marker states, so the firstapproach would be preferred.

The condition (3.4c) provides the basis for a useful definition. In generallet K,L be arbitrary sublanguages of Σ∗. Then K,L are nonconflicting if

K ∩ L = K ∩ L

Thus K and L are nonconflicting just in case every string that is both aprefix of K and a prefix of L can be extended to a string belonging to K andL in common. In TCT the boolean function nonconflict(G1,G2) = truejust in case every reachable state of the product structure meet(G1,G2) iscoreachable, namely Lm(G1) ∩ Lm(G2) = L(G1) ∩ L(G2). Thus to checkwhether two languages L1 and L2 are nonconflicting it is equivalent to checkthat G1 and G2 satisfy nonconflict, where Li = Lm(Gi) and Li = L(Gi),namely G1, G2 represent L1, L2 respectively.

The next result follows immediately from the definitions.

Proposition 5Let SUP be an arbitrary DES over Σ and assume Lm(G) = L(G). Then

SUP is a proper supervisor for G if and only if (i) Lm(SUP) is controllable

3.6 135

with respect to G, (ii) SUP is trim, and (iii) Lm(SUP) and Lm(G) arenonconflicting. 2

In case Lm(SUP) ⊆ Lm(G) the ‘nonconflicting’ condition is automatic.Notice that condition (iii) for SUP is a nontrivial property that may

require separate verification whenever SUP is not, or is not already known(perhaps by construction) to be, the trim (or at least nonblocking) generatorof a controllable sublanguage of Lm(G).

The following example illustrates how the conclusion of Proposition 5 failswhen Lm(SUP) and Lm(G) conflict.

Example 6: Conflict

β

G

α

γ

β

SUP

α

Here Σ = α, β, γ with Σc = γ. We have Lm(SUP) ∩ Lm(G) = α,whereas L(SUP) ∩ L(G) = ϵ, α, β.

Taken literally, the interpretation of supervisory control action proposedearlier in this section assigns to the supervisor a role that is purely passive,consisting only in the disablement of events whose occurrence or nonoccur-rence is otherwise actively ‘decided’ by the plant. While often physicallyplausible, this is not the only interpretation that is possible or even desir-able. It should be borne in mind that, from a formal point of view, the theorytreats nothing but event synchronization among transition structures: the is-sue as to which (if any) among two or more synchronized transition structuresactively ‘causes’ a given shared event to occur is not formally addressed atall. The system modeler is free to ascribe causal action as he sees fit: amachine transition from Idle to Working is (in the theory) nothing but that;it is consistent with the theory to suppose that the transition is ‘caused’ byspontaneous internal machine volition, or by internal volition on the part ofthe supervisor, or indeed by some external agent that may or may not be

136 CHAPTER 3

explicitly modeled, say a human operator or aliens on Mars. This featureprovides the modeler with considerable flexibility. In the exercises of latersections, the reader is invited to test the model against whatever interpreta-tion he deems appropriate; of course the desired interpretation may very wellguide the modeling process. See, for instance, Section 3.8, which touches onthe related issue of forced events.

3.7 Design of Supervisors Using TCT

We now indicate how the results of Sections 3.5 and 3.6 can be applied tosupervisor design. Let the controlled DES G be given, along with an upperbound E ⊆ Σ∗ on admissible marked behavior. As before we refer to E asthe specification language. It will be assumed that E = Lm(E), where theDES E along with G has been created by TCT. Our objective is to designan optimal (i.e. minimally restrictive) proper supervisor S for G subjectto Lm(S/G) ⊆ E. In accordance with Theorem 3.5.8 and the discussion inSection 3.6 the most direct method is to compute a trim generator (used asrecognizer) for the language K := supC(E ∩ Lm(G)). The TCT proceduresupcon computes a trim representation KDES of K according to

KDES = supcon(G,E)

To complete the description of S, the TCT procedure condat returns thecontrol pattern (specifically, the minimal set of controllable events that mustbe disabled) at each state of S:

KDAT = condat(G,KDES)

In outline the procedure supcon works as follows. Let Pwr(Σ∗) be thepower set of Σ∗, i.e. the set of all sublanguages of Σ∗. Define the operator

Ω : Pwr(Σ∗) → Pwr(Σ∗)

according to

Ω(Z) = E ∩ Lm(G) ∩ supT ⊆ Σ∗|T = T , TΣu ∩ L(G) ⊆ Z

3.7 137

With K as defined above, it can be shown that K is the largest fixpoint ofΩ. In the present regular (finite-state) case, this fixpoint can be computedby successive approximation. Let

K0 = E ∩ Lm(G), Kj+1 = Ω(Kj) (j = 0, 1, 2, ...)

It can be shown thatK = limKj (j → ∞)

Furthermore the limit is attained after a finite number of steps that is of worstcase order ∥Lm(G)∥·∥E∥. In TCT the operator Ω is implemented by a simplebacktracking operation on the product transition structure meet(G,E).

As an example, we consider Small Factory, as described in Example 3.3.19.The result for

FACTSUP = supcon(FACT,SPEC)

is displayed in Figs. 3.5 and 3.6 (see Appendix 3.1). By tracing through thetransition graph the reader may convince himself that the specifications aresatisfied; and the theory guarantees that FACTSUP represents the freestpossible behavior of FACT under the stated constraints. We also tabulatethe control patterns as displayed by2

FACTSUP = condat(FACT,FACTSUP)

Only controllable events that are strictly required to be disabled appear inthe table.

In practice it is rarely necessary to implement an optimal supervisor byexplicit representation of the language supC(Lm(G) ∩ E). Often commonsense and intuition will lead to an optimal supervisor with a much smallertransition structure.3 For justification of such a proposed supervisor, we mayapply the TCT analog of Proposition 3.6.5.

Proposition 1Let SUP be a DES over Σ, such that

(i) condat(G,SUP) lists only controllable (i.e. odd-numbered) events asrequiring disablement

2TCT stores the result of condat as a .DAT file, whereas the result of supcon is a.DES file.

3See also Section 3.10.

138 CHAPTER 3

(ii) SUP = trim(SUP)

(iii) nonconflict(G,SUP) = true

Then SUP is a proper supervisor for G. 2

In analogy to the notation V/G, denote by SUP/G the closed-loop con-trolled DES obtained by forming themeet of SUP withG. Then, with SUPa proper supervisor for G, we have

Lm(SUP/G) = Lm(meet(G,SUP)), L(SUP/G) = L(meet(G,SUP))

along with the guaranteed nonblocking property

Lm(SUP/G) = L(SUP/G)

For Small Factory we construct the candidate supervisor SIMFTSUPdirectly as shown in Fig. 3.6, where the natural decomposition of the controlproblem into the regimes of ‘normal operation’ and ‘breakdown and repair’is clearly manifest. Evidently SIMFTSUP is trim. Controllability of thelanguage Lm(SIMFTSUP) is easily checked from the table for

SIMFTSUP = condat(FACT,SIMFTSUP)

inasmuch as only controllable events are required to be disabled. To testwhether SIMFTSUP is nonblocking we apply the TCT procedure noncon-flict. In the present case we find that nonconflict(FACT,SIMFTSUP) istrue, and so conclude finally that SIMFTSUP really is a proper supervisorfor FACT, as expected.

As yet there is no guarantee that SIMFTSUP is optimal. To verify thatit is, we must first compute the closed-loop language

Lm(SIMFTSUP/FACT) = Lm(SIMFTSUP) ∩ Lm(FACT)

as represented by, say,

TEST = meet(SIMFTSUP,FACT)

and then check that Lm(TEST) = Lm(FACTSUP).

3.7 139

In general, suppose M1 = Lm(G1) and M2 = Lm(G2), with G1,G2 bothtrim. TCT offers two ways of investigating equality ofM1 andM2. A generalmethod is to check the inclusions M1 ⊆M2 and M2 ⊆M1 according to

trim(meet(G1, complement(G2, ))) = EMPTY

trim(meet(G2, complement(G1, ))) = EMPTY

Alternatively, if G1 and G2 are seen to have the same state size, number ofmarker states and number of transitions, then it may already be plausiblethat M1 =M2, and it is sufficient to check that the TCT procedure

isomorph(G1,G2)

returns true. In fact, this method becomes definitive provided G1,G2 areboth state-minimal; namely M1 =M2 iff

isomorph(MG1,MG2) = true

where MGi = minstate(Gi) (i = 1, 2).In the present example, one can verify by either method that Lm(TEST) =

Lm(FACTSUP), as hoped. The design and justification of SIMFTSUPare now complete.

Exercise 2: A workcell consists of two machinesM1, M2 and an automatedguided vehicle AGV as shown.

10

M1

11

21

AGV

10

30

22

22

M2

21

AGV can be loaded with a workpiece either from M1 (event 10) or from M2(event 22), which it transfers respectively to M2 (event 21) or to an outputconveyor (event 30). Let CELL = sync(M1,M2,AGV). By displayingan appropriate event sequence show that CELL can deadlock, i.e. reach astate from which no further transitions are possible. Interpret physically.To prevent deadlock, define the legal language TCELL = trim(CELL),then SUPER = supcon(CELL,TCELL). Explain how SUPER prevents

140 CHAPTER 3

deadlocking event sequences. Also explain why TCELL itself cannot servedirectly as a (proper) supervisor.

Exercise 3: A transmitter is modeled by the 3-state generator T0 tabu-lated, where the event α denotes arrival of a message to be transmitted, σdenotes the start of a message transmission, τ denotes timeout in case thetransmitted message is not acknowledged, and ρ denotes reset for transmis-sion of a subsequent message. An unacknowledged message is retransmittedafter timeout. New messages that arrive while a previous message is beingprocessed are ignored.

The system T to be controlled consists of transmitters T1 and T2, whereTi is modeled over the alphabet αi, σi, τi, ρi; thus T = shuffle(T1,T2).Only the events σ1, σ2 are controllable. It’s required that the channel beutilized by at most one transmitter at a time.

A first trial solution implements the supervisory control V as the 2-statedevice C, which can be thought of as a model of the channel. C ensures thatif, for instance, σ1 occurs, then σ2 cannot occur until ρ1 occurs, namely T1has finished processing a message.

Verify that T and C conflict, compute TC := meet(T,C), and find astring that leads to a state of TC that is non-coreachable. Explain why Cis not a suitable controller.

Try the new channel modelNC, verify that T andNC are nonconflicting,and that NC controls T1 and T2 according to specification. Provide TCTprintouts and state transition graphs as appropriate.

T0 # states: 3; marker state: 0transitions:[0, α, 1], [1, α, 1], [1, σ, 2], [2, ρ, 0], [2, τ, 1], [2, α, 2]

C # states: 2; marker state: 0transitions:[0, σ1, 1], [0, σ2, 1], [1, ρ1, 0], [1, ρ2, 0][adjoin selfloops with events αi, τi, i = 1, 2]

NC # states: 3; marker state: 0transitions:[0, σ1, 1], [1, σ1, 1], [1, ρ1, 0], [0, σ2, 2], [2, σ2, 2], [2, ρ2, 0][adjoin selfloops with events αi, τi, i = 1, 2]

3.7 141

Exercise 4: WORKCELL is the synchronous product ofROBOT, LATHEand FEEDER. The latter is a mechanism that imports new parts forWORK-CELL to process. There is a 2-slot input buffer INBUF to store new partsas they are imported, and a 1-slot buffer SBBUF associated with LATHE,to hold parts on standby. ROBOT transfers new parts from INBUF toLATHE. If LATHE is idle, ROBOT loads the new part; if busy, ROBOTplaces the new part in SBBUF; in each case, ROBOT then returns to idle.If ROBOT is idle and LATHE is idle and there is a part in SBBUF, thenROBOT can load it. There are other tasks unrelated to LATHE, whichROBOT can initiate and return from.

Specifications are the following. SPEC1 says that LATHE can beloaded only if it is idle. SPEC2 says that if a part is on standby (i.e.SBBUF is not empty) then ROBOT cannot transfer a new part fromINBUF. SPEC3 says that LATHE can move from idle to busy only af-ter being loaded. SPEC4 says that a part can be put on standby onlyif LATHE is busy. SPEC5 says that ROBOT must give LATHE pri-ority over its other tasks: namely ROBOT can initiate other tasks onlywhen: either LATHE is busy, or both INBUF and SBBUF are empty.To set up SPEC5, compute sync(LATHE,INBUF,SBBUF), then self-loop with ROBOT’s ‘initiate unrelated task’ event at just the appropriatestates (recall the method of ‘flags’, Remark 3.3.16). SPEC5 automaticallyincorporates the usual overflow/underflow constraints on the buffers. FinallySPEC is the synchronous product of SPEC1,...,SPEC5, self-looped withany WORKCELL events not already included.

Create TCT models for the items described above, making your owndetailed choices for controllable/uncontrollable events. Then compute SU-PER = supcon(WORKCELL,SPEC), as well as SUPER(.DAT) =condat(WORKCELL,SUPER). Discuss any points of interest.

To examine the controlled behavior when ROBOT’s extraneous tasksare hidden from view, compute

PSUPER = project(SUPER,null/image[appropriate event list])

and discuss.

Exercise 5: Use TCT to re-solve Exercise 3.5.10, making sure your resultsare consistent.

142 CHAPTER 3

Exercise 6: In Small Factory, compute

PFACTSUP = project(FACTSUP,null[10, 12, 13, 21, 22, 23])

and interpret the result.

Exercise 7: Using TCT, redo Small Factory using a buffer of capacity 2.Also design the corresponding simplified supervisor. Generalize your resultsto a buffer of arbitrary size N .

Exercise 8: Three CooksThree cooks share a common store of 5 pots. For his favorite dish, COOK1

needs 2 pots, COOK2 4 pots, and COOK3 all 5 pots. The cooks may takepots from the store individually and independently, but only one pot at atime; a cook returns all his pots to the store simultaneously, but only whenhe has acquired and used his full complement. Design a supervisor that ismaximally permissive and guarantees nonblocking. Assume that ‘take-pot’events are controllable and ‘return-pot’ events uncontrollable. Explain thesupervisor’s control action in terms of disabling entrance by the cooks to‘forbidden states’.

Exercise 9: In the context of a DES problem where the alphabet is Σ, definethe self-looped DES

ALL = (0,Σ, transitions [0, σ, 0]|σ ∈ Σ, 0, 0)

Thus the closed and marked behaviors of ALL are both Σ∗. As usual letPLANT and SPEC be two DES over Σ. The corresponding supervisorycontrol problem has solution SUP = supcon(PLANT,SPEC). Show thatthis problem can always be replaced by an equivalent problem where thespecification is ALL. Hint: First replace SPEC by NEWSPEC, whereNEWSPEC merely adjoins a ‘dump state’ to SPEC, if one is needed. Thismakes the closed behavior of NEWSPEC equal to Σ∗, while the markedbehavior is that of SPEC. In TCT,

NEWSPEC = complement(complement(SPEC)) (why?)

Now set

NEWPLANT = meet(PLANT,NEWSPEC)

NEWSUP = supcon(NEWPLANT,ALL)

3.7 143

Show that NEWSUP and SUP define exactly the same languages (in par-ticular, perhaps after application of minstate, NEWSUP and SUP areisomorphic).

While this maneuver offers no computational advantage, it can simplifytheoretical discussion, as the specification ALL requires only that the closed-loop language be nonblocking.

If Σ is exactly the set of events appearing in a DES G, then ALL inExercise 9 is computed in TCT as

ALL = allevents(G)

Exercise 10: Let G be a DES defined over the alphabet Σ. With ALLdefined as in Exercise 9, show that G is nonblocking if and only if noncon-flict(ALL,G) = true. Using TCT check this result against examples of yourown invention.

Exercise 11: Let G = (Q,Σ, δ, q0, Qm) and let K ⊆ Σ∗. Suppose K isrepresented by a DES KDES = (X,Σ, ξ, x0, Xm), in the sense that K =Lm(KDES), K = L(KDES), i.e. the marked and closed behaviors ofKDESare K and K respectively. Let PROD = G × KDES as defined in Sec-tion 2.4, and let RPROD be the reachable sub-DES of PROD.

Show that K is controllable with respect to G if and only if, at each state(q, x) of RPROD,

σ ∈ Σu|δ(q, σ)! ⊆ σ ∈ Σu|ξ(x, σ)!

namely any uncontrollable event that is state-enabled (‘physically executable’)by G is also control-enabled (‘legally admissible’) by KDES.

Illustrate the foregoing result with two simple examples, for the cases Kcontrollable and uncontrollable respectively.

Exercise 12: The result of Exercise 11 is the basis of the TCT procedurecondat. The result of condat, say KDAT = condat(G,KDES), is a tableof the states x of KDES along with all the events which must be disabledin G (by a supervisory control) when RPROD is at (q, x) in G × KDESfor some q ∈ Q, in order to force the inclusion

σ ∈ Σ|δ(q, σ)!, σ control-enabled ⊆ σ ∈ Σ|ξ(x, σ)!

144 CHAPTER 3

Thus the set of disabled events tabulated by condat at x is

σ ∈ Σ|[(∃q ∈ Q)(q, x) in RPROD & δ(q, σ)!] & not ξ(x, σ)!

For K to be controllable, this set must contain only events that are control-lable (so they can be disabled): in other words, in the TCT event encoding,only events with odd-numbered labels. So to check controllability of K it’ssufficient to scan the condat table: if only odd events are listed, K is con-trollable; if an even event occurs anywhere, K is uncontrollable.

Illustrate this remark by testing your two examples from Exercise 11 andsupply the TCT printouts for condat.

Exercise 13: Message passingInvestigate how to implement message-passing in our setup. For instance,

suppose a supervisorM0 wishes to enable an event 11 ‘remotely’ in controlledmodule M1 by sending a ‘message’ 0. M1 should not execute 11 beforereceiving 0, but M0 needn’t wait for M1 to execute 11 before completingother tasks (say, event 2). Also, if M1 has just executed 11, it must not doso again until it has executed task 10 (say) and once again received a 0. Forthis, define

M0 = (Q,Σ, δ, q0, Qm)

= (0, 1, 2, 0, 1, 2, [0, 1, 1], [1, 0, 2], [2, 2, 0], 0, 0)M1 = (0, 1, 10, 11, [0, 11, 1], [1, 10, 0], 0, 0)

To couple M0 and M1 as described define a ‘mailbox’

MB = (0, 1, 0, 11, [0, 0, 1], [1, 0, 1], [1, 11, 0], 0, 0)

Check that the synchronous product of M0, M1, and MB displays the re-quired behavior. Show that the approach can be extended to two or more con-trolled modules M1, M2, . . . . For instance, create M2 by relabeling events10,11 in M1 as 20,21; rename MB as MB1; create MB2 by relabeling 11in MB1 as 21; and consider the new controlled module M = sync(M1,M2)and mailbox MB = sync(MB1,MB2). Notice that the message 0 can al-ways be projected out of the final structure sync(M0,M,MB) if it is of noexternal interest.

Investigate this model, with particular attention to the growth in com-plexity as measured by the size of the final state set.

3.7 145

Other message-passing semantics are possible. For instance, suppose M0should not progress past state 2 until both enabled events 11 and 21 haveoccurred – M0 waits for its message to be acted on. For this, remodel M0as

N0 = (0, 1, 2, 3, 4, 1, 2, 11, 21,[0, 1, 1], [1, 11, 2], [1, 21, 3], [2, 21, 4], [3, 11, 4], [4, 2, 0], 0, 0)

Because N0 waits, there’s logically no need for a mailbox at all. Check thatthe result has 20 states and 36 transitions, still complicated but much lessso than before.

Now explore other variations on the theme.

Exercise 14: Show that

supcon(G,meet(E1,E2)) = supcon(supcon(G,E1),E2)

and interpret.

Exercise 15: InterruptsLet G be a controlled DES over alphabet Σ = Σc∪Σu, and let events

α, β /∈ Σ. Interpret α as an ‘interrupt’, namely an event that causes allcontrollable events in G to be instantly disabled, pending the occurrence ofevent β as a signal that the interrupt has been serviced and normal activityof G may be resumed. Explain how G with the interrupt feature can bemodeled as sync(G,H), with H as below.

H

Σ

α

Σu

β

Exercise 16: Uncontrollable subsystemsIt is important to be aware that in system modeling, the ‘plant’ may cer-

tainly include subsystem components all of whose events are uncontrollable,and that such inclusion may actually be necessary for the computed result tobe meaningful. As shown below, suppose a PUMP increments (event 10) aTANK, modeled as a buffer with capacity 2, and that TANK is uncontrol-lably drained (event 12). If the plant is taken to be PUMP alone (but with

146 CHAPTER 3

event 12 self-looped) and TANK as the specification (with 11 self-looped),verify that the supremal controllable sublanguage is empty, and explain why.Alternatively, if the plant is taken to be the synchronous product of PUMPand TANK, and the specification taken as ALL (as in Exercise 9) withevents 10,11,12, then no control action is called for by the supervisor (ex-plain why), but this result is clearly not the one intended. A correct mod-eling approach is to consider TANK as embedded in an environment, sayPOOL, with infinite capacity; take PLANT to be the synchronous productof PUMP with POOL; and let TANK be the specification, in effect lim-iting the content of POOL as required. Here it suffices to take as ‘infinity’anything larger than TANK, say a buffer with capacity 3. Carry throughthe supervisor design as suggested, including the simplified supervisor ob-tained by supreduce (see Section 3.10). Extend the approach to a chain oftanks downstream from PUMP, having possibly different capacities, eachdraining uncontrollably into the next.

10

PUMP

11

12

10

12

TANK

10

12

10

12

POOL

10

12

10

Exercise 17: Carry through an original supervisor design problem of yourown, along the lines of this section. If feasible, draw the transition graph ofyour supremal controllable sublanguage and discuss any features of specialinterest.

3.8 147

Exercise 18: Let G be a possibly blocking DES, i.e. with Lm(G) ⫋ L(G).Let K be a trim ‘coordinator’, i.e. trim supervisor which controllably imple-ments the sole specification of nonblocking, namely

Lm(K) := supC(Lm(G) ∩ Lm(ALL)) = supC(Lm(G))

Show that Lm(K) is Lm(G)-closed, i.e. Lm(K) = L(K) ∩ Lm(G), whereas usual L(K) is the closed behavior of K. Hint: See Exercise 3.5.9, withE = Lm(G).

Exercise 19: LetK be as in Exercise 18. Recalling the definition of ‘support’in Section 2.8, show thatK is supported onG. Hint: Exploit Exercise 3.5.11.

Exercise 20: Variation on Small FactoryWith reference to Small Factory, redefine MACH1 and MACH2 ac-

cording to

MACHi = (0, 1, 2, 3, i0, i1, i2, i3, i4, [0, i1, 1], [1, i0, 0], [1, i2, 2],[2, i4, 3], [3, i3, 0], 0, 0)

where the event i4 stands for ‘request for repair’, and the remaining eventsare as in Small Factory. Create a specification TECHN called ‘technician’with transitions

[0, 14, 1], [0, 24, 2], [1, 13, 0], [1, 24, 3], [2, 14, 4], [2, 23, 0], [3, 13, 2], [4, 23, 1]

together with appropriate selfloops. Explain in words the behavior that is en-forced. After adjoining a buffer specification as before, compute the optimalsupervisor and its reduced version (in the sense of Section 3.10 below).

3.8 Forced Events

In practice one often thinks of control as ‘forcing’ the occurrence of some de-sirable result. In the asynchronous world of discrete events, forcing amountsto timely preemption: a tap or valve is closed in time to prevent overflow, astirrer is switched on to prevent gelatification in a tank of fluid, a drainagepump is started when water in a mine reaches a defined level, a car is braked

148 CHAPTER 3

to forestall an impending collision, an industrial process is begun in time todeliver the product on schedule (before a deadline).

The crucial feature common to these examples is that the controllingagent denies permission for the occurrence of undesirable competing events;namely (directly or indirectly) such events are disabled. Enforcing the famil-iar specification that a buffer must not overflow or underflow is achieved bydisabling the appropriate ‘upstream’ events in the causal (or just behavioral)sequence; meeting a deadline is achieved by ‘disabling’ the tick of a clockto ensure the occurrence of a desired event on schedule – how this can bemodeled without violence to the physical requirement that ‘time goes on’regardless of technology is explained in Chapter 9.

While in general ‘forcing’ is probably best placed in a temporal context(cf. Chapter 9) simple preemption can often capture the required action inthe untimed framework considered so far. As a primitive example, supposea tank T is filled by fluid flow through a valve V , which must be turned offto prevent overflow when the tank is full. V can be modeled as a one-stateDES

V = (Q,Σ, δ, q0, Qm) = (0, σ, [0, σ, 0], 0, 0)

with σ controllable. The event σ is interpreted as the delivery of a definedunit of fluid to the tank. The tank itself is modeled like a buffer, with itscontent incremented by one unit when σ occurs. If the tank capacity is Nunits then the transition structure could be

T = (0, 1, ..., N + 1, σ, [0, σ, 1], [1, σ, 2], ...,[N, σ,N + 1], [N + 1, σ,N + 1], 0, 0, 1, ..., N + 1)

where the state N +1 represents an overflow condition. To prevent overflow,let

TSPEC = (0, 1, ..., N, σ, [0, σ, 1], [1, σ, 2], ...,[N − 1, σ,N ], 0, N)

thus disabling σ at state N . The closed behavior with respect to TSPECis then simply σN , as required. Notice that the model is consistent withthe physical picture of (temporally) continuous flow through the valve, asthere is no inconsistency in supposing that σ occurs one second after it isinitially enabled, or re-enabled after a subsequent occurrence. As soon as σis disabled, flow stops. However, there is no logical necessity that σ be tied

3.8 149

to a fixed interval of time or a unit flow. The situation is much like filling upthe fuel tank of a car using a hose with a spring-loaded trigger valve: whenthe tank is full, the trigger is released ‘automatically’ (or by the user) andthe valve closes.

More generally, the notion of forcing as timely preemption can be formal-ized as follows. Define a new subset Σf ⊆ Σ of forcible events, and a subsetΣp ⊆ Σ of preemptable events, with Σf ∩Σp = ∅. Bring in a new controllableevent τ ∈ Σ which may be thought of as a ‘timeout’ event. Assume thata plant model G has been created as usual over Σ, and we wish to adjointhe feature that any event in Σf can be ‘forced’ to preempt any event inΣp. For this, examine each state in G where some event α ∈ Σf and someevent β ∈ Σp are both enabled, e.g. the state q as displayed in Fig. 3.2.Notice that there may exist events γ defined at q that are neither forciblenor preemptable.

β1

γ

α1

α2

β2

q

1

2

3

4

5

β1

γ

α1

α2 β2

q0

1 2

q00

45

γ

τ

3

Fig. 3.2. Modeling forcing by α1 or α2

to preempt β1 and β2

Also, we impose no constraint as to whether an event in either Σf or Σp iscontrollable or not, although normally events in Σp will be uncontrollable.Now modify G (or in TCT, edit(G)) at q as shown: split q into q′ and q′′,with a transition [q′, τ, q′′]. If, say, α1, α2, β1, β2, γ are the events definedat q in G, then define α1, α2, γ at q′ and β1, β2, γ at q′′. Selfloops shouldbe treated as follows. If α was self-looped at q it should be self-looped atq′; a selfloop β at q is replaced by a transition [q′′, β, q′]; while a selfloop γ

150 CHAPTER 3

at q is replaced by selfloops γ at both q′ and q′′. In the new DES Gnew,say, the effect of disabling τ is to ‘force’ one of the events α1, α2, γ topreempt β1, β2. Observe that, unless γ is included in Σp, it could alsopreempt the other events α1, α2 defined at q′. Having modified G to Gnew,modify the specification DES E say, to Enew, by selflooping each state ofE with τ . We now have, in (Gnew,Enew) a supervisory control problem ofstandard type, and proceed as usual to compute supcon(Gnew,Enew). Thisstandard solution will ‘decide’ exactly when forcing (i.e. disablement of τ) isappropriate.

The foregoing procedure is implemented in TCT as force. After thedesign has been completed, the event τ can be hidden by being projectedout. Thus all the details except initial selection of the subsets Σf , Σp can berendered invisible to the user if desired.

Example 1: ForcingConsider the two machines M1, M2 and the 1-slot buffer B in Fig. 3.3,

with TCT encoding of events. For the plant take M = sync(M1,M2) andfor the specification E take B self-looped with 11, 20.

The solution SUP = supcon(M,E) is displayed in Fig. 3.4. Now sup-pose that event 21 (‘M2 starts work’) is forcible with respect to event 10(‘M1 completes work’) as preemptable. Construct MNEW by modifyingthe structure of M as shown in Fig. 3.3, at the one state q (in this case)where events 21 and 10 are both defined. The new controllable ‘timeout’event 23 can be thought of as inserting a time delay invoked by disable-ment of this event, thus providing event 21 with the opportunity to preemptevent 10. In TCT, MNEW = force(M,[21],[10],23). Construct ENEW =selfloop(E,[23]), and compute SUPNEW = supcon(MNEW,ENEW).Finally, hide the auxiliary event 23 to obtain the solution PSUPNEW =project(SUPNEW,null[23]), as displayed in Fig. 3.4. Notice that PSUP-NEW generates a super-language of that of SUP; in general, controlledbehavior with forcing will be less conservative than it is with the disable-ment feature alone.

3.8 151

11

10

21

20

10

21

11

11

21 21 2020

10

10

11

11

21 21 2020

10

10

23

q′

q′′

M1 M2 B

M MNEW

Fig. 3.3. Modeling forcing by event 21to preempt event 10

152 CHAPTER 3

x

10

20

20

10

20

20

20

11

11

11

20

21

11

21

10

10

21

11

SUP PSUPNEW

Fig. 3.4. In PSUPNEW event 21 preempts 10 at x

To summarize, forcing is really an issue not of synthesis but of modeling;more precisely, by declaring forcibility as a modeling assumption, we elimi-nate forcing as a synthesis issue, and the standard framework can be utilizedwithout further change or the addition of any new mechanism. Neverthelessit is well to note that, once an instance of a controllable event is designatedto be forced (e.g. event 21 at state x in PSUPNEW, Fig. 3.4), it is nolonger available for disablement in any subsequent refinement of the controldesign. For instance, 21 at x could be relabeled as 22 (i.e. redefined as un-controllable) as a safeguard against inadvertent disablement in a subsequentapplication of TCT.

Exercise 2: Forcing in Small Factory

In Small Factory, assume that events α2, µ2 can be forced to preemptevents α1, β1 with a new timeout event τ . Use TCT force to create the cor-responding plant model, say FFACT. For the same specifications as before

3.9 153

(now additionally self-looped with τ) compute the supervisor, say FFACT-SUP, then project out τ to obtain, say, NEWFACTSUP. Show that

Lm(FACTSUP) ⫋ Lm(NEWFACTSUP)

and illustrate with sample strings.

Exercise 3: Forced eventsProvide examples of modeling intuitively ‘forced’ events as just described,

carrying through a complete control design. For instance, consider a watersupply tank for a country cottage, which is emptied incrementally by randomhousehold events, and filled by a pump. The pump is to be switched on whenthe water falls below a defined lower level and switched off when it rises toa defined upper level. Ideally a good design would ensure that the tank isnever emptied by normal household usage.

3.9 Mutual Exclusion

Assume we are given DES

G1 = (Q1,Σ1, δ1, q10, Q1m)

G2 = (Q2,Σ2, δ2, q20, Q2m)

with Σ1 ∩ Σ2 = ∅. We may wish to control G1, G2 in such a way thatdesignated state pairs q1 ∈ Q1, q2 ∈ Q2 are never occupied simultaneously. Insuch problems ‘Gi in qi’ typically means ‘Gi is using a single shared resource’,for instance when two readers share a single textbook or two AGVs a singlesection of track.

Because such a constraint can be awkward to express linguistically, TCTprovides a procedure to compute the required result directly. Thus

MXSPEC = mutex(G1,G2,LIST)

whereLIST = [(q

(1)1 , q

(1)2 ), ..., (q

(k)1 , q

(k)2 )]

with (q(i)1 , q

(i)2 ) ∈ Q1 ×Q2, is the user’s list of mutually exclusive state pairs.

MXSPEC is reachable and controllable with respect toG = shuffle(G1,G2)

154 CHAPTER 3

but needn’t be coreachable. If not, it may serve as a new specification forthe plant G, and the final result computed using supcon in the usual way.

Exercise 1: In FACT (Section 3.2) suppose power is limited, so at mostone of MACH1, MACH2 may be working at once. Compute a suitablesupervisor. Repeat the exercise using the constraint that at most one machineat a time may be broken down.

Exercise 2: Cat and MouseA cat and mouse share a maze of 5 interconnected chambers. The cham-

bers are numbered 0,1,2,3,4 for the cat, but respectively 3,2,4,1,0 for themouse. Adjoining chambers may be connected by one-way gates, each forthe exclusive use of either the cat or the mouse. An event is a transition byeither the cat or the mouse from one chamber to another via an appropri-ate gate; the animals never execute transitions simultaneously. Some gatesare always open, corresponding to uncontrollable events; while others maybe opened or closed by an external supervisory control, so passage throughthem is a controllable event. The cat and the mouse are initially located intheir ‘home’ chambers, numbered 0. TCT models for the cat and mouse areprinted below.

It is required to control the roamings of cat and mouse in such a waythat (i) they never occupy the same chamber simultaneously, (ii) they canalways return to their respective home chambers, and (iii) subject to thelatter constraints they enjoy maximal freedom of movement.

CAT # states: 5 state set: 0...4 initial state: 0

marker states: 0

vocal states: none

# transitions: 8

transitions:

[0,201,1] [1,205,2] [1,207,3] [2,200,3]

[2,203,0] [3,200,2] [3,211,4] [4,209,1]

CAT printed

MOUSE # states: 5 state set: 0...4 initial state: 0

marker states: 0

vocal states: none

# transitions: 6

transitions:

3.10 155

[0,101,1] [1,103,2] [2,105,0] [2,107,3] [3,111,4] [4,109,2]

MOUSE printed

Exercise 3: Forbidden statesThe ‘forbidden states’ problem for a DES G with state set Q is simply

to control G in such a way that a given state subset F ⊆ Q is never entered.Show that this problem can be treated as mutual exclusion, taking

MXSPEC = mutex(G,ALL,LIST)

where ALL = allevents(G), and LIST = [(q, 0)|q ∈ F ].

3.10 Supervisor Reduction

As indicated in Section 3.7 for Small Factory, the ‘standard’ supervisor

SUPER = supcon(PLANT,SPEC)

computed by supcon (and representing the full optimal controlled behavior)can be much larger in state size than is actually required for the same controlaction. This is because the controlled behavior incorporates all the a prioritransitional constraints embodied in the plant itself, as well as any additionalconstraints required by control action to enforce the specifications. The prob-lem of finding a simplified proper supervisor, say MINSUP, equivalent incontrol action but of minimal state size, is of evident practical interest. Un-fortunately, it is NP-hard. A reduction procedure called supreduce hasbeen developed, based on heuristic search for a suitable congruence on thestate set of SUPER. Supreduce is of polynomial complexity in the statesizes of PLANT and SPEC. While of course it cannot guarantee a simpli-fied supervisor of minimal size, supreduce will often find a greatly reducedsupervisor, say SIMSUP, and can also provide a lower bound on the sizeof MINSUP. SIMSUP is actually minimal if its size matches this bound.Some results found by supreduce are reported in Section 4.7 and for theexamples of Appendix 8.1.

In TCT the syntax for computing a simplified supervisor SIMSUP fromSUPER (as above) is:

SUPDAT = condat(PLANT,SUPER)

SIMSUP = supreduce(PLANT,SUPER,SUPDAT)

156 CHAPTER 3

Under SIMSUP as supervisor, the controlled behavior of PLANT can berepresented by, say,

TEST = meet(PLANT,SIMSUP)

A check on correctness is provided by

isomorph(TEST,SUPER) = true

provided both TEST and SUPER are state-minimal generators, as willoften be the case. Otherwise, one should verify

isomorph(MTEST,MSUPER) = true

whereMTEST=minstate(TEST) andMSUPER=minstate(SUPER).When correctness is satisfied, we say that SIMSUP is control-equivalent toSUPER with respect to PLANT.

Exercise 1: With the help of supreduce, confirm that the simplified su-pervisor SIMFTSUP for Small Factory (Section 3.7) is actually minimal.

Exercise 2: Apply supreduce to your results (say) SUPER of Exercises3.7.2, 3.7.4, 3.7.7, 3.7.8, and 3.7.15.

3.11 Notes and References

Supervisory control theory in the sense of this chapter originates with thedoctoral thesis of P.J. Ramadge [T01] and related papers [J03,J05,C01-C05].

The synchronous product of languages is a convenient packaging of themore primitive language operations Meet and Shuffle. For the latter, thecorresponding recognizers or generators are instances of the product con-struction for automata, as defined in Eilenberg [1974]; from that book wealso borrow the term ‘trim’. A counterpart definition for the synchronousproduct of ‘processes’ was introduced by Hoare [1985] under the name ‘con-currency operator’ or ‘parallel composition’, and was further discussed byMilner [1989] as a product of ‘agents’ under the name ‘conjunction’.

The kanban Example 3.3.17 is adapted from Viswanadham & Narahari[1992], p.514-524.

Appendix 157

The extension in Exercise 3.3.8 is due to R. Su ([T51], p.16, Corollary 2.1).Prioritized synchronous product (Exercise 3.3.15) was introduced by Hey-

mann [1990].Exercise 3.3.18 is based on Wong [1998] and Exercise 3.7.3 on Cassandras

[1993] (Example 2.17, p.108). Exercise 3.7.4 was suggested by Robin Qiu.The supervisor reduction method of Section 3.10 was developed by Su

[C82,J40], as an evolution of work by Vaz [C10,J01].Computational methods for supervisor synthesis for DES of industrial

size is an active area of current research. The reader is referred to the pub-lished theses of Germundsson [1995] and Gunnarsson [1997], as well as subse-quent work by Zhang [T44,C84], Leduc [T46,C85,C86,C87,J45,J46], and Ma[C95,C107,T50,M1]. An interesting large-scale industrial design is reportedby Theunissen et al. [2010].

Appendix 3.1

EVENT CODING FOR SMALL FACTORY

TCT: 10 11 12 13 20 21 22 23TEXT: β1 α1 λ1 µ1 β2 α2 λ2 µ2

FACTSUP # states: 12 state set: 0...11 initial state: 0marker states: 0# transitions: 24transition table:

[0,11,1] [1,12,2] [1,10,3] [2,13,0] [3,21,4][4,20,0] [4,11,5] [4,22,11] [5,20,1] [5,10,6][5,12,8] [5,22,10] [6,20,3] [6,22,7] [7,23,3][8,20,2] [8,13,4] [8,22,9] [9,23,2] [10,23,1][10,10,7] [10,12,9] [11,23,0] [11,11,10]

FACTSUP printed.

FACTSUPControl Data are displayed by listing the supervisor states where disablingoccurs, together with the events that must be disabled there.

158 CHAPTER 3

Control Data:0: 21 1: 212: 21 3: 116: 11 7: 119: 13

FACTSUP printed.

SIMFTSUP # states: 3 state set: 0...2 initial state: 0marker states: 0# transitions: 16transition table:

[0,13,0] [0,11,0] [0,12,0] [0,20,0] [0,10,1][0,22,2] [1,21,0] [1,23,1] [1,12,1] [1,20,1][1,22,1] [2,23,0] [2,10,1] [2,11,2] [2,12,2] [2,20,2]

SIMFTSUP printed.

SIMFTSUPControl Data are displayed by listing the supervisor states where disablingoccurs, together with the events that must be disabled there.

Control Data:0: 21 1: 112: 13

SIMFTSUP printed.

Appendix 159

FACTSUP

β2

λ2

µ2

µ2 µ2

λ2

λ2

µ2

β2

λ2

λ1

λ1

λ1

β1

β1

β2

β2

µ1

α1

α1

α2

α1

µ1

Fig. 3.5. Supremal Controllable Sublanguage L(FACTSUP)for Small Factory

α1

α1, µ1

β1

λ2, µ2

α2

β1

µ2

λ2

SIMFTSUP

selfloopλ1, β2

Fig. 3.6. Reduced Supervisor for Small Factory

160 CHAPTER 3

Chapter 4

Decentralized and DistributedSupervision of Discrete-EventSystems

In applications of supervisory control, especially to large systems made up ofseveral component subsystems and with several individual specifications, it isgenerally advantageous to decompose the monolithic supervisor accordingly,both for greater computational feasibility and for enhanced transparency ofcontrol action. A risk, however, is that component modular supervisors mayconflict and result in blocking, leading to the often difficult requirement ofeffective coordination. This chapter introduces the formal issues involved.

4.1 Introduction

In this chapter we discuss a decentralized approach to the synthesis of su-pervisors for discrete-event systems. In this approach the overall supervisorytask is divided into two or more subtasks. Each of the latter is solved usingthe results of Chapter 3, and the resulting individual subsupervisors are runconcurrently to implement a solution of the original problem. We refer tosuch a construction as a decentralized modular synthesis, and to the resultant

161

162 CHAPTER 4

supervisor as a decentralized supervisor. The control architecture is sketchedbelow.

G S2S1

Such constructions represent a very general approach to complex prob-lems – sometimes called ‘divide and conquer’. In addition to being moreeasily synthesized, a decentralized supervisor should ideally be more readilymodified, updated and maintained. For example, if one subtask is changed,then it should only be necessary to redesign the corresponding modular com-ponent supervisor: in other words, the overall decentralized supervisor shouldexhibit greater flexibility than its ‘monolithic’ counterpart.

Unfortunately, these advantages are not always to be gained without aprice. The fact that the individual supervisory modules are simpler impliesthat their control action must be based on a partial or ‘local’ version ofthe global system state; in linguistic terms, a component supervisor pro-cesses only a ‘projection’ of the behavior of the DES to be controlled. Aconsequence of this relative insularity may be that different component su-pervisors, acting quasi-independently on the basis of local information, comeinto conflict at the ‘global’ level, and the overall system fails to be nonblock-ing. Thus a fundamental issue that almost always arises in the presence ofdecentralization is how to guarantee the nonblocking property of the finalsynthesis.

4.2 Conjunction of Supervisors

Let S1 and S2 be proper supervisors for G: that is, each of S1 and S2 isa trim automaton1, is controllable with respect to G (equivalently, Lm(S1),Lm(S2) are controllable with respect to G), and each of S1/G, S2/G isnonblocking, namely

Lm(S1/G) = L(S1/G), Lm(S2/G) = L(S2/G)

1As in Section 3.6 and our usage of ‘generator’, ‘automaton’ includes the case of partialtransition function.

4.2 163

Recalling from Section 2.4 the definitions of reachable subautomaton and ofproduct automaton, we define the conjunction of S1 and S2, written S1∧S2,as the reachable subautomaton of the product:

S1 ∧ S2 = Rch(S1 × S2) = meet(S1,S2)

It is easily seen from the definition that the supervisory action of S1 ∧ S2 isto enable an event σ just when σ is enabled by S1 and S2 simultaneously.To describe the action of S1 ∧ S2 more fully we have the following.

Theorem 1Under the foregoing conditions,

Lm((S1 ∧ S2)/G) = Lm(S1/G) ∩ Lm(S2/G)

Furthermore S1∧S2 is a proper supervisor for G if and only if it is trim andthe languages Lm(S1/G), Lm(S2/G) are nonconflicting.

ProofFor the first statement we have

Lm((S1 ∧ S2)/G) = Lm(S1 ∧ S2) ∩ Lm(G)

= Lm(S1) ∩ Lm(S2) ∩ Lm(G)

= Lm(S1/G) ∩ Lm(S2/G)

Similarly, as L(S1 ∧ S2) = L(S1) ∩ L(S2) we have

L((S1 ∧ S2)/G) = L(S1/G) ∩ L(S2/G)

so that (S1 ∧ S2)/G is nonblocking if and only if Lm(S1/G) and Lm(S2/G)are nonconflicting. Now S1 and S2 proper implies that each is controllable,so L(S1) and L(S2) are both controllable with respect to G. By Proposi-tion 3.5.3, L(S1)∩L(S2) is controllable, therefore L(S1 ∧S2) is controllable.Thus S1 ∧ S2 is a proper supervisor if and only if it satisfies the definingcondition that it be trim, as claimed. 2

Recall from Section 3.3 that in TCT

S1 ∧ S2 = meet(S1,S2)

164 CHAPTER 4

Obviously, if S1 and S2 satisfy all the conditions of Theorem 1 except thatS1 ∧ S2 happens not to be trim (i.e. fails to be coreachable), then S1 ∧ S2

may be replaced by its trim version, to which the conclusions of the theoremwill continue to apply. When designing with TCT the desirable situationis that Lm(S1) and Lm(S2) be nonconflicting (in TCT, nonconflict(S1,S2)returns true); then S1 ∧ S2 = meet(S1,S2) will indeed be trim.

Let the controlled DES G be arbitrary. The following results, which arealmost immediate from the definitions, will find application when exploitingdecentralization.

Proposition 2Let K1, K2 ⊆ Σ∗ be controllable with respect to G. If K1 and K2 are

nonconflicting then K1 ∩K2 is controllable with respect to G. 2

Proposition 3Let E1, E2 ⊆ Σ∗. If supC(E1), supC(E2) are nonconflicting then

supC(E1 ∩ E2) = supC(E1) ∩ supC(E2)

2

Exercise 4: Prove Propositions 2 and 3.

To complete this section we provide a version of Theorem 1 adaptedto TCT. For DES G1, G2, write G1 ≈ G2, ‘G1 and G2 are behaviorallyequivalent’, to mean

Lm(G1) = Lm(G2), L(G1) = L(G2)

Theorem 5Assume

(i) S1, S2 are controllable with respect to G [as confirmed, say, by con-dat],

(ii) nonconflict(S1 ∧ S2,G) = true, and

(iii) S1 ∧ S2 is trim

4.3 165

Then S1 ∧ S2 is a proper supervisor for G, with

(S1 ∧ S2) ∧G ≈ (S1 ∧G) ∧ (S2 ∧G)

2

Notice that condition (i) holds in particular if S1, S2 are proper super-visors for G. Even in that case, however, condition (ii) is not automaticand must be checked. Finally, the result is easily extended to any collectionS1,S2, ...,Sk.

Corollary 6Let E1, E2 be arbitrary DES and

Si = supcon(G,Ei), i = 1, 2

If nonconflict(S1,S2) = true, then

S1 ∧ S2 ≈ supcon(G,E1 ∧ E2)

2

Exercise 7: Prove Theorem 5 and Corollary 6.

4.3 Naive Decentralized Supervision: Deadly

Embrace

Before presenting successful examples of decentralized supervision we illus-trate the possibility of blocking in a simple but classical situation. Considertwo users of two shared resources (e.g. two professors sharing a single penciland notebook). To carry out his task each user needs both resources simul-taneously; but the resources may be acquired in either order. We modelthe generators USER1, USER2 and the legal constraint languages RESA,RESB in the simple manner shown. Here

Σc = α1, β1, α2, β2, Σu = γ1, γ2

The DES to be controlled is then

USER = shuffle(USER1,USER2)

166 CHAPTER 4

αi

USERi

βi

βiαi

γi

γ1; γ2

RESA

α1;α2

RESB

γ1; γ2

β1;β2

selfloop fβ1;β2g selfloop fα1;α2g

β1

α1

α2

β2

γ1

α2

β2β1

γ2

USERSUP

α1

subject to the legal language

RES = meet(RESA,RESB)

The optimal global supervisor is

USERSUP = supcon(USER,RES)

4.3 167

as displayed. Initially users and resources are all idle; as soon as one useracquires one resource, USERSUP disables the other user from acquiring anyresource until the first user has completed his task. Notice, incidentally, thatthe validity of this proposed control depends crucially on the assumptionof the shuffle model that independent events can never occur at the samemoment; if this assumption fails, the system will block if both users acquiretheir first resource simultaneously.

Let us now employ RESA and RESB as naive modular component su-pervisors. Each is controllable and nonconflicting with respect to USER,hence is proper. The corresponding controlled languages are

CONA = meet(USER,RESA), CONB = meet(USER,RESB)

however,CONA andCONB are conflicting! It is easy to see that concurrentoperation of CONA and CONB could lead to blocking: because nothingpreventsUSER1 from acquiring one resource (event α1 or β1), thenUSER2acquiring the other (resp. event β2 or α2), with the result that both usersare blocked from further progress, a situation known as ‘deadly embrace’.The example therefore illustrates the crucial role of marker states in systemmodeling and specification, as well as the importance of absence of conflict.

Exercise 1: Discuss control of this situation that guarantees nonblockingand also ‘fairness’ according to some common-sense criterion of your inven-tion: fairness should guarantee that neither user could indefinitely shut outthe other. Hint: Use a queue.

Exercise 2: Replace RESA above with the more refined model

γ1

NRESA

α1

γ2

α2

selfloop fβ1;β2g

168 CHAPTER 4

and similarly for RESB. Carry out the new design to get NUSERSUP.Verify that it is isomorphic to USERSUP and explain why this might beexpected.

Exercise 3: As stated in the text, USERSUP depends for its validityon the assumption that events in independent agents interleave in time, i.e.never occur simultaneously. Discuss how event interleaving could be enforced,for practical purposes, by use of a queue. For this, require that USER1,USER2 first request the use of a desired resource, while it is up to thesupervisor to decide in what order competing requests are granted. Assumethat simultaneous requests could be queued in random order.

4.4 Decentralized Supervision: Small Factory

We shall apply the results of Section 4.2 to the decentralized supervision ofSmall Factory (cf. Sections 3.3, 3.7). As displayed below, introduce trimautomata BUFSUP and BRSUP to enforce the buffer and the break-down/repair specifications respectively.

β1

α2

BUFSUP

α1

selfloop fλ1;µ1;β2;λ2;µ2g

λ2

µ2

BRSUP

µ1

selfloop fα1;β1;λ1;α2;β2g

By use of the TCT procedure condat it can be confirmed that BUF-SUP and BRSUP are controllable with respect to FACT, and applica-tion of nonconflict to the pairs FACT, BUFSUP and FACT, BRSUP

4.5 169

respectively shows by Proposition 3.6.5 that BUFSUP and BRSUP arenonblocking for FACT; so we may conclude that each is a proper supervi-sor for FACT. For our modular decentralized supervisor we now take theconjunction

MODSUP = BUFSUP ∧BRSUP

It is easy to check by hand that BUFSUP, BRSUP are nonconflicting, so

MODSUP = trim(meet(BUFSUP,BRSUP))

namely MODSUP is trim; and by application of condat and nonconflictto the pair FACT, MODSUP we now conclude by Proposition 3.7.1 thatMODSUP is a proper supervisor for FACT.

We note parenthetically that, on taking G = FACT, Proposition 4.2.2holds with

K1 = Lm(BUFSUP), K2 = Lm(BRSUP)

while Proposition 4.2.3 holds with

E1 = Lm(SPEC1), E2 = Lm(SPEC2)

Finally it may be verified that MODSUP is actually optimal. Variousapproaches are possible: perhaps the most direct is to check that

Lm(FACT) ∩ Lm(MODSUP) = Lm(FACTSUP)

via the computation

isomorph(meet(FACT,MODSUP),FACTSUP) = true

Another possibility, using Proposition 4.2.3, is left to the reader to developindependently.

4.5 Decentralized Supervision: Big Factory

As another example of the foregoing ideas we consider Big Factory, describedbelow. Two machines as before operate in parallel to feed a buffer withcapacity 3; a third machine empties the buffer.The informal specifications are:

170 CHAPTER 4

i0

i1

i2

i3MACHi

MACH1

MACH1

11

21

BUF (3)

20

10

MACH331 30

1. Buffer must not overflow or underflow.

2. MACH1 and MACH2 are repaired in order of breakdown.

3. MACH3 has priority of repair over MACH1 and MACH2.

As the plant we take

BFACT = shuffle(MACH1,MACH2,MACH3)

To formalize the specifications we construct the DES shown below:

Buffer overflow/underflow:

10,2010,20

3131

10,20

31

BUF3

Breakdown/repair of MACH1,MACH2:

4.5 171

13; 23

BR12

12; 22

23

12

22

13

Breakdown/repair of MACH3:

33

32

23

13

BR3

Each DES is understood to be self-looped with its complementary subalpha-bet.

We first consider ‘monolithic’ supervision. BFACT turns out to have 27states and 108 transitions (written (27,108)). Combining the specificationlanguages into their intersection, we define

BSPEC = meet(BUF3,BR12,BR3) (32, 248)

For the ‘monolithic’ supervisor we then obtain

BFACTSUP = supcon(BFACT,BSPEC) (96, 302)

By the theory, the transition structure of the DES BFACTSUP is that ofthe supremal controllable sublanguage of Lm(BFACT) that is contained inthe specification language Lm(BSPEC). Thus BFACTSUP is guaranteedto be the optimal (i.e. minimally restrictive) proper supervisor that controlsBFACT subject to the three legal specifications. Nevertheless, BFACT-SUP is a rather cumbersome structure to implement directly, and it makessense to consider a decentralized approach.

For prevention of buffer overflow alone, we compute

status1 = # empty buffer slots − # feeder machines at work

172 CHAPTER 4

12; 22; 31

11; 21

12; 22; 31

STATUS1

11; 21

12; 22; 31

11; 2112

22

status1= 0

disable 11; 21

31

10; 20

31

STATUS2

10; 20

31

10; 2010

20

status2 = # full slots in buffer

disable 31

STATUS1 disables 11 and 21 when status1 = 0, and is a proper supervisorfor BFACT. For prevention of buffer underflow alone, we compute

STATUS2 disables 31 when status2 = 0 and is also proper. For controlof breakdown/repair, BR12 and BR3 are themselves proper supervisors. Itcan be verified that optimal (and proper) supervision of the buffer is enforcedby

STATUS = STATUS1 ∧ STATUS2

while optimal (and proper) supervision of breakdown/repair is enforced by

BR = BR12 ∧BR3

Finally, optimal (and proper) supervision with respect to all the legal speci-fications is enforced by

BFTMDSUP = STATUS ∧BR

Obviously BFTMDSUP is much simpler to implement than BFACTSUP,to which it is equivalent in supervisory action.

4.6 173

Exercise 1: Construct a 9-state supervisor that is equivalent in controlaction to STATUS. Check your result by TCT and supply the printouts.

Exercise 2: Carry out the following ‘direct’ approach to decentralized con-trol of Big Factory. For each of the three specifications BUF3, BR12, BR3compute the ‘global’ controllers using supcon , and their corresponding re-duced versions using supreduce, of (minimal) state size 7, 3, 2 respectively.Verify that these provide an optimal decentralized control. While no specialanalysis was required, supervisor reduction was essential for efficient decen-tralization.

4.6 Decentralized Supervision: Transfer Line

As a third example of decentralized control we consider an industrial ‘transferline’ consisting of two machines M1, M2 followed by a test unit TU, linkedby buffers B1 and B2, in the configuration shown. A workpiece tested byTU may be accepted or rejected; if accepted, it is released from the system;if rejected, it is returned to B1 for reprocessing by M2. Thus the structureincorporates ‘material feedback’. The specification is simply that B1 andB2 must be protected against underflow and overflow, along with the tacitrequirement of nonblocking.

TUB2M2B1M11 2 3 5

8

64

The component DES, displayed below, are taken to be as simple as pos-sible.

M1 1 2 M2 3 4 TU 6 85

174 CHAPTER 4

The DES representing the transfer line is

TL = shuffle(M1,M2,TU)

The capacities of B1 and B2 are assumed to be 3 and 1 respectively, andthe specifications are modeled as B1SP, B2SP in the usual way.

selfloop1,2,3,6,85

4

B2SP

33

2,82,82,8

3

selfloop1,4,5,6

B1SP

Then the total specification is

BSP = meet(B1SP,B2SP)

The centralized or monolithic supervisor is computed as

CSUP = supcon(TL,BSP) (28,65)

and turns out to have 28 states and 65 transitions. The control data file forCSUP is

CSUP = condat(TL,CSUP)

For decentralized supervision we may proceed as follows. A modularcomponent supervisor for B2 is simple enough: we construct B2SUP todisable event 5 in TU when B2 is empty (to prevent underflow) and todisable event 3 in M2 when B2 is full (to prevent overflow).

4.6 175

selfloop1,2,6,8

5

43

B2SUP

For B1 we separate the requirements of overflow and underflow into twosubtasks, assigned to component supervisors B1SUP1, B1SUP2. To pre-vent underflow it suffices to adopt for B1SUP2 the specification modelB1SP, augmented by a harmless selfloop for events 2,8 at state 3 to ren-der B1SUP2 controllable. Then B1SUP2 disables M2 at state 0 (whereB1 is empty), but is indifferent to possible overflow at state 3. To preventoverflow we make a first, ‘naive’ attempt at designing B1SUP1, with re-sult XB1SUP1, as follows. The entities feeding B1 (potentially causingoverflow) are M1 and TU: define

FB1A = shuffle(M1,TU), FB1 = selfloop(FB1A,[3])

FB1 will be considered to be the controlled DES for the overflow specification

FB1SP = selfloop(B1SP,[1,5,6]),

leading to the proposed modular component supervisor

XB1SUP1A = supcon(FB1,FB1SP)

over the subalphabet 1,2,3,5,6,8, and finally the global version

XB1SUP1 = selfloop(XB1SUP1A,[4]) (12,45)

over the full alphabet. It can be checked that each of XB1SUP1 andB1SUP2 is nonconflicting and controllable with respect to TL, and thatXB1SUP1 and B1SUP2 are nonconflicting. Let

XB1SUP = meet(XB1SUP1,B1SUP2) (12,45)

(Verify that XB1SUP1, XB1SUP are isomorphic: why is this so?) Fromthe theory or by direct computation, XB1SUP is controllable and noncon-flicting with respect to TL. It remains to combine XB1SUP with B2SUP:to our chagrin, these components turn out to be conflicting! Let

176 CHAPTER 4

XBSUP = trim(meet(XB1SUP,B2SUP))

Because of conflict, the closed behavior of XBSUP (equal to the closure ofits marked behavior, by definition of the operation trim) is a proper sublan-guage of the intersection of the closed behaviors of the trim DES XB1SUP,B2SUP; and from

XBSUP = condat(TL,XBSUP)

it is seen that XBSUP fails to be controllable as it calls for the disablementof events 4 and 8. The concurrent operation of XB1SUP and B2SUPwill certainly result in satisfaction of the specifications B1SP and B2SP.However, each of these components admits the TL-string

s = 1.2.1.2.1.2.3.4.1.2

which leaves B1 and B2 both full. Following s, B2SUP disables M2, whileXB1SUP disables M1 and TU, and the system deadlocks; i.e. no furthertransitions are possible. The result illustrates that conflict and blocking canarise in seemingly innocent ways.2

A correct decentralized supervisor for overflow of B1 can be obtained byexamining the overall feedback operation of the system. It is seen that anyworkpiece removed from B1 by M2 is a candidate for eventual return to B1by TU. Thus overflow of B1 is prevented if and only if the number of emptyslots in B1 is maintained at least as great as the number of workpieces beingprocessed by M2 and TU or being stored in B2. In terms of event counts(#event) on the current string,

# empty slots in B1 = cap(B1) + #3 − #2 − #8

while

# workpieces in M2,B2,TU = #3 − #6 − #8

To maintain the desired inequality it is therefore required to disable M1 (i.e.event 1) if and only if

# empty slots in B1 ≤ # workpieces in M2,B2,TU2This is nothing but an instance of a feedback loop going unstable if it is ‘driven too

hard’, namely ‘its gain is too high’. Here ‘instability’ (deadlock) is the inability of thesystem to return to its ‘equilibrium’ (initial) state.

4.6 177

i.e. (with cap(B1) = 3) 3−#2 ≤ − #6, or

disable M1 iff #2 − #6 ≥ 3

Under these conditions event 2 can occur at most three times before anoccurrence of event 6, so our new attempt at an overflow control for B1takes the form of B1SUP1 as displayed. Here the harmless selfloop [0,6,0]has been adjoined to render B1SUP1 controllable.

selfloop3,4,5,8

222

6

1

6

6,1

B1SUP1

6

1

It can now be verified that B1SUP1, B1SUP2 are nonconflicting, sothat concurrent operation is represented by the proper supervisor

B1SUP = meet(B1SUP1,B1SUP2) (16,100)

and that B1SUP, B2SUP are nonconflicting, with their concurrent opera-tion represented by

BSUP = meet(B1SUP,B2SUP) (32,156)

It can be checked that BSUP is nonconflicting and controllable with respectto TL. Thus the behavior of TL under decentralized supervision is given by

DCSUP = meet(TL,BSUP) (28,65)

Finally it can be checked that DCSUP is isomorphic with CSUP, namelythe decentralized supervisor BSUP is optimal.

Exercise 1: Improve the recycling logic of Transfer Line as follows. A failedworkpiece is sent by TU to a new buffer B3 (size 1), and M2 can take itsworkpiece from eitherB1 orB3. Introduce a new specification thatM2 takesfrom B1 only if B3 is empty, that is, a failed workpiece has priority over anew one. Design both centralized (monolithic) and decentralized supervisorsfor the improved system.

178 CHAPTER 4

Exercise 2: Carry out the following ‘direct’ approach to decentralized con-trol of Transfer Line. For each of the two specifications B1SP, B2SP com-pute the ‘global’ controllers using supcon, and their corresponding versionsusing supreduce, of (minimal) state size 7, 2 respectively. Check that thesedo not provide a nonblocking decentralized control as their meet is conflictingwith TL. Having noted as before that blocking is due to both buffers fillingup, introduce a third specification which always maintains at least one bufferslot free, namely

#2−#6 ≤ (storage capacity of loop)− 1

= capacity(B1) + capacity(B2)− 1

= 3 + 1− 1 = 3

Create the corresponding buffer, say LOOPSPEC, then the corresponding‘global’ controller, and its reduced version of (minimal) size 4. Verify thatthe three reduced supervisors provide an optimal decentralized control. Ofcourse, success depended on precisely identifying the cause of blocking, astep which in many applications will be nontrivial.

Apply this method to the enhanced model of Exercise 1.

Example 3: Formal verificationWe provide a formal verification of the decentralized control for Transfer

Line proposed in Exercise 2. Bring in the modular specification languages

B1 = Lm(B1SP) ∩ Lm(TL)

B2 = Lm(B2SP) ∩ Lm(TL)

L0 = Lm(LOOPSPEC) ∩ Lm(TL)

The corresponding decentralized controlled behaviors are then

K1 := supC(B1), K2 := supC(B2), K0 := supC(L0)

while the optimal monolithic controlled behavior (Lm(CSUP) above) is

K := supC(B1 ∩B2)

In these expressions supC(·) is computed with respect to Lm(TL) = L(TL).Evidently K ⊆ K1 ∩K2, but the blocking action already mentioned indi-

cates that the inclusion is strict. We wish to show, however, that

K = K1 ∩K2 ∩K0

4.6 179

First we check that the loop condition is necessary, namely K ⊆ L0, i.e. ifs ∈ K then

0 ≤ #2(s)−#6(s) ≤ 3

The first inequality is obvious for any s ∈ L(TL). By the buffer constraintss ∈ K1 ∩ K2, so

#2(s)−#6(s) ≤ 4

Suppose #2(s)−#6(s) = 4. If (following s) state(TU) = 1 then by control-lability of K, the string s.8 ∈ K; similarly if state(M2) = 1 then s.4 ∈ K;so we may assume that, following s,

state(TU) = 0, state(M2) = 0

Thus buffers B1, B2 are both full; by the buffer constraints and controllabil-ity, events 3 and 5 must both be disabled (i.e. s.3, s.5 /∈ K) and the systemblocks, hence for no string w is sw ∈ K, a contradiction to s ∈ K, provingK ⊆ L0.

Next, if s ∈ K then s ∈ Lm(TL), thus 0 = #2(s)−#6(s), hence s ∈ L0,so K ⊆ L0, namely K ⊆ B1 ∩B2 ∩ L0, and by controllability

K ⊆ supC(B1 ∩B2 ∩ L0)

By definition of K the reverse inclusion is obvious, so

K = supC(B1 ∩B2 ∩ L0) (4.1)

Let

H1 := supC(B1 ∩ L0), H2 := supC(B2 ∩ L0)

We will show that H1, H2 are nonconflicting. By (4.1) and Proposition 4.2.3it will follow that

K = H1 ∩H2 (4.2)

Let s ∈ H1 ∩ H2; we must show s ∈ H1 ∩H2. By controllability we mayassume as above that, following s, TU and M2 are both at their state 0.Since s ∈ L0, the possible states of LOOPSPEC, B1, B2 are tabulatedbelow.

180 CHAPTER 4

LOOPSPEC B1 B2 admissible string w0 0 0 ϵ1 1 0 3.4.5.61 0 1 5.62 1 1 5.6.3.4.5.62 2 0 3.4.5.6.3.4.5.63 2 1 5.6.3.4.5.6.3.4.5.63 3 0 3.4.5.6.3.4.5.6.3.4.5.6

It is easy to check that in each case there exists a string w (e.g. as tabulated)such that sw ∈ H1 ∩H2; thus s ∈ H1 ∩H2 as claimed.

By an even simpler argument we obtain

H1 = K1 ∩K0, H2 = K2 ∩K0 (4.3)

From (4.2), (4.3) there results K = K1 ∩K2 ∩K0 as was to be proved.

4.7 Decentralized Supervision: AGVs in a

Manufacturing Workcell

As our fourth example of decentralized control we consider the coordinationof a system of automatic guided vehicles (AGVs) serving a manufacturingworkcell. As a side-benefit this will illustrate the power of supervisor reduc-tion (Section 3.10, and TCT supreduce) in reducing modular componentsto minimal or near-minimal state size for transparency of modeling and econ-omy in computational verification.

The system consists of two input stations IPS1, IPS2 for parts of types1, 2; three workstations WS1, WS2, WS3; one completed parts station CPS;and five AGVs – AGV1,...,AGV5. The AGVs travel on fixed circular routesalternately loading and unloading, as shown in Fig. 4.1, or explicitly:

AGV1: WS2 −−> IPS1 −→ WS2AGV2: WS3 −−> IPS2 −→ WS3AGV3: WS1 −−> WS2 −→ WS1AGV4: WS1 −−> WS3 −→ WS1AGV5: CPS −−> WS1 −→ CPS

4.7 181

AGVs : direction loadeddirection unloadedparking locationO

Fig. 4.1. Manufacturing Workcell

IPS1

IPS2

WS1

WS2

WS3

CPS

Zone 1

Zone 3

Zone 4

Zone 2

AGV1

AGV2

AGV3

AGV4

AGV5

182 CHAPTER 4

Here −→ (resp. −−>) indicates travel direction when loaded (resp. un-loaded), with each AGV returning to its initial (parking) location just afterunloading. Thus AGV1 starts unloaded from WS2, travels to IPS1 where itloads, and returns to WS2 where it unloads. Input parts of type 1 traversethe route

IPS1 −→ (AGV1) −→ WS2 −→ (AGV3) −→ WS1

and type 2 the route

IPS2 −→ (AGV2) −→ WS3 −→ (AGV4) −→ WS1

At WS1 a processed part of type 1 and one of type 2 are assembled into anoutput part, which is exported via the route

WS1 −→ (AGV5) −→ CPS

Only one part can be processed at one time by each of WS2, WS3, whileWS1 can assemble just two parts at a time into an output part.

As shown in Fig. 4.1 the AGV track systems cross one another in fourshared zones, as follows:

Zone Shared by AGVs

1 1, 22 2, 33 2, 44 4, 5

For safety reasons each zone should be occupied by at most one AGV at atime.

Finally it will be assumed that IPS1, IPS2 share a common loading area,so only one of AGV1, AGV2 can be loaded at one time.

DES models of the AGVs are displayed in Fig. 4.2(1)-(5), while theirevents are listed in Table 4.1. Controllability status is denoted by odd/evenlabeling as usual. Our models contain no more detail than will be needed tocapture the control specifications. Thus intermediate physical states implicitin (physical) event sequences like (interpreted) event 11 for AGV1 etc. aremerged into one, and the corresponding sequences are replaced by singleevents, considered atomic.

4.7 183

Fig. 4.2(1): AGV1

11

Zone 1 = f1; 3g

10

13

12

Fig. 4.2(2): AGV2

22

Zone 1 = f3; 5g

24

26

21

18

20

23

28

Zone 2 = f2; 6g

Zone 3 = f1; 7g

Fig. 4.2(3): AGV3

31

Zone 2 = f1; 3g

32

33

34

Fig. 4.2(4): AGV4

46

Zone 3 = f1; 5g

40

42

43

4441

Zone 4 = f2; 4g

Fig. 4.2(5): AGV5

51

Zone 4 = f1; 3g

50

53

52

Fig. 4.2. AGVs, with zone locations. States numbered counterclockwise,from initial state 0.

184 CHAPTER 4

TABLE 4.1. Events of AGVs

Event AGV Interpretation

11 1 Unparks & enters Zone 110 Exits Zone 1 & loads from IPS113 Re-enters Zone 112 Exits Zone 1, unloads to WS2, & parks21 2 Unparks & enters Zone 318* Exits Zone 3 & enters Zone 220 Exits Zone 2 & enters Zone 122 Exits Zone 1 & loads from IPS223 Re-enters Zone 124 Exits Zone 1 & re-enters Zone 226 Exits Zone 2 & re-enters Zone 328 Exits Zone 3, unloads to WS3, & parks33 3 Unparks & enters Zone 234 Exits Zone 2 & loads from WS231 Re-enters Zone 232 Exits Zone 2, unloads to WS1, & parks41 4 Unparks & enters Zone 340 Exits Zone 3 & enters Zone 442 Exits Zone 4 & loads from WS343 Re-enters Zone 444 Exits Zone 4 & re-enters Zone 346 Exits Zone 3, unloads at WS1, & parks51 5 Unparks & enters Zone 450 Exits Zone 4 & loads from WS153 Re-enters Zone 452 Exits Zone 4, unloads to CPS, & parks

*numbering due to need for 6 even-numbered labels

The specifications on AGV travel are stated more formally below, andtheir DES models displayed in Fig. 4.3(1)-(8).

Specification 1: At most one AGV can occupy a shared zoneat one time. For instance, Z1SPEC should prohibit AGV1(resp. AGV2) from entering Zone 1 while the latter is occupiedby AGV2 (resp. AGV1). We model this by saying ‘if AGV2

4.7 185

enters Zone 1 then AGV1 cannot enter Zone 1 until AGV2 exitsZone 1’ and vice-versa.

Specification 2: WS1SPEC should enforce the cyclic sequencingallowed by WS1, namely the latter should unloadAGV3, AGV4in either order, then (after the assembly process) allow AGV5to load the assembled output part for transport to CPS.

Specification 3: WS2SPEC should enforce that WS2 is alter-nately loaded by AGV1 (for processing of an input part type1) and unloaded by AGV3 (for transport of processed part toWS1).

Specification 4: WS3SPEC should enforce that WS3 is alter-nately loaded by AGV2 (for type 2) and unloaded by AGV4.

Specification 5: IPSSPEC should prohibit AGV1 and AGV2from attempting to occupy simultaneously the assumed commonwork area of IPS1 and IPS2.

Our plant model will be the synchronous product of the 5 AGVs, whilethe full specification will be the meet of 8 components (4 for Specification 1and one each for Specifications 2-5). System components IPS1, IPS2, CPSplay no direct role in the system’s control logic. While they could be createdfor completeness’ sake, they would not be included in the computations andtherefore we ignore them. Similarly, details for WS1, WS2, WS3 are notincluded as the workstations contribute only the sequencing specificationsalready provided.

After solving the monolithic centralized supervision problem we developsimple decentralized modular supervisors. For each of the 8 specificationswe take for the ‘local’ plant only the synchronous product of the AGVswhose events appear directly, and apply supreduce to the resulting localsupervisor.

Finally we check for nonblocking when the modular supervisors are placedonline together. As the combination fails to be nonblocking, we develop aninth ‘coordinating’ modular supervisor by examining the system’s overallinput-output behavior. The combination of all 9 resulting modules is verifiedto be control-equivalent to the monolithic supervisor.

186 CHAPTER 4

22; 24

20; 23

10; 12

11; 13

Fig. 4.3(1): Z1SPEC

32; 34

31; 33

20; 26

18; 24

Fig. 4.3(2): Z2SPEC

40; 46

41; 44

18; 28

21; 26

Fig. 4.3(3): Z3SPEC

50; 52

51; 53

42; 44

40; 43

Fig. 4.3(4): Z4SPEC

32 46

46 32

50

Fig. 4.3(5): WS1SPEC

34

12

Fig. 4.3(6): WS2SPEC

42

28

Fig. 4.3(7): WS3SPEC

23

22

13

10

Fig. 4.3(8): IPSSPEC

4.7 187

Commented MAKEIT.TXT file

Create the 5 AGVs.

AGV1 = create(AGV1,[mark 0],[tran [0,11,1],[1,10,2],[2,13,3],[3,12,0]]) (4,4)

AGV2 = create(AGV2,[mark 0],[tran [0,21,1],[1,18,2],[2,20,3],[3,22,4],[4,23,5],[5,24,6],[6,26,7],[7,28,0]]) (8,8)

AGV3 = create(AGV3,[mark 0],[tran [0,33,1],[1,34,2],[2,31,3],[3,32,0]]) (4,4)

AGV4 = create(AGV4,[mark 0],[tran [0,41,1],[1,40,2],[2,42,3],[3,43,4],[4,44,5],[5,46,0]]) (6,6)

AGV5 = create(AGV5,[mark 0],[tran [0,51,1],[1,50,2],[2,53,3],[3,52,0]]) (4,4)

AGV = sync(AGV1,AGV2) (32,64) Blocked events = None

AGV = sync(AGV,AGV3) (128,384) Blocked events = None

AGV = sync(AGV,AGV4) (768,3072) Blocked events = None

Compute the plant model.

AGV = sync(AGV,AGV5) (3072,15360) Blocked events = None

ALL = allevents(AGV) (1,26)

188 CHAPTER 4

Create the four zonal exclusion specifications and their meet.

Z1SPEC = create(Z1SPEC,[mark 0,1,2],[tran [0,11,1],[0,13,1],[0,20,2],[0,23,2],[1,10,0],[1,12,0],[2,22,0],[2,24,0]]) (3,8)

Z1SPEC = sync(Z1SPEC,ALL) (3,62) Blocked events = None

Z2SPEC = create(Z2SPEC,[mark 0,1,2],[tran [0,18,1],[0,24,1],[0,31,2],[0,33,2],[1,20,0],[1,26,0],[2,32,0],[2,34,0]]) (3,8)

Z2SPEC = sync(Z2SPEC,ALL) (3,62) Blocked events = None

Z3SPEC = create(Z3SPEC,[mark 0,1,2],[tran [0,21,1],[0,26,1],[0,41,2],[0,44,2],[1,18,0],[1,28,0],[2,40,0],[2,46,0]]) (3,8)

Z3SPEC = sync(Z3SPEC,ALL) (3,62) Blocked events = None

Z4SPEC = create(Z4SPEC,[mark 0,1,2],[tran [0,40,1],[0,43,1],[0,51,2],[0,53,2],[1,42,0],[1,44,0],[2,50,0],[2,52,0]]) (3,8)

Z4SPEC = sync(Z4SPEC,ALL) (3,62) Blocked events = None

ZSPEC = meet(Z1SPEC,Z2SPEC) (9,146)

ZSPEC = meet(ZSPEC,Z3SPEC) (27,318)

ZSPEC = meet(ZSPEC,Z4SPEC) (81,594)

Compute a modular supervisor for the combined zonal exclusion specifica-tion.

ZSUP = supcon(AGV,ZSPEC) (1112,3776)

4.7 189

Create the three workstation sequencing specifications and their meet.

WS1SPEC = create(WS1SPEC,[mark 0,1,2,3],[tran [0,32,1],[0,46,2],[1,46,3],[2,32,3],[3,50,0]]) (4,5)

WS1SPEC = sync(WS1SPEC,ALL) (4,97)Blocked events = None

WS2SPEC = create(WS2SPEC,[mark 0,1],[tran [0,12,1],[1,34,0]]) (2,2)

WS2SPEC = sync(WS2SPEC,ALL) (2,50)Blocked events = None

WS3SPEC = create(WS3SPEC,[mark 0,1],[tran [0,28,1],[1,42,0]]) (2,2)

WS3SPEC = sync(WS3SPEC,ALL) (2,50)Blocked events = None

WSSPEC = meet(WS1SPEC,WS2SPEC) (8,186)

WSSPEC = meet(WSSPEC,WS3SPEC) (16,356)

Compute a modular supervisor for the combined workstation sequencingspecification.

WSSUP = supcon(AGV,WSSPEC) (12666,47730)

Create the input parts stations exclusion specification.

IPSSPEC = create(IPSSPEC,[mark 0,1,2],[tran [0,10,1],[0,22,2],[1,13,0],[2,23,0]]) (3,4)

IPSSPEC = sync(IPSSPEC,ALL) (3,70) Blocked events = None

Compute a modular supervisor for the IPS specification.

190 CHAPTER 4

IPSSUP = supcon(AGV,IPSSPEC) (2304,10944)

IPSSUP = condat(AGV,IPSSUP) Controllable.

Compute the centralized supervisor for combined zonal and workstation spec-ifications.

ZWSSPEC = meet(ZSPEC,WSSPEC) (1296,7884)

ZWSSUP = supcon(AGV,ZWSSPEC) (6910,18226)

Compute the monolithic centralized supervisor for combined zonal, worksta-tion and input parts stations specifications.

ZWSISPEC = meet(ZWSSPEC,IPSSPEC) (3888,20196)

ZWSISUP = supcon(AGV,ZWSISPEC) (4406,11338)

ZWSISUP = condat(AGV,ZWSISUP) Controllable.

We can reduce the size of this monolithic supervisor.

ZWSISMSP = supreduce(AGV,ZWSISUP,ZWSISUP)(494,3544;slb=169)

TEST = meet(AGV,ZWSISMSP) (4406,11338)

isomorph(ZWSISUP,TEST;identity) = true

4.7 191

Modular supervisors and their reduced versions

Zone 1 modular exclusion specification

AGV12 = sync(AGV1,AGV2) (32,64) Blocked events = None

ALL12 = allevents(AGV12) (1,12)

Z1C12 = meet(Z1SPEC,ALL12) (3,20)

Z1P12 = supcon(AGV12,Z1C12) (24,36)

Z1P12 = condat(AGV12,Z1P12) Controllable.

Z1R12 = supreduce(AGV12,Z1P12,Z1P12) (2,14;slb=2)

Z1R = sync(Z1R12,ALL) (2,42) Blocked events = None

Zone 2 modular exclusion specification

AGV23 = sync(AGV2,AGV3) (32,64) Blocked events = None

ALL23 = allevents(AGV23) (1,12)

Z2C23 = meet(Z2SPEC,ALL23) (3,20)

Z2P23 = supcon(AGV23,Z2C23) (24,36)

Z2P23 = condat(AGV23,Z2P23) Controllable.

Z2R23 = supreduce(AGV23,Z2P23,Z2P23) (2,14;slb=2)

Z2R = sync(Z2R23,ALL) (2,42) Blocked events = None

Zone 3 modular exclusion specification

192 CHAPTER 4

AGV24 = sync(AGV2,AGV4) (48,96) Blocked events = None

ALL24 = allevents(AGV24) (1,14)

Z3C24 = meet(Z3SPEC,ALL24) (3,26)

Z3P24 = supcon(AGV24,Z3C24) (36,58)

Z3P24 = condat(AGV24,Z3P24) Controllable.

Z3R24 = supreduce(AGV24,Z3P24,Z3P24) (2,17;slb=2)

Z3R = sync(Z3R24,ALL) (2,41) Blocked events = None

Zone 4 modular exclusion specification

AGV45 = sync(AGV4,AGV5) (24,48) Blocked events = None

ALL45 = allevents(AGV45) (1,10)

Z4C45 = meet(Z4SPEC,ALL45) (3,14)

Z4P45 = supcon(AGV45,Z4C45) (18,26)

Z4P45 = condat(AGV45,Z4P45) Controllable.

Z4R45 = supreduce(AGV45,Z4P45,Z4P45) (2,11;slb=2)

Z4R = sync(Z4R45,ALL) (2,43) Blocked events = None

4.7 193

Global combination of reduced modular supervisors for zonal exclusion specs

ZR = meet(Z1R,Z2R) (4,69)

ZR = meet(ZR,Z3R) (8,108)

ZR = meet(ZR,Z4R) (16,160)

nonconflict(AGV,ZR) = true

ZR = condat(AGV,ZR) Controllable.

AGVZR = meet(AGV,ZR) (1112,3776)

isomorph(ZSUP,AGVZR) = true [map omitted]

Thus the modular reduced zonal supervisor (16 states) is control-equivalentto the global zonal supervisor (1112 states) as expected.

Direct reduction of ZSUP

ZSUP = condat(AGV,ZSUP) Controllable.

ZSIM = supreduce(AGV,ZSUP,ZSUP) (30,270;slb=16)

Thus ZSIM is larger than simply the meet of Z1R,...,Z4R, which has sizeexactly the slb.

194 CHAPTER 4

Modular supervisors for workstation sequencing specifications

Modular supervisor for Workstation 1 sequencing

AGV345 = sync(AGV3,AGV4) (24,48)Blocked events = None

AGV345 = sync(AGV345,AGV5) (96,288)Blocked events = None

ALL345 = allevents(AGV345) (1,14)

WS1C345 = meet(WS1SPEC,ALL345) (4,49)

WS1P345 = supcon(AGV345,WS1C345) (222,550)

WS1P345 = condat(AGV345,WS1P345) Controllable.

WS1R345 = supreduce(AGV345,WS1P345,WS1P345)(4,40;slb=4)

WS1R345 = condat(AGV345,WS1R345) Controllable.

WS1R = sync(WS1R345,ALL) (4,88)Blocked events = None

nonconflict(AGV,WS1R) = true

WS1R = condat(AGV,WS1R) Controllable.

Modular supervisor for Workstation 2 sequencing

4.7 195

AGV13 = sync(AGV1,AGV3) (16,32) Blocked events = None

ALL13 = allevents(AGV13) (1,8)

WS2C13 = meet(WS2SPEC,ALL13) (2,14)

WS2P13 = supcon(AGV13,WS2C13) (24,40)

WS2P13 = condat(AGV13,WS2P13) Controllable.

WS2R13 = supreduce(AGV13,WS2P13,WS2P13) (2,12;slb=2)

WS2R = sync(WS2R13,ALL) (2,48) Blocked events = None

Modular supervisor for Workstation 3 sequencing

AGV24 = sync(AGV2,AGV4) (48,96) Blocked events = None

ALL24 = allevents(AGV24) (1,14)

WS3C24 = meet(WS3SPEC,ALL24) (2,26)

WS3P24 = supcon(AGV24,WS3C24) (62,110)

WS3P24 = condat(AGV24,WS3P24) Controllable.

WS3R24 = supreduce(AGV24,WS3P24,WS3P24) (2,21;slb=2)

WS3R = sync(WS3R24,ALL) (2,45) Blocked events = None

nonconflict(AGV,WS3R) = true

Compute the global version of the workstation reduced supervisors.

196 CHAPTER 4

WSR = meet(WS1R,WS2R) (8,160)

WSR = meet(WSR,WS3R) (16,264)

WSSUP = supcon(AGV,WSSPEC) (12666,47730)

AGVWSR = meet(AGV,WSR) (12666,47730)

isomorph(WSSUP,AGVWSR) = true [map omitted]

Thus WSR (16 states) is control-equivalent to WSSUP (12666 states).

Modular supervisor for IPS exclusion specification

IPSC12 = meet(IPSSPEC,ALL12) (3,28)

IPSP12 = supcon(AGV12,IPSC12) (24,42)

IPSP12 = condat(AGV12,IPSP12) Controllable.

IPSR12 = supreduce(AGV12,IPSP12,IPSP12) (2,16;slb=2)

TEST = allevents(IPSR12) (1,12)

isomorph(ALL12,TEST;identity) = true

IPSR = sync(IPSR12,ALL) (2,44) Blocked events = None

nonconflict(AGV,IPSR) = true

IPSR = condat(AGV,IPSR) Controllable.

TEST = allevents(IPSR) (1,26)

isomorph(ALL,TEST;identity) = true

AGVIPSR = meet(AGV,IPSR) (2304,10944)

isomorph(AGVIPSR,IPSSUP) = true [map omitted]

4.7 197

Combine zonal and workstation modular supervisors into global version.

ZWS1R = meet(ZR,WS1R) (64,528)

nonconflict(AGV,ZWS1R) = true

ZWS1R = condat(AGV,ZWS1R) Controllable.

TEST = meet(AGV,ZWS1R) (3034,9220)

MTEST = minstate(TEST) (3034,9220)

nonconflict(ZWS1R,WS2R) = true

ZWS12R = meet(ZWS1R,WS2R) (128,928)

nonconflict(ZWS12R,AGV) = true

ZWS12R = condat(AGV,ZWS12R) Controllable.

ZWS123R = meet(ZWS12R,WS3R) (256,1600)

Examine ZWS123R as a modular supervisor for AGV subject to the zonaland workstation specifications.

TEST = minstate(ZWS123R) (256,1600)

isomorph(ZWS123R,TEST;identity) = true

TZWS123R = trim(ZWS123R) (256,1600)

isomorph(TZWS123R,ZWS123R;identity) = true

nonconflict(AGV,ZWS123R) = true

ZWS123R = condat(AGV,ZWS123R) Controllable.

Thus ZWS123R is a proper supervisor for AGV. We get the controlledbehavior (for zonal and workstation specifications) as follows.

198 CHAPTER 4

AGVZWS = meet(AGV,ZWS123R) (6910,18226)

nonconflict(AGVZWS,ALL) = true

isomorph(AGVZWS,ZWSSUP) = true [map omitted]

Combine zonal/workstation global modular supervisor with modular IPS su-pervisor. Investigate whether the result is nonblocking.

nonconflict(ZWS123R,IPSR) = true

ZWSIR = meet(ZWS123R,IPSR) (512,2608)

nonconflict(ZWSIR,ALL) = true

ZWSIR is state-minimized.

TEST = minstate(ZWSIR) (512,2608)

isomorph(TEST,ZWSIR;identity) = true

nonconflict(ZWS123R,IPSR) = true

nonconflict(IPSR,ZWSSUP) = false

While the meet of the first 7 modular reduced supervisors (the 4 zonal andthe 3 workstation sequencing modules) provides an optimal (proper) modularsupervisor for AGV, conflict arises when the IPS specification is introduced.Conflict could be removed in the final step of the synthesis, by global supervi-sion, but the resulting ‘global’ coordinator ZWSIRSUP merely reproducesthe monolithic centralized supervisor, and is therefore unacceptable.3

3It will be shown in Section 6.8 how this apparently useless coordinator can be ab-stracted to one that is small and efficient. For now, we proceed ‘naively’.

4.7 199

nonconflict(AGV,ZWS123R) = true

nonconflict(ZWS123R,IPSR) = true

nonconflict(AGV,ZWSIR) = false

ZWSIRSUP = supcon(AGV,ZWSIR) (4406,11338)

AGVZWSIR = meet(AGV,ZWSIR) (4424,11368)

TAGVZWSI = trim(AGVZWSIR) (4406,11338)

isomorph(ZWSIRSUP,TAGVZWSI;identity) = true

Thus the final supcon operation simply removes inadmissible states fromthe meet of AGV with the meet of the 8 reduced modular supervisors.

It requires some trial-and-error to find a (relatively) small coordinator toachieve the same result economically: namely to remove the 4424-4406=18states in AGVZWSIR that are either not coreachable or lead to non-coreachable states along uncontrollable paths. We return to this problemafter some further checks on the results so far.

Rename the final optimal nonblocking controlled behavior. We run someroutine checks to confirm nonblocking and that the specifications are allenforced.

SUPER = edit(ZWSIRSUP) (4406,11338)

nonconflict(SUPER,ALL) = true

200 CHAPTER 4

COZSPEC = complement(ZSPEC,[]) (82,2132)

TEST = meet(SUPER,COZSPEC) (4406,11338)

TTEST = trim(TEST) (0,0)

COWSSPEC = complement(WSSPEC,[]) (17,442)

TEST = meet(SUPER,COWSSPEC) (4406,11338)

TTEST = trim(TEST) (0,0)

COIPSSPE = complement(IPSSPEC,[]) (4,104)

TEST = meet(SUPER,COIPSSPE) (4406,11338)

TTEST = trim(TEST) (0,0)

We project to check that the AGVs are all embedded in the controlled be-havior without constraint.

P1SUPER = project(SUPER,image[10,11,12,13]) (4,4)

isomorph(AGV1,P1SUPER;identity) = true

P2SUPER = project(SUPER,image[18,20,21,22,23,24,26,28]) (8,8)

isomorph(AGV2,P2SUPER;identity) = true

P3SUPER = project(SUPER,image[31,32,33,34]) (4,4)

isomorph(AGV3,P3SUPER;identity) = true

P4SUPER = project(SUPER,image[40,41,42,43,44,46]) (6,6)

isomorph(AGV4,P4SUPER;identity) = true

P5SUPER = project(SUPER,image[50,51,52,53]) (4,4)

isomorph(AGV5,P5SUPER;identity) = true

4.7 201

Finally we project on the input/output events (IPS to CPS) to display theinput/output behavior (importing workpieces of type 1 with event <10>4

and type 2 <22>, and exporting assembled workpiece <52>).

IOSUPER = project(SUPER,image[10,22,52]) (29,64)

The result is displayed in Fig. 4.4. It shows, as expected, complete symmetrybetween parts of type 1 and type 2, as loaded by the two IPS ontoAGV1 andAGV2 respectively. The system can contain at most 5 parts of type 1 and4 of type 2 (or else respectively 4, 5) before it must unload a fully processedand assembled workpiece at the CPS. The maximum work-in-progress (WIP)is therefore 9. The system can only return to its initial state after havingprocessed an equal number of parts of each type.

Projecting IOSUPER onto event 10 and 52, say, shows that, as seen bythe input-output abstraction IPS1→CPS, the system behaves like a buffer ofcapacity 5.

P22IOSUP = project(IOSUPER,null[22]) (6,10)

For comparison we project the controlled behavior under supervisor ZWS123Ralone, i.e. subject only to the zonal exclusion and workstation sequencingconstraints. The result PAGVZWS is more permissive, of course, thanbefore, since the constraint IPSSPEC is omitted. The transition graph(Fig. 4.5) reveals that maximum WIP is now 10, namely 5 of each work-piece type can be accepted by the system before a delivery to CPS (event52) must be executed. Thus the ‘5/4’ constraint mentioned above is due toIPSSPEC.

PAGVZWS = project(AGVZWS,image[10,22,52]) (34,81)

PAGVZWS = BFS(PAGVZWS) (34,81)

Projecting out event 22 (importing a type 2 workpiece) yields a buffer ofcapacity 5 for the IPS1 → CPS abstraction, just as before.

P22AGVZW = project(PAGVZWS,null[22]) (6,10)

isomorph(P22AGVZW,P22IOSUP;identity) = true

4In this section, an event or string may be enclosed in brackets < · > for clarity.

202 CHAPTER 4

Conclusion so far:

Efficient modular control was achieved for the combination of zonal exclusionand workstation sequencing specifications. Although the monolithic problemwith the additional input-parts-stations exclusion specification could indeedbe solved, we must still find a simple modular way of doing so, which willresolve the conflict between the supervisor for this specification and the con-trolled behavior for the previous specifications.

Blocking analysis:

We investigate the blocking problem in detail. It turns out that block-ing is due to deadlock. A search of the transition table for the blockingDES AGVZWSIR turns up deadlock states from which deadlocking eventsequences can be extracted. One of these is the following, common to SU-PER and AGVZWSIR.

% # ∗11 10 13 12 | 11 33 34 10 13 31 32 12 | 11 33 34 10 13 12 | (+)

Problematic events in this string are the following.%<32> AGV3 → WS1 [AGV3 unloads part type 1 to WS1]#<34> WS2 → AGV3 [AGV3 loads part type 1 from WS2]*<12> AGV1 → WS2 [AGV1 unloads part type 1 to WS2]

This leaves

WS1 loaded with type 1 by AGV3 %<32>, AGV3 parkedAGV3 loaded from WS2 by #<34>WS2 loaded from AGV1 by *<12>, AGV1 parked

Thus the next events that should be enabled are

<21> AGV2 unparks<22> IPS2 → AGV2 [type 2] <23 24 25 26><28> AGV2 → WS3 [type 2], AGV2 parks<42> WS3 → AGV4 [type 2]<46> AGV4 → WS1 [type 2]<50> WS1 → AGV5 [output assembled part]

However, AGZVWSIR allows <11 10> following (+), resulting in deadlock!After <11> AGZVWSIR must disable <21> to prevent a Zone 1 collision

4.7 203

via <21 18 20>. Why not allow <21> after <10>? Evidently because IPSRdisables <21> following <11 10>. This is because of the event interpreta-tion that AGV1 only exits from the common workspace of IPS1 and IPS2by executing <13>. Only then, by IPSSPEC, can AGV2 execute <22>.The situation would not be cured by more detailed modeling of AGV1, sayreplacing <10> by a sequence <10 14>, with <14> the exit from workspace.However, if AGV1 executes <13> then it enters Zone 1, hence <21> stillcannot be enabled lest Z1SPEC be violated. So AGV1 must continue onto do <12>, which is impossible because WS2 has already been been loadedon the previous AGV1 cycle by *<12>, and cannot be loaded again untilit has been cleared by AGV3 on event <34>. But this too is impossible,because AGV3 has already been loaded from WS2 by #<34>.

Following (+), the (nonblocking) monolithic controller SUPER disallows<11 10> but in effect forces <21>, so deadlock is prevented. In other words,SUPER prevents deadlock by forcing AGV2 into action, which eventuallyallows transfers <22>IPS2 → AGV2, <28>AGV2 → WS3, <42>WS3 →AGV4, <46>AGV4 → WS1. The result is to allow AGV1 to execute <1110 13> and the transfer <12>AGV1 → WS2.

We conclude that the blocking/deadlock situation is rather complicatedbecause of the interplay of several subsystems and their mutual constraints.Thus a modular solution (if one exists) might turn out to be complicatedas well. In the present example it is now evident that deadlock is due to‘choking’ on too many input parts allowed into the system at one time.With this in mind we examine the global I/O behavior IOSUPER (Fig. 4.4)which exhibits how inputs (or WIP) must be constrained if deadlock is to beprevented. Thus we attempt to convert IOSUPER into a controllable versionwhich, as a modular supervisor, would yield the correct result for controlledbehavior.

Provisional decentralized control:

We can obtain an acceptable result in two different ways. The first is simplyto convert IOSUPER directly by moving the uncontrollable events in theirrespective AGVs back to their nearest controllable events upstream in theparts flow (i.e. <10>→<11>, <22>→<21> and <52>→<53>).

204 CHAPTER 4

BUXR125 = relabel(IOSUPER,[[10,11],[22,21],[52,53]]) (29,64)

BUXR = sync(BUXR125,ALL) (29,731) Blocked events = None

BUXR = condat(AGV,BUXR) Controllable.

nonconflict(AGV,BUXR) = true

ZWSIBR = meet(ZWSIR,BUXR) (14813,72482)

TEST = meet(AGV,ZWSIBR) (4406,11338)

isomorph(SUPER,TEST;identity) = true

This confirms that BUXR does indeed provide the correct coordinating con-trol action to remove the blocking. We could also have obtained BUXR byprojecting SUPER onto the controllable events identified above:

CUXR125 = project(SUPER,image[11,21,53]) (29,64)

isomorph(CUXR125,BUXR125;identity) = true

Provisional conclusion:

To identify the coordinating control action required to remove (possible)blocking (often deadlock) from the action of synchronized modular supervi-sors, one may need to examine the global (optimal) behavior as projectedonto the relevant input/output events. This could entail trial-and-error, re-quiring human insight. The fact is that blocking and deadlock can arisefrom quite subtle interactions of the various plant components and modularcontrollers, and the rectifying control action may well be rather nonobvious.Deadlock in an I/O system will usually occur because the system becomes‘choked’ with input items, and this will occur relatively far down the reach-ability tree of blocking behavior. This means that the required coordinatingmodular controller may be rather complex.

In the present example our provisional result is acceptable. Correspond-ing to the 8 specifications Z1, Z2, Z3, Z4, WS1, WS2, WS3, IPS we obtained8 modular supervisors of state size 2, 2, 2, 2, 4, 2, 2, 2 having product size512. The resulting product supervisor failed to be nonblocking for the plant.

4.7 205

Investigation showed that to achieve nonblocking required the controlled re-moval of 4424-4406=18 states. This was achieved using ‘input/output heuris-tics’ to obtain an auxiliary, ninth modular supervisor, or coordinator, of 29states. The combination of all 9 modular supervisors was verified to becontrol-equivalent to the (optimal) monolithic centralized supervisor.

1010 10

22 22 22 2252 52 52 52

1010 10

22 22 22 2252 52 52 52

1010 10

10

10

2252

10

22 22 22 2252 52 52 52

1010 10 10

2252

10

22 22 2252 52 52 52

10 10 10

2252

10

2252

2252

2252

Fig. 4.4. IOSUPERInput-Output Controlled Behavior

206 CHAPTER 4

1010 10

22 22 22 2252 52 52 52

1010 10

22 22 22 2252 52 52 52

1010 10

10

10

2252

10

22 22 22 2252 52 52 52

1010 10 10

2252

10

22 22 2252 52 52 52

10 10 10

2252

10

10

2252

10

22

22

2222

10

22 22 2252 52 52 52

10 10 10

2252

10

22

Fig. 4.5. PAGVZWSInput-Output Controlled Behavior with IPSSPEC omitted

Refined decentralized control:To refine our approach to decentralized control of the AGV system we employa decomposition and ‘direct’ method due to L. Feng. For this we make theimportant preliminary observation that the zonal specifications ZiSPEC andtheir reduced modular supervisors ZiR (i = 1, 2, 3, 4) can be temporarilydisregarded. In justification bring in

IPSWSSPEC = meet(IPSSPEC, WSSPEC) (48,940)

IPSWSSUP = supcon(AGV, IPSWSSPEC) (7800,26248)

for the combined IPS and WS specifications and corresponding optimal con-trolled behavior. Now we verify

4.7 207

nonconflict(ZSUP, IPSWSSUP) = true

namely ZSUP can introduce no new blocking behavior if IPSWSSUP isnonblocking already. By Proposition 4.2.3 we conclude

ZWSISUP = supcon(AGV, ZWSISPEC) (4406,11338)

≃ meet(ZSUP, IPSWSSUP)

where ≃ denotes isomorphism. This means that global optimal supervision isachieved by online supervision of the combined zonal specifications, and thecombined input-parts and workstation specifications, independently. Thusit will be sufficient to construct a refined decentralized supervisor that iscontrol-equivalent to IPSWSSUP.

To this end we make the second key observation that WS1SPEC can bedecomposed as

WS1SPEC = sync(WS13SPEC, WS14SPEC)

separating the couplings of WS1 to AGV3 and AGV4, as displayed below.

32 46

46 32

50

WS1SPEC

50

32

WS13SPEC

50

46

WS14SPEC

We can thereby present the control flow of IPSWSSPEC as shown in

208 CHAPTER 4

Fig. 4.6.

32

34

12

23 13

28

42

46

22 10

50 50

AGV2 AGV1

AGV4

AGV5

AGV3

WS14 WS13

WS3 WS2

IPS

Fig. 4.6. Control Flow of IPSWSSPEC

In Fig. 4.6, ovals denote specifications (with the suffix ‘SPEC’ omitted).The WSj (j = 13, 14, 2, 3) are buffers, while IPS is considered a ‘server’ thatis shared by AGV1 and AGV2 providing to each an independent service:the supply of part type 1 by event 10 to AGV1, or type 2 by event 22to AGV2. Notice that the temporary removal of the ZiSPEC, and thedecomposition of WS1, have resulted in a control flow of ‘parallel’ type thatis logically transparent.

4.7 209

In the usual way we begin the modular control design by computingreduced supervisors (suffix SIM) for each of the 5 specifications pictured inFig. 4.6:

AGV35 = sync(AGV3, AGV5) (16,32)

WS13SUP = supcon(AGV35, WS13SPEC) (24,40)

WS13SUP = condat(AGV35, WS13SUP)

WS13SIM = supreduce(AGV35, WS13SUP, WS13SUP) (2,12)

AGV45 = sync(AGV4, AGV5) (24,48)

WS14SUP = supcon(AGV45, WS14SPEC) (34,58)

WS14SUP = condat(AGV45, WS14SUP)

WS14SIM = supreduce(AGV45, WS14SUP, WS14SUP) (2,15)

AGV13 = sync(AGV1, AGV3) (16,32)

WS2SUP = supcon(AGV13, WS2SPEC) (24,40)

WS2SUP = condat(AGV13, WS2SUP)

WS2SIM = supreduce(AGV13, WS2SUP, WS2SUP) (2,12)

AGV24 = sync(AGV2, AGV4) (48,96)

WS3SUP = supcon(AGV24, WS3SPEC) (62,110)

WS3SUP = condat(AGV24, WS3SUP)

WS3SIM = supreduce(AGV24, WS3SUP, WS3SUP) (2,21)

AGV12 = sync(AGV1, AGV2) (32,64)

IPSSUP = supcon(AGV12, IPSSPEC) (24,42)

210 CHAPTER 4

IPSSUP = condat(AGV12, IPSSUP) (24,42)

IPSSIM = supreduce(AGV12, IPSSUP, IPSSUP) (2,16)

Combining these results we compute

MODSIM0 = sync(WS13SIM, WS14SIM, WS2SIM, WS3SIM,IPSSIM) (32,416)

but find, as expected,

nonconflict(AGV, MODSIM0) = false

It remains to construct a coordinator, and Fig. 4.6 suggests how thisshould be done. Note that the left-hand and right-hand branches

L = AGV2 - WS3 - AGV4 - WS14

R = AGV1 - WS2 - AGV3 - WS13

can each hold at most 4 workpieces, written |L| ≤ 4, |R| ≤ 4, say. If |L|reaches 4 while |R| = 0 then event 50 is blocked. Having just executed event22, AGV2 is held at state 4 by disablement of event 23, as otherwise itcould uncontrollably execute event 28 and overflow WS3. By IPSSPEC,event 10 is therefore blocked, so |R| is held at 0 indefinitely, and the systemdeadlocks.

By this argument and its symmetric counterpart a coordinator shouldenforce the condition ||L| − |R|| ≤ 3, as expressed by the control-flow speci-fication CFSPEC shown below.

10

22

CFSPEC

10 10

22 22

10

22

10 10

22 22

From this we obtain

4.8 211

CFSUP = supcon(AGV12, CFSPEC) (204,396)

CFSUP = condat(AGV12, CFSUP)

CFSIM = supreduce(AGV12, CFSUP, CFSUP) (7,78)

Now we are ready to compute

MODSIM1 = sync(MODSIM0, CFSIM) (224, 2816)

and find, as we hoped,

nonconflict(AGV, MODSIM1) = true

Furthermore the controlled behavior

TEST = meet(AGV, MODSIM1) (7800, 26248)

is exactly as required, namely

isomorph(TEST, IPSWSSUP) = true

We have now justified the full modular supervisor with 10 components

Z1R, Z2R, Z3R, Z4R,WS13SIM, WS14SIM,WS2SIM,WS3SIM,IPSSIM, CFSIM

All but CFSIM have state size 2, while |CFSIM| = 7.

While straightforward and easily understood, the foregoing approach tomodular supervision has involved some large-scale computation at the levelof monolithic design. In fact this could be avoided by suitable analysis andthe use of abstraction, for which the reader may consult the original work ofL. Feng cited in Section 4.12 below. The reader is also referred to Section 6.8for an alternative approach using monolithic coordinator abstraction, leadingto an equally efficient coordinator.

212 CHAPTER 4

4.8 Decentralized Supervision by Natural Pro-

jection

An approach to decentralized supervision that is often effective is to basethe design of each modular component supervisor on a natural projectionof the monolithic plant on suitable local components. This will be feasibleespecially when the plant G is the synchronous product of components Gi

over pairwise disjoint alphabets Σi, and when each specification involves onlya small subset of the Gi. Projection onto a subset amounts to forming thesynchronous product of Gi over this subset alone, hence runs no risk of theexponential state explosion attendant on natural projection in general (cf.Exercise 3.3.18). A convincing example is the decentralized AGV supervisorof Section 4.7.

In this section we explore ‘supervision by projection’ in somewhat greatergenerality. Consider first a DES G over the alphabet Σ. For simplicityassume that G is trim, so L(G) = Lm(G). Let Σo ⊆ Σ be a subalphabetof ‘observable events’ and let P : Σ∗ → Σ∗

o be the corresponding naturalprojection. The ‘observer’s local model’ is then the projection Go of G onΣo, namely

Lm(Go) = PLm(G), L(Go) = PL(G)

With Σ = Σc∪Σu as usual, we define

Σoc = σ ∈ Σc|Pσ = σ = Σo ∩ Σc

Σou = σ ∈ Σu|Pσ = σ = Σo ∩ Σu

thus assigning control structure to Go.Let Eo ⊆ Lm(Go) be a specification language for the controlled behavior

of Go; in other words, our specification is declared ‘locally’ (in Go) ratherthan ‘globally’ (in G), and we consider that a ‘local supervisor’ can be as-signed toGo. To this end we let Co be the family of controllable sublanguagesof L(Go) and write

Ko := supCo(Eo)

for the supremal controllable sublanguage of Eo in Go. Of course we have

Ko ⊆ Eo ⊆ Lm(Go), Ko ⊆ Lm(Go) = L(Go)

The action of a supervisor implementing Ko in Go is to disable onlyevents in Σoc. The corresponding global supervisory action can be described

4.8 213

as follows. LetH := P−1(Ko) ∩ L(G)

Then H is closed, H ⊆ L(G), and

PH = Ko ∩ PL(G) = Ko ∩ L(Go) = Ko

We claim that H is globally controllable, namely as a sublanguage ofL(G). For this let s ∈ H, σ ∈ Σu, sσ ∈ L(G). If Pσ = ϵ then

P (sσ) = Ps ∈ Ko

hence sσ ∈ P−1(Ko) ∩ L(G) = H; while if Pσ = σ ∈ Σou, then

(Ps)σ ∈ KoΣou

and(Ps)σ = P (sσ) ∈ PL(G) = L(Go)

so(Ps)σ ∈ KoΣou ∩ L(Go) ⊆ Ko

by controllability of Ko. Again we have sσ ∈ H, and the claim is proved.It remains to identify H as the ‘induced’ implementation of Ko in G.

Formally, let s ∈ H, σ ∈ Σc. Then sσ ∈ H implies P (sσ) ∈ Ko. If Pσ =σ ∈ Σoc then (Ps)σ ∈ Ko, i.e. σ is enabled following Ps in Ko. Converselyif s0σ ∈ Ko with σ ∈ Σoc, and sσ ∈ L(G) with Ps = so, then P (sσ) = soσ,and

sσ ∈ P−1(Ko) ∩ L(G) = H

namely s ∈ H (as H is closed) and σ is enabled following s. The conclusionis that a local supervisor, say So, for Go with control over events in Σoc couldbe implemented (if need be) by a global supervisor S for G with controllableevent set Σoc ⊆ Σc. However, the information available to S following a strings ∈ L(G) is only Ps ∈ L(Go). Because of this informational abstraction itcannot be expected that S is globally ‘optimal’, as we shall see.

For the same reason, it cannot be expected that S is nonblocking for G(i.e. nonconflicting with G), even though (by construction) So is nonblockingfor Go. For global nonblocking we need to impose on P a new condition ofobservational consistency. Say P is an Lm(G)-observer if

(∀s ∈ L(G))(∀w ∈ Σ∗o)(Ps)w ∈ Lm(Go)

=⇒ (∃v ∈ Σ∗)sv ∈ Lm(G) & P (sv) = (Ps)w

214 CHAPTER 4

Namely, whenever s ∈ L(G), and Ps ∈ L(Go) can be extended to a markedstring of Go, then s can be extended to a marked string of G with the sameprojection.

Let the natural projection P : Σ∗ → Σ∗o be an Lm(G)-observer, and define

E := P−1(Eo) ∩ Lm(G)

K := P−1(Ko) ∩ Lm(G)

Proposition 1Under the stated conditions, K = H, K is controllable, and

K ⊆ supC(E)

ProofWe first show that P−1(Ko) and Lm(G) are nonconflicting. Let

s ∈ P−1(Ko) ∩ Lm(G)

so that s ∈ L(G) and sx ∈ P−1(Ko) for some x ∈ Σ∗. So

P (s)P (x) = P (sx) ∈ Ko ⊆ Lm(Go)

and by the observer property (with w = Px) there is v ∈ Σ∗ with sv ∈ Lm(G)and P (sv) = P (sx). Therefore

sv ∈ P−1(Ko) ∩ Lm(G)

namelys ∈ P−1(Ko) ∩ Lm(G)

as required. We now have

K = P−1(Ko) ∩ Lm(G)

= P−1(Ko) ∩ L(G)

= H

and therefore K is controllable (because H is). Clearly K ⊆ E, and thereforeK ⊆ supC(E), as claimed. 2

4.8 215

Note that E can be thought of as the global counterpart of the localspecification Eo. A marking nonblocking supervisor S for G that globallysynthesizes K provides the global counterpart of So.

As suggested at the beginning of this section, it will often be true in theapplication that G is a synchronous product of independent components overdisjoint alphabets, say

G = sync(G′,G′′)

i.e.Lm(G) = Lm(G

′) ∥ Lm(G′′), L(G) = L(G′) ∥ L(G′′)

Here we denote the corresponding alphabets by Σ′,Σ′′ with Σ′ ∩ Σ′′ = ∅,so the above synchronous products of languages are simply shuffles. LetΣ := Σ′∪Σ′′, Σo := Σ′ and, as before, P : Σ∗ → Σ∗

o. It is not hard to see thatthe Lm(G)-observer property for P is satisfied automatically. Furthermore

H = (Ko ∥ Σ′′∗) ∩ (L(G′) ∥ L(G′′))

= Ko ∥ L(G′′)

E = (Eo ∥ Σ′′∗) ∩ (Lm(G′) ∥ Lm(G

′′))

= Eo ∥ Lm(G′′)

K = Ko ∥ Lm(G′′)

In summary, supervisor design for G′ is unaffected by the presence ofG′′ as long as Σ′ and Σ′′ are disjoint. If G′′ as well as G′ is trim, so thatLm(G′′) = L(G′′), then Lm(G

′′) is automatically controllable, with the pleas-ant consequence (left to the reader to verify) that K = supC(E), instead ofmerely (⊆) as in the general discussion.

To complete this section we briefly describe an extension to the casewhere several projections of G are controlled concurrently. Thus assumeG is given, defined over Σ, and several subalphabets Σi ⊆ Σ (i ∈ I), notnecessarily pairwise disjoint, are selected for observation by independent localobservers. Define projections Gi (i ∈ I) such that

Lm(Gi) = PiLm(G), L(Gi) = PiL(G), i ∈ I

where Pi : Σ∗ → Σ∗i (i ∈ I) are the natural projections. Assuming as

usual Lm(G) = L(G), there follows Lm(Gi) = L(Gi) (i ∈ I). Local controlstructure is assigned to the Gi as before:

Σic := Σi ∩ Σc, Σiu = Σi ∩ Σu, i ∈ I

216 CHAPTER 4

and the controllable sublanguage families Ci(·) are defined for each Gi in theexpected way.

We assume that local specification languages Ei ⊆ Lm(Gi) are given, forwhich we compute Ki = supCi(Ei) (i ∈ I). As before, the ith local supervisor(synthesizing Ki) induces global closed controllable behavior

Hi = P−1i (Ki) ∩ L(G), i ∈ I

The concurrent action of all local supervisors is then the global closed con-trollable behavior

H =∩

Hi |i ∈ I

Clearly PiH ⊆ Hi (i ∈ I), but in general equality fails, as the Hi imposesynchronization constraints on one another.

To obtain the desired extension of Proposition 1 we shall need a cor-respondingly strengthened version of the observer property, which appliesuniformly across the index set I. For ease of writing let I = 1, ..., k. Ac-cordingly, we say that the family Pi|i ∈ I is an I-fold Lm(G)-observerif

(∀s ∈ L(G)) (∀t1, ..., tk) ((∀i ∈ I)ti ∈ Lm(Gi) & Pis ≤ ti)

=⇒ (∃v ∈ Σ∗)sv ∈ Lm(G) & (∀j ∈ I)Pj(sv) = tj

Namely, whenever s ∈ L(G), and each Pis ∈ L(Gi) can be extended to amarked string of L(Gi) respectively, then s can be extended to a markedstring of G with the same I-fold projection.

Lemma 2Let Pi|i ∈ I be an I-fold Lm(G)-observer. Then the family P−1

i (Ki)|i ∈I is I-fold nonconflicting, in the sense that∩

P−1i (Ki)|i ∈ I ∩ L(G) =

∩P−1

i (Ki)|i ∈ I ∩ L(G)

ProofIt is enough to prove (⊇). With s ∈ P−1

i (Ki) ∩ L(G) (i ∈ I) there existti ∈ Σ∗

i such that

Pis ≤ ti ∈ Ki ⊆ Lm(Gi), i ∈ I

4.8 217

By the I-fold observer property there is v ∈ Σ∗ with sv ∈ Lm(G) andPj(sv) = tj (j ∈ I). Therefore

sv ∈∩

P−1j (Kj)|j ∈ I

namely

s ∈∩

P−1j (Kj)|j ∈ I

as required. 2

Now define

E :=∩

P−1i (Ei)|i ∈ I ∩ Lm(G)

K :=∩

P−1i (Ki)|i ∈ I ∩ Lm(G)

Then we have the following extension of Proposition 1.

Proposition 3Let Pi|i ∈ I be an I-fold Lm(G)-observer. Then K = H, K is control-

lable, and K ⊆ supC(E).

ProofUsing the I-fold observer property we easily confirm that the two lan-

guages ∩P−1

i (Ki)|i ∈ I, Lm(G)

are nonconflicting. From this it follows that

K =∩

P−1i (Ki)|i ∈ I ∩ Lm(G)

By Lemma 2 and the assumption that G is trim,

K =∩

P−1i (Ki)|i ∈ I ∩ L(G)

= H

as claimed. Thus K is controllable. Clearly K ⊆ E and so K ⊆ supC(E).2

Our discussion has shown that synthesizing each Ki locally in Gi is equiv-alent to globally synthesizing K. The I-fold observer property for the Pi willguarantee that the synthesis is globally nonblocking for G.

218 CHAPTER 4

We conclude with a remark on optimality. As suggested before, G willoften be given as a synchronous product of independent trim components,say G′

j (j ∈ J), over disjoint alphabets Σ′j. In the typical case considered

above, each Σi will be precisely a disjoint union of form

Σi =∪

Σ′j|j ∈ Ji

for some subset Ji ⊆ J . Thus Gi can be taken as precisely the synchronousproduct of the G′

j over j ∈ Ji. Then for each i ∈ I we can write

G = sync(Gi,G′′i )

where G′′i is defined over

Σ− Σi =∪

Σ′j|j ∈ J − Ji

and the above synchronous product is simply a shuffle.It follows that, for instance,

Ei := P−1i (Ei) ∩ Lm(G) = Ei ∥ Lm(G

′j)|j ∈ J − Ji, i ∈ I

Ki := P−1i (Ki) ∩ Lm(G) = Ki ∥ Lm(G

′j)|j ∈ J − Ji, i ∈ I

From this it is easy to see that each local control will be globally optimal, inthe sense that

Ki = supC(Ei), i ∈ I

NowE =

∩Ei|i ∈ I, K =

∩Ki|i ∈ I

and therefore

K =∩

Ki =∩

supC(Ei)

⊇ supC(∩

Ei

)= supC(E)

As we already know by Proposition 3 that K is controllable and K ⊆ E, itfollows that K = supC(E), namely K is globally optimal as well.

In summary: when G is the shuffle of trim components, and when thespecifications are ‘localizable’ to component groups (indexed i ∈ I) subject

4.9 219

to the I-fold observer property, then concurrent optimal nonblocking localcontrol for each group provides global control that is also optimal and non-blocking. However, it should be recognized that the I-fold observer propertyis only a sufficient condition, and may well be too strong for many practi-cal applications. In practice other methods of ensuring nonblocking may bepreferred which are likely to be case-dependent (cf. Section 4.7).

Exercise 4: Taking the index sets J = 1, 2, 3, J1 = 1, 2, J2 = 1, 3, I =1, 2, construct examples of (G′

1,G′2,G

′3) over pairwise disjoint alphabets

(Σ′1,Σ

′2,Σ

′3) for which the I-fold observer property is (resp. is not) satisfied.

Exercise 5: Investigate the applicability of the results of this section to theAGV system of Section 4.7.

4.9 Reasoning about Nonblocking

In many applications the verification that the closed-loop languages imple-mented by individual modular controllers are nonconflicting can be achievedby exploiting plant structure and its relation to the task decomposition onwhich the modularity is based. For example, in Small Factory the overallsupervisory task was decomposed into subtasks corresponding to ‘normaloperation’ and ‘breakdown and repair’, of which the latter in a natural senseprecedes the former: if either or both machines are broken down, then repairthem before continuing with production. To verify that modular supervisionis nonblocking, it suffices to show, roughly speaking, that at any state ofthe system MODSUP/FACT a breakdown and repair subtask (possiblynull) can be completed first, followed by the completion of a normal oper-ation subtask, in such a way that the system is brought to a marker state.The success of this maneuver depends on the fact that the subtasks of themodular decomposition are ordered in a natural sequence.

We present a simple formalization of this idea on which the reader maymodel his own versions in the context of more elaborate examples. Adoptingthe notation of Section 4.2, let

Si = (Xi,Σ, ξi, x0i, Xmi) i = 1, 2

For simplicity we assume that Xm2 is a singleton xm2. Now define

Σ1 = σ ∈ Σ|(∀x ∈ X1)ξ1(x, σ)!

220 CHAPTER 4

In particular Σ1 will include the events that are self-looped at each state ofS1, these being the events to which the operation of S1 is indifferent, namelythe events that are irrelevant to the execution of S1’s subtask; and theseevents will typically include those that are relevant to S2. Next define

Σ2 = σ ∈ Σ|ξ2(xm2, σ) = xm2

Thus Σ2 is the subset of events that are self-looped at xm2 in S2, henceto which S2 is indifferent upon completion of its subtask. We impose twostructural conditions on S1 ∧ S2:

(i) (∀s ∈ L(S2/G))(∃t ∈ Σ∗1)st ∈ Lm(S2) ∩ L(G)

(ii) (∀s ∈ L(S1/G) ∩ Lm(S2))(∃t ∈ Σ∗2)st ∈ Lm(S1/G)

Condition (i) says that any string of G that is accepted (but not necessarilymarked) by S2 can be completed to a marked string of S2 by means of a stringthat is accepted by G and S1. Condition (ii) states that any string that isaccepted by G and S1 and marked by S2 can be completed to a markedstring of both S1 and G by means of a string to which S2 is indifferent (withS2 resident in xm2).

Theorem 1Let S1 and S2 be proper supervisors for G. Subject to conditions (i) and

(ii) above, the supervisor S1 ∧ S2 is nonblocking for G.

ProofLet s ∈ L((S1 ∧ S2)/G). It must be checked that there exists t ∈ Σ∗

such that st ∈ Lm((S1 ∧ S2)/G). Since s ∈ L(S2/G), by condition (i) thereis u ∈ Σ∗

1 such that su ∈ Lm(S2) ∩ L(G). By definition of Σ1 and the factthat s ∈ L(S1/G) it follows that su ∈ L(S1/G); therefore su ∈ L(S1/G) ∩Lm(S2). By condition (ii) there is v ∈ Σ∗

2 such that suv ∈ Lm(S1/G); andby definition of Σ2 we also have suv ∈ Lm(S2). This shows that

suv ∈ Lm(S1) ∩ Lm(G) ∩ Lm(S2) = Lm((S1 ∧ S2)/G)

and the result follows on setting t = uv. 2

As a straightforward illustration, we apply Theorem 1 to Small Factory.Set G = FACT, S1 = BUFSUP and S2 = BRSUP. Then we have

Σ1 = λ1, µ1, β2, λ2, µ2, Σ2 = µ1, α1, β1, λ1, α2, β2

4.9 221

Let s ∈ L(BRSUP/FACT). Call the states of BRSUP ‘idle’ and ‘active’.If BRSUP is active (MACH2 is broken down), then let u1 := µ2 (repairMACH2), otherwise u1 := ϵ (do nothing). Call the states of MACHi‘idle’, ‘working’ and ‘down’. If after s was generated MACH1 was downthen let u2 := µ1 (repair MACH1), otherwise u2 := ϵ (do nothing); andset u := u1u2. Then u is accepted by BUFSUP, and after su BRSUPis resident at its marker state ‘idle’. Now use the fact that with each ofMACH1 and MACH2 either idle or working there is a string v accepted byBUFSUP that returns both machines to idle and BUFSUP to its markerstate (where the buffer is empty), while always keeping BRSUP idle. Thestring uv then suffices to show that BUFSUP ∧ BRSUP is nonblocking.

Exercise 2: Apply Theorem 1 (or a suitable variation thereof) to show thatthe modular supervisor for Big Factory (Section 4.5) is nonblocking. Repeatthe exercise for Transfer Line (Section 4.6).

Exercise 3: Consider a manufacturing cell consisting of a robot (ROB), in-put conveyor (INCON), input buffer (INBUF), machining station (MS),output buffer (OUTBUF), and output conveyor (OUTCON). The opera-tions of MS are to download and initialize the machining program, accept aworkpiece from INBUF, machine it to the specified dimensions, and placeit in OUTBUF. The preconditions for the process to start are that MSshould be idle and a workpiece should be available at INBUF. ROB trans-fers a workpiece from INCON to INBUF, provided a workpiece is available,ROB is free, and INBUF is empty. Similarly, ROB transfers a completedworkpiece from OUTBUF to OUTCON. INBUF (resp. OUTBUF) canbe in one of the states: empty (full), being loaded (being unloaded) by therobot, or full (empty). A workpiece follows the path: INCON, INBUF,MS, OUTBUF, OUTCON.

Develop a DES model for the workcell with plausible assignments of con-trollable and uncontrollable events. Investigate both centralized and modu-lar supervision, subject (at least) to the specifications that the buffers neveroverflow or underflow, and that the supervised system is nonblocking.

Exercise 4: Four jobs A1, A2, A3, A4 are to be done with two tools T1,T2. Each job is to be done exactly once. A1 consists of an initial operationusing T1, then a final operation using both T1 and T2. A2 consists of aninitial operation using T2, then a final operation using both T2 and T1.

222 CHAPTER 4

A3 uses only T1; A4 uses only T2. The four jobs can be done in any order;interleaving of several jobs at a time is permitted.

The jobs are identified with corresponding ‘agents’; thus ‘Ai does jobi’. Model T1 on two states, with transitions [0,i11,1] (i=1,2,3) to mean‘Ai acquires T1’, and [1,i10,0] to mean ‘Ai releases T1’. Similarly T2 ismodeled on two states with transitions [0,i21,1],[1,i20,0] (i=1,2,4). After ajob is finished, the tool or tools are released, in any order, and finally a‘job completed’ signal is output (event i00, i=1,2,3,4). Thus A1, A2 areeach modeled on 6 states, A3 and A4 on three. The requirement that theith job be done exactly once is modeled by the two-state automaton Di inwhich only state 1 is marked, and the appropriate event i?1 disabled there toprevent a repetition. PLANT is the synchronous product of A1, A2, A3,A4; SPEC is the synchronous product of T1, T2, D1, D2, D3, D4, ALL,where ALL is obtained from allevents.

Find the global supervisor by supcon, and then reduce it using supre-duce. Compute various projections of interest: for instance, focus on toolusage but (by means of relabel) blur the identity of agents, or focus onagents but blur the identity of tools.

To construct a modular supervisor, first note that PLANT and T (=sync(T1,T2,ALL)) conflict, since for instance if A1 takes T1 (event 111)and immediately afterwards A2 takes T2 (event 221) then deadlock occurs;and similarly for the event sequence 221,111. These sequences can be ruledout a priori by suitable specifications (conflict resolvers).

Exercise 5: Consider agents A1, A2, A3, each defined on two states withthe initial state (only) marked.

A1 has transitions [0, γ, 0], [0, α, 1], [1, α, 0]A2 [0, γ, 0], [0, β, 1], [1, β, 0]A3 [0, γ, 1], [1, γ, 0]

A1 and A2 can be thought of as operating two switches which control A3. Ifboth switches are RESET (state 0) then A3 can make the transition [1,γ,0]and return home, but if either switch is SET then A3 is blocked at state1. Clearly A1 and A2 can cycle in such a way that, once A3 has enteredits state 1, it remains blocked forever. Despite this, the overall system A =sync(A1,A2,A3) is nonblocking in the DES sense. Suggest a possible cure.

Exercise 6: Dining Philosophers

4.9 223

In this famous problem (due to E.W. Dijkstra) five philosophers (P1,...,P5), who spend their lives alternately eating and thinking, are seated ata round table at the center of which is placed a bowl of spaghetti. Thetable is set with five forks (F1, ...,F5), one between each pair of adjacentphilosophers. So tangled is the spaghetti that a philosopher requires bothforks, to his immediate right and left, in order to eat; and a fork may notbe replaced on the table until its user has temporarily finished eating andreverts to thinking. No a priori constraint is placed on the times at which aphilosopher eats or thinks.

Design modular supervisors which guarantee that (1) a fork is used byat most one philosopher at a time, and (2) every philosopher who wishes toeat can eventually do so – i.e. no one is starved out by the eating/thinkinghabits of others. Hint: Model each P on states [0] Thinking, [1] Ready, and[2] Eating, with the transition from [1] to [2] controllable; and each F on twostates [0] Free and [1] In use. You may assume that a philosopher can pick upand replace both his forks simultaneously. A fair way to prevent starvationcould be to require that no philosopher may commence eating if either ofhis two neighbors has been ready longer. For this, equip each philosopherwith a queue which he and his two neighbors enter when they are ready toeat. Note that the queue for Pi should not distinguish between P(i-1) andP(i+1), but only enforce priority between Pi and one or both of them; itmay be modeled on 9 states. Prove that, under your control scheme, anyonewho is ready to eat is guaranteed eventually to be able to do so: this is astronger condition than ‘nonblocking’, as it prohibits ‘livelock’ behavior suchas P2 and P5 cycling in such a way as to lock out P1.

A TCT modular solution along these lines produced a combined onlinecontroller size of (1557,5370) with corresponding controlled behavior of size(341,1005).

Next assume that no philosopher dawdles longer than 1 minute if Readyand enabled to eat, or spends more than 9 minutes Eating. Show that aphilosopher need wait at most 40 minutes at Ready before Eating. Hint: Asa worst case for P5, suppose that initially P1, P2,...,P5 enter Ready withoutdelay and in that order.

224 CHAPTER 4

Exercise 7: Manufacturing cell with interacting loops

2

3

02 1 0

3

12

3

02 1 0

3

133

M213 17

23 11

1525

27

45

21

35

43M1

M2

#1 IN

33

1513

35

2325

21

11

27

17

4543

#2 IN

M1

BUF2 BUF3BUF4BUF1

#2 OUT

#1 OUT

4.9 225

Consider the manufacturing cell displayed, consisting of 2 machines M1,M2; and 4 buffers BUF1,...,BUF4. The cell runs 2 production sequences,for workpieces of types 1,2 respectively. The sequences share use of M1, M2,but employ separate buffers:

#1 : IN11−→M1

15−→BUF133−→M2

35−→BUF313−→M1

17−→OUT

#2 : IN21−→M2

45−→BUF423−→M1

25−→BUF243−→M2

27−→OUT

Numbers on the arrows are event labels; all events are controllable. Eachbuffer has capacity 1. The specification is no buffer overflow, together withsystem nonblocking (with marked initial state for machines and buffers). M1and M2 have similar structure, with events as displayed.

Sequence Event Interpretation

1

11 M1 takes a type #1 workpiece at IN15 M1 deposits result in BUF133 M2 takes #1 wp from BUF135 M2 deposits result in BUF313 M1 takes #1 wp from BUF317 M1 sends finished #1 wp OUT

2

21 M2 takes a type #2 workpiece at IN45 M2 deposits result in BUF423 M1 takes #2 wp from BUF425 M1 deposits result in BUF243 M2 takes #2 wp from BUF227 M2 sends finished #2 wp OUT

In the usual way compute the monolithic supervisor SUPER (225,472),which may be reduced to SIMSUP (38,258; slb=32). For decentralizedcontrol, start with BUF1,...,BUF4 as representations of their individualspecifications; combine these with M1, M2 to form CELL. As the latterfails to be nonblocking, it turns out that several coordinators are needed.Construct these as follows: COORD1 (resp. COORD2) enforces that atmost 3 #1 (resp. #2) workpieces can be in progress at any time; COORD3enforces that at most 3 workpieces of either kind can be admitted to thesystem before a transfer to the second stage of processing (i.e. to M2 viaevent 33 for #1 or to M1 via event 23 for #2); COORD4 enforces that atmost 3 workpieces of either kind can be transferred to the second stage of

226 CHAPTER 4

processing (events 23,33) before a transfer to the output stage (events 13,43).Each coordinator can be modeled on 4 states. Verify that the decentralizedarchitecture comprising the 4 2-state buffer controllers plus the 4 4-statecoordinators achieves optimal nonblocking supervision. Analyze the systembehavior to explain the rationale underlying this approach.

Repeat this exercise after relabeling the following controllable events totheir more ‘natural’ uncontrollable counterparts: relabel (15,17,25,27,35,45)to, say, (14,16,24,26,34,44) respectively. Explain the (perhaps surprising)difference between the two decentralized architectures.

4.10 Synchronization and Event Hiding

Individual DES can be combined into modules by synchronization followedby projection to achieve event hiding and thus encapsulation. However, caremust be taken not to attempt to synchronize an uncontrollable specifica-tion with a generator, with respect to an uncontrollable event. The correctprocedure would be to compute the supremal controllable sublanguage, andthen hide the uncontrollable event. Also, care must be taken not to produceblocking or deadlock.

Example 1: Small FactoryDefine MACH1, MACH2, BUF2 [buffer with 2 slots] as in Exam-

ple 3.3.19. To plug MACH1 into BUF2 requires synchronizing on event10. Since 10 is uncontrollable, one must compute the supremal controllablesublanguage. For this, take as the specification the (uncontrollable) syn-chronous product of MACH1 and BUF2: call this SPEC1; and as theplant, MACH1 self-looped with the buffer event 21: call this SMACH1.

SPEC1 = sync(MACH1,BUF2) (9,17)SMACH1 = selfloop(MACH1,[21]) (3,7)SUPM1B = supcon(SMACH1,SPEC1) (7,12)

MACH1, BUF2 are now controllably synchronized on the shared event 10.Hiding this event, we get

HSUPM1B = project(SUPM1B,null[10])

4.10 227

Thus HSUPM1B can be considered as a module with events 11,12,13,21.Let’s suppose that the breakdown/repair logic is of no interest, and hideevents 12,13. This gives the module

MACH3 = project(HSUPM1B,null[12,13]) (3,5)

Now MACH3 can be synchronized with MACH2 on event 21, and events21,22,23 hidden. This yields the final module MACH5, over events 11(‘MACH1 goes to work’) and 20 (‘MACH2 outputs a product’).

MACH4 = sync(MACH3,MACH2) (9,20)MACH5 = project(MACH4,null[21,22,23]) (4,7)

This procedure may be compared with the more standard one of ‘monolithic’design:

MACH6 = shuffle(MACH1,MACH2) (9,24)SPEC2 = selfloop(BUF2,[11,12,13,20,22,23]) (3,22)MACH7 = supcon(MACH6,SPEC2) (21,49)MACH8 = project(MACH7,null[10,12,13,21,22,23]) (4,7)

One now can verify that MACH8, the standard input-output model forSmall Factory under control, is isomorphic with MACH5.

Example 2: Transfer LineSystems with feedback loops should be encapsulated by working from

inside a loop to the outside. For this system, M1, M2, B1, B2, TU are cre-ated as in Section 4.6. From the block diagram, it makes sense to synchronizeM2 with B2, then this result with TU.

SP1 = sync(M2,B2) (4,5)SM2 = selfloop(M2,[5]) (2,4)SUPM2B2 = supcon(SM2,SP1) (3,3)M3 = project(SUPM2B2,null[4]) (2,2)

M3TU = sync(M3,TU) (4,7)M4 = project(M3TU,null[5]) (3,6)

228 CHAPTER 4

At this stage the system can be regarded as the shuffle of plant componentsM1 and M4, subject to the constraint imposed by B1 alone as specification.To obtain the corresponding optimal supervisor (M6, below) we compute

M5 = sync(M1, M4) (6,18)M5ALL = allevents (M5) (1,5)B1SPEC = sync(B1,M5ALL) (4,17)M6 = supcon(M5,B1SPEC) (15,36)

Projecting out the internal events 2,3,8 of M6, we obtain

M7 = project(M6,image[2,3,8]) (4,6)

M7 displays the correct operation of Transfer Line with respect to inputevent 1 and output event 6, equivalent to a buffer of capacity 3, as shownbelow.

1 1 1

6 6 6

Finally we compute reduced versions of the two modular supervisors SUPM2B2and M6 obtained above.

SUPM2B2 = condat(SM2,SUPM2B2)SIMM2B2= supreduce(SM2,SUPM2B2,SUPM2B2) (2,3;slb=2)M6 = condat(M5,M6)M6SIM = condat(M5,M6SIM)M6SIM = supreduce(M5,M6,M6) (7,25;slb=7)

These can be verified correct in the usual way; for instance

TEST = meet(M5,M6SIM) (15,36)isomorph(M6,TEST;identity) = true

We can check the correctness of our decentralized supervisor as follows. Itstwo modular components yield the equivalent controller

MODSUP = sync(SIMM2B2,M6SIM) (14,59)

4.11 229

which is verified to incorporate all events of TL:

MODSUPAL = allevents(MODSUP) (1,7)true = isomorph(MODSUPAL,ALL;identity)

Furthermore, MODSUP is a proper supervisor for TL:

TMODSUP = trim(MODSUP) (14,59)isomorph(TMODSUP,MODSUP;identity) = truenonconflict(TL,MODSUP) = trueMODSUP = condat(TL,MODSUP)

The resulting controlled behavior is

TEST = meet(TL,MODSUP) (28,65)

Comparing TEST with CSUP (Section 4.6), we see that TEST is optimal,in accordance with

isomorph(CSUP,TEST;identity) = true

Finally, it is of interest to compare the reduced supervisor for monolithiccontrol, namely

CSIM = supreduce(TL,CSUP,CSUP) (8,31;slb=8)

having (minimal) size 8, with the modular reduced supervisors SIMM2B2and M6SIM, of (minimal) sizes 2 and 7 respectively.

Exercise 3: Formalize synchronization and event hiding with the aid of thegraph-theoretic structure of the plant block diagram.

4.11 Distributed Supervision by Supervisor

Localization

As discussed in previous sections of this chapter, decentralized supervisioncan be viewed as the allocation of control action to distinct specifications. Forinstance, in Small Factory (Section 4.4) we associated a specialized supervisorto each of the specifications concerning buffer control, and priority of repair,respectively.

230 CHAPTER 4

Each supervisor is decentralized in the sense that it exercises controlaction with respect to its corresponding specification alone. We have seenthat the resulting family of decentralized supervisors must typically (as inTransfer Line, Section 4.6) be augmented by a coordinator which overseestheir collective action to prevent possible conflict and overall system blocking.A coordinator can be regarded as just one more decentralized supervisor,corresponding to the specification of global nonblocking alone.5 The goal isto ensure that the resulting family of supervisors is control-equivalent (has thesame control action) as the (perhaps hypothetical) optimal and nonblockingcentralized ‘monolithic’ supervisor, which for large systems may be infeasibleto compute.

In this section we carry the control decomposition process one step fur-ther, by an extension and refinement of decentralized supervision that is moreproperly termed ‘distributed supervision’. We start from a plant model that,just as before, is typically the synchronous product of individual componentDES that we now term ‘agents’, for instance in Small Factory the modelFACT = sync(MACH1,MACH2). For simplicity we make the assump-tion (usually the case in decentralized supervision) that the agents Ai (e.g.MACH1, MACH2) are defined over pairwise disjoint alphabets Σi, namelyin that sense the agents are ‘independent’.

Suppose SUPER is one of our decentralized supervisors. We propose todecompose SUPER into local supervisors, say LOCi, one for each agent Ai.LOCi is ‘local’ in the sense that it will exercise control (disabling) action onlyover the controllable events of Ai, although it may very well depend for thisaction on events ‘imported’ from various other agents Aj with j = i. ThusLOCi will be a DES defined over an alphabet formed as the union of Σi withsome subalphabet of

∪Σj|j = i. The process of computing the components

LOCi will be called ‘supervisor localization’. The desired result (not alwaysachievable) is that each LOCi is rather small in size (compared to SUPER),and involves relatively few of the Σj with j = i. In any case, the criterionof validity is just that the joint action of the LOCi is control-equivalent toSUPER, namely if PLANT = sync(A1, . . . ,AN) then

sync(A1,LOC1, . . . ,AN,LOCN) = SUPER

For a suggestive physical metaphor consider a group of agents - in this casemotorists - maneuvering through a congested intersection without benefit

5This specification can be represented in TCT by the DES ALLPLANT = al-levents(PLANT).

4.11 231

of any ‘global’ supervision by the usual external controls (traffic lights oran officer). Each motorist will exercise direct control only over his ownvehicle, in pursuit of his individual objective but obviously in response tovisual and auditory cues (‘events’) from neighboring vehicles, and guidedalso by commonly accepted protocols. We imagine that a monolithic externalcontroller SUPER exists in principle, but is now replaced by its localizationinto each individual motorist (vehicle and driver).

In general the possible advantages of such a localized control architectureare that the local controllers LOCi are relatively simple, hence easily main-tainable, and their control action is transparent, namely readily understood.

Returning to Small Factory, say with buffer capacity 1 slot, we obtainthe monolithic supervisor FACTSUPER (12,24) and its reduced version(using supreduce) FACTSIMSUP (3,3). We apply TCT localize to theinput arguments (FACT,MACH1,MACH2,FACTSUPER) to obtain lo-cal supervisors MACH1LOC (3,-) and MACH2LOC (2,-), as displayedin Fig. 4.7. MACH1LOC imports events (21,22,23) from MACH2, whileMACH2LOC imports event 10 from MACH1. As a check we may com-pute the overall behavior under localized control as

sync(MACH1,MACH1LOC,MACH2,MACH2LOC) = TEST

say, and confirm that

isomorph(TEST,FACTSUPER) = true

MACH1LOC

2211; 12; 13 11; 12 22; 23

10

23

10

21

1020; 22; 23 20; 22; 23

21

MACH2LOC

Fig. 4.7. Local Supervisors MACH1LOC and MACH2LOC

232 CHAPTER 4

10

21

MACH2BUFLOC

1011

21

MACH1BRLOC

2213

23

MACH1BRLOC MACH2BRLOC

Fig. 4.8. Local Supervisors MACH1BUFLOC, MACH1BRLOC,MACH2BUFLOC, MACH2BRLOC

Smaller local supervisors can be obtained by applying localization sepa-rately to each of the two decentralized supervisors, sayBUFSUP (12,25) andBRSUP (9,23). As displayed in Fig. 4.8, MACH1 is equipped with localsupervisors MACH1BUFLOC (2,-), importing event 21 from MACH2,and MACH1-BRLOC (2,-) importing events 22,23 from MACH2; whileMACH2 is assigned local supervisors MACH2BUFLOC (2,-) importingevent 10 from MACH1 and a ‘virtual’ supervisor MACH2BRLOC (1,0)with no imports and exercising no control action. Again one checks correct-ness by (re)computing

TEST = sync(MACH1,MACH1BUFLOC,MACH1BRLOC,MACH2,MACH2BUFLOC,MACH2BRLOC)

and confirming

isomorph(TEST,FACTSUPER) = true

4.12 233

Exercise 1: Verify these results for Small Factory. Interpret and discusslocal supervisors’ action, paying special attention to the role of importedevents.

Exercise 2: Carry out a similar study of localization for Transfer Line (Sec-tion 4.6, especially Exercise 4.6.2), this time computing 9 local supervisors,namely 3 for each of the plant components M1,M2,TU corresponding tothe 3 decentralized supervisors obtained from the specifications governingthe buffers B1,B2 and the coordinator LOOP.

4.12 Notes and References

Modular (specifically, decentralized) supervisory control theory, in the senseof this chapter, originated with the doctoral theses of P.J. Ramadge [T01], F.Lin [T08] and K. Rudie [T23], and related papers [J06, J07, J08, J20]. TheTransfer Line of Section 4.6 is adapted from Al-Jaar & Desrochers [1988] andDesrochers & Al-Jaar [1995].

The instructive AGV control problem of Section 4.7, including (essen-tially) Fig. 4.1, is due to Holloway & Krogh [1990], whose approach wasbased on Petri nets, and was not confirmed to achieve nonblocking. In ourversion, adding the mutual exclusion Specification 5 and requiring globalnonblocking, the problem is appreciably more difficult.

Details of the work by L. Feng cited in the latter part of Section 4.7can be found in Section 4.6 of [T54]. Summary versions were reported in[C110,J56,J59]. The key concepts are control flow net, inessential or ‘harm-less’ specifications (here the ZiSPEC), and abstraction using natural ob-servers with an output-control-consistency property.

The decentralized projection formulation of Section 4.8 is a variation onLin & Wonham [J08]; the observer property is due to K.C. Wong [T28, J30,J31], while its ‘I-fold’ extension originates here. The computation of localcontrollers for individual specifications was highlighted by Queiroz & Cury[2000]. For other investigations of decentralized supervisory control see, forinstance, Willner & Heymann [1991] and Akesson et al. [2002].

The robotics model of Exercise 4.9.3 was suggested by K.P. Valavanis,while the celebrated problem of the Dining Philosophers (Exercise 4.9.6)originated with E.W. Dijkstra [1971] and has been widely reproduced in theliterature on concurrency and computer operating systems.

234 CHAPTER 4

Exercise 4.9.7 is adapted from Lin & Wonham [J16]. Our coordinatorswere obtained using the ‘control-flow’ decomposition due to L. Feng [C110,J56, T54].

Recent approaches to decentralized supervision, including [C109], [C110],can be found among the contributions to WODES’06 and WODES’08.

The concept of distributed control by supervisor localization is due to K.Cai in [T55] and derived publications [C119, C120, J61, J62, M2]. Localiza-tion makes essential use of the construct ‘control cover’ used for supervisorreduction, as introduced in [J40].

Chapter 5

Hierarchical Supervision ofDiscrete-Event Systems

Hierarchy is a layered architecture in which control authority is structuredaccording to scope, as measured by temporal horizon and logical depth ofcommand. The fundamental problem with hierarchy is to guarantee thateach layer faithfully executes the commands received from the next higher, asconfirmed by the corresponding feedback loop. Such hierarchical consistencyis addressed in the framework of controlled DES already introduced; it isachieved by suitable refinement of the information transmitted from a givenlayer to the next higher.

5.1 Hierarchical Control Structure

Hierarchical structure is a familiar feature of the control of dynamic systemsthat perform a range of complex tasks. It may be described generally asa division of control action and the concomitant information processing bylayering, according to scope. Commonly, the scope of a control action isdefined by the extent of its temporal horizon, or by the depth of its logicaldependence in a task decomposition. Generally speaking, the broader thetemporal horizon of a control and its associated subtask, or the deeper its

235

236 CHAPTER 5

logical dependence on other controls and subtasks, the higher it is said toreside in the hierarchy. Frequently the two features of broad temporal horizonand deep logical dependency are found together.

In this chapter we formalize hierarchical structure in the control of DES,by means of a mild extension of the framework already introduced. Whiledifferent approaches to hierarchical control might be adopted even within thisrestricted framework, the theory to be presented captures the basic feature ofscope already mentioned, and casts light on an issue that we call hierarchicalconsistency.

In outline our setup will be the following. Consider a two-level hierarchyconsisting of a low-level plant Glo and controller Clo, along with a high-levelplant Ghi and controller Chi. These are coupled as shown in Fig. 5.1.

Chi

Clo Glo

Ghi high-level

low-level

Infhi

Conhi

Inflo

Conlo

InflohiComhilo

Fig. 5.1. Two-Level Control Hierarchy

Our viewpoint is that Glo is the actual plant to be controlled in the realworld by Clo, the operator; while Ghi is an abstract, simplified model of Glo

that is employed for decision-making in an ideal world by Chi, the manager.The model Ghi is refreshed or updated every so often via the informationchannel (or mapping) labeled Inflohi (‘information-low-to-high’) to Ghi fromGlo. Alternatively one can interpret Inflohi as carrying information sent upby the operator Clo to the manager Chi: in our model the formal result willbe the same. Another information channel, Inflo (‘low-level information’),provides conventional feedback from Glo to its controller Clo, which in turnapplies conventional control to Glo via the control channel labeled Conlo

5.1 237

(‘low-level control’). Returning to the high level, we consider that Ghi isendowed with control structure, according to which it makes sense for Chi toattempt to exercise control over the behavior of Ghi via the control channelConhi (‘high-level control’), on the basis of feedback received from Ghi viathe information channel Infhi (‘high-level information’). In actuality, thecontrol exercised by Chi in this way is only virtual, in that the behaviorof Ghi is determined entirely by the behavior of Glo, through the updatingprocess mediated by Inflohi. The structure is, however, completed by thecommand channel Comhilo linking Chi to Clo. The function of Comhilo is toconvey the manager’s high level control signals as commands to the operatorClo, which must translate (compile) these commands into corresponding low-level control signals which will actuate Glo via Conlo. State changes inGlo will eventually be conveyed in summary form to Ghi via Inflohi. Ghi

is updated accordingly, and then provides appropriate feedback to Chi viaInfhi. In this way the hierarchical loop is closed. The forward path sequenceComhilo;Conlo is conventionally designated ‘command and control’, whilethe feedback path sequence Inflohi; Infhi could be referred to as ‘report andadvise’.

As a metaphor, one might think of the command center of a complexsystem (e.g. manufacturing system, electric power distribution system) asthe site of the high-level plant model Ghi, where a high-level decision maker(manager) Chi is in command. The external (real) world and those (opera-tors) coping with it are embodied in Glo, Clo. The questions to be addressedconcern the relationship between the behavior required, or expected, by themanager Chi of his high-level model Ghi, and the actual behavior imple-mented by the operator Clo in Glo in the manner described, when Glo andInflohi are given at the start. It will turn out that a relationship of hierar-chical consistency imposes rather stringent requirements on Inflohi and that,in general, it is necessary to refine the information conveyed by this channelbefore consistent hierarchical control structure can be achieved. This resultaccords with the intuition that for effective high-level control the informa-tion sent up by the operator to the manager must be timely, and sufficientlydetailed for various critical low-level situations to be distinguished.

Exercise 1: Pyramidal hierarchyIn its simplest form, the ‘classical’ pyramidal hierarchy can be considered

as a population of N ‘agents’ organized into levels indexed 0, 1, 2, ..., n, start-ing from the top. Assume that the kth level has population rk, where the

238 CHAPTER 5

‘scope ratio’ r is constant from one level to the next; thus the total popula-tion has size N = 1+ r+ r2 + ...+ rn. In applications, r could be identified,as here, with the number of subordinate agents reporting directly to a givenagent, or alternatively as the ratio of time horizons from one level to the nextlower, or the ratio of the average occurrence frequencies of significant eventsfrom one level to the next higher. In the analogous structure of nested-loopcontrol systems, r could be thought of as the ratio of bandwidths in passingfrom a given loop to the next outermost, inner loops being fast and outerones slow. We conjecture that in real life, the scope ratio r tends to be on theorder of 5, ranging from 2 to perhaps 10. Test this claim against examples ofyour own choosing, say the Mongolian armed forces, or the Pepsi-Cola Co.For instance, you could work out a value of r from an estimate of the totalpopulation N and the number of levels n + 1; or else n from r and N . In amore refined model, r might increase or decrease with rise in level; interpret,and check the numbers again.

5.2 Two-Level Controlled Discrete-Event Sys-

tem

For Glo we take the usual 5-tuple

Glo = (Q,Σ, δ, q0, Qm)

Here Σ is the set of event labels, partitioned into controllable elements (Σc ⊆Σ) and uncontrollable elements (Σu ⊆ Σ); Q is the state set; δ : Q× Σ → Qis the transition function (in general a partial function, defined at each q ∈ Qfor only a subset of events σ ∈ Σ: in that case we write δ(q, σ)!); q0 is theinitial state; and Qm ⊆ Q is the subset of marker states. The uncontrolledbehavior of Glo is the language

Llo := L(Glo) ⊆ Σ∗

consisting of the (finite) strings s ∈ Σ∗ for which the (extended) transitionmap δ : Q× Σ∗ → Q is defined.

In this section, as well as Sections 5.3-5.5, we only consider the case Qm =Q, namely all the relevant languages are prefix-closed. This assumption ismade for simplicity in focussing on the basic issue of hierarchical consistency.

5.2 239

The theory will be generalized to include marking and treat nonblocking inSection 5.7.

We recall that if G is a controlled DES over an alphabet Σ = Σc∪Σu, andK is a closed sublanguage of Σ∗, then K is controllable (with respect to G) ifKΣu ∩ L(G) ⊆ K. To every closed language E ⊆ Σ∗ there corresponds the(closed) supremal controllable sublanguage supC(E ∩ L(G)). In this chapterit will be convenient to use the notation

supC(M) =:M↑

Let T be a nonempty set of labels of ‘significant events’. T may bethought of as the events perceived by the manager which will enter into thedescription of the high-level plant model Ghi, of which the derivation willfollow in due course. First, to model the information channel (or mapping)Inflohi we postulate a map

θ : Llo → T ∗

with the properties

θ(ϵ) = ϵ,

θ(sσ) =

either θ(s)or θ(s)τ , some τ ∈ T

for s ∈ Llo, σ ∈ Σ (here and below, ϵ denotes the empty string regardless ofalphabet). Such a map θ will be referred to as causal. A causal map is, inparticular, prefix-preserving: if s ≤ s′ then θ(s) ≤ θ(s′). Intuitively, θ canbe used to signal the occurrence of events that depend in some fashion onthe past history of the behavior of Glo: for instance θ might produce a freshinstance of symbol τ ′ whenever Glo has just generated a positive multiple of10 of some distinguished symbol σ′, but ‘remain silent’ otherwise.

Exercise 1: Prove that θ : Llo → T ∗ is causal if and only if it commuteswith prefix closure, namely for all sublanguages K ⊆ Llo, not necessarilyclosed,

θ(K) = θ(K)

Exercise 2: Show that a prefix-preserving map θ : Llo → T ∗ need not becausal.

240 CHAPTER 5

It is convenient to combine θ with Glo in a unified description. Thismay be done in standard fashion by replacing the pair (Glo, θ) by a Mooregenerator having output alphabet

To = T ∪ τo

where τo is a new symbol ( ∈ T ) interpreted as the ‘silent output symbol’. Tothis end write temporarily

Glo = (Q,Σ, To, δ, ω, q0, Qm)

Here the items written with a tilde play the same role as in Glo, whileω : Q→ To is the state output map. Glo is constructed so that

δ(q0, s)! iff δ(q0, s)!, s ∈ Σ∗

Thus Glo generates exactly the language Llo. For ω define

ω(q0) = τo

while if δ(q0, sσ)! then

ω(δ(q0, sσ)) = τo if θ(sσ) = θ(s)

ω(δ(q0, sσ)) = τ if θ(sσ) = θ(s)τ

Thus ω outputs the silent symbol τo if θ outputs ‘nothing new’, and outputsthe ‘fresh’ symbol τ ∈ T otherwise.

An abstract construction of Glo is straightforward, using the canonicalidentification of states with the cells (equivalence classes) of a suitable rightcongruence on strings. For s, s′ ∈ Llo define

s ≡ s′(mod Llo) iff (∀u ∈ Σ∗)su ∈ Llo ⇔ s′u ∈ Llo

Next define ω : Llo → To according to

ω(ϵ) = τo

and if sσ ∈ Llo, then

ω(sσ) =

τo if θ(sσ) = θ(s)τ if θ(sσ) = θ(s)τ

5.2 241

Now let, for s, s′ ∈ Llo,

s ≡ s′(mod θ) iff ω(s) = ω(s′) &

(∀u ∈ Σ∗)(∀t ∈ T ∗)su ∈ Llo & s′u ∈ Llo ⇒ (θ(su) = θ(s)t⇔ θ(s′u) = θ(s′)t)

It is readily shown that equivalence (mod θ) is a right congruence on Llo.As equivalence (mod Llo) is a right congruence too, so is their commonrefinement (i.e. their meet in the lattice of right congruences); and the cellsof this refinement furnish the states of Glo.

From this point on we shall assume that the starting point of our hier-archical control problem is the unified description Glo. So we drop the tildeand write

Glo = (Q,Σ, To, δ, ω, q0, Qm) (5.1)

with Qm = Q.At this stage we temporarily define Ghi. For this we note that, in the

absence of any control action, Glo generates the uncontrolled language Llo.For now, Ghi will be taken as the canonical recognizer (in the generatorsense) for the image of Llo under θ:

L(Ghi) = θ(Llo) ⊆ T ∗

and we write L(Ghi) =: Lhi. As yet, however, the event label alphabet T ofGhi needn’t admit any natural partition into controllable and uncontrollablesubalphabets; that is, Ghi needn’t possess any natural control structure.This defect will be remedied in the next section.

The following simple example will be used throughout. Following theinteger labeling conventions of TCT we define the state set and alphabets ofGlo in (5.1) according to

Q = 0, 1, 2, 3, 4, q0 = 0

Σ = 0, 1, 2, 3, 4T = α, β, τo = o

In Σ the odd-numbered elements are controllable, the even-numbered ele-ments uncontrollable. The state transition and output structure of Glo isdisplayed in Fig. 5.2 along with a canonical recognizer for Lhi. Observe that,whether or not τ ∈ α, β can be disabled as ‘next output’ by a supervisory

242 CHAPTER 5

controller that can disable the controllable elements of Σ, depends on thecurrent state q ∈ Q of Glo: for instance τ = α can be disabled at q = 2but not at q = 0, 1, 3 or 4. Thus Ghi does not yet possess natural controlstructure.

Glo

α β

3

2

0

1 4201 2 3

4

α

Ghi

α

β

0

ooo

Fig. 5.2. Low and High-level DES

Exercise 3: Show that equivalence (mod θ) is a right congruence on Llo.

5.3 High-Level Control Structure

In this section we indicate how to refine the descriptions of Glo and Ghi inorder to equip Ghi with control structure, so that a high-level controller Chi

that observes only the state of Ghi can make meaningful control decisions.By way of control structure we adopt the (usual) supervisory structure havingthe same type as in Glo. We shall refine the state structure of Glo, extendthe high-level event alphabet T , and partition the extension into controllableand uncontrollable subsets.

Conceptually these operations are carried out as follows. Referring to theexample above, consider a reachability tree for Llo with initial state q0 = 0as the root. The first few levels of the tree are displayed in Fig. 5.3. Eachnode of the tree is labeled with the corresponding value τ ′ ∈ To = o, α, βof the output map ω, and is then called a τ ′-node.

5.3 243

o

o

α

o

α β

α o

α u

2

c

c

2

3 0

c

u

0

2

1

root

4

Fig. 5.3. Reachability Tree

In general it will be convenient to write ω : Llo → To for the output mapon strings defined by ω(s) = ω(δ(q0, s)) whenever s ∈ Llo, i.e. δ(q0, s)!. Witha slight abuse of notation we also write ω : N → To where N is the node setof the reachability tree of Llo.

In the tree, τ ′-nodes with τ ′ = τo = o are silent; τ ′-nodes with τ ′ ∈ T =α, β are vocal. A silent path in the tree is a path joining two vocal nodes, or

244 CHAPTER 5

the root to a vocal node, all of whose intermediate nodes (if any) are silent.Schematically a silent path has the form

nσ−→ s

σ′−→ s′ −→ · · · −→ s′′

σ′′−→ n′

where the starting node n is either vocal or the root node, and where theintermediate silent nodes s, s′, ..., s′′ may be absent. Thus to every vocal noden′ there corresponds a unique silent path of which it is the terminal node. Asilent path is red if at least one of its transition labels σ ∈ Σ is controllable;otherwise it is green. Now color each vocal node red or green according to thecolor of its corresponding silent path. Create an extended output alphabetText as follows. Starting with Text = τo, for each τ ∈ T adjoin a new symbolτc ∈ Text if some τ -node in the tree is red; similarly adjoin τu ∈ Text if someτ -node in the tree is green. Now define ωext : N → Text according to

ωext(n) = τo if n is silent

ωext(n) = τc if ω(n) = τ ∈ T and color(n) = red

ωext(n) = τu if ω(n) = τ ∈ T and color(n) = green

Define the extended tree to be the original tree with the node labelingdetermined by ωext. In Fig. 5.3, vocal nodes are labeled c or u accordingly.It is clear that ωext in turn determines an extension

θext : Llo → T ∗ext

Evidently θ is recovered from θext as follows: Define P : T ∗ext → T ∗ according

toP (τc) = P (τu) = τ, τ ∈ T,

P (ϵ) = ϵ, P (τ0) = ϵ, P (tt′) = P (t)P (t′), t, t′ ∈ T ∗ext

The line just written expresses the property that P is catenative. So P justmaps the new output symbols in any string back to where they came from.Then

θ = P θextFinally, define

Glo,ext = (Qext,Σ, Text, δext, ωext, q0, Qext)

from the current transition structure (Q,Σ, δ, q0, Q) and the map θext in justthe way Glo was defined (Section 5.2) in terms of Glo and θ.

5.3 245

By the construction it is seen that |Text| ≤ 2|T |+ 1: the number of non-silent output symbols has at most doubled, as each old output symbol hasnow split into controllable and uncontrollable siblings (in some cases onesibling may be absent). It will be shown that the number of states has atmost doubled as well. For this we extend the domain of the color map toinclude strings of Llo. Returning to the reachability tree of Llo, color thesilent nodes by the same rule as used previously for the vocal nodes (andcolor the root node green). For s ∈ Llo define node(s) ∈ N to be the nodereached by s, and define color(s) = color(node(s)). For s, s′ ∈ Llo defines ≡ s′ to mean (cf. Section 5.2)

s ≡ s′(mod Llo) and s ≡ s′(mod θ)

We claim that if s ≡ s′ and color(s) = color(s′), then for all u ∈ Σ∗ suchthat su ∈ Llo it is the case that su ≡ s′u and color(su) = color(s′u). Infact, the first statement follows by the observation (Section 5.2) that ≡ isa right congruence on Llo. Thus we know that s′u ∈ Llo, and that forv ≤ u, if θ(sv) = θ(s)t for some t ∈ T ∗ then θ(s′v) = θ(s′)t. In otherwords, ‘the output behaviors (under θ) of su (resp. s′u) coincide betweens (resp. s′) and su (resp. s′u)’. Since su and s′u share the suffix u, itfollows immediately by the definition of color on strings that color(su) =color(s′u), and the second statement follows, as claimed. The upshot of thisargument is that the common refinement of the right congruence ≡, and theequivalence defined by equality of color, is again a right congruence on Llo. Itis, of course, the right congruence that provides the state structure of Glo,ext.Thus in passing from Glo to Glo,ext each state of Glo is split at most once,into colored siblings. It follows that |Qext| ≤ 2|Q|.

In the sections to follow it will be assumed that the foregoing constructionhas been carried out, namely our new starting point will be the Moore transi-tion structure Glo,ext as described. The property of Glo,ext that each outputτ ∈ Text is unambiguously controllable or uncontrollable in the sense indi-cated, will be summarized by saying that Glo,ext is output-control-consistent.While we have not yet presented an algorithm (as distinct from a conceptualprocedure) to pass from Glo to Glo,ext, such an algorithm exists at least incase |Q| < ∞ (see Appendix 5.1). The result for our running example isdisplayed in Fig. 5.4, along with the extended high-level language

θext(L(Glo,ext)) ⊆ T ∗ext

246 CHAPTER 5

αuαc

0

1 2

αc

βcαu

o o αu o βc

αc

0 2 1 4

1 2

0

3

10 2

3

4

5

Glo,ext

Ghi,ext

Fig. 5.4. Output Control Consistency

In TCT, a DESGLO with state outputs is referred to as ‘vocalized’ and isset up using either the ‘vocalize’ option in create or, more conveniently, TCTvocalize. State outputs τ can be numbered 10,...,99. The correspondingstructure GHI is given by higen(GLO). To extend GLO to be output-control-consistent, compute

OCGLO = outconsis(GLO)

with high-level result

OCGHI = higen(OCGLO)

In this process TCT will create event siblings τu = 100, τc = 101 from τ = 10,and so forth.

For completeness we provide the formal, albeit cumbersome, definition ofoutput control consistency of a Moore transition structure

G = (Q,Σ, To, δ, ω, q0, Qm) (5.2)

5.3 247

where the input alphabet Σ = Σc∪Σu and the output alphabet To = τo∪Twith T = Tc∪Tu. As before write ω(s) for ω(δ(q0, s)). Then G is output-control-consistent if, for every string s ∈ L(G) of the form

s = σ1σ2 · · ·σk or respectively s = s′σ1σ2 · · ·σk

(where s′ ∈ Σ+, σi ∈ Σ) with

ω(σ1σ2 · · ·σi) = τo (1 ≤ i ≤ k − 1), ω(s) = τ = τo

or respectively

ω(s′) = τo, ω(s′σ1σ2 · · ·σi) = τo (1 ≤ i ≤ k − 1), ω(s) = τ = τo

it is the case thatif τ ∈ Tc then for some i (1 ≤ i ≤ k), σi ∈ Σc

if τ ∈ Tu then for all i (1 ≤ i ≤ k), σi ∈ Σu

To conclude this section we return to the output-control-consistent struc-ture Glo,ext and corresponding structure Ghi,ext, as above, where from nowon the subscript ‘ext’ will be dropped. While the usefulness of output-control-consistency will be demonstrated in the next section, the following exercisebrings out some of its limitations.

Exercise 1: With Glo output-control-consistent and Klo, Khi prefix-closed,construct examples where

(i) Klo ⊆ Llo is controllable with respect to Glo, but Khi := θ(Klo) is notcontrollable with respect to Ghi.

(ii) Khi ⊆ Lhi is controllable with respect to Ghi, but Klo := θ−1(Khi) isnot controllable with respect to Glo. Furthermore there is no (closed)controllable sublanguage K ′

lo ⊆ Llo such that θ(K ′lo) = Khi.

Exercise 2: With Glo output-control-consistent, assume Khi ⊆ Lhi, andthat Klo := θ−1(Khi) is controllable with respect to Glo. Show that Khi iscontrollable with respect to Ghi.

248 CHAPTER 5

5.4 Command and Control

We continue on the assumption that Glo is output-control-consistent. Weshall relate supervisory control defined by the high-level controller (supervi-sor) Chi to the appropriate low-level control exercised by Clo, thus definingthe command and control path consisting of the command channel Comhilo

followed by the control channel Conlo shown in Fig. 5.1.High-level supervisory control is determined by a selection of high-level

controllable events to be disabled, on the basis of high-level past history.That is, Chi is defined by a map

γhi : Lhi × T → 0, 1

such that γhi(t, τ) = 1 for all t ∈ Lhi and τ ∈ Tu. As usual, if γhi(t, τ) = 0the event (labeled) τ is said to be disabled; otherwise τ is enabled; of course,only controllable events (τ ∈ Tc) can be disabled. The result of applying thiscontrol directly on the generating action of Ghi would be to synthesize theclosed-loop language

L(γhi,Ghi) ⊆ T ∗

say. In the standard theory, implementation of Chi would amount to theconstruction of a suitable automaton (supervisor) over T as input alphabet,and the factorization of γhi through its state space (X, say) to create anequivalent state feedback control ψ : X × T → 0, 1. In the hierarchicalcontrol loop, however, direct implementation of Chi is replaced by commandand control. The action of Chi on Ghi must be mediated via Comhilo andConlo as already described. To this end, assuming γhi is given, define thehigh-level disabled-event map

∆hi : Lhi → Pwr(Tc)

(Pwr(·) denotes power set) according to

∆hi(t) = τ ∈ Tc|γhi(t, τ) = 0

Correspondingly we may define the low-level disabled-event map

∆lo : Llo × Lhi → Pwr(Σc)

according to

∆lo(s, t) = σ ∈ Σc|(∃s′ ∈ Σ∗u)sσs

′ ∈ Llo & ω(sσs′) ∈ ∆hi(t)

& (∀s′′)s′′ < s′ ⇒ ω(sσs′′) = τo

5.4 249

Observe that the explicit t-dependence of ∆lo factors through the subsetevaluation ∆hi(t); in other words, ∆lo can be evaluated by examination ofthe structure of Glo alone, once the subset ∆hi(t) of high-level events tobe disabled has been announced by Chi. The definition says that ∆lo(s, t) isjust the set of low-level controllable events that must be disabled immediatelyfollowing the generation of s (in Glo) and of t (in Ghi) in order to guaranteethe nonoccurrence of any τ ∈ ∆hi(t) as the next event in Ghi. Of course sucha guarantee is actually provided only if, for the given pair (s, t), the set ofuncontrollable strings leading to the next occurrence of τ is empty:

s′ ∈ Σ+u |ss′ ∈ Llo & ω(ss′) = τ & (∀s′′ ∈ Σ+)s′′ < s′ ⇒ ω(ss′′) = τo = ∅

As will be seen, the result of our construction in Section 5.3 of an output-control-consistent structure Glo is that the required guarantee is providedwhen necessary.

When the hierarchical loop is closed through Inflohi, a string s ∈ Llo ismapped to t = θ(s) ∈ Lhi. Then the control implemented by Clo will begiven by

γlo(s, σ) =

0 if σ ∈ ∆lo(s, θ(s))1 otherwise

(5.3)

Now suppose that a nonempty closed ‘legal’ (or specification) languageEhi ⊆ Lhi is specified to the high-level controller Chi. We assume that Ehi

is controllable with respect to the high-level model structure; that is,

EhiTu ∩ Lhi ⊆ Ehi

In accordance with standard theory, Ehi would be synthesized as the con-trolled behavior of Ghi by use of a suitable control law γhi. In the standardtheory the determination of γhi is usually not unique; however, γhi mustalways satisfy

γhi(t, τ) = 0 if t ∈ Ehi & tτ ∈ Lhi − Ehi

Define Elo to be the (maximal) behavior in Glo that would be transmittedby Inflohi as behavior Ehi in the high-level model Ghi:

Elo := θ−1(Ehi) ⊆ Llo (5.4)

250 CHAPTER 5

Since Lhi = θ(Llo) we have θ(Elo) = Ehi. Clearly Elo is closed; but in generalit will not be true that Elo is controllable with respect to Glo. The mainresult of this section states that by use of the control (5.3) the closed-looplanguage L(γlo,Glo) synthesized in Glo is made as large as possible subjectto the constraint (5.4).

Theorem 1Under the foregoing assumptions

L(γlo,Glo) = E↑lo

ProofIt suffices to show the following:

(i) L(γlo,Glo) is controllable with respect to Glo.

(ii) L(γlo,Glo) ⊆ Elo.

(iii) For anyGlo-controllable sublanguageK ⊆ Elo we haveK ⊆ L(γlo,Glo).

In the proof we write L(Glo) =: Llo, L(Ghi) =: Lhi and L(γlo,Glo) =:Klo. By definition of γlo, it follows that Klo is nonempty and closed.

(i) By the definition of γlo we also have

γlo(s, σ) =

0 if σ ∈ ∆lo(s, θ(s)) ⊆ Σc

1 otherwise

Since the closed-loop behavior in Glo is obtained by disabling a subset (pos-sibly null) of controllable events following the generation of any string of Llo,it follows that for all s ∈ Klo, σ ∈ Σu we have γlo(s, σ) = 1, and therefore

KloΣu ∩ Llo ⊆ Klo,

namely Klo is controllable, as claimed.(ii) Since Elo = θ−1(Ehi) it suffices to show that

θ(Klo) ⊆ Ehi

and we proceed by induction on length of strings. Because both Klo and Ehi

are nonempty and closed we have

ϵ ∈ θ(Klo) ∩ Ehi

5.4 251

Assume that t ∈ T ∗, τ ∈ T , and tτ ∈ θ(Klo). Clearly t ∈ θ(Klo) and tτ ∈ Lhi.Invoking the inductive assumption yields t ∈ Ehi. Now if τ ∈ Tu then

tτ ∈ EhiTu ∩ Lhi

and by controllability of Ehi, tτ ∈ Ehi. On the other hand if τ ∈ Tc then bythe fact that Glo is output-control-consistent there exist

s ∈ Σ∗, σ ∈ Σc, s′ ∈ Σ∗u

such thatsσs′ ∈ Klo, θ(s) = t, θ(sσs′) = tτ

By definition of γlo, σ ∈ ∆lo(s, t); therefore

ω(sσs′) = τ ∈ ∆hi(t)

so again tτ ∈ Ehi.(iii) LetK ⊆ Elo be nonempty, and controllable with respect toGlo. Since

Elo and Klo are both closed, it can be assumed without loss of generality thatK is closed. By induction on length of strings it will be shown that K ⊆ Klo.First, ϵ ∈ K ∩ Klo. Now let sσ ∈ K. Since K is closed, s ∈ K. Invokingthe inductive assumption, s ∈ Klo. Since K ⊆ Elo ⊆ Llo we have sσ ∈ Llo.Now if σ ∈ Σu then γlo(s, σ) = 1 and therefore sσ ∈ Klo. Suppose on theother hand that σ ∈ Σc. To show that sσ ∈ Klo it must be shown thatγlo(s, σ) = 1, or equivalently

σ ∈ ∆lo(s, θ(s))

Assuming the contrary and setting t := θ(s) we have by definition of ∆lo(s, t):

(∃s′ ∈ Σ∗u)sσs

′ ∈ Llo & ω(sσs′) ∈ ∆hi(t) & (∀s′′)s′′ < s′ ⇒ ω(sσs′′) = τo

Since sσ ∈ K andK is controllable it results that sσs′ ∈ K. Let ω(sσs′) = τ .Then θ(sσs′) = tτ . But τ ∈ ∆hi(t) implies γhi(t, τ) = 0, so tτ ∈ Lhi − Ehi.That is tτ ∈ Ehi, namely not θ(K) ⊆ Ehi. But this contradicts the fact thatK ⊆ Elo = θ−1(Ehi). Therefore γlo(s, σ) = 1 after all, so that sσ ∈ Klo asrequired. 2

Obviously the transmitted high-level behavior will satisfy the requiredlegal constraint:

θ(L(γlo,Glo)) ⊆ Ehi (5.5)

252 CHAPTER 5

but in general the inclusion will be proper. That is, while the ‘expectation’of the high-level controller Chi on using the control γhi might ideally bethe synthesis in Ghi of the controllable behavior Ehi, only a subset of thisbehavior can in general actually be realized. The reason is simply that acall by Chi for the disablement of some high-level event τ ∈ Tc may requireClo (i.e. the control γlo) to disable paths in Glo that lead directly to outputsother than τ . However, this result is the best that can be achieved under thecurrent assumptions about Glo.

The condition stated in Theorem 1 will be called low-level hierarchicalconsistency. Intuitively it guarantees that the updated behavior of Ghi willalways satisfy the high-level legal constraint, and that the ‘real’ low-level be-havior in Glo will be as large as possible subject to this constraint. Nonethe-less, the high-level behavior expected in Ghi by the manager may be largerthan what the operator of Glo can optimally report.

To conclude this section consider again the running example with Glo

(i.e. Glo,ext) and Ghi (i.e. Ghi,ext) as displayed in Fig. 5.4.

First suppose that the transition graph of Ehi coincides with that of Ghi

except that the (controllable) transition [2, αc, 1] has been deleted. It is clearthat Ehi is a controllable sublanguage of Lhi. The corresponding control lawγlo requires merely the disablement of event 3 at state 4 in Glo (in this simpleexample, state-based control with no additional memory is sufficient). It isevident that

θ(L(γlo,Glo)) = Ehi

By contrast, suppose instead that Ehi is derived from Ghi by deletion ofthe selfloop [1, αc, 1]. Then γlo must disable event 1 at state 2 in Glo, withthe unwanted side effect that state 4 in Glo, with output βc, can never bereached. The manager is chagrined to find that the behavior reported by theoperator is much less than he expected:

θ(L(γlo,Glo)) = ϵ, αu⫋ Ehi

Exercise 2: Assume that Ehi ⊆ L(Ghi) is nonempty and closed, but notnecessarily controllable, and set Elo = θ−1(Ehi). While it is always true that

θ(E↑lo) ⊆ θ(Elo) = Ehi

5.5 253

it may be true that

θ(E↑lo) ⫌ E↑

hi

Provide an example to illustrate this situation. In intuitive, ‘real world’ termsexplain why, in general, this result might not be unexpected.

5.5 Hierarchical Consistency

Let Ehi ⊆ Lhi be closed and controllable and let Glo be output-control-consistent. It was noted in the previous section that the inclusion

θ((θ−1(Ehi))↑) ⊆ Ehi (5.6)

may turn out to be strict. Intuitively, the behavior Ehi ‘expected’ by themanager in Ghi may be larger than what the operator can actually realize:the manager is ‘overoptimistic’ in respect to the efficacy of the command-control process. If equality does hold in (5.6) for every closed and controllablelanguage Ehi ⊆ Lhi, the pair (Glo,Ghi) will be said to possess hierarchicalconsistency. In that case, by Theorem 5.4.1, the command and control pro-cess defined in Section 5.4 for Ehi will actually synthesize Ehi in Ghi. Inthe terminology of hierarchical control, every high-level ‘task’ (representedby a choice of Ehi) will be successfully ‘decomposed’ and executed in thehierarchical control loop.

Achieving equality in (5.6) for arbitrary controllable specification lan-guages Ehi in general requires a further refinement of the transition structureof Glo, in other words, the possibly costly step of enhancing the informationsent up by Clo to Chi (or by Glo to Ghi, depending on one’s interpretationof the setup); of course such enhancement might or might not be feasible inan application. Referring to the reachability tree for L(Glo,ext) as describedin Section 5.3, say that red vocal nodes n1, n2, with ω(n1) = ω(n2), are part-ners if their silent paths start either at the root node or at the same vocalnode, say n = node(s); share an initial segment labeled s′σ with σ ∈ Σc;and this shared segment is followed in turn by segments labeled by stringss′′s1, s

′′s2 respectively, where s′′ ∈ Σ∗u and at least one of the strings s1, s2

belongs to Σ∗u (see Fig. 5.5, where we assume s1 ∈ Σ∗ΣcΣ

∗u and s2 ∈ Σ∗

u).We call node(ss′σ) the antecedent of the partners n1, n2. In this structurethe controllable events labeled τ1c = ω(n1), τ2c = ω(n2) in Ghi cannot be

254 CHAPTER 5

disabled independently by a command to Clo. Thus if Ehi requires disablingof τ2c (at some state of its transition structure) then it may be true thatClo is forced to disable τ1c as well, via direct disablement of σ. So a cure inprinciple is to break up the occurrence of partners: declare that the hithertosilent antecedent node(ss′σ) is now a red vocal node with controllable outputany new symbol τ ′′c , extend Tc by τ ′′c accordingly, and reevaluate color(ni),ω(ni), (i = 1, 2) as appropriate (in Fig. 5.5, n2 would be recolored green andω(n2) redefined to be τ2u).

τ0 τ τ0 τ0 τ0

τ0

τ1c

τ0

τ2c

s′′σs′n

sn′

n1

n2

s1

s2

Fig. 5.5. Partners n1, n2 with antecedent n′. Note that τ1c = τ2c.

A formal version of this procedure is provided in Appendix 5.2. Theresult is embodied in the following definition. Let G be a Moore transitionstructure as in (5.2). Then G is strictly output-control-consistent (SOCC)if it is output-control-consistent and if in the reachability tree of L(G) notwo red vocal nodes are partners. As in Section 5.3, this definition could beformally rephrased in terms of the strings of L(G) if desired. In Appendix 5.2it is shown that the SOCC property can be obtained by no more than a 4-foldincrease in state size over that of the original DES Glo that we started with;in practice, a factor of about 1.5 seems to be much more typical.

Consider again our running example. By inspection of Glo (i.e. Glo,ext

in Fig. 5.4) we note the partner configuration

5.5 255

αu o βc

αc

2

3

41

2

4

5

Its cure is the vocalization of the antecedent 3 of states 4 and 5, say with anew controllable event γc. The final results are displayed in Fig. 5.6. Noticethat in Glo,new the status of β has changed from βc to βu and that Ghi,new

is larger than Ghi,ext by one state and transition.

0

o o αu γc βu4120

αc

3

0 1 2

5

4

Glo,new

Ghi,new

αu

γc

βu

αu

αc

αu

1

3

2

Fig. 5.6. Strict Output Control Consistency

256 CHAPTER 5

Returning to our hierarchical control structure we finally have the desiredresult.

Theorem 1Assume that Glo is SOCC, and let Ehi ⊆ L(Ghi) be nonempty, closed

and controllable. Thenθ((θ−1(Ehi))

↑) = Ehi

ProofIn the proof write L(Glo) =: Llo, L(Ghi) =: Lhi, L(γlo,Glo) =: Klo. With

Elo := θ−1(Ehi), Theorem 5.4.1 can be applied to yield

Klo = E↑lo = (θ−1(Ehi))

↑

which impliesθ(Klo) = θ((θ−1(Ehi))

↑) ⊆ θ(Elo) = Ehi

We note directly that (Klo =)E↑lo = ∅. Otherwise, Klo being closed, there

is a string so ∈ Llo ∩Σ∗u with so ∈ Elo = θ−1(Ehi), namely θ(so) ∈ Ehi. Thus

θ(so) ∈ Lhi ∩ (T ∗u − Ehi)

which implies that Ehi is uncontrollable, contrary to hypothesis.Now suppose that the inclusion θ(Klo) ⊆ Ehi is strict, and let t ∈ Ehi −

θ(Klo). Since ϵ ∈ θ(Klo) there exists a maximal prefix t′ < t with t′ ∈ θ(Klo).Let s ∈ Elo with θ(s) = t. Since ϵ ∈ Klo we can select a prefix s′′ ≤ sof maximal (possibly zero) length such that s′′ ∈ Klo and node(s′′) is vocal(or is the root node). Then t′′ := θ(s′′) satisfies t′′ ≤ t′, where the prefixordering may be strict. Let w ∈ Σ∗ with s′′w ≤ s, node(s′′w) vocal, andθ(s′′w) = θ(s′′)τ for some τ ∈ T ; that is, the path from node(s′′) to node(s′′w)is silent. Now w ∈ Σ∗ΣcΣ

∗u, as otherwise w ∈ Σ∗

u, which implies by thecontrollability of Klo that s′′w ∈ Klo, contrary to the maximality of s′′.Choose w′ ≤ w to be of maximal length such that s′′w′ ∈ Klo, namelys′′w′σ ∈ Klo, with w

′σ ≤ w and σ ∈ Σc (so that σ is disabled by γlo).We claim that there must exist a string v ∈ Σ∗

u such that (1) node(s′′w′σv)is vocal, and (2) the path from node(s′′) to node(s′′w′σv) is silent, with (3)θ(s′′w′σv) ∈ Ehi. For if there is no string v ∈ Σ∗

u with properties (1)-(3)then, because

θ(s′′w) = θ(s′′)τ ∈ Ehi = E↑hi

5.5 257

we have that s′′w ∈ Klo after all, contradicting the maximality of s′′ and thefact that Klo is supremal.

Sincet′′τ = θ(s′′)τ = θ(s′′w) ≤ θ(s) = t ∈ Ehi

and θ(s′′w′σv) ∈ Ehi, it results finally that θ(s′′w′σv) = t′′τ ′, say, with τ ′ = τ ,and therefore node(s′′w) and node(s′′w′σv) are partners, in contradiction tothe main hypothesis of the theorem. 2

s00

· · · · · · τ

τ0

·

·

·

t00

vocal

w0

w

σ

v

Thus when Glo is SOCC, hierarchical consistency is achieved for the pair(Glo,Ghi).

In TCT, hierarchical consistency can be achieved by computing either

HCGLO = hiconsis(OCGLO)

or directly as

HCGLO = hiconsis(GLO)

bypassing the intermediate stage of output control consistency. The resultinghigh-level DES is

HCGHI = higen(HCGLO)

More information on hiconsis is provided in Appendix 5.1.

Exercise 2: Use TCT to verify the running example of Sections 5.2-5.5.Finally it should be noted that our restriction to a hierarchy of two lev-

els was inessential. Once hierarchical consistency has been achieved for the

258 CHAPTER 5

bottom level and first level up, say (G0,G1), the constructions may be re-peated on assigning state outputs in G1 and bringing in a next higher level,G2. Clearly hierarchical consistency for (G1,G2) can be achieved withoutdisturbing the consistency of (G0,G1). The theory thus possesses the highlydesirable attribute of ‘vertical modularity’.

To conclude this section we give two results (due to K.C. Wong) whichplace the property of hierarchical consistency in clear perspective. Let Glo

be OCC. Recall the notation C(E) for the family of controllable sublanguagesof E; thus C(Llo) (resp. C(Lhi)) is the family of all controllable sublanguagesof Llo (resp. Lhi).

Let us bring in the

Main Condition: θC(Llo) = C(Lhi)

Main Condition (MC) says, not only that θ preserves controllability, but alsothat every high-level controllable language is the θ-image of some (possiblymore than one) low-level controllable language. In other words, equating exe-cutable ‘tasks’ with controllable languages, every task that could be specifiedin the manager’s (aggregated) model Ghi is executable in the operator’s (de-tailed) model Glo; high-level policies can always be carried out operationally.Of course a justification of this interpretation would require that an online hi-erarchical control mechanism be spelled out; but this was done in Section 5.4.Now let Ehi ⊆ Lhi be a high-level legal specification, not necessarily control-lable. Suppose that Ehi is ‘proposed’ to the operator by specification of itspreimage θ−1(Ehi). The operator may then synthesize (θ−1(Ehi))

↑ ⊆ Llo,with the result that θ((θ−1(Ehi))

↑) is implemented in Ghi. One would likethis implemented sublanguage of Lhi to be precisely the language E↑

hi thata manager working at the level of Ghi would synthesize directly (if directcontrol were feasible): this is the essence of hierarchical consistency. Theresult to follow states that hierarchical consistency in this strong sense isequivalent to MC.

Theorem 3

MC ⇔((∀Ehi)Ehi ⊆ Lhi ⇒ θ((θ−1(Ehi))

↑) = E↑hi

)2

The usefulness of this result resides in the fact that the ‘complicated’condition of hierarchical consistency (involving the (·)↑ operation) is replacedby the formally simpler MC, which involves only the controllability property.

5.6 259

Along the same lines, on weakening MC slightly the following relatedresult can be proved, as a simpler version of the condition of hierarchicalconsistency defined earlier in this section.

Theorem 4

θC(Llo) ⊇ C(Lhi) ⇔((∀Ehi)Ehi ∈ C(Lhi) ⇒ θ((θ−1(Ehi))

↑) = Ehi

)2

It is of interest to note that these results depend on nothing more thanthe fact that the operations θ(·) and (·)↑ = supC(·) are monotone on sublan-guages.

Exercise 5: Prove Theorems 3 and 4.

Exercise 6: Construct examples to illustrate Theorems 3 and 4.

5.6 Hierarchical Supervision of Transfer Line

The theory will be illustrated by developing a high-level hierarchical supervi-sor for Transfer Line (cf. Section 4.6). We recall that Transfer Line consistsof two machines M1, M2 plus a test unit TU, linked by buffers B1, B2 inthe sequence: M1,B1,M2,B2,TU (Fig. 5.7). State transition diagrams ofM1, M2 and TU are displayed in Fig. 5.8.

TUB2B1M11 2 3 5

M24

82

62

Fig. 5.7

260 CHAPTER 5

M1 1 2 M2 3 4 TU

62 82

5

60 80

Fig. 5.8

TU either ‘passes’ or ‘fails’ each processed workpiece, signaling its deci-sion with events 60, 80 respectively. In case of ‘pass test’, the workpiece issent to the system output (event 62); in case of ‘fail test’, it is returned toB1 (event 82) for reprocessing by M2. There is no limit on the number offailure/reprocess cycles a given workpiece may undergo.

For ease of display we consider only the simplest case, where B1 and B2each has capacity 1. Initially an optimal low-level supervisor is designed byany of the methods of Chapters 3 or 4, to ensure that neither of the buffersis subject to overflow or underflow. In detail, let

PL = sync(M1,M2,TU)

and let B1SP, B2SP be the buffer specification generators (Fig. 5.9).

2; 82

3

B1SP selfloop f1; 4; 5; 60; 62; 80g

4

5

B2SP selfloop f1; 2; 3; 60; 62; 80; 82g

Fig. 5.9

Then we set BSP = meet(B1SP,B2SP), and

5.6 261

PLSUP = supcon(PL,BSP)

as displayed in Fig. 5.10. With PLSUP as the starting point for the devel-opment of hierarchical structure, we must first assign the ‘significant’ eventsto be signaled to the ‘manager’. Let us assume that the manager is interestedonly in the events corresponding to ‘taking a fresh workpiece’ (low-level event1, signaled as high-level event τ1, say), and to ‘pass test’ (low-level event 60,signaled as τ2) or ‘fail test’ (low-level event 80, signaled as τ3). If too manyfailures occur the manager intends to take remedial action, which will startby disabling the failure/reprocess cycle. To this end the uncontrollable event80 is now replaced in the low-level structure by a new controllable event 81.Furthermore, the meaning of the signaled events τ1, τ2, τ3 must be unambigu-ous, so a transition entering state 1 like [8,62,1] must not be confused withthe ‘significant’ transition [0,1,1]; namely a new state (say, 12) must be intro-duced, transition [8,62,1] replaced by [8,62,12], and a new transition [12,2,2]inserted. The final Moore structure, GLO, is displayed in Fig. 5.11. Herethe vocal [state,output] pairs are [1,τ1], [8,τ1], [6,τ2] and [7,τ3]. In TCT, theforegoing adjustments can be made using edit and vocalize.

62 62 62 62 62

82

60

80

1 2 3 4

1 2 3 4 5

62 62 62 62 62

82

60

80

1 2 3 4

1 2 3 4 5

7

0 1 3 4

6 8 9 10 11

52

Fig. 5.10. PLSUP

262 CHAPTER 5

1 2 3 4 5

81

3 4

262

262 62 62 62

1

1 2 3 4 5

81

3 4

262

262 62 62 62

1

82

201

3 4

7

6

8

9 10 11

12

5

τ1

60

τ1

τ2

τ3

Fig. 5.11. GLO

We are now ready to carry out the procedures of the theory. By inspectionof Fig. 5.11, it is clear that each of τ1, τ2, τ3 is unambiguously controllable,that is, GLO is already output-control-consistent. The corresponding high-level model GHI is displayed in Fig. 5.12. In TCT, GHI = higen(GLO).

However, for the manager to disable τ2 will require the operator to disablelow-level event 5, which in turn disables the high-level event τ3 as an unde-sired side effect; thus GLO is not strictly-output-control-consistent (SOCC).To improve matters it is enough to vocalize the low-level state 5 with a newhigh-level output τ4, signaling the new ‘significant’ event that ‘TU takes aworkpiece’. This step incidentally converts the status of τ2 from control-lable to uncontrollable. With this the construction of a SOCC model, sayHCGLO, from GLO is complete (Fig. 5.13). The corresponding high-levelmodel HCGHI is displayed in Fig. 5.14, where τ1, τ2, τ3, τ4 have been codedrespectively as 111,200,311,101. In TCT, HCGLO = hiconsis(GLO) andHCGHI = higen (HCGLO).

5.6 263

τ2

τ1τ3

Fig. 5.12. GHI

8282

1 2 3 4 5

81

3 4

262

262 62 62 62

1

201

3 4

7

6

8

9 10 11

12

τ1

τ3

τ2

5

τ4

60

τ1

Fig. 5.13. HCGLO

The simple model HCGHI can be supervised by the manager to achievehis objective of ‘quality control’. A possible high-level specification might be:‘if two consecutive test failures (311) occur, allow TU to operate just oncemore, then shut down the system’; this is modeled by SPECHI as displayed(Fig. 5.15). The resulting supervisor

HCGHISUP = supcon(HCGHI,SPECHI)

264 CHAPTER 5

is shown in Fig. 5.16. On termination of HCGHISUP at state 7, andexecution by TU of event 62, it can be easily verified that HCGLO willhave halted at its marker state 0.

311

101111

200

311

101111

200

Fig. 5.14. HCGHI

200

311

Fig. 5.15. SPECHI

selfloop 101, 111

200

0

1 2 3311 200

200 pass

200 pass

111 101 311 101 311 101 200

fail fail

0 1 2 3 4 5 6 7

Fig. 5.16. HCGHISUP

Exercise 1: To appraise the utility of hierarchical control for Transfer Line,replace SPECHI by an equivalent DES SPECLO for GLO (with vocaliza-

5.7 265

tions removed), compute the corresponding low-level supervisor, and com-pare its state size with that of HCGHISUP.

Exercise 2: For a manageable but nontrivial example with a plausiblephysical interpretation, carry out the design of a SOCC hierarchical controlstructure, illustrating the successive refinements involved in first achieving(non-strict) output control consistency and then strict consistency. For aparticular high-level controllable specification language, define precisely therequired command and control γlo.

5.7 Hierarchical Supervision with Nonblock-

ing

In this section we extend our theory of hierarchical supervision to includemarking and nonblocking. Unsurprisingly, nonblocking is not ensured by hi-erarchical consistency over closed sublanguages, in the sense of Section 5.5.For instance, in the example of Fig. 5.17, with α, β, γ uncontrollable, evi-dently

Clo(Llo) = ∅, Llo, Chi(Lhi) = ∅, Lhi

and Glo is hierarchically consistent; however, Glo blocks on executing α.

τ1 τ2

α β γτ1 τ1 τ2

Glo

o

Ghi

Fig. 5.17

Throughout this section it will be convenient to write L for Llo := L(Glo),Lm ⊆ L for the marked behavior of Glo, M := θ(L) for Lhi := L(Ghi) andMm := θ(Lm) for the marked behavior of Ghi.

266 CHAPTER 5

We begin by generalizing Theorem 5.5.3. Our standing assumption isthat Glo is output-control-consistent (Section 5.3). The scenario will bethat, with Ehi ⊆ Mm a given specification language for Ghi, the markedbehavior ‘virtually’ synthesized in Ghi is, as usual (cf. Section 3.5)

Khi := supChi(Ehi)

The specification ‘announced’ to the low-level controller is θ−1(Ehi), so themarked behavior synthesized in Glo is, again as usual,

Klo := supClo(Lm ∩ θ−1(Ehi))

The desired consistency property is then

θ(Klo) = Khi

Theorem 1In the foregoing notation

(∀Ehi)Ehi ⊆Mm ⇒ θ(Klo) = Khi (HCm)

iffθClo(Lm) = Chi(Mm) (MCm)

Proof(If) Let Ehi ⊆Mm and assume (MCm). Then

Khi := supChi(Ehi) ∈ Chi(Mm)

so by (MCm), Khi = θ(K ′lo) for some K ′

lo ∈ Clo(Lm). Therefore

K ′lo ⊆ supClo(Lm ∩ θ−1(Khi))

⊆ supClo(Lm ∩ θ−1(Ehi)) = Klo

ThusKhi = θ(K ′

lo) ⊆ θ(Klo)

But Klo ⊆ Lm ∩ θ−1(Ehi) implies

θ(Klo) ⊆Mm ∩ Ehi = Ehi

5.7 267

So by (MCm) θ(Klo) ⊆ supChi(Ehi) = Khi. Thus θ(Klo) = Khi as claimed.(Only if) Let Khi ∈ Chi(Mm) and set Ehi = Khi in (HCm). Then

Khi = θ(Klo) ∈ θ(Clo(Lm))

namely Chi(Mm) ⊆ θClo(Lm). For the reverse inclusion let K ′lo ∈ Clo(Lm)

and set E ′hi := θ(K ′

lo). Then E ′hi ⊆ θ(Lm) = Mm, so K

′hi := supChi(E

′hi) ∈

Chi(Mm). Now K ′lo ⊆ θ−1(E ′

hi) implies

K ′lo ⊆ supClo

(Lm ∩ θ−1(E ′

hi))

Also (HCm) provides

θ(supClo(Lm ∩ θ−1(E ′

hi))= supChi(E

′hi)

Therefore

θ(K ′lo) ⊆ supChi(E

′hi) ⊆ E ′

hi = θ(K ′lo)

giving

θ(K ′lo) = supChi(E

′hi) = K ′

hi ∈ Chi(Mm)

namely θClo(Lm) ⊆ Chi(Mm) as required. 2

While Theorem 1 provides an interesting perspective on hierarchical su-pervision with nonblocking, the ‘Main Condition with marking’ (MCm) isnot immediately effective. To satisfy (MCm) we shall endow our causal re-porter map θ with a certain ‘global observer property’; we shall also require atype of ‘local controllability’ in Glo. These properties seem natural from theviewpoint of a designer with some capability of structuring Glo in advance.

In the following we use the terminology for reachability tree as in Sec-tion 5.3. Let

Lvoc := s ∈ L|s = ϵ or node(s) is vocal

Thus Lvoc is the subset of strings of L that correspond to the root nodeor a vocal node of the reachability tree of L. Clearly θ(Lvoc) = θ(L) =M . To avoid fussy details we shall assume, reasonably, that vocalization is‘complete’, namely any string of L can be extended (in L) to a string of Lvoc,i.e. Lvoc = L. Now we say that θ : L→M is an Lvoc–observer if

(∀s ∈ Lvoc)(∀t ∈M)θ(s) ≤ t⇒ (∃s′ ∈ Σ∗)ss′ ∈ Lvoc & θ(ss′) = t

268 CHAPTER 5

In other words, whenever θ(s) can be extended to a string t ∈ M , the un-derlying Lvoc-string s can be extended to an Lvoc-string ss

′ with the sameimage under θ: ‘the manager’s expectation can always be executed in Glo’,at least when starting from a string in Lvoc. In the Example of Fig. 5.17, θis not an Lvoc–observer, while in that of Figs. 5.11, 5.12 it is.

Write θvoc for the restriction θ|Lvoc. Thus

θvoc : Lvoc →M, θ−1voc : Pwr(M) → Pwr(Lvoc)

The Lvoc–observer property can be characterized as commutativity of θ−1voc

with prefix-closure. Recall that the operation of prefix-closure maps Lvoc

onto L.

Proposition 2θ is an Lvoc–observer iff, for all E ⊆M ,

θ−1voc(E) = θ−1

voc(E) ∩ Lvoc

Proof(If) Let s ∈ Lvoc, t ∈M, θ(s) ≤ t. Then θ(s) ∈ t ⊆M , so

s ∈ θ−1voc(t) = θ−1

voc(t) ∩ Lvoc

Thus for some s′ ∈ Σ∗, ss′ ∈ θ−1voc(t), namely θvoc(ss

′) = t, as required.

(Only if) The direction θ−1voc(E)∩Lvoc ⊆ θ−1

voc(E) is automatic, for if ss′ ∈θ−1voc(E) for s ∈ Lvoc and some s′ with ss′ ∈ Lvoc, then θvoc(s) ≤ θvoc(ss

′) ∈ E,so θvoc(s) ∈ E and s ∈ θ−1

voc(E). For the reverse inclusion, taking s ∈ θ−1voc(E)

we have t := θvoc(s) ∈ E, so for some t′, tt′ ∈ E and θvoc(s) ≤ tt′. Since θis an Lvoc–observer, there is some s′ with ss′ ∈ Lvoc and θvoc(ss

′) = tt′, sos ≤ ss′ ∈ θ−1

voc(E), namely s ∈ θ−1voc(E) ∩ Lvoc. 2

We now bring in a ‘local’ description of controllability in Glo. Generaliz-ing the control action of Section 5.4, one should now think of control decisionsin Glo (made by the ‘operator’ of Section 5.1) being delegated to ‘agents’,say to Agent(s) for each s ∈ Lvoc. The scope of Agent(s) will be the ‘local’language Lvoc(s) linking node(s) to the adjacent downstream vocal nodes (ifany) in the reachability tree of L. Formally, for s ∈ Lvoc let

Lvoc(s) := s′ ∈ Σ∗|ss′ ∈ Lvoc & (∃τ ∈ T )θ(ss′) = θ(s)τ

5.7 269

Notice that the empty string ϵ cannot belong to Lvoc(s), and that possiblyLvoc(s) is the empty language, ∅.

Let Llo(s) := Lvoc(s). Thus Llo(s) is either ∅ or, if not, contains ϵ. Alongwith Llo(s) define the local reporter map θs : Llo(s) → ϵ ∪ T according to

θs(s′) :=

ϵ, if s′ = ϵ, or s′ = ϵ and ω(ss′) = τo

τ, if ω(ss′) = τ

Let Lhi(t) be the (at most) one-step closed sublanguage that is postfix tot := θ(s) in GHI. Thus Lhi(t) is the ‘next-step’ sublanguage seen followingt by the manager.

Let Clo(s) denote the family of all controllable sublanguages of Llo(s),namely

Clo(s) := K ⊆ Llo(s)|KΣu ∩ Llo(s) ⊆ K

Apart from ∅, these are exactly the sublanguages of Llo(s) that Agent(s) isauthorized (and able) to synthesize by supervisory control.

Similarly let Chi(t) denote the controllable sublanguages of Lhi(t). Thelocal controllability property of interest is that Agent(s) can synthesize (i.e.select from Clo(s)) a controllable sublanguage for each controllable sublan-guage that the manager can see one step ahead in GHI; namely

Chi(t) [:= Chi(θ(s))] = θs (Clo(s)) (5.7)

When (5.7) holds we shall say that Glo is locally output controllable at s;and if (5.7) holds for all s ∈ Lvoc, that Glo is globally output controllable.This says that Agent(s) can always synthesize exactly any controllable localhigh-level behavior ordered by the manager, no more and no less. Returningto the example of Fig. 5.17, we see that Glo is locally output controllable atstrings ϵ, β, and βγ but not at string α.

Notice that if ∅ = θs (Lvoc(s)) ⊆ Tc, i.e. there exist downstream vo-cal events and they are all controllable, then the manager can terminate theprocess, by commanding the controllable sublanguage ϵ. For this it is suffi-cient that Agent(s) disable (say) all his immediately downstream controllableevents, and this will clearly synthesize a controllable sublanguage of Llo(s),hence an element of Clo(s), as required.

270 CHAPTER 5

To illustrate the notation in detail consider the following two examplesfrom Fig. 5.4.

Example 3s = 0.2 ∈ Lvoc, t = αu.Lvoc(s) = 1.2, 1.4, Llo(s) = ϵ, 1, 1.2, 1.4Lhi(t) = ϵ, αc, βc (by inspection of Ghi,ext in Fig. 5.4)Clo(s) = ∅, ϵ, ϵ, 1, 1.2, 1.4, 1, 1.2, 1.4, 1.2, 1.4Chi(t) = ∅, ϵ, αc, βc, αc, βc, ϵ, αc, ϵ, βc, ϵ, αc, βcθs (Clo(s)) = ∅, ϵ, αc, βc, ϵ, αc, βc ⊆ Chi(t)Conclusion: Glo,ext is not locally controllable at s.

Example 4s = 0.2.1.4 ∈ Lvoc, t = αuβc.Lvoc(s) = 0.2, 3, Llo(s) = ϵ, 0, 0.2, 3Lhi(t) = ϵ, αu, αc (by inspection of Fig. 5.4)Clo(s) = ∅, 0.2, 0.2, 3, ϵ, 0, 0.2, ϵ, 0, 0.2, 3Chi(t) = ∅, αu, αu, αc, ϵ, αu, ϵ, αu, αcθs (Clo(s)) = ∅, αu, αu, αc, ϵ, αu, ϵ, αu, αc = Chi(t)Conclusion: Glo,ext is locally controllable at s.

Notice that the above C listings are needlessly cumbersome, since theempty language ∅ is always listed; if a sublanguage K is listed, it is under-stood that its closure K should be listed also; and if K1, K2 are listed thenso also should be K1∪K2. Thus in Example 3 one could write, symbolically,

Clo(s) ≈ ϵ, 1.2, 1.4, Chi(t) ≈ ϵ, αc, βc

and in Example 4,

Clo(s) ≈ 0.2, 0.2, 3, Chi(t) ≈ αu, αu, αc

We can now state the main result of this section, establishing the condi-tion (MCm) of Theorem 1. As a technical detail, it is convenient to specializeslightly the marking condition θ(Lm) = Mm as indicated in (iii) below. Inthis version only strings in Lvoc will be marked in L.

Theorem 5Assume that

5.7 271

(i) θ : L→M is an Lvoc–observer;(ii) Glo is locally output controllable; and(iii) Lm = θ−1(Mm) ∩ Lvoc

ThenChi(Mm) = θClo(Lm)

ProofFor inclusion (⊇) let Klo ∈ Clo(Lm); we show Khi := θ(Klo) ∈ Chi(Mm).

First, Klo ⊆ Lm and θ(Lm) = Mm imply Khi ⊆ Mm. For controllability, lett ∈ Khi, τ ∈ Tu, tτ ∈ M . Since θ(Klo) = θ(Klo) (Exercise 5.2.1) there is s ∈Klo with θ(s) = t, and we can certainly assume s ∈ Klo ∩Lvoc. As θ(s) ≤ tτ ,by (i) there exists s′ ∈ Σ∗ with ss′ ∈ Lvoc and θ(ss′) = tτ . So s′ ∈ Lvoc(s)and as τ ∈ Tu, s

′ ∈ Σ∗u (by output-control-consistency, Section 5.3); therefore

ss′ ∈ Klo (by controllability of Klo). Finally

tτ = θ(ss′) ∈ θ(Klo) = θ(Klo) = Khi

as required.For the reverse inclusion (⊆) let ∅ = Khi ∈ Chi(Mm). We construct

Klo ∈ Clo(Lm) inductively, such that θ(Klo) = Khi. By (ii) we know that Glo

is globally output controllable, namely for all s ∈ Lvoc, t = θvoc(s),

Chi(t) = θsClo(s) (5.8)

Starting with ϵ ∈ Khi, ϵ = θvoc(ϵ), we have

Chi(ϵ) = θϵClo(ϵ)

Since Khi is controllable,

Elig(Khi; ϵ) := τ ∈ T |τ ∈ Khi ∈ Chi(ϵ)

and soElig(Khi; ϵ) = θϵ(Hlo(ϵ))

for some locally controllable sublanguage Hlo(ϵ) ∈ Clo(ϵ). Thus for everyτ1 ∈ Elig(Khi; ϵ) there is at least one string s1 ∈ Hlo(ϵ) ⊆ Lvoc(ϵ) withθvoc(s1) = τ1. We continue in the evident way: for such τ1 we have

Elig(Khi; τ1) := τ ∈ T |τ1τ ∈ Khi ∈ Chi(τ1)

272 CHAPTER 5

so again by (5.8)

Elig(Khi; τ1) = θs1(Hlo(s1))

for some Hlo(s1) ∈ Clo(s1). In general, for t ∈ Khi and s ∈ Lvoc withθvoc(s) = t, we shall have

Elig(Khi; t) := τ ∈ T |tτ ∈ Khi = θs(Hlo(s))

for some locally controllable sublanguage Hlo(s) ∈ Clo(s).Denote by Hlo the prefix-closure of all strings of form

s = s1 · · · sk, k ∈ N

such that

xj := s1 · · · sj ∈ Lvoc, 1 ≤ j ≤ k

θvoc(s) ∈ Khi

Elig(Khi; θvoc(xj)) = θsj(Hlo(sj)), Hlo(xj) ∈ Clo(xj), 1 ≤ j ≤ k

sj ∈ Hlo(xj−1), 1 ≤ j ≤ k, x0 := ϵ

Clearly

θ(Hlo) = θvoc(Hlo ∩ Lvoc) = Khi

We claim that Hlo ∈ Clo(L). Let s ∈ Hlo, σ ∈ Σu, sσ ∈ L, and let s′ be themaximal prefix of s such that s′ ∈ Lvoc. If s

′ < s then s ∈ L−Lvoc and s = s′vfor some v ∈ Hlo(s

′). Since Hlo(s′) is locally controllable, vσ ∈ Hlo(s

′) sosσ = s′vσ ∈ Hlo. If s

′ = s and sσ ∈ L then again σ ∈ Hlo(s) by controllabilityof Hlo(s), so sσ ∈ Hlo. This proves the claim.

Define

Klo := Hlo ∩ Lvoc ∩ θ−1(Khi)

Then Klo ⊆ Lvoc ∩ θ−1(Mm) = Lm. To establish Klo ∈ Clo(Lm) it suffices toverify Klo = Hlo, or simply Hlo ⊆ Klo. Let s ∈ Hlo, t := θ(s). We claim thereexists w with sw ∈ Klo, i.e. sw ∈ Hlo ∩ Lvoc ∩ θ−1(Khi). If already s ∈ Klo,set w = ϵ. If not, let u ≤ s be the maximal prefix of s with u ∈ Lvoc andwrite s = uv. By construction of Hlo, we know that for some w1 ∈ Σ∗ andlocally controllable sublanguage Hlo(u) ∈ Clo(u),

vw1 ∈ Hlo(u), Elig(Khi; t) = θu(Hlo(u))

5.7 273

By definition of Clo(u), we know Hlo(u) ⊆ Lvoc(u) and thus θu(vw1) =τ1 (say) with tτ1 ∈ Khi. This means sw1 = uvw1 ∈ Hlo ∩ Lvoc ∩ θ−1(Khi). Ifalready tτ1 ∈ Khi then set w = w1; if not, suppose tτ1τ2 · · · τk ∈ Khi. Clearly

τ2 ∈ Elig(Khi; tτ1), tτ1 = θvoc(sw1)

Repetition of the previous argument produces w2 ∈ Σ∗ with

sw1w2 ∈ Hlo ∩ Lvoc ∩ θ−1(Khi)

and we are done after at most k steps.It only remains to verify that θ(Klo) = Khi. Let t ∈ Khi(⊆ Mm). Since

θ(Hlo) = Khi there is s ∈ Hlo ∩ Lvoc such that θvoc(s) = t, namely

s ∈ Hlo ∩ Lvoc ∩ θ−1(Khi) = Klo

On the other hand θ(Klo) = θvoc(Klo) ⊆ Khi. 2

Combining Theorems 1 and 5 we have immediately

Corollary 6Let Ehi ⊆Mm, Khi := supChi(Ehi), and

Klo := supClo(Lm ∩ θ−1(Ehi))

Assume conditions (i)-(iii) of Theorem 5. Then (Glo, θ) is hierarchicallyconsistent, in the sense that θ(Klo) = Khi. 2

Exercise 7: By examining the initial state and vocal states in HCGLO,Fig. 5.13, show that Transfer Line already satisfies assumptions (i), (ii) ofTheorem 5, and can be (mildly) remodeled to satisfy (iii) as well.

The foregoing results can be regarded as a fundamental basis for hierarchi-cal control with nonblocking. Of course, algorithmic design, and verificationof the appropriate conditions, remain as challenging issues. To conclude thissection we provide a more specialized result, building directly on the the-ory for closed languages in Sections 5.4, 5.5, including the property of strictoutput-control-consistency (SOCC) and the control action of Section 5.4. Forthis we place a much stronger observer condition on θ, and modify our de-scription of nonblocking slightly to facilitate use of Theorem 5.5.1. The price

274 CHAPTER 5

of greater concreteness, in Theorem 9 below, is somewhat involved argumen-tation in the proof.

With Mm = θ(Lm) as before we say that θ : L→M is an Lm–observer if

(∀t ∈Mm)(∀s ∈ L)θ(s) ≤ t =⇒ (∃u ∈ Σ∗)su ∈ Lm & θ(su) = t

In other words, whenever θ(s) can be extended in T ∗ to a string t ∈Mm, theunderlying string s ∈ L can be extended to a string su ∈ Lm with the sameimage under θ : ‘the manager’s expectation is never blocked in Glo’. Thisproperty fails for the example of Fig. 5.17, as one sees by taking t = τ1τ2 ands = α.

Exercise 8: Show that θ : L → M is an Lm–observer iff, for all E ⊆Mm, θ−1(E) = θ−1(E) ∩ Lm.

The following more general definition will also be useful. Let Hlo ⊆L,Hhi ⊆ M . We say that Hlo is hierarchically nonblocking (HNB) withrespect to Hhi if

(∀t ∈ Hhi)(∀s ∈ Hlo)(∀t′ ∈ T ∗)θ(s) = t & tt′ ∈ Hhi

=⇒ (∃s′ ∈ Σ∗)ss′ ∈ Hlo & θ(ss′) = tt′

In words, whenever θ(s) can be extended to a string in Hhi, s can be extendedto a string in Hlo with the same θ–image. This is essentially the Lm–observerproperty for θ, but ‘parametrized’ by Hlo, Hhi in place of Lm,Mm. We cannow state the main result.

Theorem 9Let Mm = θ(Lm) and let θ : L → M be an Lm–observer. Assume Glo is

SOCC (as in Section 5.5). Let ∅ = Khi ∈ Chi(Mm), and define

Hlo := supClo(θ−1(Khi))

Then θ(Hlo) = Khi and Hlo is HNB with respect to Khi.

ProofSince Khi is nonempty, closed and controllable, and Glo is SOCC, we

know by Theorem 5.5.1 that θ(Hlo) = Khi.Note that Hlo is closed. Suppose Hlo is not HNB with respect to Khi.

Then for some t ∈ Khi, s ∈ Hlo and w ∈ T ∗ we have

θ(s) = t, tw ∈ Khi

5.7 275

but for all x ∈ Σ∗ with sx ∈ L,

θ(sx) = tw ⇒ sx /∈ Hlo (5.9)

Note that w = ϵ; otherwise, by (5.9) with x = ϵ, s /∈ Hlo, contrary tohypothesis. However, as θ is an Lm–observer, and

θ(s) = t < tw ∈ Khi ⊆Mm

there is u ∈ Σ∗, u = ϵ, with su ∈ Lm and θ(su) = tw (refer to Table 5.1).By (5.9), su /∈ Hlo. Let u′ (ϵ ≤ u′ < u) be the maximal prefix of u suchthat su′ ∈ Hlo. By controllability of Hlo, there is σ ∈ Σc with u

′σ ≤ u (andsu′σ /∈ Hlo). Let u = u′σu′′ (where possibly u′′ = ϵ). We have

θ(su′σ) ≤ θ(su) = tw ∈ Khi

so θ(su′σ) ∈ Khi. Also, since su′ ∈ Hlo but su′σ /∈ Hlo, and because Hlo

is supremal controllable with respect to the specification θ−1(Khi), there isv ∈ Σ∗

u such that su′σv /∈ θ−1(Khi), i.e. θ(su′σv) /∈ Khi. Thus

t ≤ θ(su′σ) ≤ tw

so θ(su′σ) = tw′ (say) ∈ Khi, while

θ(su′σv) = θ(su′σ)y (say)

= tw′y

/∈ Khi

We consider the two possible cases for node (su′σ), in the reachabilitytree of L (as in Section 5.5).

1. Node(su′σ) is vocal. Since v ∈ Σ∗u, we have that y ∈ T ∗

u . Thus tw′ ∈Khi while tw

′y /∈ Khi, contradicting the controllability of Khi.

2. Node(su′σ) is silent. We claim there is some vocal node in the pathfrom node(su′σ) to node(su′σu′′). Otherwise

θ(su′) = θ(su′σ) = θ(su′σu′′) = θ(su) = tw

But as su′ ∈ Hlo we have a contradiction to (5.9), and conclude thatθ(su′σu′′) > θ(su′σ). Let

θ(su′σu′′) = θ(su′σ)τ1 · · · τk

276 CHAPTER 5

and let u′′′ ≤ u′′ with

node(su′σu′′′) vocal, θ(su′σu′′′) = θ(su′σ)τ1

Recall that tw′ ∈ Khi while tw′y /∈ Khi, so ϵ = y = τ ′1τ

′2 · · · τ ′l (say).

Let v′ ≤ v be such that node(su′σv′) is vocal with

θ(su′σv′) = θ(su′σ)τ ′1 = tw′τ ′1

We claim that τ ′1 = τ1. Otherwise

tw′τ ′1 = tw′τ1 = θ(su′σ)τ1 = θ(su′σu′′′) ≤ θ(su′σu′′) = θ(su) = tw ∈ Khi

i.e. tw′τ ′1 ∈ Khi. But then v = v′v′′ (say), and v′′ ∈ Σ∗u, imply τ ′j ∈

Tu (2 ≤ j ≤ l), hence tw′y ∈ Khi (by controllability), a contradiction.So τ ′1 = τ1 as claimed, and therefore

node(su′σu′′′), node(su′σv′)

are partners (in the sense of Section 5.5). This contradicts our hypoth-esis that Glo is SOCC. 2

Table 5.1. String factorizations in proof of Theorem 9

string ∈ L θ(string) ∈M

s tsu = su′σu′′ twsu′σ tw′

su′σu′′ tw = tw′τ1 · · · τksu′σu′′′ tw′τ1su′σv = su′σv′v′′ tw′y = tw′τ ′1 · · · τ ′lsu′σv′ tw′τ ′1

Corollary 10With Lvoc as defined earlier in this section, let

Lm := θ−1(Mm) ∩ Lvoc

5.7 277

and (with Hlo as in Theorem 9) define

Klo := Hlo ∩ Lm

Then Hlo = Klo. 2

The Lm–observer property of θ is stronger than necessary for the resultin Theorem 9.

τ1 τ2αβ γ τ1τ2

GhiGlo

Fig. 5.18

In Fig. 5.18, θ(α) = θ(ϵ) = ϵ, θ(ϵγ) = θ(γ) = τ2 but θ(αs′) = τ2 for any s

′, soθ is not an Lm–observer. However, for any choice of Khi ∈ Chi(Mm), Hlo :=supClo(θ

−1(Khi)) is HNB.

Exercise 11: Prove Corollary 10 and interpret the result in terms of ‘low-level nonblocking’.

Exercise 12: Verify that the assumptions of Theorem 9 are valid for theTransfer Line HCGLO, Fig. 5.13.

Exercise 13: Investigate how Theorem 9 might be improved by (possibly)weakening the Lm–observer property but strengthening the SOCC assump-tion. For instance, the Lm–observer property becomes more ‘reasonable’ ifthe local control structure is everywhere as sketched below:

σk

τk ∈ Tc

.

.

.

τk · · ·

· · ·

τ1 ∈ Tu

τ

· · ·

σ1

τ1

· · ·

Formalize, relate to Theorem 9, and discuss necessity of the Lm–observerproperty in this situation.

278 CHAPTER 5

5.8 Notes and References

The material of this chapter originates with the theses of H. Zhong [T09, T20]and related publications [J14, C34, C38]. Theorems 5.5.3 and 5.5.4 are due toK.C. Wong [T12], who also addressed the hierarchical nonblocking problem[T28, J30, J31]. The specific results of Section 5.7 are new, but adapted from[T20, J30]; cf. also Pu [T41]. Dual approaches to hierarchical supervisorycontrol, based on state aggregation, have been reported by Schwartz [T25]and Hubbard & Caines [2002]; or on state space decomposition, by Wang[T29] and Leduc [T46].

Hierarchy is a long-standing topic in control theory and has been discussedby many authors, notably Mesarovic et al. [1970]. For a perceptive andclassic essay on the benefits of hierarchical organization the reader is referredto Simon [1962].

For a literary antecedent to Exercise 5.1.1, see L. Tolstoy, War and Peace,Epilogue, Part II, Section VI.

Appendix 5.1: Computational Algorithm for

Output-Control-Consistency

We provide an algorithm for implementing the procedure of Section 5.3 forachieving output-control-consistency. It is assumed that Glo is representedas a finite-state Moore transition structure

Glo = (Q,Σ, To, δ, ω, q0, Qm)

as defined in Section 5.2. The state-transition graph (including state outputs)of Glo will be denoted simply by G. Recall that To = T ∪ τo, τo being the‘silent’ output symbol. Adapting the terminology of Section 5.3 to G, we saythat a state q ∈ Q is silent if ω(q) = τo or is vocal if ω(q) ∈ T . The initialstate q0 is silent. A path in G, displayed as

q′σ1−→ q1

σ2−→ q2 −→ · · · σk−1−→ qk−1σk−→ q

Appendices 279

is silent if (i) q′ is either a vocal state or the initial state, and (ii) eitherk = 1, or k > 1 and the states q1, ..., qk−1 are silent. A silent path is redif at least one of its transition labels σ1, ..., σk is controllable; otherwise itis green. For each q ∈ Q let P (q) be the set of all silent paths that end atq; because of possible loops in G, P (q) may be infinite. Then G is output-control-consistent (OCC) if and only if, for each vocal state q ∈ Q, eitherevery p ∈ P (q) is red or every p ∈ P (q) is green.

In general G will fail to be OCC. Our objective is to replace G by anew version Gnew that is OCC, has the same marked and closed behavior asG, and incorporates the modified (split) output structure described for thereachability tree in Section 5.3. To this end we define, for any graph G ofthe type described, the predecessor and successor functions:

in set : Q→ Pwr(Q× Σ)

in set(q) := (q′, σ) ∈ Q× Σ|δ(q′, σ) = qout set : Q→ Pwr(Σ×Q)

out set(q) := (σ, q′′) ∈ Σ×Q|δ(q, σ) = q′′It can and will be arranged that in set(q) = ∅ if and only if q = q0. For anypair (q′, σ) define

out color(q′, σ) ∈ red,green,amber

according to the rule

out color(q′, σ) :=

red if red(q′) & silent(q′) & uncont(σ)

or cont(σ)green if green(q′) & silent(q′) & uncont(σ)

or vocal(q′) & uncont(σ)amber if amber(q′) & uncont(σ)

Here cont(σ) means σ ∈ Σc, uncont(σ) means σ ∈ Σu. Then define, forq = q0,

new color(q) :=

red if out color(q′, σ) = red

for all (q′, σ) ∈ in set(q)green if out color(q′, σ) = green

for all (q′, σ) ∈ in set(q)amber otherwise

280 CHAPTER 5

Without essential loss of generality it will be assumed that every state ofG is coreachable with respect to the vocal states: that is, from every statethere is some vocal state that can be reached by a path in G. It is thenstraightforward to show from the foregoing assumptions and definitions thatG is OCC just in case

(i) for all q ∈ Q, either color(q) = red or color(q) = green, and

(ii) the following stability condition is satisfied:

(∀q ∈ Q)new color(q) = color(q) (stable)

The idea of the OCC algorithm is iteratively to modify the graph G by aprocess of recoloring, and elimination of amber states by state-splitting, until(stable) is achieved. The formal procedure is summarized as Procedure OCCin the pseudo-Pascal Unit POCC listed in Appendix 5.4. By the procedureInitialize, OCC first assigns to all q color(q) := green. By RecolorStates,each state other than the initial state q0 (which stays green) is recolored inarbitrary order according to the assignment

color(state) := new color(state) (∗)

If thereby any state changes color, (stable) is falsified.In case (stable) is false, each amber state (if any), say qa, is processed by

FixAmberStates. Initially the subprocedure SplitAmberStates splits qa intosiblings qr, qg with the assignments

color(qr) := red, color(qg) := green

If qa ∈ Qm then the new states qr, qg are declared to be marker states as well,while the subprocedure MakeNewOutputs assigns new outputs

ω(qr) := [τ, 1], ω(qg) := [τ, 0] if ω(qa) = τ ∈ T

ω(qr) = ω(qg) = τo if ω(qa) = τo

Next the local transition structure at qa is modified. The subprocedure Mak-eNewTrans executes the following:

(i) for all (q′, σ) ∈ in set(qa)case q′ = qa

Appendices 281

back-connects (qr, qg) to create transitions

[q′, σ, qr] if out color(q′, σ) = red[q′, σ, qg] otherwise

case q′ = qa & qa silent

creates transitions

[qr, σ, qr], [qg, σ, qr] if cont(σ)[qr, σ, qr], [qg, σ, qg] if uncont(σ)

case q′ = qa & qa vocal

creates transitions

[qr, σ, qr], [qg, σ, qr] if cont(σ)[qr, σ, qg], [qg, σ, qg] if uncont(σ)

(The selfloop cases q′ = qa are treated by first copying qa as q′a = qa,splitting both q′a and qa, back-connecting as in first case, then mergingq′r, qr and q

′g, qg.)

(ii) for all (σ, q′′) ∈ out set(qa), forward-connects qr, qg to create transitions

[qr, σ, q′′], [qg, σ, q

′′]

(iii) removes qa with its associated transitions from the database.

A list of split states is maintained to ensure that a state is split atmost once. If on a subsequent iteration a state that is a member of a splitpair is recolored amber, then instead of SplitAmberStates the subprocedureSwitchOldTrans is invoked and executes the following:

(i) gets the siblings qr, qg corresponding to qa (it will be shown below thatnecessarily qa = qg)

(ii) for all (q′, σ) ∈ in set(qa) such that out color(q′, σ) = red, creates[q′, σ, qr] and deletes [q′, σ, qa].

282 CHAPTER 5

The foregoing process is iterated by the repeat loop until (stable) (hencecondition (∗)) becomes true.

It must be shown that OCC terminates. For this we first note

Property 1Once a state (or a state sibling) has been colored red, it remains red in

subsequent iterations.

ProofSuppose some red state reverts to green or amber on a subsequent itera-

tion. Consider the first instance (state q and iteration #N) of such a change.At iteration #(N − 1), for each element

(q′, σ) ∈ in set(q)

it was the case that either σ ∈ Σc or (if σ ∈ Σu) q′ was silent and red. Since

the controllable status of σ and the vocal status of q′ are both invariant, q′

must have changed from red to green or amber, contradicting the assumptionthat q is the first state to have so changed. 2

Since a state is split at most once, Property 1 implies

Property 2Eventually the state set size, and the subsets of red states and of green

states on reentry to the repeat loop, remain invariant.

To prove termination it now suffices to show that a state can changefrom green to amber at most finitely often. By Property 2 and the action ofSwitchOldTrans, eventually all transitions

[q′, σ, q] with out color(q′, σ) = red

will have been switched to states q with color(q) = red. Under this condition,on reentry to the repeat loop it will be true for any transition [q′, σ, q] that

color(q) = green ⇒ out color(q′, σ) = green

It follows that for all states q, (∗) is satisfied and therefore (stable) is true,as claimed.

Appendices 283

Because a state is split at most once, when OCC terminates the state setwill have at most doubled in size; it is also clear that the closed and markedbehaviors of the generator described by the graph remain unchanged.

Computational effort can be estimated as follows. SupposeG has n statesand m transitions. Both RecolorStates and FixAmberStates will requireO(nm) steps (comparisons and assignments), while the number of iterationsis at worst O(n+m), giving O(nm(n+m)) steps for the overall computation.

Appendix 5.2: Conceptual Procedure for Strict-

Output-Control-Consistency

To achieve strict-output-control-consistency, a conceptual procedure basedon the reachability tree of Glo (say, tree) can be organized as follows.

Starting at the root node, order the nodes of tree level-by-level (i.e.breadth first) as 0,1,2,...; and write n < n′ if n precedes n′ in the order-ing. Let ζ ∈ To be a new output symbol, and let

To,new = To ∪ ζ

be the extension of To. We write path(nsn′), and refer to the path nsn′, ifthere is a path in tree starting at n and leading via s ∈ Σ∗ to n′. Say thenode n is vocalizable if

(i) n is silent;

(ii) (∃no < n)(∃σ ∈ Σc) path(noσn);

(iii) (∃n1 > n)(∃s1 ∈ Σ∗u) path(ns1n1), ns1n1 is silent, and n1 is vocal; and

(iv) (∃n2 > n)(∃s2 ∈ Σ∗) path(ns2n2), ns2n2 is silent, n2 is vocal, andω(n2) = ω(n1).

Conditions (i)-(iv) express the fact that n1, n2 are partners with respectto n. Examining each node in order, modify tree as follows. If node nis vocalizable, then vocalize n by redefining ω at n as ωnew(n) = ζ. [Ifω(n1) = τc ∈ Tc then ultimately we shall redefine ω at n1 as ωnew(n1) = τu,

284 CHAPTER 5

but at this stage no change of state output will be introduced.] Otherwise,if n is not vocalizable, go on to the successor node of n.

Since vocalization of n has no effect on nodes n′ < n, the procedure is welldefined, transforming tree to newtree, say. Furthermore if n is vocalizable itremains so as the procedure moves to nodes n′′ > n (vocalization at a givenlevel is never rendered superfluous by vocalization later on), because theuncontrollable silent path nsn1 is never modified. Define str:N → Σ∗ bynode(str(n)) = n. Write s = str(n), s′ = str(n′) and define n ≡ n′(mod tree)to mean (cf. Section 5.3)

s ≡ s′(mod Lo) and s ≡ s′(mod θ)

Note that n ≡ n′ if and only if the subtrees of tree rooted at n and n′

respectively are identical. Corresponding to newtree we shall have the map

θnew : Σ∗ → T ∗o,new

The equivalence ≡ (mod θnew) is then defined in similar fashion (Section 5.3),as is equivalence ≡ (mod newtree).

Now suppose that n, n′ are vocalizable. If n < n′ and there is s ∈ Σ∗Σc

such that path(nsn′), it is clear that vocalization of n can have no effect onthe subtree rooted at n′; and the same is true a fortiori if there is no pathfrom n to n′. Consequently, if nodes n, n′ are vocalizable, and n ≡ n′(modtree), then also n ≡ n′(mod newtree). Next suppose that neither n nor n′

is vocalizable and that n ≡ n′(mod tree). Since the subtrees of tree rootedrespectively at n and at n′ are identical, and neither n nor n′ gets vocalized,the vocalization procedure applied to these subtrees must yield the sameresult; that is, the subtrees of newtree rooted at n and n′ must be identical,and so again n ≡ n′(mod newtree).

The foregoing discussion can be summarized by the assertions that thecells of ≡ (mod newtree) are formed by splitting the cells of ≡ (mod tree)according to the partition of nodes in tree into vocalizable and nonvocalizable;and that only cells of the silent nodes of tree are so affected. Thus, in theregular case, if the canonical Moore automaton Glo (corresponding to tree)has Ns silent states and Nv vocal states, the canonical Moore automatonGlo,new (corresponding to newtree) will have no more than Ns silent statesand Nv +Ns vocal states.

The vocalization procedure in no way depended on a prior assumptionthat Glo was output-control-consistent: in (iv) above the condition ω(n1) =

Appendices 285

ω(n2) is true after the OCC output assignment procedure (Section 5.4) ifand only if it was true beforehand. Thus vocalization could be carried outinitially, before the OCC procedure itself, with no difference to the result.Suppose this is done. It is clear that newtree can then be rendered OCC bythe OCC procedure, and that this process will not introduce any vocalizablenodes (by the remark just made about (iv)). The final result is thereforeSOCC, as required, and the final state count in terms of the parametersabove is bounded by 2(Nv + 2Ns), or less than four times the state count ofthe Moore structure provided at the start.

Appendix 5.3: Computational Algorithm for

Hierarchical Consistency

While the property of strict-output-control-consistency is sufficient for hier-archical consistency (Theorem 5.5.1) and, as described in Appendix 5.2, isconceptually straightforward to achieve, it falls short of being necessary. Inthis section a somewhat weaker (albeit still not necessary) condition thatensures the desired result will be introduced, together with an effective algo-rithm to achieve hierarchical consistency in the regular case. This algorithmis slightly more efficient than the procedure of Appendix 5.2 in that possi-bly fewer states need to be newly vocalized. Regrettably, the approach israther complicated to describe. A high-level pseudo-Pascal version is listedas Program PSHC in Appendix 5.4. PSHC uses Procedure OCC from UnitPOCC, as well as Procedure HCC described below.

Consider a (finite) state-transition graph G for Glo, where we assumethat Glo is already output-control-consistent. Thus, in the terminology forstate-transition graphs introduced in Appendix 5.1, each vocal state of Gis unambiguously either red (controllable output) or green (uncontrollableoutput). The following definitions will be needed. A silent path suffix (sps)is a path

qσ1−→ q1

σ2−→ q2 −→ · · · σk−1−→ qk−1σk−→ q′

with q1, ..., qk−1 silent and q′ vocal (but q unrestricted). An agent is a pair

(q, σ) ∈ Q× Σc

286 CHAPTER 5

such that there is an sps as displayed, with σ1 = σ ∈ Σc and σ2, ..., σk ∈ Σu

(thus q′ is red). Say q′ is critical for (q, σ), and denote the subset of criticalstates by C(q, σ). According to the definition of γlo, we have γlo( , σ) = 0(i.e. an event σ ∈ Σc is disabled under command and control) just at statesq ∈ Q such that (q, σ) is an agent and C(q, σ) contains a state q′ such thatω(q′) = τ ′ with γhi( , τ ′) = 0. Next, the blocking set B(q, σ) of an agent (q, σ)is the subset of (red, vocal) states q′ ∈ Q such that an sps exists as displayedabove, with σ1 = σ but σ2, ..., σk unrestricted; thus B(q, σ) ⊇ C(q, σ), andthe inclusion may be strict. An agent (q, σ) is unary if |B(q, σ)| = 1, i.e.contains just one state, which is thus critical. Let p, q ∈ Q with p red andvocal but q arbitrary. An sps from q to p is dedicated if each of its transitions[a, λ, b] is such that either (a, λ) is not an agent, or (a, λ) is a unary agentwith B(a, λ) = p. Define the set

D(q) := p ∈ Q|red(p) & vocal(p)

& there exists a dedicated sps joining q to p

An agent (q, σ) will be called admissible if

B(q, σ) ⊆ D(q)

that is, each state p (potentially) blocked by (q, σ) is reachable from q along adedicated sps. Otherwise (q, σ) is inadmissible. Note that if q′ = δ(q, σ) (withq′ vocal, σ ∈ Σc) then (q, σ) is always admissible; so if (q, σ) is inadmissiblethen δ(q, σ) is silent.

The idea of the algorithm (Procedure HCC) is to identify the inadmissi-ble agents (q, σ), then vocalize the states δ(q, σ). The connection with theconceptual procedure of Appendix 5.2 is provided by

Proposition 1If Glo is SOCC then every agent of Glo is admissible. If Glo is OCC and

every agent in some finite transition graph (FTG) of Glo is unary, then Glo

is SOCC.

ProofSuppose an agent (q, σ) is inadmissible. Then there is p ∈ B(q, σ) with

p ∈ D(q), so there is no dedicated sps from q to p. By definition of B(q, σ)there is an sps

qσ−→ q1

σ2−→ q2 −→ · · · σk−1−→ qk−1σk−→ p

Appendices 287

Since this sps is not dedicated, it includes a transition [a, λ, b] such that(a, λ) is an agent and it is not the case that (a, λ) is a unary agent withB(a, λ) = p. Thus either (a, λ) is a unary agent with B(a, λ) = p, or(a, λ) is a non-unary agent. The first case is impossible since the sps ends atp. In the second case, since (a, λ) is an agent there is an sps

aλ−→ a1

λ2−→ a2 −→ · · · λh−1−→ ah−1λh−→ a′

with a′ red and vocal and λ2, ..., λh ∈ Σu; and since (a, λ) is non-unary thereis an sps

aλ−→ a1

µ2−→ b2 −→ · · · µj−1−→ bj−1µj−→ a′′

with a′′ red and vocal, a′′ = a′, and the µ’s unrestricted. Let n be a nodein T corresponding to a, and let the strings λλ2 · · ·λh resp. λµ2 · · ·µj leadfrom n to nodes n1 resp. n2. Clearly n1, n2 are partners, namely Glo is notSOCC.

For the second assertion note that the reachability tree of Glo can beconstructed inductively from an FTG for Glo by tracing all silent paths inthe FTG from the root node to a vocal node or from one vocal node toanother. If every agent a = (q, σ) in the FTG is unary then all sps in theFTG which start with a terminate at the same (red, vocal) state, hence thecorresponding silent paths in the tree terminate at equivalent nodes. Butthis fact rules out the existence of partners. 2

We note that Glo need not be SOCC even though every agent of itsFTG is admissible. For instance, consider the structures G and T shown inFig. 5.19; T is the reachability tree corresponding to G. In G the agent (0,1)

is admissible because the sps 03→ 2 and 0

5→ 3 are dedicated, and obviously(0,3), (0,5) are admissible. Hence every agent is admissible, but in T nodes4 and 5 are partners.

288 CHAPTER 5

o

o

1 3 1 3

o

o

31

0

3 51

0 2

2 3 4 5

1

53

2 3

0 2

1 1

G T

0

Fig. 5.19

The counterpart of Theorem 5.5.1 that we need is the following.

Proposition 2Assume that Glo is OCC and that every agent in the (finite) state transi-

tion graph of Glo is admissible. Let Ehi ⊆ L(Ghi) be nonempty, closed andcontrollable. Then

θ((θ−1(Ehi))↑) = Ehi

ProofThe proof will just be summarized, with details left to the reader. Write

L(Glo) =: Llo, L(Ghi) =: Lhi and L(γlo,Glo) =: Klo. As in the proof ofTheorem 5.5.1 it suffices to show that

θ(Klo) = Ehi

To the contrary, assume that Ehi − θ(Klo) = ∅. We begin with the sameconstruction as in the proof of Theorem 5.5.1, and select t, t′, t′′, s, s′′, w, w′, σand τ as before, so that t ∈ Ehi − θ(Klo), t

′ < t is maximal for t′ ∈ θ(Klo),s ∈ Elo with θ(s) = t, θ(s′′) = t′′ ≤ t′, θ(s′′w) = t′′τ , s′′w′ ∈ Klo, s

′′w′σ ∈Klo, w

′σ ≤ w, s′′w ≤ s, and σ ∈ Σc. This time we work in the finite

Appendices 289

state transition graph of Glo and write q′′ := δ(q0, s′′), q′ := δ(q0, s

′′w′) andq := δ(q0, s

′′w). Like node(s′′) and node(s′′w) in the former proof, here q′′ andq are vocal. Note that (q′, σ) is an agent, with q ∈ B(q′, σ). By hypothesis,there is a dedicated sps joining q′ to each state p in the set B(q′, σ), hencethere is an sps from q′′ to q via q′, along which no element σ ∈ Σc is disabledby γlo. That is, there is v ∈ Σ∗ of the form v = w′v′ such that

δ(q0, s′′v) = δ(q0, s

′′w) = q, s′′v ∈ Klo and θ(s′′v) = t′′τ

In case t′′ = t′, we have that t′τ ∈ θ(Klo), contradicting the maximality oft′, and we are done. Otherwise, suppose t′′ < t′. Since s′′w ≤ s, we haves′′wx = s for some x ∈ Σ∗. Now replace s by snew := s′′vx, s′′ by s′′v,t′′ by t′′new := t′′τ , q′′ by q′′new := q, and repeat the argument starting fromstate q′′new. At each stage we extend t′′ < t′ by one element τ at a time,to eventually achieve that t′′new = t′. After one more, final stage we obtaint′τ ≤ t with t′τ ∈ θ(Klo). Since this contradicts the maximality of t′, wemust have θ(Klo) = Ehi after all. 2

Observe that an agent (q, σ) that is inadmissible can be rendered admis-sible simply by vocalizing the state q′ := δ(q, σ) (cf. Appendix 5.2). It isclear that the totality of such vocalizations cannot introduce further agents,i.e. convert a pair (q, σ) (with σ ∈ Σc and δ(q, σ)!) to an agent if it was notan agent before. In fact, if a new agent (q, σ) were thereby created, a newsps would appear, of the form

qσ−→ q1

σ2−→ q2 −→ · · · σk−1−→ qk−1σk−→ q′

where σ2, ..., σk ∈ Σu. Because (q, σ) was already an agent, there is an sps

q′σ′1−→ q1

σ′2−→ q2 −→ · · ·

σ′k−1−→ qk−1

σ′k−→ p

with σ′1, ..., σ

′k ∈ Σu. Clearly the catenation of these two sps was, prior to

the vocalization of q′, an sps joining q to p, namely (q, σ) was previously anagent after all.

In HCC each agent is inspected in turn, with any agent that is inadmissi-ble immediately vocalized; as shown above, in this process no new agents arecreated. However, it may result from the process that an admissible agentis converted to one that is inadmissible. But as any agent, once vocalized,remains admissible, by repetition of the process a number of times at most

290 CHAPTER 5

equal to the number of agents (i.e. no more than the number of transitions)all agents will eventually be rendered admissible. HCC therefore loops untilthis condition is satisfied.

In general, vocalization will destroy the property that Glo is output-control-consistent. If the algorithm of Appendix 5.1 (Procedure OCC) isexecuted once more, OCC will be restored. It remains to show that in thisfinal step, involving state-splitting and recoloring, no inadmissible agents arecreated. Indeed, a new agent is created only if a former agent (q, σ) is split,into (qr, σ), (qg, σ) say. Consider a dedicated sps formerly joining q to q′

(say). If q′ is not split, the sps will get replaced by a dedicated sps to q′

from each of qr, qg, so the two new agents are again admissible; while if q′

is split into q′r, q′g this conclusion holds with q′r in place of q′. We infer that

the inclusion B(q, σ) ⊆ D(q) is true for each agent in the new transitionstructure provided it was true for each agent in the old.

Computational effort can be estimated as follows. Suppose G has nstates and m transitions. For a pair (q, σ), the subsets D(q) and B(q, σ)can each be identified by examining all (state,transition) pairs, namely inO(nm) steps. Checking the inclusion B(q, σ) ⊆ D(q) requires at most O(n2)steps. As there are at most m agents, Procedure HCC therefore requiresO(n3m + n2m2) steps. Combining this result with that of Appendix 5.1 forProcedure OCC, we obtain a complexity bound of

O(n3m+ n2m2 + nm2) = O(n3m+ n2m2)

for the overall Program PSHC for achieving high-level hierarchical consis-tency.

Appendix 5.4: Listing for Pseudo-Pascal Unit

POCC and Program PSHC

UNIT POCC;

pseudo-Pascal Unit with procedure OCC for achieving

output-control-consistency; operates on database defining

Appendices 291

transition structure of G lo, to create G lo new

INTERFACE

CONST

specify integers MaxStateSize, MaxAlphabetSize

TYPE

States = 0..MaxStateSize;

Events = 0..MaxAlphabetSize;

Colors = (red, green, amber);

In Events = array[States, Events] of Integer;

Out Events = array[Events, States] of Integer;

PROCEDURE OCC;

FUNCTION GetSize: States;

IMPLEMENTATION

VAR

stable: Boolean;

FUNCTION GetSize;

begin

reads size of state set from databaseend;

FUNCTION GetColor(state: States): Colors;

begin

reads state color from databaseend;

PROCEDURE SetColor(state: States; color: Colors);

begin

assigns state color to databaseend;

292 CHAPTER 5

PROCEDURE SetSibling(state, sibling: States);

begin

assigns sibling to state in databaseend;

FUNCTION GetSplit(state: States): Boolean;

begin

returns true if state listed as split in databaseend;

PROCEDURE SetSplit(state: States; split: Boolean);

begin

lists state as split in databaseend;

PROCEDURE InSet(state: States; var in set: In Events);

begin

collects in set(state) from databaseend;

PROCEDURE OutSet(state: States; var out set: Out Events);

begin

collects out set(state) from databaseend;

PROCEDURE Initialize;

var size, state: States;

begin

size:= GetSize;

for state:= 0 to size-1 do

begin

SetColor(state, green);

SetSplit(state, false)

end

end;

PROCEDURE RecolorStates;

Appendices 293

FUNCTION NewColor(in set: In Events): Colors;

begin

returns color determined by in setend;

VAR old color, new color: Colors;

in set: In Events;

size, state: States;

begin RecolorStatessize:= GetSize;

for state:= 0 to size-1 do

begin

old color:= GetColor(state);

InSet(state, in set);

new color:= NewColor(in set);

if new color <> old color then

begin

stable:= false;

SetColor(state, new color)

end

end

end;

PROCEDURE FixAmberStates;

var size, state: States;

count: Integer;

PROCEDURE SplitAmberStates(state: States; var count: Integer);

PROCEDURE MakeSibling(var count: Integer);

var sibling: States;

begin

sibling:= size+count;

count:= count+1;

SetSibling(state, sibling);

SetColor(state, green);

294 CHAPTER 5

SetSplit(state, true);

SetColor(sibling, red);

SetSplit(sibling, true)

end;

PROCEDURE MakeNewOutputs(state: States);

begin

writes to database:

tags a vocal state and its sibling with appropriate

controllable or uncontrollable version of state outputend;

PROCEDURE MakeNewTrans(state: States;in set: In Events;

out set: Out Events);

begin

writes to database:

redistributes incoming transitions

between state and its siblingend;

var in set: In Events;

out set: Out Events;

begin SplitAmberStatesMakeSibling(count);

MakeNewOutputs(state);

InSet(state, in set);

OutSet(state, out set);

MakeNewTrans(state, in set, out set)

end;

PROCEDURE SwitchOldTrans(state: States);

begin

writes to database:

redistributes outgoing transitions between

state and its siblingend;

Appendices 295

begin FixAmberStatessize:= GetSize;

count:= 0;

for state:= 0 to size-1 do

if GetColor(state) = amber then

begin

if not GetSplit(state) then SplitAmberStates(state, count)

else SwitchOldTrans(state)

end

end;

PROCEDURE OCC;

BEGIN PROCEDURE OCCInitialize;

repeat

stable:= true;

RecolorStates; returns stable = false unless

OCC achievedif stable = false then FixAmberStates

until stable

END;

END.

PROGRAM PSHC;

pseudo-Pascal program for achieving

strict-output-control-consistency; operates on database defining

transition structure of G lo, to create G lo new

USES POCC;

PROCEDURE HCC;

TYPE

Array States = array[States] of Integer;

296 CHAPTER 5

FUNCTION Agent(state: States; event: Events): Boolean;

begin

returns true if (state,event) is an agentend;

PROCEDURE GetDedicatedSet(state: States; var dedicated set: Array States);

begin

collects dedicated set from databaseend;

PROCEDURE GetBlockingSet(state: States; event: Events;

var blocking set: Array States);

begin

collects blocking set from databaseend;

FUNCTION Subset(blocking set, dedicated set: Array States): Boolean;

begin

returns true if blocking set is a subset of dedicated setend;

PROCEDURE Vocalize(state: States; event: Events);

begin

finds transition (state,event,new state) in database;

vocalizes new stateend;

var flag: Boolean;

size, state: States;

event: Events;

dedicated set, blocking set: Array States;

begin PROCEDURE HCCsize:= GetSize;

repeat

flag:= true;

for state:= 0 to size-1 do

begin

Appendices 297

for event:= 0 to MaxAlphabetSize do

ifAgent(state,event) then

begin

GetDedicatedSet(state,dedicated set);

GetBlockingSet(state,event,blocking set);

ifnot Subset(blocking set,dedicated set) then

begin

flag:= false; agent is inadmissibleVocalize(state,event)

end

end

end

until flag = true all agents are admissibleend;

BEGIN PROGRAM PSHCOCC;

HCC;

OCC

END.

298 CHAPTER 5

Chapter 6

Supervisory Control WithPartial Observations

A natural generalization of the control paradigm explored so far allows forfeedback in which information may be lost in the channel linking plant tocontroller. It will be assumed that the channel behaves like a natural (zero-memory) projection, transmitting observable and erasing unobservable eventssymbol by symbol. A concept of language observability is introduced to ex-press that control decisions based on such partial feedback information arealways correct. It is shown that control synthesis of a given language ispossible just when the language is controllable and observable; constructiveprocedures are provided to design and implement the resultant feasible con-troller. It is then effectively computable how control performance dependson the information available to the supervisor, as parametrized by the subsetof observable events.

6.1 Natural Projections and Normal Languages

In this chapter we consider the problem of supervisory control under theassumption that only a subset of the event labels generated by the plant canactually be observed by the supervisor. This subset in general need have

299

300 CHAPTER 6

no particular relation to the subset of controllable events. Our model willlead to a natural definition of observable language, in terms of which theexistence of a supervisor for the standard type of control problem consideredin previous chapters can be usefully discussed. It will turn out that, whileobservability is a somewhat difficult property to work with, two strongerproperties, called respectively normality and relative observability, provideeffective alternatives, and often lead to satisfactory solutions of the problemof supervision.

S G

C

The general setup is shown in the figure. The DES generator G modelingthe system to be controlled is of the form considered in previous chapters.The new feature here is the communication channel C linking G to thesupervisor S. We consider only the simplest case, where the events visibleto S form a subset Σo of the alphabet Σ associated with G. Apart fromthis feature, S operates in the usual way, enabling or disabling events inthe controllable subset Σc of Σ. No particular relation is postulated to holdbetween Σc and Σo: in particular, S can potentially disable controllableevents that are not observable, namely Σc−Σo need not be empty. To modelthe channel C we employ the natural projection

P : Σ∗ → Σ∗o

defined inductively according to

P (ϵ) = ϵ

P (σ) =

σ if σ ∈ Σo

ϵ otherwise

P (sσ) = P (s)P (σ) for s ∈ Σ∗, σ ∈ Σ

6.1 301

Thus the action of P on a string s is just to erase from s the events that donot belong to Σo, leaving the order of Σo-events in s unchanged. If s1, s2 ∈ Σ∗

then P (s1s2) = P (s1)P (s2), namely P is catenative. For s, s′ ∈ Σ∗ define

s ≡ s′(mod kerP ) if Ps = Ps′

Because P is catenative, ker P is a right congruence on Σ∗ (in general withinfinitely many cells).

In TCT, P is implemented by project. Let E be a DES over Σ, andnull(P ) (resp. image(P )) a list of the events erased by P , i.e. σ ∈ Σ − Σo

(resp. preserved by P , i.e. σ ∈ Σo). Then

PE := project(E,null(P )/image(P ))

is a (minimal-state) DES with

Lm(PE) = PLm(E), L(PE) = PL(E)

Because project uses the subset construction (Exercise 2.5.9) to ensure thatPE is deterministic, this procedure requires, in the worst case, computationaleffort (both time and computer memory) that is exponential in the state sizeof E. Fortunately, such exponential blowup seems to be rarely encounteredin practice.

Denote byP−1 : Pwr(Σ∗

o) → Pwr(Σ∗)

the usual inverse image function of P (cf. Section 1.4). In TCT P−1 isimplemented by selfloop. Thus let GO be a DES over Σo, and let

PINVGO := selfloop(GO,null(P ))

Then

Lm(PINVGO) = P−1Lm(GO)

L(PINVGO) = P−1L(GO)

Exercise 1: Let K ⊆ Σ∗,Σo ⊆ Σ, and P : Σ∗ → Σ∗o the natural projection.

Write [s] for the cell of s (mod kerP ) i.e.

[s] := s′ ∈ Σ∗|Ps′ = Ps

302 CHAPTER 6

Denote by PK(s) the Nerode K-cell of s ∈ Σ∗, and define the function

f : Σ∗ → Pwr (Σ∗/Ner(K))

according tof(s) = PK(s

′)|s′ ∈ [s], s ∈ Σ∗

As in Exercise 1.4.21, write

℘(Ner(K)) = ker f

for the exponentiation of Ner(K) with respect to kerP . Show that ℘(Ner(K))is a right congruence on Σ∗. Next let Ner(PK) be the Nerode equivalencerelation of PK on Σ∗

o, and denote by Ner(PK) · P the equivalence relationon Σ∗ given by

s1 ≡ s2 iff Ps1 ≡ Ps2(mod Ner(PK))

Show that Ner(PK) · P is a right congruence on Σ∗, with

℘(Ner(K)) ≤ Ner(PK) · P = Ner(P−1(PK))

From this result deduce that

∥PK∥ ≤ 2∥K∥

where ∥ · ∥ denotes Nerode index.

Exercise 2: In Exercise 1 let κ be a right congruence on Σ∗ with Ner(K) ≥ κ.Show that ℘(κ) is also a right congruence, and that

∥PK∥ ≤ |℘(κ)| ≤ 2|κ|

Here |α| denotes the number of cells of the equivalence relation α.

Exercise 3: Marking and reductionLet ν be a right congruence on Σ∗, and N ⊆ Σ∗ with Ner(N) ≥ ν. Define

n : Σ∗ → 0, 1 according to n(s) = 1 iff s ∈ N . If Pν : Σ∗ → Σ∗/ν is thecanonical projection, show that kerPν ≤ kern, so there exists n : Σ∗/ν →0, 1 such that n = nPν . We say ν is marked by n, and that the pair (ν, n)marks N . Since Σ∗ − N is (if nonempty) a cell of Ner(N), it is a union ofcells of ν. We say ν is reduced with respect to N if Σ∗ − N is a single cell of

6.1 303

ν, which we call the dump cell of ν. If (ν, n) marks N and ν is reduced forN , we say (ν, n) represents N .

With reference to Exercises 1 and 1.4.21, observe that a cell of ℘(ν), orelement of Σ∗/℘(ν), is naturally identified with a subset of elements of Σ∗/ν,according to

[s]℘(ν) = f(s), s ∈ Σ∗

wheref(s) = Pν(s

′)|s′ ∈ [s]

Define n : Σ∗/℘(ν) → 0, 1 according to

n([s]℘(ν)) = 1 iff n([s′]ν) = 1

for at least one string s′ ∈ [s]. Show that (℘(ν), n) marks P−1(PN).In case ν is reduced for N , so that Σ∗− N is a cell of ν, obtain a reduced

representation of P−1(PN) by aggregating f as follows. For s ∈ Σ∗ define

f(s) =

Pν(s

′)|s′ ∈ [s] ∩ N if [s] ∩ (Σ∗ − N) = ∅Pν(s

′)|s′ ∈ [s] ∩ N∪Σ∗ − N if [s] ∩ (Σ∗ − N) = ∅

In the first case all look-alike strings s′ belong to N ; in the second at leastone s′ does not. Write ℘(ν) = ker f and show that ℘(ν) is a right congruenceon Σ∗ which is reduced for P−1(PN). In ℘, Σ∗ − N again plays the role ofdump cell, for s ∈ Σ∗−P−1(PN) iff [s] ⊆ Σ∗− N , namely f(s) = Σ∗− N.Thus (℘(ν), n) represents P−1(PN).

Exercise 4: Let K ⊆ Σ∗, κ := K,Σ∗− K, and let ν be a right congruenceon Σ∗. If Ner(K) ≥ κ ∧ ν, show that κ ∧ ν is also a right congruence on Σ∗.Suppose N ⊆ Σ∗,Ner N ≥ ν, and (ν, n) marks N . Define k : Σ∗/κ ∧ ν →0, 1 as follows: If c ⊆ Σ∗ is a cell of κ ∧ ν, then k(c) = 1 iff c ⊆ K ∩ N .Assuming (κ ∧ ν, k) marks K, show that K = K ∩N .

Definition 5 With K, κ, ν,N and k as in Exercise 4, we say that K inherits(its marking) from ν. In case ν = Ner(N), we may say that K is marked byN .

Associated with any projection P is a useful property of languages definedas follows. Let

N ⊆M ⊆ Σ∗

304 CHAPTER 6

Define N to be (M,P )-normal if

N =M ∩ P−1(PN)

Note that in this equality the inclusion ⊆ is automatic, while the reverseinclusion is not. Thus N is (M,P )-normal if and only if it can be recoveredfrom its projection along with a procedure for deciding membership in M .Equivalently, from s ∈ N , s′ ∈ M and P (s′) = P (s) one may infer thats′ ∈ N . An (M,P )-normal language N is the largest sublanguage N of Mwith the property that PN = PN . It is easily seen that both M and theempty language ∅ are (M,P )-normal. In fact, if K ⊆ Σ∗

o is arbitrary, thenthe language

N :=M ∩ P−1K

is always (M,P )-normal. Notice also that if N is (M,P )-normal, so isM−N .

Exercise 6: Let [s] denote the cell of ker P containing s ∈ Σ∗. If N ⊆ Σ∗

show thatP−1(PN) =

∪[s]|s ∈ N

Then show that N is (M,P )-normal iff

N =∪

[s] ∩M |s ∈ N

Illustrate with a sketch of Σ∗ partitioned by ker P .

With P fixed in the discussion, and the language E ⊆ Σ∗ arbitrary, bringin the family of languages

N(E;M) = N ⊆ E|N is (M,P )-normal,

the class of (M,P )-normal sublanguages of E. Then N(E;M) is nonempty(∅ belongs), and enjoys the following algebraic closure property.

Proposition 7The class of languages N(E;M) is a complete sublattice (with respect to

sublanguage inclusion) of the lattice of sublanguages of E. In particular, theintersection and union of (M,P )-normal sublanguages are (M,P )-normal. 2

From Proposition 7 it follows by the usual argument that the language

supN(E;M)

6.1 305

exists in N(E;M): that is, any language E contains a unique supremal(M,P )-normal sublanguage, the ‘optimal’ (M,P )-normal approximation toE from below.

Exercise 8: With [s] as in Exercise 6, show that

supN(E;M) =∪

[s] ∩M |[s] ∩M ⊆ E

Illustrate with a sketch.

In supervisory control the two most important classes of (M,P )-normallanguages result from setting M = Lm(G) or M = L(G) respectively. Asimple relation between them is the following.

Proposition 9Assume that G is trim (in particular Lm(G) = L(G)), N ⊆ Lm(G) is

(Lm(G), P )-normal, and the languages Lm(G), P−1PN are nonconflicting.Then N is (L(G), P )-normal. 2

Again in connection with supervisory control the following result will findapplication later.

Proposition 10Let E ⊆ Lm(G). The class of languages

N(E;L(G)) = N ⊆ E|N is (L(G), P )-normal

is nonempty and closed under arbitrary unions. 2

As before, from Proposition 10 we infer that the language

sup N(E;L(G))

exists in N(E;L(G)).Examples show that in general the supremal (L(G), P )-normal sublan-

guage of a closed language need not be closed. However, we have the follow-ing more detailed result, which states that if C ⊆ L(G) is closed, N is thesupremal (L(G), P )-normal sublanguage of C, and B is the supremal closedsublanguage of N , then in fact B is the supremal sublanguage of C whoseclosure is (L(G), P )-normal.

306 CHAPTER 6

Proposition 11 (Feng Lin)Let C ⊆ L(G) be closed. Then

sup N(C;L(G)) = supF(supN(C;L(G)))

ProofIn the proof write ‘normal’ for ‘(L(G), P )-normal’, N := supN(C;L(G)),

B := supF(N), B := L(G) ∩ P−1(PB). Clearly B is closed and normal.Since B ⊆ N and N is normal,

B ⊆ L(G) ∩ P−1(PN) = N

Therefore B ⊆ B. But automatically B ⊇ B (since B ⊆ L(G)), so B = B,i.e. B is normal. Let D := sup N(C;L(G)). Now B ⊆ C and B = B isnormal, so B ⊆ D. Also D ⊆ C = C and D normal imply D ⊆ N , and thenD closed implies that D ⊆ B, so D ⊆ B. That is, D = B, as claimed. 2

For supN(E;M) with E ⊆M but E,M otherwise arbitrary, we have thefollowing explicit description.

Proposition 12 (Lin-Brandt formula)1

Let E ⊆M . Then

supN(E;M) = E − P−1P (M − E)

ProofIn the proof write ‘normal’ for ‘(M,P )-normal’, S := P−1P (M −E) and

N := E − S. To see that N is normal, suppose

u ∈M, Pu ∈ PN

For some v ∈ N , Pu = Pv. We claim u ∈ S: otherwise, there existst ∈ M − E with Pu = Pt, so Pv = Pt, i.e. v ∈ S, a contradiction. We alsoclaim that u ∈ E: otherwise u ∈M−E and therefore u ∈ S, a contradiction.Thus u ∈ E − S = N , namely

M ∩ P−1PN ⊆ N

1So-called here for brevity: see [J15].

6.1 307

hence N is normal. Now let K ⊆ E be normal. We claim that K ⊆ N :otherwise there is s ∈ K (so s ∈ E) with s ∈ S, and so there is t ∈ M − Ewith Ps = Pt, i.e. Pt ∈ PK. But t ∈ M and t ∈ P−1PK, so by normalityt ∈ K, a contradiction to K ⊆ E. 2

An implementation of the Lin-Brandt formula is available in TCT:

N = supnorm(M,E,null/image(P ))

Here E, M are representative DES for E and M , with E arbitrary. Then Nrepresents sup N(E∩M ;M); thus the user need not arrange in advance thatE ⊆M . Like project, supnorm is computationally expensive.

Exercise 13: Illustrate the Lin-Brandt formula with a sketch showing Σ∗

partitioned by ker P , along with sublanguages E ⊆ M ⊆ Σ∗. In light ofExercises 6 and 8, the formula should now be ‘obvious’; clearly it is valid forsets and functions in general.

As the last topic of this section we introduce the following related propertythat is sometimes useful. Let R ⊆ Σ∗. Say that R is (L(G), P )-paranormalif

R(Σ− Σo) ∩ L(G) ⊆ R

Thus R is (L(G), P )-paranormal if the occurrence of an unobservable eventnever results in exit from the closure of R. By analogy with controllabilityit is clear, for instance, that the class of (L(G), P )-paranormal sublanguagesof an arbitrary sublanguage of Σ∗ is nonempty, closed under union (but notnecessarily intersection), and contains a (unique) supremal element.

Proposition 14If the closure of R is (L(G), P )-normal, then R is (L(G), P )-paranormal.

2

The converse of Proposition 14 is false: an (L(G), P )-paranormal sub-language of L(G), closed or not, need not be (L(G), P )-normal. However,the result can be useful in showing that a given closed language R is not(L(G), P )-normal, by showing that an unobservable event may cause escapefrom R.

To illustrate these ideas we consider three examples.

308 CHAPTER 6

Example 15Let Σ = α, β, Σo = α, L(G) = ϵ, α, β, C = ϵ, α. Then C is

closed and PC = C. However

L(G) ∩ P−1(PC) = ϵ, α, β = L(G) ⫌ C

and C is not (L(G), P )-normal. C is not (L(G), P )-paranormal either:

C(Σ− Σo) ∩ L(G) = Cβ ∩ L(G) = β, αβ ∩ ϵ, α, β = β ⊆ C

namely the unobservable event β catenated with the string ϵ ∈ C results inescape from C. On the other hand, for the sublanguage A := α,

L(G) ∩ P−1Pα = L(G) ∩ β∗αβ∗ = α = A

so that A is (L(G), P )-normal, and therefore A = supN(C;L(G)). It canbe checked that supN(C;L(G)) is correctly calculated by the Lin-Brandtformula (Proposition 12). Note also that A = C, showing that the supremal(L(G), P )-normal sublanguage of a closed language need not be closed; here,in fact, sup N(C;L(G)) = ∅, in agreement with Proposition 11.

Now let B := α, β. Whereas B is (L(G), P )-paranormal, we have

L(G) ∩ P−1(PB) = L(G) ∩ P−1α, ϵ = L(G) ⫌ B

so B is not (L(G), P )-normal.

Example 16As another example let Σ = α, β, γ, Σo = γ,

L(G) = ϵ, α, αγ, αγγ, β, βγ, βγγ = (α + β)γ2

C = ϵ, α, αγ, β, βγ, βγγ = (α + βγ)γ

ThenL(G) ∩ P−1P (C) = L(G) ⫌ C

so C is not (L(G), P )-normal; in fact Lin-Brandt yields

supN(C;L(G)) = ϵ, α, β, αγ, βγ = (α + β)γ

so in this case sup N(C;L(G)) and supN(C;L(G)) coincide. On the otherhand C is (L(G), P )-paranormal, since the occurrence of unobservable eventsα or β does preserve membership in C.

6.1 309

Example 17Let Σ = α, β, Σo = α, L(G) = ϵ, α, β, βα, A = βα. Then A is

(L(G), P )-paranormal:

A(Σ− Σo) ∩ L(G) = ϵ, β, βαβ ∩ L(G) = β ⊆ A

However, the closure A is not (L(G), P )-normal, because

L(G) ∩ P−1(PA) = ϵ, α, β, βα ⫌ A

Exercise 18: With Σo ⊆ Σ, let P : Σ∗ → Σ∗o be the natural projection, and

let A ⊆ Σ∗, B ⊆ Σ∗o. Show that

PA = PA, P−1B = P−1B

Exercise 19: Supply proofs of Propositions 7, 9, 10 and 14.

Exercise 20: Show by example that N(E;L(G)) is not in general closedunder intersection.

Exercise 21: Does there exist a language A that is normal but not para-normal? If so, what can be said about A?

Exercise 22: Show that, with E ⊆M ,

P supN(E;M) = PE − P (M − E)

Exercise 23: With L ⊆ Σ∗ write

F(L) := H ⊆ L|H = H

for the family of closed sublanguages of L, and letM be its supremal element:

M := supF(L)

= s ∈ L|s ⊆ L

Prove the inductive rulesM = ∅ ⇔ ϵ ∈ L

310 CHAPTER 6

(∀s ∈ Σ∗)(∀σ ∈ Σ)sσ ∈M ⇔ s ∈M & sσ ∈ L

Referring to Section 2.8, show that M ⊢ L, but in general Ner(M) ≱Ner(L). More generally, suppose λ is a right congruence on Σ∗ with Ner(L) ≥λ. Show that µ ∧ λ is a right congruence and Ner(M) ≥ µ ∧ λ, where

µ = M,Σ∗ −M ∈ E(Σ∗)

Show also thatM = L− (Σ∗ − L)Σ∗

In particular, L is closed iff

L ∩ (Σ∗ − L)Σ∗ = ∅

For i = 1, 2 let Li ⊆ Σ∗i . We say that L1, L2 are synchronously noncon-

flicting over (Σ1 ∪ Σ2)∗ if

L1 ∥ L2 = L1 ∥ L2

Let Pi : (Σ1 ∪ Σ2)∗ → Σ∗

i (i = 1, 2) be the natural projections. By Exer-

cise 18, P−1i Li = P−1

i Li (i = 1, 2), so L1, L2 are synchronously nonconflictingover (Σ1∪Σ2)

∗ iff P−11 L1, P

−12 L2 ⊆ (Σ1∪Σ2)

∗ are nonconflicting in the usualsense (Section 3.6).

Exercise 24: (Lei Feng) For i = 1, 2 let Li ⊆ Σ∗i . Also let Σ1 ∩ Σ2 ⊆ Σo ⊆

Σ1 ∪Σ2, and Po : (Σ1 ∪Σ2)∗ −→ Σ∗

o be the natural projection. Call Po an Li

– observer if

(∀t ∈ PoLi)(∀s ∈ Li)Pos ≤ t ⇒ (∃u ∈ Σ∗i )su ∈ Li & Po(su) = t

In other words, whenever Pos can be extended to a string t ∈ PoLi, theunderlying string s ∈ Li can be extended to a string su ∈ Li with the sameprojection. Assume that Po is an Li-observer (i = 1, 2) and that

PoL1 ⊆ (Σo ∩ Σ1)∗, PoL2 ⊆ (Σo ∩ Σ2)

∗

are synchronously nonconflicting over Σ∗o. Show that L1, L2 are synchronously

nonconflicting over (Σ1 ∪Σ2)∗. Specialize to each of the cases Σ1 = Σ2,Σo =

Σ1 ∩ Σ2, and Σ1 ∩ Σ2 = ∅. Hint: Make use of Exercise 3.3.8.

6.1 311

Exercise 25: With reference to Exercises 6 and 8, write N := supN(E;M);and [s] for the cell of s (mod kerP ), namely [s] = s′ ∈ Σ∗|Ps′ = Ps. Recallthat

N =∪

[s] ∩M |s ∈ Σ∗, [s] ∩M ⊆ E

Let µ = Ner(M), η = Ner(E) be the Nerode equivalence relations for M,Erespectively, and write

Pµ : Σ∗ → Σ∗/µ, Pη : Σ∗ → Σ∗/η

for the corresponding canonical projections. Define

f : Σ∗ → Pwr(Σ∗/µ× Σ∗/η)

according to

f(s) := (Pµ × Pη)[s] = (Pµs′, Pηs

′)|s′ ∈ [s]

Show that ℘(µ ∧ η) := ker f is a right congruence on Σ∗ and that

Ner(N) ≥ µ ∧ ℘(µ ∧ η) (6.1)

From this conclude that

∥N∥ ≤ ∥M∥ · 2∥M∥·∥E∥

Finally sharpen (6.1) as follows. Define

f(·; M) : Σ∗ → Pwr(Σ∗/µ ∧ η)

according tof(s; M) := (Pµ(s

′), Pη(s′))|s′ ∈ [s] ∩ M

and let ℘(µ ∧ η; M) := ker f(·, M). Show that

Ner(N) ≥ µ ∧ ℘(µ ∧ η; M)

Hint: First note that P is a congruence of catenation:

[sw] = [s][w] := s′w′|s′ ∈ [s], w′ ∈ [w]

Thusf(sw) = (Pµ(s

′w′), Pη(s′w′))|s′ ∈ [s], w′ ∈ [w]

312 CHAPTER 6

If f(s2) = f(s1) then for every pair

(Pµ(s′2), Pη(s

′2)) ∈ f(s2)

there is an identical pair

(Pµ(s′1), Pη(s

′1)) ∈ f(s1)

Since µ, η are right congruences

Pµ(s′2w

′) = Pµ(s′1w

′), Pη(s′2w

′) = Pη(s′1w

′)

so(Pµ(s

′2w

′), Pη(s′2w

′)) ∈ f(s1w)

i.e. f(s2w) ⊆ f(s1w). Similarly f(s1w) ⊆ f(s2w) and thus ker f is a rightcongruence.

Write π := µ∧ker f . Then π is a right congruence, and it suffices to showπ ≤ N,Σ∗ − N. Let s1 ≡ s2(mod π) and s1 ∈ N , so that [s1] ∩M ⊆ E.Since N ⊆M and s2 ≡ s1(mod µ), we have s2 ∈M , and it remains to showthat [s2] ∩M ⊆ E. Let s′2 ∈ [s2] ∩M . Using the fact that f(s2) ⊆ f(s1),note that there is s′1 ∈ [s1] with

Pµs′2 = Pµs

′1, Pηs

′2 = Pηs

′1

So s′2 ∈M implies s′1 ∈M , hence s′1 ∈ E, and in turn s′2 ∈ E, as required.

Exercise 26: Let N ⊆ Σ∗ and suppose ν is a right congruence on Σ∗, withPν : Σ∗ → Σ∗/ν. Let t ∈ Σ∗ and define

K = s ∈ N |(∀u ≤ s)u ≡ t(mod ν)

Thus K is the sublanguage of N whose strings never visit the ν-cell of t.Show that K = K ∩N . Define T ⊆ Σ∗/ν according to

T := Pν(sσ)|s ∈ K, σ ∈ Σ, sσ /∈ K

and verify

(∀s ∈ Σ∗)(∀σ ∈ Σ)sσ ∈ K ⇔ s ∈ K & Pν(sσ) /∈ T

Show next thatNer(K) ≥ κ ∧ ν

6.1 313

where κ = K,Σ∗ − K. Conclude that

Ner(K) ≥ κ ∧ ν ∧ Ner(N)

Exercise 27: Let M,E ⊆ Σ∗,Σo ⊆ Σ, and let P : Σ∗ → Σ∗o be the natural

projection. Consider a chain

Σ∗ ⊇ K0 ⊇ N0 ⊇ K1 ⊇ N1 ⊇ · · ·

where K0 = E,N0 = supN(K0;M), and for j ≥ 1,

Kj = Kj ∩Nj−1, Nj = supN(Kj;M)

Let [s] denote the cell of s (mod kerP ). Show by induction on j that

Nj =∪

[s] ∩M |s ∈ Σ∗, [s] ∩M ⊆ Kj ∩ E, j ≥ 0

Write µ := Ner(M), η := Ner(E), and κj := Kj,Σ∗−Kj. Assuming further

Ner(Kj) ≥ κj ∧ µ ∧ η ∧ ℘(µ ∧ η), j ≥ 1

show thatNer(Nj) ≥ µ ∧ ℘(κj ∧ µ ∧ η), j ≥ 1

Conclude that the chain is finitely convergent, say to a limit N , where

∥N∥ ≤ ∥M∥ · 2∥M∥·(∥E∥+1)

Hint: For the latter estimate justify the replacement of η, in the inequalityfor Ner(N), by the reduction of η with respect to K (for ‘reduction’ seeExercise 3).

Exercise 28: Let

K := sup N(E;L(G))

:= supF ⊆ E|F is (L(G), P )− normal

Define the operator T : Pwr(Σ∗) → Pwr(Σ∗) according to

T (J) = J ∩ supF(supN(J ;L(G))), J ⊆ Σ∗

314 CHAPTER 6

Set K0 := E,Kj := T (Kj−1), j ⩾ 1. Show that, provided E and L(G)are regular, the chain K0 ⊇ K1 ⊇ K2 ⊇ · · · is finitely convergent to K.Furthermore

∥K∥ = O(∥L(G)∥ · ∥E∥ · 2∥L(G)∥·∥E∥)

Hint: Let µ = Ner(L(G)), η = Ner(E), and for j ≥ 0,

Nj := supN(Kj;L(G))

Fj := supF(Nj)

So

Kj+1 = Kj ∩ Fj

Show that the sequences Nj, Fj, Kj are descending chains; and bythe results of Exercises 23 and 25,

Ner(Fj) ≥ φj ∧ µ ∧ ℘(φj−1 ∧ · · · ∧ φ0 ∧ µ ∧ η)where φj = Fj,Σ

∗ − Fj. Noting that, for all j ≥ 0,

Fj =∪

[s] ∩ L(G)|s ∈ Σ∗, (∀t ≤ s)[t] ∩ L(G) ⊆ Kj

show that

s ∈ Fj, s′ ∈ [s] ∩ L(G) ⇒ s′ ∈ Fj

from which there follows

Ner(Fj) ≥ φj ∧ µ ∧ ℘(µ ∧ η)where the right-hand side is a right congruence. It follows that

Ner(Kj+1) ≥ φj ∧ µ ∧ η ∧ ℘(µ ∧ η)with the right-hand side a right congruence. This yields the asserted bound,together with the finite convergence of Kj to a limit, say K. Confirm by

induction on j that K = K.

Exercise 29: Let K ⊆ M ⊆ Σ∗,Σ = Σc∪Σu,Σo ⊆ Σ∗, and let P : Σ∗ → Σ∗o

be the natural projection. Suppose PK is controllable with respect to PM ,namely

(PK)(PΣu) ∩ PM ⊆ PK

Show that if K is (M, P )-normal then K is controllable with respect to M ,namely

KΣu ∩ M ⊆ K

6.2 315

6.2 Observable and Relatively Observable Lan-

guages

Let G = ( ,Σ, , , ) be a DES over alphabet Σ. In order to define observ-ability, it is convenient to associate with each string s ∈ Σ∗ two distinguishedsubsets of events, as follows. LetK ⊆ Σ∗ be arbitrary. Define the active eventset

AK(s) =

σ ∈ Σ|sσ ∈ K, s ∈ K∅ otherwise

and the inactive event set

IAK(s) =

σ ∈ Σ|sσ ∈ L(G)− K, s ∈ K∅ otherwise

Thus AK(s) consists of just those events whose occurrence following a prefixs of K preserves the prefix property; while events in IAK(s) could occurin G, but destroy the prefix property. Next we define the binary relationK-active on Σ∗, denoted by actK , according to: (s, s′) ∈ actK iff

(i) AK(s) ∩ IAK(s′) = ∅ = AK(s

′) ∩ IAK(s), and

(ii) s ∈ K ∩ Lm(G) & s′ ∈ K ∩ Lm(G) ⇒ (s ∈ K ⇔ s′ ∈ K)

Equivalently, for all s, s′ ∈ Σ∗, (s, s′) ∈ actK if and only if

(i′) (∀σ ∈ Σ)sσ ∈ K & s′ ∈ K & s′σ ∈ L(G) ⇒ s′σ ∈ K, and

(ii′) s ∈ K ∩ Lm(G) & s′ ∈ K ∩ Lm(G) ⇒ s′ ∈ K, and

(iii′) conditions (i′) and (ii′) hold with s and s′ interchanged.

Note that a pair (s, s′) ∈ actK if either of s or s′ does not belong to K,because if s ∈ K then AK(s) = IAK(s) = ∅. Otherwise (the nontrivial case)membership of a pair of strings (s, s′) in actK means, roughly, that prefixes sand s′ of K have identical one-step continuations with respect to membershipin K; and, if each is in Lm(G) and one actually belongs to K, then so doesthe other. It should be noted that actK is a tolerance relation on Σ∗, namelyit is reflexive and symmetric but need not be transitive. Notice finally thatif K is closed, or Lm(G)-closed, then conditions (ii) and (ii′) are satisfiedautomatically and may be dropped.

316 CHAPTER 6

β

α

G

λ µ

α

Example 1Let Σ = α, β, λ, µ, Σo = α, β,

L(G) = λα + µ(α + β), K = λα + µβ

Then, for instance

AK(ϵ) = λ, µ, IAK(ϵ) = ∅AK(λ) = α, IAK(λ) = ∅AK(µ) = β, IAK(µ) = α

So the string pairs (ϵ, λ), (ϵ, µ) ∈ actK , but (λ, µ) ∈ actK . Suppose

Lm(G) = ϵ+ λ(ϵ+ α) + µ(α + β), J = ϵ+ λα + µβ

Then J = K but J is not even Lm(G)-closed, since

λ ∈ J ∩ Lm(G), λ ∈ J

Now ϵ ∈ J ∩ Lm(G) and λ ∈ J ∩ Lm(G), but λ ∈ J , so in this case (ϵ, λ) ∈actJ .

We can now frame the definition desired. With Σo ⊆ Σ and P : Σ∗ →Σ∗

o as before, say that a language K ⊆ Σ∗ is (G, P )-observable, or simplyobservable, if

kerP ≤ actK

6.2 317

Explicitly, on substituting the definitions of kerP and actK , we see thatK ⊆ Σ∗ is (G, P )–observable provided

(i′′)(∀s, s′ ∈ Σ∗)(∀σ ∈ Σ)sσ ∈ K & s′ ∈ K & s′σ ∈ L(G) & Ps′ = Ps ⇒ s′σ ∈ K

(ii′′)(∀s, s′ ∈ Σ∗)s ∈ K∩Lm(G) & s′ ∈ K∩Lm(G) & Ps′ = Ps ⇒ s′ ∈ K∩Lm(G)

Thus observability declares that the equivalence relation ker P refines actK ,namely that P preserves at least the information required to decide consis-tently the question of continuing membership of a string sσ in K after thehypothetical occurrence of an event σ, as well as to decide membership of sin K when membership in K ∩ Lm(G) happens to be known. If two strings‘look the same’ (have the same projections), then a decision rule that appliesto one can be used for the other. By contrast, if K is not (G, P )-observable,then an event (observable or not) may have different consequences for look-alike strings. For example, in case K ⊆ L(G) is closed, there would exists, s′ ∈ K with Ps = Ps′, and σ ∈ Σ, such that sσ ∈ K but s′σ ∈ L(G)−K.Nevertheless, observability does not preclude the existence of s ∈ K andσ ∈ Σ− Σo (hence Ps = P (sσ)) such that sσ ∈ L(G)−K : see the remarkfollowing Example 7.

In the transition graph for Example 1, the nodes are grouped to displayker P . Since

Pϵ = Pλ = Pµ

neither J nor K is observable.

Exercise 2: Show that the main condition that K be (G, P )-observable(from (i′′) above) can be written

(∀s′)(∀σ)s′ ∈ K & s′σ ∈ L(G) & [(∃s)sσ ∈ K & Ps = Ps′] ⇒ s′σ ∈ K

Roughly, the test for s′σ ∈ K is the existence of at least one look-alike s suchthat sσ ∈ K. Hint: Use the predicate logic tautology

(∀x, y)P (y) & Q(x, y) ⇒ R(y) ≡ (∀y)P (y) & [(∃x)Q(x, y)] ⇒ R(y)

Exercise 3: The main condition that K be (G, P ) observable, i.e. either(i), or (i′) and (iii′), or (i′′) above, can be displayed as follows. For brevityof notation write L(G) = L and assume K = K. For σ ∈ Σ let catσ : Σ∗ →Σ∗ : s 7→ sσ and define

Kσ := K ∩ cat−1σ (L)

318 CHAPTER 6

Thus Kσ ⊆ L since L is closed. Also let catσ : Σ∗o → Σ∗

o according to

s 7→ sσ if σ ∈ Σo, s 7→ s if σ /∈ Σo

Let ρK : L → 0, 1 with ρK(s) = 1 iff s ∈ K. For each σ ∈ Σ consider thediagram.

Kσ

P (Kσ)

catσ

P P

catσ(Kσ)

catσP (Kσ)catσ

0, 1

ρK

ρσ

The square always commutes, by definition. Show that ρσ exists for eachσ ∈ Σ, and makes the right side of the diagram commute, iff kerP ≤ actK . Inother words observability means that for every σ ∈ Σ, the ‘decision function’ρK |catσ(Kσ) for membership in K factors through P |catσ(Kσ).

Of some interest in practice is a condition intermediate between observ-ability and normality. We first recall from Section 2.2 the definition of Nerodeequivalence: if H ⊆ T ∗ then strings t, t′ ∈ T ∗ are Nerode-equivalent with re-spect to H, written t ≡ t′(mod H) if, for all v ∈ T ∗, tv ∈ H iff t′v ∈ H.This means that t, t′ lead to the same state of a canonical recognizer for H.Now let K ⊆ Σ∗. We say that K is strongly (G, P )–observable provided thefollowing hold:

(i′′′)(∀s, s′ ∈ Σ∗)(∀σ ∈ Σ)sσ ∈ K & s′ ∈ K & s′σ ∈ L(G)

& Ps′ ≡ Ps(mod PK) ⇒ s′σ ∈ K

(ii′′′)(∀s, s′ ∈ Σ∗)s ∈ K ∩ Lm(G) & s′ ∈ K ∩ Lm(G)

& Ps′ ≡ Ps(mod PK) ⇒ s′ ∈ K

Here conditions (i′′′) and (ii′′′) agree with (i′′) and (ii′′) above, except for thecrucial replacement of the condition Ps′ = Ps by the much weaker conditionPs′ ≡ Ps(mod PK). The practical consequence is that a correct decisionas to whether s′σ ∈ K in condition (i′′′), or s′ ∈ K in condition (ii′′′), can

6.2 319

be based on the ‘current’ state reached by the observed string Ps′ in anytransition structure for PK, for instance a canonical recognizer: no furtherinformation about the past history of Ps′ is necessary.

Exercise 4: Define the equivalence relation (≡ (mod PK)) P on Σ∗ ac-cording to

s ≡ s′(mod (≡ (mod PK)) P )

just in case Ps ≡ Ps′(mod PK). Show that K is strongly (G, P )–observableiff

(≡ (mod PK)) P ≤ actK

This order relation succinctly compares strong observability with the conciseform of the observability definition, kerP ≤ actK .

It is clear that observability is implied by strong observability. Our nextresult shows that, under mild restrictions on marking, strong observability isimplied in turn by normality.

Proposition 5Assume that either K ⊆ L(G) and K is closed, or K ⊆ Lm(G) and

K is Lm(G)-closed. If K is (L(G), P )-normal then K is strongly (G, P )-observable. 2

The converse statement is false.

Example 6: Strong observability does not imply normalityLet Σ = α, β,Σo = α, so Pα = α and Pβ = ϵ. Let G,K be as

displayed.

α

α

Kβ

α

G

Taking K = Lm(K) we have PK = K = α∗. Therefore K is closed, but

L(G) ∩ P−1PK = L(G) ∩ Σ∗ = L(G) ⫌ K

320 CHAPTER 6

so K is not (L(G), P )–normal. To see that K is strongly observable notethat sσ ∈ K = K implies σ = α, and then s′ ∈ K implies s′α ∈ K asrequired by (i′′′). Of course (ii′′′) holds since K is closed.

Example 7: Observability does not imply strong observabilityLet Σ = α1, α2, β1, β2, β3, Σo = α1, α2, so Pαi = αi and Pβj = ϵ.

Let G,K be as displayed, with all states marked, so K = Lm(K) is closed.

K

β1 β1

α2

α1

α2

β2α1

β3β2

α2

β1α1

β2α1β1

β3

β3

β3 α2

G

Thus PK is represented by PK as shown:

PK

α1

α2

Lets = α1β1, s

′ = α2β3, σ = β2

Then

sσ = α1β1β2 ∈ K, s′ ∈ K, s′σ = α2β3β2 ∈ L(G)

Ps = α1, Ps′ = α2, Ps

′ ≡ Ps(mod PK)

As s′σ ∈ L(G) − K, K is not strongly observable. However, by inspectingthe groups of strings s ∈ L(G) with Ps = ϵ, Ps = α1, Ps = α2 respectively,the reader may confirm that K is observable.

From the viewpoint of an observing agent, the essential difference betweena (G, P )-observable language and a closed (L(G), P )-normal language is thatwith a normal language one can always tell, by watching the projection Psof an evolving string s, if and when the string exits from the language; butwith an observable language in general this is not the case. For instance in

6.2 321

Example 6, the occurrence of β would represent an unobservable exit fromK. As we shall see in Section 6.5 (Propositions 6.5.4, 6.5.6) this differencebetween observability and normality has the following implication for super-visory control. Suppose the (closed, controllable) language to be synthesizedis normal. Then no unobservable event will cause a string to exit, in par-ticular no controllable unobservable event. Thus no such event will ever bedisabled by the supervisor.

Exercise 8: Formalize (i.e. provide a rigorous version of) the precedingstatement, and supply a proof.

Exercise 9: Prove Proposition 5.

Exercise 10: As a variation on Proposition 5, show that K is strongly(G, P )–observable if K is (Lm(G), P )–normal and K is (L(G), P )–normal.

The following is a partial converse to Proposition 5.

Proposition 11Let K ⊆ Lm(G) be G-controllable and (G, P )-observable. Assume that

Pσ = σ for all σ ∈ Σc. Then K is (Lm(G), P )-normal and K is (L(G), P )-normal. 2

Exercise 12: Prove Proposition 11, under the weaker assumption that Pσ =σ for all σ ∈ Σc such that σ is actually disabled by a supervisor synthesizingK. Hint: Use structural induction on strings.

Exercise 13: Checking observability by ‘observation consistency’Let

G = (Q,Σ, δ, q0, Qm)

K = (X,Σ, ξ, x0, Xm)

be DES generators over the alphabet Σ, representing languages L,K ⊆ Σ∗

respectively; i.e. L = Lm(G), L = L(G), K = Lm(K), K = L(K). ForΣo ⊆ Σ let P : Σ∗ → Σ∗

o be the natural projection. Whether or not K is(G, P )-observable may in principle be checked as follows. For every s ∈ Σ∗

compute the set of all state pairs reached by look-alike strings s′, namely

T (s) := (δ(q0, s′), ξ(x0, s′))|Ps′ = Ps, δ(q0, s′)!, ξ(x0, s

′)!⊆ Q×X

322 CHAPTER 6

and write T := T (s)|s ∈ Σ∗, T (s) = ∅. The family T of subsets T can becomputed in exponential time inasmuch as |T| ≤ 2|Q|·|X|. Now say T ∈ T isobservation-consistent (o.c.) if

(∀(q, x), (q′, x′) ∈ T )((∀σ ∈ Σ)[δ(q′, σ)! & ξ(x, σ)! ⇒ ξ(x′, σ)!]

& [q ∈ Qm & q′ ∈ Qm & x ∈ Xm ⇒ x′ ∈ Xm])

Show that K is (G, P )-observable iff T is o.c. for every T ∈ T. Providesimple examples to illustrate both outcomes.

In TCT observability (resp. strong observability) can be checked by theprocedure (s)observ.

Exercise 14: Uncertainty setsLetG = (Q,Σ, δ, q0, Qm) be a recognizer forK := Lm(G), so the function

δ : Q × Σ → Q is total. Let Σo ⊆ Σ and P : Σ∗ → Σ∗o be the natural

projection. For s ∈ Σ∗, observation of Ps alone results in uncertainty as tothe state of G given by the uncertainty set

U(s) := δ(q0, s′)|Ps′ = Ps, s′ ∈ Σ∗ ⊆ Q

We can use the uncertainty sets to obtain a recognizer for the projectedlanguage PK, as follows. First note that, with U : Σ∗ → Pwr(Q), kerU ∈E(Σ∗) is a right congruence on Σ∗, namely if s1, s2 ∈ Σ∗ and U(s1) = U(s2)then for all w ∈ Σ∗ we have U(s1w) = U(s2w). Let PU : Σ∗ → Σ∗/ kerU bethe corresponding canonical projection, as displayed below.

Pwr(Q)

Σ∗/ kerUPU

Σ∗

U

Here the (injective) dashed arrow identifies each cell of kerU with an uncer-tainty subset of Q. Now define µ ∈ E(PΣ∗) according to s1 ≡ s2(mod µ)(where si = Psi) if and only if U(s1) = U(s2). Check that µ is well-defined,

6.2 323

and is a right congruence on PΣ∗ that is finer than the binary partitionPK,PΣ∗ − PK. Let Pµ : PΣ∗ → PΣ∗/µ. With the help of µ and Pµ ver-ify that there exist unique maps δ, h and η such that the following diagramcommutes.

h

cat

δ

η

Σ∗/ kerU × PΣ

∗

PU

Σ∗/ kerU

PΣ∗/µ

Σ∗

h× id

PU × P

PΣ∗/µ× PΣ

∗

Σ∗× Σ

∗

Fig. 6.1

Here δ is defined by PU cat = δ (PU × P ), h by Pµ P = h PU , and ηby h δ = η (h × id). As h is bijective (verify!) we obtain for PK theequivalent (isomorphic) recognizers

(PUΣ∗,Σo, δ, PU(ϵ), PUK)

and

(Pµ(PΣ∗),Σo, η, Pµ(ϵ), Pµ(PK))

In general these are not canonical (i.e. minimal-state), even if G is canonicalfor K. Nevertheless they provide a ‘universal’ basis for supervisor design, asexplained in Example 6.3.4 below.

In this representation of PK show that a state PU(s) ∈ Σ∗/ kerU ismarked if and only if q is marked for some state q ∈ U(s).

Generalize the above discussion when G is a generator and δ : Q×Σ → Qis a partial function. Then work out details for the example displayed below.

324 CHAPTER 6

Assume all states are marked, Σ = 0, 1, 2, and Σo = 0.

G

0

0

00, 1

2

1 0

To conclude this section we briefly introduce the concept of relative ob-servability, which will prove to be an effective alternative to (standard) ob-servability as hitherto defined. With relative observability a fixed, ambientlanguage is given (or selected by the designer), relative to which the stan-dard observability property is tested. Relative observability is stronger thanobservability, but enjoys the important property that it is preserved un-der sublanguage union; hence there exists the supremal relatively observablesublanguage of a given (say, specification) language. Relative observabilityis weaker than normality and, unlike normality in the control context (Sec-tion 6.5, below), places no constraint on the disablement of unobservablecontrollable events.

Relative observability is formally defined as follows. Given a (plant) DESG as usual, with alphabet Σ, fix a sublanguage C ⊆ Lm(G): its closureC ⊆ L(G) will be called the ambient language. Fix Σo ⊆ Σ as observablesubalphabet, and let P : Σ∗ → Σ∗

o be the natural projection. Consider asublanguage K ⊆ C. We say that K is relatively observable with respect toC, G, and P , or simply C-observable, if the following hold:

(i) (∀s, s′ ∈ Σ∗)(∀σ ∈ Σ)sσ ∈ K & s′ ∈ C & s′σ ∈ L(G)

& Ps′ = Ps⇒ s′σ ∈ K

6.2 325

(ii) (∀s, s′ ∈ Σ∗)s ∈ K & s′ ∈ C ∩ Lm(G) & Ps′ = Ps⇒ s′ ∈ K

Note that a pair of look-alike strings (s, s′) trivially satisfies (i) and (ii) ifeither s or s′ does not belong to C. For a look-alike pair (s, s′) both inC, relative observability requires that (i) s and s′ have identical one-stepcontinuations, if allowed in L(G), with respect to membership in K; and (ii)if each string is in Lm(G) and one actually belongs to K, then so does theother.

In the special case C = K the definition above becomes that of observ-ability of K as given at the beginning of this section. This implies that ifK is C-observable then K is also observable. Examples show, however, thatthe reverse statement need not be true. Thus the set of C-observable sub-languages of C is in general a proper subset of the observable sublanguagesof C.

We can now state our main results.

Proposition 15: Closure of relative observability under unionLet Ki ⊆ C, i ∈ I (some index set), be C-observable. Then

K :=∪

Ki|i ∈ I

is also C-observable.

Now let K ⊆ C be an arbitrary sublanguage of C, and write O(K) forthe family of C-observable sublanguages of K. Trivially the empty language∅ is a member of O(K).

Proposition 16: Existence of the supremal C-observable sublan-guage

The family O(K) is nonempty and contains a unique supremal element,namely

supO(K) :=∪

K ′|K ′ ∈ O(K)

Exercise 17: Prove Propositions 15 and 16.

In TCT, a representation of supO(K) can be computed by the procedure

KSUP := suprobs(G, K, null(P)/image(P))

326 CHAPTER 6

where K represents the language K. In suprobs the ambient language Cis taken to be K. In computations it can (and should) be verified by use ofTCT (s)observ that Lm(KSUP) is indeed actually observable.

It is not difficult to show that relative observability is weaker than nor-mality. More precisely, we have

Proposition 18: Relative observability is weaker than normalityLet K ⊆ C be (Lm(G), P )-normal, and suppose K is (L(G), P )-normal.

Then K is C-observable.

Exercise 19: Prove Proposition 18. Provide an example where K is C-observable but K is not (L(G), P )-normal.

6.3 Feasible Supervisory Control

We now introduce the concept of supervisory control, proceeding just as inSection 3.4, except for taking into account the constraint that control mustbe based purely on the result of observing the strings generated byG throughthe channel C, namely on information transmitted by P : Σ∗ → Σ∗

o. With

G = ( ,Σ, , , ), Σ = Σc∪Σu

as usual, define as before the set of all control patterns

Γ = γ ∈ Pwr(Σ)|γ ⊇ Σu

A feasible supervisory control for G is any map V : L(G) → Γ such that

ker(P |L(G)) ≤ kerV

Here P |L(G) denotes the restriction of P to L(G). As before we write V/Gto suggest ‘G under the supervision of V ’. The closed behavior L(V/G) andmarked behavior Lm(V/G) are defined exactly as in Section 3.4, as is theproperty that V is nonblocking for G. Our first main result is the expectedgeneralization of Theorem 3.4.3.

Theorem 1Let K ⊆ Lm(G), K = ∅. There exists a nonblocking feasible supervisory

control V for G such that Lm(V/G) = K if and only if

6.3 327

(i) K is controllable with respect to G, and

(ii) K is observable with respect to (G, P ), and

(iii) K is Lm(G)-closed.

Proof(If) The proof follows the same lines as that of Theorem 3.4.3, but ex-

tended to ensure the feasibility property. First bring in the function

Q : K → Pwr(Σ)

according to

Q(s) := σ ∈ Σ|(∀s′ ∈ K)Ps′ = Ps & s′σ ∈ L(G) ⇒ s′σ ∈ K

Now define V : L(G) → Γ as follows. If s ∈ K then

V (s) := Σu ∪ (Σc ∩Q(s))

while if s ∈ L(G)− K and Ps = Pv for some v ∈ K, let

V (s) := V (v)

V (s) is well-defined in the latter case, for if also Ps = Pw with w ∈ K thenPv = Pw, hence by definition of Q, Q(v) = Q(w), so V (v) = V (w). Finallyif s ∈ L(G)− K and there is no v ∈ K such that Ps = Pv then let

V (s) := Σu

Next we show that V is feasible, namely ker(P |L(G)) ≤ ker V . Lets1, s2 ∈ L(G), Ps1 = Ps2. We consider the three cases (i) s1, s2 ∈ K, (ii)s1 ∈ K, s2 ∈ L(G) − K, and (iii) s1, s2 ∈ L(G) − K. As to (i) it is easilychecked that Q(s1) = Q(s2), so V (s1) = V (s2), namely (s1, s2) ∈ ker V asclaimed. For (ii), by definition V (s2) = V (s1), so (s1, s2) ∈ ker V . In case(iii), if Ps1 = Pv for some v ∈ K, then by definition V (s1) = V (v), andPs2 = Ps1 implies similarly V (s2) = V (v); while if Ps1 = Pv for no v ∈ Kthen

V (s1) = V (s2) = Σu

so in either subcase (s1, s2) ∈ ker V , as required.

328 CHAPTER 6

To complete the proof it may be shown by induction on length of stringsthat

L(V/G) = K

and then directly that Lm(V/G) = K. As the argument is similar to theproof of Theorem 3.4.3, we just provide the inductive step. Thus supposes ∈ L(V/G), s ∈ K and sσ ∈ L(V/G), i.e. σ ∈ V (s) and sσ ∈ L(G). Ifσ ∈ Σu then sσ ∈ K by controllability; while if σ ∈ Σc∩Q(s) then sσ ∈ K bydefinition of Q. Conversely suppose sσ ∈ K. If σ ∈ Σu then clearly σ ∈ V (s)so sσ ∈ L(V/G). Suppose σ ∈ Σc. We claim σ ∈ Q(s): for if s′ ∈ Kwith Ps′ = Ps then by observability (s, s′) ∈ actK , and then s′σ ∈ L(G)implies s′σ ∈ K, the required result. Thus it follows that σ ∈ V (s), andas sσ ∈ L(G) we again conclude that sσ ∈ L(V/G). This shows thatL(V/G) = K, as claimed.

(Only if) Let V be a nonblocking feasible supervisory control for G withLm(V/G) = K. As the proof that K is controllable and Lm(G)-closedis unchanged from the proof of Theorem 3.4.3, it suffices to show that Kis observable. So let (s, s′) ∈ kerP , sσ ∈ K, s′ ∈ K and s′σ ∈ L(G).Since s, s′ ∈ L(G) and ker(P |L(G)) ≤ kerV , there follows V (s) = V (s′).Therefore sσ ∈ K implies in turn σ ∈ V (s), σ ∈ V (s′), and s′σ ∈ K.This verifies the observability condition (i′) of Section 6.2; condition (ii′) isautomatic sinceK is Lm(G)-closed; while condition (iii′) is true by symmetryof the argument. 2

Corollary 2Let K ⊆ L(G) be nonempty and closed. There exists a feasible supervi-

sory control V for G such that L(V/G) = K if and only if K is controllablewith respect to G and observable with respect to (G, P ). 2

For brevity we refer to a nonblocking feasible supervisory control (forG, P ) as an NFSC. As before we may generalize this idea to incorporatemarking as well as control in the supervisory action. Thus if M ⊆ Lm(G)we define a marking nonblocking feasible supervisory control for the triple(M,G, P ), or MNFSC, as a map V : L(G) → Γ as defined above, but nowwith marked behavior given by

Lm(V/G) = L(V/G) ∩M

However, for this definition to satisfy the intended interpretation of ‘marking’we must place a further restriction on M . For instance, in a manufacturing

6.3 329

system a string s ∈ Lm(G) might correspond to ‘completion of a finishedworkpiece’, while s ∈ M might mean ‘completion of a batch of finishedworkpieces’. If a batch consists of 10 workpieces, then we would not wantthe supervisor to confuse a string s corresponding to 6 batches with a strings′ corresponding to 61 workpieces. It is natural, then, to require that s, s′

be distinguishable, namely look different when viewed through P . In generalterms we require

(∀s, s′ ∈ Σ∗)s ∈M & s′ ∈ M ∩ Lm(G) & s′ ∈M ⇒ Ps = Ps′

or more directly

(∀s, s′ ∈ Σ∗)s ∈M & s′ ∈ M ∩ Lm(G) & Ps = Ps′ ⇒ s′ ∈M

or succinctly

ker(P |(M ∩ Lm(G))) ≤ M, M ∩ Lm(G)−M

If this condition is satisfied then we shall say that M is (G, P )-admissible.As the counterpart to Theorem 3.4.5 we now have

Theorem 3Let K ⊆ Lm(G), K = ∅, and let K be (G, P )-admissible. There exists

an MNFSC V for (K,G, P ) such that

Lm(V/G) = K

if and only if K is controllable with respect to G and observable with respectto (G, P ).

ProofThe proof of sufficiency may be left to the reader (cf. the proof of Theorem

3.4.5). As to necessity, the proof that K is controllable is unchanged from theproof of Theorem 1. For observability let s, s′ ∈ L(G) with Ps = Ps′. Theproof of condition (i′) (or (i′′)) of Section 6.2 is unchanged, while condition(ii′) (or (ii′′)) is just the property that K is (G, P )-admissible. 2

Example 4: Implementation of a feasible supervisor based on un-certainty sets

We show how to implement a feasible supervisor based on the uncer-tainty sets defined in Exercise 6.2.14. The method succeeds whenever the

330 CHAPTER 6

(controllable) behavior to be synthesized is observable. Initially assume (forthe sake of implementation) that all events are observable, and construct aproper supervisor K = (X,Σ, ξ, x0, Xm) that represents the controlled be-havior K ⊆ Lm(G) of the plant DES G (cf. Section 3.6). For instance, Kmight be obtained as supcon(G,E) for a specification DES E. With thenatural projection P : Σ∗ → Σ∗

o given, assume that K is (G, P )-observable.Let [s] denote the cell of s (mod kerP ), and let PU be the canonical projec-tion on uncertainty subsets of X, as defined in Exercise 6.2.14; the state setfor our feasible supervisor can then be taken to be Σ∗/ kerU , as displayed inFig. 6.1. Finally let

D : Σ∗ × Σ → 0, 1

be the supervisory control disablement function, defined according to

D(s, σ) =

1 if sσ ∈ L(G) & s ∈ K & sσ /∈ K

0 if sσ /∈ L(G), or s /∈ K, or sσ ∈ K

Thus D(s, σ) = 1 iff σ must be disabled following string s by the supervisorK. We first claim that, with K observable, D factors through PU × idΣ, asdisplayed below.2

Σ∗× Σ

Σ∗= kerU × Σ

PU f0; 1g

D

D

idΣ

It must be shown that ker(PU × idΣ) ≤ kerD. For this let σ ∈ Σ,s1, s2 ∈ Σ∗, PU(s1) = PU(s2), and D(s1, σ) = 1. It will be verified thatD(s2, σ) = 1. We have

PU(s1) = PU(s2) ⇒ U(s1) = U(s2)

⇒ PK(s′1)|s′1 ∈ [s1] = PK(s

′2)|s′2 ∈ [s2] (6.2)

2Strictly speaking, the asserted factorization need hold only on pairs (s, σ) with sσ ∈L(G), but we refrain from complicating the notation accordingly.

6.3 331

where PK : Σ∗ → Σ∗/Ner(K) is the canonical state projection for K. Byobservability

D(s1, σ) = 1 ⇒s1σ ∈ L(G) & s1 ∈ K & s1σ /∈ K &

(∀s′1 ∈ [s1])[s′1σ ∈ L(G) & s′1 ∈ K ⇒ s′1σ /∈ K]

By (6.2), with s′2 = s2 ∈ [s2] there exists s′1 ∈ [s1] with PK(s′1) = PK(s2).

Therefore,

s2σ ∈ L(G) & s′1 ∈ K & s′1σ /∈ K

⇒s2σ ∈ L(G) & s2 ∈ K & s2σ /∈ K

⇒D(s2, σ) = 1 (by definition of D(., .))

as claimed.It follows immediately that the induced disablement mapping

D : (Σ∗/ kerU)× Σ → 0, 1

displayed above provides the required feasible control action correspondingto the given supervisor K.

Exercise 5: Verification of observability using uncertainty setsGiven a DES G, and a sublanguage K ⊆ Lm(G), let K be represented

by the DES K = (X,Σ, ξ, x0, Xm), where (for simplicity) we assume that Kis a recognizer with transition function ξ : X ×Σ → X a total function. LetΣo ⊆ Σ and P : Σ∗ → Σ∗

o the natural projection. As in Exercise 6.2.14 wedefine the uncertainty mapping U to state subsets of K according to

U : Σ∗ → Pwr(X) : s 7→ U(s) := ξ(x0, s′)|s′ ∈ Σ∗, Ps′ = Ps ⊆ X

Denote Σ∗/ kerU = X and write PU : Σ∗ → X for the canonical projection.Show that there is a well-defined induced transition map ξ : X × Σ → Xsuch that

ξ(PU(s), σ) = PU(sσ)

for all s ∈ Σ∗, σ ∈ Σ. As before, define

D : Σ∗ × Σ → 0, 1

332 CHAPTER 6

with respect to K. Check that K is observable (with respect to G and P )only if D factors through PU × idΣ as displayed above. For a more completestatement we need in addition that the mapping U distinguish between Kand its complement; namely, confirm the following

Proposition: (characterization of observability by uncertainty sets)

K is observable with respect to (G, P ) if and only if

ker(PU × idΣ) ≤ kerD & kerPU ≤ K,Σ∗ −K

Example 6: Mutual exclusion under partial observation

The previous construction is illustrated by the following problem of mu-tual exclusion under partial observation. Consider agents A1, A2 as shownin Fig. 6.2.

i0Ai i2

i1

0

1 2

Idle

Request Use

Fig. 6.2. Agents subject to Mutual Exclusion (i = 1, 2)

The state name Use refers to a single shared resource, subject to mutualexclusion, so simultaneous occupancy of the state pair (2,2) is prohibited.An additional specification is that resource usage be ‘fair’ in the sense of‘first-request-first-use’, implemented by means of a queue. It is assumed thatevents 11, 21 (transitions from Request to Use) are unobservable. To attempta solution, start by constructing A = sync(A1,A2), then ASPEC (left tothe reader), and finally the supervisor ASUPER = supcon(A,ASPEC),with the result displayed in Fig. 6.3.

6.3 333

ASUPER

22 12

3

7

2020

11

11

1

10020

2

21

821

5

6

1010

22 12

4

Fig. 6.3. Supervisor with Full Observation

By construction, ASUPER is controllable, and is easily seen to be (A, P )-observable. With events 11, 21 unobservable, inspection of Fig. 6.3 yieldsthe uncertainty sets

y0 := 0, y1 := 1, 3, y2 := 2, 6, y3 := 4, 7, y4 := 5, 8

and corresponding state transition structure in Fig. 6.4, where U : Σ∗ →Pwr(0, ..., 8) is identified with the projection PU of Exercise 6.2.14. Notethat the unobservable events 11, 21 appear in the transition graph of UA-SUPER only as selfloops.

12

3

20110

1222

20

2

10

22

UASUPER

04

11

21

21

11

Fig. 6.4. Projection of ASUPER under PU (State set Y = 0, 1, 2, 3, 4)

334 CHAPTER 6

Now the table condat(A,ASUPER) shows that event 11 is disabled atx = 5, 8 while 21 is disabled at x = 4, 7. From this we assert

D(5, 11) = D(8, 11) = D(4, 21) = D(7, 21) = 1

and obtain

D(y3, 21) = D(y4, 11) = 1;

D(y1, 11) = D(y2, 21) = D(y3, 11) = D(y4, 21) = 0

The disablement logic expressed by the function D is already incorporatedin the transition structure of UASUPER. It is easily checked that UASU-PER and A are nonconflicting, so the result is nonblocking for A, and infact the controlled behavior of A under supervision by UASUPER is iden-tical with the behavior by ASUPER. Intuitively it is clear that observationof events 11 and 21 ought to be irrelevant to control, subject to the givenspecification.

Exercise 7: Show that K = Lm(ASUPER) in Example 6 is strongly (A,P)–observable.

Exercise 8: Supervision based on observation consistencyIn case the language K to be synthesized is controllable and observable

(but not necessarily strongly observable) a supervisor can be constructed asfollows. We adopt the notation of Exercise 6.2.13. Assume that K (say, byconstruction) is already controllable, and ∅ = K ⊆ L = Lm(G). First showthat T ∈ T is observation consistent (o.c.) iff

(∀(q, x), (q′, x′) ∈ T )((∀σ ∈ Σc)[δ(q

′, σ)! & ξ(x, σ)! ⇒ ξ(x′, σ)!]

& [q ∈ Qm & q′ ∈ Qm & x ∈ Xm ⇒ x′ ∈ Xm])

namely the definitional test for o.c. need be applied only for σ ∈ Σc.Assume next that every T ∈ T is o.c., so K is (G, P )-observable. For

(feasible) supervision we start with a representation of PK derived as follows.For each T ∈ T define XT ⊆ X according to

XT := x ∈ X|(∃q ∈ Q)(q, x) ∈ T

namely XT is the projection of T ⊆ Q × X on X. Clearly XT = ∅. Torepresent PK we adopt the state set

X := XT |T ∈ T

6.3 335

and adjoin the obvious definitions

X0 := ξ(x0, s)|Ps = ϵ, δ(q0, s)!, ξ(x0, s)!Xm := XT |XT ∩Xm = ∅, T ∈ T

Xσ7−→X ′ := ξ(x, σ)|x ∈ X, X ∈ X, σ ∈ Σo

Writing Ξ : X× Σo → X for the transition rule as just defined, let

So = X,Σo,Ξ, X0,Xm

Supply the details of checking that So represents PK. In general - and thisis significant - So will not be a minimal-state representation of PK (in theNerode sense).3

It remains to extend So to a feasible supervisor (over Σ), say S. For thisit is enough to selfloop each state X of So by σ ∈ Σ − Σo, exactly whenthere exists x ∈ X such that ξ(x, σ)! It is clear that S is feasible, and thereader may complete the detailed verification that S has the fundamentalsupervisory properties required, namely

Lm(G) ∩ Lm(S) = K

L(G) ∩ L(S) = K

Example 9Consider the plant G and specification E, defined over Σ = 0, 1, 2, as

shown below.

G

1 0

2

0 1

0 1 3

2

2

0 1

0; 1 0

E

Thus L(G) = ϵ, 0, 1, 0.1, 1.0, 1.2, 1.2.1. Computing

K = minstate(supcon(G,E))

K(.DAT) = condat(G,K)

3It can be replaced by one only if K is strongly observable.

336 CHAPTER 6

we obtain:

0

1

0

0

2

1

2

1

3

K(.DAT)K

State

3

Disabled event

1

Let the observable event subset Σo = 0, 2. We shall verify that K isobservable, and obtain the corresponding feasible supervisor.

Referring to Exercise 6.2.13, we first record the state sets Q,X of G,Krespectively:

Q = 0, 1, 2, 3, X = 0, 1, 2, 3Corresponding to the possible observed strings

PL(G) = ϵ, 0, 2

we have the partition induced by lookalike strings:

ker (P |L(G)) = ϵ, 1, 0, 0.1, 1.0, 1.2, 1.2.1

The resulting state pair subsets of Q×X determine the family

T = T0, T1, T2

whereT0 = (0, 0), (1, 2), T1 = (2, 1), (3, 3), T2 = (2, 3)

We also need the state subsets

Qj := q ∈ Q|δ(q, j)!, Xj := x ∈ X|ξ(x, j)!, j = 0, 1, 2

namely

Q0 = 0, 1, X0 = 0, 2Q1 = 0, 2, X1 = 0, 1Q2 = 1, X2 = 2

along withQm = 2, 3, Xm = 1, 3

6.3 337

σ 0 1 2 markT q x Q0 X0 Q1 X1 Q2 X2 Qm Xm

T00 0

√ √ √ √× − × −

1 2√ √

× −√ √

× −

T12 1 × −

√ √× −

√ √

3 3 × − × − × −√ √

T2 2 3 × −√

× × −√ √

Observability can be verified by inspection of the table displayed. A cell incolumn Qj (resp. Xj) is checked (

√) if in the corresponding row both q ∈ Qj,

and x ∈ Xj (j = 0, 1, 2). If q ∈ Qj but x /∈ Xj, the corresponding Xj−cellis crossed (×); while if q /∈ Qj its cell is crossed (×) and the correspondingXj−cell is considered ‘don’t care’ (−). If q ∈ Qm then its Qm−cell is checked(√); the corresponding Xm−cell is checked (

√) if x ∈ Xm, or crossed (×) if

x /∈ Xm. Finally if q /∈ Qm its cell is crossed (×) and the Xm−cell is labeled(−).

The observability condition depends only on T ∈ T with |T | ≥ 2, herejust T0, T1. Within each such T , it must hold (for observation consistency)that if some (q, x)−cell pair is checked (

√,√) then every cell pair (q′, x′)

with q′ checked (√) must have x′ checked (

√). This condition clearly holds

for the table shown, from which we conclude that the language Lm(K) is(G, P )−observable.

The desired feasible supervisor is obtained as in Exercise 8. Our repre-sentation So of PLm(K) will be based on the projected state subsets

XT0 = 0, 2, XT1 = 1, 3, XT2 = 3

which we denote by Y0, Y1, Y2 say. So the initial state (corresponding toPs = ϵ) is Y0, and the marker subset is Ym = Y1, Y2. The transitionfunction (Ξ in Exercise 8) is then

Y007−→1, 3 = Y1, Y0

27−→3 = Y2

and is undefined otherwise. Thus we have

338 CHAPTER 6

So

0

2

0 1

2

It remains to extend So (over Σo) to a feasible supervisor S (over Σ). AsΣ − Σo = 1 and (as above) X1 = 0, 1, we see that Y0(= 0, 2) andY1(= 1, 3) should be self-looped by σ = 1, but not Y2(= 3). Our finalresult for S is displayed below.

S

0

2

0 1

2

1 1

disable σ = 1

The reader can easily check that S as supervisor for G synthesizes Lm(K).

Exercise 10: With G,E, K and P as in Example 9, use the method of un-certainty sets (Example 4) to carry through the design of a feasible supervisorcorresponding to

SUPER = supcon(G,E)

Also investigate the reduced versions, say SIMK, SIMSUP of K, SU-PER respectively, computed as usual using supreduce.

Example 11: Relative observability in feasible supervisionLet G be given as usual, together with a specification language E, and

a natural projection P defining observable events. Taking the ambient lan-guage for relative observability to be K, whereK is the supremal controllablesublanguage of E ∩ Lm(G), we may consider the two sublanguage families:

6.3 339

(1) controllable sublanguages of K, and (2) relatively K-observable sublan-guages of K. Since both families contain ∅ and are closed under arbitraryunions, the same is true of their intersection, and therefore there exists thesupremal controllable relatively observable sublanguage ofK, sayH. WithGfinite and E regular, it can be shown that H is regular. With E representedby DES E, a representation H of H can be computed in TCT as

H = supconrobs(G, E, null(P )/image(P ))

Use supconrobs to explore a range of examples of supervisory controlunder partial observation, such as those considered in this text so far. Ofinterest is Small Factory (Section 3.7), taking event α2 (in TCT, 21) as unob-servable. In your examples, appraise the price paid for event unobservabilityin terms of diminished performance.

Example 12: Local observability for distributed controlWe consider a rudimentary decentralized control problem which is not

solvable unless the agents involved are provided with a mechanism to com-municate. By repeated observability checking, the ‘channel’ by which theycommunicate is found as part of the problem solution. We develop the prob-lem as a TCT computation, providing an annotated MAKEIT.TXT file.

Let DES G1 and G2 be independent agents, that is, have disjoint alpha-bets. It is assumed that G1 and G2 can observe and control only events intheir respective alphabets.

Suppose that G1 can execute a sequence of 3 actions, namely the string10.12.11, while G2 can execute only a single action (20).

G1 = create(G1,[mark all],[tran [0,10,1],[1,12,2],[2,11,3]]) (4,3)G2 = create(G2,[mark all],[tran [0,20,1]]) (2,1)

We may write Σ1,Σ2 to refer to the alphabets of G1, G2 or their laterenhanced versions. To start with, Σ1 = 10, 11, 12, Σ2 = 20. In fact onlyΣ1, but not Σ2, will be changed later.

SPEC declares that G1 should execute its third action (11) if and onlyif G2 executes (20) before G1 executes its first action (10).

SPEC= create(SPEC,[mark all],[tran [0,10,1],[0,20,2],[1,20,3],[2,10,4],[4,11,4]]) (5,5)

This global supervision problem is solved as usual.

PLANT = sync(G1,G2) (8,10) Blocked events = NoneALLPLANT = allevents(PLANT) (1,4)

340 CHAPTER 6

SPEC = sync(SPEC,ALLPLANT) (5,10) Blocked events = NoneSUPER = supcon(PLANT,SPEC) (9,9)MSUPER = minstate(SUPER) (8,9)MSUPER = condat(PLANT,MSUPER) ControllableMSUPER disables 11 at states [3] and [6]SIMSUP = supreduce(PLANT,MSUPER,MSUPER) (3,7;slb=2)SIMSUP = condat(PLANT,SIMSUP) Controllable

It is clear that the supervisor SUPER or its reduced version SIMSUPcannot be implemented locally by G1 on the basis of its current state, asG1 has no means of sensing whether or not the priority condition embodiedin the specification is satisfied. To make local supervision possible by G1,information must be transferred in some manner to G1 from G2. We knowthat G1 can locally synthesize only behavior that is controllable and observ-able within its own structure. Use of this fact will lead us to a mechanismfor the required information transfer.

We begin by testing observability of MSUPER with respect to each ofthe alphabets seen (i.e. owned) by G1 and G2 respectively, namely Σ1,Σ2.

obs(PLANT,MSUPER,image[10,11,12]) = false

The diagnostic file for observability failure displays

3 : 11 6 : 11

namely observability fails at states [3] and [6] of MSUPER for event 11.

obs(PLANT,MSUPER,image[20]) = false

In this case the diagnostic file for observability failure displays

6 : 11

or (again) that observability fails at state [6] of MSUPER for event 11.Since event 20 (the sole event of G2) does not appear as a failure event in

either diagnostic file, we conclude thatMSUPER is ‘locally’ observable withrespect to G2 but not G1. For the latter, observability fails at MSUPERstates [3] and [6], where 11 is disabled. A ‘witness’ pair of MSUPER stringsconfirming observability failure at [3] is

Witness: s = [0]10.12[3]x11, s′ = [0]20.10.12[7]v11

Here the notation [3]x11 means ‘11 is disabled at [3]’, while [7]v11 means ‘11is enabled at [7]’. Obviously P1(s) = P1(s′), where P1 is natural projection

6.3 341

with image[10,11,12] = Σ1. Thus G1 cannot distinguish s, s′, and thereforecannot execute conflicting control decisions based on their observation viaP1.

To resolve the situation at state [3], we note that [3] is entered onlyby event 12, so we first split 12 into 121 and 123. This will allow G1 todistinguish the string 10.123, following which 11 will be disabled, from thestring 20.10.121, after which 11 will be enabled.

We bring in the appropriate enhancements to PLANT and SPEC.

PLANT1 = edit(PLANT,[trans +[1,121,3],+[1,123,3],+[4,121,6],+[4,123,6],-[1,12,3],-[4,12,6]]) (8,12)ALLPLANT1 = allevents(PLANT1) (1,5)

We check that the corresponding enhancement toG1 leads to the same result.

EG1 = edit(G1,[trans +[1,121,2],+[1,123,2],-[1,12,2]]) (4,4)EPLANT1 = sync(EG1,G2) (8,12) Blocked events = Noneisomorph(PLANT1,EPLANT1;[[3,4],[4,3],[5,6],[6,5]]) = true

Similarly we enhance SPEC.

SPEC1 = create(SPEC1,[mark all],[tran [0,10,1],[0,20,2],[1,20,3],[2,10,4],[4,11,4]]) (5,5)SPEC1= sync(SPEC1,ALLPLANT1) (5,15) Blocked events = NoneSUPER1 = supcon(PLANT1,SPEC1) (9,12)MSUPER1 = minstate(SUPER1) (8,12)QCMSUPER1= supqc(MSUPER1,image[10,11,20]) (5,5) Determin-

istic

The behavior of MSUPER1 projects4 exactly to specification, as required.Next we retest local observability.

obs(PLANT1,MSUPER1,image[10,11,121,123]) = falseobs(PLANT1,MSUPER1,image[20]) = false

Local observability holds with respect to Σ2, but fails with respect to Σ1:[4]x11, [6]x11.

Witness: s = [0]10.(121/123)[4]x11, s′ = [0]20.10.(121/123)[7]v11Cure: Disable 121 at [1] in s, i.e. delete [1,121,4]; disable 123 at [5] in s′,

i.e. delete [5,123,7].SUPER2 = edit(SUPER1,[trans -[1,121,4],-[5,123,7]]) (9,10)SUPER2 = minstate(SUPER2) (8,10)

4For supqc see Section 6.7.

342 CHAPTER 6

Continue with a new check for local observability which, unsurprisingly,again fails with respect to Σ1.

obs(PLANT1,SUPER2,image[10,11,121,123]) = false

obs(PLANT1,SUPER2,image[20]) = false

Local observability holds with respect to Σ2, but fails with respect to Σ1:[1]x121, [5]x123, [6]x11.

Witness: s = [0]10[1]x121v123, s′ = [0]20.10[5]v121x123

Cure: Create channel in which initial occurrence of 20 enables 121 anddisables 123, while initial occurrence of 10 disables 121 and enables 123.By this ‘semantic’ split the channel becomes equivalent to an encoder, ortranslator, from G2 to G1.

CHNL2 = create(CHNL2,[mark all],[tran [0,10,1],[0,20,2],[1,20,1],

[1,123,1],[2,10,2],[2,121,2]]) (3,6)

If we attempt to treat CHNL2 as an auxiliary controller, we fail tosolve the local control problem, because of course CHNL2 is not locallyobservable. We are therefore forced to hard-wire CHNL2 into PLANT1as an auxiliary encoder as distinct from a controller. Just as ‘controllability’is the basis of controller design, so ‘observability’ can be seen here as thebasis of encoder design. ‘Controlling’ and ‘encoding’ can be considered asoperational dualities reflecting the structural dualities of controllability andobservability.

The hardwiring yields

PLANT2 = sync(PLANT1,CHNL2) (11,12) Blocked events = None

SPEC2 = edit(SPEC1) (5,15)

SUPER3 = supcon(PLANT2,SPEC2) (9,9)

MSUPER3 = minstate(SUPER3) (8,9)

isomorph(SUPER3,MSUPER3) = false

QCMSUPER3= supqc(MSUPER3,image[10,11,20]) (5,5) Determin-istic

MSUPER3 projects to plant behavior in accordance with specification, asrequired.

obs(PLANT2,MSUPER3,image[10,11,121,123]) = true

obs(PLANT2,MSUPER3,image[20]) = false

MSUPER3 is locally observable with respect to both Σ1 and Σ2. The goalhas been achieved.

6.3 343

It remains to confirm that the projection of MSUPER3 on Σ1 leads toa correct local supervisor.

P1MSUPER3 = project(MSUPER3,image[10,11,121,123]) (4,4)P2MSUPER3 = project(MSUPER3,image[20]) (2,1)

The controlled behavior of EG1 under P1MSUPER3 is given by

SUPEG1 = meet(EG1,P1MSUPER3) (5,4)

We compute the overall system behavior SYSTEM2 from that of thecontrolled EG1, together with CHNL2 and G2.

SYSTEM2 = sync(SUPEG1,G2) (10,13) Blocked events = NoneSYSTEM2= sync(SYSTEM2,CHNL2) (9,9) Blocked events = NoneQCSYSTEM2 = supqc(SYSTEM2,image[10,11,20]) (5,5) Determin-

istic

Overall system behavior is correct, in accordance with SPEC2.

TESTEG1 = supcon(EG1,SUPEG1) (5,4)isomorph(TESTEG1,SUPEG1;identity) = trueSUPEG1 = condat(EG1,SUPEG1) ControllableSIMEG1 = supreduce(EG1,SUPEG1,SUPEG1) (2,4;slb=2)SIMEG1 = condat(EG1,SIMEG1) ControllableTEST1 = meet(EG1,SIMEG1) (5,4)isomorph(TEST1,SUPEG1;identity) = true

Thus the reduced local supervisor for EG1 is confirmed correct.

This problem works out satisfactorily as an example of top-down encoderdesign starting from the initial global optimal supervisor. The principles arethat (1) event splitting is used to provide an adequate information structurefor achieving local observability, and then (2) the requisite encoding to re-solve unobservability is implemented by a channel. This entity must (3) becontrollable, namely no further control action is required to implement it,and (4) be hardwired into the plant, to represent exactly the intercommu-nication action between the independent plant components. Thus channelsplay a new role, alongside (local) controllers. Essentially, channels are en-coders through which distinct agents communicate. What they encode isevent symbol strings from one or both alphabets into some event of theother alphabet.

This might suggest an alternative approach to the present example, wherethe channel simply encodes event 20 in G2 into a new event in G1. It iseasily seen, however, that this maneuver will not work, as what is needed is

344 CHAPTER 6

an encoding into yes/no of whether or not event 20 occurs before or afterevent 10. Thus our approach is correct as it stands, with no further economyapparently possible.

6.4 Infimal Closed Observable Sublanguages

Let G, P be as before, and let A ⊆ L(G). Consider the class of languages

O(A) = K ⊇ A|K is closed and (G, P )-observable

We have the following (dual) analog of Theorem 3.5.6.

Theorem 1O(A) is nonempty and is closed under arbitrary intersections. In particu-

lar, O(A) contains a (unique) infimal element [which we denote by inf O(A)].

ProofClearly L(G) ∈ O(A). Let Kβ ∈ O(A) for all β in some index set B, and

letK =

∩Kβ|β ∈ B

Then K is closed. Suppose (s, s′) ∈ kerP , sσ ∈ K, s′ ∈ K and s′σ ∈ L(G).We have for each β that sσ ∈ Kβ and s′ ∈ Kβ, so s

′σ ∈ Kβ. Hence s′σ ∈ K,

and K is observable. In particular

inf O(A) =∩

K|K ∈ O(A)

2

In general the conclusion of Theorem 1 fails if the observable languagesare not closed, nor does it help to require them to be Lm(G)-closed.

Example 2Let Σ = α, β, γ, δ, Σo = β, γ, δ and

L(G) = δ + αδ(β + γ), Lm(G) = α, δ, αδ(β + γ)

K1 = α+ δ + αδβ, K2 = α + δ + αδγ

6.4 345

The reader may verify thatK1 andK2 are both Lm(G)-closed and observable.Now

K1 = ϵ, α, δ, αδ, αδβ), K2 = ϵ, α, δ, αδ, αδγ

K1 ∩K2 = α, δ, K1 ∩K2 = ϵ, α, δ

K1 ∩ K2 = ϵ, α, δ, αδ

K1 ∩ K2 −K1 ∩K2 = αδ

Taking s = ϵ, s′ = α gives s, s′ ∈ K1 ∩K2, while

sδ = δ ∈ K1 ∩K2, s′δ = αδ ∈ K1 ∩ K2 −K1 ∩K2

Thus K1 ∩K2 is not observable.

Furthermore, in general it is not true that the union of observable lan-guages (closed or not) is observable.

Example 3Let Σ = α, β, Σo = β, with

L(G) = (ϵ+ α)β, K1 = α, K2 = β

Then K1 and K2 are both observable, but for K = K1 ∪K2 we have

ϵ, α ∈ K, P (ϵ) = P (α), ϵβ = β ∈ K, αβ ∈ K

and thus K is not observable.

We conclude from these results that the class of observable languages con-taining a given language (and with no closure requirement), despite its seem-ingly natural definition from the viewpoint of system theory, is algebraicallyrather badly behaved. A more satisfactory approach will be described inthe section to follow. In the meantime we can, however, solve a problem ofoptimal supervision that addresses only the closed behavior of the resultingsystem. The result will be applicable provided nonblocking is not an issue.

Without essential loss of generality, we assume for the remainder of thissection that

Σo ∪ Σc = Σ

346 CHAPTER 6

namely every event is either observable or controllable. As a consequence,every uncontrollable event is observable. Let A and E be closed sublanguageswith

A ⊆ E ⊆ L(G)

We interpret E as ‘legal behavior’ and A as ‘minimally adequate behavior’.Our objective is:

Obtain a feasible supervisory control V such that

A ⊆ L(V/G) ⊆ E (∗)

First suppose that A = ∅. The supervisory control V defined by permanentlydisabling all controllable events is feasible and it is enough to check thatL(V/G) ⊆ E. If A = ∅, bring in the language class O(A) as before, and theclass C(E) defined by

C(E) = K ⊆ E|K is closed and controllable

Recall from Section 3.5 that C(E) is closed under arbitrary intersections. Wenow have the following abstract solvability condition.

Theorem 4 (Feng Lin)Assume A = ∅. The problem (∗) is solvable if and only if

inf O(A) ⊆ sup C(E)

Proof(Only if) Let K = L(V/G). Then K is closed. Taking Lm(G) = L(G)

in Corollary 6.3.2 we obtain that K is controllable and observable, so

inf O(A) ⊆ K ⊆ sup C(E)

from which the condition follows.(If) The family of sublanguages

K = K ′|K ′ ⊇ inf O(A) & K ′ ∈ C(E)

is nonempty (sup C(E) belongs). Since C(E) is closed under intersections,the language

K := inf K =∩

K ′|K ′ ∈ K

6.4 347

belongs to K and is thus closed and controllable.Write A = inf O(A). It will be shown that K is given explicitly by

K = AΣ∗u ∩ L(G)

Denote the right side of the proposed equality by K#. Clearly K# is closedand contains A. Also, K# is controllable: for if s = s1s2 with s1 ∈ A,s2 ∈ Σ∗

u, σ ∈ Σu and sσ ∈ L(G), then

sσ ∈ AΣ∗u ∩ L(G) = K#

and it is easy to see (by induction on strings) that any closed controllablelanguage containing A must contain K#.

We claim that K is even observable. With this established, it only remainsto invoke Corollary 6.3.2 for the desired result.

Because K is closed, to prove the claim it suffices to show

(∀s, s′)(∀σ)sσ ∈ K & s′ ∈ K & s′σ ∈ L(G) & Ps = Ps′ ⇒ s′σ ∈ K

Taking σ ∈ Σu in the antecedent yields the result by controllability of K.Suppose σ ∈ Σc and assume, for a proof by contradiction, that s′σ ∈ K. Wemust have sσ ∈ A. Clearly s′σ ∈ A, for if s′σ ∈ A and s′σ ∈ L(G) thens′σ ∈ L(G) ∩ AΣ∗

u = K, contrary to our assumption.It will be shown that s′ ∈ A. Otherwise, if s′ ∈ A, let w′σ′ be the longest

prefix of s′ such that w′ ∈ A and w′σ′ ∈ A: because A is nonempty andclosed, we have at least ϵ ∈ A, so if s′ ∈ A then |s′| > 0, and a prefix ofthe form described must surely exist. Furthermore σ′ ∈ Σu: in fact, theassumption s′ ∈ K implies w′σ′ ∈ K = AΣ∗

u ∩ L(G), and then w′σ′ ∈ Arequires σ′ ∈ Σu as stated. Now

Σ = Σc ∪ Σo

implies Σu ⊆ Σo, so that σ′ ∈ Σo. Since Ps = Ps′ by hypothesis, there is aprefix wσ′ of s such that Pw = Pw′. Since s ∈ A so is wσ′. Therefore

wσ′ ∈ A, w′ ∈ A, w′σ′ ∈ L(G)

and by observability of A there follows w′σ′ ∈ A. This contradicts thesupposition above that w′σ′ ∈ A. Therefore s′ ∈ A after all. Finally wehave

Ps = Ps′, sσ ∈ A, s′ ∈ A, s′σ ∈ L(G)− A

348 CHAPTER 6

in contradiction to the fact that A is observable. The claim is proved, andwith it the desired result. 2

Example 5The requirement in Theorem 4 that the relevant languages be closed

cannot be dropped. Suppose, for instance, we replace C(E) by C(E), thefamily of all controllable sublanguages of E, and replace K by

K = K|K ⊇ inf O(A) & K ∈ C(E)

Then inf K need not exist. As an example, let

Σ = Σo = α, β, γ, Σc = β, γ, Σu = α

Lm(G) = ϵ, αβ, αγ, A = ϵ, E = Lm(G)

Since all events are observable, inf O(A) = A. Since α ∈ AΣu ∩ L(G) andα ∈ A, A is not controllable. Because Lm(G) is controllable, if infK existsthen A ⊆ infK ⊆ Lm(G). Therefore the possible candidates for infK are

ϵ, αβ, ϵ, αγ, or ϵ, αβ, αγ

but none of these is infimal.

Example 6If A and E are not closed, a solution to our problem (∗) need not exist,

even if A is observable and E is controllable. Let

Σ = α, β, Σo = α, Σc = β

L(G) = ϵ, α, αβ, β, βα, βαβ, Lm(G) = L(G)− ϵ

We take

A = β, E = α, β, βαβ

Now A = ϵ, β and β ∈ Lm(G) so A = A ∩ Lm(G), i.e. A is Lm(G)-closed.Also (in the active/inactive set notation of Section 6.2)

AA(ϵ) = β, IAA(ϵ) = α,AA(β) = ∅, IAA(β) = α

6.5 349

hence A is observable. However, as

β ∈ A, α ∈ Σu, βα ∈ L(G)− A

A is not controllable. Next, it can be verified that E is controllable; however,as

α, βα ∈ E, Pα = α = P (βα)

AE(α) = ∅, IAE(α) = βAE(βα) = β, IAE(βα) = ∅

it follows that E is not observable. Thus neither A nor E is a solution of theproblem (∗). Finally, if

A ⫋ K ⫋ E

thenK = K1 := α, β or K = K2 := β, βαβ

but neitherK1 norK2 is controllable, and we conclude that (∗) is not solvable.On the other hand, if E is replaced by E then the problem (∗) is solved by

K = ϵ, α, β, βα

In general, if E is not closed then (*) may fail to be solvable simplybecause E has too few sublanguages.

6.5 Supervisory Control and Normality

As we saw in the previous section, the observability property can be conve-niently exploited in supervisory control only when the relevant languages areall closed. Even then, because observability is not preserved under union, ingeneral an optimal (minimally restrictive) supervisory control will not exist.We obtain a better structured problem if we replace observability by thestronger requirement of normality. To this end we set up our problem anew,in such a way that this section is independent of Sections 6.2-6.4.

Let the controlled DES G over Σ = Σc∪Σu be given, along with theobserving agent’s projection P : Σ∗ → Σ∗

o. As in Section 3.4, define the setof control patterns

Γ = γ ∈ Pwr(Σ)|γ ⊇ Σu

350 CHAPTER 6

Just as before, we bring in the concept of a supervisory control V : L(G) → Γ.However, V must now ‘respect’ the observational constraint that control bebased purely on the result of observing the strings generated by G throughthe channel C, namely on the information transmitted by P . We say V isfeasible if

(∀s, s′ ∈ L(G))Ps = Ps′ ⇒ V (s) = V (s′)

namely ‘look-alike strings result in the same control decision’. Succinctly,

ker(P |L(G)) ≤ kerV

As to marking, we require as usual that

(i) Lm(V/G) ⊆ Lm(G)

It’s natural to require as well that marking ‘respect’ the observational con-straint, namely ‘look-alike strings in Lm(G)∩L(V/G) are either both markedor both unmarked’:

(ii) (∀s, s′)s ∈ Lm(V/G) & s′ ∈ Lm(G) ∩ L(V/G) & Ps′ = Ps ⇒ s′ ∈Lm(V/G)

If both (i) and (ii) hold we shall say that V is admissible. Admissibility isrelated to normality as follows.

Lemma 1

(i) If Lm(V/G) is (Lm(G), P )-normal then V is admissible.

(ii) If L(V/G) is (L(G), P )-normal and V is admissible then Lm(V/G) is(Lm(G), P )-normal. 2

Thus if L(V/G) is (L(G), P )-normal then V admissible means that Lm(V/G)is a union of sublanguages of the form [s] ∩ Lm(G), with [s] a cell of ker P .

Exercise 2: Prove Lemma 1.

Now let E ⊆ Lm(G) be a specification language. We introduce

Supervisory control and observation problem (SCOP)

6.5 351

Find nonblocking, feasible, admissible V such that

∅ = Lm(V/G) ⊆ E

To investigate SCOP we bring in the following three families of languages.

C(E) := K ⊆ E|K is controllable wrt G

N(E;Lm(G)) := K ⊆ E|K is (Lm(G), P )-normal

N(E;L(G)) := K ⊆ E|K is (L(G), P )-normal

Each family is nonempty (∅ belongs), and is closed under arbitrary unions.Let

S(E) := C(E) ∩N(E;Lm(G)) ∩ N(E;L(G))

Then S(E) is nonempty and closed under arbitrary unions, so that sup S(E)exists in S(E). Now we can provide a sufficient condition for the solution ofSCOP.

Theorem 3Let K = ∅ and K ∈ S(E). Define V : L(G) → Γ according to:

V (s) :=

Σu ∪ σ ∈ Σc|P (sσ) ∈ PK Ps ∈ PKΣu Ps ∈ PL(G)− PK

and define

Lm(V/G) := L(V/G) ∩K

Then V solves SCOP, with

Lm(V/G) = K

ProofClearly V is feasible. We first claim that

L(V/G) = K

Notice that

K = ∅ ⇒ K = ∅ ⇒ ϵ ∈ K

352 CHAPTER 6

To show L(V/G) ⊆ K, let s ∈ L(V/G), s ∈ K, and sσ ∈ L(V/G). Bydefinition of L(V/G), we have sσ ∈ L(G) and σ ∈ V (s); and s ∈ K impliesPs ∈ PK. If σ ∈ Σu then, since K ∈ C(E),

sσ ∈ KΣu ∩ L(G) ⊆ K

If σ ∈ Σc, then P (sσ) ∈ PK, which implies

sσ ∈ L(G) ∩ P−1(PK) = K

since K ∈ N(E;L(G)).Next we show K ⊆ L(V/G). Let s ∈ K, s ∈ L(V/G), and sσ ∈ K. Then

Ps ∈ PK; also sσ ∈ Lm(G) ⊆ L(G). If σ ∈ Σu then σ ∈ V (s). If σ ∈ Σc

then, since P (sσ) ∈ PK, again σ ∈ V (s). Thus s ∈ L(V/G), sσ ∈ L(G),and σ ∈ V (s), so sσ ∈ L(V/G), and our claim is proved.

To see that V is nonblocking, note that

Lm(V/G) := L(V/G) ∩K= K ∩K= K

namely Lm(V/G) = L(V/G).Finally, V is admissible, by the fact that

Lm(V/G) = K ∈ N(E;Lm(G))

and Lemma 1. 2

It is well to note that the replacement of observability by normality willrestrict the resulting supervisory control by prohibiting the disablement ofany controllable event that happens not to be observable: i.e. only observableevents will be candidates for disablement. We may state this fact preciselyas follows.

Proposition 4Let K ⊆ L(G) be controllable. If K is (L(G), P )-normal, then

(∀s ∈ Σ∗)(∀σ ∈ Σ)s ∈ K & sσ ∈ L(G)− K ⇒ σ ∈ Σo ∩ Σc 2

Exercise 5: Prove Proposition 4.

6.5 353

On a more positive note, observability is tantamount to normality in thepleasant circumstance that all controllable events are observable under P .For convenience we restate Proposition 6.2.11.

Proposition 6Let K ⊆ Lm(G) be controllable and observable. Assume Pσ = σ for all

σ ∈ Σc. Then K is (Lm(G), P )-normal and K is (L(G), P )-normal. 2

Exercise 7: Prove Proposition 6, under the weaker assumption (suitablyformalized) that Pσ = σ for all σ ∈ Σc except possibly for those σ that arenever disabled in the synthesis of K.

Now let Go be defined over the alphabet Σo, with

Lm(Go) = PLm(G), L(Go) = PL(G)

Thus Go is the ‘observer’s local model of G’. Let

Σc,o := σ ∈ Σc|Pσ = σ = Σc ∩ Σo

andΣu,o := Σu ∩ Σo

be respectively the controllable and uncontrollable event subsets in Go. ForEo ⊆ Σ∗

o, let

Co(Eo) := Ko ⊆ Eo|Ko is controllable wrt Go

Fix a specification language E ⊆ Σ∗, and bring in languages

No := P supN(E;Lm(G))

Ko := supCo(No)

J := P−1Ko

K := Lm(G) ∩ J

Theorem 8Assume G is nonblocking, i.e. Lm(G) = L(G). If Lm(G), J are noncon-

flicting and K = ∅, then SCOP is solvable with

Lm(V/G) = K

354 CHAPTER 6

ProofIt will be shown that K ∈ S(E). For this, let

N := supN(E;Lm(G))

Then

K ⊆ Lm(G) ∩ P−1(No)

= Lm(G) ∩ P−1(PN)

= N (by normality)

⊆ E

Also (cf. remark preceding Exercise 6.1.1),

K = Lm(G) ∩ P−1Ko

implies that K is (Lm(G), P )-normal, i.e.

K ∈ N(E;Lm(G)) (6.3)

Since Lm(G), J are nonconflicting, we have

K = Lm(G) ∩ J= Lm(G) ∩ J= L(G) ∩ P−1Ko (by Exercise 6.1.18)

i.e. K is (L(G), P )-normal, namely

K ∈ N(E;L(G)) (6.4)

To see that K is controllable, let s ∈ K, σ ∈ Σu, and sσ ∈ L(G). ThenPs ∈ Ko. If Pσ = σ, then

(Ps)σ = P (sσ) ∈ P (L(G)) = L(Go)

By Go-controllability of Ko, we have P (sσ) ∈ Ko, i.e.

sσ ∈ L(G) ∩ P−1(Ko) = K

If Pσ = ϵ, thenP (sσ) = Ps ∈ Ko

6.5 355

so againsσ ∈ L(G) ∩ P−1(Ko) = K

as required. Thus

K ∈ C(E) (6.5)

and by (6.3)-(6.5), K ∈ S(E). The result now follows by Theorem 3. 2

Exercise 9: Under the conditions of Theorem 8, with K as previouslydefined, show that K = sup S(E). Hint: By the proof of the theorem,K ∈ S(E). If H ∈ S(E) use H ∈ C(E) ∩ N(E;L(G)) to show thatPH ∈ Co(PE), and then H ⊆ K. 2

Exercise 10: Write Lm = Lm(G), L = L(G) and PL := P |L; thus PL :L→ Σ∗

o. Call PL an Lm-observer if

(∀t ∈ PLm)(∀s ∈ L)Ps ≤ t ⇒ ((∃u ∈ Σ∗)su ∈ Lm & P (su) = t)

In other words, whenever Ps can be extended in Σ∗o to a string t ∈ PLm, the

underlying string s ∈ L can be extended to a string su ∈ Lm with the sameprojection; the ‘local observer’s expectation is never blocked in G’. Showthat PL is an Lm–observer iff, for every sublanguage E ⊆ PLm,

Lm ∩ P−1(E) = L ∩ P−1(E)

In particular, if K ⊆ Lm and PL is an Lm–observer then

Lm ∩ P−1(PK) = L ∩ P−1(PK)

If K is (Lm, P )-normal conclude that K is (L, P )-normal, in which case

S(E) = C(E) ∩N(E;Lm(G))

With J as defined prior to Theorem 8, show that Lm(G), J are necessar-ily nonconflicting, and so it is enough to assume in Theorem 8 that G isnonblocking and K = ∅.

The foregoing results are brought together in the following (somewhatrestricted) step-by-step design method. For a more general algorithm whichis always effective, see Exercises 16, 17 below.

356 CHAPTER 6

TCT Procedure for SCOP

0. Given G, E, and the list NULL of P -unobservable events

1. N := supnorm(G,E, null(NULL))

2. NO := project(N, null(NULL))5

3. GO := project(G, null(NULL))

4. KO := supcon(GO,NO) proposed ‘observer’s supervisor’

5. KODAT := condat(GO,KO)

6. PINVKO := selfloop(KO,NULL)

7. nonconflict(G,PINVKO) = true?

8. K = meet(G,PINVKO)

9. K nonempty?

If this procedure terminates successfully (with ‘yes’ at steps 7 and 9), thenPINVKO provides a solution to SCOP, and K is the corresponding con-trolled behavior.

5Note that steps 1 and 2 could be combined by use of Exercise 6.1.22.

6.5 357

Example 11: SCOP for Small FactoryTake MACH1, MACH2 as in Small Factory (Example 3.3.19), with

specification

21

BUF

10

selfloop f11; 12; 13; 20; 22; 23g

FACT = sync(MACH1,MACH2)

Σo = 10, 11, 20, 21

Thus the unobservable events pertain to breakdown and repair. By the designprocedure we obtain the following.

0. FACT, BUF, NULL := [12,13,22,23]

1. N = supnorm(FACT, BUF, null(NULL)) (18,42)

2. NO = project(N, null(NULL)) (8,18)

3. FACTO = project(FACT, null(NULL)) (4,12)

4. KO = supcon(FACTO, NO) (6,11)

5. KODAT = condat(FACTO, KO)

6. PINVKO = selfloop(KO, NULL) (6,35)

7. nonconflict(FACT, PINVKO) = true

8. K = meet(FACT, PINVKO) (20,37)

9. K is nonempty

Thus termination is successful. In the following additional steps we compareour result with the ideal case where all events are observable.

10. MK = minstate(K) (12,25)

358 CHAPTER 6

11. BUFSUP = supcon(FACT,BUF) (12,25)

12. isomorph(MK,BUFSUP) = true

From this we conclude (rigorously if unsurprisingly) that optimal controlof the buffer does not require observation of breakdowns and repairs.

Exercise 12: A possible drawback of the TCT design procedure for SCOPis that the observer’s supervisor, being based on the projected plant model(GO in Step 4), may fail to account for possible blocking (cf. the discussionin Section 2.5). As a result, conflict may result at Step 7, whereupon thedesign procedure fails. For instance, consider the plant model G displayedbelow with alphabet Σ = 0, 1, 2, 3, 5, in which event 0 is unobservable.

G

5

1

5

5

5

3; 5

3

0

2

0

0

1

2

3

4

5

6 7

The observer’s plant model GO = project(G,null[0]) is the following:

6.5 359

GO

5

5

3

31

2

5

0

2

3 4 5

1

Note that the closed and marked behaviors of GO are exactly the projec-tions of the corresponding behaviors of G as required. However, GO hasobliterated the information that the event sequence 1.0.2.0 in G leads to anon-coreachable state in G. With reference to Exercise 10, verify that herePL is not an Lm-observer.

Attempt the TCT design procedure using the specification language Σ∗

(i.e. requiring only nonblocking), verify that it fails at Step 7, and explainhow the proposed supervisor could cause blocking. Start again, enhancingthe plant model by self-looping its non-coreachable states (5,6,7) with anauxiliary uncontrollable but (hypothetically) observable event (4, say). Re-peating the design procedure (with Σ unchanged, so that non-coreachablestates are prohibited), verify that it now succeeds, and describe the con-trol action. Finally, generalize this approach for arbitrary specifications, andprovide conditions for its validity.

Exercise 13: It is almost obvious a priori that the approach of this sectionwill fail for the two-agents problem in Example 6.3.6. Why?

Exercise 14: Given G,E and P , take K = supcon(G,E), assumed observ-able, and proceed as in Example 6.3.4 to compute the feasible supervisor, sayS1. Also compute S2 = PINVKO as in SCOP. Assuming that both S1 andS2 turn out to be nonconflicting with respect to G, show that the (marked)controlled behavior using S1 contains that using S2. Hint: If V1, V2 are thecorresponding supervisory controls, show that Lm(V1/G) ⊇ Lm(V2/G).

360 CHAPTER 6

Exercise 15: For a mild generalization of the setup in this chapter, supposeT is an alphabet disjoint from Σ, but that P : Σ∗ → T ∗ remains catenative,and that for each σ ∈ Σ, either Pσ ∈ T or Pσ = ϵ. For ‘control consistency’assume also that the subsets Tc := T ∩ PΣc and Tu := T ∩ PΣu are disjoint,while T = Tc∪Tu. Revise the exposition accordingly.Hint: If G = (Q,Σ, δ, q0, Qm), define G = (Q, Σ, δ, q0, Qm) as follows. Foreach transition [q, σ, q′] such that Pσ ∈ T introduce a new state x, and replace[q, σ, q′] with two new transitions [q, σ, x], [x, Pσ, q′]. If X is the set of all suchx, let Q := Q∪X. Define Σ := Σ∪T, q0 := q0, Qm := Qm and δ : Q× Σ → Q(pfn) accordingly. Let Σo := T and define P : Σ → Σo ∪ ϵ according to

P σ = ϵ, σ ∈ Σ

P τ = τ, τ ∈ T

Clearly P determines a (unique) natural projection Σ∗ → Σ∗o.

6 Finally,consider the (standard) problems of this chapter for the pair (G, P ).

Exercise 16: In the notation of SCOP, define the operator T : Pwr(Σ∗) →Pwr(Σ∗) according to

T (J) := supC(supN(sup N(J ;L(G));Lm(G))), J ⊆ Σ∗

Set K0 := E,Kj = T (Kj−1), j ⩾ 1. Show that, provided E and Lm(G) areregular, the chain K0 ⊇ K1 ⊇ K2 ⊇ · · · is finitely convergent, to

K := sup S(E)

Hint: Use the results of Exercises 6.1.25, 6.1.28, 3.5.11 to obtain estimates ofthe form ‘Ner(·) ≥’ for sup N, supN, supC respectively, and then for Ner(Kj)(j ≥ 1). Proceed as in Exercise 6.1.28 to show that the state sizes |Ner(Kj)|are bounded and hence the chain Kj is finitely convergent.

The result of Exercise 16 is implemented in the TCT procedure supscop.Thus ifE,G,K represent respectivelyE,Lm(G) andK, and if null/image(P )lists the events erased (or resp. retained) by P , then

K = supscop(G,E,null/image(P ))

6The foregoing steps could be carried out more directly using the TCT hierarchicalprocedures vocalize and higen described in Chapter 5.

6.6 361

Since ∥K∥ may be exponentially large in ∥E∥ · ∥Lm(G)∥, supscop is com-putationally intensive.

Exercise 17: Verify the following ‘feedback implementation’ of the solu-tion K of SCOP computed above. The ‘observer’s model’ of the super-visor, driven by strings Ps at the channel output, can be represented byPK := project(K,null(P)/image(P)). Also the observer’s model of theplant is PG = project(G,null(P)/image(P)). Thus the observer will dis-able controllable events on the basis of

PK(.DAT) = condat(PG,PK)

Show that this controller is consistent with K. Hint: Compute

QPK = selfloop(PK,null(P ))

TEST = meet(G,QPK)

and verifyisomorph(TEST,K) = true

(possibly after application of minstate to the arguments). Justify thesesteps on the basis of TCT semantics.

Exercise 18: State-size reduction under natural observerLet Lm, L := Lm ⊆ Σ∗, Σo ⊆ Σ, and P : Σ∗ → Σ∗

o be the naturalprojection. Suppose P is an Lm-observer, namely

(∀t ∈ PLm)(∀s ∈ L)Ps ≤ t⇒ ((∃u ∈ Σ∗)su ∈ Lm & P (su) = t)

Let λ = Ner(Lm), π = Ner(PLm) and write π P ∈ E(Σ∗) for ker(Pπ P ).Show that λ ≤ π P and deduce ∥PLm∥ ≤ ∥Lm∥.

The following definition will be useful. Given a DES G over Σ, a sub-alphabet Σo ⊆ Σ, and the natural projection P : Σ∗ → Σ∗

o, say that P is anatural observer forG if P is both an Lm(G)-observer and an L(G)-observer.

Exercise 19: Let G be nonblocking and assume P : Σ∗ → Σ∗o is a natural

projection. Show that if P is an observer for Lm(G) then it is necessarily anobserver for L(G), i.e. P is a natural observer for G. Show by example thatthe conclusion may fail if G is blocking.

362 CHAPTER 6

6.6 Control of a Guideway

The following example illustrates the ideas of this chapter in an intuitivelysimple setting, as well as the computation using TCT of the various DESrequired. Of course, this ‘universal’ approach to the example problem is farfrom being the most efficient; furthermore the piecemeal TCT computationscould certainly be combined into higher-level procedures if desired.

Stations A and B on a guideway are connected by a single one-way trackfrom A to B. The track consists of 4 sections, with stoplights (⋆) and detec-tors (!) installed at various section junctions.

⋆ ⋆

!!!!

· · · · Stn BStn A

⋆

·

Two vehicles, V1, V2 use the guideway simultaneously. Either vehicle is instate 0 (at A), state i (while travelling in section i, i = 1, ..., 4), or state 5(at B).

22

12

25

15

20

10

23

13

21

11

543210V2

V1

To prevent collision, control of the stoplights must ensure that V1 andV2 never travel on the same section of track simultaneously: i.e. the V’s aresubject to mutual exclusion of the state pairs (i, i), i = 1, ..., 4. Controllableevents are odd-numbered; the unobservable events are 13, 23.

By TCT the solution can be carried out as follows. Bracketed numbers(m,n) report the state size m and number of transitions n of the correspond-ing DES.

Following the procedure and notation in Section 6.5 (cf. Theorem 6.5.3),steps 0 to 9 compute the plant (generator) G = V, the legal specificationlanguage (generator) E, then the proposed feasible supervisor K.

0. create(V1) (6,5)create(V2) (6,5)V = sync(V1,V2) (36,60)E = mutex(V1,V2,[(1,1),(2,2),(3,3),(4,4)]) (30,40)NULL = [13,23]

6.6 363

1. N = supnorm(V,E, null(NULL)) (26,32)

2. NO = project(N, null(NULL)) (20,24)

3. VO = project(V, null(NULL)) (25,40)

4. KO = supcon(VO,NO) (20,24)

5. KODAT = condat(VO,KO)KODAT could instead be named KO, as in step 4 KO is filed asKO.DES, but in step 5 the result of condat is filed with suffix .DAT

6. PIKO = selfloop(KO,NULL) (20,64)

7. nonconflict(V,PIKO) = true

8. K = meet(V,PIKO) (26,32)

9. K is nonempty by step 8.

It can be verified that in this example K turns out to be isomorphic to N.The supervisory action of K can be read from the tabulated transition

structure or from the transition graph and is the following (where tsi standsfor ‘track section i’): If V2 starts first (event 21), it must enter ts4 before V1may start (event 11: disabled by light #1). V1 may then continue into ts3(event 10), but may not enter ts4 (event 15: disabled by light #3) until V2enters Stn B (event 22). Light #2 is not used. In fact, switching light #2 tored would mean disabling event 13 or 23; but these events are unobservable,while K is normal. If all events were observable, supervision could be basedon E, allowing V1 to start when V2 has entered ts2. But then V1 musthalt at light #2 until V2 has entered ts4.

The transition graph for K when V2 starts first is displayed in Fig. 6.6(for E adjoin the events shown dashed).

364 CHAPTER 6

11

23

20

25

22

11

13

10

15

12

21

11

11

13 10

20

25

22

22

22

Fig. 6.6. Transition graph for K when V2 starts first(For E adjoin events shown dashed)

This example illustrates that the replacement of observability by normal-ity as the property to be sought in control synthesis results in general in some‘loss of performance’ in the sense of a restriction on control behavior that isnot strictly necessary. For brevity write E for Lm(E). We claim first that

6.6 365

E is not observable. For let s = 21, s′ = 21.23. The projection P nulls theevent set 13,23, so Ps = Ps′ = 21, i.e. (s, s′) ∈ kerP . By inspection ofthe transition structure of V1,V2 we see that

AE(s) = σ|sσ ∈ E = 23IAE(s) = σ|sσ ∈ L(V)− E = 11AE(s

′) = 11, 20IAE(s

′) = ∅

The fact that AE(s′) ∩ IAE(s) = 11 = ∅ proves the claim.

11

0

212

1

4

3 5 8 12 16 25

27

7

13

15

15 23 22

6 9 13 17 261210

11

18

23

10

20 11 25 13

21

12 21

10

2120

21

23

24

20

25

14

22 15

11

11

25

22

15

12

1923

12

12

22

22 22

20

13

10

Fig. 6.7. COB

To obtain a controllable and observable sublanguage of E, delete from Ethe transitions [4,11,7] and [7,20,11], along with their mirror-image counter-parts [3,21,6], [6,10,10]; call the resulting language COB (Fig. 6.7). It is clearthat COB is controllable, since the first transition in each of these pairs iscontrollable. Now the conditions

s, s′ ∈ COB, (s, s′) ∈ kerP

plus the assumption that s = s′, hold (in the displayed graph for E) for

s = 21, s′ = 21.23

or vice-versa, and this time we have

ACOB(s) = 23, IACOB(s) = 11ACOB(s

′) = 20, IACOB(s′) = 11

366 CHAPTER 6

for which the null intersection requirement is satisfied; and similarly for theremaining pairs (s, s′) ∈ ker P . So COB is (V, P )–observable. ThereforeCOB can be synthesized by a feasible supervisor; by inspection the supervi-sory control requires the supervisor to: (i) disable event 11 after 21, keeping11 disabled until after the next observable event, and (ii) enable 11 but dis-able 13 after 21.23.20, and so on, as in the synthesis of E. Note that controlcalls for the disablement of the unobservable event 13, whereas in the syn-thesis of a closed normal language (cf. K, above) only observable events everneed to be disabled. Further details are provided in Exercise 2.

We check directly that E is not normal. Let

t = 21.23.11 ∈ E

s = Pt = 21.11 ∈ L(V)

so s = Ps = Pt ∈ PE and s ∈ L(V) ∩ P−1(P (E)). But s ∈ E, i.e.

E ⫋ L(V) ∩ P−1(P (E))

We can also check directly that COB is not normal, by exhibiting a stringterminating with an unobservable event that must be disabled. Let

s = 21.23.20.11.13

t = 21.23.20.11

Then

Ps = 21.20.11

Pt = 21.20.11

Now t ∈ COB and Ps = Pt, so Ps ∈ P (COB), and so

s ∈ P−1P (COB) ∩ L(V)

but s ∈ COB. Summarizing, we have

K ⫋ COB ⫋ E

Exercise 1: Complete the detailed verification that COB is (V, P )– observ-able. In addition show that COB is strongly (V, P )–observable.

6.6 367

Exercise 2: As in Example 6.3.4, apply the method of uncertainty sets tothe Guideway example of this section, in order to implement the controllableobservable language COB by use of the feasible supervisor UCOB.

Hint: With null(P ) = [13, 23] compute UCOB (Fig. 6.8) either directlyfrom the definition, or in this case as the projectionPCOB= project(COB,null[13,23]), selflooped with event 13 at states 1, 11, 16 and event 23 at2, 10, 13. To verify correctness let TEST = meet(V,UCOB), MTEST =minstate(TEST), MCOB = minstate(COB), and confirm

isomorph(MTEST,MCOB) = true

11

0

21

2

1 3 6 10 14 19

21

5

13 15

15 20 22

4 7 11 15 201222

9

16

23

10

20 11 25 10

21

12 21

8

2117

18

12

25

12

15

11

11

25

22

13

12

23

22

20

10

23

13

13

Fig. 6.8. UCOB

Exercise 3: Using TCT supscop, verify directly the solution K computedat step 9, above. Obtain supscop solutions for some unobservable eventsubsets other than 13, 23. For what maximal subsets does a (nontrivial)solution of this type exist? Confirm that for any such solution no unob-servable controllable event is ever disabled. For each of your solutions carryout the consistency check of Exercise 6.5.17. Finally, compute the reducedsupervisors using supreduce.

Exercise 4: As in Exercise 3, suppose the only observable events are 11, 12,21, 22. Explain why performance is degraded relative to the original casewhere the unobservable events were 13, 23.

368 CHAPTER 6

Exercise 5: As above, suppose 12, 22 are the only unobservable events.Explain why the result for supscop is empty. Is the optimal controlledbehavior subject to partial observation (but with no restriction to normality)empty?

Exercise 6: As above, suppose 11, 21 are the only unobservable events.Explain why the result for supscop is empty. But without the normalityrestriction there do exist nonempty controlled behaviors subject to partialobservation. Show that there are two such maximal behaviors - what arethey?

Exercise 7: Referring to Example 6.3.11 on relative observability, exploreGuideway using TCT supconrobs with various choices for unobservableevents. Compare your results with the corresponding (normality-based) re-sults using supscop. As you now know, the latter results prohibit thedisablement of unobservable controllable events, whereas the supconrobsresults impose no such restriction. In some applications, however, this re-striction could be considered a desirable safety feature. Illustrate with anexample.

6.7 Nondeterminism, Quasi-Congruences, and

the Observer Property

In this section we extend the definitions of nondeterministic dynamic sys-tem and quasi-congruence (Exercise 1.4.15), and nondeterministic generator(Section 2.5), to treat partial observation under a natural projection P . Thiswill provide a state-based characterization and computational test for theproperty that P is an Lm-observer (as defined in Exercise 6.5.10).

Consider initially the (deterministic) DES G = (Q,Σ, δ, q0, Qm). AssumeG is reachable and coreachable. Let µ /∈ Σ be a new event label, and bring ina new self-looped transition [q, µ, q] to ‘flag’ each q ∈ Qm (cf. Remark 3.3.16).We now replace G with

G′ = (Q,Σ′, δ′, q0, Qm)

where Σ′ := Σ ∪ µ, and δ′ is δ extended to Q× Σ′ as just described: thus

Qm = q ∈ Q|δ′(q, µ)!

6.7 369

Clearly G′ is reachable and coreachable. For the time being, to simplifynotation we drop primes, and employ the usual symbols G,Σ, δ to stand fortheir modifications G′,Σ′, δ′ as just described. We shall return to the originalG,Σ, δ after stating Theorem 11 below.

Next let Σo ⊆ Σ and P : Σ∗ → Σ∗o be the natural projection. Define

H = (Q,Σo, η, q0, Qm)

to be the nondeterministic generator with η : Q× Σ∗o → Pwr(Q) given by

η(q, so) = δ(q, s)|s ∈ Σ∗, δ(q, s)!, Ps = so

Of course, if not δ(q, s)! for every s with Ps = so then η(q, so) = ∅. Notethat, in general,

η(q, ϵ) = δ(q, s)|Ps = ϵ⫌ q

namely H generalizes the definition in Section 2.5. In H, η(q, ϵ) is the subsetof states ‘silently reachable’ from q in G. Evidently H is reachable, in thesense that

(∀q ∈ Q)(∃so ∈ Σ∗o)q ∈ η(q0, so)

For η we have the usual composition property, as follows.

Proposition 1For all q ∈ Q and so, to ∈ Σ∗

o,

η(q, soto) =∪

η(q′, to)|q′ ∈ η(q, so) (6.6)

ProofNote first that, P being catenative,

u ∈ Σ∗|Pu = soto = st|s, t ∈ Σ∗, Ps = so, P t = to

With the restriction to those s, t for which δ(., .)! understood, (6.6) is equiv-alent to

δ(q, st)|Ps = so, P t = to =∪

δ(q′, t)|Pt = to|q′ ∈ δ(q, s)|Ps = so

370 CHAPTER 6

For inclusion (⊆) let Ps = so, P t = to, q′ := δ(q, s). By the composition rule

for δ (Section 2.5),

δ(q, st) = δ(δ(q, s), t) = δ(q′, t)

For (⊇) let q′ ∈ δ(q, s′)|Ps′ = so, i.e. q′ = δ(q, s) for some s with Ps = so.Then if Pt = to,

δ(q′, t) = δ(δ(q, s), t) = δ(q, st)

For economy of notation it will be convenient to write (6.6) in the formof a composition rule

η(q, soto) = η(η(q, so), to)

thus extending the first argument of η(., .) to a subset of Q.

Let π ∈ E(Q) be an equivalence relation on Q, and Pπ : Q → Q/π =: Qthe corresponding canonical projection. If R ⊆ Q then as usual

Pπ(R) := Pπ(q)|q ∈ R ⊆ Q

In this case, to emphasize the domain we may write Pπ∗(R)(:= Pπ(R)), with

Pπ∗ : Pwr(Q) → Pwr(Q)

We say that π is a quasi-congruence for H (with respect to the naturalprojection P ) if, for all q, q′ ∈ Q,

Pπ(q) = Pπ(q′) ⇒ (∀α ∈ Σo)Pπη(q, α) = Pπη(q

′, α)

Thus

(∀α ∈ Σo) kerPπ ≤ kerPπ∗(η(., α))

so there exists a unique ‘induced’ map

η : Q× Σo → Pwr(Q)

such that the diagram below commutes:

6.7 371

Q× Σo

η - Pwr(Q)

Q× Σo

Pπ

?

id

? η - Pwr(Q)

Pπ∗

?

Trivially, ⊥ is a quasi-congruence for H; but in general ⊤ is not, by Propo-sition 2 below.

It is useful to extend the induced map η to Q× Σ∗o, by adjoining

η(q, ϵ) :=∪

Pπ(η(q′, ϵ))|Pπq

′ = q, q ∈ Q

Unfortunately the composition rule extends only partially. We have

η(η(q, ϵ), α) =∪x

η(x, α)|x ∈ η(q, ϵ)

=∪x

Pπη(x, α)|Pπx = x|x ∈ η(q, ϵ)

=

∪q′

∪x

Pπη(x, α)|x ∈ η(q′, ϵ)|Pπq

′ = q

=∪q′

Pπ

∪x

η(x, α)|x ∈ η(q′, ϵ)|Pπq′ = q

=

∪q′

Pπη(q′, ϵα)|Pπq′ = q

=∪q′

Pπη(q′, α)|Pπq′ = q

=∪q′

Pπη(q′, α)|Pπq

′ = q

= η(q, α)

In general, however,η(η(q, α), ϵ) ⫌ η(q, α)

372 CHAPTER 6

Clearly for so ∈ Σ+o we have by induction on |so|,

η(q, so) = Pπη(q, so)

for any q with Pπq = q. Thus we have the commutative diagram

Q× Σ+o

η - Pwr(Q)

Q× Σ+o

Pπ

?

id

? η - Pwr(Q)

Pπ∗

?

(6.7)

If to ∈ Σ+o , then by induction on |to|,

η(q, soto) = η(η(q, so), to)

Note, however, that in general, for Pπq = q,

Pπ∗η(q, ϵ) ⫋ η(q, ϵ)

With π a quasi-congruence for H, set q0 = Pπ(q0), Qm = PπQm, and let

H = (Q,Σo, η, q0, Qm)

We refer to H as the reduction of H (mod π).For α ∈ Σo, let Eα = q ∈ Q|η(q, α) = ∅ and πα = Eα, Q − Eα ∈

E(Q). Note that Eα is the subset of states q ∈ Q either at which G canexecute α (i.e. δ(q, α)!), or from which such a state is silently reachable:

Eα = q ∈ Q|(∃u ∈ Σ∗)Pu = ϵ & δ(q, uα)!Q− Eα = q ∈ Q|(∀u ∈ Σ∗)Pu = ϵ⇒ not δ(q, uα)!

Defineπo :=

∧πα|α ∈ Σo

Proposition 2

6.7 373

Let π be a quasi-congruence for H. Then π ≤ πo.

ProofLet Pπ(q) = Pπ(q

′) and q ∈ Q− Eα. Now

Pπ[η(q′, α)] = Pπ[η(q, α)] = Pπ(∅) = ∅

so η(q′, α) = ∅, i.e. q′ ∈ Q− Eα. Therefore

(∀α ∈ Σo)Pπ(q) = Pπ(q′) ⇒ q ≡ q′(mod πα)

namely π ≤ πo as claimed.

Proposition 3Let ψ, ω be quasi-congruences for H with respect to P . Then so is π :=

ψ ∨ ω.

ProofLet x, y ∈ Q with Pπ(x) = Pπ(y), and let α ∈ Σo. It must be shown that

Pπη(x, α) = Pπη(y, α)

For this let q0, q1, . . . , qn ∈ Q with q0 = x, qn = y, qi−1 ≡ qi(mod ψ or mod ω)(i = 1, . . . , n). Since ψ, ω are quasi-congruences, we have for each i

Pφη(qi−1, α) = Pφη(qi, α) (6.9)

where either φ = ψ or φ = ω as appropriate. Let a ∈ η(x, α); we claimthere is b ∈ η(y, α) with Pπ(b) = Pπ(a). By (6.9) there is c1 ∈ η(q1, α)with c1 ≡ a(mod φ), then c2 ∈ η(q2, α) with c2 ≡ c1(mod φ), and finallyb ∈ P (y, α) with b ≡ cn−1(mod φ). Thus b ≡ a(mod ψ∨ω), i.e. b ≡ a(mod π).This proves Pπη(x, α) ⊆ Pπη(y, α), and the reverse inclusion follows similarly.

Proposition 3 extends easily to arbitrary finite joins of quasi-congruences,hence

ρ := supπ ∈ E(Q)|π is a quasi-congruence for His the supremal (maximally coarse) quasi-congruence for H.

In computing ρ we use the following notation. If ξ ∈ E(Q) and α ∈ Σo,then ξ η(·, α) ∈ E(Q) is defined by

q ≡ q′(mod ξ η(·, α)) iff Pξη(q, α) = Pξη(q′, α)

374 CHAPTER 6

Proposition 4Let ρ0 = πo and for n ≥ 1,

ρn = ρn−1 ∧∧

ρn−1 η(·, α)|α ∈ Σo

Then ρ∞ := lim ρn(n→ ∞) exists in E(Q). If |Q| <∞, the limit is achievedin finitely many steps, and in that case ρ∞ = ρ.

ProofSince ρn ≤ ρn−1, and the lattice E(Q) is complete, the limit ρ∞ exists and

is given byρ∞ = infρn|n ⩾ 0

In case |Q| < ∞, so is E(Q), and the ρn sequence must converge finitely. Inthat case, clearly

ρ∞ ≤∧

ρ∞ η(·, α)|α ∈ Σo

Write P∞ : Q → Q/ρ∞. Then for all q, q′ ∈ Q, and all α ∈ Σo, P∞q = P∞q′

impliesP∞ η(q, α) = P∞η(q

′, α)

namely ρ∞ is a quasi-congruence for H. We claim that ρ∞ = ρ. In fact ifπ is any quasi-congruence for H then by Proposition 2 and induction on nthere results π ≤ ρn (n ≥ 1), so π ≤ ρ∞, namely ρ∞ is supremal.

The proposition shows that ρ can be determined effectively provided, asusual, |Q| <∞ and |Σ| <∞.

Let π be any quasi-congruence. By the commutative diagram (6.7),

(∀q, q′ ∈ Q)(∀so ∈ Σ+o )Pπ(q) = Pπ(q

′) ⇒ Pπη(q, so) = Pπη(q′, so) (6.10)

The following provides a useful explicit description of supremal quasi-congruence.First write Po for the (nonempty) cells of πo; thus Po partitionsQ. Now definethe binary relation ∼ on Q according to q1 ∼ q2 iff

(∀so ∈ Σ+o )(∀Co ∈ Po)η(q1, so) ∩ Co = ∅ ⇔ η(q2, so) ∩ Co = ∅ (6.11)

Thus q1 ∼ q2 iff every string in Σ+o leads both q1 and q2 (in H) into the same

block of cells defining enablement/disablement patterns of the events of Σo.

Proposition 5

6.7 375

The relation ∼ is a quasi-congruence for H.

ProofClearly ∼∈ E(Q). Let q1 ∼ q2 and α ∈ Σo. It must be shown that

η(q1, α) ∼ η(q2, α), namely for every x1 ∈ η(q1, α) there is x2 ∈ η(q2, α) withx1 ∼ x2 (and vice-versa, which will follow by symmetry). Supposing thecontrary, there are x1 ∈ η(q1, α), so ∈ Σ+

o and Co ∈ Po such that

η(x1, so) ∩ Co = ∅, (∀x2 ∈ η(q2, α))η(x2, so) ∩ Co = ∅

or vice-versa with indices 1, 2 interchanged. As η(x1, so) ⊆ η(q1, αso) itfollows that η(q1, αso) ∩ Co = ∅ whereas

η(q2, αso) ∩ Co =[∪

η(x2, so)|x2 ∈ η(q2, α)]∩ Co = ∅

in contradiction to q1 ∼ q2.

From this we obtain

Proposition 6Let π be any quasi-congruence for H. Then π ≤∼, namely ∼= ρ.

ProofLet q1, q2 ∈ Q with Pπq1 = Pπq2. We must verify (6.11). Let so ∈ Σ+

o .By (6.10) above,

Pπη(q1, so) = Pπη(q2, so)

Thus if q′1 ∈ η(q1, so) there is q′2 ∈ η(q2, so) with q′1 ≡ q′2(mod π) and soq′1 ≡ q′2(mod πo). Thus for all α ∈ Σo,

q′1 ≡ q′2(mod Eα, Q− Eα)

In particular q′1 ∈ Eα implies q′2 ∈ Eα, so

η(q1, so) ∩ Eα = ∅ ⇒ η(q2, so) ∩ Eα = ∅

Similarly for all β ∈ Σo, q′1 ∈ Q− Eβ implies q′2 ∈ Q− Eβ, namely

η(q1, so) ∩ (Q− Eβ) = ∅ ⇒ η(q2, so) ∩ (Q− Eβ) = ∅

and (6.11) (with ⇒) follows. The reverse implication is true by symmetry;thus π = kerPπ ≤∼.

376 CHAPTER 6

We next discuss nondeterminism. While H is formally nondeterministicby definition of η, we can nevertheless distinguish as follows between ‘ac-tual’ nondeterminism and determinism. We shall say that H is structurallydeterministic if, for all q ∈ Q and so ∈ Σ∗

o, we have

η(q, so) = ∅ ⇒ |η(q, so)| = 1

namely so leads from q to at most one state q′. Otherwise, H is structurallynondeterministic. Of principal relevance is the application to the reductionof H (mod ρ).

Let ρ ∈ E(Q) be the supremal quasi-congruence for H, as above, and Hthe reduction of H (mod ρ). One can think of H as the canonical form of Hwith respect to quasi-congruence. Since ρ is supremal (maximally coarse),and ρ =∼, no coarser reduction is possible for which (6.11) is valid.

Proposition 7Let H be structurally deterministic. Then for every so ∈ Σ∗

o there is acell Co of πo such that η(q0, so) ⊆ Co.

ProofAssume η(q0, so) = ∅, so that |η(q0, so)| = 1. If so = ϵ it follows from

η(q0, ϵ) =∪

Pρ(η(q′0, ϵ))|Pρq

′0 = q0

thatPρ(η(q0, ϵ)) = q0

In case so ∈ Σ+o then

η(q0, so) = Pρη(q0, so) = q1

say, so in either caseη(q0, so) ⊆ C

for some cell C of ρ. Since ρ ≤ πo, we have C ⊆ Co for some cell Co of πo, asclaimed.

Remark 8: The proposition holds for the reduction of H with respect toany quasi-congruence π for H.

Proposition 9

6.7 377

Assume H is structurally deterministic and let so, to ∈ Σ∗o. If q ∈ η(q0, so)

and η(q, to) = ∅, then η(q′, to) = ∅ for every q′ ∈ η(q0, so).

ProofIf to = ϵ, η(q′, to) ⊇ q′. Suppose to ∈ Σ+

o . By Proposition 7, η(q0, so) ⊆Co for some cell Co of πo, namely q′ ≡ q(mod πo). First assume to = α ∈ Σo.Since η(q, α) = ∅ we have q ∈ Eα, hence q

′ ∈ Eα, so η(q′, α) = ∅. The

general result follows easily by induction on |to|.

For the converse to Proposition 7, the restriction to ρ is essential.

Proposition 10If H is structurally nondeterministic, there are a string so ∈ Σ∗

o anddistinct cells C1, C2 of πo such that

η(q0, so) ∩ C1 = ∅ and η(q0, so) ∩ C2 = ∅

ProofBy hypothesis there are q ∈ Q and vo ∈ Σ∗

o such that |η(q, vo)| ≥ 2.First assume vo = ϵ, |η(q, ϵ)| ≥ 2, where q = Pρ q. There are q′ = q with

Pρ q′ = Pρ q, and also x′ ∈ η(q′, ϵ) with Pρx

′ = x′ = q, namely x′ ≡ q(mod ρ).Since ρ =∼ (by Proposition 6) we have that (6.11) fails for the pair x′, q;namely for some wo ∈ Σ+

o and some cell Co ∈ Po, either

η(q, wo) ∩ Co = ∅, η(x′, wo) ∩ Co = ∅ (6.12)

or (6.12) holds with q, x′ interchanged. Assuming (6.12) as displayed, supposefirst that η(x′, wo) = ∅. There is then C ′

o ∈ Po, C′o = Co, such that η(x′, wo)∩

C ′o = ∅. Since

η(q′, wo) = η(η(q′, ϵ), wo) ⊇ η(x′, wo)

there follows η(q′, wo)∩C ′o = ∅. As q′ ≡ q(mod ρ) and η(q, wo)∩Co = ∅ we

also have q′ ∼ q and soη(q′, wo) ∩ Co = ∅

By reachability of H there is uo ∈ Σ∗o such that q′ ∈ η(q0, uo). Setting

so = uovowo = uowo we obtain

η(q0, so) ∩ Co = η(η(q0, uo), wo) ∩ Co

⊇ η(q′, wo) ∩ Co

= ∅

378 CHAPTER 6

and similarly η(q0, so) ∩ C ′o = ∅, as required.

Now suppose that in (6.12), η(x′, wo) = ∅, and let w′o < wo be the

maximal prefix of wo such that η(x′, w′o) = ∅. Then for some α ∈ Σo

we have w′oα ≤ wo, so η(x′, w′

oα) = ∅, namely η(x′, w′o) ∩ Eα = ∅, or

η(x′, w′o) ⊆ Q− Eα. Clearly η(q

′, wo) = ∅ implies η(q′, w′o) ∩ Eα = ∅, hence

there are distinct Co, C′o in Po such that

η(q′, w′o) ∩ Co = ∅, η(x′, w′

o) ∩ C ′o = ∅

With w′o in place of wo, the argument is completed as before.

If (6.12) holds with q, x′ interchanged, we have

η(q, wo) ∩ Co = ∅, η(x′, wo) ∩ Co = ∅

Suppose η(q, wo) = ∅. There is C ′o = Co such that η(q, wo) ∩ C ′

o = ∅. Sinceq′ ∼ q we have η(q′, wo) ∩C ′

o = ∅ as well, and the argument is completed asabove. If η(q, wo) = ∅ we proceed using suitable w′

o < wo just as before.It remains to treat the case vo ∈ Σ+

o . Again let q1, q2 ∈ η(q, vo) withq1 = q2. If q = Pρ(q) then, as vo ∈ Σ+

o ,

Pρ(η(q, vo)) ⊇ q1, q2 = Pρq1, Pρq2

for some q1, q2 ∈ η(q, vo). We claim that there exist a string wo ∈ Σ∗o and an

element β ∈ Σo such that

η(q1, wo) ∩ Eβ = ∅ and η(q2, wo) ∩ Eβ = ∅

or vice-versa, with indices 1, 2 interchanged. Otherwise, q1 ∼ q2 and, byProposition 6, Pρq1 = Pρq2 or q1 = q2, a contradiction.

We may assume η(q2, wo) = ∅. Otherwise, for some prefix w′o < wo and

element β′ ∈ Σo with w′oβ

′ ≤ wo, we would have η(q2, w′o) = ∅ together with

η(q1, w′o) ∩ Eβ′ = ∅, η(q2, w′

o) ⊆ Q− Eβ′

and we could replace wo with w′o.

Letq′1 ∈ η(q1, wo) ∩ Eβ and q′2 ∈ η(q2, wo) ⊆ Q− Eβ

Clearly q′1, q′2 belong to distinct cells C1, C2 of πo. By reachability of H, there

is uo ∈ Σ∗o with q ∈ η(q0, uo). Set so = uovowo. Then q

′i ∈ η(q0, so) (i = 1, 2),

namelyη(q0, so) ∩ C1 = ∅ and η(q0, so) ∩ C2 = ∅

6.7 379

and the proof is complete.

We can now identify the property (of P ) that H is structurally determin-istic with the property that P is an Lm(G)-observer. Recall that the lattermeans

(∀s ∈ Σ∗, to ∈ Σ∗o)s ∈ L(G) & (Ps)to ∈ PLm(G)

⇒ (∃t ∈ Σ∗)Pt = to & st ∈ Lm(G)

As already assumed, G is trim (reachable and coreachable) and we nowrequire that the flag event µ ∈ Σo. Recall that q ∈ Eµ iff

(∃v ∈ Σ∗)Pv = ϵ & δ(q, vµ)!

Thus q ∈ Eµ iff there is q′ silently reachable from q where δ(q′, µ)!, namelyq′ ∈ Qm.

Let s ∈ L(G), so := Ps. Suppose to ∈ Σ∗o with soto ∈ PLm(G), so

soto = Pu for some u ∈ Lm(G). Thus

η(q0, soto) = δ(q0, u′)|Pu′ = soto

satisfies η(q0, soto) ∩Qm = ∅. Since Qm ⊆ Eµ, there follows

η(q0, soto) ∩ Eµ = ∅

Now suppose H is structurally deterministic. By Proposition 7 we musthave

η(q0, soto) = η(η(q0, so), to) ⊆ Eµ

Since q := δ(q0, s) ∈ η(q0, so) there results η(q, to) ⊆ Eµ. By Proposition 9,η(q, to) = ∅, hence there exists t′ with Pt′ = to such that q1 := δ(q, t′) ∈ Eµ.As noted previously, there exists v ∈ Σ∗ with Pv = ϵ and δ(q1, v) ∈ Qm. Onsetting t = t′v we have Pt = Pt′ = to as well as

δ(q0, st) = δ(δ(q0, s), t) = δ(q, t′v)

= δ(δ(q, t′), v) = δ(q1, v)

∈ Qm

namely st ∈ Lm(G), confirming the observer property for P .

380 CHAPTER 6

Suppose on the other hand that H is structurally nondeterministic. ByProposition 10 there are a string uo ∈ Σ∗

o and distinct cells C1, C2 of πo suchthat

η(q0, uo) ∩ C1 = ∅ and η(q0, uo) ∩ C2 = ∅

hence strings ui ∈ Σ∗ (i = 1, 2) with Pui = uo such that

q1 := δ(q0, u1) ∈ C1 and q2 := δ(q0, u2) ∈ C2

Since C1 = C2 there is α ∈ Σo with C1 ⊆ Eα, C2 ⊆ Q− Eα, so

η(q1, α) = ∅, η(q2, α) = ∅

Thus for some v1 with Pv1 = ϵ, q′1 := δ(q1, v1)! and δ(q′1, α)!, while for all v2

with Pv2 = ϵ, q′2 := δ(q2, v2)! implies not δ(q′2, α)!. Since G is coreachable,there exists w1 with δ(q′1, αw1) ∈ Qm, namely δ(q0, u1v1αw1) ∈ Qm, henceu1v1αw1 ∈ Lm(G), so uoα(Pw1) ∈ PLm(G). On the other hand for everystring w2 ∈ Σ∗ with δ(q2, v2w2)! the equality P (v2w2) = αP (w1) must fail,thus P is not an Lm(G)-observer.

We have now proved the main result of this section.

Theorem 11Let G = (Q,Σ, δ, q0, Qm) be reachable and coreachable, Σo ⊆ Σ, and

P : Σ∗ → Σ∗o the natural projection. AssumeQm is flagged by an (observable)

event µ ∈ Σo. LetH be defined fromG as in the text, and H be the canonicalform of H with respect to quasi-congruence. Then P is an Lm(G)-observerif and only if H is structurally deterministic.

At this point we recall that the DES G originally given can be recoveredfrom the current ‘working’ version by replacing Σ with Σ − µ, Σo withΣo − µ, and dropping the µ-selfloops from δ. As no change was made inQm, it is not difficult to see that the validity of Theorem 11 is not affected,namely also provides a criterion for the Lm(G)-observer property of P , nowwith the original G and P : Σ∗ → Σ∗

o.

Exercise 12: Justify the above remark in detail.

6.7 381

Example 13

H

µ

µ

α

α

α

α

0

1

2

3

4

5

Fig. 6.9

In Fig. 6.9, unlabeled transitions are ‘silent’, namely correspond to stringss ∈ Σ∗ with Ps = ϵ. With Σo = α, µ we have

Eα = 0, 1, 2, 3, 4, Q− Eα = 5Eµ = 3, 5, Q− Eµ = 0, 1, 2, 4πo = Eα, Q− Eα ∧ Eµ, Q− Eµ

= 0, 1, 2, 4, 3, 5= A,B,C, say

q η(q, α) η(q, µ) Pρ0(η(q, α)) Pρ0(η(q, µ))

0 3,5 ∅ B,C ∅1 3 ∅ B ∅2 3,5 ∅ B,C ∅3 5 3 C B4 5 ∅ C ∅5 ∅ 5 ∅ C

382 CHAPTER 6

Setting ρ0 = πo, we compute as shown in the table. Then

ρ1 = πo ∧ πo η(·, α) ∧ πo η(·, µ)= 0, 1, 2, 4, 3, 5

∧ 0, 2, 1, 3, 4, 5∧ 0, 1, 2, 4, 3, 5

= 0, 2, 1, 3, 4, 5= A,B,C,D,E, say

Repeating the process with ρ1 we obtain

q η(q, α) η(q, µ) Pρ1(η(q, α)) Pρ1(η(q, µ))

0 3,5 ∅ C,E ∅1 3 ∅ C ∅2 3,5 ∅ C,E ∅3 5 3 E C4 5 ∅ E ∅5 ∅ 5 ∅ E

ρ2 = ρ1 ∧ ρ1 η(·, α) ∧ ρ1 η(·, µ)= 0, 2, 1, 3, 4, 5

∧ 0, 2, 1, 3, 4, 5∧ 0, 1, 2, 4, 3, 5

= 0, 2, 1, 3, 4, 5= ρ1

Thus the computation terminates, to yield ρ = ρ1. Using the same celllabels as for ρ1 we obtain the transition structure of H displayed below.7 For

7For clarity only direct transitions under ϵ or α ∈ Σo are displayed in transition graphs.Thus in the graph for H the compositional transition A → E under α corresponding to0 → 5 under ϵ.ϵ.α in H (and which appears in the table) is omitted, as it can be derived

from Aϵ→D,D

α→E by composition.

6.7 383

instance

η(A, ϵ) = Pρ(η(0, ϵ)) ∪ Pρ(η(2, ϵ))

= Pρ(0, 1, 2, 4) ∪ Pρ(2, 4)= A,B,D

η(A,α) = Pρ(η(0, α)) ∪ Pρ(η(2, α))

= Pρ(3, 5) ∪ Pρ(3, 5)= C,E

q η(q, ϵ) η(q, α) η(q, µ)

A A,B,D C,E ∅B B C ∅C C E CD D E ∅E E ∅ E

µ

α

H

µ

A

B

C

D

α

E

α

α

Evidently H is structurally nondeterministic, and P fails to be an Lm(G)-observer for any G with H as first displayed.

Example 14In Fig. 6.10, unlabeled transitions of H are ‘silent’. Furthermore, H is

structurally deterministic, and P is an Lm(G)-observer for any G with H asdisplayed.

Example 15In Fig. 6.11, unlabeled transitions are ‘silent’. H is structurally non-

deterministic, and P fails to be an Lm(G)-observer for any G with H asdisplayed.

384 CHAPTER 6

µ

α β

µ

µ

βα

H

H

Fig. 6.10

α

β

α µ

µ

µ

α

µ

α

αβ

α

H H

Fig. 6.11

Exercise 16: Work out the details for Examples 14 and 15. In particularcalculate πo and ρ, and confirm that H is the canonical reduction of H. InExample 15, verify directly from the definition that P is not an Lm(G)-observer.

6.7 385

Exercise 17: Complete the inductive proof of Proposition 9.

Exercise 18: Show that if H is structurally deterministic, then it is a canon-ical (state-minimal) generator for PLm(G). Hint: First verify that H rep-resents PLm(G), so the required generator can be obtained from a suitablecongruence, say ν, on the state set Q (cf. Proposition 2.5.5). If Pν : Q→ Q/νshow that Pν Pρ determines a quasi-congruence on Q that is coarser thanρ unless ν = ⊥.

Exercise 19: Construct an example of H where H, the canonical form of Hwith respect to quasi-congruence, is nondeterministic in the sense of havingboth silent transitions and transitions [q, α, q′], [q, α, q′′] with α ∈ Σo andq′ = q′′.

Exercise 20: Strong quasi-congruenceSay that φ ∈ E(Q) is a strong quasi-congruence (sqc) for H (with respect

to the natural projection P : Σ∗ → Σ∗o) if, for all q, q

′ ∈ Q,

Pφ(q) = Pφ(q′) ⇒

(Pφη(q, ϵ) = Pφη(q

′, ϵ))&((∀α ∈ Σo)Pφη(q, α) = Pφη(q

′, α))

Thus every sqc is a quasi-congruence which, in addition, preserves state-equivalence under silent drift. Evidently an sqc φ will satisfy the strength-ened version of the commutative diagram (6.7) obtained by replacing Σ+

o byΣ∗

o:

Q× Σ∗o

η - Pwr(Q)

Q× Σ∗o

Pφ

?

id

?η - Pwr(Q)

Pφ∗

?

In this diagram Q = Q/φ and η is the map induced by η in the usualway. Show that every sqc φ satisfies φ ≤ πo and that the supremal sqc, sayψ, always exists and satisfies ψ ≤ ρ. Compute the corresponding reductionsH for Examples 13-15. Show that if H is structurally deterministic then ρ isan sqc. Finally show that H is structurally deterministic iff H is.

386 CHAPTER 6

Canonical (i.e. supremal) quasi-congruence and canonical strong quasi-congruence are computed in TCT by procedures supqc and supsqc respec-tively, according to

H = supqc(G,null(P )/image(P ))

or

H = supsqc(G,null(P )/image(P ))

Here G refers to the standard DES originally given. A silent transition inH is reported with label e. Just as in transition graphs, the TCT transitiontable for H displays direct transitions under ϵ (or e) and α ∈ Σo, but notcompositions. Finally, TCT drops µ-selfloops from H, simply listing thecorresponding states as marked.

As the most common application of the supqc algorithm is to check thata given natural projection is a natural observer, we note here that the priorcomputation of a natural observer itself can be a significant undertaking.Typically an observer is required whose image event set must contain a spec-ified subset, perhaps the subset of events shared by two DES (cf. Exercise6.1.24) or the subset of controllable events listed in a given condat table (asin Section 6.8 below). We refer to such a listed subset as a Seedlist, used to‘seed’ the observer computation. In TCT a corresponding full event list canbe computed using the procedure natobs, according to

(OG,OSEED) = natobs(G,SEED)

Here G is the DES for which a natural observer is required, while SEED andOSEED respectively represent the given Seedlist and the required naturalobserver image list in ‘allevents’ form (a single state, marked, with all eventsself-looped). The corresponding projection OG is, of course, deterministicprovided the result of natobs is correct. On that assumption, the ordinaryproject procedure could be used instead. Finally we note that, theoretically,the natural observer for given G and Seedlist need not be unique, and (forpractical computation) the result of natobs need not be of minimal eventsize; but within these limitations natobs is often of practical utility.

Exercise 21: For G as shown below, find the canonical forms with respectto quasi-congruence and strong quasi-congruence. Explain the differencebetween them.

6.8 387

2

G

0 1

2

3; 43

10 10 20

4

0

1 2

3

4 5 6

7

null(P ) = [10; 20]

Exercise 22: Complexity of supqc algorithmShow that the algorithm of Proposition 4 can be executed in polynomial

time, of order O(|Σ| · |Q|4).

Exercise 23: By examining the discussion leading to Theorem 11, confirmthat the ‘if’ statement can be proved without the assumption that G iscoreachable, namely it remains valid even when G is blocking. Also the‘only if’ statement is valid if the condition that G is nonblocking is replacedby the slightly weaker condition that Lm(G) is (L(G), P )-normal.

6.8 Efficient Coordination in Decentralized

Control

In this section we introduce a construction to obtain an efficient coordina-tor for nonblocking in decentralized control. We also propose two practical

388 CHAPTER 6

measures of DES complexity by which the complexity reduction achieved bya given decentralized control architecture can be realistically estimated.

First, consider an arbitrary blocking DES G. Let K be the (trim) coor-dinator given by

K := supcon(G,ALL)

where ALL = allevents(G). We assume that K is nonempty.Now Lm(K) = supC(Lm(G)), and Lm(K) = L(K). We wish to replaceK

by a smaller coordinator having the same (optimal) control action, based ona natural observer PK, where P : Σ∗ → Σ∗

o. We assume that Σo contains allthe controllable events that are disabled in the synthesis (see condat table)of K. Such Σo can be obtained using the TCT procedure natobs appliedto G, seeded with these controllable events. Since any controllable eventsnot disabled in the synthesis of K could be declared uncontrollable at theoutset (as far as concerns the supcon operation above), we may assume thatΣo ⊇ Σc. The property of P we shall require eventually is that P normalizeK, namely

K = Lm(G) ∩ P−1(PK)

and

K = L(G) ∩ P−1(PK)

To this end, an auxiliary condition we now bring in is that (K,P ) beexit-control-consistent (e.c.c.). Namely

(∀s ∈ K)(∀σ ∈ Σc)sσ ∈ L & [(∃s′ ∈ L)Ps′ = Ps & s′σ ∈ K] ⇒ sσ ∈ K

Equivalently,

(∀s ∈ K)(∀σ ∈ Σc)sσ ∈ L− K ⇒ [(∀s′ ∈ L)Ps′ = Ps⇒ s′σ /∈ K]

Thus if, for synthesis of K, the controllable event σ is disabled following s(to prevent ‘exit’ from K) then σ must (‘consistently’) be disabled followingall look-alike s′ ∈ K that satisfy s′σ ∈ L. Under this condition we shall showthat if P is a natural observer for L, then its restriction to K is also a naturalobserver.

6.8 389

If the e.c.c. property fails for (K, P ) then we should add suitably chosenP -unobservable events to image(P ) to obtain a new observer P that providesa richer information base.

Proposition 1As above, assume Σc ⊆ Σo, K is controllable and (K, P ) satisfies e.c.c.

Suppose P is an L-observer. Then P is a K-observer, namely

(∀t ∈ K)(∀w ∈ Σ∗o)(Pt)w ∈ PK ⇒ (∃x ∈ Σ∗)tx ∈ K & Px = w

ProofLet t ∈ K, w ∈ Σ∗

o, (Pt)w ∈ PK. Since t ∈ L, PK ⊆ PL, and P is anL-observer, there is a string x ∈ Σ∗ such that tx ∈ L and Px = w. We needto show that tx ∈ K.

Case (i): w ∈ PΣ∗u

We have x ∈ Σ∗u (otherwise, as Σc ⊆ Σo, Px /∈ PΣ∗

u). By controllabilityof K, t ∈ K and tx ∈ L imply tx ∈ K, as required.

Case (ii): w has a prefix vσ with v ∈ PΣ∗u and σ ∈ Σc

Then x has a prefix yσ such that y ∈ Σ∗u and Py = v. Write ty =: s ∈ K.

Then s ∈ L, and Ps = P (ty) = (Pt)v, so (Ps)σ ≤ (Pt)w, namely (Ps)σ ∈PK. Therefore there is s′ ∈ K with Ps′ = Ps and s′σ ∈ K. By e.c.c.,sσ ∈ K, i.e. tyσ ∈ K, as required.

Case (iii): If in case (ii) yσ < x then repeat the arguments for Cases (i) or(ii) with t replaced by tnew := tyσ, continuing until tnew ∈ K and Ptnew = w.

We now proceed to the main result of this section.

Proposition 2Under the same assumptions as for Proposition 1, P normalizes K.

ProofWe first show that K = L(G) ∩ P−1(PK). It suffices to show (⊇). For

this let s ∈ L(G) and P (s) ∈ P (K). We must show s ∈ K. If not, chooset < s to be the longest prefix of s such that t ∈ K. Let tσ ≤ s. Sinces ∈ L(G), tσ /∈ K, and K is controllable, we have σ ∈ Σc, hence P (σ) = σ.By Proposition 1, P is a natural observer for K. Since Pt ≤ Ps ∈ PK, thereis wo ∈ (Σ− Σo)

∗ (hence wo ∈ (Σ − Σo)∗ ∩ Σ∗

u) such that (Pt)wo = Ps. By

390 CHAPTER 6

the (K, P )-observer property, there exists w ∈ Σ∗ such that Pw = wo andtw ∈ K. Since P (σ) = σ, wo = σw′

o for some w′o. Hence there is x ≤ w

with xσ ≤ w and Px = ϵ, so x ∈ (Σ − Σo)∗ ⊆ Σ∗

u. As tw ∈ K impliestxσ ∈ K, while tσ /∈ K, we have that (K,P ) fails to be e.c.c, contradictingthe hypothesis; so s ∈ K after all.

It remains to show that K = Lm(G) ∩ P−1(PK). By Exercise 3.7.18, Kis Lm(G)-closed, namely K = Lm(G) ∩ K. Thus

Lm(G) ∩ P−1(PK) ⊆ Lm(G) ∩ L(G) ∩ P−1(PK)

= Lm(G) ∩ K= K

as claimed.

The proposition implies that K is represented by the DES K computedby supscop with E = ALL.

To show how the foregoing result yields an efficient coordinator we revisitthe example Transfer Line of Section 4.6, with particular reference to Exer-cise 4.6.2 and the monolithic controller SUPER(28,65), along with the re-duced decentralized controllers for the buffers B1, B2, say SIMSUP1(7,30)and SIMSUP2(2,3) respectively. In TCT notation these provide the mod-ular supervisor (having minimal state size)

MODSUPER = sync(SIMSUP1,SIMSUP2,TL) (36,85)

However, the result

nonconflict(MODSUPER,ALLTL) = false

indicates that the two decentralized controllers SIMSUP1, SIMSUP2 jointlyconflict with the plant TL, and therefore a coordinator is required to achievenonblocking. For this we let MODSUPER play the role of G in Propo-sition 2 above. First compute the global supervisor, say MODCOORD(denoted above by K) that renders MODSUPER nonblocking:

MODCOORD = supcon(MODSUPER,ALLTL) (28,65)

While MODCOORD is in fact identical with SUPER, its role as coordina-tor is much more limited, which allows it to be reduced as follows. From thecondat table for MODCOORD we note that only event 1 is ever disabled;we thus use this event to initialize the computation of the required natural

6.8 391

observer applied to our blocking modular supervisor MODSUPER:

SEED = allevents(MODCOORD.DAT) (1, 1)

(OMODSUPER,OSEED) = natobs(MODSUPER,SEED)

((9, 18); (1, 4))

Here the extended image set represented by OSEED is 1, 5, 6, 8. That theresulting natural projection P is indeed an observer for MODSUPER isverified by computation of the supremal quasi-congruence

QCMODSUPER = supqc(MODSUPER,OSEED, QC[omitted])(9,18)

and confirming by inspection that it is deterministic. To achieve the finalreduced coordinator one can work at the abstracted (i.e. projected) level andachieve nonblocking in the usual way:

COORD = supcon(OMODSUPER,ALLOMODSUPER) (7,14)COORD = condat(OMODSUPER,COORD) Controllable.

Now reduce to obtain

SIMCOORD = supreduce(OMODSUPER,COORD,COORD)(4,9;slb=-1)

It remains to verify that the final result is correct, namely by the sequence

TEST = sync(TL,SIMSUP1,SIMSUP2,SIMCOORD) (28,65)Blocked events = None

isomorph(SUPER,TEST;identity) = true

We observe that the ‘optimality’ of P could also be confirmed by the sequence

SCOP = supscop(MODSUPER,ALLTL,image[1,5,6,8]) (28,65)isomorph(SUPER,SCOP;identity) = true

Note that the e.c.c. property needed for Propositions 1 and 2 was neveractually confirmed, it being sufficient to verify the final result itself. In factthis example is small enough to confirm e.c.c. from the transition graph ofMODSUPER by inspection. Finally, we see that our result SIMCOORDis just as ‘efficient’ (having state size 4) as the result for LOOPSPEC inExercise 4.6.2. By contrast, the latter result depended on understanding themechanism of blocking, while the former (our new result) was secured by astraightforward algorithmic procedure.

Exercise 3: Computational verification of exit-control-consistency

392 CHAPTER 6

In the notation of the text, show that K satisfies the e.c.c. condition ifand only if

L ∩ P−1P (K ∩ KΣc) ⊆ K

Use this formula and TCT to check e.c.c. for Transfer Line, with L =Lm(MODSUPER) and K = Lm(MODCOORD) as defined in the text.Suppose in some instance e.c.c. failed. Explore how it might be made to suc-ceed by relabeling certain controllable events. What might be the practicalimplications of such relabeling?

Before presenting further examples of efficient coordination, we brieflydiscuss DES complexity as a basis for comparing the efficiencies of differentarchitectures. The ‘complexity’ of a DES G can be defined as the number ofbits required to specify it. Consider the family of all DES having state set Qof size |Q| = n and alphabet Σ of size |Σ| = k. Then there are

|Q(Q×Σ)| = |Q||Q×Σ| = |Q||Q|·|Σ| = nkn

possible transition functions, and for each of these 2|Q| = 2n possible markersubsets, so the family contains nkn · 2n possible DES (fixing the initial stateand disregarding state recodings). If each is considered equally likely, thenthe average complexity is log2(n

kn · 2n) bits or

C(n, k) := ln(nkn · 2n)/ ln(2) = n(1 + k · ln(n)/ ln(2)) bits

Instead of C(n, k), however, we shall employ the simple approximation Z(DES)= state size = n in individual cases. A realistic alternative to Z could be theactual DES file size (not size on disk), say S(DES), reported by the computerin use.

With complexity indices Z and S we can compare monolithic supervi-sor complexity with complexity of the decentralized architecture includingcoordinator. For the decentralized case a first choice might be the sum ofcomponent complexities; but the disadvantage of a sum rule is that it couldproduce the same result for 3 small decentralized components (say) as for 2larger components. Intuitively the former architecture is preferable to thelatter, hence should be assigned a more favorable figure. We therefore adoptnot the sum but the maximum of the figures for the components. Thus theactual number of components is considered less important than the greatestamong their complexities. Applying this rule to Transfer Line we obtain

6.8 393

SUPER (28,65), Z = 28, S = 1490BModular supervisors:SIMSUP1 (7,30), Z = 7, S = 720BSIMSUP2 (2,3), Z = 2, S = 238BSIMCOORD (4,9), Z = 4, S = 354BComplexity reduction by state size (Z) = ZR = 28/7 = 4.0Complexity reduction by file size (S) = SR = 1490/720 = 2.1

A similar approach to efficient coordination can be taken to the AGVsystem of Section 4.7, using as initial decentralized controllers the reducedsupervisors Z1SIM,...,Z4SIM for the four shared track zones, the reducedsupervisors WS1SIM, WS2SIM, WS3SIM for the workstations, and thereduced supervisor IPSSIM for the input parts station. First we computethe (blocking) modular behavior

MODSUPER = sync(AGV,Z1SIM,Z2SIM,Z3SIM,Z4SIM,WS1SIM,WS2SIM,WS3SIM,IPSSIM) (4424,11368)

followed by

MODCOORD = supcon(MODSUPER,ALL) (4406,11338)

From the condat file for MODCOORD we note that only events 11,21 areever disabled, and therefore use these to obtain from natobs the extendedevent set; in this case the result is again the list [11,21], for the image of therequired natural observer P . As before we confirm that the result of sup-scop using image[11,21] is the monolithic supervisor SUPER as expected.Finally we compute

COORD = supcon(OMODSUPER,ALLOMODSUPER) (7,12)

for which no further reduction is possible. COORD agrees in state size (7)with the global coordinator CFSIM (7,78) computed by the more compli-cated approach (demanding specific insight) of Section 4.7. For complexityreduction we obtain the following.

SUPER (4406,11338), Z = 4406, S = 362.kBModular supervisors:Z1SIM,...,Z4SIM (2,8), Z = 2, S = 318BWS1SIM (4,10), Z = 4, S = 370BWS2SIM, WS3SIM, IPSSIM (2,4), Z = 2, S = 254BCOORD (7,12), Z = 7, S = 432BComplexity reduction by state size (Z) = ZR = 4406/7 = 629

394 CHAPTER 6

Complexity reduction by file size (S) = SR = 362/0.432 = 838

For a third example we revisit the ‘manufacturing cell with interactingloops’ of Exercise 4.9.7. Leaving details to the reader, we merely recall that 4coordinators COORDij must be designed for the conflicting supervisor pairsSIMSUPi, SIMSUPj corresponding to the buffer specifications for BUFi,BUFj respectively ((i, j) = (1, 3), (1, 4), (2, 3), (2, 4)). Results for complexityreduction are the following.

SUPER (225,472), Z = 225, S = 9972BModular supervisors:SIMSUP1,...,SIMSUP4 (2,2), Z = 2, S = 222BCOORD13, COORD24 (4,6), Z = 4, S = 306BCOORD14, COORD23 (4,12), Z = 4, S = 402BComplexity reduction by state size (Z) = ZR = 225/4 = 56.2Complexity reduction by file size (S) = SR = 9972/402 = 24.8

We conclude from the foregoing results that crude complexity measuresof DES can be defined in such a way that the corresponding complexityreduction achieved by decentralized as compared to monolithic supervisioncan be meaningfully estimated, roughly to within an order of magnitude. Ineach of the above examples reduction depended on the ‘efficient’ coordinatordesign based on Proposition 1.

Exercise 4: Confirm the details for the example of Exercise 4.9.7.

Exercise 5: Naive coordinationA one-step design of a coordinator for nonblocking could be simply to

apply supreduce to the intermediate supervisor denoted above by MOD-COORD. Test this approach for the three examples in this section andcompare the results for complexity reduction.

Exercise 6: Instead of the ‘average’ complexity estimate C(n, k) one mightbase an estimate on the specific triple (n,m, k) where m = #transitions.Assuming the marker state subset is ‘small’ (as is true in most cases) weconsider only encoding the list of m transitions [q, σ, q′] where q, q′ ∈ Q andσ ∈ Σ. A possible measure of DES complexity is thus

T (n,m, k) = m(log2(kn2)) = m ln(kn2))/ ln(2) bits

6.9 395

Compute both C and T for each DES in the three examples of this sec-tion and appraise the usefulness of these measures in estimating complexityreduction.

6.9 Notes and References

This chapter is based largely on the doctoral thesis of F. Lin [T08] and relatedpublications [J09,J16,C16,C32]. The result in Exercise 6.2.3 is due to K.-C.Wong [T28, Appendix B]. Example 6.3.12 on distributed control by commu-nication is adapted from the thesis (Mannani 2009, Section 3.6), althoughour approach here is different. Further information related to problems ofthe type of SCOP can be found in Cho & Marcus (1989) and Takai & Ushio(2003).

The definition and results in Sections 6.2, 6.3 on relative observability aredue to K. Cai [C130,C131,C133,C136,J68,J73].

Exercise 6.5.15 is adapted from Cao et al. (1997).The definition of ‘quasi-congruence’ in Exercise 1.4.15 and Section 6.7

was introduced in [J41] as a generalization to nondeterminism of the observercongruence for deterministic systems discussed in Wonham [1976]. Applica-tion to the computation of ‘natural observers’ is provided in [C113,J60]. Asshown in [J41], reduction by quasi-congruence is closely related to the notionsof bisimulation and observational equivalence due to Milner [1989]; see alsoArnold [1994]. We prefer the ‘congruence’ terminology as closer to standardalgebra.

For Exercise 6.7.19 see e.g. Fig. 17 of [J60].

396 CHAPTER 6

Chapter 7

State-Based Control ofDiscrete-Event Systems

In certain contexts it is convenient to employ directly a state-space modelcombined with a simple logic formalism, in preference to the linguistic basisadopted so far. To retain flexibility, we indicate how the two approaches areconceptually dual. This chapter provides the background for vector discrete-event systems, and state-tree structures, to be introduced later. Two illus-trations of discrete state models are adapted from the literature on industrialprocess control.

7.1 Introduction

In previous chapters our approach to modeling the DES control problemhas started from two underlying languages, respectively generated by theplant and accepted by the specification. The system state descriptions werebrought in as vehicles for representation and computation rather than as es-sential to the problem description. In the present chapter we adopt a dualand more conventional viewpoint, in which the underlying state transitionstructure is assigned a more basic role. Two illustrative examples are pro-vided in the Appendix 7.1. In addition, the state viewpoint will facilitate the

397

398 CHAPTER 7

treatment of systems – notably the vector discrete-event systems of Chap-ter 8 – where the underlying state set has regular algebraic structure thatcan be exploited for modeling compactness and computational efficiency.

7.2 Predicates and State Subsets

Let G = (Q,Σ, δ, q0, Qm) be a DES, as defined in previous chapters. Inorder to place ‘conditions’ on the state q of G, it will be convenient to usea logic formalism. While not strictly necessary (in fact we could make dowith state subsets just as well), the logic terminology is sometimes closerto natural language and intuition. Thus, a predicate P defined on Q is afunction P : Q → 0, 1. P can always be identified with the correspondingstate subset

QP := q ∈ Q|P (q) = 1 ⊆ Q

thus the complement Q − QP = q ∈ Q|P (q) = 0. We say that P holds,or is satisfied, precisely on the subset QP , and that q ∈ QP satisfies P . Thesatisfaction relation P (q) = 1 will often be written q |= P (‘q satisfies P ’).Write Pred(Q) for the set of all predicates on Q, often identified with thepower set Pwr(Q). Boolean expressions will be formed as usual by logicalnegation, conjunction and disjunction; in standard notation:

(¬P )(q) = 1 iff P (q) = 0

(P1 ∧ P2)(q) = 1 iff P1(q) = 1 and P2(q) = 1(P1 ∨ P2)(q) = 1 iff P1(q) = 1 or P2(q) = 1

Recall the De Morgan rules

¬(P1 ∧ P2) = (¬P1) ∨ (¬P2), ¬(P1 ∨ P2) = (¬P1) ∧ (¬P2)

Given P ∈ Pred(Q), we say that P1, P2 ∈ Pred(Q) are equivalent withrespect to P if

P1 ∧ P = P2 ∧ Pnamely P1 and P2 coincide when restricted, or ‘relativised’, to the subset QP .As the logic counterpart to subset containment we introduce on Pred(Q) thepartial order ⪯ defined by

P1 ⪯ P2 iff P1 ∧ P2 = P1

iff (∀q ∈ Q)q |= ¬P1 ∨ P2

7.3 399

Thus P1 ⪯ P2 (P1 ‘precedes’ P2) just when P1 is stronger than P2 in the sensethat P1 ‘implies’ P2; equivalently if q |= P1 then q |= P2; and we also say thatP1 is a subpredicate of P2. Under the identification of Pred(Q) with Pwr(Q)and ⪯ with ⊆ it is clear that (Pred(Q),⪯) is a complete lattice. The topelement ⊤ of this lattice, defined by Q⊤ = Q, will be denoted by true (andis the weakest possible predicate), while the bottom element ⊥, defined byQ⊥ = ∅, will be written ⊥ = false (and is the strongest possible predicate).

Exercise 1: Justify the terms ‘strong’ and ‘weak’ in this usage.

7.3 Predicate Transformers

First we consider reachability issues for G. Let P ∈ Pred(Q). The reacha-bility predicate R(G, P ) is defined to hold precisely on those states that canbe reached in G from q0 via states satisfying P , according to the inductivedefinition:

1. q0 |= P ⇒ q0 |= R(G, P )

2. (q |= R(G, P ) & σ ∈ Σ & δ(q, σ)! & δ(q, σ) |= P ) ⇒ δ(q, σ) |= R(G, P )

3. No other states q satisfy R(G, P )

Explicitly, q |= R(G, P ) if and only if there exist an integer k ≥ 0, statesq1, ..., qk ∈ Q, and events σ0, σ1, ..., σk−1 ∈ Σ such that

1. δ(qi, σi)! & δ(qi, σi) = qi+1, i = 0, 1, ..., k − 1

2. qi |= P , i = 0, 1, ..., k

3. qk = q

For fixed G, R(G, ·) : Pred(Q) → Pred(Q) is an example of a predi-cate transformer, i.e. a map transforming predicates to predicates. ClearlyR(G, P ) ⪯ P ; also R(G, ·) is monotone with respect to ⪯, in the sense thatP ⪯ P ′ implies R(G, P ) ⪯ R(G, P ′). Note that R(G, true) is the reachableset for G, namely the set of states reachable from q0 without constraint.

400 CHAPTER 7

Fix σ ∈ Σ. The weakest liberal precondition corresponding to σ ∈ Σ isthe predicate transformer Mσ : Pred(Q) → Pred(Q) defined as follows:

Mσ(P )(q) :=

1 if either δ(q, σ)! & δ(q, σ) |= P, or not δ(q, σ)!0 otherwise (i.e. δ(q, σ)! and not δ(q, σ) |= P )

Equivalently and more concisely,

q |=Mσ(P ) iff δ(q, σ) |= P whenever δ(q, σ)! (and by default otherwise)

It is clear that Mσ(·) is monotone. The action of Mσ can be visualizedin terms of the ‘dynamic flow’ on Q induced by one-step state transitionsunder σ, wherever such transitions are defined. Thus Mσ(P ) is just thecondition on (states in) Q that ensures that from a state, say q, there is aone-step transition into QP under the occurrence of the event σ (so Mσ(P )is indeed a ‘precondition’ for P ), or else that σ cannot occur at q at all, i.e.δ(q, σ) is not defined (in this sense the precondition is ‘liberal’). Note that‘weakest’ means ‘the largest state subset with the asserted property’, namely‘the weakest assumption required to establish either that σ was not enabledor that σ occurred and led to P ’.

The weakest liberal precondition is retrospective, drawing attention froma present condition (i.e. P ) to its one-step antecedent. A dual concept isthe predicate transformer strongest postcondition Nσ: Pred(Q) → Pred(Q)defined according to

Nσ(P )(q) :=

1 if (∃q′ |= P )δ(q′, σ)! and δ(q′, σ) = q0 otherwise

(i.e. (∀q′ |= P )either not δ(q′, σ)! or δ(q′, σ) = q)

The strongest postcondition is prospective, drawing attention from a presentcondition to its one-step consequent; and ‘strongest’ means ‘the smallest statesubset with the asserted property’, namely ‘the strongest inference that canbe made solely on the assumption that P held and σ occurred’.

We shall see that weakest liberal precondition plays a role in controlla-bility properties, while it can be shown that strongest postcondition relatesto observability.

Later we shall use the connection between state reachability and languagebehavior, summarized as follows. The closed behavior L(G, q) correspondingto initialization of G at an arbitrary state q ∈ Q is defined to be

L(G, q) := w ∈ Σ∗|δ(q, w)!

7.4 401

while the corresponding marked behavior is, of course,

Lm(G, q) := w ∈ L(G, q)|δ(q, w) ∈ Qm

Similarly we define the closed (resp. marked) language induced by a predicateP ∈ Pred(Q) to be

L(G, P ) := w ∈ L(G, q0)|(∀v ≤ w)δ(q0, v) |= P(resp. Lm(G, P ) := w ∈ L(G, P )|δ(q0, w) ∈ Qm )

The reachable set R(G, q) of states reachable from arbitrary q ∈ Q is then

R(G, q) := δ(q, w)|w ∈ L(G, q)

Exercise 1: Consider an agent observing the behavior of G, who knowsonly that G was initialized at some (unspecified) state q ∈ QP ⊆ Q withP ∈ Pred(Q), and that G subsequently generated the string s = σ1σ2 · · ·σk.Show that the agent’s best estimate of the state at s is the predicate

Nσk(· · ·Nσ2(Nσ1(P )) · · · )

Exercise 2: If P is a predicate and σ is an element of Σ, consider the weakestliberal precondition of the strongest postcondition of P , namely

P ′ :=Mσ(Nσ(P ))

Similarly let P ′′ := Nσ(Mσ(P )). Show that

P ′′ ⪯ P ⪯ P ′

Illustrate with examples where the inequalities are strict.

7.4 State Feedback and Controllability

We define a state feedback control (SFBC) for G to be a total function

f : Q→ Γ

402 CHAPTER 7

whereΓ := Σ′ ⊆ Σ|Σ′ ⊇ Σu

Thus f attaches to each state q of G a subset of events that always containsthe uncontrollable events. The event σ ∈ Σ is enabled at q if σ ∈ f(q), andis disabled otherwise; σ is always enabled if σ ∈ Σu. For σ ∈ Σ introduce thepredicate fσ : Q→ 0, 1 defined by

fσ(q) := 1 iff σ ∈ f(q)

Thus a SFBC f is specified by the family of predicates fσ|σ ∈ Σ. Theclosed-loop transition function induced by f will be written δf , given by

δf (q, σ) :=

δ(q, σ) if δ(q, σ)! and fσ(q) = 1undefined otherwise

We write Gf := (Q,Σ, δf , q0, Qm) for the closed-loop DES formed from Gand f .

If f is a SFBC for G then, of course, R(Gf , P ) denotes the reachabilitypredicate for Gf (initialized at q0). Since for any q and σ, δf (q, σ)! only ifδ(q, σ)! it is evident that R(Gf , P ) ⪯ R(G, P ).

The following definition is fundamental. We say that P ∈ Pred(Q) iscontrollable (with respect to G) if

P ⪯ R(G, P ) & (∀σ ∈ Σu)P ⪯Mσ(P )

Thus controllability asserts that if q satisfies P then (i) q is reachable fromq0 via a sequence of states satisfying P , and (ii) if σ ∈ Σu, δ(q, σ)! and q

′ =δ(q, σ) then q′ satisfies P , namely ‘P is invariant under the flow induced byuncontrollable events’. Note that the predicate false is trivially controllable.

Theorem 1Let P ∈ Pred(Q), P = false. Then P is controllable if and only if there

exists a SFBC f for G such that R(Gf , true) = P .

Thus a nontrivial predicate P is controllable precisely when it can be‘synthesized’ by state feedback.

Proof(If) Assume R(Gf , true) = P . Since δf (q, σ)! implies δ(q, σ)! it is clear

that any q such that q |= P can be reached from q0 along a sequence of states

7.4 403

with the same property, so P ⪯ R(G, P ). Let σ ∈ Σu and q |= P . If δ(q, σ)!then δf (q, σ)! (since f is a SFBC) and then

δ(q, σ) = δf (q, σ) |= R(Gf , true) = P

This implies that q |=Mσ(P ), and therefore P ⪯Mσ(P ).(Only if) Assume P controllable and define the SFBC f : Q→ Γ by

(∀σ ∈ Σc)fσ :=Mσ(P )

First it will be shown that R(Gf , true) ⪯ P . Let q |= R(Gf , true). Then forsome k ≥ 0, q1, ..., qk(= q) ∈ Q and σ0, σ1, ..., σk−1 ∈ Σ, we have

δ(qi, σi)!, δ(qi, σi) = qi+1, fσi(qi) = 1, i = 0, 1, ..., k − 1

By hypothesis, q |= P for some q, and by controllability q |= R(G, P ),so in particular q0 |= P . We claim that q1 |= P . For if σ0 ∈ Σu thencontrollability implies that q0 |= Mσ0(P ), so δ(q0, σ0) = q1 |= P ; while ifσ0 ∈ Σc then fσ0(q0) = 1, namely q0 |=Mσ0(P ) and again δ(q0, σ0) = q1 |= P .By repetition of this argument for q2, ..., qk we conclude that qk = q |= P .It remains to show that P ⪯ R(Gf , true). Let q |= P . By controllability,q |= R(G, P ). For some k ≥ 0, q1, ..., qk(= q) ∈ Q and σ0, σ1, ..., σk−1 ∈ Σ wehave

qi |= P, i = 0, ..., k

δ(qi, σi)!, δ(qi, σi) = qi+1, i = 0, ..., k − 1

and therefore

qi |=Mσi(P ), i = 0, 1, ..., k − 1

If σi ∈ Σu then fσi(qi) = 1 because f is a SFBC; while if σi ∈ Σc then

fσi(qi) =Mσi

(P )(qi) = 1 (as just shown). Therefore δf (qi, σi)! and δf (qi, σi) =

qi+1 (i = 0, 1, ..., k − 1), namely

q = qk |= R(Gf , true)

as claimed. 2

Now suppose P ∈ Pred(Q) is not controllable. As usual, we seek a con-trollable predicate that best approximates P from below. Following standard

404 CHAPTER 7

procedure, bring in the family of controllable predicates that are strongerthan P , namely

CP(P ) := K ∈ Pred(Q)|K ⪯ P & K controllable

Proposition 2CP(P ) is nonempty and is closed under arbitrary disjunctions; in partic-

ular the supremal element supCP(P ) exists in CP(P ).

ProofWe have already seen that false ∈ CP(P ). Now let Kλ ∈ CP(P ) for

λ ∈ Λ, some index set. It will be shown that

K :=∨λ∈Λ

Kλ ∈ CP(P )

It is clear that K ⪯ P , so it remains to test controllability. Let q |= K, soq |= Kλ for some λ. By controllability of Kλ, q |= R(G, Kλ), and as Kλ ⪯ Kthere follows q |= R(G, K). If σ ∈ Σu then similarly q |= Mσ(Kλ), henceq |=Mσ(K) as required. Finally, the supremal element of CP(P ) is

supCP(P ) =∨

K|K ∈ CP(P )

2

The following characterization will be useful later. Define the predicatetransformer ⟨·⟩ according to

q |= ⟨P ⟩ if (∀w ∈ Σ∗u)δ(q, w)! ⇒ δ(q, w) |= P

Note that ⟨P ⟩ ⪯ P (since δ(q, ϵ) = q) and in fact ⟨P ⟩ is the weakest sub-predicate of P that is invariant under the flow induced by uncontrollableevents.

Proposition 3supCP(P ) = R(G, ⟨P ⟩)

ProofClaim 1. R(G, ⟨P ⟩) ∈ CP(P )

7.4 405

We show that R(G, ⟨P ⟩) is controllable. Let q |= R(G, ⟨P ⟩). Thenq0 |= ⟨P ⟩ and there are k ≥ 0, q1, ..., qk(= q) ∈ Q and σ0, σ1, ..., σk−1 ∈ Σsuch that

qi |= ⟨P ⟩, i = 1, ..., k

δ(qi, σi)!, δ(qi, σi) = qi+1, i = 0, ..., k − 1

We note that qi |= R(G, ⟨P ⟩) since qj |= ⟨P ⟩ for j = 0, 1, ..., i. In particularq |= R(G, R(G, ⟨P ⟩)), so R(G, ⟨P ⟩) ⪯ R(G, R(G, ⟨P ⟩)). Next we chooseσ ∈ Σu with δ(q, σ)! and establish q ⊨Mσ(R(G, ⟨P ⟩)), namely q′ := δ(q, σ) |=R(G, ⟨P ⟩). For this let w ∈ Σ∗

u with δ(q′, w)!. Then σw ∈ Σ∗u, and

δ(q′, w) = δ(δ(q, σ), w) = δ(q, σw) |= P (since q |= ⟨P ⟩)

Thus q′ |= ⟨P ⟩. Then q |= R(G, ⟨P ⟩) together with q′ = δ(q, σ) impliesq′ |= R(G, ⟨P ⟩), so q |=Mσ(R(G, ⟨P ⟩)), completing the proof of Claim 1.

Claim 2. Let P ′ ∈ CP(P ). Then P ′ ⪯ R(G, ⟨P ⟩).Let q |= P ′. Then q0 |= P ′ and there exist k ≥ 0, q1, ..., qk(= q) ∈ Q and

σ0, σ1, ..., σk−1 ∈ Σ such that

qi |= P ′, i = 1, ..., k

δ(qi, σi)!, δ(qi, σi) = qi+1 i = 0, ..., k − 1

Fix i and σ ∈ Σu. Then qi |= P ′ ⪯Mσ(P′) and δ(qi, σ)! imply δ(qi, σ) |= P ′.

If w ∈ Σ∗u then by induction on |w| we infer that if δ(qi, w)! then δ(qi, w) |=

P ′ ⪯ P . There follows in turn

q0 |= ⟨P ⟩, q1 |= ⟨P ⟩, ..., qk |= ⟨P ⟩, i.e. q |= ⟨P ⟩

namely q |= R(G, ⟨P ⟩), and Claim 2 is proved.The result follows from Claims 1 and 2. 2

Corollary 4

supCP(P ) = false iff R(G, ⟨P ⟩) = false iff q0 |= ⟨P ⟩

2

Under the assumption that supCP(P ) = false, we may define a corre-sponding ‘optimal’, i.e. behaviorally least restrictive, SFBC f ∗ to synthesizeR(G, ⟨P ⟩). Imitating the proof (‘Only if’) of Theorem 1 we may set

(∀σ ∈ Σc)f∗σ(q) :=

1 if δ(q, σ)! & δ(q, σ) |= ⟨P ⟩0 otherwise

406 CHAPTER 7

Note that f ∗σ(q) may be evaluated arbitrarily (in particular = 0) if not δ(q, σ)!.

This formula suggests that in practice optimal control can be implemented‘online’, namely by testing, at the current state q, the satisfaction relationδ(q, σ) |= ⟨P ⟩ for each controllable event σ such that δ(q, σ)!. Efficient im-plementation of f ∗

σ in an application will thus depend on devising an eco-nomical algorithmic representation of ⟨P ⟩, namely of ‘reachability on theuncontrollable subsystem’. While in general this reachability property maybe intractable or even undecidable, we shall see in the next chapter that anefficient algorithm is often available for vector discrete-event systems andlinear predicates.

Exercise 5: Show that the predicate P ∈ Pred(Q) is controllable if andonly if P = R(G, P ) and the language L(G, P ) is controllable.

Exercise 6: Show that, for arbitrary P ∈ Pred(Q),

L(G, supCP(P )) = supC(L(G, P ))

7.5 Balanced State Feedback Controls and Mod-

ularity

A SFBC f : Q→ Γ is balanced if

(∀q, q′ ∈ Q)(∀σ ∈ Σ)q, q′ |= R(Gf , true) & δ(q, σ)! & δ(q, σ) = q′ ⇒ fσ(q) = 1

A balanced SFBC is one which, among all SFBC synthesizing the same (con-trollable) predicate, enables at every reachable state q the largest possibleset of (controllable) events σ for which δ(q, σ)!. Thus a balanced SFBC is‘maximally permissive’.

Exercise 1: Show that an arbitrary SFBC can always be replaced by abalanced SFBC without changing the reachable set.

Let P ∈ Pred(Q), P = false, be expressible as a conjunction of predi-cates P1, ..., Pk:

P =k∧

i=1

Pi

7.5 407

We shall think of P as a specification for the controlled behavior of the DESG, and the Pi ∈ Pred(Q) as partial specifications. Our objective will be toimplement an optimal SFBC for P by means of modular SFBC for the Pi.

Write R(f/G) for R(Gf , true). For i = 1, ..., k let fi : Q → Γ be anoptimal SFBC for Pi, i.e.

R(fi/G) = supCP(Pi)

The modular SFBC f formed from the fi is given by

fσ :=k∧

i=1

fi,σ, σ ∈ Σ

i.e. fσ(q) = 1 iff fi,σ(q) = 1 for i = 1, ..., k: an event is enabled by f if andonly if it is enabled by each fi. In this case write symbolically

f :=k∧

i=1

fi

Theorem 2Assume that fi is balanced (i = 1, ..., k). Then f is balanced, and

R(f/G) = supCP(P )

Proof

Clearly R(f/G) ⪯k∧

i=1

R(fi/G), from which it easily follows that f is

balanced. Next, we have

R(fi/G) = R(G, ⟨Pi⟩) ⪯ Pi, i = 1, ..., k

so that R(f/G) ⪯ P , hence R(f/G) ∈ CP(P ), and therefore R(f/G) ⪯supCP(P ). It remains to check that

supCP(P ) ⪯ R(f/G)

Now supCP(P ) = R(G, ⟨P ⟩), and

⟨P ⟩ = ⟨k∧

i=1

Pi⟩ =k∧

i=1

⟨Pi⟩

408 CHAPTER 7

so it must be shown that

R(G,k∧

i=1

⟨Pi⟩) ⪯ R(f/G)

Let

q |= R(G,k∧

i=1

⟨Pi⟩)

Then there are m ≥ 0, q1, ..., qm(= q) and σ0, σ1, ..., σm−1 such that

δ(qj, σj)!, δ(qj, σj) = qj+1, j = 0, 1, ...,m− 1

qj |=k∧

i=1

⟨Pi⟩, j = 0, 1, ...,m

Thus qj |= R(G, ⟨Pi⟩) = R(fi/G) (i = 1, ..., k; j = 0, 1, ...,m). Since each fiis balanced,

fi,σj(qj) = 1, i = 1, ..., k; j = 0, 1, ...,m− 1

which implies in turn

k∧i=1

fi,σj(qj) = 1, j = 0, 1, ...,m− 1

qj |= R(f/G)

q = qm |= R(f/G)

as required. 2

Exercise 3: Provide an example to show that the conclusion of Theorem 2may fail if the assumption that the fi are balanced is dropped. On the otherhand show by another example that the conclusion may hold even thoughthe assumption fails, namely ‘balance’ isn’t a necessary condition.

7.6 409

7.6 Dynamic State Feedback Control

The foregoing methods are readily extended to the situation where additionalmemory elements are included in the state description, permitting the controlaction to depend not only on the current state of the plant G, but also onvarious properties of past behavior.

Let Gi = (Qi,Σ, δi, qi,0, Qi,m) (i = 1, 2) be DES defined over the same al-phabet Σ. We recall that the product DESG = G1×G2,G = (Q,Σ, δ, q0, Qm),is defined according to

Q = Q1 ×Q2

δ((q1, q2), σ) = (δ1(q1, σ), δ2(q2, σ))

(just in case δ(q1, σ)! and δ(q2, σ)!),

q0 = (q1,0, q2,0), Qm = Q1,m ×Q2,m

Let H = (Y,Σ, η, y0, Y ) be a DES with marker subset the entire state set(so marked and closed behaviors coincide). We say that H is a memory forG if L(H) ⊇ L(G). Such H does not constrain G under product of DES,namely

L(G×H) = L(G), Lm(G×H) = Lm(G)

Memory can provide a medium for the ‘recording’ of specification languagesrestricting the behavior of G, in the following sense. Let E ⊆ Σ∗ be a closedlanguage, and let P ∈ Pred(Q×Y ). We say that the pair (E,P ) is compatiblewith G×H if

L(G×H, P ) = E ∩ L(G)

Thus enforcement of the predicate P on the state set of the product DES isequivalent to restricting the closed behavior of G to the language E. Theprecise connection is the following, where we write CPG×H(·) for the familyof controllable (with respect to G × H) subpredicates (on Q × Y ) of itsargument, and CG×H(·) (resp. CG(·)) for the family of controllable (withrespect to G×H (resp. G)) sublanguages of its argument.

Theorem 1Let H be a memory for G. For E ⊆ Σ∗ unrestricted,

CG×H(E) = CG(E)

410 CHAPTER 7

Also, if E ⊆ Σ∗ is closed and (E,P ) is compatible with G×H, then

L(G×H, supCPG×H(P )) = supCG(E ∩ L(G))

ProofApply the definition of memory, and the result of Exercise 7.4.6 to G×H.

2

To implement behavior of the type just described, we bring in dynamicstate feedback control (DSFBC), defined as SFBC in the sense already em-ployed, but now on the state set of G × H. Thus a DSFBC is a mapf : Q × Y → Γ, with component predicates fσ : Q × Y → 0, 1 for σ ∈ Σ,just as before. For emphasis we may refer to the pair F := (f,H) as a DSFBCfor G and write L(F/G), Lm(F/G) for the corresponding controlled sublan-guages of L(G), Lm(G). Finally we say that the DSFBC F is balanced if fis balanced as a SFBC for G×H defined on Q× Y . In this terminology wehave the following consequence of Theorems 1 and 7.4.1, and Exercises 3 and7.5.1.

Corollary 2Let E ⊆ Σ∗, E closed, and assume supCG(E ∩ L(G)) = ∅. There exists

a balanced DSFBC F = (f,H) for G such that

L(F/G) = supCG(E ∩ L(G))

2

Exercise 3: Let E ⊆ L(G) be nonempty and closed. Show that there exista memory H for G and a predicate P ∈ Pred(Q × Y ) such that (E,P ) iscompatible with G ×H. Hint: Consider the reachability tree for L(G), oralternatively an automaton (recognizer) for E completed by an unmarkeddump state so its closed behavior is Σ∗. H can be constructed by markingall states of this recognizer.

Exercise 4: For a ‘distinguished’ event α ∈ Σ, let H model a counter thatrecords the number of occurrences of α, mod 10 say. Suggest some pairs(E,P ) that could be compatible with G×H.

Exercise 5: Prove Theorem 1 and Corollary 2. Hint: Use the results ofExercises 3 and 7.4.6.

7.6 411

Finally we indicate how the principle of DSFBC can be adapted to mod-ularity. With a view to later applications we assign to languages the pri-mary role of specifications. Let Ei ⊆ Σ∗ (i = 1, ..., k) be closed languageswhich we take to be specification languages for the closed behavior of G. LetE = E1 ∩ · · · ∩Ek. For each i let Hi = (Yi,Σ, ηi, yi,0, Yi) be a memory for G,and Pi ∈ Pred(Q× Yi) such that (Pi, Ei) is compatible with G×Hi. DefineP ∈ Pred(Q× Y1 × · · · × Yk) according to

(q, y1, ..., yk) |= P iff (q, yi) |= Pi, i = 1, ..., k

Let Fi = (fi,Hi) be a balanced DSFBC forG such that L(Fi/G) = supCG(Ei∩L(G)). Now define F = (f,H1 × ...×Hk) according to

fσ(q, y1, ..., yk) = 1 iff fi,σ(q, yi) = 1, i = 1, ..., k

With the foregoing conditions in place, we have

Theorem 6The DES H := H1 × · · · × Hk is a memory for G, the pair (E,P ) is

compatible with G×H, F := (f,H) is a balanced DSFBC for G, and

L(F/G) = L(G×H, supCPG×H(P )) = supCG(E ∩ L(G))

2

Exercise 7: Prove Theorem 6, and provide a concrete illustration.

Exercise 8: Marking and nonblocking.In this chapter so far, the marker states of G have played no role, and

nonblocking has not been explicitly treated. To complete the story in thisrespect, define a predicate P ∈ Pred(Q) to be nonblocking for G if

(∀q |= P )(∃s ∈ Σ∗)δ(q, s)! & δ(q, s) ∈ Qm & (∀w ≤ s)δ(q, w) |= P

Notice that P = false is trivially nonblocking; in any case, if q |= P , there isa path in Q leading from q to some state in Qm along which P is satisfied.Define a balanced SFBC f for G to be nonblocking for G if R(Gf , true) is anonblocking predicate. Assuming P = false, show that there is a nonblockingSFBC f for G such that R(Gf , true) = P , if and only if P is controllable andnonblocking. Next show that the family of nonblocking predicates stronger

412 CHAPTER 7

than a given predicate, say SPEC ∈ Pred(Q), is closed under arbitrary dis-junctions. Then show that the family of predicates that are stronger thanSPEC and are both nonblocking and controllable, is closed under arbitrarydisjunctions, hence possesses a weakest element, the supremal element of thefamily. If not false, this element will thus determine an optimal nonblockingSFBC that enforces SPEC. Go on to investigate the design requirement ofnonblocking when SFBC is modular. As might be expected, the conjunc-tion of nonblocking predicates generally fails to be nonblocking: prove thisby example. Say two nonblocking predicates are nonconflicting if their con-junction is nonblocking. On this basis, develop corresponding refinements ofthe previous results of Sections 7.5 and 7.6. Finally, link the above state-based approach to nonblocking with the linguistic approach of Chapter 3,identifying and proving the relations between dual concepts.

Exercise 9: Partial state observationsExtend the state feedback control theory of this chapter to the case where

the state q is known to the supervisor only modulo some equivalence relationρ ∈ E(Q). Find a necessary and sufficient condition that P ∈ Pred(Q) canbe synthesized by SFBC. Hint: Consider (among other things) the ‘observ-ability’ condition

(∀q, q′ |= P )(∀σ ∈ Σc)q ≡ q′(mod ρ) & δ(q, σ)! & δ(q′, σ)! & δ(q, σ) |= P

⇒ δ(q′, σ) |= P

Exercise 10: Observable predicateExplore the definition of observable predicate P ∈ Pred(Q), along the

following lines. Let Σo ⊆ Σ and R : Σ∗ → Σ∗o be the natural projection of

languages. Say the predicate P is (G, R)-observable iff the language L(G, P )is (G, R)-observable in the sense of Chapter 6. Develop a parallel theory tothat of Chapter 6 in the style of ‘states and predicates’.

7.7 Notes and References

Predicate transformers were introduced by E.W. Dijkstra [1976], and firstapplied to DES control theory in [J06, J07]. This chapter is based on thelatter references together with work of Y. Li [C24, C27, C29, T17, J21]. The

7.7 413

two industrial examples to follow are adapted from Sørensen et al. [1993]and Falcione & Krogh [1993] respectively.

A concrete representation for state-based modeling and supervision, called‘boolean discrete-event systems’ (BDES), and including a treatment of mem-ory, nonblocking, and forcing, is provided in the thesis of Y.W. Wang [T43].In particular the Gas Burner (Exercise 1 in Appendix 7.1 below) is developedin detail.

Appendix 7.1: Two Industrial Examples

In this appendix we sketch two exercises on DES modeling by predicates,specifically in a boolean formalism where the state structure is determinedby a list of independent propositional variables. For complementary detailsthe reader may consult the cited references.

Exercise 1: Gas Burner (Sørensen et al. [1993])The process state is given by the simultaneous truth values of 5 boolean

variables; state transitions are triggered by any of 10 distinct events. Someof these are:

predicate HR = ‘heat is required’X = ‘an explosion has occurred (system is in an

exploded condition)’

event ‘on’ = ‘system on-button is pushed’‘ex’ = ‘system explodes’

Transitions are determined by rules of two types: enablement rules ENRand next-state rules NSR. An example of ENR is: event ‘on’ can occur iffpredicate HR = false; while NSR might be: ‘on’ takes any state with HR= false into the corresponding state with HR = true. To each event theremay be associated several rules, corresponding to different subsets of states.Multiple rules should be checked for consistency, to ensure transitions aredeterministic.

The rule base is easily encoded into a case-statement associating witheach event an if-then clause in terms of boolean state components. From thisthe one-step state transition matrix (32×10) is computed once for all; then

414 CHAPTER 7

the reduced transition structure over the reachability set can be generated bydepth-first search. [This naive monolithic approach is exponentially complexin the number of predicates and is not recommended for large systems!]

1. Referring to the cited paper for ENR and NSR, carry out this procedurefor the gas burner example, and verify the authors’ state transitionmodel, writing your own program to calculate the reachability set. Youshould get a final state size of just 9. In the notation of the paper, labelevents as follows:

on off df1 df2 df3 df4 sr ff cr ex0 1 2 3 4 5 6 7 8 9

and encode state components according to

HR D F B X0 1 2 3 4

Each state component will take values 1 or 0, corresponding to true orfalse. States are numbered from 0 to 31 corresponding to all possibleboolean combinations of the vector [HR D F B X], evaluated as

HR ⋆ 1 +D ⋆ 2 + F ⋆ 4 +B ⋆ 8 +X ⋆ 16

For instance, the initial state is 2 = [0 1 0 0 0].

2. Extend the foregoing modeling procedure to include control, e.g. SCTdisablement, assuming for instance that Σc = on,off,sr,cr. Commenton whether or not the system could then be safely turned on and, if not,suitably modify the design, for instance by using forcible events in thesense of Section 3.8. Generalize the approach to take into account thatsometimes additional memory (an extended state space) is requiredto represent the control specifications, namely when the latter involveconditions on the past behavior of the process. For instance, ‘stop theprocess after 10 sensor failures’ could be enforced with the aid of anauxiliary counter.

Exercise 2: Neutralization System (Falcione & Krogh [1993])A neutralization system in an industrial chemical process could consist

of a reaction tank, heater, mixer, and valves for filling and emptying thetank. The plant seen by the programmable logic controller (PLC) consists

Appendix 415

of boolean variables to represent the operator setting (process off or on),fluid level, temperature and pressure. The controller variables are booleanvariables for the valve states (closed or open), temperature and pH indicatorlights (off or on), and heater and mixer states (off or on). Recall that pH isa measure of alkalinity; i.e. if pH is too low, more neutralizer is added. Indetail the plant state variables are the following:

x0 = start = 1 when process ONx1 = ls1 level ≥ level1x2 = ls2 level ≥ level2x3 = ls3 level ≥ level3x4 = ts temp ≥ OKx5 = as pH ≥ OK

Here level1 ≤ level2 ≤ level3, i.e. the possible level combinations are(x1, x2, x3) = (0, 0, 0), (1, 0, 0), (1, 1, 0), (1, 1, 1).

The controller state variables are:

u1 = v1 = 1 iff valve1 is OPEN (tank fluid feed from reservoir)

u2 = m mixer is ON

u3 = h heater is ON

u4 = tl temp indicator light is ON

u5 = v4 valve4 is OPEN (tank fluid drain back to reservoir)

u6 = v2 valve2 is OPEN (neutralizer feed)

u7 = al pH indicator light is ON

u8 = v3 valve3 is OPEN (tank fluid drain to next tank)

The controller state transition structure is given by assignment (:=) state-ments:

u1 := (u1 + x0).u8.x2

u2 := (u2 + x2).x1

u3 := u8.x2.x4

u4 := x2.x4

u5 := (u5 + x3).x2

u6 := u5.u8.x2.x5

u7 := x2.x5

u8 := (u8 + x2.x4.x5).u5.x1

416 CHAPTER 7

Note that + is boolean disjunction (thus 1+1 = 1), · boolean negation and. boolean conjunction.

Initially the process is OFF (x0 = 0), the tank is empty (x1 = x2 = x3 =0), temperature is low (x4 = 0), pH is unspecified (x5 = 0 or 1). In thecontroller, all valves are CLOSED (u1 = u5 = u6 = u8 = 0) and the mixerand heater are OFF (u2 = u3 = 0). From the control logic this implies thatthe indicator lights are both OFF (u4 = u7 = 0).

The rules of operation are the following. To start the process, set x0 := 1,opening valve1 (u1 = 1) which stays open until the tank has filled to level2(x2 = 1). When level2 is reached start the mixer (u2 := 1); if the level dropsbelow level1 (x1 = 0) stop the mixer (u2 := 0). Energize the heater (u3 := 1)if the temperature is too low (x4 = 0) and the tank level is at least level2(x2 = 1). If pH is too low (x5 = 0) open the neutralizer feed valve2 (u6 := 1).If the tank becomes full (level ≥ level3, i.e. x3 = 1) then open valve4 (draintank fluid back to reservoir, i.e. u5 := 1); this will close valve2 (u6 := 0)to stop the flow of neutralizer. When the fluid level drops just below level2(x2 = 0), close valve4 (u5 := 0). When both temperature and pH are OK(x4 = x5 = 1), de-energize the heater (u3 := 0) and open valve3 (u8 := 1) todrain the tank. When the tank is empty (x1 = 0), close valve3 (u8 := 0) andrestart the process.

While the description specifies how the controller reacts to the plant, nomodel has been specified as to how the plant responds to the controller, so thecontrol loop is open, and no analysis of controlled behavior is possible. Onecould experiment with various DES models for the plant. For instance, takethe plant to be the shuffle of 3 processes, LEVEL, TEMP and ALK. LEVELhas the 4 states listed above, with events ‘level rise’ and ‘level drop’, where‘level rise’ is enabled when valve1 or valve2 is OPEN and valve3 and valve4are CLOSED (i.e. (u1+u6).u5.u8), while ‘level drop’ is enabled when valve1and valve2 are CLOSED and valve3 or valve4 is OPEN (i.e. u1.u6.(u5+u8)).TEMP has 2 states (x4 = 0 or 1) with events ‘temp rise’, enabled whenheater is ON (u3 = 1) and ‘temp drop’, enabled when u3 = 0. SimilarlyALK has states (x5 = 0 or 1) with events ‘alk rise’ enabled when valve2 isOPEN (u6 = 1). Notice that what we have here is a simple qualitative modelof the plant physics. The example illustrates why there is current interest inqualitative modeling: this is simply high-level discrete aggregation, and (ifthe model is valid) is all you need for logic control design.

The plant transition triples are:

Appendix 417

[level0,level drop,level0][level0,level rise,level1][level1,level drop,level0][level1,level rise,level2][level2,level drop,level1][level2,level rise,level3][level3,level drop,level2][level3,level rise,level3]

Note that level drop (resp. level rise) leaves level0 (resp. level3) unchanged.In this formalism one can regard the occurrence of an event in a given

time window or sampling interval as a boolean variable. Recalling that level0= (0,0,0), level1 = (1,0,0), level2 = (1,1,0), level3 = (1,1,1), we can bring innew boolean level variables

l0 = x1.x2.x3

l1 = x1.x2.x3

l2 = x1.x2.x3

l3 = x1.x2.x3

with transition assignments

l0 := l0.level rise + l1.level drop

l1 := l1.level rise.level drop + l0.level rise + l2.level drop

and so on. These rules could be expressed in terms of the xi by the equations

x1 = l1 + l2 + l3

x2 = l2 + l3

x3 = l3

The events are enabled or disabled according to the controller and plantstates, i.e. events can occur only in control and plant states where they areenabled in accordance with the physical interpretation. Thus the enablementpreconditions for rise or drop in level are:

enable(level rise) = (u1 + u6).u5.u8enable(level drop) = u1.u6.(u5 + u8)

The transition rules are

418 CHAPTER 7

level rise := enable(level rise).random

level drop := enable(level drop).randomwhere random (= boolean 0 or 1) represents the mechanism of event selection.

Similarlyx4 := x4.temp rise + x4.temp dropx5 := x5.alk rise + x5

with preconditionsenable(temp rise) = u3enable(temp drop) = u3enable(alk rise) = u6Note that we have embodied a physical assumption that if u3 = 0 (heater

is OFF) then temp drop is enabled, so temp could drop but need not;whereas if temp is OK and heater is ON then temp drop is disabled, and thecondition x4 = 1 is stable. A more refined model could include a temperaturecontroller with ON/OFF thresholds bracketing the setpoint.

The equations can be used for simulation or analysis, with an enabledevent chosen randomly at each simulation step and the state and controlvariables updated. The process can now be considered a standard SCT modelwith the feedback already incorporated: for each state (x, u) certain eventswill be enabled and exactly one of them will be selected as the next event.Then (x, u) is updated and the process repeats.

In general the model is of the formx new := qualitative physics(x,u,events), u new := control logic(x, u).As always, the total process with state (x, u) is driven by the events con-

stituting the changes in physical state under the action of the plant dynamicsand control logic.

The archtypal system of this general kind is a level controller (e.g. waterpump or furnace control), where the plant state variables are x1, x2 with

x1 = 1 iff level ≥ level1x2 = 1 iff level ≥ level2

and level2 > level1 as above. The controller variable is u, with u = 1 rep-resenting that the pump or furnace is ON. The process has a main switchTOGGLE.

Thenu := TOGGLE.(u+ x1).x2

namely ‘keep pumping if (already pumping or level < level1) and (level <level2)’. So the pump starts low, stops high, and tries to keep level between

Appendix 419

level1 and level2. Once the level reaches level2 the pump shuts off, onlyturning on again if the level drops below level1. Ignoring TOGGLE we have

u := f(u, x1, x2), say

with u new = 1 iff x2 = 0 and either u = 1 or x1 = 0.The ‘correctness’ of such a controller means that the plant state subset

(x1, x2)|x1 = 1 is globally attractive, like the regulation condition ‘trackingerror = 0’ of standard control theory. Namely the system should eventuallyreach and remain in this subset from any initialization and in the absence offurther disturbances. In the absence of disturbances (e.g. leaks or cooling)a trivial plant model shows the attractive state is (1,1) because, when onceu = 1, the condition u = 1 is maintained until x2 = 1. If x2 = 1 thenx1 = 1 (by the plant model) and, again by the plant model, in the absenceof disturbances x2 just remains at 1. So one has to think of the plant modelas autonomous except for occasional disturbances, which are then fully cor-rected, just as in regulation theory. The effect of a disturbance is just tomove the plant to some arbitrary initial state. Thus the (undisturbed) plantmodel has to say that if x1 = 0 and u is kept at 1 then eventually x1 = 1; ifx1 = 1 and u is kept at 1 then eventually x2 = 1; and if once x2 = 1 then(regardless of u) x2 = 1 always. One could get u to turn off when x2 = 1by considering that u is controllable (can be disabled) and introducing anoverflow condition that is to be prohibited.

In the neutralization process, the assumptions are that temperature (resp.pH) always rises as long as the heater is ON (resp. the neutralizer valve isOPEN); and that level always rises (resp. falls) under appropriate valve con-ditions of OPEN or CLOSED. One then needs to prove that from the emptytank condition (or possibly other, disturbed, initial conditions) the targettemperature and pH are reached with level ≥ level1; and that subsequentlythe tank is emptied in an appropriate way. This could be done either withbrute force calculation or by analysis using logic and/or stability (e.g. Lia-punov) arguments. Considerations of this sort are explored in the currentlypopular area of hybrid (mixed discrete/continuous) systems.

Write a simulation program for the neutralization process, exploring var-ious plant models. Develop standard DES (generator/automaton) represen-tations, and investigate supervisory control and stability.

420 CHAPTER 7

Chapter 8

Supervision of VectorDiscrete-Event Systems

The state-based approach to DES supervisory control of Chapter 7 will beapplied to a class of models known as vector addition systems, which whenendowed with our standard control technology we call vector discrete-eventsystems (VDES). VDES offer a modeling option especially for systems in-corporating groups of similar entities (e.g. machines in a work cell) whichfor control purposes need not be individually distinguished; often in prac-tice such systems are equivalent to a synchronous product of buffers. VDESmay be represented graphically as Petri nets (PN); results from the extensivePN literature will be exploited to advantage. We further consider problemrestrictions under which an optimal supervisor itself admits a VDES repre-sentation, providing examples when this is or respectively is not the case.

8.1 Introduction

In this chapter we specialize the control theory of discrete-event systems de-veloped previously, to a setting of vector addition systems. We adopt thestate-based approach of Chapter 7. It is natural to enhance the abstract au-tomaton model by exploiting algebraic regularity of internal system structure

421

422 CHAPTER 8

when it exists. An obvious instance of such structure is arithmetic additivityover the integers. For example, the state of a manufacturing workcell mightbe the current contents of its buffers and the numbers of machines in vari-ous modes of operation: thus, when a machine completes a work cycle, thestatus vector of machines and the vector of buffer contents would be suit-ably incremented. Similar examples are furnished by various kinds of trafficsystems.

System modeling by vector addition systems is a long-standing technique,especially in the setting of Petri nets. For us, however, Petri nets will serveonly as a graphical representation tool, and we make little use of net theoryas such. Our treatment will be self-contained, using only elementary linearalgebra and integer programming.

We first develop the base model, then the feedback synthesis of control-invariant state subsets, along with the appropriate versions of controllability,observability and modularity. These results are illustrated by examples fromthe literature on manufacturing systems.

8.2 Vector Discrete-Event Systems

Let Z denote the integers ...,−1, 0, 1, ... and N the natural numbers 0, 1, 2, ....Let Zn (resp. Nn) denote the space of n-vectors (i.e. ordered n-tuples) withcomponents in Z (resp. N), along with vector addition, and scalar multipli-cation by integers (resp. natural numbers). In algebra, Zn so equipped is a‘module over the ring of integers’, not a vector space; nevertheless we shallloosely speak of its elements as ‘vectors’ and use vector space terminologyon grounds of familiarity. We shall employ the ‘direct sum’ operation ⊕ toform structures like Zn ⊕ Zm (≃ Zn+m under the obvious isomorphism) orNn ⊕ Zm. In such cases we may write x = x′ ⊕ x′′ to denote the decompo-sition of x into its natural projections onto the direct summands. If v is anarbitrary vector in some Zk, we write v ≥ 0 to mean that each componentof v is nonnegative, i.e. that in fact v ∈ Nk, thought of as embedded in Zk.

A vector discrete-event system (VDES) is a DES G = (X,Σ, ξ, x0, Xm)defined as in previous chapters (although we make a notational change toX from Q and to ξ from δ), but with vector structure, in the foregoingsense, attached to the state set X and transition function ξ. Thus in general

8.2 423

X = Nn ⊕ Zm, while ξ : X × Σ → X will always have the additive form:

ξ(x, σ) = x+ eσ

for some eσ ∈ Zn+m, the displacement vector corresponding to σ. Writingx = x′ ⊕ x′′ as above, we note that in general ξ will be a partial function,defined for just those (x, σ) pairs such that x′ ∈ Nn and (x+ eσ)

′ = x′+ e′σ ∈Nn, or briefly x′ ≥ 0, x′ + e′σ ≥ 0; however, no such restriction will applyto the second components x′′ and (x + eσ)

′′, in Zm. In particular if the Nn

summand is absent, so X = Zm, then ξ will be a total function. By theusual inductive definition, ξ is extended to strings s ∈ Σ∗, so from now onwe consider ξ : X × Σ∗ → X (pfn).

Let Σ be indexed as Σ = σ1, ..., σk and write ei for eσi. With X =

Nn ⊕ Zm as above, write p := n + m and regard x and the ei as (column)arrays of size p× 1. Bring in the matrix

E := [e1 · · · ek] ∈ Zp×k

the displacement matrix for G. Now consider strings s ∈ Σ∗. It will be usefulto count the occurrences of the various event symbols in s. For this define

V : Σ∗ → Nk : s 7→ [v1(s) · · · vk(s)] ∈ Nk×1

where vj(s) is the number of occurrences of σj in s. [Note that we maydisplay a column array as a row, to save space: the definition should resolveany ambiguity, and our vector-matrix operations will always be consistentwith the array definitions.] V (s) is the occurrence vector of s. V (·) canbe regarded as a morphism of monoids (Nk is an additive or commutative,monoid), with

V (ϵ) = 0 ∈ Nk, V (s1s2) = V (s1) + V (s2)

In this notation we have

ξ(x, s)! ⇒ ξ(x, s) = x+ EV (s)

The evaluation of ξ(x, s) depends just on x and V (s), but it makes senseonly when ξ(x, s) is defined. With X = Nn ⊕ Zm and x = x′ ⊕ x′′, ξ(x, s)!if and only if (x + EV (w))′ ≥ 0 for all w ≤ s, namely nonnegativity of theNn-projection is preserved for all prefixes of s. Thus it might well be that

424 CHAPTER 8

for certain x and s one has x′ ≥ 0 and (x + EV (s))′ ≥ 0, but for somew, ϵ < w < s, the nonnegativity condition fails; in that case, ξ(x, s) is notdefined.

Remark 1: A more general definition of VDES which might be preferredresults on strengthening the enablement conditions as follows. Suppose X =Nn. Given eσ ∈ Zn as before, let fσ ∈ Nn be any vector ≥ max0,−eσ(computed componentwise), and declare that ξ(x, σ)! iff x ≥ fσ. This willguarantee that x + eσ ≥ 0. Alternatively, one can pick vectors e+σ , e

−σ ∈ Nn

independently and define eσ := e+σ − e−σ , fσ := e−σ ; this is equivalent to theusual transition enablement definition for a Petri net allowing selfloops. Inthis chapter we use only the restricted definition corresponding to the choicefσ = −eσ. See, however, Exercise 8.8.2 for how a selfloop can be simulatedwhen it is needed.

As in Section 7.3, denote by L(G, x0) the closed behavior generated byG when initialized at state x0 ∈ X:

L(G, x0) := s ∈ Σ∗|ξ(x0, s)!

The following exercise illustrates a modeling limitation of VDES, namelynot all finite-state generators can be so represented, in the sense of closedbehavior equivalence.

Exercise 2: Consider the DES G in Fig. 8.1. Show that there exists no‘generalized’ VDES H (cf. Remark 1) such that L(H, x0) = L(G).

20

0

1

Fig. 8.1. DES G (all states considered marked)

Exercise 3: Let G be a VDES with no selfloops, state set X = Nn, andmatrix description

x(s) = x0 + EV (s)

8.3 425

for x0 ∈ X, s ∈ L(G, x0). Here E ∈ Zn×m, V ∈ Nm×1. Borrowing theterminology of Petri nets, define G to be structurally bounded if, for everychoice of initial state x0 ∈ X, there is an integer b such that |x(s)| ≤ bfor all s ∈ L(G, x0), where e.g. |x| := max|x1|, ..., |xn|. Prove that G isstructurally bounded iff there exists c = [c1 · · · cn] ∈ N1×n with all ci > 0,such that cE ≤ 0 (i.e. the vector cE ∈ Z1×m has each component ≤ 0). Inthis case obtain an estimate of b. Extend your result to ‘generalized’ VDESwith selfloops in the sense of Remark 1. Hint: Proof of the ‘if’ statement isstraightforward; for the deeper ‘only if’ statement you will need the following‘alternative’ theorem from linear inequalities.

Theorem 4The dual systems (over Z)

t ≥ 0, Et ≥ 0; cE ≤ 0, c ≥ 0

possess solutions t∗ and c∗ for which the following alternative holds:

either Et∗ = 0 or c∗ > 0

2

Use this theorem to show that if the required vector c fails to exist thenG is not structurally bounded.

Finally, prove that if G is structurally bounded, with vector c > 0 asabove, then

xi(s) ≤ cx0/ci , s ∈ L(G, x0), i = 1, ..., n

If bi := ⌊cx0/ci⌋ (i = 1, ..., n), show how to represent G as the synchronousproduct of n buffers B1, ...,Bn, where the capacity of Bi is bi. [Notation: forr ∈ R and r ≥ 0, ⌊r⌋ := maxk ∈ N|k ≤ r.] Thus a structurally boundedVDES in Nn is nothing other than the synchronous product of n buffers,one for each state component. This representation can be used to check, forinstance, whether the given VDES is nonblocking.

8.3 VDES Modeling

Example 1: FACT#1

426 CHAPTER 8

Consider a factory consisting of 10 machines, each a DES modeled overthe alphabet Σ = α, β, λ, µ in the usual way, and displayed as a Petri netin Fig. 8.2. We do not distinguish the machines individually, being interestedonly in the numbers resident in the three state components indexed 1, 2, 3corresponding respectively to Idle, Working, Down. The state of the fac-tory is then x ∈ N3, with xi ≥ 0 and x1 + x2 + x3 = 10. If it is assumedthat two or more machines never make a transition simultaneously, then thepossible transitions are x 7→ x+ eσ (σ ∈ Σ), with

E = [eα eβ eλ eµ] =

−1 1 0 11 −1 −1 00 0 1 −1

Thus the effect, if any, of each event on a state component is just to incrementor decrement it by 1. The initial state could be taken as x0 = [10 0 0] ∈ N3×1

and a transition is defined if and only if the condition x ≥ 0 is preserved.

β

α

I

W Dλ

µ

x1

x2 x3

Fig. 8.2. Petri net representation of factory, where denotes a ‘place’ and

denotes a labeled transition.

Note that, at the expense of additional notation, it would be quite straight-forward to model the occurrence of compound events, defined as the simul-taneous execution of individual events by distinct machines. Just as before,a compound event would be represented by a suitable displacement vectorand restricted by the appropriate nonnegativity condition. For example, ifeither two or three events α could occur together, label these simultaneousevents α2, α3 and bring in the corresponding displacements

eα2 = [−2 2 0], eα3 = [−3 3 0]

8.3 427

The corresponding transitions are defined just in case, respectively, x1 ≥ 2or x1 ≥ 3.

Example 2: FACT#2By augmenting the state of FACT#1 one can bring in ‘memory’ to

record features of past behavior. For instance, let

x4 := # workpieces produced

= # occurrences of event β since initialization

Thus x4 models a counter for β, with initially x4 = 0. Making this extensionto FACT#1 yields the new state space X = N4 and displacement matrixfor FACT#2:

E =

−1 1 0 11 −1 −1 00 0 1 −10 1 0 0

Note that x4 may grow without bound as the process evolves, although inan application one might impose a control specification such as x4 ≤ 100,perhaps to respect the capacity of a storage buffer.

Example 3: FACT#3We extend FACT#2 to allow a count of the excess of successful work

cycles over machine breakdowns, defining x5 := #β−#λ (where #σ denotesthe number of occurrences of σ since initialization). Now we must allowx5 ∈ Z and take for the new state space X = N4 ⊕ Z. Then, for instance,

eβ = [1 − 1 0 1 1], eλ = [0 − 1 1 0 − 1] ∈ Z5×1

and the reader will easily construct E.

Remark 4: Simultaneous eventsWe generalize the remark at the end of Example 1 as follows. Regard

the event set Σ = σ1, ..., σm as a basis set of simple events for the gener-ation of compound events, defined as arbitrary formal linear combinationsσ(r1, ..., rm) := r1σ1+ · · ·+ rmσm, where the rj ∈ N (thus any simple event iscompound). The full event set, including the null event, is now the set of allcompound events. The interpretation of a compound event is just that rj ≥ 0instances of σj occur simultaneously, for all j = 1, ...,m. In Example 1, an

428 CHAPTER 8

event 2α + 3β + λ + 3µ would mean that simultaneously 2 machines startwork, 3 end work successfully, 1 breaks down and 3 complete repair. Intuitionsuggests that this only makes sense if we imagine a small time delay betweenthe ‘beginning’ of a compound event and its ‘termination’, so the foregoingevent can occur only if the state vector satisfies x ≥ [2 3 + 1 3] = [2 4 3].In general for σ ∈ Σ write ej := eσj

, e−j := max−ej, 0, and declare thatξ(x, σ(r1, ..., rm))! iff x ≥ r1e

−1 + · · ·+ rme

−m, in which case

ξ(x, σ(r1, ..., rm)) := x+ r1e1 + · · ·+ rmem

In this chapter we prohibit (nonsimple) compound events, albeit they aresometimes of interest in applications, especially in problems of mutual exclu-sion.

Exercise 5: Show that in Example 1, σ(r1, r2, r3, r4) is enabled only if r1 +r2 + r3 + r4 ≤ 10, so the set of compound events that can actually occuris finite. Exactly how many are there? Find a general formula for the caser1 + · · ·+ rk ≤ N .

Exercise 6: With ξ(x, s) = x + EV (s) whenever ξ(x, s)!, and E ∈ Zn×k,interpret solutions t ∈ Zk×1 of Et = 0, and solutions p ∈ Z1×n of pE = 0.In the terminology of Petri nets, such t are ‘transition invariants’ and p are‘place invariants’. For an application of the latter see Exercise 8.13.20.

8.4 Linear Predicates

It will be appropriate to require of predicates on X that they be compatiblewith the algebraic setting, in particular that they be generated by basicpredicates that are ‘linear’ in the state. Such predicates occur commonlyin the applications: e.g. in conditions like ‘either x1 ≤ 5 or x2 > 10’. Forsimplicity of notation consider that X = Zn (if X has a component Nm thenembed Nm ⊆ Zm). Our basic predicates P will be those that distinguishstate subsets XP ⊆ X of the form

XP := x = [x1 · · · xn] ∈ Zn|a1x1 + · · ·+ anxn ≤ b

where a1, ..., an, b ∈ Z. Representing a ∈ Z1×n (a row array) and x ∈ Zn×1

(a column array), we have succinctly,

XP = x ∈ X|ax ≤ b

8.5 429

or

x |= P iff ax ≤ b

Call such P a linear predicate on X and denote by Predlin(X) the corre-sponding subset of Pred(X). Finally, let Predlin(X) be the Boolean clo-sure of Predlin(X), namely the smallest subset of Pred(X) that containsPredlin(X) and is closed under the Boolean operations ¬, ∧ and ∨. Wehave P ∈ Predlin(X) if and only if P can be built up by applying theBoolean operations a finite number of times to a finite number of predicatesin Predlin(X). Thus P = (x1 ≤ 5) ∨ (¬(x2 ≤ 10)) for the example above.

Exercise 1: If X = Nn ⊕ Zm and S ⊂ X is a finite subset, show that thepredicate P = (x ∈ S) belongs to Predlin(X).

Exercise 2: Show that Predlin(X) is a proper Boolean subalgebra of Pred(X).

8.5 State Feedback and Controllability of VDES

In this section we exemplify for VDES the definitions and results of Sec-tion 7.4. Recalling FACT#2 in Section 8.3 let us assume that items pro-duced (on occurrence of event β) are placed in a buffer of capacity 100. Toprevent possible buffer overflow we must maintain the control specification

# free slots in buffer ≥ # machines working

or 100− x4 ≥ x2, i.e. the linear predicate

SPEC := (x2 + x4 ≤ 100)

Assume Σc = α. Now SPEC is true under the initial condition x0 =[10 0 0 0]. It is easily seen that SPEC is maintained true provided α isenabled only if SPEC holds with positive slack, i.e. when x2+x4 < 100. Forthis define SFBC f : X × Σ → 0, 1 according to

fα(x) =

1 if x2 + x4 < 1000 otherwise

430 CHAPTER 8

Exercise 1: Draw a graph with vertical axis x2 + x4, and horizontal axis‘real’ time marked with the quasi-random instants of successive events, cor-responding to the string ααβαλαµβλ.... Next, assuming the process has runlong enough to approach the ‘control boundary’ x2 + x4 = 100, generate astring to display (on a similar graph) the action of the SFBC f .

Exercise 2: Reasoning ad hoc, show that f enforces SPEC with minimalrestriction placed on the behavior of FACT#2.

We shall be using the theory of Section 7.4 to solve problems of theforegoing type systematically. We begin by illustrating reachability and con-trollability for VDES.

Example 3: FACT#4We simplify FACT#2 by eliminating the breakdown/repair feature, tak-

ing Σ = α, β, Σc = α as shown in Fig. 8.3. In FACT#4 X = N3, withx = [x1 x2 x3] ∈ N3×1; x1, x2 are the number of machines idle (I) and working(W ) respectively; x3 is the number of occurrences of β since initialization;and the initial state is x0 = [10 0 0]. Thus

E = [eα eβ] =

−1 11 −10 1

β

α

x1

x2

x3

Fig. 8.3

We first consider the predicate P ∈ Pred(X) given by

x |= P iff (x1 + x2 = 10) & (x3 ≤ 100)

8.5 431

P amounts to our previous buffer constraint, conjoined with the ‘obvious’invariant on the total number of machines in the system, included here fortechnical convenience.

To investigate whether P is controllable, we start by checking the condi-tion

P ⪯ R(FACT#4, P ) (?)

Let x |= P , i.e. x = [10− j j k] for some j, k : 0 ≤ j ≤ 10, 0 ≤ k ≤ 100. Weattempt to construct a string that will lead FACT#4 from x0 to x whilepreserving P . For instance, let s := (αβ)kαj, corresponding to k successfulwork cycles followed by j machine transitions from I to W . It is clear thatx = ξ(x0, s)!. We claim:

(∀w ≤ s)y := ξ(x0, w)! & y |= P

In fact it is easy to verify ξ(x0, w)! and y |= P for strings w of each of theprefix types

w = (αβ)l, 0 ≤ l ≤ k − 1w = (αβ)lα, 0 ≤ l ≤ k − 1w = (αβ)kαl, 0 ≤ l ≤ j

This proves the claim, and thus (?) above. Next we check

(∀σ ∈ Σu)P ⪯Mσ(P ) (??)

Let σ = β and x = [9 1 100]. We have x |= P , ξ(x, β)! and

y := ξ(x, β) = x+ eβ = [10 0 101]

Since not y |= P , (??) fails, so P is not controllable.

Exercise 4: Explain intuitively why P is not controllable, i.e. how P mightfail under the occurrence of an uncontrollable event.

Now consider the alternative predicate Q ∈ Pred(X) given by

x |= Q iff (x1 + x2 = 10) & (x3 ≤ 100− x2)

In this case x |= Q iff x = [10− j j k] where 0 ≤ j ≤ 10, 0 ≤ k ≤ 100− j.Taking s = (αβ)kαj we verify x |= R(G, Q) as shown above for P . To check

432 CHAPTER 8

Q ⪯Mβ(Q) observe that

ξ(x, β)! iff x+ eβ ≥ 0

iff [10− j + 1 j − 1 k + 1] ≥ 0

iff j ≥ 1

i.e. x must satisfy

0 ≤ k ≤ 100− j, 1 ≤ j ≤ 10

and theny := ξ(x, β) = [10− l l m]

where l = j − 1, m = k + 1. Since 0 ≤ l ≤ 9 and

0 ≤ m ≤ 1 + (100− j) = 1 + (100− (l + 1)) = 100− l

we get that y |= Q. It follows that Q is controllable.According to Theorem 7.4.1 the controllability of Q guarantees the ex-

istence of a SFBC f such that Q = R(f/FACT#4), and in fact the proofshowed that f can be defined by

fσ :=Mσ(Q), σ ∈ Σc

With Σc = α we get

fα(x) = 1 iff either not ξ(x, α)! or ξ(x, α)! & ξ(x, α) |= Q

Now

ξ(x, α)! iff x+ eα ≥ 0

iff [10− j j k] + [−1 1 0] ≥ 0

iff [10− j − 1 j + 1 k] ≥ 0

iff (−1 ≤ j ≤ 9) & (k ≥ 0)

For ξ(x, α) |= Q we then require

0 ≤ k ≤ 100− (j + 1)

or

fα(x) = 1 iff either j = 10 or (j ≤ 9) & (0 ≤ k ≤ 100− (j + 1))

8.6 433

For instance, this control would enable α if j = 0 and k ≤ 99, but disableα if j = 1 and k = 99. Notice that the SFBC synthesizing Q is far fromunique: for instance, there is no need to enable α if j = 10, as there are thenno machines idle. It is clear that the way fσ(x) is defined when not ξ(x, σ)!may in principle be arbitrary.

From these examples it appears that direct calculation of reachable setscan become rather involved, even for the simplest VDES models. On theother hand, as far as P -invariance is concerned, the calculation need be doneonly along sequences of uncontrollable events. In the next section we explorethis issue in more detail.

8.6 Reachability and Loop-Freeness

Let G = (X,Σ, ξ, x0, Xm) be a VDES. In later application of the results ofthis section, G will be taken as ‘the uncontrollable subsystem of the plant’,to be defined in due course. For now, we focus generally on how the compo-nents of the vector x are successively incremented and decremented under theoccurrence of events. Let X = Zn and x = [x1 · · · xn]. This coordinatizationof X will be fixed and the subsequent definitions will depend on it. The cor-responding displacement vectors will be written eσ = [eσ(1) · · · eσ(n)], withthe eσ(i) ∈ Z. Write I = 1, ..., n and for σ ∈ Σ define

σ↑ := i ∈ I|eσ(i) < 0σ↓ := i ∈ I|eσ(i) > 0

Thus for i ∈ σ↑ the components xi of x are negatively incremented (i.e.positively decremented) by the occurrence of σ, while for i ∈ σ↓ the xi arepositively incremented. The index subsets σ↑ (resp. σ↓) can be visualizedas (labeling) the components of x that are ‘upstream’ (resp. ‘downstream’)from σ; the σ↑-labeled x-components act as ‘source’ state variables for σ,while the σ↓ act as ‘sinks’. Dually, for i ∈ I define

i↑ := σ ∈ Σ|eσ(i) > 0i↓ := σ ∈ Σ|eσ(i) < 0

The occurrence of an event σ ∈ i↑ positively increments xi, i.e. σ acts asa source for xi; while σ ∈ i↓ negatively increments xi, i.e. σ acts as a sink

434 CHAPTER 8

for xi. Dually again, i↑ (resp. i↓) represents the subset of events that areimmediately upstream (resp. downstream) from the state component xi.Notice that our notation is necessarily unsymmetrical. With state variables,we need to distinguish between (a) the component index (i), standing for thecomponent ‘xi’ as a fixed symbol for a state variable in the ordered n-tuple ofstate variables, and (b) the (current) value assumed by the state variable xi,an integer subject to incremental change as the process evolves. For events(labeled) σ no such distinction is applicable.

Observe that i ∈ σ↑ (resp. σ↓) if and only if σ ∈ i↓ (resp. i↑).Let τ1, ..., τk be a list of elements from Σ, possibly with repetitions, and

let [i1 · · · ik] be a similar list from I. The interleaved list L := [τ1 i1 · · · τk ik]will be called a loop in G if

τ1 ∈ i↓1, ..., τk ∈ i↓k

andi1 ∈ τ ↓2 , i2 ∈ τ ↓3 , ..., ik−1 ∈ τ ↓k , ik ∈ τ ↓1

Equivalently the loop relations can be displayed as

i1 ∈ τ ↓2 , τ2 ∈ i↓2, ..., ik−1 ∈ τ ↓k , τk ∈ i↓k, ik ∈ τ ↓1 , τ1 ∈ i↓1

If no loop in G exists, G is loop-free.Bring in the state-variable source subset

I↑ := I −∪

σ↓|σ ∈ Σ

Thus for i ∈ I↑, xi is never positively incremented by the occurrence of anevent, namely xi can only stay constant or decrease in value as the DES Gevolves.

Lemma 1Assume Σ = ∅. If G is loop-free then for some σ ∈ Σ, σ↑ ⊆ I↑.

ProofSuppose the contrary, namely

(∀σ ∈ Σ)σ↑ − I↑ = ∅

Pick τ1 ∈ Σ arbitrarily and let i1 ∈ τ ↑1 − I↑. Then i1 ∈ I↑ implies thati1 ∈ τ ↓2 for some τ2 ∈ Σ. Since τ ↑2 − I↑ = ∅, we pick i2 ∈ τ ↑2 − I↑, and

8.6 435

then i2 ∈ τ ↓3 for some τ3 ∈ Σ. Continuing this process we obtain a sequenceτ1, i1, τ2, i2, ..., τj, ij, ... such that

ij ∈ τ ↑j ∩ τ ↓j+1, j = 1, 2, ...

or equivalently

τj ∈ i↓j , ij ∈ τ ↓j+1, j = 1, 2, ...

Since the index set I is finite (|I| = n) we may select the least j > 1, sayj = k + 1 (k ≥ 1), such that ij = il for some l < j, and without loss ofgenerality assume l = 1. Then we have

i1 ∈ τ ↓2 , τ2 ∈ i↓2, ..., ik−1 ∈ τ ↓k , τk ∈ i↓k, ik ∈ τ ↓k+1, τk+1 ∈ i↓1

This states that

L := [τk+1 i1 τ2 i2 · · · τk ik]

is a loop in G, contrary to hypothesis. 2

We shall need the idea of a ‘subsystem’ of G obtained by picking out asubset of the components of the state vector and a subset of events. With Ias before, let I ⊆ I, and let Σ ⊆ Σ. The corresponding subsystem G of G is

G := (X, Σ, ξ, x0, Xm)

where X, x0, Xm are the natural projections of X, x0, Xm on the componentswith indices in I, and ξ is the restriction of ξ:

ξ : X × Σ → X : (x, σ) 7→ x+ eσ (pfn)

With σ ∈ Σ we declare ξ(x, σ)! whenever ξ(x, σ)! for some x with projectionx. For instance, if X = Nm, ξ(x, σ)! provided x ≥ 0 and x+ eσ ≥ 0. Thus Gis indeed a VDES.

Recall the definition of the closed behavior generated by G correspondingto initialization at an arbitrary state x:

L(G, x) := s ∈ Σ∗|ξ(x, s)!

Lemma 2

436 CHAPTER 8

Let G be a subsystem of G obtained by removing one or more elementsof Σ, but keeping X = X. Let s ∈ L(G, x), x′ := ξ(x, s), and s ∈ Σ∗. Then

s ∈ L(G, x′) iff ss ∈ L(G, x)

2

Lemma 3Let X = Nn, σ ∈ Σ, k ∈ N. Then

x+ keσ ≥ 0 ⇒ σk ∈ L(G, x)

ProofThe statement is true for k = 0. Assume inductively that it is true for

k ≤ l, and let x+ (l + 1)eσ ≥ 0. Clearly

x′ := x+ leσ ≥ 0

so σl ∈ L(G, x) and x′ = ξ(x, σl)!. Also x′ + eσ ≥ 0 implies ξ(x′, σ)!, soσl+1 ∈ L(G, x), as required. 2

Lemma 4Let X = Nn, x ∈ X and x + Σkσeσ|σ ∈ Σ ∈ X for some kσ ∈ N. For

some τ ∈ Σ assume τ ↑ ⊆ I↑. Then x+ kτeτ ∈ X.

ProofIf i ∈ I↑ then Σkσeσ(i)|σ = τ ≤ 0, so that

xi + kτeτ (i) ≥ xi + Σkσeσ(i)|σ ∈ Σ ≥ 0

If i ∈ I↑ then i ∈ τ ↑, so kτeτ (i) ≥ 0, and again xi + kτeτ (i) ≥ 0. 2

For the remainder of this section we assume Σ = σ1, ..., σm and thatX = Nn, namely all states x satisfy x ≥ 0. Recalling from Section 8.2 thedefinition of the occurrence vector V (·), we know that for s ∈ Σ∗, x ∈ X,

s ∈ L(G, x) ⇒ ξ(x, s) = x+ EV (s) ≥ 0

Our main result states that, under the condition of loop-freeness, this impli-cation can be reversed.

8.7 437

Theorem 5Assume G is loop-free. Then for every x ∈ Nn×1 and v ∈ Nm×1,

(∃s ∈ L(G, x))V (s) = v iff x+ Ev ≥ 0

Proof(Only if) The result is immediate by ξ(x, s)! and ξ(x, s) = x+ EV (s).(If) Let x ≥ 0, v ≥ 0, x+Ev ≥ 0. We may write v(i) for vi if convenient.

By Lemma 1, σ↑ ⊆ I↑ for some σ ∈ Σ, say σ1. Lemma 4 (with kσ = vσ)

yields x+v1e1 ≥ 0. With s1 := σv(1)1 Lemma 3 gives s1 ∈ L(G, x), so ξ(x, s1)!

and x1 := ξ(x, s1) ≥ 0. Let G be the subsystem of G obtained by removingσ1 (but keeping X = X), so Σ := Σ − σ1. Let I↑ be the state-variablesource subset for G. It is clear that G loop-free implies G loop-free, so (ifΣ = ∅) we pick σ ∈ Σ, say σ = σ2, with σ

↑ ⊆ I↑. Now we have

x1 +m∑i=2

vieσi= x+

m∑i=1

vieσi= x+ Ev ≥ 0

By Lemma 4, x1 + v2eσ2 ≥ 0; Lemma 3 gives s2 := σv(2)2 ∈ L(G, x1), and by

Lemma 2, s1s2 ∈ L(G, x). So x2 := ξ(x, s1s2)! and x2 ≥ 0. Continuing inthis way we get finally

s := s1s2 · · · sm ∈ L(G, x)

withsi = σ

v(i)i , i = 1, ...,m

and V (s) = v. 2

Exercise 6: Show that the assumption in Theorem 5 that G is loop-freecannot be dropped altogether if the stated conclusion is to hold. Also showthat the conclusion may hold in some cases where G is not loop-free.

8.7 Loop-Freeness and Optimal Control

Let G be a VDES as before, with X = Nn. In this section we apply The-orem 8.6.5 to obtain an (often) efficient way to compute SFBC ‘online’,

438 CHAPTER 8

whenever the specification predicate is linear, and G satisfies a conditionof loop-freeness. Formally, let Σ = Σu, X = X and define Gu (:= G) to bethe uncontrollable subsystem of G. Let P ∈ Predlin(X), with

x |= P iff ax ≤ b

for some a ∈ Z1×n, b ∈ Z. We arrange the indexing so that Σu = σ1, ..., σm,with

Eu = [e1 · · · em] ∈ Zn×m

We write |s|i to denote the number of occurrences of σi in s, and for s ∈ Σ∗u

bring in the occurrence vector

Vu(s) := [|s|1 · · · |s|m] ∈ Nm×1

Recalling the characterization supCP(P ) = R(G, ⟨P ⟩) of Proposition 7.4.3,our first task is to calculate ⟨P ⟩. Using the fact that L(Gu, x) is prefix-closed,we have that

x |= ⟨P ⟩ iff (∀s ∈ L(Gu, x))ξ(x, s) |= P

iff (∀s ∈ L(Gu, x))x+ EuVu(s) |= P

iff (∀s ∈ L(Gu, x))ax+ aEuVu(s) ≤ b

iff ax+maxaEuVu(s)|s ∈ L(Gu, x) ≤ b

In general the indicated maximization problem may be intractable, a factwhich makes the following result especially interesting.

Proposition 1If Gu is loop-free, then x |= ⟨P ⟩ if and only if

ax+ cv∗(x) ≤ b

Here c := aEu ∈ Z1×m, and v∗(x) is a solution of the integer linear program-ming problem:

cv = maximum

with respect to v ∈ Zm×1 such that v ≥ 0 and Euv ≥ −x.

ProofBy Theorem 8.6.5 applied to Gu,

Vu(s)|s ∈ L(Gu, x) = v ∈ Nm|x+ Euv ≥ 0

8.7 439

ThereforemaxaEuVu(s)|s ∈ L(Gu, x) = cv∗(x)

and the result for ⟨P ⟩ follows as claimed. 2

We can now provide our final result, on computation of the optimal con-trol.

Theorem 2Assume Gu is loop-free. An optimal SFBC f ∗, if one exists, enforcing the

linear predicate P := (ax ≤ b), is given for σ ∈ Σc by the formula:

f ∗σ(x) =

1 if ξ(x, σ)! & axnew + cv∗(xnew) ≤ b (where xnew := x+ eσ)0 otherwise

Furthermore, f ∗ so defined is balanced.

ProofThe fact that f ∗ optimally enforces P follows immediately from Sec-

tion 7.4 and Proposition 1. The property that f ∗ is balanced results byconstruction: f ∗

σ(x) = 1 whenever both x ∈ R(G, ⟨P ⟩) and ξ(x, σ)! withξ(x, σ) ∈ R(G, ⟨P ⟩). 2

We remark that ξ(x, σ)! just when xnew ≥ 0, by VDES dynamics. If notξ(x, σ)! then f ∗

σ(x) can in principle be defined arbitrarily.

Corollary 3Assume Gu is loop-free. An optimal SFBC f ∗ exists iff

ax0 + cv∗(x0) ≤ b

If this condition fails, then no SFBC exists for G that enforces P .

ProofBy the results of Section 7.4 an optimal control f ∗ exists iff supCP(P ) =

false, and this is true iff x0 |= supCP(P ). Since supCP(P ) = R(G, ⟨P ⟩), f ∗

exists iff x0 |= ⟨P ⟩, and the assertion follows by Proposition 1. 2

Exercise 4: For a given VDES G, suppose Gu is not loop-free, but youdecide to use the integer linear programming method of Theorem 2 anyway,because it is computationally convenient. Could such a control design violate

440 CHAPTER 8

the specification? Either prove it could not or find an example to show thatit may. If it does not, its only fault might be that it is overly conservative.In that case, create an example to illustrate.

8.8 Example: FACT#5

We consider the small factory with Petri net shown below, where a group of10 input machines feeds a buffer, which in turn supplies a group of 5 machinesat the output. Let I1,W1, D1 denote the numbers of input machines in stateI, W , D, with a similar notation for output machines, and let B denote thenumber of items in the buffer. We define the state vector x as

x := [I1 W1 D1 I2 W2 D2 B] ∈ N7×1

withx0 = [10 0 0 5 0 0 0]

β1

α1

I1

W1 D1λ1

µ1

input machines

β2

α2

I2

W2 D2λ2

µ2

output machinesbuffer

B

Fig. 8.4. Petri net for FACT#5

Listing the events in order (α1, β1, λ1, µ1, α2, β2, λ2, µ2) we get the displace-ment matrix E ∈ Z7×8 displayed below.

8.8 441

α1 β1 λ1 µ1 α2 β2 λ2 µ2

I1 −1 1 0 1 0 0 0 0W1 1 −1 −1 0 0 0 0 0D1 0 0 1 −1 0 0 0 0I2 0 0 0 0 −1 1 0 1W2 0 0 0 0 1 −1 −1 0D2 0 0 0 0 0 0 1 −1B 0 1 0 0 −1 0 0 0

Taking Σu = β1, λ1, β2, λ2 and extracting the corresponding submatrix ofE results in

Eu =

1 0 0 0−1 −1 0 00 1 0 00 0 1 00 0 −1 −10 0 0 11 0 0 0

∈ Z7×4

It is easy to check – for instance by inspection of its Petri net – that Gu isloop-free.

Assume that the buffer capacity is 100, and that we undertake to preventoverflow, namely to enforce the predicate Pover := (ax ≤ b), where

a := [0 0 0 0 0 0 1] ∈ Z1×7, b := 100

This givesc := aEu = [1 0 0 0] ∈ Z1×4

Writing v := [v1 v2 v3 v4] ∈ Z4×1, we attempt to maximize cv = v1, subjectto v ≥ 0 and Euv ≥ −x. With x = [x1 · · · x7] ∈ N7×1 the constraints become

v1 ≥ −x1−v1 − v2 ≥ −x2

v2 ≥ −x3v3 ≥ −x4

−v3 − v4 ≥ −x5v4 ≥ −x6v1 ≥ −x7

442 CHAPTER 8

together with v ≥ 0. All but the second and fifth of these conditions areenforced by VDES dynamics, which maintain x ≥ 0. Thus the effectiveconstraints reduce to

v1 ≥ 0, v2 ≥ 0, v1 + v2 ≤ x2, v3 + v4 ≤ x5

Clearly v1 is maximized at v1 = x2, v2 = 0, v3 = ω, v4 = ω, where ω denotes‘don’t care’. For α1 the optimal control defined in Section 8.7 is therefore

f ∗α1(x) = 1 iff axnew + cv∗(xnew) ≤ b (xnew := x+ eα1)

iff (x7)new + (x2)new ≤ 100

iff x7 + (x2 + 1) ≤ 100

iff x2 + x7 ≤ 99

In words, α1 is enabled if and only if the number of input machines at workplus the current buffer content is at most one less than the buffer capacity,and this is obviously intuitively correct.

Exercise 1: Under the same assumptions, investigate how to prevent bufferunderflow, namely enforce

Punder := (x7 ≥ 0) = (−x7 ≤ 0)

Following a similar procedure for α2, verify that optimal control enables α2

in all states, namely the only enablement condition for the occurrence of α2

is ξ(x, α2)!, or (x4 ≥ 1) & (x7 ≥ 1), and this is enforced automatically byVDES dynamics.

Exercise 2: Selfloop simulationConsider the additional specification that no input machine should be

repaired (i.e. µ1 is disabled) as long as some output machine is broken down.Writing #σ for the number of occurrences of event σ since initialization, wehave for the number of output machines broken down,

D2 = x6 = #λ2 −#µ2

Since µ1 must be disabled if D2 > 0, and up to I2(0) = x4(0) = 5 outputmachines can be down at one time, D2 > 0 means C := 5 − D2 < 5. Thisspecification can be modeled using a ‘VDES with selfloop’ as displayed bythe Petri net in Fig. 8.5.

8.8 443

0

5 0λ1µ1

C5

5

λ2

µ2

D2

D1

Fig. 8.5

To incorporate this specification in our standard model of VDES (from whichselfloops are excluded) one may interpose a new coordinate V and uncon-trollable transition ν as in Fig. 8.6.

V

ν

µ1

5

5

50 C

Fig. 8.6

At first glance this device may seem unrealistic, since when C = 0 and V = 1,following an occurrence of µ1, the (uncontrollable!) event λ2 will be disabledpending the occurrence of ν. Recall, however, that no timing constraints areimposed, so ν can be assumed to occur arbitrarily soon after its enablement.

(a) More formally, consider the configuration of Fig. 8.5, defined as a ‘gen-eralized’ VDES, say G, in the sense of Remark 8.2.1. Take for the statevector and initial condition

x = [D1 D2 C], x0 = [0 0 5]

444 CHAPTER 8

and for the alphabet λ1, µ1, λ2, µ2. The enablement conditions forλ1, λ2, µ2 are just as in a standard VDES, while for µ1 we define vectors

e+µ1= [0 0 5], e−µ1

= [1 0 5], eµ1 = [−1 0 0]

and the enablement condition x ≥ e−µ1. With the semantics of G now

well-defined, let L(G) be the corresponding closed behavior, of courseover λ1, µ1, λ2, µ2. Next define a VDES H by incorporating Fig. 8.6into Fig. 8.5. The state vector and initial condition of H can be takenas

x = [D1 D2 C V ] ∈ Z4×1, x0 = [0 0 5 0]

and the alphabet as λ1, µ1, λ2, µ2, ν. The displacement matrix E isthen

E =

1 −1 0 0 00 0 1 −1 00 −5 −1 1 50 1 0 0 −1

With the semantics that of a standard VDES, let the closed behaviorbe L(H). Finally, if P : λ1, µ1, λ2, µ2, ν∗ → λ1, µ1, λ2, µ2∗ is thenatural projection (erasing ν), show that L(G) = PL(H).

(b) With FACT#5 redefined as a new VDES by incorporating the addi-tional structure of the VDES H, in part(a), re-solve for the optimalcontrol to prevent buffer overflow, and compare the result with thecontrol law found in the earlier part of this section.

8.9 Memory and Dynamic State Feedback Con-

trol for VDES

We now apply to VDES the constructions of Section 7.6. As in Section 8.8assume that the plant VDES G has state set Nn. To G we shall adjoin aVDES H = (Y,Σ, η, y0, Y ), and in view of the vector structures write G⊕Hfor the ‘direct sum’ VDES:

G⊕H = (X ⊕ Y,Σ, ξ ⊕ η, x0 ⊕ y0, Xm ⊕ Y )

8.9 445

Typically the state vector y ∈ Y will play the role of a memory variable (asdistinct from a material variable like ‘numbers of machines’), and so we shalltake Y = Zp for some p > 0. The displacement vector for H correspondingto σ will be denoted by hσ ∈ Zp×1; the corresponding displacement vector inG⊕H is eσ ⊕ hσ ∈ Z(n+p)×1, with

(ξ ⊕ η)(x⊕ y, σ)! iff ξ(x, σ)! iff x+ eσ ≥ 0

In other words, the memory H places no additional ‘physical’ constraint onthe transitions of G⊕H.

As before let Σ = σ1, ..., σm. We define a linear dynamic predicate tobe an element Pdyn ∈ Predlin(Nm):

v = [v1 · · · vm] |= Pdyn iffm∑i=1

civi ≤ d

where the ci and d ∈ Z, i.e.

v |= Pdyn iff d− cv ≥ 0

where c := [c1 · · · cm] ∈ Z1×m. For the behavior of G subject to Pdyn, bringin

L(G, Pdyn) := s ∈ L(G)|(∀w ≤ s)V (w) |= PdynWith Pdyn we associate the memory H as above, where

Y := Z, y0 := d, η(y, σi) := y − ci, (i = 1, ...,m)

It should now be clear that enforcing s ∈ L(G, Pdyn) is tantamount to en-forcing the predicate y ≥ 0 in G⊕H. Formally, define Psta ∈ Predlin(X⊕Y )according to

x⊕ y |= Psta iff − y ≤ 0

Then we have

Lemma 1L(G⊕H, Psta) = L(G, Pdyn)

2

By Lemma 1 and Theorem 7.6.1, we have the main result, in the notationof Section 7.6, as follows.

446 CHAPTER 8

Theorem 2Let f ∗ be an optimal SFBC enforcing Psta in G ⊕ H, and write F ∗ =

(f ∗,H). Then F ∗ is an optimal DSFBC for G relative to Pdyn, namely

L(F ∗/G) = supCG(L(G, Pdyn))

2

With a slight modification of the definition of Pdyn, the computationalresult of Section 8.8 will apply in the present situation as well; for an examplesee Section 8.11 below.

8.10 Modular Dynamic State Feedback Con-

trol for VDES

By following the scheme outlined at the end of Section 7.6 it is quite straight-forward to describe modular control of VDES, by adjoining a direct sumof memory VDES of the type H in the previous section. Again takingΣ = σ1, ..., σm, suppose we wish to enforce on the occurrence vector V (·)of G a predicate Pdyn ∈ Predlin(Nm) of conjunctive form:

v |= Pdyn iffk∧

i=1

(civ ≤ di)

where v ∈ Zm×1, ci ∈ Z1×m, di ∈ Z (i = 1, ..., k). For each conjunct Pdyn,i :=(civ ≤ di), construct memory Hi as in Section 8.9, and let F ∗

i := (f ∗i ,Hi) be

a corresponding optimal balanced DSFBC forG. It follows by Theorem 7.6.6that

F ∗ := f ∗1 ∧ · · · ∧ f ∗

k ,H1 ⊕ · · · ⊕Hkis then an optimal balanced DSFBC enforcing Pdyn on the behavior of G.

To conclude this section we restate for future reference the correspondencebetween VDES and conjunctive predicates.

Proposition 1For any predicate of form Pdyn there is a VDES H with state set Nk and

event set Σ such that

L(G) ∩ L(H) = L(G, Pdyn)

8.11 447

Dually for any VDES H with state set Nk and event set Σ (|Σ| = m) thereexists a predicate Pdyn on Nm such that the above equality is true.

ProofFor the first statement, apply the construction of Section 8.9 to each

conjunct of Pdyn. For the second statement, reverse the procedure: givenH = (Y,Σ, η, y0, Y ) with Y = Nk, y0 = [y01 · · · y0k], Σ = σ1, ..., σm andη(y, σ) = y + hσ (defined when y ≥ 0, y + hσ ≥ 0), write hσj

=: hj =[hj1 · · ·hjk] ∈ Zk×1 (j = 1, ...,m) and let

di := y0i, cij := −hji, (i = 1, ..., k; j = 1, ...,m)

Then define ci := [ci1 · · · cim] ∈ Z1×m (i = 1, ..., k), and finally

Pdyn :=k∧

i=1

(di − civ ≥ 0)

2

Thus each state variable of a VDES can be regarded as a ‘memory’ vari-able that records a weighted sum of event occurrence numbers. The initialand occurrence conditions of a VDES with state space Nk impose the re-quirement that all k memory state variables be maintained nonnegative. AVDES on Nk thus expresses the same language as a conjunction of lineardynamic specifications. Thus such a VDES can be used to provide a controlspecification in the first place.

8.11 Example: FACT#2

Returning to FACT#2 (Sections 8.3, 8.5), we attempt to enforce predicates

P1 := (x4 ≤ 100), P2 := (10 + #β ≥ 3#λ)

where #σ means the number of occurrences of σ in the string generated byG since initialization. P2 is supposed to limit the number of breakdowns,relative to the number of workpieces successfully processed; since breakdown(λ) is uncontrollable, this may require that eventually the process be shutdown.

448 CHAPTER 8

Following the procedure of Section 8.9, to represent P2 bring in the mem-ory

H = (Y,Σ, η, y0, Y )

with

Y := Z, Σ = α, β, λ, µ, y0 := 10

hα = 0, hβ = 1, hλ = −3, hµ = 0

where η(y, σ) = y + hσ. It is clear that in G ⊕H, the state variable y willrecord the quantity

y = 10 + #β − 3#λ

and P2 is tantamount to (y ≥ 0). The state vector of G⊕H is

x⊕ y = [x1 x2 x3 x4 y] ∈ N4 ⊕ Z

initialized at [10 0 0 0 10]. Note that the VDES dynamics for G ⊕ Hautomatically enforce only x ≥ 0, and not y ≥ 0. The full displacementmatrix is

E :=

−1 1 0 11 −1 −1 00 0 1 −10 1 0 00 1 −3 0

For the control design we wish to use integer linear programming as in

Section 8.7. To do so we must respect the assumption (cf. Theorem 8.6.5)that our VDES state variables remain nonnegative under the defined (anduncontrolled) dynamic transition action. Since the memory variable y ∈ Zis not thus constrained we first write it as the difference of two nonnegativevariables, say

y = y1 − y2

with y1 = 10 + #β, y2 = 3#λ. We now redefine

Y := N2, y :=

[y1y2

], Σ = α, β, λ, µ, y0 :=

[100

]hα =

[00

], hβ =

[10

], hλ =

[03

], hµ =

[00

]

8.11 449

with η(y, σ) = y + hσ ∈ N2 and P2 = (y1 − y2 ≥ 0). The new state vector ofG⊕H is

x⊕ y = [x1 x2 x3 x4 y1 y2] ∈ N6

initialized at [10 0 0 0 10 0]. Note that the VDES dynamics for G itselfautomatically enforce x⊕ y ≥ 0. The full displacement matrix is

E :=

−1 1 0 11 −1 −1 00 0 1 −10 1 0 00 1 0 00 0 3 0

∈ Z6×4

To start the design we note that (G ⊕ H)u is loop-free. Referring toSection 8.7, write Eu for the 6× 2 submatrix of E corresponding to events βand λ, i.e. columns 2 and 3. For P1, let

a = [0 0 0 1 0 0] ∈ Z1×6, b = 100

Thenc := aEu = [1 0] ∈ Z1×2

and we take v = [v1 v2] ∈ N2×1. We are to maximize cv = v1 subject tov ≥ 0 and Euv ≥ −(x⊕ y), i.e.

v1 ≥ 0, v2 ≥ 0,

v1 ≥ −x1, − v1 − v2 ≥ −x2, v2 ≥ −x3,v1 ≥ −x4, v1 ≥ −y1, 3v2 ≥ −y2

In view of xi ≥ 0, yj ≥ 0 by the dynamics of G⊕H, the effective constraintsare

v1 ≥ 0, v2 ≥ 0, v1 + v2 ≤ x2

from which we obtain the solution

v∗1 = x2, v∗2 = 0

As expected, the solution for P1 is independent of the memory element H.From Theorem 8.7.2 we get for the optimal control

f (1)∗α (x⊕ y) = 1 iff a(x⊕ y)new + cv∗((x⊕ y)new) ≤ b

iff x4,new + x2,new ≤ 100

450 CHAPTER 8

using (x⊕ y)new := (x⊕ y) + (eα ⊕ hα).For P2 we have −y1 + y2 ≤ 0, or a(x⊕ y) ≤ b with

a = [0 0 0 0 − 1 1], b = 0

Thus c = aEu = [−1 3], and our problem is to maximize

cv = −v1 + 3v2

under the same effective conditions as before, namely vi ≥ 0, v1 + v2 ≤ x2.This gives v∗1 = 0, v∗2 = x2 and cv∗(x) = 3x2. Thus for σ ∈ Σc we may take

f (2)∗σ (x⊕ y) = 1 iff − y1,new + y2,new + 3x2,new ≤ 0

where (x ⊕ y)new := (x ⊕ y) + (eσ ⊕ hσ). Combining the SFBC for P1 withthe DSFBC for P2 we obtain for the conjunction

f ∗σ(x⊕ y) = 1 iff (x2,new + x4,new ≤ 100) ∧ (3x2,new − y1,new + y2,new ≤ 0)

whenever σ ∈ Σc, in particular for σ = α.This example provides an opportunity to implement optimal control by

means of a ‘control’ VDES, say Gcon, coupled (via ⊕) to G. To see how thisis done, rearrange the conditions for f ∗

σ in the form

100− x2,new − x4,new ≥ 0, − 3x2,new + y1,new − y2,new ≥ 0

Introduce control coordinates z1, z2 which we shall try to arrange so that

z1 = 100− x2 − x4, z2 = −3x2 + y1 − y2

as the process evolves; initially z1 = 100, z2 = 10. Heuristically note that

z1 = 100− (#α−#β −#λ)−#β = 100−#α +#λ

z2 = −3(#α−#β −#λ) + (10 + #β)− 3#λ = 10− 3#α + 4#β

With the ordering (α, β, λ, µ) we therefore take the displacements in z1, z2to be

k(z1) = [−1 0 1 0], k(z2) = [−3 4 0 0]

Thus if we let Gcon := (Z,Σ, ζ, z0, Z) with Z = N2, and let the foregoingdisplacements define ζ, then the behavior of G ⊕ Gcon (as a VDES with

8.12 451

state space N6) will be exactly the behavior of G under f ∗, inasmuch as σwill be enabled only if z1,new ≥ 0, z2,new ≥ 0. Notice that the only negativeentries in the k1, k2 vectors correspond to controllable events (specifically, α).Thus the requirement of coordinate nonnegativity enforced, by assumption‘physically’, by VDES over N6, captures the control action in a plausible way:no further ‘control technology’ is needed. This approach will be pursuedsystematically in Section 8.13.

8.12 Modeling and Control of a Production

Network

We consider the modeling and control of a production network, adaptedfrom work by Al-Jaar and Desrochers. A Petri net for the system is shownin Fig. 8.7.

Group 2

x2

1 x3

1

x1

1

α1

1α2

1α3

1

α5

1α4

1

x4

1

x1

2

x2

3 x3

3

x1

3

α1

3α2

3α3

3

α5

3α4

3

x4

3

x1

4

x2

5 x3

5

x1

5

α1

5α2

5α3

5

α5

5α4

5

x4

5

x1

6 x2

7 x3

7

x1

7

α1

7α2

7α3

7

α5

7α4

7

x4

7

x1

8 x2

8

α1

8α3

8

α2

8

Buffer 2

Group 1 Buffer 1

Buffer 3Group 3 Group 4 Inspector

Fig. 8.7. Production Network

The system operates as follows. Machines in Groups 1 and 2 receive partsfrom a non-depleting inventory and deposit the finished parts in Buffers 1and 2 respectively. Machines in Group 3 fetch parts from Buffers 1 and 2 for

452 CHAPTER 8

assembling. The assembled workpiece is deposited in Buffer 3 to be furtherprocessed by Group 4. The processed workpiece is sent to an inspection unitwhich can either output the workpiece as a finished product or return it forreworking by Group 4.

We use a modular approach to modeling this production network. Firstwe model modules of the network individually and then compose them toform the model of the complete system.

(i) Modeling of the MachinesThe state vector of machine group 1,2,3,4 is indexed respectively i =

1, 3, 5, 7 and is

xi = [x1i x2i x

3i x

4i ] ∈ N4×1, i = 1, 3, 5, 7

The state components denote, respectively, ‘idle’, ‘processing’, ‘holding (partprior to sending on)’, ‘broken down’. With reference to Fig. 8.7, transitionsα1i , α

2i , α

3i , α

4i , α

5i (i = 1, 3, 5, 7) represent ‘start processing’, ‘finish process-

ing’, ‘return to idle’, ‘break down’, ‘return to processing after repair’.The corresponding state transition function ξi : Xi×Σi → Xi is given by

ξi(xi, αji ) = xi + ei,αj

i(i = 1, 3, 5, 7; j = 1, 2, 3, 4, 5)

where

ei,α1i=

−1100

ei,α2i=

0

−110

ei,α3i=

10

−10

ei,α4i=

0

−101

ei,α5i=

010

−1

Initially, all machines are in the ‘idle’ state:

xi,0 =

gi000

The vector models of these machines are then

Gi = (Xi,Σi, ξi, xi,0)

8.12 453

whereΣi = α1

i , α2i , α

3i , α

4i , α

5i

with Σi,c = α3i , i.e. we assume that only the event ‘return to idle’ is con-

trollable.

(ii) Modeling of the Inspection UnitThe model for the inspector is

G8 = (X8,Σ8, ξ8, x8,0)

whereΣ8 = α3

7, α18, α

28, α

38

Σ8,c = α181

andx8 = [x18 x

28] ∈ N2×1

x8,0 = [0 0]

ξ8(x8, αi8) = x8 + e8,αi

8

with

e8,α37=

[10

]e8,α1

8=

[−11

]e8,α2

8=

[0

−1

]e8,α3

8=

[0

−1

]

(iii) Modeling of BuffersThe three buffers can be modeled as scalar systems. For Buffer 1, we

haveG2 = (X2,Σ2, ξ2, x2,0)

withΣ2 = α3

1, α15, Σ2,c = α3

1

X2 = N x12,0 = 0

ξ2(x12, α

31) = x12 + 1

ξ2(x12, α

15) = x12 − 1

1The ‘coupling event’ α37 is already controllable in G7.

454 CHAPTER 8

Buffer 2 is modeled similarly. For Buffer 3, we have

G6 = (X6,Σ6, ξ6, x6,0)

withΣ6 = α3

5, α17, α

28, Σ6,c = α3

5X6 = N, x16,0 = 0

ξ6(x16, α

35) = ξ6(x

16, α

28) = x16 + 1

ξ(x16, α17) = x16 − 1

(iv) CompositionFinally we compose the above components to obtain the VDES model of

the production network:

G = (X,Σ, ξ, x0) =8⊕

i=1

Gi

where

Σ =8∪

i=1

Σi, Σc =8∪

i=1

Σi,c

X =8⊕

i=1

Xi, x0 =8⊕

i=1

xi,0

ξ(x, αji ) = x+ eαj

iwith eαj

i=

8⊕k=1

ek,αji

where we define ek,αji= 0 if αj

i is not in Σk. The connections of the system

modules are displayed in Fig. 8.8.

G1

G3

G2

G4

G5 G6 G7 G8

Fig. 8.8. Production Network Connection

8.12 455

Note that the connection of G1 and G2 is serial, that of G2 and G4

parallel, and that of G6 and G8 feedback.

(v) Control of the Production NetworkWe now discuss how to synthesize a modular controller to satisfy the

performance specification of the system. The specification is that no bufferoverflow and that at most one part be inspected at a given time. We assumethat Buffer i has capacity ki and the buffer inside the inspection unit (x18)has capacity 1. This specification can be formalized as a predicate on thestate space X:

P =4∧

i=1

Pi

with

P1 = (x12 ≤ k1)

P2 = (x14 ≤ k2)

P3 = (x16 ≤ k3)

P4 = (x18 ≤ 1)

We list the optimal2 subcontrollers for the above linear specifications.

f1,α(x) = 0 ⇔ α = α31 and x12 ≥ k1

f2,α(x) = 0 ⇔ α = α33 and x14 ≥ k2

f3,α(x) = 0 ⇔ (α = α35 or α = α1

8) and x16 + x28 ≥ k3

f4,α(x) = 0 ⇔ α = α37 and x18 ≥ 1

The conjunction of these subcontrollers is

f :=5∧

i=1

fi

It is easy to check that all subcontrollers in f are balanced. Therefore,this modular controller is optimal in the sense that it synthesizes a largestreachable state set among all controllers which enforce the specification

P =4∧

i=1

Pi

2While Gu is not loop-free, and therefore Theorem 8.7.2 not strictly applicable, theasserted optimality is obvious by inspection.

456 CHAPTER 8

as asserted by Theorem 7.5.2.The above modular controller can lead to deadlock of the controlled sys-

tem. To see this, consider the state at which x12 = k1, x14 = k2, x

16 = k3,

x18 = 1 and x3i = gi (i = 1, 3, 5, 7), with all other state variables being 0.At this state all controllable events are disabled and no uncontrollable eventcan occur. One way to remove the deadlock in the system is to add anothersubspecification which ensures that the deadlock state cannot be reached.

For this it is sufficient to ensure that the number of empty slots in Buffer3 (k3 − x16) is maintained at least as great as the number of workpieces thatcould potentially be returned to Buffer 3 on being tested defective. In theworst case this is the number of workpieces being processed by the machinesin Group 4 together with the Inspector, namely

x27 + x37 + x47 + x18 + x28

So our new subspecification can be taken to be

P5 = (x16 + x27 + x37 + x47 + x18 + x28 ≤ k3)

Notice that P5 implies P3, so the latter may now be discarded and the controlsredesigned on the basis of P1, P2, P4 and P5.

Exercise 1: Redesign the controls as just specified. By detailed reasoningfrom your control design, prove that the controlled system is maximally per-missive and nonblocking with respect to the prescribed initial state as markerstate. For a plausible numerical assignment of the ki (not too large!) verifythis conclusion computationally using the DES representation described inExercise 8.2.3.

To illustrate dynamic control, let us consider the following linear dynamicspecification:

|α35| − |α3

8| ≤ k

which specifies that the number of parts in the inspection loop never exceedsan integer k. Here |α3

i | (i = 5, 8) denotes the number of occurrences of α3i . A

one-dimensional memory H can be easily constructed from this specificationand is shown in Fig. 8.9.

8.13 457

Group 2

x2

1 x3

1

x1

1

α1

1α2

1α3

1

α5

1α4

1

x4

1

x1

2

x2

3 x3

3

x1

3

α1

3α2

3α3

3

α5

3α4

3

x4

3

x1

4

x2

5 x3

5

x1

5

α1

5α2

5 α3

5

α5

5α4

5

x4

5

x1

6 x2

7 x3

7

x1

7

α1

7α2

7α3

7

α5

7α4

7

x4

7

x1

8 x2

8

α1

8 α3

8

α2

8

Buffer 2

Group 1 Buffer 1

Buffer 3Group 3 Group 4 Inspector

y

H

Fig. 8.9. Production Network with Dynamic Control

The dynamic specification is then equivalent to a static specification

y ≤ k

on the extended state space X ⊕ Y with Y being the one-dimensional statespace of H. By Theorem 8.9.2, the optimal controller f enforcing this staticspecification can be defined as

fα =

0 if α = α3

5 and y ≥ k1 otherwise

Exercise 2: Verify this result by calculating f ∗ as in Theorem 8.9.2.

8.13 Representation of Optimal Control by a

Control VDES

In this section we return to the problem, illustrated in Section 8.11, of rep-resenting the optimal control by a VDES. This kind of result has the appeal

458 CHAPTER 8

that control does not require departure from the basic model class, a fea-ture that offers convenience in control implementation, and ease of analysisand simulation of controlled behavior. On the other hand, insisting on aVDES implementation of the control does impose further restrictions on thestructure of the plant G (although not on the control specification).

As usual let G = (X,Σ, ξ, x0, Xm), with X = Nn and where ξ is definedby displacement vectors eσ ∈ Zn×1. Assume that the control specificationis provided in the form of a VDES S = (Y,Σ, η, y0, Y ), where Y = Np, andwith displacement vectors hσ ∈ Zp×1. One may think of S as tracking thebehavior of G, with the specification expressed as the predicate (y ≥ 0) onX ⊕ Y . Write S := L(S), the closed behavior of S. We shall assume thatsupCG(L(G) ∩ S) = ∅, so an optimal DSFBC F ∗ for G exists (as a SFBCon X ⊕ Y ), such that

L(F ∗/G) = supCG(L(G) ∩ S)

Let Gcon := (Z,Σ, ζ, z0, Z) be a VDES with Z = Nr. We say that Gcon

is a VDES implementation (VDESI) of F ∗ provided

L(F ∗/G) = L(G⊕Gcon)

We shall provide a constructive sufficient condition (jointly due to Nian-qing Huang, 1991, and Shu-Lin Chen, 1992) under which Gcon exists; it willthen turn out that r = p.

Let A ⊆ Σ and α ∈ A. Define the event subset Σ(α,A) and coordinate(index) set I(α,A) inductively by the rules:

1. α ∈ Σ(α,A)

2. σ ∈ Σ(α,A) & i ∈ σ↑ ⇒ i ∈ I(α,A)

3. i ∈ I(α,A) & σ ∈ i↑ ∩ A⇒ σ ∈ Σ(α,A)

4. No other elements belong to Σ(α,A) or I(α,A)

Note that Rule 2 says that i is placed in I(α,A) if eσ(i) < 0. The restrictionof G to I(α,A) and Σ(α,A) is the subsystem of G that is upstream from α,taking into account only the flow due to transitions in A.

8.13 459

Next take A := Σu and consider the (one-dimensional) S with p = 1,Y = N. Define

Σ−u := σ ∈ Σu|hσ < 0

Σ∇ :=∪

Σ(σ,Σu)|σ ∈ Σ−u

I∇ :=∪

I(σ,Σu)|σ ∈ Σ−u

Finally, denote by G∇ the restriction of G to I∇, Σ∇. Thus G∇ is just thesubsystem of G of which the flow is uncontrollable and effect is to decrementthe (scalar) specification coordinate y ∈ Y via events in Σ−

u . Since thespecification is precisely that y be maintained nonnegative, it is the structureof G∇ that is crucial for that of the optimal control.

Example 1: For FACT#2 we had P2 = (10 + #β ≥ 3#λ), which may beconverted to a VDES S with Y = N, y0 = 10, and [hα hβ hλ hµ] = [0 1 −3 0].We have

Σ−u = λ, Σ∇ = λ, I∇ = λ↑ = 2

Now we can state

Theorem 2 (Nianqing Huang, Shu-Lin Chen)Given a VDES G and a specification language S represented by a 1-

dimensional VDES S as above. Assume that an optimal DSFBC F ∗ for Gexists (i.e. supCG(L(G) ∩ S) = ∅). In addition assume the conditions

1. G∇ is loop-free.

2. For all σ ∈ Σ∇, the displacement vector eσ in G has at most onenegative component, i.e. |σ↑| ≤ 1; furthermore if for some i, eσ(i) < 0,then eσ(i) = −1 (by Rule 2 above, σ↑ = i and i ∈ I∇).

Then a VDESI Gcon for F ∗ exists. 2

Example 3: For FACT#2 the conditions of Theorem 2 are clearly satisfied;a VDESI was constructed ad hoc in Section 8.11.

Our proof will be constructive, and include a test for the existence of F ∗.Roughly, the procedure is to successively transform the specification VDES

460 CHAPTER 8

S, moving upstream in G∇ against the flow of (uncontrollable) events, untilthe controllability condition on the transformed version of S is satisfied. Theloop-freeness Condition 1 guarantees termination, while Condition 2 servesto rule out ‘disjunctive’ control logic (cf. Exercise 16 below).

We begin by defining a family of transformations Tα (α ∈ Σu) on 1-dimensional VDES. As above let S = (Y,Σ, η, y0, Y ) with y0 ≥ 0 and η(y, σ) =y+hσ. NULL will stand for the ‘empty’ VDES with L(NULL) := ∅. UnderCondition 2 of Theorem 2, define

Snew := TαS

as follows.

1. If hα ≥ 0 then Tα = id (identity operator), i.e. Snew := S.

2. If hα < 0 and α↑ = i (thus eα(i) < 0) then

ynew,0 := y0 + x0(i)hα

hnew,σ :=

hσ + eσ(i)hα if σ ∈ i↑ ∪ i↓hσ otherwise

If ynew,0 ≥ 0 then accept the VDES Snew with ynew,0, hnew,σ (σ ∈ Σ):otherwise Snew := NULL.

3. If hα < 0 and α↑ = ∅ then Snew := NULL.

4. For all σ ∈ Σ, Tσ(NULL) := NULL.

In part 2 of the definition of Tα, clearly ynew,0 ≤ y0. Also, Condition 2 ofTheorem 2 implies eα(i) = −1, so

hnew,α = hα + eα(i)hα = 0

In general hnew,σ is made up of the direct contribution hσ to y on the occur-rence of σ, plus a contribution to y of eσ(i)hα due to occurrences of α (seethe proof of Lemma 9 below).

Note that activation of part 3 of the definition of Tα is not ruled out byCondition 2 of Theorem 2.

8.13 461

Example 4: In FACT#2 recall that y = 10 +#β − 3#λ, h = [0 1 − 3 0],λ ∈ Σu, hλ = −3 < 0, λ↑ = 2. Thus, Snew = TλS is calculated accordingto

ynew,0 = y0 + x0(2)hλ = y0 = 10

2↑ ∪ 2↓ = α, β, λ

hnew,α = hα + eα(2)hλ = 0 + (+1)(−3) = −3

hnew,β = hβ + eβ(2)hλ = (+1) + (−1)(−3) = 4

hnew,λ = hλ + eλ(2)hλ = 0

hnew,µ = hµ

Thus

hnew = [−3 4 0 0]

For Snew,

σ ∈ Σu|hσ < 0 = ∅

so that now all Tσ = id.

Let I ⊆ I := 1, ..., n, Σ ⊆ Σ and let G be the restriction of G to I , Σ.An event σ ∈ Σ is a leaf event of G if, for all i ∈ σ↓∩ I, i↓∩ Σ = ∅, or briefly(σ↓ ∩ I)↓ ∩ Σ = ∅ (in particular this is true if σ↓ ∩ I = ∅). Evidently aleaf event of G cannot contribute to the occurrence in G of an immediatelyfollowing event in Σ.

Let LeafEvent(G, α) denote a procedure that selects an arbitrary leafevent α of G (or returns error if no leaf event exists). To compute Gcon westart with

Procedure (1) (index Σ∇ by leaf property):

Gvar := G∇;Σvar := Σ∇;k := |Σ∇|;index := 1;if k = 0 then LEList := [ ] else

while index ≤ k do

begin

462 CHAPTER 8

LeafEvent(Gvar, α);LEList[index] := α;Σvar := Σvar − α;Gvar := restriction of Gvar to I

∇,Σvar;index := index + 1

end.

Proposition 5

Under the conditions of Theorem 2, Procedure (1) is well-defined.

Proof

It suffices to check that Gvar always has a leaf event if index ≤ k. Butthis follows by Condition 1 of Theorem 2 that G∇ is loop-free. 2

Exercise 6: Supply the details.

Procedure (1) returns a listing of Σ∇, LEList = [ ] or [α1, ..., αk]. Proce-dure (2) will then compute the final result as follows.

Procedure (2):

If LEList = [ ] then Sfin := S else

Sfin := TαkTαk−1

...Tα1(S)

It will be shown that, under the Conditions 1 and 2 of Theorem 2, eitherSfin = NULL, in which case supCG(L(G) ∩ S) = ∅ and F ∗ does not exist,or else Sfin = Gcon is a VDESI for F ∗.

Exercise 7: Let G be a 1-dimensional VDES with Σu = Σ = α, β anddisplacement matrix E = [−1 − 1]. Define S by h = [−5 − 7]. Check thatα, β are both leaf events and that

Sfin = TαTβS = TβTαS

with yfin,0 = y0 − 7x0 and hfin = [2 0]. Thus Sfin = NULL if and only ify0 ≥ 7x0. Explain intuitively.

8.13 463

Exercise 8: Consider the 6-dimensional VDES G with Σu = Σ = σi|i =1, ..., 7, and

E :=

0 −1 −1 0 0 0 00 0 0 4 −1 0 02 1 0 0 0 −1 00 0 3 0 2 0 −1

−1 0 0 0 0 0 00 0 0 −1 0 0 0

For S let

h := [0 0 0 0 0 − 2 − 3]

Thus Σ−u = σ6, σ7. Show that a possible LEList is [σ6 σ2 σ7 σ1 σ5 σ3 σ4].

Calculate hfin and

yfin,0 = y0 − cx0

for suitable c ∈ N1×6. Interpret the result in terms of a ‘worst case’ eventsequence that maximally decrements y.

Write S = L(S), Snew = L(Snew).

Lemma 9

Let Snew = TαS (with α ∈ Σu). Then

supCG(L(G) ∩ Snew) = supCG(L(G) ∩ S) (∗)

Proof

If hα ≥ 0 then Tα = id, Snew = S, and there is nothing to prove.

If hα < 0 and α↑ = ∅ then Snew = NULL. Also, as αj ∈ L(G) for allj ≥ 0, and y0+jhα < 0 for j sufficiently large, we have supCG(L(G)∩S) = ∅,establishing (∗) for this case.

It remains to assume hα < 0 and α↑ = ∅, namely α↑ = i, with eα(i) =−1. Let s ∈ L(G), nσ = |s|σ (σ ∈ Σ). Then

0 ≤ k := ξ(x0, s)(i) = x0(i) +∑σ

nσeσ(i)

464 CHAPTER 8

Note that it suffices to sum over σ ∈ i↑∪i↓. First suppose s ∈ supCG(L(G)∩Snew). Then

0 ≤ ηnew(ynew,0, s)

= ynew,0 +∑σ

nσhnew,σ

= y0 + x0(i)hα +∑

σ∈i↑∪i↓nσ[hσ + eσ(i)hα] +

∑σ ∈i↑∪i↓

nσhσ

= y0 +∑σ

nσhσ +

[x0(i) +

∑σ∈i↑∪i↓

nσeσ(i)

]hα

= y0 +∑σ

nσhσ + khα

and so, as khα ≤ 0,

y0 +∑σ

nσhσ ≥ 0

The same argument applies to each prefix s′ ≤ s, showing that η(y0, s)!,namely s ∈ L(G) ∩ S. Therefore

supCG(L(G) ∩ Snew) ⊆ L(G) ∩ S

so thatsupCG(L(G) ∩ Snew) ⊆ supCG(L(G) ∩ S)

For the reverse inclusion, take s ∈ supCG(L(G) ∩ S). With k as beforewe have, as eα(i) = −1,

x0(i) +∑σ =α

nσeσ(i) + (nα + k)eα(i) = 0 (†)

so that ξ(x0, sαj)! for 0 ≤ j ≤ k, with ξ(x0, sα

k)(i) = 0. By controllability

sαk ∈ supCG(L(G) ∩ S)

In particular η(y0, sαk)!, namely

y0 +∑σ =α

nσhσ + (nα + k)hα ≥ 0 (††)

8.13 465

Calculating as before,

ynew,0 +∑σ

nσhnew,σ = y0 +∑σ

nσhσ +

[x0(i) +

∑σ∈i↑∪i↓

nσeσ(i)

]hα

= y0 +∑σ =α

nσhσ + nαhα − keα(i)hα

+

[x0(i) +

∑σ =α

nσeσ(i) + (nα + k)eα(i)

]hα

= y0 +∑σ =α

nσhσ + (nα + k)hα

≥ 0

using (†) and (††). By the same argument applied to each prefix of s, weconclude that ηnew(ynew,0, s)!, namely

s ∈ L(G) ∩ Snew

and therefore

supCG(L(G) ∩ S) ⊆ supCG(L(G) ∩ Snew)

as required. 2

Lemma 10Let G,S satisfy Condition 2 of Theorem 2, and assume α ∈ Σ∇ with

α↑ = i. Let Snew = TαS. Then

(∀σ ∈ i↑)hnew,σ ≥ hσ

2

Corollary 11Under the conditions of Theorem 2, let the result of Procedure (1) be

LEList = α1, ..., αk

Then for j = 2, ..., k, Tαjdoes not decrease the components of hαi

for i =1, ..., j − 1.

466 CHAPTER 8

ProofLet α↑

j = l and in turn set i = 1, ..., j−1. Note that αi ∈ l↑, since other-wise αi cannot be a leaf event in the restriction ofG∇ to I∇, αi, ..., αj, ..., αk,contrary to Procedure (1). The result follows by Lemma 10 with α = αj andputting σ = α1, ..., αj−1 in turn. 2

Exercise 12: In the example of Exercise 8, check that Tσ2 does not de-crease h6; Tσ7 does not decrease h6, h2; ...;Tσ4 does not decrease hi for i =6, 2, 7, 1, 5, 3.

Proof of Theorem 2Assume first that Procedure (2) yields Sfin = NULL. It will be shown

that Sfin is a VDESI for F ∗. By construction, LEList contains all α ∈ Σu suchthat hα < 0. Also, if at some stage in Procedure (2) we have S′′ = TαS

′, say,then hα(S

′′) ≥ 0. By Corollary 11 it follows that for all σ ∈ Σu, hfin,σ ≥ 0.Write Sfin = L(Sfin). We claim that Sfin is controllable with respect to

G. Indeed if s ∈ Sfin∩L(G) and σ ∈ Σu with sσ ∈ L(G), let ηfin(yfin,0, s) =y, so

ηfin(yfin,0, sσ) = y + hfin,σ ≥ y

namely sσ ∈ Sfin.It follows that

supCG(L(G) ∩ Sfin) = L(G) ∩ Sfin

By Lemma 9,

supCG(L(G) ∩ Sfin) = supCG(L(G) ∩ S)

and thusL(G) ∩ Sfin = supCG(L(G) ∩ S)

namely Sfin is a VDESI for F ∗.Finally we note that Sfin = NULL if and only if, at each stage of Proce-

dure (2), we have both α↑ = ∅ and ynew,0 ≥ 0. But if α↑ = ∅ (i.e. α ∈ Σ∇

is permanently enabled) there must exist a string s ∈ Σ∗u ∩L(G∇) such that

η(y0, s) < 0, i.e. s ∈ L(S), hence supCG(L(G) ∩ S) = ∅. The same conclu-sion follows if ynew,0 < 0 at some stage. Thus (under the conditions of thetheorem) the requirement Sfin = NULL is necessary and sufficient for theexistence of F ∗. 2

8.13 467

Remark 13: Procedure (2) could be modified by dropping the conditionthat ynew,0 ≥ 0 at each stage, and simply reporting whatever value of yfin,0is calculated at termination. A result yfin,0 < 0 would then represent theleast amount by which the original value of y0 should be raised to yield anacceptable (nonnegative) result.

It is straightforward to extend Theorem 2 to the case of a p-dimensionalspecification, merely by treating each component as an independent scalarin modular fashion.

Exercise 14: Justify the last statement in detail, and illustrate with amodular VDESI of dimension 2.

Exercise 15: Let G be a 5-dimensional VDES over Σ = σ1, σ2, σ3, σ4, σ5with Σc = σ4 and

E =

−1 −1 2 0 00 −2 0 0 00 0 −1 1 −20 0 0 −1 00 0 0 0 −1

h = [−1 0 0 0 0]

Let x0 = [0 3 0 4 1], y0 = 3. Apply Theorem 2 with Procedures (1) and (2)to obtain a VDESI for F ∗.

Exercise 16: Show that Condition 2 of Theorem 2 cannot be dropped alto-gether. Hint: In the following example, verify that Condition 2 is violated,and F ∗ exists but cannot be implemented as a VDES. LetG be 2-dimensionalwith Σ = α, β, γ, Σu = α and

E =

[−1 0 1−1 1 0

]h = [−1 0 0]

Let x0 = [0 0], y0 = 2. Show that optimal control is given by

F ∗β (x1, x2, y) = 1 iff minx1, x2 + 1 ≤ y

F ∗γ (x1, x2, y) = 1 iff minx1 + 1, x2 ≤ y

468 CHAPTER 8

Show that neither of these enablement conditions can be written as an in-equality (or conjunction of inequalities) linear in the occurrence vector, sothere can be no VDESI for either F ∗

β or F ∗γ . In particular, show that the en-

ablement region for β in the (x1, x2)-plane is the non-convex L-shaped region0 ≤ x1 ≤ y, x2 ≥ 0 ∪ x1 ≥ y, 0 ≤ x2 ≤ y − 1.

Exercise 17: Show that Condition 2 of Theorem 2 is not necessary. Hint:In the following example, verify that Condition 2 is violated, but F ∗ existsand does have a VDES implementation. Let G be 2-dimensional with Σ =α, β, γ, Σc = γ and

E =

[−1 0 1−1 1 0

]h = [−1 0 0]

Let x0 = [0 0], y0 = 2. Check that F ∗γ exists and has the VDESI S with

h(S) = [0 0 − 1] and initial value 2.

Exercise 18: Let G be 1-dimensional with Σ = α, β, γ, Σc = γ,

E = [−2 − 1 1]

h = [−3 1 0]

Investigate the existence of F ∗ and a VDES implementation. What conclu-sion can be drawn about Theorem 2?

Exercise 19: Repeat Exercise 18 for the following. Let G be 4-dimensionalwith Σ = α, β, λ, µ, Σu = λ,

E =

−1 0 0 10 −1 0 22 1 −2 00 0 1 −2

x(0) = [1 2 0 2] ∈ N4×1

and specification x4 ≤ 2.

Exercise 20: Continuing Exercise 19, find a ‘place invariant’ (cf. Exercise8.3.6) [c1 c2 c3 c4] with the ci > 0. From this derive a priori bounds

8.14 469

x1, x4 ≤ 4; x2, x3 ≤ 8. Using these bounds construct state models Xi forthe VDES components xi, and form the plant model X as their synchronousproduct. Use TCT to obtain the optimal supervisor enforcing (x4 ≤ 2).Verify consistency with your result in Exercise 19.

8.14 Notes and References

Supervisory control theory in the sense of [T01,J03] was subsequently for-mulated in Petri nets by B.H. Krogh [1987], who employed a mechanism of‘control places’ and ‘control arcs’. This chapter is based mainly on work ofY. Li [T17, C24, C27, C29, C33, J21, J22], N.-Q. Huang [C35, T16], andS.-L. Chen [C47, T24]. Further developments can be found in [T33]. Thestructural boundedness criterion of Exercise 8.2.3 seems to be due to Memmi& Roucairol [1980; p.215, Theorem 1]; see also Murata [1989; p.567, Theorem29]. The ‘alternative theorem’ we suggest using here is an easy extension fromR to Z of Tucker [1956; p.11, Corollary 3A(i)]. In the Petri net literature theresult of Theorem 8.6.5 has been attributed to Hiraishi & Ichikawa [1988].Exercise 8.13.19 is adapted from Moody & Antsaklis [1998], Section 4.5.

The Production Network of Section 8.12 is adapted from Al-Jaar &Desrochers [1988].

Further information on linking supervisory control theory to VDES orPetri net models can be found in [C98,J44].

An extensive recent treatment of controlled Petri nets which addressesthe nonblocking specification is available in the monograph by Chen & Li[2013].

Appendix 8.1: Three Examples from Petri Nets

We provide three examples to show how supervisory control problems de-scribed in terms of Petri nets can be treated in the automaton frameworkof this monograph, Chapters 3, 4 and 6. Commented output from the TCTMAKEIT.TXT files is provided for the reader’s convenience. Details of prob-lem formulation can be found in the cited literature.

470 CHAPTER 8

Example 1: Manufacturing Workcell

Ref: K. Barkaoui, I. Ben Abdallah. A deadlock prevention method for aclass of FMS. Proc. IEEE Int. Conf. on Systems, Man, and Cybernetics.Vancouver, Canada, October 1995, pp.4119-4124.

The system is a manufacturing workcell consisting of two input bins I1,I2,four machines M1,...,M4, two robots R1,R2, and two output bins O1,O2.Two production sequences, for RED and GRN workpieces, run concurrently;these are:

GRN: I1 → R1 → (M1 or M2) → R1 → M3 → R2 → O1RED: I2 → R2 → M4 → R1 → M2 → R1 → O2

In the simplest case, treated here, at most one workpiece of each type (red,green) is allowed in the system at any one time.

Since the machines and production sequences share the robots as re-sources, there is the a priori possibility of deadlock. In fact, without controlthere is exactly one deadlock state (20) in TEST = meet(CELL,SPEC).At this state the components are in states:

R1 R2 M1 M2 M3 M4 RED GRN1 0 0 1 0 0 2 3

One deadlock sequence is (write ev for event):R1 takes in green part (ev 11 in CELL)R2 takes in red part (ev 91)R1 loads M2 with green part (ev 21)R2 loads M4 with red part (ev 101)R1 unloads red part from M4 (ev 111)

At this point, R1 holds a red, having just unloaded it from M4 (event 111),while M2 holds a green, having finished processing it. R1 must load M2 withthe red it’s holding (ev 121) but cannot do so because M2 holds the green,which only R1 can unload (ev 41). The deadlock occurs because both R1and M2 are ‘full’ (with a red, green respectively), and there’s no mechanismfor making the required swap. The cure is easy: simply eliminate state20 from TEST; the result is then exactly the optimal controlled behaviorSUP. So instead of the old blocking sequence 11.91.21.101.111 we now have11.91.21.101.41; in other words GRN is allowed to progress to its state 4 (ev41) before RED is allowed to progress to its state 3 (ev 111). The problemarises because a single robot (R1) is shared by 2 machines M2,M4; and M2is shared by 2 processes (RED,GRN). At the deadlock state RED and GRNhave conflicting requirements for M2 and therefore on R1, which is deadlocked

Appendix 471

because of its previous action on M4. Conclusion: careful sequencing ofthe interleaved processes RED, GRN is needed to avoid deadlock due toconflicting demands on the shared resources R1 and M2. Of course, this isachieved ‘automatically’ by supcon.

R1 = create(R1,[mark 0],[tran [0,11,1],[0,41,1],[0,51,1],[0,111,1],[0,131,1],[1,21,0],[1,31,0],[1,61,0],[1,121,0],[1,141,0]]) (2,10)

R2 = create(R2,[mark 0],[tran [0,71,1],[0,91,1],[1,81,0],[1,101,0]]) (2,4)

M1 = create(M1,[mark 0],[tran [0,31,1],[1,51,0]]) (2,2)

M2 = create(M2,[mark 0],[tran [0,21,1],[0,121,1],[1,41,0],[1,131,0]]) (2,4)

M3 = create(M3,[mark 0],[tran [0,61,1],[1,71,0]]) (2,2)

M4 = create(M4,[mark 0],[tran [0,101,1],[1,111,0]]) (2,2)

CELL = sync(R1,R2) (4,28) Blocked events = None

CELL = sync(CELL,M1) (8,52) Blocked events = None

CELL = sync(CELL,M2) (16,88) Blocked events = None

CELL = sync(CELL,M3) (32,160) Blocked events = None

CELL = sync(CELL,M4) (64,288) Blocked events = None

ALL = allevents(CELL) (1,14)

GRN = create(GRN,[mark 0],[tran [0,11,1],[1,21,2],[1,31,3],[2,41,4],[3,51,4],[4,61,5],[5,71,6],[6,81,0]]) (7,8)

RED = create(RED,[mark 0],[tran [0,91,1],[1,101,2],[2,111,3],[3,121,4],[4,131,5],[5,141,0]]) (6,6)

472 CHAPTER 8

SPEC = sync(RED,GRN) (42,90) Blocked events = None

nonconflict(CELL,SPEC) = false

TEST = meet(CELL,SPEC) (35,61)

SUP = supcon(CELL,SPEC) (34,60)

SUP = condat(CELL,SUP) Controllable.

[Only events 51,71 do not appear in the condat table; therefore they couldbe replaced by uncontrollable counterparts (say 50,70) without changing thecontrolled behavior.]

SIMSUP = supreduce(CELL,SUP,SUP) (11,38)

STEST = meet(CELL,SIMSUP) (34,60)

isomorph(STEST,SUP;identity) = true

SIMSUP = condat(CELL,SIMSUP) Controllable.

The following shows that removing the single blocking state 20 is enough toobtain the optimal control from the naive behavior TEST.

ETEST = edit(TEST,[states -[20]],rch) (34,60)

isomorph(ETEST,SUP;identity) = true

Example 2: Piston Rod Robotic Assembly Cell

Ref: J.O. Moody, P.J. Antsaklis. Supervisory Control of Discrete EventSystems Using Petri Nets. Kluwer, 1998; Section 8.4.

With reference to Fig. 8.11 of the cited text, the system consists of an M-1robot performing various tasks (Petri net places p4, p5, p6, p7), and similarlyan S-380 robot (p2, p3); p1 is used for initialization.

M-1 ROBOTTo model this we replace p4 by a generator capable of holding up to twopiston pulling tools in a two-slot buffer MR1; the tools are generated byevent 40 and selected for use by event 41. The event sequence 41.51.60.70.80

Appendix 473

tracks the installation of a cap on a piston rod and the conveyance of itsengine block out of the work space. In our model, up to four operations inthis sequence could be progressing simultaneously, although a specification(below) will limit this number to one.

MR1 = create(MR1,[mark 0],[tran [0,40,1],[1,40,2],[1,41,0],[2,41,1]]) (3, 4)

MR2 = create(MR2,[mark 0],[tran [0,41,1],[1,51,0]]) (2,2)

MR3 = create(MR3,[mark 0],[tran [0,51,1],[1,60,0]]) (2,2)

MR4 = create(MR4,[mark 0],[tran [0,60,1],[1,70,0]]) (2,2)

MR5 = create(MR5,[mark 0],[tran [0,70,1],[1,80,0]]) (2,2)

MROB = sync(MR1,MR2) (6,9)

MROB = sync(MROB,MR3) (12,21)

MROB = sync(MROB,MR4) (24,48)

MROB = sync(MROB,MR5) (48,108)

S-380 ROBOTStarting from the ready-to-work condition, this robot performs the eventsequence 10.20.30 corresponding to readying parts for assembly; its workcycle is closed by event 80.

SROB = create(SROB,[mark 0],[tran [0,10,1],[1,20,2],[2,30,3], [3,80,0]])(4,4)

PLANT = sync(MROB,SROB) (192,504)Note that the only controllable events are 41,51, which more than satisfiesthe authors’ requirement that events 60,70,80 be uncontrollable.

There are 3 specifications, as detailed in the authors’ equations (8.11)-(8.13).These are linear inequalities on markings, which are easily converted (byinspection of the PN) into counting constraints on suitable event pairs. Forinstance, (8.12) requires that m4+m5+m6+m7 ≤ 1, where mi is the markingof place pi; by inspection, this is equivalent to

474 CHAPTER 8

(|41| − |51|) + (|51| − |60|) + (|60| − |70|) + (|70| − |80|) ≤ 1

or simply |41| − |80| ≤ 1; here |k| is the number of firings of transition ksince the start of the process. By inspection of the PN it is clear that theinequality forces events 41,80 to alternate, with 41 occurring first; henceSPEC2, below.

SPEC1 = create(SPEC1,[mark 0],[tran [0,10,1],[1,30,0]]) (2,2)

SPEC2 = create(SPEC2,[mark 0],[tran [0,41,1],[1,80,0]]) (2,2)

SPEC3 = create(SPEC3,[mark 0],[tran [0,30,1],[1,51,0]]) (2,2)

SPEC = sync(SPEC1,SPEC2) (4,8)

SPEC = sync(SPEC,SPEC3) (8,18)

PLANTALL = allevents(PLANT) (1,9)

SPEC = sync(SPEC,PLANTALL) (8,50)

The supremal supervisor can now be computed, then simplified by the control-congruence reduction procedure.

SUPER = supcon(PLANT,SPEC) (33,60)

SUPER = condat(PLANT,SUPER) Controllable.

SIMSUP = supreduce(PLANT,SUPER,SUPER) (3,12)

Thus SIMSUP is strictly minimal.

X = meet(PLANT,SIMSUP) (33,60)

isomorph(X,SUPER;identity) = true

SIMSUP = condat(PLANT,SIMSUP) Controllable.

TEST = meet(PLANT,SIMSUP) (33,60)

isomorph(TEST,SUPER;identity) = true

Appendix 475

The authors specify four auxiliary constraints (8.14)-(8.17), of the form al-ready discussed; we model these as follows, and create the auxiliary speci-fication ASPEC. We test these constraints against the existing controlledbehavior SUPER, and confirm that they are already satisfied.

ASP1 = create(ASP1,[mark 0],[tran [0,20,1],[1,30,0]]) (2,2)

ASP2 = create(ASP2,[mark 0],[tran [0,41,1],[1,60,0]]) (2,2)

ASP3 = create(ASP3,[mark 0],[tran [0,60,1],[1,70,0]]) (2,2)

ASP4 = create(ASP4,[mark 0],[tran [0,70,1],[1,80,0]]) (2,2)

ASPEC = sync(ASP1,ASP2) (4,8)

ASPEC = sync(ASPEC,ASP3) (8,18)

ASPEC = sync(ASPEC,ASP4) (16,40)

ASPEC = sync(ASPEC,PLANTALL) (16,88)

COASPEC = complement(ASPEC,[]) (17,153)

X = meet(SUPER,COASPEC) (33,60)

TX = trim(X) (0,0)

Unobservable events: we assume with the authors that events 51,60,70 havebecome unobservable. As a simplifying assumption on supervisor design, weconsider that controllable event 51 will now not be subject to disablement.Thus we could (but will not) relabel event 51 as 50 throughout. Our new as-sumption allows us to treat the problem as an instance of SCOP (Section 6.5).We therefore compute as follows.

476 CHAPTER 8

N = supnorm(PLANT,SPEC,null[51,60,70]) (24,39)

NO = project(N,null[51,60,70]) (15,24)

PLANTO = project(PLANT,null[51,60,70]) (60,129)

SUPERO = supcon(PLANTO,NO) (15,24)[‘Observer’s supervisor’]

SUPERO = condat(PLANTO,SUPERO) Controllable.[‘Observer’s supervisor’]

OSUPER = selfloop(SUPERO,[51,60,70]) (15,69)[Feasible supervisor]

nonconflict(PLANT,OSUPER) = true

K = meet(PLANT,OSUPER) (24,39)[Controlled behavior using feasible supervisor]

SIMSUPO = supreduce(PLANTO,SUPERO,SUPERO) (2,7)

Thus SIMSUPO is strictly minimal.

SIMSUPO = condat(PLANTO,SIMSUPO) Controllable.

TESTO = meet(PLANTO,SIMSUPO) (15,24)

isomorph(TESTO,SUPERO;identity) = true

We’ll check that, as expected, controlled behavior K using the feasible su-pervisor is more restricted than the original controlled behavior SUPER(which of course was computed without assuming any observational con-straint). Nevertheless, K is adequate for performance of the assembly pro-cess: for instance the K-string 10.20.30.40.41.51.60.70.80 is a full assemblycycle.

Appendix 477

COSUPER = complement(SUPER,[]) (34,306)

X = meet(K,COSUPER) (24,39)

TX = trim(X) (0,0)

Some routine checks, in principle redundant:

nonconflict(PLANT,OSUPER) = true

OSUPER = condat(PLANT,OSUPER) Controllable.

As expected, OSUPER never disables unobservable event 51.

Example 3: Unreliable Machine (Deadlock Avoidance)

Ref: J.O. Moody, P.J. Antsaklis. Deadlock avoidance in Petri nets withuncontrollable transitions. Proc. 1998 American Automatic Control Con-ference. Reproduced in J.O. Moody, P.J. Antsaklis. Supervisory Control ofDiscrete Event Systems Using Petri Nets. Kluwer, 1998; Section 8.3 (pp.122-129).

This is a problem which, in the authors’ Petri net formulation, requires find-ing the system’s two ‘uncontrolled siphons.’ By contrast, the TCT solutionis fast and immediate, requiring no special analysis.The system model consists of a machine M1 containing two 1-slot outputbuffers M1C (for completed workpieces) and M1B (for damaged workpieces,which result when M1 breaks down), together with two dedicated AGVs toclear them. M1 is the SCT machine model (e.g. Section 3.2). Event 10(successful completion) increments M1C, which must be cleared (event 14)by AGV1 before M1 can restart; event 12 (breakdown) increments M1B,which must be cleared (event 16) by AGV2 before M1 can be repaired af-ter breakdown (event 13); these requirements are enforced by SPEC1C,SPEC1B respectively. The workspace near the buffers can be occupied byonly one AGV at a time: this is enforced by SPEC1; the final SPEC modelis sync(SPEC1, SPEC1C, SPEC1B). Blocking would occur if, for in-stance, AGV1 moved into position to clear its buffer M1C, but M1B ratherthan M1C was filled; or AGV2 moved into position to clear its buffer M1B,but M1C rather than M1B was filled; in each case the positioned AGV wouldlock out the other.

478 CHAPTER 8

Modeling the plant

M1 = create(M1,[mark 0],[tran [0,11,1],[1,10,0],[1,12,2],[2,13,0]]) (3,4)

M1C = create(M1C,[mark 0],[tran [0,10,1],[1,14,0]]) (2,2)

M1B = create(M1B,[mark 0],[tran [0,12,1],[1,16,0]]) (2,2)

AGV1 = create(AGV1,[mark 0],[tran [0,101,1],[1,14,2],[2,100,0]]) (3,3)

AGV2 = create(AGV2,[mark 0],[tran [0,201,1],[1,16,2],[2,200,0]]) (3,3)

P = sync(M1,M1C) (6,10) Blocked events = None

P = sync(P,M1B) (12,24) Blocked events = None

P = sync(P,AGV1) (36,84) Blocked events = None

P = sync(P,AGV2) (108,288) Blocked events = None

PALL = allevents(P) (1,10)

Modeling the specification

SPEC1 = create(SPEC1,[mark 0],[tran [0,101,1],[0,201,2],[1,100,0],[2,200,0]]) (3,4)

SPEC1C = create(SPEC1C,[mark 0],[tran [0,10,1],[0,11,0],[1,14,0]])(2,3)

SPEC1B = create(SPEC1B,[mark 0],[tran [0,12,1],[0,13,0],[1,16,0]])(2,3)

Appendix 479

SPEC = sync(SPEC1,SPEC1C) (6,17) Blocked events = None

SPEC = sync(SPEC,SPEC1B) (12,52) Blocked events = None

SPEC = sync(SPEC,PALL) (12,52) Blocked events = None

nonconflict(P,SPEC) = false

Blocking could occur in the absence of supervisory control. Some blockingstrings are 11.10.201, 201.11.10, 11.12.101, 101.11.12. These result in thesituations described earlier, where an AGV in the workspace locks out theother, required AGV.

PSPEC = meet(P,SPEC) (24,40)

nonconflict(PSPEC,PALL) = false

MPSPEC = minstate(PSPEC) (23,40)

Computing the supremal supervisor

SUP = supcon(P,SPEC) (16,24)

SUP = condat(P,SUP) Controllable

Computing a simplified supervisor

SIMSUP = supreduce(P,SUP,SUP) (5,23)

X = meet(P,SIMSUP) (16,24)

isomorph(SUP,X;identity) = true

SIMSUP = condat(P,SIMSUP) Controllable

It’s easy to check by inspection that SIMSUP prohibits the blocking se-quences listed above.

480 CHAPTER 8

Chapter 9

Supervisory Control of TimedDiscrete-Event Systems

The untimed DES model considered in previous chapters will be extended byincorporating a digital clock for measuring the passage of time as an integralcount of ‘ticks’. Correspondingly, each event will be assigned an integer timedelay and a (possibly infinite) integer deadline relative to the clock time of itslast enablement. The resulting ‘timed discrete-event systems’ (TDES) admita natural definition of event ‘forcing’, interpreted as preemption of the next‘tick’ of the clock. TDES allow quantitative temporal requirements such asthe minimization of a production cycle time.

9.1 Introduction

In this chapter we augment the framework of Chapters 3 and 4 with a timingfeature. The occurrence of an event, relative to the instant of its enablement,will be constrained to lie between a lower and upper time bound, synchro-nized with a postulated global digital clock. In this way we are able tocapture timing issues in a useful range of control problems. Timing intro-duces a new dimension of DES modeling and control, of considerable powerand applied interest, but also of significant complexity. Nevertheless, it will

481

482 CHAPTER 9

turn out that our previous concept of controllability, and the existence ofmaximally permissive supervisory controls, can be suitably generalized. Theenhanced setting admits subsystem composition (analogous to synchronousproduct), and the concept of forcible event as an event that preempts thetick of the clock. An example of a manufacturing cell illustrates how thetimed framework can be used to solve control synthesis problems which mayinclude logic-based, temporal and quantitative optimality specifications.

Our timed framework is amenable to computation in the style of TCT;the enhanced package, designed to be used with this text, is TTCT.

9.2 Timed Discrete-Event Systems

To develop the base model we begin with the usual 5-tuple of form

Gact = (A,Σact, δact, a0, Am)

except that the ‘state set’ often designated Q has been replaced with anactivity set A whose elements are activities a. While in principle the activityset need not be finite, in applications it nearly always is; here we shall restrictA to be finite for technical simplicity. Σact is a finite alphabet of event labels(or simply, events). We stress that, in the interpretation, activities haveduration in time, while events are instantaneous. The activity transitionfunction is, as expected, a partial function δact : A × Σact → A. An activitytransition is a triple [a, σ, a′], with a′ = δact(a, σ). In line with standardterminology, a0 is the initial activity and Am ⊆ A is the subset of markeractivities. Let N denote the natural numbers 0, 1, 2, .... In Σact, eachtransition (label) σ will be equipped with a lower time bound lσ ∈ N and anupper time bound uσ ∈ N∪ ∞. To reflect two distinct possibilities of basicinterest we partition Σact according to

Σact = Σspe ∪ Σrem

where ‘spe’ denotes ‘prospective’ and ‘rem’ denotes ‘remote’. If an event σis prospective, its upper time bound uσ is finite (0 ≤ uσ < ∞) and 0 ≤lσ ≤ uσ; while if σ is remote, we set uσ = ∞ and require 0 ≤ lσ < ∞.The modeling function of time bounds is straightforward: lσ would typicallyrepresent a delay, in communication or in control enforcement; uσ a hard

9.2 483

deadline, imposed by legal specification or physical necessity. The formalrole of time bounds will be treated in detail below. The triples (σ, lσ, uσ) willbe called timed events, and for these we write

Σtim := (σ, lσ, uσ)|σ ∈ Σact

For j, k ∈ N write [j, k] for the set of integers i with j ≤ i ≤ k, and let

Tσ =

[0, uσ] if σ ∈ Σspe

[0, lσ] if σ ∈ Σrem

Tσ will be called the timer interval for σ. We can now define the state set

Q := A×∏

Tσ|σ ∈ Σact

Thus a state is an element of form

q = (a, tσ|σ ∈ Σact)

where a ∈ A and the tσ ∈ Tσ; namely q consists of an activity a togetherwith a tuple assigning to each event σ ∈ Σact an integer in its timer intervalTσ. The component tσ of q will be called the timer of σ in q. If σ ∈ Σspe, thecurrent deadline for σ is tσ, while the current delay is maxtσ+ lσ−uσ, 0. Ifσ ∈ Σrem, the current delay is tσ (while the current deadline may be regardedas infinite). The value uσ (resp. lσ) for a prospective (resp. remote) event σwill be called the default value of tσ. The initial state is

q0 := (a0, tσ0|σ ∈ Σact)

where the tσ are set to their default values

tσ0 :=

uσ if σ ∈ Σspe

lσ if σ ∈ Σrem

The marker state subset will be taken to be of the form

Qm ⊆ Am ×∏

Tσ|σ ∈ Σact

namely a marker state comprises a marker activity together with a suitableassignment of the timers.

484 CHAPTER 9

We introduce one additional event, written tick, to represent ‘tick of theglobal clock’, and take for our total set of events

Σ := Σact ∪ tick

The state transition function will be defined in detail below; as expectedit will be a partial function

δ : Q× Σ → Q

We now writeG = (Q,Σ, δ, q0, Qm)

With the above definitions, including the partition of Σ as

Σ = Σspe ∪ Σrem ∪ tick

and an assignment of time bounds, G will be called a timed discrete-eventsystem (TDES). For the purpose of display we may employ the activity tran-sition graph (ATG) of G, namely the ordinary transition graph of Gact; andthe timed transition graph (TTG) ofG, namely the ordinary transition graphof G, incorporating the tick transition explicitly. In addition, by projectingout tick from L(G) we can derive the timed activity DES Gtact over Σact, anddisplay its transition structure as the timed activity transition graph (TATG)of G. While the TATG suppresses tick, it does incorporate the constraints onordering of activities induced by time bounds. As illustrated by Examples 1and 2 below, Gtact may be much more complex than Gact.

Before defining the behavioral semantics of the TDES G in detail, weprovide an informal summary. As is customary with DES, events are thoughtof as instantaneous and occurring at quasi-random moments of real timeR+ = t|0 ≤ t < ∞. However, we imagine measuring time only with aglobal digital clock with output tickcount: R+ → N, where

tickcount(t) := n, n ≤ t < n+ 1

Temporal conditions will always be specified in terms of this digital clocktime; real-valued time as such, and the clock function tickcount, will playno formal role in the model. The temporal resolution available for modelingpurposes is thus just one unit of clock time. The event tick occurs exactlyat the real time moments t = n (n ∈ N). As usual, G is thought of as a

9.2 485

generator of strings in Σ∗; intuitively G incorporates the digital clock, andthus its ‘generating action’ extends to the event tick.

Events are generated as follows. G starts from q0 at t = 0 and executesstate transitions in accordance with its transition function δ, i.e. by followingits TTG. δ(q, σ) is defined at a pair (q, σ), written δ(q, σ)!, provided (i) σ =tick, and no deadline of a prospective event in q is zero (i.e. no prospectiveevent is imminent); or (ii) σ is prospective, q = (a, ), δact(a, σ)!, and 0 ≤tσ ≤ uσ − lσ; or (iii) σ is remote, q = (a, ), δact(a, σ)!, and tσ = 0. An eventσ ∈ Σact is said to be enabled at q = (a, ) if δact(a, σ)!, and to be eligible if,in addition, its timer evaluation is such that δ(q, σ)!. Only an eligible event‘can actually occur’. If σ is not enabled, it is said to be disabled; if σ is noteligible, it is ineligible; an enabled but ineligible event will be called pending.

The occurrence of tick at q causes no change in the activity componenta of q; however, the timer components tσ are altered in accordance with thedetailed rules given below. The occurrence of σ ∈ Σact at q always resets tσto its default value; again, the effect on other timers will be described below.After σ ∈ Σact first becomes enabled, its timer tσ is decremented by 1 at eachsubsequent tick of the clock, until either tσ reaches zero, or σ occurs, or σ isdisabled as a result of the occurrence of some eligible transition (possibly σitself). If σ occurs, or becomes disabled owing to some transition to a newactivity, tσ is reset to its default value, where it is held until σ next becomesre-enabled, when the foregoing process repeats.

An event σ ∈ Σact cannot become eligible (and so, occur) prior to lσticks of the clock after it last became enabled. A prospective event σ cannotbe delayed longer than uσ − lσ ticks after tσ has ‘ticked down’ to uσ − lσ;thus when tσ ‘times out’ to 0, σ cannot be delayed except by preemptiveoccurrence of some other eligible event in Σact. A remote event σ can occurany time (although it need not occur at all), as long as it remains enabled, andprovided lσ ticks have elapsed after it last became enabled. It is importantto note that, because of its possible non-occurrence (even if continuouslyenabled) a remote event is not just a ‘limiting case’ of a prospective event.

With the above as guidelines we now provide the formal definition of δ.Write δ(q, σ) = q′, where

q = (a, tτ |τ ∈ Σact), q′ = (a′, t′τ |τ ∈ Σact)

Then δ(q, σ)! if and only if

(i) σ = tick and (∀τ ∈ Σspe)δact(a, τ)! ⇒ tτ > 0; or

486 CHAPTER 9

(ii) σ ∈ Σspe, δact(a, σ)!, and 0 ≤ tσ ≤ uσ − lσ; or

(iii) σ ∈ Σrem, δact(a, σ)!, and tσ = 0

The entrance state q′ is defined as follows.

(i) Let σ = tick. Then a′ := a, and

if τ is prospective, t′τ :=

uτ if not δact(a, τ)!tτ − 1 if δact(a, τ)! and tτ > 0

(Recall that if τ is prospective, δact(a, τ)! and tτ = 0 then not δ(q, tick)!)

if τ is remote, t′τ :=

lτ if not δact(a, τ)!tτ − 1 if δact(a, τ)! and tτ > 00 if δact(a, τ)! and tτ = 0

(ii) Let σ ∈ Σact. Then a′ := δact(a, σ), and

if τ = σ and τ is prospective, t′τ :=

uτ if not δact(a

′, τ)!tτ if δact(a

′, τ)!if τ = σ and σ is prospective, t′τ := uσ

if τ = σ and τ is remote, t′τ :=

lτ if not δact(a

′, τ)!tτ if δact(a

′, τ)!if τ = σ and σ is remote, t′τ := lσ

To complete the general definition of TDES we impose a final technicalcondition, to exclude the physically unrealistic possibility that a tick tran-sition might be preempted indefinitely by repeated execution of an activityloop within a fixed unit time interval. A TDES is said to have an activityloop if

(∃q ∈ Q)(∃s ∈ Σ+act)δ(q, s) = q

We rule this out, and declare that all TDES must be activity-loop-free (alf),namely

(∀q ∈ Q)(∀s ∈ Σ+act)δ(q, s) = q

It should be stressed that the alf condition refers to the timed transitionstructure, not to the activity transition structure. The latter may quitesafely contain loops provided the time bounds associated with the relevantevents in Σact are appropriate.

9.3 487

With the definition of TDES transition structure now complete, the Σ∗

behavioral semantics of G is defined in the usual way: the closed behaviorL(G) of G is the subset of all strings in Σ∗ that can be generated by iterationof δ starting from q0 (i.e. the strings s such that δ(q0, s)!); while the markedbehavior Lm(G) is the subset of all strings in L(G) for which the terminalstate belongs to Qm (i.e. the strings s such that δ(q0, s) ∈ Qm). Note thata TDES never ‘stops the clock’: at any state either some transition [ , σ, ]with σ ∈ Σact is eligible, or at least the tick transition is defined. By activity-loop-freeness, no infinite (Σω−) string generated by the transition structureof a TDES can be tick-free; indeed in any infinite string tick must occurinfinitely often.1

Exercise 1: Verify the foregoing remark in detail. That is, if Q is finite andthe activity-loop-freeness (alf) condition holds for G, then every string inL(G) can be extended in L(G) (i.e. by use of the TDES transition structure)to include an additional occurrence of tick, and no string can be extendedindefinitely without an occurrence of tick. This shows that in every infinitestring generated by TDES, tick must occur infinitely often.

9.3 Example 1

The following example illustrates how timing constraints can strongly influ-ence complexity of the language generated by a TDES. Let

Gact = (A,Σact, δact, a0, Am)

withΣact = α, β, A = Am = 0, a0 = 0

δact(0, α) = δact(0, β) = 0

and timed events (α, 1, 1), (β, 2, 3), both prospective. The ATG for Gact issimply:

0α, β

1Here the fact that A, and so Q, are finite sets is crucial.

488 CHAPTER 9

0

α

t

t

t

α

α

β

β

β

1

2

3 4

5

67

α

β

Fig. 9.1. Timed Transition Graph, Example 1

State (node of TTG): 0 1 2 3 4 5 6 7Components [tα, tβ]: [1,3] [0,2] [1,2] [0,1] [0,3] [1,1] [0,0] [1,0]

Thus α, β are always enabled. The state set for G is

Q = 0 × Tα × Tβ = 0 × [0, 1]× [0, 3]

and has size |Q| = 8. We take Qm = (0, [1, 3]). The TTG for G is easilyconstructed and is displayed in Fig. 9.1; it has 11 transitions, over the eventset α, β, tick; the pairs [tα, tβ] corresponding to the states (0, tα, tβ) ofG are listed below. The event α is pending at states 0,2,5,7 and eligible atstates 1,3,4,6, while β is pending at 0,1,2,4 and eligible at 3,5,6,7. Notice thattick is preempted by α or β if either of these events has deadline 0 (namelyis imminent).

9.3 489

To obtain the TATG of G we require a projection operation on TDESdefined (in outline) as follows. Let G be an arbitrary TDES, over the al-phabet Σ, with closed and marked behaviors L(G), Lm(G) respectively. LetΣpro ⊆ Σ and write Σnul := Σ − Σpro. Let P : Σ∗ → Σ∗

pro be the naturalprojection whose action on a string s ∈ Σ∗ is just to erase any symbols ofΣnul that appear in s. Now let Gpro be any TDES over Σpro with closed andmarked behaviors

L(Gpro) := PL(G), Lm(Gpro) := PLm(G)

If the state set of G is finite, it is convenient in practice to select Gpro suchthat its state set is of minimal size. In any case, for a suitable determinationof Gpro we can define an operation project according to

Gpro = project(G,null[Σnul])

In examples Σnul will be written as a list. We can now specify the TATG ofG as

Gtact = project(G,null[tick])

For the example of this section the result is displayed in Fig. 9.2. Noticethat Gtact happens to have just as many states (8) as G, illustrating thelogical complexity that may be induced on the ordering of events by timebounds. This ordering, which could also be thought of as a set of phaserelationships, is exhibited in the TATG (Fig. 9.2) but not in the ATG (above).

αβ

β αα

α

α

α α

β

β β

Fig. 9.2. Timed Activity Transition Graph, Example 1

490 CHAPTER 9

9.4 Example 2

Let Σ = α, β, γ with the timed events α, β as in Example 1. Adjoin tothe structure of Example 1 the timed remote event (γ, 2,∞) with activ-ity transition [0, γ, 0]; Gact is otherwise unchanged. The state size of Gturns out to be |Q| = 24, with 41 transitions. It is found that Gtact :=project(G,null[tick]) has 52 states and 108 transitions, thus being evenmore complex than G itself! While at first glance surprising, inasmuch asthe occurrence or non-occurrence of γ does not appear to constrain that of αor β, this result can be thought of as a consequence of the nondeterminismcreated in the transition structure of G when tick is first projected out: anincrease in complexity is the penalty exacted (by project) for replacing thisnondeterministic description by a behaviorally equivalent deterministic one.

9.5 Time Bounds as Specifications

The imposition of time bounds on an event σ ∈ Σact can be thought ofas a specification over the alphabet σ, tick. If σ ∈ Σspe, with bounds0 ≤ lσ ≤ uσ, then the corresponding DES, say SPECσ, will have state set0, ..., uσ, with transitions [i, tick, i + 1] for 0 ≤ i ≤ uσ − 1, together with[i, σ, 0] for lσ ≤ i ≤ uσ. To state i corresponds the evaluation tσ = uσ − i.Similarly if σ ∈ Σrem, with bound lσ, 0 ≤ lσ <∞, then SPECσ has state set0, ..., lσ, with transitions [i, tick, i+ 1] for i = 0, ..., lσ − 1, [lσ, tick, lσ], and[lσ, σ, 0]. To state i corresponds the evaluation tσ = lσ− i. The specificationsfor the events α, β, γ of Examples 1 and 2 are displayed in Fig. 9.3.

It should be observed that in SPECσ all events other than σ are ignored,in particular events whose occurrence may reinitialize SPECσ by transitionto an activity where σ is disabled. Unfortunately there seems to be no simpleway to obtain G by straightforward combination of Gact with the SPECσ.In general, to obtain G (or its reachable subgraph) one must compute thereachable subset of Q, starting from q0 and systematically examining thetimed transition rules (for δ) in conjunction with the transition structure(δact) of Gact.

9.6 491

tSPECα

α

tSPECβ

β

t t

β

tSPECγ

β

tt

Fig. 9.3. Time Bound Specifications, Examples 1 and 2

9.6 Composition of TDES

Complex TDES can be built up from simpler ones by a composition operatorcomp. Let G1,G2 be TDES, over alphabets Σ1,Σ2 respectively, where Σi =Σi,act ∪ tick. In general Σ1,act,Σ2,act need not be disjoint. To form thecomposition G = comp(G1,G2) we start by defining the alphabet of Gas Σ1 ∪ Σ2, and the activity transition structure of G as the synchronousproduct of the component activity structures:

Gact = sync(G1,act,G2,act)

The time bounds (lσ, uσ) in G of an event

σ ∈ (Σ1,act − Σ2,act) ∪ (Σ2,act − Σ1,act)

492 CHAPTER 9

remain unchanged from their definition in the corresponding componentstructure, while if σ ∈ Σ1,act ∩ Σ2,act then its time bounds in G are definedin obvious notation to be

(lσ, uσ) = (maxl1,σ, l2,σ,minu1,σ, u2,σ)

provided lσ ≤ uσ. If the latter condition is violated for any σ then thecomposition G is considered undefined. Thus the component TDES withthe greater lower time bound (respectively smaller upper time bound) deter-mines the timing behavior of the composition. This convention extends theprinciple that synchronous product represents an agreement between com-ponents that a transition with a shared label can be executed when andonly when the conditions imposed on its execution by each component aresatisfied.2

Provided the time bound conditions as stated above are satisfied, thecomposition G is now fully defined; clearly the alf condition will be true forthe composition if it is true for each component.

Since synchronous product is associative, as a binary operation on theunderlying languages, it follows that composition is associative in this senseas well.

It is important to stress that comp(G1,G2) is in general quite differentfrom the result of forming the synchronous product of the timed transitionstructures ofG1 andG2, for the latter would force synchronization of the ticktransition as it occurs in the component TTGs. Such a rule of compositionplaces a constraint on the interaction of component TDES that proves unre-alistic for the modeling requirements in many applications; it may even leadto temporal deadlock (‘stopping the clock’) as in the example of Section 9.7.

Exercise 1: Let G1, G2 be TDES with Σ1,act ∩ Σ2,act = ∅. Show that, inthis special case,

comp(G1,G2) ≈ sync(G1,G2)

where ≈ denotes that the closed and marked behaviors respectively of thetwo TDES on either side coincide.

2While this convention respects physical behavior in many applications it need not beconsidered sacrosanct for all future modeling exercises.

9.7 493

9.7 Example 3

β

αG1

β

βG2

γ

α

γ

β γ β α

γ

G

Fig. 9.4. Activity Transition Graphs, Example 3

Consider the TDES G1,G2 with ATGs displayed in Fig. 9.4; Σ1,act =α, β, Σ2,act = β, γ; time bounds are as in Example 2. LetG= comp(G1,G2)(17,21). The ATG of G is also shown in Fig. 9.4; as the time bounds forthe shared event label β are the same in G1 and G2, the time bounds forΣact = α, β, γ are as specified already. While the structure of G is fairlyrich, and admits strings of arbitrary length, the synchronous product of thetimed transition graphs of G1 and G2 turns out to have a closed behaviorwhich terminates with deadlock (i.e. no subsequent transition is defined)after just 9 transitions.3 Thus, it does not even represent a TDES.

Exercise 1: Verify this example using TTCT. Explain why the timed be-havior fails to be nonblocking.

3The language generated is the closure of the string pairtick α tick2 β tick2 (γ tick | tick γ).

494 CHAPTER 9

9.8 Controllability of TDES

To use TDES as models for supervisory control, it is necessary to specifythe ways in which TDES transitions can be controlled by an external agentor supervisor. From a theoretical viewpoint it is natural and convenient toimpose two criteria on our ‘control technology’: (i) control should at mostrestrict uncontrolled behavior, never enlarge it; and (ii) controlled behaviorsubject to a specification constraint should admit optimization in the senseof maximal permissiveness.

By analogy with our theory of untimed DES, we first seek the counterpartof ‘controllable events’, namely transitions that can be disabled. Intuitively,if an event can be ‘disabled’, then it can be prevented indefinitely fromoccurring. In view of (i) this suggests that only remote events may belongto this category, for if a prospective event were disabled then it might beprohibited from occurring even when imminent and when no competing eventis eligible to preempt it. This situation would result in behavior that couldnever be realized in the absence of control. On this basis we bring in a newsubset Σhib ⊆ Σrem to label the prohibitible events. Our ‘technology’ willpermit the supervisor to erase a prohibitible event from the current list ofeligible transitions at a given state q of the supervised TDES. Of course, justas in the original model, the erased event may be reinstated if and when Grevisits q on a subsequent occasion.

The following example may render the notion of ‘prohibitible’ clearer.Suppose σ is a remote event with lower time bound lσ = b, and whoseoccurrence causes an ATG transition [0, σ, 1], after which σ is disabled. Thecorresponding TTG, say G, is displayed below, where t means tick.

σt t

b b+ 10 1

t t

With states b,b+ 1 marked, G can be thought of as generating the language

tbt∗ ∪ tbt∗σt∗

The first of these sublanguages can be interpreted as the behavior ‘event σnever occurs at all’, while the second says that ‘after at least b ticks, σ occurs

9.8 495

eventually, but with no hard deadline’. Notice that in Σ∗-semantics, ‘never’means ‘not in any finite time’; but as Σ∗ contains only finite strings we canprovide no ‘witness’ string (tω) of infinite length and free of σ. Now supposeσ is prohibitible; then disabling σ at state b will guarantee its nonoccurrence(ever); and doing so will respect the principle that controlled behavior shouldbe a sublanguage of uncontrolled behavior.

Next we consider a new category of events that arises naturally in thepresence of timing: the forcible events, or elements of a new subset Σfor ⊆Σact. A forcible event is one that can preempt a tick of the clock. If at agiven state of G, tick is defined and one or more elements of Σfor are eligible,then our supervisory control technology permits the effective erasure of tickfrom the current list of defined events, namely the guaranteed preemptiveoccurrence of some one of the eligible events in Σact, whether a member ofΣfor or otherwise. Thus forcible events are ‘events of last resort to beat theclock’. There is no particular relation postulated a priori between Σfor andany of Σhib, Σrem or Σspe. In particular an event in Σrem might be bothforcible and prohibitible.

It is convenient to define the uncontrollable event set

Σunc := Σact − Σhib

= Σspe ∪ (Σrem − Σhib)

Eligible events in Σunc can never be erased by control action. Finally, wedefine the (complementary) controllable event set

Σcon := Σ− Σunc

= Σhib ∪ tick

Note that a forcible event may be controllable or uncontrollable; a forcibleevent that is uncontrollable cannot be directly prevented from occurring bydisablement.4 Also, while formally designated ‘controllable’ to simplify ter-minology, the status of tick lies intuitively between ‘controllable’ and ‘uncon-trollable’: no technology could ‘prohibit’ tick in the sense of ‘stopping theclock’, although a forcible event, if eligible, may preempt it.

Exercise 1: ‘Delayable’ events

4An instance: air defense could force a plane to land within 20 minutes (say) but notprevent it from landing eventually; the landing is forcible but not controllable.

496 CHAPTER 9

Consider an event α that is both prohibitible and forcible, with the re-quirement that α occur no earlier than 2 ticks (from enablement) and nolater than 4 ticks. Provide the corresponding specification (as a languageover the full alphabet). More generally, suppose the requirement is that αbe delayed until some other event β occurs, but not for longer than 4 ticks,and that when α does occur, β is disabled. Assume, for instance, that β isuncontrollable and has time bounds (0,∞). Show that this specification canbe modeled on a structure with 11 states.

The simplest way to visualize the behavior of a TDES G under supervi-sion is first to consider the (infinite) reachability tree of G before any controlis operative. Each node n of the tree corresponds to a unique string s of L(G)(of course, over the full alphabet Σ including tick). At n we may define thesubset of eligible events, say EligG(s) ⊆ Σ. Thus

EligG(s) := σ ∈ Σ|sσ ∈ L(G)

Henceforth we shall use the term ‘eligible’ in this extended sense, to applyto tick as well as to events in Σact. By our assumptions on G, EligG(s) = ∅for all s ∈ L(G). A supervisor will be considered a decision-maker that, atn, selects a nonempty subset of EligG(s) in accordance with the rules statedabove. It is now clear that, under these rules, our criterion (i) is satisfied,and it will later be shown that criterion (ii) is satisfied as well.

To formalize the rules we proceed as follows. Define a supervisory controlto be any map V : L(G) → Pwr(Σ) such that, for all s ∈ L(G),

V (s) ⊇

Σunc ∪ (tick ∩ EligG(s))

if V (s) ∩ EligG(s) ∩ Σfor = ∅Σunc if V (s) ∩ EligG(s) ∩ Σfor = ∅

Notice that if V ′ and V ′′ are both supervisory controls, then so is V :=V ′ ∨ V ′′, defined by V (s) := V ′(s) ∪ V ′′(s). This property will imply thesatisfaction of criterion (ii).

Fix a supervisory control V . The remainder of the discussion proceeds byanalogy with Chapter 3. Write V/G to denote the pair (G, V ) (‘G under thesupervision of V ’). The closed behavior of V/G is the language L(V/G) ⊆L(G) defined inductively according to:

(i) ϵ ∈ L(V/G)

9.8 497

(ii) If s ∈ L(V/G), σ ∈ V (s), and sσ ∈ L(G) then sσ ∈ L(V/G)

(iii) No other strings belong to L(V/G)

Thus ϵ ⊆ L(V/G) ⊆ L(G), and L(V/G) is nonempty and closed. Themarked behavior of V/G is

Lm(V/G) = L(V/G) ∩ Lm(G)

and thus ∅ ⊆ Lm(V/G) ⊆ Lm(G). As usual we say V is nonblocking for Gprovided

Lm(V/G) = L(V/G)

Exercise 2: Show that, for all s ∈ L(G),

V (s) ∩ EligG(s) = ∅

We shall characterize those sublanguages of Lm(G) that qualify as themarked behavior of some supervisory control V . First let K ⊆ L(G) bearbitrary, and write

EligK(s) := σ ∈ Σ|sσ ∈ K, s ∈ Σ∗

We define K to be controllable (with respect to G) if, for all s ∈ K,

EligK(s) ⊇

EligG(s) ∩ (Σunc ∪ tick) if EligK(s) ∩ Σfor = ∅EligG(s) ∩ Σunc if EligK(s) ∩ Σfor = ∅

Thus K controllable means that an event σ (in the full alphabet Σ includ-ing tick) may occur in K if σ is currently eligible in G and either (i) σ isuncontrollable, or (ii) σ = tick and no forcible event is currently eligible inK. The effect of the definition is to allow the occurrence of tick (when it iseligible in G) to be ruled out of K only when a forcible event is eligible in Kand could thus (perhaps among other events in Σact) be relied on to preemptit. Notice, however, that a forcible event need not preempt the occurrenceof competing non-tick events that are eligible simultaneously. In general ourmodel will leave the choice of tick-preemptive transition nondeterministic.

In one form or another, the notion of forcing as preemption is inherent incontrol. Our notion of forcing is ‘weakly preemptive’, in that only the clock

498 CHAPTER 9

tick is assuredly preempted if forcing is invoked; however, the preemptiveoccurrence of a competing non-forcible but eligible event is not ruled out.A more conventional notion of forcing would require ‘strong preemption’,namely that a forcible event actually preempt any competing eligible event. Ifthe control technology to be modeled actually admits ‘forcing’ in the stronglypreemptive sense just indicated, then that feature would be modeled in oursetup by suitably defining the activity transition structure.5

Notice finally that the controllability of K is a property only of K, andthat the languages ∅, L(G), and Σ∗ are all trivially controllable.

Our first main result is the analog of Theorem 3.4.3. Since the tick tran-sition needs special treatment, the proof will be given in full.

Theorem 3Let K ⊆ Lm(G), K = ∅. There exists a nonblocking supervisory control

V for G such that Lm(V/G) = K if and only if

(i) K is controllable with respect to G, and

(ii) K is Lm(G)-closed

Proof(If) For s ∈ K define

V (s) := Σunc ∪ (Σcon ∩ EligK(s))

while if s ∈ L(G)− K assign the ‘don’t care’ value

V (s) := Σ

First of all, V really is a supervisory control. Indeed, V (s) ⊇ Σunc always.Next, if

V (s) ∩ EligG(s) ∩ Σfor = ∅

thenΣunc ∩ EligG(s) ∩ Σfor = ∅

5For instance, if a forcible event σ = ‘stop’ is to strictly preempt κ = ‘collision’, themodel requires interposing at least one tick between σ and κ, and a structure in which σcauses transition to an activity where κ is disabled. This seems quite intuitive on physicalgrounds.

9.8 499

andΣcon ∩ EligK(s) ∩ Σfor = ∅

Therefore(Σunc ∪ Σcon) ∩ EligK(s) ∩ Σfor = ∅

i.e.EligK(s) ∩ Σfor = ∅

By controllability of K,

tick ∩ EligG(s) ⊆ EligK(s)

and sotick ∩ EligG(s) ⊆ V (s)

as required.Next we show that L(V/G) = K and begin with L(V/G) ⊆ K. We have

ϵ ∈ L(V/G) by definition, and ϵ ∈ K since K = ∅. Arguing by induction,let s ∈ L(V/G), s ∈ K, sσ ∈ L(V/G). Then σ ∈ V (s) ∩ EligG(s). Ifσ ∈ Σunc then σ ∈ EligG(s) ∩ Σunc, so σ ∈ EligK(s) since K is controllable.If σ ∈ Σcon∩EligK(s) then again σ ∈ EligK(s). In either case σ ∈ EligK(s), sosσ ∈ K. For K ⊆ L(V/G), we proceed similarly, letting s ∈ K, s ∈ L(V/G),sσ ∈ K. If σ ∈ Σunc then σ ∈ V (s). Since sσ ∈ K we have sσ ∈ L(G) andso sσ ∈ L(V/G). If σ ∈ Σcon then σ ∈ Σcon ∩ EligK(s), i.e. σ ∈ V (s), andagain sσ ∈ L(V/G). We have now proved L(V/G) = K.

Finally

Lm(V/G) = L(V/G) ∩ Lm(G) (by definition)

= K ∩ Lm(G)

= K (since K is Lm(G)-closed)

and Lm(V/G) = K = L(V/G), so V is nonblocking for G.(Only if) Let V be a nonblocking supervisory control forG with Lm(V/G) =

K. Since V is nonblocking, we have L(V/G) = K, so

K = L(V/G) ∩ Lm(G) = K ∩ Lm(G)

i.e. K is Lm(G)-closed. To show that K is controllable let s ∈ K, so s ∈L(V/G), and by definition of L(V/G),

EligK(s) = V (s) ∩ EligG(s)

500 CHAPTER 9

ThusEligK(s) ⊇ Σunc ∩ EligG(s)

always. Also if EligK(s) ∩ Σfor = ∅ then

V (s) ∩ EligG(s) ∩ Σfor = ∅

Because V is a supervisory control,

V (s) ⊇ tick ∩ EligG(s)

henceEligK(s) ⊇ tick ∩ EligG(s)

as required. So K is controllable, as claimed. 2

For brevity we refer to a nonblocking supervisory control (for G, under-stood) as an NSC. It is useful to introduce a slight generalization of NSC inwhich the supervisory action includes marking as well as control. For this,let M ⊆ Lm(G). Define a marking nonblocking supervisory control for thepair (M,G), or MNSC, as a map V : L(G) → Pwr(Σ) exactly as before; butnow for the marked behavior of V/G we define

Lm(V/G) = L(V/G) ∩M

One may think of the marking action of the MNSC V as carried out by arecognizer for M that monitors the closed behavior of V/G, sounding a beepexactly when a string inM has been generated. As a sublanguage of Lm(G),these strings could be thought of as representing a subset of the ‘tasks’ thatG(or its underlying physical referent) is supposed to accomplish. For instancein a manufacturing problem, one might define a ‘batch’ to consist of 10 fullyprocessed workpieces. M might then be taken as the set of strings thatrepresent the successful processing of N integral batches, N ≥ 0, with allmachines returned to the idle state and all buffers empty.

The counterpart result to Theorem 3 actually represents a simplification,as the condition of Lm(G)-closedness can now be dropped.

Theorem 4Let K ⊆ Lm(G), K = ∅. There exists an MNSC V for (K,G) such that

Lm(V/G) = K

9.9 501

if and only if K is controllable with respect to G.

Proof(If) With V defined as in the proof of Theorem 3, it may be shown as

before that L(V/G) = K. Then

Lm(V/G) = L(V/G) ∩K = K ∩K = K

so that Lm(V/G) = K = L(V/G), namely V is nonblocking for G.(Only if) We have K = Lm(V/G) = L(V/G). Then the proof that K is

controllable is unchanged from that of Theorem 3. 2

9.9 Supremal Controllable Sublanguages and

Optimal Supervision

Let G = ( ,Σ, , , ) be a controlled TDES with Σ partitioned as in theprevious section. Let E ⊆ Σ∗. As in Chapter 3, we introduce the set of allsublanguages of E that are controllable with respect to G:

C(E) = K ⊆ E|K is controllable with respect to G

Proposition 1C(E) is nonempty and is closed under arbitrary unions.

ProofSince the empty language is trivially controllable, C(E) = ∅. Suppose

K1, K2 ∈ C(E). Let K = K1 ∪ K2; then K = K1 ∪ K2. For any s ∈ Σ∗,clearly

EligK(s) = EligK1(s) ∪ EligK2

(s)

Let s ∈ K. Since at least one of the two subsets on the right satisfiesthe inclusion condition appearing in the definition of controllability, so doesEligK(s), and therefore K is controllable. Extension of the argument to anarbitrary union is obvious. 2

We may now assert the existence of a unique supremal element sup C(E)in E.

502 CHAPTER 9

Let E,L ⊆ Σ∗. We say that E is L-marked if E ⊇ E ∩ L, namely anyprefix of E that belongs to L must also belong to E.

Proposition 2Let E ⊆ Σ∗ be Lm(G)-marked. Then sup C(E∩Lm(G)) is Lm(G)-closed.

ProofWe have E ⊇ E ∩ Lm(G), from which there follows in turn

E ∩ Lm(G) ⊆ E ∩ Lm(G)

E ∩ Lm(G) ∩ Lm(G) ⊆ E ∩ Lm(G)

E ∩ Lm(G) ∩ Lm(G) ⊆ E ∩ Lm(G)

so that F := E ∩ Lm(G) is Lm(G)-closed. Let K = supC(F ). If K is notLm(G)-closed, i.e. K ⫋ K ∩ Lm(G), there is a string s ∈ K ∩ Lm(G) withs ∈ K. Let J = K ∪ s. Since J = K we have that J is controllable. AlsoK ⊆ F implies that

K ∩ Lm(G) ⊆ F ∩ Lm(G) = F

so that s ∈ F and thus J ⊆ F . Therefore J ∈ C(F ) and J ⫌ K, contradictingthe fact that K is supremal. 2

Now we can present the main result of this section.

Theorem 3Let E ⊆ Σ∗ be Lm(G)-marked, and let K = supC(E ∩ Lm(G)). If

K = ∅, there exists a nonblocking supervisory control (NSC) V for G suchthat Lm(V/G) = K.

ProofK is controllable and, by Proposition 2, Lm(G)-closed. The result follows

by Theorem 9.8.3. 2

As in Chapter 3, the result may be paraphrased by saying that K is (ifnonempty) the maximally permissive (or minimally restrictive) solution ofthe problem of supervising G in such a way that its behavior belongs to Eand control is nonblocking. In this sense the supervisory control provided byTheorem 3 is (qualitatively) optimal.

9.10 503

As might be expected, if we place part of the burden of ‘marking action’on the supervisory control itself we may relax the prior requirement on E. Byan application of Theorem 9.8.4 the reader may easily obtain the followinganalog of Theorem 3.4.5.

Theorem 4Let E ⊆ Σ∗ and letK = supC(E∩Lm(G)). IfK = ∅ there exists a mark-

ing nonblocking supervisory control (MNSC) forG such that Lm(V/G) = K.2

Finally, the implementation of supervisory controls by automata is for-mally no different from procedures already described in Section 3.6.

Exercise 5: Specialization of timed to untimed supervisory controlInvestigate how the TDES control theory can be specialized to the un-

timed theory. Provide an example where you run an untimed problem usingTTCT. Note that the specialization should be legal within the frameworkof TDES. So, while tick must remain in the model, the timers should placeno logical constraints on the occurrence of activity events. Finally the cor-responding TCT solution of the untimed problem should be obtainable byprojecting tick out of the solution in TTCT.

9.10 Example 4: Endangered Pedestrian

Consider two TDES

BUS = (a, g, pass, [a, pass, g], a, g), (pass, 2, 2)

PED = (r, c, jump, [r, jump, c], r, c), (jump, 1,∞)

(where in place of δ we merely list the one activity transition). These modelrespectively a bus that makes a single transition pass between the activi-ties ‘approaching’ and ‘gone by’, and a pedestrian who may make a singletransition jump from ‘road’ to ‘curb’. These entities are combined in theTDES

BP = comp(BUS,PED)

The ATG and TTG of BP are displayed in Fig. 9.5.

504 CHAPTER 9

We bring in ‘control technology’, with the assumption

Σhib = Σfor = jump

However, nothing can stop the bus from passing in the interval between 2and 3 ticks of the clock.

Suppose it is required that the pedestrian be saved. As a first scenario,we specify a TDES that imposes no a priori timing constraints on events,but merely requires the pedestrian to jump before the bus passes:

p

p

j j

(g,c)

(g,r)

(a,c)

BP: ATG

(a,r)

p

p

t tt

jjj

tt

BP: TTG

Fig. 9.5. Activity and Timed Transition Graphs for BP

pj

S1 S2S0

t tt

pj

S1 S2S0

Fig. 9.6. Activity and Timed Transition Graphs for SAVE

9.10 505

SAVE = (s0, s1, s2, jump, pass, [s0, jump, s1], [s1, pass, s2], s0, s2)

with set of timed events Σtim = (jump, 0,∞), (pass, 0,∞). The ATGand TTG are displayed in Fig. 9.6; the TTG is obtained from the ATG byselflooping tick.

Here and later we use the operation meet, defined on TDES according to

G3 = meet(G1,G2)

where L(G3) := L(G1) ∩ L(G2), Lm(G3) := Lm(G1) ∩ Lm(G2). As usualwith such operations it is understood that meet is uniquely defined at im-plementation.

tt

p

t

j j

t

Fig. 9.7. Timed Transition Graph: BPSAVE

Now we can bring in the relevant (‘physically possible’) strings of L(SAVE)as those shared with BP, namely the behavior(s) of

BPSAVE = meet(BP,SAVE)

as displayed in the TTG of Fig. 9.7. The closed behavior L(BPSAVE) isnot controllable, since

EligBP(tick2) ∩ Σfor = jump = ∅, EligBP(tick

2) ∩ Σunc = pass

butEligBPSAVE(tick

2) = jumpEvidently, after tick2 nothing can prevent the bus from passing before thepedestrian jumps. But all is not lost: Lm(BPSAVE) has the supremalcontrollable sublanguage Lm(BPSAFE) as in Fig. 9.8. Note that, whiletick ∈ EligBP(tick), nonetheless

506 CHAPTER 9

t

p

t

j

t

Fig. 9.8. Timed Transition Graph: BPSAFE

EligBP(tick) ∩ Σfor = jump = ∅, EligBP(tick) ∩ Σunc = ∅

and thus the second tick can be reliably preempted by the forcible event jump(i.e. the pedestrian can be ‘forced’ to jump between the first tick and thesecond).

In a less optimistic scenario the pedestrian is again supposed to be saved,but at least 2 ticks must elapse from initialization before a jump (perhapsthe pedestrian is handicapped); since jump ∈ Σhib, the string tick.jumpcan surely be prohibited as a prefix of controlled behavior. The resultingspecification PRISK is shown in Fig. 9.9. Just as for BPSAVE, it is un-controllable; but now the supremal controllable sublanguage of Lm(PRISK)is empty, and the control problem is unsolvable.

tt

p

t

j

t

Fig. 9.9. Timed Transition Graph: PRISK

As a more complicated variation, suppose the bus can be stopped by atraffic officer and held up for 1 tick. Introduce NEWBUS, like BUS but

9.10 507

with new timed events (stop, 0,∞) with stop ∈ Σfor ∩ Σhib, and (wait, 1, 1),having ATG in Fig. 9.10. With the string delay1 := stop.tick, wait the TTGof NEWBUS can be displayed as in Fig. 9.11. In effect, delay1 can be usedto preempt tick at any state of the TTG where both are defined, althoughit cannot be relied on to preempt pass if pass is imminent. By use of delay1safety of the handicapped pedestrian can be guaranteed, for instance byforcing stop initially but disabling stop thereafter.

p

s w

Fig. 9.10. Activity Transition Graph: NEWBUS

t

t t p

d1

d1d1

Fig. 9.11. Timed Transition Graph: NEWBUS

Exercise 1: Work out the details for NEWBUS using TTCT.

9.11 Example 5: Timed Manufacturing Cell

The manufacturing cell of Fig. 9.12 consists of machinesMACH1,MACH2,with an input conveyor CONV1 as an infinite source of workpieces andoutput conveyor CONV2 as an infinite sink. Each machine may process twotypes of parts, p1 and p2; and each machine is liable to break down, but then

508 CHAPTER 9

may be repaired. For simplicity, the transfer of parts between machines willbe absorbed as a step in machine operation. The machine ATGs (identicalup to event labeling) are displayed in Fig. 9.13 and the timed events listedbelow.

MACH1 MACH2

CONV1 CONV2

p1:

p2:

MACH1, MACH2: numerically controlled machines

CONV1: incoming conveyor (infinite source)

CONV2: outgoing conveyor (infinite sink)

Fig. 9.12. Manufacturing Cell

MACHi, i = 1; 2

αi1 αi2

βi2βi1

λi λiµi

Fig. 9.13. Numerically Controlled Machines

9.11 509

MACH1 : (α11, 1,∞) (β11, 3, 3) (α12, 1,∞) (β12, 2, 2)

(λ1, 0, 3) (µ1, 1,∞)

MACH2 : (α21, 1,∞) (β21, 1, 1) (α22, 1,∞) (β22, 4, 4)

(λ2, 0, 4) (µ2, 1,∞)

Here αij is the event ‘MACHi starts work on a pj-part’, while βij is ‘MACHifinishes working on a pj-part’; λi, µi represent respectively the breakdown6

and repair of MACHi. We take

Σfor = αij|i, j = 1, 2, Σunc = λi, βij|i, j = 1, 2

Σhib = Σfor ∪ µ1, µ2

The TTGs of MACH1 and MACH2 are shown in Figs. 9.14, 9.15.

We shall impose (i) logic-based specifications, (ii) a temporal specification,and (iii) a quantitative optimality specification as follows:

(i) • a given part can be processed by just one machine at a time• a p1-part must be processed first by MACH1 and then by MACH2• a p2-part must be processed first by MACH2 and then by MACH1• one p1-part and one p2-part must be processed in each productioncycle• if both machines are down, MACH2 is always repaired beforeMACH1

6Since breakdown may occur only when a machine is working, the upper time bounduλ assigned to a breakdown event need not exceed the (finite) upper time bound uβ forcompletion of the corresponding work cycle. The uλ could be replaced by anything larger,including ∞, without affecting behavior.

510 CHAPTER 9

t t t t t

11

12

1

t

1

1

t

MACH1

t

1

1

1

1

1

t

11

12

Fig. 9.14. TTG of MACH1

t t t t t

t

α21 α22

MACH2

β22

β21 t

µ2 t

λ2

λ2λ2

λ2λ2

λ2 λ2t

Fig. 9.15. TTG of MACH2

9.11 511

(ii) in the absence of breakdown/repair events a production cycle must becompleted in at most 10 time units

(iii) subject to (ii), production cycle time is to be minimized

The first three specifications (i) are formalized as generalized TDES7 SPEC1-SPEC4, displayed in Fig. 9.16, while the fourth specification (i) is formalizedas SPEC5, Fig. 9.17, and the fifth (breakdown/repair) as SPEC6, Fig. 9.18.It can be verified that, in fact, SPEC1 and SPEC2 are automatically en-forced by SPEC3 and SPEC4 together. We therefore define the completelogic-based specification

SPEC1 SPEC2

SPEC3 SPEC4

β21, λ2

α21α11

**∗∗

α12 α22

β12, λ1 β22, λ2

β11 β22

α11, β21, ∗ α22, β12, ∗∗

∗ = t, α12, β12, α22, β22, λ1, λ2, µ1, µ2

∗

α21 α12

∗, λ1

∗∗, λ2

∗∗, λ1

∗∗ = t, α11, β11, α21, β21, λ1, λ2, µ1, µ2

*,λ2

β11, λ1

∗∗, λ1, λ2

∗ = t, α12, β12, α22, β22, µ1, µ2 ∗∗ = t, α11, β11, α21, β21, µ1, µ2

∗, λ1, λ2

Fig. 9.16. SPEC1 − SPEC4

7We refer to any DES over an alphabet which includes tick as a generalized TDES; itneed not be a (strict) TDES constructed according to the rules in Section 9.2. GeneralizedTDES are needed to model specifications and supervisors.

512 CHAPTER 9

β21

β12

SPEC5

β12

β21

∗

∗

∗

∗

∗ = ft;α11;β11;α12;α21;α22;β22;λ1;λ2;µ1;µ2g

Fig. 9.17. SPEC5

λ2

SPEC6

∗ = ft;α11;β11;α12;β12;α21;β21;α22;β22;λ1g

∗µ1; ∗

µ2

Fig. 9.18. SPEC6

SPECLOG = meet(SPEC3,SPEC4,SPEC5,SPEC6)

a generalized TDES with 32 states and 224 transitions. Define the cell’sopen-loop behavior as the composition MACH of MACH1 and MACH2:

MACH = comp(MACH1,MACH2)

(121 states, 345 transitions).Here and below we writeG3 = supcon(G1,G2) to denote the operation

that returns a generalized TDES G3 whose marked behavior Lm(G3) is the

9.11 513

supremal controllable sublanguage supC(Lm(G1)∩Lm(G2)); while its closedbehavior L(G3) = Lm(G3).

The maximally permissive proper supervisor for MACH that enforcesSPECLOG can now be computed as

SUPLOG = supcon(MACH,SPECLOG)

(264 states, 584 transitions). In this controlled behavior, forcing plays norole.

To address the temporal specification (ii) we first recompute the results for(i), under the stated assumption that breakdowns are absent. For this we de-fine new machines NMACH1, NMACH2 with simplified ATGs, Fig. 9.19.The new logic-based specification is

NMACHi, i = 1; 2

αi1 αi2

βi2βi1

Fig. 9.19. New Machine Activity Transition Graphs

NSPECLOG = meet(SPEC3,SPEC4,SPEC5)

(16 states, 72 transitions). The open-loop behavior of the simplified cell is

NMACH = comp(NMACH1,NMACH2)

(81 states, 121 transitions). These definitions yield the new supervisor

NSUPLOG = supcon(NMACH,NSPECLOG)

(108 states, 144 transitions), displayed in Fig. 9.20. Now we consider thetemporal specification itself. Bring in the generalized TDES TIMER10 dis-played in Fig. 9.21. TIMER10 is simply an 11-tick sequence all of whosestates are marked. TIMER10 forces any TDES with which it is synchro-nized by meet to halt after at most 10 ticks, i.e. after 11 ticks to execute no

514 CHAPTER 9

further event whatever except the tick event. Thus it extracts the markedstrings (if any) which satisfy this constraint, namely the ‘tasks’ of TDESwhich can be accomplished in at most 10 ticks. Of course, the designer mustguarantee that the 10-tick deadline is actually met, if necessary by suitableforcing action. To determine whether such a guarantee is feasible, it suf-fices to check that the corresponding supremal controllable sublanguage isnonempty. The result is

0

3

3

6

0

0

8

0

00

0

7*

6

0

07

0

0

0

30

10

03

0

8

0

0

0

0

3

7

7

1

1

1

1

1

1

2

8

8

3

0

* 3

0

4

6

4

0

6

4

6

0

5

0

5

4

0

6

0

0

6

3

0

2

0

8

0

0

0

8

0

0

0

04

00

20

0

4

0

5

5

0

5 0

5

0

5

0

2

8

0

0

0

0

0

0

8

0

2

0

0

0

1

10

0

0

20

50

5

0

2

7

0

2

0

7

0

2

0

0

7

7

0*

0

*

*0

*

*

*

0

1:α11, 2:β11, 3:α12, 4:β12, 5:α21, 6:β21, 7:α22, 8:β22, 0:tick, ∗:selfloop in tick

Fig. 9.20. NSUPLOG

9.11 515

TIMER10

t t

t

t t

t t t t

t

t

t*

*

** * * * *

*

**

∗ = α11, β11, α12, β12, α21, β21, α22, β22

Fig. 9.21. TIMER10 (12,100)

TNSUPLOG = supcon(NSUPLOG,TIMER10)

(209 states, 263 transitions), so the check succeeds. We conclude that, in theabsence of breakdowns, a production cycle can indeed be forced to completein 10 ticks or less. Here, of course, the use of forcible events is essential.

Finally, to address specification (iii), we proceed as in (ii) with successivetimer sequences of tick-length 9,8,..., until supcon returns an empty result.For this example the minimum enforcible production time turns out to be 7ticks, with behavior

OTNSUPLOG = supcon(NSUPLOG,TIMER7)

(19 states, 21 transitions) shown in Fig. 9.22. Initially both NMACH1 andNMACH2 are forced to start work on a p1-part and p2-part respectively(events α11, α22). Forcing occurs as soon as these events become eligible, thuspreempting a tick which would take the system along a suboptimal (slower)path (see Fig. 9.20). NMACH1 (NMACH2) finishes work on its p1-part(p2-part) within 3 (resp. 4) time units. As soon as NMACH2 has finishedwith its p2-part (event β22), NMACH1 is forced to start working on it (α12),again preempting a tick that would take the system along a suboptimal path.Finally, NMACH2 is forced to work on the p1-part, enabling the system tofinish its production cycle in minimum time.

516 CHAPTER 9

OTNSUPLOG

α11

α11α22

α12

α21

t t t

t

tt

t t

β12

β12β21

β22 β11

α22

tβ21

Fig. 9.22. OTNSUPLOG

9.12 Modular Supervision of Generalized TDES

Let

G = (Q,Σ, δ, q0, Qm), S = (X,Σ, ξ, x0, Xm)

be TDES, with Σ = Σact ∪ tick. We assume that G is equipped withcontrol structure, as in Section 9.8, and consider when S can be used as asupervisor for G. As in Chapter 4 write S ∧G for the conjunction of S andG (implemented by TCT meet), so

Lm(S ∧G) = Lm(S) ∩ Lm(G), L(S ∧G) = L(S) ∩ L(G)

As in Section 3.6 we say that S is a proper supervisor for G if

(i) S is trim

(ii) S is controllable with respect to G (i.e. Lm(S ∧G) is controllable)

9.12 517

(iii) S ∧G is nonblocking

Since by (iii), Lm(S ∧G) = L(S ∧G), (ii) means that

EligL(S∧G)(s) ⊇

EligG(s) ∩ (Σunc ∪ tick) if EligL(S∧G)(s) ∩ Σfor = ∅EligG(s) ∩ Σunc if EligL(S∧G)(s) ∩ Σfor = ∅

We remark that if Lm(S ∧G) = ∅ then

(∀s ∈ L(S ∧G))EligL(S∧G)(s) = ∅

Exercise 1: Justify this statement.

Let K ⊆ L(G). The following definition extracts the feature of controlla-bility that expresses the preemption of tick by a forcible event. We say thatK is coercive with respect to G if

(∀s ∈ K)tick ∈ EligG(s)− EligK(s) ⇒ EligK(s) ∩ Σfor = ∅

i.e.

(∀s ∈ K)EligK(s) ∩ Σfor = ∅ & tick ∈ EligG(s) ⇒ tick ∈ EligK(s)

We say that languages K1, K2 ⊆ L(G) are jointly coercive with respect to GifK1∩K2 is coercive with respect toG. Now let S1, S2 be proper supervisorsfor G.

Theorem 2S1 ∧ S2 is a proper supervisor for G if

(i) S1 ∧ S2 is trim,

(ii) Lm(S1 ∧G), Lm(S2 ∧G) are nonconflicting, and

(iii) Lm(S1 ∧G), Lm(S2 ∧G) are jointly coercive with respect to G

2

Exercise 3: Prove Theorem 2.

Example 4: Timed WorkcellConsider a workcell consisting of two machines M1,M2 linked by a one-

slot buffer BUF as shown below.

518 CHAPTER 9

WorkpieceBUF

Sink

Workpiece

SourceM1 M2

β1

BUF ∗ = fα1;λ1;µ1; η1;β2;λ2;µ2; η2g

∗∗

α2

ηi

βiαi µi

λi

03

21

2: down

3: under repairMi

Fig. 9.23

Let

Σunc = βi, λi, ηi|i = 1, 2, Σfor = Σhib = αi, µi|i = 1, 2

with corresponding timed events

(α1, 0,∞), (β1, 1, 2), (λ1, 0, 2), (µ1, 0,∞), (η1, 1,∞)

(α2, 0,∞), (β2, 1, 1), (λ2, 0, 1), (µ2, 0,∞), (η2, 2,∞)

For the TDES to be controlled we take WORKCELL = comp(M1,M2),under the informal specifications

1. BUF must not overflow or underflow

2. If M2 goes down, its repair must be started ‘immediately’, and priorto starting repair of M1 if M1 is currently down

BUF itself will serve as the first of these specifications. The second is for-malized as BR, in Fig. 9.24.

9.12 519

2

2

??

?? = f

1

;

1

;

1

;

1

;

2

;

2

;

2

g

1

; ti k; ??

BR

Fig. 9.24

For the monolithic supervisor we compute

SPEC = meet(BUF,BR) (4, 32)

SUPER = supcon(WORKCELL,SPEC) (54, 124)

SUPER = condat(WORKCELL,SUPER)

Now let us attempt to find modular supervisors. It can be verified thatBR is already controllable and nonconflicting with respect to WORK-CELL. BUF is not controllable but can be made so by disabling α1 atstate 1 to form XBUF, as in Fig. 9.25.

XBUF

1

0

1

2

?

? = f

1

;

1

;

1

;

2

;

2

;

2

;

2

; ti kg

1

; ?

Fig. 9.25

Now Theorem 2 can be used to confirm that XBUF∧BR is proper, andyields the controlled behavior representation

WCXBUFBR = meet(WORKCELL,meet(XBUF,BR)) (49, 110)

It can be verified that the marked behavior of WCXBUFBR is strictlysmaller than that of SUPER; namely the behavior under the above modular

520 CHAPTER 9

control, while nontrivial and correct, is suboptimal. The reason is that, in thetimed structure of WORKCELL, disablement of α1 is not always necessarywhen the buffer is full, for if M2 is idle it is sufficient immediately to forceα2, thus clearing the buffer and preventing overflow. Our modular supervisorXBUF is overly conservative.

Exercise 5: Check the conditions of Theorem 2, taking S1 = XBUF, S2= BR, G = WORKCELL. Use TTCT condat to check joint coerciveness.

Exercise 6: In the example above, show that the jointly coercive propertyof S1, S2 comes into play on the occurrence of λ2: the repair of M2 mustbe initialized without delay, thus preempting the occurrence of tick (by theforcible event µ2) in the transition structure of S2 and consequently of S1.

Exercise 7: Consider the simplified problem with M1, M2, BUF replacedwith NM1, NM2, NBUF on deleting the events λi, µi, ηi (i = 1, 2); andwith BR omitted. Compute

NM = comp(NM1,NM2) (12, 23)

NBUFSUP = supcon(NM,NBUF) (13, 21)

Show that there exists a reduced (timed) supervisor NBUFSIM (3,10)that is control-equivalent to NBUFSUP with respect to NM and explainits operation. Also show that a ‘naive’ extension XBUFSIM formed byself-looping λi, µi, ηi is blocking for WORKCELL and explain in detail whythis is so. Can you find a small, proper buffer supervisor for WORKCELL,say BUFSIM, that is compatible with BR (in the sense of Theorem 2)?

9.13 Conclusions

The chapter provides a framework for the study of theoretical issues in thedesign of supervisory controls for timed discrete-event systems. The modelincorporates both time delays and hard deadlines, and admits both forcingand disablement as means of control. In addition it supports compositionof modular subsystems and systematic synthesis. In particular, the modelretains the concept of design that is qualitatively optimal in the sense of min-imally restricting the behavior of the underlying controlled system, subjectto constraints imposed by formal specifications of performance.

9.14 521

Because the theory is expressed in the elementary framework of regularlanguages and finite automata, only rudimentary control scenarios can betreated directly. For instance, no explicit provision is made for program vari-ables, or such constructs of a real-time programming language as interruptsand logically conditioned events and procedures. In higher-level approacheswhere such constructs are supported, design approaches tend to be heuristic.With the introduction of suitable architecture the present framework maysupply a basis for rendering such approaches more formal and systematic.

9.14 Notes and References

The timed DES framework of this chapter is a simplified version of thatfor ‘timed transition models’ treated by Ostroff ([T06], Ostroff [1989,1990],[J13]); the new controllability features, including forcing, are due to Brandin([T11], [T26], [C51], [C52], [J22]). In Petri nets, time bounds on eventswere previously employed by Merlin & Farber [1976] and Berthomieu & Diaz[1991], while forcing in DES was investigated by Golaszewski & Ramadge[1987]. From a different perspective, timed automata are described in Alur& Dill [1990] and applied to supervisory control in Wong-Toi & Hoffmann[1991].

522 CHAPTER 9

Bibliography

TEXTBOOKS, MONOGRAPHS AND PROCEEDINGS

Discrete-Event Systems

Baccelli, F., G. Cohen, G.J. Olsder, J.-P. Quadrat. Synchronization andLinearity. Wiley, 1992.

Balemi, S., P. Kozak, R. Smedinga (Eds.). Discrete Event Systems: Modelingand Control. Birkhauser, 1993.

Boel, R., G. Stremersch (Eds.). Discrete Event Systems: Analysis and Con-trol. [Proceedings of WODES2000, Ghent, August 21-23, 2000]. Kluwer,2000.

Caillaud, B., P. Darondeau, L. Lavagno, X. Xie (Eds.). Synthesis and Controlof Discrete Event Systems. [Proceedings of SCODES’2001, INRIA, Paris,July 2001]. Kluwer, 2002.

Cassandras, C.G. Discrete Event Systems. Irwin, 1993.

Cassandras, C.G., S. Lafortune. Introduction to Discrete Event Systems.(2nd. ed.) Springer, 2008.

Cohen, G., J.-P. Quadrat (Eds). Proc. 11th International Conference onAnalysis and Optimization of Systems: Discrete Event Systems. Sophia-Antipolis, June 1994. Lecture Notes in Control and Information Sciencesvol. 119, Springer-Verlag, 1994.

Darondeau, P., S. Kumagai (Eds.). Proc. ATPN-Workshop on DiscreteEvent Systems Control. 24th Int. Conference on Application Theory of PetriNets (ATPN 2003). Eindhoven, The Netherlands, June 23-27, 2003.

Ho, Y.-C. (Ed.). Special Issue on Dynamics of Discrete-Event Systems. Proc.IEEE 77 (1), January 1989.

523

524 BIBLIOGRAPHY

Ho, Y.-C., Y.-P. Zheng (Eds.). Proc. 1991 IFAC Workshop on DiscreteEvent System Theory and Applications in Manufacturing and Social Phe-nomena. International Academic, 1991.

International Workshop on Discrete Event Systems – WODES’96. Instituteof Electrical Engineers, London, UK, August 1996.

International Workshop on Discrete Event Systems – WODES’98. Instituteof Electrical Engineers, London, UK, August 1998.

Lafortune, S., F. Lin, D. Tilbury (Eds.). Proc. 8th International Workshopon Discrete Event Systems (WODES’06), Ann Arbor, MI, July 10-12, 2007.IEEE 2006.

Lennartson, B. et al. (Eds.). Proc. Ninth International Workshop on Dis-crete Event Systems (WODES’08), Goteborg, Sweden, May 28-30, 2008.IEEE.

Lesage, J.-J., J.-M. Faure, J.E.R. Cury, B. Lennartson (Eds.). Proc. 12thIFAC & IEEE International Workshop on Discrete Event Systems (WODES-2014), Cachan, France, May 14-16, 2014.Available at http://www.ifac-papersonline.net.

Ma, C., W.M. Wonham. Nonblocking Supervisory Control of State TreeStructures. Lecture Notes in Control and Information Sciences (LNCIS) 317,Springer, 2005.

Sanchez, A. Formal Specification and Synthesis of Procedural Controllersfor Process Systems. Lecture Notes in Control and Information Sciences(LNCIS) 212, Springer, 1996.

Seatzu, C., M. Silva, J.H. van Schuppen (Eds.). Control of Discrete-eventSystems. Lecture Notes in Control and Information Sciences (LNCIS) 433,Springer 2013.

Silva, M., A. Giua, J.-M. Colom (Eds.). Proc. Sixth International Workshopon Discrete Event Systems (WODES’02), Zaragoza, Spain, October 2002.IEEE Computer Society 2002.

Varaiya, P., A.B. Kurzhanski (Eds.). Discrete Event Systems: Models andApplications. Lecture Notes in Control and Information Sciences (LNCIS)103, Springer, 1987.

Viswanadham, N., Y. Narahari. Performance Modeling of Automated Man-ufacturing Systems. Prentice-Hall, 1992.

525

Zaytoon, J., V. Carre-Menetrier, C. Cassandras, X. Cao (Eds.). Preprints7th International Workshop on Discrete Event Systems (IFAC Workshop onDiscrete Event Systems, WODES’04), Reims, France, 22-24 September 2004.

Automata and Languages

Arnold, A. Finite Transition Systems, Prentice-Hall, 1994.

Carroll, J., D. Long. Theory of Finite Automata. Prentice-Hall, 1989.

Eilenberg, S. Automata, Languages, and Machines: Volume A. Academic,1974.

Hopcroft, J.E., J.D. Ullman. Introduction to Automata Theory, Languagesand Computation. Addison-Wesley, 1979.

Lewis, H.R., C.H. Papadimitriou. Elements of the Theory of Computation.Prentice-Hall, 1981.

Algebra

Burris, S., H.P. Sankappanavar. A Course in Universal Algebra. Springer-Verlag, 1981.

Davey, B.A., H.A. Priestley. Introduction to Lattices and Order. CambridgeUniversity Press, 1990.

Mac Lane, S., G. Birkhoff. Algebra. Third ed., Chelsea, 1993.

Szasz, G. Introduction to Lattice Theory. Academic, 1963.

Wechler, W. Universal Algebra for Computer Scientists. Springer-Verlag,1992.

Temporal Logic

Manna, Z., A. Pnueli. The Temporal Logic of Reactive and Concurrent Sys-tems. Springer-Verlag, 1992.

Ostroff, J.S. Temporal Logic for Real-Time Systems. Research Studies Press,1989.

Petri Nets

Chen, Y., Z. Li. Optimal Supervisory Control of Automated ManufacturingSystems. CRC Press, 2013.

526 BIBLIOGRAPHY

David, R., H. Alla. Petri Nets and Grafcet. Prentice-Hall, 1992.

Desrochers, A.A., R.Y. Al-Jaar. Applications of Petri Nets in ManufacturingSystems. IEEE Press, 1995.

Iordache, M.V., P.J. Antsaklis. Supervisory Control of Concurrent Systems:A Petri Net Structural Approach. Birkhauser, 2006.

Moody, J., P. Antsaklis. Supervisory Control of Discrete Event SystemsUsing Petri Nets. Kluwer, 1998.

Peterson, J.L. Petri Net Theory and Modeling of Systems. Prentice-Hall,1981.

Reisig, W. Petri Nets. Springer-Verlag, 1985.

Zhou, M.C., F. DiCesare. Petri Net Synthesis for Discrete Event Control ofManufacturing Systems. Kluwer, 1993.

Zhou, M.C., K. Venkatesh. Modeling, Simulation and Control of FlexibleManufacturing Systems: A Petri Net Approach. World Scientific, Singapore,1999.

Zhou, M.C. (Ed.). Petri Nets in Flexible and Agile Automation. Kluwer,1995.

Discrete-Event Simulation

Birtwistle, G.M.DEMOS - A System for Discrete Event Modelling on Simula.Springer-Verlag, 1987.

Fishman, G.S. Principles of Discrete Event Simulation. Wiley, 1978.

Law, A.M., W.D. Kelton. Simulation, Modeling & Analysis. McGraw-Hill,1991.

Zeigler, B.P. Multifacetted Modeling and Discrete Event Simulation. Aca-demic, 1984.

Zeigler, B.P. Object-Oriented Simulation with Hierarchical, Modular Models.Academic, 1990.

Concurrency: Modeling, Programming, and Computation

Ben-Ari, M. Principles of Concurrent Programming. Prentice-Hall Interna-tional, 1982.

527

Dijkstra, Edsger W. A Discipline of Programming. Prentice-Hall, 1976.

Germundsson, R. Symbolic Systems - Theory, Computation and Applications.Ph.D. thesis No. 389, Dept. of Electrical Engineering, Linkoping University,1995.

Gunnarsson, J. On Modeling of Discrete Event Dynamic Systems, UsingSymbolic Algebraic Methods. Thesis No. 502, Division of Automatic Control,Lund University, 1997.

Hoare, C.A.R. Communicating Sequential Processes. Prentice-Hall, 1985.

Holt, R.C., G.S. Graham, E.D. Lazowska, M.A. Scott. Structured ConcurrentProgramming With Operating Systems Applications. Addison-Wesley, 1978.

Lynch, N. Distributed Algorithms. Morgan Kaufmann, 1996.

Magee, J., J. Kramer. Concurrency: State Models and Java Programs. Wi-ley, 1999.

Milner, R. Communication and Concurrency. Prentice-Hall, 1989.

Implementation and Engineering

Bennett, S. Real-Time Computer Control: An Introduction. Prentice-Hall,1988.

Burns, A., A. Wellings. Real-Time Systems and Their Programming Lan-guages. Sec. ed., Addison-Wesley, 1997.

Fleming, P.I. Parallel Processing in Control: The Transputer and Other Ar-chitectures. Peregrinus, 1988.

Gray, D. Introduction to the Formal Design of Real-Time Systems. Springer,1999.

Krishna, C.M., K.G. Shin. Real-Time Systems. McGraw-Hill, 1997.

Mesarovic, M.D., D. Macko, Y. Takahara. Theory of Hierarchical, Multilevel,Systems. Academic, 1970.

Raynal, M. Algorithms for Mutual Exclusion. The MIT Press, 1986.

Wagner, F., R. Schmuki, T. Wagner, P. Wolstenholme. Modeling Softwarewith Finite State Machines: A Practical Approach. Auerbach Publications,2006.

528 BIBLIOGRAPHY

SUPPLEMENTARY REPORTS AND ARTICLES

K. Akesson, H. Flordal, M. Fabian. Exploiting modularity for synthesis andverification of supervisors. Proc. 15th IFAC World Congress on AutomaticControl, Barcelona, Spain, 2002.

R.Y. Al-Jaar, A.A. Desrochers. A modular approach for the performanceanalysis of automated manufacturing systems using generalized stochasticPetri nets. Rpt. RAL #116, Robotics and Automation Lab., RensselaerPolytechnic Institute, Troy NY, 1988.

R. Alur, D. Dill. Automata for modeling real-time systems. In Proc. 17th In-ternational Colloquium on Automata, Languages and Programming. LectureNotes on Computer Science (LNCS) 443, Springer-Verlag 1990, pp. 322-335.

B. Berthomieu, M. Diaz. Modeling and verification of time dependent sys-tems using time Petri nets. IEEE Trans. on Software Engineering 17 (3),March 1991, pp. 259-273.

C. Cao, F. Lin, Z.-H. Lin. Why event observation: observability revisited.Discrete Event Dynamic Systems: Theory and Applications 7, 1997, pp. 127-149.

H. Cho, S.I. Marcus. Supremal and maximal sublanguages arising in super-visor synthesis problems with partial observations. Mathematical SystemsTheory 22, 1989, pp. 177-211.

E.W. Dijkstra. Hierarchical ordering of sequential processes. Acta Informat-ica 1, 1971, pp. 115-138.

A. Falcione, B. Krogh. Design recovery for relay ladder logic. IEEE ControlSystems 13 (2), April 1993, pp. 90-98.

M. Heymann. Concurrency and discrete event control. IEEE Control Sys-tems 10 (4), 1990, pp. 103-112.

K. Hiraishi, A. Ichikawa. A class of Petri nets that [sic] a necessary and suffi-cient condition for reachability is obtainable. Trans. Soc. of Instrumentationand Control Engineers (SICE) 24 (6), 1988, pp. 91-96 (in Japanese).

L.E. Holloway, B.H. Krogh. Synthesis of feedback logic control for a class ofcontrolled Petri nets. IEEE Trans. on Automatic Control 35 (5), 1990, pp.514-523.

P. Hubbard, P.E. Caines. Dynamical consistency in hierarchical supervisorycontrol. IEEE Trans. on Automatic Control 47 (1), January 2002, pp. 37-52.

529

A. Kay, J.N. Reed. A relay and guarantee method for timed CSP: a spec-ification and design of a telephone exchange. IEEE Trans. on SoftwareEngineering 19 (6), June 1993, pp. 625-639.

B.H. Krogh. Controlled Petri nets and maximally permissive feedback logic.Proceedings 25th Annual Allerton Conference on Communication, Controland Computing, October 1987, pp. 317-326.

K. Lyngbaek. Nonblocking Distributed State-Tree-Structures. Master ofScience Thesis, Department of Software Technology, Technical University ofDelft, 2011.

A. Mannani. Synthesis of communicating decentralized supervisors for discrete-event systems with application to communication protocol synthesis. Ph.D.Thesis, ECE Department, Concordia University, Montreal, June 2009.

G. Memmi, G. Roucairol. Linear algebra in net theory. In: W. Brauer (Ed.),Net Theory and Applications, Lecture Notes on Computer Science (LNCS)84, Springer-Verlag, 1980; pp. 213-223.

P.M. Merlin, D.J. Farber. Recoverability of communication protocols - im-plications of a theoretical study. IEEE Trans. on Communications 24, Sept.1976, pp. 1036-1043.

T. Murata. Petri nets: properties, analysis and applications. Proc. IEEE 77(4), April 1989, pp. 541-580.

J.S. Ostroff. Deciding properties of timed transition models. IEEE Trans.on Parallel and Distributed Systems 1 (2), April 1990, pp. 170-183.

M.H. de Queiroz, J.E.R. Cury. Modular control of composed systems. Proc.American Control Conference, Chicago, IL, June 2000, pp. 4051-4055.

H. Simon. The architectecture of complexity. Proc. Amer. Phil. Soc.106, December 1962, pp. 467-482. Reprinted in: Herbert A. Simon, TheSciences of the Artificial (Chapt. 7, pp. 193-229), Second ed., The MITPress, Cambridge MA, 1981.

E.V. Sørensen, J. Nordahl, N.H. Hansen. From CSP models to Markovmodels. IEEE Trans. on Software Engineering 19 (6), June 1993, pp. 554-570.

S. Takai, T. Ushio. Effective computation of an Lm(G)-closed, controllable,and observable sublanguage arising in supervisory control. Systems & Con-trol Letters 49, 2003, pp. 191-200.

530 BIBLIOGRAPHY

R.J.M. Theunissen. Supervisory Control in Health Care Systems. Ph.D.Thesis, Mechanical Engineering Department, Eindhoven University of Tech-nology, January 2015.

A.W. Tucker. Dual systems of homogeneous linear relations. In: H.W.Kuhn, A.W. Tucker (Eds.), Linear Inequalities and Related Systems, Annalsof Mathematics Studies (38), Princeton U.P., 1956; pp. 3-18.

Y. Willner, M. Heymann. On supervisory control of concurrent discrete-eventsystems. International J. of Control 54(5), 1991, pp. 1143-1169.

K.C. Wong. On the complexity of projections of discrete-event systems.Proc. International Workshop on Discrete Event Systems (WODES’ 98).IEE, London, 1998; pp. 201-206.

H. Wong-Toi, G. Hoffmann. The control of dense real-time discrete event sys-tems. Proc. of the 30th IEEE Conference on Decision and Control, Brighton,U.K., December 1991, pp. 1527-1528.

W.M. Wonham. Towards an abstract internal model principle. IEEE Trans.on Systems, Man, and Cybernetics SMC 6(11), 1976, pp. 735-740.

W.M.Wonham. Linear Multivariable Control: A Geometric Approach. Thirdedn., Springer, 1985.

SYSTEMS CONTROL GROUP PUBLICATIONS AND THESESON DISCRETE-EVENT SYSTEMS

Monograph

[M1] C. Ma, W.M. Wonham. Nonblocking Supervisory Control of StateTree Structures. Lecture Notes in Control and Information Sciences(LNCIS) 317, Springer 2005.

[M2] K. Cai, W. Murray Wonham. Supervisor Localization: A Top-DownApproach to Distributed Control of Discrete-Event Systems. LectureNotes in Control and Information Sciences (LNCIS) 459, Springer In-ternational Publishing, Switzerland, 2016.

Encyclopedia Article

531

[E1] W.M. Wonham. Supervisory Control of Discrete-Event Systems. InJ. Baillieul, T. Samad (Eds.), Encyclopedia of Systems and Control,Springer 2015. Available at www.springerreference.com, under En-gineering, Encyclopedia of Systems and Control.

Journal Publications

[J01] A.F. Vaz, W.M. Wonham. On supervisor reduction in discrete-eventsystems. International J. Control 44 (2), 1986, pp. 475-491.

[J02] J.G. Thistle, W.M. Wonham. Control problems in a temporal logicframework. International J. Control 44 (4), 1986, pp. 943-976.

[J03] P.J. Ramadge, W.M. Wonham. Supervisory control of a class of dis-crete event processes. SIAM J. Control and Optimization 25 (1), 1987,pp. 206-230.

[J04] W.M. Wonham. Some remarks on control and computer science. Con-trol Systems Magazine 7 (2), 1987, pp. 9-10.

[J05] W.M. Wonham, P.J. Ramadge. On the supremal controllable sublan-guage of a given language. SIAM J. Control and Optimization 25 (3),1987, pp. 637-659.

[J06] P.J. Ramadge, W.M. Wonham. Modular feedback logic for discreteevent systems. SIAM J. Control and Optimization, 25 (5), 1987, pp.1202-1218.

[J07] W.M. Wonham, P.J. Ramadge. Modular supervisory control of discreteevent systems. Maths. of Control, Signals & Systems 1 (1), 1988, pp.13-30.

[J08] F. Lin, W.M. Wonham. Decentralized supervisory control of discrete-event systems. Information Sciences 44 (2), 1988, pp. 199-224.

[J09] F. Lin, W.M. Wonham. On observability of discrete-event systems.Information Sciences 44 (2), 1988, pp. 173-198.

[J10] F. Lin, A. Vaz, W.M. Wonham. Supervisor specification and synthesisfor discrete event systems. International J. Control 48 (1), 1988, pp.321-332.

532 BIBLIOGRAPHY

[J11] Y. Li, W.M. Wonham. On supervisory control of real-time discrete-event systems. Information Sciences 46 (3), 1988, pp. 159-183.

[J12] P.J. Ramadge, W.M. Wonham. The control of discrete event systems.Proc. IEEE, Special Issue on Discrete Event Dynamic Systems, 77 (1),January 1989, pp. 81-98.

[J13] J.S. Ostroff, W.M. Wonham. A framework for real-time discrete eventcontrol. IEEE Trans. on Automatic Control 35 (4) 1990, pp. 386-397.

[J14] H. Zhong, W.M. Wonham. On consistency of hierarchical supervisionin discrete-event systems. IEEE Trans. on Automatic Control 35 (10)1990, pp. 1125-1134.

[J15] R.D. Brandt, V. Garg, R. Kumar, F. Lin, S.I. Marcus, W.M. Won-ham. Formulas for calculating supremal controllable and normal sub-languages. Systems & Control Letters 15, 1990, pp. 111-117.

[J16] F. Lin, W.M. Wonham. Decentralized control and coordination ofdiscrete-event systems with partial observation. IEEE Trans. on Au-tomatic Control 35 (12), 1990, pp. 1330-1337.

[J17] K. Rudie, W.M. Wonham. The infimal prefix-closed and observablesuperlanguage of a given language. Systems & Control Letters 15,1990, pp. 361-371.

[J18] F. Lin, W.M. Wonham. Verification of nonblocking in decentralizedsupervision. Control Theory and Advanced Technology 7 (1) 1991, pp.19-29.

[J19] T. Ushio, Y. Li, W.M. Wonham. Concurrency and state feedback indiscrete-event systems. IEEE Trans. on Automatic Control 37 (8)1992, pp. 1180-1184.

[J20] K. Rudie, W.M. Wonham. Think globally, act locally: decentralizedsupervisory control. IEEE Trans. on Automatic Control 37 (11) 1992,pp. 1692-1708. Reprinted in F.A. Sadjadi (Ed.), Selected Papers onSensor and Data Fusion, 1996; ISBN 0-8194-2265-7.

[J21] Y. Li, W.M. Wonham. Control of vector discrete-event systems: I -The base model. IEEE Trans. on Automatic Control 38 (8), August

533

1993, pp. 1214-1227. Correction: IEEE Trans. on Automatic Control39 (8) August 1994, p. 1771.

[J22] B.A. Brandin, W.M. Wonham. Supervisory control of timed discrete-event systems. IEEE Trans. on Automatic Control 39 (2) February1994, pp. 329-342.

[J23] Y. Li, W.M. Wonham. Control of vector discrete-event systems: II -controller synthesis. IEEE Trans. on Automatic Control 39 (3) March1994, pp. 512-531.

[J24] J.G. Thistle, W.M. Wonham. Control of infinite behavior of finiteautomata. SIAM J. on Control and Optimization 32 (4) July 1994, pp.1075-1097.

[J25] J.G. Thistle, W.M.Wonham. Supervision of infinite behavior of discrete-event systems. SIAM J. on Control and Optimization 32 (4) July 1994,pp. 1098-1113.

[J26] F. Lin, W.M. Wonham. Supervisory control of timed discrete eventsystems under partial observation. IEEE Trans. on Automatic Control40 (3) March 1995, pp. 558-562.

[J27] Y. Li, W.M.Wonham. Concurrent vector discrete-event systems. IEEETrans. on Automatic Control 40 (4) April 1995, pp. 628-638.

[J28] M. Lawford, W.M. Wonham. Equivalence preserving transformationsfor timed transition models. IEEE Trans. on Automatic Control 40(7) July 1995, pp. 1167-1179.

[J29] P. Kozak, W.M. Wonham. Fully decentralized solutions of supervi-sory control problems. IEEE Trans. on Automatic Control 40 (12)December 1995, pp. 2094-2097.

[J30] K.C. Wong, W.M. Wonham. Hierarchical control of discrete-event sys-tems. Discrete Event Dynamic Systems 6 (3) July 1996, pp. 241-273.

[J31] K.C. Wong, W.M. Wonham. Hierarchical control of timed discrete-event systems. Discrete Event Dynamic Systems 6 (3) July 1996, pp.274-306.

534 BIBLIOGRAPHY

[J32] P. Kozak, W.M. Wonham. Design of transaction management pro-tocols. IEEE Trans. Automatic Control 41 (9) September 1996, pp.1330-1335.

[J33] K.C. Wong, W.M. Wonham. Modular control and coordination of dis-crete event systems. Discrete Event Dynamic Systems 8 (3) October1998, pp. 247-297.

[J34] S. Hashtrudi Zad, R.H. Kwong, W.M. Wonham. Supremum operatorsand computation of supremal elements in system theory. SIAM J.Control & Optimization 37 (3) March 1999, pp. 695-709.

[J35] P. Gohari, W.M. Wonham. On the complexity of supervisory controldesign in the RW framework. IEEE Trans. on Systems, Man and Cy-bernetics; Part B: Cybernetics. (Special Issue on Discrete Systems andControl) 30 (5) October 2000, pp. 643-652.

[J36] P.C.Y. Chen, W.M. Wonham. Stable supervisory control of flexiblemanufacturing systems with fixed supply and demand rates. Interna-tional J. of Production Research: Special Issue on Modeling, Specifica-tion and Analysis of Manufacturing Systems 39 (2) January 2001, pp.347-368.

[J37] P.C.Y. Chen, W.M. Wonham. Real-time supervisory control of a pro-cessor for non-preemptive execution of periodic tasks. Real Time Sys-tems J. 23 (3) November 2002, pp. 183-208.

[J38] S. Hashtrudi Zad, R.H. Kwong, W.M. Wonham. Fault diagnosis indiscrete-event systems: framework and model reduction. IEEE Trans.on Automatic Control 48 (7) July 2003, pp. 1199-1212.

[J39] P. Gohari, W.M. Wonham. Reduced supervisors for timed discrete-event systems. IEEE Trans. on Automatic Control 48 (7) July 2003,pp. 1187-1198.

[J40] R. Su, W.M. Wonham. Supervisor reduction for discrete-event systems.Discrete Event Dynamic Systems 14 (1) January 2004, pp. 31-53.

[J41] K.C. Wong, W.M. Wonham. On the computation of observers indiscrete-event systems. Discrete Event Dynamic Systems 14 (1) Jan-uary 2004, pp. 55-107.

535

[J42] S. Hashtrudi Zad, R.H. Kwong, W.M. Wonham. Fault diagnosis indiscrete-event systems: incorporating timing information. IEEE Trans.on Automatic Control 50 (7) 2005, pp. 1010-1015.

[J43] S. Hashtrudi Zad, M. Moosaei, W.M. Wonham. On computation ofsupremal controllable, normal sublanguages. Systems & Control Let-ters 54 (9) September 2005, pp. 871-876.

[J44] M. Uzam, W.M. Wonham. A hybrid approach to supervisory controlof discrete event systems coupling RW supervisors to Petri nets. Intnl.J. of Advanced Manufacturing Technology 28 (7-8) 2006, pp. 747-760.

[J45] R.J. Leduc, B.A. Brandin, M. Lawford, W.M. Wonham. Hierarchicalinterface-based supervisory control, part I: serial case. IEEE Trans. onAutomatic Control 50 (9) September 2005, pp. 1322-1335.

[J46] R.J. Leduc, M. Lawford, W.M. Wonham. Hierarchical interface-basedsupervisory control, part II: parallel case. IEEE Trans. on AutomaticControl 50 (9) September 2005, pp. 1336-1348.

[J47] Max H. Queiroz, Jose E. Cury, W.M. Wonham. Multitasking super-visory control of discrete-event systems. Discrete Event Dynamic Sys-tems 15 (4) December 2005, pp. 375-395.

[J48] P. Gohari, W.M. Wonham. Efficient implementation of fairness indiscrete-event systems using queues. IEEE Trans. on Automatic Con-trol 50 (11) November 2005, pp. 1845-1849.

[J49] R. Su, W.M. Wonham. Global and local consistencies in distributedfault diagnosis for discrete-event systems. IEEE Trans. on AutomaticControl 50 (12) December 2005, pp. 1923-1935.

[J50] S.E. Bourdon, M. Lawford, W.M. Wonham. Robust nonblocking su-pervisory control of discrete-event systems. IEEE Trans. on AutomaticControl 50 (12) December 2005, pp. 2015-2021.

[J51] R. Su, W.M. Wonham. Hierarchical fault diagnosis for discrete-eventsystems under global consistency. Discrete Event Dynamic Systems 16(1) January 2006, pp. 39-70.

536 BIBLIOGRAPHY

[J52] C. Ma, W.M. Wonham. Nonblocking supervisory control of state treestructures. IEEE Trans. on Automatic Control 51 (5) May 2006, pp.782-793.

[J53] A. Saadatpoor, W.M. Wonham. State-based control of timed discrete-event systems using binary decision diagrams. Systems & Control Let-ters 56 (1) January 2007, pp. 62-74.

[J54] Y.-Z. Chen, W.M. Wonham. Supervisory control based on vector syn-chronous product of automata. Studies in Informatics and Control 16(1) March 2007, pp. 7-18.

[J55] L. Feng, W.M. Wonham, P.S. Thiagarajan. Designing communicatingtransaction processes by supervisory control theory. Formal Methodsin System Design 30 (2) April 2007, pp. 117-141.

[J56] L. Feng, W.M. Wonham. Supervisory control architecture for discrete-event systems. IEEE Trans. on Automatic Control 53 (6) July 2008,pp. 1449-1461.

[J57] A. Nabavi, R. Iravani, A. Afzalian, W.M. Wonham. Discrete-eventsystems supervisory control for a dynamic flow controller. IEEE Trans.on Power Delivery 24 (1) January 2009, pp. 219-230.

[J58] A. Afzalian, A. Saadatpoor, W.M. Wonham. Systematic supervisorycontrol solutions for under-load tap-changing transformers. ControlEngineering Practice 16 (9) September 2008, pp. 1035-1054.

[J59] L. Feng, K. Cai, W.M. Wonham. A structural approach to the non-blocking supervisory control of discrete-event systems. International J.of Advanced Manufacturing Technology 41 (11) 2009, pp. 1152-1167.

[J60] L. Feng, W.M. Wonham. On the computation of natural observers indiscrete-event systems. Discrete Event Dynamic Systems 20 (1) March2010, pp. 63-102.

[J61] K. Cai, W.M. Wonham. Supervisor localization: a top-down approachto distributed control of discrete-event systems. IEEE Trans. on Auto-matic Control 55 (3) March 2010, pp. 605-618.

537

[J62] K. Cai, W.M. Wonham. Supervisor localization for large discrete-eventsystems: case study, production cell. International J. of AdvancedManufacturing Technology 50 (9-12) October 2010, pp. 1189-1202.

[J63] W-J. Chao, Y-M. Gan, Z-O. Wang, W.M. Wonham. Modular supervi-sory control and coordination of state tree structures. International J.of Control 86 (1) January 2013, pp. 9-21.

[J64] R.-Y. Zhang, K. Cai, Y. Gan, Z. Wang, W.M. Wonham. Supervisionlocalization of timed discrete-event systems. Automatica 49 (9) 2013,pp. 2786-2794.

[J65] K. Cai, W.M. Wonham. Supervisor localization of discrete-event sys-tems based on state tree structures. IEEE Trans. on Automatic Con-trol 59 (5) May 2014, pp. 1329-1335.

[J66] K. Cai, R.-Y. Zhang, W.M.Wonham. Relative observability of discrete-event systems and its supremal sublanguages. IEEE Trans. on Auto-matic Control 60 (3) March 2015, pp. 659-670.

[J67] K. Cai, W.M. Wonham. New results on supervisor localization, withcase studies. Discrete Event Dynamic Systems 25 (1-2) June 2015, pp.203-226.

[J68] Xi Wang, Zhiwu Li, W.M. Wonham. Dynamic multiple-period recon-figuration of real-time scheduling based on timed DES supervisory con-trol. IEEE Trans. on Industrial Informatics 12 (1) February 2016, pp.101-111.

[J69] R.-Y. Zhang, K. Cai, Y. Gan, Z. Wang, W.M. Wonham. Distributedsupervisory control of discrete-event systems with communication de-lay. Discrete Event Dynamic Systems 26 (2) June 2016, pp. 263-293.

[J70] R.-Y. Zhang, K. Cai, W.M. Wonham. Delay-robustness in distributedcontrol of timed discrete-event systems based on supervisor localization.Int. J. of Control 89 (10) October 2016, pp. 2055-2072.

[J71] K. Cai, R.-Y. Zhang, W.M. Wonham. Relative observability and coob-servability of timed discrete-event systems. IEEE Trans. on AutomaticControl 61 (11) November 2016, pp. 3382-3395.

538 BIBLIOGRAPHY

[J72] K. Cai, R.-Y. Zhang, W.M. Wonham. Correction to “Relative Ob-servability of Discrete-Event Systems and Its Supremal Sublanguages”.IEEE Trans. on Automatic Control 62 (1) January 2017, pp. 511.

[J73] Xi Wang, Zhiwu Li, W.M.Wonham. Optimal priority-free conditionally-preemptive real-time scheduling of periodic tasks based on DES super-visory control. IEEE Trans. on Systems, Man, and Cybernetics. Pub.online March 2016, DOI: 10.1109/TSMC.2016.2531681.

[J74] R.-Y. Zhang, K. Cai, W.M.Wonham. Supervisor localization of discrete-event systems under partial observation. Automatica. Pub. onlineApril 2017, http://doi.org/10.1016/j.automatica.2017.03.018.

Conference Papers

[C01] P.J. Ramadge, W.M. Wonham. Supervisory control of discrete eventprocesses. Joint Workshop on Feedback & Synthesis of Linear & Non-linear Systems. Istituto di Automatica, Univ. di Roma, June 1981. In:D. Hinrichsen, A. Isidori (eds.), Feedback Control of Linear and Non-linear Systems, Lecture Notes on Control and Information Sciences No.39, Springer-Verlag, Berlin, 1982, pp. 202-214.

[C02] P.J. Ramadge, W.M. Wonham. Algebraic decomposition of controlledsequential machines. Eighth Triennial World Congress, Intnl. Fedn.Aut. Control (IFAC), Kyoto, August 1981. Preprints, vol. 3, pp.37-41.

[C03] P.J. Ramadge, W.M. Wonham. Supervision of discrete event processes.Proc. 21st IEEE Conf. on Decision and Control, IEEE Control SystemsSociety, New York, December 1982, pp. 1228-1229.

[C04] P.J. Ramadge, W.M. Wonham. Supervisory control of a class of dis-crete event processes. Proc. Sixth Intnl. Conference on Analysis andOptimization of Systems, Nice, June 1984. In: A. Bensoussan, J.L.Lions (eds.), Analysis and Optimization of Systems, Lecture Noteson Control and Information Sciences No. 63, Springer-Verlag, Berlin,1984; Part 2, pp. 477-498.

[C05] W.M. Wonham, P.J. Ramadge. On the supremal controllable sublan-guage of a given language. Proc. 23rd IEEE Conf. on Decision and

539

Control, IEEE Control Systems Society, New York, December 1984,pp. 1073-1080.

[C06] W.M. Wonham, P.J. Ramadge. On modular synthesis of supervisorycontrols for discrete event processes. Proc. Intnl. Conf. on Computers,Systems and Signal Processing, IEEE and I.I.Sc., Bangalore, December1984, pp. 500-504.

[C07] W.M. Wonham. On control of discrete event systems. Seventh Intnl.Symp. on the Mathematical Theory of Networks and Systems (MTNS-85), Stockholm, June 1985. In: C.I. Byrnes, A. Lindquist (eds.),Computational and Combinatorial Methods in Systems Theory, North-Holland, Amsterdam, 1986, pp. 159-174.

[C08] F. Lin, W.M. Wonham. On the computation of supremal controllablesublanguages. Proc. 23rd Annual Allerton Conf. on Communication,Control and Computing. Univ. of Illinois, Urbana, October 1985, pp.942-950.

[C09] J.G. Thistle, W.M. Wonham. On the use of temporal logic in controltheory. Proc. 23rd Annual Allerton Conf. on Communication, Controland Computing. Univ. of Illinois, October 1985, pp. 961-970.

[C10] A. Vaz, W.M. Wonham. On supervisor reduction in discrete event sys-tems. Proc. 23rd Annual Allerton Conf. on Communication, Controland Computing. Univ. of Illinois, Urbana, October 1985, pp. 933-939.

[C11] J.S. Ostroff, W.M. Wonham. A temporal logic approach to real timecontrol. Proc. 24th IEEE Conf. on Decision and Control, IEEE Con-trol Systems Society, New York, December 1985, pp.656-657.

[C12] P.J. Ramadge, W.M. Wonham. Modular supervisory control of discreteevent systems. Seventh Intnl. Conf. on Analysis and Optimization ofSystems, Antibes, June 1986. In: A. Bensoussan, J.L. Lions (eds.),Analysis and Optimization of Systems, Lecture Notes on Control andInformation Sciences (LNCIS) 83, Springer-Verlag, New York, 1986,pp. 202-214.

[C13] P.J. Ramadge, W.M. Wonham. Modular feedback logic for discreteevent systems. Fourth IFAC/IFORS Symp., Large Scale Systems: The-

540 BIBLIOGRAPHY

ory and Applications, Zurich, August 1986. In: H.P. Geering, M. Man-sour (eds.), Large Scale Systems: Theory and Applications. PergamonPress, Oxford, August 1986, vol.1, pp. 83-88.

[C14] W.M. Wonham. Some remarks on control and computer science. Work-shop on Future Directions in System Theory and Applications, Univ.of Santa Clara, September 1986.

[C15] Y. Li, W.M. Wonham. Supervisory control of real-time discrete-eventsystems. Proceedings, 1987 American Control Conference, Minneapo-lis, June 1987, pp. 1715-1720.

[C16] F. Lin, W.M.Wonham. Supervisory control and observation of discrete-event systems. MTNS ’87 - Mathematical Theory of Networks andSystems - International Symposium, Phoenix, June 1987. In: Byrnes,C.I., Martin, C.F., Saeks, R.E. (eds.): Analysis and Control of Nonlin-ear Systems. North-Holland, Amsterdam, 1988, pp. 337-348.

[C17] J.G. Thistle, W.M. Wonham. Supervisory control with infinite-stringspecifications. Proc. Twenty-Fifth Annual Allerton Conference onCommunication, Control and Computing, University of Illinois, 1987,vol. 1, pp. 327-334.

[C18] W.M. Wonham. Logic and language in control theory. Proc. Twenty-Fifth Annual Allerton Conference on Communication, Control andComputing, University of Illinois, 1987, vol. 1, pp. 1-3.

[C19] J.S. Ostroff, W.M. Wonham. State machines, temporal logic and con-trol: a framework for discrete event systems. Proc. 26th IEEE Con-ference on Decision and Control, IEEE Control Systems Society, NewYork, 1987, pp. 681-686.

[C20] J.S. Ostroff, W.M. Wonham. Modelling, specifying and verifying real-time embedded computer systems. Proc. Eighth Real-Time SystemsSymposium, IEEE Computer Society, New York, December 1987, pp.124-132.

[C21] H. Zhong, W.M. Wonham. On hierarchical control of discrete-eventsystems. Proc. 1988 Conference on Information Sciences and Systems,Dept. of Electrical Engineering, Princeton University, 1988, pp. 64-70.

541

[C22] Y. Li, W.M.Wonham. Deadlock issues in supervisory control of discrete-event systems. Proc. 1988 Conference on Information Sciences andSystems, Dept. of Electrical Engineering, Princeton University, 1988,pp. 57-63.

[C23] J.G. Thistle, W.M. Wonham. On the synthesis of supervisors subjectto ω-language specifications. Proc. 1988 Conference on InformationSciences and Systems, Dept. of Electrical Engineering, Princeton Uni-versity, 1988, pp. 440-444.

[C24] Y. Li, W.M. Wonham. A state-variable approach to the modeling andcontrol of discrete-event systems. Proc. Twenty-Sixth Annual AllertonConference on Communication, Control, and Computing. Universityof Illinois, September 1988, pp. 1140-1149.

[C25] W.M. Wonham. A control theory for discrete-event systems. In: M.J.Denham, A.J. Laub (eds.), Advanced Computing Concepts and Tech-niques in Control Engineering, NATO ASI Series, vol. F47, Springer-Verlag, Berlin, 1988; pp. 129-169.

[C26] W.M. Wonham. A language-based control theory of discrete-eventsystems. Preprints, Shell Conference on Logistics, Appeldoorn, TheNetherlands, October 1988. In C.F.H. van Rijn (Ed.), Logistics - WhereEnds Have To Meet, Pergamon, Oxford (UK), 1989, pp. 158- 169.

[C27] Y. Li, W.M. Wonham. Controllability and observability in the state-feedback control of discrete-event systems. Proc. 27th IEEE Confer-ence on Decision and Control, IEEE Control Systems Society, NewYork, December 1988, pp. 203-208.

[C28] F. Lin, W.M. Wonham. Decentralized control and coordination ofdiscrete-event systems. Proc. 27th IEEE Conference on Decision andControl, IEEE Control Systems Society, New York, December 1988,pp. 1125-1130.

[C29] Y. Li, W.M. Wonham. Composition and modular state-feedback con-trol of vector discrete-event systems. Proc. 1989 Conf. on InformationSciences and Systems, The Johns Hopkins University, Baltimore, March1989, pp. 103-111.

542 BIBLIOGRAPHY

[C30] Y. Li, W.M. Wonham. Strict concurrency and nondeterministic controlof discrete-event systems. Proc. 28th IEEE Conference on Decision andControl, IEEE Control Systems Society, New York, December 1989, pp.2731-2736.

[C31] T. Ushio, Y. Li, W.M. Wonham. Basis feedback, weak interaction, andconcurrent well-posedness in concurrent discrete-event systems. Proc.28th IEEE Conference on Decision and Control, IEEE Control SystemsSociety, New York, December 1989, pp. 127-131.

[C32] F. Lin, R.D. Brandt, W.M. Wonham. A note on supremal control-lable and normal sublanguages. Proc. Twenty-Seventh Annual Aller-ton Conf. on Communication, Control and Computing, September1989, pp. 491-500.

[C33] Y. Li, W.M. Wonham. Linear integer programming techniques in thecontrol of vector discrete-event systems. Proc. Twenty-Seventh AnnualAllerton Conf. on Communication, Control and Computing, Univ. ofIllinois, September 1989, pp. 528-537.

[C34] H. Zhong, W.M. Wonham. Hierarchical control of discrete-event sys-tems: computation and examples. Proc. Twenty-Seventh AnnualAllerton Conf. on Communication, Control and Computing, Univ. ofIllinois, September 1989, pp. 511-519.

[C35] N.Q. Huang, Y. Li, W.M. Wonham. Supervisory control of vectordiscrete-event systems. Proc. Twenty-Seventh Annual Allerton Conf.on Communication, Control and Computing, Univ. of Illinois, Septem-ber 1989, pp. 925-934.

[C36] S.D. O’Young, W.M. Wonham. Object-oriented computation and sim-ulation of large-scale discrete event systems. Proc. Twenty-SeventhAnnual Allerton Conf. on Communication, Control and Computing,Univ. of Illinois, September 1989, pp. 945-954.

[C37] K. Rudie, W.M. Wonham. Supervisory control of communicating pro-cesses. Tenth International IFIP WG 6.1 Symposium on Protocol Spec-ification, Testing and Verification. Ottawa, June 1990. [In L. Logrippo,R.L. Probert, H. Ural (Eds.). Protocol Specification, Testing and Ver-ification, X. Elsevier (North-Holland), 1990, pp. 243-257.]

543

[C38] H. Zhong, W.M. Wonham. Hierarchical coordination. Proc. FifthIEEE International Symposium on Intelligent Control. Philadelphia,September 5-7, 1990, pp. 8-14.

[C39] K. Rudie, W.M. Wonham. Think globally, act locally: decentralizedsupervisory control. Proc. 1991 American Control Conference, Boston,June 1991, pp. 898-903.

[C40] W.M. Wonham. Some current research directions in control of discrete-event systems. Presented at European Control Conference ECC 91,Grenoble, July 1991. [preprint available separately from Proceedings]

[C41] B.A. Brandin, B. Benhabib, W.M. Wonham. Discrete event systemsupervisory control applied to the management of manufacturing work-cells. Proc. Seventh International Conference on Computer-Aided Pro-duction Engineering, Cookeville TN USA, August 1991; Elsevier, Am-sterdam, 1991, pp. 527-536.

[C42] J.G. Thistle, W.M. Wonham. Control of ω-automata, Church’s prob-lem, and the emptiness problem for tree ω-automata. Proc. Com-puter Science Logic CSL ’91 (Institut fur Informatik und angewandteMathematik, Universitat Bern, Bern, Switzerland, October 1991). InE.Borger, G. Jager, H.K Buning, M.M. Richter (Eds.). Lecture Notesin Computer Science (LNCS) 626, Springer-Verlag, Berlin, 1992, pp.367-381.

[C43] M. Lawford, W.M. Wonham. An application of real-time transforma-tional equivalence. Proc. 1992 Conference on Information Sciencesand Systems, vol. 1, pp. 233-238, Princeton University, Princeton NJ,1992.

[C44] B.A. Brandin, W.M. Wonham, B. Benhabib. Manufacturing cell su-pervisory control - a timed discrete event system approach. Proc. 1992IEEE International Conference on Robotics and Automation, Nice,France, May 1992, pp. 931-936.

[C45] B.A. Brandin, W.M. Wonham, B. Benhabib. Modular supervisory con-trol of timed discrete-event systems. Proc. Thirtieth Annual AllertonConference on Communication, Control and Computing, University ofIllinois, 1992, pp. 624-632.

544 BIBLIOGRAPHY

[C46] K.C. Wong, W.M. Wonham. Hierarchical and modular control ofdiscrete-event systems. Proc. Thirtieth Annual Allerton Conference onCommunication, Control and Computing, University of Illinois, 1992,pp. 614-623.

[C47] S.-L. Chen, W.M. Wonham. Existence and design of supervisors forvector discrete-event systems. Proc. Thirtieth Annual Allerton Confer-ence on Communication, Control and Computing, University of Illinois,1992, pp. 604-613.

[C48] T.-J. Ho, W.M. Wonham. A framework for timed discrete-event sys-tems. Proc. Thirtieth Annual Allerton Conference on Communication,Control and Computing, University of Illinois, 1992, pp. 650-651.

[C49] K. Rudie, W.M. Wonham. Protocol verification using discrete-eventsystems. Proc. 31st IEEE Conference on Decision and Control, Tucson,Arizona, December 1992, pp. 3770-3777.

[C50] M. Lawford, W.M. Wonham. Equivalence preserving transformationsfor timed transition models. Proc. 31st IEEE Conference on Decisionand Control, Tucson, Arizona, December 1992, pp. 3350-3356.

[C51] B.A. Brandin, W.M. Wonham. Supervisory control of timed discrete-event systems. Proc. 31st IEEE Conference on Decision and Control,Tucson, Arizona, December 1992, pp. 3357-3362.

[C52] B.A. Brandin, W.M. Wonham, B. Benhabib. Manufacturing cell su-pervisory control - a modular timed discrete-event system approach.Proc. IEEE International Conference on Robotics and Automation,Atlanta, Georgia, May 1993, pp. 931-936.

[C53] K.C. Wong, W.M. Wonham. Hierarchical control of timed discrete-event systems. Proc. Second European Control Conference 1993,Groningen, The Netherlands, June-July 1993, pp. 509-512.

[C54] M. Lawford, W.M. Wonham. Supervisory control of probabilistic dis-crete event systems. Proc. 36th Midwest Symposium on Circuits andSystems, Detroit, MI, August 1993, pp. 327-331.

[C55] B.A. Brandin, W.M. Wonham. Modular supervisory control of timeddiscrete-event systems. Proc. 32nd IEEE Conference on Decision and

545

Control, IEEE Control Systems Society, New York, December 1993,pp. 2230-2235.

[C56] M. Lawford, W.M. Wonham, J.S. Ostroff. State-event observers forlabeled transition systems. Proc. 33rd IEEE Conference on Decisionand Control, December 1994, pp. 3642-3648.

[C57] W.M. Wonham. Supervisory control automata for discrete event sys-tems. Preprints, ADEDOPS Workshop (Analysis and Design of Event-Driven Operations in Process Systems), Centre for Process Systems En-gineering, Imperial College of Science Technology and Medicine, Lon-don UK, April 1995; 34 pp.

[C58] S.L. Chen, W.M. Wonham. Existence and design of supervisors forvector discrete-event systems. Proc. 1995 Canadian Conference onElectrical and Computer Engineering, Montreal, September 1995, pp.805-808.

[C59] R.J. Leduc, W.M. Wonham. Discrete event systems modeling and con-trol of a manufacturing testbed. Proc. 1995 Canadian Conference onElectrical and Computer Engineering, Montreal, September 1995, pp.793-796.

[C60] S.L. Chen, W.M. Wonham. Supervisory control of finite automataunder dynamic predicate specifications. Proc. Thirty-Third AnnualAllerton Conference on Communication, Control and Computing, Uni-versity of Illinois, October, 1995, pp. 501-509.

[C61] R.J. Leduc, W.M. Wonham. PLC implementation of a DES supervi-sor for a manufacturing testbed. Proc. Thirty-Third Annual AllertonConference on Communication, Control and Computing, University ofIllinois, October, 1995, pp. 519-528.

[C62] K.C. Wong, W.M. Wonham. Modular control and coordination ofdiscrete-event systems. Proc. 4th IEEE Mediterranean Symposiumon New Directions in Control & Automation, Chania, Crete, Greece,June 1996; pp. 595-599.

[C63] K.C. Wong, W.M. Wonham. Modular control and coordination of atransfer line: a tutorial example. Pre-Proceedings of the 1996 Work-shop on Theoretical Problems on Manufacturing Systems Design and

546 BIBLIOGRAPHY

Control, Univ. of Minho and Univ. of Parma, Lisbon, June 1996; pp.21-29.

[C64] M. Lawford, J.S. Ostroff, W.M. Wonham. Model reduction of mod-ules for state-event temporal logics. Workshop on Application of For-mal Methods to System Development: Telecommunications, VLSI andReal-Time Computerized Control Systems. Jacques Cartier Centre,Montreal, October 1996; pp. 281-287.

[C65] M. Lawford, J.S. Ostroff, W.M. Wonham. Model reduction of modulesfor state-event temporal logics. In R. Gotzhein, J. Bredereke (Eds.),Formal Description Techniques IX, Chapman & Hall, London, 1996; pp.263-278. [IFIP TC6/6.1 International Conference on Formal Descrip-tion Techniques IX/ Protocol Specification, Testing and VerificationXVI, Kaiserslautern, Germany, 8-11 October 1996]

[C66] Hashtrudi Zad, R.H. Kwong, W.M. Wonham. Supremum operatorsand computation of supremal elements in system theory. Proc. 1997IEEE Conference on Decision and Control (CDC’97), December 1997,pp. 2946-2951.

[C67] W.M. Wonham, P. Gohari M. A linguistic framework for controlledhierarchical DES. International Workshop on Discrete Event Systems(WODES ’98). IEE, London, August 1998; pp. 207-212.

[C68] S. Hashtrudi Zad, R.H. Kwong, W.M. Wonham. Fault diagnosis indiscrete-event systems: framework and model reduction. Proc. 1998IEEE Conference on Decision and Control (CDC’98), December 1998,pp. 3769-3774.

[C69] C.Y.P. Chen, W.M. Wonham. Non-preemptive scheduling of periodictasks: a discrete-event control approach. Proc. Fifth InternationalConference on Control, Automation, Robotics and Vision. NanyangTechnological University, Singapore, December 8-11, 1998; pp. 1674-1678.

[C70] C.Y.P. Chen, W.M. Wonham. Real-time supervisory control of a pro-cessor for non-preemptive execution of periodic tasks. Proc. IFAC-99World Congress, Beijing, July 1999, Vol. J, pp. 13-18.

547

[C71] S. Hashtrudi Zad, R.H. Kwong, W.M. Wonham. Fault diagnosis intimed discrete-event systems. Proc. 1999 IEEE Conference on Decisionand Control (CDC’99), pp. 1756-1761.

[C72] R. Minhas, W.M. Wonham. Modelling of timed discrete event systems.Proc. Thirty-Seventh Annual Allerton Conference on Communication,Control and Computing, Allerton, IL, September 1999, pp. 75-84.

[C73] S. Abdelwahed, W.M. Wonham. Interacting discrete event systems.Proc. Thirty-Seventh Annual Allerton Conference on Communication,Control and Computing, Allerton. IL, September 1999, pp. 85-92.

[C74] S. Hashtrudi Zad, R.H. Kwong, W.M. Wonham. Fault diagnosis infinite-state automata and timed discrete-event systems. In: D. Miller,L. Qiu (Eds.), Topics in Control and Its Applications, pp. 81-105.Springer-Verlag, 1999.

[C75] W.M. Wonham. Supervisory control of discrete-event systems: an in-troduction. Proc. IEEE Intnl. Conf. on Industrial Technology 2000(ICIT2000), Goa, India, January 19-22, 2000; pp. 474-479.

[C76] K.C. Wong, W.M. Wonham. On the computation of observers indiscrete-event systems. 2000 Conference on Information Sciences andSystems, Princeton University, March 15-17, 2000, pp. TP1.7-TP1.12.

[C77] R. Su, W.M. Wonham. Decentralized fault diagnosis for discrete-event systems. 2000 Conference on Information Sciences and Systems,Princeton University, March 15-17, 2000, pp. TP1.1-TP1.6.

[C78] R.J. Leduc, B.A. Brandin, W.M. Wonham. Hierarchical interface-based non-blocking verification. Canadian Conference on Electricaland Computer Engineering (CCECE 2000), Halifax, May 7-10, 2000,pp. 1-6.

[C79] P. Gohari, W.M. Wonham. Reduced supervisors for timed discrete-event systems. In R. Boel, G. Stremersch (Eds.), Discrete Event Sys-tems: Analysis and Control [Proc. WODES2000], Kluwer, 2000; pp.119-130.

[C80] S. Hashtrudi Zad, R.H. Kwong, W.M. Wonham. Fault diagnosis andconsistency in hybrid systems. Proc. Thirty-Eighth Annual Allerton

548 BIBLIOGRAPHY

Conference on Communications, Control, and Computing, Allerton,IL, October 2000; pp. 1135-1144.

[C81] S.E. Bourdon, W.M. Wonham, M. Lawford. Invariance under scalingof time bounds in timed discrete-event systems. Proc. Thirty-EighthAnnual Allerton Conference on Communications, Control, and Com-puting, Allerton, IL, October 2000; pp. 1145-1154.

[C82] R. Su, W.M. Wonham. Supervisor reduction for discrete-event systems.2001 Conference on Information Sciences and Systems, The Johns Hop-kins University, March 21-23, 2001 [6 pp.].

[C83] P. Dietrich, R. Malik, W.M. Wonham, B.A. Brandin. Implementationconsiderations in supervisory control. In B. Caillaud, X. Xie (Eds.),Proc. Symposium on the Supervisory Control of Discrete Event Sys-tems (SCODES’2001), INRIA, Paris, July 2001; pp. 27-38.

[C84] Z.H. Zhang, W.M. Wonham. STCT: an efficient algorithm for super-visory control design. In B. Caillaud, X. Xie (Eds.), Proc. Symposiumon the Supervisory Control of Discrete Event Systems (SCODES’2001),INRIA, Paris, July 2001; pp. 82-93. See also: B. Caillaud et al. (Eds.).Synthesis and Control of Discrete Event Systems, Kluwer 2002; pp.77-100.

[C85] R.J. Leduc, B.A. Brandin, W.M. Wonham, M. Lawford. Hierarchi-cal interface-based supervisory control: serial case. Proc. 40th IEEEConference on Decision & Control, Orlando, Fla., December 2001, pp.4116-4121.

[C86] R.J. Leduc, W.M. Wonham, M. Lawford. Hierarchical interface-basedsupervisory control: parallel case. Proc. Thirty-Ninth Annual AllertonConference on Communications, Control, and Computing, Allerton, IL,October 2001, pp. 386-395.

[C87] R.J. Leduc, M. Lawford, W.M. Wonham. Hierarchical interface-basedsupervisory control: AIP example. Proc. Thirty-Ninth Annual Aller-ton Conference on Communications, Control, and Computing, Aller-ton, IL, October 2001, pp. 396-405.

[C88] W.M. Wonham. Supervisory control of discrete-event systems. In AsitK. Datta, Anish Deb, Samarjit Sengupta (Eds.): Proc. Intnl. Conf.

549

on Control, Instrumentation and Information Communication (CIIC2001), Dept. of Applied Physics, U. of Calcutta, 13-15 December 2001;pp. 321-330.

[C89] S.E. Bourdon, M. Lawford, W.M. Wonham. Robust nonblocking super-visory control of discrete-event systems. Proc. 2002 American ControlConference, Anchorage, May 2002, pp. 730-735.

[C90] P.C.Y. Chen, W.M. Wonham. Computation of complete schedules forexecution of periodic tasks on a processor with preemption. Proc. 4thAsia Control Conference, Singapore, September 25-27, 2002, pp. 1904-1909.

[C91] W. Wu, H. Su, J. Chu, W.M. Wonham. Colored Petri net control ofOR-logic. Proc. 2002 IEEE International Symposium on IntelligentControl, Vancouver, October 27-30, 2002, pp. 795-800.

[C92] R. Su, W.M. Wonham. Distributed diagnosis for qualitative systems.Proc. International Workshop on Discrete Event Systems (WODES’02), Zaragoza, Spain, October 2002, pp. 169-174.

[C93] S. Abdelwahed, W.M. Wonham. Supervisory control of interactingdiscrete event systems. Proc. 41st IEEE Conference on Decision andControl, Las Vegas, December 2002, pp. 1175-1180.

[C94] R. Su, W.M. Wonham. Probabilistic reasoning in distributed diagnosisfor qualitative systems. Proc. 41st IEEE Conference on Decision andControl, Las Vegas, December 2002, pp. 429-434.

[C95] C. Ma, W.M. Wonham. Control of state tree structures. Proc. 11thMediterranean Conference on Control and Automation, Rhodes (Greece),June 2003, paper T4-005 (6 pp.).

[C96] S. Abdelwahed, W.M. Wonham. Blocking detection in discrete-eventsystems. Proc. 2003 American Control Conference, June 2003, pp.1673-1678.

[C97] R. Minhas, W.M. Wonham. Online supervision of discrete event sys-tems. Proc. 2003 American Control Conference, June 2003, pp. 1685-1690.

550 BIBLIOGRAPHY

[C98] W.M. Wonham. Supervisory control theory: models and methods.Proc. ATPN - Workshop on Discrete Event Systems Control, 24th In-ternational Conference on Application Theory of Petri Nets (ATPN2003), Eindhoven, The Netherlands, June 2003; pp. 1-14.

[C99] M.H. de Queiroz, J.E.R. Cury, W.M. Wonham. Multi-tasking supervi-sory control of discrete-event systems. Proc. 7th International Work-shop on Discrete Event Systems (WODES’04), Reims, September 2004,pp. 175-180.

[C100] R. Su, W.M. Wonham. A model of component consistency in dis-tributed diagnosis. Proc. 7th International Workshop on DiscreteEvent Systems (WODES’04), Reims, September 2004, pp. 427-432.

[C101] R. Su, W.M. Wonham. Hierarchical distributed diagnosis under globalconsistency. Proc. 7th International Workshop on Discrete Event Sys-tems (WODES’04), Reims, September 2004, pp. 157-162.

[C102] R. Su, W.M. Wonham. An algorithm to achieve local consistency indistributed systems. Proc. 43rd IEEE Conference on Decision andControl (CDC’04), December 2004, pp. 998-1003.

[C103] R. Su, W.M. Wonham. Distributed diagnosis under global consistency.Proc. 43rd IEEE Conference on Decision and Control (CDC’04), De-cember 2004, pp. 525-530.

[C104] L. Feng, W.M. Wonham, P.S. Thiagarajan. Designing communicat-ing transaction processes by supervisory control theory. Proc. Forty-Second Annual Allerton Conference on Communications, Control, andComputing, Allerton, IL, October 2004; pp. 1060-1069.

[C105] R. Su, W.M.Wonham. Undecidability of termination of CPLC for com-puting supremal local support. Proc. Forty-Second Annual AllertonConference on Communications, Control, and Computing, Allerton, IL,October 2004; pp. 604-613.

[C106] A. Saadatpoor, W.M. Wonham. State based control of timed discreteevent systems using binary decision diagrams. Proc. Forty-SecondAnnual Allerton Conference on Communications, Control, and Com-puting, Allerton, IL, October 2004; pp. 1070-1079.

551

[C107] C. Ma, W.M. Wonham. A symbolic approach to the supervision ofstate tree structures. Proc. 13th IEEE Mediterranean Conference onControl and Automation (MED’05), Limassol, Cyprus, June 2005, pa-per TuM04.5 (6 pp.).

[C108] A.A. Afzalian, W.M. Wonham. Discrete-event system supervisory con-troller design for an electrical power transmission network. 14th IranianConference on Electrical Engineering (ICEE2006), Tehran, July 2006.

[C109] L. Feng, W.M. Wonham. Computationally efficient supervisor design:abstraction and modularity. Proc. 8th International Workshop onDiscrete-Event Systems (WODES’06), U. of Michigan, Ann Arbor, MI,July 2006, pp. 3-8.

[C110] L. Feng, W.M. Wonham. Computationally efficient supervisor design:control-flow decomposition. Proc. 8th International Workshop onDiscrete-Event Systems (WODES’06), U. of Michigan, Ann Arbor, MI,July 2006, pp. 9-14.

[C111] A.A. Afzalian, A. Saadatpoor, W.M. Wonham. Discrete-event systemmodeling and supervisory control for under-load tap-changing trans-formers. IEEE International Conference on Control Applications &IEEE International Symposium on Computer-Aided Control SystemsDesign & IEEE International Symposium on Intelligent Control (2006CCA/CACSD/ISIC), Tech. U. Munchen, Munich, Germany, October2006, pp. 1867-1872.

[C112] A. Saadatpoor, A.A. Afzalian, W.M. Wonham. Timed discrete-eventsystems supervisory control for under-load tap-changing transformers.Third Intnl. Conference on Informatics in Control, Automation andRobotics (ICINCO 2006), Setubal, Portugal, August 2006.

[C113] L. Feng, W.M. Wonham. On the computation of natural observers indiscrete-event systems. Proc. 45th IEEE Conference on Decision andControl (CDC’06), San Diego, CA, December 2006, pp. 428-433.

[C114] A. Saadatpoor, A.A. Afzalian, W.M. Wonham. Hierarchical controlof under-load tap-changing transformers using DES. Third Interna-tional Conference on Informatics in Control, Automation and Robotics(ICINCO 2006), Setubal, Portugal, August 2006.

552 BIBLIOGRAPHY

[C115] Y.Z. Chen, W.M. Wonham. Supervisory control based on vector syn-chronous product of automata. Multiconference on Computational En-gineering in Systems Applications, Beijing, October 4-6, 2006.

[C116] A. Saadatpoor, W.M. Wonham. Supervisor state size reduction fortimed discrete-event systems. Proc. 2007 American Control Conference(2007 ACC), New York, July 2007.

[C117] A. Saadatpoor, C. Ma, W.M. Wonham. Supervisory control of timedstate tree structures. 2008 American Control Conference (2008 ACC),Seattle, Washington, June 11-13, 2008.

[C118] C. Ma, W.M Wonham. STSLib and its application to two bench-marks. Proc. 9th International Workshop on Discrete Event Systems(WODES’08), Goteborg, Sweden, May 28-30, 2008; pp. 119-124.

[C119] K. Cai, W.M. Wonham. Supervisor localization: a top-down approachto distributed control of discrete-event systems. In L. Beji, S. Otmane,A. Abichou (Eds.), Proc. 2nd Mediterranean Conference on IntelligentSystems & Automation (CISA’09), Zarzis, Tunisia, March 23-25, 2009;pp. 302-308.

[C120] K. Cai, W.M. Wonham. Supervisor localization for large-scale discrete-event systems. Joint 48th IEEE Conference on Decision and Controland 28th Chinese Control Conference, Shanghai, PR China, December16-18, 2009; pp. 3099-3105.

[C121] W. Chao, Y. Gan, W.M. Wonham, Z. Wang. Nonblocking supervisorycontrol of flexible manufacturing systems based on state tree struc-tures. Workshop on Discrete-Event Control Systems. Xidian Univer-sity, Xi’an, China, 16 February 2011; 6 pp. See also full version in: Z.Li, A.M. Al-Ahmari (Eds.). Formal Methods in Manufacturing Sys-tems: Recent Advances. IGI Global, Engineering Science Reference,2013; pp. 1-19.

[C122] R. Zhang, Y. Gan, W.M. Wonham, Z. Wang. Distributed maximallypermissive nonblocking control of flexible manufacturing systems. Work-shop on Discrete-Event Control Systems. Xidian University, Xi’an,China, 16 February 2011; 6 pp.

553

[C123] R.-Y. Zhang, Y.-M. Gan, Z.-A. Wang, W.M. Wonham. On compu-tation of distributed supervisory controllers in discrete-event systems.Proc. 24th IEEE Chinese Control and Decision Conference (CCDC-2012), Taiyuan, China, 23-25 May 2012; pp. 781-786.

[C124] W.-J. Chao, Y.-M. Gan, Z.-A. Wang, W.M. Wonham. Representationof supervisory controls using state tree structures, binary decision dia-grams, automata, and supervisor reduction. Proc. 24th IEEE ChineseControl and Decision Conference (CCDC-2012), Taiyuan, China, 23-25May 2012; pp. 45-50.

[C125] W.-J. Chao, Y.-M. Gan, Z.-A. Wang, W.M. Wonham. Decentralizedsupervisory control of discrete-event systems based on state tree struc-tures. Proc. 31st Chinese Control Conference (CCC-2012), Hefei,China, 25-27 July 2012; pp. 2184-2190.

[C126] K. Cai, W.M. Wonham. New results on supervisor localization, withapplication to multi-agent formations. In A.R. Trevino, E.L. Mellado,J.-J. Lesage, M. Silva (Eds.), Preprints, 11th International Conferenceon Discrete Event Systems (WODES 2012), Guadalajara, Mexico, 3-5October, 2012, pp. 233-238.

[C127] R.-Y. Zhang, K. Cai, Y.-M. Gan, Z. Wang, W.M. Wonham. Checkingdelay-robustness of distributed supervisors of discrete-event systems.Proc. 2012 IET International Conference on Information Science andControl Engineering (ICISCE-2012), Shenzhen, China, 7-9 December2012, pp. 350-355.

[C128] K. Cai, W.M. Wonham. Supervisor localization of discrete-event sys-tems based on state tree structures. Proc. 51st IEEE Conference onDecision and Control (CDC-2012), Maui, Hawaii, USA, 10-13 Decem-ber 2012, pp. 5822-5827.

[C129] K. Cai, R.-Y. Zhang, W.M. Wonham. Supervision localization of timeddiscrete-event systems. Proc. 2013 American Control Conference,Washington DC, USA, 17-19 June, 2013, pp. 5686-5691.

[C130] K. Cai, R.-Y. Zhang, W.M. Wonham. On relative observability ofdiscrete-event systems. Proc. 52nd IEEE Conference on Decision and

554 BIBLIOGRAPHY

Control (CDC-2013), Firenze, Italy, 11-13 December, 2013, pp. 7285-7290.

[C131] K. Cai, R.-Y. Zhang, W.M. Wonham. On relative observability oftimed discrete-event systems. Proc. 12th IFAC & IEEE InternationalWorkshop on Discrete Event Systems (WODES-2014), Cachan, France,14-16 May, 2014, pp. 208-213.

[C132] R.-Y. Zhang, K. Cai, W.M. Wonham. Delay-robustness in distributedcontrol of timed discrete-event systems based on supervisor localization.Proc. 53rd IEEE Conference on Decision and Control, Los Angeles,CA, 15-17 Dec, 2014, pp. 6719-6724.

[C133] K. Cai, R.-Y. Zhang, W.M. Wonham. On relative coobservabilityof discrete-event systems. Proc. 2015 American Control Conference(ACC-2015), Chicago, IL, USA, 1-3 July, 2015, pp. 371-376.

[C134] Ting Jiao, Yongmei Gan, Xu Yang, W.M. Wonham. Exploiting sym-metry of discrete-event systems with parallel components by relabel-ing. Proc. TENCON 2015 - 2015 IEEE Region 10 Conference, Macau,November 1-4, 2015, pp.1-4.

[C135] Ting Jiao, Yongmei Gan, Guochun Xiao, W.M. Wonham. Exploit-ing symmetry of state tree structures for discrete-event systems withparallel components. Proc. 13th International Workshop on DiscreteEvent Systems (WODES-2016), Xi’an, China; May 30-June 1, 2016,pp.97-102.

[C136] K. Cai, W.M. Wonham. A new algorithm for computing the supremalrelatively observable sublanguage. Proc. 13th International Workshopon Discrete Event Systems, Xi’an, China; May 30-June 1, 2016, pp.8-13.

Graduate Theses

[T01] P.J. Ramadge. Control and Supervision of Discrete Event Processes.Ph.D. Thesis, Dept. of Electl. Engrg., Univ. of Toronto, May 1983.

[T02] F. Lin. Supervisor Synthesis for Discrete Event Processes. M.A.Sc.Thesis, Dept. of Electl. Engrg., Univ. of Toronto, August 1984.

555

[T03] R.S.W. Chan. Simulation and Modelling of a Supervisory Control Sys-tem Using Concurrent Euclid. M.A.Sc. Thesis, Dept. of Electl. Engrg.,Univ. of Toronto, September 1984.

[T04] J.G. Thistle. Control Problems in a Temporal Logic Setting. M.A.Sc.Thesis, Dept. of Electl. Engrg., Univ. of Toronto, January 1985.

[T05] Y. Li. Supervisory Control of Real-Time Discrete Event Systems.M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. of Toronto, July1986.

[T06] J. Ostroff. Real-Time Computer Control of Discrete Systems Modelledby Extended State Machines: A Temporal Logic Approach. Ph.D.Thesis, Dept. of Electl. Engrg., Univ. of Toronto, January 1987.

[T07] J. Shifman. A Hierarchical Approach to Path Planning for Robots.M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. of Toronto, September1987.

[T08] F. Lin. On Controllability and Observability of Discrete Event Systems.Ph.D. Thesis, Dept. of Electl. Engrg., Univ. of Toronto, November1987.

[T09] H. Zhong. Control of Discrete-Event Systems: Decentralized and Hi-erarchical Control. M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. ofToronto, December 1987.

[T10] K. Rudie. Software for the Control of Discrete-Event Systems: A Com-plexity Study. M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. ofToronto, March 1988.

[T11] B.A. Brandin. The Supervisory Control of Discrete Event Systems withForcible Events. M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. ofToronto, October 1989.

[T12] K.C. Wong. An Algebraic Description of Hierarchical Control in Discrete-Event Systems. M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. ofToronto, June 1990.

[T13] T.-M. Pai. Real Time Implementation of Discrete-Event Control Sys-tems. M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. of Toronto, June1990.

556 BIBLIOGRAPHY

[T14] R.K. Wong. State-Based Discrete-Event Modeling and Control of Con-current Systems. M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. ofToronto, November 1990.

[T15] J.G. Thistle. Control of Infinite Behaviour of Discrete-Event Systems.Ph.D. Thesis, Dept. of Electl. Engrg., Univ. of Toronto, January 1991.

[T16] N.-Q. Huang. Supervisory Control of Vector Discrete-Event Processes.M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. of Toronto, April 1991.

[T17] Y. Li. Control of Vector Discrete-Event Systems. Ph.D. Thesis, Dept.of Electl. Engrg., Univ. of Toronto, April 1991.

[T18] I.E.H. Caulder. Applications of Decentralized Hierarchical DES Con-trol to Telecommunications Network Protocols. M.A.Sc. Thesis, Dept.of Electl. Engrg., Univ. of Toronto, August 1991.

[T19] M.S. Lawford. Transformational Equivalence of Timed Transition Mod-els. M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. of Toronto, Jan-uary 1992.

[T20] H. Zhong. Hierarchical Control of Discrete-Event Systems. Ph.D. The-sis, Dept. of Electl. Engrg., Univ. of Toronto, April 1992.

[T21] J. Liao. Hierarchical Control in Vector Discrete-Event Systems. M.A.Sc.Thesis, Dept. of Electl. Engrg., Univ. of Toronto, April 1992.

[T22] C.-Y. Yuen. Control Synthesis for Timed Discrete Event Systems.M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. of Toronto, April1992.

[T23] K. Rudie. Decentralized Control of Discrete-Event Systems. Ph.D.Thesis, Dept. of Electl. Engrg., Univ. of Toronto, June 1992.

[T24] S.-L. Chen. Existence and Design of Supervisors for Vector DiscreteEvent Systems. M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. ofToronto, July 1992.

[T25] B. Schwartz. State Aggregation of Controlled Discrete-Event Systems.M.A.Sc. Thesis, Dept. of Electl. Engrg., Univ. of Toronto, July 1992.

557

[T26] B.A. Brandin. Real-Time Supervisory Control of Automated Manu-facturing Systems. Ph.D. Thesis, Dept. of Electl. & Cmptr. Engrg.,Univ. of Toronto, January 1993.

[T27] L. Zhu. Control Theory of Stochastic Discrete Event Systems. M.A.Sc.Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto, April1993.

[T28] K.-C. Wong. Discrete-Event Control Architecture: An Algebraic Ap-proach. Ph.D. Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. ofToronto, June 1994.

[T29] B. Wang. Top-Down Design for RW Supervisory Control Theory.M.A.Sc. Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto,June 1995.

[T30] R.J. Leduc. PLC Implementation of a DES Supervisor for a Manu-facturing Testbed: An Implementation Perspective. M.A.Sc. Thesis,Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto, January 1996.

[T31] Y.-Q. Zhang. Software for State-Event Observation Theory and itsApplication to Supervisory Control. M.A.Sc. Thesis, Dept. of Electl.& Cmptr. Engrg., Univ. of Toronto, January 1996.

[T32] T.Y.L. Chun. Diagnostic Supervisory Control: A DES Approach.M.A.Sc. Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto,August 1996.

[T33] S.-L. Chen. Control of Discrete-Event Systems of Vector and MixedStructural Type. Ph.D. Thesis, Dept. of Electl. & Cmptr. Engrg.,Univ. of Toronto, September 1996.

[T34] M.S. Lawford. Model Reduction of Discrete Real-Time Systems. Ph.D.Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto, January1997.

[T35] X.-Q. Zhang. Control of Boolean Discrete-Event Systems. M.A.Sc.Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto, April1997.

558 BIBLIOGRAPHY

[T36] Y.-C. Guan. Implementation of Hierarchical Observer Theory. M.A.Sc.Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto, April1997.

[T37] T.-J. Ho. The Control of Real-Time Discrete-Event Systems Subject toPredicate-Based Constraints. Ph.D. Thesis, Dept. of Electl. & Cmptr.Engrg., Univ. of Toronto, August 1997.

[T38] P. Gohari-Moghadam. A Linguistic Framework for Controlled Hierar-chical DES. M.A.Sc. Thesis, Dept. of Electl. & Cmptr. Engrg., Univ.of Toronto, April 1998.

[T39] C. Ma. A Computational Approach to Top-Down Hierarchical Super-visory Control of DES. M.A.Sc. Thesis, Dept. of Electl. & Cmptr.Engrg., Univ. of Toronto, April 1999.

[T40] S. Hashtrudi Zad. Fault Diagnosis in Discrete-Event and Hybrid Sys-tems. Ph.D. Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. ofToronto, August 1999.

[T41] K.Q. Pu. Modeling and Control of Discrete-Event Systems with Hi-erarchical Abstraction. M.A.Sc. Thesis, Dept. of Electl. & Cmptr.Engrg., Univ. of Toronto, March 2000.

[T42] R. Su. Decentralized Fault Diagnosis for Discrete-Event Systems. M.A.Sc.Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto, April2000.

[T43] Y.W. Wang. Supervisory Control of Boolean Discrete-Event Systems.M.A.Sc. Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto,June 2000.

[T44] Z.H. Zhang. Smart TCT: An Efficient Algorithm for Supervisory Con-trol Design. M.A.Sc. Thesis, Dept. of Electl. & Cmptr. Engrg., Univ.of Toronto, April 2001.

[T45] S. Abdelwahed. Interacting Discrete-Event Systems: Modeling, Veri-fication, and Supervisory Control. Ph.D. Thesis, Dept. of Electl. &Cmptr. Engrg., Univ. of Toronto, March 2002.

559

[T46] R.J. Leduc. Hierarchical Interface-based Supervisory Control. Ph.D.Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto, April2002.

[T47] R.S. Minhas. Complexity Reduction in Discrete Event Systems. Ph.D.Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto, Septem-ber 2002.

[T48] P. Gohari-Moghadam. Fair Supervisory Control of Discrete-Event Sys-tems. Ph.D. Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. ofToronto, September 2002.

[T49] V.J. Ravichandran. Distributed Diagnosis for State-Based Discrete-Event Systems. M.A.Sc. Thesis, Dept. of Electl. & Cmptr. Engrg.,Univ. of Toronto, September 2002.

[T50] C. Ma. Nonblocking Supervisory Control of State Tree Structures.Ph.D. Thesis, Dept. of Electl. & Cmptr. Engrg. Univ. of Toronto,March 2004.

[T51] R. Su. Distributed Diagnosis for Discrete-Event Systems. Ph.D. The-sis, Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto, June 2004.

[T52] S. Yi. Hierarchical Supervision with Nonblocking. M.A.Sc. Thesis,Dept. of Electl. & Cmptr. Engrg., Univ. of Toronto, June 2004.

[T53] A. Saadatpoor. State-Based Control of Timed Discrete-Event SystemsUsing Binary Decision Diagrams. M.A.Sc. Thesis, Dept. of Electl. &Cmptr. Engrg., Univ. of Toronto, June 2004.

[T54] L. Feng. Computationally Efficient Supervisor Design for Discrete-Event Systems. Ph.D. Thesis, Dept. of Electl. & Cmptr. Engrg.,Univ. of Toronto, July 2007.

[T55] K. Cai. Supervisor Localization: A Top-Down Approach to DistributedControl of Discrete-Event Systems. M.A.Sc. Thesis, Dept. of Electl.& Cmptr. Engrg., Univ. of Toronto, June 2008.

[T56] B. Cheung. Computing Hierarchical Nonblocking Discrete-Event Sys-tems. M.A.Sc. Thesis, Dept. of Electl. & Cmptr. Engrg., Univ. ofToronto, July 2008.

560 BIBLIOGRAPHY

[T57] A. Saadatpoor. Timed State-Tree Structures: Supervisory Control andFault Diagnosis. Ph.D. Thesis, Dept. of Electl. & Cmptr. Engrg.,Univ. of Toronto, March 2009.

[T58] L.-Y. Yan. State-Based Control of Discrete-Event Systems with Ob-servational Abstractions. M.A.Sc. Thesis, Dept. of Electl. & Cmptr.Engrg., Univ. of Toronto, September 2011.

[T59] Y.-P. Yao. Sufficient Conditions for Output Regulation on Metric andBanach Spaces - A Set-Theoretic Approach. M.A.Sc. Thesis, Dept. ofElectl. & Cmptr. Engrg., Univ. of Toronto, September 2012.

[T60] S. Izadian. Supply Chain Operation Modeling and Automation UsingUntimed and Timed State Tree Structures. M.A.Sc. Thesis, Dept. ofElectl. & Cmptr. Engrg., Univ. of Toronto, August 2013.

[T61] X.-Q. Qu. Efficient Abstractions in Hierarchical Supervisory Controlof Discrete-Event Systems. M.A.Sc. Thesis, Dept. of Electl. & Cmptr.Engrg., Univ. of Toronto, September 2013.

Appendix

Supervisory Control of a MinePump

561

562 APPENDIX

UNTIMED MINE PROBLEM IN TCT

This exercise is adapted from Chapter 16 of the book: A. Burns, A. Wellings.Real-Time Systems and Their Programming Languages. Addison-Wesley1990.

The plant consists of a water pump (PUMP), water-level sensor (WLSEN-SOR), methane sensor (MESENSOR), human operator (OPERATOR), andwater-flow sensor (WFSENSOR). Each sensor reports either a high or a lowvalue for its variable, with corresponding higher- or lower-indexed event.There are two modes, automatic and manual. In automatic mode, the pump(motor) is controlled by the methane and water-level sensors; it is turnedon if and only if the water-level is high and the methane level is low. Thewater-flow sensor monitors pump operation; it reports either ‘ok’ (low) or‘problem’ (high); in case of ‘problem’ (i.e. the pump is turned on but thereis no water flow) it should sound an alarm. Manual mode overrides auto-matic; in manual, the sensors are disconnected from the pump control, andthe operator is free to turn the pump on or off at will.

The DES model is built up in stages, so the designer has a clear pictureof control action as more features are added. The TCT ‘project’ commandcan be used to look at various facets of system behavior.

STAGE 0: Create the individual plant units.

PUMP = create(PUMP,[mark 0],[tran [0,11,0],[0,13,0]]) (1,2)11 = TurnOff; 13 = TurnOnWLSENSOR = create(WLSENSOR,[mark 0],[tran [0,21,1],[1,22,0],

[1,24,0]]) (2,3)21 = Initialize, 22 = ReportWaterLevelLo, 24 = ReportWaterLevelHiMESENSOR = create(MESENSOR,[mark 0],[tran [0,31,1],[1,32,0],

[1,34,0]]) (2,3)31 = Initialize, 32 = ReportMethaneLevelLo, 34 = ReportMethaneLevelHiOPERATOR= create(OPERATOR,[mark 0],[tran [0,41,0],[0,43,0]]) (1,2)41 = EnterAutomaticMode, 43 = EnterManualModeWFSENSOR = create(WFSENSOR,[mark 0],[tran [0,51,1],[0,53,0],

[1,52,0],[1,54,0]]) (2,4)51 = Initialize, 52 = ReportOK, 53 = SoundAlarm, 54 = ReportProblem

STAGE 1: Consider just the pump and the two most critical sensors, forwater-level and methane.

563

PLANT1 = sync(PUMP,WLSENSOR) (2,7)

PLANT1 = sync(PLANT1,MESENSOR) (4,20)

ALL1 = create(ALL1,[mark 0]) (1,0)

ALL1 = selfloop(ALL1,[11,13,21,22,24,31,32,34]) (1,8)Bring in two specifications. CYCSPEC1 forces WLSENSOR and MESEN-SOR to operate in turn, re-initializing after commanding the pump to turnoff or on, as appropriate, and then recycling.

CYCSPEC1 = create(CYCSPEC1,[mark 0],[tran [0,21,1],[1,22,2],[1,24,2],[2,31 ,3],[3,32,4],[3,34,4], [4,11,0],[4,13,0]]) (5,8)

CYCSPEC1 = sync(CYCSPEC1,ALL1) (5,8)

PMPSPEC1 allows the pump to be forced (or kept) on only when water-levelis high and methane level is low. This is a boolean condition expressing theenablement or disablement of pump events 11 and 13 as a function of themost recent sensor reports.

PMPSPEC1 = create(PMPSPEC1,[mark 0],[tran [0,11,0],[0,22,0],[0,24,1],[0,32,0],[0,34,2],[1,13,1],[1,22,0],[1,24,1],[1,32,1],[1,34,3],[2,11,2],[2,22,2],[2,24,3],[2,32,0],[2,34,2],[3,11,3],[3,22,2],[3,24,3],[3,32,1],[3,34,3]]) (4,20)

PMPSPEC1 = sync(PMPSPEC1,ALL1) (4,28)

Construct the first-stage specification and compute the first-stage supervisor.

SPEC1 = meet(CYCSPEC1,PMPSPEC1) (20,28)

MSPEC1= minstate(SPEC1) (10,13)

SUPER1= supcon(PLANT1,SPEC1) (20,28)

SUPER1= condat(PLANT1,SUPER1) Controllable.

MSUPER1 = minstate(SUPER1) (10,13)

The transition graph of the (state-minimized) controlled behavior MSUPER1is as expected, and quite transparent. Investigate modular control.

true = nonconflict(PLANT1,CYCSPEC1)

true = nonconflict(PLANT1,PMPSPEC1)

MODSUP1 = meet(CYCSPEC1,PMPSPEC1) (20,28)

564 APPENDIX

true = isomorph(SUPER1,MODSUP1;identity)Modular control with separate supervisors for the sensor cycle and the pumpcontrol has been validated for the Stage 1 system.

STAGE 2: Incorporate operator’s override. This is to mean that the op-erator can force the system from automatic to manual modeat any time (ev43); when returning to automatic mode (ev41)the automatic system is re-initialized to state 0. Thus SPEC2is created by adding one new state (10) to MSPEC1, withev43 taking the system from any state of MSPEC1 to thenew manual-operation state (10); then ev41 takes 10 back to0. Note the convenience of using a wildcard ([*,43,10] whileediting.

SPEC2 = edit(MSPEC1,[trans +[0,43,10],+[1,43,10],+[2,43,10],+[3,43,10],+[4,43,10],+[5,43,10],+[6,43,10],+[7,43,10],+[8,43,10],+[9,43,10],+[10,11,10],+[10,13,10],+[10,21,10],+[10,22,10],+[10,24,10],+[10,31,10],+[10,32,10],+[10,34,10],+[10,41,0]]) (11,32)

ALL2 = selfloop(ALL1,[41,43]) (1,10)

PLANT2= sync(PLANT1,OPERATOR) (4,28)

SUPER2= supcon(PLANT2,SPEC2) (14,44)

SUPER2= condat(PLANT2,SUPER2) Controllable.Investigate modular control. From CYCSPEC1 and PMPSPEC1 respectivelyconstruct CYCSPC12 and PMPSPC12 to incorporate manual override.

CYCSPC12 = edit(CYCSPEC1,[trans +[0,43,5],+[1,43,5],+[2,43,5],+[3,43,5],+[4,43,5],+[5,41,0]]) (6,14)

CYCSPC12 = edit(CYCSPC12,[trans +[5,11,5],+[5,13,5],+[5,21,5],+[5,22,5],+[5,24,5],+[5,31,5],+[5,32,5],+[5,34,5]]) (6,22)

CYCSPC12 = condat(PLANT2,CYCSPC12) Uncontrollable.

CYCSUP12 = supcon(PLANT2,CYCSPC12) (9,34)

PMPSPC12 = edit(PMPSPEC1,[trans +[0,43,4],+[1,43,4],+[2,43,4],+[3,43,4],+[4,11,4],+[4,13,4],+[4,21,4],+[4,22,4],+[4,24,4],+[4,31,4],+[4,3 2,4],+[4,34,4],+[4,41,0]]) (5,41)

true = nonconflict(PLANT2,PMPSPC12)

565

PMPSPC12 = condat(PLANT2,PMPSPC12) Controllable.

Thus PMPSPC12 is a proper supervisor for PLANT2.

MODSUP2 = meet(CYCSUP12,PMPSPC12) (24,69)

true = nonconflict(PLANT2,MODSUP2)

MODSUP2 = condat(PLANT2,MODSUP2) Controllable.

MMODSUP2 = minstate(MODSUP2) (14,44)

true = isomorph(SUPER2,MMODSUP2;identity)

The two modular supervisors are together equivalent to the centralized su-pervisor. Check to see if they are of minimal state size.

MCYCSP12 = minstate(CYCSUP12) (9,34)

MPMSPC12 = minstate(PMPSPC12) (5,41)

They are both minimal. Make an additional check on behavior.

MODBEH2 = meet(PLANT2,MODSUP2) (24,69)

MMODBEH2 = minstate(MODBEH2) (14,44)

true = isomorph(SUPER2,MMODBEH2;identity)

Modular supervision for the Stage 2 system has been validated.

STAGE 3: Bring in WFSENSOR, specified by WFSPEC to sound analarm (ev53) if it detects a problem with water flow (ev54); itshould be initialized every time the pump is turned on (ev13);and the WFSENSOR cycle should run to completion beforethe pump is reactivated (turned off or on again).

ALL3 = selfloop(ALL2,[51,52,53,54]) (1,14)

PLANT3 = sync(PLANT2,WFSENSOR) (8,72)

SPEC23 = sync(SPEC2,ALL3) (11,76)

WFSPEC = create(WFSPEC,[mark 0],[tran [0,11,0],[0,13,1],[1,51,2],[2,52,0], [2,54,3],[3,53,0]]) (4,6)

WFSPEC = sync(WFSPEC,ALL3) (4,38)

SPEC3 = meet(SPEC23,WFSPEC) (44,157)

SPEC3 = condat(PLANT3,SPEC3) Uncontrollable.

SUPER3= supcon(PLANT3,SPEC3) (56,199)

MSUPER3 = minstate(SUPER3) (56,199)

true = isomorph(MSUPER3,SUPER3;identity)

SUPER3= condat(PLANT3,SUPER3) Controllable.

566 APPENDIX

Investigate modular supervision. We already know that modularity at Stage 2is equivalent to using SUPER2, so first upgrade SUPER2 to SUPER23 tomake it compatible with PLANT3.

SUPER23 = sync(SUPER2,ALL3) (14,100)

true = nonconflict(PLANT3,WFSPEC)

WFSPEC = condat(PLANT3,WFSPEC) Controllable.

WFSPEC is a proper supervisor for PLANT3; rename it WFSUP3. TrySUPER23 and WFSUP3 as modular supervisors.

WFSUP3 = edit(WFSPEC) (4,38)

MODSUP3 = meet(SUPER23,WFSUP3) (56,199)

true = isomorph(SUPER3,MODSUP3;identity)

As a check, go back and adapt the modular components previously obtainedfor SUPER2, to obtain three modular supervisors for the Stage 3 system.

CYCSUP13 = sync(CYCSUP12,ALL3) (9,70)

PMPSPC13 = sync(PMPSPC12,ALL3) (5,61)Combine the three modular supervisors and check the behavior under mod-ular control.

TEST3 = sync(WFSUP3,CYCSUP13) (36,142)

TEST3 = sync(TEST3,PMPSPC13) (72,244)

MODBEH3 = meet(PLANT3,TEST3) (72,244)

MMODBEH3 = minstate(MODBEH3) (56,199)

true = isomorph(SUPER3,MMODBEH3;identity)

Modular behavior for the Stage 3 system has been validated.

STAGE 4: Reduce SUPER3 to SUPER4, the behavior of the automaticmode alone, by removing ev41 and ev43.

ALL4 = edit(ALL3,[trans -[0,41,0],-[0,43,0]]) (1,12)

SUPER4= meet(SUPER3,ALL4) (37,76)

MSUPER4 = minstate(SUPER4) (37,76)

true = isomorph(MSUPER4,SUPER4;identity)

As a check, exhibit the ordering in automatic mode of evs11,13,21,31,51,53.

PSUPER4 = project(SUPER4,Null[22,24,32,34,52,54]) (10,17)

As another check, recover the Stage 1 supervisor by projecting out WFSEN-SOR from SUPER4.

567

QSUPER4 = project(SUPER4,Null[51,52,53,54]) (10,13)

MSUPER1= minstate(SUPER1) (10,13)

true = isomorph(QSUPER4,MSUPER1;identity)

STAGE 5: Make some enhancements to PLANT3 to incorporate acounter which raises a flag (ev90) if there are at least 3 consec-utive readings of both water-level high (ev24) and of methane-level high (ev34). We also add a general alarm (ev91) that canbe used to order that the mine be evacuated.

WLEMERG = create(WLEMERG,[mark 0,3],[tran [0,22,0],[0,24,1],[1,22,0],[1,24,2],[2,22,0],[2,24,3],[3,22,3],[3,24,3],[3,90,3]]) (4,9)

MEEMERG = create(MEEMERG,[mark 0,3],[tran [0,32,0],[0,34,1],[1,32,0],[1,34,2],[2,32,0],[2,34,3],[3,32,3],[3,34,3],[3,90,3]]) (4,9)

EMERG = sync(WLEMERG,MEEMERG) (16,65)EVACMINE = create(EVACMINE,[mark 0],[tran [0,91,0]]) (1,1)PLANT5 = sync(PLANT3,EMERG) (128,1160)

PLANT5 = sync(PLANT5,EVACMINE) (128,1288)

ALL5 = selfloop(ALL3,[90,91]) (1,16)Add SPEC5 to make it impossible for the operator to turn on the pumpwhen the methane level is high.

MESPEC = create(MESPEC,[mark 0],[tran [0,13,0],[0,32,0],[0,34,1],[1,32,0],[1,34,1]]) (2,5)

MESPEC = sync(MESPEC,ALL5) (2,31)SPEC35 = sync(SPEC3,ALL5) (44,245)SPEC5 = meet(SPEC35,MESPEC) (73,422)true = nonconflict(PLANT5,SPEC5)SUPER5 = supcon(PLANT5,SPEC5) (804,3927)MSUPER5 = minstate(SUPER5) (776,3826)

STAGE 6: Provide a crisis scenario to force the operating mode to man-ual (ev43) and order that the mine be evacuated, when themethane/water-level flag is raised (ev90). Note that the sen-sors are disabled at the terminal state 2.

568 APPENDIX

CRISIS = create(CRISIS,[mark 0,2],[tran [0,21,0],[0,31,0],[0,51,0],[0,90,1],[1,21,1],[1,31,1],[1,43,2],[1,51,1],[1,90,1],[2,90,2],[2,91,2]]) (3,11)

CRISIS = sync(CRISIS,ALL5) (3,41)

SPEC6 = meet(SPEC5,CRISIS) (102,386)

SUPER6 = supcon(PLANT5,SPEC6) (292,681)MSUPER6 = minstate(SUPER6) (278,652)

[STAGE 7: has been deleted]

STAGE 8: Using vocalization, develop a simple abstract model of SU-PER1, taking into account just the methane readings, withthe objective of letting a high- level manager execute a sys-tem shutdown (ev81).

SUPER8 = edit(MSUPER1) (10,13)SHUTDOWN = create(SHUTDOWN,[mark 0],[tran [0,81,0]]) (1,1)ALL8 = selfloop(ALL1,[81]) (1,9)PLANT8 = sync(PLANT1,SHUTDOWN) (4,24)

The shutdown specification SDNSPEC will require that both pump transi-tions, along with the sensor specifications, be disabled.

SDNSPEC = create(SDNSPEC,[mark 0,1],[tran [0,11,0],[0,13,0],[0,21,0],[0,31,0],[0,81,1]]) (2,5)

SDNSPEC = sync(SDNSPEC,ALL8) (2,13)Adapt the Stage 1 sensor cycle to Stage 8.

CYCSPEC8 = sync(CYCSPEC1,ALL8) (5,13)For shutdown to occur without supervisor blocking, the former restrictionthat only the ‘normal’ state be marked must be relaxed, inasmuch as shut-down will occur only after *abnormal* behavior! So now all four of the Stage1 PMPSPEC1 states must be marked.

PMPSPEC8 = edit(PMPSPEC1,[mark +[1],+[2],+[3]]) (4,28)PMPSPEC8 = sync(PMPSPEC8,ALL8) (4,32)

SPEC8 = meet(PMPSPEC8,CYCSPEC8) (20,48)

SPEC8 = meet(SPEC8,SDNSPEC) (40,64)

569

SUPER8 = supcon(PLANT8,SPEC8) (24,32)MSUPER8 = minstate(SUPER8) (9,12)SUPER8 = edit(MSUPER8) (9,12)

Next vocalize the significant events corresponding to methane-level readings(evs32,34) and shutdown (ev81).

VSUPER8 = vocalize(SUPER8,[[0,81,81],[5,34,34],[6,34,34],[5,32,32],[6,32,32]]) (10,13)

VSUPER8 = BFS(VSUPER8) (10,13)

VSUP8HI = higen(VSUPER8) (2,3)

OCVSUP8 = outconsis(VSUPER8) (10,13)

HCVSUP8 = hiconsis(VSUPER8) (10,13)

false = isomorph(HCVSUP8,OCVSUP8)OCVSUP8 has 4 vocalized states and 3 distinct vocal outputs, whereas HCV-SUP8 has 5 vocalized states with 5 vocal outputs.

X = hiconsis(OCVSUP8) (10,13)true = isomorph(X,HCVSUP8;identity)HCVSP8HI = higen(HCVSUP8) (3,5)

Reasonably small high-level abstraction of the low-level controlled behav-ior: 3 states vs. 10. Bring in SPEC8HI to shut the system down after 3consecutive high methane readings.

SPEC8HI = create(SPEC8HI,[mark 0,4],[tran [0,320,0],[0,340,1],[1,320,0],[1,340,2],[2,320,0],[2,340,3],[3,811,4]]) (5,7)

ALL8HI = create(ALL8HI,[mark 0]) (1,0)ALL8HI = selfloop(ALL8HI,[320,340,811,821,831]) (1,5)SPEC8HI = sync(SPEC8HI,ALL8HI) (5,17)SUPER8HI = supcon(HCVSP8HI,SPEC8HI) (8,13)Y = minstate(SUPER8HI) (8,13)true = isomorph(Y,SUPER8HI;identity)

By inspection of SPEC8HI an obvious simplified supervisor can be created.SMSUP8HI = edit(SPEC8HI,[trans -[3,821,3],-[3,831,3]]) (5,15)TEST = meet(HCVSP8HI,SMSUP8HI) (8,13)true = isomorph(TEST,SUPER8HI;identity)

Hierarchical treatment of SUPER1 is successful. However, it was not quitestraightforward, as the subtle effects of marking had to be dealt with.

570 APPENDIX

STAGES 9,10: Adapt the model of Stage 8 to incorporate the operator, asin Stage 2, so we have both automatic and manual modes.

PLANT9 = sync(PLANT8,OPERATOR) (4,32)

MSPEC8 = minstate(SPEC8) (12,23)

Modify MSPEC8 to allow transition from automatic to manual (ev43) andback (ev41) to occur only between the initial state and the designated en-trance state (12) to manual. Note that the latter state (12) is now marked.Shutdown (ev81) is restricted to occur only at the initial state (0) or the en-trance state to manual (2); all action ceases after shutdown and the systemremains at the shutdown state (3). The modeling intent is to cut back to asmall number of instances of significant events in order to produce a smallhigh-level model.

SPEC10 = edit(MSPEC8,[trans +[0,43,12],+[12,11,12],+[12,13,12],+[12,21,12],+[12,22,12],+[12,24,12],+[12,31,12],+[12,32,12],+[12,34,12],+[12,41,0],+[12,81,12]]) (13,34)

SPEC10 = edit(SPEC10,[trans -[1,81,5],-[3,81,7],-[4,81,7],-[6,81,10],-[8,81,10],-[9,81,7],-[11,81,7]]) (13,27)

SPEC10 = edit(SPEC10,[mark +[12]],[trans +[12,81,2],-[12,81,12]]) (13,27)

PLANT10 = edit(PLANT9) (4,32)

SUPER10 = supcon(PLANT10,SPEC10) (13,35)

MSUPER10 = minstate(SUPER10) (13,35)

true = isomorph(MSUPER10,SUPER10;identity)

Now we create the high-level model, first vocalizing SUPER10 with respectto methane readings (evs32,34), automatic/manual transitions (evs41,43),and shutdown (ev81).

VSUPER10 = Vocalize(SUPER10,[[0,43,43],[0,81,81],[2,41,41],[2,81,81],[7,32,32],[7,34,34],[8,32,32],[8,34,34],[9,32,32],[10,34,34],[9,34,34],[13,81,81],[10,32,32],[13,43,43],[14,81,81],[15,81,81],[16,81,81]]) (20,67)

X = minstate(VSUPER10) (20,67)

true = isomorph(X,VSUPER10;identity)

VSP10HI = higen(VSUPER10) (3,8)

OCVSP10 = outconsis(VSUPER10) (20,67)

false = isomorph(OCVSP10,VSUPER10)

571

In fact, VSUPER10 and OCVSP10 are actually isomorphic, up to the recod-ing of state outputs done by ‘outconsis’.

HCVSP10 = hiconsis(VSUPER10) (21,72)

X = hiconsis(OCVSP10) (21,72)

true = isomorph(X,HCVSP10;identity)

HCVS10HI = higen(HCVSP10) (6,18)

X = minstate(HCVS10HI) (6,18)

true = isomorph(X,HCVS10HI;identity)

The high-level model HCVS10HI, of size 6, does not represent a large reduc-tion over the low-level controlled model SUPER10 of size 13, but is someimprovement.

PHCVS10H = project(HCVS10HI,Null[820,821,831,841,851]) (3,8)

Notice that the manager may only be interested in the original events thathe declared to be significant, of course after any splitting that is required toresolve their control status. Here we have projected out the additional eventsintroduced by ‘hiconsis’. This small model incorporates only the originalevents selected by the manager, and in terms of which he would be mostlikely to express his high-level specification. This can be thought of as thethird (and highest) hierarchical level, the level of HCVS10HI being a middlelevel that the high-level manager need not see (because the additional eventsdue to ‘hiconsis’ may well be confusing and difficult to interpret). Thismiddle level is, of course, the one used by TCT in computing the high-levelcontrol.

Now create a high-level specification to apply to HCVS10HI.

ALL10HI = create(ALL10HI,[mark 0]) (1,0)

ALL10HI = selfloop(ALL10HI,[320,340,411,431,811,820,821,831,841,851]) (1,10)

Check that ALL10HI includes all the events that occur in HCVS10HI.

X = meet(HCVS10HI,ALL10HI) (6,18)

true = isomorph(X,HCVS10HI;identity)

For the high-level specification we decide to force an initial switch to manual(ev431). When this is followed by 3 consecutive readings of methane-high(ev340), there is a forced return to automatic (ev411) followed by shutdown(ev811).

SPEC10HI = create(SPEC10HI,[mark 0,5],[tran [0,320,0],[0,340,1],[0,431,0],[1,320,0],[1,340,2],[2,320,0],[2,340,3],[3,411,4],[4,811,5]]) (6,9)

572 APPENDIX

This specification must be augmented by selflooping the auxiliary high-levelevents that are of no direct interest to the manager.

SPEC10HI = sync(SPEC10HI,ALL10HI) (6,39)

SUP10HI = supcon(HCVS10HI,SPEC10HI) (13,33)

X = minstate(SUP10HI) (13,33)

true = isomorph(X,SUP10HI;identity)

Now project from this ‘middle-level’ behavior the undesired auxiliary events.

PSUP10HI = project(SUP10HI,Null[820,821,831,841,851]) (7,9)

This is reasonably small, and easy to comprehend. This is an importanttheme: how we achieve a comprehensible state model at any particular stageof (human) design. Indeed this is the basic rationale for the entire approach.

SPC10LO = create(SPC10LO,[mark 0,5],[tran [0,32,0],[0,34,1],[0,43,0],[1,32,0],[1,34,2],[2,32,0],[2,34,3],[3,32,0],[3,41,4],[4,81,5]]) (6,10)

SPC10LO = sync(SPC10LO,ALL9) (6,46)

SPEC10LO = meet(SPEC10,SPC10LO) (40,78)

SUP10LO = supcon(PLANT10,SPEC10LO) (17,70)

X = minstate(SUP10LO) (17,70)

true = isomorph(X,SUP10LO;identity)

This displays a conceptual advantage in hierarchical control. The low-levelcontrolled behavior has size (17,70) compared with the high-level controlledbehavior of (7,9). The latter is far more comprehensible.

PSUP10LO = project(SUP10LO,Null[11,13,21,22,24,31]) (7,9)

However, when we project out the events not of direct relevance to thehigh-level specification, we end up with a result of exactly the same sizeas PSUP10HI.

For interest, change the high-level specification by requiring an initial forcingto automatic, and a final forcing to manual.

ASPC10HI = edit(SPC10HI,[trans +[0,411,0],+[3,431,4],-[0,431,0],-[3,411,4]]) (6,33)

ASUP10HI = supcon(HCVS10HI,ASPC10HI) (9,14)

X = minstate(ASUP10HI) (9,14)

true = isomorph(X,ASUP10HI;identity)

A significant reduction in state size, from (13,33) for SUP10HI, to (9,14) forASUP10HI.

573

ASUP10HI = condat(HCVS10HI,ASUP10HI) Controllable.

PASP10HI = project(ASUP10HI,Null[831,841]) (6,8)

Compare with the size (7,9) of PSUP10HI.

STAGE 11: Bring in WFSENSOR and repeat the previous exercise withthe enlarged plant.

ALL11 = selfloop(ALL9,[51,52,53,54]) (1,15)

Modify WFSPEC by marking state 1, after pump has been turned on (ev13)but before WFSENSOR is initialized (ev51).

WFSPEC = edit(WFSPEC,[mark +[1]]) (4,38)

WFSPEC11 = sync(WFSPEC,ALL11) (4,42)

PLANT11 = sync(PLANT10,WFSENSOR) (8,80)

SP1011 = sync(SPEC10,ALL11) (10,63)

SPEC11 = meet(SP1011,WFSPEC11) (40,120)

SUPER11 = supcon(PLANT11,SPEC11) (52,162)

MSUPER11 = minstate(SUPER11) (52,162)

true = isomorph(MSUPER11,SUPER11;identity)

For comparison, try using the previous supervisor SUPER10, synched withWFSENSOR, as the new plant, and the augmented version of WFSPEC, viz.WFSPEC11, as the specification.

BSPEC11 = edit(WFSPEC11) (4,42)

BPLANT11 = sync(SUPER10,WFSENSOR) (26,122)

BSUP11 = supcon(BPLANT11,BSPEC11) (52,162)

true = isomorph(BSUP11,SUPER11;identity)

This shows consistency of the two ways of incrementally enlarging the systemat this stage. Next we create the high-level model, again regarding only theevents 32,34,41,43,81 as significant. The wild-card feature in TCT ‘vocalize’is almost essential to ensure complete data entry.

574 APPENDIX

VSUPER11 = vocalize(SUPER11,[[0,43,43],[2,81,81],[0,81,81],[2,41,41],[6,41,41],[6,81,81],[8,32,32],[9,34,34],[8,34,34],[10,34,34],[9,32,32],[10,32,32],[12,32,32],[14,41,41],[12,34,34],[13,43,43],[13,81,81],[14,81,81],[16,34,34],[16,32,32],[19,32,32],[19,34,34],[23,81,81],[21,34,34],[23,43,43],[24,81,81],[21,32,32],[24,41,41],[26,32,32],[26,34,34],[28,34,34],[32,81,81],[32,43,43],[28,32,32],[34,32,32],[35,34,34],[34,34,34],[35,32,32],[37,34,34],[37,32,32],[41,32,32],[44,34,34],[41,34,34],[44,32,32],[47,32,32],[49,34,34],[47,34,34],[52,81,81],[49,32,32],[52,43,43],[53,81,81],[54,81,81],[57,81,81],[55,81,81],[58,81,81],[57,41,41],[59,81,81],[58,41,41],[59,41,41],[65,81,81],[64,81,81],[66,81,81],[65,41,41],[66,41,41],[67,81,81],[67,41,41],[74,81,81],[75,81,81],[75,41,41],[76,81,81],[76,41,41],[77,81,81],[77,41,41],[81,81,81]]) (89,296)

X = minstate(VSUPER11) (89,296)

true = isomorph(X,VSUPER11;identity)

HCVSPR11 = hiconsis(VSUPER11) (99,335)

X = minstate(HCVSPR11) (99,335)

true = isomorph(X,HCVSPR11;identity)

PLNT11HI = higen(HCVSPR11) (20,84)

X = minstate(PLNT11HI) (20,84)

true = isomorph(X,PLNT11HI;identity)

OCVSPR11 = outconsis(VSUPER11) (89,296)

X = hiconsis(OCVSPR11) (99,335)

true = isomorph(HCVSPR11,X;[[69,70],[70,71],[71,72],[72,73],[73,74],[74,75],[75,78],[76,79],[77,80],[78,81],[79,82],[80,83],[81,84],[82,85],[83,86],[84,87],[85,88],[86,69],[87,76],[88,77],[92,93],[93,94],[94,95],[95,96],[96,97],[97,98],[98,92]])

T = trim(PLNT11HI) (20,84)

true = isomorph(T,PLNT11HI;identity)

ALL11HI = allevents(PLNT11HI) (1,31)

SPC11HI = sync(SPC10HI,ALL11HI) (6,165)

SUP11HI = supcon(PLNT11HI,SPC11HI) (31,135)

X = minstate(SUP11HI) (31,135)

true = isomorph(X,SUP11HI;identity)

PSUP11H = project(SUP11HI,Image[320,340,411,431,811]) (7,9)

575

true = isomorph(PSUP11HI,PSUP10HI;identity)We’ve done nothing new at the high level, and get the same final result asbefore. Of course the vocalized structure is now much larger (cf. VSUPER11with size (89,296), VSUPER10 with size (20,67)).Also the projection of PLNT11HI is as expected, with shutdown correctlyhandled.

PPLN11HI = project(PLNT11HI,Image[320,340,411,431,811]) (3,8)

576 APPENDIX

TIMED MINE PROBLEM IN TTCT

We continue with the mine-pump model based on the book by Burns andWellings.

Note: the earlier abbreviation ‘ME’ for ‘methane’ is here replaced by ‘CH4’.

First version of timed model: PLANT8 = WL ∥ CH4 ∥ SHUTDOWN.

Modeling follows the lines of Stages 0,1,8 of the untimed case, but with asubtlety brought out at the end.

STAGE 0: Create the five basic components, and combine to form plant1.

pump = create(pump,[mark 0],[timebounds [11,0,1000],[13,0,1000]],[forcible 11,],[tran [0,11,0],[0,13,0]]) (1,2)

wlsensor = create(wlsensor,[mark 0],[timebounds [21,0,1000],[22,0,2],[24,0,2]],[forcible 21],[tran [0,21,1],[1,22,0],[1,24,0]]) (2,3)

ch4sensor = create(ch4sensor,[mark 0],[timebounds [31,0,1000],[32,0,1],[34,0,1]],[forcible 31],[tran [0,31,1],[1,32,0],[1,34,0]]) (2,3)

wfsensor = create(wfsensor,[mark 0],[timebounds [51,0,1000],[52,0,3],[53,0,1000],[54,0,3]],[forcible 51,],[tran [0,51,1],[0,53,0],[1,52,0],[1,54,0]]) (2,4)

operator = create(operator,[mark 0],[timebounds [41,0,1000],[43,0,1000]],[forcible 41,],[tran [0,41,0],[0,43,0]]) (1,2)

wlsensor = timed graph(wlsensor) (4,10)

ch4sensor = timed graph(ch4sensor) (3,7)

wfsensor = timed graph(wfsensor) (5,14)

operator = timed graph(operator) (1,3)

pump = timed graph(pump) (1,3)

plant1= sync(pump,wlsensor) (4,18)

plant1= sync(plant1,ch4sensor) (12,71)

mplant1 = minstate(plant1) (12,71)

true = isomorph(mplant1,plant1;identity)

STAGE 1: Create the two basic specifications. Then compute centralizedsupervisor and develop modular supervisors.

577

cycspec1 = create(cycspec1,[mark 0],[tran [0,21,1],[1,0,1],[1,22,2],[1,24,2],[2,31,3],[3,0,3],[3,32,4],[3,34,4],[4,0,5],[5,11,0],[5,13,0]],[forcible 11,13,21,31]) (6,11)

pmpspec1 = create(pmpspec1,[mark 0],[tran [0,11,0],[0,22,0],[0,24,1],[0,32,0],[0,34,2],[1,13,1],[1,22,0],[1,24,1],[1,32,1],[1,34,3],[2,11,2],[2,22,2],[2,24,3],[2,32,0],[2,34,2],[3,11,3],[3,22,2],[3,24,3],[3,32,1],[3,34,3]],[forcible 11,13]) (4,20)

all1= create(all1,[mark 0]) (1,0)

all1= selfloop(all1,[0,11,13,21,22,24,31,32,34],[new forcible 11,13,21,31]) (1,9)

pmpspec1 = sync(pmpspec1,all1) (4,32)spec1 = meet(cycspec1,pmpspec1) (24,40)mspec1 = minstate(spec1) (13,19)false = isomorph(mspec1,spec1)

super1= supcon(plant1,mspec1) (17,28)

super1= condat(plant1,super1)

msuper1= minstate(super1) (17,28)true = isomorph(msuper1,super1;identity)psuper1 = project(super1,[0]) (10,13)

Develop modular control.true = nonconflict(plant1,cycspec1)cycspec1 = condat(plant1,cycspec1)modsup1= meet(cycspec1,pmpspec1) (24,40)

true = isomorph(modsup1,spec1;identity)

true = nonconflict(modsup1,plant1)

modsup1= condat(plant1,modsup1)mmodsup1 = minstate(modsup1) (13,19)true = isomorph(modsup1,spec1;identity)x = meet(plant1,modsup1) (36,68)false = isomorph(super1,x)mx = minstate(x) (17,28)

true = isomorph(msuper1,mx;identity)

true = isomorph(msuper1,super1;identity)

578 APPENDIX

This verifies that modular supervision is optimal.

STAGE 2: Bring in new process shutdown with e81.

all8 = selfloop(all1,[81],[new forcible 81]) (1,10)

super8 = edit(msuper1) (17,28)shutdown = create(shutdown,[mark 0],[timebounds [81,0,1000]],

[forcible 81],[tran [0,81,0]]) (1,1)

shutdown = timed graph(shutdown) (1,2)

plant8= sync(plant1,shutdown) (12,83)

sdnspec = create(sdnspec,[mark 0,1],[tran [0,0,0],[0,11,0],[0,13,0],[0,21,0],[0,31,0],[0,81,1],[1,0,1]],[forcible 11,13,21,31,81]) (2,7)

sdnspec = sync(sdnspec,all8) (2,15)

cycspec8 = sync(cycspec1,all8) (6,17)

pmpspec8 = edit(pmpspec1,[mark +[1],+[2],+[3]]) (4,32)

pmpspec8 = sync(pmpspec8,all8) (4,36)

spec8 = meet(cycspec8,pmpspec8) (24,64)

spec8 = meet(spec8,sdnspec) (48,92)

mspec8 = minstate(spec8) (15,33)

false = isomorph(mspec8,spec8)

super8 = supcon(plant8,spec8) (36,68)

msuper8 = minstate(super8) (14,25)

false = isomorph(msuper8,super8)

pmsuper8 = project(msuper8,Null[0]) (8,11)

This supervisor has eliminated e81 because it would lead to blocking. Thisof course was not the intention!

false = nonconflict(plant8,spec8)

Revise SPEC8 so it releases CYCSPEC8 when e81 occurs, namely allows e0(tick) to occur at every target state for e81. This will prevent the blockingthat would have occurred before. Notice that adding one spec after anothercan have unintended side effects. Here CYCSPEC8 disabled tick (e0) byforcing initialization of the sensor cycle (e21), so when in turn e21 was dis-abled after e81, the occurrence of e81 would have brought the system to ahalt. For this reason, ‘supcon’ naturally disabled e81 everywhere, to pre-

579

vent blocking. Thus ‘change of mode’ must be treated with care: it cannotin general be created just by using ‘meet’.

spec8 = edit(spec8,[trans +[2,0,2],+[7,0,7],+[9,0,9],+[24,0,24],+[26,0,26],+[28,0,28],+[30,0,30],+[32,0,32],+[34,0,34],+[36,0,36],+[43,0,43],+[45,0,45]]) (48,104)

super8 = supcon(plant8,spec8) (40,76)

msuper8 = minstate(super8) (15,27)

pmsuper8 = project(msuper8,Null[0]) (9,12)

Now it looks fine. Shutdown (e81) can occur without stopping the clock.

STAGE 3: Bring in the operator events e41, e43, and enhance SPEC8to allow for switching from automatic mode to manual mode(e43) and back (e41). The shutdown event (e81) should workfrom manual mode as well.

all9 = selfloop(all8,[41,43],[new forcible 41,43]) (1,12)

plant9 = sync(plant8,operator) (12,107)

mspec8 = minstate(spec8) (14,34)

spec9 = edit(mspec8,[mark +[14]],[forcible +[41],+[43]],[trans +[0,43,14],+[14,0,14],+[14,11,14],+[14,13,14],+[14,21,14],+[14,22,14],+[14,24,14],+[14,31,14],+[14,32,14],+[14,34,14],+[14,41,0],[14,81,2]]) (15,46)

STAGE 4: Next we create a CH4 emergency specification, to result in aforced change to automatic mode (e41) followed by shutdown(e81), after 3 consecutive high CH4 readings (e34).

emerg = create(emerg,[mark 0,5],[tran [0,0,0],[0,32,0],[0,34,1],[1,0,1],[1,32,0],[1,34,2],[2,0,2],[2,32,0],[2,34,3],[3,0,3],[3,41,4],[4,81,5],[5,0,5]],[forcible 41,81]) (6,13)

semerg = sync(emerg,all9) (6,55)

spec10 = meet(spec9,semerg) (49,118)

super10= supcon(plant9,spec10) (85,320)

super10= condat(plant9,super10)

psuper10= project(super10,Null[0,21,22,24,31]) (15,35)

580 APPENDIX

PSUPER10 displays how manual mode overrides the previous specifications,which apply in automatic mode, allowing the pump to be turned on (e13)even after a CH4-high reading (e34).

msuper10 = minstate(super10) (85,320)p0super10 = project(super10,Null[0]) (42,114)

STAGE 5: Now we bring in WFSENSOR and a suitable specification.Developing a specification caused some difficulty with block-ing: the design is very sensitive to the timing requirements ofWFSPEC.

all13 = selfloop(all9,[51,52,53,54],[new forcible 51,53]) (1,16)

spec1013 = sync(spec10,all13) (49,314)

wfsensor = edit(wfsensor,[trans +[0,0,0]]) (5,14)

plant13 = sync(plant9,wfsensor) (60,649)

wfspec1= create(wfspec1,[mark 0,2],[tran [0,0,0],[0,11,0],[0,13,1],[1,51,2],[2,0,2],[2,11,0],[2,13,2],[2,51,2],[2,53,2]],[forcible 11,13,51,53])(3,9)

Getting WFSPEC1 right was troublesome. Initially the attempt was madeto force initialization of WFSENSOR (e51) exactly 2 ticks after turning onthe pump (e13), but this caused blocking. When several timed objects aresynchronized, blocking due to clock-stopping can become a serious problem.It was found that e51 had to be forced immediately after e13.

wfspec1 = sync(wfspec1,all13) (3,42)

WFSPEC2 guarantees that if WFSENSOR detects a problem with waterflow (e54), no OK will be reported (e52) and an alarm must be sounded(e53).

wfspec2 = create(wfspec2,[mark 0],[tran [0,0,0],[0,52,0],[0,54,1],[1,53,0]],[forcible 53]) (2,4)

wfspec2 = sync(wfspec2,all13) (2,28)

wfspec = meet(wfspec1,wfspec2) (6,75)

spec13 = meet(spec1013,wfspec) (200,788)

super13 = supcon(plant13,spec13) (425,2214)super13′ = edit(super13) (425,2214)

581

msuper13 = minstate(super13) (418,2204)

super13 = edit(msuper13) (418,2204)

super13 = condat(plant13,super13)Because the specification constraints are removed in manual mode, it is im-portant to examine the automatic operation in isolation to make sure thatthere is no removal of function by the supcon operation, to prevent unin-tended blocking. To this end, form AALL13 (ALL13 reduced for automaticmode by eliminating e43), and ‘meet’ with SUPER13 to form ASUPER13.

aall13 = edit(all13,[trans -[0,43,0]]) (1,15)asuper13 = meet(super13′,aall13) (73,137)

ASUPER13 is correct, inasmuch as none of the events e5? was eliminated inautomatic mode by the supcon operation.

pasuper13 = project(asuper13,Null[21,22,24,31,32,34,52,53,54]) (13,35)masuper13 = minstate(asuper13) (64,122)

Index

C-observable, 324I-fold Lm(G) - observer, 216I-fold nonconflicting, 216Li - observer, 310Lm(G) - observer, 213Lm - observer, 355Lvoc - observer, 267ρ-supported, 96

activitytransition, 482transition function, see transition,

function, activitytransition graph, see transition,

graph, activityadmissible, 350

agent, 286–290, 297AGV, 139, 180, 212, 233alphabet, 51, 63–65, 81, 83, 100, 101,

108, 116, 124, 140, 142, 143,175, 239, 241, 300, 353, 358,360, 409, 426, 444, 482, 489–491, 496, 497

event labelhigh-level, 242

input, 247, 248output, 63, 64, 240, 247extended, 244

sub-, 171, 175, 241transition label, 81

ambient, 324

Arden’s rule, 78–80ATG, see transition, graph, activityautomaton, 55, 63, 65–69, 71, 98, 109,

129, 162, 222, 248, 419, 421,469, 503, 521

canonical, 55Moore, 284

controllable, 131, 134, 153, 162–164, 167, 168, 175–177, 516

coreachable, 71, 103, 104, 131, 154Moore, 63–65non-coreachable, 104nonblocking, 71, 104, 119–122, 127,

130, 143, 162, 163, 222, 326,334, 353, 359

product, 67, 163reachable, 66, 67, 71, 103, 104,

108, 109, 129, 131, 143, 153,163

timed, 521trim, see DES,trimuncontrollable, 506

behavioradmissible, 136closed, 71, 73, 74, 81, 103, 118,

121, 142, 143, 148, 176, 279,283, 345, 359, 400, 409, 411,435, 444, 458, 487, 489, 492,493, 496, 500, 505, 513

closed-loop, 129, 250

582

INDEX 583

controlled, 141, 150, 155, 223, 249,334, 356, 407, 416, 472, 475,476, 506

marked, 71, 73, 74, 81, 90, 103,118, 119, 121, 136, 142, 143,176, 265, 266, 279, 283, 326,328, 359, 401, 487, 489, 492,497, 500, 512

optimal controlled, 155, 470uncontrolled, 238, 494

behaviorally equivalent, 164Big Factory, 169bijective, 15, 20, 61, 63bisimulation, 395blocking, 75, 107, 109, 112, 113, 165,

167, 176, 222, 226, 227, 286,355, 358, 359

sequence, 470, 479set, 286, 296, 297state, 472

canonicalrecognizer, 63automaton, see automaton, canon-

icalfactorization, 16, 17projection, see projection, canon-

icalrecognizer, 55–65, 67, 77, 241

Cat and Mouse, 154catenation, see string, catenationcausal, 81causal output mapping, 81cell, 10, 13, 59, 61, 63, 67, 84, 85chains of regular languages, 90channel, 339

as encoder, 343closed

behavior, see behavior, closedlanguage, 55, 59, 60, 71, 118, 120–

126, 134, 239, 249–253, 256,273, 274, 288, 305–310, 315,316, 319–321, 326–328, 344–349, 351, 366, 401, 404, 409–412, 497–500, 502

sublanguage, 239, 265, 305, 307,317, 319, 328, 346

closure, 117, 176, 305, 307, 309, 345,493

algebraic property, 304Boolean, 429language, 55prefix, 54, 119, 239, 268, 272transitive, 14

codomain, 15compatible, 409complexity reduction, 393composition, 27congruence, 19, 24

coarse, 24congruences of a dynamic system, 18conjunction, 163consistency, 258

property, 266control cover, 234control pattern, 118control VDES, 457convergence, 90coordinating modular supervisor, 185coordination

efficient, 387coordinator, 210, 387, 388

coordinators, 225coreachable state subset, see state, core-

achable, subsetcoset, 8, 9

584 INDEX

Deadly Embrace, 165decentralized modular synthesis, 161DES, 100

controllable, see automaton, con-trollable

isomorphic, 143, 168, 175, 177,227

trim, 71, 103, 104, 109, 117, 131,135, 136, 138, 162–164, 168,169, 176, 305, 516, 517

vocalized, 246DES complexity, 392descending chain, 90determinism

structural, 376Dining Philosophers, 222, 233disabled-event map

high-level, 248low-level, 248

distributed control, 339distributed supervision, 230domain, vii, ix, 15, 245downward continuous, 23DSFBC, 410, 411, 450

balanced, 410, 411optimal, 446, 458, 459optimal balanced, 446

dynamic state feedback control, seeDSFBC

dynamic system, 18

elementscomparable, 2indistinguishable, 14

Elevator modeling and simulation, ixempty sequence, see string, emptyencoder, 342encoding, 342

Endangered Pedestrian, 503ϵ, see string, emptyevent

blocking, see blockingcontrol-enabled, 143controllable, xiii, 102, 118, 132,

136–138, 140–142, 144, 148–150, 152, 154, 221, 223, 238,241, 242, 244, 245, 248, 250,252, 253, 255, 261, 262, 279,282, 300, 321, 346, 348, 352,353, 365, 406, 419, 447, 451,453, 456, 473, 475, 494, 495

high-level, 248low-level, 249

delayable, 495disable, 102, 131, 135–138, 143,

144, 148, 150, 152, 157, 158,167, 172, 174–177, 222, 241,242, 248, 249, 252, 254, 256,262, 286, 289, 300, 321, 334,352, 353, 363, 366, 402, 414,417–419, 433, 442, 443, 456,475, 477, 485, 490, 494–496,498, 520

mechanism, 132enable, 102, 110, 118, 144, 145,

148, 149, 163, 248, 366, 400,402, 406, 407, 416–418, 424,428, 429, 433, 442, 443, 451,481, 485, 488, 496

enablement, 444enablement condition, 424, 444,

468force, 151forced, 136, 147–153, 497, 498, 507,

514, 515, 520, 521forcible, 149

INDEX 585

forcing, 149, 150, 152hiding, 226label, xiii, 75, 100–102, 106, 238,

241, 299, 482, 493, 508observable, 108, 300, 317, 348, 352,

353, 357, 359, 362, 363, 366permanently enabled, 466preempt, 149, 151preemptable, 149, 150state-enabled, 143uncontrollable, xiii, 102, 118–120,

124, 141–143, 149, 152, 154,221, 226, 238, 241, 242, 245,261, 262, 265, 346, 359, 402,404, 431, 433, 443, 456, 459,460, 472, 473, 477, 495–497

unobservable, 307, 308, 317, 321,332, 333, 356–358, 363, 366,475, 477

event set, 365, 427, 446, 447inactive, 315active, 315controllable, 495uncontrollable, 495

event, flag, 112exponentiation, 26

factorizationcanonical, see canonical, factor-

izationfeasible

supervisory control, see supervi-sory, control, feasible

fiber, 15fixpoint, 23flags, 112FTG, see transition, graphfunction

partial, 69

Gas Burner, 413generator, 69–76, 80, 81, 84, 85, 87,

98, 100, 104, 110, 112, 117,129, 131, 140, 162, 165, 226,241, 260, 283, 300, 362, 419,472, 485

controlled, 100coreachable, 71deterministic, 75, 76Mealy, 85, 86Moore, 240Nerode, see Nerode, generatornonblocking, 71, 135nondeterministic, 74–76product, 132reachable, 71, 73, 74

generators, 72Guideway, 362

Hasse diagram, 4, 13, 14, 123hierarchical

aggregation, 89consistency, 236–238, 253, 257–259,

265, 273, 285high-level, 290low-level, 252

control, viii, 89, 236, 241structure, 235–237

loop, 237, 248, 249supervisory control, see supervi-

sory, control, hierarchicalhierarchical aggregation, 81

iff, 2image, 15, 17, 241, 258, 268, 274

inverse, function, 15, 301implementation, 129

586 INDEX

inadmissibleagent, 286, 289, 290, 297

independent functions, 27induced, 19infimal closed observable sublanguages,

344interrupts, 145

join, 3–8, 10, 11, 21, 54, 124

Kanban, 112kernel

coarse, 16equivalence, 15, 16, 85fine, 16

Kleene’s Theorem, 77

language, 51–53ambient, 324closed-loop, 138, 143, 219, 248,

250controllable, 119–126, 130, 131,

135, 143, 144, 162–164, 239,247, 249–253, 256, 258, 271,274, 288, 321, 327–329, 346–349, 351–354, 365, 406, 409,466, 497–502, 516

closed, 124high-level, 252, 258, 265locally, 271, 272low-level, 250, 251, 258supremal, 127, 146, 159, 171,226, 239, 275, 505, 506, 513,514

empty, 52, 77, 304legal, 139, 166marked, 401nonblocking, 143

nonconflicting, see nonconflict, lan-guage

normal, 304–309, 319–321, 350–355, 363, 366

optimal, 305supremal, 305, 308

not normal, 366observable, 300, 316, 317, 319–

321, 327–329, 344–349, 353,365, 366

paranormal, 307–309prefix, 120prefix-closed, 81, 82, 238, 438uncontrollable, 119, 143, 144, 247,

256, 505unobservable, 345

lattice, 1, 5–8, 11, 12, 23, 54, 124,125, 304, 399

complete, 7–9, 11, 23, 399distributive, 6modular, 6product, 7semilattice, 21upper, 124

sublattice, 8, 19, 54, 124, 125complete, 304

Lin-Brandt formula, 306livelock, 223local observability, 339localizable, 218loop-freeness, 433, 437

machine, 69Manufacturing Workcell, 470marked

L-, 125, 126, 134, 502Lm-, see marked, L-activity, 482

INDEX 587

string, see string, markedmarker state, see state, markermarking, 302mealy output map, 85meet, 3–8, 10, 11, 54, 85memory, 409, 444message passing, 144Mine Pump, supervisory control of,

see Appendix, 361MNFSC, 328, 329MNSC, 121, 122, 127, 129, 130, 134,

500, 503monoid, 423

morphism, 423multiplicative, see multiplicative,

monoidmonolithic, 162monotone, 23multiplicative

monoid, 52semigroup with identity, 52

mutual exclusion, 153

Nerodecell, 55, 64, 84equivalence, see relation, Nerode

equivalencegenerator, 84, 86

Neutralization System, 414NFSC, 326, 328, 351nonanticipative, 81nonblocking

control, 167DES, see automaton, nonblock-

ingfeasible supervisory control, see NFSChierarchical supervision, 265–278predicate, 411, 412

property, 138, 162, 219, 223, 239,345, 411, 412

SFBC, 411optimal, 412

supervisor, see nonblocking, su-pervisory control

supervisory control, 121, 126, 129,142, 169, 219–221, 352, 456,497–502, 517

nonconflictlanguage, 134, 135, 163, 164, 219,

305, 353–355, 517predicate, 412property, 134

nondeterminism, 368, 376structural, 376

nondeterministic dynamic system, 20nondeterministic generator, 74nondeterministic transition structure,

78normality, see property, normalityNSC, see nonblocking, supervisory con-

trol

observability, 315checking, 321relative, 324strong, 319

observable, 25, 315, 316relatively, 324

observation-consistent (o.c.), 322observational equivalence, 395observations, 25

partial, 299observer, 24, 233, 267, 274, 310

naturalstate-size reduction under, 361

natural, for G, 361

588 INDEX

observer property, 368OCC, see output control consistentoscillator, 42output

controllable, 254, 285globally, 271locally, 271

map, 63, 85, 87, 242, 243Mealy, 85

uncontrollable, 285output control consistency, 245–247,

257, 265, 271, 278, 279, 290strict, 254, 255, 265, 273, 283, 285,

295output control consistent, 247, 249,

251, 253, 254, 258, 262, 266,284, 285, 290

strict, 254, 256, 257, 262, 265, 274,276, 277, 285–287

output language, 82output map, 25

parametrized internal model, 40paranormal, 307partition, 9, 11–15, 18, 19, 24, 53,

54, 63, 64, 101, 112, 238, 241,242, 284, 304, 307, 482, 484,501

binary, 63coarse, 10, 11, 13, 86fine, 10–12, 24, 53, 54, 63, 65, 90partition, 12refine, 10, 55, 66

path, 19, 20permutable, 27Petri nets, 422, 469, 521Piston Rod Robotic Assembly Cell,

472

poset, 1–5, 7, 10, 85, 122product, 3

predicate, 398, 399, 401, 402, 406, 409,410, 413, 414, 428–431, 441,445–447, 455, 458

controllable, 402–406, 409, 411,412, 431, 432

family, 402, 412linear, 428, 429, 438, 439linear dynamic, 445strongest, 399, 402transformer, 399, 400, 404true, see predicate, weakestuncontrollable, 403weakest, 399, 404

prefix, see string, prefix-preserving, 64, 239closure, see closure,prefix

preimage, 258prioritized synchronous product, 111production network, 451projection, 74, 162, 222, 226, 303, 304,

310, 317, 320, 349, 355, 359,365

canonical, 15–17, 19, 56, 66catenative, 105natural, 87, 105, 106, 108, 111,

300, 309, 310, 489on TDES, 489

propertyadmissible, 329, 350–352composition, 58controllability, vii, 119, 120, 131,

144, 251, 256, 258, 271, 275,276, 307, 328, 347, 354, 400,402–404, 422, 430, 432, 460,464, 482

local controllability, 267, 268, 271,

INDEX 589

272, 275normality, 300, 307, 321, 349, 350,

352–354, 364observability, vii, 300, 315, 317,

321, 328, 329, 347, 349, 352,353, 364, 400, 412, 422

reachability, vii, 406, 430relative observability, 300TDES controllability, 498, 499, 501,

517, 521pyramidal hierarchy, 237

quasi-congruence, 20quasi-congruences, 368

reachabilitypredicate, 399, 402set, 414tree, 82, 83, 242, 243, 245, 253,

254, 267, 268, 275, 279, 283,287, 399, 410, 496

reachable state subset, see state, reach-able, subset

recognizer, 55, 65, 68–70, 74, 79, 121,134, 500

canonical, see canonical, recgonizerdeterministic, 80minimal-state, 74nondeterministic, 79

reduction, 302regular expressions, 76relation

antisymmetric, 2, 10binary, 1, 8, 14, 106, 315equivalence, 1, 8–15, 24, 53, 64,

66, 83–85, 241, 242, 284, 412refine, 86, 90, 317

Nerode equivalence, 53–55, 63, 64,66, 67, 73, 83, 88

coarse, 55fine, 53

reduced, 302reflexive, 2, 8, 10, 14, 315right congruence, 53, 54, 57, 63,

83, 85, 86, 88, 90, 240, 241,245, 301

coarse, 54, 63, 65reduced, 302refinement, 241, 245

symmetric, 8, 14, 315tolerance, 14, 315transitive, 2, 8, 10, 14

relationshipabsorption, 6consistency, 6

relative observability, 324reporter, 81represents, 104

SCOP, 356–358SCOP Supervisory control and obser-

vation problem, 350seedlist, 386selfloop, 75, 80, 90, 112, 117, 140,

171, 175, 220, 252, 424, 442,443, 505, 514

semilattice, see lattice, semilatticeSFBC, 401–403, 405, 406, 410–412,

429, 430, 432, 433, 437, 439,450, 458

balanced, 406, 410modular, 407, 412nonblocking, see nonblocking, SFBCoptimal, 407, 439, 446

shuffle product, 108Σ, see alphabetsilent

590 INDEX

node, 243–245, 254, 256, 278, 279,281–286

output symbol, 82, 240, 278path, 243, 244, 253, 279, 285, 287silent, 275silent pathuncontrollable, 284

symbol, 64, 240transition, 115

simultaneous events, 427Small Factory, 116, 168, 226, 357SOCC, see output control consistent,

strictspecification

language, 100, 122, 134, 136, 171,266, 350, 353, 359, 362, 409,411, 459

state, 57, 61, 69coreachable, 71, 104, 134subset, 103

description, 100dump, 55, 59, 61, 62, 69, 71, 116,

142entrance, xiii, 90, 101, 486exit, xiii, 74, 101initial, xiii, 19, 20, 25, 26, 58–60,

63, 65, 70, 79, 81, 100, 102,109, 115, 117, 154, 157, 158,222, 238, 242, 273, 278–280,414, 419, 426, 430, 456, 483

marker, xiii, 58–61, 65, 66, 70, 71,100–102, 110, 115–117, 134,139, 140, 154, 157, 158, 167,219, 221, 222, 238, 264, 280,409, 411, 456, 483, 513

non-coreachable, 71, 75, 140nonreachable, 71nonvocalizable, 284

output, 246output map, 240reachability, 400reachable, 65–67, 71, 75, 104, 134subset, 103

root, 82, 242, 244, 245, 253, 256,267, 283, 284, 287

set, 100transition graph, see transition,

graphvocal, 154vocalization, 267vocalize, 255, 283–285

state feedback control, see SFBCstate, dump, 59string, 51–53, 55, 58, 62–66, 68, 70,

71, 74, 75, 79, 81–83, 85, 89,101, 105, 108–110, 118, 119,121, 122, 125, 134, 140, 176,220, 221, 238, 240, 243–245,247, 249–251, 253, 254, 256,267, 268, 271, 272, 274, 276,287, 301, 310, 315–317, 320,321, 326, 328, 329, 347, 350,355, 366, 401, 423, 430, 431,447, 466, 485, 487, 489, 493,496, 497, 500, 502, 505–507

catenation, 52, 53, 77, 88, 308empty, 51, 52, 54, 55, 57–60, 63,

64, 69, 74, 76–79, 81, 82, 84,86–88, 103, 104, 107, 109, 118,120, 124, 126, 134, 135, 221,239, 240, 244, 250, 251, 256,267, 271, 272, 300, 308, 309,316, 317, 345, 347–349, 351,354, 404, 496, 497, 499

infinite, 487length, 52, 58

INDEX 591

marked, 71, 110, 119, 220, 274,350, 514

prefix, 54, 55, 119, 134uncontrollable, 249, 284

strings, 71, 245look-alike, 317

strong observability, 319strong quasi-congruence, 385strongly (G, P ) - observable, 318structural boundedness, 469structurally bounded, 425structurally deterministic, 376structurally nondeterministic, 376subalphabet, see alphabet, sub-sublattice, see lattice, sublatticesubpredicate, 399subset construction, 75subsystems

uncontrollable, 145successive approximation, 90supervisor, 131, 135, 137, 142, 144,

146, 155, 159, 161, 168, 173,220, 299, 300, 321, 329, 332,359, 412, 475, 496, 516, 517

candidate, 138centralized, 162, 171, 174, 177component, 162, 174, 175conjunction, 162–165decentralized, 162, 176, 177design, 136feasible, 362, 476global, 222high-level, 259language, 131localization, 229, 234modular, 162, 169, 221–223monolithic, see supervisor, cen-

tralized

optimal, 137, 469optimal global, 166optimal low-level, 260proper, 131, 134, 136, 138, 162,

163, 165, 169, 171, 172, 177,220, 513, 517

reduction, 155state, 157, 158supremal, 474synthesis, 157

supervisoryaction, 121, 135, 161, 163, 172,

219, 328, 363, 500control, 118–122, 126, 127, 129,

132, 140, 142, 143, 150, 154,156, 233, 248, 299, 305, 321,326, 346, 349, 350, 352, 366,419, 469, 479, 482, 494–498,500, 503, 520, 521

feasible, 326, 328, 346hierarchical, 278

controller, 241modules, 162structure, 242

supervisory control of a mine pump,561

supported, 95surjective, 15, 16, 57, 87synchronous product, 104synchronously nonconflicting, 310system

uncontrollable, 438

tail map, 82TATG, see transition, graph, timed

activityTCT

allevents, 143, 222

592 INDEX

complement, 115, 116, 142condat, 131, 136–138, 141, 143,

144, 168, 169, 174, 176, 334,356, 357, 363

create, 246, 362hiconsis, 257, 262higen, 246, 257, 262isomorph, 139, 169, 358localize, xvmeet, 108–110, 112, 117, 118, 134,

137–139, 142, 163, 164, 166,167, 169, 171, 174, 175, 177,260, 356, 357, 363, 470, 505,512, 513, 516

minstate, 68, 74, 115, 143, 357mutex, 153, 362natobs, 386nonconflict, 134, 138, 140, 143,

164, 165, 167–363outconsis, 246project, 80, 111, 113, 115, 141,

142, 150, 226, 227, 301, 307,356–358, 363, 489, 490

relabel, 222selfloop, 110, 112, 141, 149, 150,

159, 175, 226, 227, 281, 301,356, 357, 363

(s)observ, 322supcon, 131, 136, 137, 139, 141,

142, 145, 150, 154, 155, 165,166, 171, 174, 175, 222, 226,227, 356–358, 363, 471, 512,513, 515

supconrobs, 339supnorm, 307, 356, 357, 363suprobs, 326supscop, 360sup(s)qc, 386

sync, 105, 107–109, 112, 113, 116,139–141, 144, 150, 153, 165,170, 174, 175, 222, 226, 227,260, 357, 477, 492

trim, 103, 118, 138, 139, 169, 176vocalize, 261, 262, 283–286, 289,

290, 296TDES, 481, 484, 486, 487, 489, 493,

496, 501, 503–505, 512–514,516, 518

composition, 491controllability, 494–501generalized, 511modular supervision, 516transition, 494structure, 487

Three Cooks, 142tick, 482, 484–493, 495–500, 504–507,

513–517preemptive, 497

tickcount, 484timed

activitytransition graph, see transition,graph, timed activity

transition graph, see transition,graph, timed

timed automata, 521timed manufacturing cell, 507Toolmaker, Parable of the, 18Toy, 115trajectory, 25Transfer Line, 173transfer line, 227, 259, 273, 277transition, 60, 68–70, 74, 78, 82–84,

86, 90, 101, 102, 113, 115, 116,131, 139, 140, 142, 145, 149,154, 157, 158, 171, 174, 176,

INDEX 593

222, 223, 255, 261, 281–283,286, 287, 290, 294, 296, 332,362, 365, 400, 413, 417, 426,427, 431, 445, 452, 458, 474,485, 487, 488, 490, 492–494,498, 512, 513, 515

action, 83, 89, 448activity, 490, 503, 504arrow, 102constraint, 155diagram, 259function, 57, 63, 65, 69, 70, 74,

81, 83, 88, 90, 100, 109, 116,129, 131, 134, 162, 238, 402,422, 452, 484

activity, 482graph, 60–62, 64, 69, 75, 76, 79,

100–102, 137, 146, 252, 278,285, 286, 288, 289, 317, 363,484

activity, 484, 487, 489, 493, 503–505, 507, 508, 513

timed, 484, 485, 488, 492, 493,503–507, 509, 510

timed activity, 484, 489invariant, 428label, 102, 115, 244, 279, 482map, 238matrix, 413model, 414rule, 417timed, 490

structure, 57, 69, 116, 135, 137,148, 171, 241, 244–246, 254,278, 280, 290, 291, 295, 363,365, 397, 414, 415, 484, 487,490

activity, 486, 491, 498

refinement, 253timed, 486, 492

timed, 504tracking, 87

transition function, 25tree, 82, 83, 242–244, 283, 284, 287,

496extended, 244new-, 284, 285sub-, 284

TTG, see transition, graph, timed

uncertainty sets, 322uncontrollable subsystems, 145Unreliable Machine (deadlock avoid-

ance), 477upward continuous, 23

VDES implementation (VDESI), 458vector discrete-event system (VDES),

422vocal

node, xiii, 243–245, 253, 254, 256,261, 267, 268, 273, 275, 276,278–287, 289, 294

weakly ρ-supported, 96weakly supported, 92witness, 340word, 55Workcell, 141