Logic diagram verification by modular supervisory control of discrete-event system by Liu, Yong Chang
Logic Diagram Verification by Modular Supervisory Control 
of Discrete-Event System 





Electrical and Computer Engineering 
Presented in Partial Fulfillment of the Requirements 
for the Degree of Master of Applied Science (Electrical Engineering ) at 
Concordia University 
Montreal, Quebec, Canada 
September 2008 
©Yong Chang Liu, 2008 
1*1 Library and Archives Canada 
Published Heritage 
Branch 
395 Wellington Street 





Patrimoine de I'edition 
395, rue Wellington 
Ottawa ON K1A0N4 
Canada 
Your file Votre reference 
ISBN: 978-0-494-45520-3 
Our file Notre reference 
ISBN: 978-0-494-45520-3 
NOTICE: 
The author has granted a non-
exclusive license allowing Library 
and Archives Canada to reproduce, 
publish, archive, preserve, conserve, 
communicate to the public by 
telecommunication or on the Internet, 
loan, distribute and sell theses 
worldwide, for commercial or non-
commercial purposes, in microform, 
paper, electronic and/or any other 
formats. 
AVIS: 
L'auteur a accorde une licence non exclusive 
permettant a la Bibliotheque et Archives 
Canada de reproduire, publier, archiver, 
sauvegarder, conserver, transmettre au public 
par telecommunication ou par I'lnternet, prefer, 
distribuer et vendre des theses partout dans 
le monde, a des fins commerciales ou autres, 
sur support microforme, papier, electronique 
et/ou autres formats. 
The author retains copyright 
ownership and moral rights in 
this thesis. Neither the thesis 
nor substantial extracts from it 
may be printed or otherwise 
reproduced without the author's 
permission. 
L'auteur conserve la propriete du droit d'auteur 
et des droits moraux qui protege cette these. 
Ni la these ni des extraits substantiels de 
celle-ci ne doivent etre imprimes ou autrement 
reproduits sans son autorisation. 
In compliance with the Canadian 
Privacy Act some supporting 
forms may have been removed 
from this thesis. 
While these forms may be included 
in the document page count, 
their removal does not represent 




Conformement a la loi canadienne 
sur la protection de la vie privee, 
quelques formulaires secondaires 
ont ete enleves de cette these. 
Bien que ces formulaires 
aient inclus dans la pagination, 
il n'y aura aucun contenu manquant. 
Abstract 
Logic Diagram Verification by Modular Supervisory Control of Discrete-Event 
System 
Yong Chang Liu 
Control function verification is an important task in current engineering design. Tra-
ditional researches usually focus on the final function validation when the control system 
has already been implemented on a hardware controller. However, it would be more useful 
if design errors are found in earlier stages of design. Logic diagram, as a popular middle 
medium, plays a critical role in the current design practices, especially for medium-sized 
and large-sized control systems. Therefore, verification of the design specifications of the 
logic diagrams is an interesting topic in order to find and eliminate the design errors in 
an early stage. In this thesis, we provide a viable approach to verify the design functions 
of the logic diagrams which is based on the modular supervisory control of Discrete-Event 
Systems. We create models for basic logic gates and introduce buffers to obtain automaton 
representation of logic diagrams. After converting the informal verbal specifications to au-
tomata, we can verify whether the logic diagram satisfies these specifications with the help 
of TTCT (a computer program based on automata for analysis and design of supervisory 
control systems). A formal proof of controllability and a semi-formal proof of nonblocking 
property are given. An industrial-sized example is studied to demonstrate the feasibility of 
our methodology. 
i i i 
Acknowledgments 
First of all, I would like to thank my supervisor, Dr. Peyman Gohari for his constant 
support and guidance to my research. This is my first time to do a formal research after 
over ten years engineering work. Dr. Gohari always shows me a great patience to my course 
study and thesis review. What I learned from him is not just a new research field but a 
strict research attitude, which makes my life more meaningful. 
I am particularly grateful to Dr. Shahin Hashtrudi Zad for his detailed review and 
his kindly arrangement of my defense. I also want to express my gratitude to my thesis 
committee: Dr. John Zhang, Dr. Otmane Ait Mohamed and Dr. Ali Dolatabadi. They 
gave me lots of insightful advices. 
I'd like to extend many thanks to my friend Siamak. We passed the initial difficulties 
together in learning Discrete-Event Systems and other courses. Our discussions still impress 
me and built a solid base for my future work. Furthermore, I want to acknowledge Amin. 
He lent his time and materials to me to explain how to write a paper by LaTeX, which 
made my thesis exist in front of us. 
Finally, I thank my wife, my son and my parents for their loves and supports. They 
are always my inspiring sources in my entire life. 




List of Tables viii 
List of Figures ix 
Chapter 1 Introduction 1 
1.1 Motivation 1 
1.2 Literature Review 3 
1.2.1 DES Supervisor Implementation by PLC 3 
1.2.2 PLC Program Verification 4 
1.2.3 Creating a Formal Specification from an Informal Verbal Requirement. 6 
1.3 Thesis Outline 7 
Chapter 2 Background Review 9 
2.1 Languages and Automata 9 
2.1.1 Languages 9 
2.1.2 Automata 10 
2.2 Operations on Languages and Automata 11 
2.3 Supervisory Control of DES 13 
2.3.1 Basics of Supervisory Control 13 
2.3.2 Controllability 14 
2.3.3 Nonblocking 15 
2.3.4 Modular Supervisory Control 16 
2.4 Industrial Logic Diagram 17 
v 
2.5 Conclusion 17 
Chapter 3 Logic Models And Their Functional Verification 19 
3.1 Introduction 19 
3.2 Basic Logic Models and Supervisors 20 
3.2.1 AND Gate 21 
3.2.2 OR Gate 23 
3.2.3 Flip-flop 24 
3.2.4 Time Delay 27 
3.3 A Motivating Example 29 
3.3.1 Buffer Models 31 
3.3.2 Case Analysis 32 
3.4 Controllability and Nonblocking 37 
3.4.1 Definitions 37 
3.4.2 Controllability 38 
3.4.3 Nonblocking 41 
3.5 Conclusion 43 
Chapter 4 Diesel Generator Startup Controller Function Verification 44 
4.1 Introduction 44 
4.2 GS Logic Diagram Verification 46 
4.2.1 GS Logic Diagram Verification Sequences 46 
4.2.2 Applicable Scope of Reduced Verification Technique 49 
4.2.3 The Complete GS Logic Diagram Verification 50 
4.3 Conclusion 82 
Chapter 5 Conclusion and Future Research 83 
5.1 Conclusion 83 
5.2 Future Research 84 
Bibliography 86 
VI 
Appendix A Diesel Generator Star tup Controller Logic Diagrams 89 
vn 
List of Tables 
3.1 Truth table of AND 22 
3.2 Truth table of OR 24 
3.3 Truth table of RS 25 
3.4 Truth table of SR 27 
4.1 Events table of logic diagram 1 51 
4.2 Events table of logic diagram 2 54 
4.3 Events table of logic diagram 3 56 
4.4 Events table of logic diagram 4 58 
4.5 Events table of logic diagram 5 61 
4.6 Events table of logic diagram 6 63 
4.7 Events table of logic diagram 7 65 
4.8 Events table of logic diagram 8 67 
4.9 Events table of logic diagram 9 68 
4.10 Events table of logic diagram 10 71 
4.11 Events table of logic diagram 11 73 
4.12 Events table of logic diagram 12 75 
4.13 Events table of logic diagram 14 76 
4.14 Events table of logic diagram 15 78 
4.15 Events table of logic diagram 16 79 
4.16 Events table of logic diagram 18 80 
vin 
List of Figures 
1.1 Logic diagram verification 8 
2.1 The monolithic supervisory control 15 
2.2 The modular supervisory control 16 
2.3 Basic logic gates 17 
3.1 AND gate 21 
3.2 Logic plant model 22 
3.3 AND specification and supervisor 23 
3.4 OR gate 23 
3.5 OR specification and supervisor 24 
3.6 RS gate with reset priority 25 
3.7 RS plant model 25 
3.8 RS specification and supervisor 26 
3.9 RS gate with set priority 26 
3.10 SR specification and supervisor 27 
3.11 Power-on time delay 28 
3.12 Power-on time delay sequence 28 
3.13 Power-on time delay model 29 
3.14 Power-off time delay 29 
3.15 Power-off t ime delay sequence 29 
3.16 Power-off time delay model 30 
3.17 A typical memory logic diagram 30 
IX 
3.18 Forward buffer model 31 
3.19 Feedback buffer model 32 
3.20 Specification 1 34 
3.21 Specification 2 34 
3.22 Simplified specification 1 35 
3.23 Assumed condition B' = 0 36 
4.1 Diesel generator flow diagram 45 
4.2 Monolithic supervisor generation process 48 
4.3 Logic Diagram verification process 49 
4.4 Specification 1 of logic diagram 1 52 
4.5 Specification 2 of logic diagram 1 52 
4.6 Assumed condition for specification 3 of logic diagram 1 52 
4.7 Specification 3 of logic diagram 1 53 
4.8 Assumed condition for specification 1 of logic diagram 2 54 
4.9 Specification 1 of logic diagram 2 54 
4.10 Specification 2 of logic diagram 2 55 
4.11 Specification 1 of logic diagram 3 56 
4.12 Assumed condition for specification 2 of logic diagram 3 56 
4.13 Specification 2 of logic diagram 3 57 
4.14 Specification 3 of logic diagram 3 57 
4.15 Specification 1 of logic diagram 4 59 
4.16 Assumed condition for specification 2 of logic diagram 4 59 
4.17 Specification 2 of logic diagram 4 59 
4.18 Assumed condition for specification 3 of logic diagram 4 60 
4.19 Specification 3 of logic diagram 4 60 
4.20 Specification 4 of logic diagram 4 60 
4.21 Specification 1 of logic diagram 5 62 
4.22 Specification 1 of logic diagram 6 63 
4.23 Assumed condition for specification 2 of logic diagram 6 63 
4.24 Specification 2 of logic diagram 6 64 
x 
4.25 Specification 1 of logic diagram 7 65 
4.26 Assumed condition for specification 2 of logic diagram 7 66 
4.27 Specification 2 of logic diagram 7 66 
4.28 Specification 1 of logic diagram 8 68 
4.29 Specification 1 of logic diagram 9 69 
4.30 Assumed condition for specification 2 and 3 of logic diagram 9 70 
4.31 Specification 2 of logic diagram 9 70 
4.32 Specification 3 of logic diagram 9 70 
4.33 Specification 1 of logic diagram 10 71 
4.34 Assumed condition for specification 2 of logic diagram 10 72 
4.35 Specification 2 of logic diagram 10 72 
4.36 Specification 1 of logic diagram 11 74 
4.37 Specification 2 of logic diagram 11 74 
4.38 Specification 1 of logic diagram 12 75 
4.39 Specification 1 of logic diagram 14 77 
4.40 Specification 2 of logic diagram 14 77 
4.41 Specification 1 of logic diagram 15 78 
4.42 Specification 1 of logic diagram 16 80 
4.43 Specification 1 of logic diagram 18 81 
4.44 Specification 2 of logic diagram 18 81 
A.l Logic diagram 1 90 
A.2 Logic diagram 2 91 
A.3 Logic diagram 3 92 
A.4 Logic diagram 4 93 
A.5 Logic diagram 5 94 
A.6 Logic diagram 6 95 
A.7 Logic diagram 7 96 
A.8 Logic diagram 8 97 
A.9 Logic diagram 9 98 
A.10 Logic diagram 10 99 
xi 
A.ll Logic diagram 11 100 
A.12 Logic diagram 12 101 
A.13 Logic diagram 13 102 
A.14 Logic diagram 14 103 
A.15 Logic diagram 15 104 
A.16 Logic diagram 16 105 
A.17 Logic diagram 17 106 





Control function verification is one of the most routine and important tasks in industrial 
control system design, especially in safety critical systems, such as nuclear power plants 
[CC04], [YK05], aerospace industries and toxic chemical plants, where the safety and reli-
ability of control systems are becoming more important. Traditional verification methods 
usually verify the design function when the control system is nearly built up and mostly 
depend on manual tests based on the designer's experience. This means that the designer 
must wait until the control algorithms have been implemented in a controller, such as a 
Programmable Logic Controller (PLC), a Distributed Control System (DCS) or an indus-
trial PC, and then the design can be tested by some Hardware-In-Loop (HIL) platform with 
incomplete experience rules. Therefore the test relies on a hardware platform to verify the 
design function. 
In order to understand the context, we need to discuss the typical design philosophy. 
The generic engineering design currently used in practice proceeds as follows: 
1. Process system engineer gives the informal verbal design specifications 1 to ensure the 
system is always operating in a safe and legal state. 
2. Process system engineer and control engineer work together to draw the logic diagrams 
1
 Specification, property and requirement are used interchangeably in this thesis. 
1 
specifying these requirements. 
3. Control engineer implements the logic diagrams in an industrial controller, such as a 
PLC. 
4. Process system engineer and control engineer test and verify the program in the con-
troller by a specific test platform. 
5. If any unexpected result happens during the test period, process system engineer and 
control engineer must trace back to find out the possible errors in the whole cycle. 
Many previous and present works overlook the importance of steps 2 and 3. Mostly, 
they just pay attention to steps 1, 4 and 5. Due to their scales and complexities, many 
control systems are usually implemented on the basis of logic diagrams, which is a useful 
and popular middle medium. As a matter of fact, logic diagrams let the technical staff 
understand the system's operating principle and they make the troubleshooting much easier. 
A logic diagram generally is an essential document to submit to the customer in current 
engineering practice as a formal contract between the two parties. Event though we could 
possibly develop PLC programs directly from the informal verbal design specifications for 
some small-sized systems, drafting logic diagrams is still a good middle step to design the 
control system. 
Instead of direct verification of the final PLC program, we believe that it will be quite 
meaningful if we can find a feasible solution to verify the logic diagrams and their associated 
design functions before hardware implementation. The reason is quite simple: it will let us 
find the potential errors in an early stage of the design, which means that the errors could 
be corrected in a timely fashion and the overall design cost could be reduced. 
In our work, a logic diagram verification method based on modular supervisory control 
theory of Discrete-Event Systems (DES) is introduced to verify the logic diagram in the 
design phase. Discrete-event system framework is a useful modeling abstraction for various 
manufacturing systems, especially for those systems which can be modeled by boolean logic. 
A discrete-event system is driven by the occurrence of events (as opposed to time) and 
occupies a discrete state at each time instant. Supervisory Control Theory (SCT) [RW87] 
is developed for the synthesis of control systems for DES and has received wide acceptance 
2 
with a series of complementary works by [WR87], [FW88], [WR88], and, [Won06], to name 
a few. Our work is based on supervisory control theory. Chapter 2 will give a detailed 
review of this theory. Another important DES modeling framework is Petri-net and will 
not be covered in our work. 
1.2 Literature Review 
It is necessary to review some related topics before we present our research. The verification 
of control logic diagrams can be rarely found in the existing literature. Many papers exist 
on logic verification in VLSI design, which is not our interest. However, we can find three 
topics which we believe are closely related to our research. 
1.2.1 DES Supervisor Implementation by PLC. 
The objective here is to find an algorithm and directly or indirectly implement a formal 
DES controller by PLCs. [LW95] and [Led96] have addressed this issue initially. They 
translate a DES supervisor to an equivalent Clocked Moore Synchronous State Machine 
(CMSSM). At this point, the state transition can be naturally expressed by boolean logic, 
which is finally converted to PLC Ladder Logic Diagrams (LLDs). The most interesting 
aspects of these works are the modular approach and formal model reduction theorems, 
although the conditions for application of these theorems are very strict. [FH98] offers 
a good insight into the implementation problems caused by the gap between the event-
based asynchronous automata and the synchronous signal-based PLC, but does not provide 
any solutions. [LD02] proposes a conversion method based on IDEF3 standard and treats 
a manufacturing system as a set of activities and their required resources. It is quite 
complicated to apply this method and it also seems impossible to automatically apply it to a 
large-scale system. [Mon06] presents a quite straightforward solution to convert a supervisor 
to LLDs, where inputs are regarded as uncontrollable events and outputs are regarded as 
controllable events. [ZV98] derives LLDs from a Petri-net controller, and provides Petri-
net models for basic logic gates. [HelOl] and [HL02] propose a solution to design a DES 
controller by Petri-net, and then convert it to PLC Sequential Function Charts (SFC). SFC 
3 
is a structured PLC language, but SFC is ambiguous in some cases, and is not as formal as 
LLD, which limits its application scope. 
After an analysis from both theoretical and engineering perspectives, we believe that 
all of the above works have the following drawbacks: 
1. Even though the controller is derived from a formal supervisor, the formal supervisor 
is still designed from some informal verbal requirements. Thus the formal function 
verification cannot be avoided. 
2. Even for a small-scale application, the size of an LLD converted from a DES supervisor 
is still much bigger than the size of an LLD derived from a conventional boolean logic 
controller. The actual application value is quite limited in this sense. 
3. The PLC program implemented by a DES supervisor cannot be easily maintained by 
a general maintenance engineer, and its upgrade and troubleshooting will be difficult, 
too. 
1.2.2 PLC Program Verification 
One popular industrial approach is direct implementation of the informal specifications 
using a PLC programming language. Then, the test engineer simply validates the program 
against the informal specifications. It is a manageable but informal way to verify the 
correctness of a simple system, but for a large-sized or even a medium-sized system, the 
problem of incompleteness may happen. As [FLOO] defines, the term "informal" refers 
to "everything that is not based on a strictly composed, syntactically and semantically 
well-defined form". The main problem with informal specifications is that "they do not 
facilitate tests for completeness, unambiguity and consistency". Hence, formal verification 
of PLC programs is an interesting topic which can address the incompleteness, ambiguity 
and inconsistency issues. 
[FLOO] has given an overview of the current state of the art of formal methods in PLC 
program verification. The present approaches are mainly of two types: model-based or non-
model-based. The general choices of formalism are: Petri-nets, automata, condition/event 
systems, high order logics, synchronous languages, general transition systems and algebraic 
4 
equations. And the methods of verification and validation are: simulation, model checking, 
reachability analysis and theorem proving. 
[RK98] adopts the model-based approach and converts the PLC programs into Sym-
bolic Model Verifier (SMV) modules. SMV is a model-checker to verify the specification. 
[GD06] investigates how to provide an efficient representation of SMV modules. As a pio-
neering work, [Moo94] developed a non-model-based method for the verification of LLDs. 
The LLD is reinterpreted using a transition system and the properties to be checked are 
formalized using Computation Tree Logic (CTL). Again, an early version of SMV model 
checker is employed to determine whether the CTL assertion is satisfied in the model being 
verified. [DCOO] took a similar approach as [Moo94] and extended the results to several 
PLC languages defined in IEC 61131-3 standards: LLD, SFC and Structured Text (ST) 
(modeled as transition systems synchronized by message exchanges). The properties to be 
checked are expressed in Linear Temporal Logic (LTL). SMV is still the model checker used 
to verify these properties. As one of the latest works, [LY05] converts the PLC Instruction 
List (IL) program into SMV code and uses the bounded model checking technique to avoid 
unmanageably large state spaces. [Hu03] develops a comprehensive formal transition system 
for SFC and IL. It employs the SMV model checker to verify the temporal logic properties 
of SFC program as well, and combines the abstract interpretation and data flow analysis 
to detect the run-time errors of IL program. 
The above works on PLC program verification, we believe, have the following draw-
backs: 
1. They directly verify the final PLC program and do not verify the middle results, such 
as the logic diagrams, and therefore cannot guarantee the correctness of these middle 
results. In this sense, it is not a full verification and validation of all stages and is just 
a function validation for a complete design cycle. 
2. They generally face the state explosion problem when manipulating large-sized sys-
tems. 
3. Converting PLC programs to some formal forms, such as Petri-nets, condition/event 
systems, automata and algebraic equations, is not an easy job and these models could 
5 
be difficult to understand for most field engineers. 
4. They usually do not pay much attention to the expressions and interpretations of infor-
mal design specifications, which will limit their applications in engineering practices. 
The reason is that we need to get a formal form of these informal design specifications 
to verify the PLC program. 
We found that model checking is an extensively adopted tool in PLC program veri-
fication, and is also employed in our method. Therefore it is necessary to understand its 
principles. Model checking is a three-steps process [LY05], [FLOO]: 
• In the first step, the system description is converted to a finite formal model; 
• The second step is to generate a formal description of properties or specifications to 
be verified; 
• In the third step, a model checker takes the results from the previous two steps and 
shows whether each property or specification holds or not. 
1.2.3 Creating a Formal Specification from an Informal Verbal Require-
ment. 
We will briefly review this topic. [JB93] builds a software environment called Aries to 
manually make this conversion. [Amo95] provids a stepwise evolutionary refining method 
to establish formal specification from informal requirement. It starts from very general 
requirements and consists of five steps: requirements categorization, initial specification, re-
quirements restatement, evolutionary refinement and target language specification. We can 
see that these steps almost all involve manual efforts as well. Instead of taking these compli-
cated operations, our approach, which is based on the current industrial practices, follows 
a straightforward path. The informal verbal requirements in our work are constrained to a 
reduced subset of a natural language, which can cover most of logic control functions. This 
reduced subset can be readily converted to some formal or semi-formal boolean expressions. 
The detailed implementation is demonstrated in Chapter 3 and Chapter 4. 
6 
Previously, we reviewed PLC implementation of DES supervisors, PLC program ver-
ification and creating formal specification from informal verbal requirements, and pointed 
out their drawbacks and beneficial results from these works. We believe that verification of 
logic diagrams will be more fruitful. The following tasks will be considered in our research: 
• Model the logic diagrams by automata and include the cyclic execution feature of 
PLC, which makes it possible for the approach to be extended to test PLC programs. 
• Apply the well-developed supervisory control theory of discrete-event systems to con-
vert the logic diagram to automata. 
• Take the modular approach to avoid the state explosion problem; therefore, we take 
a suboptimal approach rather than a centralized and optimal one. 
• Use the popular model checking method; the properties will be expressed by automata 
and T T C T (a computer program based on automata for analysis and design of super-
visory control systems) is used as a model-checker. 
• Take the non-model-based approach to directly verify the properties or specifications 
of logic diagrams (which will avoid establishing the controlled system model). 
• Straightforwardly covert the informal design specifications to Boolean expressions and 
then to automata. 
Our suggested method is illustrated in Fig. 1.1. The left side describes the steps in 
modeling the logic diagrams, and the right side the system specifications. The last step 
is to check whether the logic diagrams satisfy the specifications. This diagram precisely 
represents the three steps of model checking. 
1.3 Thesis Outline 
The rest of the thesis is organized as follows. Chapter 2 will briefly review the background 
of supervisory control theory of discrete-event systems. A complete logic diagram modeling 
methodology is presented in Chapter 3. The formal proof of controllability and semi-formal 
proof of nonblocking are provided as well. An industrial-sized example, logic diagram 
7 
I Single logic 
I diagram of 
V a controller 
/ M S model o 
( the logic 
diagram 
Figure 1.1: Logic diagram verification 
verification of an emergency diesel generator startup controller, is studied in Chapter 4. 
Chapter 5 summarizes our work and points out future research directions. 
Chapter 2 
Background Review 
In this chapter, we will briefly introduce automata theory and supervisory control theory 
of discrete-event systems [RW87], [WR87], [Won06]. Only the part related to our future 
discussions will be covered. Since TTCT is our design tool to realize the supervisory control 
of DES, each T T C T procedure used in our work will be introduced in the context. 
2.1 Languages and Automata 
2 .1 .1 L a n g u a g e s 
Let E be a finite alphabet. £ + denotes the set of all finite symbol sequences or strings over 
E. Let e be the empty string (sequence with no symbols) . Then we define: 
£* := {e} U £+ 
Obviously, an element of E* is a string or word over E. A language over £ is any subset of 
£*. 
For s, t G £*, we say t is a prefix of s, denoted by t < s, if 3u € £*, such that s = tu. 
Prefix closure of L, denoted by L, is defined by: 
L : = {t£ £* | 3s£L,t< s} 
It can be observed that L consists of all prefixes of strings in L, and that L C L. 
9 
2.1 .2 A u t o m a t a 
We use an automaton (a finite state machine) to model a discrete-event system. The 
behavior of an automaton is represented by a pair of languages. A discrete-event system 
can be modeled by an automaton, which is a 5-tuple: 
G=(Q,E,5,qQ,Qm) 
where Q is the set of states, qo E Q is the initial state, Qm C Q is the set of marked 
states, and 6 is a partial state transition function 5 : Q x £ —• Q: 5(q, a) = q' means that 
there is a transition labeled by event a from state q to state q'. An automaton with partial 
state transitions is also termed a generator. Throughout this chapter, the DES plant is 
always denoted by G. 
The transition function 5 can be recursively extended from Q x £ to Q x E* by two 
rules: 
1. S(q,e) =q 
2. 5(q,sa) =6(6(q,s),a) 
where q E Q, s G S* and a € S. 
With the above definitions, we can obtain two kinds of behaviors of G: 
• Closed behavior, defined by: 
L(G):={sEE*\5(q0,s)EQ} 
which is the set of all strings generated by G; 
• Marked behavior, defined by: 
Lm(G):={sEi:*\8(qo,s)EQm} 
which is the set of all strings that can take G from the initial state go to a marked 
state in Qm. 
It can be seen that Lm(G) C L(G). 
Now, we define two other concepts related to G: 
10 
• Reachable states: 
Qr := {q&Q | 3s € T,*,5(q0,s) = q) 
Qr is the set of states which can be reached from the initial state qo. 
• Coreachable s t a t e s : 
Qcr •= {q G Q | 3s G T,*,5(q, s) £ Qm} 
Qcr is the set of all states which can reach marked states. 
G is reachable iiQr = Q and is coreachable if Qcr = Q. G is trim if it is both reachable 
and coreachable. 
G is nonblocking if Lm(G) = L(G), meaning every reachable state is coreachable. 
TTCT procedure Create can be used to create a DES. 
2.2 Operations on Languages and Automata 
We will define some important operations used in our work. 
• Complement 
The complement operation on Lm(G) can be defined as: 
Lm(GCo) = S — Lm(G) 
We see later that it is frequently used in logic function verification. This operation 
can be realized by T T C T procedure Complement. 
• Natural projection 
Let L\ C EJ, L2 C E£, where in general Ei n E2 ^ 0. Let E = Ei U E2 . Define a 
natural projection 
P i : E * - > E J (t = l ,2) 
according to 
1. Pi(e) = e; 
11 
2. Pi(a) = 
e if <T ^ Si 
o- if a G S j 
3. Pi(sff) = Pi(s)Pi(<r), s G S*, a G S. 
Pi is catenative since Pj(st) = Pi(s)Pj(t). The action of Pi on a string s is just to 
erase all occurrences of a in s such that a £ S j . Pj is called the natural projection of 
S* onto S t . Let 
P - 1 : P w ( S * ) - • Pwr(S*) 
be the inverse image function of Pi, where Pwr denotes power set. Then for H C S*, 
^ ( f f ) := { s G S * | Pi(s)GH} 
T T C T procedure P ro j ec t is employed to realize this function. 
Synchronous product 
For L\ C SJ and L2 C S 2 , the synchronous product L\ || L2 C S* is defined according 
to 
Lx || L2 := P,-1^ n P ^ 1 ^ 
Thus, s G Li || L2 if and only if Pi(s) G L\ and P2(s) G L2 . 
If there are two generators Gi = (Qi,Si,<5i,9io,Qm i) and G2 = {Q2,^2,^2,q2o,Qm2), 
the synchronous product of G\ and G2 is the reachable part of the automation 
G\ || G2 : = G = (Qi X Q 2 ,S iUS 2 ,<5, (9lO,92o),Qml X Qm2) 
where for (91,92) G Qi x Q2 and cr G S i U S 2 , 
<5((<7i,<?2),cr) = < 
((5i(c?i,cr),(52(g2,cr)) if 5i (91,(7) 
(<5i(?i,0"),<72) if <5i (91,(7) 
(91,^2(92,0-)) i f52(92 , (7) 
undefined otherwise 
and <52(92,cr)! 
and a £ S2 
and (7 ^ S i 
T T C T procedure Sync is employed to realize this function and is usually employed to 
combine the modular plants to a single, more complex plant. 
12 
• Meet 
The meet operation is the same as synchronous product except that its partial tran-
sition function is defined as follows: 
J (6i(qi,a),62(q2,<T)) if <5i(«i>°")! a n d fcfe, <r)\ 
S((qi,q2),o-)= < 
I undefined otherwise 
Note that meet and synchronous product are identical when Ei = E2. We use A to 
denote meet. 
T T C T procedure Meet is used to realize this function. Generally, in cases with more 
than one specification, the specifications are combined by the Meet operation. 
• Selfloop 
For G — (Q,£,,5,qo,Qm), let E' be a set of events which is disjoined from E, or 
E fl S ' = 0. The selflooped automaton G is formed from G by adding transitions 
5(q, <r) = Q for V<7 G E ' and \/q £ Q. 
T T C T procedure Se l f loop is employed to realize this function. It is mainly used to 
extend a modular specification on a subalphabet to a specification for the entire plant. 
• Trim 
In Section 2.1.2, we have mentioned that trim is the reachable and coreachable part 
of an automaton. T T C T procedure Trim is used to obtain the trim substructure of 
an automaton. Therefore, if an automaton has no marked state, after trim operation, 
the result will be an empty automaton. 
2.3 Supervisory Control of DES 
2.3 .1 B a s i c s of S u p e r v i s o r y Contro l 
Ramadge-Wonham [RW87] supervisory control theory provides a framework for control of 
a DES. Here, plant's behavior is considered as the language generated by a generator. A 
supervisor, which is also modeled by a generator, is coupled with the plant to restrict its 
behavior. 
13 
To consider the real situation of a control system and impose control on the plant, the 
events set £ is partitioned to two disjoined sets E = ECL)SU. S c is the set of controllable 
events and S u is the set of uncontrollable events. The supervisor can just enable or disable 
the occurrence of controllable events. The occurrence of uncontrollable events should always 
be allowed. 
A control pattern 7 is any set within the bounds Eu C 7 C £. The set of all control 
patterns is introduced as: 
r := {7 € Pwr{E) I 7 D S„} 
A supervisory control for G is an arbitrary map V : L(G) —> T. Denote G under 
supervision of V by V/G and define recursively the closed behavior of V/G, L(V/G), as the 
smallest set satisfying 
1. e e L(V/G); 
2. If s G L(V/G), so- G L(G) and a e V(s), then sa € L(V/G); 
3. No other strings belong to L(V/G). 
Prom the above definition, we know that L(V/G) is nonempty and closed. The marked 
behavior of V/G is 
Lm(V/G) = L(V/G)nLm(G) 
which consists of the strings of Lm(G) which survive under the supervision of V. 
We say V is nonlocking if Lm(V/G) = L(V/G). 
We can use an automaton S to implement V if 
1. L(S A G) = L(S) n L(G) = L(V/G) 
2. Lm(S A G) = Lm(S) n Lm(G) = Lm(V/G) 
2.3.2 Controllability 
A language K C L(G) is said to be controllable with respect to G if 
Zs u n L(G) c Tc 
14 
Considering an industrial application, we can treat L(G) as the behavior of a plant G 
and K as a design specification. If K is controllable with respect to G, then it means that 
a supervisory control can be found such that the plant under control can meet the design 
specification. We call the agent that realizes this supervisory control map as a supervisor, 
therefore, the agent or supervisor just enables or disables some controllable events in each 









Figure 2.1: The monolithic supervisory control 
If K C Lm(G) which may not in general be controllable, then from [WR87] we know 
that a supremal controllable sublanguage of K can always be found and at this time, the 
supervisor is maximally permissive or minimally restrictive. 
TTCT procedure Supcon is used to get the supremal supervisor S of a given specifica-
tion K based on a given plant G. If S = 0, it means that K is not controllable with respect 
to G, and does not have any nontrivial sublanguage that is controllable with respect to G. 
2.3 .3 N o n b l o c k i n g 
In Section 2.1.2, we defined the nonblocking property of an automaton. Here we will give 
the definition of a nonblocking supervisor. A supervisor S is nonblocking for G if 
Lm(SAG) = L{S A G) 
T T C T procedure Nonconf l i c t is used to check if S is nonblocking for G. 
15 
2.3.4 Modular Supervisory Control 
Up to now, we just presented the centralized supervisor, which means that a plant G 
is controlled by a single supervisor S. It can only be applied to a small plant. For a 
large-sized or even a medium-sized plant, this approach will immediately become infeasible 
due to the combinatory state explosion. [FW88] and [WR88] introduce decentralized or 
modular supervisory control and it can solve this problem under certain conditions. Fig. 2.2 
illustrates this idea. 









Figure 2.2: The modular supervisory control 
To define modular supervision, let's first introduce what a proper supervisor is. 
We call S a proper supervisor for G when: 
1. S is trim, 
2. Lm(S) is controllable with respect to G, 
3. S A G is nonblocking or Lm(S A G) = L(S A G). 
[FW88], [WR88] and [Won06] give the following result. 
If Si, i—1, 2, are two proper supervisors for plant G, then for S = Si A £2 to be a 
proper supervisor for G we must have: 
1. Si and 52 are controllable with respect to G, 
16 
2. Si A 52 and G are nonblocking, 
3. S\ A S2 is trim. 
The modular supervisory control is adopted in our work as a critical solution to verify 
logic diagrams. 
2.4 Industrial Logic Diagram 
Industrial logic diagrams are widely used in engineering design in logic control field. Gen-
erally, an industrial logic diagram is a graphic representation of design specifications and 
is composed of some basic logic gates, for example and, or, not, flip-flop and time delay as 















flip-flop flip-flop time delay 
with reset priority with set priority 
Figure 2.3: Basic logic gates 
These basic logic gates are powerful and can realize most design specifications. In 
Appendix A, an Emergency Diesel Generator Startup Controller is specified based on these 
logic gates. 
2.5 Conclusion 
In this chapter, we have given a brief and necessary introduction to languages, automata and 
supervisory control theory of DES. The corresponding operations and TTCT procedures 
are provided. The concepts of controllability and nonblocking are presented as well. A brief 
17 
introduction to logic diagrams is given. This background knowledge will become the basis 
of our further discussions in the next two chapters. 
18 
Chapter 3 
Logic Models And Their 
Functional Verification 
3.1 Introduction 
In order to verify the correctness of a logic diagram, the following steps must be taken: 
1. Find a controllable and nonblocking supervisor Si for each logic diagram; 
2. Convert the informal design function requirements to one or several formal specifica-
tion automata Vf, 
3. Verify whether L(Si) C L(Vi) for each i to check the design functions. 
We can use the specification automata in step (2) and the uncontrolled plant model 
to design a supremal supervisor for each specification automaton. But there are drawbacks 
to this approach, namely, 1) the supremal supervisor can be too large for efficient imple-
mentation by PLCs or other industrial controllers, which is a potential application in the 
future for our research, and 2) the functionality of such a supervisor may not be very well 
understood. Instead, we use traditional, suboptimal supervisors designed as logic diagrams. 
To make sure that what is modeled by a logic diagram can serve as a supervisor, we need to 
show that it is controllable and nonblocking (step (1)), and that it satisfies the specification 
(step (3)). 
19 
A standard industrial logic diagram, generally, is composed of some basic logic gates, 
such as AND, OR and Flip-Flop logic elements. Another special element is time delay. In 
the first part of this chapter we will give a standard plant model and its supervisor for each 
basic logic gate. A motivating example will be used to show the complete methodology in 
Section 3.3. Section 3.4 will try to formally prove the controllability of the combined DES 
supervisor from the controllability of the logic gates in each circuit, and infer its nonblocking 
nature. The next chapter will apply this method to an industrial diesel generator startup 
controller to demonstrate its feasibility in real industrial control systems. 
Remark: Here we will consider each logic diagram as a DES supervisor of a single DES 
plant. 
In each logic diagram, there are always several basic logic elements. Obtaining an 
appropriate DES plant and its supervisor is not a trivial task. We probably can design a 
monolithic plant and supervisor according to the function requirements of each logic dia-
gram, but this will not be easy in most situations because the size of the resulting supervisor 
becomes unmanageable and it is impossible to be taken as a standard method. Modular 
approach seems more feasible in real industrial systems, which can take full advantage of 
modular DES supervisory control approaches. 
The design of plant model and its corresponding supervisor for basic logic gates is not 
difficult. It is therefore natural to find a suitable DES plant model and its supervisor for 
each basic logic element. Then, a monolithic supervisor of a logic diagram can be obtained 
with modular supervisory control theory of DES by synchronizing the DES supervisor for 
each basic logic element. In the next section, DES plant models and their corresponding 
supervisors for basic logic elements will be presented. 
3.2 Basic Logic Models and Supervisors 
Before giving the detailed models, we need to make the following important assumption: 
Assumption: All input signals in a logic gate will be treated as uncontrollable, and the 
output signals will be treated as controllable. This assumption is reasonable from the 
controller's point of view. 
20 
In order to model dynamical time-varying behavior and memory capability of a logic 
controller, we introduce a special timing event T, which represents the scan cycle of the 
PLC. It must be pointed out that despite this our models differ from timed DES models; 
the convenience of introducing T is to simulate the real controller behavior and to model 
flip-flop and time delays. 
We assume that at every point in time the value of a signal x is either 0 or 1. Events 
are derived from signals in the following way: at the beginning of the fcth cycle the signal 
x is sampled. If x{kT) = 1 then event X is generated at the fcth cycle, while if x(kT) = 0 
event X is generated. 
NOT gate is a basic logic gate too, but it will not be separately modeled since its 
nature can be easily denoted by the event itself. For example, when a signal x is 1(0), then 
event X(X) is generated. We can directly use X(X) to represent the NOT of X(X). 
3.2.1 A N D G a t e 
Fig. 3.1 is a 2-input AND gate and Table. 3.1 gives its truth table. The value 1 represents 
that the corresponding signal is triggered and the value 0 means that it is not triggered. A 
multiple-input AND gate can be decomposed into several 2-input AND gates, so a 2-input 




Figure 3.1: AND gate 
For each input signal, a basic plant model is shown in Fig. 3.2-(a) and (b). The model is 
reasonable since an output event can only be generated after an input event. Other than this 
functional requirement, the plant model does not impose any restriction on the input-output 
relationship: for any value of the input, the output can assume any value. It simulates the 
21 
















operation sequence of a real controller, for example, a PLC. The synchronization of plant 
models for each input yields 
G = Gi || Gi 
The final logic plant model G is shown in Fig. 3.2-(c). The state after event T is always 
marked. The reason is that the controller processing time is much shorter than the plant 
response time, and any functional requirement is always based on a complete processing 
cycle. Here the marked state is also the initial state. 
Figure 3.2: Logic plant model 
From its truth table, a specification of the AND gate can be derived as in Fig. 3.3. 
Using the TTCT command SUPCON, it is verified that the specification is controllable and 
nonblocking and can thus serve as a supervisor. From Fig. 3.3 we can see that when A(B) 
22 
is zero, regardless of the value of B(A) the output signal C must be set to zero. 
Figure 3.3: AND specification and supervisor 
3.2.2 O R G a t e 
Similarly, Fig. 3.4 is a 2-input OR gate and Table. 3.2 gives its truth table. Due to their 





Figure 3.4: OR gate 
Based on its truth table, the specification of the OR gate can be derived as in Fig. 3.5. 
Using TTCT command SUPCON, the nonblocking and controllable supervisor satisfying this 
specification can be shown to be the same as the specification in Fig. 3.5. 
From Fig. 3.5 we can see that when A (B) is one, regardless of the value of B (A) the 
output signal C must be set to one. 
23 
















Figure 3.5: OR specification and supervisor 
3.2.3 Flip-flop 
An RS flip-flop is a special logic element which includes memory function. Depending on 
the input priority, there are two types of flip-flops. 
• RS with reset priority. 
Fig. 3.6 is an RS gate with reset priority and Table. 3.3 gives its truth table. R stands 
for Reset and S stands for Set. 
From the truth table, we can observe that when both inputs are 0, the output will keep 
its previous value. Output will always be 0 as long as R is 1, which means that reset 
has priority over set. It will be quite complicated if we just try to model the behavior 




Figure 3.6: RS gate with reset priority 
















problem can be easily dealt with when timing event T is introduced. The plant model 
will be a little bit different now as illustrated in Fig. 3.7. 
Figure 3.7: RS plant model 
In this model, controllable outputs O and O are forcible and can preempt the time 
event T, so they can be either both disabled, indicating that the previous value of 
the output must be kept, or when either one is enabled it can preempt the transition 
labeled with T back to the initial state. 
The specification is derived from Table 3.3 in Fig. 3.8. We can see that when both 
25 
inputs are 0, O and O are disabled and only T can happen back to the initial state. In 
this case, the output will keep its previous value. It can be easily verified using TTCT 
that the nonblocking and controllable supremal supervisor satisfying this specification 
is isomorphic to the specification in Fig. 3.8. 
Figure 3.8: RS specification and supervisor 
RS with set priority. 
RS with set priority (also called SR) is almost identical to RS with reset priority and 
is shown in Fig. 3.9. The only difference is that the set signal has priority over the 
reset signal as shown in Table. 3.4. Note that the output will always be 1 when S is 
1. The plant model is unchanged (Fig. 3.7). 
R S 
O 
Figure 3.9: RS gate with set priority 
The controllable and nonblocking specification, which is isomorphic to its supremal 
26 
















supervisor, is depicted in Fig. 3.10. 
Figure 3.10: SR specification and supervisor 
3.2.4 Time Delay 
Time delay can be categorized to two types, Power-On Time Delay and Power-Off Time De-
lay. The timing event introduced earlier can be thought of as having a qualitative nature—it 
represents the passage of some units of time. Time delay duration A can be one cycle time, 
or millions of cycle times. It is impossible to model the exact duration of delay with a 
simple untimed DES model. In this work, the duration of all time delays will be abstracted 
as one cycle time T, and the delay circuit will be modeled as a buffer. As a result, we can 
only verify the existence of time delay, but cannot verify its duration. 
• Power-On Time Delay. 
27 
Fig. 3.11 is the power-on time delay and Fig. 3.12 describes its exact function. Pa-
rameter A is the delay duration. Obviously, when the input i" jumps from 0 to 1, the 
controller will start a timer with preset time A and the output O will change from 0 to 
1 if the timer expires while the input has been continuously 1; otherwise, the output 
will stay at 0. Once the input I changes from 1 to 0, the output O will immediately 
change from 1 to 0 without any delay. 
I -A h o 
AON 
Figure 3.11: Power-on time delay 
i _ J L 
o •Aj |_ 
i "LIT 
on 
Figure 3.12: Power-on time delay sequence 
As mentioned above, we will abstract any arbitrary duration A to a single cycle time 
T and model the delay circuit as a buffer; Fig. 3.13 is the model we use in this work 
for power-on time delay. 
Power-Off Time Delay. 
Power-off time delay is just the opposite of power-on time delay. Fig. 3.14 is the 
power-off time delay and Fig. 3.15 describes its exact sequence function. 
Fig. 3.16 shows the model which will be used in this thesis. 
28 





Figure 3.14: Power-off time delay 
Or A o J 
i r u 
o J 
Figure 3.15: Power-off time delay sequence 
3.3 A Motivating Example 
The previous section has covered all basic logic elements in a standard industrial control 
logic diagram. However, it is still impossible to get a monolithic supervisor from the mod-
ular supervisors for basic logic elements because the interconnections between basic logic 
elements have not been defined yet. In this section we use a motivating example to describe 
how different basic elements in a logic diagram are interconnected. 
First, we will give a typical industrial memory logic as in Fig. 3.17. To give the example 
29 
Figure 3.16: Power-off time delay model 
a practical flavor, assume that input B can be considered as a high-level signal from a level 
switch in a tank, and B' is the alarm acknowledgement signal from a pushbutton. Once the 
level switch sends a high-level signal, the output C will be set to 1 and an alarm will sound, 
even if B becomes 0, until pushbutton B' is manually pressed to 0 to reset the alarm. 
B B' 
A 
| >=1 | 
C 
A ' J I 
I & 
C 
Figure 3.17: A typical memory logic diagram 
Second, we will define the buffer model. A logic diagram is a network consisting of basic 
logic elements interconnected by wires. Not only should each logic element be modeled, but 
30 
also their interconnections must be specified. After analyzing Fig. 3.17, we can find that 
there are two types of interconnections, forward connection and feedback connection. In 
Fig. 3.17, the connection from C to A' is a forward connection, and the connection from C 
to A is a feedback connection. In the next part we will model these two types of connections 
with two types of buffers: for forward connection, we require that the value of the input be 
consumed by the output in the same cycle, while in a feedback connection the value of the 
input can be consumed by the output only in the next scan cycle. 
Finally, we will show how to get a monolithic plant model from the basic logic plant 
models and their interconnection buffers. 
3 .3 .1 Buffer M o d e l s 
All buffer models are to be synchronized with basic logic plant models to obtain a monolithic 
plant model. 
Forward Buffer Model. 
Fig. 3.18 shows the forward buffer model in which all states are marked. After receiving a 
controllable event C or C from the output of a gate, forward buffer will immediately (i.e. 
in the same scan cycle) sends an uncontrollable event A' or A' to the input of a subsequent 
gate (i.e. a gate whose output in no way influences the output of the current gate). 
T 
Figure 3.18: Forward buffer model 
Feedback Buffer Model. 
Fig. 3.19 shows the feedback buffer model in which all states are marked. After receiving 
a controllable event C or C from the output of a gate, feedback buffer must wait for the 
31 
next scan cycle to send an uncontrollable event A or A to the input of a preceding gate (i.e. 
a gate whose output affects the output of the current gate). 
AtA 
Figure 3.19: Feedback buffer model 
3 .3 .2 C a s e A n a l y s i s 
Monolithic Supervisor 
In this subsection we will obtain a monolithic supervisor for the system of Fig. 3.17 and show 
the isomorphism between the monolithic supervisor and the meet of modular supervisors. 
First, we define the following notations: 
• Pi is the plant model of OR gate. 
• P2 is the plant model of AND gate. 
• Speci is the supervisor of OR gate. 
• Speci is the supervisor of AND gate. 
• Speci is Speci with all of events not in OR selflooped. 
• Spec2 is Specs with all of events not in AND selflooped. 
• B\ is the forward buffer model from C to A', 
• Bi is the backward buffer model from C to A. 
Naturally, the monolithic plant automaton model P of Fig. 3.17 can be obtained as: 
P = Pi || P2 || P i || P 2 
32 
In addition, the modular supervisor of the OR gate, Si, can be obtained by 
Si = SW>C0H{P, Speci) 
The modular supervisor of the AND gate, S2, can be obtained by 
S2 = SUPC0N(P, Sp~ec2). 
Actually, we can directly obtain the result since £1 is isomorphic to Speci (similarly, 52 
is isomorphic to Spec?). The reason is that Speci is already controllable and nonblocking 
with respect to Pi, and we selfloop events that are not in Pj to obtain Speci, so Speci 
should remain controllable and nonblocking with respect to P. 
The monolithic specification can be obtained by: 
Spec = Speci f] Spec2 
Then, the monolithic supervisor S will be: 
S = SUPC0N(P, Spec) 
We can verify that Si A §2 is controllable and nonblocking, by using TTCT; in addition, 
we can verify that 
L{§i) n L(52) n L(P) = L{S) n L(P) 
Lm(Si) n Lm(s2) n Lm(P) = Lm(S) n Lm(P) 
which means the joint supervision of the modular supervisors induces the same behavior as 
the monolithic supervisor does. 
Logic Design Function Verification 
The design specification of the logic diagram of Fig. 3.17 is informally stated as follows. 
1. When tank level switch B sends a high-level signal and alarm-acknowledge pushbutton 
is not pressed, the alarm output C should be set; 
33 
2. Once C is set, it should remain set without caring about the status of the level switch 
B. The alarm signal can only be reset by alarm-acknowledge pushbutton B'. 
In general, the translation of informal English requirements to formal automata models 
is a challenging task which requires logical thinking and sufficient knowledge about the 
system. We will try to give a reasonable and feasible way to obtain the models. 
For function 1, the alarm output C must be generated (i.e. alarm should sound) when 
the following two conditions are both satisfied: level switch B sends a high signal, and 
alarm-acknowledge pushbutton B' is not pressed. So we summarize this by a logic and 
equation C — B A B'. This equation will be the basis of the automaton model. Fig. 3.20 is 
the automaton model V\ based on the above analysis. In this model, after B and B', only 
C" is permitted (i.e. C is disabled). Note that the automaton must be carefully designed 
to faithfully translate the English statement: no new behavior should be introduced, and 
no legal behavior should be removed. 
c,c' c;,c: 
-I7B.B' B jB ' 
O B,B' W B,B' _ 
~4—^T> * - Q M f ) self-looped I-{B,B,B',B',C',C',T} 
Figure 3.20: Specification 1 
For function 2, it is a memory function which is very convenient to be described by an 
automaton. Fig. 3.21 shows the memory automaton model Vi- In this model, once C is 
generated, only B' can reset the automaton to its initial state. 
B\C' C 
self-looped I-{B',E3',C',C'} 
Figure 3.21: Specification 2 
34 
The next step is to verify that the supervisor S satisfies these two function requirements, 
which means: 
Lm(S) C Lm(Vi) and Lm(S) C Lm(V2) 
or equivalently, 
Lm(s) nljyo = ^ and Lm(s) nZJVzj = <D 
TTCT COMPLEMENT and MEET commands have been used to verify the above equalities. 
A Reduced Verification Technique 
The motivating example described in this section is not a complicated example. If a logic 
diagram has more basic logic elements and inputs, the design of specification model will be 
quite difficult, which will make this method not so applicable to real industrial applications. 
In this subsection, we will try to simplify the verification of a complicated logic diagram by 
fixing some inputs to either true or false when specifying a certain requirement, which will 
make the specification design much easier and can directly yield a reduced supervisor from 
the monolithic supervisor. 
In a complicated logic diagram, we usually assume some fixed initial conditions to 
simplify the specification of a requirement. For instance, in the above example, we can 
assume that alarm-acknowledge pushbutton B' is not pressed when specifying the first 
requirement. Then the first specification will be simplified as: When tank level switch B 
sends a high-level signal, the alarm output C will send a signal. This simplified specification 
V{ is shown in Fig. 3.22. 
self-looped I-{B,B,B', C',C',T} 
Figure 3.22: Simplified specification 1 
If the condition that alarm-acknowledge pushbutton B' is not pressed is assumed, 
it follows that the event B' is not present in the alphabet of the supervisor. We call the 
resulting supervisor a reduced supervisor, denoted by S'. This reduced supervisor S' can be 
35 
obtained by taking the meet of the supervisor S with the automaton C\ shown in Fig. 3.23, 
i.e. S' = S A C\. It can be observed that C\ is a single state automaton with all events 
self-looped except the event B' which is to be removed. According to the definition of meet, 
S' will be the same as S with all transitions labeled with B' removed. 
I-{B'} 
Figure 3.23: Assumed condition B' = 0 
Then we can use the same logic to verify that the reduced supervisor S" satisfies the 
specification V{, or Lm{S') n Lm(V{) = 0. 
The key observation in the above example is that the original requirements V\ and V2 
have redundancies, in the sense that part of the plant's behavior is restricted by both V\ 
and V2. The requirement specification V{ is more efficient in that it doesn't duplicate but 
complements V2. 
For any signal a, break every (supervisor, specification) pair into two pairs: one in 
which a is assumed to be 0, and the other in which a is assumed to be 1. If both pairs 
are verified, the original pair is verified. Sometimes only one pair need to be verified. The 
other pair is not necessary to be verified since it is contained in other specifications (as in 
the above example), or it is not required by the specification (as in the next chapter). 
It can be observed that V[ is less complex than V\ while jointly with V2 it restricts the 
plant's behavior in an identical fashion. This benefit will be much more significant if the 
logic diagram is more complicated as shown in the next chapter's real industrial example. 
The operational procedure can be summarized as follows: 
1. Decide the input signals to be fixed as triggered (1) or not-triggered (0) according to 
the informal function requirements, which needs correct understanding of the system 
operation; 
2. Design a simplified specification V? without considering the fixed events; 
36 
3. Design a single state condition automaton d with all events self-looped except the 
fixed input events; 
4. Synchronize the monolithic supervisor S with Q to get a reduced supervisor S'; 
5. Verify Lm(S') C Lm{y() to verify the design function. 
3.4 Controllability and Nonblocking 
The previous section has given a detailed description of basic plant models and their su-
pervisors. A motivating example has shown that the monolithic supervisor is isomorphic 
to the composition of the modular supervisors, and is controllable and nonblocking. 
However, it is necessary to give a formal proof for the general case to make sure that 
this method can be applied to industrial control systems. This section presents a formal 
proof of the controllability of the composition of modular supervisors, and makes informal 
arguments in support of the nonblocking of the plant controlled by the modular supervisors. 
3.4.1 Definitions 
Each plant P in a logic diagram is composed of n > 1 basic plant models and m > 0 basic 
buffer models. The event set of P is denoted by E, and consists of disjoint controllable 
event set S c and uncontrollable event set Su . 
Let I — {1,2, • • • , n) be an index set for the n basic plant models. Define a basic plant 
model as: 
&i = \Xi,Sj,£j,XQi,Xmi), i £ I 
Let J = {1,2, •• • ,m) be an index set for the m basic buffer models. Define a basic 
buffer model as: 
Here, 
37 
Si U E'2 U . . . U T,'m C Si U E2 U . . . U E„ = E 
The monolithic plant model P is defined by taking the parallel composition of all basic 
plant models and all basic buffer models: 
P = Gx || G2 || . • • || Gn || Pi || P 2 || . . . || P m 
For each basic plant model Gi, define the corresponding supervisor as: 
Let 5j be a supervisor that is identical to Si except that events not in Ej are self-looped: 
Si = (Zi, E, Q, zoi, Zmi), i £ I 
where 
2 ; o- ^ Ei 
We denote all the uncontrollable events in Ej by Ej)U; the set of all other uncontrollable 
events is denoted by Ej]nx: Ej i ru = E„ — E;)U. 
3.4.2 Controllability 
In this section, we show that the controllability of gate supervisors implies the controllability 
of the composition of all gate supervisors. First we will give Lemma 1, then we will prove 
Theorem 3.4.1 based on this Lemma. 
Lemma 1 Suppose that Si, Si and P are defined according to Section 3.4.1 and Si is 
constructed following the procedure in Section 3.2. Then Si is controllable with respect to 
plant P. 
Proof: 
Since Si is controllable with respect to d, and L(Si) is a prefix-closed language, we 
have: 
L(S<)Eiitt n L(Gi) C L(Si) (3.1) 
38 
We must show that §i is controllable with respect to plant P, i.e.: 
£(&)£„ n L(P) C L(Si) (3.2) 
Let P' be the plant without buffers, i.e.: 
P' = Gi || G2 || • • • || Gn 
It is obvious that 
L(P) C L(P') (3.3) 
First, we show that Si is controllable with respect to P', i.e.: 
L(5 i )S„nL(P ' )CL(5 i ) (3.4) 
Then our target equation (3.2) immediately follows from equations (3.3) and (3.4). 
Let Pi : S* —* S* denote the natural projection for i £ I. Let s G L(Si), a E £„ and 
scr G L(P'). We must show that scr € L(5j). 
We consider two cases: 1) a = T, 2) a G {S„ — T}. 
1. For a = T, since 
L(P') - PfHiCGi)) n P2-1(L(G2)) n . . . n P ~ 1 ( L ( G „ ) ) (3.5) 
then sT e L{P') implies that for all iel, sT e P~1(L(G i)). It follows that 
PifcT) G L(G4) 
In each basic plant model i G J we have T G Sj, so 
Pi(s)T G L(Gi) (3.6) 
From the definition of Si it follows from s G L(5») that 
Pi(s) G L(5i) (3.7) 
From equations (3.6) and (3.7), and the controllability of 5» it follows that 
39 
Pi(s)T G L(Si) 
which implies Pi(sT) G L(S<), and therefore sT G P r ^ S ; ) ) = L(Si) for all i G J, 
as desired. 
2. For IT G {£„ — T } , for any i £ I, there are two possible sub-cases, 
2-1) a G £ i )U , or 2-2) cr G EiiT.u. 
• Sub-case 2 -1 : cr G Ej>u 
The proof is very similar to case 1. 
From equation (3.5), sa G L(P') implies that for all i G / , sa G P~l{L{Gi)). It 
follows that 
Pi(scr) G L(Gi) 
In each basic plant model i G / we have cr G Sj , so 
Pi(5)cr G L(Gi) (3.8) 
From equations (3.7) and (3.8), and the controllability of Si it follows that 
Pi(s)a G L(Si) 
which implies Pi(sa) G L(Si), and therefore scr G P i_1(L(S'i)) = L(5j) for all 
i G / , as desired. 
• Sub-case 2-2: a G Ej ) r u 
It is quite obvious in this situation. 
Since cr ^ Ej, it is apparent that 
Pi (scr) = p^g) 
From equation (3.7), it follows that 
Pi(scr) G L(Si) 
which implies sa G Pf1(L(Si)) = L(Si) for all i G / , as desired. • 
40 
Now we will prove that the monolithic supervisor is controllable with respect to P. 
Theorem 3.4.1 Suppose that S\, S2 • • • Sn, P are denned according to Section 3.4.1 and 
S\, £2 • • • Sn are constructed following the procedure in Section 3.2. Then 
S = Si || £2 || • • • || Sn is controllable with respect to plant P. 
Proof: According to Lemma 1, we know that S% is controllable with respect to plant P. 
We also notice that L(§i) is a prefix-closed language, and 
L(S) = L(Si)r\L{S2)r\...nL{Sn) (3.9) 
so, L(S) is also a prefix-closed language. We only need to show 
L(S)E„ n L(P) C L(S) 
Let s G L(S), a G £„, and sa G L(P). We must show that sa G L(S). 
Prom equation (3.9), we know that 
s G L(Si), Vie I 
Since Si is controllable w.r.t. P (Lemma 1), it follows that 
sa € L(Si), Vie I 
so 
sa G L{S) 
as desired. • 
We have formally proved the controllability of S. The next subsection will argue in 
favor of S being nonblocking. 
3.4.3 Nonblocking 
For the nonblocking property of the monolithic supervisor, at first we will prove that the 
monolithic supervisor S is nonblocking for P'. 
Lemma 2 Suppose that Si, S2 • • • Sn, P' are defined according to Section 3.4.1 and Si, S2 • • • S, 
are constructed following the procedure in Section 3.2. Then S = Si || S2 || . . . || Sn is 
nonblocking for P'. 
41 
Proof: 
We already know that Si is nonblocking for Gj from Section 3.2. And Si is identical 
to Si except that the events not in Ej are self-looped, so Si is nonblocking for P'. 
In order to prove this Lemma, we need to show: 
LZ(S/P') = L{S/P') 
Since Lm(S/P') C L(S/P') is automatic, we only need to show 
L(S/P') C ZZiS/P') 
We will prove it by contradiction. If we assume that 
L(S/P') £ L^(S/P') 
then there exists s G ~L^(S/P') and a G E such that su G L{S/P') but scr ^ T^(S/P'). 
Two cases need to be considered: 1) a G Ej — {T} for some i G I, 2) a = T. 
1. For o- e Ei - {T}, 3t G 7, 
It follows from the assumption that for some i G I, 
sa G L(Si) n L(P') 
and since 5j is nonblocking for P', then 
sc rGL m (^ )nL m (PO 
Since a is self-looped in all states of Sj, j =fi i, (i, j G I) it follows that 
sa G I m ( 5 i ) n . . . n L r a ( 5 n ) n L m ( P ' ) = L^(S/P') 
which is a contradiction. 
2. For a = T, 
It also follows from the assumption that for all i s / , 
sT G L(50 n L(P') 
42 
and similarly, since Si is nonblocking for P', then 
sT E Lm(Si) n Lm(P'), Vz e I 
It follows that 
sT G L m ( 5 i ) n . . . n L m ( 5 n ) n L m ( P ' ) = I ^ ( 5 / P ' ) 
which is a contradiction, too. • 
Next, we will give an informal explanation why S is also nonblocking for P. 
Since P = P' \\ B% || P>i || . . . || Bm, we need to consider whether Bi will introduce 
a blocking situation. After checking the structures of forward buffer and feedback buffer, 
we can state that both buffers will unlikely cause blocking when plant P is controlled by 
S. The reason is that they don't disable any controllable events and all states are marked. 
Both buffers permit two controllable events which are generated from the preceding logic 
gate. After generating a controllable event, the forward buffer will generate a corresponding 
uncontrollable event and return to the initial, marked state. After generating a controllable 
event and waiting for the next cycle, the feedback buffer will also generate a corresponding 
uncontrollable event and return to the initial marked state. 
We conclude that the monolithic supervisor S is nonblocking for P based on the above 
proof and explanation. 
3.5 Conclusion 
In this chapter, at first we described the plant model and its supervisor of each basic logic 
gate. Then a motivating example was used to show the general logic verification process. 
At the same time, a reduced verification technique was introduced. Finally we gave a 




Diesel Generator S ta r tup 
Controller Function Verification 
4.1 Introduction 
Emergency Diesel Generator Set (GS) is a critical backup power supply system in many 
industries, especially in nuclear power plants. A typical GS consists of several subsystems 
(Fig. 4.1) [Fr96], including: 
• Diesel engine and generator, is the machine body itself. 
• Compressed air system, produces high-pressure compressed air to start GS. 
• Preheating system, maintains GS in hot state when GS is shutdown. 
• Lubrication oil system, lubricates GS. 
• Cooling water system, dissipates the heat of lubrication oil into cooling water. The 
cooling water is cooled by air cooler fan. 
• Fuel oil system, provides fuel oil. 
• Ventilation system, ventilates GS building when GS is running. 
When GS is in standby mode, the cooling water is heated by the electrical heater of 
preheating system to keep GS in hot state. A pre-lubricating oil pump is also running to 
44 
r ^ 
AIR COMPRESSOR J — ^ J U^-
STARTING VALVE 
FUE^OIk, _ . 
LUBRICATION OIL , 
>T* 
AJR COOLER h 
AIR COOLER FAN 
[ LUBRICATION OIL 1 ^ 
" ~ 1 TANK V*' 
• & 
DAILY FUEL TANK 





LUBRICATION OIL SUMP 
—\ HEAT EXCHANGER 
^J " & • - • 
WATER CIRCULATING 
PUMP - & 
Figure 4.1: Diesel generator flow diagram 
lubricate the machine. At this time, lubrication oil is heated by the water through the 
oil/water heat exchanger. However, when GS is running, it is the opposite, which means 
that lubrication oil is cooled by the water. The water itself is cooled by the air cooler fan 
located on top of the building when its temperature is higher than 80 degrees Celsius to 
prevent it from boiling. 
Once GS receives a starting order, it should start automatically by the high-pressure 
compressed air. The starting order will open a starting solenoid valve to conduct the high-
pressure compressed air to the engine cylinders. The maximum duration of starting order is 
5 seconds. When GS is started, the controller will simultaneously start the fuel oil transfer 
pump, emergency fuel feeding pump and building exhaust fan. The function of fuel oil 
transfer pump is to transfer the fuel oil from a large underground storage tank to a smaller 
and high-positioned daily tank. Emergency fuel feeding pump is used to supply fuel oil 
from the daily tank to the diesel engine. 
45 
The start order can be classified to two types, remote start order and local start order. 
The remote start order has higher priority and is triggered by a low voltage signal across 
a bus bar, which can only be reset by an operator or four emergency signals: overspeed, 
ground fault, under-voltage and emergency stop pushbutton. The local start order is usually 
generated by a test procedure which is performed periodically to check the availability of 
GS, so it has a lower priority. Local start order can be reset by a number of local alarm 
signals as well as a local operator. The stop order is sent to the engine governor to stop the 
supply of fuel oil. 
In this chapter we use the GS logic diagrams in a typical pressurized water reactor, 
and will verify the function of each logic diagram by the methodology presented in Chapter 
3. The reduced verification technique in Section 3.3.2 will be widely used in this chapter to 
simplify the verifications. 
4.2 GS Logic Diagram Verification 
4.2.1 GS Logic Diagram Verification Sequences 
The GS logic diagrams are attached in Appendix A [Pr96]. In each logic diagram, the 
following steps are taken: 
1. Events and their acronyms are listed. Each event is assigned two unique numbers, 
which correspond to the on and off conditions. An uncontrollable event represents 
an input signal while a controllable event represents an output signal. 
2. The monolithic supervisor SUPmon specifying the function of the current logic dia-
gram is generated by the methodology of Chapter 3 as shown in Fig. 4.2. 
3. The design requirements of the current logic diagram, given by GS system engineers, 
are formalized by automata. 
4. For each verification automaton model Vj we verify 
Lm(SUPmcm) C Lm(Vi) 
which means that the current logic diagram satisfies each of its requirements. 
46 
5. In some cases, the reduced verification technique may be applied and we will give 
a single state condition automaton C% and a simplified verification automaton V( to 
verify the requirement. The scope of applicability of the reduced verification technique 
will be discussed in Section 4.2.2. 
N o t e : T T C T will be used throughout these steps. 
In order to make the above steps clearer, two flow charts are developed to show the 
detailed process. Fig. 4.2 specifies the exact operations of steps 1 and 2. The inputs of 
these operations are: logic diagram, basic logic plant models, buffer models, and basic logic 
gates specifications. The output is a monolithic supervisor representing the function of the 
current logic diagram. We will also verify that the monolithic supervisor is isomorphic to 
the combination of modular supervisors, a fact that has been proven in Chapter 3. 
Fig. 4.3 specifies the exact operations of steps 3, 4 and 5. The output of Fig. 4.2, the 
monolithic supervisor SUPmon, is actually one of the two inputs in this flow chart. The 
only remaining input is the listed verbal design requirements of the logic diagram. These 
requirements could be given by GS system engineers who may not know DES or automata 
theory at all. How to interpret these requirements and convert them to automata is difficult 
and error-prone. In order to overcome this difficultly, we suggest that these requirements 
are described by some standard forms: 
• If XXX then YYY 
• Once XXX then YYY 
• When XXX then YYY 
XXX could be an input condition given by certain verbal logic expressions, such as A and B, 
A or B. YYY usually is the state of output signal. These forms can be easily expressed 
by boolean expressions, and consequently can be converted to automata without much 
difficulty. 
We can see that most of the operations in Fig. 4.2 and Fig. 4.3 can be taken into two 
parallel lines. One line is to obtain the monolithic supervisor and the other line is to convert 
the design requirements to specification automata. The two final steps in Fig. 4.3 integrates 
47 
One logic 
diagram is ready 
for verification 
Each signal is assigned 
two eventnumbers 
Define the basic plants GitGlr •*•, G„ 
and buffers fl,,S2,-••,#,„ 
Define the specifications Specv Specv • ••,Specn 
correspond ing to G,, Gv —, G„ 
Get the monolithic plant 
G^GjG1h-\\GHlBl\\B1\\-\\Bm 
Get the self - looped specifications Specx, Specv—, SpecH 
corresponding to Spect, SpecJt ••-, Specn 
Get the modular supervisor s 5,, Si,---,S„ 
by S, = SUPCQN(G,Spec,) /=!•••» 
Get the monolithic specification 
Spec = Spect C\ Spec2 fl • • • 0 SpecB 
Get the combination of modular supervisors Sup,^ 
by 5 « p p „ I = S ! n 5 i n - n 5 n . = l - n 
Get the monolithic supervisor Sup^ 
by Sup^n = SUPCON(G, Spec) 
Monolithic supervisor 
SupmoB of the logic diagram is) 
available for verification 
To Figure 4.3 
Figure 4.2: Monolithic supervisor generation process 
these two lines together and delivers the result of verification: whether the logic diagram 
satisfies the design requirements or not. 
Once the logic diagram cannot satisfy the design requirement, we can know the illegal 
behavior with the help of TTCT procedures and thus, can judge the possible following 
reasons. 
1. The automaton model is wrong and is not accordance with the logic diagram or design 
requirement. The model should be established again. 
48 
Design the automaton Vt 
specifying the requirement to 
verify the reduced supervisor 
Design the single state 
automaton Q specifying the 
assumed condition 
Monolithic supervisor 
Supmonot the logic 
diagram is available for 
verification 
Get thereduced monolithic supervisor Sup'm 
No, go back and 
find the mistakes. 
No, go back and 
find the mistakes. 
/The logic diagramN 
f satisfies this design J 
\ ^ requirement ^/ 
Figure 4.3: Logic Diagram verification process 
2. The logic diagram has problem and needs to be modified. 
3. The design requirement is not right and needs to be given again. 
Since the automata models are designed according to the verbal design requirements, 
the completeness of verification will mostly depend on the completeness of such verbal 
design requirements. 
4.2.2 Applicable Scope of Reduced Verification Technique 
As we mentioned earlier, the reduced verification technique is an efficient tool and will be 
frequently utilized in this chapter. Hence, a natural question to ask is under what kind 
of circumstances it should be applied. We believe this should be an engineering question 
49 
rather than a theoretical one, which implies that the answer could be given by different 
engineering scenarios instead of formal justification. 
We know that the reduced monolithic supervisor is the composition of a monolithic 
supervisor and an assumed condition with a single state, so the reduced supervisor is just 
the monolithic supervisor with all of the events not in the assumed condition removed. The 
critical questions are: 
• How can we know that there should be an assumed condition for a specification? 
• How can we make sure that the removed portion of the monolithic supervisor can still 
satisfy the design requirements? 
After carefully looking into the logic diagram, we list four scenarios to apply the reduced 
technique. 
1. The removed portion is already covered by other design requirements. The assumed 
condition should be defined based on the analysis of all design requirements. 
2. It 's a symmetrical structure, so the removed portion can be verified in an identical 
manner. The assumed condition can be defined based on the symmetrical structure 
of the design requirement and the logic diagram. 
3. The removed portion is not restricted by the design requirement. The assumed con-
dition should be defined according to the current design requirement. 
4. The assumed condition is a unique situation, which depends on the result of analyzing 
all design requirements. 
In the following section, it will be pointed out which scenario is applied when the 
reduced technique is utilized. 
4 .2 .3 T h e C o m p l e t e G S Logic D i a g r a m Veri f icat ion 
Now, we will start analyzing the logic diagrams page by page. 
1. Logic diagram 1. 1 
1
 Please refer to the corresponding logic diagram in Appendix A. 
50 
The design requirements are given below. 
(a) If fault in remote and local control bistable memory set (FRS) signal is on, GS 
starting remote control reset (RSR) signal should be on. 
(b) If remote start order (RSO) is off and stop authorization (SA) pushbutton is 
pressed, GS starting remote control reset (RSR) signal should be on. 
(c) Once GS starting remote control reset (RSR) signal is triggered by the situation 
described in (b), it can only be reset by one of the following two signals: 
• Remote start order (RSO) is on. 
• GS starting order bistable memory set (SOS) signal is off and stop autho-
rization (SA) pushbutton is not pressed. 
Table. 4.1 lists the events in this logic diagram. 









GS starting order bistable memory set 
Fault in remote and local control bistable memory set 
Remote start order 













By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 381 states and 1460 transitions. 
The formal automata models specifying the above requirements are designed as fol-
lows: 
• Requirement (a) is very straightforward and can be expressed in logic as RSR = 
FRS. Fig. 4.4 shows the automaton model expressing this requirement. 
• Requirement (b) can be expressed as RSR — RSO A SA. Fig. 4.5 shows the 




self - looped I - {FRS, FRS, RSR, RSR, T} 
Figure 4.4: Specification 1 of logic diagram 1 
RSO,SA RSO,SA 
RSR, RSR, T RSRJRSR 
self - looped I - {RSO, RSO, SA, SA, RSR, RSR, T} 
Figure 4.5: Specification 2 of logic diagram 1 
Requirement (c) can be expressed as RSR = RSO V (SA A SOS). Observe that 
by requirement (a), RSR can also be set by FRS. Fig. 4.6 shows the condition 
automaton model, which means that FRS signal is removed to make sure that 
RSR is triggered by the mechanism described in (b) only. Fig. 4.7 shows the 
automaton model based on this assumed condition. 
I-{FRS} 
Figure 4.6: Assumed condition for specification 3 of logic diagram 1 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 








Figure 4.7: Specification 3 of logic diagram 1 
requirements. 
Please notice that the reduced verification technique has been employed in verification 
of design requirement (c). 
2. Logic diagram 2. 
The design requirements are given below. 
(a) If remote start order (RSO) is on and fault in remote and local control bistable 
memory set (FRS) signal is off and GS starting remote control reset (SRR) signal 
is off, GS starting remote control bistable memory set (SRS) signal should be on 
and maintained until GS starting remote control reset (SRR) signal is on. 
(b) While GS starting remote control reset (SRR) signal is on, GS starting remote 
control bistable memory set (SRS) signal should always be off. 
Table. 4.2 is the events list in this logic diagram. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 32 states and 73 transitions. 
The formal automata models specifying the above requirements are designed as fol-
lows: 
53 







Fault in remote and local control bistable memory set 
Remote start order 
GS starting remote control reset 











• Requirement (a) can be expressed as SRS = FRS A RSO A SRR. Since SRR on 
signal will be verified in requirement (b), we can design the condition automaton 
model in Fig. 4.8 to combine with the monolithic supervisor and get a reduced 
supervisor, which means that SRR is off. In this situation, the design require-
ment can be simplified as SRSnew = SRS0id V (FRS A RSO). Here SRS0id is 
the current state of SRS and SRSnew is the state of next cycle. Fig. 4.9 shows 
the automaton model in accordance with this requirement. We can see that only 
output SRS is permitted in the last state. 
I-{SRR} 
Figure 4.8: Assumed condition for specification 1 of logic diagram 2 
T,FRS T, FRS, FRS 
RSO, SRS RSO, RSO, SRS 
FRS, RSO self-looped Z-{RSO,RSO,FRS,FRS,SRS,SRS,T} 
Figure 4.9: Specification 1 of logic diagram 2 





Figure 4.10: Specification 2 of logic diagram 2 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 
each of these automata, which means that the logic diagram satisfies the listed design 
requirements. 
3. Logic d i a g r a m 3. 
The design requirements are given below. 
(a) If fault in remote and local control bistable memory set (FRS) signal is on, GS 
starting order reset (SOR) signal should be on. 
(b) If GS starting remote control bistable memory set (SRS) signal is off, either 
fault in local control monostable memory set (FLS) signal or local stop (LS) 
pushbutton should make GS starting order reset (SOR) signal on. 
(c) If GS starting remote control bistable memory set (SRS) signal is on and fault 
in remote and local control bistable memory set (FRS) signal is off, GS starting 
order reset (SOR) signal should always be off. 
Table. 4.3 is the events list in this logic diagram. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 92 states and 277 transitions. 
The formal automata models specifying the above requirements are designed as fol-
lows: 
55 








Fault in remote and local control bistable memory set 
Fault in local control monostable memory set 
Local stop 
GS starting remote control bistable memory set 













• Requirement (a) can be expressed as SOR = FRS. Fig. 4.11 shows the automa-
ton model in accordance with this requirement. 
T, SOR, SOR, FRS 
self-looped I-{FRS,FRS,SOR,SOR,T} 
Figure 4.11: Specification 1 of logic diagram 3 
• Requirement (b) can be expressed as SOR = SRS A (FLS V LS). Fig. 4.12 
shows the condition automaton model used to get a reduced supervisor, which 
means that SRS is off, since SRS on signal has been covered by requirements 
(a) and (c). In this situation, the design requirement can be simplified as SOR = 
FLS V LS. Fig. 4.13 shows the desired automaton model. 
I - {SRS} 
-8 
Figure 4.12: Assumed condition for specification 2 of logic diagram 3 
• Requirement (c) can be expressed as SOR — SRS A FRS. Fig. 4.14 shows the 
56 
T,SOR, SOR LS, FLS 
LS 
F L S
 » Q self-looped I-{LS,FLS,SRS,T) 
^SOF 
Figure 4.13: Specification 2 of logic diagram 3 
desired automaton model. 
FRS,SRS FRS,SRS 
SOR,T SOR, SOR 
self - looped Z- {FRS, FRS, SRS, SRS, SOR, SOR, T} 
Figure 4.14: Specification 3 of logic diagram 3 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 
each of these automata, which means that the logic diagram satisfies the listed design 
requirements. 
4. Logic diagram 4. 
The design requirements are given below. 
(a) GS starting order reset (SOR) on signal should always reset GS starting order 
bistable memory set (SOS) signal. 
(b) If GS starting order reset (SOR) signal is off, then GS starting remote control 
bistable memory set (SRS) signal should make GS starting order bistable memory 
set (SOS) signal on. 
57 
(c) If GS starting order reset (SOR) signal is off and local start (LT) pushbutton is 
pressed and fault in local control monostable set (FLS) signal is off and local stop 
(LS) pushbutton is not pressed and GS starting remote control bistable memory 
set (SRS) signal is off, then GS starting order bistable memory set (SOS) signal 
should be on. 
(d) If GS starting order bistable memory set (SRS) signal is on, then it should be 
maintained until GS starting order reset (SOR) signal is on. 
Table. 4.4 is the events list in this logic diagram. 









Fault in local control monostable memory set 
Local stop 
GS starting remote control bistable memory set 
Local start 
GS starting order reset 















By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 271 states and 983 transitions. 
The formal automata models specifying the above requirements are designed as fol-
lows: 
• Requirement (a) can be expressed as SOS = SOR. Fig. 4.15 shows the automa-
ton model in accordance with this requirement. 
• Requirement (b) can be expressed as SOS = SOR A SRS. Fig. 4.16 shows 
the condition automaton model used to get a reduced supervisor, which means 
that SOR signal is off, since SOR on signal has been dealt with in requirement 
(a). In this situation, the design requirement can be simplified as SOS = SRS. 
58 
T,SOR,SOS,SOS 
self-looped I - {SOR, SOR, SOS, SOS.T} 
Figure 4.15: Specification 1 of logic diagram 4 
Fig. 4.17 shows the desired automaton model. 
Z-{SOR} 
Figure 4.16: Assumed condition for specification 2 of logic diagram 4 
T,SRS 
SOS, SOS 
self-looped I-{SRS, SRS,SOS, SOS,T} 
Figure 4.17: Specification 2 of logic diagram 4 
• Requirement (c) can be expressed as SOS = SOR A SRS A LT A FLS A LS. 
Fig. 4.18 shows the condition automaton model used to get a reduced supervisor, 
which means that SOR, SRS, FLS, LS will be discarded. In this situation, the 
design requirement can be simplified as SOS = LT. Fig. 4.19 shows the desired 
automaton model. The assumed condition here is a mixed situation. Since 
SOR has been covered by requirement (a) and SOR A SRS has been covered by 
requirement (b), we only need to verify the all combinations of LT, FLS and LS. 
It is a symmetrical structure and the other two cases can be verified similarly as 
follows: 
59 
(a) SOR, SRS, LT, LS will be discarded and the design requirement will be 
SOS = TLS. 
(b) SOR, SRS, LT, FLS will be discarded and the design requirement will be 
SOS = TS. 
I-{SOR,SRS,FLS,LS} 
Figure 4.18: Assumed condition for specification 3 of logic diagram 4 
T,LT,SOS, SOS 
self - looped I - {LT, T f , SOS,"SOS, SOR, SRS, FLS, LS, T} 
Figure 4.19: Specification 3 of logic diagram 4 
• Requirement (d) can be expressed as 
If SOS0id = 1, then SOSnew = ~SOR. 
Fig. 4.20 shows the automaton model in accordance with this requirement. We 
can notice that once SOS is set it will be maintained until SOR is on. 
SOR, SOR SOR, SOS 
SOS,T T 
8 SOS U SOR _ K ) * 0 self-looped Z-{SOR, SOR.SOS, SOS,T} 
^ ^ S O S ^ ^ " 
Figure 4.20: Specification 4 of logic diagram 4 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 
—«0 LT »Q 
Xsos^/ 
60 
each of these automata, which means that the logic diagram satisfies the listed design 
requirements. 
5. Logic diagram 5. 
The design requirement is given below. 
If started lubrication oil pressure greater than 1.5 bar (LOP) signal is off and GS 
starting order bistable memory set (SOS) signal is on, start pulse (SP) signal should 
be on. If started lubrication oil pressure greater than 1.5 bar (LOP) signal is on when 
GS starting order bistable memory set (SOS) signal is on, the start pulse should be 
off immediately, otherwise the start pulse (SP) should last at most 5 seconds. 
Table. 4.5 is the events list in this logic diagram. 






Started lubrication oil pressure > 1.5 bar 
GS starting order bistable memory set 









There is a power-on delay in this logic diagram and it will be modeled by one cycle 
(T) delay, so we can only verify that the time duration is one cycle time (T) instead 
of 5 seconds. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 56 states and 132 transitions. 
The design requirement can be expressed as SP = (LOP A SOS) | , where f means 
that the output SP will be set only one cycle time (T) even though LOP is off and 
SOS is on for more than 2 cycles. Fig. 4.21 shows the desired automaton model. We 
can see that SP is maintained only for one cycle time. 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by this 
61 
Figure 4.21: Specification 1 of logic diagram 5 
automaton, which means that the logic diagram satisfies the design requirements. 
6. Logic diagram 6. 
The design requirements are given below. 
(a) If generator exciter contactor (ECC) closed signal is off, then the real under-
voltage set (UVS) signal should never be generated. 
(b) If generator exciter contactor (ECC) closed signal is on and any 2 out of 3 under-
voltage sensors (UV1, UV2, UVS) send under-voltage signal, the real under-
voltage set (UVS) signal should be generated. 
Note: The power-on delays in this logic diagram will not be modeled. 
Table. 4.6 is the events list in this logic diagram. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 535 states and 1589 transitions. 
The formal automata models specifying the above requirements are designed as fol-
lows: 
• Requirement (a) can be expressed as UVS = ECC. Fig. 4.22 shows the automa-
ton model in accordance with this requirement. 
• Requirement (b) can be expressed as: 
62 


























self - looped I - {ECC, ECC, UVS, UVS, T} 
Figure 4.22: Specification 1 of logic diagram 6 
UVS = ECC A {(UV1 A UV2) V (UV1 A UVS) V (UV2 A UVS)) 
Fig. 4.23 shows the automaton model used to get a reduced supervisor, which 
means that ECC signal is on. The ECC off signal has been verified by re-
quirement (a). In this situation, the design requirement can be simplified as: 
UVS = (UV1 A UV2) V (UV1 A UVS) V (UV2 A UVS) 
Fig. 4.24 shows the desired automaton model. 
I-{ECC} 
~8 
Figure 4.23: Assumed condition for specification 2 of logic diagram 6 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 
each of these automata, which means that the logic diagram satisfies the listed design 
63 
self -looped I-{UV1, UV1, UV2, UV2, UV3, UV3, UVS, UVS, T} 
Figure 4.24: Specification 2 of logic diagram 6 
requirements. 
7. Logic d i a g r a m 7. 
The design requirements are given below. 
(a) Any of the following signals should make fault in remote and local control bistable 
memory set (FRS) signal on: 
• Overspeed (OS) 
• Emergency stop (ES) 
• Under-voltage set (UVS) 
• Ground fault (GF) 
(b) If fault in remote and local control bistable memory set (FRS) signal is on and 
none of the above signals exists, then it can be reset by fault acknowledge (FA) 
pushbutton. 
Table. 4.7 is the events list in this logic diagram. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 268 states and 1043 transitions. 
The formal automata models specifying the above requirements are designed as fol-
lows: 
• Requirement (a) can be expressed as: 
64 





























FRS = OSVESV UVS V GF 
Fig. 4.25 shows the automaton model in accordance with this requirement. 
OS, OS 
self - looped I - {OS, OS, ES, ES, UVS, UVS, FRS, FRS, T} 
Figure 4.25: Specification 1 of logic diagram 7 
• Requirement (b) can be expressed as: 
TRS = O~S AE~S AUVS AGF A FA 
Due to its symmetric structure, we only verify one case. Fig. 4.26 shows the 
condition automaton model used to get a reduced supervisor, which means that 
ES, UVS, and GF are assumed to be off. In this situation, the design require-
ment can be simplified as: 
FRS = OS A FA. Fig. 4.27 shows the desired automaton model. 
65 
I-{ES,UVS,GF} 
Figure 4.26: Assumed condition for specification 2 of logic diagram 7 
FRS 
self - looped I - {OS, OS, FA, FA, FRS, FRS, T} 
Figure 4.27: Specification 2 of logic diagram 7 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 
each of these automata, which means that the logic diagram satisfies the listed design 
requirements. 
8. Logic diagram 8. 
The design requirements are given below. 
Any of the following signals should generate fault in local control alarm (FLO): 
• Crankcase pressure high (CPH) 
• Exhaust gas temperature high (ETH) 
• Oil sump level low (OLL) 
• Lubrication oil pressure low (OPL) 
• Lubrication oil temperature high (OTH) 
• Cooling water temperature high (WTH) 
66 
• Cooling water tank level low (WLL) 
• Cooling water pressure low (WPL) 
Table. 4.8 is the events list in this logic diagram. 












Crankcase pressure high 
Exhaust gas temperature high 
Oil sump level low 
Oil pressure low 
Oil temperature high 
Cooling water temperature high 
Cooling water tank level low 
Cooling water pressure low 





















By applying the operations of Fig. 4.2, we can obtain a supervisor 2 which has 13072 
states and 78679 transitions. 
The requirement can be expressed as: 
FLO = CPH V ETH V OLL V OPL V OTH V WTH V WLL V WPL 
Fig. 4.28 gives the automaton to realize this function. 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by this 
automaton, which means that the logic diagram satisfies the design requirements. 
9. Logic d i a g r a m 9. 
The design requirements are given below. 
2The computing scale of monolithic supervisor is over the limit of TTCT, so the supervisor is generated 




^ ™ CPH,ETH 
WLMVPL
 0 L L ; 0 p L 
T
'
 Fi=Q OTH, WTH 
OLL, OLL, OPL, OPL 
OTH, OTH, WTH, WTH 
WLL,WLL,WPL,WPL 
self - looped {others} 
Figure 4.28: Specification 1 of logic diagram 8 
(a) GS starting remote control bistable memory set (SRS) signal should always make 
fault in local control monostable memory set (FLS) signal off. 
(b) If GS starting remote control bistable memory set (SRS) signal is off, then fault 
in local control alarm (FLO) signal should make fault in local control monostable 
memory set (FLS) signal on. While FLS is on only fault in local control alarm 
(FLO) off signal together with fault acknowledge (FA) pushbutton pressed signal 
can make it off. 
Table. 4.9 is the events list in this logic diagram. 








Fault in local control alarm 
GS starting remote control bistable memory set 











By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 62 states and 135 transitions. 
68 
The formal automata models specifying the above requirements are designed as fol-
lows: 
• Requirement (a) can be expressed as: FLS — SRS. Fig. 4.29 shows the automa-
ton model in accordance with this requirement. 
SRS, FLS, FLS, T 
SRS, 
self - looped I-{SRS, SRS, FLS, FLS,T} 
Figure 4.29: Specification 1 of logic diagram 9 
Requirement (b) can be shown by two expressions: 
FLS = SRS A FLO 
FLS = SRS A FLO A FA 
Fig. 4.30 gives the condition automaton model to get the reduced supervisor 
when SRS is off. SRS on signal has been covered by requirement (a). In this 
case, the above two expressions can be simplified as: 
FLS=FLO 
FLS = FLO A FA 
Fig. 4.31 gives the automaton to realize the function of the first expression and 
Fig. 4.32 gives the automaton to realize the function of the second one. Please no-
tice that the priority of FLO over FA has been covered by requirement (a), since 
FLO on signal will always make FLS signal off as demonstrated in Fig. 4.31, 
which does not care the state of FA. 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 




Figure 4.30: Assumed condition for specification 2 and 3 of logic diagram 9 
US-
self-looped I-{FLO,FLO,FLS,FLS,T} 
Figure 4.31: Specification 2 of logic diagram 9 
FA, FLS FLS 
self - looped I - {FA, FLS, FLS} 
Figure 4.32: Specification 3 of logic diagram 9 
10. Logic diagram 10. 
The design requirements are given below. 
(a) If no start (NS) signal is off or GS starting order bistable memory set (SOS) 
signal is off, then no starting fault alarm (NSA) should always be off. 
(b) When GS starting order bistable memory set (SOS) signal is on for 10 seconds or 
more and no start (NS) signal is still on, no starting fault alarm (NSA) should 
be on. 
Table. 4.10 is the events list in this logic diagram. 
The 10 seconds power-on time delay will be modeled by one cycle time (T) power-on 
time delay, so requirement (b) will be changed to: When GS starting order bistable 
70 







GS starting order bistable memory set 









memory set (SOS) signal is on for at least two cycles and no start (NS) signal is still 
on, no starting fault alarm (NSA) will be on. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 42 states and 79 transitions. 
The formal automata models specifying the above requirements are designed as fol-
lows: 
• Requirement (a) can be expressed by: NSA = NS V SOS. Fig. 4.33 shows the 
automaton model in accordance with this requirement. 
NSA, NSA, T NS,SOS 
self-looped I - {NS, SOS, NSA, NSA, T} 
Figure 4.33: Specification 1 of logic diagram 10 
• Requirement (b) can be shown by the following expression: 
NSA = NSA (SOS /) 
/ denotes power-on time delay. Fig. 4.34 gives the condition automaton model 
to get the reduced supervisor under the assumption that NS is on. NS off signal 
has been dealt with by requirement (a). In this case, the above two expressions 
can be simplified as: 
NSA = SOS / 
71 
Fig. 4.35 gives the automaton to realize the function. We can see that NSA is 
generated after SOS happens twice in succession. 
Z-{NS} 
-«—K 
Figure 4.34: Assumed condition for specification 2 of logic diagram 10 
NSA,SOS NSA NSA, SOS 
self - looped I - {SOS, SOS, NSA, NSA} 
Figure 4.35: Specification 2 of logic diagram 10 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 
each of these automata, which means that the logic diagram satisfies the listed design 
requirements. 
11. Logic diagram 11. 
The design requirements are given below. 
(a) When air tank pressure low (APL) signal is on, air compressor starting order 
should be issued. 
(b) When air tank pressure low (APL) signal is on for more than 8 seconds and air 
compressor lubrication oil pressure low (LOL) signal is still on, air compressor 
stopping order (ACS) should be issued. 
(c) When air tank pressure high (APE) signal is on, air compressor stopping order 
(ACS) should be issued. 
72 
Table. 4.11 is the events list in this logic diagram. 







Air tank pressure high 
Air tank pressure low 
Compressor lubrication oil pressure low 











Because air tank pressure low signal directly drives air compressor starting order 
signal and no logic gate is involved, requirement (a) will not be verified. And for 
simplicity, the 8 seconds power-on time delay in requirement (b) will be skipped as 
well. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 30 states and 71 transitions. 
The formal automata models specifying requirements (b) and (c) are designed as 
follows: 
• Requirement (b) can be expressed as: 
ACS = APL V LOL 
Fig. 4.36 shows the automaton model in accordance with this requirement. 
• Requirement (c) can be shown by the expression: ACS = APH. Fig. 4.37 gives 
the automaton needed to realize the function. 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 
each of these automata, which means that the logic diagram satisfies the listed design 
requirements (b) and (c). 
12. Logic diagram 12. 
73 
APL,LOL APL,LOL 
ACS,ACS, T ACS, ACS 
self - looped Z - {APL, APL, LOL, LOL, ACS, ACS, T} 
Figure 4.36: Specification 1 of logic diagram 11 
APH,T 
^ACS^ 
self-looped I - {APH, APH, ACS, ACS, T} 
Figure 4.37: Specification 2 of logic diagram 11 
The design requirements are given below. 
(a) When GS starting order bistable memory set (SOS) signal is on, fuel oil transfer 
pump starting order should be issued. 
(b) When GS starting order bistable memory set (SOS) signal is off or fuel oil transfer 
pump stop pushbutton (FPP) is pressed, fuel oil transfer pump stopping order 
(FPS) should be issued. 
Table. 4.12 is the events list in this logic diagram. 
Because GS starting order bistable memory set signal directly drives fuel oil transfer 
pump starting order signal and no logic gate is involved, requirement (a) will not be 
verified. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 8 states and 15 transitions. 
74 






Fuel oil transfer pump stop pushbutton 
GS starting order bistable memory set 









Requirement (b) can be expressed as: 
FPS = FPP V SOS 
Fig. 4.38 gives the automaton needed to realize the function. 
FPP, SOS FPP, FPP 
FPS, T SOS, SOS 
Figure 4.38: Specification 1 of logic diagram 12 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by this 
automaton, which means that the logic diagram satisfies requirement (b). 
13. Logic diagram 13. 
The verification of this logic diagram is skipped due to its simplicity. 
14. Logic diagram 14. 
The design requirements are given below. 
(a) When started lubrication oil pressure greater than 1.5 bar signal is off for more 
than 120 seconds, pre-lubricating pump and water circulating pump starting order 
should be issued. When started lubrication oil pressure greater than 1.5 bar is 
75 
on, pre-lubricating pump and water circulating pump stopping order should be 
issued. 
(b) When both preheating water temperature lower than 80 degrees (PTL) signal 
and water circulating pump started (WPS) signal are on, electrical water heater 
starting order (WHS) should be issued. 
(c) When preheating water temperature lower than 80 degrees (PTL) signal is off 
or water circulating pump stopped (WPP) signal is on, electrical water heater 
stopping order (WHP) should be issued. 
Table. 4.13 is the events list in this logic diagram. 








Water circulating pump stopped 
Water circulating pump started 
Preheating temperature low < 80 
Electrical water heater stopping order 













Requirement (a) has no logic gate involved, so it will not be verified. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 30 states and 77 transitions. 
The formal automata models specifying the requirements (b) and (c) are designed as 
follows: 
• Requirement (b) can be expressed as: 
WHS = WPS A PTL 
Fig. 4.39 shows the automaton model specifying this requirement. 




self - looped I - {WPS, WPS, PTL, PTL, WHS, WHS, T} 
Figure 4.39: Specification 1 of logic diagram 14 
WHP = WPP V PTL 
Fig. 4.40 gives the automaton needed to realize the function. 
WPP, PTL WPP, WPP 
self-looped I-{WPP, WPP, PTL, PTL, WHP, WHP, T} 
Figure 4.40: Specification 2 of logic diagram 14 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 
each of these automata, which means that the logic diagram satisfies the listed design 
requirements. 
15. Logic d i a g r a m 15. 
The design requirements are given below. 
(a) When GS starting order bistable memory set (SOS) signal is on and air cooler 
temperature high (ATE) signal is on, air cooler fan starting order (AFS) should 
be issued. 
77 
(b) When GS starting order bistable memory set (SOS) signal is off, air cooler fan 
stopping order should be issued. 
Table. 4.14 is the events list in this logic diagram. 






GS starting order bistable memory set 
Air cooler temperature high 









Requirement (b) has no logic gate involved, so it will not be verified. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 8 states and 15 transitions. 
Requirement (a) can be expressed as: 
AFS = SOS A ATH 
Fig. 4.41 gives the automaton needed to realize the function. 
SOS,ATH SOS,ATH 
AFS,T AFS 
Figure 4.41: Specification 1 of logic diagram 15 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by this 
automaton, which means that the logic diagram satisfies requirement (a). 
78 
16. Logic diagram 16. 
The design requirements are given below. 
(a) When GS starting order bistable memory set (SOS) signal is on, diesel engine 
building exhaust fan starting order should be issued. 
(b) When exhaust fan stop pushbutton (EFS) is pressed or GS starting order bistable 
memory set (SOS) signal is off, diesel engine building exhaust fan stopping order 
(EFP) should be issued. 
Table. 4.15 is the events list in this logic diagram. 






GS Starting order bistable memory set 
Exhaust fan stop pushbutton 









Requirement (a) has no logic gate involved, so it will not be verified. 
By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 8 states and 15 transitions. 
Requirement (b) can be expressed as: 
EFP = EFS V 'SOS 
Fig. 4.42 gives the automaton needed to realize the function. 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by this 
automaton, which means that the logic diagram satisfies requirement (b). 
17. Logic diagram 17. 
The verification of this logic diagram is skipped due to its simplicity. 
79 
EFS,SOS EFS,EFS 
EFP, T SOS, SOS 
Figure 4.42: Specification 1 of logic diagram 16 
18. Logic diagram 18. 
The design requirements are given below. 
(a) When lubrication oil tank level high (OLE) signal is off and oil transfer pump 
pushbutton (0P0) is pressed, oil transfer pump starting order (OPS) should be 
issued. 
(b) When lubrication oil tank level high (OLH) signal is on or oil transfer pump 
pushbutton (0P0) is released, oil transfer pump stopping order (OPP) should 
be issued. 
Table. 4.16 is the events list in this logic diagram. 







Lubrication oil tank level high 
Oil transfer pump pushbutton 
Oil transfer pump stopping order 











By applying the operations of Fig. 4.2, we can obtain a monolithic supervisor, which 
has 12 states and 21 transitions. 
The formal automata models specifying these requirements are designed as follows: 
80 
• Requirement (a) can be expressed as: 
OPS = ~OLHAOPO 
Fig. 4.43 shows the automaton model specifying this requirement. 
OLH, OPO OLH, OPO 
Figure 4.43: Specification 1 of logic diagram 18 
• Requirement (b) can be shown by the expression: 
OPP = OLH\/OPO 
Fig. 4.44 gives the automaton needed to realize the function. 
self-looped {OPS, OPS} 
Figure 4.44: Specification 2 of logic diagram 18 
Through TTCT, we can verify that the language generated by the system under the 
supervision of the monolithic supervisor is a subset of the language generated by 




In this chapter, first we described the composition and basic operation principle of an 
emergency diesel generator set. Then we presented the detailed logic diagram verification 
process based on the methodology developed in Chapter 3. The applicable scope of reduced 
verification technique is discussed, too. The final part of this chapter is to verify GS logic 
diagrams page by page. The purpose is to show that logic function verification by modular 
supervisory control of DES is feasible and has potential industrial application value. One 
thing we need to point out again is that since the verification automata are designed based 
on verbal design requirements, the completeness of the logic verification depends not only on 
how to convert the verbal requirements to automata, but also on how to give and interpret 
these verbal requirements. Our efforts in this chapter is to ensure that each informal 
requirement is correctly expressed by an automaton. 
82 
Chapter 5 
Conclusion and Future Research 
5.1 Conclusion 
This dissertation has proposed a feasible way to verify the industrial logic diagrams by 
modular supervisory control of discrete-event system. 
Our approach is based on a single logic diagram. In the first step we establish the basic 
plants for basic logic gates. Even though we have used T T C T to establish these models, we 
just partially adopt the timed discrete-event models to make the forcible events preempt 
the time cycle (T) when necessary and thus, satisfy the function requirements of flip-flops. 
The duration of the time delay is not modeled. 
Next we create the specification model of each logic gate according to its truth table. 
Using T T C T procedures, we verify their controllability and nonblocking. To obtain a 
centralized supervisor for a logic diagram, it is necessary to introduce the forward and 
feedback buffers to form a monolithic plant. We also treat the power-on and power-off time 
delays as buffers to simplify our models. After we convert the verbal design requirements to 
automata, the verification can be easily conducted by TTCT. If the logic diagram cannot 
satisfy certain requirement, with the help of T T C T procedures, we can quickly capture the 
illegal behaviors and then find out whether the problems originate in the logic diagram, 
design requirement or the implementation process. 
Next, a formal proof of controllability and a semi-formal proof of nonblocking are 
presented. These are important and necessary steps if we would like to apply this method 
83 
to a real industrial application. 
Finally, an industrial example, an emergency diesel generater startup controller is taken 
to fully demonstrate our methodology. The reduced verification technique is frequently 
employed to reduce the complexity of specification model. 
One critical work in Chapter 4 is how to interpret each informal verbal requirement 
and convert it to a specification automaton. All of the verification steps can be automat-
ically performed by computer except the informal verbal requirements interpretation and 
conversion, which need manual effort. 
We believe that our method has its unique advantage over other methods. Nevertheless, 
it surely has some limitations pointing out possible directions for future research. We have 
verified a single logic diagram; verification of the high-level requirements for the whole 
system is still an open issue. A complete timed model should also be introduced to verify 
the time function. 
5.2 Future Research 
Our work is the initial step. Some of potential future challenges are described in the 
following : 
1. Based on our present work, by incorporating the modular and hierarchy approaches, 
the centralized controller for the whole system could possibly be built to verify multiple 
logic diagram or high-level specifications. The interconnections between the logic 
diagrams can be similarly modeled as buffers; we can also consider that there is 
a communication mechanism to coordinate the information exchange between these 
logic diagrams. 
2. Many control systems have time delays and other timing functions. To include the 
real-time feature, we must extend our models to timed models. The suggested buffer 
models for the time delays in our work are too simple to verify their actual time values. 
3. We can develop a software platform which is embedded with the T T C T procedures 
and our methodology. Then this platform could be used to verify the logic diagrams 
by the design engineer. 
84 
4. Our methodology could also be extended to test real industrial controller programs, 
such as those of PLCs. Since we adopted the program execution cycle (T) in each 
model, the final centralized controller model already reflects the execution sequence 
of a real industrial controller. 
5. Creating formal requirements from informal verbal requirements still needs manual 
effort in our thesis. However, this research field is quite active currently. By combining 
these research results with our method, the new method could possibly become a 
completely automatic solution. 
85 
Bibliography 
[Amo95] E. G. Amoroso, "Creating formal specifications from informal requirements doc-
uments," SIGSOFT Software Engineering Notes, vol. 20, pp. 67-71, 01. 1995. 
[CC04] S. W. Cheon, K. H. Cha and K. C. Kwon, "The Software Verification and Valida-
tion Tasks for a Safety Critical System in Nuclear Power Plants," International 
Journal of Safety, vol. 3, pp. 38-46, 2004. 
[DC00] O. De Smet, S. Couffin, "Safe programming of PLC using formal verification 
methods," Proc. 4th Int. PLCopen Conf. on Industrial Control Programming 
(ICP'2000), Utrecht, the Netherlands, pp. 73-74. 2000. 
[FH98] M. Fabian and A. Hellgren, "PLC-based implementation of supervisory control 
for discrete events ystems," Decision and Control, 1998. Proceedings of the 37th 
IEEE Conference on, vol. 3, 1998. 
[FL00] G. Frey and L. Litz, "Formal methods in PLC programming," Systems, Man, 
and Cybernetics, 2000 IEEE International Conference on, vol. 4, 2000. 
[Fr96] "Emergency Diesel Generator System Design Manual," Framatome, Paris, 
France, 1996. 
[FW88] F. Lin and W. M. Wonham, "Decentralized supervisory control of discrete-event 
systems," Information Sciences, vol. 44, pp. 199-224, 4. 1988. 
[GD06] V. Gourcuff, O. De Smet and J. M. Faure, "Efficient representation for formal 
verification of PLC programs," Discrete Event Systems, 2006 8th International 
Workshop on, pp. 182-187, 2006. 
86 
[HelOl] A. Hellgren, "Modelling and Implementation Aspects of Supervisory Control," 
Licentiate Thesis, Chlmers University of Technology, Sweden, 2001. 
[HL02] A. Hellgren, B. Lennartson and M. Fabian, "Modelling and PLC-based imple-
mentation of modular supervisory control," Discrete Event Systems, 2002.Pro-
ceedings. Sixth International Workshop on, pp. 371-376, 2002. 
[Hu03] R. Huuck, "Software Verification for Programmable Logic Controllers," Ph.D. 
dissertation, Kiel University, Germany, 2003. 
[JB93] W. Johnson, K. Benner and D. Harris, "Developing formal specifications from 
informal requirements," Expert, IEEE [See also IEEE Intelligent Systems and 
their Applications], vol. 8, pp. 82-90, 1993. 
[LD02] J. Liu and H. Darabi, "Ladder logic implementation of Ramadge-Wonham super-
visory controller," Discrete Event Systems, 2002.Proceedings.Sixth International 
Workshop on, pp. 383-389, 2002. 
[Led96] R. Leduc, "PLC Implementation of a DES Supervisor for a Manufacturing 
Testbed: An Implementation Perspective," M.A.Sc, Toronto University, Canada, 
1996. 
[LW95] R. Leduc and W. Wonham, "Discrete event systems modeling and control of a 
manufacturing testbed," Electrical and Computer Engineering, 1995.Canadian 
Conference on, vol. 2, 1995. 
[LY05] K. Loeis, M. B. Younis and G. Frey, "Application of symbolic and bounded model 
checking to the verification of logic control systems," in 10th IEEE International 
Conference on Emerging Technologies and Factory Automation, PP. 4, 2005. 
[Mon06] M. Moniruzzaman, "Implementing supervisory control maps with PLC," M.A.Sc, 
Concordia University, Canada, 2006. 
[Moo94] I. Moon, "Modeling programmable logic controllers for logic verification," Control 
Systems Magazine, IEEE, vol. 14, pp. 53-59, 1994. 
87 
[RK98] M. Rausch and B. Krogh, "Formal verification of PLC programs," American 
Control Conference, 1998.Proceedings of the 1998, vol. 1, 1998. 
[RW87] P. J.Ramadge and W.M.Wonham, "Supervisory control of a class of discrete event 
processes," SIAM J. Control and Optimization, 25(1):206-230,1987. 
[Won06] W.M.Wonham, "Supervisory control of discrete-event systems," 
http://www.control.toronto.edu/people/profs/wonham/wonham.html, 2006. 
[WR87] W.M.Wonham and P.J.Ramadge, "On the supremal controllable sublanguage of 
a given language," SIAM J. Control and Optimization, 25(3):637-659, May 1987. 
[WR88] W. M. Wonham and P. J. Ramadge, "Modular supervisory control of discrete-
event systems," Mathematics of Control, Signals, and Systems (MCSS), vol. 1, 
pp. 13-30, 1988. 
[YK05] J. Yoo, T. Kim, S. Cha, J. S. Lee and H. Seong Son, "A formal software require-
ments specification method for digital nuclear plant protection systems," The 
Journal of Systems & Software, vol. 74, pp. 73-83, 2005. 
[ZV98] M. C. Zhou and K. Venkatesh, Modeling, Simulation, and Control of Flexible 




Diesel Generator Startup 





























To logic diagram 2 
Figure A.l: Logic diagram 1 
'The double-framed block is a physical input signal. The bold-framed block is a physical output signal. 
The other type blocks are the intermediate logic boolean signals. 
90 




















To logic diagram 3,4, 9 































To logic diagram 4 
















LOCAL STOP LOCAL START 
>=1 
& 











To logic diagram 
1,5,10,12,13,15,16 
Figure A.4: Logic diagram 4 
93 















To logic diagram 10 

















To logic diagram 7 
























To logic diagram 1,2 





































To logic diagram 9 


















To logic diagram 3,4 






Figure A.9: Logic diagram 9 
98 






















STOPPING I STARTING 
STARTING AIR 
COMPRESSOR 
STOPPED I STARTED 
Figure A.11: Logic diagram 11 
100 






STOPPING I STARTING 
FUEL OIL 
TRANSFER PUMP 





Figure A.12: Logic diagram 12 
101 
STOPPING I STARTING 
EMERG. FUEL 
FEED PUMP 
STOPPED I STARTED 














Figure A.14: Logic diagram 14 
103 






STOPPING I STARTING 
AIR COOLER FAN 




Figure A. 15: Logic diagram 15 
104 


























Figure A.17: Logic diagram 17 
106 
LUBRICATION 
OIL TANK LEVEL 
HIGH 
>=1 
STOPPING I STARTING 
OIL TRANSFER 
PUMP 






Figure A. 18: Logic diagram 18 
107 
