Symbolic Computation of Nonblocking Control Function for Timed Discrete Event Systems by Miremadi, Sajed et al.
Chalmers Publication Library
This document has been downloaded from Chalmers Publication Library (CPL). It is the author's version of a work that was accepted for publication in:
51st IEEE Conference on Decision and Control (ISSN: 0191-2216)
Citation for the published paper:
Miremadi, S.; Fei, Z.; Åkesson, K. (2012) "Symbolic Computation of Nonblocking Control Function for Timed Discrete Event Systems". 51st IEEE Conference on Decision and Control, pp. 7352-7359.
http://dx.doi.org/10.1109/CDC.2012.6426079
Downloaded from: http://publications.lib.chalmers.se/publication/171191
Symbolic Computation of Nonblocking Control Function
for Timed Discrete Event Systems
S. Miremadi, Z. Fei, K. Åkesson and B. Lennartson
Automation Research Group, Department of Signals and Systems
Chalmers University of Technology
SE-412 96 Gothenburg, Sweden
{miremads, zhennan, knut, bengt.lennartson}@chalmers.se
Abstract—In this paper, we symbolically compute a minimally restrictive nonblocking supervisor for timed discrete event systems, in the supervisory control theory context. The method is based on Timed Extended Finite Automata, which is an augmentation of extended finite automata (EFAs) by incorporating discrete time into the model. EFAs are ordinary automata extended with discrete variables, guard expressions and action functions. To tackle large problems all computations are based on binary decision diagrams (BDDs). The main feature of this approach is that the BDD-based fixed-point computations are not based on "tick" models that have been commonly used in this area, leading to better performance in many cases. As a case study, we effectively computed the minimally restrictive nonblocking supervisor for a well-known production cell.
I. INTRODUCTION
Discrete Event Systems (DES) are discrete-state, event-driven systems whose state evolution depends entirely on the occurrence of asynchronous events over time. DES have many applications in modeling technological systems such as automated manufacturing and embedded systems. When designing control functions for DES, model-based approaches may be used to conveniently understand the system's behavior. A well-known framework of such a model-based approach is supervisory control theory (SCT) [1]. Having a plant (the system to be controlled) and a specification, SCT automatically synthesizes a control function, called supervisor, that restricts the conduct of the plant to ensure that the system never violates the given specification. Most of the research in this field has focused on analyzing qualitative properties, such as safety or liveness specifications, by investigating the logical sequencing of events. However, the correct behavior of many real-time systems such as air traffic control systems and networked multimedia systems depends on the delays between events. In addition, on pure DES one cannot perform quantitative analysis such as time optimization or scheduling. Timed DES (TDES) is a generalization of DES in which the times at which the events occur are also taken into consideration. In this work we do not consider stochastic properties of the models. The modeling formalism used in this work is an augmentation of a previously proposed modeling formalism, called extended finite automaton (EFA) [2], where time has been incorporated into the model. EFAs are ordinary automata extended with discrete variables, guard expressions and action functions. The guards and action functions are attached to the transitions, which admits local design techniques for systems consisting of different parts. The main features of EFAs are that they are suitable for the SCT framework and that they usually yield compact models because of the existence of discrete variables. EFAs have been used in several research works and successfully applied to a range of examples such as [3], [4], [5]. The EFA framework has been implemented in Supremica [6], a verification and supervisory control tool, where powerful algorithms exist for analysis of DES [7], [8], [9].
There have been many attempts to model TDES and generalize SCT considering the real-time aspects. These works can be divided into two categories; they are either based on continuous time or discrete time. On the continuous side, timed automata [10] are the most popular modeling formalism used for modeling TDES and employing them in SCT [11], [12]. With respect to control function generation, there exists another approach that differs from the ones using SCT [13], where the controller is defined as a winning strategy for a certain game defined for the timed automata, called timed game automata (TGA). There exist different works based on this paradigm such as [14].
A lot of work has analyzed discrete time models with respect to SCT, such as [15], [16], [17], [18]. In these works, it is assumed that there exists a global digital clock. In [17], the timing information is incorporated into the system states in the form of timer variables, which are updated according to some rules relating event occurrences and the passage of time. The more common way to model TDES, described in [15], [18], is that lower and upper time bounds are associated with events to restrict their occurrence times. In addition, they use a special event "tick", which represents the passage of time and is generated by the global clock. In [19], Brandin and Wonham applied SCT to Timed Transition Models (TTMs) proposed in [15]. The main problem with their approach is that by introducing the "tick" event more iterations may be needed in the fixed-point computations. In addition, early state space explosion is more likely. In [20] some methods have been proposed to reduce the state space.
Consequently, there are many models and implementations that are suitable for quantitative analysis (such as time optimization), most of them based on continuous time; and there are many that are suitable for the SCT framework (qualitative analysis), most of them based on discrete time. Yet no work exists that considers both aspects. In this paper, we attempt to combine the best of both paradigms by using Timed EFAs (TEFAs), EFAs equipped with a finite set of discrete clocks, where the value of each clock is increased implicitly as time progresses. Based on TEFAs, inspired by the "zone" concept from the timed automata community, we symbolically compute a minimally restrictive nonblocking supervisor by using BDDs. The main feature of our approach, in the context of SCT, compared to most of the other approaches with discrete time, is the elimination of the "tick" event in the BDD-based fixed-point computations. In most cases, this leads to fewer fixed-point iterations and a more compact BDD representation, yielding a more efficient implementation. Furthermore, from a modeling perspective, the advantage of using TEFAs compared to TTMs is that the time constraints are added as guards on the transitions (as in timed automata [10]), rather than as lower and upper bounds on the events. This could potentially facilitate the modeling for the users. For instance, if the constraints are associated with the events, it will be complicated to model the situation where the user wants to put different time constraints on an event that appears in different places in the same model. Usually the consequence is a larger state space. The mentioned advantages are demonstrated in Section V.
II. TIMED EXTENDED FINITE AUTOMATA
A Timed Extended Finite Automaton (TEFA) is an EFA augmented with a finite set of digital clocks. Intuitively, a clock in a TEFA is a discrete variable in the sense of EFAs, restricted by some rules, mentioned later. Time automatically elapses only at locations, whereas the transitions occur instantaneously with zero delay.
A. Syntax and Semantics
In the following, we describe the syntax and semantics of
TEFAs.
Definition 1 (Timed Extended Finite Automaton).
A timed extended finite automaton is a 9-tuple
$$TE = (L, D^V, C, \Sigma, \rightarrow, L^0, D^{V_0}, L^m, D^m),$$
where
- $L$ is a finite set of locations,
- $D^V = D^{V_1} \times \ldots \times D^{V_n}$ is the domain of $n$ variables $V = \{v_1, \ldots, v_n\}$, where $D^{V_i}$ is a finite set of integers,
- $C$ is a finite set of $p$ discrete valued clocks $\{c_1, \ldots, c_p\}$,
- $\Sigma$ is a nonempty finite set of events,
- $\rightarrow \subseteq L \times \Sigma \times \mathcal{G} \times \mathcal{A} \times L$ is the transition relation,
- $L^0 \subseteq L$ is the set of initial locations,
- $D^{V_0} = D^{V_0}_1 \times \ldots \times D^{V_0}_n$ is the set of initial values of the variables,
- $L^m \subseteq L$ is the set of marked locations that are desired to be reached, and
- $D^m = D^{V_m} \times D^{C_m}$ is the set of pairs of marked valuations of the variables and clocks.
In addition to $D^V$, we also define $D^C$ representing the domain of the $p$ clocks. Later we will explain how the domain of a clock is defined and show that it is finite. The global variable domain, denoted by $D^V_\cup$, is the set that contains the values of all variables, defined formally as:
$$D^V_\cup = \bigcup_{i=1}^{|V|} D^{V_i}.$$
The global clock domain, denoted by $D^C_\cup$, is defined similarly. The largest value in $D^V_\cup$ and $D^C_\cup$ is denoted by $\mu^{max}_V$ and $\mu^{max}_C$, respectively. If a variable exceeds its domain, the result is not defined, and from an implementation point of view it is up to the developer to decide how to handle such cases. For instance, the program can give the user a warning. In our implementation, values outside the domain are not reachable. In contrast to variables, it is assumed that if a clock $c_i$ reaches its maximum value, it will keep its value until it is reset. For a clock $c_i$, this behavior is modeled by a saturation function $\varrho_i : \mathbb{N} \to D^{C_i}$:
$$\varrho_i(x) = \begin{cases} x & \text{if } x < \mu^{max}_{C_i} \\ \mu^{max}_{C_i} & \text{if } x \geq \mu^{max}_{C_i} \end{cases},$$
where $\mathbb{N}$ is the set of natural numbers. The function $\varrho : \mathbb{N}^p \to D^C$ is used to saturate the current values of all clocks.
The elements $\mathcal{G}$ and $\mathcal{A}$ are the sets of guards (conditional expressions) and action functions, respectively. In the TEFA framework, an arithmetic expression $\varphi$ is formed according to the grammar
$$\varphi ::= \nu \mid v \mid c \mid (\varphi) \mid \varphi + \varphi \mid \varphi - \varphi \mid \varphi * \varphi \mid \varphi / \varphi \mid \varphi \,\%\, \varphi,$$
where $v \in V$, $c \in C$, $\nu \in D^V_\cup \cup D^C_\cup$, and $\%$ is the modulo operator. We use $\varphi^V$ to denote an expression that does not contain any clocks and has $\nu \in D^V_\cup$. A variable evaluation for a variable $v_i \in V$ is a function $\mu^{V_i} : v_i \to D^{V_i}$, assigning a value to the variable. A clock evaluation $\mu^{C_i} : c_i \to D^{C_i}$ is defined similarly. The set of evaluations for all variables and clocks is represented by $\mu^V$ and $\mu^C$, respectively. To denote the "current" evaluation of a variable or clock we use the notation $\eta$.
A guard $g \in \mathcal{G}$ is a propositional expression formed according to the grammar
$$g ::= (g) \mid g^V \wedge g^C \mid g^V \vee g^C,$$
where $g^V$ and $g^C$ are guards that are based on regular variables and clocks, respectively,
$$g^V ::= \varphi^V < \varphi^V \mid \varphi^V \leq \varphi^V \mid \varphi^V > \varphi^V \mid \varphi^V \geq \varphi^V \mid \varphi^V == \varphi^V \mid (g^V) \mid g^V \wedge g^V \mid g^V \vee g^V \mid \top \mid \bot,$$
$$g^C ::= c < \omega \mid c \leq \omega \mid c > \omega \mid c \geq \omega \mid c == \omega \mid (g^C) \mid g^C \wedge g^C \mid \top \mid \bot,$$
where $\top$ and $\bot$ represent Boolean logic true and false, respectively, and $\omega \in D^C_\cup$. This implies that clocks can only be compared to constants. All nonzero values are considered as $\top$. The semantics of a guard $g$ is specified by a satisfaction relation $\models$ indicating the pairs of variable and clock evaluations $(\mu^V, \mu^C)$ for which guard $g$ is $\top$. It is written $(\mu^V, \mu^C) \models g$.
An action $a \in \mathcal{A}$ is an $n$-tuple of functions $(a_1, \ldots, a_{n+p})$, updating variables. An action $a_i : D^V \times D^C \to D^{V_i}$ is a function that updates a variable or clock; in the case of a clock the range of the function is zero. Hence, for a variable, the action is formed as $v_i := \varphi$ and for a clock it is formed as $c_i := 0$. For brevity, we use the following notation:
$$a(\mu^V, \mu^C) \triangleq (a_1(\mu^V, \mu^C), \ldots, a_{n+p}(\mu^V, \mu^C)).$$
An action function $a_i$ that does not update a variable or clock is denoted by $\xi$. The semantics of an action function can also be represented by a relation,
$$SAT_A(a) \triangleq \{((\mu^V, \mu^C), \acute{\mu}^{V,C}) \mid \acute{\mu}^{V,C} = a(\mu^V, \mu^C)\},$$
where $\acute{\mu}^{V,C}$ is the updated value for a variable or clock. Consequently, in contrast to variables, clocks may only be inspected and reset to zero.
A partial transition relation is written as $l \xrightarrow{\sigma}_{g/a} \acute{l}$, where $l, \acute{l} \in L$, $\sigma \in \Sigma$, $g \in \mathcal{G}$, and $a \in \mathcal{A}$. A transition without guard indicates that there are no restrictions, i.e., $g = \top$.
We assume that all clocks evolve synchronously at rate one. The value of a clock denotes the amount of time that has elapsed since its last reset. Potentially, the clocks in $C$ can have an infinite domain because time will elapse forever. Nevertheless, based on the following argument a finite domain can be considered for each clock. Among the possible values of a clock, only a subset is relevant: those that can impact the guards' evaluations. For instance, for a guard $c_1 \leq 4$, the values above 4 will all have the same impact on the guard; thus the relevant values of $c_1$ are $\{0, \ldots, 5\}$. Considering $\mu^{largest}_{C_i}$ to be the largest constant in the model (including all guards) which the clock $c_i$ is compared to, the domain of the clock $c_i$ is $D^{C_i} = \{0, 1, \ldots, \mu^{largest}_{C_i} + 1\}$. Thus, $\mu^{max}_{C_i} = \mu^{largest}_{C_i} + 1$. Consequently, the domain of the clocks $D^C = D^{C_1} \times \ldots \times D^{C_p}$ will be finite.
For a variable $v_i$, $D^{V_0}_i$ consists of the initial values of $v_i$. If the set of marked locations, valuations of a variable $v_i$, or a clock $c_i$ is empty, then the entire domain is considered as marked:
$$L^m = \emptyset \Rightarrow L^m = L, \qquad D^{V_m}_i = \emptyset \Rightarrow D^{V_m}_i = D^{V_i}, \qquad D^{C_m}_i = \emptyset \Rightarrow D^{C_m}_i = D^{C_i}.$$
A transition will be executed if an event occurs and the guard on the corresponding transition (the transition that involves that event) is satisfied, which may be followed by a number of updates on the variables and clocks. It is assumed that time elapses at locations and that the transitions are executed instantaneously. Furthermore, we assume that the initial values of all clocks are zero and that all TEFAs are deterministic in the sense of deterministic EFAs defined in [2].
B. Full Synchronous Composition
For modeling purposes, it is often easier to have a modular representation, especially for complex systems. Then, to have a monolithic model of the system we need to synchronize the components. For a model with a number of TEFAs, we assume that the variables $V$ and clocks $C$ are all global, i.e., they are shared between the TEFAs. Hence, the clocks evolve synchronously at the same rate. The full synchronous composition on TEFAs can be defined similarly to [2].
A notation that will be used frequently in this paper is the SOS-notation (Structured Operational Semantics) used to define the transition relations. The notation
$$\frac{\text{premise}}{\text{conclusion}}$$
should be read as follows. If the proposition above the "solid line" (premise) holds, then the proposition under the fraction bar (conclusion) holds as well.
Definition 2 (Full Synchronous Composition).
Consider the following two TEFAs
$$TE_k = (L_k, D^V, C, \Sigma_k, \rightarrow_k, L^0_k, D^{V_0}, L^m_k, D^m),$$
where $k = 1, 2$. The Full Synchronous Composition (FSC) of $TE_1$ and $TE_2$, denoted by $TE_1 \| TE_2$, is defined as
$$TE_1 \| TE_2 = (L, D^V, C, \Sigma, \rightarrow, L^0, D^{V_0}, L^m, D^m),$$
where
- $L = L_1 \times L_2$,
- $\Sigma = \Sigma_1 \cup \Sigma_2$,
- the transition relation
$$\rightarrow \subseteq L_1 \times L_2 \times \Sigma \times \mathcal{G} \times \mathcal{A} \times L_1 \times L_2$$
is defined based on the following rules:
a) $\sigma \in \Sigma_1 \cap \Sigma_2$,
$$\frac{(l_1, \sigma, g_1, a_1, \acute{l}_1) \in \rightarrow_1 \;\wedge\; (l_2, \sigma, g_2, a_2, \acute{l}_2) \in \rightarrow_2}{((l_1, l_2), \sigma, g, \hat{a}, (\acute{l}_1, \acute{l}_2)) \in \rightarrow}$$
such that,
(i) $g = g_1 \wedge g_2$,
(ii) for $i = 1, \ldots, |V|$,
$$\hat{a}_i = \begin{cases} a_{1i} & \text{if } a_{1i} = a_{2i} \\ a_{1i} & \text{if } a_{2i} = \xi \\ a_{2i} & \text{if } a_{1i} = \xi \\ \eta^{V_i} & \text{otherwise} \end{cases}, \qquad (1)$$
where $a_{ki}$ is the action function belonging to $\rightarrow_k$, updating the $i$-th variable or clock;
b) $\sigma \in \Sigma_1 \setminus \Sigma_2$,
$$\frac{(l_1, \sigma, g_1, a_1, \acute{l}_1) \in \rightarrow_1}{((l_1, l_2), \sigma, g_1, a_1, (\acute{l}_1, \acute{l}_2)) \in \rightarrow \;\wedge\; l_2 = \acute{l}_2};$$
c) $\sigma \in \Sigma_2 \setminus \Sigma_1$,
$$\frac{(l_2, \sigma, g_2, a_2, \acute{l}_2) \in \rightarrow_2}{((l_1, l_2), \sigma, g_2, a_2, (\acute{l}_1, \acute{l}_2)) \in \rightarrow \;\wedge\; l_1 = \acute{l}_1}.$$
- $L^0 = L^0_1 \times L^0_2$, and
- $L^m = L^m_1 \times L^m_2$.
Similar to the proof in [21], it can be proved that the FSC
operator is both commutative and associative and can be
extended to N TEFAs. Note that, in the case where the action
functions of TE1 and TE2 explicitly try to update a shared
variable to different values, we assume that the variable is not
updated. It can indeed be discussed whether such a transition
should be executed, nevertheless, such a situation is usually a
consequence of bad modeling.
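Definition 2 applied to two small constructed TEFAs (a machine and a buffer that share the event "load" and the variable v; the machine also owns clock c1), as an added Python example that is not code from the paper or from Supremica. Guards and action expressions are kept as strings; in the merged action, dropping a name stands for eta (the variable is not updated) when rule (1) meets conflicting updates.

```python
from itertools import product

TRUE = "⊤"   # guard of a transition without guard (g = ⊤)
XI = None    # the paper's xi: action function that does not update the name


def merge_actions(a1, a2, names):
    """Action merging according to rule (1) of Definition 2.

    An action is a dict name -> update expression (a string such as 'v + 1',
    or '0' for a clock reset); a missing name means xi. When both sides update
    the same name to different expressions the merged action is eta, i.e. the
    variable keeps its current value, which this encoding expresses by
    leaving the name out of the merged dict.
    """
    merged = {}
    for x in names:
        f1, f2 = a1.get(x, XI), a2.get(x, XI)
        if f1 is XI and f2 is XI:
            continue                    # neither side updates x
        if f1 == f2 or f2 is XI:
            merged[x] = f1              # a1i if a1i = a2i, or a1i if a2i = xi
        elif f1 is XI:
            merged[x] = f2              # a2i if a1i = xi
        # otherwise: conflicting updates -> eta, x is not updated
    return merged


def fsc(te1, te2, names):
    """Full synchronous composition TE1 || TE2 (Definition 2).

    A TEFA is a dict with 'locs', 'init', 'marked' (sets of locations),
    'events' (a set) and 'trans', a list of (src, event, guard, action, dst).
    """
    shared = te1["events"] & te2["events"]
    trans = []
    # rule a): a shared event fires only when both TEFAs can take it;
    # the guards are conjoined and the actions merged
    for (l1, s, g1, a1, m1) in te1["trans"]:
        if s not in shared:
            continue
        for (l2, t, g2, a2, m2) in te2["trans"]:
            if t != s:
                continue
            if g1 == TRUE:
                g = g2
            elif g2 == TRUE:
                g = g1
            else:
                g = f"({g1}) and ({g2})"
            trans.append(((l1, l2), s, g, merge_actions(a1, a2, names), (m1, m2)))
    # rules b) and c): a private event interleaves; the other TEFA keeps its
    # location (l2 = l2', respectively l1 = l1')
    for (l1, s, g1, a1, m1) in te1["trans"]:
        if s not in shared:
            for l2 in te2["locs"]:
                trans.append(((l1, l2), s, g1, dict(a1), (m1, l2)))
    for (l2, s, g2, a2, m2) in te2["trans"]:
        if s not in shared:
            for l1 in te1["locs"]:
                trans.append(((l1, l2), s, g2, dict(a2), (l1, m2)))
    return {
        "locs": set(product(te1["locs"], te2["locs"])),
        "init": set(product(te1["init"], te2["init"])),
        "marked": set(product(te1["marked"], te2["marked"])),
        "events": te1["events"] | te2["events"],
        "trans": trans,
    }


# Constructed example: a machine loads a part into a shared buffer (variable v
# counts parts, clock c1 measures processing time) and a buffer model bounds v.
# Event 'load' is shared; 'done' and 'take' are private to one side each.
MACHINE = {
    "locs": {"idle", "busy"}, "init": {"idle"}, "marked": {"idle"},
    "events": {"load", "done"},
    "trans": [
        ("idle", "load", TRUE, {"v": "v + 1", "c1": "0"}, "busy"),
        ("busy", "done", "c1 >= 3", {}, "idle"),
    ],
}
BUFFER = {
    "locs": {"b"}, "init": {"b"}, "marked": {"b"},
    "events": {"load", "take"},
    "trans": [
        ("b", "load", "v < 2", {"v": "v + 1"}, "b"),
        ("b", "take", "v > 0", {"v": "v - 1"}, "b"),
    ],
}
NAMES = ["v", "c1"]


def composed_transitions(event):
    """Transitions of MACHINE || BUFFER labelled with `event`."""
    return [t for t in fsc(MACHINE, BUFFER, NAMES)["trans"] if t[1] == event]


def conflicting_merge():
    """Rule (1) edge case: both sides set v to different values -> eta for v."""
    return merge_actions({"v": "0", "c1": "0"}, {"v": "1"}, NAMES)
```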
C. EFA Semantics
As mentioned earlier, the clocks in TEFAs are discrete-valued, indicating that we imagine measuring time only with a global digital clock with output $tickcount : \mathbb{R}^+ \to \mathbb{N}$, where
$$tickcount(t) = n, \quad n \leq t < n + 1,$$
and $\mathbb{R}^+ = \{t \in \mathbb{R} \mid t \geq 0\}$ is the set of positive real values. Consequently, the temporal resolution available for modeling purposes is just one unit of clock time. For a TEFA, this behavior can be represented by an EFA by introducing an additional event "tick" as in [15]. The event "tick" occurs exactly at the real time moments, which can be imagined to be generated by the global digital clock. Consider a TEFA with a single clock $c_1$. Let us treat $c_1$ as a regular variable with domain $\{0, \ldots, \mu^{max}_{C_1}\}$. The described time semantics of the TEFA can be achieved by adding two transitions to each location $\ell$:
$$(\ell, tick, c_1 < \mu^{max}_{C_1}, c_1 := c_1 + 1, \ell) \quad \text{and} \quad (\ell, tick, c_1 \geq \mu^{max}_{C_1}, c_1 := c_1, \ell). \qquad (2)$$
For a clock $c_1$, we call an EFA that has a single location $\ell$ and consists of the transitions in (2) a clock-EFA and denote it by $CE_1$. If there exist multiple clocks, all combinations of the transitions in (2) for the different clocks should be considered. This can be carried out by synchronizing the clock-EFAs based on the full synchronous composition on EFAs [2].
Definition 3 (isomorphic EFA of a TEFA). Let $TE = (L, D^V, C, \Sigma, \rightarrow, L^0, D^{V_0}, L^m, D^m)$ be a TEFA. Its corresponding isomorphic EFA, denoted by $iEFA(TE)$, is an 8-tuple $(L, D^{V_E}, \Sigma, \rightarrow, L^0, D^{V_E}_0, L^m, D^m)$:
- $D^{V_E} = D^V \times D^C$, where $V_E = V \cup C$;
- $D^{V_E}_0 = D^{V_0} \times \{0^{|C|}\}$, where $0^{|C|}$ is a $|C|$-tuple of zeros.
Proposition 1. For $N$ TEFAs, the following statement holds:
$$iEFA(TE_1 \| \ldots \| TE_N) = iEFA(TE_1) \| \ldots \| iEFA(TE_N).$$
Proof: The proof follows directly from Definition 2 and the full synchronous composition of EFAs, defined in [2].
Let $TE = (L, D^V, C, \Sigma, \rightarrow, L^0, D^{V_0}, L^m, D^m)$ be a TEFA. Based on the full synchronous composition of EFAs, TE's corresponding EFA, denoted by $EFA(TE)$, is computed as follows:
$$EFA(TE) = iEFA(TE) \| CE_1 \| \ldots \| CE_{|C|}. \qquad (3)$$
We call $EFA(TE)$ the tick-EFA of $TE$.
Lemma 2. In the corresponding EFA of a TEFA the "tick" event never becomes restricted due to synchronization between the clock-EFAs.
Proof: Based on the definition of full synchronous composition on EFAs and the following facts, the statement can be directly deduced:
• For a clock $c_i$, since $(c_i < \mu^{max}_{C_i}) \vee (c_i \geq \mu^{max}_{C_i}) = \top$, $CE_i$ will always allow either of the transitions;
• The clock-EFAs do not share any variables and thus cannot restrict each other in synchronization.
Theorem 3. For $N$ TEFAs and $p$ clocks, the following statement holds:
$$EFA(TE_1 \| \ldots \| TE_N) = EFA(TE_1) \| \ldots \| EFA(TE_N). \qquad (4)$$
Proof: Let $CE = CE_1 \| \ldots \| CE_p$. We construct the left-hand side by starting from the right-hand side and using (3), Proposition 1 and Lemma 2:
$$EFA(TE_1) \| \ldots \| EFA(TE_N) = \big(iEFA(TE_1) \| CE\big) \| \ldots \| \big(iEFA(TE_N) \| CE\big) = iEFA(TE_1) \| \ldots \| iEFA(TE_N) \| CE = EFA(TE_1 \| \ldots \| TE_N).$$
The above theorem will be the basis for applying supervisory control theory to TEFAs. However, as we will see later in Section IV, the symbolic computations will be performed on an abstraction of the tick-EFAs by eliminating the "tick" event. This will be the main advantage of this approach compared to the "tick"-based approach in [22], [23].
III. SUPERVISORY CONTROL THEORY
Supervisory Control Theory (SCT) [1], [24] is the first control theory for a general class of DES, where a control function, referred to as supervisor, is automatically synthesized based on a given plant and a specification. A specification describes the allowed and inhibited behaviors. The supervisor restricts the conduct of the plant to guarantee that the system never violates the given specification. However, it is often desired, and also in our work, that the supervisor restricts the plant as little as possible, referred to as an optimal or minimally restrictive supervisor. This gives the developers several alternatives to implement the controller and to perform further analysis such as time or energy optimization.
A plant $P$ can be described by the synchronization of a number of sub-plants $P = P_1 \| P_2 \| \ldots$ and similarly for a specification $Sp = Sp_1 \| Sp_2 \| \ldots$. There are different ways of computing a supervisor such as monolithic [1], modular [25], and compositional [26] synthesis. In our approach we apply monolithic synthesis, which performs fixed-point computations on the single composed automaton $S_0 = P \| Sp$. After the synthesis procedure, some blocking states may be identified, which are the states from where no marked state can be reached. By removing the blocking states from $S_0$, a nonblocking supervisor is obtained. In SCT, the events can be divided into controllable and uncontrollable events (events that cannot be influenced by the supervisor), causing controllability issues, which are not the focus of this paper.
In the context of SCT, the behavior of a system is usually represented by its language, i.e. the set of strings that the system may generate. Conventionally, automata have been used as the modeling formalism to generate the language. In this work, the problems are modeled by TEFAs, while the SCT analysis is performed on their corresponding EFA models. In [3], [27] it is described how a nonblocking and minimally restrictive supervisor is symbolically computed. The fixed-point computations are performed on the corresponding state transition system of the EFAs. The state transition system of an EFA is based on its explicit transition relation, which can be thought of as the transition relation of an ordinary automaton. The explicit transition relation of a transition $(\ell, \sigma, g, a, \acute{\ell})$ belonging to an EFA is defined as $(\ell, \mu^V, \sigma, \acute{\ell}, \acute{\mu}^V)$, where $\mu^V \in SAT_G(g)$ and $(\mu^V, \acute{\mu}^V) \in SAT_A(a)$, represented as $(\ell, \mu^V) \xmapsto{\sigma} (\acute{\ell}, \acute{\mu}^V)$. The symbolic computations are based on the explicit transition relation of $S_0$.
IV. SYMBOLIC REPRESENTATIONS AND COMPUTATIONS
When performing fixed-point computations for systems of industrially interesting sizes, exploring all states in the composed model explicitly can be computationally expensive, in terms of both time and memory, due to the state space explosion problem. We tackle this problem by representing the models and performing the computations symbolically using Binary Decision Diagrams (BDDs), powerful data structures for representing Boolean functions. For large systems where the number of states grows exponentially, BDDs can improve the efficiency of set and Boolean operations performed on the state sets [8], [28], [7].
Given a set of $x$ Boolean variables $\mathbb{B}$, a Boolean function $f : \mathbb{B}^x \to \mathbb{B}$ ($\mathbb{B}$ is the set of Boolean values, i.e., 0 and 1) can be expressed using Shannon's decomposition. This decomposition can be expressed by a directed acyclic graph, called a BDD, which consists of two types of nodes: decision nodes and terminal nodes. A terminal node can either be 0-terminal or 1-terminal. Each decision node is labeled by a Boolean variable and has two edges to its low-child and high-child, corresponding to assigning 0 and 1 to the variable, respectively. The size of a BDD, denoted as $|\mathcal{B}|$, refers to the number of decision nodes.
The power of BDDs lies in their simplicity and efficiency in performing binary operations. The time complexity of a binary operator between two BDDs $\mathcal{B}_1$ and $\mathcal{B}_2$ is $O(|\mathcal{B}_1| \cdot |\mathcal{B}_2|)$. Two BDD operations that have been used extensively in our implementation are the existential quantification and the replacement operators. Let $\mathcal{B}$ be a BDD and $\mathbb{B}_1$ and $\mathbb{B}_2$ two sets of Boolean variables. The operation $\exists \mathbb{B}_1 : \mathcal{B}$ removes all variables belonging to $\mathbb{B}_1$ that appear in $\mathcal{B}$. The operation $replace(\mathcal{B}, (\mathbb{B}_1, \mathbb{B}_2))$ will replace all occurrences of variables belonging to $\mathbb{B}_1$ by variables belonging to $\mathbb{B}_2$. For a more elaborate and verbose exposition of BDDs and the implementation of different operators, refer to [29].
The corresponding BDD for a finite set $W \subseteq U$ can be represented using its corresponding characteristic function.
Definition 4 (Characteristic function). Let $W$ be a finite set so that $W \subseteq U$, where $U$ is the finite universal set. A characteristic function $\chi_W : U \to \mathbb{B}$ is defined by:
$$\chi_W(a) = \begin{cases} 1 & \text{iff } a \in W \\ 0 & \text{iff } a \notin W \end{cases}.$$
Since the set $U$ is finite, in practice its elements are represented with numbers in $\mathbb{Z}_{|U|}$ or their corresponding binary $x$-tuples belonging to $\mathbb{B}^x$ ($x = \lceil \log_2 |U| \rceil$). For a binary characteristic function, an injective function $\theta : U \to \mathbb{B}^x$ is used to map the elements in $U$ to elements in $\mathbb{B}^x$. In general, $\chi_W(a)$ is constructed as
$$\chi_W(a) = \bigvee_{w \in W} a \leftrightarrow \theta(w), \qquad (5)$$
where $\leftrightarrow$ on two binary $x$-tuples $b_1$ and $b_2$ is defined as
$$b_1 \leftrightarrow b_2 \triangleq \bigwedge_{0 \leq i < x} (b_{1i} \leftrightarrow b_{2i}), \qquad (6)$$
where $b_{ji}$ denotes the $i$-th element of $b_j$.
Hence, different set operations can be carried out on $\chi$ using basic Boolean operators.
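The characteristic functions of (5) and (6) together with the two operators the implementation relies on, existential quantification and replace, as an added Python example that is not code from the paper or from Supremica. Boolean functions are modelled as predicates over named bit-valued variables rather than as BDDs (a constructed stand-in; the operators keep their meaning), and a forward reachability fixed point is run with them over a constructed four-state transition relation to show how one image step combines the two operators.

```python
from itertools import product
from math import ceil, log2


def encoding_width(n):
    """x = ceil(log2 n): number of Boolean variables encoding an n-element set."""
    return max(1, ceil(log2(n)))


def theta(u, x):
    """Injective encoding theta: U -> B^x; element index u as a big-endian bit tuple."""
    return tuple((u >> (x - 1 - k)) & 1 for k in range(x))


def equiv(b1, b2):
    """Eq. (6): b1 <-> b2 is the AND over i of (b1_i <-> b2_i)."""
    return all(p == q for p, q in zip(b1, b2))


def chi(W, vars_):
    """Eq. (5): chi_W over the named Boolean variables vars_. A Boolean function
    is modelled as a predicate on an environment dict {variable name: bit}."""
    codes = [theta(w, len(vars_)) for w in W]
    return lambda env: any(equiv(tuple(env[v] for v in vars_), c) for c in codes)


def exists(f, vars_):
    """'exists vars_ : f': quantify the variables vars_ out of f."""
    return lambda env: any(f({**env, **dict(zip(vars_, bits))})
                           for bits in product((0, 1), repeat=len(vars_)))


def replace(f, old, new):
    """replace(f, (old, new)): f with every variable old[i] renamed to new[i]."""
    return lambda env: f({**env, **{o: env[n] for o, n in zip(old, new)}})


def members(f, vars_):
    """Decode the subset of U that the characteristic function f represents."""
    x = len(vars_)
    return {u for u in range(2 ** x) if f(dict(zip(vars_, theta(u, x))))}


def chi_transition(T, cur, nxt):
    """Characteristic function of an explicit transition relation T (a set of
    (state, next_state) pairs) over current variables cur and target variables nxt."""
    x = len(cur)
    codes = [(theta(s, x), theta(t, x)) for s, t in T]
    return lambda env: any(equiv(tuple(env[v] for v in cur), cs)
                           and equiv(tuple(env[v] for v in nxt), ct)
                           for cs, ct in codes)


def reachable(init, T, n_states):
    """Forward reachability as a symbolic fixed point:
    image(S) = replace(exists cur : chi_S AND chi_T, (nxt, cur)).
    Returns the reachable set and the number of fixed-point iterations."""
    x = encoding_width(n_states)
    cur = [f"b{i}" for i in range(x)]
    nxt = [f"b'{i}" for i in range(x)]
    chi_T = chi_transition(T, cur, nxt)
    reach, iterations = set(init), 0
    while True:
        iterations += 1
        chi_S = chi(reach, cur)
        step = lambda env: chi_S(env) and chi_T(env)   # chi_S AND chi_T
        image = replace(exists(step, cur), nxt, cur)  # targets become sources
        new = reach | members(image, cur)
        if new == reach:
            return reach, iterations
        reach = new


# Constructed example: four states encoded with two Boolean variables; state 3
# is only ever a source, so it must not show up as reachable from {0}.
TRANSITIONS = {(0, 1), (1, 2), (2, 2), (3, 0)}


def union_via_or(W1, W2, vars_):
    """Set union on characteristic functions is plain Boolean OR."""
    f, g = chi(W1, vars_), chi(W2, vars_)
    return members(lambda env: f(env) or g(env), vars_)
```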
A. Abstraction of Tick-EFAs
As stated earlier, supervisory control on timed DES based on "tick" models has been investigated in several works such as [22], [23]. The "tick" models suffer from a major problem. The state size is very sensitive to the clock frequency: a "tick" event must be associated with the passage of each unit of time. As the clock frequency increases, so must the number of tick events. As a consequence, performing reachability analysis based on "tick" models using BDDs comes with two main issues:
1) usually many iterations are needed in the fixed-point computations;
2) the intermediate BDDs representing the reachable states can be very big and may need more memory than available, i.e., state space explosion.
In the following, we explain how the iterations caused by the "tick" event can be eliminated in the BDD implementation to tackle the above-mentioned issues.
The idea lies in the fact that time cannot be stopped, which indicates that all the "tick" transitions will eventually occur. For instance, consider two clocks with domains $\{0, \ldots, 3\}$ and $\{0, \ldots, 5\}$ and assume $(\ell, 1, 2)$ is the current state of the system. The following shows the sequence of the states that can be reached by the "tick" event:
$$(\ell, 1, 2) \xmapsto{tick} (\ell, 2, 3) \xmapsto{tick} (\ell, 3, 4) \xmapsto{tick} (\ell, 3, 5).$$
Since all "tick" transitions will eventually occur, it can be directly computed that when the state $(\ell, 1, 2)$ is reached, the states $\{(\ell, 2, 3), (\ell, 3, 4), (\ell, 3, 5)\}$ are also reachable. Hence, having a transition $(\ell, \sigma, g, a, \acute{\ell})$ belonging to a clock-EFA, instead of performing the fixed-point computations on $(\ell, (\mu^V, \mu^C), \sigma, \acute{\ell}, (\acute{\mu}^V, \acute{\mu}^C))$, we can use a reachability transition $(\ell, (\mu^V, \mu^C), \sigma, \acute{\ell}, \acute{Q})$, where
$$\acute{Q} = \forall d \in D^C_\cup : \{(\acute{l}, \acute{\mu}^V, \varrho(\acute{\mu}^C + d))\}, \qquad (7)$$
denoted as $(\ell, (\mu^V, \mu^C)) \overset{\sigma}{\rightarrowtail} (\acute{\ell}, \acute{Q})$. The backward reachability transition relation can be defined similarly. Using the reachability transition relation in a BDD-based fixed-point computation has two advantages:
1) a number of states can be reached with a single iteration, compared to the "tick" transitions, where multiple iterations are required;
2) usually the corresponding BDD of a set of states is smaller than the intermediate BDDs resulting after executing a "tick" transition.
In [3], we showed how EFAs and their synchronous operator are transformed to BDDs. However, this transformation becomes more complicated when clocks are included in the model, especially when it comes to synchronizing the clocks at the same rate. In the following we will discuss these challenges and motivate the solution we used to construct the corresponding BDD for the explicit transition relations of $S_0$.
Assume we have a model with a single TEFA and a single clock $c_1$. Let us construct the corresponding characteristic function of the explicit transition representing a partial transition $l \xrightarrow{\sigma}_{g/a} \acute{l}$; for brevity, we write $\chi_{l \xrightarrow{\sigma}_{g/a} \acute{l}}$. Let $b^\Sigma$ be a $\lceil \log_2 |\Sigma| \rceil$-tuple of Boolean variables used to represent the events; $b^L$ be a $\lceil \log_2 |L| \rceil$-tuple of Boolean variables used to represent the locations; $b^{V_i}$ be a $\lceil \log_2 |D^{V_i}| \rceil$-tuple of Boolean variables used to represent the valuations of variable $v_i$. Similarly, let $\acute{b}^L$ and $\acute{b}^{V_i}$ denote Boolean tuples used to represent the target (updated) locations and valuations of $v_i$ after executing a transition, respectively. In [3], for the case of EFAs, we showed how a partial transition is represented by its corresponding characteristic function. Based on the characteristic function in [3] and (7), the characteristic function of a partial transition with a single clock is constructed as follows,
$$\chi_{l \xrightarrow{\sigma}_{g/a} \acute{l}}(b^{V_1}, \ldots, b^{V_n}, \acute{b}^{V_1}, \ldots, \acute{b}^{V_n}, b^{C_1}, \acute{b}^{C_1}, b^L, \acute{b}^L, b^\Sigma) = \Big( \bigvee_{(\mu^V, \mu^C) \models g \;\wedge\; ((\mu^V, \mu^C), \acute{\mu}^V) \in SAT_A(a)} \;\bigwedge_{i=1}^{n} b^{V_i} \leftrightarrow \theta(\mu^{V_i}) \wedge \acute{b}^{V_i} \leftrightarrow \theta(\acute{\mu}^{V_i}) \Big) \wedge b^{C_1} \leftrightarrow \theta(\mu^{C_1}) \wedge \chi_{\acute{M}_1}(\acute{b}^{C_1}) \wedge b^L \leftrightarrow \theta(l) \wedge \acute{b}^L \leftrightarrow \theta(\acute{l}) \wedge b^\Sigma \leftrightarrow \theta(\sigma), \qquad (8)$$
where $\acute{M}_1 = \forall d \in D^C_\cup : \{\mu^{C_1} + d\}$. In this case, we assumed that the clock is not reset. Otherwise, the term $\chi_{\acute{M}_1}(\acute{b}^{C_1})$ should be removed, indicating that the target valuations of the clock are all values in $D^{C_1}$. However, if we follow (8) to construct a partial transition relation with multiple clocks, the clocks will not be synchronized. If we add another clock to the model, then the result will be $(8) \wedge \chi_{\acute{M}_2}(\acute{b}^{C_2})$. Thus, the term $\chi_{\acute{M}_1}(\acute{b}^{C_1}) \wedge \chi_{\acute{M}_2}(\acute{b}^{C_2})$ will yield states where the target valuations of the clocks are $\acute{M}_1 \times \acute{M}_2$, which clearly means that the clocks do not evolve synchronously at the same rate. Instead, as mentioned earlier, the result should yield states where the target clock valuations are:
$$\acute{M} = \forall d \in D^C_\cup : \{\varrho(\mu^C + d)\}. \qquad (9)$$
This issue is a special case of synchronizing two TEFAs, which will be explained in the sequel.
B. BDD Construction of the Reachability Transition Relation
The construction of the BDD representing the synchronization of a number of EFAs has already been elaborated in [3]. By extending the method in [3], we construct the BDD representing $\rightarrowtail_{S_0}$ by performing the following steps:
1) consider the clocks as ordinary variables and construct the BDD of the explicit transition relation of each TEFA (which is now considered as an EFA),
2) construct the BDD representing the synchronization of all TEFAs,
3) construct a BDD representing the time evolution,
4) construct the BDD of $\rightarrowtail_{S_0}$ based on the BDDs in steps 2 and 3.
The first two steps have been described in [3]. We denote the characteristic function of the BDD from step 2 by $\chi_{\mapsto_{S_0}}$. Note that based on (1), if a clock is not reset on a transition it will keep its old valuation.
In step 3, the time evolution BDD is constructed, which will
synchronously extend the target valuations of the clocks. The
characteristic function of the time evolution BDD is,
χtimeEvolution(b´
C
1 , . . . , b´
C
n, bˆ
C
1 , . . . , bˆ
C
n) =
∨
µC∈DC
( |C|∧
i=1
b´
C
i ↔ θ(µ
C
i ) ∧
|DC
∪
|∨
d=1
|C|∧
i=1
bˆ
C
i ↔ θ(̺(µ
C
i + d))
)
,
Algorithm 1: The algorithm for constructing the BDD
representing the time evolution.
Input: $C$ and $D^{C}$
Output: $B_{\mathit{timeEvolution}}$
 1  $B_{\mathit{timeEvolution}} \leftarrow B(1)$;
 2  for $k \leftarrow 2$ to $|C|$ do
 3      $B_{\mathit{forward}} \leftarrow B(0)$;
 4      for $i \leftarrow 0$ to $\mu^{\max}_{C_1}$ do
 5          for $j \leftarrow 0$ to $\mu^{\max}_{C_k}$ do
 6              if $i \geq j$ then
 7                  $B_1 \leftarrow \big((\vec{B}(\cdot, \hat{b}^{C_1}) - \vec{B}(\cdot, \hat{b}^{C_k})) \leftrightarrow (\vec{B}(i, \hat{b}^{C_1}) - \vec{B}(j, \hat{b}^{C_k}))\big)$;
                else
 8                  $B_1 \leftarrow \big((\vec{B}(\cdot, \hat{b}^{C_k}) - \vec{B}(\cdot, \hat{b}^{C_1})) \leftrightarrow (\vec{B}(j, \hat{b}^{C_k}) - \vec{B}(i, \hat{b}^{C_1}))\big)$;
                end
 9              $\mathit{diffG} \leftarrow (\mu^{\max}_{C_1} - i)$;
10              $\mathit{diffC} \leftarrow (\mu^{\max}_{C_k} - j)$;
11              if $\mathit{diffG} \leq \mathit{diffC}$ then
12                  $B_2 \leftarrow \big(B(\mu^{\max}_{C_k}) \wedge (\vec{B}(\cdot, \hat{b}^{C_k}) \geq \vec{B}(j + \mathit{diffG}, \hat{b}^{C_k}))\big)$;
                else
13                  $B_2 \leftarrow \big(B(\mu^{\max}_{C_1}) \wedge (\vec{B}(\cdot, \hat{b}^{C_1}) \geq \vec{B}(i + \mathit{diffC}, \hat{b}^{C_1}))\big)$;
                end
14              $B_{\mathit{forward}} \leftarrow \big(B_{\mathit{forward}} \vee (B(i, b'^{C_1}) \wedge B(j, b'^{C_k}) \wedge (B_1 \vee B_2))\big)$;
            end
        end
15      $B_{\mathit{timeEvolution}} \leftarrow (B_{\mathit{timeEvolution}} \wedge B_{\mathit{forward}})$;
    end
where $\hat{b}^{C}_i$ is a new set of temporary Boolean variables used to
represent the valuations of clock $c_i$. The reason for introducing
a new set of variables is related to step 4 of constructing the
BDD of ֌S0. Algorithm 1 shows the construction of the
corresponding BDD of $\chi_{\mathit{timeEvolution}}$. In the algorithm, $B(0)$
and $B(1)$ denote the 0 and 1 terminals, respectively; $B(i, \hat{b}^{C_k})$
is a BDD representing value $i$ by using the Boolean variables
in the tuple $b$. In our implementation, we represent integers
and the arithmetic operations by BDD bit-vectors, discussed in
[30]. The notation $\vec{B}(i, \hat{b}^{C_k})$ is the BDD bit-vector representing
value $i$, where each bit is a BDD using the Boolean variables
$\hat{b}^{C_k}$. $\vec{B}(\cdot, \hat{b}^{C_k})$ is the BDD bit-vector for all values that can be
represented by $\hat{b}^{C_k}$. For a more detailed description of how
arithmetic operations are performed on BDD bit-vectors, refer
to [30]. In line 7, clocks $c_1$ and $c_k$ are synchronized, yielding
a BDD, i.e. $B_1$, representing all pairs of valuations where the
difference is $i - j$. In lines 12 and 13 the saturation function
$\varrho$ is implemented.
The time complexity of the algorithm is $O(|C| \cdot |D^{C}_{\cup}|^2 \cdot K)$,
where $K$ is the time complexity of performing the BDD
operations in the loops, which is proportional to the sizes of the
BDDs. The exact time complexity and the proof of correctness
of the algorithm are included in [31].
Since the clocks are considered as ordinary variables, each
target valuation $\mu'^{C}$ in $\chi_{\mapsto_{S_0}}$ should be synchronously extended
as (9). Hence, each term $\bigwedge_{i=1}^{|C|} b'^{C}_i \leftrightarrow \theta(\mu'^{C}_i)$ in $\chi_{\mapsto_{S_0}}$ should
be substituted by
$$\bigvee_{d=1}^{|D^{C}_{\cup}|} \bigwedge_{i=1}^{|C|} b'^{C}_i \leftrightarrow \theta(\varrho(\mu'^{C}_i + d)).$$
The substitution is performed by utilizing some extra temporary
Boolean variables mentioned in the algorithm.
Lemma 4. The BDD representing ֌S0 is constructed as follows:
$$B_{֌S_0} = \mathrm{replace}\left(\exists B' : (B_{\mapsto_{S_0}} \wedge B_{\mathit{timeEvolution}}),\ (\hat{B}, B')\right).$$
The proof is included in [31].
The BDD for the backward reachability transition relation,
used for coreachability, can be computed in an analogous
manner.
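The synchronization problem raised at the start of this subsection (conjoining per-clock relations yields the product $M'_1 \times M'_2$ instead of the synchronous set (9)) and the composition in Lemma 4 are easiest to see on explicit sets. The following Python is an added illustration written for this page; it is not code from the paper or from Supremica, and it replaces BDDs by Python sets of tuples, so the relations are the same objects in a different encoding. Where the page does not say so, it assumes that the saturation function $\varrho$ caps each clock at its own largest constant $\mu^{\max}$ and that $D^{C}_{\cup}$ is $\{1, \ldots, \max_i \mu^{\max}_i\}$; the two-clock TEFA fragment, its locations q0 to q2 and its transitions are constructed sample input.

```python
from itertools import product

# Constructed example, not code from the paper or from Supremica: BDDs are
# replaced by explicit Python sets so that the relations can be inspected.
# Assumptions (not stated on the page): the saturation function rho caps a
# clock at its own largest constant mu_max, and the common delay domain
# D^C_union is {1, ..., max_i mu_max_i}.


def saturate(value, mu_max):
    """rho: values beyond the largest clock constant collapse to mu_max."""
    return min(value, mu_max)


def synchronous_extension(mu, mu_max):
    """Eq. (9): target valuations reached when every clock advances by the
    same delay d, 1 <= d <= |D^C_union|, each clock saturating separately."""
    horizon = max(mu_max)
    return {tuple(saturate(v + d, m) for v, m in zip(mu, mu_max))
            for d in range(1, horizon + 1)}


def asynchronous_product(mu, mu_max):
    """What a plain conjunction of per-clock relations yields: the Cartesian
    product M'_1 x ... x M'_n, i.e. clocks advancing independently."""
    horizon = max(mu_max)
    per_clock = [{saturate(v + d, m) for d in range(1, horizon + 1)}
                 for v, m in zip(mu, mu_max)]
    return set(product(*per_clock))


def time_evolution_relation(mu_max):
    """chi_timeEvolution over the whole clock domain D^C, as a set of pairs
    (target valuation b', extended valuation b-hat)."""
    domain = product(*(range(m + 1) for m in mu_max))
    return {(mu, ext) for mu in domain
            for ext in synchronous_extension(mu, mu_max)}


def reachability_relation(transitions, mu_max):
    """Lemma 4 on explicit sets: conjoin the explicit transition relation with
    the time evolution on the target valuation, quantify that valuation away
    (a relational join), and rename the temporary b-hat variables to b'."""
    evolution = time_evolution_relation(mu_max)
    return {(src, (tgt_loc, ext))
            for src, (tgt_loc, tgt_clocks) in transitions
            for mu, ext in evolution
            if mu == tgt_clocks}


def successors(relation, state):
    """States reachable from `state` in one step of the relation."""
    return {tgt for src, tgt in relation if src == state}


# Constructed TEFA fragment: states are (location, clock valuation) with two
# clocks whose largest constants are 2 and 3. The event leaving q0 resets both
# clocks; the event leaving q1 resets only the first clock.
MU_MAX = (2, 3)
TRANSITIONS = {
    (("q0", (0, 0)), ("q1", (0, 0))),
    (("q1", (2, 3)), ("q2", (0, 3))),
}

if __name__ == "__main__":
    print("synchronous  :", sorted(synchronous_extension((0, 0), MU_MAX)))
    print("asynchronous :", sorted(asynchronous_product((0, 0), MU_MAX)))
    reach = reachability_relation(TRANSITIONS, MU_MAX)
    print("succ(q0,(0,0)):", sorted(successors(reach, ("q0", (0, 0)))))
    print("succ(q1,(2,3)):", sorted(successors(reach, ("q1", (2, 3)))))
```

Running the file prints the synchronous and the asynchronous extension of the target valuation (0, 0) side by side: the valuation (1, 3) appears only in the asynchronous product, which is exactly the kind of spurious state the text warns about, since it would require the second clock to have advanced three units while the first advanced one. The successor sets show the effect of Lemma 4: the target valuation of each explicit transition is replaced by its synchronous extension, with the first clock saturating at 2 while the second continues to 3.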
V. CASE STUDY: A PRODUCTION CELL
In this section, the symbolic approach discussed in Section
IV is applied to a benchmark example: the production cell ex-
ample in [32]. The benchmark example is of interest to formal
methods researchers as it is complicated but still manageable.
In the context of supervisory control, it has been investigated
in [33] based on the State Tree Structure (STS) methodology
and then extended to timed STS in [18].
The production cell, shown in Fig. 1, consists of six
interconnected parts: feed belt, elevating rotary table, robot,
press, deposit belt and traveling crane. One notable feature is
that the robot has two arms to maximize the capacity of the
press, namely to make it possible for the press to be forging
while arm1 is picking up another metal blank. More exposition
can be found in [33]. The main objective is to prevent collisions
among certain parts while at the same time guaranteeing nonblocking.
[Figure 1 (drawing not reproduced): parts labelled INPUT, feed belt, sensor1, elevating rotary table, robot base, arm1, arm2, press, deposit belt, sensor2, test unit, crane, OUTPUT.]
Figure 1: The Production Cell
Due to the complexity of the example and the page lim-
itation, we only focus on the modeling of one component:
the elevating rotary table. In addition, there are six speci-
fications expressed as logic formulas to prevent the system
from reaching collision states. For the sake of simplicity, those
safety specifications are not taken into account. We forgo the
discussion and only synthesize the nonblocking supervisor of
the production cell example.
The table can move vertically and horizontally. Its task is to
lift blanks to the top position and rotate by 50 degrees so that
arm1 of the robot can pick them up. Subsequently, it needs
to return to the bottom position at 0 degrees to acquire
another blank from the feed belt. In our work, we model the
table as two modular TEFAs, Ta_H, shown in Fig. 2, and
Ta_V, modeling the horizontal and vertical movement respec-
tively. The complete behavior of the table can be obtained by
the synchronous product Ta_H ‖ Ta_V. As a comparison,
Fig. 3 shows the corresponding "tick" model where a regular
integer variable tH, rather than a clock, is used to express the
time information in an explicit way. In order to synchronize
multiple clocks, two self-loops, labeled by a common event t
but with different guards, are attached to every location of
the model. From the modeling perspective, the TEFA model,
which embeds the evolution of clocks implicitly at locations,
gives a more compact and comprehensible representation.
[Figure 2 (automaton drawing not reproduced): TEFA Ta_H with events Ta_SH, !Ta_0, Ta_L, A1_mOn, !Ta_50, Ta_R, !FB_S1Off; guards clockH ≥ 1 and clockH ≥ 2; resets clockH := 0.]
Figure 2: TEFA modeling the horizontal movement of the elevating
rotary table. The description of the alphabet can be found in [33].
[Figure 3 (automaton drawing not reproduced): tick-EFA with the events of Fig. 2 (Ta_SH, !Ta_0, Ta_L, A1_mOn, !Ta_50, Ta_R, !FB_S1Off), guards tH ≥ 1 and tH ≥ 2 and resets tH := 0 on the event transitions, plus two self-loops on the tick event !t at every location, one guarded by tH < 2 with action tH += 1 and one guarded by tH >= 2.]
Figure 3: The corresponding tick-EFA of Ta_H.
The symbolic approach proposed in this paper has been
implemented and integrated in the supervisory control tool
Supremica [6] which uses JavaBDD [34] as the BDD package.
The experiment is carried out on a standard personal computer
(Intel Dual Core CPU @ 1.83GHz and 1.5GB RAM) run-
ning Ubuntu 10.10. Table I shows the comparison between
two symbolic approaches based on tick-EFAs and TEFAs.
It can be observed that both can handle the production cell
example, which has $5.58 \times 10^{10}$ reachable and $3.26 \times 10^{10}$
nonblocking states. The latter approach shows better
performance, almost twice as fast as the tick-EFA approach,
due to the smaller number of iterations during the fixed-point
computation. The second column shows the average size of
the intermediate BDDs during the fixed-point computation of
reachable states. The average BDD size of the TEFA approach
is significantly smaller than that of the tick-EFA approach.
It should be mentioned that the result, in terms of the num-
ber of states, computed from either of those two approaches
is different from the result in [18] due to distinct modeling
formalisms used to model the production cell.
Table I: Nonblocking Supervisory Synthesis.
Approach   Iterations   Average BDD size   Computation Time
tick-EFA   343          39876              19 sec
TEFA       129          16173              10 sec
VI. CONCLUSIONS AND FUTURE WORKS
In this paper, we presented a method to efficiently compute a
minimally restrictive nonblocking supervisor for a timed DES.
The system is modeled by TEFAs, ordinary automata extended
with variables and clocks, and the supervisor is symbolically
computed based on the TEFAs’ corresponding tick-EFAs using
BDDs. However, in the BDD-based fixed-point computations,
the “tick” event is eliminated by abstracting the tick-EFAs.
This leads to fewer iterations and smaller intermediate BDDs in
the fixed-point computations. As a case study, we applied our
method to a classical production cell.
There are some possible directions for future work that
we are currently working on. From an SCT perspective, we
still do not handle controllability. From a modeling point of
view, we desire to be able to model invariants, i.e., deadlines
that must be satisfied, by TEFAs. Finally, we also desire to
develop efficient algorithms for quantitative analysis such as
time optimization, besides the qualitative analysis (supervisor
synthesis). The interesting point about optimization on TEFAs
is the existence of uncontrollable events that may lead to
several optimal solutions.
REFERENCES
[1] P. Ramadge and W. M. Wonham, “The control of discrete event
systems,” Proceedings of the IEEE, vol. 77, no. 1, pp. 81–98, 1989.
[2] M. Sköldstam, K. Åkesson, and M. Fabian, “Modeling of discrete event
systems using finite automata with variables,” Decision and Control,
2007 46th IEEE Conference on, pp. 3387–3392, 2007.
[3] S. Miremadi, B. Lennartson, and K. Åkesson, “A BDD-based approach
for modeling plant and supervisor by extended finite automata,” IEEE
Transactions on Control Systems Technology, vol. 20, no. 6, pp. 1421–
1435, 2012.
[4] K. Bengtsson, C. Thorstensson, B. Lennartson, K. Åkesson, S. Mire-
madi, and P. Falkman, “Relations identification and visualization for
sequence planning and automation design,” in 2010 IEEE International
Conference on Automation Science and Engineering, Aug. 2010, pp.
841–848.
[5] P. Magnusson, N. Sundström, K. Bengtsson, B. Lennartson, P. Falkman,
and M. Fabian, “Planning transport sequences for flexible manufacturing
systems,” in Preprints of the 18th IFAC World Congress, Milano, Italy,
2011, pp. 9494–9499.
[6] K. Åkesson, M. Fabian, H. Flordal, and R. Malik, “Supremica—an inte-
grated environment for verification, synthesis and simulation of discrete
event systems,” in Proceedings of the 8th international Workshop on
Discrete Event Systems, WODES’06, Ann Arbor, MI, USA, 2006, pp.
384–385.
[7] A. Vahidi, M. Fabian, and B. Lennartson, “Efficient supervisory synthe-
sis of large systems,” Control Engineering Practice, vol. 14, no. 10, pp.
1157–1167, Oct. 2006.
[8] S. Miremadi, K. Åkesson, M. Fabian, A. Vahidi, and B. Lennartson,
“Solving two supervisory control benchmark problems using Suprem-
ica,” in 9th International Workshop on Discrete Event Systems, 2008,
WODES 08., May 2008, pp. 131–136.
[9] Z. Fei, S. Miremadi, and K. Åkesson, “Efficient symbolic supervisory
synthesis and guard generation,” in 3rd International Conference on
Agents and Artificial Intelligence, Rome, Italy, 2011, pp. 106–115.
[10] R. Alur and D. L. Dill, “A theory of timed automata,” Theoretical
Computer Science, vol. 126, no. 2, pp. 183–235, Apr. 1994.
[11] H. Wong-Toi and G. Hoffmann, “The control of dense real-time discrete
event systems,” in Proceedings of the 30th IEEE Conference on Decision
and Control. IEEE, 1991, pp. 1527–1528.
[12] A. Khoumsi and L. Ouedraogo, “A New Method for Transforming
Timed Automata,” Electronic Notes in Theoretical Computer Science,
vol. 130, pp. 101–128, May 2005.
[13] E. Asarin, O. Maler, and A. Pnueli, “Symbolic controller synthesis
for discrete and timed systems,” Hybrid Systems II - Lecture Notes in
Computer Science, vol. 999, pp. 1–20, 1995.
[14] F. Cassez, A. David, E. Fleury, K. G. Larsen, and D. Lime, “Efficient on-
the-fly algorithms for the analysis of timed games,” in Proceedings
of the 16th International Conference on Concurrency Theory, CON-
CUR’05. Springer, 2005, pp. 66–80.
[15] J. S. Ostroff and W. M. Wonham, “A framework for real-time discrete
event control,” IEEE Transactions on Automatic Control, vol. 35, no. 4,
pp. 386–397, Apr. 1990.
[16] H. Chen and H. Li, “Maximally permissive state feedback logic for
controlled time Petri nets,” in Proceedings of the 1997 American Control
Conference, vol. 4. American Autom. Control Council, 1997, pp. 2359–
2363.
[17] B. A. Brandin, “The Modeling and Supervisory Control of Timed DES,”
in Proceedings of the 4th International Workshop of Discrete Event
Systems, WODES’98, 1998, pp. 8–14.
[18] A. Saadatpoor, “Timed State Tree Structures: Supervisory Control and
Fault Diagnosis,” Ph.D. dissertation, University of Toronto, 2009.
[19] B. A. Brandin and W. M. Wonham, “Supervisory Control of Timed
Discrete-Event Systems,” IEEE Transactions on Automatic Control,
vol. 39, no. 2, pp. 329–342, 1994.
[20] P. Gohari and W. M. Wonham, “Reduced supervisors for timed discrete-
event systems,” IEEE Transactions on Automatic Control, vol. 48, no. 7,
pp. 1187–1198, Jul. 2003.
[21] C. A. R. Hoare, “Communicating sequential processes,” Communica-
tions of the ACM, vol. 21, no. 8, pp. 666–667, 1978.
[22] Y. Brave and M. Heymann, “Formulation and control of real time
discrete event processes,” in Proceedings of the 27th IEEE Conference
on Decision and Control. IEEE, 1988, pp. 1131–1132.
[23] B. A. Brandin and W. M. Wonham, “The supervisory control of timed
DES,” IEEE Transactions on Automatic Control, vol. 39, no. 2, pp. 329–
342, 1994.
[24] C. G. Cassandras and S. Lafortune, Introduction to Discrete Event
Systems, 2nd ed. Springer, 2008.
[25] W. M. Wonham and P. Ramadge, “Modular supervisory control of
discrete-event systems,” Mathematics of Control Signals and Systems,
vol. 1, no. 1, pp. 13–30, 1988.
[26] H. Flordal, R. Malik, M. Fabian, and K. Åkesson, “Compositional
Synthesis of Maximally Permissive Supervisors Using Supervision
Equivalence,” Discrete Event Dynamic Systems, vol. 17, no. 4, pp. 475–
504, Aug. 2007.
[27] Z. Fei, S. Miremadi, K. Åkesson, and B. Lennartson, “Efficient supervi-
sory synthesis to large-scale discrete event systems modeled as extended
finite automata,” Chalmers University of Technology, Göteborg, Sweden,
Tech. Rep., 2012.
[28] C. Ma and W. M. Wonham, “STSLib and its application to two
benchmarks,” in 9th International Workshop on Discrete Event Systems,
2008, WODES’08., May 2008, pp. 119–124.
[29] H. Andersen, “An introduction to binary decision diagrams,” Department
of Information Technology, Technical University of Denmark, Tech.
Rep., 1999.
[30] E. M. Clarke, K. L. McMillan, X. Zhao, M. Fujita, and J. Yang, “Spectral
transforms for large boolean functions with applications to technology
mapping,” Form. Methods Syst. Des., vol. 10, no. 2-3, pp. 137–148,
1997.
[31] S. Miremadi, Z. Fei, K. Åkesson, and B. Lennartson, “Symbolic
nonblocking computation of timed discrete event systems, extended
version,” Chalmers University of Technology, Tech. Rep., 2012.
[32] C. Lewerentz and T. Lindner, Eds., Formal Development of Reactive
Systems—Case Study Production Cell, ser. Lecture Notes in Computer
Science. Springer, 1995, vol. 891, ch. II, pp. 7–19.
[33] C. Ma, “Nonblocking Supervisory Control of State Tree Structures,”
Ph.D. dissertation, University of Toronto, 2005.
[34] “JavaBDD.” [Online]. Available: http://javabdd.sourceforge.net
