The setting of this article is the implementation of timed discrete-event systems (TDES) as sampled-data (SD) controllers. An SD controller is driven by a periodic clock and sees the system as a series of inputs and outputs. On each clock edge (tick event), it samples its inputs, changes states and updates its outputs. In this article, we establish a formal representation of an SD controller as a Moore synchronous finite state machine (FSM). We describe how to translate a TDES supervisor to an FSM, as well as necessary properties to be able to do so. We discuss how to construct a single centralised controller as well as a set of modular controllers, and show that they will produce equivalent output. We briefly discuss how the recently introduced SD controllability definition relates to our translation method. SD controllability is an extension of TDES controllability which captures several new properties that are useful in dealing with concurrency issues, as well as make it easier to translate a TDES supervisor into an SD controller. We next discuss the application of SD controllability to a small flexible manufacturing system (FMS) from the literature. The example demonstrates the successful application of the new SD properties. We describe the design of the system in detail to illustrate the new conditions and to provide designers with guidance on how to apply the properties. We also present some FSM translation issues encountered, as well as the FSM version of the system's supervisors.
Introduction
In the area of discrete-event systems (DES) Wonham and Ramadge 1987; Wonham 2008 ), a lot of effort has been devoted for studying standard properties such as nonblocking and controllability in a theoretical setting. However, limited effort has been made in investigating what an implementation of a DES supervisor would be like, whether we can guarantee that it will retain the controllability and nonblocking properties of the theoretical supervisor and how to handle timing delay and concurrency issues inherent in an implementation.
A good implementation method for DES supervisors would be as sampled-data (SD) controllers. An SD controller is driven by a periodic clock and sees the system as a series of inputs and outputs. On each clock edge, it samples its inputs, changes state and updates its outputs. An example of an SD controller might be a programmable logic controller (PLC) (Bolton 2006) or a Moore synchronous finite state machine (FSM) (Brown and Vranesic 2008) . For simplicity, we will assume inputs and outputs of an SD controller can take the values of true or false. We are particularly interested in the timing and concurrency issues involved in implementing timed DES (TDES) (Brandin and Wonham 1994) as SD controllers.
When we are using an SD controller to manage a given system, we associate an input with each event, and an output with each (non-tick) controllable event. We consider an event to have occurred when its corresponding input has gone true during a given clock period. We consider a controllable event to be enabled when its corresponding output has been set true by the controller, disabled otherwise. Finally, we associate the clock edge that drives the SD controller with the TDES tick () event.
These definitions have several ramifications. First, an SD controller does not know an event has occurred until the next clock edge, and then it has no information on the order or number of occurrences of events. The only ordering information that remains is which sampling period (clock period) a given event occurred in. Also, forcing and disablement decisions can only be made immediately after the clock edge and are constant till the next clock edge.
As an example, consider Figure 1 . We see on the third rising edge of the clock, the SD controller knows that both events event1 and event2 have occurred, but not which came first. This means that the SD controller cannot tell the difference between the strings Event1-Event2-, Event2-Event1-or Event1-Event2-Event1-.
Concurrency and timing issues arise when implementing TDES as SD controllers as TDES assume that events occur in an interleaving fashion (i.e. we can always determine event ordering), we know immediately when events occur, and enablement and forcing occur immediately (i.e. no communication delay). These assumptions are false in general for SD controllers. Also, due to variations in how an SD controller is designed, the occurrence of a forced event in a specified clock period will vary and could possibly occur in any order relative to the other events occurring in the same clock period. These have ramifications with respect to controllability, plant model correctness and the SD controllers ability to determine which state the TDES system currently is in.
Finally, if an SD controller is forcing multiple events (say and ) to occur in the same clock period, these events may only actually occur (due to design or timing constraints) in a specific order (say only), even though the TDES model says they can occur in multiple orderings (say as well). This means a TDES could be nonblocking, but its SD controller implementation could block.
In Wang (2009) , Leduc and Wang (2010) and Leduc, Wang, and Ahmed (2012) , we identified a number of existing TDES properties as well as introduced some new properties, in particular SD controllability, in order to address these concerns and to make the translation from a TDES supervisor to an SD controller easier.
In this article, we will focus on formalising SD controllers and defining how to translate a TDES supervisor into an SD controller. We establish a formal representation of an SD controller as a Moore synchronous FSM, and describe how to translate a TDES supervisor to an FSM, as well as necessary properties to be able to do so. We discuss how to construct a single centralised controller as well as a set of modular controllers, and show that they will produce equivalent output.
We then present an application of SD controllability to a small flexible manufacturing system (FMS) from (Hill 2008) to demonstrate that it can be applied in practice. We describe the design of the system in detail to illustrate the new conditions and to provide designers with guidance on how to apply the properties. We also present some FSM translation issues encountered, as well as the FSM version of the system's supervisors.
In Section 2, we discuss TDES preliminaries, including introducing some TDES-related properties that we will need. Section 3 gives a quick introduction to the SD setting and the properties we wish to apply. In Section 4, we introduce a formal representation for SD controllers as FSM, and present a centralised and modular conversion method from TDES supervisors to FSM. In Section 5, we discuss our FMS example and FSM implementations. We finish with conclusions.
Preliminaries
Below, we present a summary of the DES terminology that we use in this article.
Let AE be a finite set of distinct symbols (events), AE þ the set of finite sequences of events and AE* ¼ AE þ [ {}, where is the empty string. Let L AE* be a language over AE. A string t 2 AE* is a prefix of s 2 AE* (written t s) if s ¼ tu, for some u 2 AE*. The prefix closure of language L is defined as L ¼ ft 2 AE Ã jt s for some s 2 Lg. Let Pwr(AE) denote the set of all possible subsets of AE. We will use the notation AE*. to stand for the set of all strings s for some s 2 AE*.
For AE, natural projection P : AE* ! * denotes the operation that deletes all events not in from strings. For language L AE*, the eligibility operator Elig L : AE* ! Pwr(AE) is given by Elig L (s) :¼ { 2 AE j s 2 L} for s 2 AE*.
Definition 2.1: The Nerode equivalence relation over AE* mod L is defined for s, t 2 AE* as: s L t iff (8u 2 AE*)su 2 L , tu 2 L.
TDES (Brandin and Wonham 1994) extends untimed DES theory by adding a new tick () event, corresponding to the tick of a global clock. The event set of a TDES contains the tick event as well as other non-tick events called activity events (AE act ).
A TDES automaton is represented as a 5-tuple
[ fg is the event set, the partial function : Q Â AE ! Q is the transition function, q 0 is the initial state, and Q m is the set of marked states. We extend to : Q Â AE* ! Q in the natural way. The notation (q, s)! means the transition is defined. The closed behaviour of G is defined to be [ fg, and the uncontrollable events are AE u ¼ AE À AE c . For the SD setting, we assume that the set of prohibitable events is exactly equal to the set of forcible events for our system. This will not only make our definitions simpler, but it will also make our controllers simpler as enablement and forcing are now the same thing.
We will always assume that a DES is reachable, has a finite state and event set and is deterministic.
we define the product of the two DES as:
where 1 Â 2 : Q 1 Â Q 2 Â AE ! Q 1 Â Q 2 is given by ( 1 Â 2 )((q 1 , q 2 ), ) :¼ ( 1 (q 1 , ), 2 (q 2 , )), whenever 1 (q 1 , )! and 2 (q 2 , )!.
we define the synchronous product G 1 jj G 2 of the two DES as
where ((q 1 , q 2 ),) is only defined and equals
For the definitions given in this article, we assume that our plant G and supervisor S are always combined with the product DES operator, thus our closed-loop system is G Â S. If we instead combined the two with the synchronous product operator, we would add selfloops to each DES to extend them over the combined alphabet AE, and then use these new DES instead. 
We now introduce several existing TDES conditions that will be useful. The first one ensures that TDES do not allow a tick event to be indefinitely preempted by activity events.
Definition 2.8: TDES G ¼ (Q, AE, , q 0 , Q m ) is activityloop-free (ALF) if ð8q 2 Q r Þð8s 2 AE þ act Þðq, sÞ 6 ¼ q:
We require that our closed-loop system be ALF, but it does not make sense to require our supervisors to be ALF as they may contain selfloops of prohibitable events in order to be more compact. However, selfloops provide enablement information but do not contain useful next-state information for SD controllers, so we can ignore them for translation purposes. We now introduce the definition below that will make supervisors easier to translate. Essentially, it says if we remove the selfloops of any activity events in the TDES, the rest of the TDES must be ALF.
Definition 2.9: Let G ¼ (Q, AE, , q 0 , Q m ) be a TDES, and let G 0 be G with all activity event selfloops removed. G is non-selfloop ALF if G 0 is ALF.
We will also require that our plant TDES have proper time behaviour, as defined by Wong and Wonham (1996) .
Definition 2.10: TDES G has proper time behaviour if ð8q 2 Q r Þð9 2 AE u [ fgÞ ðq, Þ! Controllable events are often part of the supervisor's implementation and can occur when we want them to as described in Balemi (1994) . However, a plant might be modelled more restrictively in order to make the system easier to model or understand.
Definition 2.11: Let TDES G be a plant and TDES S be a supervisor. G is complete for S if ð8s 2 LðGÞ \ LðSÞÞð8 2 AE hib Þs 2 LðSÞ ¼) s 2 LðGÞ:
SD controllers
In this section, we introduce the SD setting from Wang (2009), Leduc and Wang (2010) and Leduc et al. (2012) . We will take AE ¼ AE act _ [ fg to be our system event set with AE hib AE act .
Assumptions
We make the following assumptions about our system. It is the designer's responsibility to ensure that they are met.
(1) The set of prohibitable events is exactly equal to the set of forcible events for our system (i.e. AE for ¼ AE hib ). This is a reasonable assumption that will greatly simplify things. This is essentially a modelling issue.
(2) Enabling a prohibitable event means we should force the event during the current clock period. We only allow it to occur once per clock period. (3) Our SD controllers will be implemented centrally with a common clock, such that they all sample inputs and update outputs at the same time. (4) We assume an event has 'occurred' when its input goes true unless this occurs so close to the clock edge, it shows up in the next sampling period. In that case, it 'occurs' immediately after the clock edge. This should be reflected in the system model. (5) When we force an event in a given sampling period, it occurs sometime during that clock period. (6) The length of a given input pulse for an event is such that the controller will never miss it, or interpret the event as occurring in the wrong clock period.
Applicable systems should not find Assumptions 1, 2, 5 and 6 very restrictive. Assumptions 3 and 4 partially address timing delay issues and likely will be removed in future work.
SD preliminaries
For SD controllers, we identify a tick event with the clock edge that the SD controller uses for sampling and state change. This means the strings an SD controller can observe are and strings ending with a tick. The reason for including is that it represents the initial state of the system, which is known. We refer to these strings as sampled strings, defined as
An SD controller changes the state after each clock edge (tick). Its next state is determined by all the strings that can occur containing a single tick event at the end, since the last tick event. We refer to such strings as concurrent strings, defined as L conc ¼ AE Ã act : & L samp . For TDES S ¼ (X, AE, , x 0 , X m ), states reached from the initial state by sampled strings are referred to as sampled states, defined as
However, if two concurrent strings contain the exact same events but in different order and/or number, they are indistinguishable to the controller. To capture this uncertainty, we define the occurrence operator. It takes a string and returns the set of events (the occurrence image) that make up the string.
Definition 3.1: For s 2 AE*, the occurrence operator, Occu: AE* ! Pwr(AE), is defined as
OccuðsÞ :¼ f 2 AE j s 2 AE Ã ::AE Ã g:
Clearly, we would have a problem translating a supervisor if two concurrent strings with the same occurrence image are possible at a given sampled state, but they lead to different states in S. This would mean our controller would become nondeterministic. To ensure this does not happen, we require our TDES be concurrent string deterministic.
ð8s 2 LðSÞ \ L samp Þð8s 0 , s 00 2 L conc Þ ½ss 0 , ss 00 2 LðSÞ^Occuðs 0 Þ ¼ Occuðs 00 Þ ¼) ½ss 0 LðSÞ ss 00^s s 0 L m ðSÞ ss 00^ ðx 0 , ss 0 Þ ¼ ðx 0 , ss 00 Þ In Figure 2 (a), we see part of a TDES that is not CS deterministic. For this, example we can merge states x 0 and x 00 and use the minimal version for our translation. This results in the TDES we see in Figure 2 (b), which is CS deterministic. If the two states were not equivalent, we would not be able to translate TDES.
We now can define for a given TDES a nextsampling-state function. This represents how a TDES will move from sampling state to sampling state via concurrent strings and will be needed later when we define our TDES to FSM translation method.
Definition 3.3: For CS deterministic TDES S ¼ (X, AE, , x 0 , X m ), we define the next-sampling-state partial function, D: X samp Â Pwr(AE act ) ! X samp , as follows. For x 2 X samp X and AE 0 AE act ,
We use the notation D(x, AE 0 )! to indicate that D(x, AE 0 ) is defined. As function D is only used for CS deterministic TDES, it is easy to see that it is well defined.
We now define another map that will be needed later to define our TDES to FSM translation method. We define for S a prohibited action function that captures the prohibitable events that are disabled at a given sampled state.
Definition 3.4: For TDES supervisor S ¼ (X, AE, , x 0 , X m ), the prohibited action function : X samp ! Pwr(AE hib ) is defined for x 2 X samp X as follows:
For SD controllers, we assume that prohibitable events are only allowed to occur once per sampling period. We thus want our TDES plant G to reflect this.
Definition 3.5: For plant G and supervisor S, we say that G has S-singular prohibitable behaviour if ð8s 2 LðSÞ \ LðGÞ \ L samp Þð8s 0 2 AE Ã act Þss 0 2 LðSÞ \ LðGÞ ¼) ð8 2 Occuðs 0 Þ \ AE hib Þ 6 2 Elig LðGÞ ðss 0 Þ:
SD controllable languages
Even if the TDES conditions introduced so far are met, our actual system behaviour under the control of the corresponding SD controller could block, violate our control law, or even exhibit behaviour not contained in our plant model. To address these issues, we now introduce a new concept called SD controllable. Let G ¼ (Q, AE, , q 0 , Q m ) be our plant and S ¼ (X, AE, , x 0 , X m ) be our supervisor. Note that implicit in the definition is the assumption AE for ¼ AE hib .
Definition 3.6: S is SD controllable with respect to G if, 8s 2 L(S) \ L(G), the following statements are satisfied:
Point i: This is standard untimed controllability. Point ii: The (() direction and point i imply standard TDES controllability. The ()) part says that if we enable a prohibitable event, we must disable tick. This is to capture the notion that we only enable a prohibitable event when we want to force it. Point iii.1: This point says that when a prohibitable event is possible in a clock period, it must be possible immediately after the tick and stay possible for the period until it occurs. This captures the notion that the enablement information for an SD controller is constant for the clock period. It also captures the idea that when a controller forces a prohibitable event, the event must occur before the next tick, but we do not know when. Point iii.2: This point says that if two concurrent strings with the same occurrence image can occur, they must have the same future with respect to the system's closed behaviour (i.e. we take same control action now and in the future for both strings), and with respect to its marked behaviour (i.e. the strings are interchangeable with respect to reaching future marked states). Point iv: This point says marked strings must be sampled strings ( or end in a tick).
Let C be an SD controller translated from our CS deterministic supervisor, S, using the method described in Section 4.4. To investigate the enablement and forcing behaviour of our controller, we capture the behaviour of C as a supervisory control for G. In Wang (2009) and Leduc et al. (2012) , we give a detailed algorithm to define map V based on our controller.
Theorem 3.7 (Wang 2009; Leduc and Wang 2010; Leduc et al. 2012) : For plant G and CS deterministic supervisor S that is SD controllable for G, let both TDES have finite state spaces, let G be complete for S, have proper time and S-singular prohibitable behaviour, let G Â S be ALF, let C be the SD controller that is constructed from S and let V be the map that is constructed from C. Then,
The marked behaviour of V/G is defined to be L m ðV=GÞ :¼ LðV=GÞ \ L m ðSÞ \ L m ðGÞ:
We say V is nonblocking for G if L m ðV=GÞ ¼ LðV=GÞ. It follows immediately that if the assumptions of Theorem 3.7 are met,
We also want to ensure that if G Â S is nonblocking, then our plant and SD controller will be nonblocking even if only a single concurrent string is actually possible in our physical system at a given sampled state, despite our TDES model saying multiple concurrent strings with the same occurrence image are possible. We wish to be robust with respect to such variations and nonblocking. We will frame our argument in terms of supervisory control maps.
Definition 3.8: Let V and V 0 be supervisory controls for G. We say V 0 is concurrent supervisory control
The first point essentially guarantees that L(V 0 / G) L(V/G). The second point says that if V 0 /G accepts the sampled string s and V/G accepts concurrent string s 0 , then V 0 /G must accept at least one concurrent string that has the same occurrence image as s 0 .
Theorem 3.9 (Wang 2009; Leduc and Wang 2010; Leduc et al. 2012) : For plant G and CS deterministic supervisor S that is SD controllable for G, let both TDES have finite state spaces, let G be complete for S, and have proper time and S-singular prohibitable behaviour, let G Â S be ALF, let C be the SD controller that is constructed from S, let V be the map constructed from C and let V 0 be a supervisory control for G. If V is nonblocking for G and V 0 is CSCE to V, then V 0 is also nonblocking for G.
Moore FSM
In this section, we introduce a formal representation for SD controllers and a translation method for TDES supervisors. We will model SD controllers as Moore synchronous FSM (Brown and Vranesic 2008) . Our choice to do so is based on the work of Leduc (1996) who implemented, in an ad hoc fashion, untimed DES as FSM. Using FSM to define SD controllers is a good choice as it provides a concrete definition of the controller, yet an FSM still allows a variety of physical implementations such as a PLC (Bolton 2006 ) program, using digital logic (Brown and Vranesic 2008) , or as a software program on a computer.
Formal model
Before we give a formal definition of an SD controller, we first need to discuss some notation. We will often be discussing Boolean vectors that change periodically with respect to some clock. A Boolean vector is a vector whose individual elements can only be assigned the values of true (1) or false (0). We say 'at time k' to indicate the point of time at which k clock ticks have gone by since our starting reference point at k ¼ 0. For
to denote the value of v and v j ( j 2 { 1, . . . , n}) at time k. As our index k takes on new values, our vector v defines a sequence with respect to ticks of our clock, which we define to be {v(k) jk ¼ 0, 1, . . . }, and is denoted as {v(k)}. When we are discussing an SD controller, we can think of k ¼ 0 as representing the time when the controller has just been turned on or reset. For TDES systems, a 'clock tick' corresponds to the occurrence of a tick event.
Definition 4.1: We define an SD controller C as the tuple
where . I is the set of possible Boolean vectors that the inputs to our controller can take on. Each vector i ¼ [i 0 , i 1 , . . . , i vÀ1 ] 2 I has v input variables. Each element of i corresponds to a unique activity event in our system. When an element is set to 1, this means the corresponding event has occurred at least once in the previous clock period, otherwise it is set to 0. Input combination i ¼ [0, 0, . . . , 0] means no activity events occurred in the clock period that just ended. For a TDES, this is equivalent to the concurrent string . . Z is the set of possible Boolean vectors that the controller outputs can take on. Each vector z ¼ [z 0 , z 1 , . . . , z rÀ1 ] 2 Z has r output variables. Each element of z corresponds to a unique prohibitable event in our system. When an element is set to 1, this means that corresponding event is enabled and that the controller should make the event occur before the next clock tick, where 0 means it is disabled. We note that exactly when the event occurs in the current clock period is unknown and will depend on the physical plant and the controllers implementation. . Q is the set of possible Boolean vectors that the state of our controller can take on. Each vector q ¼ [q 0 , q 1 , . . . , q lÀ1 ] 2 Q has l state variables. . q res 2 Q is the initial (reset) state for when the controller starts operating or is reset. We take q(0) ¼ q res . . : Q Â I ! Q is a next-state function which takes the current state q(k) 2 Q and an input vector i(k þ 1) 2 I, and returns the next state
For a specific run of our controller, we would receive a specific sequence of inputs {i(k)}, starting at time k ¼ 0. This sequence, combined with q res , and , will uniquely define our current sequence of states, {q(k)}. In turn, {q(k)} and È will uniquely define our current sequence of outputs {z(k)}. If we wish to distinguish between two vector sequences, we will use different variables such as {i(k)} and {i(k 0 )}.
Translation method introduction
Informally, to convert TDES S ¼ (X, AE, , x 0 , X m ) into SD controller C ¼ (I, Z, Q, , È, q res ), we take the sampled states of S as the states of C. The initial (reset) state of C would be the initial state of S. We then determine which concurrent strings are possible from a given sampled state. The occurrence image of these concurrent strings would then define our nextstate conditions. For state q of C, an output (enablement of some 2 AE hib ) is set to true if the corresponding event is possible at the corresponding sampled state x in S, else set to false.
As an example, consider the TDES shown in Figure 3 (a) where arrows with slashes indicate prohibitable events. We see that the sampled states are I (initial state), W and D (only other states with incoming tick event). We thus equate the states of our FSM in Figure 3 
For our FSM, our ordering for the input variables is i ¼ [ 1 , 2 , 1 , 2 , , ] and for our outputs it is z ¼ [ 1 , 2 , 1 , 2 ]. Our outputs for each state of the FSM is determined by the prohibitable events possible at the corresponding sampled state of the TDES. As only 1 and 2 are possible at state I, only these outputs are set to 1 at state [0, 0] . Similarly, all outputs are set to 0 at state [0, 1] and only 1 and 2 outputs are set to 1 at state [1, 0] .
Examining state I, we see that the only concurrent strings leaving it are 1 2 and 2 1 . They have the same concurrent image { 1 , 2 , } and both take us to state W. Our next-state condition is thus when only 1 and 2 have occurred, we go to state [0, 1] as shown in Figure 3 (b). As is a total function and is a partial function, we usually have to add a DEF, or default transition, to cover input combinations that we have not explicitly specified (i.e. it matches all remaining unspecified input combinations). We determine the next-state conditions for the remaining sampled states in a similar fashion.
In Figure 3 (c), we present a more compact and human-readable version of the FSM. At each state in the FSM, we only list prohibitable events whose outputs are set to true. For next-state conditions, we use Boolean equations to express input conditions and we simplify them to only include input events possible at that state.
For example, at state 1 of FSM we see the nextstate condition [] Á ![], which means event occurred in the last sampling period, but event did not. It will match any input vector for which this is true. Here we are representing logical AND as 'Á', and logical negation as '!'. We also represent logical OR as ' þ '. In the FSM, we enclose event names by '[ ]' to distinguish between an event label and its corresponding input being set to 1.
The operation of our FSM is that at system reset, it starts operating at state q res ¼ [0, 0] with its outputs set to enable only 1 and 2 . At each clock tick, it samples its inputs creating a new input vector, i, which is matched to the current state's next-state conditions to determine its new state and output. It then changes to the new state, updates its outputs and then waits for the next clock tick. For an example of how to implement an FSM on a PLC, see Leduc (1996) .
To be able to translate a TDES supervisor into an SD controller, we only require it to be CS deterministic to ensure that the resulting FSM will be deterministic. In practice, we also require that the TDES be nonselfloop ALF as a design aid. This makes it more likely that the TDES be CS deterministic and typically makes the translation easier and more compact as we will see in Section 5. As a TDES that fails to be non-selfloop ALF cannot model a physical system, this additional constraint is not a limitation.
Although the CS deterministic property is a sufficient condition to do the translation, it is not sufficient to ensure that the resulting controller applied to the plant will have the desired enablement, forcing and nonblocking behaviour. As seen in Theorems 3.7 and 3.9, this requires that our supervisor S be SD controllable for our plant G, that G has proper time behaviour, S-singular prohibitable behaviour, that G be complete for S, and that our closed-loop system be ALF and nonblocking.
In particular, plant completion and SD controllability make TDES to FSM translation simpler. As plant completion ensures that if a prohibitable event is possible in the supervisor then it is also possible in the plant, we are able to rely solely on our supervisors to define our SD controllers.
For SD controllability, points (ii) and (iii.1) are particularly useful. Point (ii) requires that a prohibitable event be disabled until it is to be forced. This requires the designer to specify exactly in which sampling period an event should occur, instead of requiring the translation method to make a 'choice'. This eliminates a lot of ambiguity.
Point (iii) captures the notion that enablement information is constant for a sampling period; thus if a prohibitable event is enabled during a sampling period, it must be enabled at the start of the sampling period and stay enabled until it occurs or the sampling period ends. This means determining the enablement for a sampling period is as simple as determining which prohibitable events are enabled at the corresponding sampled state of the supervisor.
Event mapping functions
As we will often be discussing vectors whose elements refer to specific events in AE act , we need a way to map events to a vector's elements and vice versa. Let G ¼ (Y, AE, , y 0 , Y m ) be the TDES plant to be controlled and let S ¼ (X, AE S , , x 0 , X m ) be a CS deterministic TDES supervisor for G with AE S AE. Let C ¼ (I, Z, Q, , È, q res ) be the SD controller for S.
As we could have multiple controllers, each using their own event orderings, we first need to define a default bijective map, g , between our activity event set and a default index set that we will use for labelling the events. To simplify things, we will require the event mapping functions for each controller to respect the event ordering imposed by g . This means that g will induce a single way to define the various mapping functions for our controller.
Definition 4.2: Let bijective map g : AE act ! {0, . . . , jAE act j À 1} be the canonical event mapping function for AE act .
We now define input and output mapping functions for our controller. Each function will map events to the index value for the corresponding variable in the specified vector (I or Z ).
Definition 4.3:
The input event mapping function for C is defined to be a bijective map :
Definition 4.4: The output event mapping function for C is defined to be a bijective map : AE S \ AE hib ! {0, 1, . . . , r À 1} with r ¼ jAE S \ AE hib j such that ð8 1 , 2 2 AE S \ AE hib Þ g ð 1 Þ 5 g ð 2 Þ ¼) ð 1 Þ 5 ð 2 Þ:
As these functions are bijective, their inverse functions always exist. We can thus use their inverse functions to map an index value to its corresponding activity event.
Centralized translation method
We will now discuss how to translate a TDES supervisor into a single centralised controller. Let TDES S ¼ (X, AE, , x 0 , X m ) be CS deterministic. To translate S into a controller C ¼ (I, Z, Q, , È, q res ), we need to determine values for the members of the tuple.
We will start with I, Z and Q. As they represent all possible assignments of Boolean vectors, we first need to define the size (number of elements/variables) of each vector. The size of each input vector i 2 I is defined to be v ¼ jAE act j. The size of each output vector z 2 Z is defined to be r ¼ jAE hib j.
We now specify Q. We need to define the size of the state vectors, l, so that a state vector is large enough to encode a value for each sampled state x 2 X samp X. We thus choose l to satisfy 2 lÀ1 5 jX samp j 2 l . We note that if jX samp j 5 2 l , then Q will contain some vector assignments that do not correspond to sampled states but they will be unreachable.
To complete our definition of I, Z and Q, we now need to associate activity events with individual input variables, prohibitable events with individual output variables and sampled states with state assignments of Q.
Definition 4.5: Let be the input event mapping function for controller C. We define for C the input set mapping bijective function, À I : Pwr(AE act ) ! I, as follows. For AE 0 AE act , we have À I (AE 0 ) ¼ [i 0 , i 1 , . . . , i vÀ1 ] such that for j ¼ 0, 1, . . . , v À 1,
Definition 4.6: Let be the output event mapping function for controller C. We define for C the output set mapping bijective function, À Z : Pwr(AE hib ) ! Z, as follows.
Definition 4.7: We define for controller C the state set mapping function, Ã : X samp ! Q, to be an arbitrary injective function of the designer's choice.
We can now define the reset state for C as q res ¼ Ã(x 0 ). Next, we define the next-state and stateto-output maps.
Definition 4.8: Let D be the next-sampling-state partial function for supervisor S. For state q 2 Q and input i 2 I, the next-state function, , is defined to be ðq, iÞ :¼ Definition 4.9: Let be the prohibited action function for supervisor S. For state q 2 Q, the stateto-output map È is defined to be
We have now completely defined our controller C for TDES supervisor S. As long as S is CS deterministic, then its next-sampling-state partial function D will be well defined, allowing us to do the translation. Based on the above definitions, it is easy to see that for AE 0 AE act and x 2 X samp , if D(x, AE 0 )!, then the diagram in Figure 4 commutes. So far we have assumed our supervisor's event set is AE. If instead our supervisor is defined over a subset AE S & AE, we would simply add to every state of our supervisor selfloops for each 2 AE ÀAE S and use this new supervisor for the translation.
Output equivalence
Before we define a modular translation method, we first need to consider how to determine if two different controllers would produce equivalent output (i.e. enablement information) for the same input sequence. The problem is that the controllers could be defined over different sets of input events and might use different event ordering for their vectors.
To handle different input requirements, we will assume that we have a system input vector, i g , containing all activity events and ordered with respect to the canonical event mapping function, g . We call {i g (k)} a canonical input sequence and i g 2 {i g (k)} a canonical input vector. We can then map each i g to a corresponding input vector for each controller using g and the controllers own output event mapping function, . For example, we can map i g ¼ ½i g,0 , i g,1 , . . . ,
In particular, we are interested in comparing two controllers C 1 and C 2 that have been defined relative to the same CS deterministic supervisor S ¼ (X, AE, , x 0 , X m ). We are thus only interested in determining if they generate the same output with respect to input sequences that represent valid input strings to S (i.e. s 2 L(S) \ L samp ).
Definition 4.10: A canonical input sequence {i g (k)} is input valid for S, if ð8k 0 2 f1, 2, . . . , gÞð9s 1 , s 2 , . . . , s k 0 2 L conc Þ ½s 1 s 2 . . . s k 0 2 LðSÞ^½ð8n 2 f1, 2, . . . , k 0 gÞ ð8 2 AE act Þi g, g ðÞ ðnÞ ¼ 1 iff 2 Occuðs n Þ Essentially in the above definition, we require the sequence {i g (k)} to correspond to a sequence of concurrent strings that supervisor S will accept.
Definition 4.11: Let C j ¼ (I j , Z j , Q j , j , È j , q res,j ) be an SD controller with output mapping function j , j ¼ 1, 2. We say C 1 and C 2 are output equivalent with respect to S if for any canonical input sequence {i g (k)} that is input valid for S, and induced outputs z j ðk 0 Þ ¼ ½z j,1 ðk 0 Þ, z j,2 ðk 0 Þ, . . . , z j,r j ðk 0 Þ 2 Z j ( j ¼ 1, 2) at time k 0 ¼ {0, 1, 2, . . .}, the follow conditions are satisfied:
Points 1 and 2 require the outputs of the two controllers to be of the same size, and represent the same events in the same order. Point 3 requires that one controller enables a prohibitable event if and only if the other does.
Modular translation method
For large systems, we typically define multiple modular supervisors rather than a single centralised supervisor. We would like to translate each individual supervisor into their own modular controller, and then combine their outputs to produce the equivalent enablement information of a centralised controller.
Let TDES S ¼ S 1 jjS 2 jj..jjS n ¼ (X, AE, , x 0 , X m ) be a CS deterministic supervisor where each modular supervisor S j ¼ (X j , AE j , j , x 0,j , X m,j ), j ¼ 1, 2, . . . , n, is also CS deterministic. Let AE j ¼ AE act,j _ [fg, AE hib,j :¼ AE hib \ AE act,j , and AE ¼ S l 2 f1, 2,..., ng AE l . For the following discussion, we will define the logical AND of vectors u ¼
Definition 4.12: For j ¼ 1, 2, . . . , n, the j-th modular translation of CS deterministic supervisor S j to modular controller C j ¼ (I j , Z j , Q j , j , È j , q res,j ) is performed using the method defined in Section 4.4 after replacing AE act by AE act,j , and AE hib with AE hib,j in the definitions.
To define how we combine the individual outputs of the modular controllers together, we need to define the composite controller of our n modular controllers.
Definition 4.13: The composite controller for C 1 , C 2 , . . . , C n , C ¼ (I, Z, Q, , È, q res ) ¼ comp(C 1 , C 2 , . . . , C n ), is defined as follows:
. The size of each input vector i 2 I is defined to be v ¼ jAE act j. The size of each output vector z 2 Z is defined to be r ¼ jAE hib j. Let to be the input event mapping function for C and to be the output event mapping function. . The number of state variables for vectors q 2 Q is defined to be l ¼ P n j¼1 l j , where l j is the number of state variables for Q j . The reset state is defined to be q res ¼ q res,1 q res,2 . . . q res,n . . The next-state function is defined such that, for q(k) ¼ q 1 (k)q 2 (k) Á Á Á q n (k) 2 Q and i(k þ 1) 2 I,
where input vector i(k þ 1) in canonical form with respect to g was mapped to input vector i j (k þ 1) ( j ¼ 1, . . . , n), as described in Section 4.5. . The state-to-output map È is defined as follows.
For each z j , we translate it to z 0 j ¼ ½z 0 j,0 , z 0 j,1 , . . . , z 0 j,rÀ1 2 Z such that, ð8 2 AE hib Þz 0 j,ðÞ ¼ z j, j ðÞ if 2 AE hib,j 1 otherwise:
We can now define:
ÈðqÞ ¼ĵ 2 f1,2,::,ng z 0 j :
Before we state our main theorem, we first present a useful result from Leduc et al. (2012) .
Proposition 4.14 (Leduc et al. 2012) : For CS deterministic supervisor S ¼ (X, AE, , x 0 , X m ), let C be the SD controller that is constructed from S.
(8s 2 L(S) \ L samp ) String s will take C to state q ¼ Ã((x 0 , s)) with outputs 2 AE q ¼ Elig L(S) (s) \ AE hib set to true.
The following theorem essentially states that the enablement information of the composite controller is equivalent to that of the centralised controller.
Theorem 4.15: Let CS deterministic supervisors S ¼ S 1 jjS 2 jjÁ Á ÁjjS n and S j ( j ¼ 1, 2, . . . , n) be defined as above. Let C j be the modular controller for S j , C 0 ¼ comp(C 1 , C 2 , . . . , C n ) be the composite controller and C be the centralised controller translated from S; then C and C 0 are output equivalent with respect to S.
Proof: Assume initial conditions. Let X samp X and X samp,j X j be the sets of sampling states for S and S j , respectively. Let Ã and Ã j be the state mapping functions for C and C j , respectively. Let À Z be the output set mapping function for C.
Let , 0 be the input event mapping functions for C, and C 0 , respectively. As and 0 have domain AE act , they must both equal g due to how they are defined.
(1) Let , 0 , be the output event mapping functions for C, and C 0 , respectively. We have ¼ 0 since they both have domain AE hib . This means that Z and Z 0 represent exactly the same prohibitable events, and in the same order.
(2) Let {i(k 00 )} be a canonical input sequence with respect to g , and let the sequence be input valid with respect to S.
( 3) From (1), we have ¼ 0 ¼ g . This means that {i(k 00 )} can be used as an input for both C and C 0 without requiring any mapping.
Let z 0 (k) 2 Z 0 be the induced output vector for C 0 at time k, for input sequence {i(k 00 )}. Similarly, let z(k) 2 Z be the induced output vector for C at time k.
We will now show that C and C 0 are output equivalent with respect to S. We first note that points 1 and 2 of the output equivalence definition follow immediately from (2). All that remains is to show: ð8k 2 f0, 1, 2, . . .gÞ zðkÞ ¼ z 0 ðkÞ:
Claim: If C is in state q ¼ Ã(x) for some x 2 X samp , and each C j ( j ¼ 1, 2, . . . , n) is in state q j ¼ Ã j (x j ) for some x j 2 X samp,j such that x ¼ (x 1 , x 2 , . . . , x n ), then C at state q and C 0 at state q 0 ¼ q 1 q 2 . . . q n will have the same output.
Let C be in state q ¼ Ã(x) for some x 2 X samp and let each C j be in state q j ¼ Ã j (x j ) for some x j 2 X samp,j such that x ¼ (x 1 , x 2 , . . . , x n ). We thus have C 0 at state q 0 ¼ q 1 q 2 . . . q n .
We will now show that z ¼ È(q) equals output z 0 ¼ È 0 (q 0 ). It is sufficient to show that they enable the same set of prohibitable events.
By the definition of the output map, È, we have for
The set of prohibitable events enabled at q is thus
by the definition of the synchronous product. From the composite controller definition, we have
where z 0 j is the expanded output for controller C j . The set of prohibitable events enabled by z 0 j is thus
The set of events enabled by C 0 is thus
Claim proven.
(4) Let k 2 {0, 1, 2, . . .}. If k ¼ 0, we have q(0) ¼ q res ¼ Ã(x 0 ) and for each C j , q j (0) ¼ q res,j ¼ Ã j (x 0,j ). We also have that each initial state is a sampled state, x 0 ¼ (x 0,1 , x 0,2 , . . . , x 0,n ), and q 0 (0) ¼ q 1 (0)q 2 (0). . .q n (0).
Applying (4), we have that q(0) and q 0 (0) have the same output.
We now consider k 2 {1, 2, . . .}.
As {i(k 00 )} is input valid for S by (3), we have ð9s 1 , s 2 , . . . , s k 2 L conc Þ ½s 1 s 2 . . . s k 2 LðSÞ ½ð8t 2 f1, 2, . . . , , kgÞð8 2 AE act Þi g ðÞ ðtÞ ¼ 1 1, 2, . . . , n) be natural projections. As s k 2 L conc and 2 AE Ã j , we have P j (s) 2 L(S j ) \ L samp .
By Proposition 4.14, we can thus conclude q(k) ¼ Ã((x 0 , s)) for C and that q j (k) ¼ Ã((x 0,j , P j (s))) for C j .
Let q 0 (k) ¼ q 1 (k)q 2 (k). . .q n (k). Let x ¼ (x 0 , s) and x j ¼ (x 0,j , P j (s)). By the definition of the synchronous product, we have x ¼ (x 1 , x 2 , . . . , x n ).
We can now conclude by (4) that q(k) and q 0 (k) have the same output, as required. oe
FMS example
In this section we present an example based on the untimed FMS from Hill (2008) . The system, shown in Figure 5 , is composed of six plant components and five one slot buffers. We will treat the buffers as specifications, requiring that they do not overflow or underflow. The flow of material is illustrated in Figure 5 . Event 921 represents parts entering system, and events 966 and 964 represent finished parts leaving the system. Table 1 shows an explanation of the numeric event labels used. Events labelled as numbers are directly from the Hill untimed example, where even numbers represent uncontrollable events. Event names that are not numbers start with a '!' to indicate uncontrollability. For TDES, marked states are indicated by a gray circle, and initial states have a thick outline.
FMS plant components
The plant components consist of two conveyors (Con2 and Con3), and a handling robot (Robot) that takes parts from buffer B2 to place in buffer B4, as well as taking parts from B4 to put in either buffer B6 (part type A) or buffer B7 (part type B). There is also a lathe that can produce two different part types (type A and type B), a painting machine (PM) and a finishing machine (AM). The TDES for these plant components are shown in Figure 6 , and our plant G is the synchronous product of all TDES in the figure. The figure shows four additional plant components that were added as part of the supervisor design, and will be discussed later.
It is a good design practice to make sure each plant component has proper time behaviour. This does not guarantee that plant G will have proper time behaviour but makes it likely.
To ensure that the closed-loop system is ALF, design each plant component to be ALF and ensure that every event in the supervisor belongs to at least one plant component. We have show in Wang (2009) that this is sufficient. To ensure a plant component is ALF, make sure that whenever an activity event occurs, at least one tick must occur before that event can occur again. If this is done for each plant component, it will also ensure that plant G will have S-singular prohibitable behaviour for any supervisor S, as it will make sure that each prohibitable event can occur at most once per sampling period. One must also make sure that each prohibitable event in the system belongs to at least one plant component.
To make plant G complete for our supervisor S, we recommend a couple of strategies. First, keep in mind that prohibitable events are likely part of the supervisor implementation and could potentially occur at any time during a sampling period. As such, they should be Finished from B6 Figure 6 . Plant models. possible to occur at the beginning of a sampling period, and stay eligible until they occur or we get a tick event. This is also important to satisfy SD controllability point iii.1. Second, design your supervisors to only enable events when the plant model says they can occur. This will also help the supervisor satisfy SD controllability point ii.
Buffer supervisors
We now discuss the TDES supervisors, shown in Figure 7 , that control the flow of parts in and out of the buffers. Their goal is to make sure the buffers do not overflow or underflow. They are based on the original untimed buffer specifications of Hill (2008) , but extended to the SD controllability setting. Our supervisor S is the synchronous product of all TDES in the figure.
Supervisor B2 not only prevents overflow and underflow of buffer B2, it also decides when event 921 should occur. As soon as the system is turned on, it immediately enables and forces 921, causing Con2 to accept a new piece into the system. It then waits for the piece to enter B2, before it enables event 933, allowing the robot to remove the part. It does not cause another 921 to occur until 933 does, ensuring that the buffer is empty.
A few things are worth noting. First, B2 enables prohibitable event 933, but does not disable the tick at state 4. This tells us that it wants to prevent the event from occurring too soon, but does not decide when the event will actually occur. This is controlled by another supervisor. Second, B2 makes sure there is a tick between 933 occurring, and enabling and forcing event 921. This is to satisfy point iii.1 of the SD controllability definition. Third, Supervisor B2 contains a special event, no921, which we will discuss in a later section. This is an 'expansion event' that was not part of the original plant, but was added to aid in communication between supervisors.
Supervisors B4, B6 and B7 manage their respective buffers. They strictly disable and enable events to prevent buffer overflow and underflow. They do not force any events, telling us that other supervisors make these decisions. This is because the decision of when these events should occur requires more than just a local view of whether a buffer is empty or not.
Supervisor B8 not only prevents overflow and underflow of buffer B8, it also controls the flow of pieces once a part enters buffer B7 (event 930), flows to painting machine (PM), and then back to buffer B7. It does this by watching the parts progress, and then forcing events 971, 981 and 973 as needed. As B8 determines when these events occur, it disables tick as soon as it enables these events to comply with point ii of the SD controllability definition. In other words, once the event is enabled by all the supervisors and possible in the plant, the event is also forced.
B4 to lathe path
We now design supervisors to resolve some nonblocking and concurrency issues on the robot-to-B4-to-lathe path of Figure 5 . These supervisors are shown in Figure 7 .
We first need to address a nonblocking issue with respect to buffers B4 and B2. We see from Figures 5 and 6, that the robot takes a piece from buffer B2 (event 933), and places it in B4. The piece then goes to the lathe, and then back to B4. The robot will then take the piece from B4, and put it in either buffer B6 (event 938) if it is of type A, or buffer B7 (event 930) if it is type B.
There are two issues here. The first is how to decide which action the robot should take if both buffers B2 and B4 have a part waiting. Normally, we just enable the safe choices, and allow the plant to 'somehow' make the decision. However, we want to be able to convert from a TDES supervisor to an SD controller in an easy, deterministic fashion. This means we must dictate which prohibitable events occur and when. We thus have to choose to service either B2 or B4, as we cannot do both at the same time. This issue is handled by supervisor TakeB2. It forces the robot to first service B2, then B4, then back to buffer B2.
The second issue is to prevent a conflict with respect to buffer B4. Once the robot puts a piece in B4 and the piece is taken by the lathe, the robot could put a second piece in B4. This would mean the lathe has no place to return its part, and the system blocks. TakeB2 prevents this by disabling event 933 until the current part has returned to B4, and then removed to either buffer B6 or B7. We also note that from state 4 of TakeB2, concurrent strings 938-922-tick and 922-938tick are both possible and that they have the same occurrence image. We thus make sure they both take us to the same next state in order to satisfy point iii.2 of the SD controllability definition.
We now discuss supervisor B4Path. It works with supervisor B4 to ensure the proper behaviour of the robot-B4-lathe path. Supervisor B4 primarily ensures that buffer B4 does not overflow or underflow. It serves an additional role in making sure that once a piece is put in B4, the correct action is taken when the piece is taken out. When the robot initially puts a piece in B4 (event 934), it makes sure that only events 951 and 953 can be used to take the piece out. This ensures the part goes to the lathe for processing. The lathe can process the piece as type A (event 951) or type B (event 953), producing different results. The lathe then returns the part to B4 using events 952 (part is type A) or event 954 (part is type B). Since type A parts go to buffer B6 (events 937, 938), and type B parts (event 939, 930) must go to buffer B7, supervisor B4 ensures only the correct follow up event is possible. B4Path contributes to the proper behaviour of the path by disabling event 933 once a part is put into B4 from B2, and disabling events 937 and 939 until a part is placed into B4 from B2.
Supervisor LathePick also contributes to the control of the robot-B4-lathe path. To satisfy point ii of SD controllability, we cannot just enable both events 951 and 953 and let the system 'decide'. We have to dictate when these events are to occur. Supervisor LathePick requires the lathe to first produce a type A part, then a type B part, and then to alternate between the two.
Moving parts from B4 to B6/B7
We now discuss some concurrency and blocking issues involved with moving pieces from buffer B4, to either buffer B6 or B7. These supervisors are shown in Figure 7 . To move a part from buffer B4 to B6, we use event 937. To satisfy point ii of SD controllability, we need to decide when to enable and force this event. This is handled by supervisor TakeB4PutB6. It waits for event 952 to occur, which signifies a piece of type A is ready to be transferred to buffer B6. It forces event 937 and then waits for event 963 to occur, signifying that the piece has been taken by the finishing machine (AM) and that B6 is ready for a new part.
We now consider moving a part from B4 to B7. We do this using event 939. We have to not only decide when to force 939, but we also have to deal with a potential blocking situation. Because a part placed in B7 first goes to PM for processing, it is possible that the robot could put a part in the now empty buffer B7, leaving no place for the returning part. Supervisor TakeB4PutB7 handles both issues. It watches for event 954 to occur, signalling that a part of type B has been placed in B4, and is ready to be transferred to buffer B7. TakeB4PutB7 forces event 939 to make the transfer. It then waits for event 965 to occur signalling that AM has removed the part from B7, before allowing another 939 to occur, thus preventing blocking.
Am to exit path
We now discuss the paths from buffers B6 and B7, leading through finishing machine (AM) and then leaving the system. We have several concurrency issues to deal with here. First, we have to specify when prohibitable events 961, 963 and 965 are suppose to occur in order to satisfy point ii of SD controllability. This is complicated by the fact that a piece could be waiting for AM in both buffers B6 and B7, so we need to specify how to choose which buffer to service first. The relevant supervisors are shown in Figure 7 .
The problem is that these three events are linked and we have to keep track of several issues in order to decide when to force which event. We could create a single supervisor to do this but it would be quite large and complicated, thus difficult to design correctly. We want to be able to design several modular supervisors. If we were only disabling events, this would not be difficult. However, since we must decide when to force the events, we have to make sure we do not try to force an event when it is not possible in the plant or disabled by another supervisor. It was not obvious how to do this modularly, without significant reuse of logic from other supervisors.
Our solution was to add new prohibitable expansion events no963a, no963b, no965a and no965b to provide communication between the supervisors. We introduced these new events to the system by adding plants AddNo963 and AddNo965, shown in Figure 6 .
We first discuss how to handle event 963. The idea is that when we want to disable tick to force event 963 in one supervisor, events no963a/b can be used as an alternate event to force if event 963 is disabled by another supervisor, or not possible yet in the plant. The other supervisors will only enable event no963a or no963b when they know 963 is not possible, and they will make sure only one of the three events are possible at a given time. The reason there is an 'a' and 'b' event is that there are three supervisors with which we need to coordinate enablement information. This will become clear later.
The primary supervisor for event 963 is Force963. It watches for event 938 to occur, signifying that there is a part in B6 waiting to go to AM. The supervisor then disables tick to force 963. Note, that it is the only supervisor that tries to force this event. However, event 963 could be ineligible in plant component AM, or disabled by supervisors Force961 or AMChooser. Force963 has no way of knowing this. It handles this by adding the no963a/b-tick loop at state 2. Supervisors Force961 and AMChooser will ensure that out of events 963, no963a, and no963b, one and only one event will be eligible and enabled immediately after a tick. If 963 is ineligible or disabled, then no963a or no963b gets forced instead, and then we try again after the tick. This way we signal we want 963 to occur as soon as it can, but do not 'stop the clock'. We also do not need to repeat information from the plant and other supervisors about when these events are eligible/ enabled.
The reason that only one of the three events are ever allowed to be eligible/enabled at the start of a tick, is to avoid violating point iii.1 of the SD controllability definition. Examining state 2 of Force963, we see that once one of the three events occurs, the others are disabled. If more than one was enabled and eligible at state 2, this would cause one of them to change eligibility status between ticks, violating point iii.1 of the SD controllability definition.
For event 965, we have similar behaviour represented by supervisor Force965. Force965 interacts in a similar way with plant component AM, and supervisors Force961 and AMChooser.
We now discuss supervisor Force961. Its primary task is to determine when to force event 961 which readies AM to process parts. First, it forces 961 right away, and then waits for events 964 or 966 (signifies AM has finished processing the part) to occur, before forcing event 961 again.
The secondary task of Force961 is to only enable events no963a and no965a when events 963 and 965 are not possible in the plant component AM. When they are possible in the plant, Force961 enables no963b and no965b instead. This insures that events no963a and no965a will always be possible after a tick when events 963 and 965 are ineligible in the plant. It also ensures that the 'a' and 'b' events are never eligible at the same time. Also, as supervisor AMChooser ignores the 'a' events, they will never be disabled when Force961 needs them. As Force961 never disables the 'b' events when 963 and 965 are possible in the plant, this ensures that they will not be disabled when AMChooser needs them. This means the two supervisors do not interfere with each other with respect to these events.
We now consider our last supervisor for this section, AMChooser. The role of this supervisor is to choose between taking a piece from buffer B7 (event 965) or buffer B6 (event 963), when both have a waiting part. If both receive a part in the same sampling period, we take the piece from buffer B7 first as there are other machines to keep busy along the B7 to PM path. We then take a piece from B6. If there is already a new piece from B7 waiting, we continue in an alternating fashion. If there is only one piece waiting in a given sampling period, then we handle that piece. Because AMChooser sometimes disables event 963 or 965 in order to enforce this order, it enables the appropriate no963b or no965b event as a forcing substitute. It also ensures that event 963 and no963b are never enabled at the same time. It behaves similarly for events 965 and no965b.
System shutdown
When we tested the system (ignoring any TDES not yet discussed, and excepting the facts that supervisor B2 originally did not have a state 6, plant component AM was not marked at state 3, and supervisor Force961 was not marked at state 2), we found that it was blocking. The system was completing its tasks, but all of the TDES were never in a marked state at the same time. We could have delayed forcing some events to rectify this, but that would have been less efficient.
The problem was that the system did not have a shutdown mechanism which would stop conveyor Con2 from taking new parts (event 921), and allow existing parts to be completed and exit the system. This would allow all components of the system to go idle and return to a marked state. To achieve this, we added a new plant component SystDownNup, shown in Figure 6 . It contains an event shutdown to empty the system, and an event restart to bring the system back up.
Our next task was to stop new pieces from entering the system. The problem was that supervisor B2 forced event 921 as soon as buffer B2 was empty. As we want to keep supervisor B2 simple, we added a new prohibitable expansion event, no921. This was introduced by adding plant AddNo921, shown in Figure 6 . We then added the no921-tick loop at state 0 of supervisor B2. This allows B2 to force no921 when 921 is disabled so that we do not 'stop the clock'.
Finally, we added supervisor handleSystDown, shown in Figure 7 . Its job was to enable event 921 and disable no921 initially, and then disable 921 and enable no921 once the shutdown event occurs. When the restart event occurs, the process is reversed.
However, we found that we were still nonblocking. The culprit was supervisor Force961. As soon as event 961 was eligible, it was forced so that AM was ready to process a part. We could have created a no961 event like we did for B2, but this would have been trickier as we needed to allow enough 961 events to occur to allow the existing pieces to leave. Instead, we decided that for AM, state 3 was a rest state, and it was fine to leave it there. So, we marked state 3 of AM, and state 2 of Force961, and the system was nonblocking. Note that we could have instead marked state 2 of TDES AM and state 1 of TDES Force961, but that would have likely caused point iv of the SD controllability definition to fail.
Results
As part of this work, we developed a set of predicatebased algorithms to verify the SD controllability property, as well as the other conditions that we require (see Wang (2009) for details). We have also created a software tool that implements these algorithms using binary decision diagrams (BDD) (Bryant 1992 ).
For this system, our plant G is the synchronous product of all TDES in Figure 6 and our supervisor S is the synchronous product of all TDES in Figure 7 . Our closed-loop system is SjjG. Using a 1.8 GHz PC, we verified in 3 minutes that S is SD controllable for G, that G has proper time behaviour, S-singular prohibitable behaviour and is complete for S, and that our closed-loop system (82,608 states) is ALF and nonblocking.
Controller translation issues
When we examine the supervisors in Figure 7 , we find that supervisors B4, B4Path, B6 and B7 are neither non-selfloop ALF or CS deterministic.
For example, consider state 0 of supervisor B4. We see we can do a 934-tick sequence, a {934-951}*-tick sequence, and a 934-951-934-tick sequence, among others. Not only would our controller be nondeterministic, but these sequences provide us with numerous next-state conditions, many of which are not possible in the system due to timing restrictions. Examining the plants and supervisors in Figures 6 and 7 , we see that there will always be a tick event after event 934 and before 951, so we can add this to our supervisor without restricting the closed-loop behaviour of our system. Making similar observations for the other nonselfloop activity loops, we arrive at supervisor NewB4, shown in Figure 8 , which is now non-selfloop ALF and CS deterministic. Similarly, we derive replacement supervisors NewB4Path, NewB6 and NewB7, also shown in Figure 8 .
When we replace supervisors B4, B4Path, B6 and B7 with the new versions in Figure 8 and rerun the tests from Section 5.7, we find that the new system still passes all required conditions.
Controller implementation
We now convert our supervisors into modular controllers using the method described in Section 4.6. Figure 9 shows the results of converting the supervisors from Figure 8 . Please note that selflooped events in the supervisors contribute to enablement information, but not next-state information.
To keep the diagrams for FSM NewB4Path and FSM NewB4 simple, we took a couple of shortcuts. This was done strictly for readability purposes, and would not be done with an automated conversion process. Technically, the next-state condition from state 1 to state 0 of FSM NewB4Path should be ([937] Á ![939]) þ (![937] Á [939]). However, examining the plants and supervisors in Figures 6 and 7 , we see that events 937 and 939 can never occur in the same clock period so we can safely simplify this condition to [937] þ [939]. We can make a similar simplification for FSM NewB4 and the transition leaving state 1, labelled [951] þ [953].
The results of converting the remaining supervisors are shown in Figure 10 . The FSM for supervisors B2, Force963, and Force965 deserve some clarification. If we examine supervisor B2 in Figure 7 , we see the loop no921-tick at state 0. Technically, the transition at state 0 of FSM B2 should be labelled [921]Á![no921]. However, these events can never occur in the same sampling period and loop no921-tick will get absorbed by the DEF transition; thus simplifying the transition label to [921] will not cause any confusion. Similar simplifications were made with respect to state 2 in supervisors Force963 and Force965, for their FSM.
We note that we could further simplify the FSM by removing outputs for no963a/b, no965a/b and no921. The reason they can be removed is because the plants ignore the events, and no FSM changes state based on these events; thus they serve no useful purpose in the FSM. This is not surprising as these events were adding to the TDES to allow for a modular way of expressing the concept 'force this event as soon as it is possible in the plant and enabled by all supervisors'. This is not straightforward since in TDES expressing forcing (disable tick) and enablement (enable prohibitable event) are not done in the same way.
However, these events are not needed for SD controllers since a prohibitable event is forced by the controllers as soon as it is enabled by all modular controllers. Also, as we require the plant to be complete for our supervisors, we are guaranteed that if our controllers enable the event, the event will be possible in the plant.
Conclusions
In this article, we establish a formal representation of a SD controller as a Moore synchronous FSM, and describe how to translate a TDES supervisor to a FSM, as well as necessary properties to be able to do so. We discuss how to construct a single centralised controller as well as a set of modular controllers, and show that they will produce equivalent output. Implementing modular supervisors as a set of modular controllers provides a compact implementation method.
SD controllers provide, for the first time, a standard implementation target for TDES that supervisors can be easily converted to using an automated method, and that provides a formal model that can be used to prove correctness about the implementation with respect to controllability, forcing, and nonblocking properties. In combination with the related SD controllability properties, SD controllers address a number of important concurrency and timing issues, and promise to usher in the ability to easily, automatically translate a TDES supervisory into a reliable implementation.
We describe the SD setting and the properties that it requires, in particular SD controllability. We discuss in detail the application of the SD controllability definition to a small FMS from the literature. This not only demonstrates the applicability of the method, but gives designers useful guidance in understanding and applying the new conditions. We also present some FSM translation issues encountered, as well as the FSM version of the system's supervisors.
Future work
At the moment, the SD controllability and related properties are used strictly for verification purposes. The logical next step would be to develop a synthesis process for these properties and to automate the TDES supervisor to SD controller translation process.
