Non-blocking Supervisory Control of Timed Automata using Forcible Events by Rashidinejad, Aida et al.
Non-blocking Supervisory Control of Timed Automata using Forcible Events
Downloaded from: https://research.chalmers.se, 2021-08-31 12:32 UTC
Citation for the original published paper (version of record):
Rashidinejad, A., Van Der Graaf, P., Reniers, M. et al (2020)
Non-blocking Supervisory Control of Timed Automata using Forcible Events
IFAC-PapersOnLine, 53(4): 356-362
http://dx.doi.org/10.1016/j.ifacol.2021.04.035
N.B. When citing this work, cite the original published paper.
IFAC PapersOnLine 53-4 (2020) 356–362
ScienceDirect
Available online at www.sciencedirect.com
2405-8963 Copyright © 2020 The Authors. This is an open access article under the CC BY-NC-ND license.
Peer review under responsibility of International Federation of Automatic Control.
Non-blocking Supervisory Control of Timed Automata using Forcible Events
Aida Rashidinejad ∗, Patrick van der Graaf ∗, Michel Reniers ∗, Martin Fabian ∗∗
∗ Control Systems Technology, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands (e-mail: {a.rashidinejad,m.a.reniers}@tue.nl)
∗∗ Department of Electrical Engineering, Chalmers University of Technology, Sweden (e-mail: fabian@chalmers.se)
Abstract: Real-valued clocks make the state space of timed automata (TA) infinite. Conventional supervisory control synthesis techniques are only applicable to finite automata (FA). Therefore, to synthesize a supervisor for TA using conventional techniques, an abstraction of TA to FA is required. For many applications, the abstraction of real-time values results in an explosion in the finite state space. This paper presents a supervisory control synthesis technique applied directly to TA without any abstraction. The plant is given as a TA with a set of uncontrollable events and a set of forcible events that may preempt the passage of time. To obtain a non-blocking controlled system, a synthesis algorithm is proposed that delivers a supervisor (also as a TA) avoiding the blocking states. The algorithm works by (iteratively) strengthening the guards of edges labeled by controllable events and the invariants of locations where time progress can be preempted by forcible events.
Keywords: Automata, forcible event, real-time, non-blocking, supervisory control, synthesis.
1. INTRODUCTION
Discrete-event systems (DES) are event-driven systems with a set of discrete states. Traffic systems, communication networks, and manufacturing systems are examples of DES (Cassandras and Lafortune, 2009). DES are often modeled by means of finite automata (FA). In order to provide a compact representation for complex and large DES, FA have been extended with discrete variables into extended finite automata (EFA) (Skoldstam et al., 2007). In EFA, edges are associated with events as well as guard constraints and updates of variables.
In order to ensure that a DES satisfies a desired behaviour, supervisory control theory (SCT) has been developed (Ramadge and Wonham, 1989). For a DES, SCT synthesizes a supervisor that guarantees that the closed-loop system satisfies the desired behaviour.
In DES, only the sequences of events matter, and the time of event occurrences is neglected. However, there exist many applications for which it is necessary to involve timing information. For instance, the processing time of a manufacturing system may be given by a specific time window (Wong-Toi and Hoffmann, 1991). Considering time in DES would also be very important in a network-based supervisory control setting due to the presence of time delays (Rashidinejad et al., 2018). To incorporate time in a DES, real-time discrete-event systems (RTDES) have been introduced (Khoumsi, 2002).
(Footnote) This research has received funding from the European Union's Horizon 2020 Framework Programme for Research and Innovation under grant agreement no 674875.
Based on the model of time (discrete or dense), two types of RTDES have been proposed in the literature: 1. timed discrete-event systems (TDES), and 2. timed automata (TA). TDES are DES in which there exists a digital clock, and each event is supposed to occur between a lower and an upper time bound (Brandin and Wonham, 1994). The semantics of a TDES is given as a timed transition graph (TTG). A TTG is an FA that includes a tick event that represents the passage of the smallest measurable time unit (Brandin and Wonham, 1994). Similar to DES, TDES have been extended with discrete variables into timed extended finite automata (TEFA) (Miremadi et al., 2015). In (Brandin and Wonham, 1994), SCT of DES has been extended for TDES. The main problem that discrete-time modeling faces is the state space explosion, especially for systems with various time scales. Moreover, specifying the time of each event occurrence by fixed lower and upper bounds restricts the applications that can be modeled using TDES.
In order to consider dense time in DES, TA have been proposed (Alur and Dill, 1994). A TA is modeled by means of an FA (including a finite set of locations) extended with a finite set of real-valued clocks. Edges between locations of a TA are associated with both events and timing constraints (guards). A TA is considered a more natural way to model real-life applications not only because it considers real-time, but also because it allows multiple and different timing constraints for events. However, the inclusion of time makes the state space of TA infinite. Consequently, conventional supervisory control synthesis approaches are not adequate for TA. To overcome this problem in existing
works, TA are abstracted to FA for which a supervisor can be synthesized using existing synthesis methods (Wong-Toi and Hoffmann, 1991; Tripakis and Altisen, 1999; Maler et al., 1995). The abstraction of TA to FA is based on region or zone equivalences introduced by Alur and Dill (1994). Abstraction-based synthesis of timed automata has also been implemented in tools such as UPPAAL-TIGA (Behrmann et al., 2007).
In general, zone-based abstractions do not preserve sufficient information required for synthesis (Ouedraogo et al., 2010). On the other hand, region-based abstractions typically suffer from the state-space explosion problem, making industrial-sized systems intractable (Khoumsi and Nourelfath, 2002; Tripakis and Yovine, 2001). To overcome the state space explosion of region-based abstraction, a transformation is introduced by Khoumsi and Nourelfath (2002) which achieves an FA from a TA (without location invariants) using two special events Set and Exp. The event Set represents the set and reset of a clock, and Exp indicates the expiration of the clock. Although the transformation results in a minimal FA, the synthesis technique is not satisfying since it is currently unknown how to refine the synthesized supervisor (as an FA with Set and Exp events) to a TA (with these events translated into time constraints).
The objective of this paper is to provide a supervisory control synthesis technique that is applied directly on TA without involving any abstraction. The method presented in this paper is closely related to the synthesis technique for EFA (Ouedraogo et al., 2011). For an EFA with a set of forbidden locations, Ouedraogo et al. (2011) present a synthesis algorithm that iteratively strengthens the guards of edges labeled with controllable events until all the forbidden and blocking states are avoided.
The main difference between TA and EFA is that the semantics of TA is a (semantic) graph which includes time transitions besides event transitions. Compared to Ouedraogo et al. (2011), our work provides the following contributions:
• to each location is associated an invariant in the form of clock constraints, determining the time that the TA is allowed to stay in the location.
• a subset of the events is forcible, i.e., these events may preempt time passage at a location where they are enabled.
• we define a non-blocking predicate for each location that determines the condition under which a location is non-blocking. Nonblockingness of locations (see Definition 4) is determined based on the semantic graph (see Definition 3) of the TA: a state is non-blocking whenever a marked state is reachable from that state. In reaching the marked state not only execution of events (as in EFA), but also time passage is considered.
• we define a bad-state predicate for each location that determines the condition under which a bad state is reached in the semantic graph of the TA. In TA with forcible events, a bad state is a blocking state, or a state from which a bad state is reachable through uncontrollable events (as in EFA) or non-preemptable time passage.
• to avoid the bad states, a synthesis algorithm is presented which strengthens not only the guards of edges labeled by controllable events, but also the invariants of locations where time is preemptable.
The rest of the paper is organized as follows. Formal definitions related to TA are given in Section 2. Section 3 introduces the problem investigated in this paper. The synthesis algorithm is presented in Section 4. Section 5 concludes the paper and discusses future work.
2. PRELIMINARIES
A TA is an FA extended with a set of real-valued clocks. Formally, a TA is defined as in (Alur and Dill, 1994).
Definition 1. (Timed Automaton). A timed automaton is a 7-tuple (C, L, Σ, E, Lm, L0, I) where
• C is a finite set of clocks x ∈ R≥0 that are defined locally and can be read by other automata (the initial value of each clock variable is assumed to be 0),
• L is a finite set of locations,
• Σ is a finite set of events,
• E is a finite set of edges with elements e of the form (ls, σ, g, r, lt) for which ls, lt ∈ L are the source and target locations, respectively, σ ∈ Σ, g is the guard (clock constraint) which is a predicate over clock variables, and r is the clock reset (update) which is an assignment of the clock variables specifying which clocks are reset to 0,
• Lm ⊆ L is the set of marked locations,
• L0 ⊆ L is the set of initial locations,
• I is a function associating an invariant to each location l ∈ L. An invariant is a clock constraint that needs to be satisfied when the system is in the location. □
In this paper, no assumption is made on the clock constraints representing guards and invariants. Moreover, we frequently use the notation Pred[u], for a predicate Pred and an update u. The meaning of this notation is a predicate in which all occurrences of the variables are replaced by the right-hand sides of their updates. For instance, the predicate (x ≥ 3)[x := x + y] gives x + y ≥ 3. Moreover, we frequently use the notation P(C) to indicate the set of all predicates over the clock variables.
In this paper, we only deal with deterministic TA, defined as in (Alur and Dill, 1994).
Definition 2. (Deterministic TA). A timed automaton G = (C, L, Σ, E, Lm, L0, I) is deterministic if it has only one initial location and for all l ∈ L, σ ∈ Σ, and any pair of edges of the form (l, σ, g1, −, −) ∈ E and (l, σ, g2, −, −) ∈ E, the clock constraints g1 and g2 are mutually exclusive. □
In examples, TA are depicted graphically. The locations are represented by circles, and the edges by arrows from the source location to the target location labeled with the event, the guard, and the update. The initial location is depicted by a dangling incoming arrow, and marked locations by double circles. Every TA has an underlying semantic graph (Alur and Dill, 1994; Tripakis and Yovine, 2001).
Definition 3. (Semantic graph). The semantic graph of a TA G = (C, L, Σ, E, Lm, l0, I) is a labeled graph with
a set of states L × (C → R≥0) consisting of a location and a clock valuation (i.e., a function that assigns a non-negative real value to each clock). The initial state is (l0, 0), where 0 denotes the clock valuation where all the clock variables have value 0. The semantic graph has the following transitions:
• time transition: from state (l, u) to state (l, u + Δ) labeled with delay Δ ∈ R≥0 if u + δ satisfies I(l) for any δ such that 0 ≤ δ ≤ Δ. Note that for a valuation u and a real value δ, u + δ denotes the clock valuation with (u + δ)(c) = u(c) + δ for each clock c in the domain of u.
• event transition: from state (ls, us) to state (lt, us[r]) labeled by event σ if there is an edge e = (ls, σ, g, r, lt) such that us satisfies g, and us[r] satisfies I(lt).
Moreover, states (l, u) in the semantic graph with l ∈ Lm (regardless of the clock valuation u) are marked. A word in the semantic graph of G is a finite sequence (with ε denoting the empty sequence) of labels (a non-negative real value representing passage of an amount of time or an event). A state in the semantic graph of G is called reachable if it can be reached from the initial state via a word w ∈ (Σ ∪ R≥0)∗. The language of G, indicated by L(G), is the set of all words in its semantic graph starting from the initial state. □
Based on the semantic graph, some relevant notions for
timed automata are defined.
Definition 4. (Non-blockingness). A state in a semantic
graph is non-blocking if there exists a path leading from
that state to a marked state, i.e., a state (lt, ut) with
lt ∈ Lm. A TA is non-blocking if all of the reachable states
in its semantic graph are non-blocking. 
Applications are usually modeled by a network of au-
tomata, where each automaton represents a subsystem.
A single automaton representing the network can then be
composed by the synchronous product of the constituent
automata.
Definition 5. (Synchronous product of TA). The synchronous product of two TA G1 = (C1, L1, Σ1, E1, L1m, l10, I1) and G2 = (C2, L2, Σ2, E2, L2m, l20, I2), under the assumption that C1 ∩ C2 = ∅, is given by G1||G2 = (C1 ∪ C2, L1 × L2, Σ1 ∪ Σ2, Ep, L1m × L2m, (l10, l20), Ip), where for each l1 ∈ L1 and l2 ∈ L2, Ip(l1, l2) = I1(l1) ∧ I2(l2), and each edge in Ep is as follows:
• take e ∈ Σ1\Σ2, then for every (ls1, e, g1, r1, lt1) ∈ E1 and ls2 ∈ L2, ((ls1, ls2), e, g1, r1, (lt1, ls2)) ∈ Ep.
• take e ∈ Σ2\Σ1, then for every (ls2, e, g2, r2, lt2) ∈ E2 and ls1 ∈ L1, ((ls1, ls2), e, g2, r2, (ls1, lt2)) ∈ Ep.
• take e ∈ Σ1 ∩ Σ2, then for every (ls1, e, g1, r1, lt1) ∈ E1 and (ls2, e, g2, r2, lt2) ∈ E2, ((ls1, ls2), e, g1 ∧ g2, r1 ∪ r2, (lt1, lt2)) ∈ Ep.
The set of events of a TA is partitioned into disjoint sets of uncontrollable events Σuc and controllable events Σc. Uncontrollable events are events that occur spontaneously in the plant, such as disturbances or sensor readings. In the figures, edges labeled by uncontrollable events are indicated by dashed lines. Passage of time is uncontrollable by nature. However, it may be preempted by a forcible event belonging to Σfor ⊆ Σ. Note that, as in Brandin and Wonham (1994), both controllable and uncontrollable events can be forcible. An example of an uncontrollable forcible event is the landing of a plane, where air defense could force the plane to land within some time but not prevent it from landing eventually (Brandin and Wonham, 1994). Forcible events are underlined in the figures. The following definition of controllability for TA with forcible events is inspired by Brandin and Wonham (1994).
Definition 6. (Controllability of TA with forcible events). Given a timed plant G with uncontrollable events Σuc and forcible events Σfor, a supervisor S is controllable w.r.t. G if ∀s ∈ L(S||G) and ∀σ ∈ (Σuc ∪ R≥0), if sσ ∈ L(G) then
(1) sσ ∈ L(S||G) for σ ∈ Σuc, otherwise,
(2) sσf ∈ L(S||G) for some σf ∈ {σ} ∪ Σfor.
Property (1) in the above definition is the standard controllability property: S cannot disable uncontrollable events that G may generate. However, for a time event σ ∈ R≥0, an enabled forcible event may preempt the passage of time, which is captured by Property (2).
3. PROBLEM STATEMENT
The problem that is solved in the rest of the paper is
formalized below.
Problem Statement: For a given TA G (representing
a plant) with a set of uncontrollable events and a set
of forcible events, the objective is to synthesize a TA
S (a supervisor) such that the supervised plant S||G is
controllable and non-blocking.
To clarify the problem and the proposed solution, the bus-pedestrian example from Brandin and Wonham (1994) is used.
Example 1. (Bus-pedestrian). Consider a bus that is headed directly for a pedestrian and will run over him at time x = 2 if he does not move. The pedestrian needs an amount of time y = 1 to realise his fate, after which he has the chance to jump out of the bus's path. If the pedestrian jumps before the bus passes, he is safe.
Fig. 1. Plant automata from Example 1.
Figure 1 gives the automata representing the bus, pedestrian, and the safe behaviour of the system. The safe behaviour is modeled in such a way that if the pedestrian jumps before the bus passes, then the system goes to a marked state. Otherwise,
the system goes to a blocking state. The event pass is
uncontrollable, and the event jump is controllable and
forcible. The synchronous product of the bus, pedestrian
and the safe behaviour automata is shown in Figure 2.
[Figure 2 not reproduced; labels recovered from the extraction: locations (a, r, 0), (g, r, ⊥), (a, c, 1) and invariant x ≤ 2]
Fig. 2. Synchronous product of the TA from Example 1.
Considering Example 1, a supervisor is required that prevents the plant from reaching the blocking location (location (g, r, ⊥) in Figure 2) while respecting controllability (Definition 6). The rest of the paper discusses how to synthesize such a supervisor.
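As an added example (my own code, not the paper's), the following Python renders Definition 5 directly and applies it to the bus-pedestrian plant of Example 1. Figure 1 is not on the page, so the three component automata are my reading of the prose (bus invariant x ≤ 2 with pass at x = 2, jump enabled once y ≥ 1, a safe-behaviour automaton whose marked location 2 is reached only when jump precedes pass); the location-level reachability at the end ignores clocks and yields the four locations of Figure 2.

```python
from dataclasses import dataclass
from itertools import product

# A guard or invariant is a conjunction of atomic clock constraints, kept as a
# frozenset of strings: the empty set is "true" and conjunction is set union.
TRUE = frozenset()
NO_RESET = frozenset()

@dataclass(frozen=True)
class Edge:
    src: object
    event: str
    guard: frozenset
    reset: frozenset      # clocks reset on the edge
    dst: object

@dataclass
class TA:
    clocks: frozenset
    locs: frozenset
    events: frozenset
    edges: frozenset
    marked: frozenset
    init: object
    inv: dict             # location -> invariant

def sync_product(g1, g2):
    """Definition 5: G1 || G2 for TA with disjoint clock sets."""
    if g1.clocks & g2.clocks:
        raise ValueError("Definition 5 requires C1 ∩ C2 = ∅")
    shared = g1.events & g2.events
    edges = set()
    for e1 in g1.edges:
        if e1.event not in shared:                  # e ∈ Σ1 \ Σ2: G2 stays put
            for l2 in g2.locs:
                edges.add(Edge((e1.src, l2), e1.event, e1.guard, e1.reset, (e1.dst, l2)))
    for e2 in g2.edges:
        if e2.event not in shared:                  # e ∈ Σ2 \ Σ1: G1 stays put
            for l1 in g1.locs:
                edges.add(Edge((l1, e2.src), e2.event, e2.guard, e2.reset, (l1, e2.dst)))
    for e1 in g1.edges:
        for e2 in g2.edges:
            if e1.event == e2.event:                # e ∈ Σ1 ∩ Σ2: synchronise
                edges.add(Edge((e1.src, e2.src), e1.event, e1.guard | e2.guard,
                               e1.reset | e2.reset, (e1.dst, e2.dst)))
    locs = frozenset(product(g1.locs, g2.locs))
    return TA(g1.clocks | g2.clocks, locs, g1.events | g2.events, frozenset(edges),
              frozenset(product(g1.marked, g2.marked)), (g1.init, g2.init),
              {(l1, l2): g1.inv[l1] | g2.inv[l2] for (l1, l2) in locs})

def reachable_locations(ta):
    """Locations reachable when guards and invariants are ignored: a superset of
    the locations that occur in the semantic graph of Definition 3."""
    seen, todo = {ta.init}, [ta.init]
    while todo:
        l = todo.pop()
        for e in ta.edges:
            if e.src == l and e.dst not in seen:
                seen.add(e.dst)
                todo.append(e.dst)
    return frozenset(seen)

def flat(loc):
    """Render a nested product location ((a, r), 0) as (a, r, 0)."""
    return loc[0] + (loc[1],)

# Bus-pedestrian components as read from the prose of Example 1 (Figure 1 is not
# on the page, so these models are assumptions): the bus approaches (a) under
# I(a) = x ≤ 2 and passes at x = 2; the pedestrian realises (r) and may jump once
# y ≥ 1; the safe-behaviour automaton reaches its marked location 2 only when
# jump precedes pass, and the blocking location ⊥ otherwise.
BUS = TA(frozenset({"x"}), frozenset({"a", "g"}), frozenset({"pass"}),
         frozenset({Edge("a", "pass", frozenset({"x = 2"}), NO_RESET, "g")}),
         frozenset({"g"}), "a", {"a": frozenset({"x ≤ 2"}), "g": TRUE})
PED = TA(frozenset({"y"}), frozenset({"r", "c"}), frozenset({"jump"}),
         frozenset({Edge("r", "jump", frozenset({"y ≥ 1"}), NO_RESET, "c")}),
         frozenset({"c"}), "r", {"r": TRUE, "c": TRUE})
SAFE = TA(frozenset(), frozenset({0, 1, 2, "⊥"}), frozenset({"jump", "pass"}),
          frozenset({Edge(0, "jump", TRUE, NO_RESET, 1), Edge(1, "pass", TRUE, NO_RESET, 2),
                     Edge(0, "pass", TRUE, NO_RESET, "⊥")}),
          frozenset({2}), 0, {0: TRUE, 1: TRUE, 2: TRUE, "⊥": TRUE})

def bus_pedestrian():
    """(BUS || PED) || SAFE, the plant shown in Figure 2."""
    return sync_product(sync_product(BUS, PED), SAFE)

if __name__ == "__main__":
    g = bus_pedestrian()
    live = reachable_locations(g)
    for e in sorted(g.edges, key=str):
        if e.src in live:
            print(flat(e.src), e.event, sorted(e.guard), "->", flat(e.dst))
```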
4. SUPERVISORY CONTROL SYNTHESIS
In this section, an algorithm is proposed to synthesize
a supervisor for a plant modeled as a TA (introduced
in Definition 1). The supervisor is synthesized from the
plant by adapting the guards and invariants such that
the supervised plant is non-blocking and controllable. In
other words, considering the semantic graph of a TA,
the objective is to prevent the possibility of reaching
the blocking states. In order to apply synthesis without any abstraction, it is first determined for which clock valuations a location is non-blocking, by computing a so-called non-blocking predicate for each location. To take care of controllability, preventing the blocking states can be achieved only by disabling controllable transitions. Therefore, blocking states as well as states from which a blocking state is reachable through an uncontrollable event transition or an uncontrollable time transition need to be avoided.
These states are referred to as bad states. Bad states of
a TA are captured by the bad-state predicate associated
to each location. The bad-state predicate of a location
gives the clock valuations for which the location is mapped
to a bad state in the semantic graph. Based on the bad-
state predicate of locations, the guards of edges labeled by
controllable events and invariants of locations where time
is preemptable are adapted so as to guarantee that the
closed-loop system avoids any bad states while respecting
controllability.
Figure 3 gives an overview of the synthesis procedure. As
indicated in the figure, there are two loops: 1. guard adap-
tation (Loop-1) considers how the supervisor can affect the
controllable events, and 2. invariant adaptation (Loop-2)
considers how the invariants can be modified using the
concept of forcible events. In the following, first, each step
of synthesis depicted in Figure 3 (non-blocking and bad-
state conditions, and guard and invariant adaptation) is
described in detail. Afterwards, the synthesis algorithm is
Fig. 3. An overview of the synthesis procedure.
4.1 Non-Blocking Condition
The first step is to compute the clock valuations for which
a location of the plant l ∈ L is non-blocking. For this
purpose, Algorithm 1 is introduced which gives the non-
blocking predicate of each location N(l). Initially, N(l)
is set to I(l) for all marked locations and to false for all
other locations (line 2). For each location, the non-blocking
predicate N i+1(l) is updated based on 1. the previous non-
blocking predicate N i(l); 2. the condition for any outgoing
edge e = (l, σ, g, r, l′) to lead to a non-blocking location;
and 3. the condition to stay (for some time delay δ ≤ ∆) in
a non-blocking location as long as the invariant is satisfied
(line 4). This will be repeated until a fix-point is reached
where the non-blocking predicate stays the same for all
locations (line 6).
Algorithm 1 follows the same steps as presented for the
non-blocking predicate of EFA in Ouedraogo et al. (2011)
with the following adjustments (indicated in red in Algo-
rithm 1):
(1) The initial non-blocking condition for marked loca-
tions is set to the location invariant I(l) instead of
true. This is to take into account the invariants of
the marked locations.
(2) In the update, the invariant of the target location
is added to the second term to guarantee that the
invariant of the target location is satisfied upon
entrance of that location.
(3) The third term is added to take into account the time
transitions in the semantic graph of the TA that may
be used for reaching a non-blocking state.
Example 2 visualizes how Algorithm 1 works.
Example 2. (Non-blocking predicates for bus-pedestrian).
Consider the bus-pedestrian from Example 1. The result
of Algorithm 1 is given in Table 1. The conditions for
locations (g, r,⊥) and (g, c, 2) are left out, as they are false
and true respectively, for all iterations.
Algorithm 1 Non-blocking Predicate (NBP)
Input: G = (C, L, Σ, E, Lm, l0, I)
Output: N : L → P(C)
1: i := 0
2: for l ∈ L do N^0(l) := I(l) if l ∈ Lm, and false otherwise
3: repeat
4: for l ∈ L do
$$N^{i+1}(l) := N^{i}(l) \;\vee\; \bigvee_{l \xrightarrow{\sigma,g,r} l'} \big(g \wedge I(l')[r] \wedge N^{i}(l')[r]\big) \;\vee\; \exists \Delta \in \mathbb{R}_{\ge 0}\ \forall \delta \le \Delta\ \big(I(l)[C+\delta] \wedge N^{i}(l)[C+\delta]\big)$$
5: i := i + 1
6: until ∀l ∈ L: N^i(l) = N^{i−1}(l)
7: for l ∈ L do N(l) := N^i(l)
Table 1. Non-blocking predicate for bus-pedestrian.
i | N^i(a, r, 0)   | N^i(a, c, 1)
0 | false          | false
1 | false          | x = 2
2 | x = 2 ∧ y ≥ 1  | x ≤ 2
3 | x ≤ 2 ∧ y ≥ 0  | x ≤ 2
4 | x ≤ 2          | x ≤ 2
4.2 Bad-state Condition
Taking into account controllability (Definition 6), it is not enough to compute only the non-blocking condition to achieve a controllable supervisor. It is also needed to determine whether the blocking states are reached in an uncontrollable manner, i.e., through an uncontrollable event transition or through a non-preemptable time transition. This issue is captured by the bad-state predicate. For each location l ∈ L, Algorithm 2 gives the bad-state predicate B(l).
Initially, B(l) is set to the logical negation of N(l) for
each location l ∈ L (line 2) because these characterize the
blocking states. Then for each location (line 4), the bad-
state predicate Bj+1(l) is updated based on
(1) the previous bad-state predicate Bj(l);
(2) the condition of any outgoing edge e = (l, σ, g, r, l′)
labeled by an uncontrollable event σ ∈ Σuc to lead to
a bad state; and
(3) the condition of staying in a bad state for some time
delay δ ≤ ∆ as long as the invariant is satisfied for
all the clock variables and while there is no forcible
event able to preempt time for any δ′ ≤ δ.
This is repeated until a fix-point is reached where the bad-
state predicate stays the same for all locations (line 6).
The differences (indicated in red) between Algorithm 2 and the bad-state condition of EFA presented by Ouedraogo et al. (2011) are as follows: 1. the invariant of the target location is considered to determine whether the uncontrollable transition exists in the semantic graph of the TA; 2. the third term takes into account the non-preemptable time transitions leading to a bad state.
Example 3. (Bad-state predicates for bus-pedestrian). By applying Algorithm 2 to the bus-pedestrian example, the bad-state predicates of locations (a, r, 0) and (a, c, 1) are obtained as in Table 2. The bad-state predicates for (g, r, ⊥) and (g, c, 2) are true and false, respectively.
Algorithm 2 Bad-State Predicate (BSP)
Input: G = (C, L, Σ, E, Lm, l0, I), N
Output: B : L → P(C)
1: j := 0
2: for l ∈ L do B^0(l) := ¬N(l)
3: repeat
4: for l ∈ L do
$$B^{j+1}(l) := B^{j}(l) \;\vee\; \bigvee_{\substack{l \xrightarrow{\sigma,g,r} l' \\ \sigma \in \Sigma_{uc}}} \big(g \wedge I(l')[r] \wedge B^{j}(l')[r]\big) \;\vee\; \exists \Delta \in \mathbb{R}_{\ge 0}\ \forall \delta \le \Delta\ \Big(\big(B^{j}(l)[C+\delta] \wedge I(l)[C+\delta]\big) \wedge \forall \delta' \le \delta\ \neg \bigvee_{\substack{l \xrightarrow{\sigma,g,r} l' \\ \sigma \in \Sigma_{for}}} \big(g[C+\delta'] \wedge I(l')[C+\delta'][r] \wedge \neg B^{j}(l')[C+\delta'][r]\big)\Big)$$
5: j := j + 1
6: until ∀l ∈ L: B^j(l) = B^{j−1}(l)
7: for l ∈ L do B(l) := B^j(l)
Table 2. Bad-state predicate for bus-pedestrian.
j | B^j(a, r, 0) | B^j(a, c, 1)
0 | x > 2        | x > 2
1 | x ≥ 2        | x > 2
2 | x ≥ 2        | x > 2
4.3 Guard Adaptation
Considering Figure 3, in Loop-1, the guards are adapted
to obtain a supervisor that prevents the blocking states.
For this purpose, the guard of each edge e = (l, σ, g, r, l′)
labeled by a controllable event σ ∈ Σc is adjusted to
become e = (l, σ, g ∧ ¬B(l′)[r], r, l′).
4.4 Invariant Adaptation
So far, forcible events have not been taken into account.
The effect of forcible events preempting time events is
taken into account in the invariant adaptation (Loop-2).
Example 4 clarifies how the invariant adaptation affects
the result of the synthesis.
Example 4. Consider the plant given in Figure 4 for which
Σuc = {a} and Σfor = {b}. The non-blocking and bad-
state predicates are N(0) = x < 1, N(1) = false, N(2) =
true, B(0) = x ≥ 1, B(1) = true, B(2) = false. Assume
that the synthesis is limited to the guard adaptation.
Then, the result would be an empty supervisor since there
is no way to prevent the blocking state. However, since
the edge (0, b, x < 1,−, 2) is enabled at location 0, time is
preemptable there, and I(0) = x ≤ 2 can be changed to
x < 1 to satisfy non-blockingness.
The invariant of a location l ∈ L can be changed only if
there exists an edge labeled by a forcible event f ∈ Σfor
starting from l. In this case, the invariant is adapted to
prevent the blocking states as follows:
I(l) := I(l) ∧ ¬B(l).
Fig. 4. Plant of Example 4.
Considering Figure 3, after the invariant adaptation, the
synthesis goes back to Loop-1 (guard adaptation). There-
fore, one needs to be careful that if a forcible event starting
from location l becomes disabled (in some later iteration),
then the invariant of l should be set back to its original
value. This issue is considered in Loop-2 of the synthesis
algorithm.
4.5 Synthesis Algorithm
In Algorithm 3, the synthesis algorithm is presented. For
a TA G with a set of uncontrollable events Σuc, and a
set of forcible events Σfor , it results in a non-blocking and
controllable supervisor S = (C,L,Σ, Es, Lm, l0, Is). In this
algorithm, the following concepts are used:
• the notation . is used to refer to an element of a tuple.
For instance, e.σ refers to σ from e.
• the notation FS(l) = {e ∈ Es | e.ls = l, e.σ ∈ Σfor, e.g is satisfiable} gives the set of edges of S starting from location l that are labeled by a forcible event and whose guard is satisfiable.
The algorithm starts from S = G. As indicated in Figure 3, in the inner loop (lines 6–11), the guards of edges labeled by controllable events are adapted. In the outer loop (lines 5–17), the invariants of locations where there exists an edge labeled by a forcible event are adapted until a fix-point is
reached. Note that if the invariant of a location is adapted,
and in some later iteration, the guard of the edge labeled
by the forcible event becomes unsatisfiable, the invariant
should be set back to the original one (from the plant).
This issue is captured in line 15. In case that the guard
of the edge labeled by the forcible event becomes false at
location l, then the invariant is set back to I(l).
Remark 1. In Algorithm 3, the conditions for repetition
depend on constraints on clock variables that do not nec-
essarily have a finite number of possible values. Therefore,
Algorithm 3 terminates only under certain assumptions
on guards and location invariants of TA. The assumptions
are not discussed here, as this paper presents the primary
results.
Conjecture 1. Consider a TA G and the supervisor S
resulting for G from Algorithm 3 (if it terminates). Then,
S is controllable for G, and the supervised plant S||G is
non-blocking. 
Algorithm 3 Supervisory control synthesis of TA
Input: G = (C, L, Σ, E, Lm, l0, I), Σuc, Σc, Σfor
Output: S = (C, L, Σ, Es, Lm, l0, Is)
1: S := G
2: m, n := 0
3: for e ∈ Es, e = (l, σ, g, r, l′) do e.g^0 := e.g
4: for l ∈ L do I_s^0(l) := I(l)
5: repeat                                  ⊳ Loop-2: invariant adaptation
6: repeat                                  ⊳ Loop-1: guard adaptation
7: N^{m,n} := NBP(S)
8: B^{m,n} := BSP(S, N^{m,n})
9: for e ∈ Es such that e.σ ∈ Σc do e.g^{m+1} := e.g^m ∧ ¬B^{m,n}(l′)[r]
10: m := m + 1
11: until ∀e ∈ Es: e.g^m = e.g^{m−1}
12: for e ∈ Es do e.g := e.g^m
13: for l ∈ L do
14: if FS(l) ≠ ∅ then I_s^{n+1}(l) := I_s^n(l) ∧ ¬B^{m,n}(l)
15: else I_s^{n+1}(l) := I(l)
16: n := n + 1
17: until ∀l ∈ L: I_s^n(l) = I_s^{n−1}(l)
18: for l ∈ L do Is(l) := I_s^n(l)
Example 5. (Supervisor synthesis for bus-pedestrian). Let us apply Algorithm 3 to the bus-pedestrian from Example 1. Initially, S is set to the plant depicted in Figure 2. First, the guard of the edge labeled by the controllable event jump is modified to y ≥ 1 ∧ x ≤ 2. Since N^{1,0} = N^{0,0} and also B^{1,0} = B^{0,0}, e.g^1 = e.g^0, and the inner loop stops. Next, for l0 = (a, r, 0), the invariant is adapted to x ≤ 2 ∧ x < 2 = x < 2. Since N^{1,1} = N^{1,0} and also B^{1,1} = B^{1,0}, I_s^1(l0) = I_s^0(l0) and the outer loop also terminates. The
[Figure 5 not reproduced; labels recovered from the extraction: x ≤ 2, (g, c, 2), x = 2, pass]
Fig. 5. Supervisor synthesized for bus-pedestrian from Example 1.
Remark 2. The synthesis procedure is easily adjustable for TA without forcible events as follows:
(1) the update of the bad-state predicate (Algorithm 2, line 4) changes to
$$B^{j+1}(l) := B^{j}(l) \;\vee\; \bigvee_{\substack{l \xrightarrow{\sigma,g,r} l' \\ \sigma \in \Sigma_{uc}}} \big(g \wedge B^{j}(l')[r] \wedge I(l')[r]\big) \;\vee\; \exists \Delta\ \forall \delta \le \Delta\ \big(B^{j}(l)[C+\delta] \wedge I(l)[C+\delta]\big)$$
since a time transition always becomes uncontrollable, and
(2) the algorithm ends after the inner loop indicated in Figure 3 since guard adaptation is the only modification that can be applied through synthesis.
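As an added illustration (my own code, not the paper's implementation), the following Python runs Algorithms 1, 2 and 3 on the plant of Example 4 and on its Remark 2 variant without forcible events, showing why guard adaptation alone yields an empty supervisor while invariant adaptation tightens I(0) to x < 1. It represents single-clock predicates as sets of clock regions, which is exact for integer constants but is my implementation choice rather than the paper's symbolic predicates, and reads the delay term as "the invariant holds throughout the delay and the predicate at its end", the reading that reproduces Table 1; Figure 4 is not on the page, so the guard of the uncontrollable edge a is assumed to be x ≥ 1 with location 1 a dead end.

```python
from collections import namedtuple

# Single-clock predicates are stored as sets of clock regions, which is exact for
# guards with integer constants up to K: region 2c is the point x = c, region
# 2c+1 is the open interval (c, c+1), and region 2K+1 is (K, inf). A delay moves
# the valuation through the regions in increasing index order.
K = 2
ALL = frozenset(range(2 * K + 2))

def pred(fn):
    """Region set of a point predicate on x, sampling each region at one representative value."""
    return frozenset(r for r in ALL if fn(r // 2 + 0.5 * (r % 2)))

# edges are tuples (src, event, guard, resets_x, dst); inv maps a location to a region set
TA = namedtuple("TA", "locs edges marked l0 inv uc forcible")

def subst(P, resets_x):
    """P[r]: after a reset of x the predicate is evaluated at x = 0 in every region."""
    return P if not resets_x else (ALL if 0 in P else frozenset())

def time_pre(target, inv, preempted):
    """Regions from which some delay stays inside inv, ends in target, and never
    passes a region where preempted(r) holds (the forcible-event check)."""
    res = set()
    for p in ALL:
        for q in range(p, 2 * K + 2):
            if q not in inv or preempted(q):
                break
            if q in target:
                res.add(p)
                break
    return frozenset(res)

def fixpoint(ta, init, edge_ok, preempt):
    """Shared loop of Algorithms 1 and 2: update every location's predicate until stable."""
    P = {l: init(l) for l in ta.locs}
    while True:
        new = {}
        for l in ta.locs:
            acc = set(P[l])
            for (src, ev, g, rs, dst) in ta.edges:
                if src == l and edge_ok(ev):        # edge term: g ∧ I(l')[r] ∧ P(l')[r]
                    acc |= g & subst(ta.inv[dst], rs) & subst(P[dst], rs)
            acc |= time_pre(P[l], ta.inv[l], lambda r: preempt(ta, P, l, r))
            new[l] = frozenset(acc)
        if new == P:
            return P
        P = new

def nbp(ta):
    """Algorithm 1: N^0(l) is I(l) for marked locations and false elsewhere."""
    return fixpoint(ta, lambda l: ta.inv[l] if l in ta.marked else frozenset(),
                    lambda ev: True, lambda *_: False)

def preempted(ta, B, l, r):
    """A forcible edge from l is enabled in region r and leads to a non-bad state."""
    return any(src == l and ev in ta.forcible and r in g
               and r in subst(ta.inv[dst], rs) and r not in subst(B[dst], rs)
               for (src, ev, g, rs, dst) in ta.edges)

def bsp(ta, N):
    """Algorithm 2: B^0 = ¬N; only uncontrollable edges and non-preemptable delays propagate."""
    return fixpoint(ta, lambda l: ALL - N[l], lambda ev: ev in ta.uc, preempted)

def synthesize(ta):
    """Algorithm 3: guard adaptation (Loop-1) nested inside invariant adaptation (Loop-2)."""
    edges, inv = list(ta.edges), dict(ta.inv)
    while True:
        while True:                                                   # Loop-1
            S = ta._replace(edges=edges, inv=inv)
            N = nbp(S)
            B = bsp(S, N)
            adapted = [(s, ev, g if ev in ta.uc else g & (ALL - subst(B[d], rs)), rs, d)
                       for (s, ev, g, rs, d) in edges]
            if adapted == edges:
                break
            edges = adapted
        new_inv = {}                                                  # Loop-2
        for l in ta.locs:
            # FS(l): forcible edges from l whose adapted guard is still satisfiable
            fs = [e for e in edges if e[0] == l and e[1] in ta.forcible and e[2]]
            new_inv[l] = inv[l] & (ALL - B[l]) if fs else ta.inv[l]
        if new_inv == inv:
            return edges, inv, N, B
        inv = new_inv

def supervisor_is_empty(ta, B):
    """The supervisor is empty when the initial state (l0, x = 0) is already bad."""
    return 0 in B[ta.l0]

# Plant of Example 4. Figure 4 is not on the page, so the guard of the uncontrollable
# edge a is ASSUMED to be x >= 1 (location 1 a dead end), which reproduces the
# predicates stated in the text: N(0) = x < 1 and B(0) = x >= 1.
EXAMPLE4 = TA(locs=(0, 1, 2),
              edges=[(0, "b", pred(lambda x: x < 1), False, 2),
                     (0, "a", pred(lambda x: x >= 1), False, 1)],
              marked=frozenset({2}), l0=0,
              inv={0: pred(lambda x: x <= 2), 1: ALL, 2: ALL},
              uc=frozenset({"a"}), forcible=frozenset({"b"}))

# Remark 2 variant: no forcible events, so time is never preemptable.
NO_FORCING = EXAMPLE4._replace(forcible=frozenset())
```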
5. CONCLUSION
In this paper, a synthesis algorithm has been proposed
for timed automata (TA) with a set of forcible events.
The algorithm is directly applied on TA without being
abstracted to finite state automata. To ensure that the
supervisor makes controllable decisions, the modifications
made through synthesis are as follows: 1. guard adaptation
of edges labeled by controllable events, and 2. invariant
adaptation of locations from which there exists an edge
labeled by a forcible event. The objective is to avoid the
blocking states. To take care of controllability, not only the
blocking states but also the states from which a blocking
state is reachable in an uncontrollable manner (known as
the bad states) should be avoided. The bad states are
determined using non-blocking and bad-state predicates
associated to each location.
The condition for termination of the synthesis algorithm
will be investigated in future research. The synthesis tech-
nique will be generalized to consider control requirements
(also as TA) describing the allowed behaviour of the plant.
Moreover, the approach will be implemented in available
toolsets for discrete-event systems.
REFERENCES
Alur, R. and Dill, D.L. (1994). A theory of timed automata. Theoretical Computer Science, 126(2), 183–235.
Behrmann, G., Cougnard, A., David, A., Fleury, E., Larsen, K.G., and Lime, D. (2007). UPPAAL-Tiga: Time for playing games! In International Conference on Computer Aided Verification, 121–125. Springer.
Brandin, B.A. and Wonham, W.M. (1994). Supervisory control of timed discrete-event systems. IEEE Transactions on Automatic Control, 39(2), 329–342.
Cassandras, C.G. and Lafortune, S. (2009). Introduction to Discrete Event Systems. Springer Science & Business Media.
Khoumsi, A. (2002). Supervisory control of dense real-time discrete-event systems with partial observation. In Proceedings of the 6th International Workshop on Discrete Event Systems (WODES'02), 105–112. IEEE.
Khoumsi, A. and Nourelfath, M. (2002). An efficient method for the supervisory control of dense real-time discrete event systems. In Proceedings of the 8th International Conference on Real-Time Computing Systems (RTCSA).
Maler, O., Pnueli, A., and Sifakis, J. (1995). On the synthesis of discrete controllers for timed systems. In Annual Symposium on Theoretical Aspects of Computer Science, 229–242. Springer.
Miremadi, S., Fei, Z., Åkesson, K., and Lennartson, B. (2015). Symbolic supervisory control of timed discrete event systems. IEEE Transactions on Control Systems Technology, 23(2), 584–597.
Ouedraogo, L., Khoumsi, A., and Nourelfath, M. (2010). SetExp: a method of transformation of timed automata into finite state automata. Real-Time Systems, 46(2), 189–250.
Ouedraogo, L., Kumar, R., Malik, R., and Åkesson, K. (2011). Nonblocking and safe control of discrete-event systems modeled as extended finite automata. IEEE Transactions on Automation Science and Engineering, 8(3), 560–569.
Ramadge, P.J. and Wonham, W.M. (1989). The control of discrete event systems. Proceedings of the IEEE, 77(1), 81–98.
Rashidinejad, A., Reniers, M., and Feng, L. (2018). Supervisory control of timed discrete-event systems subject to communication delays and non-FIFO observations. IFAC-PapersOnLine, 51(7), 456–463.
Sköldstam, M., Åkesson, K., and Fabian, M. (2007). Modeling of discrete event systems using finite automata with variables. In 2007 46th IEEE Conference on Decision and Control, 3387–3392. IEEE.
Tripakis, S. and Altisen, K. (1999). On-the-fly controller synthesis for discrete and dense-time systems. In International Symposium on Formal Methods, 233–252. Springer.
Tripakis, S. and Yovine, S. (2001). Analysis of timed systems using time-abstracting bisimulations. Formal Methods in System Design, 18(1), 25–68.
Wong-Toi, H. and Hoffmann, G. (1991). The control of dense real-time discrete event systems. In Proceedings of the 30th IEEE Conference on Decision and Control, 1527–1528.
