Abstract: Efficient algorithms for synthesis and verification of supervisors in the Supervisory Control Theory framework are presented. The presented algorithms solve the controllability problem. In many real-world applications both the plant and the specification are given as a set of interacting automata or processes. In this work, we exploit this modular structure to reduce the computational effort. First, we present an algorithm that verifies whether a given supervisor is controllable with respect to a plant. Second, we show how to synthesize a set of modular supervisors that, while interacting with the original supervisors, guarantee that the closed-loop system is controllable. Third, we show how the verification algorithm can be used as an efficient language inclusion algorithm. The presented algorithms are benchmarked on a real-world application.
INTRODUCTION
The Supervisory Control Theory (SCT) as introduced by Ramadge and Wonham presents a framework for synthesizing supervisors satisfying closed-loop specifications. For a detailed overview of the SCT see (Ramadge and Wonham, 1989). The SCT consists of two main components, the plant and the supervisor. The task of the supervisor is to dynamically disable events generated by the plant so that a given specification is fulfilled. The plant events are divided into two disjoint sub-sets, the controllable and the uncontrollable events. The supervisor is only allowed to disable controllable events, that is, the supervisor must be controllable with respect to the plant. In addition, the supervisor must also be such that from any state reachable in the closed-loop system, some state out of a set of designated states must be reachable. This is known as the non-blocking problem, and is a generalization of the deadlock problem. The deadlock problem has been studied extensively in the computer science literature (Corbett, 1996).
To transfer the SCT from academia into industry it is crucial to have efficient algorithms for synthesis and verification of supervisors. A major problem with the SCT is the computational effort, see (Gohari and Wonham, 2000). One approach to handle complexity is to use an efficient representation of the state space. Binary Decision Diagrams (BDDs) (Bryant, 1992) are widely used for this purpose. BDDs and their variants have been used for supervisory synthesis in (Hoffmann and Wong-Toi, 1992; Zhang and Wonham, 2001; Tronci, 1997). To the authors' knowledge, the current BDD-based implementations do not take advantage of the modular structure of the plant and the specification. Thus, BDD-based approaches rely on an exhaustive search of the global state space. Since this state space might be very large due to the state-explosion problem, even BDDs have their limits. Another approach to handle the complexity is to exploit the inherent modular structure of the problem. Algorithms can take advantage of the structure to solve smaller sub-problems that together solve the entire problem. Modular approaches to supervisory control have been presented in (Brandin et al., 2000; Wonham and Ramadge, 1988; Wong and Wonham, 1998). It is our belief that BDD-based approaches should be combined with modular approaches to efficiently handle even larger systems than is currently possible.
In this paper, we attack the controllability verification and synthesis problem by exploiting the modular structure of both the supervisor and the plant. In particular, we show how it is possible to exploit the fact that the alphabets of the different sub-systems might be unequal. This differs from the approach in (Brandin et al., 2000), where it is assumed that all sub-systems have the same alphabet. Efficient algorithms for verification and synthesis, both optimal and sub-optimal, are presented. The presented algorithms are implemented in the verification and synthesis tool Supremica. The algorithms are applied to a real-world central-locking system, and we present the computational effort needed for verifying and synthesizing the system.

The FSC has a useful property: the composition is associative and commutative with respect to the generated languages. This property implies that composition is easily extended to more than two automata at a time, which can be very efficient compared to synchronizing automata two at a time. The reason is that a potential blow-up of the intermediate state space is avoided.
The projection operator, Proj, is used to restrict a string to an event set Σ, by removing all occurrences of events not in Σ. Formally, the projection operator is defined as follows.
The projection and inverse-projection operators are extended to work on a language by applying the operator to all strings in the language.
In an automaton the inverse projection operation can be implemented by adding self-loops with events from Σ to all states. We assume that Σ in the inverse projection is disjoint from the alphabet of the automaton that generated the original language. For two automata P and S, the language of their FSC is L(P || S), where
Controllability
Let P be the automaton modeling the plant, and let S be the supervisor. We will assume that P and S are composed of a set of sub-plants and sub-supervisors, respectively, i.e., P = P_1 || ⋯ || P_n and S = S_1 || ⋯ || S_n. Both the sub-plants and the sub-supervisors might have different alphabets. A crucial requirement for S to function properly with respect to the plant is that it never tries to disable (or prevent) an uncontrollable event that can be generated by the plant; that is, that S is controllable with respect to P. The controllability condition can be written as a language inclusion test.
Definition 3. (Controllability). S is controllable with respect to
We do not assume by definition that the supervisor is controllable with respect to the plant. Instead, we want to restrict the behavior of the supervisor in order to make it controllable. Thus, it is also possible to think of the supervisor as a specification. This is discussed in detail in sections 3 and 4.
Note that Definition 3 presupposes that P and S have the same alphabet, which is a natural assumption. However, in a modular setting, the individual sub-plants and sub-supervisors do not in general have the same alphabets. Since we want to exploit the modularity in verifying controllability and synthesizing controllable supervisors, we have to take the non-equality of the alphabets into account. In this case, Definition 3 does not capture the necessary requirements, as is illustrated in Example 1. It might seem natural to extend the alphabets by introducing self-loops such that the alphabets become equal. This operation does not change L(P_i || S_j), but unfortunately it is not useful for modular controllability verification or synthesis, as is also shown by Example 1.

Fig. 1. The leftmost automaton is sub-plant P_1, the middle automaton is sub-plant P_2, and the rightmost automaton is the supervisor S. The plant is P = P_1 || P_2. The alphabets are:

Example 1. In Fig. 1 two sub-plants, P_1 and P_2 (the leftmost automata), together with a supervisor S (the rightmost automaton) for the composed plant P = P_1 || P_2 are depicted.
Clearly, Σ_P = Σ_S and S is controllable with respect to P. However, since Σ_{P_1} ≠ Σ_S, we cannot directly use the normal definition of controllability, (3), to verify controllability of S with respect to P_1. The usual way to defeat this problem is to augment Σ_{P_1} with the events of Σ_S \ Σ_{P_1}. This is effectively done by introducing self-loops into P_1 on the missing events, thus creating P_1', and then using the standard controllability verification algorithm to verify that S is controllable with respect to P_1'. As this example shows, though, this may surprisingly create the new problem that S is deemed not to be controllable with respect to P_1'. The reason for this is that the uncontrollable event u_2 will be self-looped in P_1' at both its states, and thus the strings u_2 and c_1 u_2 both belong to L(P_1'). On the other hand, those strings do not belong to L(S), while their prefixes ε and c_1 do. In the total plant P, the strings on which S fails controllability will not arise, since P_2 will only allow u_2 after c_2. Not being able to handle non-equal alphabets is clearly a problem when trying to do modular verification, since the sub-systems might not look controllable when the total system is, or vice versa. Note also that the same type of problems manifest themselves when Σ_S ⊂ Σ_{P_i}, as well as when projecting out events not in both alphabets, see (Flordal, 2001).
As Example 1 shows, in a truly modular setting we need to redefine controllability to handle automata with different alphabets. These new definitions will be presented in two forms. First, a definition based on automata is presented. This definition is similar to what the actual implementation looks like. Second, the controllability definition is formulated as a condition on the languages L(P) and L(S). This definition is similar to the standard controllability definition for equal alphabets. In the following definitions P and S are not necessarily the total supervisor and plant, respectively, but rather may be compositions of sub-supervisors and/or sub-plants.
Definition 4. (Controllability -Automata).
Let P be a plant and let S be a supervisor. No restrictions are placed on the alphabets of P and S. S is controllable with respect to P if for each string s ∈ L(S || P) the following relation holds,
where
That is, p is the state in P after observing the string s, and q is the corresponding state in S. Sometimes the term completeness is used to denote controllability between two automata.
The definition of controllability in terms of languages becomes more complicated with non-equal alphabets, forcing us to use inverse projection in order to be able to intersect languages.
Definition 5. (Controllability -Languages). The same assumptions as in Definition 4. S is controllable with respect to P if their languages fulfill the following relation.
Note that Definitions 4 and 5 are equivalent to Definition 3 when Σ_S = Σ_P.
Definition 6. (Configuration). A configuration is a finite set of automata.
We will regard the sets of sub-plants and sub-supervisors, as well as respective sub-sets thereof, as configurations. Thus, it becomes meaningful to define what we mean by controllability of one configuration with respect to another.
Definition 7. (Controllability -Configurations).
Let F_1 and F_2 be two configurations. F_1 is said to be controllable with respect to
Note that when implementing this check only one synchronization is needed, provided that more than two automata are allowed in a synchronization.
CONTROLLABILITY VERIFICATION
Definition 4 together with FSC, Definition 2, can be used to implement a controllability verifier. For each new state found by the FSC algorithm, it is checked whether (5) is fulfilled. If it is fulfilled for all states reachable from the initial state, then the (sub)system is controllable; otherwise it might not be controllable.
We assumed that the plant and the supervisor were composed of sub-plants and sub-supervisors. This modular structure will be exploited to verify controllability of the global system, i.e., P || S, by verifying controllability for a set of sub-systems. How to construct the sub-systems will be presented later; first we need some more definitions. We will introduce a function that, given a configuration, returns another configuration. We are then ready to present a sufficient condition for controllability.
Definition 8. (Event Dependence).
, and a plant P
. S is controllable with respect to P if
To prove the theorem we need to show (from (7))
Let σ . Note that all automata in P that include σ were selected in (8). Hence, it is not possible to find a σ such that (9) does not hold.
In an implementation it might in some situations be faster to verify all uncontrollable events for an S_i at once, i.e. change (8) to check if
is true. Theorem 1 can be extended to also handle this case.
If (8) P then the system is not controllable. Thus the only possibility for the system to still be controllable is when q is not reachable from the initial state. When verifying whether such a q exists, we may also find a path from the initial state to q. This path is of great importance to the user, who wants to use this information to get an idea of what is wrong. In case it is not possible to find a state q reachable from the initial state we have a false-alarm situation. These situations can be resolved by FSC with some of the other sub-automata, making the uncontrollable state unreachable. In our implementation, we use the following simple heuristic rule for selecting these automata. They are selected based on how many common events they have with the problematic configuration. Due to limited space we refer the reader to (Flordal, 2001). The bottom line is that the heuristics work well for those cases we have tried, but there exist pathological cases where these heuristics force FSC of all sub-supervisors and sub-plants, although these situations should be rare.
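As an added illustration (example code written for this page, not the paper's or Supremica's implementation), the following Python sketch implements FSC over any number of automata, the controllability check of Definition 4 for unequal alphabets with the path to the offending state, and the sub-plant selection of Theorem 1 in the all-events-at-once form. The automata P1, P2 and S are constructed after the description of Example 1 since Fig. 1 is not reproduced here, and events whose names start with "u" are taken to be uncontrollable by assumption.

```python
from collections import deque
# Constructed example, not the paper's or Supremica's code. An automaton is a triple
# (alphabet, initial, transitions[state][event] -> state); events named "u..." are uncontrollable.
def is_uncontrollable(event):
    return event.startswith("u")

def sync(automata):
    # Full synchronous composition of any number of automata, reachable part only:
    # a shared event moves every automaton that has it; the others stay put.
    alphabet = set().union(*(a[0] for a in automata))
    init = tuple(a[1] for a in automata)
    trans, todo = {init: {}}, [init]
    while todo:
        state = todo.pop()
        for ev in alphabet:
            nxt = []
            for (alpha, _, t), q in zip(automata, state):
                if ev in alpha and ev not in t[q]:
                    break                    # this component blocks the event
                nxt.append(t[q].get(ev, q))  # move, or stay put if ev is not in alpha
            else:
                nxt = tuple(nxt)
                trans[state][ev] = nxt
                if nxt not in trans:
                    trans[nxt] = {}
                    todo.append(nxt)
    return alphabet, init, trans

def check_controllability(plant, sup):
    # Definition 4: at every reachable (p, q) of plant||sup, an uncontrollable event enabled
    # at p and in Sigma_S must be enabled at q. Returns (True, None) or (False, path to bad state).
    p_trans, (s_alpha, _, s_trans) = plant[2], sup
    _, init, trans = sync([plant, sup])
    seen, todo = {init: []}, deque([init])
    while todo:
        p, q = state = todo.popleft()
        for ev in p_trans[p]:
            if is_uncontrollable(ev) and ev in s_alpha and ev not in s_trans[q]:
                return False, seen[state]
        for ev, nxt in trans[state].items():
            if nxt not in seen:
                seen[nxt] = seen[state] + [ev]
                todo.append(nxt)
    return True, None

def add_selfloops(aut, events):
    # The naive alphabet equalisation from Example 1: self-loop the events at every state.
    alpha, init, trans = aut
    return alpha | set(events), init, {q: {**t, **dict.fromkeys(events, q)} for q, t in trans.items()}

def modular_verify(subplants, subsups):
    # Theorem 1 with the remark after it: check each S_i only against the sub-plants that
    # share an uncontrollable event with it. A pass is conclusive; a failure may be a false alarm.
    for sup in subsups:
        selected = [p for p in subplants if any(is_uncontrollable(e) for e in p[0] & sup[0])]
        ok, trace = check_controllability(sync(selected), sup) if selected else (True, None)
        if not ok:
            return False, trace
    return True, None

# Constructed sub-plants and supervisor modelled on Example 1: P2 permits u2 only after c2.
P1 = ({"c1", "u1"}, 0, {0: {"c1": 1}, 1: {"u1": 0}})
P2 = ({"c2", "u2"}, 0, {0: {"c2": 1}, 1: {"u2": 0}})
S = ({"c1", "c2", "u2"}, 0, {0: {"c1": 1}, 1: {"c2": 2}, 2: {"u2": 0}})
```

Checking S against the self-looped P1 reports a violation already at the initial state (the false alarm of Example 1), whereas checking against P1 || P2, or only against the sub-plants that share an uncontrollable event with S, reports controllability.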
CONTROLLABILITY SYNTHESIS
In this section, we will use insights gained from the previous section to construct modular synthesis algorithms. There are two main advantages of the algorithms presented in this section. (i) They are computationally efficient in many practical applications. This is important since it allows us to solve large synthesis problems faster. (ii) They do not destroy modularity. First, this allows us to use a modular deadlock/nonblocking algorithm after the system has been made controllable. Second, a modular supervisor is easier to understand than a monolithic supervisor. Third, a modular structure might represent a very large number of states with little memory. If the supervisor is implemented on a device with limited memory, e.g. a PLC, this is important.
Definition 10. (Monolithic Synthesis Algorithm).
Let S and P be two configurations where S is the supervisor and P is the plant. Let Synt(S, P) be the monolithic controllability synthesis algorithm. More specifically,
where all states that violate (4), and those states that can reach these states by a sequence of uncontrollable events, are removed. The synthesized supervisor is more restrictive, in the sense of disabling events, than the original supervisor. The previously outlined synthesis algorithm will be our basic synthesis algorithm. We will now introduce the modular synthesis algorithms. First, we present a straightforward modular synthesis algorithm which, unfortunately, may result in a non-maximally permissive supervisor.
THEOREM 2. Extend the set of supervisors according to the following rules. For each S_i such that
synthesize a supervisor S_i' such that
Then extend S by adding all the newly constructed supervisors, resulting in a configuration of sub-supervisors, S'. Then S' is controllable with respect to P.
Proof:
To show this theorem we will rely on (8)
From this we can conclude that the system is controllable.
Note that the synthesis algorithm might remove sub-states that were not reachable from the initial state. Removing such states is unnecessary but perfectly valid. The problem with Theorem 2 is that it does not give a maximally permissive solution. This is because the sub-plants in
might have uncontrollable events not included in Σ_{S_i}. Call these events Σ . The synthesis algorithm has to follow uncontrollable events backward from the initially uncontrollable states. Since not all sub-plants that have Σ in their alphabets are included in the synthesis, uncontrollable events might be removed when synchronized with these automata. Fortunately, this is fixed by a relatively simple modification.

PROPOSITION 1. Extend the set of supervisors according to the following rules. For each S_i such that
is false. First initialize Σ^(1) and P^(1) to
Then repeat the following statements until Σ^(n+1) = Σ^(n).
This iteration will always terminate in a finite number of steps, say k. k will always be less than the number of automata in P.
THEOREM 3. Synthesize a supervisor S_i' such that
Then extend S by adding all the newly constructed supervisors. Call the new supervisor set S'. Then S' is controllable with respect to P. Note that k is equal to the number of steps needed to terminate in the previous proposition. Proof: This proof is similar to the proof of Theorem 2. The major difference is that each new sub-supervisor is synthesized from a larger set of sub-plants.
PROPOSITION 2. Theorem 3 will result in a maximally permissive supervisor. Proof: To show this we will make an argument for each sub-state that was removed by the synthesis algorithm. We have two alternatives, to remove or to keep the forbidden state. In Theorem 3 the set of sub-plants was extended until there did not exist a sub-plant outside the set that had an uncontrollable event in common with the sub-plants in the set. This property implies that no uncontrollable event could be prevented from occurring by FSC with another sub-plant. From this we conclude that all sub-states that could uncontrollably reach one of the initially forbidden states must also be forbidden. Since we start the supervisor construction by synchronizing with the plant, we know that removing uncontrollable states in the supervisor candidate is equivalent to removing uncontrollable strings from the maximally permissive language as generated by the standard Ramadge-Wonham algorithms. This guarantees the maximal permissiveness of the synthesized supervisor.
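The plant-set extension of Proposition 1, as an added example (not the paper's code), computed on alphabets alone: the first round selects exactly the sub-plants Theorem 2 would use, and each later round pulls in every sub-plant that shares an uncontrollable event with one already selected, stopping when the event set no longer grows. The sub-plant names and alphabets are constructed, and events named "u..." are assumed to be uncontrollable.

```python
# Constructed example, not the paper's code: Proposition 1's plant-set extension computed on
# alphabets alone. A sub-plant is (name, alphabet); by assumption events named "u..." are
# uncontrollable.
def uncontrollable(alphabet):
    return {e for e in alphabet if e.startswith("u")}

def extend_plant_set(sup_alphabet, subplants):
    # Sigma(1) is the uncontrollable part of the sub-supervisor's alphabet and P(1) the
    # sub-plants sharing one of those events (Theorem 2's choice). Sigma(n+1) adds the
    # uncontrollable events of P(n) and P(n+1) is recomputed, until Sigma(n+1) == Sigma(n).
    # Returns (names of the selected sub-plants, number of rounds this loop performed).
    sigma = uncontrollable(sup_alphabet)
    rounds = 0
    while True:
        rounds += 1
        selected = [name for name, alpha in subplants if alpha & sigma]
        grown = sigma.union(*(uncontrollable(alpha) for name, alpha in subplants if name in selected))
        if grown == sigma:
            return selected, rounds
        sigma = grown
```

On a chain of sub-plants where P1 shares u2 with P2 and P2 shares u3 with P3, a sub-supervisor over u1 ends up synthesized against P1, P2 and P3 together, which is what keeps the uncontrollable backward propagation from being cut short.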
LANGUAGE INCLUSION CHECK
Language inclusion is a general problem that has been studied extensively in the computer science literature. In verification applications language inclusion can be used to check whether an implementation contains a specified behavior. Another application is to check for language equality, where
In this section, we will show that we can use the modular controllability verification algorithm to check for language inclusion of prefix-closed languages. Assume that we want to check if
THEOREM 4. Let L_1 and L_2 be two prefix-closed regular languages, i.e. automata A_1 and A_2 can be constructed such that
We can safely assume that
Proof: We are to show that L9 1
When this holds then L9 1 A 2 L A 2 since no events remain to be inserted. Thus we can rewrite the expression as L A 2
. Let us also note that the right-hand side is equivalent to L A 2 E
Assume first that the right-hand side holds, that is that L A 2
and in that case the expression becomes
. Now, when intersecting
, only the Σ A 1 events are significant, and we have that
The intuition behind the theorem is to consider A_1 to be the plant and A_2 to be the supervisor. Since all events in A_1, the plant, are uncontrollable, the supervisor A_2 is never allowed to prevent any of them from occurring.

We have two versions of the problem, one that is controllable and one that is not; these examples will be called basic_c and basic_u, respectively. In Table 1, left table, we show how many states the verification algorithm examines during verification. In Table 1, right table, the total number of states in the new sub-supervisors is presented. Note that in basic_c it is not necessary to do any synthesis since the system is controllable before synthesis, but it is always safe to do a synthesis. Instead of having to examine all 7.5 × 10^8 states we only had to examine a few hundred to a few thousand states. Somewhat surprisingly, synthesis seems to be cheaper than verification. The reason for this is that verification needs to verify whether a found sub-state is reachable from the initial state, while the synthesis can safely proceed with the synthesis. The time needed for synthesis and verification of this example in Supremica on a standard desktop computer is well below one second. Even though this is a single application, we are encouraged by the results, but it is necessary to run the algorithms on other large examples before drawing any definitive conclusions. To make it harder for the algorithms we have modified the example by removing modularity, which is easily done by pre-synchronizing sub-models. Our preliminary results show that verification seems to work efficiently in most cases. As expected, optimal synthesis is sensitive to the degree of interaction between different sub-plants.
CONCLUSIONS
We have shown how a modular structure of the plant and the supervisor can be exploited to get efficient algorithms for verifying and synthesizing controllable supervisors. Limited usage of both time and space is of great practical importance when dealing with practical applications that usually have a very large state space. In industry, a PLC is a very common device for logical controllers. Thus, it is of importance not to synthesize a monolithic supervisor, but instead to synthesize a number of supervisors that, when interacting with each other, accomplish the same result as the monolithic supervisor. Potentially, implementing a set of interacting supervisors instead of one monolithic supervisor requires much less memory. The presented algorithms have been verified on a central-locking example. Both verification and synthesis could be performed with a standard desktop computer within a couple of seconds. We believe that modular algorithms could be combined with BDD approaches in order to handle problems with little modular structure, or when the sub-problems that the modular algorithms give rise to become too large for brute-force approaches. FSC is a special case of prioritized synchronous composition. Extensions of this work to prioritized synchronous composition (PSC), (Heymann, 1990), are presented in (Flordal, 2001). PSC allows the use of broadcast synchronization, which is the mechanism used in Statecharts and state diagrams in the Unified Modeling Language (UML). We are currently working on extending the algorithms to handle arbitrary forbidden states and sub-states; we are also working on algorithms for nonblocking verification and synthesis.
