Abstract-Hierarchical Interface-Based Supervisory Control (HISC) decomposes a discrete-event system (DES) into a high-level subsystem which communicates with 1 low-level subsystems, through separate interfaces. It provides a set of local conditions that can be used to verify global conditions such as nonblocking and controllability such that the complete system model never needs to be constructed.
Synthesis Method for Hierarchical
Interface-Based Supervisory Control I. INTRODUCTION I N the area of discrete-event systems (DES) [1] - [3] , two common tasks are to verify that a composite system, based on a Cartesian product of subsystems, is (i) nonblocking and (ii) controllable. The main obstacle to performing these tasks is the combinatorial explosion of the product statespace.
The Hierarchical Interface-Based Supervisory Control (HISC) framework was proposed by Leduc et al. ([4] , [6] , [7] ) to alleviate the state explosion problem. The HISC approach decomposes a system into a high-level subsystem which communicates with parallel low-level subsystems through separate interfaces that restrict the interaction of the subsystems.
HISC provides a set of local conditions that can be used to verify global conditions such as nonblocking and controllability. As each clause of the definition can be verified using a single subsystem, the complete system model never needs to be stored in memory, offering potentially significant savings in computational resources. Also, because HISC emphasizes localization of behavior and compartmentalization of information, HISC systems tend to be more highly structured, easier to understand, and have a higher degree of reusability. Not only can individual components be designed and tested separately, a change to a given level does not affect the other components; only the conditions for that level need to be rechecked.
Currently, a designer must create the supervisors for a HISC system himself, and then verify that they satisfy the HISC conditions. If they do not, he must modify them until they do satisfy the conditions. For a complex system, it may be non obvious how to achieve this. Also, the resulting supervisors may be more restrictive than they need to be. In this paper, we develop a synthesis method that can take advantage of the HISC structure. We replace the supervisor for each level by a corresponding specification DES . We then do a per-level synthesis to construct for each level a maximally permissive supervisor that satisfies the corresponding HISC conditions. As the synthesis will be done on a per-level basis, the complete system model never needs to be constructed. We thus expect to see similar savings in computation as in the HISC verification method. These savings should be even more pronounced as synthesis is an iterative process, thus typically requiring more computation. It should be noted that due to the information compartmentalization requirements, the method presented here does not guarantee global maximal permissiveness, but compensates for this by enforcing level-wise maximal permissiveness that respects the HISC conditions. However, both the HISC synthesis and verification method are currently based upon explicit state and transition listings which limit the size of a given level to about states when 1GB of memory is used. To counter this problem, we have developed a set of symbolic, predicate-based algorithms. We use Binary Decision Diagrams (BDD: [8] , [9] ) to represent the statespace and transitions for each subsystem, and develop algorithms based on BDD representations to verify or synthesize supervisors. As we will see, by using BDD representation and algorithms we will be able to handle much larger subsystems, allowing HISC to be applied to even larger systems.
Using Integer Decision Diagrams (IDD, an extension of BDD) to verify and synthesize flat DES have previously been investigated by Zhang et al. [10] , while Vahidi et al. [11] have investigated applying BDD to flat systems.
Ma et al. [12] , [13] presented a top-down multi-level design model called State Tree Structures (STS), which was initiated 0018-9286/$25.00 © 2009 IEEE in [14] by using the idea of state charts [15] . Ma used BDD based algorithms that allowed him to model and synthesize a state-based supervisor for a system with an estimated statespace on the order of . There has also been some very promising recent work by Pena et al. [16] , Flordal et al. [17] , and Hill et al. [18] in using different forms of equivalence abstractions to verify flat systems in a modular fashion. These methods promise to increase the size of unstructured systems that we can verify. As individual levels (components) of an HISC system are treated as flat systems, these new results have the potential of being able to increase the individual component size that we can handle, if they can be adapted to verify the per-component HISC conditions.
In this paper, we first discuss DES preliminaries, and then introduce the HISC approach in Section III. As the HISC method has already been explained and justified in detail in [5] - [7] , we will only discuss it briefly here. For a small illustrative HISC example, please see [5] .
For the remainder of the paper we will be presenting our new results from [19] - [22] , 1 beginning with an introduction to our HISC synthesis method. We will then define a set of language-based fixpoint operators and show that they compute the required level-wise supremal languages. We will then show the equivalence between removing strings that fail the HISC conditions to removing DES states, as done in our algorithms.
We will then discuss the complexity of our algorithms and show that they potentially offer significant improvement over the monolithic approach. Next, we will very briefly discuss the symbolic methods we have developed. We close by discussing a large manufacturing system example (estimated worst-case statespace on the order of ) which was extended from the AIP example in [4] , [7] . The example demonstrates the improved scalability that our symbolic approach offers.
II. DES PRELIMINARIES
Supervisory control theory provides a framework for the control of discrete-event systems (DES), systems that are discrete in space and time. For a detailed exposition of DES, see [3] . Below, we present a summary of the terminology that we use in this paper.
Let be a finite set of distinct symbols (events), and be the set of all finite sequences of events plus , the empty string. For strings , we say is a prefix of (written ) if , for some . We also say that can be extended to . For arbitrary set , we define be the set of all subsets of . We can now define the extension operator for language . . We will also use the notation , , to mean applications of in a row with . i.e., , and so on.
We will be using the well-known Knaster-Tarski Fixpoint Theorem [24] . Below we give a version from [23] .
Theorem 1 (Knaster-Tarski Theorem): Let be a complete lattice, and let be a monotone function. Then the greatest fixpoint of exists and is equal to Dually, the least fixpoint of exists and is equal to
The Nerode equivalence relation over with respect to is defined for as: . We say is regular if relation has a finite number of equivalence classes.
A DES automaton is represented as a 5-tuple where is the state set, is the event set, the partial function is the transition function, is the initial state, and is the set of marked states. The function is extended to in the natural way. The notation means that is defined for at state . For DES , its closed behavior is denoted by , and is defined to be . The marked behavior of , is defined as . The reachable state subset of DES , denoted , is:
. A DES is reachable if . We will always assume that a DES has a finite state and event set, and is deterministic. In HISC there is a master-slave relationship. A high-level subsystem sends a command to a particular low-level subsystem, which then performs the indicated task and returns an answer. Fig. 1 shows conceptually the structure and information flow of the system. This style of interaction is enforced by an interface that mediates communication between the two subsystems.
In order to restrict information flow and decouple the subsystems, the system alphabet is partitioned into pairwise disjoint alphabets (1) where we use " " to represent disjoint union. The events in are called high-level events and the events in are low-level events as these events appear only in the high-level and low-level subsystem models, and , respectively. These events represent information that is local to a single level. We define our flat system to be . By flat system we mean the equivalent DES if we ignored the interface structure. For the remainder of this paper, the index has range . The interface, , is defined over the events that are common to both levels of the hierarchy, . The events in , called request events, represent commands sent from the high-level subsystem to the low-level subsystem. The events in are answer events and represent the low-level subsystem's responses to the request events. Request and answer events are collectively known as the set of interface events, defined as . In order to enforce the serialization of requests and answers, we restrict the interfaces to the subclass of command-pair interfaces defined below. We present below a state-based interface definition as it is more straightforward to verify. We show in [19] that it is equivalent to the language-based definition given in [5] - [7] as long as is reachable.
Definition 3:
The interface DES is a command-pair interface if: 1
3)
Point 1 of the above definition says the initial state is always marked. Point 2 specifies that only request events can occur at a marked state and must lead to an unmarked state. Point 3 states that only answer events are allowed at unmarked states and must lead to a marked state.
Because the initial state is marked (point 1), answer events are not possible at marked states (point 2), only request events can take us from a marked state to an unmarked state (point 2), and answer events always take us to a marked state (point 3), we are guaranteed a sequence of request-answer pairs. This ensures that we will be able to apply point 5 of the interface consistency definition (see Defn 4 below) in our proofs. The fact that request events only occur at marked states allows us to force a low-level to a marked state by means of point 6 of the interface consistency definition even if the request event the low-level is waiting for is disabled by the high-level.
To simplify notation in our exposition, we bring in the following event sets, natural projections, and languages
We now present the properties that the system must satisfy to ensure that it interacts with the interfaces correctly. The point 5 in the definition below is actually slightly different than the one given in [4] - [7] . We use it since it makes the synthesis definitions clearer. We show in [19] that our new definition is equivalent.
Definition 4: The degree interface system composed of DES , is interface consistent with respect to the alphabet partition given by (1), if for all , the following conditions are satisfied: Multi-level Properties 1) The event set of is , and the event set of is .
2)
is a command-pair interface. High-Level Property 3) Low-Level Properties 4) 5)
6) The first two properties assert that the system has the required basic architecture, with the high-level and low-level subsystems only sharing request and answer events, and the interaction between the levels mediated by interfaces. This provides a form of information hiding as it restricts the high-level subsystem from knowing (and directly affecting) internal details of the low-level subsystems and vice versa.
The high-level property (3) asserts that the high-level subsystem must always accept an answer event if the event is eligible in the interface . In other words, the high-level subsystem is forbidden to assume more about when an answer event can occur than what is provided by the interface. Similarly, low-level property (4) asserts that the low-level subsystem must always accept a request event if the event is eligible in its interface . Property (5) states that immediately after a request event (some ) has occurred, and before it is followed by any low-level events in , there exist one or more paths via strings in to each answer event that says can follow the request event. Finally, (6) asserts that every string marked by the interface and accepted by the low-level subsystem, can be extended by a string in to a string marked by .
A. Local Conditions for Global Nonblocking of the System
We now provide the conditions that the subsystems and their interface(s) must satisfy in addition to the interface consistency properties, if the system is to be nonblocking. It essentially requires that the each level be individually nonblocking.
Definition 5: The degree interface system composed of DES , is said to be level-wise nonblocking if the following conditions are satisfied:
(I) (II) Theorem 2 (from [7] ): If the degree interface system composed of DES , is level-wise nonblocking and interface consistent with respect to the alphabet partition given by (1), then , where .
B. Local Conditions for Global Controllability of the System
For controllability, we need to split the subsystems into their plant and supervisor components. To do this, we define the highlevel plant to be , and the high-level supervisor to be (both defined over event set ). Similarly, the low-level plant and supervisor are and (defined over ). The high-level subsystem and the low-level subsystem are then and , respectively. We can now define our flat supervisor and plant as well as some useful languages as follows:
For the controllability requirements at each level, we adopt the standard partition , splitting our alphabet into uncontrollable and controllable events. Note that this partition may, in general, be independent of the partition given by (1) . In fact, point 3 of the interface consistency definition allows answer events to be controllable at the low-level, but forces high-level supervisors to treat them like uncontrollable events. Point 4 produces a similar result for request events and low-level supervisors.
Definition 6: The degree interface system composed of DES , is level-wise controllable with respect to the alphabet partition given by (1) , if for all the following conditions hold:
(I) The alphabet of and is , the alphabet of and is , and the alphabet of is (II)
The first property is an information hiding statement. By restricting the supervisors to the indicated event sets, we allow them to only view and disable events for their specific component. Point (II) states that the low-level supervisor and interface are together controllable for the low-level plant. Finally, (III) states that the high-level supervisor is controllable for the high-level plant combined with all of the interfaces.
Theorem 3 (From [7] ): If the degree interface system composed of plant components , supervisors , and interfaces , is level-wise controllable with respect to the alphabet partition given by (1), then
IV. HISC SYNTHESIS METHOD
In Section III, we describe a system composed of plant DES , supervisor DES , and interface DES as an degree interface system. When we specify an degree interface system and give supervisors (as opposed to specifications), we will refer to such a system as an degree supervisor interface system. For this system, we showed how the properties of interface consistency, level-wise nonblocking, and level-wise controllable could be used to verify that the flat system is nonblocking, and that the flat supervisor is controllable for the flat plant. However, if the system fails one of these properties, we need a way to automatically modify the system to correct this. We need a synthesis method that can take advantage of the HISC structure and thus provide a similar level of scalability.
A. Synthesis Setting
For synthesis, we will replace supervisor by specification DES (defined over ), and we will replace supervisor by specification DES (defined over ). We thus get the system illustrated in Fig. 2 . We will refer to such a system as an degree specification interface system. Typically, will express system-wide constraints about how the components interact and what tasks the low-levels should perform. expresses how the low-level will perform the tasks (requests) given to it, by the high-level.
As a starting point for synthesis, we need to make sure that our specification interface system meets certain basic requirements. We require that the individual DES have the events sets required for the interface consistency and level-wise controllability definitions, and that the interfaces already satisfy the command-pair definition.
Definition 7: The degree specification interface system composed of plant DES , specification DES , and interface DES is wellformed with respect to the alphabet partition given by (1) , if for all , the following conditions are satisfied: 1) The event set of and is , and the event set of and is . 2) is a command-pair interface. For the rest of this section, we will use to stand for the degree specification interface system that is well-formed with respect to the alphabet partition given by (1) and is composed of the plant DES , specification DES , and interface DES , that we are considering.
In Section III, we introduced the languages , , , and . We now introduce a few more useful languages.
We will refer to the DES that represents the high-level of as . We can now define the languages for over as:
We will refer to the DES that represents the low-level of as . We can now define the languages for over as:
B. High-Level Synthesis
We start by examining how, given system , we can synthesize a supervisor for the high-level. Our first step is to capture the HISC properties that the supervisor's marked language must satisfy. as the marked language of our high-level supervisor (assuming that ), and as the supervisor's closed behavior, then the supervisor will represent the closed-loop behavior of the high-level. As this supervisor is clearly nonblocking, it follows that the high-level will be nonblocking, and thus point I of the level-wise nonblocking definition will be satisfied.
The reason that allows us to construct the supremal HIC nonblocking supervisor follows from Defn. 8 where we refer to a language as being HIC, but the actual definition is in terms of . We can think of as the set of marked sublanguages of language , whose corresponding closed behavior satisfies the terms of the HIC definition. 1) High-Level Fixpoint Operator: Now that we have shown that exists, we need a means to construct it. We will do so by defining a fixpoint operator , and show that our supremal element is the greatest fixpoint of the operator. To do this, we need to first define functions and . Definition 9: For system , we define the high-level nonblocking operator, , for arbitrary as follows:
The way we will be using , we would have and closed, thus would be the marked strings of the highlevel that remain in . Clearly, operator is monotone. Definition 10: For system , we define the high-level interface controllability operator, , for arbitrary as follows:
where . We first note that and thus , as , for all . This operator takes our current estimate of our marked language, constructs its prefix closure ( ), then removes any strings (and their extensions) that would cause to fail the HIC definition. The reason we also remove the extensions, is so that will always produce a prefix-closed language.
We now show that operator is monotone. Proposition 2: For system , the operator satisfies:
Proof: Similar to the proof of Proposition 6. We now combine these two operators to construct our fixpoint operator. As the composition of two monotone operators is also monotone, it follows that is monotone. Definition 11: For system , we define , for arbitrary , as follows:
2) High-level Propositions and Theorem: We next present two useful propositions before we give our main result for this section. Our first proposition says that is equal to the set of post-fixpoints of . This will allow us to apply the Knaster-Tarski Fixpoint Theorem (Theorem 1) in our next proposition.
Proposition 3: For system , we have:
Proof: Similar to the proof of Proposition 7. The proof of our next proposition follows easily from Proposition 2 and the Knaster-Tarski Fixpoint Theorem.
Proposition 4: For system , is the greatest fixpoint of . Proof: Similar to the proof of Proposition 8. We will now show that if reaches a fixpoint after a finite number of steps, then that fixpoint is our supremal element. In Section IV-E, we show that as long as the languages involved are regular, then a finite index always exists; thus our fixpoint operator can always produce the required supremal language in a finite number of steps. We now show that we can use to define our high-level supervisor and satisfy the relevant interface conditions. We will use to stand for the marked language of the high-level supervisor in the corollary below.
Corollary 1: For system , if there exists such that is a fixpoint, then system with and satisfies point 3 of the interface consistency definition, point I of the level-wise nonblocking definition and point III of the level-wise controllability definition.
Proof: Similar to the proof of Corollary 2. We note that the high-level supervisor we have defined above is the maximally permissive nonblocking HIC supervisor for system . Any other supervisor that satisfies the HISC conditions of Corollary 1 and whose marked language is a different sublanguage of , would be a more restrictive solution. An analogous statement can be made about Corollary 2 and the low-level HISC conditions.
C. Low-Level Synthesis
We now examine how, given system , we can synthesize a supervisor for the low-level. Our first step is to capture the HISC properties that the supervisor's marked language must satisfy.
Definition 12: Let . For system , language is low-level interface controllable if for all , the following conditions are satisfied: 1
4) These conditions are essentially point II of the level-wise controllability definition, and points 4-6 of the interface consistency definition, where we have substituted for any reference of the low-level supervisor's closed behavior , for any reference of the supervisor's marked language, and we have used the identity for the low-level subsystem.
For an arbitrary language , we now define the set of all sublanguages of that are with respect to as Proposition 5: Let . For system , is nonempty and is closed under arbitrary union. In particular, contains a (unique) supremal element that we will denote . Proof: See Appendix. If , we can take as the marked language of our low-level supervisor and as the supervisor's closed behavior, and it will follow that the low-level is nonblocking (i.e., point II of the level-wise nonblocking definition is satisfied, for this ).
D. The Low-Level Fixpoint Operator
We will now define a fixpoint operator , to construct . We need to first define functions and . Operator removes from any string that has a prefix that would cause to fail the definition. We now show that it is monotone.
Proposition 6: For system , the operator satisfies:
Proof: See Appendix. We now combine these two operators to construct our fixpoint operator. As the composition of two monotone operators is also monotone, it follows that is monotone. Definition 15: For system , we define , for arbitrary , as follows:
1) Low-Level Propositions and Theorem:
We next present two useful propositions before we give our main result for this section. Our first proposition says that is equal to the set of post-fixpoints of . This will allow us to apply the Knaster-Tarski Fixpoint Theorem (Theorem 1) in our next proposition.
Proposition 7: For system , we have:
Proof: See Appendix. The proof of our next proposition follows easily from Proposition 7 and the Knaster-Tarski Fixpoint Theorem.
Proposition 8: For system , is the greatest fixpoint of . Proof: As is a complete lattice and operator is monotone, we can apply the Knaster-Tarski Fixpoint Theorem and conclude that the greatest fixpoint of exists and is equal to . By Proposition 7, we thus have is the greatest fixpoint of . We will now show that if reaches a fixpoint after a finite number of steps, then that fixpoint is our supremal element. In Section IV-E, we show that as long as the languages involved are regular, then a finite index always exists; thus our fixpoint operator can always produce the required supremal language in a finite number of steps. Using facts , and , we see points 4-6 of the interface consistency definition follow from (4)- (6) .
To show that point II of the level-wise nonblocking definition is satisfied, it is sufficient to show: . By (2) Combining Corollaries 1 and 2, we see that our fixpoint operators allow us to construct supervisors for the high-level and low-levels that by design, will make system , with its specification DES replaced by these supervisors, be interface consistent, level-wise nonblocking, and level-wise controllable.
E. String and State Equivalence
In Sections IV-B and IV-D, we presented a set of languagebased fixpoint operators to construct our supremal languages. The algorithms we have developed in [19] , [21] construct DES that represent these supremal languages, but they operate by removing states instead of strings. In this section, we will show the equivalence of the two approaches, and that our method can always construct the required supremal languages in a finite amount of time.
The first step in the synthesis process is the construction of the synchronous product of all the DES in the system. Let DES , , , with . Define , , and . The proposition below states that for any two strings that go to the same state in , then these two strings also lead to the same state in each of the component DES, and thus they belong to the same Nerode equivalence classes of the component DES's closed and marked languages. The key here is that the synchronous product has not been minimized, or we could lose this one-to-one relationship between a state in and a state in . Proposition 9: Let , , , and be defined as above. It then follows:
Proof: See [19] for an example of how to prove this result.
As we will see, this relationship is important as it will ensure that if a string that takes us to a state in fails one of our HISC conditions, then we can show that all strings that lead to this state also fail; thus we can simply remove the state. This allows our algorithm to operate on a finite number of states, instead of a possibly infinite number of strings.
For convenience, we first discuss a well-known nonblocking result. If a DES blocks, we would have . The proposition below states that if a string cannot be extended to a marked string, then all strings that lead to the same state in cannot either; thus we need to remove the state. We also note that removing a state not only removes all strings that reach this state, but also removes all defined strings that can leave this state. In other words, if we remove state of DES , we remove from the strings as well as all strings that have prefixes in (i.e., ). This is consistent with how we defined our language-based fixpoint operators in Sections IV-B and IV-C.
Proposition 10: For , it follows:
Proof: Proof follows easily from Proposition 9. We now present a proposition relevant to the definition. We first need to define DES to be DES (see definition in Section IV-A) with events selflooped at every state. This is to extend the event set of to , so that it will be compatible with the languages used in the definition (i.e., ). Essentially, the proposition states that if a string fails one of the clauses in the definition, then all strings that lead to the same state in will also fail, thus we need to remove the state. 
2)
Proof: Proof follows easily from Proposition 9 and noting that if two strings are Nerode equivalent, then they will have the same set of eligible events.
We next present a proposition relevant to the definition. Again, we first need to define DES to be DES (see definition in Section IV-A) with events selflooped at every state, thus . Essentially, the proposition states that if a string fails one of the clauses in the definition, then all strings that lead to the same state in will also fail, thus we need to remove the state.
Proposition 12: For system , let . It follows that for all , if then 1)
4)
Proof: See Appendix. Combining the results from Propositions 10 and 11, it follows that each application of is equivalent to either removing at least one state from , or reaching a fixpoint. As we assume that all DES components have a finite statespace, it follows that also has a finite statespace. We can thus conclude that will reach a fixpoint in at most steps and, by Theorem 4, the fixpoint will be the desired supremal element.
Similarly, by Propositions 10 and 12, we can conclude that will reach a fixpoint in at most steps and, by Theorem 5, the fixpoint will be the desired supremal element.
We next note that every regular language can be represented by a deterministic finite state automaton [25] . The above result thus implies that as long as the languages involved are all regular, then Theorem 4 and Theorem 5 state that our fixpoint operators can always produce the required supremal languages in a finite number of steps.
Finally, we note that the level-wise controllability definition requires that the high-level supervisor be over , and the low-level supervisor over . If we start with DES and , our supervisors will be over . However, it can be shown that starting with and will produce the correct result as the added selfloops have no effect [21] .
V. ALGORITHMS
In this section, we discuss very briefly the HISC algorithms that we have developed. We will first discuss automata-based algorithms that rely on explicit lists of states and transitions, and then we discuss symbolic algorithms.
A. Automata-Based Algorithms
In [19] , we first defined a set of algorithms to verify that a given system is interface consistent and then we defined algorithms to implement the high-level and the low-level fixpoint operators. Both sets of algorithms are based on explicit state and transition listings. The complexity to synthesize our highlevel supervisor was found to be , and to synthesize each of our low-level supervisors, where is the number of DES at the high-level, the number of DES at the low-level, is an upperbound for the statespace of the high-level DES, and is an upperbound for the statespace of the low-level DES. Please see [19] for full details of data structures used, algorithms, and complexity analysis.
We now briefly discuss the scalability of our synthesis method. Let denote the size of the statespace of , and and be upper bounds for the statespaces of and , respectively. As was discussed in [6] , the limiting factor for analyzing a flat system would typically be the size of its statespace, . For an HISC system, the limiting factor would typically be the size of the statespace of the high-level, , since it grows as we add more low-levels. We would expect our method to offer significant improvement as long as . Of course, this increased scalability comes with a price: a more restrictive architecture and thus the possible loss of global maximal permissiveness. We feel the tradeoff is worthwhile due to the increase in scalability and the other benefits of our approach.
The reason we can potentially lose global maximal permissiveness is due to the information hiding constraints that we have added and the fact that the HISC conditions are a sufficient, but not necessary condition for the flat system to be controllable and nonblocking. The primary reason is that the high-level and low-level supervisors can only view and effect their local events and interface events. For example, we might be able to get a more permissive solution if the high-level was able to view and disable low-level events as well.
B. Symbolic Algorithms
Both the HISC verification algorithms from [4] - [6] , [19] and the HISC synthesis algorithms we just discussed, are currently based upon explicit state and transition listings which limit the size of a given level to about states when 1GB of memory is used. As each subsystem in HISC is typically modeled as a group of plant DES and a group of specification/supervisor DES, each subsystem-wide state can be represented as a vector, where each element of the vector is the state of a component DES. Therefore, we can use Binary Decision Diagrams (BDD: [8] , [9] ) to represent the statespace and transitions for each subsystem, and develop algorithms based on BDD representations to verify or synthesize supervisors for our HISC system. As we will see in the next section, our BDD-based algorithms allow us to easily handle statespaces on the order of . This represents an eight orders of magnitude increase over our previous algorithms.
In [21] , [22] , we present a set of predicate-based fixpoint operators for HISC synthesis, and prove that they converge to the desired HISC supremal languages for each level. We also provide a set of algorithms to implement these operators, as well as to perform symbolic HISC verification. We then discuss how to represent the system's transition function as predicates such that we can express the predicates required for the above algorithms. We were then able to implement our algorithms using BDD, making use of the BDD software package BuDDy 2.4 developed by Jørn Lind-Nielsen. To achieve this, we drew heavily on the work of Ma et al. [13] . Please refer to [21] for details.
In [21] , [22] , we also introduce a method to implement our synthesized supervisors in a more compact manner. Typically, the result of synthesis is a single, very large supervisor that would be difficult to implement as a controller directly. For instance, the high-level supervisor from the AIP example in the next section has a statespace on the order of . Instead of representing this supervisor directly, we suggest using a state predicate for each controllable event, and using observers for the required plant and specification DES to provide the current state information for the predicates. A state predicate for a given DES takes a state from , and returns true or false to indicate (in this case) whether the event should be enabled at that state. Each predicate can be represented as a BDD, and typically the BDD is much smaller than the corresponding automata supervisors. We also show that HISC systems have the additional advantage that the enablement of high-level and request events could be determined using only the state of the high-level, while enablement of low-level and answer events could be determined using only the state of their corresponding low-level. See [21] , [22] for complete details.
VI. AIP EXAMPLE
To demonstrate the utility of our method, we apply it to a large manufacturing system, the Atelier Inter-établissement de Productique (AIP) as described in [26] , [27] . The AIP, shown in Fig. 3 , is an automated manufacturing system consisting of a central loop (CL) and four external loops (EL), three assembly stations (AS), an input/output (I/O) station, and four inter-loop transport units (TU). The I/O station is where the pallets enter and leave the system. Pallets entering the system can be of type 1 or of type 2. The system consists of a high-level and eight low-levels; one for each transfer unit and assembly station, and one for the I/O station. As the example is quite large, we will only briefly introduce it. Please see [21] for complete details.
In [4] , [7] , Leduc et al. modelled the AIP as an HISC system. Using their algorithms based upon explicit state and transition listings, it took 254.7 s and 659MB to verify that the high-level, with states, satisfied the HISC conditions. Using our BDD-based algorithms, it took us 2 s and an estimated 30MB. This is a 127 times computational speedup, and a 22 times reduction in memory.
We then extended the AIP example of [4] , [7] by modelling how pallets move around the system. For example, a pallet cannot reach an assembly station until it is transported from the central loop to the section of the external loop leading to the station. We also enforced capacity restrictions on each loop section as follows: maximum four pallets at a time in a given section of the CL, and five pallets at a time for a section of an EL. This was not originally modelled by Leduc et al. [4] , [7] as it made the high-level too large for them to handle.
To verify the system, we needed to add an additional supervisor that restricted the number of pallets in the system (excluding EL4) to 15, to prevent the system from blocking. Using our BDD-based algorithms, the system was verified on a 2.8 GHz Pentium 4 CPU, with 512MB memory, running Fedora Core 2. It used less than 160MB of RAM, took 25.7 min to verify the high-level HISC conditions and less than 1 second to verify the low-level HISC conditions for each low-level. The reachable statespace for the high-level was and the total estimated, worst-case, reachable statespace for the flat system was , although the actual statespace is likely a lot smaller. A flat verification with our BDD tool quickly used up all available RAM, and had failed to complete after 24 h.
We then removed the "15 pallets in system" supervisor, and performed a HISC synthesis. Our BDD tool used less than 160MB of RAM, took 128 min to synthesize a high-level supervisor, and less than 1 second to synthesize each low-level supervisor. The reachable statespace for the high-level was , and the total estimated, worst-case, reachable statespace was . This is a clear improvement over previous HISC algorithms from [4] - [6] , [19] .
It is interesting to note that typically we can not perform a flat synthesis (eg. the supcon algorithm from TCT [3] ) on an HISC system and expect to receive a useful result. For example, if a high-level specification required that a controllable answer event be disabled, the flat synthesis would just disable the event. This would not produce the desired effect as this would still allow the corresponding low-level task to occur, and might only prevent the low-level from reporting that the task was complete. For instance, there could be an alternate "timeout" answer event that could occur instead. However, the high-level HISC synthesis would be unable to disable the answer event and would be forced to disable the request events leading to the answer event. This would have the correct effect of preventing the low-level task from occurring.
It's important to remember that HISC systems were designed to function in a structured, modular manner. Its designers never expected high-level supervisors to be able to disable answer events, nor low-level supervisors to be able to disable request events. This behavior was not considered when they modelled the system and defined the specifications. As a result, we believe such behavior could produce unexpected and undesirable results. A flat synthesis on an HISC system would be like writing a software program that uses a system library, but instead of interacting with the library internals through the provided function calls, it views and modifies them directly. Such a program is unlikely to be reliable.
VII. CONCLUSION
In this paper we developed a synthesis method for the Hierarchical Interface-Based Supervisory Control system that does a per-level synthesis to construct for each level a maximally permissive supervisor that satisfies the HISC conditions.
As the synthesis is done on a per-level basis, the complete system model never needs to be stored in memory or traversed, offering potentially significant savings in computational resources. In fact, as long as the statespaces of the interfaces are much smaller than the statespace of the corresponding low-levels, we should see significant reduction in complexity over a standard flat synthesis approach.
Combined with symbolic methods implemented using binary decision diagrams, we are now able to handle HISC systems with individual levels significantly larger (eight orders of magnitude in the AIP example) than approaches based upon explicit state and transition listings.
The benefits of our approach were illustrated by a large example (worst-case statespace on order of ) based on the AIP example. The example demonstrates how the HISC synthesis method can be applied to interesting systems of realistic complexity.
APPENDIX PROOFS OF SELECTED PROPOSITIONS

Proposition 5:
Proof: Proof can be broken down into three parts: 1) show is nonempty, 2) show is closed under arbitrary union, and 3) show contains a (unique) supremal element. As the first and last step are basically the same as for the standard supremal controllable sublanguage proof, they will be omitted. Refer to [19] , by (2). a-b) Show points 1) and 2). As both conditions are of the form of a standard controllability definition, their proofs are omitted. Refer to [19] 
