Design of asynchronous supervisors by Beohar, Harsh et al.
Design of asynchronous supervisors
Harsh Beohar ∗ Pieter Cuijpers † Jos Baeten ‡
April 2, 2019
Abstract
One of the main drawbacks while implementing the interaction be-
tween a plant and a supervisor, synthesised by the supervisory control
theory of Ramadge and Wonham, is the inexact synchronisation. Balemi
was the first to consider this problem, and the solutions given in his PhD
thesis were in the domain of automata theory. Our goal is to address the
issue of inexact synchronisation in a process algebra setting, because we
get concepts like modularity and abstraction for free, which are useful to
further analyze the synthesised system. In this paper, we propose four
methods to check a closed loop system in an asynchronous setting such
that it is branching bisimilar to the modified (asynchronous) closed loop
system. We modify a given closed loop system by introducing buffers ei-
ther in the plant models, the supervisor models, or the output channels of
both supervisor and plant models, or in the input channels of both super-
visor and plant models. A notion of desynchronisable closed loop system
is introduced, which is a class of synchronous closed loop systems such
that they are branching bisimilar to their corresponding asynchronous
versions. Finally we study different case studies in an asynchronous set-
ting and then try to summarise the observations (or conditions) which
will be helpful in order to formulate a theory of desynchronisable closed
loop systems.
1 Introduction
Supervisory control theory (RW-theory) [10, 11] performs automatic synthesis
of a supervisor which controls a plant such that a corresponding requirement
(legal behaviour) is achieved. In control theory terminology,
• the model which is to be controlled is known as plant,
• the model which specifies the requirement is known as specification,
• the model which forces the plant to meet the specification by interacting
with it is known as supervisor.
∗h.beohar@tue.nl
†P.J.L.Cuijpers@tue.nl
‡josb@win.tue.nl
1
ar
X
iv
:0
91
0.
08
68
v1
  [
cs
.L
O]
  5
 O
ct 
20
09
• the interaction between the plant and the supervisor is known as closed-
loop behavior.
The closed loop behaviour in RW-theory is realized by synchronous parallel
composition. Informally, it allows a plant and a supervisor to synchronise on
common events while other events can happen independently.
One of the main drawbacks while implementing the interaction between a plant
and a supervisor, synthesised by the supervisory control theory of Ramadge and
Wonham, is the inexact synchronization [6]. In practical industrial application
the interaction between a plant and a supervisor is not synchronous but rather
asynchronous. Due to the synchronous parallel composition, the interaction
between the plant and the supervisor is strict. By strict we mean that, either
plant or supervisor has to wait for the other party while synchronising. To
overcome this problem it is important to study asynchronous communication
between the plant and the supervisor where communications are delayed in
buffers. The choice of buffers depends on the domain of the system to be
modeled. For instance, to model delay insensitive circuits, a wire (see [9]) could
be chosen as a buffering mechanism, while to model data-flow networks (see [8])
a queue could be used as a buffering mechanism.
Balemi was the first to consider the inexact synchronisation problem, and the
solutions given in his PhD thesis [5] were in the domain of automata theory. In
[5] an input-output interpretation was given between a plant and a supervisor
and a special delay operator was introduced to model the delay in communica-
tion. Furthermore, to achieve modularity and abstraction in supervisory control
theory, the original theory was extended with the concepts of decentralised con-
trol and partial observation, respectively. These concepts were also developed
in [5].
The disadvantage of a theory to be based on automata theory is that it requires
development of some special concepts like decentralised control for modularity
in case of RW-theory. If the theory is based on process algebra, these addi-
tional concepts can be attained for free. Congruence is one of the key features
in process algebra which helps in achieving this modularity in system design.
Modularity is a way of designing a complex system by dividing it into different
smaller components or subsystems.
Process algebra is one of the ways in which one can formally specify a system
behaviour. It contains different constructs such as sequential composition, and
parallel composition which are used as a basic building block to specify any
desired behaviour. Apart from this, process algebra also provides modularity
in system design, and abstraction from behaviour in system analysis. In this
paper we show that it is possible to redesign a synchronous closed loop system
in in an asynchronous setting by performing three case studies. Finally, some
conditions are given which will be helpful in formulating the theory of desyn-
chronisable closed loop systems. A synchronous closed loop system is called
desynchronisable iff it is branching bisimilar to a corresponding asynchronous
closed loop system.
This report is organized as follows. Section 2 introduces the overall background
required for this report and consists of three sub-sections with the following de-
scription. In subsection 2.1 we introduce the formal language in which different
models (like plant, supervisor or requirement) are specified. In subsection 2.2
2
we define different buffer models in the specification language. In subsection 2.3
we give a brief introduction on RW-theory and discuss the relation and some
results from previous literature with respect to our specification language. In
section 3 the work-flow for the different case-studies is given. In particular, it
explains how different tools can be used to refine synchronous communication
into asynchronous communication. Then the subsections 3.1,3.2, and 3.3 are
devoted to explain three different case studies. Finally, in section 4 we discuss
the key conditions which were satisfied by the synchronous closed loop systems
in the case studies such that they were branching bisimilar to the corresponding
asynchronous version.
2 Preliminaries
2.1 Specification language
We consider the TCP process algebra [4] as the suitable formalism which will
be used throughout this paper. This choice is motivated by the following two
main reasons:
• One of our goals is to develop this theory and implement it in the current χ
[3] tool set as an extended functionality. We know that TCP as a language
is a subset of χ and is simpler to work upon, as the latter has a constructs
to model hybrid systems while the former is used to model discrete event
systems only.
• Previous studies [8, 7, 12] of an asynchronous process composed using
buffers used failure equivalence. By studying asynchronous system using
TCP we want to find out whether it is possible to state results in a equiv-
alence finer than trace or failure equivalence (see [13], for the lattice of
process equivalences).
In this paper we use D and H to denote finite sets of data elements and channel
names, respectively. Then for each channel h ∈ H and each d ∈ D, assume the
presence of the following atomic actions:
• h!d : send a data element d at channel h,
• h?d : receive d at channel h, and
• h?!d : communicate d at channel h.
The following notation and definition will be used throughout the paper. The
complete set of actions is denoted by A where A = {h!d, h?d, h?!d | ∀d ∈ D ∧
∀h ∈ H}. Then the communication function γ : A × A → A is defined for
all h ∈ H as γ(h!d, h?d) = γ(h?d, h!d) = h?!d and undefined otherwise. Define
the blocking set as B = {h?d, h!d | d ∈ D ∧ h ∈ H} and the hiding set as
I = {h?!d | d ∈ D ∧ h ∈ H}. The set of all process terms (denoted by P) is then
defined by the following grammar:
3
P , 0 deadlock process
| 1 empty process or skip
| h!d ·P action prefix, where ! ∈ {?, !, ?!}
| P + P alternative composition
| P ‖ P parallel composition
| ∂B(P) action encapsulation, where B ⊆ B
| τI(P) abstraction (hiding of actions), where I ⊆ I
| ρf (P) renaming of process, wheref : A → A.
| R recursive definition
The notationR denotes a recursion definition by a set of pairs {X0 = t0, . . . , Xm =
tm} where Xi denotes a recursion variable and ti the process term defining it.
The formal semantics for these operators can be found in [4].
Note that in the above definition of process terms it is possible that a process
may have the same channel for sending and receiving a data element. But
such processes causes a problem while constructing an asynchronous closed loop
system from its synchronous counter part. The problem is following: ”Suppose
a process X has h?a and h!b in its alphabet. Then the information whether
h is an input or an output channel is unknown. In this paper we construct
an asynchronous process by introducing input queues in input channels and
output queues in output channels. The difference between input and output
queues will be cleared later in Section 3. Thus, the information whether an
input or an output queue should be attached with channel h becomes unclear”.
In order to simplify things, we assume that every process has different channels
for sending and receiving. Let α(Q) denote the alphabet (see [4]) of a process
Q. Formally, a process Q ∈ P is called a simple process iff ∀h, d.[h!d ∈ α(Q)⇒6
∃d′.[h?d′ ∈ α(Q)] and vice versa. We will work with plants and supervisors
which are specified as simple processes.
We now introduce the transition system for a process and for a synchronous
closed loop system which will be helpful in defining conditions, presented in
Section 4. A transition system generated by a process X ∈ P is denoted by
quintuple TX = (QX ,→X , qiX , AX), where QX denotes the set of states, →X⊆
QX×AX×QX is the transition relation, qiX is the initial state of the process X,
and AX ⊆ A is the alphabet of X. In this paper we make distinction between
a transition system for a process and a transition system for synchronous ( or
asynchronous ) closed loop system. This distinction is based on the alphabet of
a process, i.e. for a process X which can be used to model a plant or a supervisor
the alphabet of X should be a set B ⊆ B while for a closed loop system Y it
should be a set I ⊆ I. We use notation TX for a transition system of a process
X, TSC for a synchronous closed loop system. In the next subsection we define
the different buffer processes which will be used later to study asynchronous
communication with respect to these different kinds of buffer.
2.2 Buffer models
In the previous subsection we defined the syntax of the formal language which
will be used for specifying plant, supervisor, requirement and buffers. A buffer
is a process which receives data from another process and stores that data until
another process reads it. For example, a buffer can be a queue (FIFO), or a
4
stack (LIFO), or a wire, or a bag. Before defining the different buffer processes
in the above language, we need to define an auxiliary set for channels. This
is necessary for the conversion of a given synchronous closed system into an
asynchronous one. So assume that the set H is closed under ˆ , i.e. if h ∈ H
then also hˆ ∈ H. Then define renaming functions fˆ : H → H and f : H → H as
follows:
• for any k ∈ H, fˆ(k) = kˆ,
• for any kˆ ∈ H, f(kˆ) = k,
• for k ∈ H not in the image of fˆ , f(k) = k.
The subscript notation fi (fo) is used to indicate the renaming of input (output)
channels only. Now we give the formal definition for different types of buffers.
Definition 2.1. (Queue). Let ε denote the empty list. Let ξ denote a list
of data elements. Let e.ξ, and ξ.d denote a list with first element e and last
element d, respectively. Then, a queue with input channel h ∈ H and output
channel hˆ = fˆ(h) is specified as follows:
Qh(ε) =
∑
d∈D
h?d · Qh(d.ε)
Qh(ξ.d) = hˆ!d · Qh(ξ) +
∑
e∈D
h?e · Qh(e.ξ.d)
(for every ξ ∈ D∗, d ∈ D.)
Now define a queue for every set of channels H ⊆ H:
QueueH =‖h∈H Qh(ε)
Definition 2.2. (Stack). A stack with input channel h ∈ H and output channel
hˆ = fˆ(h) is specified as follows (with parameters as in definition 2.1):
Sh(ε) =
∑
d∈D
h?d · Sh(d.ε)
Sh(d.ξ) = hˆ!d · Sh(ξ) +
∑
e∈D
h?e · Sh(e.d.ξ)
(for every ξ ∈ D∗, d ∈ D.)
Now define a stack for every set of channels H ⊆ H:
StackH =‖h∈H Sh(ε)
Definition 2.3. (Wire). A wire with input channel h ∈ H and output channel
hˆ = fˆ(h) is specified as follows (with parameters as in definition 2.1):
Wh(ε) =
∑
d∈D
h?d · Wh(d.ε)
Wh(d) = hˆ!d · Wh(d) +
∑
e∈D
h?e · Wh(e).
5
Now define a wire for every set of channels H ⊆ H:
WireH =‖h∈H Wh(ε)
Definition 2.4. (Bag). Let ∅ denote the empty multiset. Let ξ denote a
multiset of data elements . Let ξuniondbl{e} denote the multiset ξ with the multiplicity
of e increased by 1 and ξ e {e} denote the multiset ξ with the multiplicity of
e decreased by 1. Then, a bag with input channel h ∈ H and output channel
hˆ = fˆ(h) is specified as follows:
Bh(∅) =
∑
d∈D
h?d · Bh(∅ uniondbl {d})
Bh(ξ) =
∑
e∈ξ
hˆ!e · Bh(ξ e {e}) +
∑
f∈D
h?f · Bh(ξ uniondbl {f})
(for every ξ ∈ D∗, d ∈ D.)
Now define a bag for every set of channels H ⊆ H:
BagH =‖h∈H Bh(∅)
2.3 Supervisory control theory
In this subsection we give a brief introduction to the RW-theory in our setup.
The basic building block in RW-theory is a deterministic automaton. Plants
and supervisors are allowed to perform actions or events which are divided
into two disjoint subsets: controllable events and uncontrollable events, i.e.
D = Dc unionmultiDuc. The idea behind this partition is that the supervisor can enable
or disable controllable events so that the closed loop behavior is the same as
the specification under language equivalence. Furthermore, it can observe but
cannot influence uncontrollable events.
The two basic differences from the original theory and the current setup are
following. Firstly, we use processes as the building blocks instead of automata.
As a consequence we work with finer equivalence than language equivalence.
Secondly, we follow the input-output interpretation [5] between a plant and a
supervisor (see Figure 1). In this interpretation the uncontrollable events are
outputs from a plant to a supervisor and the controllable events are outputs
from a supervisor to a plant.
Next we introduce the term deterministic process which will be helpful in defin-
ing a plant, supervisor and requirement models in our setup.
Definition 2.5. A process Y ∈ P is called a deterministic process [4] if and
only if for all states Y of the transition system (generated by the operational
rules) it holds that Y a−→ U ∧ Y a−→ Z ⇒ U ≡ Z, where U,Z ∈ P, and U ≡ Z
means U and Z are syntactically equivalent.
The three basic entities in the RW-theory are: a plant, a supervisor, and a
requirement. A plant is a simple and deterministic process P ∈ P that does
not contain communication actions. The requirement of determinism is nec-
essary because the RW-theory (and its synthesis tool TCT [15]) is based only
on deterministic finite automata. The condition that a plant process does not
6
Figure 1: Context diagram for plant and supervisor.
contain communication actions can be stated formally as ∂I(P ) ↔ P . The
requirement of the above condition is due to the construction of asynchronous
processes which is explained in detail in following lines. Buffers (like queues,
stack, etc) are introduced in both input and output channel. So if communi-
cation actions (like h?!d ∈ I) are allowed in the specification of a plant process
then the information whether the channel h would be an input or an output
channel of the plant process is unknown. Similarly, a supervisor is a simple and
deterministic process S ∈ P such that ∂I(S)↔ S.
A requirement is a process which specifies the legal interaction that should
occur while the plant and supervisor are interacting such that a required task
(for which supervisor is synthesised) is completed. Thus, a requirement is a
deterministic process E ∈ P such that ∂B(E) ↔ E. This condition suggests
that a requirement process should contain only communication actions in its
alphabet.
Now we can state the control problem as follows: find a supervisor S for a given
plant P and a given requirement E such that,
∂B(P ‖ S)↔ E.
In this paper we do not consider how the supervisor is computed and rather
use the solution [15] which provides a closed loop system ∂B(P ‖ S) strongly
bisimilar to a requirement E. Then the aim of this paper is to check whether it
is possible to construct an asynchronous closed loop system (Figure 2(b)) such
that it is branching bisimilar with its corresponding synchronous closed loop
system (Figure 2(a)).
3 Approach
As already discussed in the introduction section, it is important to study an
asynchronous interaction between a plant and a supervisor to model an indus-
trial application. So in this section we first give four ways to construct an
asynchronous closed loop system from a given synchronous closed loop system.
Then, a work-flow is presented which explains how different tools can be used
to refine synchronous communication into asynchronous communication in a
straightforward and correct way. Later we redesign three case studies in an
7
(a) Synchronous closed loop system.
(b) Asynchronous closed loop system.
Figure 2: Illustration of the research question.
asynchronous setting based upon the above work-flow and methods which were
already modelled by the System Engineering group of Eindhoven university of
technology (TU/e) in the synchronous setting [14].
A synchronous closed loop system (Figure 2(a)) can be converted into an asyn-
chronous one by introducing queues (see Fiugre 2(b)) in following ways:
M1. introducing queues between the plant and supervisor process models such
that the interaction between the plant and queues are hidden (see Fig-
ure 3(a)). The thick lines are used to indicate the visible interaction and
thin lines are used to indicate the invisible interaction in Figure 3.
M2. introducing queues between the plant and the supervisor process models
such that the interaction between the supervisor and queues are hidden
(see Figure 3(b)).
M3. introducing the queues between a plant and a supervisor such that the
interaction between the output channels of both plant and supervisor with
their corresponding queues are hidden (see Figure 3(c)).
M4. introducing the queues between a plant and a supervisor such that the
interaction between the input channels of both plant and supervisor with
their corresponding queues are hidden (see Figure 3(d)).
Note that the above indices M1, M2, M3, and M4 are important as they will be
used while presenting the results obtained from all the three case studies.
To study an asynchronous interaction between a plant and a supervisor we
present the work-flow shown in Figure 4, which checks whether the synchronous
and the asynchronous implementation of a plant and a supervisor are equivalent.
We check for both branching bisimulation equivalence and weak trace equiva-
lence between the two closed loop systems. Our approach assumes that a plant
8
(a) Construction method, M1.
(b) Construction method, M2.
(c) Construction methods, M3.
(d) Construction methods, M4.
Figure 3: Different ways to construct an asynchronous closed loop system.
9
Figure 4: Work-flow for refinement of synchronous communication into asyn-
chronous communication
model and a requirement model are given as automata. The tool Supremica [2]
is used to synthesise the supervisor for a given plant and a given requirement
model. The synthesised automaton is then converted into a process algebraic
model in TCP language. Similarly the plant automaton model is also converted
into a process algebraic model. This conversion of automaton models into pro-
cess models is done manually, indicated by the dashed lines (Figure 4). Finally,
the tool-set mcrl2 [1] is used to check for the branching bisimulation relation
between a synchronous closed loop and an asynchronous closed loop system de-
signed by each construction method. The following case studies are modified in
this report under asynchronous setting:
1. Two machines and a buffer example.
2. Pusher-lift system.
3. Pneumatic cylinder.
For each of the case studies we follow the work-flow as presented. In the next
subsections we first introduce the three case studies, and in the last subsec-
tion 3.4 we present the overall results obtained in a table. The mCRL2 specifi-
cation for all the three case studies can be found in Appendix A,B,C.
3.1 Two machines and a buffer example.
This case study is adapted from the examples given in the Supremica tool set [2].
The case study consists of two machines which are connected through a buffer.
10
(a) Plant Models. (b) Requirement
model.
(c) Supervisor model.
Figure 5: Two machines and a buffer example.
11
The control task is to synthesise a supervisor which controls the two machines
such that the requirement is met, see Figure 5(b). The plant models are shown in
Figure 5(a), the requirement model in Figure 5(b) and the synthesised supervisor
in Figure 5(c). Note that the synchronous closed loop system for this case study
is isomorphic to the supervisor transition system, except for the naming of the
action labels. The action labels in a closed loop system will have ?! symbol, while
in a supervisor process they will be annotated with either ? or !.
The asynchronous system contained finitely many states and the results per-
taining to this case study are shown in Figure 12.
3.2 Pusher-lift system [14]
The pusher lift system is a case study taken from a set of lecture notes on
supervisory control course [14]. The overall system consists of a lift that can
go up and down, a pusher that can retract and extend, and a product holder
(see Figure 6(a)). The plant model of the lift is shown in Figure 6(c), pusher
and product holder models in Figure 6(b), and the different requirements are
shown in Figure 7. The synthesised supervisor model using the Supremica tool
is shown in Figure 8. Note that the synchronous closed loop system for this
case study is also isomorphic to the supervisor transition system, except for the
naming of the action labels.
The asynchronous closed loop system composed by all the four construction
methods contained a deadlock for this case. Further analyzing the asynchronous
closed loop system it was identified that the cause of the deadlock was a self
loop in the plant model. This situation is explained by the following example
in Figure 9 where a plant, a supervisor and a synchronous closed loop is given.
When the asynchronous closed loop system is designed with the construction
method M1, the following trace indicated the deadlock: < h1?!a1 ·h3?!a3 ·h2?!a2 ·
hˆ2?!a2 ·hˆ1?!a1 ·hˆ3?!a3 > as the transition k?!b is not possible. Note that in the above
trace the actions decorated with “ˆ” will be performed by plant model. More-
over, the removal of self loop (h2?!a2) does not affect the synchronous closed loop
system and then the above trace will not be valid for the modified asynchronous
closed loop.
Note that the results obtained for all the construction methods are shown in
Figure 12 with respect to both, modified plants (i.e. plant models without self
loops) and original plants.
3.3 Pneumatic cylinder [14]
The task in this case study is to design a supervisor that makes a cylinder
move out when a push button is activated. Pushing the button will start the
extending movement and releasing the button will start the retracting movement
(see Figure 10). The control signals ci and co are used to make the cylinder move
in and out. The detection of the cylinder being at its innermost (outermost)
position is realized through sensor psi (pso). The plant and requirement models
are shown in Figure 11(a). The synthesised supervisor is shown in Figure 11(b).
Note that the transition system of synchronous closed loop system is again
isomorphic to supervisor model, except for the action labelling.
12
(a) Pusher-lift system [14].
(b) Pusher and Product model
(c) Lift model
Figure 6: Plant models for Pusher-lift system.
13
Figure 7: Requirement models for Pusher-lift system.
Figure 8: Supervisor model for Pusher-lift system.
Figure 9: Deadlock caused by the self loop.
14
Figure 10: Schematic diagram of pneumatic cylinder [14].
(a) Plant and requirement models for Pneu-
matic cylinder.
(b) Synchronous closed loop model (Supervisor model) for
Pneumatic cylinder.
Figure 11: Pneumatic cylinder case study models.
15
Figure 12: Results obtained from all the case studies.
In this case all the asynchronous closed loop systems designed by different meth-
ods were containing infinitely many states. To further analyse this system, all
the asynchronous closed loop systems were redesigned with 1 place queues. The
results pertaining to all the construction methods are shown in Figure 12.
3.4 Results
In this subsection we present the results obtained for all the three case-studies in
the Figure 12. The following are the key observations found in the table shown
in Figure 12. We use the phrase ‘positive result’ to mean that synchronous
closed loop system is equivalent to asynchronous one.
• The construction method M1 yielded positive result for the all case studies
with respect to weak trace equivalence.
• In the modified pusher lift case study, only M1 and M3 yielded positive
result under weak trace equivalent even though the asynchronous closed
loop system constructed by M1 was branching bisimilar to synchronous
one.
• The toy example case study had positive results for all the construction
methods.
The construction method M1 satisfied the most number of case studies under
weak trace and branching bisimulation equivalence. This makes M1 a suitable
candidate to further study and answer our research question.
4 Discussion
In this section we sketch the conditions for a synchronous closed loop system
to be desynchronisable. A synchronous closed loop system is called desynchro-
16
nisable iff it is branching bisimilar to the corresponding asynchronous closed
loop system. These conditions are important as they prevent the constructed
asynchronous closed loop system from deadlocks and generation of infinitely
many states. Before we give these conditions formally we need some auxiliary
definitions. First, we ask the reader to recall the definitions of transition system
of a process, and a synchronous closed loop system as defined in Section 2.1.
Let η : QC → 2I be a function which returns a set of enabled actions at a
state in a synchronous closed loop system C, i.e. η(qC) = {a | qC a−→}, where
qC ∈ R, a ∈ I. Let Br : R → N be a function defined as Br(qc) = |η(qc)|,
which is used to access the degree of branching at a state.
Furthermore, we partition the set I (defined in Section 2.1) into two disjoint
subsets IiP , IoP with respect to the given plant process P as:
• IiP = {h?!a | h?!a ∈ I ∧ h ∈ inch(P )}.
• IoP = {k?!a | k?!a ∈ I ∧ k ∈ outch(P )}.
The following conditions are sufficient for desynchronisability:
1. Plant and supervisor composition must be well posed. This term is bor-
rowed from [5] where it was used for similar purpose, i.e. to ensure the
asynchronous closed loop system is deadlock free. Consider the transition
system TP = (QP ,→P , qiP ,B) for a plant process P . Similarly consider
TS as the transition system of a supervisor process S with TS = (QS ,→S
, qiS ,B). Let N : B∗ → B∗ be a function defined as: N(h?a.s) = h!a.N(s)
and N(h!a.s) = h?a.N(s) for some sequence s ∈ B∗, and the dot symbol
(.) indicates the concatenation of the sequence. Then, the plant and su-
pervisor composition is called well posed iff the following conditions are
satisfied:
∀s ∈ B∗, h!a ∈ A.[qiP s→− P qP h!a−→P ⇒ qiS
N(s)→− S qS h?a−→S ] ∧
∀s ∈ B∗, h!a ∈ A.[qiS s→− S qS h!a−→S ⇒ qiP
N(s)→− P qP h?a−→P ].
For example, consider a plant process P = h!a · l?c · P + k!b · 0 and a
supervisor process S = h?a·l!c·S. It is easy to verify that the synchronous
closed loop system is deadlock free, as ∂B(P ‖ S) = h?!a · l?!c · ∂B(P ‖ S).
But when asynchronous closed loop system is designed using construction
method M1 it will deadlock, because the plant can reach a deadlock state
(0) by performing an action k!b.
2. No self loops in either plant model or supervisor model, i.e. both plant
and supervisor should not contain a state such that a transition from that
state lead into that same state. Let TP , TS be the transition system for a
plant and a supervisor, respectively. Then, Tj must satisfy the condition
∀a ∈ B, 6 ∃ qj ∈ Qj .[qj a−→ qj ] for j ∈ {P, S}.
The need of this condition was explained with an example in Pusher-lift
case study (Section 3.2), which resulted in a deadlocked state in asyn-
chronous closed loop system even though the synchronous closed loop
system was deadlock free.
17
Figure 13: Important property for desynchronisability.
Figure 14: Cycles containing only controllable actions causes infinite states.
3. All the states in a transition system for closed loop system must satisfy
the diamond property (see Figure 13). Let TC be a transition system of
a synchronous closed loop system C. Then TC is said to satisfy diamond
property iff the following condition holds
∀a, b ∈ I, q, q1, q2 ∈ QC .
[
q
a−→ q1 ∧ q b−→ q2 ⇒ ∃q3.[q1 b−→ q3 ∧ q2 a−→ q3]
]
.
This condition is required for establishing a branching bisimulation rela-
tion between a synchronous and an asynchronous closed loop system.
4. All the cycles from the initial state in a synchronous closed loop system
must have at least one controllable, and one uncontrollable action in that
cyclic trace. Again let TC be a transition system of a synchronous closed
loop system. Then,
∀pi ∈ I∗.
[
qiC
pi→− qiC ⇒ (pi ∩ IiP 6= ∅) ∧ (pi ∩ IoP 6= ∅)
]
.
Note, that we abuse the notation x∩A to denote the set of elements that
occur both in the sequence x and the set A. Intuitively, this condition
ensures the progress of the components (i.e. plant and supervisor) in
an asynchronous interaction. Consider the following example where P =
(k?b ·h?a+h?a · k?b) ·P and S = (k!b ·h!a+h!a · k!b) ·S. It is clear to see
that ∂B(P ‖ S) = (k?!b ·h?!a+h?!a ·k?!b) ·∂B(P ‖ S), and there exists a cycle
of actions (h?!a ·k?!b)∗ such that all actions are controllable actions. In this
case the asynchronous closed loop system will have infinite states because
supervisor S can always send the controllable actions k!b, or h!a to the
unbounded queue, and the plant can wait forever to remove these actions
from the queue (see Figure 14). In figure 14 the two states with triangles
indicate that the transitions from these two states are same as that of the
black state. A similar example can also be given in which cycles contain
only uncontrollable actions.
18
Note that the formal proof of the above fact is under construction and will be
published in future.
A Final Remark. The transition systems generated by the four methods
from a synchronous closed loop system are always isomorphic to each other
apart from the difference in abstraction of actions. A hypothesis which one
would expect to hold is that, all the four construction methods should always
yield an equivalent asynchronous closed loop systems at least modulo weak
trace equivalence. But the results shown in the Figure 12 implies that the
above hypothesis is not true in general and the abstraction of actions does
matter while reducing a transition system (the asynchronous one) even modulo
weak trace equivalence. We conclude this report by framing the following open
question namely, “which of the construction methods classify a larger class of
desynchronisable closed loop system with respect to an equivalence relation?”
References
[1] The mcrl2 tool-set. www.mcrl2.org.
[2] The Supremica software. www.supremica.org.
[3] J. C. M. Baeten, D. A. van Beek, P. J. L. Cuijpers, M. A. Reniers, J. E.
Rooda, R. R. H. Schiffelers, and R. J. M. Theunissen. Model-based En-
gineering of Embedded Systems Using the Hybrid Process Algebra Chi.
Electron. Notes Theor. Comput. Sci., 209:21–53, 2008. ISSN 1571-0661.
[4] J. C. M. Baeten, T. Basten, and M. Reniers. Process Algebra: Equational
Theories of Communicating Processes. Cambridge University Press, 2009.
[5] Silvano Balemi. Control of Discrete Event Systems: Theory And Applica-
tion. PhD thesis, Swiss Federal Institute of Technology, Automatic Control
Laboratory, ETH Zurich, May 1992.
[6] M. Fabian and A. Hellgren. PLC-based implementation of supervisory
control for discrete event systems. Proceedings of the 37th IEEE Conference
on Decision and Control, 1998, 3:3305–3310, 1998.
[7] Clemens Fischer and Wil Janssen. Synchronous development of asyn-
chronous systems. In Ugo Montanari and Vladimiro Sassone, editors,
Proceedings of CONCUR’96, volume 1119 of Lecture Notes in Computer
Science, pages 735–750. Springer-Verlag, 1996.
[8] He Jifeng, M. B. Josephs, and C. A. R. Hoare. A theory of synchrony and
asynchrony. In M. Broy and C. B. Jones, editors, Programming Concepts
and Methods, pages 459–479, 1990.
[9] Hemangee K. Kapoor and Mark B. Josephs. Modelling and verification
of delay-insensitive circuits using CCS and the concurrency workbench.
volume 89, pages 293–296. Elsevier North-Holland, Inc., 2004.
19
[10] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of
discrete event processes. SIAM Journal on Control and Optimization, 25
(1):206–230, 1987.
[11] P.J.G. Ramadge and W.M. Wonham. The control of discrete event systems.
Proceedings of the IEEE, 77(1):81–98, Jan 1989.
[12] A. W. Roscoe. The pursuit of buffer tolerance. unpublished draft, May
2005. URL http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/
publications/106.pdf.
[13] R. J. v. Glabbeek. Comparative concurrency semantics and refinement of
actions. Ph.D. thesis, CWI, Amsterdam, 1990.
[14] J.M. van de Mortel-Fronczak and Rong Su. Advanced supervisory control
- 4k460. http://w3.wtb.tue.nl/nl/onderzoek/research_groups/
system_engineering/se_educational_activities/se_courses/
4k460_advanced_supervisory_control.
[15] W. M. Wonham. Supervisory control of discrete-event systems. Monograph
ECE 1636F/1637S, University of Toronto, Dept. of Electrical & Computer
Engineering, 2008.
A mCRL2 model for two machine and a buffer
example
%%%%%%%%%%%%%Index for action names%%%%%%%%%%%%%%
%%l1 = load1
%%l2 = load2
%%ul1= unload1
%%ul2= unload2
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
act
s_l1,r_l1,s_l1’,r_l1’,c_l1,c_l1’,s_l2,r_l2,s_l2’,r_l2’,c_l2,c_l2’,
s_ul1,r_ul1,s_ul1’,r_ul1’,c_ul1,c_ul1’,s_ul2,r_ul2,s_ul2’,r_ul2’,c_ul2,c_ul2’;
proc
M1=r_l1’.s_ul1’.M1;
M2=r_l2’.s_ul2’.M2;
%M1=r_l1’.s_ul1.M1;
%M2=r_l2’.s_ul2.M2;
S0=s_l1.S4;
S4=r_ul1.S1;
S1=s_l2.S2;%
S2=r_ul2.S0 + s_l1.S5;
20
S5=r_ul2.S4 + r_ul1.S3;
S3=r_ul2.S1;
%S0=s_l1.S4;
%S4=r_ul1’.S1;
%S1=s_l2.S2;
%S2=r_ul2’.S0 + s_l1.S5;
%S5=r_ul2’.S4 + r_ul1’.S3;
%S3=r_ul2’.S1;
Ql1(x1: Int) = (x1==0)-> r_l1.Ql1(x1+1) <>
(s_l1’.Ql1(x1-1) + r_l1.Ql1(x1+1));
Ql2(x2: Int) = (x2==0)-> r_l2.Ql2(x2+1) <>
(s_l2’.Ql2(x2-1) + r_l2.Ql2(x2+1));
Qul1(ux1: Int) = (ux1==0)-> r_ul1’.Qul1(ux1+1) <>
(s_ul1.Qul1(ux1-1) + r_ul1’.Qul1(ux1+1));
Qul2(ux2: Int) = (ux2==0)-> r_ul2’.Qul2(ux2+1) <>
(s_ul2.Qul2(ux2-1) + r_ul2’.Qul2(ux2+1));
Plant=M1||M2;
Supervisor=S0;
init
hide({c_l1’,c_l2’,c_ul1’,c_ul2’},
allow({c_l1,c_l2,c_ul1,c_ul2,c_l1’,c_l2’,c_ul1’,c_ul2’},
comm({s_l1|r_l1->c_l1,s_l2|r_l2->c_l2,s_ul1|r_ul1->c_ul1,
s_ul2|r_ul2->c_ul2,s_l1’|r_l1’->c_l1’,s_l2’|r_l2’->c_l2’,
s_ul1’|r_ul1’->c_ul1’,s_ul2’|r_ul2’->c_ul2’},
Plant||Ql1(0)||Ql2(0)||Qul1(0)||Qul2(0)||Supervisor )))
;
B mCRL2 model for Pusher-lift case study.
%%%%%%Index for action names%%%%%%
%% asc=ascended
%% desc=descended
%% d0=down0
%% d1=down1
%% ext=extended
%% ret=retracted
%% pl1=place1
%% pld=placed
%% pu0=push0
%% pu1=push1
%% up0=up0
%% up1=up1
21
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
act
s_asc,r_asc,s_asc’,r_asc’,c_asc,c_asc’,s_desc,r_desc,s_desc’,r_desc’,
c_desc,c_desc’,s_d0,r_d0,s_d0’,r_d0’,c_d0,c_d0’,s_d1,r_d1,s_d1’,r_d1’,
c_d1,c_d1’,s_ext,r_ext,s_ext’,r_ext’,c_ext,c_ext’,s_pl1,r_pl1,s_pl1’,
r_pl1’,c_pl1,c_pl1’,s_pld,r_pld,s_pld’,r_pld’,c_pld,c_pld’,s_pu0,r_pu0,
s_pu0’,r_pu0’,c_pu0,c_pu0’,s_pu1,r_pu1,s_pu1’,r_pu1’,c_pu1,c_pu1’,s_ret,
r_ret,s_ret’,r_ret’,c_ret,c_ret’,s_up0,r_up0,s_up0’,r_up0’,c_up0,c_up0’,
s_up1,r_up1,s_up1’,r_up1’,c_up1,c_up1’;
proc
Pu1=r_pu0’.Pu1+r_pu1’.Pu2;
Pu2=s_ext’.Pu3;
Pu3=r_pu1’.Pu3 + r_pu0’.Pu4;
Pu4=s_ret’.Pu1;
%L0001=r_d0.L0001+r_up0.L0001+r_up1.L1001+r_d1.L0101;
L0001=r_up1’.L1001+r_d1’.L0101;
L1001=s_asc’.L1010;
%L1010=(r_up1+r_d0).L1010 + r_up0.L0010+r_d1.L1110;
L1010=r_up0’.L0010+r_d1’.L1110;
%L1110=(r_up1+r_d1).L1110 + r_d0.L1010 + r_up0.L0110;
L1110=r_d0’.L1010 + r_up0’.L0110;
%L0010=(r_up0+r_d0).L0010 + r_up1.L1010 + r_d1.L0110;
L0010=r_up1’.L1010 + r_d1’.L0110;
L0110=s_desc’.L0101;
%L0101=(r_up0+r_d1).L0101 + r_d0.L0001 +r_up1.L1101;
L0101=r_d0’.L0001 +r_up1’.L1101;
%L1101=(r_up1+r_d1).L1101 + r_up0.L0101+r_d0.L1001;
L1101=r_up0’.L0101+r_d0’.L1001;
Pr1=r_pl1’.Pr2;
Pr2=s_pld’.Pr1;
%Qpu0(pu0: Int) = (pu0==0)-> r_pu0.Qpu0(pu0+1) <>
% (s_pu0’.Qpu0(pu0-1) + r_pu0.Qpu0(pu0+1));
%Qpu1(pu1: Int) = (pu1==0)-> r_pu1.Qpu1(pu1+1) <>
% (s_pu1’.Qpu0(pu1-1) + r_pu1.Qpu1(pu1+1));
S0=s_d1.S11+s_pl1.S22;
S11=s_pl1.S9;
22
S22=s_d1.S9 + r_pld.S23;
S9=r_pld.S12;
S23=s_d1.S12;
S12=s_up1.S8 + s_d0.S24;
S8=s_d0.S21;
S24=s_up1.S21;
S21=r_asc.S2;
S2=s_pu1.S4;
S4=r_ext.S6;
S6=s_d1.S18+s_up0.S10+s_pu0.S3;
S18=s_up0.S20 + s_pu0.S15;
S10=s_d1.S20 + s_pu0.S7;
S3=s_d1.S15+s_up0.S7+r_ret.S1;
S20=r_desc.S16+s_pu0.S19;
S15=s_up0.S19+ r_ret.S14;
S7=s_d1.S19+r_ret.S5;
S1=s_d1.S14+s_up0.S5;
S16=s_pu0.S13;
S19=r_desc.S13+r_ret.S17;
S14=s_up0.S17;
S5=s_d1.S17;
S13=r_ret.S11;
S17=r_desc.S11;
Qpu0(x1: Int) = (x1==0)-> r_pu0.Qpu0(x1+1) <>
(s_pu0’.Qpu0(x1-1) + r_pu0.Qpu0(x1+1));
Qpu1(x2: Int) = (x2==0)-> r_pu1.Qpu1(x2+1) <>
(s_pu1’.Qpu1(x2-1) + r_pu1.Qpu1(x2+1));
Qext(x3: Int) = (x3==0)-> r_ext’.Qext(x3+1) <>
(s_ext.Qext(x3-1) + r_ext’.Qext(x3+1));
Qret(x4: Int) = (x4==0)-> r_ret’.Qret(x4+1) <>
(s_ret.Qret(x4-1) + r_ret’.Qret(x4+1));
Qd0(x5: Int) = (x5==0)-> r_d0.Qd0(x5+1) <>
(s_d0’.Qd0(x5-1) + r_d0.Qd0(x5+1));
Qd1(d1: Int) = (d1==0)-> r_d1.Qd1(d1+1) <>
(s_d1’.Qd1(d1-1) + r_d1.Qd1(d1+1));
Qup0(up0: Int) = (up0==0)-> r_up0.Qup0(up0+1) <>
(s_up0’.Qup0(up0-1) + r_up0.Qup0(up0+1));
Qup1(up1: Int) = (up1==0)-> r_up1.Qup1(up1+1) <>
(s_up1’.Qup1(up1-1) + r_up1.Qup1(up1+1));
Qasc(x6: Int) = (x6==0)-> r_asc’.Qasc(x6+1) <>
(s_asc.Qasc(x6-1) + r_asc’.Qasc(x6+1));
23
Qdesc(x7: Int) = (x7==0)-> r_desc’.Qdesc(x7+1) <>
(s_desc.Qdesc(x7-1) + r_desc’.Qdesc(x7+1));
Qpl1(pl1: Int) = (pl1==0)-> r_pl1.Qpl1(pl1+1) <>
(s_pl1’.Qpl1(pl1-1) + r_pl1.Qpl1(pl1+1));
Qpld(pld: Int) = (pld==0)-> r_pld’.Qpld(pld+1) <>
(s_pld.Qpld(pld-1) + r_pld’.Qpld(pld+1));
Plant=Pu1||L0001||Pr1;
Supervisor=S0;
init
%%For asynchronous closed loop system.
hide({c_asc’,c_desc’,c_d0’,c_d1’,c_ext’,c_pl1’,c_pld’,c_pu0’,c_pu1’,c_ret’,
c_up0’,c_up1’},
allow({c_asc,c_desc,c_d0,c_d1,c_ext,c_pl1,c_pld,c_pu0,c_pu1,c_ret,c_up0,c_up1,
c_asc’,c_desc’,c_d0’,c_d1’,c_ext’,c_pl1’,c_pld’,c_pu0’,c_pu1’,c_ret’,
c_up0’,c_up1’},
comm({s_asc|r_asc->c_asc,s_desc|r_desc->c_desc,s_d0|r_d0->c_d0,s_d1|r_d1->c_d1,
s_ext|r_ext->c_ext,s_pl1|r_pl1->c_pl1,s_pld|r_pld->c_pld,
s_pu0|r_pu0->c_pu0,s_pu1|r_pu1->c_pu1,s_ret|r_ret->c_ret,
s_up0|r_up0->c_up0,s_up1|r_up1->c_up1,
s_asc’|r_asc’->c_asc’,s_desc’|r_desc’->c_desc’,s_d0’|r_d0’->c_d0’,
s_d1’|r_d1’->c_d1’,s_ext’|r_ext’->c_ext’,s_pl1’|r_pl1’->c_pl1’,
s_pld’|r_pld’->c_pld’,s_pu0’|r_pu0’->c_pu0’,s_pu1’|r_pu1’->c_pu1’,
s_ret’|r_ret’->c_ret’,s_up0’|r_up0’->c_up0’,s_up1’|r_up1’->c_up1’},
(Plant||Supervisor||Qasc(0)||Qdesc(0)||Qd0(0)||Qd1(0)||Qext(0)||Qpl1(0)||
Qpld(0)||Qpu0(0)||Qpu1(0)||Qret(0)||Qup0(0)||Qup1(0))
)));
%% For synchrnous closed loop system.
%allow({c_asc,c_desc,c_d0,c_d1,c_ext,c_pl1,c_pld,c_pu0,c_pu1,c_ret,c_up0,c_up1},
% comm({s_asc|r_asc->c_asc,s_desc|r_desc->c_desc,s_d0|r_d0->c_d0,s_d1|r_d1->c_d1,
% s_ext|r_ext->c_ext,s_pl1|r_pl1->c_pl1,s_pld|r_pld->c_pld,s_pu0|r_pu0->c_pu0,
% s_pu1|r_pu1->c_pu1,s_ret|r_ret->c_ret,s_up0|r_up0->c_up0,s_up1|r_up1->c_up1},
%Plant||Supervisor
%));
C mCRL2 model for the Pneumatic cylinder
act
s_13,r_13,s_13’,r_13’,c_13,c_13’,s_14,r_14,s_14’,r_14’,c_14,c_14’,s_16,r_16,
s_16’,r_16’,c_16,c_16’,s_23,r_23,s_23’,r_23’,c_23,c_23’,s_24,r_24,s_24’,
r_24’,c_24,c_24’,s_25,r_25,s_25’,r_25’,c_25,c_25’,s_26,r_26,s_26’,r_26’,c_26,c_26’;
proc
P0=r_13’.P1;
24
P1=(s_14’+s_16’).P0;
Q0=r_23’.Q1;
Q1=r_25’.Q3+s_24’.Q2;
Q2=r_25’.Q3;
Q3=s_26’.Q0+r_23’.Q1;
Plant=P0||Q0;
%Note that for this case study 1 place queues are used.
%Because unbounded queues cause infinite states asynchronous
%closed loop system.
Q13(x13: Int) = (x13==0)-> r_13.Q13(x13+1) +
(x13==1)-> (s_13’.Q13(x13-1) + r_13.Q13(x13+1));
Q14(x14: Int) = (x14==0) -> r_14’.Q14(x14+1)+
(x14==1) ->( s_14.Q14(x14-1)+r_14’.Q14(x14+1));
Q16(x16: Int) = (x16==0) -> r_16’.Q16(x16+1) +
(x16==1) -> (s_16.Q16(x16-1)+r_16’.Q16(x16+1));
Q23(x23: Int) = (x23==0)-> r_23.Q23(x23+1) +
(x23==1)->( s_23’.Q23(x23-1)+r_23.Q23(x23+1));
Q25(x25: Int) = (x25==0)-> r_25.Q25(x25+1) +
(x25==1)->( s_25’.Q25(x25-1)+r_25.Q25(x25+1));
Q24(x24: Int) = (x24==0) -> r_24’.Q24(x24+1) +
(x24==1) -> (s_24.Q24(x24-1)+r_24’.Q24(x24+1));
Q26(x26: Int) = (x26==0) -> r_26’.Q26(x26+1) +
(x26==1) ->(s_26.Q26(x26-1)+r_26’.Q26(x26+1));
S0=s_13.S1;
S1=r_14.S0 + r_16.S2;
S2=s_23.S3;
S3=s_13.S4+r_24.S5;
S4=r_16.S3 +r_14.S6+ r_24.S7;
S5=s_13.S7;
S6=r_24.S8+s_25.S9;
S7=r_16.S5+r_14.S8;
S8=s_25.S9;
S9=s_13.S10+r_26.S0;
S10=r_16.S11 + r_26.S1 + r_14.S9;
S11=r_26.S2 + s_23.S3;
Supervisor=S0;
init
%For asynchronous closed loop system
25
hide({c_13’,c_14’,c_16’,c_23’,c_24’,c_25’,c_26’},
allow({c_13,c_13’,c_14,c_14’,c_16,c_16’,c_23,c_23’,c_24,c_24’,c_25,
c_25’,c_26,c_26’},
comm({s_13|r_13->c_13,s_13’|r_13’->c_13’,s_14|r_14->c_14,s_14’|r_14’->c_14’,
s_16|r_16->c_16,s_16’|r_16’->c_16’,s_23|r_23->c_23,s_23’|r_23’->c_23’,
s_24|r_24->c_24,s_24’|r_24’->c_24’,s_25|r_25->c_25,s_25’|r_25’->c_25’,
s_26|r_26->c_26,s_26’|r_26’->c_26’},
Plant||Q13(0)||Q14(0)||Q16(0)||Q23(0)||Q24(0)||Q25(0)||Q26(0)||Supervisor
)))
;
%% For synchronous closed loop sytem
%allow({c_13,c_14,c_16,c_23,c_24,c_25,c_26},
% comm({s_13|r_13->c_13,s_14|r_14->c_14,s_16|r_16->c_16,
% s_23|r_23->c_23,s_24|r_24->c_24,s_25|r_25->c_25,
% s_26|r_26->c_26},
% Plant||Supervisor
% ))%
% ;
26
